
Introduction to IEEE 802.1X and Cisco Identity-Based Networking Services (IBNS)

Cisco

2008 Cisco Systems, Inc. All rights reserved.

Abstract

Cisco Identity-Based Networking Services (IBNS) provides customized access control for wired LAN networks.
Cisco IBNS is increasingly important in campus networks as enterprises look for security, visibility, and convergence at the access edge.
Using IEEE 802.1X and supplementary technologies, Cisco IBNS is a network solution that provides the foundation for dynamic, user-differentiated policy and advanced network intelligence.

Basic Identity Concepts

What is an identity?
- An assertion of who we are
- Allows us to differentiate between one another

What does an identity look like?
Typical network identities include:
- Username and password
- Email address: jdoe@foo.com
- MAC address: 00-0c-14-a4-9d-33
- IP address: 10.0.1.199
- Digital certificates

How do we use identities?
- Used to grant appropriate authorizations: rights to services within a given domain

What Is Authentication and Authorization?

Authentication is the process of establishing and confirming the identity of a client requesting services.
Authentication is useful only if used to establish corresponding authorization (for example, access to a bank account).

"I want to withdraw 200 euros please."
"Do you have identification?"
"Yes, I do. Here it is."
"Thank you. Here are your euros."

An Authentication System Is Only as Strong as the Method of Verification Used

Applying the Authentication Model to the Network

"I want to connect to the network."
"Identification required."
"Here is my identification."
"Identification verified. Access granted."

Identity-Enabled Networking

Why Is Cisco IBNS Important for the Campus?

Who are you?
- IEEE 802.1X (or a supplementary method) authenticates the user

Where can you go?
- Based on authentication, the user is placed in the correct VLAN
- Keep the outsiders out
- Keep the insiders honest

What service level do you receive? Personalize the network
- The user can be given per-user services (access control lists [ACLs] today, more to come)

What are you doing?
- The user's identity and location can be used for tracking and accounting

New Business Environment Demands Identity

- Increase network visibility
- No boundary for a global and mobile workforce
- Accountability for empowered employees
- New and changing threats
- Compliance
- Contractors, partners, and guests

A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011.
(Gartner, "Findings: Wired 802.1X Adoption on the Rise," Lawrence Orans and John Pescatore, July 28, 2008)

IEEE 802.1X: The Foundation of Cisco IBNS

- Terminology
- Components
- Protocols

"I want to connect to the network."
"Identification required."
"Here is my identification."
"Identification verified. Access granted."

IEEE 802.1X Terminology

Supplicant: IEEE 802.1X client
- Microsoft native supplicant and Cisco Secure Services Client (SSC)

Authenticator: access device
- Cisco Catalyst switches and access points

Authentication server: RADIUS and AAA server
- Cisco Secure ACS and Microsoft IAS and NPS

Back-end database
- AD, LDAP

IEEE 802.1X Components

[Figure: Supplicant (Cisco SSC) -- Layer 2 point-to-point -- Authenticator -- Layer 4 link -- Authentication Server. The authenticator relays the exchange; the actual authentication method is policy dependent.]

Supplicant and authenticator:
"Hi. Anybody home?"
"Who are you?"
"I am Alice."
"Send your password in tunnel."
"Here is my encrypted password."
"Success. You may now send traffic to the network."

Authenticator and authentication server (relay):
"Alice requests access."
"Tell Alice to send her password in encrypted tunnel."
"Alice's encrypted password."
"Alice checks out. Let Alice on VLAN 10."

IEEE 802.1X Protocols: Extensible Authentication Protocol (EAP)

- A flexible transport protocol used to carry arbitrary authentication information
- Defined by RFC 3748
- Establishes and manages connections
- Allows authentication by encapsulating various types of authentication exchanges (EAP methods)
- EAP provides a flexible link-layer security framework
  - Simple encapsulation protocol
  - No dependency on IP
  - Assumes no reordering
  - Can run over lossy or lossless media
  - Can run over any link layer (Point-to-Point Protocol [PPP], IEEE 802, etc.)
- EAP over LAN = EAPoL

EAP in Context

[Figure: Supplicant (Cisco SSC) -- Layer 2 point-to-point -- Authenticator -- Layer 4 link -- Authentication Server]

Supplicant <-> Authenticator:
  EAPoL Start
  EAP ID Request
  EAP ID Response: Alice
  EAP Request: Send Tunneled Password
  EAP Response: Tunneled Password
  EAP Success

Authenticator <-> Authentication Server:
  EAP Response: Alice
  EAP Request: Send Tunneled Password
  EAP Response: Tunneled Password
  EAP Success (Let Alice on VLAN 10)

IEEE 802.1X Protocols: EAP Methods

- EAP methods define the credential type and authentication method to be used
- Supplicant and authentication server must support the same method
- Most common credential types are passwords and X.509 certificates
- Certificates often increase complexity of deployment

Prevalent EAP Methods

  Method          Client Credential       Basis for Encryption         Main Benefit
  EAP-TLS         Client certificate      Not required                 Highly secure
  PEAP-MSCHAPv2   Username and password   Server-certified TLS tunnel  Does not require client certificate
  EAP-FAST        PAC                     Server PAC                   Requires no certificates

Factors Promoting EAP Method

- Enterprise security policy
  - Certificate authority deployment
  - Requirements such as two-factor authentication may promote the choice of EAP-TLS
- Client support
  - Windows XP supports EAP-TLS, PEAP with EAP-MSCHAPv2, and PEAP with EAP-TLS
  - Third-party supplicants support a large variety of EAP types, but not all
- Authentication server support
  - RADIUS servers support a large variety of EAP types, but not all
- Authentication store
  - PEAP with EAP-MSCHAPv2 can be used only with authentication stores that store passwords in MSCHAPv2 format
  - Not every identity store supports all EAP types

Customer choice of EAP type affects every other component

EAP Method (PEAP) in Context

[Figure: Supplicant (Cisco SSC) -- Layer 2 point-to-point -- Authenticator -- Layer 3 link -- Authentication Server]

Supplicant <-> Authenticator:
  EAPoL Start
  EAP ID Request
  EAP ID Response: Alice
  EAP Request: PEAP
  EAP Response: PEAP Client Hello
  PEAP Exchange
  EAP Success

Authenticator <-> Authentication Server:
  EAP Response: Alice
  EAP Request: PEAP
  EAP Response: PEAP Client Hello
  PEAP Exchange
  EAP Success (Let Alice on VLAN 10)

IEEE 802.1X Protocols: RADIUS

- RADIUS acts as the transport for EAP from the authenticator to the authentication server
- RFC describing how RADIUS should support EAP between authenticator and authentication server: RFC 3579

  | IP Header | UDP Header | RADIUS Header | EAP Payload |

- RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs

  | IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs |

- Usage guideline for IEEE 802.1X authenticators' use of RADIUS: RFC 3580
- AV pairs = attribute-value pairs

RADIUS in Context

[Figure: Supplicant (Cisco SSC) -- Layer 2 point-to-point -- Authenticator -- Layer 3 link -- Authentication Server]

Supplicant <-> Authenticator:
  EAPoL Start
  EAP ID Request
  EAP ID Response
  EAP Request: PEAP
  EAP Response: PEAP
  EAP Success

Authenticator <-> Authentication Server:
  RADIUS Access Request [AVP: EAP Response: Alice]
  RADIUS Access Challenge [AVP: EAP Request: PEAP]
  RADIUS Access Request [AVP: EAP Response: PEAP]
  (Multiple challenge-request exchanges possible)
  RADIUS Access Accept [AVP: EAP Success] [AVP: VLAN 10]
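An added example, not from the Cisco deck, that builds the two encapsulations shown on the last two slides in code: an Access-Request carrying Alice's EAP Response/Identity inside EAP-Message attributes, and the Access-Accept that carries EAP Success plus the RFC 3580 VLAN AV pairs (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = "10"). It also implements the Message-Authenticator HMAC that RFC 3579 requires on every EAP-carrying RADIUS packet and the Response Authenticator of RFC 2865, which is what lets the authenticator reject an Access-Accept that was altered on the path between switch and server by someone without the shared secret. The shared secret, identifiers, and packets are constructed for the example; the codes, attribute numbers, and hash constructions are those of the RFCs.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 (RADIUS), RFC 3579 (RADIUS support
# for EAP) and RFC 3580 (IEEE 802.1X RADIUS usage guidelines).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity (RFC 3748): Code | Identifier | Length | Type | Type-Data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def eap_success(eap_id: int) -> bytes:
    """EAP Success carries no Type field: Code | Identifier | Length."""
    return struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_radius(code, identifier, attrs, secret, request_auth=None):
    """Code | Identifier | Length | Authenticator | attributes, plus a Message-Authenticator
    (HMAC-MD5 over the packet with that attribute zeroed), as RFC 3579 requires for EAP.
    An Access-Request gets a random Request Authenticator. A response is keyed with the
    Request Authenticator of its request and then gets a Response Authenticator (RFC 2865)."""
    body = b"".join(_attr(t, v) for t, v in attrs) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = os.urandom(16) if request_auth is None else request_auth
    mac = hmac.new(secret, header + auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if request_auth is not None:
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_radius(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) with length checks."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, pkt[4:20], attrs


def verify_message_authenticator(pkt, secret, request_auth=None) -> bool:
    """Recompute the HMAC with Message-Authenticator zeroed; a packet without one fails."""
    _, _, authenticator, attrs = parse_radius(pkt)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1:
        return False
    auth = authenticator if request_auth is None else request_auth
    body = b"".join(_attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, pkt[:4] + auth + body, hashlib.md5).digest()
    return hmac.compare_digest(expected, found[0])


def verify_response_authenticator(pkt, secret, request_auth) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def eap_payload(attrs) -> bytes:
    """A long EAP packet is split across several EAP-Message attributes; join them in order."""
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)


def assigned_vlan(attrs):
    """RFC 3580 VLAN assignment. Integer tunnel attributes carry a leading Tag octet;
    the string Tunnel-Private-Group-ID carries one only if its first octet is <= 0x1F."""
    a = dict(attrs)
    ttype, medium, gid = a.get(TUNNEL_TYPE), a.get(TUNNEL_MEDIUM_TYPE), a.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and medium and gid):
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    return (gid[1:] if gid[0] <= 0x1F else gid).decode()


def demo(secret=b"constructed-shared-secret"):
    """Alice's EAP Identity in an Access-Request, then the Access-Accept placing her on VLAN 10."""
    req = build_radius(ACCESS_REQUEST, 7, [(USER_NAME, b"Alice"),
                       (EAP_MESSAGE, eap_response_identity(1, "Alice"))], secret)
    _, _, req_auth, _ = parse_radius(req)
    acc = build_radius(ACCESS_ACCEPT, 7, [
        (EAP_MESSAGE, eap_success(1)),
        (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"10")], secret, request_auth=req_auth)
    _, _, _, attrs = parse_radius(acc)
    # An Accept whose VLAN was rewritten in transit by someone without the secret must fail.
    forged = acc.replace(bytes([TUNNEL_PRIVATE_GROUP_ID, 4]) + b"10",
                         bytes([TUNNEL_PRIVATE_GROUP_ID, 4]) + b"99")
    return {
        "request_ok": verify_message_authenticator(req, secret),
        "accept_ok": verify_message_authenticator(acc, secret, req_auth)
                     and verify_response_authenticator(acc, secret, req_auth),
        "eap": eap_payload(attrs),
        "vlan": assigned_vlan(attrs),
        "forgery_detected": not verify_message_authenticator(forged, secret, req_auth),
    }
```

The order of operations on the server side matters: the Message-Authenticator is computed first with the Request Authenticator in the Authenticator field, and only then is the Response Authenticator derived over the finished packet, which is why the verifier needs the original request's Authenticator for both checks.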

Next Section: Wired IEEE 802.1X Port-Based Access Deployment

Why Is Identity Difficult in the Wired LAN?

WLANs
- Relatively new technology
- Required a client from the beginning
- No old-technology host issues to deal with

Remote-access VPN
- Relatively new technology
- Required a client from the beginning
- No old-technology host issues to deal with

Wired Ethernet networks
- Ethernet is a mature technology, widely deployed
- Never really required an authentication client
- 20 years of older protocols, devices, operating systems, and applications, most of which were built with the assumption of open connectivity

IEEE 802.1X in wired environments
- A change from all this
- Requires prior knowledge of device capabilities before configuring the access port (major operating expense challenge)

Features to Help with Wired IEEE 802.1X Deployments
- FlexAuth: single-port configuration with flexible authentication technology (IEEE 802.1X, MAB, and WebAuth)
- 802.1X open mode: enhanced IEEE 802.1X authenticator (wired switches, etc.) to address OS, protocol, and management application issues
- IP Telephony (IPT) integration enhancements: MDA
- Simplification of MAB
- Network access point (NAC) profiler: provides endpoint discovery and profiling

IEEE 802.1X: The Foundation of Identity

[Figure: Supplicant (IEEE 802.1X client) -- EAP over LAN (EAPoL) -- Authenticator (switch, access point, etc.) -- RADIUS -- Authentication server (Cisco Secure ACS, etc.)]

- IEEE 802.1 working group standard
- Provides port-based access control using authentication
  - Enforcement using MAC-based filtering and port-state monitoring
- Defines encapsulation for EAP over IEEE 802 media: EAPoL

Default Port State Without IEEE 802.1X

No authentication required
- No visibility
- No access control

[Figure: an unknown user on a switch port sending DHCP, TFTP, KRB5, and HTTP traffic without restriction]

Default Security with 802.1X: Before Authentication

- No visibility (yet)
- Strict access control

One physical port -> two virtual ports
- Uncontrolled port (EAPoL only)
- Controlled port (everything else)

  interface FastEthernet 3/48
   authentication port-control auto

[Figure: DHCP, TFTP, KRB5, and HTTP frames from the user are blocked at the switch port; only EAPoL passes]

All traffic except EAPoL is dropped

Default Security with 802.1X: After Authentication

- User or device is known
- Identity-based access control
- Single MAC per port

[Figure: authenticated user Sally on the switch port; DHCP, TFTP, KRB5, and HTTP traffic now passes. Looks the same as without IEEE 802.1X.]

"Having read your mind... Sally, that is true. Unless you apply an authorization, access is wide open. We can restrict access with dynamic VLAN assignment or downloadable ACLs."

  interface FastEthernet 3/48
   authentication port-control auto

Default Security: Consequences

Default IEEE 802.1X challenge
- Devices without supplicants cannot send EAPoL
- No EAPoL = no access

One physical port -> two virtual ports
- Uncontrolled port (EAPoL only)
- Controlled port (everything else)

  interface FastEthernet 3/48
   authentication port-control auto

[Figure: a device without a supplicant sends DHCP and TFTP but no EAPoL; the switch port stays offline]

No EAPoL = No Access

Simplifying IEEE 802.1X Deployments

  Challenge               Cisco IOS Software Enhancement
  Clientless device       Cisco IOS Software MAB plus NAC Profiler
  Host asset management   Cisco IOS Software IEEE 802.1X open mode
  Operation cost          Cisco IOS Software flexible authentication (FlexAuth)
  IPT integration         Cisco IOS Software MDA
                          Cisco IOS Software EAPoL logoff and MAB inactivity timer
                          Cisco IOS Software Cisco Discovery Protocol host connect TLV

Authenticating Clientless Devices: MAC Authentication Bypass (MAB)

[Figure: timeline between an end-point host, a switch running dot1x and MAB, and the RADIUS server]
- Link up
- Switch sends EAP ID Request; no response; 30-second countdown to timeout
- EAP ID Request retransmitted; no response; timeout
- EAP ID Request retransmitted; no response; timeout
- Fallback to MAB: switch learns the MAC address
- RADIUS Access Request: 00.0a.95.7f.de.06
- RADIUS Access Accept
- Port enabled

Same authorizations as IEEE 802.1X (VLAN or ACL)

  interface fastEthernet 3/48
   authentication port-control auto
   mab

Requires current database of known MAC addresses

MAB Limitations and Challenges

- MAB requires creation and maintenance of a MAC database
- Default IEEE 802.1X timeout = 90 seconds
  - 90 seconds: default MSFT DHCP timeout
  - 90 seconds: default PXE timeout
- Current workaround: timer tuning (always requires testing)
  - max-reauth-req: maximum number of times (default = 2) that the switch retransmits an EAP ID Request frame on the wire
  - tx-period: number of seconds (default = 30) that the switch waits for a response to an EAP ID Request frame before retransmitting
  - IEEE 802.1X Timeout = (max-reauth-req + 1) * tx-period
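An added example, not part of the deck, that simulates the fallback timeline of the MAB slide and applies the timeout formula above to the DHCP and PXE race it describes. The defaults (tx-period 30, max-reauth-req 2, 90-second DHCP and PXE timeouts) are the values the slides give; the event wording and the helper that computes the largest tx-period fitting under a client timeout are this example's own, and the page's caution that timer tuning always needs testing still applies.

```python
# Defaults the deck names for a Cisco IOS port running IEEE 802.1X with MAB fallback.
DEFAULT_TX_PERIOD = 30        # seconds the switch waits for an EAP ID Response
DEFAULT_MAX_REAUTH_REQ = 2    # retransmissions of the EAP ID Request
DHCP_CLIENT_TIMEOUT = 90      # default Microsoft DHCP client timeout (per the deck)
PXE_TIMEOUT = 90              # default PXE timeout (per the deck)


def dot1x_timeout(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD) -> int:
    """IEEE 802.1X Timeout = (max-reauth-req + 1) * tx-period: the first EAP ID Request
    plus max-reauth-req retransmissions, each followed by a tx-period wait."""
    return (max_reauth_req + 1) * tx_period


def mab_fallback_timeline(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD,
                          supplicant_present=False, mac_known=True):
    """Simulated (seconds since link-up, event) list for a port configured with
    'authentication port-control auto' and 'mab'."""
    t, events = 0, [(0, "link up")]
    for _ in range(max_reauth_req + 1):
        events.append((t, "EAP ID Request sent"))
        if supplicant_present:
            events.append((t, "EAP ID Response received; IEEE 802.1X continues"))
            return events
        t += tx_period
        events.append((t, "timeout: no response"))
    events.append((t, "fallback to MAB: learn source MAC"))
    events.append((t, "RADIUS Access-Request with the MAC address as identity"))
    if mac_known:
        events.append((t, "RADIUS Access-Accept: port enabled (same VLAN/ACL authorizations as IEEE 802.1X)"))
    else:
        events.append((t, "RADIUS Access-Reject: port stays unauthorized"))
    return events


def races_client_timeout(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD,
                         client_timeout=DHCP_CLIENT_TIMEOUT) -> bool:
    """True when a clientless host gives up (DHCP or PXE) no later than MAB can open the port."""
    return dot1x_timeout(max_reauth_req, tx_period) >= client_timeout


def largest_tx_period(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, client_timeout=DHCP_CLIENT_TIMEOUT) -> int:
    """Largest tx-period that keeps the 802.1X timeout strictly below the client's timeout.
    This is only the arithmetic bound; the deck notes that tuning always requires testing."""
    return (client_timeout - 1) // (max_reauth_req + 1)


if __name__ == "__main__":
    for when, what in mab_fallback_timeline():
        print(f"{when:3d}s  {what}")
    print("races DHCP at defaults:", races_client_timeout())
    print("largest tx-period under DHCP timeout:", largest_tx_period())
```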

Simplifying MAB Deployments: NAC Profiler

Build MAC database before deploying IEEE 802.1X

[Figure: switch ports report to the NAC Profiler Collector over SNMP (port, MAC address, Organizational Unique Identifier, and vendor ID) and via DHCP relayed with ip helper-address; the collector feeds the NAC Profiler Server]

  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
  snmp-server host 10.100.10.215 RO
  snmp-server enable traps mac-notification
  snmp-server enable traps snmp linkup linkdown

  interface VLAN 30
   ip helper-address 10.100.10.215

NAC Profiler: Query MAC Database After Deploying IEEE 802.1X

1. IEEE 802.1X times out and switch initiates MAB.
2. Cisco Secure Access Control Server (ACS) queries Profiler database using LDAP.
3. Profiler validates MAC address.
4. Cisco Secure ACS sends MAB success.
5. Switch enables port (with optional authorization).

[Figure: switch -> ACS: RADIUS Access Request: 00-18-f8-09-cf-d7; ACS -> NAC Profiler Server: LDAP: 00-18-f8-09-cf-d7; Profiler -> ACS: LDAP Success; ACS -> switch: RADIUS Access Accept; Port Enabled]

  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   authentication port-control auto
   mab

Next Section: Open Mode

IEEE 802.1X and MAB: Open Mode

Open mode (no restrictions)
- IEEE 802.1X and MAB enabled
- Open mode: enabled
- All traffic in addition to EAP is allowed

[Figure: switch port passing DHCP, TFTP, HTTP, and EAP]

RADIUS accounting logs provide visibility
- Passed and failed IEEE 802.1X/EAP attempts
  - List of valid dot1x-capable hosts
  - List of non-dot1x-capable hosts
- Passed and failed MAB attempts
  - List of valid MAC addresses
  - List of invalid or unknown MAC addresses

IEEE 802.1X and MAB: Open Mode

Selectively open access
- Open mode (pin hole)
  - On specific TCP and UDP ports
  - Restrict to specific addresses
- EAP allowed (controlled port)

[Figure: DHCP and PXE reach a specific server through the pin hole; HTTP, TFTP, and other traffic from the host is blocked; EAP passes]

- Pin hole explicit TCP and UDP ports to allow desired access
- Block general access until successful IEEE 802.1X, MAB, or WebAuth

Example: Open Mode on IEEE 802.1X Port with Access Control

[Figure: wired Ethernet end points (IP: 10.100.60.200) on a Cisco Catalyst 6500 Series IEEE 802.1X* Ethernet port; EAP is carried to Cisco Secure ACS and AAA over RADIUS; DHCP and DNS to any; DNS to 10.100.10.116; PXE to the PXE server 10.100.10.117]
Slide source: Ken Hook

Sample open mode configuration:

  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   ip access-group UNAUTH in
   authentication host-mode multi-domain
   authentication open
   authentication port-control auto
   mab

  ip access-list extended UNAUTH
   permit tcp any any established
   permit udp any any eq bootps
   permit udp any host 10.100.10.116 eq domain
   permit udp any host 10.100.10.117 eq tftp

  6506-2#show tcam interface g1/13 acl in ip

  (Before Authentication)
    permit tcp any any established match-any
    permit udp any any eq bootps match-any
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

  (After Authentication)
    permit ip host 10.100.60.200 any
    permit tcp any any established
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

* Works on FlexAuth and MDA enabled ports
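An added example, not from the deck, that evaluates the UNAUTH pre-authentication ACL above against constructed packets from an unauthenticated host, to show what the pin hole admits before IEEE 802.1X or MAB completes and that everything else falls to the implicit deny. The parser covers only the IOS extended-ACL subset this ACL uses (any/host/wildcard addresses, eq ports, established); the packets, the sample host address 10.100.60.200, and the port-name table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Copy of the deck's pre-authentication ACL (the "pin hole" for DHCP, DNS and PXE/TFTP).
UNAUTH_ACL = """
ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
"""

# IOS port keywords used by this ACL plus a few common ones (constructed table).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    tcp_flags: set = field(default_factory=set)


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _take_addr(tok):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tok.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{word}/{netmask}", strict=False)


def _take_port(tok):
    """Consume an optional 'eq <port>' qualifier; returns None when absent."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                          # skip the 'ip access-list extended' header
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport, "established" in rest))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src or ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.sport is not None and pkt.sport != r.sport:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        # 'established' matches TCP segments with ACK or RST set, i.e. not a fresh SYN.
        if r.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return r.action
    return "deny"


def check_samples():
    """Constructed packets from unauthenticated host 10.100.60.200 before 802.1X/MAB succeeds."""
    rules = parse_acl(UNAUTH_ACL)
    samples = {
        "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", dport=67, sport=68),
        "dns_to_allowed_server": Packet("udp", "10.100.60.200", "10.100.10.116", dport=53),
        "dns_to_other_server": Packet("udp", "10.100.60.200", "10.100.10.99", dport=53),
        "pxe_tftp": Packet("udp", "10.100.60.200", "10.100.10.117", dport=69),
        "tftp_to_other_server": Packet("udp", "10.100.60.200", "10.100.10.116", dport=69),
        "http_syn": Packet("tcp", "10.100.60.200", "10.100.10.50", dport=80, tcp_flags={"SYN"}),
        "tcp_reply_existing_session": Packet("tcp", "10.100.60.200", "10.100.10.50", dport=22, tcp_flags={"ACK"}),
    }
    return {name: evaluate(rules, p) for name, p in samples.items()}
```

The "established" entry is worth noticing when reviewing a pre-authentication ACL: it admits any TCP segment with ACK or RST set from the unauthenticated host, so it relies on the network side never completing a handshake with such a host rather than on the host being unable to send ACK-flagged segments.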

Next Section: Flexible Authentication (FlexAuth)

Flexible Authentication

Host roulette: 802.1X client, guest user, valid MAC address, host change, employee, partner, faculty, guest, subcontractor, valid host asset

[Figure: FlexAuth decision flow]
- IEEE 802.1X: EAP credentials sent and validated -> port authorized
- IEEE 802.1X times out or fails -> MAB
- MAB: known MAC -> Access Accept -> port authorized
- MAB: unknown MAC -> Access Accept with URL redirect -> WebAuth

- One configuration addresses all use cases and all host modes
- Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
- Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, and URL

  interface GigabitEthernet1/13
   authentication host-mode multi-domain
   authentication order dot1x mab webauth
   authentication priority dot1x mab webauth
   authentication port-control auto
   dot1x pae authenticator
   authentication violation restrict
   authentication fallback WEB-AUTH
   mab

Benefit: greater flexibility and deterministic behavior
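An added example, not from the deck, that walks the FlexAuth sequence configured above (order dot1x, mab, webauth with a WEB-AUTH fallback) for a few constructed hosts, and shows what the separate priority list is for. The outcome labels and the scenarios are this example's own; the priority rule it encodes (a method earlier in the priority list may take over a session that a later one authorized, never the reverse) is the assumed meaning of authentication priority, which the slide itself does not spell out.

```python
# Configuration from the slide: order and priority both dot1x, mab, webauth.
ORDER = ["dot1x", "mab", "webauth"]
PRIORITY = ["dot1x", "mab", "webauth"]


def run_order(order, results, fallback_webauth=True):
    """Walk the configured order. 'results' maps a method to what the switch observed:
    'success', 'fail', 'timeout' (no supplicant answered) or, for MAB, 'unknown-mac'.
    Returns (authorizing method or None, port state, trace of decisions)."""
    trace = []
    for method in order:
        outcome = results.get(method, "timeout")
        if method == "webauth" and not fallback_webauth:
            trace.append("webauth: no fallback configured, skipped")
            continue
        if outcome == "success":
            trace.append(f"{method}: success -> port authorized")
            return method, "AUTHORIZED", trace
        if method == "mab" and outcome == "unknown-mac":
            trace.append("mab: unknown MAC -> Access-Accept with URL redirect")
        else:
            trace.append(f"{method}: {outcome} -> next method")
    trace.append("all methods exhausted -> port unauthorized")
    return None, "UNAUTHORIZED", trace


def apply_later_result(priority, current, later_method, later_outcome):
    """Priority decides whether a method that succeeds after the port is already authorized
    takes over the session: a higher-priority method (earlier in the list) does, a
    lower-priority one does not (assumed semantics of 'authentication priority')."""
    if later_outcome != "success":
        return current
    if current is None:
        return later_method
    return later_method if priority.index(later_method) < priority.index(current) else current


def scenarios():
    """Constructed hosts: a guest, a printer known by MAC, an employee, and bad credentials."""
    guest = run_order(ORDER, {"dot1x": "timeout", "mab": "unknown-mac", "webauth": "success"})
    printer = run_order(ORDER, {"dot1x": "timeout", "mab": "success"})
    employee = run_order(ORDER, {"dot1x": "success"})
    bad_creds = run_order(ORDER, {"dot1x": "fail", "mab": "unknown-mac", "webauth": "fail"})
    # Device authorized by MAB; an 802.1X supplicant on it later succeeds and takes over.
    upgraded = apply_later_result(PRIORITY, printer[0], "dot1x", "success")
    # Employee authorized by 802.1X; a later MAB success must not displace that session.
    kept = apply_later_result(PRIORITY, employee[0], "mab", "success")
    return {"guest": guest[0], "printer": printer[0], "employee": employee[0],
            "bad_creds": bad_creds[1], "upgraded": upgraded, "kept": kept,
            "guest_trace": guest[2]}
```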

Next Section: IP Telephony Integration

IP Telephony (IPT) and IEEE 802.1X: Fundamental Challenges

1. One device per port
2. IEEE 802.1X machine state depends on link state

"The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." (IEEE 802.1X, Revision 2004)

[Figure: Catalyst 3750 Series switch with an IP phone and a PC sharing one port]
1. Two devices per port -> security violation
2. PC link state is unknown to switch

IPT breaks the point-to-point model

Multidomain Authentication (MDA): Solving the Two-Devices-per-Port Problem

  IEEE 802.1X   Single device per port
  MDA           Single device per domain per port

[Figure: Catalyst 3750 Series switch port with two domains]
- Voice domain: phone authenticates in the voice domain and tags traffic in the voice VLAN ID (VVID), IEEE 802.1q
- Data domain: PC authenticates in the data domain; untagged traffic in the port VLAN ID (PVID)
- Two domains per port

- MDA replaces Cisco Discovery Protocol bypass
- Supports Cisco and third-party phones
- Phones and PCs use IEEE 802.1X or MAB

MDA for Cisco IP Phones

[Figure: phone with no supplicant talks Cisco Discovery Protocol; PC with SSC talks EAP; switch sends Access Request: Phone MAC and receives Access Accept: Phone VSA]

  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   dot1x pae authenticator
   mab

1. Phone learns VVID from Cisco Discovery Protocol.
2. IEEE 802.1X times out.
3. Switch initiates MAB for phone's MAC.
4. Cisco Secure ACS returns Access Accept with Vendor Specific Attribute (VSA) for phones (device-traffic-class=voice).
5. Switch allows phone traffic on either VLAN until phone sends tagged packet; then only voice VLAN traffic is allowed.
6. Asynchronously, PC authenticates using IEEE 802.1X or MAB. Authenticated PC traffic is allowed on the data VLAN only.

MDA in Action

  3750-1(config-if)#do sh dot1x int G1/0/5 details
  <...>
  Dot1x Authenticator Client List
  -------------------------------
  Domain                = DATA
  Supplicant            = 0014.5e42.66df
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x
  Authorized By         = Authentication Server

  Domain                = VOICE
  Supplicant            = 0016.9dc3.08b8
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = MAB
  Authorized By         = Authentication Server

IPT and IEEE 802.1X: The Link-State Problem

1. Legitimate users cause security violation
[Figure: port authorized for 0011.2233.4455 only; PC A (S:0011.2233.4455) behind the phone is replaced by PC B (S:6677.8899.AABB) -> security violation]

2. Hackers can spoof MAC address to gain access without authenticating
[Figure: a second device behind the phone sends frames with S:0011.2233.4455, the authorized MAC -> security hole]

Previous Solution: Proxy EAPoL Logoff

[Figure: PC A (SSC) behind a Cisco IP phone on a Catalyst 3750 Series port]
  Domain                = DATA
  Supplicant            = 0011.2233.4455
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x

PC A unplugs: phone sends EAPoL Logoff on the PC's behalf; session cleared immediately by proxy EAPoL logoff
  Domain                = DATA
  Port Status           = UNAUTHORIZED

PC B (SSC) plugs in and authenticates
  Domain                = DATA
  Supplicant            = 6677.8899.AABB
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x

Caveats: only for IEEE 802.1X devices behind phone
Requires: logoff-capable phones

Previous Solution: MAB Inactivity Timeout

  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   authentication timer inactivity 300
   mab

[Figure: device behind a Cisco IP phone on a Catalyst 3750 Series port]
  Domain                = DATA
  Supplicant            = 0011.2233.4455
  Port Status           = AUTHORIZED
  Authentication Method = MAB

Device unplugs: session remains; vulnerable to security violations and holes
  Domain                = DATA
  Supplicant            = 0011.2233.4455
  Port Status           = AUTHORIZED
  Authentication Method = MAB

Inactivity timer expires: session cleared and vulnerability closed
  Domain                = DATA
  Port Status           = UNAUTHORIZED

Caveats:
- Quiet devices may have to reauthenticate; network access denied until reauthentication completes
- Still a window of vulnerability

NEW
New Solution: Cisco Discovery Protocol Host Connect TLV

[Figure: device A behind a Cisco IP phone on a Catalyst 3750 Series port]
  Domain                = DATA
  Supplicant            = 0011.2233.4455
  Port Status           = AUTHORIZED
  Authentication Method = MAB

Device A unplugs: phone sends Link Down TLV to switch (Cisco Discovery Protocol Link Down); session cleared immediately
  Domain                = DATA
  Port Status           = UNAUTHORIZED

Device B (SSC) plugs in
  Domain                = DATA
  Supplicant            = 6677.8899.AABB
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x

- Link status message addresses root cause
- Session cleared immediately
- Works for MAB and IEEE 802.1X
- Nothing to configure
- Cisco on Cisco value

IP Telephony Integration: Summary

Use case: PC disconnect behind an IP phone
- Cisco Discovery Protocol notification
- EAPOL logoff supplicant
- Inactivity timers

- Allows Cisco and third-party IP phones without supplicants to be identified and authenticated
- First-hop switch snoops protocols
- First-hop switch proxies requests to authentication service

Customer benefits
- Allows more devices to participate in the identity network
- Eliminates capital and operating expenses for upgrade and replacement of all IP phones

Main Points

- Cisco Identity-Based Networking Services (IBNS) provides a security foundation for customers
- New Cisco IBNS features simplify deployments and operations

Additional Resources

Cisco IBNS Website: http://www.cisco.com/go/ibns

Products:
- Cisco Catalyst 6500 Series Switches: http://www.cisco.com/go/6500
- Cisco Catalyst 4500 Series Switches: http://www.cisco.com/go/4500
- Cisco Catalyst 3750 Series Switches: http://www.cisco.com/go/3750
- Cisco Catalyst 3560 Series Switches: http://www.cisco.com/go/3560
- Cisco Catalyst 2960 Series Switches: http://www.cisco.com/go/2960