
Deploying 802.1X

BRKCAM-2007

Luc Billot
lbillot@cisco.com
2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Deploying 802.1X in Enterprise Campus


This session covers the principles and design aspects of identity-based networking based on the IEEE 802.1x standard, which allows enterprise network administrators to explicitly control who and what gets on their networks. Identity services are technology solutions with tools to improve the security of physical and logical access to LANs. The Cisco Identity Based Networking Services (IBNS) solution incorporates all of the capabilities defined in 802.1x and provides enhancements and extensions for improving identity-based access control. Important extensions discussed include the ability to interoperate with IP telephony and the ability to track when and where anyone gets onto an enterprise network. Identity services are a requisite technology for network admission control (NAC). It is recommended that those attending have at least an introductory knowledge of campus network design and a good understanding of the basic network security principles and protocols such as RADIUS.


Who am I


Overview and Agenda


Network Access
Default Functionality
Deployment Considerations
Reporting and Monitoring
Deployment Case Study


What We Wont Be Covering


AAA authentication on routers
IPSec authentication
In-depth concepts on identity management and single sign-on (upper layer identity)
Specific Extensible Authentication Protocol (EAP) methods
X.509 certificates and PKI
WLAN


First Networkers with IPv6 over Wireless


SSID: NW08
Stateless Autoconfiguration + Optional Stateless DHCPv6

IPv6 connectivity offered by http://www.space.net
See case study CCS-2002, Tuesday 12:15

Participate at the Deploying IPv6 BoF, Thursday 11:00
Let's talk about it on: http://networkers.intronetworks.com
Some statistics on http://www.cisconetworkers6.com
Best effort only, this is the first Networkers with IPv6


Network Access


Basic Identity Concepts


What is an identity?
An indicator of a client in a trusted domain; typically used as a pointer to a set of rights or permissions; allows us to differentiate between clients

What does it look like?


Can look like anything: lbillot@cisco.com, Luc Billot, 00-0c-14-a4-9d-33

How do we use identities?


Used to provide authorizations (rights) to services within a domain; services are arbitrary and can happen at any layer of the OSI model


What Is Authentication?
The process of establishing and confirming the identity of a client requesting services
Authentication is only useful if used to establish corresponding authorization
The model is very common in everyday scenarios:
"I'd like to withdraw $200.00 please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here's your money."

An Authentication System Is Only as Strong as the Method of Verification Used



Identity and Authentication Are Important?


Applying the Authentication Model to the Network

"I'd like to connect to the network." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here you go."


Network Access Control Model

Request for Service (Connectivity)

Backend Authentication Support

Identity Store Integration

LAN media independence
User authentication
Device authentication


Default Functionality


Identity-Based Networking Services (IBNS)


General identity and authentication space: MAC Auth, IEEE 802.1X, Web Auth

AAA, policy management, provisioning, troubleshooting, compliance reporting


IEEE 802.1X
Standard set by the IEEE 802.1 working group
A framework designed to address and provide port-based access control using authentication
Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure connection
Actual enforcement is via MAC-based filtering and port-state monitoring

General Description: IEEE 802.1X Terminology

[Diagram: the Supplicant speaks EAP over LAN (EAPOL) or EAP over Wireless (EAPOW) to the Authenticator (e.g. switch, access point); the Authenticator relays the EAP exchange to the Authentication Server over RADIUS.]


802.1X Port Access Control Model


Supplicant: desktop/laptop, IP phone, WLAN AP, switch
Request for Service (Connectivity)

Authenticator: switch, router, WLAN AP
Backend Authentication Support

Authentication Server: IAS, ACS, any IETF RADIUS server
Identity Store Integration

Identity Store/Management: MS AD, LDAP, NDS, ODBC

Extensible Authentication Protocol (EAP)


A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
EAP provides a flexible link layer security framework:
Simple encapsulation protocol
No dependency on IP
Few link layer assumptions
Can run over any link layer (PPP, 802, etc.)
Assumes no reordering
Can run over lossy or lossless media

Originally specified in RFC 2284, obsoleted by RFC 3748



What Does EAP Do?


Transports authentication information in the form of EAP payloads
Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges
Prevalent EAP types:
EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS)
EAP-FAST (RFC 4851): designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)

On the LAN segment: Ethernet Header | 802.1X Header | EAP Payload
Between authenticator and authentication server: IP Header | UDP | RADIUS | EAP Payload
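The two encapsulations listed above are easiest to understand by decoding actual bytes. The Python below is an added example, not code from the session or from Cisco: it builds a constructed EAPOL-Start / EAP-Request-Identity / EAP-Response-Identity / EAP-Success exchange (using the identity lbillot@cisco.com and the MAC 00-0c-14-a4-9d-33 from an earlier slide, the 01:80:c2:00:00:03 PAE group address, and a made-up switch MAC) and parses each frame back into the Ethernet, 802.1X and EAP header fields an authenticator inspects. Truncated frames and inconsistent length fields are rejected instead of being read past the end of the packet.

```python
import struct

# Constants from IEEE 802.1X and RFC 3748 (EAP); nothing here is Cisco-specific.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"      # destination of EAPOL frames, as on the slides
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol_frame(src, dst, eapol_type, body=b""):
    """Ethernet header + EAPOL header (protocol version 1) + body."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def parse_eapol_frame(frame):
    """Decode Ethernet + EAPOL + (for EAP-Packet) the EAP header; ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype, version, eapol_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    parsed = {"src": src, "dst": dst, "eapol_version": version,
              "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type), "eap": None}
    if eapol_type != 0:                      # Start/Logoff/Key frames carry no EAP packet
        return parsed
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length inconsistent with EAPOL body")
    eap = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": identifier, "type": None, "data": b""}
    if code in (1, 2):                       # only Request/Response carry a Type field
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type")
        eap["type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
        eap["data"] = body[5:eap_len]
    parsed["eap"] = eap
    return parsed


# Constructed sample exchange: supplicant MAC from the slide, switch MAC made up for the example.
SUPPLICANT_MAC, SWITCH_MAC = "00:0c:14:a4:9d:33", "00:11:22:33:44:55"
SAMPLE_EXCHANGE = [
    build_eapol_frame(SUPPLICANT_MAC, PAE_GROUP_ADDRESS, 1),                       # EAPOL-Start
    build_eapol_frame(SWITCH_MAC, PAE_GROUP_ADDRESS, 0, build_eap(1, 1, 1)),         # EAP-Request/Identity
    build_eapol_frame(SUPPLICANT_MAC, PAE_GROUP_ADDRESS, 0,
                      build_eap(2, 1, 1, b"lbillot@cisco.com")),                   # EAP-Response/Identity
    build_eapol_frame(SWITCH_MAC, PAE_GROUP_ADDRESS, 0, build_eap(3, 2)),            # EAP-Success
]


def describe_exchange(frames):
    """One summary line per frame, the way a packet capture would list them."""
    lines = []
    for f in frames:
        p = parse_eapol_frame(f)
        if p["eap"] is None:
            lines.append("%s -> %s  %s" % (p["src"], p["dst"], p["eapol_type"]))
        else:
            e = p["eap"]
            label = "EAP-%s" % e["code"] + ("/%s" % e["type"] if e["type"] else "")
            lines.append("%s -> %s  %s id=%d %s" % (p["src"], p["dst"], label, e["id"],
                                                    e["data"].decode("ascii", "replace")))
    return lines


if __name__ == "__main__":
    print("\n".join(describe_exchange(SAMPLE_EXCHANGE)))
```

Note that the EAP Identifier is the only thing tying a Response to its Request; the switch tracks it per port, which is why the switch is "aware of what's going on" even though it does not interpret the method-specific data.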



Choosing An EAP Type


Enterprise security policy
Are there requirements that drive a particular type? Requirements such as two-factor authentication may drive the choice of EAP-TLS

Supplicant support
Windows XP-Vista supports EAP-TLS, PEAP w/EAP-MSCHAPv2
3rd party supplicants support a large variety of EAP types

RADIUS server support
RADIUS servers support a large variety of EAP types, but not all

Authentication store
PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format
Not every identity store supports all the EAP types

The customer's choice of EAP type drives every other component



How Is RADIUS Used Here?


RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
IP Header | UDP Header | RADIUS Header | EAP Payload

RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs

Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580



A Closer Look: 802.1X, STP

Port Unauthorized

Cisco IOS:
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 dot1x port-control auto


A Closer Look: 802.1X, STP

Supplicant <-- 802.1X (EAPOL) --> Switch <-- RADIUS --> AAA Server

Port Unauthorized
EAPOL-Start (supplicant to switch)
EAP-Identity-Request (switch to supplicant)
EAP-Identity-Response (supplicant to switch)
EAP-Auth Exchange (EAP method dependent), relayed by the switch as an auth exchange with the AAA server
Authentication Successful/Rejected plus Policy Instructions (AAA server to switch)
EAP-Success/Failure (switch to supplicant)
Port Authorized
EAPOL-Logoff (supplicant to switch)
Port Unauthorized

The actual authentication conversation is between the client and the auth server using EAP; the switch is an EAP conduit, but aware of what's going on.

Authenticating Without 802.1X


802.1X is the recommended port-based authentication method at the access layer. But there will always be clients that cannot do 802.1X:
Managed devices: e.g. corporate printers
Unmanaged devices: e.g. contractor PC

Two methods to authenticate without 802.1X: MAC Authentication and Web Authentication.


MAC Authentication Bypass (MAB)


Printer with no supplicant ("EAP who?")

Port Unauthorized
EAP-Identity-Request (x3, switch to printer), no response
Authenticate the printer's MAC (switch to AAA server)
Authentication Successful/Rejected plus Policy Instructions (AAA server to switch)
Port Authorized


Web Authentication
Guest with no supplicant ("EAP who?")

Port Unauthorized
EAP-Identity-Request (x3, switch to guest), no response
Guest browses to HTTP://www.acme.com; switch redirects to HTTP://loginpage.html
Guest enters Username, Password
Authenticate Username/Password (switch to AAA server)
Authentication Successful/Rejected plus Policy Instructions (AAA server to switch)
Port Authorized

Default Security and Operation


Default Security of 802.1X


For each 802.1X switch port, the switch creates two virtual access points at each port
The controlled port is open only when the device connected to the port has been authorized by 802.1X

Controlled port
Uncontrolled port (EAPOL)

The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only


Default Security of 802.1X

End-station 00-01-76-48-90-ff on the wire, unknown to the switch

Before 802.1X authentication:
MAC address of the end-station is unknown
Spanning-tree is not in a forwarding state for the switch port
No traffic can be processed by the switch CPU with the exception of EAPOL

802.1X state machine is directly reliant on the link state of the port


Default Security of 802.1X


IOS: dot1x port-control auto
Result: permit only 00-01-76-48-90-ff

After 802.1X authentication:
MAC address of the authenticated end-station is known
Only that one MAC address is allowed (single-auth mode)
Network cannot be compromised by a non-802.1X client or a different 802.1X client seen on the wire

Single-auth mode ensures the validity of the authenticated session



Default Security of 802.1X

Authenticated station 00-01-76-48-90-ff; a second station 00-67-e5-bb-45-21 appears on the wire

Additional MAC addresses on the wire are treated as a security violation
This includes VMware type devices
This includes machines that attempt to transmit gratuitous ARP frames
Note: any other type of data transmission or network attack is not within the scope of the 802.1X standard, nor the default deployment on a switch

Modifying Default Security of 802.1X


IOS: dot1x host-mode multi-host
Result: 00-01-76-48-90-ff authenticated; permit all other MACs (e.g. 00-67-e5-bb-45-21)

What if the physical topology does not allow a point-to-point connection? (e.g. hub in a conference room)
Multi-host mode: use 802.1X to authorize the port only
Any number of unauthenticated stations is subsequently allowed on the wire

Securing 802.1X in Multi-host Mode


IOS:
dot1x host-mode multi-host
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 2
Result: permit only 00-01-76-48-90-ff and 00-67-e5-bb-45-21

Recommendation:
Use 802.1X to authorize the port
Use port-security to limit the number of other devices allowed on the wire

Non-802.1X Client: No EAPOL

802.1X process:
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
2. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
3. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response

Any 802.1X-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not)
No network access is given if the switch does not receive an EAPOL identity-response
The whole process restarts after a hold timer
The process can start again if a supplicant appears on the port and sends an EAPOL-Start

Deployment Considerations


IBNS Deployment Considerations


Authentication and Endpoint Considerations
802.1X and Microsoft Windows
Authorization
Non-802.1X Clients & Guests
Failed Access Handling
RADIUS Availability
IP Telephony
Other Considerations


802.1X Authentication Database


Where is the single source of authentication credentials for the enterprise? Do you have to build new or extend trust between databases? Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases


802.1X Supplicant Support


802.1X requires client-side code (supplicant code)
Growing support for supplicants in the industry:
Microsoft: native in Win2K, XP, Vista and 2003
Open source: Open1x xsupplicant for UNIX/Linux platforms
Apple: native OS X support
Cisco Secure Services Client (CSSC), from the Meetinghouse acquisition: support for Win2K, WinXP
CSSC 4.1: free wired-only version on CCO (EAP-FAST only)
CSSC 5.x: full supplicant available; used within ACU for the wireless client

Supplicant Considerations
Microsoft Windows:
User and machine authentication
DHCP request time out
Machine authentication restriction
Default methods: MD5 (XP only), PEAP, EAP-TLS

Unix/Linux considerations:
Open source: xsupplicant project (University of Utah), available from http://www.open1x.org
Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Native Apple supplicant support in OS X 10.3:
802.1X is turned off by default!
Default parameters: TTLS, LEAP, PEAP, MD5, FAST supported
Support for airport and wired interfaces
Single sign-on can be accomplished with AppleScripts (test carefully)

IBNS Deployment Considerations: 802.1X and Microsoft Windows

Why You Care About GPO Interoperability


Many customers use Windows systems (mostly Windows 2000, Windows XP, Windows Server 2003) as their core computing system
A Group Policy Object (GPO) is one of the most common methods of system compliance and security enforcement in a Windows environment
Common GPO use cases:
Network device mapping
Applying logon/logoff scripts to workstations
Batch mechanism to trigger applications
Security compliance enforcement such as password rules, etc.

What Is Group Policy


Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment
Types of Group Policy:
Registry-based policy
Security options
Software installation and maintenance options
Scripts options
Folder redirection options


Windows Logon Procedure and Network Connectivity Dependency


[Startup flow, network not required: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading]

[Network dependency, machine context: Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update]

GINA

[Network dependency, user context: Kerberos Authentication (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB)]

GPO Network Dependency


Successful GPO loading for both machine and user GPOs (without 802.1X involvement) requires the following elements:
1. Valid and routable IP address and connectivity to AD
2. Windows startup serialization (predictable Windows startup events)
3. Fallback mechanism (timeout mechanism, local logon, periodic policy refresh, etc.)

Key protocol conversations during the Windows startup process:
1. Addressing (DHCP)
2. Site and domain determination (DNS, LDAP)
3. Secure channel establishment to AD (SMB)
4. Authentication (Kerberos)
5. Time synchronization (NTP)
6. Policy application (LDAP, SMB)

Unstable network connectivity introduces instability in the policy loading process



802.1X and Windows Logon Procedure


Recall Default Security of 802.1X:
No network connectivity until successful authentication.

Windows Logon Process and 802.1X are not serialized at all for Windows 2000, XP, 2003, or Vista
802.1X may break Windows Logon sequence at some points

Additional complications:
Two authentication contexts to consider: machine and user
Dynamic VLAN assignment may introduce additional network initialization, impacting the Windows logon sequence (Windows 2000 and XP were never designed to handle this event)

Clear understanding and proper design is required for successful 802.1X deployments.

Introduction of 802.1X to Windows Logon/Startup Procedure


[Startup flow with 802.1X: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading; 802.1X Machine Auth; Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update; GINA; 802.1X User Auth; Kerberos Auth (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB)]

The start of 802.1X auth may vary among supplicants
The network-dependent components above are in a race condition with 802.1X auth

Successful 802.1X/GPO Interoperability Key Conditions


802.1X Machine Authentication:
Should always start as soon as device drivers are initialized and be completed before GINA is displayed to the user
IP connectivity (DHCP, RARP) is always established right after successful authentication
Logon process (domain lookup, SChannel, Kerberos auth, etc.) needs to be on hold until network connectivity is established, and completed before GINA is displayed to the user

802.1X User Authentication:
Should always start right after the user provides credentials to GINA and submits
IP connectivity (DHCP, RARP) is always established right after successful authentication
Logon process (domain lookup, SChannel, Kerberos auth, etc.) needs to be on hold until network connectivity is established

Ideal Sequence of 802.1X/ Logon Serialization


[Ideal serialized flow: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading; 802.1X Machine Auth (start to end); Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update; GINA; 802.1X User Auth + network connectivity (start to end); Kerberos Auth (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB)]

Start / end of 802.1X authentication is marked in the flow; every component after each mark depends on network connectivity



Current 802.1X/Winlogon Interoperability with Supplicants


Supplicants may create a race condition between 802.1X authentication and the Windows logon process
Appropriate configuration/conditions/changes on the Windows system are required to minimize the possible risk of a race condition
100% interoperability/serialization is not guaranteed yet


Microsoft Issues with DHCP


DHCP is a parallel event, independent of 802.1X authentication
With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)
This produces a problem if not properly planned
DHCP starts once the interface comes up
If 802.1X authentication takes too long, DHCP may time out

[Timeline: Power Up; Load NDIS Drivers; 802.1X Auth (variable timeout) running in parallel with DHCP (timeout at 62 seconds); Setup Secure Channel to DC; Present GINA (Ctrl-Alt-Del); Login]


Microsoft Fixes
Windows XP: install Service Pack 1a + KB 826942
Windows 2000: install Service Pack 4

Sequence between supplicant, authenticator and authentication server:
Login request; the supplicant sends credentials
Authenticator forwards credentials to the ACS server
Auth successful (EAP-Success) with VLAN assignment; authenticator sends Accept to the supplicant
ICMP Echo (x3) for the default GW from the old IP as soon as the EAP-Success frame is received
DHCP-Request (D=255.255.255.255) after the pings have gone unanswered
DHCP-NAK (wrong subnet)
DHCP-Discover (D=255.255.255.255)
At this point, DHCP proceeds normally



802.1X and Windows Recommendations


Start simple with authentication
Consider machine authentication only
You need to manage auth behavior on XP/2000 via registry keys:
http://support.microsoft.com/kb/309448/en-us
http://www.microsoft.com/technet/network/wifi/wififaq.mspx

Use the automatic provisioning built into AD if possible
Machines are provisioned automatically with a machine password
Can have certificates automatically provisioned via AD GPOs


IBNS Deployment Considerations: Authorization

Authorization
Authorization is the ability to enforce policies on identities
Typically policies are applied using a group methodology, which allows for easier manageability
The goal is to take the notion of group management and policies into the network
The most basic authorization in 802.1X and IBNS is the ability to allow or disallow access to the network at the link layer
Other forms of authorization include VLAN assignment, ACL assignment, 802.1X with ARP inspection, etc.

802.1X with VLAN Assignment


Dynamic VLAN assignment based on the identity of a group, or individual, at the time of authentication
VLANs assigned by name, which allows for more flexible VLAN management
Allows dynamic VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.)
Tunnel attributes are used to send VLAN configuration information back to the authenticator
Tunnel attributes are defined by RFC 2868
Usage for VLANs is specified in the 802.1X standard
Remember the implications of VLAN assignment when doing machine and user authentication

802.1X with VLAN Assignment


AV pairs used (all are IETF standard):
[64] Tunnel-Type = VLAN (13)
[65] Tunnel-Medium-Type = 802 (6)
[81] Tunnel-Private-Group-ID = <VLAN name>, e.g. Marketing

IOS: aaa authorization network default group radius

The VLAN name must match the switch configuration
A mismatch results in authentication/authorization failure
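The RADIUS side of the "How Is RADIUS Used Here?" and "802.1X with VLAN Assignment" slides (EAP carried in EAP-Message, policy carried back as tunnel AV pairs), as an added example that is not part of the session or of any Cisco code. It constructs an Access-Accept carrying EAP-Success and the three tunnel attributes with tag 1, verifies both the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579) against the shared secret the way an authenticator must before trusting the policy, and then derives the VLAN name, treating a name absent from the switch's configured VLAN set as the authorization failure the slide describes. The shared secret, Request Authenticator, VLAN names and function names are constructed for this example.

```python
import hashlib
import hmac
import struct

# Attribute numbers and values from RFC 2865 (RADIUS), RFC 2868 (tunnel attributes)
# and RFC 3579 (RADIUS support for EAP). Nothing here is Cisco-specific.
ACCESS_ACCEPT = 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def _attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_accept(identifier, request_authenticator, secret, vlan_name, tag=1):
    """Constructed Access-Accept: EAP-Success in EAP-Message plus the three tunnel attributes.
    Both integrity fields are computed as RFC 2865 / RFC 3579 specify."""
    eap_success = struct.pack("!BBH", 3, identifier, 4)            # EAP code 3 = Success
    attrs = (_attr(EAP_MESSAGE, eap_success)
             + _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode())
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))            # zeros while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def parse_attributes(packet):
    """Walk the TLV attribute list after the 20-byte header; raise on malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], pos, packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def verify_response(packet, request_authenticator, secret):
    """Authenticator-side check of a RADIUS response: Response Authenticator (RFC 2865) and
    Message-Authenticator (RFC 3579, mandatory when EAP-Message is present)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    for attr_type, pos, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:pos - 20 + 2] + bytes(16) + body[pos - 20 + 18:]
            mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return False            # an EAP response without Message-Authenticator must be discarded


def tagged(value):
    """RFC 2868: the first octet is a tag only if it is 0x00..0x1F; otherwise it is data."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)


def assigned_vlan(attrs, configured_vlans):
    """Return ("absent", None), ("assigned", name) or ("mismatch", None) from the tunnel attributes."""
    groups = {}
    for attr_type, _, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = tagged(value)
            groups.setdefault(tag, {})[attr_type] = data
    if not groups:
        return "absent", None
    for tag in sorted(groups):                      # lowest tag wins if several are present
        g = groups[tag]
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_802):
            name = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
            if name in configured_vlans:
                return "assigned", name
    return "mismatch", None


def authorize_from_accept(packet, request_authenticator, secret, configured_vlans):
    """Decision the switch makes: integrity first, then the EAP result, then the VLAN policy."""
    if not verify_response(packet, request_authenticator, secret):
        return {"authorized": False, "vlan": None, "reason": "integrity check failed"}
    attrs = parse_attributes(packet)
    eap = b"".join(v for t, _, v in attrs if t == EAP_MESSAGE)    # fragments concatenate in order
    if len(eap) < 4 or eap[0] != 3:
        return {"authorized": False, "vlan": None, "reason": "no EAP-Success"}
    status, vlan = assigned_vlan(attrs, configured_vlans)
    if status == "mismatch":
        return {"authorized": False, "vlan": None, "reason": "VLAN not configured on switch"}
    return {"authorized": True, "vlan": vlan, "reason": "authorized"}
```

The order of the checks is the point: a forged or replayed Accept carrying a VLAN the attacker wants is rejected on the integrity check before its attributes are ever read, and an Accept with no tunnel attributes at all leaves the port in its default VLAN, which is the optional nature of VLAN assignment the next slide stresses.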

Authorization Recommendations
Everyone thinks they want to do VLAN assignment
VLAN assignment is completely optional

Ask yourself if the driver is to separate users
Most people do not have this requirement; they just want validation that the PC or user connecting to the network is known
Leave the port in its default VLAN or assign the VLAN during machine authentication if possible


IBNS Deployment Considerations: Non-802.1X Clients & Guests

Handling Non-802.1X Clients & Guests Deployment Options


1) Authenticate via a less-secure method
MAC Auth Bypass
Web Auth (client must have a browser)

2) Give them limited access after timeout
Guest VLAN

3) Allow WLAN access instead of wired
WLAN is a great way to do guest access if available


MAC Authentication Bypass (MAB)


Client with no supplicant, MAC 00.0a.95.7f.de.06

Dot1x/MAB:
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
2. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
3. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
4. After 30 seconds: EAPOL-Timeout, initiate MAB
5. Variable: learn MAC

RADIUS:
6. RADIUS-Access Request for the learned MAC
7. RADIUS-Access Accept
8. Port Enabled

IOS: Switch(config-if)# dot1x mac-auth-bypass

Web-based Proxy Authentication


No EAPOL from the client; 802.1X process and RADIUS process:

1. 802.1X timeouts
2. Client initiates connection, which activates the port authentication state machine; the switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
3. Switch port relays the DHCP address from the DHCP server
4. User starts a web browser and initiates a web connection
5. Switch port redirects the URL and presents an HTTP form prompting for userid/password; the user enters credentials, which are checked against the RADIUS DB via PAP; if authenticated, the switch port is opened for normal network access


802.1X with Guest VLAN

802.1X process with a client that never answers:
1. Upon link up: EAP-Identity-Request, D = 01.80.c2.00.00.03
2. After 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03
3. After 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03
4. After 30 seconds: EAP-Success, D = 01.80.c2.00.00.03; port deployed into the Guest VLAN

Note: the timer values displayed above are the defaults and can be tuned

Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
No further security or authentication is applied. It's as if the administrator de-configured 802.1X and hard-set the port into the specified VLAN

MAB and Web-Auth


These features work together:
802.1X timeout, then MAB, then Web-Auth if MAB fails

Determine what features you want to use based on your operations
Be VERY careful tweaking timers.
You don't want an 802.1X-capable machine to do MAB or Web-Auth before 802.1X can respond to the EAPOL Identity requests


MAB and Guest VLAN


These features work together:
802.1X timeout, then MAB, then Guest VLAN if MAB fails

Determine what features you want to use based on your operations
Be very careful tweaking timers
You don't want an 802.1X-capable machine to do MAB or Guest VLAN before 802.1X can respond to the EAPOL Identity requests
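To make the timer caveat concrete, here is an added Python model (not from the session or from Cisco) of the identity-request schedule shown on the MAB and Guest VLAN slides: a request at link-up and one every tx-period, max-reauth-req retries, then EAPOL timeout followed by MAB and a fallback. The PortConfig/Endpoint names, the endpoints and the MAB database are constructed for the example; an EAPOL-Start from a late supplicant and the variable MAC-learning delay are left out of the model. It shows that a supplicant that can answer 45 seconds after link-up still authenticates with the default timers (requests at 0, 30 and 60 s) but lands in the guest VLAN when tx-period is cut to 5 s, and computes the smallest tx-period that keeps such a host on 802.1X.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    tx_period: int = 30              # dot1x timeout tx-period: seconds between EAP-Request/Identity frames
    max_reauth_req: int = 2          # dot1x max-reauth-req: retries after the first request (3 frames total)
    mab: bool = False                # dot1x mac-auth-bypass enabled
    fallback: Optional[str] = None   # "guest-vlan" or "web-auth" when MAB is off or fails


@dataclass
class Endpoint:
    mac: str
    supplicant_ready_at: Optional[int]   # seconds after link-up when the supplicant can answer; None = none


def identity_request_times(cfg):
    """When the switch transmits EAP-Request/Identity: at link-up, then once per tx-period."""
    return [n * cfg.tx_period for n in range(cfg.max_reauth_req + 1)]


def eapol_timeout(cfg):
    """The switch declares 802.1X timed out one tx-period after the last identity request."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def simulate_port(cfg, endpoint, mab_database):
    """Replay the slide's timeline for one endpoint and report how the port ends up authorized."""
    log = []
    for t in identity_request_times(cfg):
        log.append((t, "EAP-Request/Identity sent"))
        if endpoint.supplicant_ready_at is not None and endpoint.supplicant_ready_at <= t:
            log.append((t, "EAP-Response/Identity received; 802.1X exchange proceeds"))
            return {"method": "802.1X", "at": t, "log": log}
    t = eapol_timeout(cfg)
    log.append((t, "EAPOL timeout"))
    if cfg.mab:
        log.append((t, "MAB: RADIUS Access-Request for %s" % endpoint.mac))
        if endpoint.mac in mab_database:
            log.append((t, "RADIUS Access-Accept"))
            return {"method": "MAB", "at": t, "log": log}
        log.append((t, "RADIUS Access-Reject"))
    if cfg.fallback:
        log.append((t, "port placed in %s" % cfg.fallback))
        return {"method": cfg.fallback, "at": t, "log": log}
    log.append((t, "port stays unauthorized"))
    return {"method": None, "at": t, "log": log}


def min_tx_period(slowest_supplicant_seconds, max_reauth_req):
    """Smallest tx-period for which the last identity request is still sent after the slowest
    supplicant is ready, so 802.1X-capable hosts never fall through to MAB or the guest VLAN."""
    if max_reauth_req < 1:
        raise ValueError("at least one retry is needed to reach a supplicant that is late")
    return -(-slowest_supplicant_seconds // max_reauth_req)      # ceiling division


# Constructed endpoints: a printer without a supplicant (MAC from the MAB slide) and a laptop
# whose supplicant is only up 45 seconds after link (MAC from the identity slide).
PRINTER = Endpoint("00:0a:95:7f:de:06", None)
LAPTOP = Endpoint("00:0c:14:a4:9d:33", 45)
KNOWN_MACS = {"00:0a:95:7f:de:06"}
DEFAULTS = PortConfig(mab=True, fallback="guest-vlan")
AGGRESSIVE = PortConfig(tx_period=5, max_reauth_req=1, mab=True, fallback="guest-vlan")

if __name__ == "__main__":
    for cfg in (DEFAULTS, AGGRESSIVE):
        for ep in (PRINTER, LAPTOP):
            r = simulate_port(cfg, ep, KNOWN_MACS)
            print("tx-period=%d max-reauth-req=%d %s -> %s at %ds" % (cfg.tx_period, cfg.max_reauth_req,
                                                                      ep.mac, r["method"], r["at"]))
    print("minimum tx-period for a 45 s supplicant with 2 retries:", min_tx_period(45, 2))
```

With the aggressive timers the laptop is not in the MAB database, so it is rejected by MAB and dropped into the guest VLAN at 10 seconds; with min_tx_period(45, 2) = 23 the third request goes out at 46 seconds and the laptop stays on 802.1X.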


IBNS Deployment Considerations: Failed Access Handling

The Problem? Authentication Failures

Supplicant (Client) <-- 802.1X --> Authenticator (Switch) <-- RADIUS --> Authentication Server (AAA/ACS)

1. EAPOL-Start* (supplicant to switch)
2. EAP-Identity-Exchange (supplicant and switch)
3. RADIUS-Access-Request (switch to AAA server)
4. EAP-Data-Request (AAA server to supplicant, relayed by the switch)
5. EAP exchange and further RADIUS-Access-Requests (method dependent)
6. RADIUS-Reject (AAA server to switch)
7. EAPOL-Failure (switch to supplicant)
Result: the port never grants access

*Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange is dependent on the method

Why Auth Fail VLAN?


Two 802.1X clients failing authentication: "Certificate expired!" and "User unknown!"

Employees' credentials expire or are entered incorrectly
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default
Many enterprises require that guests and failed corporate assets get conditional access to the network:
Re-provision credentials through a web proxy or VPN tunnel
Provide guest access through VLAN assignment or web proxy

The Solution? Auth-Fail VLAN

IOS (interface configuration):
  dot1x auth-fail vlan 50

Supplicant (Client) --802.1X-- Authenticator (Switch) --RADIUS-- Authentication Server (AAA/ACS)

1. EAP-Identity exchange between supplicant and switch
2. RADIUS-Access-Request from the switch to the authentication server
3. EAP-Data-Request and EAP exchange (method dependent), relayed inside further RADIUS-Access-Requests
4. RADIUS-Reject from the authentication server
5. EAPOL-Failure to the supplicant; the port is now granted access to the auth-fail VLAN

It is up to the supplicant whether it actually uses the network after an EAPOL-Failure.
802.1X-2004 supplicant parameter maxStart: a supplicant that has sent maxStart EAPOL-Start frames without receiving any response assumes there is no authenticator on the link and treats the port as authorized. After an explicit EAPOL-Failure, whether the host uses the auth-fail VLAN depends on the supplicant implementation.

IBNS Deployment Considerations: RADIUS Availability

The Problem? (Re)Authentication Fails Because AAA Is Unavailable

Supplicant (Client) --802.1X-- Authenticator (Switch) --RADIUS-- AAA Server

1. EAP-Identity exchange between supplicant and switch
2. RADIUS-Access-Request sent to the AAA server and retried (three attempts shown), no answer
3. EAPOL-Failure to the supplicant: the port is not granting access

Solution: Inaccessible Authentication Bypass (dot1x critical)
Existing User Reauthenticates

IOS:
  radius-server host x.x.x.x test username test
  interface gigabitethernet 1/0/1
   dot1x critical
   dot1x critical vlan 10
(the probe user "test" only needs to exist well enough for the server to answer; any reply, Accept or Reject, marks the server alive)

1. Port authorized (EAP-Success received earlier)
2. Re-authentication triggered by timer
3. Auth exchange with the AAA server fails (server unreachable)
4. Keep the existing VLAN; the port stays authorized (EAP-Success/Failure to the supplicant optional)

Inaccessible Authentication Bypass: New User Attempts Authentication

Same configuration as on the previous slide (dot1x critical, dot1x critical vlan 10 on the port)

1. Port unauthorized
2. New supplicant starts authentication; auth exchange with the AAA server fails (server unreachable)
3. Port authorized and moved to VLAN 10 (or left in the access VLAN if no critical VLAN is configured); EAP-Success/Failure to the supplicant optional

Inaccessible Authentication Bypass: RADIUS Server Comes Back

Same configuration as on the previous slides

1. Port authorized (critically authenticated)
2. Re-authentication triggered by timer
3. EAP-Identity-Request / EAP-Identity-Response / EAP auth exchange with the AAA server, now reachable
4. EAP-Success or EAP-Failure: authentication successful or rejected
Until the re-authentication timer fires, the port stays in the critical VLAN

Inaccessible Authentication Bypass: RADIUS Server Comes Back, Recovery Action Reinitialize

IOS:
  radius-server host x.x.x.x test username test
  interface gigabitethernet 1/0/1
   dot1x critical
   dot1x critical vlan 10
   dot1x critical recovery action reinitialize

1. Port authorized (critically authenticated)
2. RADIUS server comes back -> the 802.1X state machine is reinitialized immediately, without waiting for the re-authentication timer
3. EAP-Identity-Request / EAP-Identity-Response / EAP auth exchange with the AAA server
4. EAP-Success or EAP-Failure: authentication successful or rejected
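The four Inaccessible Authentication Bypass slides above describe one procedure. The following is an added model of that behaviour, written for this page and not code from the deck or from Cisco IOS, so the transitions can be read in one place. It assumes an access VLAN of 100 for the port (the slides do not state one) and takes an aaa_reachable flag as input in place of the switch's RADIUS dead-server detection, which it does not implement.

```python
# Added example (not from the deck): state model of a port configured with
# "dot1x critical" / "dot1x critical vlan 10", optionally with
# "dot1x critical recovery action reinitialize".

CRITICAL_VLAN = 10          # from the slides
ACCESS_VLAN = 100           # assumed data VLAN of the port (not on the slides)


class CriticalAuthPort:
    def __init__(self, access_vlan=ACCESS_VLAN, critical_vlan=CRITICAL_VLAN,
                 recovery_reinitialize=False):
        self.access_vlan = access_vlan
        # critical_vlan=None models "dot1x critical" without a critical VLAN
        self.critical_vlan = critical_vlan
        self.recovery_reinitialize = recovery_reinitialize
        self.authorized = False
        self.vlan = None
        self.in_critical = False
        self.log = []

    def _set(self, authorized, vlan, critical, why):
        self.authorized, self.vlan, self.in_critical = authorized, vlan, critical
        self.log.append(why)

    def authenticate(self, aaa_reachable, accept=True, assigned_vlan=None):
        """A supplicant authenticates or re-authenticates on the port.
        aaa_reachable stands in for the switch's dead-server detection."""
        if aaa_reachable:
            if accept:
                self._set(True, assigned_vlan or self.access_vlan, False, "accept")
            else:
                self._set(False, None, False, "reject")
        elif self.authorized:
            # existing session re-authenticates while AAA is down: keep its VLAN
            self.log.append("aaa unreachable: keep existing vlan")
        else:
            # new session while AAA is down: critical VLAN, or the access VLAN
            # when no critical VLAN is configured
            vlan = self.critical_vlan if self.critical_vlan is not None else self.access_vlan
            self._set(True, vlan, True, "aaa unreachable: critical authorization")
        return self.state()

    def aaa_recovered(self):
        """The RADIUS server answers again.  Without 'recovery action
        reinitialize' nothing changes until the reauth timer fires; with it a
        critically authorized port is reinitialized at once and must
        re-authenticate before it forwards again."""
        if self.in_critical and self.recovery_reinitialize:
            self._set(False, None, False, "aaa recovered: reinitialize")
        else:
            self.log.append("aaa recovered: wait for reauth timer")
        return self.state()

    def state(self):
        return {"authorized": self.authorized, "vlan": self.vlan,
                "critical": self.in_critical}
```

Walking the model through the slide order: an authorized session that re-authenticates while AAA is down keeps VLAN 100; a new session gets VLAN 10; when AAA returns, only the port with recovery action reinitialize drops to unauthorized immediately.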

IBNS Deployment Considerations: IP Telephony

802.1X and Voice

Multi-VLAN Access Ports (MVAP)
With Multi-VLAN Access Ports a port can belong to two VLANs, keeping voice and data traffic separated while still allowing 802.1X to be configured on the port
An access port able to handle two VLANs:
  Native or Port VLAN Identifier (PVID): data, untagged 802.3
  Auxiliary or Voice VLAN Identifier (VVID): voice, tagged 802.1Q
Hardware is set to dot1q trunk

802.1X and Voice

The controlled port is open only when the device connected to the port has been authorized by 802.1X
The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic ONLY

1. Cisco IP phones are able to tag their packets because they receive the voice VLAN information via CDP, which is processed on the uncontrolled port as shown above
2. A CDP exchange is used to allow the phone to be exempt from any 802.1X restriction for port forwarding
CDP carries no authentication, so any device that imitates a phone's CDP announcements obtains the same exemption; the voice VLAN is only as protected as the switch's ability to authenticate the phone itself (MAB or a phone supplicant, later slides)

802.1X with VVID: Previous Limitations

1. Port already authenticated: a PC behind the phone has authenticated and the port is authorized
2. PC leaves: the port remains authorized. If an end user disconnects from the phone, the switch port never sees link go down, so the port remains authorized by 802.1X!
3. Illegitimate user: an illegitimate user can now gain access to the port by spoofing the authenticated MAC address and bypass 802.1X completely. Security hole.
In an attempt to work around this, some customers have enabled periodic reauthentication of end devices. This is not the reason to enable reauthentication; at best it narrows the window.
We need to deal with the fact that any machine can disappear from the network without the switch (and 802.1X) knowing about it explicitly (i.e. link does not go down)

802.1X with VVID: Previous Limitations (continued)

1. Port already authenticated: a PC behind the phone has authenticated and the port is authorized
2. PC leaves: the port remains authorized, because the switch port link stays up
3. Legitimate user: a new, legitimate user may now attempt to gain access to the port by way of 802.1X. However, since the MAC addresses differ, the switch may treat this as a security violation!
In an attempt to work around this, some customers have enabled periodic reauthentication of end devices. This is not the reason to enable reauthentication.
Overall, the same issue as on the previous slides: the switch does not learn that the first machine left

802.1X with VVID: EAPOL-Logoff

1. Port already authenticated: a PC behind the phone has authenticated and the port is authorized
2. PC leaves
3. EAPOL-Logoff transmitted: if an end user disconnects, the IP phone transmits an EAPOL-Logoff frame to the switch on the PC's behalf
  SA = PC MAC address
  DA = 01-80-C2-00-00-03 (PAE group address)
Two basic functions needed from the phone:
  Monitor the PAE group address to determine who and where the supplicant is
  Actually transmit the EAPOL-Logoff frame
4. New authenticated session: the switch treats it as a standard EAPOL-Logoff frame transmitted by the supplicant, indicating end of service, and returns the port to unauthorized
This closes the security hole described above and enables subsequent mobility: the next device behind the phone authenticates normally
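As an added example, not code from the deck or from a Cisco phone, the following builds the EAPOL-Logoff frame described above exactly as the slide lays it out (DA = PAE group address, SA = the PC's MAC), parses it the way an authenticator would, and applies the switch's decision rule: only a Logoff whose source MAC is the currently authorized supplicant ends the session. The EAPOL protocol version (1) and the AuthenticatorPort class are this example's own simplifications.

```python
import struct

# Added example (not from the deck): EAPOL-Logoff as sent by the phone on the
# PC's behalf, and the authenticator-side handling of it.

PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"   # DA used for all EAPOL on a LAN
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1                          # 802.1X-2001 framing (2004 sends 2)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_eapol(src_mac, eapol_type, body=b"", version=EAPOL_VERSION):
    """Ethernet II header + EAPOL header (version, type, body length) + body."""
    header = struct.pack("!6s6sH", mac_to_bytes(PAE_GROUP_ADDRESS),
                         mac_to_bytes(src_mac), ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", version, eapol_type, len(body)) + body


def build_eapol_logoff(pc_mac):
    """What the phone transmits when the PC behind it drops link: an
    EAPOL-Logoff (type 2, empty body) with the PC's MAC as source."""
    return build_eapol(pc_mac, 2)


def parse_eapol(frame):
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "version": version, "type": EAPOL_TYPES.get(ptype, ptype),
            "body": frame[18:18 + length]}


class AuthenticatorPort:
    """Minimal authenticator-side state for one port: which MAC is authorized."""

    def __init__(self):
        self.authorized_mac = None

    def authorize(self, mac):
        self.authorized_mac = mac.lower()

    @property
    def authorized(self):
        return self.authorized_mac is not None

    def receive(self, frame):
        """Returns what the switch did with the frame."""
        p = parse_eapol(frame)
        if p["type"] != "EAPOL-Logoff":
            return "not-a-logoff"
        if p["dst"] != PAE_GROUP_ADDRESS:
            return "ignored: not addressed to the PAE group"
        if p["src"] != self.authorized_mac:
            # a Logoff for some other MAC must not tear down this session
            return "ignored: source is not the authorized supplicant"
        self.authorized_mac = None          # port returns to unauthorized
        return "session ended"
```

Note what this relies on: EAPOL-Logoff carries no authentication, so the switch accepts it from whoever can put a frame with the right SA on the wire. That is exactly what lets the phone speak for the PC, and it is also why a spoofed Logoff from a host on the same segment is a known denial-of-service against 802.1X sessions.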

802.1X with VVID: Deployment Issues

No supplicant on the wire:
802.1X process: upon link-up the switch sends EAPOL-Request (Identity), D = 01-80-C2-00-00-03, then again after 30 seconds, then again after another 30 seconds (three attempts)
Assuming no supplicant on the wire, the port is placed into the guest VLAN after the third request times out, if a guest VLAN is configured

Supplicant behind the phone:
The requests above are triggered by the switch port coming up, i.e. by the phone. A PC plugged into the phone later does not cause a link-up on the switch port, so the switch does not send it a fresh EAPOL-Request (Identity)
If any user plugs into a phone, 802.1X is now totally dependent on how their supplicant is configured to operate. By default, Microsoft Windows supplicants do not send EAPOL-Starts; you will want to know why 802.1X works when you plug into a switch, and why it does not work when you plug into a phone!

IPT/802.1X Solution Overview

Multi-Domain Authentication (MDA)
  Switch ports authenticate the PC and the IP phone separately
  Switch port is an MVAP (aka Aux-VLAN port)
  Supports 802.1X functionality on the Voice VLAN as well as the Data VLAN
  Supports MAB functionality on the Voice VLAN as well as the Data VLAN
  IP phones without 802.1X capability require MAC Authentication Bypass (MAB) support
The solution is extensible in order to support the planned launch of 802.1X supplicant capability on Cisco IP phones, as well as any 3rd-party IP phones with 802.1X capability
The solution supports both static and dynamic VVID configuration on IP phones

Solution for non-Cisco IP Phones

No supplicant on the phone; 802.1X-enabled port with MAB and voice capability; RADIUS server
Initial state: the Data VLAN VP state machine is in blocking state and the Voice VLAN VP state machine is in ask state

1. Phone sends untagged DHCP, blocked by the switch
2. 802.1X times out (the phone is not allowed to communicate with the network yet)
3. Switch initiates a MAB Access-Request on behalf of the phone
4. Switch receives an Access-Accept plus the information that the device is an IP phone (the Cisco AV pair device-traffic-class=voice). Port forwarding is now allowed on either VLAN: authorized link
5. The non-Cisco phone continues to send traffic, which is now allowed on the PVID as a result of authenticating the MAC address. The phone then reboots onto the VVID normally

802.1X and Cisco IP Telephony

802.1X supplicant on Cisco IP phones
  EAP-MD5 supported on models 7906 / 7911 / 7931 / 7941 / 7961 / 7970 / 7971
  Phone load 8.2(1), December 2006
  Caveat: EAP-MD5 authenticates the phone to the network only (no mutual authentication) and its challenge/response can be captured for offline guessing, so the phone password has to be strong and unique

Example

Switch# show dot1x interface gigabitethernet 8/0/1 details
Dot1x Info for GigabitEthernet8/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
Inactivity                = None
Guest-VLAN                = 401

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 1222.c0a8.0102
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 100

Domain                    = VOICE
Supplicant                = 000f.8fb7.16a0
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Vlan Policy               = N/A

Any combination of 802.1X and MAB for the phone
Any combination of 802.1X, MAB, Guest-VLAN, AuthFail-VLAN, AAAFail-VLAN for the PC
PC authenticated by 802.1X (DATA domain, VLAN 100); phone authenticated by MAB (VOICE domain)
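An added example, not from the deck: a parser for the "show dot1x interface ... details" output above that turns it into per-domain session records, plus a few audit rules an operator of MDA ports would want to run across many switches (which sessions rest on MAB alone, whether MAB sessions can ever age out, whether a client landed in the guest VLAN). The sample is a constructed, abridged copy of the output on the slide, and the audit rules are this example's own.

```python
# Added example (not from the deck): parse "show dot1x interface ... details"
# and flag points of interest on a multi-domain (phone + PC) port.

SAMPLE = """\
Dot1x Info for GigabitEthernet8/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = MULTI_DOMAIN
ReAuthentication          = Disabled
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
TxPeriod                  = 30
Mac-Auth-Bypass           = Enabled (EAP)
Inactivity                = None
Guest-VLAN                = 401

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 1222.c0a8.0102
Auth SM State             = AUTHENTICATED
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 100

Domain                    = VOICE
Supplicant                = 000f.8fb7.16a0
Auth SM State             = AUTHENTICATED
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Vlan Policy               = N/A
"""


def parse_show_dot1x(text):
    """Returns (port settings dict, list of client dicts, one per domain)."""
    port, clients, current, in_clients = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Dot1x Info for "):
            port["Interface"] = line[len("Dot1x Info for "):]
            continue
        if line.startswith("Dot1x Authenticator Client List"):
            in_clients = True          # everything after this is per-client
            continue
        if "=" not in line:
            continue                   # dashed separators and blank lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not in_clients:
            port[key] = value
        elif key == "Domain":          # each domain block starts with Domain
            current = {"Domain": value}
            clients.append(current)
        elif current is not None:
            current[key] = value
    return port, clients


def audit_port(port, clients):
    """Findings worth a second look on an MDA port (rules are this example's)."""
    findings = []
    mab_on = port.get("Mac-Auth-Bypass", "").startswith("Enabled")
    guest = port.get("Guest-VLAN")
    for c in clients:
        who = f"{c['Domain']} {c.get('Supplicant', '?')}"
        if c.get("Authentication Method") == "MAB":
            findings.append(f"{who}: authorized by MAB (MAC address only, no supplicant)")
        if guest and c.get("Vlan Policy") == guest:
            findings.append(f"{who}: sitting in the guest VLAN {guest}")
    if mab_on and port.get("Inactivity") == "None":
        findings.append("MAB enabled with no inactivity timer: a MAB session "
                        "behind a phone will not age out when the device leaves")
    if port.get("ReAuthentication") == "Disabled":
        findings.append("periodic re-authentication disabled")
    return findings
```

On the slide's output this reports the phone's MAB-only authorization, the missing MAB inactivity timer (the aging problem the next slide describes) and the disabled re-authentication; the PC's VLAN 100 is not the guest VLAN 401, so it raises nothing.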

802.1X/MAB Aging with IPT

1. A MAB-authenticated PC behind the phone leaves
2. The phone cannot send an EAPOL-Logoff for a MAB session! The port remains authorized

802.1X addressed this issue by having the phone send an EAPOL-Logoff when the 802.1X device leaves the port
MAB has the same issue as 802.1X, except that there is no control plane between the switch and the phone for MAB
As was the case with 802.1X before Cisco phones supported EAPOL-Logoff, this situation can lead to security violations (and to a stale authorization that a spoofed MAC address can reuse)
Workaround is the MAB inactivity timer
  Currently on the 3k and 6k (CatOS)
  IOS:
    switchport port-security
    dot1x mac-auth-bypass timeout inactivity 30

IBNS Deployment Considerations: Other Considerations

Preboot eXecution Environment: PXE

Very common way to image new machines and re-image existing ones, i.e. F12 - Network Boot
Assumes IP connectivity and happens before the OS loads
Typically uses DHCP extensions and TFTP to download the boot image
No 802.1X supplicant in the PXE firmware, therefore no connectivity on an 802.1X-controlled port

LAN workarounds at this time are MAB or Guest VLAN

Challenge is to initiate MAB or Guest VLAN access before the PXE firmware times out
PXE firmware per spec should time out in 60 seconds. Some PXE firmware has been observed to expire in as little as five seconds. Lots of testing is required to verify the solution: with the default tx-period of 30 seconds and two retries, the fallback to MAB/Guest VLAN only happens 90 seconds after link-up
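The timer warnings on the MAB/Guest VLAN slides, the three-request sequence on the VVID deployment slides and the PXE deadline above are all the same arithmetic. As an added example, not code from the deck, the following models the authenticator's EAP-Request/Identity schedule and the fallback point, then checks it against the two deadlines the deck raises: PXE firmware giving up on DHCP, and a capable supplicant that needs time to answer. Parameter names follow the IOS "dot1x timeout tx-period" and "dot1x max-reauth-req" commands; the PXE and supplicant figures are inputs you supply (the deck gives 60 s and 5 s for PXE; the supplicant delay is something to measure in your lab, not a value from the deck).

```python
# Added example (not from the deck): when does an 802.1X port give up on
# EAPOL and fall back to MAB / guest VLAN, and who loses if that is too
# early or too late.


def identity_request_schedule(tx_period=30, max_reauth_req=2):
    """Seconds after link-up at which the switch sends EAP-Request/Identity.
    The first goes out at link-up; each retry comes tx-period later, and
    max-reauth-req retries are made (IOS defaults: 30 s, 2)."""
    return [tx_period * i for i in range(max_reauth_req + 1)]


def fallback_time(tx_period=30, max_reauth_req=2):
    """Seconds after link-up at which, with no EAPOL reply at all, the port
    stops waiting and starts MAB / guest-VLAN handling: the last request
    plus one more tx-period for it to time out."""
    return tx_period * (max_reauth_req + 1)


def check_timers(tx_period, max_reauth_req, pxe_timeout, supplicant_delay):
    """pxe_timeout: seconds the PXE firmware keeps retrying DHCP before it
    gives up (60 per spec according to the deck, as little as 5 observed).
    supplicant_delay: worst-case seconds a real supplicant needs before it
    answers the first identity request (assumed; measure it)."""
    fallback = fallback_time(tx_period, max_reauth_req)
    return {
        "identity_requests_at": identity_request_schedule(tx_period, max_reauth_req),
        "fallback_at": fallback,
        # a PXE client has no supplicant: it only gets DHCP once fallback has
        # put the port into MAB / the guest VLAN, so fallback must come first
        "pxe_boots": fallback < pxe_timeout,
        # a capable supplicant must answer before fallback fires, otherwise
        # it is pushed into MAB / guest VLAN instead of authenticating
        "supplicant_safe": supplicant_delay < fallback,
    }


def tuning_report(tx_period, max_reauth_req, pxe_timeout, supplicant_delay):
    """One-line verdict for a candidate timer setting."""
    r = check_timers(tx_period, max_reauth_req, pxe_timeout, supplicant_delay)
    verdict = "OK" if r["pxe_boots"] and r["supplicant_safe"] else "NOT OK"
    return (f"tx-period={tx_period}s max-reauth-req={max_reauth_req}: requests at "
            f"{r['identity_requests_at']}, fallback at {r['fallback_at']}s, "
            f"PXE {'boots' if r['pxe_boots'] else 'times out'}, supplicant "
            f"{'safe' if r['supplicant_safe'] else 'beaten by fallback'}: {verdict}")
```

With the defaults (30 s, 2 retries) fallback lands at 90 s, so a 60 s PXE timeout is missed; tx-period 10 with one retry brings it to 20 s, which satisfies a 60 s PXE firmware but still not a 5 s one, and any setting that falls below the supplicant's own response time turns the deck's warning into reality.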

PXE OS Boot in 802.1X Networks: Demo

Problem: PXE boot breaks in 802.1X enterprise networks (the PXE firmware has no supplicant)
Solution demonstrated with Intel vPro:
Step 1: The 802.1X-enabled switch sends an authentication request to the client's Embedded Trust Agent
Step 2: The Embedded Trust Agent (BIOS-PXE remote agent, running in the chipset's Manageability Engine) sends the authentication response to the switch
Step 3: Authentication credentials are passed on to ACS (RADIUS server) for verification
Step 4: The RADIUS server grants the client access to the network
Step 5: The PXE boot agent (BIOS on the client) downloads the OS from the PXE server
Step 6: The OS boots on the client

Demo platform (figure): Intel Core 2 Duo processor, Intel Q35 Express Chipset* with (G)MCH, Manageability Engine and Embedded Trust Agent, DDR2 memory, ICH9-DO (filters, sensors, MAC), Intel PRO/1000 LAN, flash BIOS NVM, operating-system software agents; on the network side a RADIUS server, management console, 802.1X-enabled switch and PXE server. The figure legend distinguishes system-off, system-on and out-of-band paths.
* Available in a future release of products via firmware upgrade
Intel vPro processor technology: Cisco Network Admission Control support includes the Mobile Intel GM965 Express Chipset with the ICH8M-Enhanced

Wake on LAN (WOL)

There is a feature that enables support of WOL on the switches (dot1x control-direction in: the controlled port blocks ingress only, so the magic packet can still be sent out of an unauthorized port)
Issue: with MAB or Guest VLAN configured
  If the device goes to sleep and drops link, or if reauthentication is triggered while the device is asleep, MAB/Guest VLAN handling kicks in and the device will potentially be placed in a new VLAN
  The WOL magic packet to wake the machine will be sent to the original 802.1X-authenticated VLAN, where the sleeping machine no longer is
Workaround
  Make sure all managed assets are in a MAC address database and assign the device to the same VLAN via MAB

Vista Supplicant RC SP1 & Server 2008 RC0

Demo lab: solved past issues seen with the Windows XP supplicant
  SSO serialization
  VLAN assignment / DHCP renew
  VLAN assignment / GPO update & logon script
  First-time user login on a PC (no cached credentials)
  User password aging
Wired & wireless 802.1X configuration set up by GPO


Summary
IBNS improves enterprise security
IBNS improves enterprise visibility
IBNS is a platform for other security initiatives, i.e. NAC
Keys to success:
  Understand your security requirements
  Choose the right EAP type and supplicant for your network
  Understand the Windows boot process
  Use new features to support IP Telephony

IBNS Is Deployable Today

Q and A