802.1X
BRKCAM-2007
Luc Billot
lbillot@cisco.com
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Who am I
Participate at the Deploying IPv6 BoF, Thursday 11:00
Let's talk about it on: http://networkers.intronetworks.com
Some statistics on http://www.cisconetworkers6.com
Best effort only, this is the first Networkers with IPv6
Network Access
What Is Authentication?
The process of establishing and confirming the identity of a client requesting services
Authentication is only useful if used to establish corresponding authorization
The model is very common in everyday scenarios:
"I'd like to withdraw $200.00, please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here's your money."
"I'd like to connect to the network." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here you go."
Default Functionality
MAC Auth
IEEE 802.1X
Standard set by the IEEE 802.1 working group
A framework designed to address and provide port-based access control using authentication
Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
A Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure (point-to-point) connection between supplicant and authenticator
Actual enforcement is via MAC-based filtering and port-state monitoring
Diagram: Supplicant <-- EAPOL (EAP over LAN) or EAP over Wireless --> Authenticator (e.g. Switch, Access Point) <-- RADIUS --> Authentication Server
Roles and products
Supplicant: desktop/laptop, IP phone, WLAN AP, switch
Authentication Server: IAS, ACS, any IETF RADIUS server
Identity Store/Management: MS AD, LDAP, NDS, ODBC
Supplicant support
Windows XP-Vista supports EAP-TLS and PEAP w/EAP-MSCHAPv2
3rd-party supplicants support a large variety of EAP types
Authentication store
PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that hold the password in a form MSCHAPv2 can use (the NT hash or clear text, e.g. Active Directory); a store that keeps only salted one-way hashes cannot serve it
Not every identity store supports all the EAP types
RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload (EAP-Message attributes) | AV Pairs
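The packet layout above, worked through as an added example (my code, not from the presentation or from Cisco): it builds a RADIUS Access-Accept that carries the EAP-Success inside an EAP-Message attribute plus the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID AV pairs a switch uses for dynamic VLAN assignment, then verifies the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579) before trusting any of it. The shared secret, the packet identifier, the Request Authenticator and the VLAN name are constructed sample values; the helper names are mine.

```python
"""Added example, not from the presentation: build a RADIUS Access-Accept that
carries an EAP-Success in EAP-Message plus the Tunnel-* AV pairs a switch uses
for VLAN assignment, then verify its Response Authenticator (RFC 2865) and
Message-Authenticator (RFC 3579) before trusting the attributes.
The shared secret, identifier, Request Authenticator and VLAN name are
constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# Attribute types: RFC 2865; EAP-Message/Message-Authenticator: RFC 3579; Tunnel-*: RFC 2868
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type value meaning "IEEE 802"


def attr(atype, value):
    """Encode one RADIUS Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attr(atype, value, tag=0):
    """Tunnel-* attributes carry a one-octet tag in front of the value."""
    return attr(atype, bytes([tag]) + value)


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def build_access_accept(ident, request_auth, secret, vlan_name):
    """Access-Accept with EAP-Success, VLAN assignment and Message-Authenticator."""
    eap_success = struct.pack("!BBH", 3, ident, 4)  # EAP code 3 = Success, length 4
    attrs = (
        attr(EAP_MESSAGE, eap_success)
        + tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
        + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan_name.encode())
        + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Message-Authenticator = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes)
    ma = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + ma
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify(packet, request_auth, secret):
    """Check both authenticators; return (code, [(type, value), ...]) or raise."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    zeroed, ma_value = bytearray(packet), None
    for pos, atype, value in iter_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            ma_value = value
            zeroed[pos + 2:pos + 2 + len(value)] = bytes(len(value))
    if ma_value is None:
        raise ValueError("EAP reply without Message-Authenticator (required by RFC 3579)")
    expected = hmac.new(secret, bytes(zeroed[:4]) + request_auth + bytes(zeroed[20:]),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, ma_value):
        raise ValueError("bad Message-Authenticator")
    return code, [(t, v) for _, t, v in iter_attrs(packet)]


def vlan_from_attrs(attrs):
    """Return the assigned VLAN name/ID if the Tunnel-* triple says VLAN over 802."""
    vals = dict((t, v) for t, v in attrs)
    if not all(k in vals for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(vals[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(vals[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_802:
        return None
    group = vals[TUNNEL_PRIVATE_GROUP_ID]
    # A leading octet <= 0x1F is a tag; anything larger is part of the string (RFC 2868)
    return (group[1:] if group[0] <= 0x1F else group).decode()


if __name__ == "__main__":
    secret, req_auth = b"cisco123", bytes(range(16))  # constructed sample values
    pkt = build_access_accept(7, req_auth, secret, "Marketing")
    code, attrs = verify(pkt, req_auth, secret)
    print(code, vlan_from_attrs(attrs))
```

The order of checks matters: a switch must validate the Response Authenticator and the Message-Authenticator before acting on the Tunnel-Private-Group-ID, otherwise an attacker who can reach the RADIUS path with a forged reply chooses the VLAN. The returned VLAN name is what the switch then matches against its own VLAN database; a name that is not configured on the switch is treated as an authorization failure.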
A Closer Look: 802.1X, STP
Port Unauthorized (802.1X enabled, no supplicant authenticated yet)
Cisco IOS configuration:
! AAA must be enabled before the aaa authentication/authorization commands are accepted
aaa new-model
! Use RADIUS for 802.1X authentication and for network authorization (AV pairs)
aaa authentication dot1x default group radius
aaa authorization network default group radius
! RADIUS server and shared secret
radius-server host 10.100.100.100
radius-server key cisco123
! Enable 802.1X globally, then on the access port
dot1x system-auth-control
interface GigabitEthernet1/0/1
 dot1x port-control auto
A Closer Look: 802.1X, STP
Port Unauthorized
  802.1X (supplicant <-> switch): EAPOL-Start
  802.1X: EAP-Request/Identity
  802.1X: EAP-Response/Identity
  802.1X / RADIUS: EAP authentication exchange (EAP-method dependent), relayed by the switch as an auth exchange w/AAA server
  RADIUS: Authentication Successful/Rejected, plus policy instructions
  802.1X: EAP-Success/Failure
Port Authorized
  802.1X: EAPOL-Logoff
Port Unauthorized
The actual authentication conversation is between the client and the auth server using EAP; the switch is an EAP conduit, but aware of what's going on
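The exchange above, as an added example (my code, not from the presentation or from Cisco): it encodes and decodes the EAPOL frames on the wire (destination 01:80:c2:00:00:03, EtherType 0x888E) and drives a minimal single-host authenticator port through EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Success or EAP-Failure and EAPOL-Logoff. The RADIUS leg and the EAP method are stubbed by a callable that accepts or rejects the identity; the switch MAC, the supplicant MACs and the identities are constructed samples, and the class and function names are mine. The forwards() check also shows the point the IP-phone slides later make: once a MAC is authorized, anything sending from that MAC passes until an EAPOL-Logoff (or link-down) clears it.

```python
"""Added example, not from the presentation: encode and decode the EAPOL
frames of the exchange above and drive a minimal single-host authenticator
port through EAPOL-Start -> EAP-Request/Identity -> EAP-Response/Identity ->
EAP-Success/Failure -> EAPOL-Logoff. The RADIUS/EAP-method conversation is
stubbed by a callable that accepts or rejects the identity; MAC addresses and
identities are constructed samples."""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                # 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol_frame(src, dst, ptype, body=b""):
    """Ethernet header (dst, src, 0x888E) + EAPOL header (version, type, length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, ptype, len(body)) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, id, length) followed by an optional type octet and data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Return (dst, src, eapol_type, body); reject non-EAPOL or truncated frames."""
    if len(frame) < 18:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    etype, _version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if etype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("truncated EAPOL body")
    return dst, src, ptype, body


class AuthenticatorPort:
    """Single-host authenticator: one authorized MAC, enforced by MAC filtering."""

    def __init__(self, own_mac, aaa):
        self.mac = own_mac
        self.aaa = aaa           # callable(identity) -> bool, stands in for RADIUS
        self.authorized_mac = None
        self.ident = 0
        self.log = []

    def _request_identity(self, dst):
        self.ident = (self.ident + 1) % 256
        self.log.append("EAP-Request/Identity")
        return eapol_frame(self.mac, dst, EAPOL_EAP_PACKET,
                           eap_packet(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY))

    def link_up(self):
        """On link up the switch solicits a supplicant without waiting for EAPOL-Start."""
        return self._request_identity(PAE_GROUP_ADDR)

    def handle(self, frame):
        """Process one EAPOL frame from the wire; return the reply frame or None."""
        _dst, src, ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            return self._request_identity(src)
        if ptype == EAPOL_LOGOFF:
            if src == self.authorized_mac:
                self.authorized_mac = None
                self.log.append("Port Unauthorized (EAPOL-Logoff)")
            return None
        if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
            code, ident, length = struct.unpack("!BBH", body[:4])
            if code == EAP_RESPONSE and body[4] == EAP_TYPE_IDENTITY and ident == self.ident:
                identity = body[5:length].decode(errors="replace")
                # A real switch forwards this in a RADIUS Access-Request and relays the
                # EAP method to the AAA server; here the stub decides.
                ok = self.aaa(identity)
                self.authorized_mac = src if ok else None
                self.log.append("Port Authorized" if ok else "Port Unauthorized (reject)")
                return eapol_frame(self.mac, src, EAPOL_EAP_PACKET,
                                   eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None

    def forwards(self, src):
        """Data-plane check: only the authorized MAC passes the controlled port."""
        return src == self.authorized_mac


def supplicant_authenticate(port, mac, identity):
    """Supplicant side of the exchange; return the final EAP code received."""
    reply = port.handle(eapol_frame(mac, PAE_GROUP_ADDR, EAPOL_START))
    _, _, _, body = parse_eapol(reply)
    code, ident, _ = struct.unpack("!BBH", body[:4])
    if code != EAP_REQUEST or body[4] != EAP_TYPE_IDENTITY:
        raise RuntimeError("expected EAP-Request/Identity")
    response = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    reply = port.handle(eapol_frame(mac, PAE_GROUP_ADDR, EAPOL_EAP_PACKET, response))
    return parse_eapol(reply)[3][0]
```

Note what the model does not do: it carries no EAP method, so the identity alone decides the outcome; in a real deployment the EAP-Response/Identity is only the start of the method-dependent exchange, and the switch stays a conduit for it. The single-host filter is deliberately MAC-based, exactly as the standard enforces it, which is why a station that spoofs the authorized MAC passes forwards() until the session is cleared.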
Two methods to authenticate without 802.1X: MAC Authentication & Web Authentication.
MAC Authentication (MAB)
Port Unauthorized
  Switch -> wire: EAP-Request/Identity (x3, no response from the printer)
  Switch -> RADIUS: authenticate the printer's MAC address
  RADIUS: Authentication Successful/Rejected, policy instructions
Port Authorized
Web Authentication
EAP who? (a guest with no supplicant)
Port Unauthorized
  Switch -> wire: EAP-Request/Identity (x3, no response)
  Guest: HTTP://www.acme.com
  Switch: redirects to HTTP://loginpage.html
  Guest: username, password
  Switch -> RADIUS: authenticate username/password
  RADIUS: Authentication Successful/Rejected, policy instructions
Port Authorized
Controlled and uncontrolled ports
Controlled port: data traffic, opened only once the port is authorized
Uncontrolled port: provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only
Single-host mode (default)
Only the authenticated MAC address (00-01-76-48-90-ff) is allowed on the port
Additional MAC addresses on the wire (e.g. 00-67-e5-bb-45-21) are treated as a security violation
This includes VMware-type devices
This includes machines that attempt to transmit gratuitous ARP frames
Note: any other type of data transmission or network attack is not within the scope of the 802.1X standard, nor the default deployment on a switch
Multi-host mode
IOS: dot1x host-mode multi-host
What if the physical topology does not allow a point-to-point connection? (e.g. hub in a conference room)
Use 802.1X to authorize the port only (the first station, 00-01-76-48-90-ff, authenticates)
Any number of unauthenticated stations (e.g. 00-67-e5-bb-45-21) are subsequently allowed on the wire
Recommendation
Use 802.1X to authorize the port
Use port-security to limit the number of other devices allowed on the wire
IOS:
! Authorize the port with 802.1X, then cap the number of MAC addresses with port-security
dot1x host-mode multi-host
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 2
Non-802.1X Client (no EAPOL)
Any 802.1X-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not)
No network access is given if the switch does not receive an EAPOL identity-response
The whole process restarts after a hold timer (the quiet-period)
The process can start again if a supplicant appears on the port and sends an EAPOL-Start
Deployment Considerations
Supplicant Considerations
Microsoft Windows
  User and machine authentication
  DHCP request time-out
  Machine authentication restriction
  Default methods: MD5 (XP only), PEAP, EAP-TLS
Unix/Linux considerations
  Open source: xsupplicant project (University of Utah), available from http://www.open1x.org
  Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
Windows boot and logon sequence
Network Not Required: the boot stages before the machine obtains an address
Network Dependency:
  Obtain network address (static, DHCP)
  Determine site and DC (DNS, LDAP)
  Establish secure channel to AD (LDAP, SMB)
  Kerberos authentication (machine account)
  Computer GPOs loading (async)
  GPO-based startup script execution
  User GPOs loading (async)
  GPO-based logon script execution (SMB)
Windows Logon Process and 802.1X are not serialized at all for Windows 2000, XP, 2003, or Vista
802.1X may break the Windows Logon sequence at some points
Additional complications:
  Two authentication contexts to consider: machine and user
  Dynamic VLAN assignment may introduce additional network initialization, impacting the Windows Logon sequence (Windows 2000 and XP were never designed to handle this event)
Clear understanding and proper design are required for successful 802.1X deployments
Start of 802.1X authentication may vary among supplicants
Components that are in a race condition with 802.1X auth: obtain network address (static, DHCP); determine site and DC (DNS, LDAP); establish secure channel to AD (LDAP, SMB); Kerberos authentication (machine account); Kerberos auth (user account); computer and user GPO loading (async); GPO-based startup and logon script execution (SMB)
Microsoft Fixes
Windows XP: install Service Pack 1a + KB 826942
Windows 2000: install Service Pack 4
Resulting sequence (Supplicant / Authenticator / Authentication Server):
  Supplicant: login request, sends credentials
  Authenticator: forwards credentials to the ACS server
  Authentication Server: auth successful (EAP-Success), VLAN assignment, Accept
  Supplicant: ICMP Echo (x3) for the default gateway from the old IP as soon as the EAP-Success frame is received
  Supplicant: DHCP-Request (D=255.255.255.255) after the pings have gone unanswered, then DHCP-Discover (D=255.255.255.255)
Authorization
Authorization is the ability to enforce policies on identities
Typically policies are applied using a group methodology, which allows for easier manageability
The goal is to take the notion of group management and policies into the network
The most basic authorization in 802.1X and IBNS is the ability to allow or disallow access to the network at the link layer
Other forms of authorization include VLAN assignment, ACL assignment, 802.1X with ARP inspection, etc.
Dynamic VLAN assignment example: RADIUS returns the VLAN name "Marketing"
The VLAN name must match the switch configuration
A mismatch results in authentication/authorization failure
Authorization Recommendations
Everyone thinks they want to do VLAN assignment
VLAN assignment is completely optional
Ask yourself if the driver is to separate users. Most people do not have this requirement; they just want validation that the PC or user connecting to the network is known
Leave the port in its default VLAN, or assign the VLAN during machine authentication if possible
Dot1x/MAB timeline
  1. Upon link up: EAPOL-Request (Identity), D = 01:80:c2:00:00:03
  2. 30 seconds later: EAPOL-Request (Identity), D = 01:80:c2:00:00:03
  3. 30 seconds later: EAPOL-Request (Identity), D = 01:80:c2:00:00:03
  4. 30 seconds later: EAPOL timeout
  5. Initiate MAB: learn the MAC address (00:0a:95:7f:de:06) from the client's first frame (variable delay)
  6-8. RADIUS exchange for the learned MAC address
Web authentication sequence
  1. Port enabled
  2. 802.1X times out; the client initiates a connection, activating the port authentication state machine; the switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
  3. The switch port relays the DHCP address from the DHCP server
  4. The user starts a web browser and initiates a web connection
  5. The switch port redirects the URL and presents an HTTP form prompting for userid/password
  6. The user enters credentials; they are checked against the RADIUS DB via PAP; if authenticated, the switch port is opened for normal network access
Guest VLAN
802.1X process: EAP-Request/Identity upon link up, after 30 seconds and after another 30 seconds (steps 1-3); no response from the client
Note: the timer values shown are the defaults and can be tuned
Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
No further security or authentication is applied. It's as if the administrator de-configured 802.1X and hard-set the port into the specified VLAN
Determine what features you want to use based on your operations
Be VERY careful tweaking timers
You don't want an 802.1X-capable machine to fall into MAB, WebAuth or the Guest VLAN before its supplicant can respond to the EAPOL Identity requests
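The timer warning above, as an added example (my code, not from the presentation or from Cisco): it models the identity-request retries of the Dot1x/MAB timeline (tx-period between requests, max-reauth-req retries, fall-back once the last request has gone unanswered for another tx-period) and lets you replay a proposed timer pair against how long the slowest supplicant in your fleet needs before it can answer. The EAPOL-Start option reflects the slide later in the deck that says Windows supplicants do not send EAPOL-Starts by default. The supplicant delays and the function names are mine; the timer semantics are those shown in the timeline.

```python
"""Added example, not from the presentation: model the authenticator's
EAP-Request/Identity retries and the fall-back to MAB, WebAuth or the guest
VLAN, so a proposed tx-period / max-reauth-req pair can be checked against
how long the slowest supplicant in the fleet needs before it can answer.
Timer semantics follow the slides (three requests 30 s apart by default);
the supplicant delays are constructed sample values."""

DEFAULT_TX_PERIOD = 30       # dot1x timeout tx-period: seconds between identity requests
DEFAULT_MAX_REAUTH_REQ = 2   # dot1x max-reauth-req: retries after the first request


def identity_request_times(tx_period=DEFAULT_TX_PERIOD, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Seconds after link-up at which the switch sends EAP-Request/Identity."""
    return [i * tx_period for i in range(max_reauth_req + 1)]


def fallback_time(tx_period=DEFAULT_TX_PERIOD, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """When the switch gives up on 802.1X: one tx-period after the last request."""
    return tx_period * (max_reauth_req + 1)


def simulate(supplicant_ready_at, tx_period=DEFAULT_TX_PERIOD,
             max_reauth_req=DEFAULT_MAX_REAUTH_REQ, fallback="MAB",
             sends_eapol_start=False):
    """Return (outcome, time, events).

    The supplicant answers the first identity request sent once it is ready.
    If it also sends EAPOL-Start when ready (not the Windows default per the
    slides), the switch answers at once with a fresh identity request.
    If neither happens before the timeout, the port falls back even though
    the host has a supplicant."""
    requests = identity_request_times(tx_period, max_reauth_req)
    timeout = fallback_time(tx_period, max_reauth_req)
    events = []
    for i, t in enumerate(requests):
        events.append((t, "EAP-Request/Identity -> 01:80:c2:00:00:03"))
        if supplicant_ready_at <= t:
            events.append((t, "EAP-Response/Identity"))
            return "802.1X", t, events
        next_t = requests[i + 1] if i + 1 < len(requests) else timeout
        if sends_eapol_start and supplicant_ready_at < next_t:
            events.append((supplicant_ready_at,
                           "EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity"))
            return "802.1X", supplicant_ready_at, events
    events.append((timeout, "EAPOL timeout -> " + fallback))
    return fallback, timeout, events


def timers_are_safe(slowest_supplicant_s, tx_period=DEFAULT_TX_PERIOD,
                    max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """True if the slowest supplicant still sees at least one identity request."""
    return identity_request_times(tx_period, max_reauth_req)[-1] >= slowest_supplicant_s


if __name__ == "__main__":
    # Constructed cases: a supplicant that needs 45 s, with default and with aggressive timers
    for args in ((45,), (45, 10, 2), (25, 10, 2, "Guest VLAN", True)):
        outcome, when, _ = simulate(*args)
        print(args, "->", outcome, "at", when, "s")
```

With the defaults a supplicant that needs 45 s still catches the request at 60 s; with tx-period 10 and max-reauth-req 2 the same machine is MAB'd or put in the guest VLAN at 30 s, and a guest VLAN then carries no further authentication at all. Measure the slowest supplicant start-up you actually have (cold boot, driver load, machine authentication) before shortening anything.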
The Problem? Authentication Failures
Sequence (Supplicant / Authenticator (Switch) / Authentication Server (AAA/ACS)):
  1. EAPOL-Start* (supplicant -> switch)
  2. EAP-Identity-Exchange (802.1X, supplicant <-> switch)
  3. RADIUS-Access-Request (switch -> AAA)
  4-5. EAP-Data-Request and the EAP exchange (method dependent), carried in further RADIUS-Access-Requests
  6-7. The exchange ends in an authentication failure (X); the port stays unauthorized
*Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange is dependent on the method
Certificate expired! User unknown!
Employees' credentials expire or are entered incorrectly
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default
Many enterprises require that guests and failed corporate assets get conditional access to the network
Re-provision credentials through a web proxy or VPN tunnel
Provide guest access through VLAN assignment or web proxy
The Solution? Auth-Fail-VLAN
IOS: dot1x auth-fail vlan 50
Sequence (Supplicant / Authenticator (Switch) / Authentication Server (AAA/ACS)):
  12-14. EAP-Identity-Exchange (802.1X), RADIUS-Access-Request
  15-16. EAP-Data-Request and the EAP exchange, RADIUS-Access-Request
  17. RADIUS-Reject
  18. EAPOL-Failure
  19. The port is placed in the auth-fail VLAN (50) instead of staying unauthorized
Note on 802.1X-2004 supplicant behaviour (maxStart): if the supplicant has sent maxStart EAPOL-Starts without receiving an EAP-Request/Identity, it assumes no authenticator is present and treats the port as authorized
The Problem? (Re)Authentication fails because AAA is unavailable
Sequence (Supplicant (Client) / Authenticator (Switch) / RADIUS AAA Server): EAP-Identity-Exchange; the RADIUS request gets no answer (X); 3. EAPOL-Failure
The 802.1X port is not granting access
AAA-Fail (critical) VLAN
When the RADIUS server is unreachable, a port that is already authorized stays authorized; an unauthorized port is authorized into the critical VLAN: move to VLAN 10 (or the access VLAN if no critical VLAN is configured). Sending EAP-Success/Failure to the supplicant is optional in this case
When the RADIUS server comes back: EAP-Success/Failure and immediate reinitialization of the 802.1X state machine
Controlled and uncontrolled ports with an IP phone
Controlled port: EAPOL, CDP (data path once authorized)
Uncontrolled port: provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic ONLY
1. Cisco IP phones are able to tag their packets because they receive VLAN information via CDP, which is processed on the uncontrolled port as shown above
2. A CDP exchange is used to allow the phone to be exempt from any 802.1X restriction for port forwarding
PC Leaves: illegitimate user
The PC behind the phone leaves; the switch sees no link-down, so the port stays authorized for the PC's MAC address
An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1X completely: a security hole
In an attempt to work around this, some customers have enabled periodic reauthentication of end-devices. This is not the reason to enable reauthentication
We need to deal with the fact that any machine can disappear from the network and the switch (and 802.1X) does not know about it explicitly (i.e. the link doesn't go down)
PC Leaves: legitimate user, security violation
A legitimate user may now attempt to gain access to the port by way of 802.1X
However, assuming the MAC addresses are different, the switch may now treat this as a security violation!
In an attempt to work around this, some customers have enabled periodic reauthentication of end-devices. This is not the reason to enable reauthentication
Overall, the same issue as the previous slides
PC Leaves: EAPOL-Logoff transmitted by the phone
3. When the PC disconnects from the phone, the phone transmits an EAPOL-Logoff on its behalf
4. New authenticated session for the next device
The switch thinks it is a standard EAPOL-Logoff frame transmitted by a supplicant, indicating end of service
This closes the current security hole and promotes subsequent mobility
Guest VLAN behind a phone
802.1X process: EAP-Request/Identity upon link up, after 30 seconds and after another 30 seconds (steps 1-3); no response
Assuming no supplicant on the wire, a port will be deployed into the guest VLAN after step three above, if a guest VLAN is configured
If any user plugs into a phone, 802.1X is now totally dependent on how their supplicant is configured to operate, because the phone's link to the switch does not go down and the three EAP-Request/Identity frames after link up have long been sent
By default, Microsoft Windows supplicants do not send EAPOL-Starts; you will want to know why 802.1X works when you plug into a switch, and why it doesn't work when you plug into a phone!
The solution is extensible in order to support the planned launch of 802.1X supplicant capability on Cisco IP phones, as well as any 3rd-party IP phones with 802.1X capability
The solution supports both static and dynamic configuration on IP phones (for the VVID)
Non-Cisco phone authenticated by MAB
3. Data VLAN VP state machine is in blocking state and Voice VLAN VP state machine is in ask state
4. Authorized link
Sequence: 802.1X times out (the phone is not allowed to communicate to the network yet); the switch initiates a MAB Access-Request on behalf of the phone; the switch receives an Access-Accept and the information that the device is an IP phone, so port forwarding is allowed on either VLAN; the non-Cisco phone continues to send traffic, which is now allowed on the PVID as a result of authenticating the MAC address; the phone then reboots onto the VVID normally
Example
Switch#sh dot1x int g1/0/1 details
Dot1x Info for GigabitEthernet8/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
Inactivity                = None
Guest-VLAN                = 401

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 1222.c0a8.0102
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 100

Domain                    = VOICE
Supplicant                = 000f.8fb7.16a0
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Vlan Policy               = N/A

Multi-domain mode allows any combination of 802.1X and MAB for the phone, and any combination of 802.1X, MAB, Guest-VLAN, AuthFail-VLAN and AAAFail-VLAN for the PC
Here the PC is authenticated by 802.1X and the phone by MAB
PC leaves a MAB-authenticated port
802.1X addressed this issue by having the phone send EAPOL-Logoff when the 802.1X device leaves the port
MAB has the same issue as 802.1X, except there is no control plane between the switch and the phone for MAB
As was the case with 802.1X before Cisco phones supported EAPOL-Logoff, this situation can lead to security violations
Workaround is the MAB inactivity timer; currently on the 3k and 6k (CatOS)
IOS:
switchport port-security
dot1x mac-auth-bypass timeout inactivity 30
Intel vPro embedded trust agent and 802.1X
Embedded Trust boot breaks in 802.1x enterprise networks
Step 2: the BIOS-PXE RemoteAgent sends the authentication response to the switch
Step 3: authentication credentials are passed on to ACS (RADIUS server) for verification
Step 4: the RADIUS server grants the client access to the network
Step 5: the PXE boot agent (BIOS on the client) downloads the OS from the PXE server
Step 6: the OS boots on the client
Diagram components: Intel Core 2 Duo Processor (CPU); Intel Q35 Express Chipset* with (G)MCH, Manageability Engine, Embedded Trust Agent and DDR2; RADIUS Server; Management Console; Corporate Network; 802.1x-enabled switch; PXE server. Legend: System Off / System On / Out-of-band
* Available in a future release of products via firmware upgrade
Intel vPro Processor Technology Cisco Network Admission Control support includes the Mobile Intel GM965 Express Chipset with the ICH8M-Enhanced
Workaround
Make sure all managed assets are in a MAC address database and assign the device to the same VLAN with MAB
Summary
IBNS improves enterprise security
IBNS improves enterprise visibility
IBNS is a platform for other security initiatives, e.g. NAC
Keys to success:
  Understand your security requirements
  Choose the right EAP type and supplicant for your network
  Understand the Windows boot process
  Use new features to support IP Telephony
Q and A