
Deploying Wired 802.1X
BRKSEC-2005


2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Housekeeping

- We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions
- Please remember this is a 'non-smoking' venue!
- Please switch off your mobile phones
- Please make use of the recycling bins provided
- Please remember to wear your badge at all times, including the Party


Session Objective

- Understand base 802.1X concepts
- Learn the benefits of deploying 802.1X
- Learn how to configure and deploy 802.1X
- Learn lessons on how to make it work when you get back to your lab


Agenda

- 802.1X and Wired Access
- Default Functionality
- Deployment Considerations
- Reporting and Monitoring
- Looking Forward
- Deployment Case Study


What We Won't Be Covering

- AAA authentication on routers
- IPSec authentication
- In-depth concepts of identity management and single sign-on (upper-layer identity)
- Specific Extensible Authentication Protocol (EAP) methods in depth
- X.509 certificates and PKI
- Wireless LAN 802.1X
- Switch features that are not consistent across platforms
- CatOS

802.1X and Wired Access


Why Is 802.1X Important in the Campus?

- Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out.
- Where can you go? Based on the authentication, the user is placed in the correct VLAN. Keep the insiders honest.
- What service level do you receive? The user can be given per-user services (ACLs today, more to come). Personalize the network.
- What are you doing? The user's identity and location can be used for tracking and accounting. Increase network visibility.


Basic Identity Concepts

What is an identity? An assertion of who we are; it allows us to differentiate between one another.

What does it look like? Typical network identities include:
- Username / password
- Email: jdoe@foo.com
- MAC address: 00-0c-14-a4-9d-33
- IP address: 10.0.1.199
- Digital certificates

How do we use identities? They are used to grant the appropriate authorization rights to services within a given domain.

What Is Authentication? Authorization?

Authentication is the process of establishing and confirming the identity of a client requesting services. Authentication is only useful if it is used to establish a corresponding authorization (e.g. access to a bank account).

"I'd like to withdraw 200.00 Euros, please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here's your Euros."

An authentication system is only as strong as the method of verification used.

Identity and Authentication Are Important?


Applying the Authentication Model to the Network

"I'd like to connect to the network." "Identification required." "Here is my identification." "Identification verified, access granted!"

Identity-Enabled Networking


Default Functionality


IEEE 802.1X

- Standard set by the IEEE 802.1 working group
- A framework designed to address and provide port-based access control using authentication
- 802.1X is primarily an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
  - Layer 2 protocol for transporting authentication messages (EAP) between the supplicant (user/PC) and the authenticator (switch or access point)
  - Assumes a secure connection
- Actual enforcement is via MAC-based filtering and port-state monitoring


802.1X Port Access Control Model

- Supplicant (desktop/laptop, IP phone, WLAN AP, switch): requests service (connectivity) from the authenticator over Layer 2
- Authenticator (switch, router, WLAN AP): relies on the authentication server for backend authentication support over Layer 3
- Authentication server (IAS / NPS, ACS, any IETF RADIUS server): integrates with the identity store
- Identity store/management: MS Active Directory, LDAP, NDS, ODBC


802.1X Protocols

- Supplicant to authenticator: EAP over LAN (EAPoL) or EAP over WLAN (EAPoW), Layer 2
- Authenticator to authentication server: RADIUS, Layer 3
- Authentication server to identity store: store-dependent
- EAP itself is carried end to end between the supplicant and the authentication server


802.1X: Extensible Authentication Protocol (EAP)

- Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges
- EAP provides a flexible link-layer security framework
  - Simple encapsulation protocol
  - No dependency on IP
  - Few link-layer assumptions; can run over any link layer (PPP, 802, etc.)
  - Assumes no reordering
  - Can run over lossy or lossless media
- Defined by RFC 3748



802.1X: RADIUS

- RADIUS acts as the transport for EAP from the authenticator to the authentication server
- RFC 3579 defines how RADIUS should support EAP between the authenticator and the authentication server
- Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload
- RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs (Attribute-Value Pairs): IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
- Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580


A Closer Look: IOS Switch Configuration

The port starts out Unauthorized. Cisco IOS:

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 10.100.100.100
    radius-server key cisco123
    dot1x system-auth-control
    interface GigabitEthernet1/0/1
     authentication port-control auto
     dot1x pae authenticator


A Closer Look: The 802.1X Exchange

1. Port Unauthorized
2. EAPOL-Start from the supplicant
3. EAP-Identity-Request from the switch; EAP-Identity-Response from the supplicant
4. EAP-Auth Exchange (EAP-method dependent): the actual authentication is between the client and the auth server using EAP. The switch is an EAP conduit, but aware of what's going on; it relays the exchange to the AAA server over RADIUS
5. Auth Success & Policy Instructions from the AAA server
6. EAP-Success to the supplicant; Port Authorized
7. EAPOL-Logoff from the supplicant; Port Unauthorized


Default Security with 802.1X: Before Authentication

    interface fastEthernet 3/48
     authentication port-control auto

- No visibility (yet)
- Strict access control
- One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
- ALL traffic except EAPoL is dropped



Default Security with 802.1X: After Authentication

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator

- User/device is known (Authenticated User: Sally)
- Identity-based access control
- Single MAC per port
- Looks the same as without 802.1X
- Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.


Default Security: Consequences

Default 802.1X challenge: devices without supplicants can't send EAPoL. No EAPoL = no access.

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator

- One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)
- The device stays offline: no EAPoL / no access


Default Security: More Consequences

Multiple MACs on a port are assumed to be malicious: hubs, gratuitous ARPs, VMware.

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator


Deployment Considerations


802.1X Deployment Considerations

- Non-802.1X Clients & Guests
- Failed Access Handling
- RADIUS Availability
- Flexible Authentication Sequencing
- Multiple Devices Per Port
- Authorization
- Authentication and Endpoint Considerations
- 802.1X and Microsoft Windows
- Other Considerations

Handling Non-802.1X Clients & Guests

- Authenticate via a less-secure method: MAC Authentication Bypass (MAB), Web Auth (client must have a browser)
- Give them limited access after timeout and no response: Guest VLAN
- Allow WLAN access instead of wired: WLAN is a great way to do guest access if available


802.1X with Guest VLAN

    authentication event no-response action authorize vlan 50

802.1X process:
1. Upon link up, the switch sends EAP-Identity-Request (D = 01.80.c2.00.00.03); no response
2. 30 seconds later: EAP-Identity-Request again; no response
3. 30 seconds later: EAP-Identity-Request again; no response
4. 30 seconds later: the switch sends EAP-Success (D = 01.80.c2.00.00.03) and the port is deployed into the Guest VLAN

- Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
- A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
- No further security or authentication is applied. It's as if the administrator deconfigured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN
- 90 seconds is greater than the MSFT DHCP timeout

MAC Authentication Bypass (MAB)

    interface GigabitEthernet 1/1
     mab

Dot1x/MAB process:
1. Upon link up: EAPOL-Request (Identity) to D = 01.80.c2.00.00.03; no response
2. 30 seconds later: EAPOL-Request (Identity); no response
3. 30 seconds later: EAPOL-Request (Identity); no response
4. 30 seconds later: EAPOL timeout; the switch initiates MAB
5. Variable: the switch learns the client MAC (00.0a.95.7f.de.06)
6. RADIUS-Access Request carrying the MAC address
7. RADIUS-Access Accept
8. Port enabled



MAB Limitations & Challenges

- MAB requires creating and maintaining a MAC database
- Default 802.1X timeout = 90 seconds
  - 90 sec > default MSFT DHCP timeout
  - 90 sec > default PXE timeout
  - Current workaround: timer tuning (always requires testing)
    - max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
    - tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
    - 802.1X Timeout == (max-reauth-req + 1) * tx-period


NAC Profiler: Query MAC Database After Deploying 802.1X

    interface range gigE 1/0/1 - 24
     switchport access vlan 30
     switchport voice vlan 31
     authentication port-control auto
     mab

1) 802.1X times out, the switch initiates MAB (client MAC 00-18-f8-09-cf-d7; RADIUS-Access Request: 00-18-f8-09-cf-d7)
2) ACS queries the NAC Profiler database using LDAP (LDAP: 00-18-f8-09-cf-d7)
3) Profiler validates the MAC address (LDAP Success)
4) ACS sends MAB success (RADIUS-Access Accept)
5) Switch enables the port (with optional authorization)


Microsoft AD as MAB Database (DB)

For Your Reference

- AD can be used as a MAB DB using a user object. The username and password will be the MAC address of the device.
  - Many useless objects
  - May conflict with a complex password policy
- Can create a lightweight AD instance for this purpose that can be referred to via LDAP; can use the ieee802Device object class for the MAB database.
  - Reduces object count
  - No conflict with a complex password policy
  - Windows Server 2003 RC2 and Windows Server 2008


Web-Based Proxy Authentication

1. No EAPOL: the 802.1X process times out
2. Client initiates a connection, which activates the port authentication state machine; the switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
3. Switch port relays the DHCP address from the DHCP server
4. User starts a web browser and initiates a web connection
5. Switch port redirects the URL and presents an HTTP form prompting for userid/password
6. User enters credentials; they are checked against the RADIUS DB via PAP (RADIUS process)
7. If authenticated, the switch port is opened for normal network access


802.1X Client Without Valid Credential: Authentication Failures

Parties: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS).

1. EAPOL-Start* from the supplicant
2. EAP-Identity-Exchange between supplicant and switch
3. RADIUS-Access-Request from the switch to the RADIUS server
4. RADIUS-Access-Request / EAP-Data-Request: the EAP exchange (method dependent) is relayed between supplicant and server
5. RADIUS-Reject from the server
6. EAPOL-Failure to the supplicant; the port never grants access

* Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange depends on the method.

This works great in preventing rogue access to a network! This is a primary reason enterprises look to deploy 802.1X/Identity Networking! This is also the problem! (How should we provide access to devices that fail?)


Why Provide Access to Devices that Fail?

("Certificate Expired!" / "User Unknown!")

- Employees' credentials expire or are entered incorrectly
- As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default
- Many enterprises require that guests and failed corporate assets get conditional access to the network
  - Re-provision credentials through a web proxy or VPN tunnel
  - Provide guest access through VLAN assignment or web proxy

Failed Auth: Solution 1: Auth-Fail VLAN

    interface GigabitE 3/13
     authentication port-control auto
     authentication event fail action authorize vlan 51

Parties: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS). Sequence: EAP-Identity-Exchange, RADIUS-Access-Request, EAP-Data-Request / EAP exchange, RADIUS-Reject, EAPOL-Failure; this repeats, and on the third consecutive failure the port is enabled and an EAPOL-Success is transmitted. The port is now granted access.

802.1X with Auth-Fail VLAN: Deployment Considerations

1. Supplicant cannot exit the Auth-Fail VLAN. Only alternatives: switch-initiated re-authentication or port bounce
2. No secondary authentication mechanism
3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization, so the centralized policy on the AAA server is not enforced
4. Switch and AAA server have conflicting views of the network: the switch shows Access Granted (Auth-fail VLAN) while the AAA server shows Access Denied


Failed Auth: Solution 2: Flex-Auth Next-Method

    interface GigabitE 3/13
     authentication port-control auto
     authentication order dot1x mab
     mab
     authentication event fail action next-method

Parties: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS). Sequence: EAP-Identity-Response; RADIUS-Access-Request: EAP; RADIUS-Access-Response / EAP-Request; EAP exchange; RADIUS-Reject; the switch learns the MAC; RADIUS-Access-Request: MAC; RADIUS-Access-Accept. On 802.1X failure, the port continues to the next authentication method (MAB). The port is now granted access based on the MAB authorization.

802.1X with Next-Method MAB: Deployment Considerations

- MAC database required
- Policy decision: should 802.1X-capable devices get the same access level if they authenticate via MAB after failing 802.1X? (MAB-assigned VLAN)



The Problem: RADIUS Unavailable

1. EAP-Identity-Exchange between client and switch
2. RADIUS-Access-Request sent to the RADIUS server and retransmitted; no answer
3. EAPOL-Failure to the client; the port is not granting access


Inaccessible Authentication Bypass

IOS:

    dot1x critical recovery delay 100
    radius-server host x.x.x.x test username [username]
    radius-server dead-criteria 15 tries 3
    interface GigabitEthernet 1/0/1
     dot1x critical
     authentication event server dead action authorize vlan 100
     authentication event server alive action reinitialize

- While the RADIUS server is dead, the port is authorized
- RADIUS server comes back: immediate reinitialize of the 802.1X state machine: EAP-Identity-Request, EAP-Identity-Response, EAP-Auth exchange with the AAA server, EAP-Success/Failure (authentication successful/rejected)




Flexible Authentication Sequencing (Flex-Auth)

Flex-Auth fallback examples we've already seen:
- Configurable behavior after 802.1X failure:
    authentication event fail action authorize vlan X
    authentication event fail action next-method
- Configurable behavior after 802.1X timeout:
    authentication event no-response action authorize vlan Y
- Configurable behavior before & after the AAA server dies:
    authentication event server dead action authorize vlan Z
    authentication event server alive action reinitialize

Two more features complete Flex-Auth:
    authentication order
    authentication priority

Flex-Auth Sequencing

Default Order: 802.1X First. By default, the switch attempts the most secure auth method first: 802.1X, (802.1X timeout), MAB, (MAB fails), Guest VLAN. The timeout can mean a significant delay before MAB.

Flex-Auth Order: MAB First. The alternative order does MAB on the first packet from the device: MAB, (MAB fails), 802.1X, (802.1X timeout), Guest VLAN.
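The two orders above, as an added Python model that is not part of the deck (it also covers the timeout formula from the MAB limitations slide): it walks the configured method order and reports which method admits a device and how long it waited. Timer defaults and the formula come from the deck; the endpoint attributes and the simplifying assumption that MAB's first packet and RADIUS round trips take no time are mine.

```python
"""Added example, not from the BRKSEC-2005 deck: a model of Flex-Auth sequencing."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortConfig:
    order: Tuple[str, ...] = ("dot1x", "mab")   # authentication order dot1x mab
    max_reauth_req: int = 2                      # dot1x max-reauth-req (IOS default)
    tx_period: int = 30                          # dot1x timeout tx-period (IOS default)
    guest_vlan: Optional[int] = None             # event no-response action authorize vlan X
    fail_action: Optional[object] = None         # None, "next-method", or an Auth-Fail VLAN id


@dataclass
class Endpoint:
    has_supplicant: bool      # does it answer EAP-Identity-Request at all?
    dot1x_ok: bool = False    # valid credentials (only meaningful with a supplicant)
    mac_known: bool = False   # is its MAC in the MAB database?


def dot1x_timeout(port: PortConfig) -> int:
    """802.1X timeout == (max-reauth-req + 1) * tx-period (the deck's formula)."""
    return (port.max_reauth_req + 1) * port.tx_period


def admit(port: PortConfig, ep: Endpoint) -> dict:
    """Walk the method order; return the admitting method, delay (s) and VLAN."""
    t = 0
    for method in port.order:
        if method == "dot1x":
            if not ep.has_supplicant:
                # Silent device: the switch retransmits EAP-Identity-Request
                # until the timer expires, then moves to the next method.
                t += dot1x_timeout(port)
                continue
            if ep.dot1x_ok:
                return {"method": "dot1x", "delay": t, "vlan": None}
            # Supplicant answered but RADIUS rejected it: apply the fail action.
            if port.fail_action == "next-method":
                continue
            if isinstance(port.fail_action, int):
                return {"method": "auth-fail-vlan", "delay": t, "vlan": port.fail_action}
            return {"method": None, "delay": t, "vlan": None}
        elif method == "mab":
            # MAB runs on the first packet from the device (assumed immediate).
            if ep.mac_known:
                return {"method": "mab", "delay": t, "vlan": None}
            continue  # MAB failed: try the next method
        else:
            raise ValueError(f"unknown method {method}")
    # Guest VLAN is a no-response action: only a device that never sent EAPOL
    # qualifies (the deck: deployed "based on the lack of response").
    if not ep.has_supplicant and port.guest_vlan is not None:
        return {"method": "guest-vlan", "delay": t, "vlan": port.guest_vlan}
    return {"method": None, "delay": t, "vlan": None}


def exceeds_budget(result: dict, budget_seconds: int) -> bool:
    """True when admission takes longer than the endpoint tolerates, e.g. a DHCP
    or PXE client that gives up before MAB gets its chance."""
    return result["delay"] > budget_seconds


if __name__ == "__main__":
    printer = Endpoint(has_supplicant=False, mac_known=True)
    for cfg in (PortConfig(order=("dot1x", "mab")),
                PortConfig(order=("mab", "dot1x")),
                PortConfig(order=("dot1x", "mab"), max_reauth_req=1, tx_period=10)):
        print(cfg.order, cfg.max_reauth_req, cfg.tx_period, admit(cfg, printer))
```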


Flex-Auth Order with Flex-Auth Priority

Default Priority: 802.1X ignored after successful MAB. MAB, MAB passes, port authorized by MAB, EAPoL-Start received, ignored.

Flex-Auth Priority: 802.1X starts despite successful MAB. MAB, MAB passes, port authorized by MAB, EAPoL-Start received, 802.1X runs.

- Priority determines which method can preempt other methods.
- By default, the method sequence determines priority (the first method has the highest priority).
- If MAB has priority, EAPoL-Starts will be ignored if MAB passes.


802.1X & IPT: A Special Case

Voice Ports: with voice ports, a port can belong to two VLANs while still allowing the separation of voice/data traffic and enabling you to configure 802.1X. An access port able to handle two VLANs:
- Native or Port VLAN Identifier (PVID): untagged 802.3, authenticated by 802.1X
- Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q, authenticated by CDP

Hardware set to dot1q trunk.


802.1X and Voice: Multi-Domain Authentication (MDA)

- IEEE 802.1X: single device per port
- MDA: single device per domain per port (two domains per port)
- Phone authenticates in the Voice Domain and tags its traffic (802.1q) in the VVID
- Data PC authenticates in the Data Domain; untagged traffic in the PVID
- MDA replaces CDP Bypass
- Supports Cisco & 3rd-party phones
- Phones and PCs use 802.1X or MAB
- Minimum releases: 3K: 12.2(35)SEE, 4K: 12.2(37)SG, 6K: 12.2(33)SXI



MDA for Any IP Phone

    interface GigE 1/0/5
     authentication host-mode multi-domain
     authentication port-control auto
     dot1x pae authenticator
     mab

No supplicant on the phone:
1) Phone learns the VVID from CDP (Cisco phone)
2) 802.1X times out
3) Switch initiates MAB (Access-Request: Phone MAC)
4) ACS returns Access-Accept with the Phone VSA
5) Phone traffic is allowed on either VLAN until it sends a tagged packet, then only on the voice VLAN
6) (Asynchronous) PC authenticates using 802.1X or MAB; PC traffic is allowed on the data VLAN only

MDA in Action

Phone authenticated by MAB, PC authenticated by 802.1X. Either 802.1X or MAB for the phone; any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for the PC.

    ID-6500a#sho authentication session int g 7/1
    Interface: GigabitEthernet7/1
    MAC Address: 000f.2322.d9a2
    IP Address: 10.6.110.2
    User-Name: 00-0F-23-22-D9-A2
    Status: Authz Success
    Domain: VOICE
    Oper host mode: multi-domain
    Oper control dir: both
    Posture Token: Unknown
    Authorized By: Authentication Server
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A00645A0000000102124450
    Acct Session ID: 0x00000007
    Handle: 0x1D000001
    --snip--
    Interface: GigabitEthernet7/1
    MAC Address: 000d.60fc.8bf5
    IP Address: 10.6.80.2
    User-Name: host/beta-supp
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: both
    Posture Token: Healthy
    Authorized By: Authentication Server
    Vlan Policy: 80
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A00645A000000020213FF9C
    Acct Session ID: 0x00000008
    Handle: 0x6E000002
    Runnable methods list:
    Method State
    dot1x Authc Success
    mab Not run
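Parsing that output, as an added example that is not from the deck: a small Python parser for the "show authentication session" text, a heuristic that tells a MAB session from an 802.1X one (a MAB session carries the MAC itself as User-Name, as the phone above does), and a check of the MDA rule of one device per domain per port. The sample is constructed to mirror the deck's output with the same values, one field per line.

```python
"""Added example, not from the BRKSEC-2005 deck: parse IOS authentication sessions."""
import re

# Constructed sample mirroring the deck's output (same values, one field per line).
SAMPLE = """\
Interface:  GigabitEthernet7/1
MAC Address:  000f.2322.d9a2
IP Address:  10.6.110.2
User-Name:  00-0F-23-22-D9-A2
Status:  Authz Success
Domain:  VOICE
Oper host mode:  multi-domain
Oper control dir:  both
Posture Token:  Unknown
Authorized By:  Authentication Server
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A00645A0000000102124450
Acct Session ID:  0x00000007
Handle:  0x1D000001
--snip--
Interface:  GigabitEthernet7/1
MAC Address:  000d.60fc.8bf5
IP Address:  10.6.80.2
User-Name:  host/beta-supp
Status:  Authz Success
Domain:  DATA
Oper host mode:  multi-domain
Oper control dir:  both
Posture Token:  Healthy
Authorized By:  Authentication Server
Vlan Policy:  80
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A00645A000000020213FF9C
Acct Session ID:  0x00000008
Handle:  0x6E000002
Runnable methods list:
  Method   State
  dot1x    Authc Success
  mab      Not run
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")


def parse_sessions(text):
    """Return one dict per session; 'methods' holds the runnable-methods table."""
    sessions, cur, in_methods = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("--snip"):
            continue
        if s.startswith("Interface:"):          # each session block starts here
            cur, in_methods = {"methods": {}}, False
            sessions.append(cur)
        if cur is None:
            continue                            # command echo before the first block
        if s.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods and not s.startswith("Method"):
            name, state = s.split(None, 1)      # e.g. "dot1x    Authc Success"
            cur["methods"][name] = state
        elif not in_methods:
            m = FIELD.match(s)
            if m:
                cur[m.group(1)] = m.group(2)
    return sessions


def normalize_mac(s):
    """Accept 000f.2322.d9a2 or 00-0F-23-22-D9-A2; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", s or "")
    return digits.lower() if len(digits) == 12 else None


def auth_method(session):
    """Heuristic: a successful dot1x method, or a User-Name that is not the MAC,
    means 802.1X; a User-Name equal to the MAC means the session came from MAB."""
    if session["methods"].get("dot1x") == "Authc Success":
        return "dot1x"
    mac = normalize_mac(session.get("MAC Address"))
    if mac and normalize_mac(session.get("User-Name")) == mac:
        return "mab"
    return "dot1x"


def check_mda(sessions):
    """Flag a second device in the same domain on one port (MDA allows one per domain)."""
    seen, problems = {}, []
    for s in sessions:
        key = (s["Interface"], s.get("Domain"))
        if key in seen:
            problems.append(f"{key[0]} {key[1]}: {s['MAC Address']} after {seen[key]}")
        seen[key] = s["MAC Address"]
    return problems
```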


IPT & 802.1X: The Link-State Problem

1) Legitimate users cause a security violation: the port is authorized for 0011.2233.4455 only. When device A (source 0011.2233.4455) is unplugged from behind the phone and device B (source 6677.8899.AABB) is plugged in, the switch sees a second MAC on the port and raises a security violation.

2) Hackers can spoof the MAC to gain access without authenticating: after device A (source 0011.2233.4455) is unplugged, a device sending with source 0011.2233.4455 inherits the still-authorized session. Security hole.


Previous Solution: Proxy EAPoL-Logoff

- Start: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
- PC-A unplugs: the phone sends a proxy EAPoL-Logoff; the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED)
- PC-B plugs in: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

Requires: logoff-capable phones.
Caveats: only for 802.1X devices behind the phone.


Previous Solution: MAB Inactivity Timeout

    interface GigE 1/0/5
     switchport mode access
     switchport access vlan 2
     switchport voice vlan 12
     authentication host-mode multi-domain
     authentication port-control auto
     authentication timer inactivity 300
     mab

- Start: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
- Device unplugs: the session remains (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB); vulnerable to security violation and/or hole
- Inactivity timer expires: the session is cleared (Domain = DATA, Port Status = UNAUTHORIZED); vulnerability closed

Caveats: quiet devices may have to reauth; network access is denied until re-auth completes. Still a window of vulnerability.
Minimum releases: 3K: 12.2(35)SE, 4K: 12.2(50)SG, 6K: 12.2(33)SXI


NEW Solution: CDP 2nd Port Notification

- Start: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
- Device A unplugs: the phone sends a link-down TLV to the switch (CDP Link Down); the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED)
- Device B plugs in: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

- The link status message addresses the root cause
- Works for MAB and 802.1X
- Nothing to configure
- Minimum releases: IP Phone: 8.4(1), 3K: 12.2(50)SE, 4K: 12.2(50)SG, 6K: 12.2(33)SXI


Modifying Default Security with 802.1X: Multi-Auth Mode

    interface fastEthernet 3/48
     authentication port-control auto
     authentication host-mode multi-auth

- Multiple MACs on the port; each MAC is authenticated (802.1X or MAB)
- No VLAN assignment supported
- Superset of MDA with multiple data devices per port


Authorization

- Authorization is the embodiment of the ability to enforce policies on identities
- Typically policies are applied using a group methodology, which allows for easier manageability
- The goal is to take the notion of group management and policies into the network
- Types of authorization:
  - Default: closed until authenticated
  - Dynamic: VLAN assignment, ACL assignment
  - Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN


Changing the Default Authorization: Open Access

Open Mode (no restrictions): authentication is performed, but there is no access control.

    interface GigabitE 3/13
     authentication port-control auto
     authentication open
     mab


Open Access Application 1: Monitor Mode

- Monitor the network, see who's on, and address future connectivity problems by installing supplicants and credentials and creating the MAB database
- TO DO before implementing access control: confirm that all these should be on the network; install supplicants on X, Y, Z clients; upgrade credentials on failed 802.1X clients; update the MAC database with failed MABs
- RADIUS accounting logs provide visibility: passed/failed 802.1X/EAP attempts (list of valid 802.1X-capable clients, list of non-802.1X-capable clients); passed/failed MAB attempts (list of valid MACs, list of invalid or unknown MACs)

Open Mode Application 2: Selectively Open Mode

Selectively open access: open mode (pinhole) on specific TCP/UDP ports, restricted to specific addresses.

    interface GigabitE 3/13
     authentication port-control auto
     authentication open
     ip access-group UNAUTH in

- EAP allowed (controlled port)
- Pinhole explicit TCP/UDP ports to allow the desired access
- Block general access until successful 802.1X, MAB or WebAuth
- Download a general-access ACL upon authentication


Open Mode with Dynamic ACLs (Slide Source: Ken Hook)

Topology: wired Ethernet endpoints on a Catalyst 6500 802.1X Ethernet port; ACS/AAA server; DHCP/DNS server 10.100.10.116; PXE server 10.100.10.117; PXE client IP 10.100.60.200. Before authentication only EAP, DHCP and DNS are allowed; after authentication, ANY.

    Switch#show tcam interface g1/13 acl in ip

Before authentication:

    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

After authentication:

    permit ip host 10.100.60.200 any
    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

Sample Open Mode Configs:

    interface range gigE 1/0/1 - 24
     switchport access vlan 30
     switchport voice vlan 31
     ip access-group UNAUTH in
     authentication host-mode multi-domain
     authentication open
     authentication port-control auto
     mab

    ip access-list extended UNAUTH
     permit tcp any any established
     permit udp any any eq bootps
     permit udp any host 10.100.10.116 eq domain
     permit udp any host 10.100.10.117 eq tftp

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

78

Dynamic Authorization: VLAN Assignment

Dynamic VLAN assignment based on the identity of the group, or the individual, at the time of authentication
VLANs assigned by name, which allows for more flexible VLAN management
Tunnel attributes are used to send VLAN configuration information back to the authenticator
Tunnel attributes are defined by RFC 2868
Usage for VLANs is specified in the 802.1X standard

802.1X with VLAN Assignment

AV pairs used (all are IETF standard):
  [64] Tunnel-Type = VLAN (13)
  [65] Tunnel-Medium-Type = 802 (6)
  [81] Tunnel-Private-Group-ID = <VLAN name>, e.g. Marketing

Switch configuration required for the authorization to be applied:
  aaa authorization network default group radius

The VLAN name must match the switch configuration; a mismatch results in authentication failure.

URL Redirect

Client authentication process (RADIUS):
  1. 802.1X/MAC authentication
  2. RADIUS authorizes the port with a URL redirect
  3. User initiates a web connection
  4. Switch port redirects to the web page

Requires HTTP on the switch
Mainly used for custom notification at this time
Future integration with other Cisco products
Does not authenticate via the web natively on the switch

Authorization Recommendations

All authorization (VLAN, dACL, etc.) is completely optional
Only use it if you have to separate users due to a business requirement
Most enterprises do not have this requirement for known users
Leave the port in its default VLAN, or assign the VLAN during machine authentication if possible

802.1X Deployment Considerations

  Non-802.1X Clients & Guests
  Failed Access Handling
  RADIUS Availability
  Flexible Authentication Sequencing
  Multiple Devices Per Port
  Authorization
  Authentication and Endpoint Considerations
  802.1X and Microsoft Windows
  Other Considerations

802.1X Authentication Database

Where is the single source of authentication credentials for the enterprise?
Do you have to build new trust, or extend trust, between databases?
Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases
The EAP method may place requirements on the authentication database, for example if MS-CHAPv2 is required for password authentication

Supplicant Considerations

Microsoft Windows
  User and machine authentication
  DHCP request time-out
  Machine authentication restriction
  Default methods: MD5, PEAP, EAP-TLS

Unix/Linux considerations
  Open source: xsupplicant project (University of Utah)
  Available from http://www.open1x.org
  Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Native Apple supplicant support in OS X 10.3
  802.1X is turned off by default!
  Default parameters: TTLS, LEAP, PEAP, MD5, FAST supported
  Support for AirPort and wired interfaces
  In 10.5 single sign-on (SSO) can be accomplished for system or user, not both at the same time

Cisco Secure Services Client (SSC)

Introduces features over and above the native supplicants

Features
  Robust profile management
  Support for industry standards
  Endpoint integrity
  Single sign-on capable
  Enabling of group policies
  EAP types: PEAP, TLS, FAST, etc.
  Management interfaces
  Automatic VPN initiation
  Administrative control
  Centralized provisioning
  Windows XP, 2003, Vista

Benefits
  Simple, secure device connectivity
  Minimizes chances of network compromise from infected devices
  Reduces complexity
  Restricts unauthorized network access

802.1X Deployment Considerations

  Non-802.1X Clients & Guests
  Failed Access Handling
  RADIUS Availability
  Flexible Authentication Sequencing
  Multiple Devices Per Port
  Authorization
  Authentication and Endpoint Considerations
  802.1X and Microsoft Windows
  Other Considerations

Windows Boot Cycle Overview

[Figure: Windows boot timeline, built on the inherent assumption of network connectivity. Stages shown: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading; Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update; GINA; Kerberos Auth (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB). With 802.1X user authentication only, the earliest network connectivity is at GINA.]

X = components that depend on network connectivity
Components before GINA that depend on the network are broken with 802.1X user authentication only

Problem 1: Microsoft Issues with DHCP

DHCP is a parallel event, independent of 802.1X authentication
With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)
DHCP starts once the interface comes up
If 802.1X authentication takes too long, DHCP may time out

[Figure: boot timeline. Power Up, Load NDIS Drivers, then DHCP (times out at 62 seconds) running in parallel with 802.1X authentication (variable timeout), followed by Setup Secure Channel to DC and Present GINA (Ctrl-Alt-Del) Login.]

Problem 2: Machine GPOs Broken

What is a Group Policy?
Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment

Types of Group Policy
  Registry-based policy
  Security options
  Software installation and maintenance options
  Scripts options
  Folder redirection options

The Solution: Machine Authentication

What is machine authentication?
The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session

What is it used for?
Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies

Why do we care?
Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP and the machine-based group policy model UNLESS the machine can authenticate using its own identity in 802.1X

802.1X VLAN Assignment

Problem 1: DHCP Renewal
When using dynamic VLAN assignment with user & machine authentication, the host's VLAN can change when the user logs in.
The IP address may need to change also.

Supplicant behavior has been addressed by Microsoft
  Windows XP: install Service Pack 1a + KB 826942
  Windows 2000: install Service Pack 4
  Needed for VLAN assignment with Wireless Zero Config

Updated supplicants trigger DHCP IP address renewal
  Successful authentication causes the client to ping the default gateway (three times) with a sub-second timeout
  Lack of an echo reply will trigger a DHCP IP renew
  A successful echo reply will leave the IP as is
  The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming

DHCP and 802.1X (For Your Reference)

Windows XP: Install Service Pack 1a + KB 826942; Windows 2000: Install Service Pack 4

[Figure: message sequence between Supplicant, Authenticator and Authentication Server]
  Supplicant -> Authenticator: Login Req.
  Authenticator -> Supplicant: Send Credentials
  Authenticator -> Authentication Server: Forward Credentials to ACS Server
  Authentication Server -> Authenticator: Auth Successful (EAP-Success), VLAN Assignment
  Authenticator -> Supplicant: Accept
  Supplicant: ICMP Echo (x3) for Default GW from Old IP as soon as the EAP-Success frame is received
  Supplicant: DHCP-Request (D=255.255.255.255) after the pings have gone unanswered
  DHCP server: DHCP-NAK (Wrong Subnet)
  Supplicant: DHCP-Discover (D=255.255.255.255)
  At this point, DHCP proceeds normally

Problem 2: Real Boot Sequence & VLAN Assignment

[Figure: the Windows boot timeline from the overview slide, with 802.1X Machine Auth placing the port in the Machine VLAN after Device Driver Loading and 802.1X User Auth placing it in the User VLAN at GINA. Stages shown: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading; Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update; GINA; Kerberos Auth (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB). Fast Logon Optimization is noted; six components are marked X as being in a race condition with 802.1X auth.]

Start of 802.1X auth may vary among supplicants
Problem 3: VLAN Assignment and GPOs

[Figure: the same boot timeline, with 802.1X Machine Auth placing the host in VLAN1 (10.1.1.1) and 802.1X User Auth at GINA moving it to VLAN2 (99.1.1.1). Stages shown: Power On; Kernel Loading; Windows HAL Loading; Device Driver Loading; Obtain Network Address (Static, DHCP); Determine Site and DC (DNS, LDAP); Establish Secure Channel to AD (LDAP, SMB); Kerberos Authentication (Machine Account); Computer GPOs Loading (Async); GPO based Startup Script Execution; Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update; GINA; Kerberos Auth (User Account); User GPOs Loading (Async); GPO based Logon Script Execution (SMB).]

Start of 802.1X auth may vary among supplicants
Components marked are in a race condition with 802.1X auth
Vista SP1/Windows 2008 and XP SP3

If the supplicant fails 802.1X authentication once, the supplicant goes down for twenty minutes before it tries again
  Vista SP1/Windows 2008: KB957931, http://support.microsoft.com/kb/957931
  XP SP3: KB coming soon
802.1X and Windows

Recommendations
  Machine authentication is mandatory for managed environments
  Consider machine authentication only
  Manage auth behavior on XP SP2/2000 via registry keys
    http://support.microsoft.com/kb/309448/en-us
    http://www.microsoft.com/technet/network/wifi/wififaq.mspx
  Manage the XP SP3/Vista supplicant through XML
    http://support.microsoft.com/kb/929847

Use the automatic provisioning built into AD if possible
  Machines are provisioned automatically with a machine password
  Certificates can be provisioned automatically via AD GPOs
VLANs and Windows: Recommendations

When using dynamic VLANs:
  Disable Fast Logon Optimization
  Use the same VLAN for machine and user authorization

VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)

Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on an L3 switch is limited. An ACL per port can be assigned by the RADIUS server per group.
802.1X Deployment Considerations

  Non-802.1X Clients & Guests
  Failed Access Handling
  RADIUS Availability
  Flexible Authentication Sequencing
  Multiple Devices Per Port
  Authorization
  Authentication and Endpoint Considerations
  802.1X and Microsoft Windows
  Other Considerations

Remote Desktop

XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode, which results in a machine auth.

Vista: leaves the local user logged onto the system, so it does not trigger an 802.1X auth.

If machine authentication and user authentication result in the same VLAN then there are no problems
If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off
SSC on XP provides the above solution
Pre eXecution Boot Environment (PXE) Default Security Impact

PXE BIOS needs network access within 60 seconds of link-up to download the bootable OS
Most PXE implementations do not support 802.1X. No 802.1X = no network access = no OS download.

One physical port -> two virtual ports
  Uncontrolled port (EAPoL only)
  Controlled port (everything else)

interface fastEthernet 3/48
 authentication port-control auto

With this default configuration ALL traffic from the PXE BIOS except EAPoL is dropped
PXE Solution 1: MAC Authentication Bypass (MAB) *

[Figure: sequence between the PXE BIOS client (00.0a.95.7f.de.06), the switch (Dot1x/MAB) and RADIUS]
  Upon link up the switch sends EAPOL-Request (Identity); the client's DHCP Discover 1 and 2 are dropped
  After 10 seconds: EAPOL-Request (Identity) again; DHCP Discover 3 dropped
  After another 10 seconds: EAPOL-Request (Identity) again
  After a further 10 seconds: EAPOL timeout, initiate MAB, learn MAC
  Switch -> RADIUS: RADIUS Access-Request for 00.0a.95.7f.de.06
  RADIUS -> Switch: RADIUS Access-Accept (variable time)
  Port enabled: DHCP Discover 4 succeeds and PXE continues

* exact packet sequence will vary

interface GigabitE 3/13
 authentication port-control auto
 dot1x timeout tx-period 10
 mab

PXE Solution 2: Open Mode with Interface ACL

Selectively Open Access

interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in

Open Mode (Pinhole)
  On specific TCP/UDP ports for PXE
  Restrict to specific addresses
  EAP allowed (controlled port)
  Download general-access ACL upon authentication
  Pinhole explicit TCP/UDP ports to allow the PXE BIOS the access it needs
  Block general access until successful MAB
Wake On LAN (WOL) and 802.1X

Selectively Open Access Outbound
Default: block outbound traffic until successful 802.1X/MAB

802.1X controls port traffic in BOTH directions
Use WOL support on the switch to allow outbound (from switch) traffic to wake up a WOL-capable device

interface GigabitE 3/13
 authentication port-control auto
 authentication control-direction in
Intel Advanced Management Technology (AMT): PXE and WoL Solution

AMT has a supplicant on the NIC
The AMT device is authenticated before the PXE BIOS runs, so PXE can proceed as if 802.1X were never enabled
The AMT device is authenticated after the device goes to sleep
Defends the IP address of the upper-layer OS: no more directed broadcasts for WoL magic packets

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

After authentication the port looks the same as without 802.1X (Authenticated User: AMT)
Monitoring and Troubleshooting


802.1X Monitoring and Troubleshooting

Major components of 802.1X monitoring
  RADIUS accounting
  NAD logs
  RADIUS logs
  NAD CLI
  SNMP on NAD

Major components of 802.1X troubleshooting
  Correlated log reports
  ACS View
  Third-party log analysis and reporting
  SNMP on NAD
  NAD CLI
802.1X with RADIUS Accounting

[Figure: Supplicant, 802.1X process and RADIUS process. 1: Authenticate; 2: EAPOL-Success once the Access-Accept arrives; 3: Accounting-Request; 4: Accounting-Response]

Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server
User-level events are tracked through the same mechanism
802.1X with RADIUS Accounting

Similar to other accounting and tracking mechanisms that already exist using RADIUS; can now be done through 802.1X
Increases network session awareness
Provides information to a management infrastructure about who logs in, session duration, basic billing usage reporting, etc.
Provides a means to map the information of authenticated sessions:
  Identity, Port, MAC, Switch = IP, Port, MAC, Switch
  Identity -> IP
  Switch + Port = Location

IOS:
 aaa accounting dot1x default start-stop group radius

Troubleshooting: Identify Points of Failure

It is important to understand the failure point in the picture
It is important to understand which issue causes which failures
In most cases the description of the symptom can be vague or misleading, and you must correlate separate pieces of information for problem resolution

ACS View 5.0 RADIUS Authentication


ACS View 5.0 Authentications Details


Simple Homegrown Tools


802.1X Port Config (For Your Reference)

interface GigabitEthernet7/1
 switchport
 switchport mode access
 switchport voice vlan 110
 ip access-group default_acl in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge

ID-6500a#sho authentication session interface gigabitEthernet 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A00000007000E37CC
      Acct Session ID:  0x00000009
               Handle:  0x0E000007

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  50
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000D0030B498
      Acct Session ID:  0x00000011
               Handle:  0x1500000D

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

EAP Problem: Certificate Trust Issues

One of the most common issues seen in deployments and pilots

[Screenshots: the corresponding failed-authentication entries in ACS 4.2 and ACS 5.0]

802.1X Authorization Failure 1

In case network authorization is NOT ENABLED on a NAD
  ACS Message Type: Authentication Successful
  Authentication Failure Reason (AFR): there is no AFR associated with this error since authentication succeeds
  User Experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

The following CLI is missing:
 aaa authorization network default group radius

VLAN assignment succeeds but assigns the port to VLAN 0
Session-Timeout (RADIUS attribute 27), the reauthentication timer value, is not assigned to the port

Since there is no VLAN 0, the default port VLAN is used for authorization, and if there is no DHCP set up for this VLAN the client can't obtain an IP address. The reauthentication timer also becomes 0, which means there will be no reauthentication. The supplicant might try to re-DHCP if it can't get an IP address.

802.1X Authorization Failure 1

ID-6500a#debug condition interface GigabitEthernet 7/1
ID-6500a#debug auth feature vlan_assign event      (new feature)
Auth Feature vlan_assign events debugging is on
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1

ID-6500a#sho authentication sess interface g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000E005DD8A8
      Acct Session ID:  0x00000013
               Handle:  0xF900000E

802.1X Authorization Failure 2

In case an invalid RADIUS attribute is sent in the RADIUS Access-Accept
  ACS Message Type: Authen Successful
  AFR: there is no AFR associated with this error since authentication succeeds
  User Experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

A RADIUS Access-Accept with an invalid RADIUS attribute 81 is sent
The basic rule is that attribute 81 needs to be either a string or an integer. If a string, it needs to match a VLAN name that exists on the switch. If an integer, it needs to match a VLAN ID that exists on the switch.
Passed Authentications reports the authentication as successful; an authorization failure on the switch is NEVER reported back to ACS.

*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
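As an added example (not Cisco's code and not the IOS implementation), the block below encodes the three tunnel attributes from the 802.1X with VLAN Assignment slide and models the switch-side check this slide describes: attribute 81 must name a VLAN, or give a VLAN ID, that exists on the switch. The VLAN table is a constructed stand-in for the switch's VLAN database.

```python
"""RADIUS tunnel attributes for 802.1X VLAN assignment (RFC 2868 / RFC 3580)
and a model of the switch-side check behind Authorization Failure 2.

Added example, not Cisco code and not the IOS implementation: the VLAN
table is a constructed stand-in for 'show vlan' on the switch.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value for IEEE 802


def _tagged_int(attr, value, tag=1):
    """Tagged integer AVP: type, length, tag octet, 3-octet value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr, text, tag=1):
    """Tagged string AVP: type, length, tag octet, string bytes."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_assignment_avps(vlan):
    """Encode the three AVPs an Access-Accept carries to assign a VLAN.
    'vlan' is a VLAN name (str) or a VLAN ID (int); both travel in attribute 81 as text."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def parse_avps(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    pairs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr}")
        pairs.append((attr, blob[i + 2:i + length]))
        i += length
    return pairs


def _strip_tag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag, otherwise it is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def switch_vlan_check(blob, vlan_table):
    """Model the switch rule: attribute 81 must be a VLAN name, or an integer VLAN ID,
    that exists on the switch; otherwise authorization fails (Failure 2) even though
    ACS has already logged a successful authentication. Returns (vlan_id, status)."""
    attrs = dict(parse_avps(blob))
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None, "no VLAN assignment requested"   # port stays in its default VLAN
    try:
        ttype = int.from_bytes(_strip_tag(attrs[TUNNEL_TYPE]), "big")
        medium = int.from_bytes(_strip_tag(attrs[TUNNEL_MEDIUM_TYPE]), "big")
    except KeyError:
        return None, "attribute 81 without Tunnel-Type/Tunnel-Medium-Type"
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return None, f"unsupported tunnel type/medium {ttype}/{medium}"
    group = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    if group.isdigit():                                # integer form: must be an existing VLAN ID
        vid = int(group)
        return (vid, "authorized") if vid in vlan_table else (None, f"ERR_VLAN_NOT_FOUND: VLAN ID {vid}")
    for vid, name in vlan_table.items():               # string form: must match a VLAN name
        if name == group:
            return vid, "authorized"
    return None, f"ERR_VLAN_NOT_FOUND: VLAN name {group}"


# Constructed VLAN table standing in for the switch's 'show vlan'.
SWITCH_VLANS = {50: "Marketing", 110: "Voice"}

if __name__ == "__main__":
    for requested in ("Marketing", 110, "BadVLAN", 999):
        print(requested, "->", switch_vlan_check(vlan_assignment_avps(requested), SWITCH_VLANS))
```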

802.1X Authorization Failure 3

In case an invalid RADIUS attribute is sent in the RADIUS Access-Accept
  ACS Message Type: Authen Successful
  AFR: there is no AFR associated with this error since authentication succeeds
  User Experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

For the Downloadable ACL feature to be used there must be an interface ACL applied to the interface.

Passed Authentications reports the authentication as successful; an authorization failure on the switch is NEVER reported back to ACS.

*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
*Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST
*Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
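Because none of the three authorization failures above is reported back to ACS, the switch syslog is where they have to be caught. As an added example (not Cisco tooling), the triage below runs over the syslog lines reproduced from the three Authorization Failure slides and flags each failure type.

```python
"""Triage of switch syslog for 802.1X authorization failures.

Added example, not Cisco tooling. An authorization failure on the switch is
never reported back to ACS, so the switch syslog (or its export) is where
Failures 1-3 must be detected. The sample lines are reproduced from the
three Authorization Failure slides.
"""
import re

SAMPLE_SYSLOG = """\
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
"""

CLIENT_RE = re.compile(r"client \(([0-9a-f.]+)\) on Interface (\S+)")
VLAN0_RE = re.compile(r"AUTH-FEAT-VLAN-ASSIGN-EVENT \((\S+)\): Successfully assigned VLAN 0\b")
BAD_VLAN_RE = re.compile(r"ERR_VLAN_NOT_FOUND: .*VLAN (\S+) to 802\.1x port (\S+)")


def _epm_fields(body):
    """Turn an EPM 'KEY=value| KEY=value' body into a dict."""
    fields = {}
    for part in body.split("|"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value.strip()
    return fields


def triage_syslog(text):
    """Return one finding per authorization problem, in log order."""
    findings = []
    for line in text.splitlines():
        m = VLAN0_RE.search(line)
        if m:  # Failure 1: VLAN attributes ignored because network authorization is not enabled
            findings.append({"failure": "failure-1-vlan0", "interface": m.group(1), "mac": None,
                             "detail": "VLAN 0 assigned; check 'aaa authorization network default group radius'"})
            continue
        m = BAD_VLAN_RE.search(line)
        if m:  # Failure 2: attribute 81 names a VLAN the switch does not have
            findings.append({"failure": "failure-2-bad-vlan", "interface": m.group(2), "mac": None,
                             "detail": f"attribute 81 refers to VLAN '{m.group(1)}' not present on switch"})
            continue
        if "%EPM-4-POLICY_APP_FAILURE:" in line:  # Failure 3 when the reason is a missing interface ACL
            fields = _epm_fields(line.split("%EPM-4-POLICY_APP_FAILURE:", 1)[1])
            reason = fields.get("REASON", "")
            kind = "failure-3-no-interface-acl" if "Interface ACL not configured" in reason else "dacl-apply-failed"
            findings.append({"failure": kind, "interface": None, "mac": fields.get("MAC"),
                             "detail": f"{fields.get('POLICY_NAME')}: {reason}"})
            continue
        if "%AUTHMGR-5-FAIL:" in line:  # generic: ACS still shows Passed Authentication for this session
            m = CLIENT_RE.search(line)
            findings.append({"failure": "authz-failed", "interface": m.group(2) if m else None,
                             "mac": m.group(1) if m else None,
                             "detail": "authorization failed on switch; not reported to ACS"})
    return findings


def silent_failures(findings):
    """MACs that ACS would report as successful but the switch refused to authorize."""
    return sorted({f["mac"] for f in findings if f["failure"] == "authz-failed" and f["mac"]})


if __name__ == "__main__":
    for finding in triage_syslog(SAMPLE_SYSLOG):
        print(finding)
    print("silent failures:", silent_failures(triage_syslog(SAMPLE_SYSLOG)))
```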

Looking Forward


Overview of Cisco TrustSec

Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:
  Identification, authentication and authorization for all networked entities, and classification into topology-independent security groups
  Centralized Role Based Access Control (RBAC) policy administration
  Confidentiality & integrity

SGACL Enforcement (1), (2) and (3)

[Figure, shown in three builds: User 1, User 2 and User 3 enter through ingress switch ports; Cisco ACS, backed by an external directory server, holds the RBACLs as a source/destination matrix over security group tags (user tags 4, 7 and 9; destination tags 1 for Server 1 and 2 for Server 2; rows S1+S2, S1, S2). SGACLs are enforced in front of Server 1 and Server 2.]

Build 1: User 1 has access to both servers
Build 2: User 2 has access to Server 1
Build 3: User 3 access to Server 1 denied (Access Denied to User 3)

1. Security Group Tag is applied on the ingress switch port
2. Role-based ACL policies are applied on security group tags (permit, deny, log, police, remark, span, redirect, ...)

Customer Case Study


802.1X Deployment Case Study 1

Retailer required to only allow their own assets to connect to the network due to lack of physical security
Selected 802.1X as the technical solution after evaluation
Primarily a Microsoft desktop and server environment; small group of Mac OS X for designers
Approximately 14,000 ports at home office and remote stores
Cisco IP Telephony environment
Pervasive wireless environment

802.1X Deployment Case Study 1 (Cont)

Selected machine authentication only for wired and wireless
Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)
Manually provisioned non-AD devices if possible
Failed authentication VLAN and unknown MAC addresses assigned to guest VLAN on wired only at home office; no guest VLAN at remote sites
No guest WLAN access
IAB used for AAA failures for remote office survivability
Multiple supplicants; try to leverage the native OS supplicant if possible

802.1X Deployment Case Study 1 (Cont)

Lab work
  IP Telephony handled by CDP exceptions
  PXE tested and handled via MAB
  Tested guest VLAN backhaul and proxy for AUP
  No Wake On LAN
  Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket
  Bought 3rd party tool to build MAC address database
  Extended SIM for reporting

Decided on access layer only deployment since the data center had physical security

802.1X Deployment Case Study 1 Methodology

Conducted POC with Network/Desktop Operations
Pre-production pilot with all of IT
  Monitored failed authentications/unknown MACs via group reports to watch for supplicant configuration issues and unknown devices
  Ran trend reports on IPT and PXE support calls to judge impact
Deployed supplicant configuration/credentials before switches
Deployed Internet VLAN with appropriate backhaul to the Internet edge
Deployed 802.1X in monitor mode on a per-building basis
  802.1X, MAB, unknown MAB, failed VLAN all went to the default port VLAN
  Continued trend reporting for other services
Deployed 802.1X guest enforcement

Case Study 2: 802.1X Implementation

802.1X facts and figures
  4000 devices with 802.1x supplicant (Windows XP, SP2)
  0 devices with MAB
  96% dedicated PC, 4% shared PC for internet access
  7500 ports with 802.1x activated
  2 ACS appliances for RADIUS
  20 AD/RADIUS groups
  650 VLANs
  100 meeting rooms with wired-only guest VLAN

More information: CCS-1001 802.1X Case Study

Case Study 2: MBDA Group Structure

[Figure: MBDA is owned by EADS (37.5%), BAE SYSTEMS (37.5%) and FINMECCANICA (25%); MBDA Deutschland, MBDA France, MBDA UK and MBDA Italia are 100%-owned subsidiaries forming an integrated organisation.]

Summary

802.1X improves enterprise security
802.1X improves enterprise visibility
802.1X is a platform for other security initiatives
Supplicants are important
802.1X is deployable now
New features have significantly simplified deployment
802.1X is not only a network project; it affects the whole IT organization

Q&A

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.