BRKSEC-2005

Deploying Wired 802.1X BRKSEC-2005

Housekeeping 

We value your feedback- don't forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday



Visit the World of Solutions



Please remember this is a 'non-smoking' venue!



Please switch off your mobile phones



Please make use of the recycling bins provided



Please remember to wear your badge at all times including the Party

Session Objective 

Understand base 802.1X concepts



Learn the benefits of deploying 802.1X



Learn how to configure and deploy 802.1X



Learn lessons on how to make it work when you get back to your lab

Agenda 

802.1X and Wired Access



Default Functionality



Deployment Considerations



Reporting and Monitoring



Looking Forward



Deployment Case Study

What We Won’t Be Covering 

AAA authentication on routers



IPSec authentication



In-depth concepts on identity management and single sign-on (upper layer identity)



Specific Extensible Authentication Protocol (EAP) methods in depth



X.509 certificates and PKI



Wireless LAN 802.1X



Switch Features that are not consistent across platforms



CatOS

802.1X and Wired Access

Why is 802.1X Important in the Campus 1

2

3

4

Who are you? 802.1X (or supplementary method) authenticates the user

Where can you go? Based on authentication, user is placed in correct VLAN

What service level to you receive? The user can be given per-user services (ACLs today, more to come)

What are you doing? The user’s identity and location can be used for tracking and accounting

Keep the Outsiders Out Keep the Insiders Honest Personalize the Network Increase Network Visibility

Basic Identity Concepts 

What is an identity? an assertion of who we are. allows us to differentiate between one another



What does it look like? Typical Network Identities include Username / Password Email: [email protected] MAC Address: 00-0c-14-a4-9d-33 IP Address: 10.0.1.199 Digital Certificates



How do we use identities? Used to grant appropriate authorizations — rights to services within a given domain

What Is Authentication? Authorization? 

Authentication is the process of establishing and confirming the identity of a client requesting services



Authentication is only useful if used to establish corresponding authorization (e.g. access to a bank account)

I’d Like to Withdraw € 200.00 Euros Please.

Do You Have Identification? Yes, I Do. Here It Is. Thank You. Here’s Your Euros.

An Authentication System Is Only as Strong as the Method of Verification Used

Identity and Authentication Are Important?

Applying the Authentication Model to the Network

I’d Like to Connect to the Network.

Identification required Here is my identification Identification verified, access granted!

Identity-Enabled Networking

Default Functionality

IEEE 802.1X 

Standard set by the IEEE 802.1 working group



Is a framework designed to address and provide port-based access control using authentication



802.1X is primarily an encapsulation definition for EAP over IEEE 802 media—EAPOL (EAP over LAN) is the key protocol



Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)



Assumes a secure connection



Actual enforcement is via MAC-based filtering and port-state monitoring

802.1X Port Access Control Model Identity Store/Management • MS Active Directory • LDAP • NDS • ODBC

Authenticator

• Switch • Router • WLAN AP

SSC

Layer 3 Layer 2

Request for Service (Connectivity) Supplicant

• Desktop/laptop • IP phone • WLAN AP • Switch

Backend Authentication Support

Authentication Server

•IAS / NPS •ACS •Any IETF RADIUS server

Identity Store Integration

802.1X Protocols

Supplicant


Authenticator SSC

Layer 2

EAP

EAP over LAN (EAPoL)

EAP over WLAN (EAPoW)

Layer 3

RADIUS

StoreDependent

802.1X - Extensible Authentication Protocol (EAP) 

Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges



EAP provides a flexible link layer security framework Simple encapsulation protocol No dependency on IP Few link layer assumptions Can run over any link layer (PPP, 802, etc.) Assumes no reordering Can run over loss full or lossless media



Defined by RFC 3748

802.1X - RADIUS 

RADIUS acts as the transport for EAP from the authenticator to the authentication server



RFC for how RADIUS should support EAP between authenticator and authentication server —RFC 3579

IP Header 

UDP Header

RADIUS Header

EAP Payload

RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs

IP Header

UDP Header

RADIUS Header

EAP Payload

AV Pairs



Usage guideline for 802.1X authenticators use of RADIUS - RFC 3580



AV Pairs : Attribute-Values Pairs.

A Closer Look: IOS Switch Configuration 802.1X SSC

Port Unauthorized

Cisco IOS aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 10.100.100.100 radius-server key cisco123 dot1x system-auth-control interface GigabitEthernet1/0/1 authentication port-control auto dot1x pae authenticator

A Closer Look: 802.1X SSC

Port Unauthorized Actual authentication is between client and auth server using EAP. The switch is an EAP conduit, but aware of what’s going on

EAPOL-Start EAP-Identity-Request EAP-Identity-Response EAP—Method Dependent

EAP-Auth Exchange

Auth Exchange w/AAA Server

Auth Success & Policy Instructions EAP-Success

Port Authorized

EAPOL-Logoff

Port Unauthorized 802.1X

RADIUS

Default Security with 802.1X Before Authentication

 

interface fastEthernet 3/48 authentication port-control auto

No visibility (yet) Strict Access Control

?

One Physical Port ->Two Virtual ports Uncontrolled port (EAPoL only) Controlled port (everything else)

USER

ALL traffic except EAPoL is dropped

Default Security with 802.1X interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

After Authentication  

User/Device is Known Identity-based Access Control Single MAC per port Looks the same as without 802.1X

? Authenticated User: Sally

Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.

Default Security: Consequences interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

Default 802.1x Challenge 

Devices without supplicants

Can’t send EAPoL 

No EAPoL = No Access

Offline


No EAPoL / No Access

Default Security: More Consequences Multiple MACs on Port 

Assumed to Be Malicious Hubs, Gratuitous ARPs, VMWare

VM

interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

Deployment Considerations

802.1X Deployment Considerations 

Non-802.1X Clients & Guests



Failed Access Handling



RADIUS Availability



Flexible Authentication Sequencing



Multiple Devices Per Port



Authorization



Authentication and Endpoint Considerations



802.1X and Microsoft Windows



Other Considerations

Handling Non-802.1X Clients & Guests 

Authenticate via less-secure method MAC Authentication Bypass (MAB) Web Auth (client must have browser)



Give them limited access after timeout and no response Guest VLAN



Allow WLAN access instead of wired WLAN is a great way to do guest access if available

802.1X with Guest VLAN

X X X Client

√

EAP-Identity-Request D = 01.80.c2.00.00.03

1

Upon link up

EAP-Identity-Request D = 01.80.c2.00.00.03

2

30-seconds

3

30-seconds

4

30-seconds

EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Success D = 01.80.c2.00.00.03

Port Deployed into the Guest VLAN

802.1X Process

authentication event no-response action authorize vlan 50



Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)



A device is only deployed into the guest VLAN based on the lack of response to the switch’s EAP-Request-Identity frames (which can be thought of as 802.1X hellos)



No further security or authentication to be applied. It’s as if the administrator de configured 802.1X (i.e. multi-host), and hard-set the port into the specified VLAN



90 Seconds is greater than MSFT DHCP timeout

MAC Authentication Bypass (MAB) Client

X X X ? ?

Dot1x/MAB

EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Request (Identity) D = 01.80.c2.00.00.03

1

Upon link up

2

30-seconds

EAPOL-Request (Identity) D = 01.80.c2.00.00.03

3

30-seconds

EAPOL-Timeout Initiate MAB

4

30-seconds

Learn MAC

5

Variable

√ 00.0a.95.7f.de.06

8

RADIUS

6

RADIUS-Access Request

7

RADIUS-Access Accept

Port Enabled

interface GigabitEthernet 1/1 mab

MAB Limitations & Challenges 

MAB requires creating and maintaining MAC database



Default 802.1X timeout = 90 seconds 90 sec > default MSFT DHCP timeout 90 sec > default PXE timeout Current Workaround: Timer tuning (always requires testing) max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting 802.1X Timeout == (max-reauth-req + 1) * tx-period

NAC Profiler Query MAC Database After Deploying 802.1X NAC Profiler Server

1) 802.1X times out, switch initiates MAB 2) ACS queries Profiler Database using LDAP 3) Profiler validates MAC address 4) ACS sends MAB success

7 d f c 9 0 8 f 8 1 0 0 : P A D L

5) Switch enables port (with optional authorization) interface range gigE 1/0/1 - 24 switchport access vlan 30 switchport voice vlan 31 authentication port-control auto mab

1 00-18-f8-09-cf-d7

5

Port Enabled

s s e c c u S P A D L

2

RADIUS-Access Request: 00-18-f8-09-cf-d7 RADIUS-Access Accept

3

4

ACS

Microsoft AD as MAB Database (DB) 

For Your Reference

Can be used as a MAB DB using an user object. The username and password will be the mac address of the device. Many useless objects May conflict with complex password policy



Can create a lightweight AD instance for this purpose that can be referred to via LDAP



Can use the ieee802Device object class for the MAB data base. Reduces object count No conflict with complex password policy Windows Server 2003 RC2 and Windows Server 2008

Web-Based Proxy Authentication No EAPOL

1 2

802.1X Process

RADIUS Process

802.1X Timeouts Client Initiates Connection—Activates Port Authentication State Machine Switch Port Filters Traffic Limiting It to HTTP, HTTPS, DNS and DHCP

3 Switch Port Relays DHCP Address from DHCP Server

4

User Starts Web Browser and Initiates Web Connection

5 Switch Port Redirects URL and Presents HTTP Form Prompting for Userid/Pwd

7

User Enters Credentials—They Are Checked Against RADIUS DB via PAP—If Authenticated Then Switch Port Opened for Normal Network Access

6








RADIUS Availability









Authorization










802.1X Client Without Valid Credential Authentication Failures 1 2

*EAPOL-Start

EAP-Identity-Exchange

3

RADIUS-Access-Request RADIUS-Access-Request

EAP-Data-Request

EAP

4

5

… EAP ………….. Exchange …

RADIUS-Reject EAPOL-Failure

6

7

X SSC

802.1X Supplicant (Client) Port is never granting access

Authenticator (Switch)

RADIUS Authentication Server (AAA/ACS)

* Note: Note: EAPOL-Starts EAPOL-Starts are optional, possibility of EAP-NAK left out intentionally, and EAP exchange dependent dependent on method.

• This works great in preventing rogue access to a network! • This is a primary reason Enterprises look to deploy 802.1X/Identity Networking! • This is also the problem! (How should we provide access to devices that fail?) fai l?)

Why Provide Access to Devices that Fail? Certificate Expired!

802.1X 802.1X

User Unknown! 

Employees’ credentials expire or entered incorrectly



As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.



Many enterprises require guests and failed corporate assets get conditional access to the network. Re-provision credentials through a web proxy or VPN Tunnel Provide guest access through VLAN assignment or web proxy

Failed Auth: Solution 1 Auth-Fail-VLAN RADIUS-Reject EAPOL-Failure EAP-Identity -Exchange -Exchange RADIUS-Access-Request RADIUS-Access-Request EAP-Data- Request … EAP ………….. Exchange … RADIUS-Reject EAPOL- Success √ SSC

802.1X Supplicant (Client) Port is now granted access



interface GigabitE 3/13 authentication port-control auto authentication event fail action authorize vlan 51

On the third consecutive failure, the port is enabled and an EAPOL-Success is transmitted

802.1X with Auth-Fail VLAN Deployment Considerations 1. Supplicant cannot exit the Auth-Fail VLAN Only alternatives: switch-initiated re-authentication or port bounce

2. No Secondary Authentication Mechanism. 3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization > centralized policy on AAA server is not enforced 4. Switch and AAA server have conflicting views of network

Access Granted Auth-fail VLAN

Access Denied

Failed Auth: Solution 2 Flex-auth: Next-method EAP-Identity-Response

RADIUS-Access-Request: EAP RADIUS-Access-Response

EAP-Request

… EAP ………….. Exchange …

RADIUS-Reject Learn MAC

RADIUS-Access-Request: MAC RADIUS-Access-Accept

√

SSC

802.1X Supplicant (Client) Port is now granted access based on MAB authorization



interface GigabitE 3/13 authentication port-control auto authentication order dot1x mab mab authentication event fail action next-method

On 802.1X failure, the port continues to the next authentication method (MAB)

802.1X with Next-Method MAB Deployment Considerations 

MAC Database required



Policy decision: should 802.1X-capable devices get same access level if they authenticate via MAB after failing 802.1X?

MAB-Assigned VLAN








RADIUS Availability









Authorization










The Problem — RADIUS Unavailable 1

EAP-Identity-Exchange

2

RADIUS-Access-Request RADIUS-Access-Request RADIUS-Access-Request

X

3 EAPOL-Failure

X Client

Switch

Port is not granting access

RADIUS

Inaccessible Authentication Bypass IOS

dot1x critical recovery delay 100 radius-server host x.x.x.x test username [username] radius-server dead-criteria 15 tries 3 Interface GigabitEthernet 1/0/1 dot1x critical authentication event server dead action authorize vlan 100 authentication event server alive action reinitialize

Port authorized

EAP-Success/Failure RADIUS Server comes back -> immediate reinitialize 802.1X State Machine

EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

Auth Exchange w/AAA Server Authentication Successful/Rejected








RADIUS Availability









Authorization










Flexible Authentication Sequencing (Flex-Auth) 

Flex-Auth fallback examples we’ve already seen: Configurable behavior after 802.1X failure authentication authenticatio n event failure action authorize vlan X authentication authenticatio n event failure action next-method Configurable behavior after 802.1X timeout authentication authenticatio n event no-response action authorize vlan Y Configurable behavior before & after AAA server dies authentication event server dead action authorize vlan Z authentication authenticatio n event server alive action reinitialize



Two more features complete Flex-Auth: authentication authenticatio n order authentication authenticatio n priority

Flex-Auth Sequencing Defa De fau ult Ord Order: er: 8 802 02.1 .1X X Fir First st By default, the switch attempts most secure auth method first.

802.1X 802.1X Timeout

Timeout can mean significant delay before MAB.

Fle Flex-Au -Auth Orde rder: MAB Fir First st Alternative order does MAB on first packet from device

MAB MAB fails

MAB

802.1X

MAB fails

802.1X Timeout

Guest VLAN

Guest VLAN

Flex-Auth Order with Flex-Auth Priority Default Priority: 802.1X ignored after successful MAB

MAB

s B e A s s M a p

Port Authorized by MAB

EAPoL-Start Received

MAB fails

802.1X

Flex-Auth Priority: 802.1X starts despite successful MAB



Priority determines which method can preempt other methods.



By default, method sequence determines priority (first method has highest priority).



If MAB has priority, EAPoL-Starts will be ignored if MAB passes.








RADIUS Availability









Authorization










802.1X & IPT: A Special Case 

Voice Ports



With Voice Ports, a port can belong to two VLANs, while still allowing the separation of voice/data traffic while enabling you to configure 802.1X



An access port able to handle two VLANs Native or Port VLAN Identifier ( PVID) / Authenticated by 802.1X Auxiliary or Voice VLAN Identifier (VVID) / ―Authenticated‖ by CDP



Hardware set to dot1q trunk Tagged 802.1q

Untagged 802.3

MDA for Any IP Phone

No Supplicant on Phone

1) 2) 3) 4) 5)

CDP

1

EAP

SSC

6

interface GigE 1/0/5 authentication host-mode multi-domain authentication port-control auto dot1x pae authenticator mab

2

EAP

3

5

Access-Request: Phone MAC Access-Accept: Phone VSA 4

Phone learns VVID from CDP (Cisco phone) 802.1X times out Switch initiates MAB ACS returns Access-Accept with Phone VSA. Phone traffic allowed on either VLAN until it sends tagged packet, then only voice VLAN 6) (Asynchronous) PC authenticates using 802.1X or MAB • PC traffic allowed on data VLAN only

MDA in Action Phone authenticated by MAB PC Authenticated by 802.1X



Either 802.1X or MAB for phone



Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for PC

ID-6500a#sho authentication session int g 7/1 Interface: GigabitEthernet7/1 MAC Address: 000f.2322.d9a2 IP Address: 10.6.110.2 User-Name: 00-0F-23-22-D9-A2 Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Posture Token: Unknown Authorized By: Authentication Server Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A0000000102124450 Acct Session ID: 0x00000007 Handle: 0x1D000001 --snip-Interface: GigabitEthernet7/1 MAC Address: 000d.60fc.8bf5 IP Address: 10.6.80.2 User-Name: host/beta-supp Status: Authz Success Domain: DATA Oper host mode: multi-domain Oper control dir: both Posture Token: Healthy Authorized By: Authentication Server Vlan Policy: 80 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A000000020213FF9C Acct Session ID: 0x00000008 Handle: 0x6E000002 Runnable methods list: Method State dot1x Authc Success mab Not run

Modifying Default Security with 802.1X Multi-Auth Mode Multiple MACs on Port 

Each MAC authenticated 802.1X or MAB

interface fastEthernet 3/48 authentication port-control auto authentication host-mode multi-auth

VM

 

No VLAN Assignment Supported Superset of MDA with multiple Data Devices per port








RADIUS Availability









Authorization










Authorization 

Authorization is the embodiment of the ability to enforce policies on identities



Typically policies are applied using a group methodology—allows for easier manageability



The goal is to take the notion of group management and policies into the network



Types of Authorization: Default: Closed until authenticated. Dynamic: VLAN assignment, ACL assignment Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN

Changing the Default Authorization: ―Open Access‖

Open Mode (No Restrictions)

 

Authentication Performed No Access Control

interface GigabitE 3/13 authentication port-control auto authentication open mab

Open Access Application 1: Monitor Mode Monitor the network, see who’s on, address future connectivity problems by installing supplicants and credentials, creating MAB database

TO DO Before implementing access control: Confirm that all these should be on network Install supplicants on X, Y, Z clients Upgrade credentials on failed 802.1X clients Update MAC database with failed MABs

… RADIUS accounting logs provide visibility:  Passed/Failed 802.1X/EAP attempts  List of valid 802.1X capable  List of non-802.1X capable  Passed/Failed MAB attempts  List of Valid MACs  List of Invalid or unknown MACs

Open Mode Application 2: Selectively Open Mode Selectively Open Access 

Open Mode (Pinhole)

interface GigabitE 3/13 authentication port-control auto authentication open ip access-group UNAUTH in

On Specific TCP/UDP Ports Restrict to Specific Addresses 

EAP Allowed (Controlled Port)



Download general-access ACL upon authentication

Pinhole explicit tcp/udp ports to allow desired access Block General Access Until Successful 802.1X, MAB or WebAuth

Open Mode with Dynamic ACLs ACS/AAA

Wired Ethernet End Points

DHCP DNS

Catalyst 6500 802.1X Ethernet Port

EAP

10.100.10.117

EAP DHCP ANY DNS ANY

DHCP DNS

PXE

PXE Server

10.100.10.116

PXE Slide Source: Ken Hook

IP: 10.100.60.200

interface range gigE 1/0/1 - 24 switchport access vlan 30 switchport voice vlan 31 ip access-group UNAUTH in authentication host-mode multi-domain authentication open authentication port-control auto mab

(After Authentication) (Before Authentication) Switch#show tcam interface g1/13 acl in ip permit permit ip tcphost any10.100.60.200 any established any match-any permit udp tcp any any established eq bootps match-any permit udp any any hosteq 10.100.10.116 bootps eq domain permit udp any host 10.100.10.116 10.100.10.117 eq domain tftp deny permit ip udp any any any host 10.100.10.117 eq tftp deny ip any any

ip access-list extended UNAUTH permit tcp any any established permit udp any any eq bootps permit udp any host 10.100.10.116 eq domain permit udp any host 10.100.10.117 eq tftp Sample Open Mode Configs

Dynamic Authorization: VLAN Assignment 

Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication



VLANs assigned by name—allows for more flexible VLAN management



Tunnel attributes used to send back VLAN configuration information to authenticator



Tunnel attributes are defined by RFC 2868



Usage for VLANs is specified in the 802.1X standard

802.1X with VLAN Assignment AV Pairs Used—All Are IETF Standard 

[64] Tunnel-type—―VLAN‖ (13)



[65] Tunnel-medium-type —―802‖ (6)



[81] Tunnel-private-group-ID —

Marketing

aaa authorization network default group radius



VLAN name must match switch configuration



Mismatch results in authentication failure

URL Redirect Client

1

Authentication Process

802.1X/MAC Authentication RADIUS authorizes port with URL redirect

2

3

RADIUS

User Initiates Web Connection

4 Switch Port Redirects to Web Page



Requires HTTP on the switch



Does not ―authenticate‖ via the web native to the switch



Mainly used for custom notification at this time



Future integration with other Cisco products

Web Page

Authorization Recommendations 

All Authorization (VLAN, dACL, etc.) is completely optional



Only use it if you have to separate users due to a business requirement



Most enterprises do not have this requirement for known users



Leave the port in its default VLAN or assign the VLAN during machine authentication if possible








RADIUS Availability









Authorization










802.1X Authentication Database 

Where is the single source of authentication credentials for the enterprise?



Do you have to build new or extend trust between databases?



Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases



EAP Method may have requirements of the Authentication Database. For example, if MS-CHAPv2 is required for password authentication.

Supplicant Considerations 

Microsoft Windows User and machine authentication DHCP request time out Machine authentication restriction Default methods: MD5, PEAP, EAP-TLS



Unix/Linux considerations Open source: xsupplicant Project (University of Utah) Available from http://www.open1x.org Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC



Native Apple supplicant support in OS X 10.3 802.1X is turned off by default! Default parameters —TTLS, LEAP, PEAP, MD5, FAST supported Support for airport and wired interfaces In 10.5 Single sign on (SSO) can be accomplished for system or user. Not both at the same time

Cisco Secure Services Client (SSC) 

Secure Services Client

Introduces features over and above the native supplicants

Features Robust Profile Management



EAP types



Support for industry standards

PEAP, TLS, FAST, etc.



Single sign-on capable



Management Interfaces 

Automatic VPN initiation

Endpoint integrity

Enabling of group policies 

Windows XP, 2003, Vista

Administrative control

Benefits 

Simple, secure device connectivity Minimizes chances of network compromise from infected devices





SSC



Reduces complexity

Restricts unauthorized network access 

Centralized provisioning








RADIUS Availability









Authorization










Windows Boot Cycle Overview Certificate Auto Enrollment Time Synchronization Dynamic DNS Update

Kernel Loading Windows HAL Loading Device Driver Loading Power On

GINA Kerberos Auth (User Account)

Inherent Assumption of Network Connectivity

X X X X X X X Obtain Network Address (Static, DHCP) Determine Site and DC (DNS, LDAP) Establish Secure Channel to AD (LDAP, SMB) Kerberos Authentication (Machine Account)

Earliest Network Connectivity with User Auth Only User GPOs Loading (Async) GPO based Logon Script Execution (SMB) GPO based Startup Script Execution Computer GPOs Loading (Async)

Components that depend on network connectivity

X

Components broken with 802.1X user authentication only

Problem 1: Microsoft Issues with DHCP DHCP Is a Parallel Event, Independent of 802.1X Authentication 

With wired interfaces a successful 802.1X authentication does not force an DHCP address discovery (no mediaconnect signal)



DHCP starts once interface comes up



If 802.1X authentication takes too long, DHCP may time out 802.1X Auth—Variable Timeout DHCP—Timeout at 62 Seconds

Power Up Load NDIS Drivers

DHCP

Setup Secure Channel to DC

Present GINA (Ctrl-Alt-Del) Login

Problem 2: Machine GPOs Broken What Is a Group Policy? 

Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computer within an Active Directory environment



Types of Group Policy Registry-based policy Security options Software installation and maintenance options Scripts options Folder redirection options

The Solution: Machine Authentication 

What is machine authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session



What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies



Why do we care? Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP & machine-based group policy model — UNLESS the machine can authenticate using its own identity in 802.1X

802.1X VLAN Assignment Problem 1: DHCP Renewal 

When using dynamic VLAN assignment with user & machine

authentication, the host’s VLAN can change when user logs in. IP address may need to change also



Supplicant behavior has been addressed by Microsoft Windows XP: install service pack 1a + KB 826942 Windows 2000: install service pack 4 Needed for VLAN assignment with Wireless Zero Config



Updated supplicants trigger DHCP IP address renewal Successful authentication causes client to ping default gateway (three times) with a sub-second timeout Lack of echo reply will trigger a DHCP IP renew Successful echo reply will leave IP as is Prerenewal ping prevents lost connections when subnet stays the same but client may be WLAN roaming

DHCP and 802.1X Windows XP: Install Service Pack 1a + KB 826942 Windows 2000: Install Service Pack 4 Supplicant


Authenticator

Login Req. Send Credentials Accept ICMP Echo (x3) for Default GW from ―Old IP‖ as Soon as EAP-Success Frame Is Rcvd DHCP-Request (D=255.255.255.255) (After Pings Have Gone Unanswered)

For Your Reference

Forward Credentials to ACS Server Auth Successful (EAP—Success) VLAN Assignment

DHCP-NAK (Wrong Subnet)

DHCP-Discover (D=255.255.255.255)

At This Point, DHCP Proceeds Normally

Problem 2: ―Real‖ Boot Sequence & VLAN Assignment GINA Certificate Auto Enrollment Time Synchronization Dynamic DNS Update

Kernel Loading Windows HAL Loading Device Driver Loading

GINA

Power On

X X X

802.1X Machine Auth

Fast Logon Optimization

802.1X User Auth

X X X Obtain Network Address (Static, DHCP)

Kerberos Auth (User Account)

Determine Site and DC (DNS, LDAP)

User GPOs Loading (Async)

Establish Secure Channel to AD (LDAP, SMB)

GPO based Logon Script Execution (SMB) GPO based Startup Script Execution

Kerberos Authentication (Machine Account)

Computer GPOs Loading (Async)

Machine VLAN

User VLAN

Start of 802.1X auth may vary among supplicants

Components that are in race condition with 802.1X Auth

Problem 3 : VLAN Assignment and GPOs Kernel Loading Windows HAL Loading Device Driver Loading Power On

Certificate Auto Enrollment Time Synchronization Dynamic DNS Update

VLAN1 – 10.1.1.1

GINA

802.1X User Auth

802.1X Machine Auth

√

Obtain Network Address (Static, DHCP)

Kerberos Auth (User Account)

Determine Site and DC (DNS, LDAP)

User GPOs Loading (Async)

Establish Secure Channel to AD (LDAP, SMB)

GPO based Logon Script Execution (SMB) GPO based Startup Script Execution

Kerberos Authentication (Machine Account)

Computer GPOs Loading (Async) Start of 802.1X auth may vary among supplicants Components that are in race condition with 802.1X Auth

VLAN2 – 99.1.1.1

Vista SP1/Windows 2008 and XP SP3 

If the supplicants fail 802.1X authentication once the supplicant goes down for twenty minutes before it tries again Vista SP1/Windows 2008 - KB957931 http://support.microsoft.com/kb/957931 XP SP3 – KB coming soon

802.1X and Windows Recommendations 

Machine Authentication is mandatory for managed environments



Consider machine authentication only Manage auth behavior on XP SP2/2000 via registry keys http://support.microsoft.com/kb/309448/en-us http://www.microsoft.com/technet/network/wifi/wififaq.mspx Manage XP SP3/Vista Supplicant through XML http://support.microsoft.com/kb/929847



Use the automatic provisioning built into AD if possible Machines are provisioned automatically with a machine password Can have certificates automatically provisioned via AD GPOs

VLANs and Windows: Recommendations 

When using Dynamic VLANs: Disable Fast Logon Optimization Use the same VLAN for machine and user authorization VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)



Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on L3 switch is limited.



ACL per port can be assigned by RADIUS server per group.








RADIUS Availability









Authorization










Remote Desktop 

XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode which results in a machine auth.



Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.



If machine authentication and user authentication result in the same VLAN then there are no problems



If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off.



SSC on XP provides the above solution

Pre eXecution Boot Environment (PXE) Default Security Impact 

 

PXE BIOS needs network access within 60 seconds of link-up to download bootable OS Most PXE implementations do not support 802.1X. No 802.1X = No network access = No OS download.

PXE BIOS


interface fastEthernet 3/48 authentication port-control auto

ALL traffic except EAPoL is dropped

PXE Solution 1 MAC Authentication Bypass (MAB) * Client

Dot1x/MAB

X

EAPOL-Request (Identity) DHCP Discover 1 DHCP Discover 2

X X ?

Upon link up

X X

EAPOL-Request (Identity) DHCP Discover 3

10-seconds

X

EAPOL-Request (Identity)

10-seconds

EAPOL-Timeout Initiate MAB

10-seconds

Learn MAC

Variable

√

Port Enabled DHCP Discover 4

RADIUS-Access Request: 00.0a.95.7f.de.06 RADIUS-Access Accept

√

PXE Continues

PXE BIOS 00.0a.95.7f.de.06

* - exact packet seq

RADIUS

ill vary

interface GigabitE 3/13 authentication port-control auto dot1x timeout tx-period 10

PXE Solution 2: Open Mode with Interface ACL Selectively Open Access



interface GigabitE 3/13 authentication port-control auto authentication open ip access-group UNAUTH in

Open Mode (Pinhole) On Specific TCP/UDP Ports for PXE Restrict to Specific Addresses

 

EAP Allowed (Controlled Port) Download general-access ACL upon authentication

Pinhole explicit tcp/udp ports to allow desired access

PXE BIOS

Block General Access Until Successful MAB

Wake On LAN (WOL) and 802.1X Selectively Open Access Outbound Default - Block Outbound Traffic Until Successful 802.1X/MAB  

802.1X controls port traffic in BOTH directions Use WOL support on switch to allow outbound (from switch) traffic to wake up device

Allow outbound traffic

WOL Capable Device

interface GigabitE 3/13 authentication port-control auto authentication control-direction in

Intel Advanced Management Technology (AMT) - PXE and WoL Solution After Authentication  



AMT has a supplicant on the NIC AMT Device is authenticated before PXE BIOS PXE can proceed like 802.1X was never turned enabled AMT Device is authenticated after device goes to sleep Defends IP address of upper layer OS. No more directed broadcasts for WoL Magic packets

Looks the same as without 802.1X

Authenticated User: AMT

interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

Monitoring and Troubleshooting

802.1X Monitoring and Trouble Shooting 

Major components to 802.1X monitoring RADIUS accounting NAD logs RADIUS logs NAD CLI SNMP on NAD



Major components of 802.1X Troubleshooting Correlated log reports ACS View Third party log analysis and reporting SNMP on NAP NAD CLI

802.1X with RADIUS Accounting Supplicant

802.1X Process

1 Authenticate 2

EAPOL-Success

2

Access-Accept

RADIUS Process

802.1X with RADIUS Accounting Supplicant

802.1X Process

1 Authenticate 2

EAPOL-Success

2

Access-Accept

3

Accounting Request

4

Accounting Response

RADIUS Process



Accounting-request packets



Contains one or more AV pairs to report various events and related information to the RADIUS server



Tracking user-level events are used in the same mechanism

802.1X with RADIUS Accounting 

Similar to other accounting and tracking mechanisms that already exist using RADIUS Can now be done through 802.1X



Increases network session awareness



Provide information into a management infrastructure about who logs in, session duration, support basic billing usage reporting, etc.



Provides a means to map the information of authenticated Identity, Port, MAC, Switch = IP, Port, MAC, Switch

Identity

IP

Switch + Port = Location

IOS aaa accounting dot1x default start-stop group radius

Troubleshooting: Identify Points of Failure 

It is important to understand the failure point in the picture



It is important to understand which issue causes what failures



In most case, description of the issue symptom can be vague or misleading and you must correlate separate pieces of information for problem resolution.

ACS View 5.0 RADIUS Authentication

ACS View 5.0 Authentications Details

Simple Homegrown Tools

802.1X Port Config interface GigabitEthernet7/1 switchport switchport mode access switchport voice vlan 110 ip access-group default_acl in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication priority dot1x mab authentication port-control auto authentication violation restrict mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast edge

For Your Reference

ID-6500a#sho authentication session interface gigabitEthernet 7/1 Interface: GigabitEthernet7/1 MAC Address: 000f.2322.d9a2 IP Address: 10.6.110.2 User-Name: 00-0F-23-22-D9-A2 Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Posture Token: Unknown Authorized By: Authentication Server Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A00000007000E37CC Acct Session ID: 0x00000009 Handle: 0x0E000007 Runnable methods list: Method State dot1x Failed over mab Authc Success ---------------------------------------Interface: GigabitEthernet7/1 MAC Address: IP Address: User-Name: Status: Domain: Oper host mode: Oper control dir: Posture Token: Authorized By: Vlan Policy: Session timeout: Idle timeout: Common Session ID: Acct Session ID: Handle:

000d.60fc.8bf5 10.6.50.2 nac\darrimil Authz Success DATA multi-domain both Healthy Authentication Server 50 N/A N/A 0A00645A0000000D0030B498 0x00000011 0x1500000D

Runnable methods list: Method State dot1x Authc Success mab Not run

EAP Problem — Certificate Trust Issues 

One of the most common issues seen in deployment and pilots ACS 4.2

ACS 5.0

802.1X Authorization Failure 1 

In case that network authorization is NOT ENABLED on a NAD



ACS Message Type: Authentication Successful



Authentication Failure Reason (AFR): There is no AFR associated with this error since authentication succeeds



User Experience: Balloon message ―Windows cannot connect you to the network

(contact your network administrator)‖ Following CLI is missing

aaa authorization network default group radius



VLAN assignment succeeds but assigns port to VLAN 0



Session Timeout (Radius Attribute 27) is not assigned to port Reauthentication timer value



Consequently there is no VLAN 0, therefore default port VLAN is used for

authorization, and if there is no DHCP setup for this VLAN then client can’t obtain IP address.



Also Reauthentication Timer becomes 0. This means that there will be no reauthentication.



Supplicant might try to re-DHCP if it’s can’t get an IP address

802.1X Authorization Failure 1 ID-6500a#debug condition interface GigabitEthernet 7/1

----------------New feature

ID-6500a#debug auth feature vlan_assign event Auth Feature vlan_assign events debugging is on *Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0 *Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1 ID-6500a#sho authentication sess interface g 7/1 Interface:

GigabitEthernet7/1

MAC Address: IP Address: User-Name:

000d.60fc.8bf5 10.6.50.2 nac\darrimil

Status:

Authz Success

Domain:

DATA

Oper host mode: Oper control dir: Authorized By:

multi-domain both Authentication Server

Vlan Policy:

N/A

Session timeout:

N/A

Idle timeout:

N/A

Common Session ID:

0A00645A0000000E005DD8A8

Acct Session ID:

0x00000013

Handle:

0xF900000E


In case that invalid Radius attribute is sent via Radius Access-Accept



ACS Message Type: Authen Successful



AFR: There is no AFR associated with this error since authentication succeeds



User Experience: Balloon message ―Windows cannot connect you to the network



Radius Access-Accept with invalid Radius Attribute 81 is sent



Basic rule is that 81 attribute needs to be either ―string‖ or ―integer‖. If String, it



Passed Authentication reports authentication is successful



Authorization failure on switch is NEVER reported back to ACS.

(contact your network administrator)‖

needs to match the VLAN name that exists on switch. If Integer then it needs match the VLAN ID that exists on switch

*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1 *Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1


In case that invalid Radius attribute is sent via Radius Access-Accept



ACS Message Type: Authen Successful



AFR: There is no AFR associated with this error since authentication succeeds



User Experience: Balloon message ―Windows cannot connect you to the network (contact your



For the Downloadable ACL feature is used there must be a interface ACL applied to the interface.



Passed Authentication reports authentication is successful



Authorization failure on switch is NEVER reported back to ACS.

network administrator)‖

*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY *Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST *Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS *Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured *Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT

Looking Forward

Overview of Cisco TrustSec Cisco TrustSec (CTS) affects multiple areas of the network and comprises of improvements in the following areas: 1

Confidentiality & Integrity

2

Centralized Role Based Access Control (RBAC) Policy Administration

3

Identification, Authentication and Authorization for all networked entities, and classification into topology independent security groups

User 1 has access to both servers

SGACL Enforcement (1) 4

User 1

1

Server 1

SGACL

Server 2

7

2

User 2

SGACL

9

RBACLs

User 3

Source

Destination

4

S1+S2

7

S1

9

S2 Cisco ACS

External Directory Server

1. Security Group Tag is applied on ingress switch port 2. Roles/Attribute-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, …)

SGACL Enforcement (2)

User 1 has access to both servers User 2 has access to Server 1

4

User 1

1

Server 1

SGACL

Server 2

7

2

User 2

SGACL

9

RBACLs

User 3

SGT

DGT

4

S1+S2

7

S1

9

S2 Cisco ACS


1. Security Group Tag is applied on ingress switch port 2. Roles/Attribute-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, …)

SGACL Enforcement (3)

User 1 has access to both servers User 2 has access to Server 1 User 3 – access to Server 1 denied

4

User 1

1

Server 1

SGACL Access Denied to User 3

Server 2

7

2

User 2

SGACL

9

RBACLs

User 3

SGT

DGT

4

S1+S2

7

S1

9

S2 Cisco ACS


1. Security Group Tag is applied on ingress switch port 2. Role-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, …)

Customer Case Study

802.1X Deployment Case Study 1 

Retailer required to only allow their assets to connect to the network due to lack of physical security



Selected 802.1X as the technical solution after evaluation



Primarily an MSFT desktop and server environment; small group of MAC OSX for designers



Approximately 14,000 ports at home office and remote stores



Cisco IP Telephony environment



Pervasive Wireless environment

802.1X Deployment Case Study 1 (Cont) 

Selected Machine Authentication only for wired and wireless



Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)



Manually provisioned non AD devices if possible



Failed authentication VLAN and unknown MAC addresses

assigned to ―guest‖ VLAN on wired only at home office; no ―guest‖ VLAN at remote sites



No guest WLAN access



IAB used for AAA failures for remote office survivability



Multiple Supplicants; try to leverage native OS supplicant if possible

802.1X Deployment Case Study 1 (Cont) 

Lab Work IP Telephony handled by CDP exceptions PXE tested and handled via MAB

Tested ―Guest VLAN‖ backhaul and Proxy for AUP 

No Wake On LAN



Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket



Bought 3rd party tool to build MAC address database



Extended SIM for reporting



Decided on access layer only deployment since data center had physical security

802.1X Deployment Case Study 1 Methodology 

Conducted POC with Network/Desktop Operations



Pre-production pilot with all of IT Monitored Failed Authentications/Unknown MACs via group reports to monitor for supplicant configurations issues and unknown devices Ran trend reports on IPT and PXE support calls to judge impact



Deployed supplicant configuration/credentials before switches



Deployed ―Internet‖ VLAN with appropriate backhaul to Internet Edge



Deployed 802.1X in ―monitor‖ mode on a per building basis 802.1X, MAB, Unknown MAB, Failed VLAN all went to default port VLAN Continued Trend reporting for other services



Deployed 802.1X ―guest enforcement‖

Case Study 2: 802.1X Implementation 

802.1X facts and figures 4000 devices with 802.1x supplicant (Windows XP, SP2) 0 devices with MAB 96% dedicated PC, 4% shared PC for internet access 7500 ports with 802.1x activated 2 ACS Appliances for RADIUS 20 AD/Radius groups 650 VLANs 100 Meeting rooms with « wired only » Guest VLAN

More Information: CCS-1001 802.1X Case Study

Case Study 2: MBDA Group Structure EADS

BAE SYSTEMS

37.5%

FINMECCANICA

37.5%

25%

MBDA 100%

MBDA DEUTSCHLAND

100%

MBDA France

100%

MBDA UK

Integrated organisation

%

100

MBDA ITALIA

Summary 

802.1X improves enterprise security



802.1X improves enterprise visibility



802.1X is a platform for other security initiatives



Supplicants are important



802.1X is deployable now



New features have significantly simplified deployment



802.1X is not only a network project, it affects the whole IT organization

Q&A

Complete Your Online Session Evaluation 

Give us your feedback and you could win fabulous prizes. Winners announced daily.



Receive 20 Passport points for each session evaluation you complete.



Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.

BRKSEC-2005

Recommend Documents