Deploying Wired 802.1X BRKSEC-2005
Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times including the Party
Session Objective
Understand base 802.1X concepts
Learn the benefits of deploying 802.1X
Learn how to configure and deploy 802.1X
Learn lessons on how to make it work when you get back to your lab
Agenda
802.1X and Wired Access
Default Functionality
Deployment Considerations
Reporting and Monitoring
Looking Forward
Deployment Case Study
What We Won’t Be Covering
AAA authentication on routers
IPSec authentication
In-depth concepts on identity management and single sign-on (upper layer identity)
Specific Extensible Authentication Protocol (EAP) methods in depth
X.509 certificates and PKI
Wireless LAN 802.1X
Switch Features that are not consistent across platforms
CatOS
802.1X and Wired Access
Why is 802.1X Important in the Campus?
1. Keep the outsiders out. Who are you? 802.1X (or a supplementary method) authenticates the user.
2. Keep the insiders honest. Where can you go? Based on the authentication, the user is placed in the correct VLAN.
3. Personalize the network. What service level do you receive? The user can be given per-user services (ACLs today, more to come).
4. Increase network visibility. What are you doing? The user's identity and location can be used for tracking and accounting.
Basic Identity Concepts
What is an identity? An assertion of who we are; it allows us to differentiate between one another.
What does it look like? Typical network identities include: username/password; e-mail address ([email protected]); MAC address (00-0c-14-a4-9d-33); IP address (10.0.1.199); digital certificates.
How do we use identities? To grant appropriate authorizations: rights to services within a given domain.
What Is Authentication? Authorization?
Authentication is the process of establishing and confirming the identity of a client requesting services.
Authentication is only useful if it is used to establish a corresponding authorization (e.g. access to a bank account).
Bank analogy: "I'd like to withdraw € 200.00 please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here's your Euros."
An authentication system is only as strong as the method of verification used.
Identity and Authentication Are Important
Applying the Authentication Model to the Network
"I'd like to connect to the network." "Identification required." "Here is my identification." "Identification verified, access granted!"
Identity-Enabled Networking
Default Functionality
IEEE 802.1X
Standard set by the IEEE 802.1 working group
Is a framework designed to address and provide port-based access control using authentication
802.1X is primarily an encapsulation definition for EAP over IEEE 802 media—EAPOL (EAP over LAN) is the key protocol
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure connection
Actual enforcement is via MAC-based filtering and port-state monitoring
802.1X Port Access Control Model
• Supplicant (desktop/laptop, IP phone, WLAN AP, switch): sends the request for service (connectivity)
• Authenticator (switch, router, WLAN AP): relays the request to the backend authentication support
• Authentication Server (IAS/NPS, ACS, any IETF RADIUS server): integrates with the identity store
• Identity Store/Management (MS Active Directory, LDAP, NDS, ODBC)
The supplicant-to-authenticator exchange is Layer 2; the authenticator-to-authentication-server exchange is Layer 3.
802.1X Protocols
• Supplicant to Authenticator: Layer 2, EAP carried as EAP over LAN (EAPoL) or EAP over WLAN (EAPoW)
• Authenticator to Authentication Server: Layer 3, EAP carried inside RADIUS
• Authentication Server to Identity Store: store dependent
802.1X - Extensible Authentication Protocol (EAP)
Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges.
EAP provides a flexible link-layer security framework:
• Simple encapsulation protocol
• No dependency on IP
• Few link-layer assumptions; can run over any link layer (PPP, 802, etc.)
• Assumes no reordering
• Can run over lossy or lossless media
Defined by RFC 3748.
802.1X - RADIUS
RADIUS acts as the transport for EAP from the authenticator to the authentication server.
RFC 3579 defines how RADIUS should support EAP between the authenticator and the authentication server.
Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload
RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs (Attribute-Value pairs).
Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
RFC 3580 gives usage guidelines for 802.1X authenticators' use of RADIUS.
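As an added illustration (my code, not the deck's), the RFC 3579 encapsulation in Python: the authenticator wraps the supplicant's EAP-Response/Identity into an Access-Request as EAP-Message AV pairs plus the mandatory Message-Authenticator, and the authentication server verifies the HMAC before reassembling the EAP packet. The shared secret cisco123 is the one in the deck's sample switch config; the username "sally" and the fixed Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers from RFC 2865 / RFC 3579 (real values).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

SHARED_SECRET = b"cisco123"   # the radius-server key from the deck's sample config


def attr(attr_type, value):
    """One RADIUS AV pair: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it over several attributes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(eap_id, identity):
    """The EAP-Response/Identity the supplicant sent inside EAPOL: Code, Id, Length, Type, data."""
    data = identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(data)) + bytes([EAP_TYPE_IDENTITY]) + data


def build_access_request(secret, radius_id, eap_packet, username, authenticator=None):
    """Authenticator side: relay the EAP packet to the server inside RADIUS Access-Request."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, random per request
    body = bytearray(attr(ATTR_USER_NAME, username.encode()))
    # EAP packets longer than 253 bytes are split over several EAP-Message attributes, in order.
    for i in range(0, len(eap_packet), 253):
        body += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    body += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    # RFC 3579: Message-Authenticator is mandatory whenever EAP-Message is present. It is the
    # HMAC-MD5 (keyed with the shared secret) over the whole packet with its own value zeroed.
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(body)) + authenticator
    body[-16:] = hmac.new(secret, header + bytes(body), hashlib.md5).digest()
    return header + bytes(body)


def parse_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, out = 20, []
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def verify_and_extract_eap(secret, packet):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet.
    Returns (eap_code, eap_id, eap_type, eap_data); raises ValueError if the packet must be discarded."""
    attrs = parse_attributes(packet)
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not received:
        raise ValueError("EAP-Message without Message-Authenticator: discard (RFC 3579)")
    # Rebuild the packet with the Message-Authenticator value zeroed and recompute the HMAC.
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    pos = 20
    while pos < length:
        if packet[pos] == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += packet[pos + 1]
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received[0]):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length does not match the reassembled EAP-Message fragments")
    return code, eap_id, eap[4], eap[5:eap_len]


def is_accepted(secret, packet):
    """True if the server would accept the packet's Message-Authenticator."""
    try:
        verify_and_extract_eap(secret, packet)
        return True
    except ValueError:
        return False
```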
A Closer Look: IOS Switch Configuration for 802.1X
The port starts Unauthorized. Cisco IOS configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator
A Closer Look: the 802.1X Exchange
Port Unauthorized. The actual authentication is between the client and the authentication server using EAP; the switch is an EAP conduit, but aware of what's going on.
1. Supplicant to switch: EAPOL-Start
2. Switch to supplicant: EAP-Identity-Request
3. Supplicant to switch: EAP-Identity-Response
4. EAP method-dependent authentication exchange between supplicant and authentication server (802.1X/EAPOL on the LAN side, RADIUS on the server side)
5. Authentication server to switch: authentication success and policy instructions; switch to supplicant: EAP-Success
6. Port Authorized
7. Supplicant to switch: EAPOL-Logoff; the port returns to Unauthorized
Default Security with 802.1X: Before Authentication
interface fastEthernet 3/48
 authentication port-control auto
One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else). Before authentication ALL traffic except EAPoL is dropped: strict access control, but no visibility (yet) of who the user is.
Default Security with 802.1X: After Authentication
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
The user/device is known (authenticated user: Sally); identity-based access control; a single MAC per port; otherwise the port looks the same as without 802.1X.
Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.
Default Security: Consequences (same interface configuration)
Default 802.1X challenge: devices without supplicants can't send EAPoL, and no EAPoL = no access, so the device stays offline. One physical port, two virtual ports: uncontrolled port (EAPoL only), controlled port (everything else).
Default Security: More Consequences
Multiple MACs on a port are assumed to be malicious: hubs, gratuitous ARPs, VMware guests (VMs).
Deployment Considerations
802.1X Deployment Considerations
Non-802.1X Clients & Guests
Failed Access Handling
RADIUS Availability
Flexible Authentication Sequencing
Multiple Devices Per Port
Authorization
Authentication and Endpoint Considerations
802.1X and Microsoft Windows
Other Considerations
Handling Non-802.1X Clients & Guests
• Authenticate via a less-secure method: MAC Authentication Bypass (MAB) or Web Auth (client must have a browser)
• Give them limited access after a timeout with no response: Guest VLAN
• Allow WLAN access instead of wired: WLAN is a great way to do guest access if available
802.1X with Guest VLAN
1. Upon link up the switch sends EAP-Identity-Request (destination 01.80.c2.00.00.03); the client does not respond
2. After 30 seconds: EAP-Identity-Request retransmitted; no response
3. After another 30 seconds: EAP-Identity-Request retransmitted; no response
4. After another 30 seconds: the switch sends EAP-Success (destination 01.80.c2.00.00.03) and the port is deployed into the Guest VLAN
Configuration:
authentication event no-response action authorize vlan 50
Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not).
A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos).
No further security or authentication is applied. It's as if the administrator de-configured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN.
90 seconds is greater than the MSFT DHCP timeout.
MAC Authentication Bypass (MAB)
1. Upon link up: EAPOL-Request (Identity) to 01.80.c2.00.00.03; no response
2. After 30 seconds: EAPOL-Request (Identity) retransmitted; no response
3. After 30 seconds: EAPOL-Request (Identity) retransmitted; no response
4. After 30 seconds: EAPOL timeout; the switch initiates MAB
5. (Variable) The switch learns the client MAC (00.0a.95.7f.de.06) from its first frame
6. Switch to RADIUS: Access-Request carrying the MAC as the credential
7. RADIUS to switch: Access-Accept
8. Port enabled
Configuration:
interface GigabitEthernet 1/1
 mab
MAB Limitations & Challenges
MAB requires creating and maintaining a MAC database.
Default 802.1X timeout = 90 seconds:
• 90 sec > default MSFT DHCP timeout
• 90 sec > default PXE timeout
Current workaround: timer tuning (always requires testing)
• max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
• tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
• 802.1X Timeout == (max-reauth-req + 1) * tx-period
NAC Profiler as MAB Database: Query the MAC Database After Deploying 802.1X
1. 802.1X times out; the switch initiates MAB with the learned MAC (00-18-f8-09-cf-d7)
2. Switch to ACS: RADIUS-Access-Request (00-18-f8-09-cf-d7); ACS queries the NAC Profiler database using LDAP
3. Profiler validates the MAC address (LDAP success)
4. ACS sends MAB success: RADIUS-Access-Accept
5. Switch enables the port (with optional authorization)
Configuration:
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 authentication port-control auto
 mab
Microsoft AD as MAB Database (DB): For Your Reference
• AD can be used as a MAB DB using a user object: the username and password are both the MAC address of the device. Drawbacks: many useless objects; may conflict with a complex password policy.
• A lightweight AD instance can be created for this purpose and referred to via LDAP.
• The ieee802Device object class can be used for the MAB database (Windows Server 2003 R2 and Windows Server 2008): reduces the object count, no conflict with a complex password policy.
Web-Based Proxy Authentication (No EAPOL)
1. Client initiates a connection, which activates the port authentication state machine; 802.1X times out
2. Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
3. Switch port relays a DHCP address from the DHCP server
4. User starts a web browser and initiates a web connection
5. Switch port redirects the URL and presents an HTTP form prompting for userid/password
6. User enters credentials; they are checked against the RADIUS DB via PAP
7. If authenticated, the switch port is opened for normal network access
802.1X Client Without Valid Credentials: Authentication Failures
1. Supplicant to switch: EAPOL-Start*
2. EAP-Identity exchange between supplicant and switch
3. Switch to AAA server: RADIUS-Access-Request
4. EAP data request relayed back to the supplicant
5. … EAP exchange (method dependent) …
6. AAA server to switch: RADIUS-Reject
7. Switch to supplicant: EAPOL-Failure; the port never grants access
Roles: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS)
* Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange is dependent on the method.
• This works great in preventing rogue access to a network!
• This is a primary reason enterprises look to deploy 802.1X/identity networking!
• This is also the problem! (How should we provide access to devices that fail?)
Why Provide Access to Devices that Fail?
Typical failures: "Certificate expired!", "User unknown!"
Employees' credentials expire or are entered incorrectly.
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.
Many enterprises require that guests and failed corporate assets get conditional access to the network:
• Re-provision credentials through a web proxy or VPN tunnel
• Provide guest access through VLAN assignment or web proxy
Failed Auth: Solution 1, Auth-Fail VLAN
Sequence: EAP-Identity exchange; RADIUS-Access-Request; EAP data request; … EAP exchange …; RADIUS-Reject (repeated). After the third consecutive RADIUS-Reject the switch sends EAPOL-Success instead of EAPOL-Failure, and the port is now granted access in the auth-fail VLAN.
Roles: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS)
interface GigabitE 3/13
 authentication port-control auto
 authentication event fail action authorize vlan 51
On the third consecutive failure, the port is enabled and an EAPOL-Success is transmitted.
802.1X with Auth-Fail VLAN: Deployment Considerations
1. The supplicant cannot exit the Auth-Fail VLAN. The only alternatives are switch-initiated re-authentication or a port bounce.
2. No secondary authentication mechanism.
3. The Auth-Fail VLAN, like the Guest VLAN, is a switch-local authorization: the centralized policy on the AAA server is not enforced.
4. Switch and AAA server have conflicting views of the network: the AAA server recorded "access denied" while the switch granted access in the auth-fail VLAN.
Failed Auth: Solution 2, Flex-Auth Next-Method
Sequence: EAP-Identity-Response; RADIUS-Access-Request (EAP); RADIUS-Access-Response / EAP-Request; … EAP exchange …; RADIUS-Reject; the switch learns the MAC; RADIUS-Access-Request (MAC); RADIUS-Access-Accept; the port is now granted access based on the MAB authorization.
Roles: 802.1X supplicant (client), authenticator (switch), RADIUS authentication server (AAA/ACS)
interface GigabitE 3/13
 authentication port-control auto
 authentication order dot1x mab
 mab
 authentication event fail action next-method
On 802.1X failure, the port continues to the next authentication method (MAB).
802.1X with Next-Method MAB: Deployment Considerations
• A MAC database is required.
• Policy decision: should 802.1X-capable devices get the same access level (e.g. the MAB-assigned VLAN) if they authenticate via MAB after failing 802.1X?
The Problem: RADIUS Unavailable
1. EAP-Identity exchange between client and switch
2. The switch sends RADIUS-Access-Request repeatedly; no RADIUS server answers
3. The switch sends EAPOL-Failure; the port is not granting access
Inaccessible Authentication Bypass (IAB), IOS configuration:
dot1x critical recovery delay 100
radius-server host x.x.x.x test username [username]
radius-server dead-criteria time 15 tries 3
interface GigabitEthernet 1/0/1
 dot1x critical
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
While the server is dead the port is authorized (critical VLAN 100). When the RADIUS server comes back, the switch immediately reinitializes the 802.1X state machine: EAP-Identity-Request, EAP-Identity-Response, EAP auth exchange with the AAA server, then EAP-Success or EAP-Failure depending on whether the authentication is successful or rejected.
Flexible Authentication Sequencing (Flex-Auth)
Flex-Auth fallback examples we've already seen:
• Configurable behavior after 802.1X failure:
  authentication event fail action authorize vlan X
  authentication event fail action next-method
• Configurable behavior after 802.1X timeout:
  authentication event no-response action authorize vlan Y
• Configurable behavior before & after the AAA server dies:
  authentication event server dead action authorize vlan Z
  authentication event server alive action reinitialize
Two more features complete Flex-Auth:
  authentication order
  authentication priority
Flex-Auth Sequencing
Default order: 802.1X first. By default, the switch attempts the most secure auth method first: 802.1X, then (on 802.1X timeout) MAB, then (if MAB fails) the Guest VLAN. The timeout can mean a significant delay before MAB.
Flex-Auth order: MAB first. The alternative order does MAB on the first packet from the device: MAB, then (if MAB fails) 802.1X, then (on 802.1X timeout) the Guest VLAN.
Flex-Auth Order with Flex-Auth Priority
Default priority: 802.1X is ignored after a successful MAB. MAB passes, the port is authorized by MAB, and a subsequently received EAPoL-Start is ignored.
Flex-Auth priority: 802.1X starts despite a successful MAB. MAB passes, the port is authorized by MAB, and when an EAPoL-Start is received 802.1X runs anyway.
Priority determines which method can preempt other methods.
By default, the method sequence determines priority (the first method has the highest priority).
If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
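As an added example (my code, not the deck's), a small model of the flex-auth decision logic in this section and of the timeout formula from the MAB section, (max-reauth-req + 1) * tx-period: it walks the configured order for a given endpoint and reports how the port ends up and how long that took, so the DHCP and PXE timer overruns the deck warns about can be checked per configuration. The field names, the 2-second EAP exchange and the 1-second MAB delay are assumptions, and the model follows the fallback rules as the deck states them rather than every IOS corner case.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Host-side timers the deck says a slow port decision can overrun (seconds).
DHCP_TIMEOUT = 62          # deck: "DHCP timeout at 62 seconds" (Windows DHCP client)
PXE_TIMEOUT = 60           # deck: PXE BIOS needs the network within 60 seconds of link-up
EAP_EXCHANGE_SECONDS = 2   # assumed duration of one complete EAP conversation


@dataclass
class PortConfig:
    """Flex-auth knobs from the deck; the field names are shorthand for the IOS commands."""
    order: List[str] = field(default_factory=lambda: ["dot1x", "mab"])  # authentication order
    priority: Optional[List[str]] = None   # authentication priority (defaults to the order)
    tx_period: int = 30                    # dot1x timeout tx-period
    max_reauth_req: int = 2                # dot1x max-reauth-req
    guest_vlan: Optional[int] = None       # authentication event no-response action authorize vlan N
    fail_action: Optional[str] = None      # None, "next-method" or "authorize vlan N"
    mab_delay: int = 1                     # assumed seconds until the endpoint's first frame is seen


@dataclass
class Endpoint:
    has_supplicant: bool        # does it answer EAP-Request-Identity at all?
    creds_valid: bool = False   # would the AAA server accept its 802.1X credentials?
    mac_known: bool = False     # is its MAC address in the MAB database?


def dot1x_timeout(cfg: PortConfig) -> int:
    """The deck's formula: 802.1X timeout == (max-reauth-req + 1) * tx-period."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def timers_exceeded(seconds: int) -> List[str]:
    """Which host-side timers have already expired by the time the port opens."""
    limits = (("DHCP", DHCP_TIMEOUT), ("PXE", PXE_TIMEOUT))
    return [name for name, limit in limits if seconds > limit]


def simulate(cfg: PortConfig, ep: Endpoint) -> Tuple[str, int]:
    """Walk the configured order; return (how the port ended up, seconds elapsed)."""
    priority = cfg.priority or cfg.order
    t = 0
    for i, method in enumerate(cfg.order):
        if method == "dot1x":
            if not ep.has_supplicant:
                t += dot1x_timeout(cfg)        # three unanswered Identity-Requests
                continue                        # timeout: fall through to the next method
            t += EAP_EXCHANGE_SECONDS
            if ep.creds_valid:
                return "dot1x", t
            if cfg.fail_action == "next-method":
                continue                        # authentication event fail action next-method
            if cfg.fail_action and cfg.fail_action.startswith("authorize vlan"):
                t += 2 * EAP_EXCHANGE_SECONDS   # deck: enabled on the third consecutive failure
                return "auth-fail-vlan " + cfg.fail_action.split()[-1], t
            return "unauthorized", t            # no fail action: the port stays closed
        elif method == "mab":
            t += cfg.mab_delay
            if not ep.mac_known:
                continue                        # MAB fails: try whatever comes next
            later = cfg.order[i + 1:]
            # Priority lets a later but higher-priority 802.1X pre-empt a successful MAB.
            if ep.has_supplicant and "dot1x" in later and priority.index("dot1x") < priority.index("mab"):
                t += EAP_EXCHANGE_SECONDS
                if ep.creds_valid:
                    return "dot1x", t
                return "mab", t                 # assumption: MAB authorization kept if 802.1X then fails
            return "mab", t                     # default priority: EAPoL-Start ignored after MAB passes
    # No method authorized the port. The guest VLAN only applies when nothing ever answered EAP.
    if cfg.guest_vlan is not None and not ep.has_supplicant:
        return f"guest-vlan {cfg.guest_vlan}", t
    return "unauthorized", t
```

With the defaults a printer known to the MAB database is admitted only after 91 seconds, past both the DHCP and the PXE timers; tx-period 10 or MAB-first ordering brings that down to 31 or 1 second.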
802.1X & IPT: A Special Case, Voice Ports
With voice ports, a port can belong to two VLANs, still allowing the separation of voice/data traffic while enabling you to configure 802.1X.
An access port able to handle two VLANs:
• Native or Port VLAN Identifier (PVID): untagged 802.3 frames, authenticated by 802.1X
• Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1Q frames, "authenticated" by CDP
The hardware is set to a dot1q trunk.
MDA (Multi-Domain Authentication) for Any IP Phone: No Supplicant on the Phone
interface GigE 1/0/5
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
1. The phone learns the VVID from CDP (Cisco phone)
2. 802.1X times out (EAP-Identity-Requests go unanswered)
3. The switch initiates MAB
4. Access-Request with the phone MAC; ACS returns an Access-Accept with the phone VSA
5. Phone traffic is allowed on either VLAN until the phone sends a tagged packet, then only on the voice VLAN
6. (Asynchronous) The PC authenticates using 802.1X or MAB; PC traffic is allowed on the data VLAN only
MDA in Action: Phone Authenticated by MAB, PC Authenticated by 802.1X
• Either 802.1X or MAB for the phone
• Any combination of 802.1X, MAB, Guest VLAN, Auth-Fail VLAN, IAB for the PC
ID-6500a#sho authentication session int g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000102124450
      Acct Session ID:  0x00000007
               Handle:  0x1D000001
--snip--
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.80.2
            User-Name:  host/beta-supp
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  80
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A000000020213FF9C
      Acct Session ID:  0x00000008
               Handle:  0x6E000002
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
Modifying Default Security with 802.1X: Multi-Auth Mode
Multiple MACs on a port (e.g. VMs behind one NIC): each MAC is authenticated by 802.1X or MAB.
interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
No VLAN assignment is supported. Multi-auth is a superset of MDA with multiple data devices per port.
Authorization
Authorization is the embodiment of the ability to enforce policies on identities
Typically policies are applied using a group methodology—allows for easier manageability
The goal is to take the notion of group management and policies into the network
Types of Authorization:
• Default: closed until authenticated
• Dynamic: VLAN assignment, ACL assignment
• Local: Guest VLAN, Auth-Fail VLAN, Critical Auth VLAN
Changing the Default Authorization: "Open Access"
Open Mode (No Restrictions): authentication is performed but no access control is applied.
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 mab
Open Access Application 1: Monitor Mode
Monitor the network, see who's on, and address future connectivity problems by installing supplicants and credentials and creating the MAB database.
To do before implementing access control:
• Confirm that all these devices should be on the network
• Install supplicants on X, Y, Z clients
• Upgrade credentials on failed 802.1X clients
• Update the MAC database with failed MABs
RADIUS accounting logs provide the visibility:
• Passed/failed 802.1X/EAP attempts: list of valid 802.1X-capable devices, list of non-802.1X-capable devices
• Passed/failed MAB attempts: list of valid MACs, list of invalid or unknown MACs
Open Mode Application 2: Selectively Open Access
Open Mode (Pinhole):
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in
• EAP allowed
• Controlled port: pinhole explicit TCP/UDP ports, restricted to specific addresses, to allow the desired pre-authentication access
• Block general access until successful 802.1X, MAB or WebAuth
• Download a general-access ACL upon authentication
Open Mode with Dynamic ACLs (slide source: Ken Hook)
Topology: wired Ethernet endpoints (client IP 10.100.60.200) on Catalyst 6500 802.1X Ethernet ports, with ACS/AAA, a DHCP/DNS server and a PXE server behind the switch. Before authentication only EAP, DHCP, DNS to 10.100.10.116 and TFTP (PXE) to 10.100.10.117 are permitted by the port ACL.
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group UNAUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
Sample Open Mode Configs
ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
Before authentication:
Switch#show tcam interface g1/13 acl in ip
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any
After authentication (the downloaded per-host ACL sits in front of the port ACL):
Switch#show tcam interface g1/13 acl in ip
 permit ip host 10.100.60.200 any
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any
Dynamic Authorization: VLAN Assignment
Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication
VLANs assigned by name—allows for more flexible VLAN management
Tunnel attributes used to send back VLAN configuration information to authenticator
Tunnel attributes are defined by RFC 2868
Usage for VLANs is specified in the 802.1X standard
802.1X with VLAN Assignment: AV Pairs Used (All Are IETF Standard)
• [64] Tunnel-Type = "VLAN" (13)
• [65] Tunnel-Medium-Type = "802" (6)
• [81] Tunnel-Private-Group-ID = the VLAN name, e.g. "Marketing"
The switch must be configured with: aaa authorization network default group radius
The VLAN name must match the switch configuration; a mismatch results in authentication failure.
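As an added example (my code, not the deck's), the three RFC 2868 tunnel attributes above as they appear on the wire, and the authenticator-side check that turns them into a VLAN or into the authentication failure the deck warns about when the name does not match the switch's VLAN table. The VLAN table SWITCH_VLANS is constructed; the grouping by tag and the handling of an untagged Tunnel-Private-Group-ID follow RFC 2868, while accepting a numeric VLAN id as well as a name is an assumption.

```python
# RFC 2868 tunnel attributes and the values RFC 3580 assigns for VLAN assignment (real numbers).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed VLAN table of the switch (what "show vlan" would list): name -> id.
SWITCH_VLANS = {"Marketing": 40, "Engineering": 41}


def tagged_int(attr_type, value, tag=1):
    """Tagged integer attribute: 1 tag byte followed by a 3-byte big-endian value."""
    return attr_type, bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=1):
    """Tagged string attribute: 1 tag byte followed by the string."""
    return attr_type, bytes([tag]) + text.encode()


def vlan_assignment_avpairs(vlan_name, tag=1):
    """The AV pairs a RADIUS server puts in Access-Accept to assign a VLAN by name."""
    return [
        tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag),
        tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_name, tag),
    ]


def group_tunnel_attrs(avpairs):
    """Authenticator side: group tunnel attributes by tag. A Private-Group-ID whose first
    byte is > 0x1F carries no tag (RFC 2868 section 3.6) and is treated as tag 0."""
    groups = {}
    for attr_type, value in avpairs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            tag, decoded = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                tag, decoded = value[0], value[1:].decode()
            else:
                tag, decoded = 0, value.decode()
        else:
            continue  # not a tunnel attribute (User-Name, Class, ...)
        groups.setdefault(tag, {})[attr_type] = decoded
    return groups


def vlan_for_session(avpairs, switch_vlans):
    """Return the VLAN id the switch applies, None if the Access-Accept carries no VLAN
    assignment, or raise ValueError where the deck says the authentication fails."""
    for tag, group in group_tunnel_attrs(avpairs).items():
        if group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
            raise ValueError(f"tag {tag}: Tunnel-Type VLAN without Tunnel-Medium-Type 802")
        name = group.get(TUNNEL_PRIVATE_GROUP_ID)
        if name is None:
            raise ValueError(f"tag {tag}: VLAN assignment without Tunnel-Private-Group-ID")
        if name.isdigit() and int(name) in switch_vlans.values():
            return int(name)   # assumption: a numeric VLAN id is accepted as well as a name
        if name not in switch_vlans:
            raise ValueError(f"VLAN name {name!r} not configured on switch: authentication fails")
        return switch_vlans[name]
    return None


def decision(avpairs, switch_vlans):
    """One-line summary for a log: the VLAN applied, 'no assignment', or the failure reason."""
    try:
        vlan = vlan_for_session(avpairs, switch_vlans)
    except ValueError as exc:
        return f"auth-fail: {exc}"
    return "no assignment" if vlan is None else f"vlan {vlan}"
```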
URL Redirect
1. Authentication process: 802.1X or MAC authentication
2. RADIUS authorizes the port with a URL redirect
3. The user initiates a web connection
4. The switch port redirects to the web page
• Requires HTTP on the switch
• Does not "authenticate" via the web natively on the switch
• Mainly used for custom notification at this time
• Future integration with other Cisco products
Authorization Recommendations
All Authorization (VLAN, dACL, etc.) is completely optional
Only use it if you have to separate users due to a business requirement
Most enterprises do not have this requirement for known users
Leave the port in its default VLAN or assign the VLAN during machine authentication if possible
802.1X Authentication Database
Where is the single source of authentication credentials for the enterprise?
Do you have to build new or extend trust between databases?
Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases
The EAP method may place requirements on the authentication database, for example when MS-CHAPv2 is required for password authentication.
Supplicant Considerations
• Microsoft Windows: user and machine authentication; DHCP request timeout; machine authentication restriction; default methods: MD5, PEAP, EAP-TLS
• Unix/Linux: open source xsupplicant project (University of Utah), available from http://www.open1x.org; supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
• Apple: native supplicant support in OS X 10.3; 802.1X is turned off by default! Default parameters: TTLS, LEAP, PEAP, MD5, FAST supported; support for AirPort and wired interfaces. In 10.5 single sign-on (SSO) can be accomplished for system or user, not both at the same time.
Cisco Secure Services Client (SSC)
The Secure Services Client introduces features over and above the native supplicants.
Features:
• Robust profile management
• EAP types: support for industry standards (PEAP, TLS, FAST, etc.)
• Single sign-on capable
• Management interfaces
• Automatic VPN initiation
• Endpoint integrity
• Enabling of group policies
• Windows XP, 2003, Vista
• Administrative control
Benefits:
• Simple, secure device connectivity
• Minimizes chances of network compromise from infected devices
• Reduces complexity
• Restricts unauthorized network access
• Centralized provisioning
Windows Boot Cycle Overview
Power On -> Kernel Loading -> Windows HAL Loading -> Device Driver Loading -> Obtain Network Address (Static, DHCP) -> Determine Site and DC (DNS, LDAP) -> Establish Secure Channel to AD (LDAP, SMB) -> Kerberos Authentication (Machine Account) -> Computer GPOs Loading (Async) -> GPO-based Startup Script Execution -> Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update -> GINA -> Kerberos Auth (User Account) -> User GPOs Loading (Async) -> GPO-based Logon Script Execution (SMB)
There is an inherent assumption of network connectivity: every step from obtaining a network address onward depends on it. With 802.1X user authentication only, the earliest network connectivity arrives at GINA (user logon), so every network-dependent step before it (address assignment, site/DC discovery, secure channel to AD, machine-account Kerberos, computer GPOs, startup scripts, auto-enrollment, time sync and dynamic DNS update) is broken.
Problem 1: Microsoft Issues with DHCP
DHCP is a parallel event, independent of 802.1X authentication.
With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal).
DHCP starts once the interface comes up. If 802.1X authentication takes too long, DHCP may time out: the 802.1X auth has a variable timeout, while DHCP times out at 62 seconds.
Timeline: Power Up -> Load NDIS Drivers -> DHCP starts (62-second timeout) in parallel with 802.1X auth -> Setup Secure Channel to DC -> Present GINA (Ctrl-Alt-Del) Login
Problem 2: Machine GPOs Broken. What Is a Group Policy?
Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment.
Types of group policy:
• Registry-based policy
• Security options
• Software installation and maintenance options
• Scripts options
• Folder redirection options
The Solution: Machine Authentication
What is machine authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.
What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies.
Why do we care? Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP and the machine-based group policy model, UNLESS the machine can authenticate using its own identity in 802.1X.
802.1X VLAN Assignment Problem 1: DHCP Renewal
When using dynamic VLAN assignment with user & machine authentication, the host's VLAN can change when the user logs in. The IP address may need to change also.
Supplicant behavior has been addressed by Microsoft: Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4. Needed for VLAN assignment with Wireless Zero Config.
Updated supplicants trigger a DHCP IP address renewal:
• Successful authentication causes the client to ping the default gateway (three times) with a sub-second timeout
• Lack of an echo reply will trigger a DHCP IP renew
• A successful echo reply will leave the IP as is
• The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming
DHCP and 802.1X (for your reference; Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4)
1. Supplicant to authenticator: login request, send credentials
2. Authenticator forwards the credentials to the ACS server
3. Auth successful (EAP-Success) with VLAN assignment returned to the authenticator, which accepts
4. As soon as the EAP-Success frame is received, the supplicant sends ICMP Echo (x3) to the default gateway from the "old IP"
5. After the pings have gone unanswered: DHCP-Request (D=255.255.255.255)
6. DHCP-NAK (wrong subnet)
7. DHCP-Discover (D=255.255.255.255); at this point DHCP proceeds normally
Problem 2: "Real" Boot Sequence & VLAN Assignment
Power On -> Kernel Loading -> Windows HAL Loading -> Device Driver Loading -> 802.1X Machine Auth (port placed in the machine VLAN) -> Obtain Network Address (Static, DHCP) -> Determine Site and DC (DNS, LDAP) -> Establish Secure Channel to AD (LDAP, SMB) -> Kerberos Authentication (Machine Account) -> Computer GPOs Loading (Async) -> GPO-based Startup Script Execution -> Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update -> GINA -> 802.1X User Auth (port moved to the user VLAN) -> Kerberos Auth (User Account) -> User GPOs Loading (Async) -> GPO-based Logon Script Execution (SMB)
The start of 802.1X auth may vary among supplicants, and with Fast Logon Optimization the steps that follow machine auth (address assignment, site/DC discovery, secure channel, machine-account Kerberos, computer GPOs, startup scripts) are in a race condition with 802.1X auth.
Problem 3: VLAN Assignment and GPOs
Same boot sequence, but 802.1X machine auth succeeds and places the host in VLAN1 (10.1.1.1), while 802.1X user auth later moves it to VLAN2 (99.1.1.1). The network-dependent components that are in a race condition with 802.1X auth may therefore run on either side of the subnet change. The start of 802.1X auth may vary among supplicants.
Vista SP1/Windows 2008 and XP SP3
If the supplicant fails 802.1X authentication once, the supplicant goes down for twenty minutes before it tries again. Vista SP1/Windows 2008: KB957931, http://support.microsoft.com/kb/957931. XP SP3: KB coming soon.
802.1X and Windows Recommendations
• Machine authentication is mandatory for managed environments
• Consider machine authentication only
• Manage auth behavior on XP SP2/2000 via registry keys: http://support.microsoft.com/kb/309448/en-us and http://www.microsoft.com/technet/network/wifi/wififaq.mspx
• Manage the XP SP3/Vista supplicant through XML: http://support.microsoft.com/kb/929847
• Use the automatic provisioning built into AD if possible: machines are provisioned automatically with a machine password, and certificates can be provisioned automatically via AD GPOs
VLANs and Windows: Recommendations
When using dynamic VLANs:
• Disable Fast Logon Optimization
• Use the same VLAN for machine and user authorization
• VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)
Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on an L3 switch is limited.
An ACL per port can be assigned by the RADIUS server per group.
802.1X Deployment Considerations
Non-802.1X Clients & Guests
Failed Access Handling
RADIUS Availability
Flexible Authentication Sequencing
Multiple Devices Per Port
Authorization
Authentication and Endpoint Considerations
802.1X and Microsoft Windows
Other Considerations
Remote Desktop
XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode, which results in a machine auth.
Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.
If machine authentication and user authentication result in the same VLAN, then there are no problems.
If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off.
SSC on XP provides the above solution.
Pre-eXecution Boot Environment (PXE): Default Security Impact
PXE BIOS needs network access within 60 seconds of link-up to download a bootable OS. Most PXE implementations do not support 802.1X. No 802.1X = no network access = no OS download.
[Figure: PXE BIOS attached to a switch port. One physical port -> two virtual ports: uncontrolled port (EAPoL only) and controlled port (everything else). ALL traffic except EAPoL is dropped.]
interface fastEthernet 3/48
 authentication port-control auto
PXE Solution 1: MAC Authentication Bypass (MAB)
[Figure: packet sequence* between a PXE BIOS client (MAC 00.0a.95.7f.de.06), the switch (dot1x/MAB) and RADIUS. Upon link up the switch sends EAPOL-Request (Identity); the client's DHCP Discover 1 is dropped. After 10 seconds: second EAPOL-Request (Identity); DHCP Discover 2 dropped. After another 10 seconds: third EAPOL-Request (Identity); DHCP Discover 3 dropped. After 10 more seconds: EAPOL-Timeout, initiate MAB. Learn MAC (variable time). RADIUS Access-Request with username 00.0a.95.7f.de.06; RADIUS Access-Accept. Port enabled; DHCP Discover 4 succeeds; PXE continues.]
* - exact packet sequence will vary
interface GigabitE 3/13
 authentication port-control auto
 dot1x timeout tx-period 10
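To see why the tx-period is tuned in Solution 1, here is an added example (not from the deck) that models the 802.1X-to-MAB fallback timeline and checks it against the 60-second PXE window. The formula tx-period × (max-reauth-req + 1) and the IOS defaults (tx-period 30 s, max-reauth-req 2) are Cisco-documented; the RADIUS round-trip value is a constructed assumption.

```python
"""Model the dot1x-to-MAB fallback timeline of PXE Solution 1 and check it
against the 60 s window the PXE BIOS needs. Added example, not deck code.
IOS defaults: tx-period 30 s, max-reauth-req 2. radius_rtt is assumed."""

PXE_WINDOW_SECONDS = 60  # PXE BIOS needs network access within 60 s of link-up


def mab_fallback_seconds(tx_period=30, max_reauth_req=2):
    """Seconds from link-up until the switch gives up on EAPoL and starts MAB.

    The switch sends the first EAPOL-Request (Identity) at link-up and
    retransmits it max_reauth_req times, waiting tx_period between each."""
    return tx_period * (max_reauth_req + 1)


def mab_timeline(tx_period=30, max_reauth_req=2, radius_rtt=1.0):
    """Return (events, port_enabled_at): events is a list of
    (seconds_after_linkup, description) in the order of the deck's diagram;
    radius_rtt is the assumed MAC-learn plus RADIUS round trip."""
    events, t = [], 0
    for n in range(max_reauth_req + 1):
        events.append((t, f"EAPOL-Request (Identity) #{n + 1}; DHCP Discover dropped"))
        t += tx_period
    events.append((t, "EAPOL-Timeout: initiate MAB, learn MAC"))
    t += radius_rtt
    events.append((t, "RADIUS Access-Request/Accept (MAC as username); port enabled"))
    return events, t


def pxe_fits(tx_period=30, max_reauth_req=2, radius_rtt=1.0):
    """True when the port opens for the PXE client inside its 60 s window."""
    _, enabled_at = mab_timeline(tx_period, max_reauth_req, radius_rtt)
    return enabled_at < PXE_WINDOW_SECONDS


if __name__ == "__main__":
    for tx in (30, 10):  # IOS default versus 'dot1x timeout tx-period 10'
        events, t_enabled = mab_timeline(tx_period=tx)
        print(f"tx-period {tx}: port enabled at {t_enabled:.0f}s, "
              f"fits PXE window: {pxe_fits(tx_period=tx)}")
        for when, what in events:
            print(f"  t={when:>5.1f}s  {what}")
```

With the default tx-period the port only opens after about 91 s, well outside the PXE window; with tx-period 10 it opens after about 31 s.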
PXE Solution 2: Open Mode with Interface ACL (Selectively Open Access)
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in
[Figure: PXE BIOS on an open-mode port. Open Mode (pinhole) on specific TCP/UDP ports for PXE, restricted to specific addresses. EAP allowed (controlled port). Pinhole explicit TCP/UDP ports to allow desired access; block general access until successful MAB; download the general-access ACL upon authentication.]
Wake On LAN (WOL) and 802.1X: Selectively Open Access Outbound
Default: block outbound traffic until successful 802.1X/MAB.
802.1X controls port traffic in BOTH directions. Use WOL support on the switch to allow outbound (from switch) traffic to wake up the device.
[Figure: WOL-capable device on the port; outbound traffic toward it is allowed.]
interface GigabitE 3/13
 authentication port-control auto
 authentication control-direction in
Intel Advanced Management Technology (AMT): PXE and WoL Solution After Authentication
AMT has a supplicant on the NIC.
The AMT device is authenticated before the PXE BIOS, so PXE can proceed as if 802.1X had never been enabled.
The AMT device is authenticated after the device goes to sleep. It defends the IP address of the upper-layer OS, so there are no more directed broadcasts for WoL magic packets.
[Figure: looks the same as without 802.1X. Authenticated User: AMT.]
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Monitoring and Troubleshooting
802.1X Monitoring and Troubleshooting
Major components of 802.1X monitoring: RADIUS accounting, NAD logs, RADIUS logs, NAD CLI, SNMP on NAD
Major components of 802.1X troubleshooting: correlated log reports, ACS View, third-party log analysis and reporting, SNMP on NAD, NAD CLI
802.1X with RADIUS Accounting
[Figure: supplicant, switch (802.1X process) and RADIUS server (RADIUS process). 1: Authenticate. 2: Access-Accept from RADIUS to the switch, EAPOL-Success from the switch to the supplicant. 3: Accounting-Request from the switch to RADIUS. 4: Accounting-Response from RADIUS to the switch.]
Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server.
Tracking of user-level events uses the same mechanism.
802.1X with RADIUS Accounting
Similar to other accounting and tracking mechanisms that already exist using RADIUS; this can now be done through 802.1X.
Increases network session awareness.
Provides information to a management infrastructure about who logs in, session duration, support for basic billing usage reporting, etc.
Provides a means to map the authenticated Identity, Port, MAC and Switch to the IP address, Port, MAC and Switch: Identity = IP, and Switch + Port = Location.
IOS:
aaa accounting dot1x default start-stop group radius
Troubleshooting: Identify Points of Failure
It is important to understand the failure point in the picture.
It is important to understand which issue causes which failures.
In most cases the description of the issue symptom is vague or misleading, and you must correlate separate pieces of information for problem resolution.
ACS View 5.0 RADIUS Authentication
ACS View 5.0 Authentications Details
Simple Homegrown Tools
802.1X Port Config
interface GigabitEthernet7/1
 switchport
 switchport mode access
 switchport voice vlan 110
 ip access-group default_acl in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
For Your Reference
ID-6500a#sho authentication session interface gigabitEthernet 7/1
Interface: GigabitEthernet7/1
MAC Address: 000f.2322.d9a2
IP Address: 10.6.110.2
User-Name: 00-0F-23-22-D9-A2
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Unknown
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A00000007000E37CC
Acct Session ID: 0x00000009
Handle: 0x0E000007
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
---------------------------------------
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.50.2
User-Name: nac\darrimil
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Healthy
Authorized By: Authentication Server
Vlan Policy: 50
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A0000000D0030B498
Acct Session ID: 0x00000011
Handle: 0x1500000D
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
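In the spirit of the "simple homegrown tools" slide, an added example (not a tool from the deck) that parses the show authentication session output above into one record per session and flags the cases a reviewer cares about; the sample text is the deck's output trimmed to the fields the parser uses, and the review rules are mine.

```python
"""Parse 'show authentication sessions interface ...' output into dicts and
flag sessions worth a look. Added example; sample is the deck's Gi7/1 output
trimmed to the fields used here. Review rules are assumptions of mine."""
import re

SAMPLE = r"""Interface: GigabitEthernet7/1
MAC Address: 000f.2322.d9a2
IP Address: 10.6.110.2
User-Name: 00-0F-23-22-D9-A2
Status: Authz Success
Domain: VOICE
Authorized By: Authentication Server
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
---------------------------------------
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.50.2
User-Name: nac\darrimil
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
Vlan Policy: 50
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
"""

METHOD_RE = re.compile(r"^(dot1x|mab)\s+(.+)$")  # rows of the methods table


def parse_sessions(text):
    """Split on the dashed separator; each block becomes a dict of
    'Field: value' pairs plus a 'methods' dict {method: state}."""
    sessions = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        session, methods = {}, {}
        for line in block.strip().splitlines():
            m = METHOD_RE.match(line.strip())
            if m:
                methods[m.group(1)] = m.group(2).strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                session[key.strip()] = value.strip()
        if session:
            session["methods"] = methods
            sessions.append(session)
    return sessions


def review(session):
    """Reasons this session deserves attention (empty list means fine)."""
    notes = []
    if session["methods"].get("dot1x", "").startswith("Failed"):
        notes.append("802.1X failed over to MAB")
    if (session.get("Domain") == "DATA" and session.get("Status") == "Authz Success"
            and session.get("Vlan Policy", "N/A") == "N/A"):
        notes.append("authorized without a VLAN policy (default port VLAN in use)")
    return notes
```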
EAP Problem: Certificate Trust Issues
One of the most common issues seen in deployments and pilots
[Screenshots: ACS 4.2 and ACS 5.0 views of the certificate trust failure]
802.1X Authorization Failure 1
In case network authorization is NOT ENABLED on a NAD.
ACS Message Type: Authentication Successful
Authentication Failure Reason (AFR): There is no AFR associated with this error since authentication succeeds.
User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
The following CLI is missing:
aaa authorization network default group radius
VLAN assignment succeeds but assigns the port to VLAN 0. Consequently, since there is no VLAN 0, the default port VLAN is used for authorization, and if there is no DHCP setup for this VLAN then the client can't obtain an IP address. The supplicant might try to re-DHCP if it can't get an IP address.
Session Timeout (RADIUS Attribute 27), the reauthentication timer value, is not assigned to the port. The reauthentication timer therefore becomes 0, which means that there will be no reauthentication.
802.1X Authorization Failure 1
ID-6500a#debug condition interface GigabitEthernet 7/1
ID-6500a#debug auth feature vlan_assign event    (new feature)
Auth Feature vlan_assign events debugging is on
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
ID-6500a#sho authentication sess interface g 7/1
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.50.2
User-Name: nac\darrimil
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A0000000E005DD8A8
Acct Session ID: 0x00000013
Handle: 0xF900000E
802.1X Authorization Failure 2
In case an invalid RADIUS attribute is sent via RADIUS Access-Accept.
ACS Message Type: Authen Successful
AFR: There is no AFR associated with this error since authentication succeeds.
Passed Authentication reports authentication is successful. Authorization failure on the switch is NEVER reported back to ACS.
User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
A RADIUS Access-Accept with an invalid RADIUS Attribute 81 is sent. The basic rule is that attribute 81 needs to be either "string" or "integer". If String, it needs to match a VLAN name that exists on the switch. If Integer, it needs to match a VLAN ID that exists on the switch.
*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
802.1X Authorization Failure 3
In case an invalid RADIUS attribute is sent via RADIUS Access-Accept.
ACS Message Type: Authen Successful
AFR: There is no AFR associated with this error since authentication succeeds.
Passed Authentication reports authentication is successful. Authorization failure on the switch is NEVER reported back to ACS.
User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
When the Downloadable ACL feature is used, there must be an interface ACL applied to the interface.
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
*Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST
*Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
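Since all three authorization failures above leave ACS showing "Passed Authentication", the switch log is the only place they are visible. Here is an added example (not from the deck) of the log correlation the troubleshooting slides call for: a Python scan over the deck's own debug lines; the rule wording is mine.

```python
"""Scan switch syslog for 802.1X sessions that authenticated but failed
authorization on the NAD, which ACS never learns about. Added example; the
sample lines are the deck's debug output, the rule texts are assumptions."""
import re

SAMPLE_LOG = """\
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
"""

# (pattern, message template filled from the pattern's groups)
RULES = [
    (re.compile(r"Successfully assigned VLAN 0\b"),
     "VLAN 0 assigned: 'aaa authorization network default group radius' missing on the NAD"),
    (re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: .*VLAN (\S+) to"),
     "RADIUS attribute 81 named VLAN {0}, which does not exist on the switch"),
    (re.compile(r"%EPM-4-POLICY_APP_FAILURE: .*POLICY_NAME=([^|]+)\|.*REASON=(.+)$"),
     "downloadable ACL {0} not applied: {1}"),
    (re.compile(r"%AUTHMGR-5-FAIL: Authorization failed for client \((\S+)\)"),
     "client {0} authenticated but authorization failed; ACS still shows Passed Authentication"),
]


def find_silent_failures(log_text):
    """Return [(timestamp, message)] for each matching line. The AUTHMGR-5-FAIL
    rule fires only when a %DOT1X-5-SUCCESS for the same MAC came first: that
    is the 'authentication ok, authorization failed' shape ACS does not see."""
    findings, authenticated = [], set()
    for line in log_text.splitlines():
        stamp = line.split(": ", 1)[0].lstrip("*")
        ok = re.search(r"%DOT1X-5-SUCCESS: .*client \((\S+)\)", line)
        if ok:
            authenticated.add(ok.group(1))
            continue
        for pattern, template in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if "AUTHMGR-5-FAIL" in pattern.pattern and m.group(1) not in authenticated:
                continue
            findings.append((stamp, template.format(*m.groups())))
    return findings


if __name__ == "__main__":
    for stamp, message in find_silent_failures(SAMPLE_LOG):
        print(f"{stamp}  {message}")
```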
Looking Forward
Overview of Cisco TrustSec
Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:
1 Confidentiality & Integrity
2 Centralized Role Based Access Control (RBAC) Policy Administration
3 Identification, Authentication and Authorization for all networked entities, and classification into topology independent security groups
SGACL Enforcement (1), (2), (3)
[Figure, built up over three slides: User 1 (SGT 4), User 2 (SGT 7) and User 3 (SGT 9) reach Server 1 and Server 2 through switches enforcing SGACLs; Cisco ACS, backed by an External Directory Server, holds the RBACLs.]
RBACLs (Source SGT -> Destination DGT):
4 -> S1+S2
7 -> S1
9 -> S2
User 1 has access to both servers.
User 2 has access to Server 1.
User 3: access to Server 1 denied (SGACL Access Denied to User 3).
1. Security Group Tag is applied on the ingress switch port
2. Role-based ACL policies are applied on security group tags (permit, deny, log, police, remark, span, redirect, …)
Customer Case Study
802.1X Deployment Case Study 1
Retailer required to only allow their assets to connect to the network due to lack of physical security
Selected 802.1X as the technical solution after evaluation
Primarily an MSFT desktop and server environment; small group of MAC OSX for designers
Approximately 14,000 ports at home office and remote stores
Cisco IP Telephony environment
Pervasive Wireless environment
802.1X Deployment Case Study 1 (Cont)
Selected Machine Authentication only for wired and wireless
Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)
Manually provisioned non AD devices if possible
Failed authentication VLAN and unknown MAC addresses assigned to "guest" VLAN on wired only at home office; no "guest" VLAN at remote sites
No guest WLAN access
IAB used for AAA failures for remote office survivability
Multiple Supplicants; try to leverage native OS supplicant if possible
802.1X Deployment Case Study 1 (Cont)
Lab Work
IP Telephony handled by CDP exceptions
PXE tested and handled via MAB
Tested "Guest VLAN" backhaul and Proxy for AUP
No Wake On LAN
Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket
Bought 3rd party tool to build MAC address database
Extended SIM for reporting
Decided on access layer only deployment since data center had physical security
802.1X Deployment Case Study 1 Methodology
Conducted POC with Network/Desktop Operations
Pre-production pilot with all of IT
Monitored Failed Authentications/Unknown MACs via group reports to monitor for supplicant configuration issues and unknown devices
Ran trend reports on IPT and PXE support calls to judge impact
Deployed supplicant configuration/credentials before switches
Deployed "Internet" VLAN with appropriate backhaul to Internet Edge
Deployed 802.1X in "monitor" mode on a per building basis: 802.1X, MAB, Unknown MAB, Failed VLAN all went to the default port VLAN
Continued trend reporting for other services
Deployed 802.1X "guest enforcement"
Case Study 2: 802.1X Implementation
802.1X facts and figures:
4000 devices with 802.1x supplicant (Windows XP, SP2)
0 devices with MAB
96% dedicated PC, 4% shared PC for internet access
7500 ports with 802.1x activated
2 ACS Appliances for RADIUS
20 AD/Radius groups
650 VLANs
100 meeting rooms with "wired only" Guest VLAN
More Information: CCS-1001 802.1X Case Study
Case Study 2: MBDA Group Structure
[Figure: ownership chart. EADS (37.5%), BAE SYSTEMS (37.5%) and FINMECCANICA (25%) own MBDA. MBDA owns 100% of MBDA DEUTSCHLAND, MBDA France, MBDA UK and MBDA ITALIA. Integrated organisation.]
Summary
802.1X improves enterprise security
802.1X improves enterprise visibility
802.1X is a platform for other security initiatives
Supplicants are important
802.1X is deployable now
New features have significantly simplified deployment
802.1X is not only a network project, it affects the whole IT organization
Q&A
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.