Professional Documents
Culture Documents
1-800-COURSESwww.globalknowledge.com
Introduction
A standard to remember, and one that youll have netmares about as you get started with deployment, is the infamous 802.1X. This is an authentication protocol that was designed back in 2001. There are different speculations on why there was such a high rate of failure, whether it is lack of understanding, technologies such as RADIUS Servers that just didnt have the features that were needed, or a combination of the two. 802.1X, or dot1x as its commonly called, is simply an authentication method used by endpoints (Windows, MACs, iDevices, Android) to gain access to the network. You may have already used this protocol with your wireless infrastructure, so now its time to implement it across the board on wired and wireless.
Authentication Server: The RADIUS server that processes the authentication requests; also responsible for returning attributes, such as access lists and VLANs, to the NAD.
Notice the Dst: MAC indicates Nearest, which, if you look at the MAC (01:80:c2:00:00:03), it is a reserved MAC. Any endpoint or device that receives traffic destined to this address should process the packet locally. The switch we are using is configured to use the 2010 version of dot1x.
The frame in Figure 2 contains no IP addresses and no Layer 4 headers. It containsnothing other than Layer 2 information and a special payload called theEAP. This EAP payload contains the authentication protocol information needed for the endpoint to authenticate to the network. Figure 3 displays the follow-up request from the RADIUS server, where it is requesting Protected EAP (PEAP) (type 25) communication.
The Version field in Figure 3 indicates a 2010 flavor of 802.1X. The switch that sent the packet is running the latest code and thus supports the latest implementation of the protocol. Also note the Type field indicates a PEAP packet. Now there are many, many different flavors of EAP authentication protocols. PEAP is the most common due to its ease of deployment. Lets face it, dot1x isnt our entire lives; we have other things to do at work. To streamline the configuration of PEAP, we could create Group Policy Objects (GPOs) on our Windows servers and push down the PEAP configuration to our clients. Also, there is no additional supplicant to install, since Windows and other popular operating systems already come shipped with PEAP capabilities. Well talk a little more about PEAP later. For now, know that this is a PEAP request sent from the RADIUS server to our switch, and then the switch proxies that data in an EAPoL packet to our client.
1. T he client send its client hello packet to the RADIUS server. In this packet, the client sends a TLS record with the contents: Random, Cipher Suites, Compression Support, and any Extensions of Capabilities (Figure 4).
2. T he next packet is from the RADIUS server. The contents (which are three records contained in this packet) are the Server Hello record, the Server Certificate, and the Server Hello Done record (Figure 5). These records contain: a. S erver Hello: Random data generated on the RADIUS server, Session ID generated on the RADIUS server, Cipher Suite selected, Extensions, and Compression settings.
b. T he next record is the Certificate being supplied from the RADIUS server (Figure 6). Notice that the certificate chain, the RADIUS server cert, and the certification authority (CA) that signed the RADIUS servers cert are passed in the record:
Figure 6. Certificate
3. T he next packet sent from the client is an acknowledgement to the PEAP request (Figure 7). Actually, the RADIUS server sends two more packets with the same header values, but the payload changes (notice the byte count changing 1030, 1026, and 232 bytes).
4. N ext comes the client response, containing three records: Clients Key Exchange, Change Cipher Spec, and Encrypted Handshake Message (Figure 8). The encrypted handshake method is the session key that the client has chosen to use and encrypting it, using the public key of the RADIUS server (this was provided in the identity certificate of the RADIUS server).
5. T he following packet from the RADIUS server is the change cipher spec message and the encrypted handshake message, which is basically the server sending back encrypted information using the shared session key. If all works correctly, the client will be able to decrypt and confirm the message (Figure 9).
6. N ow that we have negotiated the ciphers and have successfully exchanged session keys, we need to authenticate the client to the RADIUS server using an inner-method of authentication (Figure 10). Commonly, we use MSCHAPv2, but it can also be a client-based certificate sent through this encrypted TLS session. Since this session is truly encrypted, we wont be able to determine the inner method of authentication, but neither would an attacker (unless they did a man-in-the middle attack on the TLS session).
Authentication Tab
Now that the service has been started, go to the NIC properties. Once there, youll notice the Authentication tab and its various options (Figure 12). This is the dot1x configuration.
The Enable IEEE 802.1X authentication option allows you to enable or disable the supplicant. The Settings drop-down box has two values: PEAP method of authentication and Smart Card or other certificate EAPTLS method of authentication. The Remember my credentials for this connection each time Im logged on option allows the credentials to be cached from a user, which, in turn, are supplied during authentication. This option helps if timers have been set to low values, and dot1x requests authentication or re-authentication, and the user doesnt have time to supply credentials. Since PEAP already uses the current users credentials, it would be beneficial to disable this option for environments where computers are being shared. Also note that in the past, with XP, this option was toggled on or off with a registry value, which Win7 does not use. Fallback to unauthorized network access option means that if a client fails authentication using dot1x, instead of just telling the NIC that its done and dead, it keeps the port in an unauthorized state. The Additional Settings button will take you to the more advanced dot1x settings. Here we can select Machine authentication and or User authentication. The thing to remember is that its not an AND that most users want. Actually, its not up to the machine at all. When the EAPoL request is made from the switch, the credentials provided are the cached credentials (machine or user) that the device is currently logged in with.
If your machine boots up and dot1x immediately requests credentials from your machine, then the machine credentials will be used. Machine authentication happens within the first couple of seconds of the machine booting; basically, by the time you see the Windows logo, its already occurred. At this point, youll get the graphical identification and authentication (GINA) requesting credentials. Your user will supply credentials, and the dot1x process on the machine forwards the new credentials to the switch, which proxies them to the RADIUS server. A key point here is that the client itself can also generate EAPoL packets on the fly, without having the switch request them first. If you want to use both machine and user authentications, its up to the RADIUS server to determine whether this is allowed or not. The policies defined on that server dictate what to look for to determine machine and or user authentication. You can select the Enable Single Sign On option, if you need to have the primarily wireless clients connect to the network before they logon to the workstation or immediately after. This option defines when to supply the credentials. Again, this does not affect the hard-wired clients, because the medium is already present. In wireless, the single sign-on (SSO) option allows you to determine when to supply credentials for the wireless connection. Lets go back to the main Authentication tab. From here, click the Settings button next to PEAP (Figure 13). These settings are crucial for securing the PEAP connection.
10
First, the Validate server certificate option is enabled by default and should be disabled. The Connect to these servers option is one that is commonly misconfigured. The text in this field needs to match the Issued to field on the RADIUS server certificate. I know that you are thinking about redundancy, right? Well, of course you are, so the answer is yes, you can add multiple entries by separating them out with semi-colons. The following option (Figure 14) allows you to select the Trusted Root CAs for the connection. Heres the kicker: these are always on, and you cannot toggle them on or off. I know, you see the checkbox, but it doesnt do anything.
The Authentication method drop-down also contains value of interest. MSCHAPv2 is selected by default, but a client-based certificate can also be used for authentication. The thing to remember is that the outer (Phase1) TLS tunnel is used to secure the tunnel for this inner method authentication to take place. If this were a straight EAP-TLS connection, certs would be exchanged without any encryption. However using PEAP-TLS ensures we are encrypted first, then the client presents its certificate. In most cases, youll stick with MSCHAPv2, which eliminates the need for client-based certificates. The Enable Fast Reconnect option allows a users session to quickly resume without having to go through the inner method of authentication. This works because we are using TLS, which supports session-resume. So as long as the users can resume the TLS session, they will be granted access. This is useful for users who frequently roam between access points. The Disconnect if server does not support cryptobinding TLV option is used to prevent man-in-themiddle attacks where information is taken from Phase 1 of the tunnel negotiation and Phase 2 (client authentication). The information is hashed, and the hash is forwarded to the peer. This ensures both Phase 1 and Phase 2 data are sent and received between appropriate peers and that a phase was not compromised.
11
The last option on the page is the Enable Identity Privacy option. In this field, we can specify any identifying information that will be used prior the Phase 1 tunnel negotiation with PEAP. Remember that this information is supplied in clear text. We can specify anything in this field, if we are worried about eavesdropping on the wire. Right behind that RADIUS packet and after TLS negotiation, we see another RADIUS packet with the inner method of authentication using the actual machine/user credentials. Remember, however, this username will be encrypted.
Conclusion
As time goes on, well be seeing more and more of 802.1X in the environments we support. We have to for due diligence. Allowing trusted and non-trusted hosts to connect to our networks without proper controls is really just turning our head to security. You may have heard concerns or nightmare stories about 802.1X, but with the tools we have today and the method of implementation, this can be seamless in an environment and far exceeds any compliance requirements you may have. I will say this, though; this is one technology you HAVE to take a deep dive on. Its also a case for taking a course to really learn the technology in an environment thats not your production.
Learn More
To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge, Global Knowledge suggests the following courses: 802.1X - Introduction to 802.1X Operations for Cisco Security Professionals ACS 5.2 - Cisco Secure Access Control System SISE - Implementing and Configuring Cisco Identity Services Engine v1.1 Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.
12