
Case Study: MBDA 802.1X Campus
CCS-1001
Sylvie PHALIPPOU, Network Engineer, MBDA / France, sylvie.phalippou@mbda-systems.com
CCS-1001 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times, including the Party

Agenda
MBDA: Company Overview
Network Architecture
802.1X overview
Deploying 802.1X
  Company Goals
  Network and security requirements
  Design constraints
  Implementation schedule
  Deployment workshops
  Features selection
  Implementation
  Tools and procedures
  Benefits/Lessons learned
Current Status and future plan
Conclusion

MBDA: Company Overview

MBDA: History/Shareholders/Products
Created in 2001
MBDA is a leading global missiles and missile systems prime contractor
Extensive, unrivalled product portfolio covering the whole range of requirements
45 products in service / 30 products under development
Extensive experience of international programs, e.g. Storm Shadow/SCALP, Taurus, Aster, Meteor, Milan
Supported by major shareholders: BAE SYSTEMS, EADS, Finmeccanica

MBDA Group Structure
(Diagram) Shareholders: BAE SYSTEMS 37.5 %, EADS 37.5 %, FINMECCANICA 25 %
MBDA owns 100% of MBDA France, MBDA UK, MBDA ITALIA and MBDA DEUTSCHLAND
Integrated organisation

MBDA European Centers
10,400 people worldwide, 60% in Technical/Engineering functions
Headcount by country: FR 4,800, UK 2,900, IT 1,500, GE 1,100, USA 100
(Map of sites and their functions)
UK: Lostock (Production), Stevenage (R&D/Integration), Bristol (Software & Systems)
Germany: Ulm (R&D), Schrobenhausen (Management/R&D/Production/Integration), Unterschleißheim (Management/R&D)
France: Compiègne (Electronic), Le Plessis-Robinson (Management/R&D), Centre Region (R&D/Production/Integration)
Italy: La Spezia (R&D/Integration), Rome (Management/R&D), Fusaro (Production/Integration)

MBDA: Network Architecture

Network Architecture
Campus Corporate & Business Networks:
Campus: 3-tier architecture (Core, Distribution, Access)
Cisco switches: Cat3750/Cat4500/Cat6500
3 VRF-Lite instances: 1 for office and ToIP, 1 for Guest VLAN, 1 for Video Surveillance/Physical Security
No communication between VRFs
802.1X deployment on the Office VRF
Corporate Networks WAN: Cisco 7200 routers / leased lines

MBDAF LAN Physical View
(Diagram: actual campus LAN)

MBDAF LAN Logical View
(Diagram: actual campus LAN with three VRFs: VRF Corporate, VRF Video, VRF Guest)

Scale and Figures


Corporate & Business Networks:
3000 users in 5 buildings
Access: 230 Cat3750 in 38 cabinets with IOS 12.2(46)SE
Distribution: 8 Cat4500 SUP5-10G with IOS 12.2(31)SGA
Core: 2 Cat6500 SUP720-10G with IOS 12.2(18)SXF6
Server farms: 3 Cat6500 SUP720-10G with IOS 12.2(18)SXF6
9000 Ethernet ports
4000 IP phones
5000 workstations and PCs
OSPF as the routing protocol within each VRF
PVST+ between the access layer and the distribution layer

802.1X overview


Why 802.1X? Because it is better to know who is connected

Network Access Control Model
(Diagram) Request for Service (Connectivity) -> Backend Authentication Support (CS-ACS RADIUS) -> Identity Store Integration (Microsoft Active Directory)
Properties: LAN media independence, User authentication, Device authentication

MBDA France Deploying 802.1X



Company Goals
Allow cost reduction and workforce collaboration: CY2005
1- Aggregate THREE Paris offices in a new & modern campus (Vélizy La Source, Vélizy Villacoublay, Châtillon -> Le Plessis-Robinson)
2- Allow greater mobility for the project teams
3- Reach security requirements
4- Deploy IP telephony
5- Increase campus availability
Deliver new design for network architecture in Q1 CY2007

Network & Security requirements


Architecture based on VRF-Lite and VLAN segmentation
2 Office VLANs per floor for generic users
2 ToIP VLANs per floor for IP phones
For one project team => one VLAN in one building
Move from static/manual MAC authorization to DEVICE and/or USER 802.1X authentication
Shared resources using specific VLANs/VRFs: VoIP, network administration, servers, video, etc.
Internet access
LAN guest access in meeting rooms
Flexible authentication for any device
WiFi as a rogue AP detector only
"Where am I? What is my new address?"

802.1X Design Constraints


Identification of TWO machine classes:
  Corporate PC: 90% Windows XP PC, 10% Linux; all corporate PCs belong to the MBDA Active Directory domain
  Guest PC
Cisco ACS servers as the AAA servers: 2 ACS 4.1 appliances
802.1X authentication for corporate PCs from Active Directory
Map AD PC groups to ACS groups per project
Authorization with VLAN assignment per group
Other devices (guest PCs) automatically fall into the Guest VLAN
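The authorization model on this slide (AD machine group -> ACS group -> VLAN, with unknown devices left to the switch's guest VLAN) can be written down as a small decision function. The block below is an added example, not MBDA's configuration or Cisco ACS code: the group names, VLAN ids and authentication events are constructed, and the RADIUS tunnel attributes are the standard ones (RFC 2868) a RADIUS server returns for dynamic VLAN assignment.

```python
"""Model of the 802.1X authorization decision described on this slide.

Added example, not MBDA's or Cisco ACS's code. Group names, VLAN ids and
the authentication events are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed AD-group -> VLAN table; stands in for the ACS group mapping
# built "per project" (the real group names and ids are not on the slides).
GROUP_TO_VLAN = {
    "MBDA-PC-ProjectA": 110,
    "MBDA-PC-ProjectB": 120,
    "MBDA-PC-Admin": 190,
}

# RADIUS attribute values used for dynamic VLAN assignment (RFC 2868).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass
class AuthEvent:
    """One authentication attempt as seen by the AAA server."""
    method: str                      # "eap-tls", "peap" or "none" (no supplicant)
    domain_joined: bool              # machine account exists in AD
    ad_groups: list = field(default_factory=list)
    cert_valid: bool = True          # EAP-TLS: chain and validity already checked


def radius_vlan_attributes(vlan_id: int) -> dict:
    """Attributes returned in Access-Accept to push a VLAN to the switch."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(event: AuthEvent) -> dict:
    """Decide Access-Accept/Reject and the VLAN for one event.

    Only a domain-joined machine that authenticates with a valid method and
    belongs to a mapped group gets an Access-Accept with VLAN attributes.
    A host that never answers EAP is not rejected by the server at all: the
    switch moves it to the guest VLAN ('dot1x guest-vlan') after its EAP
    retries time out. A rejected host stays unauthorized on the port.
    """
    if event.method == "none":
        return {"result": "no-supplicant", "vlan": None,
                "note": "switch guest-vlan applies"}
    if not event.domain_joined:
        return {"result": "reject", "vlan": None, "note": "not a corporate machine"}
    if event.method == "eap-tls" and not event.cert_valid:
        return {"result": "reject", "vlan": None, "note": "invalid certificate"}
    mapped = [GROUP_TO_VLAN[g] for g in event.ad_groups if g in GROUP_TO_VLAN]
    if not mapped:
        return {"result": "reject", "vlan": None, "note": "no group-to-VLAN mapping"}
    # Group mappings are evaluated in order; the first mapped group wins.
    vlan = mapped[0]
    return {"result": "accept", "vlan": vlan,
            "attributes": radius_vlan_attributes(vlan)}


if __name__ == "__main__":
    for ev in (AuthEvent("eap-tls", True, ["Domain Computers", "MBDA-PC-ProjectA"]),
               AuthEvent("none", False),
               AuthEvent("eap-tls", False, [])):
        print(ev.method, authorize(ev))
```

The last check matters in practice: a machine that is in the domain but in no mapped group is rejected rather than dropped into a default office VLAN, which keeps the "one project team, one VLAN" rule enforceable from the AAA side.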

802.1X implementation schedule


1. 802.1X feature tests: Q4 CY2005 (3 months)
   1. Main focus: PC and machine authentication
   2. Certificate provisioning
   3. Scalability
   4. Management of the backend server
2. Architecture final design: Q1 CY2006 (1 month)
   1. Three-tier architecture + VRF
   2. ACS servers and MS Active Directory
   3. ACLs between VLANs in the main VRF
3. Full architecture test: Q3 CY2006 (3 months)
4. New site deployment: Q1 CY2007 (3 months)

802.1X - Features Selection in 2006


MACHINE Dot1X authentication: tested and deployed
  Windows XP SP2 with native Microsoft supplicant, PEAP then EAP-TLS
  Apply Microsoft registry patches, deployed with GPO: http://support.microsoft.com/kb/309448/en-us
USER Dot1X authentication: tested
  GINA modification not possible in MBDA context
MACHINE and USER Dot1X authentication: tested
  Same VLAN must be assigned for both machine and user at that time
IP Phone: no 802.1X supplicant
MAC Authentication Bypass for non-802.1X corporate devices: tested
  Some issues when the IP phone was removed

802.1X deployment workshops


Define all procedures for new site deployment
Change in the IT provisioning method for projects and guests
Macro used to ease Dot1X configuration on switches: dot1x guest-vlan, MAB:
  interface FastEthernet1/0/47
   dot1x mac-auth-bypass
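Only two lines of the switch macro survive on the slide. As an added example (not the MBDA macro and not Cisco-supplied code), the generator below renders the kind of per-port 802.1X stanza such a macro produces, in the IOS 12.2 SE `dot1x ...` command form the deck uses, together with the global AAA/RADIUS lines the ports depend on. VLAN ids, interface names, RADIUS server addresses and the shared-secret placeholder are assumptions.

```python
"""Render the per-port 802.1X configuration that the slide's macro stands for.

Added example, not the MBDA macro itself. Command syntax is the IOS
12.2 SE 'dot1x ...' form; VLAN ids, RADIUS addresses and the secret
placeholder are assumptions.
"""

# Global part: enable AAA, send 802.1X and authorization (VLAN) requests
# to RADIUS, and turn on 802.1X system-wide. Two servers, as in the deck.
GLOBAL_TEMPLATE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host {radius1} auth-port 1812 acct-port 1813 key {secret}
radius-server host {radius2} auth-port 1812 acct-port 1813 key {secret}"""


def port_config(name, access_vlan, voice_vlan, guest_vlan, mab=False, tx_period=10):
    """Return the interface stanza for one access port.

    access_vlan: static VLAN, overridden by the RADIUS-assigned VLAN on success.
    voice_vlan:  VLAN for the IP phone on the same port.
    guest_vlan:  VLAN for hosts that never answer EAP (guest PCs).
    mab:         enable MAC Authentication Bypass for corporate devices
                 without a supplicant (the slide shows it on selected ports).
    tx_period:   seconds between EAP-Request/Identity retries; the value
                 here is an assumption, shorter moves silent hosts to the
                 guest VLAN sooner, longer tolerates slow supplicants.
    """
    lines = [
        f"interface {name}",
        " switchport mode access",
        f" switchport access vlan {access_vlan}",
        f" switchport voice vlan {voice_vlan}",
        " dot1x pae authenticator",
        " dot1x port-control auto",
        f" dot1x timeout tx-period {tx_period}",
        f" dot1x guest-vlan {guest_vlan}",
    ]
    if mab:
        lines.append(" dot1x mac-auth-bypass")
    lines.append(" spanning-tree portfast")
    return "\n".join(lines)


def build_config(ports, radius1, radius2, secret="<RADIUS-SECRET>"):
    """Assemble the global AAA settings plus one stanza per port dict."""
    body = [GLOBAL_TEMPLATE.format(radius1=radius1, radius2=radius2, secret=secret)]
    body.extend(port_config(**p) for p in ports)
    return "\n!\n".join(body) + "\n"


if __name__ == "__main__":
    # Constructed sample: one user port and one port that also allows MAB.
    sample_ports = [
        {"name": "FastEthernet1/0/1", "access_vlan": 100, "voice_vlan": 200, "guest_vlan": 900},
        {"name": "FastEthernet1/0/47", "access_vlan": 100, "voice_vlan": 200,
         "guest_vlan": 900, "mab": True},
    ]
    print(build_config(sample_ports, "10.0.0.1", "10.0.0.2"))
```

Keeping MAB off by default and turning it on per port mirrors the deck's later finding that MAB was not mature enough in 2007 and that ports needing it were handled manually.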

802.1X implementation
802.1X facts and figures:
4000 devices with 802.1X supplicant (Windows XP SP2)
0 devices with MAB
96% dedicated PCs, 4% shared PCs for internet access
7500 Ethernet ports with 802.1X activated
2 ACS 4.1 appliances for RADIUS
20 AD/RADIUS groups
650 VLANs
100 meeting rooms with wired-only Guest VLAN

802.1X Tools and procedures


LAN admin based on CiscoWorks 2000 LMS: User Tracking to locate a specific MAC address
ACL and security based on Solsoft/NetPartitioner (Exaprotect): for ACL management between VLANs
MS tools for all AD aspects

Benefits and lessons learned


Successful installation at the end of March 2007
All employees moved on time, early April 2007
Wired user mobility improvement: transparent for IT
  Before 802.1X: 20 moves a day as a maximum; LAN access in meeting rooms required manual changes
Guest network available (LAN in meeting rooms)
First two months with few problems, so far solved:
  PEAP password expiration => EAP-TLS
  MAC Authentication Bypass: not mature enough in 2007 => manual port management
  Timeout of supplicant => IOS upgrade
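Two of the operational needs on this deck, locating a MAC address (the User Tracking use from the tools slide) and spotting the supplicant-timeout problem listed above, can both be served from the switches' DOT1X syslog stream. The block below is an added example, not part of the deck and not CiscoWorks code: it parses the `%DOT1X-5-FAIL` / `%DOT1X-5-SUCCESS` messages that IOS 12.2 SE emits (the message text is taken as an assumption about that format), finds the last port where a MAC authenticated, and flags ports with a run of failures and no success since. Hostnames, MAC addresses and the log lines are constructed.

```python
"""Parse Catalyst DOT1X syslog lines to locate a MAC and spot failing ports.

Added example, not part of the deck or of CiscoWorks User Tracking. The
message format follows the IOS 12.2 SE DOT1X-5-FAIL / DOT1X-5-SUCCESS
syslog texts (assumed); sample lines, hostnames and MACs are constructed.
"""
import re
from collections import Counter

# Constructed sample: what a syslog collector would hold for two switches.
SAMPLE_LOG = """\
Mar 30 08:12:01 sw-b1-c12 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa1/0/12
Mar 30 08:12:05 sw-b1-c12 %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.dde1) on Interface Fa1/0/47
Mar 30 08:12:35 sw-b1-c12 %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.dde1) on Interface Fa1/0/47
Mar 30 08:13:05 sw-b1-c12 %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.dde1) on Interface Fa1/0/47
Mar 30 08:13:40 sw-b2-c03 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa2/0/3
Mar 30 08:14:00 sw-b2-c03 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Fa2/0/3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<switch>\S+) "
    r"%DOT1X-5-(?P<outcome>FAIL|SUCCESS): Authentication (?:failed|successful) "
    r"for client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<port>\S+)$"
)


def parse(log_text):
    """Yield one dict per DOT1X line; unrelated syslog lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def locate_mac(events, mac):
    """Last (switch, port) where `mac` authenticated successfully."""
    hits = [(e["switch"], e["port"]) for e in events
            if e["mac"] == mac and e["outcome"] == "SUCCESS"]
    return hits[-1] if hits else None


def flapping_ports(events, threshold=3):
    """Ports with at least `threshold` consecutive failures and no success since.

    A supplicant that times out looks exactly like this from the switch:
    repeated FAILs on one port with nothing in between. Reviewing these
    ports catches the problem before users report a 'dead' socket.
    """
    streak = Counter()
    for e in events:
        key = (e["switch"], e["port"])
        if e["outcome"] == "FAIL":
            streak[key] += 1
        else:
            streak[key] = 0   # a success ends the failure run
    return sorted(k for k, n in streak.items() if n >= threshold)


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG))
    print("0011.2233.4455 last seen on", locate_mac(evs, "0011.2233.4455"))
    print("ports to review:", flapping_ports(evs))
```

Feeding a day of collected syslog through `flapping_ports` gives the short list of ports to check; User Tracking or `show dot1x interface` on the switch then confirms whether the host has a supplicant at all or is simply answering too slowly.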

Current Status and Future Plan


Working state:
  User mobility is effective, no complaints from users
  IT saves configuration time
  Per-project organization is implemented
  802.1X deployment in other sites
Next steps:
  802.1X for phones (VoIP is already deployed)
  802.1X for printers
  802.1X in other countries: TBD
MBDA requests to Cisco:
  Hierarchical VLAN allocation: an Admin PC should join the Admin VLAN if the Admin VLAN is available; otherwise, the Admin PC should join the User VLAN
  802.1X QoS inheritance
  Reduce 802.1X debugging impact on Cat3750
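The hierarchical VLAN allocation requested above has a natural shape on the AAA side: an ordered preference list per group, checked against the VLANs that actually exist where the machine plugs in (the requirements slide gives one project VLAN per building, office VLANs on every floor). The block below is an added example of that policy, not a Cisco feature or MBDA's implementation; the building inventory, group names, VLAN ids and the `sw-<building>-<cabinet>` switch naming convention are assumptions.

```python
"""Hierarchical VLAN allocation as requested on the 'future plan' slide.

Added example, not a Cisco or MBDA implementation. It models 'an Admin PC
joins the Admin VLAN if one exists where it connects, otherwise the User
VLAN' as a preference list evaluated against a per-building inventory.
Building names, VLAN ids, group names and the switch naming convention
are constructed.
"""

# Constructed per-building VLAN inventory: project VLANs exist in one
# building only, the office VLAN exists everywhere.
BUILDING_VLANS = {
    "B1": {"admin": 190, "projectA": 110, "office": 100},
    "B2": {"projectB": 120, "office": 100},
}

# Ordered preference per AD group: the first role present in the building
# wins; "office" is the last resort for every corporate PC.
GROUP_PREFERENCE = {
    "MBDA-PC-Admin": ["admin", "office"],
    "MBDA-PC-ProjectA": ["projectA", "office"],
    "MBDA-PC-ProjectB": ["projectB", "office"],
}


def building_of(nas_id):
    """Derive the building from the switch name, e.g. 'sw-b2-c03' -> 'B2'.

    Assumes the constructed convention sw-<building>-<cabinet>; in a real
    deployment NAS-Identifier or the RADIUS client address would carry it.
    """
    parts = nas_id.split("-")
    if len(parts) < 3 or not parts[1].startswith("b"):
        raise ValueError(f"unexpected switch name: {nas_id}")
    return parts[1].upper()


def allocate_vlan(ad_group, nas_id):
    """Return (vlan_id, role) for a PC in `ad_group` authenticating via `nas_id`.

    Returns None for an unmapped group: the caller should answer
    Access-Reject rather than fall back to any VLAN.
    """
    prefs = GROUP_PREFERENCE.get(ad_group)
    if prefs is None:
        return None
    inventory = BUILDING_VLANS.get(building_of(nas_id), {})
    for role in prefs:
        if role in inventory:
            return inventory[role], role
    return None


if __name__ == "__main__":
    for group, switch in (("MBDA-PC-Admin", "sw-b1-c12"),
                          ("MBDA-PC-Admin", "sw-b2-c03"),
                          ("MBDA-PC-ProjectA", "sw-b2-c03")):
        print(group, "via", switch, "->", allocate_vlan(group, switch))
```

The fallback is deliberately explicit per group rather than global: a project PC in the wrong building lands in the office VLAN, never in another project's VLAN, which is the property the per-project segmentation depends on.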

802.1X: It works!

Recommended Reading
Source: Cisco Press

Meet The Expert
To make the most of your time at Cisco Networkers 2009, schedule a face-to-face meeting with a top Cisco expert. Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.
Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions