Deploying Wired 802.

1X

BRKSEC-2005

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

2

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Overview and Agenda
Network Access Default Functionality Deployment Considerations Reporting and Monitoring Looking Forward Deployment Case Study

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

3

What We Won’t Be Covering
AAA authentication on routers IPSec authentication In-depth concepts on identity management and single sign-on (upper layer identity) Specific Extensible Authentication Protocol (EAP) methods X.509 certificates and PKI Wireless LAN 802.1X Switch Features that are not consistent across platforms CatOS
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

4

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Network Access

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

5

Today’s Access Layer
End Users Network Access Devices

Intranet Employees

Managed Assets

Guests/Contractors Internet Outsiders

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

6

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Heuristics
Keep the outsiders out
Prevent unsecured individual gaining physical and logical access to a network
Email

Keep the insiders honest
What can validated users do when they get network access?


X Payroll

Increase network visibility (real-time and logged)
Enterprises need accountability.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

7

Basic Identity Concepts
What is an identity?
An indicator of a client in a trusted domain; typically used as a pointer to a set of rights or permissions; allows us to differentiate between clients

What does it look like?
Can look like anything dmiller@foo.com Darrin Miller 00-0c-14-a4-9d-33

How do we use identities?
Used to provide authorizations—rights to services within a domain; services are arbitrary and can happen at any layer of the OSI model
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

8

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

What Is Authentication?
The process of establishing and confirming the identity of a client requesting services Authentication is only useful if used to establish corresponding authorization Model is very common in everyday scenarios
I’d Like to Withdraw $200.00 Please.

Do You Have Identification?

Yes, I Do. Here It Is.

Thank You. Here’s Your Money.

An Authentication System Is Only as Strong as the Method of Verification Used
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

9

Identity and Authentication Are Important?

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

10

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Applying the Authentication Model to the Network

I’d Like to Connect to the Network.

Do You Have Identification?

Yes, I Do. Here It Is.

Thank You. Here You Go.

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

11

Network Access Control Model

Request for Service (Connectivity)

Backend Authentication Support

Identity Store Integration

• • •

LAN media independence User authentication Device authentication

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

12

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Default Functionality

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

13

Identity Networking
General Identity and Authentication Space

IEEE 802.1X MAC Auth
AAA Policy Management Troubleshooting

Web Auth

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

14

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

IEEE 802.1X
Standard set by the IEEE 802.1 working group Is a framework designed to address and provide port-based access control using authentication Primarily 802.1X is an encapsulation definition for EAP over IEEE 802 media—EAPOL (EAP over LAN) is the key protocol Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point) Assumes a secure connection Actual enforcement is via MAC-based filtering and port-state monitoring
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

15

General Description IEEE 802.1X Terminology

RAD

IUS

R A D I U S

) POL (EA W) LAN r APO Ove s (E EAP eles r Wir Ove EAP Authenticator Port Access Entity (PAE)

Authentication Server

Supplicant

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

16

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Extensible Authentication Protocol (EAP)
A flexible transport protocol used to carry arbitrary authentication information—not the authentication method itself EAP provides a flexible link layer security framework
Simple encapsulation protocol No dependency on IP Few link layer assumptions Can run over any link layer (PPP, 802, etc.) Assumes no reordering Can run over loss full or lossless media

Defined by RFC 3748
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

17

What Does EAP Do?
Transports authentication information in the form of EAP payloads Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges Prevalent EAP types
EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS) EAP-FAST (RFC4851): Designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)
EAP Payload EAP Payload 802.1X Header Ethernet Header RADIUS UDP IP Header

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

18

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Factors That Drive EAP Usage
Enterprise security policy
Are there requirements that drive a particular type? Requirements, such as, two factor authentication may drive the choice of EAP-TLS

Supplicant support
Windows XP supports EAP-TLS, PEAP w/EAP-MSCHAPv2 3rd party supplicants support a large variety of EAP types

RADIUS server support
RADIUS servers support a large variety of EAP types, but not all

Authentication store
PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format Not every identity store supports all the EAP types

Customer choice of EAP type influences component selection
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

19

How Is RADIUS Used Here?
RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server) RFC for how RADIUS should support EAP between authenticator and authentication server—RFC 3579
IP Header UDP Header RADIUS Header EAP Payload

RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
IP Header UDP Header RADIUS Header EAP Payload AV Pairs

Usage guideline for 802.1X authenticators use of RADIUS—RFC 3580
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

20

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

A Closer Look
802.1X, STP

Port Unauthorized
Cisco IOS
aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 10.100.100.100 radius-server key cisco123 dot1x system-auth-control interface GigabitEthernet1/0/1 dot1x pae authenticator dot1x port-control auto

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

21

A Closer Look
802.1X, STP

Port Unauthorized
EAPOL-Start EAP-Identity-Request EAP-Identity-Response

802.1X
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

22

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

A Closer Look
802.1X, STP

Port Unauthorized
EAPOL-Start EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

EAP—Method Dependent
Auth Exchange w/AAA Server Authentication Successful/Rejected

802.1X
BRKSEC-2005 14657_05_2008_c1

RADIUS

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

23

A Closer Look
802.1X, STP

Port Unauthorized
EAPOL-Start EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

EAP—Method Dependent
Auth Exchange w/AAA Server Authentication Successful/Rejected Policy Instructions

Port Authorized

802.1X
BRKSEC-2005 14657_05_2008_c1

RADIUS

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

24

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

A Closer Look
802.1X, STP

Port Unauthorized
EAPOL-Start EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

EAP—Method Dependent
Auth Exchange w/AAA Server Authentication Successful/Rejected Policy Instructions

Port Authorized
EAPOL-Logoff

Port Unauthorized

802.1X
BRKSEC-2005 14657_05_2008_c1

RADIUS

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

25

A Closer Look
802.1X, STP

Port Unauthorized
EAPOL-Start EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

EAP—Method Dependent
Auth Exchange w/AAA Server Authentication Successful/Rejected Policy Instructions

Port Authorized
EAPOL-Logoff

Port Unauthorized

Actual Authentication Conversation Is Between Client and Auth Server Using EAP; the Switch Is an EAP Conduit, but Aware of What’s Going on

802.1X
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

RADIUS
26

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Default Security and Operation

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

27

Default Security of 802.1X
For Each 802.1X Switch Port, the Switch Creates Two Virtual Access Points at Each Port
The Controlled Port Is Open Only When the Device Connected to the Port Has Been Authorized by 802.1X

Controlled

EAPOL

Uncontrolled

EAPOL

Uncontrolled port provides Uncontrolled Port Provides a Path for Extensible (EAPOL) and CDP traffic a path for extensible authentication protocol over LAN only Authentication Protocol over LAN (EAPOL) Traffic Only

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

28

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Default Security of 802.1X

00-01-76-48-90-ff

??

Before 802.1X authentication
MAC address of end-station is unknown Spanning-tree is not in a forwarding state for the switch port No traffic can be processed by switch CPU with the exception of EAPOL

802.1X state machine directly reliant on link state of port

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

29

Default Security of 802.1X
Permit only 00-01-76-48-90-ff

00-01-76-48-90-ff

IOS

dot1x pae authenticator dot1x port-control auto

After 802.1X authentication:
MAC address of authenticated end-station is known Only that one MAC address is allowed (“single auth mode”) Network cannot be compromised easily by a non-802.x client or a different 802.1X client seen on the wire

Single-auth mode ensures the validity of the authenticated session

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

30

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Default Security of 802.1X

00-01-76-48-90-ff

??

00-67-e5-bb-45-21

Additional MAC addresses on wire treated as security violation This includes VMware type devices This includes machines that attempt to transmit gratuitous ARP frames
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

31

Modifying Default Security of 802.1X
00-01-76-48-90-ff authenticated Permit all other MACs

00-01-76-48-90-ff

IOS dot1x host-mode multi-host

00-67-e5-bb-45-21

What if the physical topology does not allow a point-to-point connection? (e.g. hub in conference room) Multi-host mode Use 802.1X to authorize the port only Any amount of unauthenticated stations subsequently allowed on wire
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

32

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Securing 802.1X in Multi-Host Mode
Permit only 00-01-76-48-90-ff & 00-67-e5-bb-45-21

00-01-76-48-90-ff

IOS dot1x host-mode multi-host switchport port-security switchport port-security maximum 3 switchport port-security aging time 2
00-67-e5-bb-45-21

Recommendation:
Use 802.1X to authorize the port Use port-security to limit the number of other devices allowed on the wire.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

33

Switches and 802.1X

00-01-76-48-90-ff DA = 01-80-c2-00-00-03

X

Things to consider before deploying switches in an 802.1X environment
Supplicants use 01-80-c2-00-00-03 This group MAC address is also one of the 16 addresses reserved by IEEE 802.1D in the Bridge Protocol Data Unit (BPDU) block Switches that comply with 802.1D will discard EAPOL frames by design This is ensures that EAPOL is not transparently forwarded by a MAC bridge

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

34

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Non-802.1X Client

Client

X X X √

1
EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03

Upon link up 30-seconds 30-seconds 30-seconds

2 3 4

802.1X Process

Any 802.1X-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not) No network access is given if the switch does not receive an EAPOL identity-response. Whole process restarts after a hold timer Process can start again if a supplicant appears on the port and sends an EAPOL-Start.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

35

Deployment Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

36

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

37

802.1X Authentication Database
Where is the single source of authentication credentials for the enterprise? Do you have to build new or extend trust between databases? Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

38

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Supplicant Considerations
Microsoft Windows
User and machine authentication DHCP request time out Machine authentication restriction Default methods: MD5, PEAP, EAP-TLS

Unix/Linux considerations
Open source: xsupplicant Project (University of Utah) Available from http://www.open1x.org Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Native Apple supplicant support in OS X 10.3
802.1X is turned off by default! Default parameters—TTLS, LEAP, PEAP, MD5, FAST supported Support for airport and wired interfaces In 10.5 Single sign on (SSO) can be accomplished for system or user. Not both at the same time
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

BRKSEC-2005 14657_05_2008_c1

39

Extended Supplicant Suites
Introduces features over and above the native supplicants
EAP types Management Interfaces
Secure Services Client

Features
Robust Profile Management Support for industry standards Endpoint integrity Single sign-on capable Enabling of group policies Administrative control

Benefits
Simple, secure device connectivity Minimizes chances of network compromise from infected devices

SSC

Reduces complexity Restricts unauthorized network access Centralized provisioning

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

40

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

41

Why You Care?
Original Windows boot process assumed IP connectivity
Recall Default Security of 802.1X No network connectivity until successful authentication.

Windows Logon Process and 802.1X are not serialized with 802.1X for Windows 2000, XP, 2003
Creates race conditions between 802.1X and normal boot process

The above impacts the following
Group Policy Objects Authentication contexts: Machine and User Authentication Authorization Decisions – VLAN assignment DHCP

Clear understanding and proper design is required for successful 802.1X deployments.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

42

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

What Is Group Policy
Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computer within an Active Directory environment Machine and User Group Policy Objects (GPOs) Types of Group Policy
Registry-based policy Security options Software installation and maintenance options Scripts options Folder redirection options
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

43

802.1X w/Windows Boot Process
Kernel Loading Windows HAL Loading Device Driver Loading Certificate Auto Enrollment Time Synchronization Dynamic DNS Update

VLAN1 – 10.1.1.1

GINA

VLAN2 – 99.1.1.1

Power On

802.1X Machine Auth

802.1X User Auth

Obtain Network Address (Static, DHCP) Determine Site and DC (DNS, LDAP)

Kerberos Auth (User Account) User GPOs Loading (Async)

Establish Secure Channel to AD (LDAP, SMB)

GPO based Logon Script Execution (SMB)

Kerberos Authentication (Machine Account)

GPO based Startup Script Execution Computer GPOs Loading (Async)

Start of 802.1X auth may vary among supplicants Components that are in race condition with 802.1X Auth

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

44

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Current 802.1X/Winlogon Interoperability with Supplicants
Supplicant may create race condition between 802.1X authentication and Windows Logon process Appropriate configuration/condition/change on Windows system are required to “minimize” the possible risk of race condition “100%” interoperability/serialization is not guaranteed yet on XP Vista SP1 does serialize the login process!

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

45

Microsoft Issues with DHCP

DHCP Is a Parallel Event, Independent of 802.1X Authentication
With wired interfaces a successful 802.1X authentication does not force an DHCP address discovery (no media-connect signal) This produces a problem if not properly planned DHCP starts once interface comes up If 802.1X authentication takes too long, DHCP may time out
802.1X Auth—Variable Timeout DHCP—Timeout at 62 Seconds
DHCP

Power Up Load NDIS Drivers

Setup Secure Channel to DC

Present GINA (Ctrl-Alt-Del) Login

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

46

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Microsoft Fixes
Supplicant

Windows XP: Install Service Pack 1a + KB 826942 Windows 2000: Install Service Pack 4 Authenticator

Authentication Server

Login Req. Send Credentials Accept ICMP Echo (x3) for Default GW from “Old IP” as Soon as EAP-Success Frame Is Rcvd DHCP-Request (D=255.255.255.255) (After Pings Have Gone Unanswered) DHCP-Discover (D=255.255.255.255) Forward Credentials to ACS Server Auth Successful (EAP—Success) VLAN Assignment

DHCP-NAK (Wrong Subnet)

At This Point, DHCP Proceeds Normally
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

47

802.1X and Windows Recommendations
Start simple with authentication Consider machine authentication only
You need to manage auth behavior on XP/2000 via registry keys http://support.microsoft.com/kb/309448/en-us http://www.microsoft.com/technet/network/wifi/wififaq.mspx

Use the automatic provisioning built into AD if possible
Machines are provisioned automatically with a machine password Can have certificates automatically provisioned via AD GPOs

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

48

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non 802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

49

Authorization
Authorization is the ability to enforce policies on identities Typically policies are applied using a group methodology—allows for easier manageability The goal is to take the notion of group management and policies into the network The most basic authorization in Identity Networking is the ability to allow or disallow access to the network at the link layer Other forms of authorization include VLAN assignment, 802.1X with ARP inspection, etc.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

50

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with VLAN Assignment
Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication VLANs assigned by name—allows for more flexible VLAN management Allows dynamic VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.) Tunnel attributes used to send back VLAN configuration information to authenticator Tunnel attributes are defined by RFC 2868 Usage for VLANs is specified in the 802.1X standard Remember implications of VLAN assignment when doing machine and user authentication

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

51

802.1X with VLAN Assignment
AV Pairs Used—All Are IETF Standard [64] Tunnel-type—“VLAN” (13) [65] Tunnel-medium-type—“802” (6) [81] Tunnel-private-group-ID—<VLAN name>
Marketing

IOS aaa authorization network default group radius

VLAN name must match switch configuration Mismatch results in authentication/authorization failure
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

52

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Authorization Recommendations
VLAN Assignment is completely optional Only use it if you have to separate users due to a business requirement Most enterprises do not have this requirement for known users Leave the port in its default VLAN or assign the VLAN during machine authentication if possible

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

53

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

54

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Handling Non-802.1X Clients & Guests
Deployment Options
MAC Auth Bypass Web Auth (client must have browser)

Authenticate via less-secure method

Give them limited access after timeout and no response
Guest VLAN

Allow WLAN access instead of wired
WLAN is a great way to do guest access if available

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

55

Client

MAC Authentication Bypass (MAB)

X X X ? ?

EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Timeout Initiate MAB Learn MAC

Dot1x/MAB

RADIUS

1 2 3 4 5

Upon link up 30-seconds 30-seconds 30-seconds Variable

6 7 8

RADIUS-Access Request RADIUS-Access Accept


00.0a.95.7f.de.06
BRKSEC-2005 14657_05_2008_c1

Port Enabled

IOS Switch(config-if)# dot1x mac-auth-bypass
56

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Web-Based Proxy Authentication
No EAPOL 802.1X Process RADIUS Process

1 2 3

802.1X Timeouts Client Initiates Connection—Activates Port Authentication State Machine Switch Port Filters Traffic Limiting It to HTTP, HTTPS, DNS and DHCP Switch Port Relays DHCP Address from DHCP Server

4

5

User Starts Web Browser and Initiates Web Connection Switch Port Redirects URL and Presents HTTP Form Prompting for Userid/Pwd

7
BRKSEC-2005 14657_05_2008_c1

User Enters Credentials—They Are Checked Against RADIUS DB via PAP—If Authenticated Then Switch Port Opened for Normal Network Access

6

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

57

802.1X with Guest VLAN

Client

X X X √

EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Success D = 01.80.c2.00.00.03

1 2 3 4

Upon link up 30-seconds 30-seconds 30-seconds

Port Deployed into the Guest VLAN

802.1X Process

Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not) A device is only deployed into the guest VLAN based on the lack of response to the switch’s EAP-Request-Identity frames (which can be thought of as 802.1X hellos) No further security or authentication to be applied. It’s as if the administrator de-configured 802.1X (i.e. multi-host), and hard-set the port into the specified VLAN 90 Seconds is greater than MSFT DHCP timeout
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

58

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X Timeouts
max-reauth-req: sets the maximum number of times (default: 2) that the switch retransmits an EAP-IdentityRequest frame on the wire before receiving a response from the connected client tx-period: sets the number of seconds (default: 30) that the switch waits for a response to an EAP-IdentityRequest frame from the client before retransmitting the request

802.1X Timeout
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved.

(max-reauth-req + 1) * tx-period
Cisco Public

59

802.1X Timeout Configuration
The configurable values for the parameters are:
max-reauth-req tx-period 1–10 1–65535 sec.

802.1X Timeout

(max-reauth-req + 1) * tx-period

The below timeouts 802.1X in 60 seconds
interface FastEthernet0/1 switchport access VLAN 2 switchport mode access dot1x pae authenticator dot1x port-control auto dot1x timeout tx-period 20 dot1x max-reauth-req 1 dot1x guest-VLAN 10 spanning-tree portfast

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

60

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

MAB, Guest VLAN, Web-Auth
Determine what features you want to use based on your operations Be aware of implications of tweaking timers.
802.1X capable machine may do MAB or Web-Auth before 802.1X driver can initialize ACS Logs may show two records for MAB and 802.1X for one device. Need to be aware for reporting/troubleshooting

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

61

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

62

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

The Problem — Authentication Failures
1 2
*EAPOL-Start

EAP-Identity-Exchange

3 5

RADIUS-Access-Request RADIUS-Access-Request

4

EAP Exchange

EAPOL-Failure

7

RADIUS-Reject

6

X
Switch AAA

Client Port is never granting access

*Note: EAPOL-Starts are optional, possibility of EAP-NAK left out intentionally, and EAP exchange dependent on method
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

63

Why Auth Fail VLAN?
802.1X 802.1X

Certificate Expired!

User Unknown!

Employees’ credentials expire or entered incorrectly As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default. Many enterprises require guests and failed corporate assets get conditional access to the network.
Re-provision credentials through a web proxy or VPN Tunnel Provide guest access through VLAN assignment or web proxy
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

64

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

The Solution — Auth-Fail-VLAN
EAPOL-Failure

13 15

RADIUS-Reject

12

14

EAP-Identity-Exchange

RADIUS-Access-Request

RADIUS-Access-Request EAP-Data-Request 17 … EAP ………….. Exchange … EAPOL-Failure

16 18

19

RADIUS-Reject


Client Port is now granted access to auth-fail-VLAN Switch AAA IOS dot1x auth-fail vlan 50

It is up to the supplicant to access the network.

2004-802.1X spec (max-start) — If the supplicant tries to authenticate more than this value after you fail a certain number of times, the supplicant should assume authorized.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

65

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

66

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

The Problem — AAA Unavailable
1

EAP-Identity-Exchange

2

RADIUS-Access-Request RADIUS-Access-Request RADIUS-Access-Request

X

3
EAPOL-Failure

X
Client Port is not granting access Switch AAA

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

67

Inaccessible Authentication Bypass
IOS dot1x critical recovery delay 100 radius-server host x.x.x.x test username [username] radius-server dead-criteria 15 tries 3 Interface GigabitEthernet 1/0/1 dot1x critical dot1x critical VLAN 10 dot1x critical recovery action reinitialize

Port authorized

EAP-Success/Failure RADIUS Server comes back -> immediate reinitialize 802.1X State Machine

EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure
BRKSEC-2005 14657_05_2008_c1

Auth Exchange w/AAA Server Authentication Successful/Rejected
68

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

69

802.1X and Voice
Voice Ports With Voice Ports, a port can belong to two VLANs, while still allowing the separation of voice/data traffic while enabling you to configure 802.1X An access port able to handle two VLANs
Native or Port VLAN Identifier (PVID) Auxiliary or Voice VLAN Identifier (VVID)

Hardware set to dot1q trunk
Tagged 802.1q

Untagged 802.3
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

70

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X and Voice
The controlled port is open only when the device connected to the port has been authorized by 802.1X

Controlled
EAPOL CDP

Un-Controlled

EAPOL+CDP EAPOL

• Extensible phones are ableProtocol over LAN (EAPOL) they receive VLAN Cisco IP Authentication to tagProtocolpackets(EAPOL) traffic ONLY Extensible Authentication their over LAN because and CDP traffic only information via CDP which is processed on uncontrolled port as shown above • A CDP exchange is used to allow the phone to be exempt from any 802.1X restriction for port-forwarding

Uncontrolled port provides a for path for Uncontrolled port provides a path

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

71

802.1X with VVID: Previous Limitations
1
Port Already Authenticated

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

72

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with VVID: Previous Limitations

2

PC Leaves

3

Port Remains Authorized

√?

If an End-User Disconnects, the Port Remains Authorized by 802.1X!!!

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

73

802.1X with Voice: Previous Limitations

4

Illegitimate User

3

Port Remains Authorized

√?

An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1X completely— Security Hole In an attempt to workaround this, some customers have enabled periodic reauthentication of end-devices This is not the reason to enable reauthentication We need to deal with the fact that any machine can disappear from the network and the switch (and 802.1X) does not know about it explicitly (i.e. link doesn’t go down)
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

74

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with Voice: Previous Limitations
1
Port Already Authenticated

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

75

802.1X with Voice: Previous Limitations

2

PC Leaves

3

Port Remains Authorized

√?

If an End User Disconnects, the Port Remains Authorized by 802.1X

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

76

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with Voice: Previous Limitations

4

Legitimate User

5

Security Violation

X

A legitimate user may now attempt to gain access to the port by way of 802.1X However, assuming MAC addresses are different, now the switch may treat this as a security violation! In an attempt to workaround this, some customers have enabled periodic reauthentication of end-devices This is not the reason to enable reauthentication Overall, same issue as previous slides
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

77

802.1X with Voice: EAPOL-Logoff
1
Port Already Authenticated

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

78

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with Voice: EAPOL-Logoff

2

PC Leaves

X
3

X
EAPOL-Logoff Transmitted

If an end-user disconnects, an IP phone transmits an EAPOL-Logoff frame to the switch Two basic functions needed from phone
Monitor the PAE group address to determine who and where supplicant is Actually transmit the EAPOL-Logoff frame
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

79

802.1X with Voice: EAPOL-Logoff


4
New Authenticated Session

The switch thinks it is a standard EAPOL-logoff frame transmitted by a supplicant indicating end of service This closes the current security hole, and promotes subsequent mobility

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

80

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with Voice: Deployment Issues

X X X √

1
EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03

Upon link up 30-seconds 30-seconds 30-seconds

2 3 4

802.1X Process

Assuming no supplicant on the wire, a port will be deployed into the guest VLAN after step four above, if guest VLAN is configured

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

81

802.1X with Voice: Deployment Issues

Client

X X X √

1
EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Identity-Request D = 01.80.c2.00.00.03

Upon link up 30-seconds 30-seconds 30-seconds

2 3 4

802.1X Process

If any user plugs into a phone, 802.1X is now totally dependent on how their supplicant is configured to operate By default, Microsoft Windows supplicants do not send EAPOLStarts; you will want to know why 802.1X works when you plug into a switch, and why it doesn’t work when you plug into a phone!
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

82

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Recommended 802.1X and Voice Solution — Multi-Domain-Auth
Switch ports to authenticate the PC and the IP phone separately Switch port is an voice port (aka Aux-VLAN port) Supports 1X functionality
On Voice-VLAN as well as Data-VLAN

Supports MAB functionality
On Voice-VLAN as well as Data-VLAN IP Phones without 802.1X capability require MAC Authentication Bypass (MAB) support

The solution is extensible in order to support the planned launch of 802.1X supplicant capability on Cisco IP phones
As well as any 3rd Party IP Phones with 802.1X capability

The solution supports both static as well as dynamic configuration on IP phones (for VVID)

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

83

Solution for Non-Cisco IP Phones
No Supplicant on Phone
1
802.1X enabled port with MAB and voice capability RADIUS server

2 4

3

Switch

Authorized link

5 1 2 3 4 Phone sends untagged DHCP blocked by switch

Data VLAN VP state-machine is in blocking state and Voice VLAN VP state-machine is in ask state

802.1X times out (phone not allowed to communicate to the network yet) Switch initiates MAB Access-Request on behalf of the phone Switch receives Access-Accept & information that the device is an IP phone. Portforwarding is allowed on either VLAN.

5

Non-Cisco phone continues to send traffic which is now allowed on the PVID as a result of authenticating the MAC-Address. Phone then reboots onto VVID normally.

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

84

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X and Cisco IP Telephony
802.1X supplicant on Cisco IP Phones
EAP-MD5 supported on Models 7906 / 7911 / 7931 / 7941 / 7961 / 7970 / 7971 Phone load 8.2(1) December 2006
For Your Reference

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

85

Example
Any combination of 802.1X and MAB for phone Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, AAA-Fail-VLAN for PC

Switch#sh dot1x int g1/0/1 details Dot1x Info for GigabitEthernet8/0/1 ----------------------------------PAE = AUTHENTICATOR PortControl = AUTO ControlDirection = Both HostMode = MULTI_DOMAIN ReAuthentication = Disabled QuietPeriod = 60 ServerTimeout = 30 SuppTimeout = 30 ReAuthPeriod = 3600 (Locally configured) ReAuthMax = 2 MaxReq = 2 TxPeriod = 30 RateLimitPeriod = 0 Mac-Auth-Bypass = Enabled (EAP) Inactivity = None Guest-VLAN = 401 Dot1x Authenticator Client List ------------------------------Domain = DATA Supplicant Auth SM State Auth BEND SM Stat Port Status Authentication Method Authorized By VLAN Policy Domain Supplicant Auth SM State Auth BEND SM Stat Port Status Authentication Method Authorized By VLAN Policy = = = = = = = = = = = = = = = 1222.c0a8.0102 AUTHENTICATED IDLE AUTHORIZED Dot1x Authentication Server 100 VOICE 000f.8fb7.16a0 AUTHENTICATED IDLE AUTHORIZED MAB Authentication Server N/A

PC authenticated by 802.1X

Phone authenticated by MAB

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

86

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Considerations
Authentication and Endpoint Considerations 802.1X and Microsoft Windows Authorization Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability IP Telephony Other Considerations

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

87

Pre eXecution Boot Environment: PXE
Very common way to image new machines and reimage existing machines; i.e. “F12 - Network Boot” Assumes IP connectivity and happens before OS loads
Uses DHCP extensions and TFTP to download boot image typically No 802.1X supplicant therefore no connectivity

LAN workarounds at this time are MAB or Guest VLAN
Challenge is to initiate MAB or Guest VLAN access before the PXE firmware times out PXE firmware per spec should timeout in 60 seconds. Some PXE firmware has been observed to expire in as little as five seconds—lots of testing required to verify the solution Advanced Management Technology (AMT) from Intel can authenticate the device before the PXE BIOS
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

88

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Wake on LAN (WOL)
There is a feature that enables support of WOL on the switches Issue: With MAB or Guest VLAN configured
The device goes to sleep and drops link. This link drop will restart the 802.1X state machine. If the PC doesn’t respond, MAB/Guest VLAN handling will be triggered and the device will potentially get placed on a new VLAN If placed in a new VLAN the WOL magic packet to wake the machine will be sent to the original 802.1X auth VLAN

Workaround
Make sure all managed assets are in a MAC address database and assign the device to the same VLAN with MAB

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

89

MAC Address Database
Can be created from existing tools
Asset/Inventory Database

Can be created by doing log analysis
Don’t enable 802.1X supplicant Permit all MAC addresses to create logs Analyze logs to create the MAC address database

Can be created using tools that detect and profile
Detects Devices through passive monitoring Profiles/Classifies the device through passive profiling

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

90

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Monitoring and Troubleshoting

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

91

Identity Networking Monitoring and Trouble Shooting
Major components to Identity Networking monitoring
RADIUS accounting NAD logs RADIUS logs NAD CLI SNMP on NAD

Major components of Identity Networking Troubleshooting
Correlated log reports ACS View Third party log analysis and reporting SNMP on NAP NAD CLI

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

92

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with RADIUS Accounting
Supplicant
1 2

Authenticate

802.1X Process
2

RADIUS Process

EAPOL-Success

Access-Accept

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

93

802.1X with RADIUS Accounting
Supplicant
1 2

Authenticate

802.1X Process
2 3 4

RADIUS Process

EAPOL-Success

Access-Accept Accounting Request Accounting Response

Accounting-request packets Contains one or more AV pairs to report various events and related information to the RADIUS server Tracking user-level events are used in the same mechanism
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

94

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X with RADIUS Accounting
Similar to other accounting and tracking mechanisms that already exist using RADIUS
Can now be done through 802.1X

Increases network session awareness Provide information into a management infrastructure about who logs in, session duration, support basic billing usage reporting, etc. Provides a means to map the information of authenticated
Identity, Port, MAC, Switch
=

Identity

IP

IP, Port, MAC, Switch

Switch + Port = Location

IOS aaa accounting dot1x default start-stop group radius
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

95

Cisco Secure ACS View
Turnkey appliance Capable of managing large volumes of Cisco Secure ACS data. Generate historical reports and monitoring real-time data sent from ACS servers. Collects and correlates data from multiple Cisco Secure ACS servers and logs. Provides sophisticated reporting, alerting and troubleshooting functions for Cisco Secure ACS deployments. Currently for ACS 4.2 only.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

96

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Reports
Cisco Secure ACS View provides pre-defined reports and supports custom queries on-demand or on a scheduled basis. ACS View reports include:
• Authentication Reports • Session Reports • Device Administration Reports • ACS Configuration Reports • ACS Administration Reports

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

97

Alerts
Cisco Secure ACS View Supports the Following User-Defined Alerts: Failed (or passed) authentications over a specified length of time for a user, user group, ACS server, etc. Authentication inactivity over a specified length of time for a user, user group, ACS server, network access device, network device group, etc. Specific TACACS+ command execution for a user, user group, network access device or network device group Specific ACS server administration operations on specified ACS servers

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

98

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

ACS View

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

99

Simple Homegrown Tools

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

100

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Troubleshooting: Identify Points of Failure
It is important to understand the failure point in the picture It is important to understand which issue causes what failures In most case, description of the issue symptom can be vague or misleading and you must correlate separate pieces of information for problem resolution.

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

101

ACS Problem — Certificate Trust Issues
One of the most common issues seen in deployment Indicates that the CA certificate is not installed and trusted on the supplicant

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

102

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X Port Config
ID-3560#show run int fa0/1 Building configuration... Current configuration : 217 bytes ! interface FastEthernet0/1 switchport access vlan 20 switchport mode access switchport voice vlan 99 dot1x mac-auth-bypass dot1x pae authenticator dot1x port-control auto dot1x host-mode multi-domain dot1x timeout tx-period 15 dot1x critical dot1x critical recovery action initialize dot1x auth-fail vlan 50 dot1x critical vlan 50 spanning-tree portfast End
ID-3560#show dot1x int fa0/1 details Dot1x Info for FastEthernet0/1 ----------------------------------PAE = AUTHENTICATOR PortControl = AUTO ControlDirection = Both HostMode = MULTI_DOMAIN ReAuthentication = Enabled QuietPeriod = 60 ServerTimeout = 30 SuppTimeout = 30 ReAuthPeriod = 3600 (Locally configured) ReAuthMax = 2 MaxReq = 2 TxPeriod = 15 RateLimitPeriod = 0 Dot1x Authenticator Client List ------------------------------Domain = DATA Supplicant = 000d.60fc.9c38 Auth SM State = AUTHENTICATED Auth BEND SM State = IDLE Port Status ReAuthPeriod ReAuthAction TimeToNextReauth Authentication Method Posture Authorized By Vlan Policy = = = = = = = = AUTHORIZED 3600 Reauthenticate 1333 Dot1x Healthy Authentication Server 10

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

103

802.1X Authorization Failure 1
In case that network authorization is NOT ENABLED on a NAD ACS Message Type: Authen Successful AFC: There is no AFC associated with this error since authentication succeeds User Experience: Balloon message “Windows cannot connect you to the network (contact your network administrator)”
Following CLI is missing aaa authorization network default group radius

VLAN assignment succeeds but assigns port to VLAN 0 Session Timeout (Radius Attribute 27) is not assigned to port Reauthentication timer value Consequently there is no VLAN 0, therefore default port VLAN is used for authorization, and if there is no DHCP setup for this VLAN then client can’t obtain IP address. Also Reauthentication Timer becomes 0. This means that there will be no reauthentication.
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

104

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X Authorization Failure 1
Feb 27 15:55:16.659: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 000d.60fc.9c38 Feb 27 15:55:16.668: dot1x-ev:dot1x_vlan_assign_authc_success called on interface FastEthernet0/1 Feb 27 15:55:16.676: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface FastEthernet0/1 Feb 27 15:55:16.676: dot1x-ev:dot1x_switch_supplicant_add: Adding 000d.60fc.9c38 on FastEthernet0/1 in vlan 1, domain is DATA Feb 27 15:55:16.676: dot1x-ev:dot1x_switch_addr_add: Added MAC 000d.60fc.9c38 to vlan 1 on interface FastEthernet0/1

ID-3560#show dot1x int fa0/1 d -- skipped -Dot1x Authenticator Client List ------------------------------Domain Supplicant Auth SM State Auth BEND SM State Port Status ReAuthPeriod ReAuthAction TimeToNextReauth Authentication Method Authorized By Vlan Policy = DATA = 000d.60fc.9c38 = AUTHENTICATED = IDLE = AUTHORIZED = 0 = 0 = Dot1x = Authentication Server = N/A VLAN is not assigned although switch receives 64, 65, and 81 = Terminate State machine shows that port is authorized State machine shows that supplicant is authenticated

Attr. 27 will not overwrite the default, rather switch sets it to 0

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

105

802.1X Authorization Failure 2
• • • • In case that invalid Radius attribute is sent via Radius Access-Accept ACS Message Type: Authen Successful AFC: There is no AFC associated with this error since authentication succeeds User Experience: Balloon message “Windows cannot connect you to the network (contact your network administrator)” Radius Access-Accept with invalid Radius Attribute 81 is sent Basic rule is that 81 attribute needs to be either “string” or “integer”. If String, it needs to match the VLAN name that exists on switch. If Integer then it needs match the VLAN ID that exists on switch

Passed Authentication reports authentication is successful Authorization failure on switch is NEVER reported back to ACS.
Feb 27 16:39:40.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up Feb 27 16:39:41.477: %DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN wrong_vlan to dot1x port FastEthernet0/1 Feb 27 16:39:41.930: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

106

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

802.1X Authorization Failure 2
This is very difficult to troubleshoot since ACS reports successful authentication but user fails authentication and gets upset . Only way to troubleshoot is to use syslog message, if switch console and debug command is not a choice
Console log message
Feb 27 16:39:40.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up Feb 27 16:39:41.477: %DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN wrong_vlan to dot1x port FastEthernet0/1 Feb 27 16:39:41.930: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

Message to Syslog Server

THIS SYSLOG IS ONLY AVAILABLE on 12.2 (44) SE or later version of Cat2K, 3K IOS. For other platform, debug output is required. (verified with Cat3560 12.2 (44)SE)
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

107

Invalid Radius Secret
Radius secret is either invalid (wrong with the one configured on ACS) or corrupted ACS Message Type: Bad request from NAS AFC: Invalid message authenticator in EAP request Others: Very common during deployment phase. The secret key is invalid on switch configuration or on ACS, or configuration section is corrupted
RDS 02/28/2008 11:45:40 D 7523 2420 0x0 NAS: 10.1.200.2:28166:250 Cleaning lookup entry. RDS 02/28/2008 11:45:43 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table. RDS 02/28/2008 11:45:43 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645 RDS 02/28/2008 11:45:43 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring RDS 02/28/2008 11:45:43 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry. RDS 02/28/2008 11:45:48 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table. RDS 02/28/2008 11:45:48 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645 RDS 02/28/2008 11:45:48 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring RDS 02/28/2008 11:45:48 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry. RDS 02/28/2008 11:45:53 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table. RDS 02/28/2008 11:45:53 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645 RDS 02/28/2008 11:45:53 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring RDS 02/28/2008 11:45:53 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry. RDS 02/28/2008 11:45:57 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table. RDS 02/28/2008 11:45:57 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645 RDS 02/28/2008 11:45:57 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring RDS 02/28/2008 11:45:57 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry.

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

108

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Looking Forward

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

109

Authentication — Today
Static ordering of authentication methods • Static fallback on timeout and failure

EAP EAP Guest VLAN Failed Auth VLAN

X

802.1X timeout/failure

EAP

802.1X times out

MAB

X

MAB Access Reject

URL

Web Auth

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

110

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Future — Flexible Authentication (FlexAuth)
Flexible ordering of authentication methods Flexible fallback of timeout and failure methods

EAP

EAP EAP EAP

X

802.1X failure/timeout

MAB

X

MAB Access Reject

URL

Web Auth

Cat6K IOS (Fall’08) Interface gigabitEthernet 1/0/1 authentication fallback dot1x mab webauth authentication timeout dot1x mab webauth

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

111

Open Mode
For Each 802.1x Switch Port, the Switch Creates TWO Virtual Access Points at Each Port
The Controlled Port Is Now Wide Open when any Device Connects to the Port!

Any EAPOL

Controlled Uncontrolled

Any EAPOL

UncontrolledUncontrolled Port Provides a Path for a Path for Port continues to provides Extensible Authentication Protocol over LAN over AND (EAPOL) Traffic Extensible Authentication Protocol(EAPOL)LANCDP Traffic ONLY
Interface gigabitEthernet 1/0/1 authentication open
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

112

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Open Mode
• • No checking between “open” and any control mechanism used to control access. Policy Enforcement Techniques to control pre-auth and duringauth access ACLs VLANs

interface fastethernet 1/0/1 access-group default_policy in ip access-list extended default_policy 10 permit udp dhcpc any any 20 permit udp dns any any 30 permit udp any any eq tftp 30 deny ip any any

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

113

Device Movement/Host Replacement
EAPOL-Logoff enables Device movement for 802.1X devices behind IP Phones MAB still restrict devices to a single port when authenticated behind IP phones. CDP Notification allows device movement and host replacement on links that include IP phones for all authentication methods CatOS 8.7(1), Cat6k IOS 12.2(33)XSI “Summer ’08” Phone firmware – 8.(4)1 Phone Models supported
7911,7906, 7940, 7941, 7960, 7961, 7970,7971, 7945, 7965, 7975,7931 (check release notes for final list)
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

114

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Authentication with IPT: CDP Notification
1
Port Already Authenticated

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

115

Authentication with IPT: CDP Notification

2

PC Leaves

X
3

X
CDP Notification Transmitted

If an end-user disconnects, an IP phone transmits a CDP frame to the switch Two basic functions needed from phone
Monitor the second port status Send CDP Second Port Status TLV

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

116

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Authentication with IPT: CDP Notification


4
New Authenticated Session

The switch is given an explicit notification of the end of service This closes the current security hole, and promotes subsequent mobility

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

117

Improved Logging/Monitoring
Improved Logs for authentication and authorization events (auth success/failure, etc.) Standardized attributes in RADIUS accounting Extensions to IEEE-PAE MIB (per mac address reauthentication)

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

118

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Downloadable ACLs
Centralized ACL configuration for switches Implemented as a Port ACL
Currently requires an interface ACL to be applied
Client Authentication Process ACS

1 2

802.1X/MAB Authentication RADIUS authorizes port with dACL

3
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

dACL downloaded from ACS

119

URL Redirect
Client

Authentication Process

RADIUS

1 2 3

802.1X/MAB Authentication RADIUS authorizes port with URL redirect User Initiates Web Connection

4
Switch Port Redirects to Web Page

Requires HTTP on the switch Mainly used for custom notification at this time Future integration with other Cisco products
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Web Page

Does not “authenticate” via the web native to the switch

120

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

MAB Inactivity
Cat 3k Now/Cat6K IOS (Fall’08) Interface gigabitethernet 1/0/1 dot1x mac-auth-bypass timeout inactivity 3600

1

MAB Device Disconnects

X

No traffic detected from PC

MAB Authenticated Device Disconnects, but link does not go down because of a hub, IPT device, etc. Switch does not detect traffic from mac address for x amount of time and Switch disconnects the session

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

121

Multi-Auth Host Mode
Cat6K IOS (Fall’08) Interface GigabitEthernet 1/0/1 authentication host-mode multi-auth

*

Client 1 Authentication Client 2 Authentication

Works with FlexAuth (802.1X, MAB, Web Auth) VMware support No support for guest VLAN and failed auth VLAN Limited to ACLs for authorization for each data domain device
* Remember switches discard EAPOL by default
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

122

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Deployment Case Study

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

123

Identity Networking Deployment Case Study
Retailer required to only allow their assets to connect to the network due to lack of physical security Selected 802.1X as the technical solution after evaluation Primarily an MSFT desktop and server environment; small group of MAC OSX for designers Approximately 14,000 ports at home office and remote stores Cisco IP Telephony environment Pervasive Wireless environment
BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

124

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Case Study (Cont.)
Selected Machine Authentication only for wired and wireless Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible) Manually provisioned non AD devices if possible Failed authentication VLAN and unknown MAC addresses assigned to “guest” VLAN on wired only at home office; no “guest” VLAN at remote sites No guest WLAN access IAB used for AAA failures for remote office survivability Multiple Supplicants; tried to leverage native OS supplicant

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

125

Identity Networking Deployment Case Study (Cont.)
Lab Work
IP Telephony handled by CDP exceptions PXE tested and handled via MAB Tested “Guest VLAN” backhaul and Proxy for AUP

No Wake On LAN Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket Bought 3rd party tool to build MAC address database Extended SIM for reporting Decided on access layer only deployment since data center had physical security
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

126

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Identity Networking Deployment Methodology
Conducted POC with Network/Desktop Operations Pre-production pilot with all of IT
Monitored Failed Authentications/Unknown MACs via group reports to monitor for supplicant configurations issues and unknown devices Ran trend reports on IPT and PXE support calls to judge impact

Deployed supplicant configuration/credentials before switches Deployed “Internet” VLAN with appropriate backhaul to Internet Edge Deployed 802.1X in “monitor” mode on a per building basis
802.1X, MAB, Unknown MAB, Failed VLAN all went to default port VLAN Continued Trend reporting for other services

Deployed 802.1X “guest enforcement”
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

127

Recommended Reading
Network Security Architectures Network Security Fundamentals Network Security Principles and Practices Cisco Access Control Security: AAA Administration Services Cisco Wireless LAN Security Cisco Network Admission Control, Vol. I and II

Available Onsite at the Cisco Company Store
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

128

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

129

Summary
Identity Networking improves enterprise security Identity Networking improves enterprise visibility Identity Networking is a platform for other security initiatives, i.e. NAC Keys to success:
Understand your security requirements Understand the Windows boot process Choose the right authorization for your requirements Understand implications of IP Telephony Expend effort up front to identify and plan for impact of 802.1X

Identity Networking Is Deployable Today
BRKSEC-2005 14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

130

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr

Q and A

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

131

BRKSEC-2005 14657_05_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

132

© 2006, Cisco Systems, Inc. All rights reserved. 14657_05_2008_c1.scr