Professional Documents
Culture Documents
1X and
More
BRKSEC-2691
Hariprasad Holla
Technical Marketing Engineer, Cisco
#clmel
Secure Access Sessions
BRKSEC-2690 - Deploying Security Group Tags
- 105, Wednesday 18 Mar 1:00 PM - 2:30 PM by Kevin Regan - Product Manager, Cisco
BRKSEC-2044 - Building an Enterprise Access Control Architecure Using ISE and TrustSec
- 207, Thursday 19 Mar 8:30 AM - 10:30 AM by Imran Bashir - Technical Marketing Engineer, Cisco
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Short History of Identity Services
In the Dark Ages, Then we had MAB, We now have new way of
there was only Web Authentication, doing Identity based
IEEE 802.1X Auth-Fail VLAN, Guest access, with features like
VLAN, Flex-Auth, Critical ACL, Concurrent
Deployment Modes Authentication, Templates,
and other features and more.
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
4
Agenda
• Identity networking
• IBNS 2.0
• IBNS 2.0 Features
• Troubleshooting IBNS 2.0
• Additional things to know
• Conclusion
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
5
Identity Networking
Fundamentals of 802.1X
Identity Netw ork
Ethernet Router Services Policy
Sw itch Engine Server
Wireless Access Access Free
Controller Point Control RADIUS
Server
Open
Window s Apple OSX LDAP
Native Native Active Directory
Authentication Identity
Supplicant Authenticator Server Store
802.1X RADIUS
Ethernet / WLAN IP / Layer 3
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
7
Fundamentals of 802.1X
Authentication Identity
Supplicant Authenticator Server Store
Credentials
(Certificate / Password / Token)
802.1X RADIUS
Ethernet / WLAN IP / Layer 3
EAP
Authentication Identity
Supplicant Authenticator Server Store
802.1X RADIUS
IP / Layer 3
Port-Authorised
EAP EAP
802.1X RADIUS
EAP: EAP-SUCCESS
RADIUS: ACCESS-ACCEPT
[+Authorization Attributes ]
Port-Unauthorised
(If authentication fails)
802.1X
Authentication
Authenticator Server
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
10
Authorisation Options
Beyond ACCESS-ACCEPTs and ACCESS-REJECTs
EMPLOYEE VLAN
EMPLOYEE (5)
Security Group Tag (SGT) SGT
SGT, SXP Transport | SGACL, SGFW Enforcement
(More on SGTs: BRKSEC-2690, BRKSEC-3690)
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
11
Three Proven Deployment Modes
.1X
Failures
.1X-Pass
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
14
Low Impact Mode Closed Mode
Pre-Auth and Post-Auth Access controlled by IP ACLs No access prior authentication, Specific access on Auth-success
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
15
Configuration You Should Care About
IBNS 1.0
or
IBNS 2.0
Configurations
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public * Currently only on 3650 and 3850 platforms
16
Identity Configurations aaa new-model Global AAA
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
!
dot1x system-auth-control
!
radius server ise
address ipv4 172.20.254.201 auth-port 1645 acct-port 1646
key cisco
interface GigabitEthernet1/0/1
switchport access vlan 100 IBNS 1.0 class-map type control subscriber match-all DOT1X IBNS 2.0
match method dot1x
switchport mode access class-map type control subscriber match-all MAB
authentication control-direction in match method mab
authentication event fail action authorize vlan 100 ....
authentication event server dead action authorize vlan 100 !
authentication event no-response action authorize vlan 100 policy-map type control subscriber POLICY_Gi1/0/1
authentication open event session-started match-all
authentication order dot1x mab 10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
authentication priority dot1x mab -Or- ....
authentication port-control auto !
authentication periodic template ACCESS-PORT
authentication timer reauthenticate server ....
authentication timer inactivity server dynamic access-session port-control auto
authentication violation restrict service-policy type control subscriber POLICY_Gi1/0/1
mab ....
dot1x pae authenticator !
dot1x timeout tx-period 5 interface GigabitEthernet1/0/1
spanning-tree portfast source template ACCESS-PORT
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
17
IBNS 2.0
Motivations for IBNS 2.0
RADIUS Server RADIUS Servers
Critical ACL Differentiated Authentication
Need for a feature to locally activate an IP ACL Switch should send authentication requests to
during RADIUS Server outage specific RADIUS servers for specific methods
Need more flexibility in moving between the Per port configurations grow making it difficult to
authorisations for various authentication methods manage system configurations. Cant ‘write’ at times
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
19
IBNS 2.0
RADIUS
Authenticator Server
RADIUS
MAB
LAN
VLAN SGT
dACL
Authorisations
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
20
From 15.2(1)E / 03.05.00E
IBNS 2.0 C3850/C3650 FCS
15.2(1)SY on C6500
Any Authentication with Any Authorisation on Any media 03.06.00E on Sup8E
Authentication
Access Session
Manager
Manager
Parameter Service
Class-maps Templates RADIUS
Map VLAN VLAN
802.1X
Authenticator Server
MAB
dACL dACL
802.1X
VLAN
Policy-map (Identity Control Policy) Authentication
SGT SGT
Manager RADIUS
WebAuth
Interface Template(s) dACL MAB
LAN
Modular Configurations SGT
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
21
Global AAA & RADIUS
IBNS 1.0 Configurations Configurations
switchport
...
dot1x pae
authentication
switchport auth host-mode switchport
... auth port-control ...
dot1x pae auth event fail dot1x pae
authentication auth event server authentication
auth host-mode auth periodic auth host-mode
switchport auth port-control ... auth port-control switchport
... auth event fail auth event fail ...
dot1x pae auth event server auth event server dot1x pae
authentication auth periodic Interface Config auth periodic authentication
auth host-mode ... ... auth host-mode
auth port-control auth port-control
auth event fail auth event fail
auth event server Interface Config Interface Config auth event server
auth periodic auth periodic
... ...
EVENT
CLASS
ACTION
Access VLAN Defined under
ACTIVATE
Voice VLAN ‘class-map’
Access Control List EVENT
CLASS command
Service Template ACTION
Defined under
Identity Control Policy ‘policy-map’ command
Configured with
‘service-template’ Policy applied with
‘service-policy’ command
command switchport...
service-policy...
access-session...
Configured with
Interface Template ‘template’ command
Event Class
Event Class
Action Action
IDENTITY CONTROL POLICY
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
24
Templates
Dynamic Configuration Done the Right Way
Configuration by Reference:
• Service Templates
– will be dynamically assigned to a session Gi1/0/1 User Port
– can be locally defined -or-
– downloaded via RADIUS
Gi1/0/2 User Port
• Interface Templates
– Cure for the Configuration Bloat
Gi1/0/3 User Port
– Generic tool, not restricted to Session / Identity
– Like Port Profiles on NX-OS
Gi1/0/4 Access Point
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
25
Service Template Example
Using a Critical Auth Example switch(config)#service-template CRITICAL
switch(config-service-template)#?
service-template configuration commands:
service-template CRITICAL absolute-timer Absolute timeout value in seconds
description allow all traffic access-group Access list to be applied
access-group PERMIT-IPV4-ANY description Enter a description
access-group PERMIT-IPV6-ANY exit Exit identity policy configuration submode
! inactivity-timer Inactivity timeout value in seconds
interface-template Interface template to be applied
linksec Configure link security parameters
no Negate a command or set its defaults
redirect Redirect clients to a particular location
Example service-policy Configure service policy
sgt SGT tag
and tag tag name
tunnel tunnel for wired client access
Available vlan Vlan to be applied
Commands voice
<cr>
Voice feature
• Can also be defined on the RADIUS server and downloaded dynamically as needed per
authorisation or during CoA (ISE 1.2 Feature)
• Used as one of the Actions per Control-Policy or as part of the RADIUS Authorisation (AV Pair)
• Templates via AAA can contain arbitrary AV Pairs
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
26
Applying a Template
• Similar to Applying a Port ACL via filter-id
RADIUS
Switch
• Can also be
triggered via
Access-Request
RADIUS CoA
EAPoL
username=jdoe
• Service-Templates
activation can be a
local Control Policy
Enforce
Access-Accept
AV-Pair “subscriber:service-
action
• If it doesn’t exist, it
name=TEMPLATE”
ACS
the switch
template […]
• Interface-template Configuration
mab
access-session port-control […] • Per-Interface Configuration
service-policy type control subscriber […]
Parameter Service
Class-maps Templates RADIUS
Map VLAN VLAN
802.1X
Authenticator Server
MAB
dACL dACL
802.1X
VLAN
Policy-map (Identity Control Policy) Authentication
SGT SGT
Manager RADIUS
WebAuth
Interface Template(s) dACL MAB
LAN
Modular Configurations SGT
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
37
Critical ACL
Scenarios today with Low Impact Mode:
Before Authentication Authentication Success AAA Server Unreachable
PRE-AUTH-ACL PRE-AUTH-ACL + dACL PRE-AUTH-ACL
Infra Servers Infra Servers Infra Servers
(DHCP, DNS) Permit ip host
(DHCP, DNS) (DHCP, DNS)
- 10.1.1.1 any
Permit any Permit any Permit any
DHCP DHCP DHCP
Permit any DNS RADIUS Permit any DNS RADIUS Permit any DNS RADIUS
Deny any any Serv er Deny any any Serv er Deny any any Serv er
Before authentication success, the On authentication success, the The endpoint may be authorised to a
endpoint has limited access to the RADIUS server authorises the critical VLAN, but the PRE-AUTH-
network resources, defined by the endpoint with a dACL (permit ip any ACL on the port would still block the
PRE-AUTH-ACL on the port any) granting full access access during AAA outage*
* Critical authorisation wont apply to endpoints that were authorised by AAA server when it was reachable
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
38
Critical ACL
Configuration Example
activate service-template
Do
AAA-DOWN All
authorise port
authentication-failure Match
First Terminate 1X & MAB
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
39
Critical ACL
Configuration Example
service-template CRITICAL
Event Class Action access-group CRITICAL-V4
access-group CRITICAL-V6
!
!
session-started always authenticate via 802.1X
policy-map type control subscriber DOT1X
event session-started match-all
10 class always do-until-failure
violation always restrict 10 authenticate using dot1x
event violation match-all
agent-found always authenticate via 802.1X 10 class always do-all
10 restrict
activate service-template event agent-found match-all
10 class always do-all
10 authenticate using dot1x
AAA-DOWN Do
All
authorise port event authentication-failure match-first
10 class AAA-DOWN do-all
authentication-failure Match
First Terminate 1X & MAB 10 activate service-template CRITICAL
20 authorize
1X-FAIL authenticate via MAB 30 terminate dot1x
40 terminate mab
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
20 class 1X-FAIL do-all
40 10 authenticate using mab
username 000c293c8dca password 0 000c293c8dca
EAP RADIUS
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
42
Differentiated Authentication
Authenticate different methods with different Servers
aaa group server radius mab-servers
ISE server name ise01
!
aaa group server radius 1x-servers
server name ise02
!
aaa authentication dot1x 1x-servers group 1x-servers
aaa authentication dot1x mab-servers group mab-servers
.1x Gi1/0/1
!
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
!
NAC radius server ise02
address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
key xxxxxx
!
radius server ise01
address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
key xxxxxx
IPv6 Identity*
With Identity-Policy, both IPv4 & IPv6 endpoints can be securely on-boarded in a consistent manor
! interface GigabitEthernet1/0/1
ipv6 snooping policy v6-snoop switchport access vlan 100
trusted-port switchport mode access
! access-session port-control auto
vlan configuration 100-180 ipv6 traffic-filter IPV6-PRE-AUTH-ACL in
ipv6 nd suppress dot1x pae authenticator
ipv6 snooping spanning-tree portfast
! service-policy type control subscriber ACCESS-POL
interface TenGig1/1/1 !
description *** Uplink *** service-template CRITICAL
[ ... ] description allow all traffic
ipv6 snooping attach-policy v6-snoop access-group PERMIT-IPV4-ANY
! access-group PERMIT-IPV6-ANY
!
Enable IPv6 Device Tracking IPv6 Pre-auth-acl limits IPv6 traffic prior to authentication
Make Identity Policy IPv6 aware Same identity control policy apply for both IPv4 & IPv6 clients
Note: Define which VLANs to apply and also trust the Service-template provisions for IPv6 ACL for Post-Auth /
uplink port Critical authorisation purposes.
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
45
Low-Impact Mode with Per-User-ACL Currently Supported only on Cisco
Catalyst 3650 and 3850 Switches
User-Name: employee1@ibns.lab
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: AC14FE6500000FAD029BD96A
Switch interface GigabitEthernet1/0/1 Acct Session ID: 0x00000FA3
switchport access vlan 100 Handle: 0x5F000002
switchport mode access Current Policy: POLICY_Gi1/0/1
authentication host-mode multi-auth
Server Policies:
authentication open Per-User ACL: GigabitEthernet1/0/1#v6#37F2F598
authentication port-control auto : deny ipv6 any host 2001:db8:254::10
ipv6 traffic-filter IPV6-PRE-AUTH-ACL in : permit ipv6 any any
802.1X
mab
MAB
RADIUS
Supplicant Authenticator Server
Switch Switch ACCESS-REQ
ACCESS-ACCEPT
EAPoL device-traffic-class
= switch
...
trunk
switchport mode access
dot1x pae authenticator
authentication port auto
...
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
49
NEAT with Interface Template
NEAT with Macro NEAT with Template
template NEAT
switchport mode trunk
RADIUS RADIUS
Supplicant Authenticator Server Supplicant Authenticator Server
Switch Switch ACCESS-REQ Switch Switch ACCESS-REQ
ACCESS-ACCEPT ACCESS-ACCEPT
EAPoL device-traffic-class EAPoL Interface-template-
= switch name = NEAT
... ...
trunk
switchport mode access switchport mode access
dot1x pae authenticator dot1x pae authenticator
authentication port auto authentication port auto
... ...
Upon successful ‘Supplicant Switch’ authentication, Same output as the ‘Macro based NEAT’, but the
the ‘Authenticator Switch’ applies a built-in Macro to interface running configuration remains intact, while
change the interface (running) configuration from the (runtime) ‘derived configuration’ changes from
access to trunk access to trunk
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
50
NEAT with Interface Template
cisp enable
!
Before SSw Authentication After SSw Authentication
template neat-authz
switchport trunk encapsulation dot1q ASw#show running-config int Gi0/12 ASw#show running-config int Gi0/12
switchport trunk native vlan 254 Building configuration... Building configuration...
switchport mode trunk
Derived configuration : 179 bytes Derived configuration : 179 bytes
! !
interface GigabitEthernet0/12 interface GigabitEthernet0/12
description ** To SSw 0/12 ** description ** To SSw 0/12 **
switchport access vlan 254 switchport access vlan 254
switchport mode access switchport mode access
dot1x pae authenticator dot1x pae authenticator
spanning-tree portfast spanning-tree portfast
! !
ASw#show derived-config int Gi0/12 ASw#show derived-config int Gi0/12
Building configuration... Building configuration...
Server Policies:
ACS ACL: xACSACLx-IP-permit-most-50b5f56e
Template: EMPLOYEE_1 (priority 100) Applied Policies (here: with server
Vlan Group: Vlan: 160
ACS ACL: xACSACLx-IP-permit-most-50b5f56e assigned Template)
Method status list:
Method State
dot1x Authc Success
mab Stopped
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
53
Troubleshooting Control Policy
• (cont.)
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
58
802.1X on Trunk Ports
Requirement: Authenticate Flex Connect AP over trunk
interface and let the AP authenticate the wireless clients.
RADIUS
EAP-SUCCESS
EAP-RESP ACCESS-ACCEPT
ACCESS-REQUEST
Trunk WAN
V100
00.0A.95.7F.DE.06
G1/0/47
Corp LAN
G1/0/1
V200
00.0A.95.7F.DE.06
Since 12.2(53)SE2, only for MAB
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
60
New Access-session Attribute Feature
Send source VLAN on the switchport to RADIUS Server
Switch(config)#access-session attributes filter-list
list custom-name
Switch(config-com-filter-list)#vlan-id
Switch(config-com-filter-list)#exit
Switch(config)#
Switch(config)#access-session authentication
attributes filter-spec include list custom-name
Applies to all authentication methods | System must be in IBNS 2.0 (policy) mode
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
61
RADIUS Probe-on Feature
Without Probe-on
radius server server-01 2000 switches sending periodic probes
address ipv4 10.0.1.1 auth-port 1812 acct-port
1813
= unnecessary overhead on the RADIUS
automate-tester username dummy Server
!
radius-server deadtime 15
radius-server dead-criteria 3 tries Want RADIUS server to be marked
“ALIVE” only when reachable. Do not
Send periodic probes want to disturb clients in critical-auth
even when server is Alive
User=dummy ...
%RADIUS-6-SERVERALIVE: Group radius: Radius
ACCESS-REJECT server 10.0.1.1:1812,1813 is responding again
(previously dead).
%RADIUS-4-RADIUS_ALIVE: RADIUS server
Mark Dead Server 10.0.1.1:1812,1813 is being marked alive.
Alive after ‘deadtime’ ...
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
62
RADIUS Probe-on Feature
Without Probe-on With Probe-on
radius server server-01
address ipv4 10.0.1.1 auth-port 1812 acct-port
2000
radius server switches sending
server-01
address ipv4 10.0.1.1 auth-port 1812 acct-port 1813
1813 periodic
automate-tester probes
username dummy =probe-on
unnecessary
automate-tester username dummy !
! overhead
radius-server deadtime on
15 RADIUS Server
radius-server deadtime 15 radius-server dead-criteria 3 tries
radius-server dead-criteria 3 tries
Want RADIUS server to be
Send periodic probes Send probes only
even when server is Alive whenmarked “ALIVE” only
server is Dead when
reachable. Do not want to
User=dummy User=dummy
disturb clients in critical-auth
%RADIUS-6-SERVERALIVE: Group radius: Radius
ACCESS-REJECT
server 172.20.254.4:1645,1646 is responding
again (previously dead).
Mark Dead Server %RADIUS-4-RADIUS_ALIVE:
Mark Dead Server Alive RADIUS
after server
Alive after ‘deadtime’ 172.20.254.4:1645,1646 is
response to probe packetsbeing marked alive.
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
63
IPDT: Resolving ‘IP Address Conflict’ Issue
RFC-5227 Explains the ARP probe and Duplicate
address detection mechanisms
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
65
Conclusion
Key Takeaways
IBNS 2.0 is flexible and extensible, Create once use many approach
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
67
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a
Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
BRKSEC-2691 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you.