Deploying Wired 802.

1X
BRKSEC-2005

Presentation_ID

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday Visit the World of Solutions Please remember this is a 'non-smoking' venue! Please switch off your mobile phones Please make use of the recycling bins provided Please remember to wear your badge at all times including the Party

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Session Objective
Understand base 802.1X concepts Learn the benefits of deploying 802.1X Learn how to configure and deploy 802.1X Learn lessons on how to make it work when you get back to your lab

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Agenda
802.1X and Wired Access Default Functionality Deployment Considerations Reporting and Monitoring Looking Forward Deployment Case Study

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

What We Wont Be Covering

AAA authentication on routers IPSec authentication In-depth concepts on identity management and single sign-on (upper layer identity) Specific Extensible Authentication Protocol (EAP) methods in depth X.509 certificates and PKI Wireless LAN 802.1X Switch Features that are not consistent across platforms CatOS
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

802.1X and Wired Access

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Why is 802.1X Important in the Campus

Who are you?

802.1X (or supplementary method) authenticates the user

Keep the Outsiders Out

Where can you go?

Based on authentication, user is placed in correct VLAN

Keep the Insiders Honest

Personalize the Network Increase Network Visibility
7

What service level to you receive?

The user can be given per-user services (ACLs today, more to come)

What are you doing?

The users identity and location can be used for tracking and accounting

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Basic Identity Concepts

What is an identity?
an assertion of who we are. allows us to differentiate between one another

What does it look like?

Typical Network Identities include Username / Password

Email: [email protected]
MAC Address: 00-0c-14-a4-9d-33 IP Address: 10.0.1.199

Digital Certificates

How do we use identities?

Used to grant appropriate authorizations rights to services within a given domain
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

What Is Authentication? Authorization?

Authentication is the process of establishing and confirming the identity of a client requesting services Authentication is only useful if used to establish corresponding authorization (e.g. access to a bank account)

Id Like to Withdraw 200.00 Euros Please. Do You Have Identification? Yes, I Do. Here It Is. Thank You. Heres Your Euros.

An Authentication System Is Only as Strong as the Method of Verification Used

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Identity and Authentication Are Important?

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

10

Applying the Authentication Model to the Network

Id Like to Connect to the Network. Identification required Here is my identification Identification verified, access granted!

Identity-Enabled Networking
11

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Default Functionality

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

12

IEEE 802.1X
Standard set by the IEEE 802.1 working group Is a framework designed to address and provide port-based access control using authentication

802.1X is primarily an encapsulation definition for EAP over IEEE 802 mediaEAPOL (EAP over LAN) is the key protocol
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point) Assumes a secure connection

Actual enforcement is via MAC-based filtering and port-state monitoring

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

13

802.1X Port Access Control Model

Identity Store/Management Authenticator
Switch Router WLAN AP MS Active Directory LDAP NDS ODBC

SSC

Layer 3 Layer 2

Request for Service (Connectivity) Supplicant

Desktop/laptop IP phone WLAN AP Switch

Backend Authentication Support

Identity Store Integration

Authentication Server
IAS / NPS ACS Any IETF RADIUS server

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

14

802.1X Protocols

Supplicant
Authenticator
SSC

Authentication Server

Layer 2

Layer 3

EAP

RADIUS

StoreDependent

EAP over LAN (EAPoL)

EAP over WLAN (EAPoW)

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

15

802.1X - Extensible Authentication Protocol (EAP)

Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges

EAP provides a flexible link layer security framework

Simple encapsulation protocol No dependency on IP Few link layer assumptions Can run over any link layer (PPP, 802, etc.) Assumes no reordering Can run over loss full or lossless media

Defined by RFC 3748

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

16

802.1X - RADIUS
RADIUS acts as the transport for EAP from the authenticator to the authentication server RFC for how RADIUS should support EAP between authenticator and authentication serverRFC 3579
IP Header UDP Header RADIUS Header EAP Payload

RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
AV Pairs

IP Header

UDP Header

RADIUS Header

EAP Payload

Usage guideline for 802.1X authenticators use of RADIUS - RFC 3580 AV Pairs : Attribute-Values Pairs.

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

19

A Closer Look: IOS Switch Configuration

802.1X
SSC

Port Unauthorized

Cisco IOS
aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 10.100.100.100 radius-server key cisco123 dot1x system-auth-control interface GigabitEthernet1/0/1 authentication port-control auto dot1x pae authenticator

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

20

A Closer Look:
802.1X
SSC

Port Unauthorized EAPOL-Start EAP-Identity-Request EAP-Identity-Response

EAPMethod Dependent Actual authentication is between client and auth server using EAP. The switch is an EAP conduit, but aware of whats going on

EAP-Auth Exchange

Auth Exchange w/AAA Server Auth Success & Policy Instructions

EAP-Success EAPOL-Logoff

Port Authorized

Port Unauthorized 802.1X RADIUS

21

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Default Security with 802.1X

Before Authentication
interface fastEthernet 3/48 authentication port-control auto

No visibility (yet) Strict Access Control

?
USER

One Physical Port ->Two Virtual ports Uncontrolled port (EAPoL only) Controlled port (everything else)

ALL traffic except EAPoL is dropped

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

24

Default Security with 802.1X

After Authentication
User/Device is Known Identity-based Access Control
Single MAC per port
Looks the same as without 802.1X interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

?
Authenticated User: Sally

Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

25

Default Security: Consequences

Default 802.1x Challenge Devices without supplicants Cant send EAPoL No EAPoL = No Access
interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

Offline

One Physical Port ->Two Virtual ports Uncontrolled port (EAPoL only) Controlled port (everything else)

No EAPoL / No Access

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

26

Default Security: More Consequences

Multiple MACs on Port
Assumed to Be Malicious
Hubs, Gratuitous ARPs, VMWare
interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

VM

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

27

Deployment Considerations

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

28

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

29

Handling Non-802.1X Clients & Guests

Authenticate via less-secure method
MAC Authentication Bypass (MAB) Web Auth (client must have browser)

Give them limited access after timeout and no response

Guest VLAN

Allow WLAN access instead of wired

WLAN is a great way to do guest access if available

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

30

802.1X with Guest VLAN

Client

X X X

EAP-Identity-Request D = 01.80.c2.00.00.03

1 2 3 4

Upon link up 30-seconds 30-seconds 30-seconds

EAP-Identity-Request D = 01.80.c2.00.00.03
EAP-Identity-Request D = 01.80.c2.00.00.03 EAP-Success D = 01.80.c2.00.00.03

Port Deployed into the Guest VLAN

802.1X Process

authentication event no-response action authorize vlan 50

Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the switchs EAP-Request-Identity frames (which can be thought of as 802.1X hellos) No further security or authentication to be applied. Its as if the administrator deconfigured 802.1X (i.e. multi-host), and hard-set the port into the specified VLAN 90 Seconds is greater than MSFT DHCP timeout
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

31

MAC Authentication Bypass (MAB)

Client

X X X ? ?

EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Request (Identity) D = 01.80.c2.00.00.03 EAPOL-Timeout Initiate MAB Learn MAC

Dot1x/MAB 1 2 3 4 5
Upon link up 30-seconds 30-seconds 30-seconds Variable

RADIUS

6 7 8

RADIUS-Access Request RADIUS-Access Accept

00.0a.95.7f.de.06
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Port Enabled

interface GigabitEthernet 1/1 mab

32

MAB Limitations & Challenges

MAB requires creating and maintaining MAC database Default 802.1X timeout = 90 seconds
90 sec > default MSFT DHCP timeout 90 sec > default PXE timeout Current Workaround: Timer tuning (always requires testing) max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting 802.1X Timeout == (max-reauth-req + 1) * tx-period

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

33

NAC Profiler
Query MAC Database After Deploying 802.1X
1) 802.1X times out, switch initiates MAB 2) ACS queries Profiler Database using LDAP 3) Profiler validates MAC address 4) ACS sends MAB success 5) Switch enables port (with optional authorization)
interface range gigE 1/0/1 - 24 switchport access vlan 30 switchport voice vlan 31 authentication port-control auto mab LDAP : 00-18-f8-09-cf-d7 NAC Profiler Server

3
LDAP Success ACS
35

1
00-18-f8-09-cf-d7

RADIUS-Access Request: 00-18-f8-09-cf-d7 RADIUS-Access Accept

2 4

Port Enabled

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

Microsoft AD as MAB Database (DB)

For Your Reference

Can be used as a MAB DB using an user object. The username and password will be the mac address of the device.
Many useless objects

May conflict with complex password policy

Can create a lightweight AD instance for this purpose that can be referred to via LDAP Can use the ieee802Device object class for the MAB data base.
Reduces object count No conflict with complex password policy Windows Server 2003 RC2 and Windows Server 2008

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

36

Web-Based Proxy Authentication

No EAPOL 802.1X Process RADIUS Process

1 2

802.1X Timeouts Client Initiates ConnectionActivates Port Authentication State Machine Switch Port Filters Traffic Limiting It to HTTP, HTTPS, DNS and DHCP

3
Switch Port Relays DHCP Address from DHCP Server User Starts Web Browser and Initiates Web Connection

5
Switch Port Redirects URL and Presents HTTP Form Prompting for Userid/Pwd User Enters CredentialsThey Are Checked Against RADIUS DB via PAPIf Authenticated Then Switch Port Opened for Normal Network Access

7
BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

37

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

41

802.1X Client Without Valid Credential

Authentication Failures
1 2 *EAPOL-Start 3

EAP-Identity-Exchange

RADIUS-Access-Request RADIUS-Access-Request 4

EAP

5 EAP-Data-Request EAP .. Exchange

RADIUS-Reject 6

EAPOL-Failure
X

SSC
802.1X Supplicant (Client) Authenticator (Switch) RADIUS Authentication Server (AAA/ACS)

Port is never granting access

* Note: EAPOL-Starts are optional, possibility of EAP-NAK left out intentionally, and EAP exchange dependent on method.

This works great in preventing rogue access to a network! This is a primary reason Enterprises look to deploy 802.1X/Identity Networking! This is also the problem! (How should we provide access to devices that fail?)

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

42

Why Provide Access to Devices that Fail?

802.1X 802.1X

Certificate Expired!

User Unknown!

Employees credentials expire or entered incorrectly As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default. Many enterprises require guests and failed corporate assets get conditional access to the network.
Re-provision credentials through a web proxy or VPN Tunnel Provide guest access through VLAN assignment or web proxy
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

44

Failed Auth: Solution 1

Auth-Fail-VLAN
RADIUS-Reject EAPOL-Failure EAP-Identity-Exchange RADIUS-Access-Request RADIUS-Access-Request EAP-DataRequest EAP .. Exchange RADIUS-Reject

EAPOLSuccess

SSC
802.1X Supplicant (Client)
Authenticator (Switch)

RADIUS Authentication Server (AAA/ACS)

Port is now granted access

interface GigabitE 3/13 authentication port-control auto authentication event fail action authorize vlan 51

On the third consecutive failure, the port is enabled and an EAPOL-Success is transmitted
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

45

802.1X with Auth-Fail VLAN

Deployment Considerations
1. Supplicant cannot exit the Auth-Fail VLAN
Only alternatives: switch-initiated re-authentication or port bounce

2. No Secondary Authentication Mechanism. 3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization > centralized policy on AAA server is not enforced 4. Switch and AAA server have conflicting views of network

Access Granted
Auth-fail VLAN

Access Denied

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

46

Failed Auth: Solution 2

Flex-auth: Next-method
EAP-Identity-Response RADIUS-Access-Request: EAP RADIUS-Access-Response

EAP-Request

EAP .. Exchange RADIUS-Reject Learn MAC RADIUS-Access-Request: MAC RADIUS-Access-Accept

SSC
802.1X

Authenticator (Switch) RADIUS Authentication Server (AAA/ACS)

interface GigabitE 3/13 authentication port-control auto authentication order dot1x mab mab authentication event fail action next-method

Supplicant (Client)
Port is now granted access based on MAB authorization

On 802.1X failure, the port continues to the next authentication method (MAB)
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

47

802.1X with Next-Method MAB

Deployment Considerations MAC Database required Policy decision: should 802.1X-capable devices get same access level if they authenticate via MAB after failing 802.1X?

MAB-Assigned VLAN

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

48

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

49

The Problem RADIUS Unavailable

1

EAP-Identity-Exchange

RADIUS-Access-Request RADIUS-Access-Request RADIUS-Access-Request

3
EAPOL-Failure

X
Client Switch RADIUS Port is not granting access

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

50

Inaccessible Authentication Bypass

IOS dot1x critical recovery delay 100 radius-server host x.x.x.x test username [username] radius-server dead-criteria 15 tries 3 Interface GigabitEthernet 1/0/1 dot1x critical authentication event server dead action authorize vlan 100 authentication event server alive action reinitialize

Port authorized

EAP-Success/Failure RADIUS Server comes back -> immediate reinitialize 802.1X State Machine

EAP-Identity-Request EAP-Identity-Response EAP-Auth Exchange EAP-Success/Failure

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Auth Exchange w/AAA Server Authentication Successful/Rejected

51

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

52

Flexible Authentication Sequencing (Flex-Auth)

Flex-Auth fallback examples weve already seen:
Configurable behavior after 802.1X failure authentication event failure action authorize vlan X

authentication event failure action next-method

Configurable behavior after 802.1X timeout authentication event no-response action authorize vlan Y

Configurable behavior before & after AAA server dies

authentication event server dead action authorize vlan Z authentication event server alive action reinitialize

Two more features complete Flex-Auth:

authentication order authentication priority
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

53

Flex-Auth Sequencing
Default Order: 802.1X First
By default, the switch attempts most secure auth method first.

Flex-Auth Order: MAB First

Alternative order does MAB on first packet from device

802.1X
802.1X Timeout

MAB
MAB fails

Timeout can mean significant delay before MAB.

MAB
MAB fails

802.1X
802.1X Timeout

Guest VLAN

Guest VLAN

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

54

Flex-Auth Order with Flex-Auth Priority

Default Priority: 802.1X ignored after successful MAB

MAB
MAB fails

Port Authorized by MAB

EAPoL-Start Received

MAB passes

802.1X

Flex-Auth Priority: 802.1X starts despite successful MAB

Priority determines which method can preempt other methods.

By default, method sequence determines priority (first method has highest priority).
If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

55

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

56

802.1X & IPT: A Special Case

Voice Ports With Voice Ports, a port can belong to two VLANs, while still allowing the separation of voice/data traffic while enabling you to configure 802.1X An access port able to handle two VLANs
Native or Port VLAN Identifier (PVID) / Authenticated by 802.1X Auxiliary or Voice VLAN Identifier (VVID) / Authenticated by CDP

Hardware set to dot1q trunk

Tagged 802.1q

Untagged 802.3

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

57

802.1X and Voice:

Multi-Domain Authentication (MDA)
IEEE 802.1X MDA

Single device per port

Single device per domain per port

Phone authenticates in Voice Domain, tags traffic in VVID

802.1q

Voice
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X

Catalyst 3750 SERIES

SYST RPS MASTR STAT DUPLX SPEED STACK MODE
1X 1 3

2 2X 16X 18X 32X 34X 48X

Data PC authenticates in Data Domain, untagged traffic in PVID

Two Domains Per Port

MDA replaces CDP Bypass Supports Cisco & 3rd Party Phones

3K: 12.2(35)SEE 4K: 12.2(37)SG 6K: 12.2(33)SXI

Phones and PCs use 802.1X or MAB

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

60

MDA for Any IP Phone

interface GigE 1/0/5 authentication host-mode multi-domain authentication port-control auto dot1x pae authenticator mab

No Supplicant on Phone

CDP EAP

1 2

SSC

3 Access-Request: Phone MAC

6 1) 2) 3) 4) 5)

EAP

Access-Accept: Phone VSA 4

Phone learns VVID from CDP (Cisco phone) 802.1X times out Switch initiates MAB ACS returns Access-Accept with Phone VSA. Phone traffic allowed on either VLAN until it sends tagged packet, then only voice VLAN 6) (Asynchronous) PC authenticates using 802.1X or MAB PC traffic allowed on data VLAN only
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

61

MDA in Action
Phone authenticated by MAB PC Authenticated by 802.1X

Either 802.1X or MAB for phone Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for PC
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved.

ID-6500a#sho authentication session int g 7/1 Interface: GigabitEthernet7/1 MAC Address: 000f.2322.d9a2 IP Address: 10.6.110.2 User-Name: 00-0F-23-22-D9-A2 Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Posture Token: Unknown Authorized By: Authentication Server Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A0000000102124450 Acct Session ID: 0x00000007 Handle: 0x1D000001 --snip-Interface: GigabitEthernet7/1 MAC Address: 000d.60fc.8bf5 IP Address: 10.6.80.2 User-Name: host/beta-supp Status: Authz Success Domain: DATA Oper host mode: multi-domain Oper control dir: both Posture Token: Healthy Authorized By: Authentication Server Vlan Policy: 80 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A000000020213FF9C Acct Session ID: 0x00000008 Handle: 0x6E000002 Runnable methods list: Method State dot1x Authc Success mab Not run
Cisco Public

62

IPT & 802.1X: The Link-State Problem

1) Legitimate users cause security violation
Port authorized for 0011.2233.4455 only
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

A
S:0011.2233.4455

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

B
S:6677.8899.AABB

Security Violation

2) Hackers can spoof MAC to gain access without authenticating

A
S:0011.2233.4455
S:0011.2233.4455

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

Security Hole

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

65

Previous Solution: Proxy EAPoL-Logoff

Domain = DATA Supplicant = 0011.2233.4455 Port Status = AUTHORIZED Authentication Method = Dot1x

SSC
MODE

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK

1X

2 2X 16X 18X 32X 34X 48X

Only for 802.1X devices behind phone

Requires: Logoff-capable Phones

Caveats:

PC-A Unplugs
Domain Port Status = DATA = UNAUTHORIZED

Session cleared immediately by proxy EAPoL-Logoff

EAPol-Logoff
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

PC-B Plugs In

Domain = DATA Supplicant = 6677.8899.AABB Port Status = AUTHORIZED Authentication Method = Dot1x
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

B
BRKSEC-2005

SSC
SYST RPS MASTR STAT DUPLX SPEED STACK MODE
1X 2X 16X 18X 32X 34X 48X

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

66

Previous Solution: MAB Inactivity Timeout

Domain = DATA Supplicant = 0011.2233.4455 Port Status = AUTHORIZED Authentication Method = MAB

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

interface GigE 1/0/5 switchport mode access switchport access vlan 2 switchport voice vlan 12 authentication host-mode multi-domain authentication port-control auto authentication timer inactivity 300 mab

Device Unplugs
Domain = DATA Supplicant = 0011.2233.4455 Port Status = AUTHORIZED Authentication Method = MAB

Vulnerable to security violation and/or hole

Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

Caveats: Quiet devices may have to reauth; network access denied until re-auth completes. Still a window of vulnerability.

2 2X 16X 18X 32X 34X 48X

Inactivity Timer Expires

Domain Port Status

= DATA = UNAUTHORIZED

Session cleared. Vulnerability closed.

MODE

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK

1X

3K:12.2(35)SE 4K: 12.2(50)SG 6K: 12.2(33)SXI

2 2X 16X 18X 32X 34X 48X

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

67

NEW Solution: CDP 2nd Port Notification

Domain = DATA Supplicant = 0011.2233.4455 Port Status = AUTHORIZED Authentication Method = MAB
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

Link status msg addresses root cause

4

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

Device A Unplugs Domain Port Status

Phone sends link down TLV to switch. CDP Link Down
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

Session cleared immediately.

= DATA = UNAUTHORIZED

Works for MAB and 802.1X

2 4 48X

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2X

16X 18X

32X 34X

Nothing to configure

Device B Plugs In Domain = DATA Supplicant = 6677.8899.AABB Port Status = AUTHORIZED Authentication Method = Dot1x

SSC
Catalyst 3750 SERIES
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 15X 17X 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 31X 33X 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 47X 1 3

SYST RPS MASTR STAT DUPLX SPEED STACK MODE

1X

2 2X 16X 18X 32X 34X 48X

IP Phone: 8.4(1) 3K: 12.2(50)SE 4K: 12.2(50)SG 6K: 12.2(33)SXI

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

68

Modifying Default Security with 802.1X

Multi-Auth Mode
Multiple MACs on Port Each MAC authenticated
802.1X or MAB

interface fastEthernet 3/48 authentication port-control auto authentication host-mode multi-auth

VM

No VLAN Assignment Supported Superset of MDA with multiple Data Devices per port
Cisco Public

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

71

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

73

Authorization
Authorization is the embodiment of the ability to enforce policies on identities Typically policies are applied using a group methodologyallows for easier manageability The goal is to take the notion of group management and policies into the network Types of Authorization:
Default: Closed until authenticated.

Dynamic: VLAN assignment, ACL assignment

Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

74

Changing the Default Authorization:

Open Access
Open Mode (No Restrictions)

Authentication Performed No Access Control

interface GigabitE 3/13 authentication port-control auto authentication open mab

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

75

Open Access Application 1: Monitor Mode

Monitor the network, see whos on, address future connectivity problems by installing supplicants and credentials, creating MAB database

TO DO Before implementing access control: Confirm that all these should be on network Install supplicants on X, Y, Z clients Upgrade credentials on failed 802.1X clients Update MAC database with failed MABs

RADIUS accounting logs provide visibility: Passed/Failed 802.1X/EAP attempts List of valid 802.1X capable List of non-802.1X capable Passed/Failed MAB attempts List of Valid MACs List of Invalid or unknown MACs
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

76

Open Mode Application 2:

Selectively Open Mode
Selectively Open Access

Open Mode (Pinhole)

On Specific TCP/UDP Ports

interface GigabitE 3/13 authentication port-control auto authentication open ip access-group UNAUTH in

Restrict to Specific Addresses

EAP Allowed (Controlled Port) Download general-access ACL upon authentication

Pinhole explicit tcp/udp ports to allow desired access Block General Access Until Successful 802.1X, MAB or WebAuth

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

77

Open Mode with Dynamic ACLs

ACS/AAA

Wired Ethernet End Points

Catalyst 6500 802.1X Ethernet Port EAP
DHCP DNS

DHCP DNS

10.100.10.116

PXE Server

10.100.10.117

EAP
DHCP ANY DNS ANY (After Authentication) (Before Authentication) Switch#show tcam interface g1/13 acl in ip permit permit ip tcp host any 10.100.60.200 any established any match-any permit udp tcp any any established eq bootps match-any permit udp any any hosteq 10.100.10.116 bootps eq domain permit udp any host 10.100.10.116 10.100.10.117 eq domain tftp deny permit ip udp any any any host 10.100.10.117 eq tftp deny ip any any

PXE IP: 10.100.60.200

PXE
Slide Source: Ken Hook

interface range gigE 1/0/1 - 24 switchport access vlan 30 switchport voice vlan 31 ip access-group UNAUTH in authentication host-mode multi-domain authentication open authentication port-control auto mab

ip access-list extended UNAUTH permit tcp any any established permit udp any any eq bootps permit udp any host 10.100.10.116 eq domain permit udp any host 10.100.10.117 eq tftp
Sample Open Mode Configs

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

78

Dynamic Authorization:
VLAN Assignment Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication VLANs assigned by nameallows for more flexible VLAN management Tunnel attributes used to send back VLAN configuration information to authenticator Tunnel attributes are defined by RFC 2868 Usage for VLANs is specified in the 802.1X standard

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

79

802.1X with VLAN Assignment

AV Pairs UsedAll Are IETF Standard
[64] Tunnel-typeVLAN (13) [65] Tunnel-medium-type802 (6) [81] Tunnel-private-group-ID<VLAN name>

Marketing

aaa authorization network default group radius

VLAN name must match switch configuration Mismatch results in authentication failure
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

80

URL Redirect
Client Authentication Process RADIUS

1 2

802.1X/MAC Authentication RADIUS authorizes port with URL redirect User Initiates Web Connection

4
Switch Port Redirects to Web Page

Requires HTTP on the switch Mainly used for custom notification at this time Future integration with other Cisco products
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Web Page

Does not authenticate via the web native to the switch

82

Authorization Recommendations
All Authorization (VLAN, dACL, etc.) is completely optional Only use it if you have to separate users due to a business requirement Most enterprises do not have this requirement for known users Leave the port in its default VLAN or assign the VLAN during machine authentication if possible

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

83

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

84

802.1X Authentication Database

Where is the single source of authentication credentials for the enterprise? Do you have to build new or extend trust between databases? Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases EAP Method may have requirements of the Authentication Database. For example, if MS-CHAPv2 is required for password authentication.

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

85

Supplicant Considerations
Microsoft Windows
User and machine authentication DHCP request time out Machine authentication restriction Default methods: MD5, PEAP, EAP-TLS

Unix/Linux considerations
Open source: xsupplicant Project (University of Utah)

Available from http://www.open1x.org

Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Native Apple supplicant support in OS X 10.3

802.1X is turned off by default! Default parametersTTLS, LEAP, PEAP, MD5, FAST supported Support for airport and wired interfaces In 10.5 Single sign on (SSO) can be accomplished for system or user. Not both at the same time
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

86

Cisco Secure Services Client (SSC)

Introduces features over and above the native supplicants
EAP types
Secure Services Client

Features
Robust Profile Management Support for industry standards Endpoint integrity Single sign-on capable Enabling of group policies

PEAP, TLS, FAST, etc.

Management Interfaces Automatic VPN initiation

Administrative control

Windows XP, 2003, Vista

Benefits
Simple, secure device connectivity Minimizes chances of network compromise from infected devices Reduces complexity

SSC

Restricts unauthorized network access

Centralized provisioning

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

87

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

88

Windows Boot Cycle Overview

Kernel Loading Windows HAL Loading Device Driver Loading Power On Inherent Assumption of Network Connectivity Certificate Auto Enrollment Time Synchronization Dynamic DNS Update GINA Kerberos Auth (User Account)

X X X X X X X
Obtain Network Address (Static, DHCP)

Determine Site and DC (DNS, LDAP)

Establish Secure Channel to AD (LDAP, SMB) Kerberos Authentication (Machine Account)

Earliest Network Connectivity with User Auth Only User GPOs Loading (Async) GPO based Logon Script Execution (SMB) GPO based Startup Script Execution Computer GPOs Loading (Async)

Components that depend on network connectivity

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Components broken with 802.1X user authentication only

89

Problem 1: Microsoft Issues with DHCP

DHCP Is a Parallel Event, Independent of 802.1X Authentication With wired interfaces a successful 802.1X authentication does not force an DHCP address discovery (no mediaconnect signal) DHCP starts once interface comes up If 802.1X authentication takes too long, DHCP may time out
802.1X AuthVariable Timeout

DHCPTimeout at 62 Seconds
DHCP

Power Up Load NDIS Drivers

Setup Secure Channel to DC

Present GINA (Ctrl-Alt-Del) Login

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

90

Problem 2: Machine GPOs Broken

What Is a Group Policy? Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computer within an Active Directory environment Types of Group Policy
Registry-based policy Security options Software installation and maintenance options Scripts options Folder redirection options
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

91

The Solution: Machine Authentication

What is machine authentication?
The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session

What is it used for?

Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies

Why do we care?
Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP & machine-based group policy model UNLESS the machine can authenticate using its own identity in 802.1X

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

92

802.1X VLAN Assignment

Problem 1: DHCP Renewal
When using dynamic VLAN assignment with user & machine authentication, the hosts VLAN can change when user logs in.
IP address may need to change also

Supplicant behavior has been addressed by Microsoft

Windows XP: install service pack 1a + KB 826942 Windows 2000: install service pack 4 Needed for VLAN assignment with Wireless Zero Config

Updated supplicants trigger DHCP IP address renewal

Successful authentication causes client to ping default gateway (three times) with a sub-second timeout Lack of echo reply will trigger a DHCP IP renew Successful echo reply will leave IP as is Prerenewal ping prevents lost connections when subnet stays the same but client may be WLAN roaming

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

95

DHCP and 802.1X

Windows XP: Install Service Pack 1a + KB 826942 Windows 2000: Install Service Pack 4
Supplicant Authenticator

For Your Reference

Authentication Server

Login Req. Send Credentials Accept ICMP Echo (x3) for Default GW from Old IP as Soon as EAP-Success Frame Is Rcvd DHCP-Request (D=255.255.255.255) (After Pings Have Gone Unanswered) DHCP-Discover (D=255.255.255.255) Forward Credentials to ACS Server Auth Successful (EAPSuccess) VLAN Assignment

DHCP-NAK (Wrong Subnet)

At This Point, DHCP Proceeds Normally

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

96

Problem 2: Real Boot Sequence & VLAN Assignment

GINA Certificate Auto Enrollment Time Synchronization Dynamic DNS Update GINA Kernel Loading Windows HAL Loading Device Driver Loading Power On

802.1X Machine Auth

X X X X X X

Fast Logon Optimization

802.1X User Auth

Obtain Network Address (Static, DHCP) Determine Site and DC (DNS, LDAP) Establish Secure Channel to AD (LDAP, SMB)

Kerberos Auth (User Account) User GPOs Loading (Async) GPO based Logon Script Execution (SMB) GPO based Startup Script Execution Computer GPOs Loading (Async)

Kerberos Authentication (Machine Account)

Machine VLAN

User VLAN Components that are in race condition with 802.1X Auth
97

Start of 802.1X auth may vary among supplicants

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Problem 3 : VLAN Assignment and GPOs

Kernel Loading Windows HAL Loading Device Driver Loading Power On 802.1X Machine Auth

VLAN1 10.1.1.1

Certificate Auto Enrollment Time Synchronization Dynamic DNS Update GINA

VLAN2 99.1.1.1

802.1X User Auth

Obtain Network Address (Static, DHCP) Determine Site and DC (DNS, LDAP) Establish Secure Channel to AD (LDAP, SMB)

Kerberos Auth (User Account) User GPOs Loading (Async) GPO based Logon Script Execution (SMB)

Kerberos Authentication (Machine Account)

GPO based Startup Script Execution Computer GPOs Loading (Async)

Start of 802.1X auth may vary among supplicants Components that are in race condition with 802.1X Auth

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

98

Vista SP1/Windows 2008 and XP SP3

If the supplicants fail 802.1X authentication once the supplicant goes down for twenty minutes before it tries again
Vista SP1/Windows 2008 - KB957931 http://support.microsoft.com/kb/957931
XP SP3 KB coming soon

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

99

802.1X and Windows

Recommendations
Machine Authentication is mandatory for managed environments Consider machine authentication only
Manage auth behavior on XP SP2/2000 via registry keys http://support.microsoft.com/kb/309448/en-us http://www.microsoft.com/technet/network/wifi/wififaq.mspx Manage XP SP3/Vista Supplicant through XML http://support.microsoft.com/kb/929847

Use the automatic provisioning built into AD if possible

Machines are provisioned automatically with a machine password Can have certificates automatically provisioned via AD GPOs

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

100

VLANs and Windows: Recommendations

When using Dynamic VLANs:
Disable Fast Logon Optimization Use the same VLAN for machine and user authorization

VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)

Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on L3 switch is limited. ACL per port can be assigned by RADIUS server per group.

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

101

802.1X Deployment Considerations

Non-802.1X Clients & Guests Failed Access Handling RADIUS Availability Flexible Authentication Sequencing Multiple Devices Per Port Authorization Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

102

Remote Desktop
XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode which results in a machine auth.

Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.
If machine authentication and user authentication result in the same VLAN then there are no problems If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off. SSC on XP provides the above solution

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

103

Pre eXecution Boot Environment (PXE) Default Security Impact

PXE BIOS needs network access within 60 seconds of link-up to download bootable OS Most PXE implementations do not support 802.1X. No 802.1X = No network access = No OS download.

One Physical Port ->Two Virtual ports

Uncontrolled port (EAPoL only) Controlled port (everything else)

PXE BIOS

interface fastEthernet 3/48 authentication port-control auto

ALL traffic except EAPoL is dropped

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

105

PXE Solution 1
MAC Authentication Bypass (MAB) *
Client

Dot1x/MAB

RADIUS

EAPOL-Request (Identity) DHCP Discover 1 DHCP Discover 2

Upon link up

X X
10-seconds

X X ?

EAPOL-Request (Identity) DHCP Discover 3

X
10-seconds 10-seconds Variable Port Enabled RADIUS-Access Request: 00.0a.95.7f.de.06 RADIUS-Access Accept

EAPOL-Request (Identity) EAPOL-Timeout Initiate MAB Learn MAC

DHCP Discover 4

PXE Continues

PXE BIOS
00.0a.95.7f.de.06

* - exact packet sequence will vary

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

interface GigabitE 3/13 authentication port-control auto dot1x timeout tx-period 10 mab
106

PXE Solution 2:
Open Mode with Interface ACL
Selectively Open Access
interface GigabitE 3/13 authentication port-control auto authentication open ip access-group UNAUTH in

Open Mode (Pinhole)

On Specific TCP/UDP Ports for PXE Restrict to Specific Addresses

EAP Allowed (Controlled Port) Download general-access ACL upon authentication

Pinhole explicit tcp/udp ports to allow desired access

PXE BIOS

Block General Access Until Successful MAB

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

107

Wake On LAN (WOL) and 802.1X

Selectively Open Access Outbound
Default - Block Outbound Traffic Until Successful 802.1X/MAB

802.1X controls port traffic in BOTH directions Use WOL support on switch to allow outbound (from switch) traffic to wake up device

Allow outbound traffic

WOL Capable Device

interface GigabitE 3/13 authentication port-control auto authentication control-direction in

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

108

Intel Advanced Management Technology (AMT) - PXE and WoL Solution

After Authentication
AMT has a supplicant on the NIC AMT Device is authenticated before PXE BIOS PXE can proceed like 802.1X was never turned enabled AMT Device is authenticated after device goes to sleep Defends IP address of upper layer OS. No more directed broadcasts for WoL Magic packets
interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator

Looks the same as without 802.1X

Authenticated User: AMT

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

110

Monitoring and Troubleshooting

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

111

802.1X Monitoring and Trouble Shooting

Major components to 802.1X monitoring
RADIUS accounting NAD logs

RADIUS logs
NAD CLI SNMP on NAD

Major components of 802.1X Troubleshooting

Correlated log reports ACS View Third party log analysis and reporting

SNMP on NAP
NAD CLI

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

112

802.1X with RADIUS Accounting

Supplicant 2 802.1X Process 1 Authenticate
EAPOL-Success

RADIUS Process

Access-Accept

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

113

802.1X with RADIUS Accounting

Supplicant 2 802.1X Process 1 Authenticate
EAPOL-Success

RADIUS Process

Access-Accept Accounting Request Accounting Response

3
4

Accounting-request packets Contains one or more AV pairs to report various events and related information to the RADIUS server

Tracking user-level events are used in the same mechanism

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

114

802.1X with RADIUS Accounting

Similar to other accounting and tracking mechanisms that already exist using RADIUS
Can now be done through 802.1X

Increases network session awareness

Provide information into a management infrastructure about who logs in, session duration, support basic billing usage reporting, etc.

Provides a means to map the information of authenticated

Identity, Port, MAC, Switch = IP, Port, MAC, Switch Identity IP Switch + Port = Location

IOS aaa accounting dot1x default start-stop group radius

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

115

Troubleshooting:
Identify Points of Failure
It is important to understand the failure point in the picture It is important to understand which issue causes what failures In most case, description of the issue symptom can be vague or misleading and you must correlate separate pieces of information for problem resolution.

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

116

ACS View 5.0 RADIUS Authentication

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

117

ACS View 5.0 Authentications Details

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

118

Simple Homegrown Tools

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

119

802.1X Port Config

interface GigabitEthernet7/1 switchport switchport mode access switchport voice vlan 110 ip access-group default_acl in authentication event fail action next-method authentication host-mode multi-domain authentication open authentication priority dot1x mab authentication port-control auto authentication violation restrict mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 spanning-tree portfast edge

ID-6500a#sho authentication session interface gigabitEthernet 7/1 Interface: GigabitEthernet7/1 MAC Address: 000f.2322.d9a2 IP Address: 10.6.110.2 User-Name: 00-0F-23-22-D9-A2 Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Posture Token: Unknown Authorized By: Authentication Server Session timeout: N/A Idle timeout: N/A Common Session ID: 0A00645A00000007000E37CC Acct Session ID: 0x00000009 Handle: 0x0E000007 Runnable methods list: Method State dot1x Failed over mab Authc Success ---------------------------------------Interface: GigabitEthernet7/1 MAC Address: IP Address: User-Name: Status: Domain: Oper host mode: Oper control dir: Posture Token: Authorized By: Vlan Policy: Session timeout: Idle timeout: Common Session ID: Acct Session ID: Handle: 000d.60fc.8bf5 10.6.50.2 nac\darrimil Authz Success DATA multi-domain both Healthy Authentication Server 50 N/A N/A 0A00645A0000000D0030B498 0x00000011 0x1500000D

For Your Reference

Runnable methods list: Method State dot1x Authc Success mab Not run
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

120

EAP Problem
Certificate Trust Issues
One of the most common issues seen in deployment and pilots
ACS 4.2

ACS 5.0
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

121

802.1X Authorization Failure 1

In case that network authorization is NOT ENABLED on a NAD ACS Message Type: Authentication Successful Authentication Failure Reason (AFR): There is no AFR associated with this error since authentication succeeds User Experience: Balloon message Windows cannot connect you to the network (contact your network administrator)
Following CLI is missing aaa authorization network default group radius

VLAN assignment succeeds but assigns port to VLAN 0

Session Timeout (Radius Attribute 27) is not assigned to port Reauthentication timer value
Consequently there is no VLAN 0, therefore default port VLAN is used for authorization, and if there is no DHCP setup for this VLAN then client cant obtain IP address. Also Reauthentication Timer becomes 0. This means that there will be no reauthentication. Supplicant might try to re-DHCP if its cant get an IP address
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

122

802.1X Authorization Failure 1

ID-6500a#debug condition interface GigabitEthernet 7/1 ----------------New feature ID-6500a#debug auth feature vlan_assign event

Auth Feature vlan_assign events debugging is on *Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0 *Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
ID-6500a#sho authentication sess interface g 7/1 Interface: GigabitEthernet7/1 MAC Address: IP Address: User-Name: Status: Domain: Oper host mode: Oper control dir: Authorized By: Vlan Policy: Session timeout: Idle timeout: Common Session ID: Acct Session ID: Handle:
BRKSEC-2005

000d.60fc.8bf5 10.6.50.2 nac\darrimil Authz Success DATA multi-domain both Authentication Server N/A N/A N/A 0A00645A0000000E005DD8A8 0x00000013 0xF900000E
Cisco Public

2009 Cisco Systems, Inc. All rights reserved.

123

802.1X Authorization Failure 2

In case that invalid Radius attribute is sent via Radius Access-Accept ACS Message Type: Authen Successful AFR: There is no AFR associated with this error since authentication succeeds User Experience: Balloon message Windows cannot connect you to the network (contact your network administrator) Radius Access-Accept with invalid Radius Attribute 81 is sent Basic rule is that 81 attribute needs to be either string or integer. If String, it needs to match the VLAN name that exists on switch. If Integer then it needs match the VLAN ID that exists on switch Passed Authentication reports authentication is successful Authorization failure on switch is NEVER reported back to ACS.
*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1 *Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

124

802.1X Authorization Failure 3

In case that invalid Radius attribute is sent via Radius Access-Accept ACS Message Type: Authen Successful AFR: There is no AFR associated with this error since authentication succeeds User Experience: Balloon message Windows cannot connect you to the network (contact your network administrator) For the Downloadable ACL feature is used there must be a interface ACL applied to the interface.

Passed Authentication reports authentication is successful Authorization failure on switch is NEVER reported back to ACS.
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1 *Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1 *Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY *Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST *Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS *Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured *Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT *Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

125

Looking Forward

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

126

Overview of Cisco TrustSec

Cisco TrustSec (CTS) affects multiple areas of the network and comprises of improvements in the following areas:
1 2

Confidentiality & Integrity Centralized Role Based Access Control (RBAC) Policy Administration Identification, Authentication and Authorization for all networked entities, and classification into topology independent security groups

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

127

User 1 has access to both servers

SGACL Enforcement (1)

4 SGACL 1 Server 1

User 1

7
User 2

Server 2
2 9 SGACL

RBACLs
Source Destination

4
User 3

S1+S2 S1 S2
Cisco ACS

7 9

External Directory Server

1. Security Group Tag is applied on ingress switch port 2. Roles/Attribute-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, )
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

130

User 1 has access to both servers User 2 has access to Server 1

SGACL Enforcement (2)

4 SGACL 1 Server 1

User 1

7
User 2

Server 2
2 9 SGACL

RBACLs

SGT
4
User 3

DGT
S1+S2 S1 S2
Cisco ACS

7 9

External Directory Server

1. Security Group Tag is applied on ingress switch port 2. Roles/Attribute-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, )
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

131

SGACL Enforcement (3)

4

User 1 has access to both servers User 2 has access to Server 1 User 3 access to Server 1 denied

User 1

1 SGACL

Server 1

Access Denied to User 3

7
User 2

Server 2
2 9 SGACL

RBACLs

SGT
4
User 3

DGT
S1+S2 S1 S2
Cisco ACS

7 9

External Directory Server

1. Security Group Tag is applied on ingress switch port 2. Role-based ACL policies is applied on security group tags (permit, deny, log, police, remark, span, redirect, )
BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

132

Customer Case Study

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

133

802.1X Deployment Case Study 1

Retailer required to only allow their assets to connect to the network due to lack of physical security Selected 802.1X as the technical solution after evaluation

Primarily an MSFT desktop and server environment; small group of MAC OSX for designers
Approximately 14,000 ports at home office and remote stores Cisco IP Telephony environment Pervasive Wireless environment

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

134

802.1X Deployment Case Study 1 (Cont)

Selected Machine Authentication only for wired and wireless Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible) Manually provisioned non AD devices if possible Failed authentication VLAN and unknown MAC addresses assigned to guest VLAN on wired only at home office; no guest VLAN at remote sites No guest WLAN access IAB used for AAA failures for remote office survivability Multiple Supplicants; try to leverage native OS supplicant if possible

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

135

802.1X Deployment Case Study 1 (Cont)

Lab Work
IP Telephony handled by CDP exceptions PXE tested and handled via MAB

Tested Guest VLAN backhaul and Proxy for AUP

No Wake On LAN Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket Bought 3rd party tool to build MAC address database Extended SIM for reporting

Decided on access layer only deployment since data center had physical security

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

136

802.1X Deployment Case Study 1 Methodology

Conducted POC with Network/Desktop Operations Pre-production pilot with all of IT
Monitored Failed Authentications/Unknown MACs via group reports to monitor for supplicant configurations issues and unknown devices Ran trend reports on IPT and PXE support calls to judge impact

Deployed supplicant configuration/credentials before switches

Deployed Internet VLAN with appropriate backhaul to Internet Edge

Deployed 802.1X in monitor mode on a per building basis
802.1X, MAB, Unknown MAB, Failed VLAN all went to default port VLAN Continued Trend reporting for other services

Deployed 802.1X guest enforcement

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

137

Case Study 2: 802.1X Implementation

802.1X facts and figures
4000 devices with 802.1x supplicant (Windows XP, SP2) 0 devices with MAB 96% dedicated PC, 4% shared PC for internet access 7500 ports with 802.1x activated 2 ACS Appliances for RADIUS 20 AD/Radius groups 650 VLANs

100 Meeting rooms with wired only Guest VLAN

More Information: CCS-1001 802.1X Case Study

BRKSEC-2005 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

138

Case Study 2: MBDA Group Structure

EADS BAE SYSTEMS FINMECCANICA

37.5%

37.5%

25%

MBDA
100% 100% 100% 100

MBDA DEUTSCHLAND

MBDA France

MBDA UK

MBDA ITALIA

Integrated organisation

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

139

Summary
802.1X improves enterprise security 802.1X improves enterprise visibility 802.1X is a platform for other security initiatives Supplicants are important 802.1X is deployable now New features have significantly simplified deployment 802.1X is not only a network project, it affects the whole IT organization

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

140

Q&A

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

141

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Dont forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
144

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

BRKSEC-2005

2009 Cisco Systems, Inc. All rights reserved.

Cisco Public

145