
802.1x Port Based Authentication

Johan Loos

Johan at accessdenied.be
Who?

Independent Information Security Consultant and Trainer


Vulnerability Management and Assessment
Wireless Security
Next-Generation Firewalls
Virtualization Security
MCT, CISSP, ISO 27001 LI/LA, ISO 27005 RM

Port Based Authentication - Johan Loos


Agenda

Understanding 802.1x
802.1x EAP Authentication Methods
PKI Requirements
Understanding Network Policy Server Role
Understanding VLANs
Understanding 802.1x Authentication
Switch Configuration
Relax, It's Demo Time
Things to think about

What we do not cover: IP Phone (Voice), PXE


Understanding 802.1x
What is 802.1x?

Framework designed to provide port-based network access control

Layer-2 security that permits or denies access to the switch port based on the identity of the client
Identity is based on who (or what) we are and is established with:
MAC address
Certificate
Username/password


Why is 802.1x important?

Authenticates devices (and users) before they get access to a switch port

When authentication fails:
No or limited network access
When authentication succeeds:
Access is granted
Access can be further restricted by using (downloadable) access lists


802.1x Benefits

Visibility:
Clients are authenticated, so every active port is tied to an identity
Identity can be used for security audits and forensics
Security:
The strongest authentication method available (certificate based) should be used
Transparency:
No involvement of the end user once the client is configured


802.1x Components

Supplicant
Authenticator
Authentication Server



802.1x EAP Authentication Methods
802.1x EAP Methods
Method             Identification
EAP-TTLS           Any inner authentication, inside a TLS tunnel
EAP-TLS            Certificate
EAP-MSCHAPv2       Password
PEAP-EAP-TLS       TLS tunnel + Certificate
PEAP-MS-CHAPv2     TLS tunnel + Password

Other EAP methods: EAP-MD5, EAP-LEAP, EAP-SIM


EAP-TLS Authentication

No user identity protection: the identity in the EAP-Response/Identity frame and the client certificate are sent before the TLS session is encrypted

Components used:
Active Directory Domain Services
Active Directory Certificate Services
Network Policy Server (RADIUS server)
802.1x capable devices (switches)
Client (Windows XP/Vista/7/8)


EAP-TLS Authentication

Certificate based authentication for users or computers

Provides mutual authentication: the client validates the server certificate and the server validates the client certificate
No dependency on the password of the user
Protected by public key cryptography
Network Policy Server must have a certificate (Server Authentication EKU)
Wired client must have a certificate (Client Authentication EKU)


EAP-TTLS Authentication

Extends TLS by creating a secure tunnel

Encapsulates the inner authentication (EAP or legacy methods such as PAP, CHAP or MS-CHAPv2) in TLS
Inner authentication can be proxied to another RADIUS server
Client does not need a certificate
The TLS phase authenticates only the server; the client is authenticated inside the tunnel
Protection against eavesdropping and man-in-the-middle attacks, provided the client validates the server certificate
Native support from Windows 8 and Windows Server 2012


EAP-MSCHAPv2 Authentication

Password based authentication for users or computers

User or computer account must be a member of the domain
Easier to deploy than a certificate for every client
Provides mutual authentication (the server proves knowledge of the password hash in its response)
Network Policy Server must have a certificate when MSCHAPv2 is tunneled in PEAP, which is how it should be deployed
Wired or wireless clients do not need a certificate


PEAP

Uses TLS to protect the authentication traffic (EAP-MSCHAPv2 or EAP-TLS) between the wired client and the RADIUS server

Does not specify the inner authentication method
Wired client authenticates the RADIUS server by validating its certificate
Protection against packet injection between the wired client and the RADIUS server


PEAP

Fast reconnect (no full re-authentication when the client moves between wireless access points)

Not supported with EAP-MD5
Does not support guest authentication (blank username and password)
Support for smart cards (PEAP-EAP-TLS)

PEAP-EAP-MSCHAPv2


Configure Wired Clients

Wired AutoConfig service (dot3svc) must be running; it is not started by default on Windows clients

Configure 802.1x manually on the network adapter (Authentication tab)
Configure 802.1x via Group Policy (Wired Network (IEEE 802.3) Policies)


Types of Authentication

User or Computer Authentication
When no user is logged on to the computer, authentication is performed with the computer credentials; after logon, with the user credentials
Computer Authentication
Authentication is always performed with the computer credentials only
Guest Authentication
Allows connections to the network that are regulated by the restrictions and permissions set for the guest account


PKI Requirements
Requirements for PKI

Server running Active Directory Certificate Services

NPS must have a certificate
If using EAP-TLS for computers:
Computer certificate for every client
If using EAP-TLS for users:
User certificate for every user account
Certificate can be stored on the workstation or on a smart card
Root CA certificate must be trusted on the NPS servers and the workstations


Requirements for PKI

Certificates must be issued by an enterprise CA

Certificate must have its private key available (and the correct EKU: Server Authentication for NPS, Client Authentication for clients)
CRL or OCSP must be accessible to NPS so it can check revocation of client certificates
All certificates in the chain must be trusted
Configure certificate autoenrollment via Group Policy


Understanding Network Policy Server
Installing the NPS Server Role

Dedicated server or domain controller

Server Manager
Network Policy Server role
Register the server in Active Directory (adds it to the RAS and IAS Servers group so it can read the dial-in properties of accounts)


NPS Server Certificate

Commercial Certification Authority
You need to buy a certificate for each server
Automatically trusted by the clients
Single purpose certificate
Active Directory Certificate Services
Need knowledge of PKI
Automatic enrollment
Single or multi purpose certificate
OpenSSL
Free
Single or multi purpose certificate
Root CA certificate must be placed under Trusted Root Certification Authorities on every client
Self-signed
Free
No trust: every client must be configured to trust that specific certificate


Configure the NPS Server

Add each switch as a RADIUS client

Choose the correct vendor name (selects the vendor-specific attributes NPS can send)
Specify a strong shared secret (long, random, and unique per switch)
Configure a Connection Request Policy
Configure Network Policies
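Why the shared secret matters, as an added example in Python (not from the slides): it builds the RADIUS packet header from RFC 2865, computes and verifies the Response Authenticator the way the switch does for an Access-Accept, and shows the offline dictionary attack on a captured request/response pair that a weak secret allows. The attribute bytes, identifiers, secrets and word list are constructed for the example.

```python
import hashlib
import hmac
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def radius_packet(code, identifier, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes, RFC 2865 section 3."""
    length = 20 + len(attributes)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + authenticator + attributes


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = 20 + len(attributes)
    data = (bytes([code, identifier]) + length.to_bytes(2, "big")
            + request_authenticator + attributes + secret)
    return hashlib.md5(data).digest()


def access_request(identifier, attributes):
    """Switch side: a fresh, unpredictable Request Authenticator for every request."""
    return radius_packet(ACCESS_REQUEST, identifier, secrets.token_bytes(16), attributes)


def access_response(code, request, attributes, secret):
    """NPS side: the response is bound to the request and to the shared secret."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return radius_packet(code, identifier, auth, attributes)


def verify_response(response, request, secret):
    """Switch side: recompute the authenticator with its own copy of the secret.
    An Access-Accept that fails this check is dropped, so a forged Accept (or a
    VLAN attribute altered on the wire) never opens the port."""
    if len(response) < 20:
        return False
    code, identifier = response[0], response[1]
    length = int.from_bytes(response[2:4], "big")
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(response, request, candidates):
    """Offline dictionary attack on one captured request/response pair: the secret is
    the only unknown in the MD5 input, so each candidate costs a single hash."""
    for candidate in candidates:
        if verify_response(response, request, candidate):
            return candidate
    return None


# Constructed sample data: one Tunnel-Private-Group-Id attribute (type 81, tag 1, "20")
VLAN_ATTR = b"\x51\x05\x01" + b"20"
WEAK_SECRET = b"cisco123"
STRONG_SECRET = secrets.token_bytes(32)


def demo():
    request = access_request(7, b"")
    accept_weak = access_response(ACCESS_ACCEPT, request, VLAN_ATTR, WEAK_SECRET)
    accept_strong = access_response(ACCESS_ACCEPT, request, VLAN_ATTR, STRONG_SECRET)
    tampered = accept_weak[:-1] + b"1"          # VLAN "20" changed to "21" in transit
    wordlist = [b"password", b"radius", b"cisco123", b"secret"]
    return {
        "weak_verifies": verify_response(accept_weak, request, WEAK_SECRET),
        "wrong_secret_rejected": verify_response(accept_weak, request, b"other"),
        "tampered_rejected": verify_response(tampered, request, WEAK_SECRET),
        "weak_recovered": guess_secret(accept_weak, request, wordlist),
        "strong_recovered": guess_secret(accept_strong, request, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The same construction applies to Access-Reject and Access-Challenge. Note that only the response is authenticated this way; the request is protected by the Message-Authenticator attribute that EAP over RADIUS requires, which is a separate HMAC-MD5 over the packet with the same secret, so a weak secret exposes both directions.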


Configure NPS Server Logging

Log file (IAS log file format)

SQL Server database
Event Viewer (NPS events are written to the Security log on Windows Server 2008 and later)


Configure Connection Request Policy on NPS

Make sure that the request comes from the switch

Conditions:
NAS IPv4 Address = address of the switch
NAS Port Type = Ethernet


Configure Network Policies on NPS

Configure a strong authentication method (EAP-TLS or PEAP-EAP-TLS rather than passwords)

Make sure that only authorized users and computers have access by using security groups in the conditions




NPS Proxy

Network access servers are configured as RADIUS clients on the RADIUS proxy; the proxy forwards the requests to the RADIUS servers

Provides authentication for users who are not members of the domain (requests are forwarded to another realm)
Processes large numbers of connection requests
Outsourced services


Load Balancing with NPS Proxy

Useful when (PEAP-)EAP-TLS is used, because the TLS handshakes add load

Configure network access servers to send connection requests to multiple NPS servers
Use NPS as an NPS proxy to load balance connection requests
Priority:
Order of importance of the NPS servers in the remote RADIUS server group (lower is higher priority)
Weight:
Share of the connection requests sent to each server of the same priority


Understanding Virtual LANs
Use of Virtual LANs

Reduce the size of the broadcast domain on the network

Layer 2
Access port carries only one VLAN
Trunk port carries multiple VLANs
Route traffic between VLANs using a layer-3 device


Dynamic VLAN Assignment

Feature to place the wired client into a specific VLAN based on its identity

Use Network Policy Server to create a Network Policy that returns the VLAN ID
RADIUS attributes in the Access-Accept:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = IEEE-802
[81] Tunnel-Private-Group-Id = VLAN ID


Dynamic VLAN Assignment

When no VLAN is supplied or 802.1x authentication is disabled, the switch places the wired client into the VLAN configured on the port (the default VLAN)

When incorrect VLAN information is supplied by the RADIUS server and 802.1x authentication is enabled, the switch port is placed into the unauthorized state
Important:
Make sure that the default VLAN on the port is not VLAN 1 or any production VLAN; otherwise a client that is not authenticated can still reach the network
Shut down switch ports when not in use


Dynamic VLAN Assignment

When VLAN information is correctly supplied by the RADIUS server, the switch port is placed in that VLAN

If multi-host mode is enabled on the switch port, all hosts are placed in the same VLAN as the first authenticated host
When re-authentication fails, the switch assigns the switch port to the restricted VLAN (if one is configured; otherwise the port returns to the unauthorized state)


Guest-VLAN

Allows unauthenticated wired clients access to a specific VLAN

When to use:
Client operating system is not supported
No 802.1x client software (supplicant) exists on the wired or wireless client
The switch assigns the guest VLAN when it receives no EAPOL frames from the client


Restricted-VLAN

Allows wired clients that fail authentication to access a specific VLAN

Clients are 802.1x compliant (they do have a supplicant)
When to use:
When the authentication process fails
Certificate on the wired client computer has expired
Invalid password
Limit access to the Internet or to the CA by using ACLs, so the client can renew its certificate without reaching the rest of the network


802.1x Dynamic ACL Assignment

Access Control Lists provide a way to control access to network resources after authentication

Downloadable ACL (the entries are defined on NPS and pushed to the switch per session):
[5000] Cisco-AV-Pair = ip:inacl#201=deny tcp any host 10.32.5.3 eq www
Named ACL via RADIUS attribute (the ACL must already exist on the switch):
[11] Filter-Id = <ACL name>.in (or .out)
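The attributes from the Dynamic VLAN Assignment slides and the ACL attributes above, encoded and decoded in Python as an added example that is not part of the slides. It builds the [64]/[65]/[81] triple and the Cisco-AV-Pair vendor-specific attribute the way they travel in the Access-Accept, parses them back, and models the switch decision (default VLAN, assigned VLAN, or unauthorized). The attribute numbers and values come from RFC 2865, RFC 2868 and RFC 3580; the VLAN id, the ACL entries and the `decide_vlan` model of the switch are constructed assumptions for illustration, not IOS code.

```python
# Attribute types and values from RFC 2865, RFC 2868 and RFC 3580
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE-802 (RFC 2868)
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1              # vendor type of Cisco-AV-Pair inside the VSA


def encode_attr(attr_type, value):
    """Type(1) Length(1) Value: a RADIUS attribute; the value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_tagged_int(attr_type, tag, number):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-byte big-endian integer."""
    return encode_attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def encode_tagged_string(attr_type, tag, text):
    return encode_attr(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment(vlan_id, tag=1):
    """The [64] [65] [81] triple NPS returns in the Access-Accept for a dynamic VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def cisco_av_pair(text):
    """Vendor-Specific (26) carrying Vendor-Id 9 and vendor type 1 (Cisco-AV-Pair)."""
    vsa = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode("ascii")
    return encode_attr(VENDOR_SPECIFIC, CISCO_VENDOR_ID.to_bytes(4, "big") + vsa)


def downloadable_acl(entries):
    """One Cisco-AV-Pair per access list entry, in ip:inacl#<seq>=<ace> form."""
    return b"".join(cisco_av_pair(f"ip:inacl#{seq}={ace}") for seq, ace in entries)


def decode_attrs(data):
    """Walk the attribute list; refuse truncated or mis-sized attributes instead of guessing."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def cisco_av_pairs(attrs):
    """Extract the Cisco-AV-Pair strings from Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID:
            continue
        vsa = value[4:]
        while len(vsa) >= 2:
            vtype, vlen = vsa[0], vsa[1]
            if vlen < 2 or vlen > len(vsa):
                break
            if vtype == CISCO_AV_PAIR:
                pairs.append(vsa[2:vlen].decode("ascii", "replace"))
            vsa = vsa[vlen:]
    return pairs


def _split_tag(value, integer):
    """RFC 2868: the first byte is a tag only when it is 0x00..0x1F (always present for integers)."""
    if integer:
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decide_vlan(attrs, port_default_vlan):
    """Model of the switch decision described on the slides (an assumption, not IOS code):
    no VLAN attributes -> VLAN configured on the port; a consistent VLAN / IEEE-802 /
    numeric group-id triple -> that VLAN; anything else -> None (port unauthorized)."""
    tunnels = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            tag, number = _split_tag(value, integer=True)
            tunnels.setdefault(tag, {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, group = _split_tag(value, integer=False)
            tunnels.setdefault(tag, {})[attr_type] = group
    if not tunnels:
        return port_default_vlan
    for fields in tunnels.values():
        group = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None
```

Tunnel-Private-Group-Id is a string on the wire, which is why a VLAN name instead of a number, or a mismatched Tunnel-Type, ends in the unauthorized state rather than in a guessed VLAN. The Cisco-AV-Pair nesting (attribute 26, then a 4-byte Vendor-Id, then a second type/length pair) is the same layout NPS shows as the vendor-specific attribute with vendor code 9.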


Understanding 802.1x Authentication
802.1x Authentication Process



802.1x Message Exchange



802.1x MAC Authentication Bypass

MAC address is used for authentication; the switch sends it as username and password when the client sends no EAPOL frames

Active Directory database can be used
Create an account whose username and password are both the MAC address
Can be used as a fallback method for devices without a supplicant
A MAC address can be spoofed, so combine MAB with a restrictive VLAN or ACL
When to use:
Printers and similar devices


802.1x Authentication with Port Security

802.1x authenticates the client on the switch port

Port security is used to limit which and how many MAC addresses may use the port
Can be limited to one or more MAC addresses
When the client is authenticated:
Its MAC address is added to the port security list


802.1x Authentication and NAP

Integration between 802.1x and Network Access Protection

First the client is authenticated, then its health state (statement of health) is evaluated


Switch Configuration
802.1x Port State

Port authorization state is controlled with the following interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}
Force-authorized
Disables 802.1x on the port. The port forwards normal traffic without 802.1x authentication of the client (the default)
Force-unauthorized
No connection is possible; the port ignores all authentication attempts
Auto
Only EAPOL frames are allowed until 802.1x authentication succeeds
802.1x Timers

Periodic Re-Authentication
Forces the client to re-authenticate after a configured interval
Quiet Period
Time the switch stays idle before it retries when it could not authenticate the client
Switch-to-Client Retransmission Time
Time the switch waits for a reply before it resends the EAP-Request/Identity frame:
Switch sends EAP-Request/Identity frame
Client answers with EAP-Response/Identity frame


802.1x Switch Configuration

Cisco Catalyst 3560 8 ports PoE



Relax, it's demo time
802.1x Authentication Demo


802.1x Authentication Demo

802.1x Authentication using EAP-TLS

802.1x Authentication using PEAP-EAP-TLS
802.1x Authentication using PEAP-EAP-TLS + VLAN 20
802.1x Authentication using PEAP-EAP-TLS + dynamic ACL (2 methods)


Things to think about
When it goes wrong

Certificate enrollment
Certificate renewal/expiration
Password based authentication
User and machine authentication
RADIUS server not available
Non 802.1x capable endpoints