BRKSEC-2005
Agenda
- Authentication Protocols and Operation: IEEE 802.1X, MAB, Web Auth
- Authorization: five stages of authorization, IP Telephony
- Deployment Scenarios: Monitor Mode, Low Impact Mode, High Security Mode
BRKSEC-2005 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
What Is Authentication?
Authentication is the process of establishing and confirming the identity of a client requesting services
Bank-teller analogy (cartoon): "200.00 Euros please." "Do you have identification?" "Yes, I do. Here it is."
Network version: "Access to the network." "Do you have identification?" "Yes, I do. Here it is."
IEEE 802.1X
- Authentication: utilizing encapsulation via Extensible Authentication Protocol (EAP) over IEEE 802 media
- Port-based: enforcement via MAC-based filtering and port-state monitoring
802.1X components (diagram)
- Supplicant: endpoint client (e.g. SSC)
- Authenticator: switch / WLAN
- Authentication Server: RADIUS server
- Backend Database: AD, LDAP, etc.
Supplicant Considerations
- Microsoft Windows: native supplicant supports TLS, PEAP. Alternatives: AnyConnect 3.0, Secure W2
- Linux: xsupplicant, http://www.open1x.org
- Apple: native supplicant supports TTLS, LEAP, PEAP, MD5, FAST. In 10.5, single sign-on (SSO) can be accomplished for system or user.
- IP Phone: check documentation
Configuration Examples: Supplicants (screenshots for Windows, IP Phone, OS X)
Switch Considerations
IOS Configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.100.100.100
radius-server key cisco123
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator
Configuration Examples: Authentication Servers (screenshots for NPS, ACS)
EAP Method = Authentication Method (What & How)
Common EAP Methods:
Method         | Client Credential
EAP-TLS        | Client certificate
PEAP-MSCHAPv2  | Username / Password
Certificate Authority (CA) is a trusted 3rd party that enables devices to trust each other. (Diagram: server certificate issued by the CA.)
PKI
PEAP (diagram): the server presents a certificate issued by the CA; Alice sends her password (AlicePwd) inside the encrypted tunnel; Alice is authenticated.
EAP-TLS (diagram): the client and the server each present a certificate issued by the CA; the client confirms "this is a trusted server" and the server validates the client certificate; Alice is authenticated.
Client support:
- Windows XP supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS
- 3rd party supplicants support a large variety of EAP types, but not all
Authentication store:
- PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format
EAP (Format / Framework)
- Specifies message format and reliable transport for EAP methods
- Defined by RFC 3748
- Four packets: Request, Response, Success, Failure
- Simple encapsulation protocol that runs over any link layer
The 802.1X protocol stack:
EAP Method | Authentication Method
EAP        | Format / Framework
EAPoL      | L2 Encapsulation
RADIUS     | AAA Protocol
EAPoL (diagram): the supplicant opens the exchange with EAPoL-Start.
RADIUS acts as the transport for EAP from the switch to the RADIUS server (RFC 3579, 3580). RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of Attribute-Value (AV) Pairs.
Authenticator role: get EAP from the supplicant to the authentication server. The switch also enforces policy and controls network access.
802.1X flow (diagram)
Initiation:
- EAPoL Start
- EAP-Request Identity
Authentication:
- EAP-Request: TLS
- EAP-Response: TLS Client Hello
- RADIUS Access-Challenge [AVP: EAP-Request TLS Start]
Authorization:
- EAP Success
- RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
Termination: EAPoL Logoff (diagram)
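The Initiation and Termination frames above, decoded by a small parser written for this page (an added example, not Cisco's code): it handles the EAPoL header (EAP-Packet, EAPOL-Start, EAPOL-Logoff) and the RFC 3748 EAP header with its four codes, and rejects frames whose length fields overrun the buffer. The sample frames are constructed, not captured.

```python
import struct

# EAPoL (IEEE 802.1X) packet types, carried after EtherType 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# The four EAP codes defined by RFC 3748
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types mentioned on this page (Identity, EAP-TLS, PEAP)
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPoL body (the bytes after the Ethernet header) and, when it
    carries an EAP packet, the RFC 3748 header inside it."""
    if len(frame) < 4:
        raise ValueError("EAPoL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:  # the length field must never claim more than is present
        raise ValueError("EAPoL length exceeds frame")
    result = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:
        return result  # EAPOL-Start / EAPOL-Logoff carry no EAP payload
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length invalid")
    result.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type")
        result["method"] = EAP_TYPES.get(body[4], f"type {body[4]}")
        result["data"] = body[5:eap_len]
    return result


# Constructed sample frames (not captures) for the phases in the flow above
EAPOL_START = bytes([0x01, 0x01, 0x00, 0x00])
EAP_REQUEST_IDENTITY = bytes([0x01, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01])
EAP_RESPONSE_IDENTITY = bytes([0x01, 0x00, 0x00, 0x0A, 0x02, 0x01, 0x00, 0x0A, 0x01]) + b"alice"
EAP_SUCCESS = bytes([0x01, 0x00, 0x00, 0x04, 0x03, 0x01, 0x00, 0x04])
EAPOL_LOGOFF = bytes([0x01, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    for f in (EAPOL_START, EAP_REQUEST_IDENTITY, EAP_RESPONSE_IDENTITY, EAP_SUCCESS, EAPOL_LOGOFF):
        print(parse_eapol(f))
```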
802.1X outcome (diagram): managed assets (Employee endpoints running a supplicant such as SSC) pass 802.1X; Guest and Rogue endpoints do not pass 802.1X.
MAB (MAC Authentication Bypass, diagram): the switch learns the endpoint's MAC address (e.g. 00.0a.95.7f.de.06) from any packet and sends it to the RADIUS server (ACS), which looks it up in a MAC database (e.g. LDAP); the returned authorization places the endpoint in, for example, the Printer VLAN or the Contractor VLAN.
MAB timing (diagram: Authenticator and RADIUS Server)
- IEEE 802.1X times out, then MAB starts. 802.1X timeout = (max-reauth-req + 1) * tx-period
- Plus the time until the endpoint sends its first packet after the IEEE 802.1X timeout (Any Packet), then RADIUS Access-Accept
- The timeout must be short enough to prevent timeouts and long enough to allow 802.1X devices to authenticate
FlexAuth (diagram: MAB, MAB fails, then 802.1X):
interface GigabitEthernet1/4
 authentication order mab dot1x
 authentication priority* dot1x mab
Building the MAC database
- Build it: bootstrap methods to gather data, e.g. SNMP, Syslog, Accounting, Monitor Mode
- Buy it: automated device discovery, e.g. ISE. For more info: BRKSEC-2041
Web-Auth (diagram, switch and AAA server): switch queries AAA server; 5) AAA server returns policy; 6) switch applies new ACL policy.
- Web-Auth can be a fallback from 802.1X or MAB
- Web-Auth and Guest VLAN are mutually exclusive
- Web-Auth supports ACL authorization only
- Web-Auth behind an IP Phone requires Multi-Domain Authentication (MDA)
Authentication Summary
- IEEE 802.1X: strong authentication; requires a client
- MAB: supports clientless devices; requires pre-existing database, timing issues
- WebAuth: support for clientless users; limited applications
What Is Authorization?
Authorization is the process of granting a level of access to the network.
Bank-teller analogy (cartoon): "200.00 please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here are your Euros."
Authorization: Pre-Authentication Options
- Default: Closed
- Selectively Open
- Open: switch(config-if)#authentication open
Authorization: Passed 802.1X/MAB Authentication
- Default: Open (diagram: Alice)
Authorization: Failed 802.1X Authentication
- Default: Closed
- Alternatives: Next-method*, Auth-Fail VLAN
Authorization: No 802.1X Authentication (No Client)
- Default: Closed
- Alternatives: Next-method*, Guest VLAN
- switch(config-if)#mab
*Final authorization determined by results of next method
Authorization: No 802.1X/MAB Authentication (AAA Server Dead)
- Default: Closed
- Alternative: Critical VLAN
Multi-Domain Authentication (MDA): Data Domain and Voice Domain on one port
- MDA replaces CDP Bypass
- Supports Cisco & 3rd party phones
- Phones and PCs use 802.1X or MAB
interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain
IP Phone with MAB (diagram): the switch sends EAP-Identity-Request three times, falls back to MAB and learns the phone's MAC.
Benefits:
- No client, no credential needed -> works for all phones
- Enables visibility & access control
- PAP is not process-intensive
- Compatible with other 802.1X features
Deployment Considerations:
- Default 802.1X timeout = 90 seconds latency
- Must create & maintain phone MAC database
- AAA server must be configured to assign phone to voice domain
IP Phone with 802.1X (EAP-TLS) flow (diagram):
- RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
- RADIUS Access-Challenge [AVP: EAP-Request: TLS]
- RADIUS Access-Request [AVP: EAP-Response: TLS]
- RADIUS Access-Challenge [AVP: EAP-Request: TLS Server Hello]
- RADIUS Access-Accept, EAP Success [device-traffic-class=voice]
Benefits:
- Strong authentication with minimal delay
- Can be deployed without touching the phone or creating a database
- Compatible with other 802.1X features
Deployment Considerations:
- Choice of EAP method impacts deployability
- Cisco phones require 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
- AAA server dependency
Phone certificate for EAP-TLS (diagram): MIC or LSC (Manufacturer Installed Certificate or Locally Significant Certificate)
CAPF (Certificate Authority Proxy Function)
1. LSC enrollment via CAPF, set in the Phone Config or a BAT Template: no need to touch the phone; the phone must be on the network when you do this.
2. Works for one-offs, not mass deployments.
Multi-Auth host mode (diagram label: VM):
interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-auth
Authorization Summary (host modes: Single-host, Multi-Domain-Auth, Multi-Auth)
Authentication Status          | Alternative 1
Pre-802.1X                     | Open
Successful 802.1X              | Dynamic VLAN
Failed 802.1X                  | Auth-Fail VLAN
No 802.1X (no client)          | Guest VLAN
Successful MAB                 | Dynamic VLAN
Failed MAB                     | Guest VLAN
No 802.1X, MAB (server down)   | Critical VLAN
Deployment Scenarios
General Principles:
- Start simple
- Start with minimal restrictions
- Evolve as necessary
Monitor Mode
Authentication Without Access Control
Monitor Mode summary table (residue; host mode Multi-Auth): the endpoint categories in the table are All, Employees, Failed Employees, Contractor/Guest, Corporate Asset and Phones; in Monitor Mode no row carries access control.
AAA Server: should be fully configured except for authorization policy:
- Communication with AAA clients (i.e. switches)
- Communication with credential repository (e.g. AD, MAC Database)
- PKI (CA certs, server cert)
- EAP configuration
- MAB configuration
Endpoints: should be fully configured:
- PKI (CA certs, client cert) or other credentials
- Supplicants configured & installed everywhere supported
- Enable machine auth
- Enable user auth if needed
RADIUS accounting attributes collected in Monitor Mode:
- Acct-Status-Type(40), NAS-Port-Type(61), NAS-Port-Id(87), Called-Station-Id(30), Calling-Station-Id(31), Service-Type(6), NAS-IP-Address(4)
- Framed-IP-Address(8), User-Name(1), Acct-Session-Time(46), Acct-Input-Octets(42), Acct-Output-Octets(43), Acct-Input-Packets(47), Acct-Output-Packets(48)
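The accounting records Monitor Mode relies on arrive as RADIUS Accounting-Request packets carrying the attributes listed above. The parser below is an added example written for this page (not Cisco's code and not a RADIUS library's API): it verifies the RFC 2866 Request Authenticator with the shared secret before decoding, so a record from a NAS that does not hold the key, or one altered in transit, is rejected instead of stored. The sample packet is constructed inline; the secret reuses the cisco123 key from the switch configuration earlier on the page.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code; the Request Authenticator rule is from RFC 2866
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 8: "Framed-IP-Address",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 40: "Acct-Status-Type",
         42: "Acct-Input-Octets", 43: "Acct-Output-Octets", 46: "Acct-Session-Time",
         47: "Acct-Input-Packets", 48: "Acct-Output-Packets", 61: "NAS-Port-Type", 87: "NAS-Port-Id"}
INTEGERS = {6, 40, 42, 43, 46, 47, 48, 61}   # 32-bit big-endian values
IPADDRS = {4, 8}                             # 4-octet addresses


def build_accounting_request(ident: int, attrs: list, secret: bytes) -> bytes:
    """Encode attributes as Type/Length/Value and compute the Request Authenticator."""
    body = b""
    for t, v in attrs:
        raw = struct.pack("!I", v) if t in INTEGERS else \
              bytes(int(o) for o in v.split(".")) if t in IPADDRS else v.encode()
        body += bytes([t, len(raw) + 2]) + raw
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(pkt: bytes, secret: bytes) -> dict:
    """Verify the Request Authenticator first; a record that fails the check is
    rejected rather than stored, so a forged or mis-keyed NAS cannot pollute the data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    if hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("Request Authenticator mismatch: wrong shared secret or forged packet")
    out, pos = {}, 20
    while pos < length:
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns packet")
        raw = pkt[pos + 2:pos + alen]
        val = struct.unpack("!I", raw)[0] if t in INTEGERS else \
              ".".join(map(str, raw)) if t in IPADDRS else raw.decode(errors="replace")
        out[ATTRS.get(t, f"attr-{t}")] = val
        pos += alen
    return out


# Constructed sample (not a capture): an Accounting Start record for a MAB session
# (Acct-Status-Type 1 = Start, Service-Type 10 = Call-Check, NAS-Port-Type 15 = Ethernet)
SECRET = b"cisco123"
SAMPLE = build_accounting_request(7, [(40, 1), (1, "00-0a-95-7f-de-06"), (31, "00-0a-95-7f-de-06"),
                                      (4, "10.100.100.1"), (8, "10.100.20.50"),
                                      (87, "GigabitEthernet1/0/1"), (61, 15), (6, 10)], SECRET)
```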
Observed Failure: (screenshot)
Fix: Import ACS server cert signed by enterprise CA
MAC.CSV (screenshot: MAC address import file)
Monitor Mode
Benefits:
Limitations: No Access Control
Next Steps: Monitor the Network, Evaluate Remaining Risk, Prepare for Access Control
Low Impact Mode
- Limit number of devices connecting to port
- Add new features to support IP Phones
Low Impact Mode summary table (residue; host mode Single-host): rows for Phones with Successful 802.1X and Successful MAB, Contractor/Guest, and All.
Low Impact Mode interface configuration:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in       ! For Low Impact: block general access until successful 802.1X, MAB or WebAuth
 authentication open               ! For Low Impact
 authentication port-control auto  ! From Monitor Mode
 mab                               ! From Monitor Mode
 dot1x pae authenticator           ! From Monitor Mode
Pre-Auth ACL:
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
Downloadable ACLs (dACL): the contents of a dACL are arbitrary. You can have as many unique dACLs as there are user permission groups. Same principles as the pre-auth port ACL.
Pre-Auth ACL for IP phones:
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
- Pre-auth ACL allows just enough access for config, CTL
- New config enables 802.1X on phone
- After 802.1X, phone has full access
- Same idea can give MAB phones access before 802.1X times out
Pre-Auth ACL for PXE:
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
- Pre-auth ACL allows just enough access for DHCP, TFTP
- Downloaded OS has 802.1X enabled
- After 802.1X, client has full access
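An evaluator for the PRE-AUTH ACL shown in the Low Impact Mode configuration, added here as an example (not Cisco's code) to make "just enough access" checkable offline: it models the permit/deny, any/host, eq, range and established forms used in this page's ACLs with IOS first-match semantics and the implicit final deny. The flows it is run against are constructed.

```python
# The PRE-AUTH ACL from the Low Impact Mode slide, as IOS ACE lines
PRE_AUTH_ACL = [
    "permit ip host 10.100.20.200 any",
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}

def _port(tok: str) -> int: return PORT_NAMES.get(tok) or int(tok)

def _take_addr(tokens: list):
    """Consume 'any' or 'host A.B.C.D'; None means wildcard."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host' address forms are modelled")

def ace_matches(ace: str, proto: str, src: str, dst: str, dport: int, established=False):
    """Return the ACE action if the flow matches this entry, otherwise None."""
    action, aproto, *rest = ace.split()
    if aproto not in ("ip", proto):
        return None
    asrc, rest = _take_addr(rest)
    adst, rest = _take_addr(rest)
    if (asrc and asrc != src) or (adst and adst != dst):
        return None
    if rest[:1] == ["eq"] and dport != _port(rest[1]):
        return None
    if rest[:1] == ["range"] and not _port(rest[1]) <= dport <= _port(rest[2]):
        return None
    if "established" in rest and not established:  # only TCP segments with ACK/RST set
        return None
    return action

def acl_permits(acl: list, proto: str, src: str, dst: str, dport: int, established=False) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        action = ace_matches(ace, proto, src, dst, dport, established)
        if action is not None:
            return action == "permit"
    return False

# Constructed flows from an unauthenticated endpoint: DHCP passes, a web session does not
if __name__ == "__main__":
    print(acl_permits(PRE_AUTH_ACL, "udp", "0.0.0.0", "255.255.255.255", 67))  # True
    print(acl_permits(PRE_AUTH_ACL, "tcp", "10.100.20.5", "10.100.30.9", 80))  # False
```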
Diagram: an endpoint whose certificate has expired fails 802.1X; MAB passes and its authorization lets it reach the IT website. Alternative: configure a fallback authentication method (e.g. MAB) with appropriate authorization policy.
Single-host mode session issue (diagram): endpoint A (MAC 0011.2233.4455) authenticates with 802.1X. If endpoint B (MAC 6677.8899.AABB) then appears on the same port, the switch raises a Security Violation; if A's session is never cleared after A leaves, B can use the still-authorized port (Security Hole).
Session termination options (diagrams: Catalyst 3750 series switch, IP phone, SSC endpoint)
1. Proxy EAPoL-Logoff: the phone sends EAPoL-Logoff on behalf of the endpoint behind it. Only works for 802.1X endpoints; requires a logoff-capable phone; potential competitive differentiator.
2. Inactivity Timer: switch feature; the session is cleared when the timer expires. Works for MAB endpoints; port vulnerable during timeout; quiet devices may get kicked off.
3. CDP Link Down: the session is cleared when the phone reports link down via CDP. Works for all 802.1X, MAB, Web-Auth; nothing to configure; combined switch + phone feature. Recommended!
Low Impact Mode
Benefits:
Limitations: No L2 Isolation
Next Steps:
High Security Mode
Authorization summary (host mode Single-host):
Authentication Status          | Who                                  | Result
Pre-802.1X                     | All                                  | Closed
Successful 802.1X              | Employees                            | Dynamic VLAN
Failed 802.1X                  | Failed Employees, Contractor, Guest  | Guest-Fail-Critical VLAN
No 802.1X (no client)          | Corporate Asset, Contractor, Guest   | Next-Method (on by default if MAB configured)
Successful MAB                 | Corporate Asset                      | Dynamic VLAN
Successful 802.1X              | Phones                               | Voice VSA
Successful MAB                 | Phones                               | Voice VSA
Failed MAB                     |                                      | Guest-Fail-Critical VLAN
No 802.1X, MAB (server down)   |                                      | Guest-Fail-Critical VLAN
Configure dynamic VLANs for any user that should be in a different VLAN.
NEAT (Network Edge Authentication Topology) diagram:
1) NEAT-capable SSw authenticates itself to the Authenticator Switch (ASw) (EAP-Response: SSw)
2) ASw converts the port to a trunk
3) SSw authenticates users and devices in the conference room (EAP-Response: Alice, [VLAN Yellow])
4) ASw learns authenticated MACs via Client Information Signaling Protocol (CISP)
NEAT Configurations
SSw global configs:
cisp enable
dot1x supplicant force-multicast
dot1x credentials <profile_name>
 username <user>
 password <passwd>
SSw interface config (connected to ASw):
interface gigabitethernet1/0/1
 switchport trunk encap dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials <profile_name>
ASw global config:
neat enable
cisp enable
ASw minimal interface config (connected to SSw):
interface GigabitEthernet5/1
 switchport access vlan $AVID
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
Autoconfig: apply macro (diagram: RADIUS Server)
no switchport access vlan $AVID
no switchport nonegotiate
switchport mode trunk
switchport trunk native vlan $AVID
no spanning-tree bpduguard enable
spanning-tree portfast trunk
High Security Mode
Benefits:
Limitations:
Next Steps:
Conclusion
Case studies
- Hospital da Luz: High Security mode, MAB first for medical devices. http://www.cisco.com/web/strategy/docs/healthcare/daLuz_hospital_cStudy.pdf
- Telecomputing: managed LAN / cloud service provider, 12K endpoints, all remote offices
References
www.cisco.com/go/ibns
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
Thank you.