Deploying IEEE 802.1X
BRKSEC-2005

Agenda

Authentication Protocols and Operation
- IEEE 802.1X
- MAB
- Web Auth

Authorization
- Five stages of authorization
- IP Telephony

Deployment Scenarios
- Monitor Mode
- Low Impact Mode
- High Security Mode

BRKSEC-2005, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Authentication Protocols and Operation: IEEE 802.1X

Why Is IEEE 802.1X Important?

1. Who are you? IEEE 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out; keep the insiders honest.
2. Where can you go? Based on the authentication result, the user is placed in the correct VLAN.
3. What service level do you receive? The user can be given per-user services. Personalize the network.
4. What are you doing? The authenticated session can be used for tracking and accounting. Increase network visibility.

Basic Identity Concepts

What is an identity? An assertion of who we are; it allows us to differentiate one entity from another.

What does it look like? Typical network identities include:
- Username / password
- Email: jdoe@foo.com
- MAC address: 00-0c-14-a4-9d-33
- IP address: 10.0.1.199
- Digital certificates

How do we use identities? To grant the appropriate authorization rights to services within a given domain.

What Is Authentication?

Authentication is the process of establishing and confirming the identity of a client requesting services.

(Figure: a bank teller exchange. "200.00 Euros please." "Do you have identification?" "Yes, I do. Here it is.")

An authentication system is only as strong as the method of verification used.

IEEE 802.1X Provides Port-Based Access Control Using Authentication

Standard revisions: 802.1X-2001, 802.1X-2004, 802.1X-

(Figure: "Access to the network." "Do you have identification?" "Yes, I do. Here it is.")

Authentication: utilizing encapsulation via Extensible Authentication Protocol (EAP) over IEEE 802 media.

Port-based: enforcement via MAC-based filtering and port-state monitoring.

IEEE 802.1X Has Multiple Components

Primary components:
- Supplicant (802.1X client): submits credentials for authentication.
- Authenticator (switch / WLAN): forwards credentials to the authentication server; controls access to the network.
- Authentication server (RADIUS server): validates credentials; defines the access policy.
- Backend database (AD, LDAP, etc.): supports authentication server functions.

Supplicant Considerations

- Microsoft Windows: native supplicant supports TLS and PEAP. Alternatives: AnyConnect 3.0, Secure W2.
- Linux: xsupplicant, http://www.open1x.org
- Apple: native supplicant supports TTLS, LEAP, PEAP, MD5 and FAST. In 10.5, single sign-on (SSO) can be accomplished for system or user.
- IP Phone: Cisco native supplicant supports MD5, TLS and FAST. Minimum firmware version: 8.5(2).
- Printers, APs, etc.: check the vendor documentation.

Configuration Examples: Supplicants

(Screenshots of supplicant configuration for Windows, IP Phone and OS X.)

Switch Considerations

IOS configuration (global AAA and RADIUS, then per-port 802.1X):

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! enable 802.1X globally (required; also shown in the Monitor Mode configuration)
dot1x system-auth-control
radius-server host 10.100.100.100
radius-server key cisco123
!
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator

Authentication Server Considerations

- Microsoft IAS / NPS
- Cisco ACS / ISE
- Any IETF RADIUS server

Configuration Examples: Authentication Servers

(Screenshots of NPS and ACS configuration.)

IEEE 802.1X Has Multiple Protocols

(Figure: protocol stack between supplicant, switch and ACS.)
- EAP Method: authentication method (what and how)

EAP Method Defines What Credential and How to Submit

(Figure. What: the credential, e.g. the password c1sC0L1v for user alice, or a private/public key pair. How: the way the credential is proven, e.g. as a hashed value such as 23hs*^450 rather than in the clear.)

Common EAP methods:

Method: EAP-TLS
  Client credential: client certificate
  Basis for encryption: not required
  Key benefit: highly secure

Method: PEAP-MSCHAPv2
  Client credential: username / password
  Basis for encryption: server-cert TLS tunnel
  Key benefit: does not require a client cert

A Few Words About Certificates

(Figure: client, server and CA. The client reasons: "I can trust a server cert issued by a trusted CA.")

A Certificate Authority (CA) is a trusted third party that enables devices to trust each other.

Distribution of Certificates Requires Public Key Infrastructure (PKI)

(Figure: the CA issues certificates to the server and the client; together they form the PKI.)

EAP Method in Action: PEAP

(Figure: Alice's supplicant validates the server certificate against the CA ("this is a trusted server"), builds an encrypted TLS tunnel to the server, and sends Alice's password (AlicePwd) inside the tunnel. Result: Alice is authenticated.)

EAP Method in Action: TLS

(Figure: with EAP-TLS, the client validates the server certificate against the CA ("this is a trusted server") and the server validates the client certificate against the CA. Result: Alice is authenticated.)

Factors That Drive EAP Method

Enterprise security policy
- Certificate Authority deployment
- Requirements such as two-factor authentication may drive the choice of EAP-TLS

Client support
- Windows XP supports EAP-TLS, PEAP w/EAP-MSCHAPv2 and PEAP w/EAP-TLS
- 3rd-party supplicants support a large variety of EAP types, but not all

Authentication server support
- RADIUS servers support a large variety of EAP types, but not all

Authentication store
- PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that hold passwords in a form MSCHAPv2 can use (the NT hash or the clear-text password)
- Not every identity store supports all the EAP types

Your choice of EAP type drives the other components.

Extensible Authentication Protocol (EAP) Is an Authentication Framework

(Figure: protocol stack.)
- EAP Method: authentication method
- EAP: format / framework

EAP:
- Specifies message format and reliable transport for EAP methods
- Defined by RFC 3748
- Four packet codes: Request, Response, Success, Failure
- Simple encapsulation protocol that runs over any link layer

EAPoL and RADIUS Transport EAP

(Figure: protocol stack.)
- EAP Method: authentication method
- EAP: format / framework
- EAPoL: L2 encapsulation (supplicant to switch)
- RADIUS: AAA protocol (switch to authentication server)

EAP over LAN (EAPoL) Transports EAP over Layer 2

- Defined by IEEE 802.1X
- Three primary messages: EAP-Packet, EAPoL-Start, EAPoL-Logoff

RADIUS Transports EAP from Switch to Authentication Server

- RADIUS acts as the transport for EAP from the switch to the RADIUS server (RFC 3579, RFC 3580)
- RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of Attribute-Value Pairs (AVPs)

The Switch Provides the Glue

- The switch bridges EAPoL and RADIUS to get EAP from the supplicant to the authentication server
- The switch also enforces policy and controls network access

Putting It All Together

Initiation
1. Supplicant -> Switch: EAPoL-Start
2. Switch -> Supplicant: EAP-Request/Identity
3. Supplicant -> Switch: EAP-Response/Identity: Alice
4. Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: Alice]

Authentication
5. AAA -> Switch: RADIUS Access-Challenge [AVP: EAP-Request: TLS Start]
6. Switch -> Supplicant: EAP-Request: TLS
7. Supplicant -> Switch: EAP-Response: TLS Client Hello
8. Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: TLS Client Hello]
   (multiple Challenge/Request exchanges possible)

Authorization
9. AAA -> Switch: RADIUS Access-Accept [AVP: EAP-Success] [AVP: VLAN 10, dACL-n]
10. Switch -> Supplicant: EAP-Success
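The identity and authorization legs of the exchange above, worked through in Python as an added example that is not part of the original deck: the supplicant's EAP-Response/Identity is wrapped into a RADIUS Access-Request carrying the Message-Authenticator that RFC 3579 requires on every EAP-bearing packet, and the Access-Accept is checked on the switch side (Response Authenticator and Message-Authenticator, against the outstanding request) before the VLAN it carries is trusted. The shared secret, packet identifiers and RFC 2868 tag byte are assumptions for the example; the TLS handshake between steps 5 and 8 is not modelled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used in the exchange (RFC 2865, RFC 2868, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1

def eap_identity_response(identifier, identity):
    """EAP-Response/Identity, the packet the supplicant answers the Request/Identity with."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def iter_attrs(data):
    """Yield (type, value_offset, value); reject truncated or zero-length attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield data[i], i + 2, data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def build_access_request(identifier, request_auth, secret, identity, eap_packet):
    """Authenticator side: wrap the EAP packet in EAP-Message and sign the whole datagram."""
    attrs = avp(USER_NAME, identity.encode()) + avp(EAP_MESSAGE, eap_packet)
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))          # placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # HMAC-MD5 with the MA zeroed
    return packet[:-16] + mac

def verify_message_authenticator(packet, secret):
    """RFC 3579: a packet carrying EAP-Message without a valid Message-Authenticator is dropped."""
    header, attrs = packet[:20], bytearray(packet[20:])
    found = None
    for attr_type, offset, value in iter_attrs(bytes(attrs)):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            found = value
            attrs[offset:offset + 16] = bytes(16)
    if found is None:
        return False
    expected = hmac.new(secret, header + bytes(attrs), hashlib.md5).digest()
    return hmac.compare_digest(expected, found)

def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    identifier, request_auth = request[1], request[4:20]
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # For replies the HMAC is computed with the *request* authenticator in the header field.
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def verify_response(response, request, secret):
    """Switch side: check an Access-Accept against the outstanding request before trusting it."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    request_auth = request[4:20]
    if response[1] != request[1]:                           # must answer this request's ID
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    return verify_message_authenticator(header + request_auth + attrs, secret)

def authorization_from_accept(response):
    """Extract the [AVP: EAP-Success] and [AVP: VLAN 10] the slide shows in the Accept."""
    policy = {}
    for attr_type, _, value in iter_attrs(response[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            policy["vlan"] = value[1:].decode()             # drop the RFC 2868 tag byte
        elif attr_type == EAP_MESSAGE and value[0] == EAP_SUCCESS:
            policy["eap"] = "success"
    return policy

def demo(secret=b"cisco123"):
    """Identity round trip: EAPoL identity -> Access-Request -> verified Access-Accept."""
    request_auth = os.urandom(16)                           # fresh per request, never reused
    eap = eap_identity_response(1, "Alice")
    request = build_access_request(7, request_auth, secret, "Alice", eap)
    vlan10 = (avp(TUNNEL_TYPE, b"\x01\x00\x00\x0d")            # tag 1 (assumed), VLAN (13)
              + avp(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06")   # tag 1, IEEE-802 (6)
              + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"))  # tag 1, VLAN 10
    eap_success = avp(EAP_MESSAGE, bytes([EAP_SUCCESS, 1, 0, 4]))
    accept = build_response(ACCESS_ACCEPT, request, secret, eap_success + vlan10)
    return verify_response(accept, request, secret), authorization_from_accept(accept)
```

The Response Authenticator binds the reply to one outstanding request (same identifier, same Request Authenticator), so a stale or forged Accept fails the check even if it carries a plausible VLAN. RADIUS specifies MD5 for both authenticators, which is why the `radius-server key` on the switch and the path the RADIUS traffic takes carry the weight here.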

Taking It All Apart

Five ways a session ends:
1. Link down
2. EAPoL-Logoff
3. Session timeout
4. Idle timeout
5. RADIUS Change of Authorization

Authentication Protocols and Operation: MAC Authentication Bypass (MAB)

Default Access Control Is Binary

(Figure: on the unauthenticated side, an employee with a bad credential, a guest, a rogue, and managed assets with no 802.1X client; on the authenticated side, only an employee whose 802.1X passed.)

- Unauthenticated: 802.1X failed or was never attempted (employee with a bad credential, guest, rogue, managed assets without 802.1X)
- Authenticated: 802.1X passed (employee)

MAC Authentication Bypass (MAB)

Endpoint MAC: 00.0a.95.7f.de.06

1. IEEE 802.1X timeout: the switch sends EAPoL EAP-Request/Identity three times and gets no response.
2. The endpoint sends any packet; the switch learns the source MAC.
3. MAB: Switch -> AAA: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
4. AAA -> Switch: RADIUS Access-Accept

802.1X with MAC Auth Bypass (MAB)

Deployment considerations:
- MAB enables differentiated access control (e.g. printer VLAN vs. contractor VLAN)
- MAB leverages centralized policy on the AAA server
- Dependency on the 802.1X timeout -> delayed network access
- MAB requires a database of known MAC addresses (e.g. ACS querying an LDAP MAC database)

Variables That Impact Delay

Endpoint MAC: 00.0a.95.7f.de.06

Total time from link up to network access:
1. The authenticator sends EAPoL EAP-Request/Identity, waits tx-period, and retries max-reauth-req times.
2. IEEE 802.1X times out; MAB starts.
3. Time until the endpoint sends its first packet after the IEEE 802.1X timeout.
4. Switch -> RADIUS server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
5. RADIUS server -> Switch: RADIUS Access-Accept
6. Network access granted

Dealing with MAB-Related Delays

Three options:

1) Change the timeout
interface GigabitEthernet1/4
 dot1x max-reauth-req 2        (default)
 dot1x timeout tx-period 30    (default)
802.1X times out after (max-reauth-req + 1) * tx-period seconds, then MAB starts; with the defaults that is (2 + 1) * 30 = 90 seconds. Make it short enough to prevent timeouts on the endpoint and long enough to allow 802.1X devices to authenticate.

2) FlexAuth: run MAB first
interface GigabitEthernet1/4
 authentication order mab dot1x
 authentication priority dot1x mab
The first packet from the device triggers MAB; if MAB fails, 802.1X runs. Prepare for additional control-plane traffic. Priority matters: see www.cisco.com/go/ibns -> Whitepapers.

3) Low Impact deployment scenario

MAC Databases: Device Discovery

- Find it: leverage an existing asset database, e.g. purchasing department, CUCM. For more info: BRKSEC-3005
- Build it: bootstrap methods to gather data, e.g. SNMP, syslog, accounting, Monitor Mode
- Buy it: automated device discovery, e.g. ISE. For more info: BRKSEC-2041

Authentication Protocols and Operation: Web Authentication

802.1X with Basic Web Authentication

Multiple triggers, single port config, mostly Flex-Auth.

1. Trigger: 802.1X timeout, 802.1X failure or MAB failure.
2. Port enabled, pre-auth ACL applied. Access VLAN only. The pre-auth ACL must permit DHCP and DNS. The ACL applies to the whole port -> phones must use MDA.
3. Host acquires an IP address, which triggers the session state (DHCP and ARP trigger the state).
4. Host opens a browser, gets the login page and sends the password. Requires the IP HTTP (secure-)server enabled on the switch; the user may be prompted to trust the certificate. Use the Web-Auth AAA fail policy for AAA outages.
5. Switch queries the AAA server; the server authorizes the user.
6. AAA server returns the policy; the switch applies the new ACL policy. VLAN assignment is not supported.

802.1X with Web-Auth

Deployment considerations:
- Web-Auth is only for users (not devices): a browser is required, with manual entry of username/password
- Web-Auth can be a fallback from 802.1X or MAB
- Web-Auth and Guest VLAN are mutually exclusive
- Web-Auth supports ACL authorization only
- Web-Auth behind an IP phone requires Multi-Domain Authentication (MDA)

Authentication Summary

- IEEE 802.1X: strong authentication; requires a client
- MAB: supports clientless devices; requires a pre-existing database; timing issues
- WebAuth: support for clientless users; limited applications

Authorization: The Five Stages

What Is Authorization?

Authorization is the process of granting a level of access to the network.

(Figure: "200.00 please." "Do you have identification?" "Yes, I do. Here it is." "Thank you. Here are your Euros.")

Five stages of authorization:
1. Pre-authentication
2. Passed authentication
3. Failed authentication
4. No authentication (no client)
5. No authentication (AAA server dead)

Three types of MAC filtering:
- Single MAC per port
- Single MAC per domain per port
- Multiple MACs per port

Default Authorization Is Binary

Unauthenticated:
- Strict access control: everything except EAPoL is dropped
- No visibility (yet)

802.1X/MAB passed:
- Looks the same as without 802.1X: all traffic is allowed, the access VLAN is now open
- User/device is known

Authorization: Pre-Authentication Options

Default: Closed (nothing but EAPoL before authentication)

Selectively Open (open with a pre-auth ACL):
switch(config-if)#authentication open
switch(config-if)#ip access-group PRE-AUTH in

Open:
switch(config-if)#authentication open

Authorization: Passed 802.1X/MAB Authentication

Default: Open. Alternatives: a dynamic ACL or a dynamic VLAN assigned by the AAA server for the authenticated user (Alice).

Authorization: Failed 802.1X Authentication

Default: Closed. Alternatives:
- Next-method (final authorization determined by the results of the next method):
  switch(config-if)#authentication event fail action next-method
- Auth-Fail VLAN:
  switch(config-if)#authentication event fail action authorize vlan 50

Authorization: No 802.1X Authentication (No Client)

Default: Closed. Alternatives:
- Next-method, i.e. MAB (final authorization determined by the results of the next method):
  switch(config-if)#mab
- Guest VLAN:
  switch(config-if)#authentication event no-response action authorize vlan 51

Authorization: No 802.1X/MAB Authentication (AAA Server Dead)

Default: Closed. Alternative: Critical VLAN:
switch(config-if)#authentication event server dead action authorize vlan 52

Authorization: Host Modes and IP Telephony

Authorization: Single MAC Filtering

Default: single-host mode.
- Multiple MACs are not allowed, to ensure the validity of the authenticated session
- Cases to watch: hubs, VMware, phones, Grat
- Applies in open and closed mode

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto

Modifying Single-MAC Requirement: IP Phones

Multi-Domain Authentication (MDA) host mode:
- IEEE 802.1X single-host: single device per port
- MDA: single device per domain per port (voice domain and data domain)
- MDA replaces CDP Bypass
- Supports Cisco and 3rd-party phones
- Phones and PCs use 802.1X or MAB

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain

MDA with MAC Authentication Bypass (MAB)

Phone MAC: 00.18.ba.c7.bc.ee

1. Switch -> Phone: EAP-Identity-Request (three times, no answer)
2. Fallback to MAB; the switch learns the MAC
3. Switch -> AAA: RADIUS Access-Request: 00.18.ba.c7.bc.ee
4. AAA -> Switch: RADIUS Access-Accept with device-traffic-class=voice
5. Voice VLAN enabled for the phone

Benefits:
- No client, no credential needed -> works for all phones
- Enables visibility and access control
- PAP is not process-intensive
- Compatible with other 802.1X features

Deployment considerations:
- Default 802.1X timeout = 90 seconds of latency
- Must create and maintain a phone MAC database
- AAA server must be configured to assign the phone to the voice domain

MDA with IEEE 802.1X

1. Phone -> Switch: EAPoL-Start
2. Switch -> Phone: EAPoL Request/Identity
3. Phone -> Switch: EAPoL Response/Identity
4. Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
5. AAA -> Switch: RADIUS Access-Challenge [AVP: EAP-Request: TLS]
6. Switch -> Phone: EAP-Request: TLS
7. Phone -> Switch: EAP-Response: TLS Client Hello
8. Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: TLS Client Hello]; the following challenges carry the TLS Server Hello and the rest of the handshake (actual exchanges depend on the EAP method: MD5, TLS, FAST)
9. AAA -> Switch: RADIUS Access-Accept [device-traffic-class=voice]
10. Switch -> Phone: EAP-Success

Benefits:
- Strong authentication with minimal delay
- Can be deployed without touching the phone or creating a database
- Compatible with other 802.1X features

Deployment considerations:
- Choice of EAP method impacts deployability
- Cisco phones require 7970G, 79x1, 79x2 or 79x5 with X.509 cert support and firmware 8.5(2)
- AAA server dependency

802.1X EAP Methods on Cisco Phones

EAP-MD5
  Phone credential: username / password
  Deployment considerations: password manually configured on the phone; phone name / password must be in the AAA database; not supported on ACS 5.0 or 5.1

EAP-FAST with TLS
  Phone credential: MIC or LSC
  Deployment considerations: supported on ACS 4.2 with the PAC-Free + PKI Authz Bypass feature in NAP; never need to touch the phone, all config is done from the CUCM GUI (7.1.2)

EAP-TLS
  Phone credential: MIC or LSC
  Deployment considerations: never need to touch the phone, all config is done from the CUCM GUI (7.1.2); ACS 5 does not require a username lookup after TLS cert validation -> no need to enter phone names in any database

Cert-Based 802.1X Is Easy with Cisco IP Phones and ACS 5!

Manufacturing Installed Certificates (MIC):
- Pre-installed on every phone that supports EAP-TLS and EAP-FAST
- Automatically used if 802.1X is enabled
- Export the Cisco Manufacturing Root, Sub CA and Cisco Root CA certificates from CUCM to ACS
- Easy to match with an ACS 5 authorization rule

Locally Significant Certificates (LSC):
- LSCs are customer controlled; CUCM issues LSCs to phones via CAPF
- CAPF can be self- or CA-signed
- Export the CAPF and CA root certs from CUCM to ACS
- Easy to match with an ACS 5 authorization rule

Enabling 802.1X on Phones

- Old way: configured on the phone itself
- New way (CUCM 7.1.2): in the Phone Configuration page or a BAT template; no need to touch the phone. The phone must be on the network when you do this.

Enabling 802.1X Post-Deployment

How do you enable 802.1X on a phone via the network if the phone needs 802.1X to get on the network?

1. Non-802.1X staging area: initial phone boot-up in a network without 802.1X
2. Works for one-offs, not mass deployments
3. MAB -> 802.1X: use MAB to get the device on the network; grant just enough access to download the config file; the phone resets with 802.1X enabled
4. Low Impact Mode

Modifying Single-MAC Requirement: Virtualized Endpoints

Multi-Authentication host mode:
- MAC-based enforcement for each device
- 802.1X and/or MAB per device
- Multi-Auth is a superset of MDA

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-auth

Authorization Summary

Host modes: Single-host, Multi-Domain-Auth, Multi-Auth.

Authentication status -> default authorization / alternative 1 / alternative 2:
- Pre-802.1X -> Closed / Open / Selectively Open
- Successful 802.1X -> Open / Dynamic VLAN / Dynamic ACL
- Failed 802.1X -> Same as pre-auth / Auth-Fail VLAN / Next-Method
- No 802.1X (no client) -> Same as pre-auth / Guest VLAN / Next-Method
- Successful MAB -> Open / Dynamic VLAN / Dynamic ACL
- Failed MAB -> Same as pre-auth / Guest VLAN / Next-Method
- No 802.1X, MAB (server down) -> Same as pre-auth / Critical VLAN / (none)

Deployment Scenarios

What Is a Deployment Scenario?

A set of configuration guidelines designed to meet a particular deployment goal:
- Simplify deployments by following a blueprint
- Increase efficiency by combining features that interoperate most effectively
- Phase deployments for minimal impact to end users
- Customize the basic blueprint as needed

General principles: start simple; start with minimal restrictions; evolve as necessary.

The First Scenario: Monitor Mode

- Monitor Mode: authentication without access control
- Low Impact Mode: minimal impact to network and users
- High Security Mode: logical isolation of user groups / device types

Monitor Mode Overview

Monitor Mode goals:
- No impact to existing network access
- Deterrence through accountability

Monitor Mode: how to
- Enable 802.1X and MAB
- Enable open access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except that authentications still occur
- Enable Multi-Auth host mode
- Disable authorization

Monitor Mode: Network Access Table (host mode: Multi-Auth)

Endpoints -> authentication status -> authorization (network access):
- All -> Pre-802.1X -> Open
- Employees -> Successful 802.1X -> Open
- Failed employees -> Failed 802.1X -> Open
- Contractor/Guest, Corporate asset -> No 802.1X (no client) -> Next-Method (MAB)
- Contractor/Guest, Corporate asset -> Successful MAB -> Open
- Phones -> Successful 802.1X -> Open
- Phones -> Successful MAB -> Open
- Contractor/Guest -> Failed MAB -> Open
- All -> No 802.1X, MAB (server down) -> Open

Monitor Mode: Switch

Switch global config:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication

Switch interface config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ! Monitor Mode
 authentication host-mode multi-auth
 authentication open
 ! Basic 802.1X/MAB
 authentication port-control auto
 mab
 dot1x pae authenticator

Monitor Mode: AAA Server and Endpoints

AAA server: should be fully configured except for the authorization policy:
- Communication with AAA clients (i.e. switches)
- Communication with the credential repository (e.g. AD, MAC database)
- PKI (CA certs, server cert)
- EAP configuration
- MAB configuration

Endpoints: should be fully configured:
- PKI (CA certs, client cert) or other credentials
- Supplicants configured and installed everywhere supported
- Enable machine auth
- Enable user auth if needed

Monitor Mode: Next Steps

- Improve accuracy
- Evaluate remaining risk
- Leverage information
- Prepare for access control

Source: RADIUS authentication and accounting logs, which yield:
- Passed/failed 802.1X/EAP attempts -> list of valid 802.1X-capable endpoints, list of invalid 802.1X-capable endpoints
- Passed/failed MAB attempts -> list of valid MACs, list of invalid or unknown MACs

Information Pays for Itself

ROI without access control: one RADIUS accounting record (Interim-Update) already tells you who is where and what they are doing.

RADIUS attribute -> example value:
- User-Name(1) -> scadora
- Framed-IP-Address(8) -> 10.100.41.200
- Calling-Station-Id(31) -> 00-1E-4A-A9-00-A8
- Called-Station-Id(30) -> 00-1F-6C-3E-56-8F
- NAS-IP-Address(4) -> 10.100.10.4
- NAS-Port-Type(61) -> Ethernet
- NAS-Port-Id(87) -> FastEthernet2/48
- Service-Type(6) -> Framed-User
- Acct-Status-Type(40) -> Interim-Update
- Acct-Session-Time(46) -> 27
- Acct-Input-Octets(42) -> 2614
- Acct-Output-Octets(43) -> 2469
- Acct-Input-Packets(47) -> 7
- Acct-Output-Packets(48) -> 18

Preparing for Access Control: Fix 802.1X Errors

Observed failure: (screenshot of a failed 802.1X attempt in the ACS log)
Fix: import an ACS server certificate signed by the enterprise CA

Preparing for Access Control: Put Valid MACs in MAB Database

Observed failure: (screenshot of a MAB attempt for an unknown MAC)
Fix: import the valid MACs (MAC.CSV) into the MAB database
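The two preparation steps above, and the endpoint lists that the "Monitor Mode: Next Steps" slide asks for, as an added example in Python that is not part of the original deck: it reads a constructed authentication-log export, normalizes the MAC notations the deck shows (00-1E-4A-A9-00-A8, 001b.d4e3.a001, 00:0a:95:7f:de:06) to one key, and separates endpoints that already passed MAB, endpoints that failed MAB and never spoke EAP (the only ones that belong in MAC.CSV), and 802.1X-capable endpoints that never passed, whose supplicant or PKI needs fixing rather than a MAB entry. The column names, log values and the two-column import layout are assumptions; ACS and ISE exports use their own formats.

```python
import csv
import io
import re

# Constructed sample of an authentication-log export after a morning in Monitor Mode.
# Column names and values are made up for this example; ACS and ISE exports differ.
SAMPLE_LOG = """\
timestamp,protocol,status,user_name,calling_station_id,nas_port_id,failure_reason
2011-05-02T09:00:01,dot1x,pass,alice,00-1E-4A-A9-00-A8,FastEthernet2/48,
2011-05-02T09:00:07,dot1x,fail,bob,00-1E-4A-A9-00-B2,FastEthernet2/47,supplicant rejected server certificate
2011-05-02T09:00:09,mab,fail,00-1E-4A-A9-00-B2,00-1E-4A-A9-00-B2,FastEthernet2/47,host not found in identity store
2011-05-02T09:01:15,mab,pass,001b.d4e3.a001,00-1B-D4-E3-A0-01,FastEthernet2/12,
2011-05-02T09:02:30,mab,fail,00:0A:95:7F:DE:06,00-0A-95-7F-DE-06,FastEthernet2/13,host not found in identity store
2011-05-02T09:03:44,dot1x,fail,alice,00-1E-4A-A9-00-A8,FastEthernet2/48,wrong password
2011-05-02T09:05:00,mab,fail,00-0A-95-7F-DE-06,00-0A-95-7F-DE-06,FastEthernet2/13,host not found in identity store
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """One canonical key for the notations on this page (00-0c-.., 001b.d4e3.., 00:0a:..)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def ios_format(mac):
    """IOS dotted form, as the switch shows MAB user names (e.g. 000a.957f.de06)."""
    return ".".join(mac[i:i + 4] for i in (0, 4, 8))


def summarize(log_text):
    """Split endpoints into the lists the Monitor Mode 'next steps' slide asks for."""
    mab_pass, mab_fail, dot1x_pass, dot1x_fail = set(), set(), set(), {}
    last_port = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = normalize_mac(row["calling_station_id"])
        last_port[mac] = row["nas_port_id"]
        passed = row["status"] == "pass"
        if row["protocol"] == "mab":
            (mab_pass if passed else mab_fail).add(mac)
        elif passed:
            dot1x_pass.add(mac)
        else:
            dot1x_fail.setdefault(mac, set()).add(row["failure_reason"])
    dot1x_capable = dot1x_pass | set(dot1x_fail)     # anything that ever answered EAP
    return {
        "valid_macs": mab_pass,                                     # already in the MAB database
        # Unknown MACs that never spoke EAP: the only ones that belong in MAC.CSV.
        "mab_candidates": mab_fail - mab_pass - dot1x_capable,
        # 802.1X-capable endpoints that never passed: fix the supplicant or PKI, do not MAB them.
        "dot1x_never_passed": {m: r for m, r in dot1x_fail.items() if m not in dot1x_pass},
        "last_port": last_port,
    }


def mac_csv(summary):
    """Candidate rows for the MAB database import (a two-column layout assumed here)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mac", "description"])
    for mac in sorted(summary["mab_candidates"]):
        writer.writerow([ios_format(mac), f"seen on {summary['last_port'][mac]}"])
    return out.getvalue()


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(mac_csv(result))
    for mac, reasons in result["dot1x_never_passed"].items():
        print(ios_format(mac), sorted(reasons))
```

In the sample, bob's PC fails 802.1X on the server certificate and then fails MAB; it is excluded from MAC.CSV because it clearly has a supplicant, and shows up instead in the list of 802.1X failures to fix. Alice's one wrong-password attempt does not make her PC "invalid" because the same MAC also passed.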

Monitor Mode in a Nutshell

- Summary: authentication without authorization
- Benefits: extensive network visibility; no impact to endpoints or network
- Limitations: no access control
- Next steps: monitor the network; evaluate remaining risk; prepare for access control

The Second Scenario: Low Impact

- Monitor Mode: authentication without access control
- Low Impact Mode: minimal impact to network and users
- High Security Mode: logical isolation of user groups / device types

Low Impact Mode Overview

Low Impact Mode goals:
- Begin to control/differentiate network access
- Minimize impact to existing network access
- Retain the visibility of Monitor Mode
- Don't re-architect your network: keep the existing VLAN design; minimize LAN changes

Low Impact Mode: how to
- Start from Monitor Mode
- Add new features for access control: downloadable ACLs, flexible auth-fail handling
- Limit the number of devices connecting to a port
- Add new features to support IP phones

Low Impact: Network Access Table

Endpoints -> authentication status -> authorization:

Host mode Single-host:
- All -> Pre-802.1X -> Selectively Open
- Employees -> Successful 802.1X -> Dynamic ACL
- Failed employees -> Failed 802.1X -> Next-Method (MAB)
- Contractor/Guest, Corporate asset -> No 802.1X (no client) -> Next-Method (MAB)
- Contractor/Guest, Corporate asset -> Successful MAB -> Dynamic ACL

Host mode Multi-Domain-Auth (with link-state solution):
- Phones -> Successful 802.1X -> Dynamic ACL + Voice VSA
- Phones -> Successful MAB -> Dynamic ACL + Voice VSA
- Contractor/Guest -> Failed MAB -> Same as pre-auth
- All -> No 802.1X, MAB (server down) -> Same as pre-auth

Low Impact Mode: Switch

Switch global config (add to Monitor Mode):
aaa authorization network default group radius
ip device-tracking

Switch interface config. Pre-authentication port authorization state: block general access until successful 802.1X, MAB or WebAuth; pinhole explicit TCP/UDP ports to allow the desired access.
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ! For Low Impact
 ip access-group PRE-AUTH in
 ! From Monitor Mode
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator

Low Impact Mode: AAA Server

Configure downloadable ACLs (dACLs) for authenticated users.

Pre-auth ACL on the switch:
ip access-list extended PRE-AUTH
 permit ip host 10.100.20.200 any
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp

- The contents of a dACL are arbitrary
- You can have as many unique dACLs as there are user permission groups
- Same principles as the pre-auth port ACL
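An added example, not from the original deck: a small evaluator for IOS-style extended ACEs that replays the PRE-AUTH ACL above, and a constructed dACL for a host that passed MAB, against sample flows. It shows the implicit deny at the end of the list and what `established` actually tests: it is a stateless check for the ACK or RST bit, so a host behind an unauthenticated port can still push ACK-flagged segments to any TCP port through the pre-auth ACL, which matters when you decide how wide to make the pinholes. The IT web server 10.100.20.50, the external resolver 198.51.100.53 and the dACL contents are assumptions, as is the model that a downloaded ACL is evaluated in place of the port ACL for that session's traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}

# The PRE-AUTH ACL from the slide, verbatim.
PRE_AUTH = """\
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
"""

# Constructed dACL for a host that passed MAB: the IT web server (10.100.20.50 is assumed)
# plus what the host still needs to renew its lease and resolve names.
IT_DACL = """\
permit tcp any host 10.100.20.50 eq www
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
"""


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # the only thing IOS "established" looks at


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str

    def matches(self, flow):
        if self.proto not in ("ip", flow.proto):
            return False
        if ipaddress.ip_address(flow.src) not in self.src:
            return False
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return not self.established or (flow.proto == "tcp" and flow.ack_or_rst)


def _address(tokens):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_ace(line):
    """Grammar covered: permit|deny <proto> <src> <dst> [eq <port>] [established]."""
    tokens = line.split()
    permit, proto = tokens[0] == "permit", tokens[1]
    src, rest = _address(tokens[2:])
    dst, rest = _address(rest)
    dport, established = None, False
    while rest:
        if rest[0] == "eq":
            dport, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
        elif rest[0] == "established":
            established, rest = True, rest[1:]
        else:
            raise ValueError(f"unsupported keyword {rest[0]!r} in {line!r}")
    return Ace(permit, proto, src, dst, dport, established, line.strip())


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def evaluate(acl, flow):
    """First matching ACE wins; anything left over hits the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.permit, ace.text
    return False, "implicit deny"


def session_decision(flow, port_acl, dacl=None):
    """Assumed model: once a dACL is downloaded for the session, it replaces the port ACL."""
    return evaluate(dacl if dacl else port_acl, flow)


def walkthrough():
    """(pre-auth result, post-MAB result) for constructed flows from host 10.100.41.200."""
    pre, dacl = parse_acl(PRE_AUTH), parse_acl(IT_DACL)
    host = "10.100.41.200"
    flows = {
        "dhcp discover": Flow("udp", "0.0.0.0", "255.255.255.255", 67),
        "dns corporate": Flow("udp", host, "10.100.10.116", 53),
        "dns external": Flow("udp", host, "198.51.100.53", 53),
        "http syn": Flow("tcp", host, "10.100.20.50", 80),
        "ack-flag scan": Flow("tcp", host, "10.100.20.50", 22, ack_or_rst=True),
    }
    return {name: (evaluate(pre, f)[0], session_decision(f, pre, dacl)[0]) for name, f in flows.items()}
```

The walkthrough returns, per flow, what the pre-auth ACL decides and what the session decides after the dACL arrives: DHCP and corporate DNS pass in both states, the HTTP SYN only passes once the dACL is in place, and the ACK-flagged probe to port 22 passes the pre-auth ACL (through `established`) but not the dACL. Note that the dACL repeats the bootps and DNS lines; a dACL that omits them cuts the host off from lease renewal the moment it is authorized, which is the "same principles as the pre-auth port ACL" point above.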

Example: Using Low Impact Mode to Bootstrap a New Phone

TFTP server: 10.100.10.238

Pre-auth ACL:
 permit ip host 10.100.20.200 any
 permit udp any any eq bootps
 permit udp any host 10.100.10.238 eq tftp
 permit udp any host 10.100.10.238 range 32768 61000

- The pre-auth ACL allows just enough access for the config and CTL download
- The new config enables 802.1X on the phone
- After 802.1X, the phone has full access
- The same idea can give MAB phones access before 802.1X times out

Example: Using Low Impact Mode for PXE

Pre-auth ACL (DHCP, TFTP):
 permit ip host 10.100.20.200 any
 permit udp any any eq bootps
 permit udp any host 10.100.10.238 eq tftp

- The pre-auth ACL allows just enough access for DHCP and TFTP
- The downloaded OS has 802.1X enabled
- After 802.1X, the client has full access

Low Impact: Failed Authentication

Devices that fail 802.1X (e.g. because a certificate has expired) keep restricted access: the pre-auth ACL. Policy question: is that sufficient access, e.g. to reach the IT website?

Alternative: configure a fallback authentication method (e.g. MAB) with an appropriate authorization policy. In the figure the certificate has expired, MAB passes, and HTTP is now allowed.

Switch interface config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication event fail action next-method
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator

Low Impact: Host Mode

With Multi-Auth, port piggybacking cannot be mitigated as effectively. In Low Impact Mode, transition to Multi-Domain (for IP telephony) or Single-host (non-IPT).

Switch interface config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator

IPT & 802.1X: The Link-State Problem

The switch cannot see link state on the phone's PC port, so a session authenticated behind the phone lingers after that PC is unplugged.

1) Legitimate users cause security violations. The port is authorized for 0011.2233.4455 only (PC A). When PC A is replaced by PC B (source 6677.8899.AABB) behind the same phone, the switch sees a second MAC in the data domain and raises a security violation.

2) Hackers can spoof a MAC to gain access without authenticating. An attacker who plugs in behind the phone and sends frames with source 0011.2233.4455 inherits A's still-authorized session: a security hole.

Link State: Three Solutions

Proxy EAPoL-Logoff
 [Diagram: Catalyst 3750, IP phone, SSC endpoint; phone sends Proxy EAPoL-Logoff -> Session Cleared]
 Only works for 802.1X endpoints
 Requires Logoff-capable phone
 Potential Competitive Differentiator

Inactivity Timer
 [Diagram: Catalyst 3750; Inactivity Timer expires -> Session Cleared]
 Switch feature
 Works for MAB endpoints
 Port vulnerable during timeout
 Quiet devices may get kicked off

CDP Link Down (CDP 2nd Port Status)
 [Diagram: Catalyst 3750; phone reports CDP 2nd Port Status link down -> Session Cleared]
 Works for all 802.1X, MAB, Web-Auth
 Nothing to configure
 Combined switch + phone feature
 Recommended!
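The exposure window each of the three solutions leaves can be made concrete with a small model of the data domain on a port behind a phone. This is an added example, not code from the deck or from Cisco; the 60-second inactivity timer, the MAC addresses and the event timings are constructed for the illustration.

```python
"""Added example (not from the BRKSEC-2005 deck or Cisco): a model of one
switch port behind an IP phone, used to compare the exposure window left by
each link-state solution. Timings and MAC addresses are constructed."""
from typing import List, Optional, Tuple

PC_MAC = "0011.2233.4455"      # the legitimately authenticated endpoint (constructed)
INACTIVITY_TIMEOUT = 60        # assumption: inactivity timer value in seconds


class DataDomainPort:
    """Data-domain session state on a multi-domain port.

    mitigation: 'none', 'eapol-logoff', 'inactivity' or 'cdp-link-down'.
    endpoint_auth: '802.1x' or 'mab' (proxy logoff only helps 802.1X sessions).
    """

    def __init__(self, mitigation: str, endpoint_auth: str) -> None:
        self.mitigation = mitigation
        self.endpoint_auth = endpoint_auth
        self.authorized_mac: Optional[str] = None
        self.last_seen = 0.0
        self.log: List[str] = []

    def authorize(self, mac: str, t: float) -> None:
        self.authorized_mac, self.last_seen = mac, t
        self.log.append(f"t={t}: session authorized for {mac}")

    def clear(self, t: float, why: str) -> None:
        self.log.append(f"t={t}: session cleared ({why})")
        self.authorized_mac = None

    def pc_link_down(self, t: float) -> None:
        """The phone's PC port loses link; the switch port itself stays up."""
        if self.mitigation == "cdp-link-down":
            self.clear(t, "CDP 2nd port status")             # any auth method
        elif self.mitigation == "eapol-logoff" and self.endpoint_auth == "802.1x":
            self.clear(t, "proxy EAPoL-Logoff from phone")   # 802.1X sessions only
        # 'none' and 'inactivity': the switch sees no event at all

    def frame(self, src_mac: str, t: float) -> bool:
        """Return True if a data-domain frame from src_mac is forwarded at time t."""
        if (self.mitigation == "inactivity" and self.authorized_mac
                and t - self.last_seen > INACTIVITY_TIMEOUT):
            self.clear(t, "inactivity timer expired")
        if self.authorized_mac == src_mac:
            self.last_seen = t
            return True
        return False   # closed port, or a different MAC: security violation


def exposure(mitigation: str, endpoint_auth: str) -> Tuple[bool, bool]:
    """PC authenticates at t=0, last talks at t=50, is unplugged at t=100.
    Returns whether frames carrying the PC's MAC, sent by whatever is plugged
    in afterwards, are forwarded at t=105 and at t=170."""
    port = DataDomainPort(mitigation, endpoint_auth)
    port.authorize(PC_MAC, 0)
    port.frame(PC_MAC, 50)
    port.pc_link_down(100)
    return port.frame(PC_MAC, 105), port.frame(PC_MAC, 170)


def quiet_device_survives(mitigation: str) -> bool:
    """A MAB-authenticated printer that is silent for 100 seconds, then speaks."""
    port = DataDomainPort(mitigation, "mab")
    port.authorize("aabb.ccdd.eeff", 0)   # constructed printer MAC
    return port.frame("aabb.ccdd.eeff", 100)


if __name__ == "__main__":
    for m in ("none", "eapol-logoff", "inactivity", "cdp-link-down"):
        for auth in ("802.1x", "mab"):
            print(f"{m:14} {auth:7} forwarded at t=105 / t=170: {exposure(m, auth)}")
        print(f"{m:14} quiet MAB device still authorized: {quiet_device_survives(m)}")
```

Running it reproduces the slide's bullets: with no solution the session outlives the PC; proxy EAPoL-Logoff clears it only for the 802.1X endpoint; the inactivity timer still forwards the spoofed frame at t=105 and drops the printer that stayed quiet; CDP link down clears the session immediately for either authentication method.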

Low Impact in a Nutshell

Summary
 Default open + pre-auth ACL
 Differentiated Access Control using dynamic ACLs
Benefits
 Minimal Impact to Endpoints
 Minimal Impact to Network
Limitations
 No L2 Isolation
Next Steps
 Monitor the Network
 Tune ACLs as necessary
 Evaluate Remaining Risk

The Last Scenario: High Security

Monitor Mode: Authentication Without Access Control
Low Impact Mode: Minimal Impact to Network and Users
High Security Mode: Logical Isolation of User Groups / Device Types

High Security Mode Overview

High Security Mode Goals
 No access before authentication
 Rapid access for non-802.1X-capable corporate assets
 Logical isolation of traffic at the access edge (Network Virtualization Solution)

High Security: How To
 Timers or authentication order change
 Implement identity-based VLAN assignment

High Security Mode: Network Access Table

Host mode                          | Endpoint                            | Authentication Status        | Authorization
-----------------------------------|-------------------------------------|------------------------------|----------------------------------------------
Single-host                        | All                                 | Pre-802.1X                   | Closed
                                   | Employees                           | Successful 802.1X            | Dynamic VLAN
                                   | Failed Employees, Contractor, Guest | Failed 802.1X                | Guest-Fail-Critical VLAN
                                   | Corporate Asset, Contractor, Guest  | No 802.1X (no client)        | Next-Method (on by default if MAB configured)
                                   | Corporate Asset                     | Successful MAB               | Dynamic VLAN
Multi-Domain-Auth                  | Phones                              | Successful 802.1X            | Voice VSA
(with link-state solution)         | Phones                              | Successful MAB               | Voice VSA
                                   | Contractor/Guest                    | Failed MAB                   | Guest-Fail-Critical VLAN
                                   | All                                 | No 802.1X, MAB (server down) | Guest-Fail-Critical VLAN

High Security Mode: Switch

Switch Global Config (add to Monitor Mode)
aaa authorization network default group radius
vlan 60
 name data
vlan 61
 name voice
vlan 62
 name video
vlan 63
 name fail-guest-critical

Switch Interface Config
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 no authentication open
 ! Auth-Fail VLAN
 authentication event fail action authorize vlan 63
 ! Guest VLAN*
 authentication event no-response action authorize vlan 63
 ! Critical VLAN
 authentication event server dead action authorize vlan 63
 authentication port-control auto
 mab
 dot1x pae authenticator

*Not needed if AAA server has Unknown MAC policy

Clientless Endpoints Need Attention

Option 1: Reduce Timeout (with default timers a clientless endpoint waits 90+ seconds)
interface GigabitEthernet1/4
 dot1x timeout tx-period 5

Option 2: Reverse Order
interface GigabitEthernet1/4
 authentication order mab dot1x
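The Low Impact host-mode rule, the closed-mode event handling on the High Security switch slide and the two clientless-endpoint options above are all things an operator can check in a running-config before a port goes live. The following audit script is an added example, not code from the deck or from Cisco: the mode classification heuristics, the sample config and the assumption that three EAP-Request/Identity attempts at the default 30-second tx-period produce the deck's 90-second wait are this example's own.

```python
"""Added example (not from the BRKSEC-2005 deck or Cisco): audit Cisco IOS
interface blocks against the deployment-mode rules on the slides.
Classification heuristics and the 90-second figure are this example's assumptions."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/4
 switchport access vlan 60
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication open
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/5
 switchport access vlan 60
 authentication host-mode multi-domain
 authentication event fail action authorize vlan 63
 authentication event no-response action authorize vlan 63
 authentication event server dead action authorize vlan 63
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/6
 switchport access vlan 60
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

DEFAULT_TX_PERIOD = 30   # IOS default dot1x timeout tx-period, seconds
IDENTITY_REQUESTS = 3    # assumption: initial request plus two retries before MAB starts


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None   # '!' or a global command ends the block
    return blocks


def classify_mode(cmds: List[str]) -> str:
    """Map 'authentication open' and a pre-auth ACL onto the deck's three modes."""
    if "authentication port-control auto" not in cmds:
        return "none"
    is_open = "authentication open" in cmds
    has_acl = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
    if is_open and has_acl:
        return "low-impact"
    return "monitor" if is_open else "high-security"


def clientless_wait_seconds(cmds: List[str]) -> int:
    """Seconds a non-802.1X endpoint waits before MAB runs (0 if MAB goes first)."""
    if "authentication order mab dot1x" in cmds:
        return 0
    tx = DEFAULT_TX_PERIOD
    for c in cmds:
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", c)
        if m:
            tx = int(m.group(1))
    return tx * IDENTITY_REQUESTS


def audit_interface(name: str, cmds: List[str]) -> List[str]:
    """Return findings for one port; an empty list means it matches its mode."""
    findings: List[str] = []
    mode = classify_mode(cmds)
    if mode == "none":
        return findings
    host_mode = "single-host"
    for c in cmds:
        if c.startswith("authentication host-mode "):
            host_mode = c.split()[-1]
    # Piggybacking: once access is enforced, the deck wants multi-domain or single-host.
    if mode != "monitor" and host_mode == "multi-auth":
        findings.append(f"{name}: host-mode multi-auth in {mode} mode; "
                        "use multi-domain (IPT) or single-host")
    if mode == "high-security":
        # Closed port: each failure path needs an explicit VLAN or the endpoint gets nothing.
        for event in ("fail", "no-response", "server dead"):
            if not any(c.startswith(f"authentication event {event} action") for c in cmds):
                findings.append(f"{name}: no 'authentication event {event} action' configured")
        if "mab" in cmds and clientless_wait_seconds(cmds) > DEFAULT_TX_PERIOD:
            findings.append(f"{name}: clientless endpoints wait ~{clientless_wait_seconds(cmds)}s "
                            "before MAB; reduce tx-period or order MAB first")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface block in the config, keyed by interface name."""
    return {name: audit_interface(name, cmds)
            for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, issues in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

On the constructed sample, Gi1/4 is flagged for multi-auth in Low Impact mode, Gi1/5 passes (multi-domain, all three event handlers, MAB first), and Gi1/6 collects four findings: no fail, no-response or server-dead handling on a closed port, plus the 90-second wait for MAB endpoints.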

High Security Mode: AAA Server

If no VLAN is sent, the switch will use the static switchport VLAN.
Configure dynamic VLANs for any user that should be in a different VLAN.

Extending the Network Edge

Hubs on an 802.1X network:
 introduce multiple MACs per port
 may not actually be hubs
 are not managed devices

Ideally, extended edge:
 Extends trust and policy
 Uses a managed device
 Works on any access port

Network Edge Authentication Topology (NEAT)

Message flow between the Supplicant Switch (SSw), the Authenticator Switch (ASw) and the RADIUS server:
1) SSw -> ASw: EAP-Response: SSw
   ASw -> RADIUS: Access-Request [AVP: EAP-Response: SSw]
2) RADIUS -> ASw: Access-Accept [device-traffic-class=switch]
3) Alice -> SSw: EAP-Response: Alice
   SSw -> RADIUS: Access-Request [AVP: EAP-Response: Alice]
4) RADIUS -> SSw: Access-Accept [VLAN Yellow]

1) NEAT-capable SSw authenticates itself to the Authenticator Switch (ASw).
2) ASw converts the port to a trunk.
3) SSw authenticates users and devices in the conference room.
4) ASw learns authenticated MACs via Client Information Signaling Protocol (CISP).

NEAT Configurations

SSw (Supplicant Switch)
Global Configs
 cisp enable
 dot1x supplicant force-multicast
 dot1x credentials <profile_name>
  username <user>
  password <passwd>
Interface config (connected to ASw)
 interface gigabitethernet1/0/1
  switchport trunk encap dot1q
  switchport mode trunk
  dot1x pae supplicant
  dot1x credentials <profile_name>

ASw (Authenticator Switch)
Global Config
 neat enable
 cisp enable
Minimal Interface config (connected to SSw)
 interface GigabitEthernet5/1
  switchport access vlan $AVID
  switchport mode access
  dot1x pae authenticator
  authentication port-control auto
Autoconfig Apply Macro (applied once the RADIUS Server returns device-traffic-class=switch)
 no switchport access vlan $AVID
 no switchport nonegotiate
 switchport mode trunk
 switchport trunk native vlan $AVID
 no spanning-tree bpduguard enable
 spanning-tree portfast trunk

High Security in a Nutshell

Summary
 Default closed
 Differentiated access control using dynamic VLANs
Benefits
 Logical Isolation at L2
 No Access for Unauthorized Endpoints
 Network Extension Using NEAT
Limitations
 Impact to Network
 Impact to Endpoints
Next Steps
 Monitor the Network
 Evaluate Remaining Risk

Conclusion


Yes, It Really Does Work

Siemens IT
 http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/case_study_c36-539649.html
 50K+ endpoints, Windows native supplicant, EAP-TLS, IP Telephony

Hospital da Luz
 http://www.cisco.com/web/strategy/docs/healthcare/daLuz_hospital_cStudy.pdf
 High Security, MAB first for medical devices

Telecomputing
 Managed LAN / Cloud Service Provider; 12K endpoints, all remote offices

Large Software Vendor
 Gartner Case Study; Windows native supplicant, PEAP-MSCHAP-v2, Cloudpath, MS SMS, 70K endpoints
 Support staff: < 5 hours/week once deployed

Large European Municipality
 10K+ endpoints; 100% successful with Monitor Mode, currently progressing to Low Impact

Lessons Learned & Factors for Success

Start with Monitor Mode
 Collect and study network telemetry
 Phase in access control
Homogeneity makes things easier
Prioritize teamwork and communication
 Multiple protocols, multiple features, multiple products
Proof of concept is not optional

Where to Find out More

Advanced 802.1X: BRKSEC-3005
Profiling and Guest: BRKSEC-2041
TrustSec SGA, SGTs, SGACLs: BRKSEC-2046

Where to Find out More

Whitepapers
 Deployment Scenario Design Guide
 Deployment Scenario Config Guide
 IEEE 802.1X Deep Dive
 MAB Deep Dive
 Web Auth Deep Dive
 Flex Auth App Note
 IP Telephony Deep Dive

www.cisco.com/go/ibns
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27573287_ps6638_Products_White_Paper.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Visit the Cisco Store for Related Titles http://theciscostores.com


Thank you.
