802.1x Introduction
Veronika Štorková, CCIE R&S #23705
Systems Engineer
Agenda
– Identity and Authentication
– Network Access Protocols and Mechanisms
– Cisco TrustSec – Umbrella for 802.1x
– Basic 802.1x configuration on a LAN switch
Cisco Expo – T-SEC
Cisco Public
2
Why Identity Is Important
1. Who are you? 802.1x (or a supplementary method) authenticates the user. (Keep the outsiders out)
2. Where can you go? Based on authentication, the user is placed in the correct VLAN. (Keep the insiders honest)
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come). (Personalize the network)
4. What are you doing? The user’s identity and location can be used for tracking and accounting. (Increase network visibility)
Basic Identity Concepts
What is an identity?
– An assertion of who we are.
– It allows us to differentiate between one another.
What does it look like? Typical network identities include:
• Username / Password
• Email: jdoe@foo.com
• MAC Address: 00-0c-14-a4-9d-33
• IP Address: 10.0.1.199
• Digital Certificates
How do we use identities?
– Used to grant appropriate authorizations — rights to services within a given domain.
What Is Authentication? Authorization?
Authentication is the process of establishing and confirming the identity of a client requesting services.
Authentication is only useful if used to establish corresponding authorization (e.g. access to a bank account).
Bank example:
Customer: I’d like to withdraw €500.00 please.
Teller: Do you have identification?
Customer: Yes, I do. Here it is.
Teller: Thank you. Here are your euros.
An authentication system is only as strong as the method of verification used.
Applying the Authentication Model to the Network
Client: I’d like to connect to the network.
Network: Identification required.
Client: Here is my identification.
Network: Identification verified, access granted!
This is identity-enabled networking.
Some Important Points on Authentication
– The process of authentication is used to verify a claimed identity.
– An identity is useful as a pointer to an applicable policy and for accounting.
– Without authorization or associated policies, authentication alone is pretty meaningless.
– An authentication system is only as strong as the method of verification used.
Agenda
– Identity and Authentication
– Network Access Protocols and Mechanisms
– Cisco TrustSec – Umbrella for 802.1x
– Basic 802.1x configuration on a LAN switch
IEEE 802.1X
– Standard set by the IEEE 802.1 working group.
– A framework designed to address and provide port-based access control using authentication.
– 802.1X is primarily an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol.
– Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point).
– Assumes a secure connection.
– Actual enforcement is via MAC-based filtering and port-state monitoring.
802.1X Port Access Control Model
Supplicant --(Layer 2: request for service / connectivity)--> Authenticator --(Layer 3: backend authentication support)--> Authentication Server --(identity store integration)--> Identity Store/Management
– Supplicant (e.g. SSC): desktop/laptop, IP phone, WLAN AP, switch
– Authenticator: switch, router, WLAN AP
– Authentication Server: IAS / NPS, ACS, any IETF RADIUS server
– Identity Store/Management: MS Active Directory, LDAP, NDS, ODBC
802.1X Protocols
Supplicant (SSC) <--Layer 2: EAP over LAN (EAPoL) or EAP over WLAN (EAPoW)--> Authenticator <--Layer 3: RADIUS--> Authentication Server <--store-dependent protocol--> Identity Store
EAP itself runs between the supplicant and the authentication server; EAPoL/EAPoW and RADIUS only carry it across each hop.
Extensible Authentication Protocol (EAP)
– Transports arbitrary authentication information in the form of EAP payloads.
– Establishes and manages connections; allows authentication by encapsulating various types of authentication exchanges.
– It is not an authentication mechanism itself: the actual authentication mechanisms are called EAP methods.
– EAP provides a flexible link layer security framework.
– Simple encapsulation protocol with no dependency on IP.
– Few link layer assumptions: can run over any link layer (PPP, 802, etc.).
– Assumes no reordering; can run over lossy or lossless media.
– Defined by RFC 3748 (http://www.ietf.org/rfc/rfc3748.txt).
A Closer Look: 802.1X
Supplicant (SSC) <--802.1X (EAPOL)--> Authenticator (switch) <--RADIUS--> Authentication Server
1. Port Unauthorized
2. EAPOL-Start (supplicant to switch)
3. EAP-Identity-Request (switch to supplicant)
4. EAP-Identity-Response (supplicant to switch)
5. EAP-Auth Exchange, EAP method dependent; the switch relays it as an auth exchange with the AAA server
6. EAP-Success to the supplicant; Auth Success & Policy Instructions from the AAA server to the switch
7. Port Authorized
8. EAPOL-Logoff
9. Port Unauthorized
The actual authentication is between the client and the auth server using EAP. The switch is an EAP conduit, but aware of what’s going on.
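The exchange above, as an added example that is not part of the original slides: it builds and parses the EAPOL frames of steps 1 to 9 and drives a minimal authenticator port state machine with them. Frame layouts follow IEEE 802.1X and RFC 3748; the switch MAC, the supplicant MAC and the "only sally is accepted" verdict that stands in for the RADIUS-side method exchange are constructed for the demo.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 01:80:c2:00:00:03, as in the slides
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, type_=None, data=b""):
    """EAP: code(1) id(1) length(2) [type(1) data]; Success/Failure carry no type."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src_mac, pkt_type, body=b""):
    """Ethernet header to the PAE group address, EAPOL header (version 1), body."""
    return (PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, pkt_type, len(body)) + body)


def parse_eapol(frame):
    """Return (src_mac, eapol_type, eap) where eap is a dict or None; raise if malformed."""
    dst, src = frame[:6], frame[6:12]
    if dst != PAE_GROUP_ADDR or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    if pkt_type != EAPOL_EAP_PACKET:
        return src, pkt_type, None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != length or eap_len < 4:
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"], eap["data"] = body[4], body[5:]
    return src, pkt_type, eap


class AuthenticatorPort:
    """Controlled-port state as the slides describe it: closed until the AAA
    decision arrives as EAP-Success, and closed again on EAPOL-Logoff."""
    SWITCH_MAC = bytes.fromhex("001122334455")   # constructed authenticator address

    def __init__(self):
        self.authorized, self.identity, self.next_id = False, None, 1

    def handle(self, frame):
        """Consume one supplicant frame; return the frame the switch sends back, or None."""
        _src, pkt_type, eap = parse_eapol(frame)
        if pkt_type == EAPOL_LOGOFF:                      # step 8 -> 9: port unauthorized
            self.authorized, self.identity = False, None
            return None
        if pkt_type == EAPOL_START:                       # step 2 -> 3: ask for identity
            req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            self.next_id += 1
            return eapol_frame(self.SWITCH_MAC, EAPOL_EAP_PACKET, req)
        if eap and eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
            self.identity = eap["data"].decode()
            # Steps 5-6 happen between client and AAA server over RADIUS; a constructed
            # server verdict stands in for that method exchange here.
            self.authorized = self.identity == "sally"
            code = EAP_SUCCESS if self.authorized else EAP_FAILURE
            return eapol_frame(self.SWITCH_MAC, EAPOL_EAP_PACKET, eap_packet(code, eap["id"]))
        return None


def run_exchange(identity):
    """Walk steps 1-9 for one supplicant; return (final EAP code, authorized after
    the exchange, authorized after EAPOL-Logoff)."""
    port, sup = AuthenticatorPort(), bytes.fromhex("000c14a49d33")   # constructed client MAC
    reply = port.handle(eapol_frame(sup, EAPOL_START))
    _, _, req = parse_eapol(reply)
    resp = eap_packet(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, identity.encode())
    _, _, verdict = parse_eapol(port.handle(eapol_frame(sup, EAPOL_EAP_PACKET, resp)))
    after_auth = port.authorized
    port.handle(eapol_frame(sup, EAPOL_LOGOFF))
    return verdict["code"], after_auth, port.authorized
```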
For Your Reference
802.1X - EAP Methods
EAP methods define the credential type and authentication method to be used.
– Supplicant and Authentication Server must support the same method
– Most common credential types are passwords and X.509 certificates
– Certificates often increase complexity of deployment
Common EAP Methods
Method         Client Credential    Basis for Encryption    Key Benefit
EAP-TLS        Client certificate   Not required            Highly secure, x.509 certs
PEAP-MSCHAPv2  Username/Password    Server-cert TLS tunnel  Does not require client cert
EAP-FAST       PAC                  Server PAC              Requires no certs
EAP Authentication Methods
Challenge-response based:
– MD5: uses MD5-based challenge-response for authentication
– LEAP-MD5EAP: uses username/password authentication
– EAP-MSCHAPv2: uses username/password MSCHAPv2 challenge-response authentication
Cryptographic:
– EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
– PEAP: protected EAP tunnel mode; EAP encapsulates other EAP types in an encrypted tunnel, much like web-based SSL
– EAP-TTLS: other EAP methods over an extended EAP-TLS encrypted tunnel
– EAP-FAST: tunneling method designed to not require the deployment of certificates
Other:
– EAP-GTC: generic token and OTP authentication
– GSS-API: Kerberos
Tunneling Methods
– Some EAP methods set up an encrypted tunnel and pass credentials through the tunnel.
– Anonymous outer identity provides the ability to completely obfuscate the user’s credentials:
  SSC / ACS – Yes
  Windows Native / IAS – No
– Some EAP methods require an EAP method inside the tunnel (PEAP and FAST).
– Some EAP methods do not require an EAP method inside the tunnel (TTLS); used with legacy RADIUS.
For Your Reference
EAP Nomenclature
Examples:
– TLS means EAP-TLS
– MSCHAPv2 means EAP-MSCHAPv2
– GTC means EAP-GTC
– PEAP/TLS means EAP-PEAP with EAP-TLS inside the encrypted tunnel
– PEAP/MSCHAPv2 means EAP-PEAP with EAP-MSCHAPv2 inside the encrypted tunnel
– PEAP means PEAP/MSCHAPv2 in this techtorial
– FAST/MSCHAPv2 means EAP-FAST with EAP-MSCHAPv2 inside the encrypted tunnel
For Your Reference
EAP Protocols: Feature Support
Feature                           EAP-TLS                     PEAP                        EAP-FAST
Login Scripts (Active Directory)  Yes                         Yes                         Yes
Password Expiration (AD)          N/A                         Yes                         Yes
Client and OS Availability        SSC, XP, Vista and others   SSC, XP, Vista and others   SSC, Vista and others
MS DB Support                     Yes                         Yes                         Yes
LDAP DB Support                   Yes                         Yes                         Yes
OTP Support                       No                          Yes                         Yes
Off-line Dictionary Attacks       No                          No                          No
Server Certificates Required      Yes                         Yes                         No
Client Certificates Required      Yes                         No                          No
Computing Impact                  High                        Medium                      Low
Single Sign-on                    Yes                         Yes                         Yes
Factors That Drive EAP Method
Enterprise security policy
– Certificate Authority deployment
– Requirements such as two-factor authentication may drive the choice of EAP-TLS
Client support
– Windows XP supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS
– 3rd party supplicants support a large variety of EAP types, but not all
Authentication server support
– RADIUS servers support a large variety of EAP types, but not all
Identity store
– PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format
– Not every identity store supports all the EAP types
The customer’s choice of EAP type drives the other components.
How Is RADIUS Used Here?
RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server). RFC 3579 defines how RADIUS supports EAP between authenticator and authentication server.
  IP Header | UDP Header | RADIUS Header | EAP Payload
RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs.
  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
Usage guideline for 802.1X authenticators’ use of RADIUS: RFC 3580.
AV Pairs: Attribute-Value Pairs.
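As an added example (not from the slides), this is the encapsulation the packet layouts above describe: an EAP Response/Identity wrapped in a RADIUS Access-Request as EAP-Message attributes, with the Message-Authenticator that RFC 3579 requires on every EAP-carrying RADIUS packet, plus the server-side check that rejects a packet whose authenticator is missing or wrong. The shared secret, identifiers and identity strings are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(atype, value):
    """RADIUS attribute: type(1) length(1) value; length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_response_identity(ident, identity):
    """EAP Response/Identity: code=2 id length type=1 identity (RFC 3748)."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, ident, 5 + len(data), 1) + data


def build_access_request(secret, identifier, eap_payload, request_auth=None):
    """Access-Request carrying the EAP payload in EAP-Message attributes plus the
    Message-Authenticator RFC 3579 requires whenever EAP-Message is present.
    Assumes eap_payload is a Response/Identity so User-Name can mirror the identity."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, eap_payload[5:])
    for i in range(0, len(eap_payload), 253):             # long EAP payloads are fragmented
        attrs += attr(ATTR_EAP_MESSAGE, eap_payload[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return [(type, value, offset)] for the attribute region; raise if lengths disagree."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, out = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return out


def verify_access_request(secret, packet):
    """Server-side check: EAP-Message requires exactly one valid Message-Authenticator.
    Returns the reassembled EAP payload, or None when the packet must be discarded."""
    attrs = parse_attributes(packet)
    eap = b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not eap or len(macs) != 1 or len(macs[0][0]) != 16:
        return None
    mac, off = macs[0]
    # Recompute over the packet with the Message-Authenticator value zeroed
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(expected, mac) else None
```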
Default Security with 802.1X: Before Authentication
interface fastEthernet 3/48
 authentication port-control auto
No visibility (yet); strict access control.
One physical port -> two virtual ports:
– Uncontrolled port (EAPoL only)
– Controlled port (everything else)
ALL traffic except EAPoL is dropped (figure: the user’s DHCP, TFTP, KRB5 and HTTP frames are blocked at the switch port; only EAPoL passes).
Default Security with 802.1X: After Authentication
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
User/device is known: identity-based access control (authenticated user: Sally).
Single MAC per port. To the user the port looks the same as without 802.1X (figure: DHCP, TFTP, KRB5 and HTTP now pass).
Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.
Default Security: Consequences
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Default 802.1x challenge: devices without supplicants can’t send EAPoL, and no EAPoL = no access. The device stays offline (figure: the switch sends EAPoL Request-Identity, the device never answers, and its DHCP and TFTP traffic is dropped).
One physical port -> two virtual ports:
– Uncontrolled port (EAPoL only)
– Controlled port (everything else)
No EAPoL / no access.
Default Security: More Consequences
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Multiple MACs on a port are treated as a SECURITY VIOLATION and assumed to be malicious. Sources of multiple MACs: hubs, gratuitous ARPs, VMware (figure: a VM host behind the switch port).
Handling Non-802.1X Clients & Guests
Authenticate via a less-secure method:
– MAC Authentication Bypass (MAB)
– Web Auth (client must have a browser)
Give them limited access after timeout and no response:
– Guest VLAN
Allow WLAN access instead of wired:
– WLAN is a great way to do guest access if available
MAC Authentication Bypass (MAB)
interface GigabitEthernet 1/1
 mab
Sequence (client with MAC 00.0a.95.7f.de.06 and no supplicant):
1. Upon link up: the switch sends EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response
2. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response
3. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response
4. After 30 seconds: EAPOL-Timeout; the switch initiates MAB
5. Variable delay: the switch learns the MAC from the client’s first frame
6. RADIUS-Access Request (switch to RADIUS server)
7. RADIUS-Access Accept
8. Port Enabled (Dot1x/MAB)
MAB Limitations & Challenges
MAB requires creating and maintaining a MAC database.
Default 802.1X timeout = 90 seconds
– 90 sec > default MSFT DHCP timeout
– 90 sec > default PXE timeout
– Current workaround: timer tuning (always requires testing)
  • max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
  • tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
  • 802.1X Timeout == (max-reauth-req + 1) * tx-period
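An added example (not from the slides) that models the timeout formula above, lists when the EAP-Identity-Request frames go out, and finds the tx-period that keeps the 802.1X timeout below a DHCP client deadline. The deadline is an input you supply: the slides only say that the 90 s default exceeds the Microsoft DHCP and PXE timeouts, and the minimum tx-period of 1 s is an assumed constraint.

```python
DEFAULT_MAX_REAUTH_REQ = 2   # retransmissions of EAP-Request/Identity (slide default)
DEFAULT_TX_PERIOD = 30       # seconds between retransmissions (slide default)


def dot1x_timeout(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD):
    """Seconds from link-up until the switch gives up on 802.1X and falls back
    (to MAB or the guest VLAN): (max-reauth-req + 1) * tx-period."""
    if max_reauth_req < 0 or tx_period <= 0:
        raise ValueError("max-reauth-req must be >= 0 and tx-period > 0")
    return (max_reauth_req + 1) * tx_period


def identity_request_schedule(max_reauth_req=DEFAULT_MAX_REAUTH_REQ,
                              tx_period=DEFAULT_TX_PERIOD):
    """(send times in seconds after link-up, timeout): the initial request plus
    max_reauth_req retransmissions, as in the MAB sequence above."""
    sends = [i * tx_period for i in range(max_reauth_req + 1)]
    return sends, dot1x_timeout(max_reauth_req, tx_period)


def tune_timers(deadline, min_tx_period=1, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Largest tx-period that keeps the 802.1X timeout strictly below the deadline
    (e.g. the DHCP client's give-up time), or None if even min_tx_period is too
    slow, in which case max_reauth_req has to drop as well. A shorter timeout also
    means slow-booting 802.1X supplicants fall back sooner: test before rollout."""
    tx = (deadline - 1) // (max_reauth_req + 1)
    if tx < min_tx_period:
        return None
    return {"max_reauth_req": max_reauth_req, "tx_period": tx,
            "timeout": dot1x_timeout(max_reauth_req, tx)}


def interface_commands(settings):
    """Per-interface IOS commands that set the chosen values."""
    return ["dot1x max-reauth-req %d" % settings["max_reauth_req"],
            "dot1x timeout tx-period %d" % settings["tx_period"]]
```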
NAC Profiler
Query MAC Database After Deploying 802.1X
1) 802.1X times out; the switch initiates MAB
2) The switch sends RADIUS-Access Request with 00-18-f8-09-cf-d7 as the identity; ACS queries the Profiler database using LDAP (LDAP: 00-18-f8-09-cf-d7)
3) Profiler validates the MAC address (LDAP success)
4) ACS sends MAB success (RADIUS-Access Accept)
5) The switch enables the port (with optional authorization)
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 authentication port-control auto
 mab
802.1X with Guest VLAN
authentication event no-response action authorize vlan 50
802.1X process:
1. Upon link up: EAP-Identity-Request, D = 01.80.c2.00.00.03; no response
2. After 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03; no response
3. After 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03; no response
4. After 30 seconds: EAP-Success, D = 01.80.c2.00.00.03; the port is deployed into the guest VLAN
– Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not).
– A device is only deployed into the guest VLAN based on the lack of response to the switch’s EAP-Request-Identity frames (which can be thought of as 802.1X hellos).
– No further security or authentication is applied. It’s as if the administrator deconfigured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN.
– 90 seconds is greater than the MSFT DHCP timeout.
802.1X and Voice: Multi-Domain Authentication (MDA)
IEEE 802.1X: single device per port.
MDA: single device per domain per port (two domains per port):
– The phone authenticates in the Voice Domain and tags traffic in the VVID (802.1q)
– The PC authenticates in the Data Domain, untagged traffic in the PVID
– MDA replaces CDP Bypass
– Supports Cisco & 3rd party phones
– Phones and PCs use 802.1X or MAB
(figure: a Catalyst 3750 port with an IP phone and a PC behind it, voice and data domains)
Minimum software: 3K: 12.2(35)SEE; 4K: 12.2(37)SG; 6K: 12.2(33)SXI
IPT & 802.1X: The Link-State Problem
1) Legitimate users cause a security violation: device A (S:0011.2233.4455) authenticates behind the phone, so the port is authorized for 0011.2233.4455 only; when device B (S:6677.8899.AABB) takes its place, the switch sees a new MAC and raises a Security Violation.
2) Hackers can spoof a MAC to gain access without authenticating: after device A leaves, a device sending as S:0011.2233.4455 inherits the still-open session (Security Hole).
(figure: Catalyst 3750 with an IP phone and PCs A and B)
802.1X + IPT Solution
Link State: Three Solutions
1. Proxy EAPoL-Logoff (phone feature): the phone sends EAPoL-Logoff on behalf of the PC when it unplugs, and the session is cleared.
   – Only works for 802.1X endpoints
   – Requires a Logoff-capable phone
   – Potential competitive differentiator
2. Inactivity Timer (switch feature): the session is cleared when the timer expires.
   – Works for MAB endpoints
   – Port vulnerable during the timeout
   – Quiet devices may get kicked off
3. CDP 2nd Port Status (combined switch + phone feature): the phone reports CDP Link Down, and the session is cleared.
   – Works for all of 802.1X, MAB, Web-Auth
   – Nothing to configure
   – Cisco on Cisco value!
(figure: three Catalyst 3750 + IP phone + SSC diagrams, one per solution)
NEW Solution: CDP 2nd Port Notification
1. Device A is authorized behind the phone (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB).
2. Device A unplugs.
3. The phone sends a link-down TLV to the switch (CDP Link Down).
4. The session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED). Works for MAB and 802.1X; nothing to configure.
5. Device B plugs in and authenticates (Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x).
The link status message addresses the root cause.
Minimum software: IP Phone: 8.4(1); 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
(figure: Catalyst 3750 with an IP phone and an SSC client)
Modifying Default Security with 802.1X: Multi-Auth Mode
interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
Multiple MACs on the port, each MAC authenticated (802.1X or MAB); figure: a VM host whose VMs each run their own EAPoL exchange.
– No VLAN assignment supported
– Superset of MDA with multiple data devices per port
For Your Reference
Summary: Multiple Hosts per Port
Single
  Enforcement: single mac address per port
  Deployment considerations:
  • Second mac address triggers a security violation
  • VMs on the host must share the same mac address
  • CDP Bypass is the only IPT solution
Multi-Domain Auth (MDA)
  Enforcement: one Voice Device + one Data Device per port
  Deployment considerations:
  • Same as single host mode except the phone authenticates
  • Supports third party phones
Multi-Auth
  Enforcement: superset of MDA with multiple Data Devices per port
  Deployment considerations:
  • Authenticates every mac address in the data domain
  • VMs on the host may use different mac addresses
  • One VLAN (default port VLAN) for all devices on the port
Multi-Host
  Enforcement: one authenticated device allows any number of subsequent mac addresses
  Deployment considerations:
  • Not recommended
  • VMs on the host may use different mac addresses
  • CDP Bypass is the only IPT solution
Agenda
– Identity and Authentication
– Network Access Protocols and Mechanisms
– Cisco TrustSec – Umbrella for 802.1x
– Basic 802.1x configuration on a LAN switch
The Transformation: The World Is Our New Workspace
Borderless Networks: Any Person, Any Device, Any Place, Any Resource, each of them the right one.
A next generation architecture to deliver the new workspace experience.
Cisco TrustSec
Cisco TrustSec is a security solution that provides policy-based access control, identity-aware networking, and data integrity and confidentiality services.
The term TrustSec has been expanded to include several methods for securing network access and control, including:
Switch infrastructure solutions:
• Identity-Based Networking Services
• 802.1X
• Security Group Tags (SGTs)
Appliance-based solutions:
• Network Admission Control
Authentication and Authorization (NAC Appliances, 802.1x/Infrastructure)
(figure) Example sessions and their identity information:
– Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.; Group: Full-Time Employee
– Frank Lee: Guest; Wireless; 9 a.m.; Group: Guest
– Security Camera G/W: Agentless Asset; MAC: F5 AB 8B 65 00 D4
– Francois Didier: Consultant, HQ—Strategy; Remote Access; 6 p.m.; Group: Contractor
Identity information (group, device type, access type) plus other conditions (time and date, posture, location, compliance) control access and select the authorization: Broad Access, Limited Access, Guest/Internet, Quarantine, or Deny Access, with access reporting.
Cisco TrustSec Portfolio
Appliance Policy Components: NAC Manager + NAC Server (admin, reporting, posture, services, and policy store and enforcement) OR ACS (Identity & 802.1x Access Policy System)
Endpoint Components (Optional): NAC Agent / Web Agent (no-cost persistent & temporal clients for authentication, posture, & remediation) OR SSC (802.1x supplicant: CSSC or OS-embedded supplicant)
Infrastructure Components (Enforcement): Cisco 2900/3560/3700/4500/6500 and Nexus 7000 switches, Adaptive Security Appliance (ASA), Wireless and Routing Infrastructure
Plus: NAC Profiler (profiles non-authenticating devices) and NAC Guest (full-featured guest provisioning server)
What’s Right For Me?
– Immediate need for posture assessment? -> NAC
– Largely non-Cisco access infrastructure? -> NAC
– 802.1x or industry standard mandate over the next 1-2 years? -> ACS
– Have or plan to deploy a service-enabled infrastructure? -> ACS
Note: Guest Server and Profiler can be deployed with both NAC and ACS.
Agenda
– Identity and Authentication
– Network Access Protocols and Mechanisms
– Cisco TrustSec – Umbrella for 802.1x
– Basic 802.1x configuration on a LAN switch
Default 802.1x settings on LAN switch – 1.
Feature: Value
– Host mode: Single-host mode
– RADIUS server IP address: None specified
– RADIUS server UDP authentication port: 1812
– RADIUS server key: None specified
– Control direction: Bidirectional
– Periodic re-authentication: Disabled
– Number of seconds between re-authentication attempts: 3600 s
– Re-authentication number: 2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state)
– Quiet period: 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client)
– Retransmission time: 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request)
– Maximum retransmission number: 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process)
Default 802.1x settings on LAN switch – 2.
Feature: Value
– Client timeout period: 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client)
– Authentication server timeout: 30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before resending the response to the server); dot1x timeout server-timeout (@ intf)
– Guest VLAN: None specified
– Inaccessible authentication bypass: Disabled
– Restricted VLAN: None specified
– Authenticator (switch) mode: None specified
– MAC authentication bypass: Disabled
802.1x configuration guidelines
– Ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
– If you try to change the mode of an 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
– If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
– If the VLAN to which an 802.1x port is assigned is shut down, disabled, or removed, the port becomes unauthorized.
– The 802.1x protocol is supported on L2 static-access ports, voice VLAN ports, and L3 routed ports.
– 802.1x is not supported on trunk ports, dynamic ports, dynamic-access ports, EtherChannel, SPAN & RSPAN destination ports.
– If using Cisco ACS for EAP-TLS and EAP-MD5, you must run version 3.2.1 or higher.
Basic 802.1x config
(figure: RADIUS-to-switch config topology)
Switch Port Before Config
interface GigabitEthernet1/0/4
 description Dot1x
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
end
Switch Port After Config
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server attribute 8 include-in-access-req
radius-server host 192.168.10.5 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
interface GigabitEthernet1/0/15
 description Sample Dot1x
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 dot1x pae authenticator
 authentication port-control auto
 srr-queue …
Switch Port Before Auth
Switch#show authentication session gi1/0/15
Interface: GigabitEthernet1/0/15
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A640A050000163C37C0ED38
Acct Session ID: 0x0000163E
Handle: 0xD600063D
Runnable methods list:
Method   State
dot1x    Running
Switch Port After Auth
Switch#show authentication sessions interface g1/0/15
Interface: GigabitEthernet1/0/15
MAC Address: 0014.5e95.d6cc
IP Address: 10.1.2.200
User-Name: admin
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A640A050000163D37C44E6C
Acct Session ID: 0x0000163F
Handle: 0x5D00063E
Runnable methods list:
Method   State
dot1x    Authc Success
Agenda
– Identity and Authentication
– Network Access Protocols and Mechanisms
– Cisco TrustSec – Umbrella for 802.1x
– Basic 802.1x configuration on a LAN switch
Summary
References
– Configuring IEEE 802.1x Port-Based Authentication (Cat3560-E, IOS 12.2(52)SE): http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_52_se/configuration/guide/sw8021x.html
– Network Virtualization--Access Control Design Guide (Cisco CVD): http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html
Recommended Reading
– LAN Switch Security: What Hackers Know About Your Switches – Eric Vyncke, Christopher Paggen: http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563