
Deploying Wired 802.1X

BRKSEC-2005

14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved.
14657_05_2008_c1.scr
Overview and Agenda

• Network Access
• Default Functionality
• Deployment Considerations
• Reporting and Monitoring
• Looking Forward
• Deployment Case Study

What We Won’t Be Covering

• AAA authentication on routers
• IPsec authentication
• In-depth concepts on identity management and single sign-on (upper-layer identity)
• Specific Extensible Authentication Protocol (EAP) methods
• X.509 certificates and PKI
• Wireless LAN 802.1X
• Switch features that are not consistent across platforms
• CatOS
Network Access


Today’s Access Layer

(Diagram: end users, that is employees on managed assets, guests/contractors and outsiders, connect through network access devices to the intranet and to the Internet.)
Identity Networking Heuristics

• Keep the outsiders out: prevent unsecured individuals from gaining physical and logical access to a network
• Keep the insiders honest: what can validated users do once they get network access? (Diagram: a validated user is allowed e-mail but denied access to payroll.)
• Increase network visibility (real-time and logged): enterprises need accountability.

Basic Identity Concepts

• What is an identity?
  An indicator of a client in a trusted domain; typically used as a pointer to a set of rights or permissions; allows us to differentiate between clients
• What does it look like?
  Can look like anything, for example:
  dmiller@foo.com
  Darrin Miller
  00-0c-14-a4-9d-33
• How do we use identities?
  Used to provide authorizations—rights to services within a domain; services are arbitrary and can happen at any layer of the OSI model
What Is Authentication?

• The process of establishing and confirming the identity of a client requesting services
• Authentication is only useful if used to establish corresponding authorization
• The model is very common in everyday scenarios:
  I’d like to withdraw $200.00 please.
  Do you have identification?
  Yes, I do. Here it is.
  Thank you. Here’s your money.

An authentication system is only as strong as the method of verification used.

Identity and Authentication Are Important?
Applying the Authentication Model to the Network

  I’d like to connect to the network.
  Do you have identification?
  Yes, I do. Here it is.
  Thank you. Here you go.

Network Access Control Model

(Diagram: Request for Service (Connectivity) -> Backend Authentication Support -> Identity Store Integration)

• LAN media independence
• User authentication
• Device authentication
Default Functionality


Identity Networking
General Identity and Authentication Space

• IEEE 802.1X
• MAC Auth
• Web Auth
• AAA
• Policy
• Management
• Troubleshooting
IEEE 802.1X

• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring

General Description
IEEE 802.1X Terminology

(Diagram: the Supplicant talks to the Authenticator, the Port Access Entity (PAE), using EAP over LAN (EAPOL) or EAP over Wireless (EAPOW); the Authenticator talks to the Authentication Server using RADIUS.)
Extensible Authentication Protocol (EAP)

• A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
• EAP provides a flexible link layer security framework
  Simple encapsulation protocol
  No dependency on IP
  Few link layer assumptions
  Can run over any link layer (PPP, 802, etc.)
  Assumes no reordering
  Can run over lossy or lossless media
• Defined by RFC 3748

What Does EAP Do?

• Transports authentication information in the form of EAP payloads
• Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges
• Prevalent EAP types
  EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
  PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS)
  EAP-FAST (RFC 4851): designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)

(Diagram, the two encapsulation stacks, innermost first:)
  Supplicant to authenticator: EAP Payload inside 802.1X Header inside Ethernet Header
  Authenticator to RADIUS server: EAP Payload inside RADIUS inside UDP inside IP Header
Factors That Drive EAP Usage

• Enterprise security policy
  Are there requirements that drive a particular type?
  Requirements such as two-factor authentication may drive the choice of EAP-TLS
• Supplicant support
  Windows XP supports EAP-TLS and PEAP w/EAP-MSCHAPv2
  Third-party supplicants support a large variety of EAP types
• RADIUS server support
  RADIUS servers support a large variety of EAP types, but not all
• Authentication store
  PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format
  Not every identity store supports all the EAP types
• Customer choice of EAP type influences component selection

How Is RADIUS Used Here?

• RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server)
• RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
  IP Header | UDP Header | RADIUS Header | EAP Payload
• RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
• Usage guideline for 802.1X authenticators’ use of RADIUS: RFC 3580
A Closer Look

(Diagram: supplicant, switch and RADIUS server; port state Unauthorized, labelled 802.1X, STP)

Cisco IOS configuration:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

radius-server host 10.100.100.100
radius-server key cisco123

dot1x system-auth-control

interface GigabitEthernet1/0/1
 dot1x pae authenticator
 dot1x port-control auto

A Closer Look: the full exchange

(Diagram, built up over five slides: supplicant and switch exchange 802.1X/EAPOL on the left; switch and AAA server exchange RADIUS on the right.)

Port Unauthorized (802.1X, STP)
  EAPOL-Start (supplicant to switch)
  EAP-Identity-Request (switch to supplicant)
  EAP-Identity-Response (supplicant to switch, relayed to the AAA server)
  EAP-Auth Exchange, method dependent (supplicant and AAA server through the switch: Auth Exchange w/AAA Server over RADIUS)
  EAP-Success/Failure (switch to supplicant, after Authentication Successful/Rejected from the AAA server, together with Policy Instructions)
Port Authorized
  EAPOL-Logoff (supplicant to switch)
Port Unauthorized

The actual authentication conversation is between client and auth server using EAP; the switch is an EAP conduit, but aware of what’s going on.
Default Security and Operation

Default Security of 802.1X

For each 802.1X switch port, the switch creates two virtual access points at each port: a controlled port and an uncontrolled port.

The controlled port is open only when the device connected to the port has been authorized by 802.1X.

The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic (and CDP traffic) only.
Default Security of 802.1X

(Diagram: end-station 00-01-76-48-90-ff connected to a port; the switch shows its MAC as unknown, “??”)

• Before 802.1X authentication
  MAC address of end-station is unknown
  Spanning-tree is not in a forwarding state for the switch port
  No traffic can be processed by the switch CPU with the exception of EAPOL
• 802.1X state machine directly reliant on link state of port

Default Security of 802.1X

(Diagram: end-station 00-01-76-48-90-ff authenticated; the port permits only 00-01-76-48-90-ff)

IOS:
 dot1x pae authenticator
 dot1x port-control auto

• After 802.1X authentication:
  MAC address of authenticated end-station is known
  Only that one MAC address is allowed (“single auth mode”)
  Network cannot be compromised easily by a non-802.1X client or a different 802.1X client seen on the wire
• Single-auth mode ensures the validity of the authenticated session
Default Security of 802.1X

(Diagram: 00-01-76-48-90-ff is authenticated; a second station, 00-67-e5-bb-45-21, appears on the same wire)

• Additional MAC addresses on the wire are treated as a security violation
• This includes VMware-type devices
• This includes machines that attempt to transmit gratuitous ARP frames

Modifying Default Security of 802.1X

(Diagram: 00-01-76-48-90-ff authenticated; all other MACs, such as 00-67-e5-bb-45-21, are permitted)

IOS:
 dot1x host-mode multi-host

• What if the physical topology does not allow a point-to-point connection? (e.g. a hub in a conference room)
• Multi-host mode
• Use 802.1X to authorize the port only
• Any number of unauthenticated stations is subsequently allowed on the wire
Securing 802.1X in Multi-Host Mode

(Diagram: the port permits only 00-01-76-48-90-ff and 00-67-e5-bb-45-21)

IOS:
 dot1x host-mode multi-host
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2

Recommendation:
• Use 802.1X to authorize the port
• Use port-security to limit the number of other devices allowed on the wire

Switches and 802.1X

(Diagram: supplicant 00-01-76-48-90-ff sends EAPOL to DA = 01-80-c2-00-00-03 through an intermediate switch, which discards it)

• Things to consider before deploying switches in an 802.1X environment
  Supplicants use 01-80-c2-00-00-03
  This group MAC address is also one of the 16 addresses reserved by IEEE 802.1D in the Bridge Protocol Data Unit (BPDU) block
  Switches that comply with 802.1D will discard EAPOL frames by design
  This ensures that EAPOL is not transparently forwarded by a MAC bridge
Non-802.1X Client

(Diagram: 802.1X client process on the switch; each EAP-Identity-Request is sent to D = 01.80.c2.00.00.03 and goes unanswered)
  1. Upon link up: EAP-Identity-Request
  2. After 30 seconds: EAP-Identity-Request
  3. After 30 seconds: EAP-Identity-Request
  4. After 30 seconds: still no response

• Any 802.1X-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not)
• No network access is given if the switch does not receive an EAPOL identity-response
• The whole process restarts after a hold timer
• The process can start again if a supplicant appears on the port and sends an EAPOL-Start

Deployment Considerations
Identity Networking Deployment Considerations

• Authentication and Endpoint Considerations
• 802.1X and Microsoft Windows
• Authorization
• Non-802.1X Clients & Guests
• Failed Access Handling
• RADIUS Availability
• IP Telephony
• Other Considerations

802.1X Authentication Database

• Where is the single source of authentication credentials for the enterprise?
• Do you have to build new trust, or extend trust, between databases?
• Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases
Supplicant Considerations

• Microsoft Windows
  User and machine authentication
  DHCP request time-out
  Machine authentication restriction
  Default methods: MD5, PEAP, EAP-TLS
• Unix/Linux considerations
  Open source: xsupplicant project (University of Utah)
  Available from http://www.open1x.org
  Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
• Native Apple supplicant support in OS X 10.3
  802.1X is turned off by default!
  Default parameters: TTLS, LEAP, PEAP, MD5, FAST supported
  Support for AirPort and wired interfaces
  In 10.5, single sign-on (SSO) can be accomplished for the system or for the user, not both at the same time

Extended Supplicant Suites
Secure Services Client (SSC)

• Introduces features over and above the native supplicants
• Endpoint integrity
• Management interfaces

Features
• Robust profile management
• Support for industry-standard EAP types
• Single sign-on capable
• Enabling of group policies
• Administrative control

Benefits
• Simple, secure device connectivity
• Minimizes chances of network compromise from infected devices
• Reduces complexity
• Restricts unauthorized network access
• Centralized provisioning

Why You Care?

• The original Windows boot process assumed IP connectivity
  Recall the default security of 802.1X: no network connectivity until successful authentication
• The Windows logon process and 802.1X are not serialized with 802.1X for Windows 2000, XP, 2003
  This creates race conditions between 802.1X and the normal boot process
• The above impacts the following:
  Group Policy Objects
  Authentication contexts: machine and user authentication
  Authorization decisions: VLAN assignment
  DHCP

A clear understanding and proper design are required for successful 802.1X deployments.
What Is Group Policy

• Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment
• Machine and User Group Policy Objects (GPOs)
• Types of Group Policy
  Registry-based policy
  Security options
  Software installation and maintenance options
  Script options
  Folder redirection options

802.1X w/Windows Boot Process

(Diagram: boot timeline from Power On through Kernel Loading, Windows HAL Loading and Device Driver Loading, followed by the machine phase and the user phase listed below. Components that are in a race condition with 802.1X auth are highlighted.)

Machine phase (802.1X Machine Auth; VLAN1, 10.1.1.1):
  Obtain Network Address (Static, DHCP)
  Determine Site and DC (DNS, LDAP)
  Establish Secure Channel to AD (LDAP, SMB)
  Kerberos Authentication (Machine Account)
  Computer GPOs Loading (Async)
  GPO-based Startup Script Execution
  Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update

User phase (GINA, then 802.1X User Auth; VLAN2, 99.1.1.1):
  Kerberos Auth (User Account)
  User GPOs Loading (Async)
  GPO-based Logon Script Execution (SMB)

Start of 802.1X auth may vary among supplicants.
Current 802.1X/Winlogon Interoperability with Supplicants

• The supplicant may create a race condition between 802.1X authentication and the Windows logon process
• Appropriate configuration/condition/change on the Windows system is required to “minimize” the possible risk of a race condition
• “100%” interoperability/serialization is not guaranteed yet on XP
• Vista SP1 does serialize the login process!

Microsoft Issues with DHCP
DHCP Is a Parallel Event, Independent of 802.1X Authentication

• With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)
• This produces a problem if not properly planned
• DHCP starts once the interface comes up
• If 802.1X authentication takes too long, DHCP may time out

(Diagram timeline: Power Up -> Load NDIS Drivers -> Setup Secure Channel to DC -> Present GINA (Ctrl-Alt-Del) -> Login. 802.1X Auth runs alongside with a variable timeout; DHCP times out at 62 seconds.)
Microsoft Fixes

Windows XP: install Service Pack 1a + KB 826942
Windows 2000: install Service Pack 4

(Diagram: Supplicant, Authenticator, Authentication Server)
  Login request: the supplicant sends credentials; the authenticator forwards credentials to the ACS server
  Accept: Auth Successful (EAP-Success), with VLAN assignment
  ICMP Echo (x3) for the default gateway from the “old IP” as soon as the EAP-Success frame is received
  DHCP-Request (D=255.255.255.255) after the pings have gone unanswered; answered with DHCP-NAK (wrong subnet)
  DHCP-Discover (D=255.255.255.255)
  At this point, DHCP proceeds normally

802.1X and Windows Recommendations

• Start simple with authentication
• Consider machine authentication only
  You need to manage auth behavior on XP/2000 via registry keys
  http://support.microsoft.com/kb/309448/en-us
  http://www.microsoft.com/technet/network/wifi/wififaq.mspx
• Use the automatic provisioning built into AD if possible
  Machines are provisioned automatically with a machine password
  Certificates can be automatically provisioned via AD GPOs

Authorization

• Authorization is the ability to enforce policies on identities
• Typically policies are applied using a group methodology, which allows for easier manageability
• The goal is to take the notion of group management and policies into the network
• The most basic authorization in Identity Networking is the ability to allow or disallow access to the network at the link layer
• Other forms of authorization include VLAN assignment, 802.1X with ARP inspection, etc.
802.1X with VLAN Assignment

• Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication
• VLANs assigned by name, which allows for more flexible VLAN management
• Allows dynamic VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.)
• Tunnel attributes used to send back VLAN configuration information to the authenticator
• Tunnel attributes are defined by RFC 2868
• Usage for VLANs is specified in the 802.1X standard
• Remember the implications of VLAN assignment when doing machine and user authentication

802.1X with VLAN Assignment
AV Pairs Used—All Are IETF Standard

• [64] Tunnel-type: “VLAN” (13)
• [65] Tunnel-medium-type: “802” (6)
• [81] Tunnel-private-group-ID: <VLAN name>

(Diagram: the authenticated user is placed into the VLAN named Marketing)

IOS:
 aaa authorization network default group radius

• VLAN name must match switch configuration
• Mismatch results in authentication/authorization failure
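An added example, not from the deck, that encodes the three tunnel attributes above as an AAA server returns them in an Access-Accept, decodes them on the switch side following the RFC 2868 tag rules (a first octet above 0x1F in Tunnel-Private-Group-ID is data, not a tag), and applies the name-must-match rule, returning no VLAN on a mismatch. The configured VLAN table is constructed; the numeric-ID form of Tunnel-Private-Group-ID follows RFC 3580.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # [64] Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6        # [65] Tunnel-Medium-Type "802"

# Constructed switch VLAN table: name -> VLAN ID
CONFIGURED_VLANS = {"Marketing": 20, "Engineering": 30}


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (covers the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vlan_assignment(vlan_name: str, tag: int = 1) -> bytes:
    """The three tagged attributes the AAA server puts in Access-Accept."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + vlan_name.encode("ascii")))


def decode_avps(data: bytes) -> list:
    """Split concatenated attributes into (type, value) pairs; strict on lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def tunnel_groups(avps: list) -> dict:
    """Group the tunnel attributes by their RFC 2868 tag octet."""
    groups = {}
    for attr_type, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            tag, num = value[0], int.from_bytes(value[1:], "big")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(tag, {})[key] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            if value[0] <= 0x1F:          # tag present
                tag, text = value[0], value[1:]
            else:                         # untagged: whole value is the string
                tag, text = 0, value
            groups.setdefault(tag, {})["group"] = text.decode("ascii")
    return groups


def select_vlan(access_accept_avps: bytes, configured_vlans: dict):
    """VLAN ID the switch would apply, or None (treated as an authz failure)."""
    for tag, g in sorted(tunnel_groups(decode_avps(access_accept_avps)).items()):
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_802:
            continue                      # not a VLAN-over-802 tunnel group
        name = g.get("group")
        if name is None:
            continue
        if name.isdigit():                # RFC 3580 also allows a numeric VLAN ID
            return int(name) if int(name) in configured_vlans.values() else None
        return configured_vlans.get(name) # exact name match assumed
    return None
```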
Authorization Recommendations

• VLAN assignment is completely optional
• Only use it if you have to separate users due to a business requirement
• Most enterprises do not have this requirement for known users
• Leave the port in its default VLAN, or assign the VLAN during machine authentication if possible

Handling Non-802.1X Clients & Guests
Deployment Options

• Authenticate via a less-secure method
  MAC Auth Bypass
  Web Auth (client must have a browser)
• Give them limited access after timeout and no response
  Guest VLAN
• Allow WLAN access instead of wired
  WLAN is a great way to do guest access if available

MAC Authentication Bypass (MAB)

(Diagram: Client, Dot1x/MAB on the switch, RADIUS; client MAC 00.0a.95.7f.de.06)
  1. Upon link up: EAPOL-Request (Identity) to D = 01.80.c2.00.00.03, unanswered
  2. After 30 seconds: EAPOL-Request (Identity), unanswered
  3. After 30 seconds: EAPOL-Request (Identity), unanswered
  4. After 30 seconds: EAPOL-Timeout; initiate MAB
  5. Variable: learn MAC
  6. RADIUS-Access-Request (switch to RADIUS)
  7. RADIUS-Access-Accept (RADIUS to switch)
  8. Port enabled

IOS:
 Switch(config-if)# dot1x mac-auth-bypass
Web-Based Proxy Authentication

(Diagram columns: No EAPOL | 802.1X Process | RADIUS Process)
  1. 802.1X timeouts (no EAPOL from the client)
  2. Client initiates connection; activates the port authentication state machine
  3. Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
  4. Switch port relays DHCP address from the DHCP server
  5. User starts a web browser and initiates a web connection
  6. Switch port redirects the URL and presents an HTTP form prompting for userid/password
  7. User enters credentials; they are checked against the RADIUS DB via PAP; if authenticated, the switch port is opened for normal network access

802.1X with Guest VLAN

(Diagram: 802.1X client process on the switch; each EAP-Identity-Request is sent to D = 01.80.c2.00.00.03)
  1. Upon link up: EAP-Identity-Request
  2. After 30 seconds: EAP-Identity-Request
  3. After 30 seconds: EAP-Identity-Request
  4. After 30 seconds: EAP-Success; port deployed into the Guest VLAN

• Any 802.1X-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• A device is only deployed into the guest VLAN based on the lack of response to the switch’s EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
• No further security or authentication is applied. It’s as if the administrator de-configured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN
• 90 seconds is greater than the MSFT DHCP timeout
802.1X Timeouts

• max-reauth-req: sets the maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire before receiving a response from the connected client
• tx-period: sets the number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame from the client before retransmitting the request

802.1X Timeout -> (max-reauth-req + 1) * tx-period

802.1X Timeout Configuration

• The configurable values for the parameters are:
  max-reauth-req -> 1–10
  tx-period -> 1–65535 sec.
  802.1X Timeout -> (max-reauth-req + 1) * tx-period
• The configuration below times out 802.1X in 60 seconds

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 20
 dot1x max-reauth-req 1
 dot1x guest-vlan 10
 spanning-tree portfast
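An added example, not from the deck, that reads the two timers and the guest VLAN out of an interface stanza like the one above, applies the deck's formula, range-checks the values, and reports whether guest-VLAN fallback lands before the 62-second Windows DHCP timeout from the earlier slide. Applied to the stanza above, the formula gives (1 + 1) * 20 = 40 seconds; the defaults give 90.

```python
import re

DEFAULT_TX_PERIOD = 30           # seconds (slide "802.1X Timeouts")
DEFAULT_MAX_REAUTH_REQ = 2
WINDOWS_DHCP_TIMEOUT = 62        # seconds (slide "Microsoft Issues with DHCP")
RANGES = {"tx-period": (1, 65535), "max-reauth-req": (1, 10)}

# Interface stanza from the slide "802.1X Timeout Configuration"
SLIDE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 20
 dot1x max-reauth-req 1
 dot1x guest-vlan 10
 spanning-tree portfast
"""

_PATTERNS = {
    "tx-period": re.compile(r"^\s*dot1x\s+timeout\s+tx-period\s+(\d+)\s*$", re.I),
    "max-reauth-req": re.compile(r"^\s*dot1x\s+max-reauth-req\s+(\d+)\s*$", re.I),
    "guest-vlan": re.compile(r"^\s*dot1x\s+guest-vlan\s+(\d+)\s*$", re.I),
}


def parse_dot1x_timers(interface_config: str) -> dict:
    """Timers from the stanza (IOS defaults when absent) plus the guest VLAN, if any."""
    found = {"tx-period": DEFAULT_TX_PERIOD,
             "max-reauth-req": DEFAULT_MAX_REAUTH_REQ,
             "guest-vlan": None}
    for line in interface_config.splitlines():
        for name, rx in _PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            value = int(m.group(1))
            if name in RANGES:
                lo, hi = RANGES[name]
                if not lo <= value <= hi:
                    raise ValueError(f"{name} {value} outside {lo}-{hi}")
            found[name] = value
    return found


def dot1x_timeout(tx_period: int, max_reauth_req: int) -> int:
    """Seconds before the switch gives up on EAPOL: (max-reauth-req + 1) * tx-period."""
    return (max_reauth_req + 1) * tx_period


def assess(interface_config: str) -> dict:
    """Timeout for the stanza, and whether guest-VLAN fallback happens before the
    Windows DHCP client gives up (so a non-802.1X Windows host still gets a lease)."""
    t = parse_dot1x_timers(interface_config)
    timeout = dot1x_timeout(t["tx-period"], t["max-reauth-req"])
    return {"timeout": timeout,
            "guest_vlan": t["guest-vlan"],
            "before_dhcp_timeout": timeout < WINDOWS_DHCP_TIMEOUT}


def timers_in_range(interface_config: str) -> bool:
    """False when a timer in the stanza is outside its configurable range."""
    try:
        parse_dot1x_timers(interface_config)
        return True
    except ValueError:
        return False
```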
MAB, Guest VLAN, Web-Auth

• Determine what features you want to use based on your operations
• Be aware of the implications of tweaking timers
  An 802.1X-capable machine may do MAB or Web-Auth before the 802.1X driver can initialize
  ACS logs may show two records, one for MAB and one for 802.1X, for one device; be aware of this for reporting/troubleshooting

The Problem — Authentication Failures

(Diagram: Client, Switch, AAA)
  1. EAPOL-Start*
  2. EAP-Identity-Exchange
  3. RADIUS-Access-Request
  4. RADIUS-Access-Request
  5. EAP Exchange
  6. RADIUS-Reject
  7. EAPOL-Failure
  Port is never granting access

*Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange is dependent on method

Why Auth Fail VLAN?

(Diagram: two 802.1X clients failing, one with “Certificate Expired!”, one with “User Unknown!”)

• Employees’ credentials expire or are entered incorrectly
• As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default
• Many enterprises require that guests and failed corporate assets get conditional access to the network
  Re-provision credentials through a web proxy or VPN tunnel
  Provide guest access through VLAN assignment or web proxy
The Solution — Auth-Fail-VLAN

(Diagram: Client, Switch, AAA; numbering continues from the previous slide)
  12. RADIUS-Reject
  13. EAPOL-Failure
  14. EAP-Identity-Exchange
  15. RADIUS-Access-Request
  16. RADIUS-Access-Request
  17. EAP-Data-Request
  … EAP Exchange …
  18. RADIUS-Reject
  19. EAPOL-Failure
  Port is now granted access to the auth-fail VLAN

IOS:
 dot1x auth-fail vlan 50

• It is up to the supplicant to access the network.
• 802.1X-2004 spec (max-start): if the supplicant tries to authenticate more than this value after failing a certain number of times, the supplicant should assume it is authorized.

The Problem — AAA Unavailable

(Diagram: Client, Switch, AAA)
  1. EAP-Identity-Exchange
  2. RADIUS-Access-Request, sent three times with no answer from AAA
  3. EAPOL-Failure
  Port is not granting access

Inaccessible Authentication Bypass
IOS
dot1x critical recovery delay 100
radius-server host x.x.x.x test username [username]
radius-server dead-criteria time 15 tries 3
interface GigabitEthernet1/0/1
 dot1x critical
 dot1x critical vlan 10
 dot1x critical recovery action reinitialize

[Diagram: with the AAA server unreachable the port is authorized into the critical VLAN; when the RADIUS server comes back the port is immediately reinitialized and the 802.1X state machine runs again: EAP-Identity-Request, EAP-Identity-Response, EAP auth exchange with the AAA server, then EAP-Success/Failure as authentication is successful/rejected]

802.1X and Voice
ƒ Voice Ports
ƒ With voice ports, a port can belong to two VLANs, keeping voice and data
traffic separate while still letting you configure 802.1X
ƒ An access port able to handle two VLANs
Native or Port VLAN Identifier (PVID): untagged 802.3 frames
Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1Q frames
ƒ Hardware set to dot1q trunk
802.1X and Voice
The controlled port is open only when the device connected to the
port has been authorized by 802.1X

[Diagram: controlled port passes EAPOL only; uncontrolled port passes EAPOL + CDP]

• Uncontrolled port provides a path for Extensible Authentication Protocol
over LAN (EAPOL) traffic ONLY and CDP traffic
• Cisco IP phones are able to tag their packets because they receive VLAN
information via CDP, which is processed on the uncontrolled port as shown above
• A CDP exchange is used to allow the phone to be exempt from any 802.1X
restriction for port-forwarding


802.1X with VVID: Previous Limitations
[Diagram step 1: Port already authenticated]

802.1X with VVID: Previous Limitations
[Diagram step 2: PC leaves; step 3: Port remains authorized (√?)]

If an end user disconnects, the port remains
authorized by 802.1X!!!


802.1X with Voice: Previous Limitations
[Diagram step 4: Illegitimate user plugs in; step 3: Port remains authorized (√?)]

ƒ An illegitimate user can now gain access to the port by spoofing the
authenticated MAC address and bypass 802.1X completely: a
security hole
ƒ In an attempt to work around this, some customers have enabled periodic
reauthentication of end devices
ƒ This is not the reason to enable reauthentication
ƒ We need to deal with the fact that any machine can disappear from the
network without the switch (and 802.1X) knowing about it explicitly
(i.e. the link doesn't go down)
802.1X with Voice: Previous Limitations
[Diagram step 4: Legitimate user plugs in; step 5: Security violation (X)]

ƒ A legitimate user may now attempt to gain access to the port by
way of 802.1X
ƒ However, assuming the MAC addresses are different, the switch
may now treat this as a security violation!
ƒ In an attempt to work around this, some customers have enabled
periodic reauthentication of end devices
ƒ This is not the reason to enable reauthentication
ƒ Overall, the same issue as on the previous slides

802.1X with Voice: EAPOL-Logoff
[Diagram step 1: Port already authenticated]

802.1X with Voice: EAPOL-Logoff
[Diagram step 2: PC leaves; step 3: EAPOL-Logoff transmitted by the phone]

ƒ If an end user disconnects, an IP phone transmits an
EAPOL-Logoff frame to the switch
ƒ Two basic functions needed from the phone
Monitor the PAE group address to determine who and where the
supplicant is
Actually transmit the EAPOL-Logoff frame

802.1X with Voice: EAPOL-Logoff
[Diagram step 4: New authenticated session]

ƒ The switch sees it as a standard EAPOL-Logoff frame
transmitted by a supplicant indicating end of service
ƒ This closes the current security hole and promotes
subsequent mobility

802.1X with Voice: Deployment Issues
[Diagram: switch 802.1X process, no supplicant on the wire]
1 Upon link up: EAP-Identity-Request (D = 01.80.c2.00.00.03)
2 After 30 seconds: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
3 After 30 seconds: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
4 After 30 seconds: still no response

ƒ Assuming no supplicant on the wire, a port will be
deployed into the guest VLAN after step four
above, if a guest VLAN is configured


802.1X with Voice: Deployment Issues
[Diagram: the same sequence as above, now with a client plugged into the phone]

ƒ If any user plugs into a phone, 802.1X is now totally dependent on
how their supplicant is configured to operate
ƒ By default, Microsoft Windows supplicants do not send EAPOL-
Starts; you will want to know why 802.1X works when you plug into
a switch, and why it doesn't work when you plug into a phone!
(Plugging into the phone's PC port does not bring the switch port's link up,
so nothing triggers the switch to send an EAP-Identity-Request.)

Recommended 802.1X and Voice
Solution — Multi-Domain-Auth
ƒ Switch ports authenticate the PC and the IP phone separately
ƒ Switch port is a voice port (aka Aux-VLAN port)
ƒ Supports 802.1X functionality
On the Voice VLAN as well as the Data VLAN
ƒ Supports MAB functionality
On the Voice VLAN as well as the Data VLAN
IP phones without 802.1X capability require MAC Authentication Bypass
(MAB) support
ƒ The solution is extensible in order to support the planned launch of 802.1X
supplicant capability on Cisco IP phones
As well as any 3rd-party IP phones with 802.1X capability
ƒ The solution supports both static and dynamic configuration on IP
phones (for VVID)


Solution for Non-Cisco IP Phones
No Supplicant on Phone
[Diagram: phone on an 802.1X-enabled port with MAB and voice capability, switch, RADIUS server; authorized link; Data VLAN VP state machine is in blocking state, Voice VLAN VP state machine is in ask state]

1 Phone sends untagged DHCP, blocked by switch

2 802.1X times out (phone not allowed to communicate to the network yet)

3 Switch initiates MAB Access-Request on behalf of the phone

4 Switch receives Access-Accept and information that the device is an IP phone. Port-
forwarding is allowed on either VLAN.

5 Non-Cisco phone continues to send traffic, which is now allowed on the PVID as a
result of authenticating the MAC address. Phone then reboots onto the VVID normally.

802.1X and Cisco IP Telephony (For Your Reference)
ƒ 802.1X supplicant on Cisco IP Phones
EAP-MD5 supported on Models 7906 / 7911 / 7931 / 7941 /
7961 / 7970 / 7971
Phone load 8.2(1), December 2006


Example: Switch#sh dot1x int g1/0/1 details

ƒ Any combination of 802.1X and MAB for the phone
ƒ Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, AAA-Fail-VLAN for the PC
PC authenticated by 802.1X; phone authenticated by MAB

Dot1x Info for GigabitEthernet8/0/1
-----------------------------------
PAE                    = AUTHENTICATOR
PortControl            = AUTO
ControlDirection       = Both
HostMode               = MULTI_DOMAIN
ReAuthentication       = Disabled
QuietPeriod            = 60
ServerTimeout          = 30
SuppTimeout            = 30
ReAuthPeriod           = 3600 (Locally configured)
ReAuthMax              = 2
MaxReq                 = 2
TxPeriod               = 30
RateLimitPeriod        = 0
Mac-Auth-Bypass        = Enabled (EAP)
Inactivity             = None
Guest-VLAN             = 401

Dot1x Authenticator Client List
-------------------------------
Domain                 = DATA
Supplicant             = 1222.c0a8.0102
Auth SM State          = AUTHENTICATED
Auth BEND SM Stat      = IDLE
Port Status            = AUTHORIZED
Authentication Method  = Dot1x
Authorized By          = Authentication Server
VLAN Policy            = 100

Domain                 = VOICE
Supplicant             = 000f.8fb7.16a0
Auth SM State          = AUTHENTICATED
Auth BEND SM Stat      = IDLE
Port Status            = AUTHORIZED
Authentication Method  = MAB
Authorized By          = Authentication Server
VLAN Policy            = N/A

Preboot eXecution Environment: PXE
ƒ Very common way to image new machines and reimage existing
machines; i.e. "F12 - Network Boot"
ƒ Assumes IP connectivity and happens before the OS loads
Typically uses DHCP extensions and TFTP to download the boot
image
No 802.1X supplicant, therefore no connectivity
ƒ LAN workarounds at this time are MAB or Guest VLAN
Challenge is to initiate MAB or Guest VLAN access before the PXE
firmware times out
PXE firmware per spec should time out in 60 seconds.
Some PXE firmware has been observed to expire in as little as five
seconds; lots of testing is required to verify the solution
Active Management Technology (AMT) from Intel can authenticate
the device before the PXE BIOS
Wake on LAN (WOL)
ƒ There is a feature that enables support of WOL
on the switches
ƒ Issue: with MAB or Guest VLAN configured
The device goes to sleep and drops link.
This link drop will restart the 802.1X state machine.
If the PC doesn't respond, MAB/Guest VLAN handling will be triggered
and the device will potentially be placed on a new VLAN.
If placed in a new VLAN, the WOL magic packet to wake the machine
will be sent to the original 802.1X auth VLAN.
ƒ Workaround
Make sure all managed assets are in a MAC address database and
assign the device to the same VLAN with MAB


MAC Address Database

ƒ Can be created from existing tools
Asset/Inventory Database

ƒ Can be created by doing log analysis
Don’t enable 802.1X supplicant
Permit all MAC addresses to create logs
Analyze logs to create the MAC address database

ƒ Can be created using tools that detect and profile
Detects Devices through passive monitoring
Profiles/Classifies the device through passive profiling

Monitoring and Troubleshooting


Identity Networking Monitoring and
Troubleshooting
ƒ Major components of Identity Networking monitoring
RADIUS accounting
NAD logs
RADIUS logs
NAD CLI
SNMP on NAD
ƒ Major components of Identity Networking troubleshooting
Correlated log reports (ACS View)
Third-party log analysis and reporting
SNMP on NAD
NAD CLI


802.1X with RADIUS Accounting
[Diagram: Supplicant, 802.1X process, RADIUS process]
1 Authenticate
2 EAPOL-Success (to the supplicant), Access-Accept (from RADIUS)
3 Accounting-Request
4 Accounting-Response

ƒ Accounting-Request packets
ƒ Contain one or more AV pairs to report various events and related
information to the RADIUS server
ƒ User-level events are tracked through the same mechanism
802.1X with RADIUS Accounting
ƒ Similar to other accounting and tracking mechanisms that already
exist using RADIUS
Can now be done through 802.1X
ƒ Increases network session awareness
ƒ Provides information to a management infrastructure about who
logs in, session duration, basic billing/usage reporting, etc.
ƒ Provides a means to map the information of the authenticated identity

Identity = IP, Port, MAC, Switch
Switch + Port = Location

IOS
aaa accounting dot1x default start-stop group radius
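As an added example (not from the presentation), the correlation the slide describes: fold constructed RADIUS Accounting-Request records (standard RFC 2866 attribute names; the two MACs reuse supplicant addresses shown elsewhere in this deck, every other value is made up) into sessions, so an IP address or a switch/port can be mapped back to an identity.

```python
"""Correlate RADIUS accounting records into sessions: which identity was on
which switch/port with which MAC and IP, and for how long."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str
    identity: str = ""
    mac: str = ""
    switch: str = ""
    port: str = ""
    ip: Optional[str] = None
    seconds: Optional[int] = None
    terminate_cause: Optional[str] = None

    @property
    def location(self) -> str:
        # The slide's rule of thumb: Switch + Port = Location
        return f"{self.switch} {self.port}"

    @property
    def active(self) -> bool:
        return self.terminate_cause is None


def correlate(records: List[dict]) -> Dict[str, Session]:
    """Fold Start / Interim-Update / Stop records into one Session per Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, Session(session_id=sid))
        status = rec["Acct-Status-Type"]
        if status == "Start":
            s.identity = rec["User-Name"]
            s.mac = rec["Calling-Station-Id"].upper()
            s.switch = rec["NAS-IP-Address"]
            s.port = rec["NAS-Port-Id"]
        # The client IP may only be known once it has a DHCP lease, so accept
        # Framed-IP-Address from any record type (assumed NAD behaviour).
        if "Framed-IP-Address" in rec:
            s.ip = rec["Framed-IP-Address"]
        if status == "Stop":
            s.seconds = int(rec.get("Acct-Session-Time", 0))
            s.terminate_cause = rec.get("Acct-Terminate-Cause", "Unknown")
    return sessions


def who_had_ip(sessions: Dict[str, Session], ip: str) -> List[Session]:
    """Reverse lookup for incident response: IP -> identity and location."""
    return [s for s in sessions.values() if s.ip == ip]


def sessions_at(sessions: Dict[str, Session], switch: str, port: str) -> List[Session]:
    """Everything ever seen on one switch port."""
    return [s for s in sessions.values() if s.switch == switch and s.port == port]


# Constructed sample records (decoded attribute name -> value).
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "00000011", "User-Name": "jdoe",
     "Calling-Station-Id": "00-0d-60-fc-9c-38", "NAS-IP-Address": "10.1.200.2",
     "NAS-Port-Id": "FastEthernet0/1"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "00000011",
     "Framed-IP-Address": "10.1.20.57"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "00000012", "User-Name": "host/lab-pc7",
     "Calling-Station-Id": "00-0f-8f-b7-16-a0", "NAS-IP-Address": "10.1.200.2",
     "NAS-Port-Id": "FastEthernet0/2", "Framed-IP-Address": "10.1.20.58"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "00000011",
     "Acct-Session-Time": "1820", "Acct-Terminate-Cause": "User-Request"},
]

if __name__ == "__main__":
    for s in correlate(SAMPLE_RECORDS).values():
        state = "active" if s.active else f"closed after {s.seconds}s ({s.terminate_cause})"
        print(f"{s.identity:14} {s.mac:17} {s.ip or '-':12} {s.location:28} {state}")
```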


Cisco Secure ACS View

ƒ Turnkey appliance
ƒ Capable of managing large volumes of Cisco Secure
ACS data.
ƒ Generates historical reports and monitors real-time
data sent from ACS servers.
ƒ Collects and correlates data from multiple Cisco Secure
ACS servers and logs.
ƒ Provides sophisticated reporting, alerting and
troubleshooting functions for Cisco Secure ACS
deployments.
ƒ Currently for ACS 4.2 only.
Reports

ƒ Cisco Secure ACS View provides pre-defined reports
and supports custom queries on-demand or on a
scheduled basis.
ƒ ACS View reports include:
• Authentication Reports
• Session Reports
• Device Administration Reports
• ACS Configuration Reports
• ACS Administration Reports


Alerts
Cisco Secure ACS View Supports the Following
User-Defined Alerts:
ƒ Failed (or passed) authentications over a specified
length of time for a user, user group, ACS server, etc.
ƒ Authentication inactivity over a specified length of time
for a user, user group, ACS server, network access
device, network device group, etc.
ƒ Specific TACACS+ command execution for a user, user
group, network access device or network device group
ƒ Specific ACS server administration operations on
specified ACS servers

[Screenshot: ACS View]

[Screenshot: Simple Homegrown Tools]

Troubleshooting:
Identify Points of Failure
ƒ It is important to understand the failure point in the picture
ƒ It is important to understand which issue causes which failures
ƒ In most cases the description of the issue symptom is vague or
misleading, and you must correlate separate pieces of information
for problem resolution.


ACS Problem — Certificate Trust Issues
ƒ One of the most common issues seen in deployment
ƒ Indicates that the CA certificate is not installed and trusted on the
supplicant

802.1X Port Config
ID-3560#show run int fa0/1
Building configuration...

Current configuration : 217 bytes
!
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 99
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 15
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x auth-fail vlan 50
 dot1x critical vlan 50
 spanning-tree portfast
end

ID-3560#show dot1x int fa0/1 details
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE                    = AUTHENTICATOR
PortControl            = AUTO
ControlDirection       = Both
HostMode               = MULTI_DOMAIN
ReAuthentication       = Enabled
QuietPeriod            = 60
ServerTimeout          = 30
SuppTimeout            = 30
ReAuthPeriod           = 3600 (Locally configured)
ReAuthMax              = 2
MaxReq                 = 2
TxPeriod               = 15
RateLimitPeriod        = 0

Dot1x Authenticator Client List
-------------------------------
Domain                 = DATA
Supplicant             = 000d.60fc.9c38
Auth SM State          = AUTHENTICATED
Auth BEND SM State     = IDLE

Port Status            = AUTHORIZED
ReAuthPeriod           = 3600
ReAuthAction           = Reauthenticate
TimeToNextReauth       = 1333
Authentication Method  = Dot1x
Posture                = Healthy
Authorized By          = Authentication Server
Vlan Policy            = 10


802.1X Authorization Failure 1
ƒ Case: network authorization is NOT ENABLED on the NAD
ƒ ACS Message Type: Authen Successful
ƒ AFC: There is no AFC associated with this error since authentication
succeeds
ƒ User Experience: Balloon message "Windows cannot connect you to the
network (contact your network administrator)"
The following CLI is missing: aaa authorization network default group radius

ƒ VLAN assignment succeeds but assigns the port to VLAN 0
ƒ Session-Timeout (RADIUS Attribute 27) is not assigned to the port
reauthentication timer value

ƒ Since there is no VLAN 0, the default port VLAN is used for
authorization, and if there is no DHCP set up for this VLAN then the client can't obtain
an IP address.
ƒ Also, the reauthentication timer becomes 0. This means that there will be no
reauthentication.

802.1X Authorization Failure 1
Feb 27 15:55:16.659: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 000d.60fc.9c38
Feb 27 15:55:16.668: dot1x-ev:dot1x_vlan_assign_authc_success called on interface FastEthernet0/1
Feb 27 15:55:16.676: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface FastEthernet0/1
Feb 27 15:55:16.676: dot1x-ev:dot1x_switch_supplicant_add: Adding 000d.60fc.9c38 on FastEthernet0/1 in vlan 1, domain is DATA
Feb 27 15:55:16.676: dot1x-ev:dot1x_switch_addr_add: Added MAC 000d.60fc.9c38 to vlan 1 on interface FastEthernet0/1

ID-3560#show dot1x int fa0/1 d
-- skipped --
Dot1x Authenticator Client List
-------------------------------
Domain                 = DATA
Supplicant             = 000d.60fc.9c38
Auth SM State          = AUTHENTICATED        <-- State machine shows that the supplicant is authenticated
Auth BEND SM State     = IDLE

Port Status            = AUTHORIZED           <-- State machine shows that the port is authorized
ReAuthPeriod           = 0                    <-- Attr. 27 does not overwrite the default; instead the switch sets it to 0
ReAuthAction           = Terminate
TimeToNextReauth       = 0
Authentication Method  = Dot1x
Authorized By          = Authentication Server
Vlan Policy            = N/A                  <-- VLAN is not assigned although the switch receives attributes 64, 65 and 81


802.1X Authorization Failure 2
ƒ Case: an invalid RADIUS attribute is sent in the RADIUS Access-Accept
ƒ ACS Message Type: Authen Successful
ƒ AFC: There is no AFC associated with this error since authentication succeeds
ƒ User Experience: Balloon message "Windows cannot connect you to the network
(contact your network administrator)"
ƒ RADIUS Access-Accept with an invalid RADIUS Attribute 81 is sent
ƒ Basic rule is that attribute 81 needs to be either "string" or "integer". If string, it
needs to match a VLAN name that exists on the switch. If integer, it needs to match
a VLAN ID that exists on the switch

ƒ The Passed Authentications report shows the authentication as successful
ƒ Authorization failure on the switch is NEVER reported back to ACS.
Feb 27 16:39:40.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Feb 27 16:39:41.477: %DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN wrong_vlan to dot1x port FastEthernet0/1
Feb 27 16:39:41.930: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

802.1X Authorization Failure 2
ƒ This is very difficult to troubleshoot since ACS reports successful
authentication but the user still does not get on the network and gets upset.
The only way to troubleshoot is to use the syslog message, if the switch console
and debug commands are not an option

Console log message
Feb 27 16:39:40.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Feb 27 16:39:41.477: %DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN wrong_vlan to dot1x port FastEthernet0/1
Feb 27 16:39:41.930: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Message to Syslog Server (the same messages are forwarded)

THIS SYSLOG IS ONLY AVAILABLE on 12.2(44)SE or later versions of Cat2K/3K
IOS. For other platforms, debug output is required. (Verified with Cat3560 12.2(44)SE)
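Added example, not part of the presentation: detection logic for the two silent authorization failures just described, run over the client list of show dot1x interface details and over syslog/debug lines constructed from the messages shown above.

```python
"""Spot the two 802.1X authorization failures from this section in switch
output: (1) RADIUS attributes ignored because 'aaa authorization network' is
missing, (2) Tunnel-Private-Group-ID (attr 81) naming a VLAN the switch lacks."""
import re
from typing import Dict, List, Tuple

# Constructed from the 'show dot1x interface details' client list shown above.
CLIENT_LIST_AUTHZ_OFF = """\
Dot1x Authenticator Client List
-------------------------------
Domain                 = DATA
Supplicant             = 000d.60fc.9c38
Auth SM State          = AUTHENTICATED
Auth BEND SM State     = IDLE

Port Status            = AUTHORIZED
ReAuthPeriod           = 0
ReAuthAction           = Terminate
TimeToNextReauth       = 0
Authentication Method  = Dot1x
Authorized By          = Authentication Server
Vlan Policy            = N/A
"""

# Healthy counterpart (the working port config slide): timers applied, VLAN 10.
CLIENT_LIST_OK = (CLIENT_LIST_AUTHZ_OFF.replace("= 0\n", "= 3600\n")
                  .replace("= Terminate", "= Reauthenticate")
                  .replace("= N/A", "= 10"))

KV_RE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*=\s*(.*?)\s*$")


def parse_client_list(text: str) -> Dict[str, str]:
    """Turn the 'Key = Value' lines of the client list into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def diagnose_client(fields: Dict[str, str]) -> List[str]:
    """Signature from the slide: the server authorized the port, yet nothing
    was applied (Vlan Policy N/A) and Session-Timeout fell to 0."""
    findings: List[str] = []
    authorized_by_server = (fields.get("Port Status") == "AUTHORIZED"
                            and fields.get("Authorized By") == "Authentication Server")
    reauth_zero = fields.get("ReAuthPeriod", "").split(" ")[0] == "0"
    if authorized_by_server and fields.get("Vlan Policy", "").upper() == "N/A" and reauth_zero:
        findings.append("RADIUS authorization attributes not applied; check for "
                        "'aaa authorization network default group radius'")
    return findings


VLAN_NOT_FOUND_RE = re.compile(
    r"%DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent "
    r"VLAN (?P<vlan>\S+) to dot1x port (?P<port>\S+)")
VLAN_ZERO_RE = re.compile(
    r"dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface (?P<port>\S+)")


def scan_logs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, port, detail) for each line matching either signature."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        m = VLAN_NOT_FOUND_RE.search(line)
        if m:
            out.append(("attr81-vlan-missing", m["port"],
                        f"VLAN '{m['vlan']}' does not exist on the switch"))
        m = VLAN_ZERO_RE.search(line)
        if m:
            out.append(("authz-not-enabled", m["port"],
                        "VLAN 0 assigned: aaa authorization network missing"))
    return out


# Constructed sample, modelled on the debug and syslog lines quoted above.
SAMPLE_LOG = [
    "Feb 27 15:55:16.668: dot1x-ev:dot1x_vlan_assign_authc_success called on interface FastEthernet0/1",
    "Feb 27 15:55:16.676: dot1x-ev:dot1x_vlan_assign_authc_success: Successfully assigned VLAN 0 to interface FastEthernet0/1",
    "Feb 27 16:39:40.839: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "Feb 27 16:39:41.477: %DOT1X_SWITCH-5-ERR_RADIUS_VLAN_NOT_FOUND: Attempt to assign non-existent VLAN wrong_vlan to dot1x port FastEthernet0/1",
]

if __name__ == "__main__":
    for finding in diagnose_client(parse_client_list(CLIENT_LIST_AUTHZ_OFF)):
        print("show dot1x:", finding)
    for kind, port, detail in scan_logs(SAMPLE_LOG):
        print(f"log: {kind} on {port}: {detail}")
```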


Invalid RADIUS Secret
ƒ RADIUS secret is either invalid (does not match the one configured on ACS) or
corrupted
ƒ ACS Message Type: Bad request from NAS
ƒ AFC: Invalid message authenticator in EAP request
ƒ Others: Very common during the deployment phase. The secret key is invalid
in the switch configuration or on ACS, or the configuration section is corrupted
RDS 02/28/2008 11:45:40 D 7523 2420 0x0 NAS: 10.1.200.2:28166:250 Cleaning lookup entry.
RDS 02/28/2008 11:45:43 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table.
RDS 02/28/2008 11:45:43 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645
RDS 02/28/2008 11:45:43 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring
RDS 02/28/2008 11:45:43 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry.
RDS 02/28/2008 11:45:48 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table.
RDS 02/28/2008 11:45:48 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645
RDS 02/28/2008 11:45:48 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring
RDS 02/28/2008 11:45:48 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry.
RDS 02/28/2008 11:45:53 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table.
RDS 02/28/2008 11:45:53 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645
RDS 02/28/2008 11:45:53 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring
RDS 02/28/2008 11:45:53 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry.
RDS 02/28/2008 11:45:57 D 7421 2452 0x0 NAS: First Request (RequestID:Port) 68:27910 inserted to the lookup table.
RDS 02/28/2008 11:45:57 D 0299 2452 0x0 Request from host 10.1.200.2:1812 code=1, id=68, length=205 on port 1645
RDS 02/28/2008 11:45:57 E 0407 2452 0x0 Request from 10.1.200.2 contains invalid Message-Authenticator, ignoring
RDS 02/28/2008 11:45:57 D 7523 2452 0x0 NAS: 10.1.200.2:27910:68 Cleaning lookup entry.
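Added example, not Cisco's code: how a RADIUS server validates the Message-Authenticator attribute (80) of an Access-Request that carries EAP-Message (RFC 3579), which is why a shared-secret mismatch produces the "invalid Message-Authenticator, ignoring" lines above and no reply to the switch. The secrets, Request Authenticator and attribute values are constructed; the NAS address 10.1.200.2 and identifier 68 come from the log.

```python
"""Compute and verify the RADIUS Message-Authenticator (attribute 80) the way a
RADIUS server does: HMAC-MD5 keyed with the shared secret over the whole
Access-Request with the attribute's own 16 value bytes zeroed (RFC 3579)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request-Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs, secret: bytes) -> bytes:
    """Switch (NAS) side: Access-Request with a Message-Authenticator computed
    under `secret`. attrs is a list of (type, value) pairs."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side. False is what ACS logs as 'invalid Message-Authenticator,
    ignoring': the request is silently dropped, so the switch only sees retries."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False  # an EAP request without attribute 80 must also be discarded


def demo(switch_secret: bytes, server_secret: bytes) -> bool:
    """Build a request with the switch's secret and check it with the server's."""
    request_authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    eap_identity = bytes([2, 1, 0, 14, 1]) + b"employee1"  # EAP Response/Identity, len 14
    attrs = [
        (ATTR_USER_NAME, b"employee1"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 200, 2])),  # NAS seen in the ACS log above
        (ATTR_NAS_PORT, struct.pack("!I", 50101)),
        (ATTR_EAP_MESSAGE, eap_identity),
    ]
    pkt = build_access_request(68, request_authenticator, attrs, switch_secret)
    return verify_message_authenticator(pkt, server_secret)


if __name__ == "__main__":
    print("matching secrets:  ", demo(b"s3cret-constructed", b"s3cret-constructed"))
    print("mismatched secrets:", demo(b"s3cret-constructed", b"s3cret-typo"))
```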

Looking Forward


Authentication — Today

ƒ Static ordering of authentication methods
ƒ Static fallback on timeout and failure

[Diagram: 802.1X (EAP) timeout/failure → Guest VLAN or Failed Auth VLAN; 802.1X times out → MAB; MAB Access-Reject → URL Web Auth]
Future — Flexible Authentication
(FlexAuth)

ƒ Flexible ordering of authentication methods
ƒ Flexible fallback of timeout and failure methods

[Diagram: 802.1X (EAP) failure/timeout → MAB; MAB Access-Reject → URL Web Auth, with order and fallback configurable]

Cat6K IOS (Fall '08)
interface GigabitEthernet1/0/1
 authentication fallback dot1x mab webauth
 authentication timeout dot1x mab webauth


Open Mode
For each 802.1X switch port, the switch creates
TWO virtual access points at each port

The controlled port is now wide open when any device
connects to the port!

[Diagram: controlled port passes any traffic; uncontrolled port passes EAPOL. Captions: "Uncontrolled port continues to provide a path for Extensible Authentication Protocol over LAN (EAPOL) AND CDP traffic" and "Uncontrolled port provides a path for EAPOL traffic ONLY"]

interface GigabitEthernet1/0/1
 authentication open

Open Mode
ƒ "Open" by itself performs no checking; a separate control mechanism is still
used to control access.
ƒ Policy enforcement techniques to control pre-auth and during-
auth access
ACLs
VLANs

interface FastEthernet1/0/1
 ip access-group default_policy in
ip access-list extended default_policy
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 30 permit udp any any eq tftp
 40 deny ip any any


Device Movement/Host Replacement
ƒ EAPOL-Logoff enables device movement for 802.1X
devices behind IP phones
ƒ MAB still restricts devices to a single port when
authenticated behind IP phones.
ƒ CDP Notification allows device movement and host
replacement on links that include IP phones, for all
authentication methods
ƒ CatOS 8.7(1), Cat6k IOS 12.2(33)XSI "Summer '08"
ƒ Phone firmware 8.4(1)
ƒ Phone models supported
7911, 7906, 7940, 7941, 7960, 7961, 7970, 7971, 7945, 7965,
7975, 7931 (check release notes for final list)
Authentication with IPT:
CDP Notification
[Diagram step 1: Port already authenticated]

Authentication with IPT:
CDP Notification
[Diagram step 2: PC leaves; step 3: CDP Notification transmitted by the phone]

ƒ If an end user disconnects, an IP phone transmits a
CDP frame to the switch
ƒ Two basic functions needed from the phone
Monitor the second port status
Send the CDP Second Port Status TLV

Authentication with IPT:
CDP Notification
[Diagram step 4: New authenticated session]

ƒ The switch is given an explicit notification of the end of
service
ƒ This closes the current security hole, and promotes
subsequent mobility


Improved Logging/Monitoring

ƒ Improved logs for authentication and authorization
events (auth success/failure, etc.)
ƒ Standardized attributes in RADIUS accounting
ƒ Extensions to the IEEE PAE MIB (per-MAC-address
reauthentication)

Downloadable ACLs

ƒ Centralized ACL configuration for switches
ƒ Implemented as a Port ACL
Currently requires an interface ACL to be applied

[Diagram: Client, Authentication Process, ACS]
1 802.1X/MAB authentication
2 RADIUS authorizes the port with a dACL
3 dACL downloaded from ACS


URL Redirect
[Diagram: Client, Authentication Process, RADIUS]
1 802.1X/MAB authentication
2 RADIUS authorizes the port with a URL redirect
3 User initiates web connection
4 Switch port redirects to web page
ƒ Requires HTTP on the switch
ƒ Does not "authenticate" via the web natively on the switch
ƒ Mainly used for custom notification at this time
ƒ Future integration with other Cisco products
MAB Inactivity
Cat 3K now / Cat6K IOS (Fall '08)
interface GigabitEthernet1/0/1
 dot1x mac-auth-bypass timeout inactivity 3600

[Diagram step 1: MAB device disconnects; no traffic detected from the PC]

ƒ MAB-authenticated device disconnects, but the link does not go down
because of a hub, IPT device, etc.
ƒ Switch does not detect traffic from the MAC address for the configured
inactivity time (3600 seconds above) and
ƒ Switch disconnects the session


Multi-Auth Host Mode
Cat6K IOS (Fall '08)
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth

[Diagram: Client 1 authentication and Client 2 authentication on the same port (*)]

ƒ Works with FlexAuth (802.1X, MAB, Web Auth)
ƒ VMware support
ƒ No support for guest VLAN and failed auth VLAN
ƒ Limited to ACLs for authorization for each data domain device
* Remember switches discard EAPOL by default

Deployment Case Study


Identity Networking Deployment Case Study

ƒ Retailer required to allow only their own assets to connect to
the network, due to lack of physical security
ƒ Selected 802.1X as the technical solution after
evaluation
ƒ Primarily a Microsoft desktop and server environment;
small group of Mac OS X for designers
ƒ Approximately 14,000 ports at home office and
remote stores
ƒ Cisco IP Telephony environment
ƒ Pervasive wireless environment

Identity Networking Deployment Case Study (Cont.)
ƒ Selected machine authentication only, for wired and wireless
ƒ Leveraged the automatic provisioning of machine certificates in
Active Directory to provision the machine credentials (automatic
user certificates also possible)
ƒ Manually provisioned non-AD devices where possible
ƒ Failed-authentication VLAN and unknown MAC addresses
assigned to "guest" VLAN on wired only at home office; no "guest"
VLAN at remote sites
ƒ No guest WLAN access
ƒ IAB used for AAA failures for remote-office survivability
ƒ Multiple supplicants; tried to leverage the native OS supplicant


Identity Networking Deployment Case Study (Cont.)
ƒ Lab work
  IP Telephony handled by CDP exceptions
  PXE tested and handled via MAB
  Tested "Guest VLAN" backhaul and proxy for AUP (acceptable use policy)
ƒ No Wake on LAN
ƒ Decided to handle credential re-provisioning via an SSL VPN account triggered via help desk ticket
ƒ Bought a 3rd-party tool to build the MAC address database
ƒ Extended SIM for reporting
ƒ Decided on an access-layer-only deployment since the data center had physical security

Identity Networking Deployment Methodology
ƒ Conducted a POC with Network/Desktop Operations
ƒ Pre-production pilot with all of IT
  Monitored failed authentications/unknown MACs via group reports to watch for supplicant configuration issues and unknown devices
  Ran trend reports on IPT and PXE support calls to judge impact
ƒ Deployed supplicant configuration/credentials before switches
ƒ Deployed "Internet" VLAN with appropriate backhaul to the Internet edge
ƒ Deployed 802.1X in "monitor" mode on a per-building basis
  802.1X, MAB, unknown MAB, and failed VLAN all went to the default port VLAN
  Continued trend reporting for other services
ƒ Deployed 802.1X "guest enforcement"
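The group report used during the pilot and monitor-mode phases, as an added example that is not part of the original deck or the retailer's tooling: it parses constructed switch syslog lines (written in the style of IOS DOT1X/MAB messages; the hostnames, MACs, ports and the site-prefix naming convention are assumptions) and tallies, per building, the 802.1X failures, the MAB-unknown MACs and the devices that fell back from 802.1X to MAB, which is what monitor mode lets you find before enforcement is switched on.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of IOS 802.1X/MAB messages.
# Hostnames, MACs and interfaces are made up; the site prefix (HQ-, ST12-)
# is an assumed naming convention used to group the report per building.
SAMPLE_LOGS = """\
HQ-B1-SW01: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1
HQ-B1-SW01: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4466) on Interface Gi1/0/2
HQ-B1-SW01: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4466) on Interface Gi1/0/2
HQ-B2-SW03: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.dd01) on Interface Gi1/0/7
HQ-B2-SW03: %MAB-5-FAIL: Authentication failed for client (00aa.bbcc.dd01) on Interface Gi1/0/7
ST12-SW01: %MAB-5-SUCCESS: Authentication successful for client (0004.f2aa.bb01) on Interface Gi1/0/11
ST12-SW01: %MAB-5-FAIL: Authentication failed for client (0019.5b00.0001) on Interface Gi1/0/12
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+): %(?P<method>DOT1X|MAB)-5-(?P<result>SUCCESS|FAIL): .*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+)", re.I)

def site_of(host):
    """Assumed convention: the text before the first '-' names the building/store."""
    return host.split("-", 1)[0]

def monitor_mode_report(log_text):
    """Per-site summary of what enforcement would later have blocked or redirected.
    Returns {site: {"dot1x_fail": [...], "mab_unknown": [...], "fallback_to_mab": [...]}}."""
    last = {}  # (host, port, mac) -> last outcome, to spot 802.1X -> MAB fallback
    report = defaultdict(lambda: {"dot1x_fail": set(), "mab_unknown": set(),
                                  "fallback_to_mab": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        site, mac, port = site_of(m["host"]), m["mac"].lower(), m["port"]
        method, result = m["method"].upper(), m["result"].upper()
        key = (m["host"], port, mac)
        if method == "DOT1X" and result == "FAIL":
            # Managed asset whose supplicant or credential is broken
            report[site]["dot1x_fail"].add(mac)
        elif method == "MAB" and result == "FAIL":
            # MAC not in the MAB database: an unknown device
            report[site]["mab_unknown"].add(mac)
        elif method == "MAB" and result == "SUCCESS" and last.get(key) == "DOT1X_FAIL":
            # Known MAC that should have passed 802.1X: likely supplicant misconfiguration
            report[site]["fallback_to_mab"].add(mac)
        last[key] = f"{method}_{result}"
    return {s: {k: sorted(v) for k, v in d.items()} for s, d in report.items()}
```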

Recommended Reading
ƒ Network Security Architectures
ƒ Network Security Fundamentals
ƒ Network Security Principles and Practices
ƒ Cisco Access Control Security: AAA Administration Services
ƒ Cisco Wireless LAN Security
ƒ Cisco Network Admission Control, Vol. I and II

Available onsite at the Cisco Company Store
Complete Your Online Session Evaluation
ƒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
ƒ Receive 20 Passport points for each session evaluation you complete.
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


Summary
ƒ Identity Networking improves enterprise security
ƒ Identity Networking improves enterprise visibility
ƒ Identity Networking is a platform for other security initiatives, e.g., NAC
ƒ Keys to success:
  Understand your security requirements
  Understand the Windows boot process
  Choose the right authorization for your requirements
  Understand the implications of IP Telephony
  Expend effort up front to identify and plan for the impact of 802.1X

Identity Networking Is Deployable Today
Q and A
