© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3005 Cisco Public
Advanced 802.1X Design and Troubleshooting (BRKSEC-3005)

Legos and IEEE 802.1X: Same pieces, different castles (a basic deployment versus a realistic one)
Agenda
Deployment Considerations
‒ Authentication
‒ Authorization
Deployment Scenarios
‒ Monitor Mode
‒ Low Impact Mode
‒ Closed Mode
Troubleshooting
‒ Methodology
‒ Flows
For Your Reference
Real World Example
Deployment Considerations: Authentication

Thinking About Authentication
The planning areas are authentication, authorization, policy, desktops, multiple endpoints, confidentiality, and teamwork & organization. The authentication-related items in each:
• Authentication: credentials, databases, EAP methods, supplicants, agentless devices, authentication order/priority
• Desktops: Windows GPO, machine authentication, PXE, Wake-on-LAN, virtual machines
• Teamwork & Organization: the network, IT and desktop teams
IEEE 802.1X Provides Port-Based Access Control Using Authentication

Roles: Supplicant ("Client") <-> Authenticator ("Switch") <-> Authentication Server ("AAA/RADIUS Server").
Supplicant to authenticator: EAP over LAN (EAPoL) on a Layer 2 point-to-point link. Authenticator to server: RADIUS over a Layer 3 link.

Beginning:
  Supplicant -> Switch: EAPoL Start
  Switch -> Supplicant: EAPoL Request Identity
  Supplicant -> Switch: EAP-Response Identity: Alice
  Switch -> Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple Challenge/Request exchanges possible):
  Server -> Switch: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Switch -> Supplicant: EAP-Request: PEAP
  Supplicant -> Switch: EAP-Response: PEAP
  Switch -> Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
  Server -> Switch: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  Switch -> Supplicant: EAP Success
Choosing Credentials for 802.1X

Common types and where they are validated:
• Passwords (e.g. alice / c1sC0L1v), validated against a directory
• Certificates, validated against a certificate authority
• Tokens, validated against a token server

Deployment best practices:
• Reuse existing credentials
• Understand the limitations of existing systems

Deciding factors:
• Security policy
• Validation
• Distribution & maintenance
Credentials May Have Systemic Limitations

Scenario: Alice (alice / c1sC0L1v), director of US Sales, gets no access in the London office.
Root cause: Alice is not a member of mycorp.uk.
Possible solutions to multiple-domain issues:
1. Establish a two-way trust between mycorp.com and mycorp.uk
2. Use a RADIUS proxy to send requests from *.mycorp.com (e.g. alice.mycorp.com) to the US ACS
3. Use certificates from a global enterprise CA (mycorp root CA) and don't check AD
How To Submit Credentials

Mutual authentication: the server must validate the client's identity and vice versa.
Security: client credentials cannot be snooped or cracked.

PEAP-MSCHAPv2:
• Server certificate authentication: signed by a trusted CA (server CA) and belongs to an allowed server
• Encrypted tunnel
• Client authentication inside the tunnel: known username and valid password (e.g. host/alice-xp.mycorp.com with its machine password)

EAP-TLS:
• Server certificate authentication: signed by a trusted CA (server CA) and belongs to an allowed server
• Client certificate authentication: signed by a trusted CA (client CA), plus additional checks
Users and Machines Can Have Credentials

User authentication (e.g. alice) and machine authentication (e.g. host\XP2) use separate identities.

Machine authentication:
• Enables devices to access the network prior to (or in the absence of) user login
• Enables critical device traffic (DHCP, NFS, machine GPO)
• Is required in managed wired environments

User authentication:
• Enables user-based access control and visibility
• If enabled, should be in addition to device authentication
Why You Must Enable Machine Auth In A Managed Environment

Windows boot and logon sequence; everything after the network address step depends on network connectivity:
1. Power on; kernel loading; Windows HAL loading; device driver loading
2. Machine authentication (802.1X with the machine credential), which must succeed before:
   • Obtain network address (static, DHCP)
   • Determine site and DC (DNS, LDAP)
   • Establish secure channel to AD (LDAP, SMB)
   • Kerberos authentication (machine account)
   • Computer GPOs loading (async)
   • GPO-based startup script execution
   • Certificate auto-enrollment, time synchronization, dynamic DNS update
3. GINA (user logon)
4. User authentication (802.1X with the user credential), followed by:
   • Kerberos authentication (user account)
   • User GPOs loading (async)
   • GPO-based logon script execution (SMB)
Business Case & Security Policy Determine Whether You Need User Auth

Example 1: Call center. Objective: differentiated access for agents. Conditions: shared-use PCs (desktops). Result: machine + user authentication.
Example 2: Enterprise campus. Objective: access for corporate assets only. Conditions: one laptop = one user. Result: machine-only authentication.
Bonus question: Could this customer enable password-based user authentication if they wanted to?
Understanding Your Supplicant is Essential

Best practice: make friends with your desktop team. Supplicant categories: native, premium, open source, hardware.

Massive outage after OS upgrade:
• XP SP2: single service & profile for all 802.1X (wired/wireless)
• XP SP3/Vista/Win7: separate services and profiles for wired and wireless
• The wired service is disabled by default (http://support.microsoft.com/kb/953650)

Auth-Fail VLAN doesn't work:
• Switch expects 3 failures by default
• XP SP3, Vista, Win7: 20-minute block timer on the first EAP failure (http://support.microsoft.com/kb/957931)
• Fix: (config-if)#authentication event fail retry 0
Real Networks Can't Live on 802.1X Alone

Default access control is binary:
• 802.1X passed: employee with a supplicant (SSC) and good credentials
• Unauthenticated: employee with a supplicant but a bad credential, guest, managed assets without a supplicant, rogue device
MAC Authentication Bypass (MAB): "Authentication" for Clientless Devices

1) IEEE 802.1X timeout: the switch sends EAPoL EAP Request-Identity three times and gets no reply from the endpoint.
2) MAB: any packet from the endpoint (source MAC 00.0a.95.7f.de.06) triggers
   Switch -> RADIUS Server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]
   RADIUS Server -> Switch: RADIUS Access-Accept
How are MACs "authenticated"?
MAB is PAP... or you can optimize

The RADIUS Access-Request for MAB can take two forms:
• MAB as PAP: works with any RADIUS server; password = username (the MAC address)
• MAB as "Host Lookup": ACS/ISE optimization; no need for fake passwords; differentiates the MAB request from other requests
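As an added example (not code from the deck or from Cisco), the attributes a switch sends for MAB in both forms above, and the check a RADIUS server or log parser can use to tell those requests from 802.1X ones. Attribute numbers and the User-Password hiding follow RFC 2865; "Host Lookup" MAB is marked by Service-Type = Call-Check (10); the shared secret and Request Authenticator are constructed sample values.

```python
# Added example, not from the BRKSEC-3005 deck: RADIUS attributes for the two
# MAB request forms, plus a server-side classifier. Attribute numbers and the
# User-Password hiding scheme follow RFC 2865; "Host Lookup" MAB is marked by
# Service-Type = Call-Check (10). Secret/authenticator values are constructed.
import hashlib
import re

USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, EAP_MESSAGE = 31, 79
SERVICE_TYPE_CALL_CHECK = 10


def normalize_mac(mac: str, sep: str = "") -> str:
    """Accept 00.0a.95.7f.de.06, 00-0A-95-7F-DE-06 or 000a.957f.de06 and
    return the 12 hex digits, lower-case, joined by `sep`."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does to recover the password; NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mab_request_as_pap(mac: str, secret: bytes, authenticator: bytes) -> dict:
    """Works with any RADIUS server: User-Name and User-Password are both the MAC."""
    user = normalize_mac(mac).encode()
    return {
        USER_NAME: user,
        USER_PASSWORD: hide_user_password(user, secret, authenticator),
        CALLING_STATION_ID: normalize_mac(mac, "-").upper().encode(),
    }


def mab_request_as_host_lookup(mac: str) -> dict:
    """ACS/ISE optimisation: no password; Service-Type Call-Check marks it as MAB."""
    return {
        USER_NAME: normalize_mac(mac).encode(),
        SERVICE_TYPE: SERVICE_TYPE_CALL_CHECK,
        CALLING_STATION_ID: normalize_mac(mac, "-").upper().encode(),
    }


def classify_request(attrs: dict) -> str:
    """Server-side view: which kind of authentication is this Access-Request?"""
    if EAP_MESSAGE in attrs:
        return "802.1X"
    if attrs.get(SERVICE_TYPE) == SERVICE_TYPE_CALL_CHECK:
        return "MAB (host lookup)"
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    if USER_PASSWORD in attrs and re.fullmatch(r"[0-9a-f]{12}", user):
        # PAP with a MAC-shaped user name: the "fake password" form of MAB
        return "MAB (PAP)"
    return "other"
```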
IEEE 802.1X with MAB

• MAB enables differentiated access control (e.g. a contractor VLAN, a printer VLAN)
• MAB leverages centralized policy on the AAA server
• Dependency on the IEEE 802.1X timeout delays network access:
  ‒ Default timeout is 30 seconds with three retries (90 seconds total)
  ‒ 90 seconds > DHCP timeout
• MAB requires a database of known MAC addresses (RADIUS, LDAP, ACS)
3 Options For MAB-Related Delays

1. Change the timeout:
   interface GigabitEthernet1/4
    dot1x max-reauth-req 2
    dot1x timeout tx-period 30
   The wait before MAB starts is (max-reauth-req + 1) * tx-period. Make it short enough to prevent timeouts but long enough to allow 802.1X devices to authenticate.
2. "FlexAuth": run MAB first and 802.1X only if MAB fails.
   interface GigabitEthernet1/4
    authentication order mab dot1x
    authentication priority dot1x mab
   The first packet from the device will trigger MAB. Priority matters! (www.cisco.com/go/ibns -> Whitepapers)
3. Low Impact deployment scenario (see Scenario 2).
Prepare for additional control plane traffic.
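As an added example (not from the deck), a parser for the interface commands shown above that computes how long a clientless endpoint waits before MAB starts under each option and flags configurations where that wait exceeds the endpoint's DHCP client timeout. The 60-second DHCP timeout is an assumed typical value; the IOS defaults are the ones the slides state.

```python
# Added example, not from the deck: model the MAB start delay for the three
# options above. DHCP_CLIENT_TIMEOUT is an assumed typical value; tx-period 30
# and max-reauth-req 2 are the IOS defaults the slides state.
from dataclasses import dataclass
from typing import List, Tuple

DHCP_CLIENT_TIMEOUT = 60  # assumed: seconds before a typical DHCP client gives up


@dataclass
class PortAuthConfig:
    tx_period: int = 30                         # dot1x timeout tx-period (default)
    max_reauth_req: int = 2                     # dot1x max-reauth-req (default)
    order: Tuple[str, ...] = ("dot1x", "mab")   # authentication order (default)
    open_mode: bool = False                     # authentication open


def parse_interface_config(lines: List[str]) -> PortAuthConfig:
    """Pick the timer-, order- and open-related commands out of an interface stanza."""
    cfg = PortAuthConfig()
    for raw in lines:
        t = raw.split()
        if t[:3] == ["dot1x", "timeout", "tx-period"]:
            cfg.tx_period = int(t[3])
        elif t[:2] == ["dot1x", "max-reauth-req"]:
            cfg.max_reauth_req = int(t[2])
        elif t[:2] == ["authentication", "order"]:
            cfg.order = tuple(t[2:])
        elif t == ["authentication", "open"]:
            cfg.open_mode = True
    return cfg


def dot1x_timeout(cfg: PortAuthConfig) -> int:
    """Seconds of unanswered EAP Request-Identity frames before 802.1X gives up:
    the first request plus max-reauth-req retries, tx-period seconds apart."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def seconds_until_mab(cfg: PortAuthConfig) -> int:
    """FlexAuth: with MAB first in the order, the endpoint's first packet
    triggers MAB at once; otherwise MAB waits for the 802.1X timeout."""
    if cfg.order and cfg.order[0] == "mab":
        return 0
    return dot1x_timeout(cfg)


def assess(cfg: PortAuthConfig) -> Tuple[int, str]:
    """Return (seconds until MAB, verdict) for a clientless endpoint on this port."""
    wait = seconds_until_mab(cfg)
    if cfg.open_mode:
        # Low Impact / Monitor Mode: DHCP is not held up by the 802.1X timeout
        return wait, "ok: open port, DHCP can pass before authentication completes"
    if wait > DHCP_CLIENT_TIMEOUT:
        return wait, f"risk: clientless device waits {wait}s, longer than the DHCP timeout"
    return wait, "ok: MAB starts before the DHCP client gives up"
```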
MAC Databases: Device Discovery
Find It
• Leverage Existing Asset Database
• e.g. Purchasing Department, CUCM
Build It
• Bootstrap methods to gather data
• e.g. SNMP, Syslog, Accounting
Buy It
• Automated Device Discovery
• e.g. ISE
Building Your MAB Database: Export Phone MACs From CUCM
Building Your MAB Database: Wildcard Rules Based on MAC Prefixes

Example MAC: 00-04-0D-9D-BE-59. Its first three octets (00-04-0D) are the Organizationally Unique Identifier (OUI):
• Assigned by IEEE
• Identifies the device vendor and possibly the device type
Building Your MAB Database: Profiling Tools Are Evolving

• Profiler (ISE 1.1): classifies endpoints from SNMP, DHCP and MAC OUI data, alongside the RADIUS Access-Request and LDAP lookups
• IOS Sensor (IOS 15.0(1)SE1): the switch collects the same SNMP, DHCP and MAC OUI attributes and forwards them to ISE in RADIUS Accounting
To Fail or Not to Fail MAB? Two options for unknown MAC addresses

Option 1: MAB fails; control of the session passes to the switch.
   Switch -> AAA: RADIUS Access-Request (MAB)
   AAA -> Switch: RADIUS Access-Reject
   Switch-local outcomes: 1) no access, 2) switch-based Web-Auth, 3) Guest VLAN
Option 2: the MAC is unknown but MAB "passes"; apply the guest policy.
   Switch -> AAA: RADIUS Access-Request (MAB)
   AAA -> Switch: RADIUS Access-Accept (guest policy)
   • AAA server determines policy for unknown endpoints (e.g. network access levels, re-auth policy)
   • Good for centralized control & visibility of guest policy (VLAN, ACL)
Deployment Considerations: Authorization

Thinking About Authorization
Of the planning areas (authentication, authorization, policy, desktops, multiple endpoints, confidentiality, teamwork & organization), the authorization-related items are:
• Authorization: pre-auth access, VLAN, ACL, failed authentication, AAA server down
• Multiple Endpoints: phones, link state, VMs, desktop switches
Authorization Options: Pre-Authentication

Default: closed (only EAPoL passes before authentication).
• Open: switch(config-if)#authentication open
• Selectively open: switch(config-if)#authentication open together with switch(config-if)#ip access-group PRE-AUTH in
Authorization Options: Passed Authentication

Default: open (static switchport VLAN and port ACL). Alternatives for an authenticated user such as Alice: dynamic ACL, dynamic VLAN.
Authorization Options: Failed 802.1X

Default: closed.
• Auth-Fail VLAN: switch(config-if)#authentication event fail action authorize vlan 50
• Next-method*: switch(config-if)#authentication event fail action next-method
*Final authorization determined by the results of the next method
Authorization Options: No Client

Default: closed.
• Guest VLAN: switch(config-if)#authentication event no-response action authorize vlan 51
• Next-method*: switch(config-if)#mab
*Final authorization determined by the results of the next method
Authorization Options: AAA Server Dead

Default: closed.
• Critical VLAN: switch(config-if)#authentication event server dead action authorize vlan 52
Authorization: Single-MAC Filtering

Default: single-host mode. Multiple MACs are not allowed on the port, to ensure the validity of the authenticated session; this applies in Open and Closed Mode. Sources of multiple MACs: hubs, VMware, phones, gratuitous ARP...
   interface fastEthernet 3/48
    dot1x pae authenticator
    authentication port-control auto
Modifying Single-MAC Filtering For IP Phones: Multi-Domain Authentication (MDA) Host Mode

   interface fastEthernet 3/48
    dot1x pae authenticator
    authentication port-control auto
    authentication host-mode multi-domain
• IEEE 802.1X default: a single device per port. MDA: a single device per domain (data domain, voice domain) per port
• MDA replaces CDP Bypass
• Supports Cisco & 3rd-party phones
• Phones and PCs use 802.1X or MAB
Modifying Single-MAC Filtering For Virtualized Endpoints: Multi-Authentication Host Mode

   interface fastEthernet 3/48
    dot1x pae authenticator
    authentication port-control auto
    authentication host-mode multi-auth
• MAC-based enforcement for each device (e.g. each VM behind the port)
• Each device authenticates with 802.1X and/or MAB
Authorization Summary

Authentication status: default authorization / alternative 1 / alternative 2
• Pre-802.1X / MAB: Closed / Open / Selectively Open
• Successful 802.1X: Open / Dynamic VLAN / Dynamic ACL
• Successful MAB: Open / Dynamic VLAN / Dynamic ACL
• Failed 802.1X: Closed / Auth-Fail VLAN / Next Method
• Failed MAB: Closed / Guest VLAN / Next Method
• No 802.1X (no client): Closed / Guest VLAN / Next Method
• No 802.1X, MAB (server down): Closed / Critical VLAN / (none)
The host mode (single-host, multi-auth, multi-domain-auth) applies on top of these options; which host mode fits which row is left as a question on the slide.
Deployment Scenarios: Implementing Phased Deployments

Thinking About Deployment Scenarios
All planning areas now come into play:
• Authentication: credentials, DBs, EAP, supplicants, agentless, order/priority
• Authorization: pre-auth, VLAN, ACL, failed auth, AAA down
• Desktops: Windows GPO, machine auth, PXE, WoL, VM
• Policy: definition, enforcement, rollout
• Teamwork & Organization: network, IT, desktop
• Multiple Endpoints: phones, link state, VMs, desktop switches
• Confidentiality: encryption
Three Deployment Scenarios
Monitor Mode
• Authentication Without Access Control
Low Impact Mode
• Minimal Impact to Network and Users
Closed Mode
• Logical Isolation
• Formerly “High Security”
Scenario 1: Monitor Mode Overview

Monitor Mode goals:
• No impact to existing network access
• See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
• Deterrence through accountability

Monitor Mode how-to:
• Enable 802.1X & MAB
• Enable open access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except that authentications still occur
• Enable multi-auth host mode
• No authorization
Monitor Mode: Switch

Switch global config (basic 802.1X/MAB):
 aaa new-model
 aaa authentication dot1x default group radius
 aaa authorization network default group radius
 aaa accounting dot1x default group radius
 radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
 radius-server vsa send authentication
 authentication mac-move permit

Switch interface config (authentication open and host-mode multi-auth are what make this Monitor Mode):
 interface GigabitEthernet1/4
  switchport access vlan 60
  switchport mode access
  switchport voice vlan 61
  authentication host-mode multi-auth
  authentication open
  authentication port-control auto
  mab
  dot1x pae authenticator
  authentication violation restrict
Monitor Mode: AAA Server and Endpoints

AAA server: should be fully configured except for authorization policy:
• Communication with AAA clients (i.e. switches)
• Communication with the credential repository (e.g. AD, MAC database)
• PKI (CA certs, server cert)
• EAP configuration
• MAB configuration

Endpoints: should be fully configured:
• PKI (CA certs, client cert) or other credentials
• Supplicants configured & installed everywhere supported
• Enable machine auth
• Enable user auth if needed
Monitor Mode: Next Steps

Use the RADIUS authentication & accounting logs:
• Passed/failed 802.1X: who has bad credentials? Misconfigurations?
• Passed/failed MAB attempts: what don't I know?
Next steps: improve accuracy, evaluate remaining risk, leverage information, prepare for access control.
Information Pays For Itself: ROI Without Access Control

Example RADIUS accounting record (Interim-Update), as attribute(number) = example value:
 Acct-Status-Type(40) = Interim-Update
 User-Name(1) = scadora
 Framed-IP-Address(8) = 10.100.41.200
 Calling-Station-Id(31) = 00-1E-4A-A9-00-A8
 Called-Station-Id(30) = 00-1F-6C-3E-56-8F
 NAS-IP-Address(4) = 10.100.10.4
 NAS-Port-Type(61) = Ethernet
 NAS-Port-Id(87) = FastEthernet2/48
 Service-Type(6) = Framed-User
 Acct-Session-Time(46) = 27
 Acct-Input-Octets(42) = 2614
 Acct-Output-Octets(43) = 2469
 Acct-Input-Packets(47) = 7
 Acct-Output-Packets(48) = 18
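As an added example (not from the deck), correlating accounting records like the one above to answer the question Monitor Mode lets you ask: which user and MAC address was behind a given IP, on which switch and port, and is that session still up? The records are constructed sample data in an "Attribute(number) = value" layout; a real collector's export would need its own parser in place of parse_records().

```python
# Added example, not part of the deck: build a session table from RADIUS
# accounting records and look up an IP address. SAMPLE_RECORDS is constructed
# sample data; attribute names are the standard RADIUS ones shown on the slide.
import re
from typing import Dict, List, Tuple

SAMPLE_RECORDS = """\
Acct-Status-Type(40) = Start
Acct-Session-Id(44) = 0000001A
User-Name(1) = scadora
Calling-Station-Id(31) = 00-1E-4A-A9-00-A8
NAS-IP-Address(4) = 10.100.10.4
NAS-Port-Id(87) = FastEthernet2/48

Acct-Status-Type(40) = Interim-Update
Acct-Session-Id(44) = 0000001A
User-Name(1) = scadora
Framed-IP-Address(8) = 10.100.41.200
Calling-Station-Id(31) = 00-1E-4A-A9-00-A8
NAS-IP-Address(4) = 10.100.10.4
NAS-Port-Id(87) = FastEthernet2/48
Acct-Session-Time(46) = 27

Acct-Status-Type(40) = Start
Acct-Session-Id(44) = 0000002B
User-Name(1) = 000a957fde06
Calling-Station-Id(31) = 00-0A-95-7F-DE-06
NAS-IP-Address(4) = 10.100.10.4
NAS-Port-Id(87) = FastEthernet2/47

Acct-Status-Type(40) = Stop
Acct-Session-Id(44) = 0000001A
User-Name(1) = scadora
Framed-IP-Address(8) = 10.100.41.200
Calling-Station-Id(31) = 00-1E-4A-A9-00-A8
NAS-IP-Address(4) = 10.100.10.4
NAS-Port-Id(87) = FastEthernet2/48
Acct-Session-Time(46) = 3600
"""

ATTR_LINE = re.compile(r"^\s*([A-Za-z-]+)\(\d+\)\s*=\s*(.+?)\s*$")
STATE_BY_STATUS = {"Start": "active", "Interim-Update": "active", "Stop": "closed"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per blank-line-separated record; the (number) suffix is dropped."""
    records, current = [], {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def build_sessions(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Merge records per (NAS, session id). Framed-IP-Address usually appears
    only in Interim-Update/Stop, so later records fill in what Start lacked."""
    sessions = {}
    for rec in records:
        key = (rec.get("NAS-IP-Address", ""), rec.get("Acct-Session-Id", ""))
        s = sessions.setdefault(key, {"state": "unknown"})
        status = rec.get("Acct-Status-Type", "")
        s.update({k: v for k, v in rec.items() if k != "Acct-Status-Type"})
        s["state"] = STATE_BY_STATUS.get(status, s["state"])
    return sessions


def is_mab_session(s: Dict[str, str]) -> bool:
    """MAB sessions carry the MAC itself as User-Name: no real user behind them."""
    user = s.get("User-Name", "").lower()
    mac = re.sub(r"[^0-9a-fA-F]", "", s.get("Calling-Station-Id", "")).lower()
    return bool(mac) and user == mac


def who_had_ip(sessions, ip: str) -> List[Dict[str, object]]:
    """Every session (open or closed) in which the endpoint held this address."""
    return [
        {"user": s.get("User-Name"), "mac": s.get("Calling-Station-Id"),
         "nas": s.get("NAS-IP-Address"), "port": s.get("NAS-Port-Id"),
         "state": s["state"], "mab": is_mab_session(s)}
        for s in sessions.values() if s.get("Framed-IP-Address") == ip
    ]
```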
Preparing for Access Control: Fix 802.1X

Observed failures. Root cause: an untrusted or self-signed certificate on the AAA server. Fix: import a server certificate signed by the enterprise CA.
Helpful supplicants for diagnosing this: SSC/AC3.0/Win7. Not as helpful: XP SP2.
Preparing for Access Control: Learn MACs

Observed failure: MAB attempts from MAC addresses not yet in the database. Fix: add the learned MACs to the MAC database (e.g. via a MAC.CSV import).
Monitor Mode In a Nutshell

Summary: authentication without authorization
Benefits: extensive network visibility; no impact to endpoints or network
Limitations: no access control
Next steps: monitor the network; evaluate remaining risk; prepare for access control
Scenario 2: Low Impact Mode

Low Impact Mode goals:
• Begin to control/differentiate network access
• Minimize impact to existing network access
• Retain the visibility of Monitor Mode
"Low Impact" == no need to re-architect your network: keep the existing VLAN design and minimize LAN changes.

Low Impact Mode how-to:
• Start from Monitor Mode
• Add ACLs, dACLs and flex-auth
• Limit the number of devices connecting to a port
• Add new features to support IP phones
Low Impact Mode: Switch

Pre-authentication port authorization state: block general access until successful 802.1X, MAB or WebAuth; pinhole explicit TCP/UDP ports to allow desired access.

Switch global config (add to Monitor Mode):
 ip device tracking

Switch interface config (from Monitor Mode; the PRE-AUTH port ACL is the Low Impact addition):
 interface GigabitEthernet1/4
  switchport access vlan 60
  switchport mode access
  switchport voice vlan 61
  ip access-group PRE-AUTH in
  authentication open
  authentication port-control auto
  mab
  dot1x pae authenticator
  authentication violation restrict
Pre-Auth ACL Considerations

The pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network. Recommendations: use the least restrictive ACL that you can; time-sensitive traffic is a good candidate for the ACL.

Approach 1: selectively block traffic
• Selectively protect certain assets/subnets
• Low risk of inadvertently blocking wanted traffic
• Example: block unauthenticated users from Finance servers

Approach 2: selectively allow traffic
• More secure, better control
• May block wanted traffic
• Example: only allow pre-auth access for PXE devices to boot
Low Impact Mode: AAA Server

Configure downloadable ACLs (dACLs) for authenticated users. ACL entries shown on the slide (the pre-auth ACL pinholes, and the applied dACL entry in which the switch has substituted the endpoint's address 10.100.20.200):
 permit ip host 10.100.20.200 any
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
• The switch dynamically substitutes the endpoint's address for the source of each dACL entry
• Contents of the dACL are arbitrary
• You can have as many unique dACLs as there are user permission groups
• Same principles as the pre-auth port ACL
Example: Using Low Impact Mode to bootstrap a new phone

• The pre-auth ACL allows just enough access for config and CTL download from the TFTP server 10.100.10.238
• The new config enables 802.1X on the phone
• After 802.1X, the phone has full access
ACL entries shown (pre-auth pinholes plus the applied dACL entry for the phone at 10.100.20.200):
 permit ip host 10.100.20.200 any
 permit udp any any eq bootps
 permit udp any host 10.100.10.238 eq tftp
 permit udp any host 10.100.10.238 range 32768 61000
Dynamic ACL Types for Authentication

Downloadable ACL: configured on ACS; centralized; no size limitation*; requires ACS. 802.1X/MAB support: 3K 12.2(50)SE, 4K 12.2(50)SG, 6K 12.2(33)SXI. Web-Auth support: 3K 12.2(50)SE, 4K 12.2(50)SG, 6K 12.2(33)SXI.
Per-User ACL: configured on the AAA server; centralized; length limited to RADIUS packet size*; supports 3rd-party AAA servers. 802.1X/MAB support: 3K 12.2(50)SE, 4K 12.2(52)SG, 6K 12.2(33)SXI3. Web-Auth: not supported.
Filter-Id ACL: ACL name on the AAA server, ACL contents on the switch; distributed; no size limitation*; supports 3rd-party AAA servers. 802.1X/MAB support: 3K 12.2(50)SE, 4K 12.2(52)SG, 6K 12.2(33)SXI3. Web-Auth support: 3K 12.2(50)SE; 4K and 6K not supported.
Proxy ACL: configured on the AAA server; centralized; Web-Auth only; length limited to RADIUS packet size*; supports 3rd-party AAA servers. 802.1X/MAB: not supported. Web-Auth support: 3K 12.2(35)SE, 4K 12.2(50)SG; 6K not supported.
*Size refers to the defined length of the ACL. TCAM limits on the switch still apply.
ACL Rules of Thumb

• For wired deployments, use downloadable ACLs
• For wired and wireless, and if no ACS/ISE or no WebAuth, use Filter-ID ACLs (distributed)
• If no ACS/ISE or no WebAuth, use per-user ACLs (centralized)
• Try to avoid WebAuth Proxy ACLs
Handling dACLs without PACLs

Before 12.2(54)SG and 12.2(55)SE: a switch that receives a dACL for a port without a PACL will fail authorization (%AUTHMGR-5-FAIL).
After 12.2(54)SG and 12.2(55)SE: the switch will automatically attach a default PACL called "Auth-Default-ACL" and then apply the dACL (%EPM-6-AUTH_ACL: POLICY Auth-Default-ACL).
Tip: use this for a graceful transition from Monitor Mode.
Reduce dynamic ACL configuration: the "open directive" (12.2(54)SG, 12.2(55)SE)

 Switch(config)#epm access-control open

Default behavior:
• If the RADIUS server returns a dynamic ACL, the dynamic ACL is applied.
• If no dynamic ACL is downloaded, the pre-auth port ACL controls the port, so every endpoint must be assigned a dynamic ACL.
With the open directive configured:
• If the RADIUS server returns a dynamic ACL, the dynamic ACL is applied.
• If no dynamic ACL is returned, the switch automatically creates a "permit ip host <endpoint> any" entry for the authenticated host, i.e. permit ip any any for that host.
Example pre-auth port ACL on the slide:
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
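As an added example (not from the deck) covering the dACL substitution and phone-bootstrap slides above as well as the open directive: a small evaluator for the IOS-style extended ACL entries used on these slides. It shows the pre-auth pinholes in action, the dACL as applied after the switch substitutes the endpoint's address for the source "any", and the fallback when no dACL is returned with and without the open directive. The ACL grammar is limited to what the slides use; the port-name table is an assumed small subset.

```python
# Added example, not from the deck: evaluate IOS-style ACL entries for the
# pre-auth port ACL, the address-substituted dACL, and the open-directive
# fallback. Grammar covers only the keywords the slides use; PORT_NAMES is an
# assumed subset of the IOS port-name table.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Ace:
    action: str                     # permit | deny
    proto: str                      # ip | tcp | udp
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dports: Optional[range] = None  # destination port range, None = any
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    established: bool = False       # TCP ACK/RST set, as IOS "established" checks


def _parse_addr(t: List[str], i: int):
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2      # network + wildcard mask


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    ace = Ace(t[0], t[1], src, dst)
    while i < len(t):
        if t[i] == "eq":
            p = _port(t[i + 1]); ace.dports = range(p, p + 1); i += 2
        elif t[i] == "range":
            ace.dports = range(_port(t[i + 1]), _port(t[i + 2]) + 1); i += 3
        elif t[i] == "established":
            ace.established = True; i += 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return ace


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    kind, rest = spec.split()
    a = int(ipaddress.IPv4Address(ip))
    if kind == "host":
        return a == int(ipaddress.IPv4Address(rest))
    net, wild = int(ipaddress.IPv4Address(kind)), int(ipaddress.IPv4Address(rest))
    keep = 0xFFFFFFFF ^ wild            # wildcard bits are "don't care"
    return a & keep == net & keep


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; implicit deny at the end, as on IOS."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
            continue
        if ace.dports is not None and pkt.dport not in ace.dports:
            continue
        if ace.established and not pkt.established:
            continue
        return ace.action
    return "deny"


def effective_acl(port_acl: List[Ace], dacl: Optional[List[Ace]], host_ip: str,
                  open_directive: bool = False) -> List[Ace]:
    """What governs the authenticated host's traffic, per the slides:
    a returned dACL (source "any" replaced by the host), else with the open
    directive a single permit-ip-host entry, else the pre-auth port ACL."""
    if dacl:
        return [Ace(a.action, a.proto, f"host {host_ip}" if a.src == "any" else a.src,
                    a.dst, a.dports, a.established) for a in dacl]
    if open_directive:
        return [Ace("permit", "ip", f"host {host_ip}", "any")]
    return list(port_acl)
```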
Low Impact: Failed Authentication

Reminder: devices that fail 802.1X will have restricted access (the pre-auth ACL). Question: is that sufficient access?
Alternative: configure a fallback authentication method (e.g. MAB) with an appropriate authorization policy.

Switch interface config:
 interface GigabitEthernet1/4
  switchport access vlan 60
  switchport mode access
  switchport voice vlan 61
  ip access-group PRE-AUTH in
  authentication event fail action next-method
  authentication open
  authentication port-control auto
  mab
  dot1x pae authenticator

Example: an SSC endpoint whose certificate has expired fails 802.1X and can't get to the IT website under the pre-auth ACL. With fail action next-method, MAB passes and HTTP is now allowed, even though the certificate is still expired.
Low Impact: Tune the Host Mode

Reminder: with multi-auth, multiple devices are allowed per port.
Suggestion: in Low Impact Mode, transition to multi-domain (for IP telephony) or single-host (non-IPT).

Switch interface config:
 interface GigabitEthernet1/4
  switchport access vlan 60
  switchport mode access
  switchport voice vlan 61
  ip access-group PRE-AUTH in
  authentication host-mode multi-domain
  authentication open
  authentication event fail action next-method
  authentication port-control auto
  mab
  dot1x pae authenticator
Low Impact In a Nutshell

Summary: default open + pre-auth ACL; differentiated access control using dynamic ACLs
Benefits & limitations: minimal impact to endpoints; minimal impact to network; no L2 isolation; some access prior to authentication
Recommendations: start with the least restrictive port ACLs; use downloadable ACLs if you have ACS; use the open directive to reduce dACL config
Scenario 3: Closed Mode

Closed Mode goals:
• No access before authentication
• Rapid access for non-802.1X-capable corporate assets
• Logical isolation of traffic at the access edge (Network Virtualization Solution; see BRKRST-2033 for more on Network Virtualization)

Closed Mode how-to:
• Return to the default "closed" access
• Change timers or the authentication order
• Implement identity-based VLAN assignment
Closed Mode: Switch

Switch global config (add to Monitor Mode):
 aaa authorization network default group radius
 vlan 60
  name data
 vlan 61
  name voice
 vlan 62
  name video
 vlan 63
  name fail-guest-critical

Switch interface config:
 interface GigabitEthernet1/4
  switchport access vlan 60
  switchport mode access
  switchport voice vlan 61
  no authentication open
  authentication event fail action authorize vlan 63
  authentication event no-response action authorize vlan 63
  authentication event server dead action authorize vlan 63
  authentication port-control auto
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
The three "authentication event" lines assign the Auth-Fail VLAN, the Guest VLAN* and the Critical VLAN respectively (all VLAN 63 here).
*Guest VLAN is not needed if the AAA server has an Unknown MAC policy.
Beware tx-period in Closed Mode: with no pre-auth access, the 802.1X timeout is the only thing gating non-802.1X devices.
Closed Mode: AAA Server

• If no VLAN is sent, the switch will use the static switchport VLAN
• Configure dynamic VLANs for any user that should be in a different VLAN
Dynamic VLANs Impact Your Network

Example: VLAN 10 DATA (10.10.10.x/24, G0/1), VLAN 20 VOICE (10.10.20.x/24, G0/2), VLAN 30 MACHINE (10.10.30.x/24, G0/3), VLAN 40 ENG (10.10.40.x/24, G0/4), VLAN 50 UNAUTH (10.10.50.x/24, G0/5), each with its own routed network interface.
• More VLANs to trunk (multi-layer deployments)
• More subnets to route
• Every assignable VLAN must be defined on every access switch
Best practice: use the fewest possible number of VLANs.
Dynamic VLANs Can Impact Endpoints
Non-802.1X Endpoints
• Unaware of VLAN changes, no mechanism to change IP address
• Best Practice: Dynamic VLAN in Closed Mode only
Older 802.1X Endpoints (e.g. Windows XP)
• Supplicants can renew IP address on VLAN change but OS and underlying processes may not handle IP address change gracefully
• Best Practice: Use same VLAN for User and Machine Authentication (Windows)
Newer 802.1X Endpoints (e.g. Windows Vista, 7)
• Supplicant and OS can handle VLAN/IP address changes
• Best Practice: Use the VLAN policy that best matches your security policy.
802.1X, Dynamic VLANs, and WoL

802.1X + WoL challenge:
• Device flaps link when sleeping
• 802.1X session cleared
• No network access (closed mode)
• WoL packet can't get through
Solution: unidirectional access control, which only controls traffic coming in from the host, so a WoL packet can still reach it:
 interface fastEthernet 3/48
  dot1x pae authenticator
  authentication port-control auto
  authentication control-direction in

802.1X + WoL + dynamic VLAN:
• Devices flap link when they sleep
• 802.1X session cleared
• VLAN reverts to the access VLAN
• WoL packet goes to the dVLAN subnet, where the device no longer is
Dynamic VLAN + WoL solutions:
• Don't assign VLANs to WoL devices
• Use Low Impact Mode
• Use a hardware (Intel AMT) supplicant
Avoid VLAN Name Changes with User Distribution

Traditional VLAN assignment is by VLAN name: an Access-Accept with VLAN: corporate maps to VLAN 30 (name corporate) on switch1, while switch2 uses VLAN 31 with the name corporate-2.
User Distribution assigns by VLAN group (or name):
 vlan 30
  name corporate
 vlan 31
  name corporate-2
 vlan group corporate vlan-list 31
• Allows flexible adaptation in existing environments
• No need to reconfigure existing VLANs
• Also enables load balancing
Limited Dynamic VLAN Assignment Now Available for Multi-Auth (12.2(55)SE, 15.0(2)SG, 12.2(33)SXJ)

• The first successful authentication (e.g. an Access-Accept with VLAN: BLUE for a VM) "locks" the data VLAN
• Subsequent endpoints on the port must get assigned the same VLAN (VLAN: BLUE) or no VLAN
Critical VLAN Now Supported With Multi-Auth (12.2(52)SE, 15.0(2)SG, 12.2(33)SXJ1)

 switch(config-if)#authentication event server dead action authorize vlan 52      (Critical VLAN)
 switch(config-if)#authentication event server dead action reinitialize vlan 52
Phones Rely on RADIUS Server

Normal operation for phone 00.18.ba.c7.bc.ee:
 Switch -> AAA: RADIUS Access-Request: 00.18.ba.c7.bc.ee
 AAA -> Switch: RADIUS Access-Accept, device-traffic-class=voice
 Voice VLAN enabled. "Only the VSA can save the phone!"
When the AAA server is dead, this config does not save phones, because the critical authorization enables only the data VLAN:
 interface fastEthernet 3/48
  dot1x pae authenticator
  authentication port-control auto
  authentication event server dead action authorize
Critical Voice VLAN Saves Phones When AAA Server Dies (15.0(1)SE, 15.0(2)SG, 12.2(33)SXJ1)

 interface fastEthernet 3/48
  dot1x pae authenticator
  authentication port-control auto
  authentication event server dead action authorize
  authentication event server dead action authorize voice
With both commands, phone 00.18.ba.c7.bc.ee gets the data VLAN and the voice VLAN enabled:
 #show authentication session int f3/48
 ...
 Critical Authorization is in effect for domain(s) DATA and VOICE
Extending the Network Edge

Hubs on an 802.1X network:
• introduce multiple MACs per port
• may not actually be hubs
• are not managed devices
Ideally, an extended edge:
• extends trust and policy
• uses a managed device
• works on any access port
Network Edge Authentication Topology (NEAT)

1) The NEAT-capable Supplicant Switch (SSw) authenticates itself to the Authenticator Switch (ASw):
   SSw -> ASw: EAP-Response: SSw
   ASw -> AAA: RADIUS Access-Request [AVP: EAP-Response: SSw]
   AAA -> ASw: RADIUS Access-Accept [device-traffic-class=switch]
2) ASw converts the port to a trunk
3) SSw authenticates users and devices in the conference room:
   Alice -> SSw: EAP-Response: Alice
   SSw -> AAA: RADIUS Access-Request [AVP: EAP-Response: Alice]
   AAA -> SSw: RADIUS Access-Accept [VLAN Yellow]
4) ASw learns authenticated MACs via the Client Information Signaling Protocol (CISP):
   SSw -> ASw: CISP: Allow Alice's MAC
Closed In a Nutshell

Summary: default closed; differentiated access control using dynamic VLANs
Benefits & limitations: logical isolation at L2; no access for unauthorized endpoints; impact to network; impact to endpoints
Recommendations: use the fewest VLANs possible; know which devices can't change VLANs; User Distribution helps with VLAN names; enable the Critical Voice VLAN; consider NEAT as needed
Troubleshooting: Failed Authorizations, Failed Authentications, Timeout-related Issues, Server-dead Issues, IP Telephony Issues
Troubleshooting In Perspective

Enterprise customer: 70,000 endpoints, Windows native supplicant, PEAP-MSCHAPv2.
Additional support staff:
‒ < 5 hours / week
‒ "The typical user is unaware of the 802.1X implementation."
Troubleshooting Methodology

• Develop & document a methodology
• Be aware of role dependencies
• Start where information density is highest
• A good AAA server can diagnose most failed authentications
• The switch (CLI, SNMP, syslog) helps with failed authorizations and current port status
• Client-side info is sometimes helpful
• Sniffer traces are often definitive

Client-side log locations:
• Cisco SSC: C:\Documents And Settings\All Users\Application Data\Cisco\Cisco Secure Services Client (XP) or C:\ProgramData\Cisco\Cisco Secure Services Client (Vista/7)
• Microsoft native supplicant: enable tracing with
   netsh ras set tracing eapol enable
   netsh ras set tracing rastls enable
  and read %systemroot%\tracing\EAPoL.log
© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3005 Cisco Public
802.1X Passed Authentication: Expected
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → AAA-based Authz? Y → Switch config’d for authz? Y → Rcv’d dACL? Y → Port ACL defined on switch? Y → Port ACL + dACL. Rcv’d dynamic VLAN? Y → VLAN defined on switch? Y → Dynamic VLAN. Any N branch → Static Port Config: Switchport VLAN + Port ACL (if any). Closed Mode and Low Impact Mode shown.]
802.1X Passed Authentication Problems: Dynamic Authorization Not Enabled
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → AAA-based Authz? Y → Switch config’d for authz? N → Static Port Config: Switchport VLAN + Port ACL (if any).]
Authorization Problem 1: Configuration
Detection: Difficult to detect (no indication that 802.1X is to blame)
Root Cause: Incomplete Switch Config
Resolution: (config)# aaa authorization network default group radius
End User
• Access: default port config
• “I don’t have enough access” or “I have too much access”
AAA Server
• Authentication Passed
Access Switch
• Port is authorized but without dynamic VLAN or dACL
• No syslog -- this is not an error
802.1X Passed Authentication Problems: ACL Not Configured
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → AAA-based Authz? Y → Switch config’d for authz? Y → Rcv’d dACL? Y → Port ACL defined on switch? N → ACL Enhancement? N → Authz Fail: Quiet Period. Other N branches → Static Port Config: Switchport VLAN + Port ACL (if any).]
Authorization Problem 2: Authentication Passed but ACL Authorization Failed
Detection: Repeating Successful Authentications, Switch syslogs, Absence of Accounting
Root Cause: Incorrect Switch Config, pre-12.2(54)SG
Resolution: (config-if)# ip access-group PRE-AUTH in
End User
• Pre-Authentication Access only
AAA Server
• Authentication Passed
Access Switch
• %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
• %AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
• With “epm logging” configured:
• %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured
802.1X Passed Authentication Problems: Bad VLAN Assignment
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → AAA-based Authz? Y → Switch config’d for authz? Y → Rcv’d dACL? / Rcv’d dynamic VLAN? Y → Port ACL defined on switch? / VLAN defined on switch? (callout: Or VLAN Group!) N → Authz Fail: Quiet Period. Other N branches → Static Port Config: Switchport VLAN + Port ACL (if any).]
Authorization Problem 3: Authentication Passed but VLAN Authorization Failed
Detection: Repeating Successful Authentications, Switch syslogs, Absence of Accounting
Root Cause: Incorrect Switch Config
Resolution: (config-vlan)# name Employee
End User
• Pre-Authentication Access only
AAA Server
• Authentication Passed
Access Switch
• %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
• %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/13
• %AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
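Reading the switch syslogs of Authorization Problems 2 and 3 by hand does not scale once a syslog collector is feeding them in, so here is an added example (my code, not from the deck or from Cisco) that correlates the AUTHMGR, EPM and DOT1X_SWITCH messages per interface and names the likely cause. The sample lines are constructed from the ones shown on these slides: Gi1/13 reuses the slide's MAC, while the MACs on Gi1/14 and Gi1/15 are made up. Note that EPM lines identify the client by MAC rather than by interface, so the classifier keeps a MAC-to-port map from the AUTHMGR result lines.

```python
import re

# Constructed sample switch syslogs, modelled on the lines shown for
# Authorization Problems 2 and 3 and the failed-authentication overview.
SAMPLE_SYSLOGS = [
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13",
    "%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13",
    "%EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| "
    "POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured",
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4455) on Interface Gi1/14",
    "%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/14",
    "%AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi1/14",
    "*Mar 5 11:31:41: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0022.3344.5566) on Interface Gi1/15",
]

RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>\w+)' from '(?P<method>\w+)' "
                       r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
AUTHZ_FAIL_RE = re.compile(r"%AUTHMGR-5-FAIL: Authorization failed for client \((?P<mac>[0-9a-f.]+)\) "
                           r"on Interface (?P<intf>\S+)")
VLAN_RE = re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: .*VLAN (?P<vlan>\S+) to 802\.1x port (?P<intf>\S+)")
EPM_RE = re.compile(r"%EPM-4-POLICY_APP_FAILURE: .*MAC=(?P<mac>[0-9a-f.]+).*POLICY_NAME=(?P<policy>[^ |]+)"
                    r".*REASON=(?P<reason>.+)$")


def short_intf(name):
    """Normalise 'GigabitEthernet1/14' to the 'Gi1/14' form used by AUTHMGR."""
    return name.replace("GigabitEthernet", "Gi")


def classify(lines):
    """Correlate the syslogs per interface and name the most likely problem."""
    ports = {}        # interface -> observations
    mac_to_port = {}  # EPM lines carry the MAC, not the interface
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            port = ports.setdefault(short_intf(m["intf"]), {})
            port["result"] = m["result"]
            mac_to_port[m["mac"]] = port
            continue
        m = AUTHZ_FAIL_RE.search(line)
        if m:
            ports.setdefault(short_intf(m["intf"]), {})["authz_failed"] = True
            continue
        m = VLAN_RE.search(line)
        if m:
            ports.setdefault(short_intf(m["intf"]), {})["missing_vlan"] = m["vlan"]
            continue
        m = EPM_RE.search(line)
        if m and m["mac"] in mac_to_port:
            mac_to_port[m["mac"]]["epm_reason"] = m["reason"].strip()

    verdicts = {}
    for intf, port in ports.items():
        if port.get("result") == "fail":
            verdicts[intf] = "authentication failed: start at the AAA server records"
        elif port.get("missing_vlan"):
            verdicts[intf] = "Problem 3: VLAN '%s' not defined on switch" % port["missing_vlan"]
        elif "Interface ACL not configured" in port.get("epm_reason", ""):
            verdicts[intf] = "Problem 2: dACL received but no port ACL applied (ip access-group ... in)"
        elif port.get("authz_failed"):
            verdicts[intf] = "authorization failed: enable 'epm logging' to see the reason"
        elif port.get("result") == "success":
            verdicts[intf] = "authentication and authorization succeeded"
    return verdicts


if __name__ == "__main__":
    for intf, verdict in sorted(classify(SAMPLE_SYSLOGS).items()):
        print(intf, "->", verdict)
```

Problem 1 on the earlier slide produces no syslog at all, so it stays invisible to this kind of correlation; that is exactly why the deck calls it hard to detect.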
Syslog Collector Can Help Here!
When Syslogs Are Too Much of A Good Thing
Embedded Syslog Manager (ESM)
• Device-level syslog filtering & programmable framework
• Limited platform support
Syslog suppression CLI
• #no [authentication | dot1x | mab] syslog verbose
• limited filtering
Filter by severity
• #logging trap 5
• Filters all syslogs (not just authentication syslogs)
802.1X Failed Authentication Flow
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Fail → > Max Attempt? N → Quiet Period Expires → Start 802.1X; Y → Event fail action config’d? Y → Auth Fail VLAN conf’d? Y → Auth Fail VLAN [1,4]; N → MAB pass? Y → AAA Based Authz [2,3,4]; N → Web-Auth config’d? Y → Valid username / pwd? Y → Valid dACL & priv-lvl=15? Y → dACL + fallback ACL [2,4]; N → fallback ACL [2]. Event fail action not config’d, or Web-Auth not config’d → Restart Timer config’d? Y → Restart Timer Expires → Start 802.1X; N → Pre-Auth Access [2]. Closed Mode and Low Impact Mode shown.]
1 Subject to change on receipt of EAPoL-Logoff
2 All subsequent EAP traffic will be dropped until reauth or link down
3 See 802.1X Passed Flowchart for details
4 May be impacted by supplicant behavior
802.1X Failed Authentication Overview
Detection: End User, AAA records, Switch syslogs
Root Cause: EAP negotiation or credential issue
Resolution: depends on root cause
End User
• Pre-Authentication Access only
AAA Server
• Best source of info for 802.1X failures
• Start Troubleshooting here!
Access Switch
• *Mar 5 11:31:41: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
802.1X Failures: Incompatible EAP Methods
Applies to: All 802.1X authentications
Bonus Question: Why is there a passed auth record after the failure?
Resolution: Configure at least one common EAP method (inner & outer) on ACS and supplicant
Error: Supplicant configured for PEAP, AAA for EAP-TLS
Error: Supplicant configured for PEAP-MSCHAPv2, AAA for PEAP-GTC
AAA server log: 12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in the Allowed Protocols
802.1X Credential Failures: Passwords
Applies to: Password-based EAP methods (PEAP-MSCHAPv2, MD5, EAP-FAST)
Bonus Question: Why is there a passed auth record after this failure?
Error: Known User, Password Expired
Error: Unknown User
Error: Known User, Bad Password
802.1X Credential Failures: Server Certs
Applies to: EAP methods that use server-side TLS tunnel: e.g. EAP-TLS, PEAP
Typical Error Messages:
12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
[Diagram: server certificate issued by a CA; supplicant answers with EAP-Response TLS-Alert: “Unknown CA”]
Windows Tip (screenshot of the supplicant settings): If unclicking this box helps, the supplicant doesn’t trust the server cert!
• Helpful supplicants (SSC/AC3.0/Win7) send TLS-Alerts.
• Helpful AAA servers (ACS/ISE) reflect Alert in logs
• Less helpful supplicants (XP SP2) send bad TLS messages.
• Helpful AAA servers (ISE) display possible reasons
Most Common Root Causes:
• AAA server cert is self-signed
• AAA server cert signed by a CA chain that client doesn’t trust
• AAA server cert disallowed by client’s trusted server rules
• AAA server cert expired
• AAA server cert lacks Server Auth EKU
802.1X Failures: Client Certificate
Applies to: EAP methods that use client-side TLS tunnel: e.g. EAP-TLS
Typical Error Messages:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12515 EAP-TLS failed SSL/TLS handshake because of an expired CRL associated with a CA in the client certificates chain
12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
[Diagram: server certificate issued by the server CA, client certificate issued by the client CA. Server Cert Authentication: Signed by trusted CA; Belongs to allowed server]
Most Common Root Causes:
• Client cert signed by a CA chain that AAA server doesn’t trust
• Client cert expired
• Client cert CRL expired
802.1X Failure vs. 802.1X Timeout
An 802.1X failure occurs when the AAA server rejects the request:
[Sequence diagram, supplicant (SSC) / switch / AAA server: EAPoL Start → EAPoL Request Identity → EAPoL Response Identity → RADIUS Access Request → RADIUS Access Reject → EAP Failure]
A timeout occurs when an endpoint can’t speak 802.1X:
[Sequence diagram: switch sends EAPoL Request Identity; the endpoint has no supplicant (“EAP Who?”) and never answers]
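The two diagrams above differ in what actually crosses the wire, which is why the deck calls sniffer traces definitive. As an added example (my code, not from the deck or from Cisco), the parser below decodes EAPOL frames the way a trace tool would and tells a failure (EAP-Failure after the supplicant answered) from a timeout (Request/Identity repeated with no reply). The frames are constructed in the block; the switch MAC is made up and the client MAC is the one used on these slides.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group address
EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

# Constructed addresses: client MAC from the slides, switch MAC made up.
SWITCH_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("00145e95d6cc")


def eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: code, identifier, length, then type + type-data for Request/Response."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def eapol_frame(src, eapol_type, body=b""):
    """Wrap an EAPOL PDU (protocol version 1) in an Ethernet frame to the PAE group address."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, eapol_type, len(body)) + body


def parse_eapol_frame(frame):
    """Decode one Ethernet frame carrying EAPOL and return its fields as a dict."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    info = {"src": frame[6:12].hex(":"), "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    body = frame[18:18 + length]
    if eapol_type == 0:                          # EAP-Packet: decode the EAP header
        if len(body) < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, code)
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:      # Request/Response carry a type byte
            info["eap_type"] = EAP_TYPES.get(body[4], body[4])
            if code == 2 and body[4] == 1:       # Response/Identity carries the identity string
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def classify_exchange(frames):
    """Failure: EAP-Failure was sent after the AAA server rejected the request.
    Timeout: only Request/Identity from the authenticator, nothing from the endpoint."""
    parsed = [parse_eapol_frame(f) for f in frames]
    codes = [p.get("eap_code") for p in parsed]
    if "Failure" in codes:
        return "802.1X failure (AAA server rejected the request)"
    if "Success" in codes:
        return "802.1X success"
    supplicant_spoke = any(p["eapol_type"] == "EAPOL-Start" or p.get("eap_code") == "Response" for p in parsed)
    only_identity_requests = all(p.get("eap_code") == "Request" and p.get("eap_type") == "Identity" for p in parsed)
    if parsed and not supplicant_spoke and only_identity_requests:
        return "802.1X timeout (endpoint never answered Request/Identity)"
    return "incomplete exchange"


# Constructed traces matching the two diagrams on the slide.
FAILURE_TRACE = [
    eapol_frame(CLIENT_MAC, 1),                                  # EAPoL Start
    eapol_frame(SWITCH_MAC, 0, eap_packet(1, 1, 1)),             # EAPoL Request Identity
    eapol_frame(CLIENT_MAC, 0, eap_packet(2, 1, 1, b"alice")),   # EAPoL Response Identity
    eapol_frame(SWITCH_MAC, 0, eap_packet(4, 2)),                # EAP Failure after RADIUS Access Reject
]
TIMEOUT_TRACE = [eapol_frame(SWITCH_MAC, 0, eap_packet(1, n, 1)) for n in (1, 2, 3)]  # unanswered retransmissions

if __name__ == "__main__":
    print(classify_exchange(FAILURE_TRACE))
    print(classify_exchange(TIMEOUT_TRACE))
```

A trace of a timeout therefore shows nothing but the switch talking to itself; a trace of a failure always carries an EAP Failure, and the reason for it lives on the AAA server, not in the frame.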
802.1X Timeout Authentication Flow
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Time out → MAB config’d? Y → MAB pass? Y → AAA Based Authz*; N → Web-Auth config’d? Y → Valid username / pwd? Y → Valid dACL & priv-lvl=15? Y → dACL + fallback ACL; N → fallback ACL. Web-Auth not config’d → Event no-response config’d? Y → Guest VLAN†; N → Restart Timer config’d? Y → Restart Timer Expires → Start 802.1X; N → Pre-Auth Access. Closed Mode and Low Impact Mode shown.]
* See 802.1X Passed Flowchart for details
† Subject to change on receipt of EAPoL-Start if 802.1X has priority
Common Timeout-Related Problems
Too long
Symptoms
• No IP address
• PXE fail
Root Cause
• DHCP timeout < 802.1X timeout
Solutions
• Shorten timers, MAB first.
• Low Impact Mode.
Too short
Symptoms
• Wrong access levels
• Excessive control traffic
Root Cause
• Switch gives up on 802.1X too soon
Solutions
• Enable EAPoL-Starts
• 802.1X has priority
Just right
Requirement
• Testing in your network
Alternatives
• Low Impact Mode
• MAB first
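The "Document Expected Flows for your Implementation" advice later in the deck is easiest to follow when the flowcharts are written down as something you can run. Here is an added example (my code, not from the deck or from Cisco) that encodes the 802.1X Failed Authentication Flow and the 802.1X Timeout Authentication Flow above as functions of the port configuration, and that checks the "Too long" root cause on this slide (DHCP timeout < 802.1X timeout). Assumptions: the branch ordering is my reading of the two flowcharts, the timer defaults are the IOS defaults for dot1x timeout tx-period (30 s) and dot1x max-reauth-req (2), and the 60 s DHCP client timeout is a constructed value to be replaced by what your clients actually do.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    """Switch port settings that steer the flowcharts. Field comments name the IOS commands;
    the defaults are IOS defaults, everything else is a constructed value."""
    mode: str = "low-impact"               # "low-impact" (pre-auth port ACL) or "closed" (no pre-auth access)
    tx_period: int = 30                    # dot1x timeout tx-period, IOS default 30 s
    max_reauth_req: int = 2                # dot1x max-reauth-req, IOS default 2
    mab: bool = False                      # MAB enabled as the next method
    web_auth: bool = False                 # Web-Auth fallback enabled
    auth_fail_vlan: Optional[str] = None   # authentication event fail action authorize vlan
    fail_next_method: bool = False         # authentication event fail action next-method
    guest_vlan: Optional[str] = None       # authentication event no-response action authorize vlan
    restart_timer: int = 0                 # authentication timer restart (0 = not configured)


WEB_AUTH_STATE = ("Web-Auth: fallback ACL until the user logs in; dACL + fallback ACL "
                  "only if AAA returns a valid dACL with priv-lvl=15")


def seconds_until_timeout(cfg):
    """How long a silent endpoint waits: the first Request/Identity plus max_reauth_req
    retransmissions, one tx_period apart, before the switch declares an 802.1X timeout."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def dhcp_gives_up_first(cfg, dhcp_client_timeout=60):
    """'Too long' root cause: DHCP timeout < 802.1X timeout. 60 s is a constructed client timeout."""
    return dhcp_client_timeout < seconds_until_timeout(cfg)


def pre_auth(cfg):
    """What the port offers while no method has succeeded: depends on the deployment mode."""
    return "Pre-Auth Access (port ACL)" if cfg.mode == "low-impact" else "No access (port unauthorized)"


def restart_or_pre_auth(cfg):
    """Tail of both flowcharts: Restart Timer config'd? Y -> retry after it expires; N -> stay put."""
    if cfg.restart_timer:
        return "%s; Start 802.1X again after %d s restart timer" % (pre_auth(cfg), cfg.restart_timer)
    return pre_auth(cfg)


def after_timeout(cfg, mab_passes=False):
    """802.1X Timeout Authentication Flow (branch order is my reading of the flowchart)."""
    if cfg.mab and mab_passes:
        return "AAA-based authorization (MAB)"
    if cfg.web_auth:
        return WEB_AUTH_STATE
    if cfg.guest_vlan:                      # Event no-response config'd?
        return "Guest VLAN %s" % cfg.guest_vlan
    return restart_or_pre_auth(cfg)


def after_failure(cfg, failed_attempts, max_attempts=1, mab_passes=False):
    """802.1X Failed Authentication Flow (branch order is my reading of the flowchart)."""
    if failed_attempts <= max_attempts:     # > Max Attempt? N -> quiet period, then try again
        return "Quiet period, then Start 802.1X again"
    if cfg.auth_fail_vlan:                  # Event fail action: authorize vlan
        return "Auth-Fail VLAN %s" % cfg.auth_fail_vlan
    if cfg.fail_next_method:                # Event fail action: next-method
        if cfg.mab and mab_passes:
            return "AAA-based authorization (MAB)"
        if cfg.web_auth:
            return WEB_AUTH_STATE
    return restart_or_pre_auth(cfg)


if __name__ == "__main__":
    cfg = PortConfig(mab=True, guest_vlan="GUEST")
    print("802.1X timeout after", seconds_until_timeout(cfg), "s; DHCP gives up first:", dhcp_gives_up_first(cfg))
    print("printer (no supplicant, not in MAB DB):", after_timeout(cfg))
    print("wrong password, 2nd attempt:", after_failure(PortConfig(auth_fail_vlan="AUTHFAIL"), failed_attempts=2))
```

With the IOS defaults the switch waits 90 s before giving up on 802.1X, longer than many DHCP clients wait for a lease, which is the "No IP address / PXE fail" symptom; the fixes on the slide (shorter timers, MAB first, Low Impact Mode) all change the numbers or the order this code walks through.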
802.1X Server Dead Flow
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → AAA dead → Event server dead config’d? Y → Critical VLAN; N → Pre-Auth Access. Re-auth 802.1X → AAA dead → Event server dead config’d? Y → Existing Auth; N → Pre-Auth Access.]
Misconfigurations Can Lead to Appearance of Dead Server
Symptoms:
• All authentications fail from a switch or groups of switches.
• Switch declares a functioning AAA server dead.
• Switch may deploy Critical VLAN.
ACS5 Log / Root Cause / Resolution:
• Root Cause: AAA server does not accept RADIUS requests from this switch. Resolution: Configure AAA server to accept requests from this switch.
• Root Cause: Shared secret is not the same on switch and AAA server. Resolution: Configure same shared secret on switch and AAA server.
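Why does a wrong shared secret look like a dead server rather than a failed authentication? Because RADIUS never sends an error for it. As an added example (my code, not from the deck or from Cisco), the block below builds the two integrity checks that the switch and the AAA server run on each other's packets: the Message-Authenticator that every EAP-carrying Access-Request must have (RFC 3579) and the Response Authenticator on the reply (RFC 2865). Both are keyed by the shared secret; a mismatch on either side is silently discarded, so the switch sees only silence, retries, and marks the server dead. The request authenticator, secrets and attributes are constructed values; "alice" is the identity used throughout the deck.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

# Constructed values: a real Request Authenticator is 16 random bytes and a real
# shared secret is long and unique per switch.
REQUEST_AUTH = bytes(range(16))
SWITCH_SECRET = b"testing123"
SERVER_SECRET_WRONG = b"testing124"
# EAP-Message carrying an EAP Response/Identity for "alice"
REQUEST_ATTRS = [(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")]


def encode_attrs(attr_list):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attr_list)


def build_access_request(ident, request_auth, attr_list, secret):
    """What the switch sends. Message-Authenticator = HMAC-MD5 over the whole packet with the
    attribute's 16 value bytes zeroed, keyed by the shared secret (RFC 3579)."""
    zeroed_attrs = encode_attrs(attr_list + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed_attrs)) + request_auth
    mac = hmac.new(secret, header + zeroed_attrs, hashlib.md5).digest()
    return header + encode_attrs(attr_list + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(packet, secret):
    """The AAA server's check before it even looks at the EAP payload. A mismatch is silently
    discarded, so the switch sees no reply at all, retries, and eventually marks the server dead."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False                                      # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False                                              # absent: required with EAP-Message


def build_access_accept(ident, request_auth, attr_list, secret):
    """What the server sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    attrs = encode_attrs(attr_list)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(response, request_auth, secret):
    """The switch's check on a reply; a reply made with a different secret is dropped as bogus."""
    head, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


if __name__ == "__main__":
    req = build_access_request(1, REQUEST_AUTH, REQUEST_ATTRS, SWITCH_SECRET)
    print("server with matching secret accepts request:", verify_message_authenticator(req, SWITCH_SECRET))
    print("server with wrong secret accepts request:   ", verify_message_authenticator(req, SERVER_SECRET_WRONG))
    acc = build_access_accept(1, REQUEST_AUTH, [], SWITCH_SECRET)
    print("switch accepts reply:", verify_response(acc, REQUEST_AUTH, SWITCH_SECRET))
```

The same silence results when the server has no network-device entry for the switch's source address (the first root cause on the slide): the request is dropped before any of this runs. In both cases the switch-side evidence is a server marked dead, and the server-side evidence is a log entry about a rejected or unknown NAS, which is why the slide points at the ACS5 log.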
802.1X Passed Auth for IP Phones: Expected Behavior with Multi-Domain Authentication (MDA)
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → Rcv’d device-traffic-class=voice? → AAA-based Authz? → Switch config’d for authz? → Rcv’d dACL? → Port ACL defined on switch?; Rcv’d dynamic VLAN? → VLAN defined on switch?. Outcomes: Static Voice VLAN, Port ACL + dACL; Dynamic Voice VLAN; Static Voice VLAN. Closed Mode and Low Impact Mode shown.]
802.1X Passed Authentication for IP Phones: Authorization Problems with MDA
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Pass → Rcv’d device-traffic-class=voice? N → Access to DATA VLAN only → PC behind phone? Y → Security Violation. Voice domain: AAA-based Authz? → Switch config’d for authz? → Rcv’d dACL? → Port ACL defined on switch? N → Authz Fail: Quiet Period; Rcv’d dynamic VLAN? → VLAN defined on switch? N → Authz Fail: Quiet Period → PC behind phone? Y → Security Violation.]
802.1X Failure Flow for IP Phones with MDA
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Fail? → Event fail action next-method? Y → MAB pass? Y → AAA Based Authz*; N → Web-Auth config’d? Y → data VLAN, fallback ACL; N → Pre-Auth Access → PC Behind Phone? Y → Security Violation. Event fail action VLAN? Y → Auth-Fail VLAN. Restart Timer config’d? Y → Restart Timer Expires → Start 802.1X.]
* See 802.1X IP Phone Passed Flowchart for details
802.1X Timeout Flow for IP Phones
[Flowchart, Authentication Process → Final Port Status. Start 802.1X → 802.1X Time Out → MAB config’d? Y → MAB pass? Y → AAA Based Authz*; N → Web-Auth config’d? Y → data VLAN, fallback ACL; N → Event no-response VLAN? Y → Guest VLAN; N → Pre-Auth Access → PC Behind Phone? Y → Security Violation. Restart Timer config’d? Y → Restart Timer Expires → Start 802.1X.]
* See 802.1X IP Phone Passed Flowchart for details
Conclusion
Key Takeaways
Start Simple and Evolve
• Monitor mode before access control
• Least restrictive ACLs, fewest VLANs
Optimize Deployment Scenarios With New Features
Document Expected Flows for your Implementation
• Know where every device & user should / could end up
• Start at a central point, work outward as required – a good AAA server is invaluable
Most Important: Think at the System-Level
‒ Authentication: Credentials, DBs, EAP, Supplicants, Agentless, Order/Priority
‒ Authorization: Pre-Auth, VLAN, ACL, Failed Auth, AAA down
‒ Policy: Definition, Enforcement, Rollout
‒ Desktops: Windows GPO, machine auth, PXE, WoL, VM
‒ Teamwork & Organization: Network, IT, Desktop
‒ Multiple Endpoints: Phones, Link State, VMs, Desktop Switches
‒ Confidentiality: Encryption
Where To Find Out More
Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACSec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
www.cisco.com/go/ibns
www.cisco.com/go/trustsec
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI