© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3005 Cisco Public

Advanced 802.1X Design and Troubleshooting (BRKSEC-3005)
Source PDF: d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSEC-3005.pdf

Page 1:

Advanced 802.1X

Design and Troubleshooting BRKSEC-3005

Page 2:

Legos and IEEE 802.1X: Same pieces, different castles

(Figure: Basic vs. Realistic)

Page 3:

Agenda

Deployment Considerations

‒ Authentication

‒ Authorization

Deployment Scenarios

‒ Monitor Mode

‒ Low Impact Mode

‒ Closed Mode

Troubleshooting

‒ Methodology

‒ Flows

For Your Reference

Real World Example

Page 4:

Deployment Considerations: Authentication

Page 5:

Thinking About Authentication

Planning areas (diagram): Authentication, Authorization, Policy, Teamwork & Organization, Desktops, Multiple Endpoints, Confidentiality. The items called out for Authentication on this slide:

‒ Authentication: Credentials, DBs, EAP, Supplicants, Agentless, Order/Priority

‒ Desktops: Windows GPO, machine auth, PXE, WoL, VM

‒ Teamwork & Organization: Network, IT, Desktop

Page 6:

IEEE 802.1X Provides Port-Based Access Control Using Authentication

Roles: Supplicant (“Client”), Authenticator (“Switch”), Authentication Server (“AAA/RADIUS Server”). EAP over LAN (EAPoL) runs on the Layer 2 point-to-point link between supplicant and authenticator; RADIUS carries the same EAP conversation over the Layer 3 link between authenticator and authentication server.

Beginning:
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAPoL Request Identity
3. Supplicant -> Authenticator: EAP-Response Identity: Alice
4. Authenticator -> Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple challenge-request exchanges possible):
5. Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
6. Authenticator -> Supplicant: EAP-Request: PEAP
7. Supplicant -> Authenticator: EAP-Response: PEAP
8. Authenticator -> Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

End:
9. Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
10. Authenticator -> Supplicant: EAP Success
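The Access-Request of step 4, built and verified as an added Python example (this is not code from the deck): it wraps the supplicant's EAP-Response/Identity for Alice in the RADIUS attributes an authenticator sends and computes the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, then checks it the way the AAA server does. The shared secret "cisco", NAS address 10.100.10.4 and the MAC are taken from later slides; attribute layouts follow RFC 2865/3579; the function names are mine.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
SERVICE_TYPE_FRAMED, NAS_PORT_TYPE_ETHERNET = 2, 15

# EAP code and type (RFC 3748)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity exactly as the supplicant sends it inside EAPoL."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets must be split")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, radius_id: int, req_auth: bytes,
                         identity: str, calling_mac: str, nas_ip: str,
                         eap_packet: bytes) -> bytes:
    """What the authenticator sends to the AAA server to relay an EAP-Response."""
    attrs = (avp(USER_NAME, identity.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + avp(CALLING_STATION_ID, calling_mac.encode())
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + avp(EAP_MESSAGE, eap_packet)
             # zero placeholder; RFC 3579 mandates this attribute alongside EAP-Message
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = header + req_auth + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet, MA value zeroed
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest


def parse_attributes(packet: bytes):
    """Return ({type: [values]}, offset of the Message-Authenticator value or None)."""
    attrs, ma_offset, pos = {}, None, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            ma_offset = pos + 2
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs, ma_offset


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """The server-side check before any EAP-Message content is trusted."""
    _, ma_offset = parse_attributes(packet)
    if ma_offset is None:
        return False  # EAP-Message without Message-Authenticator is discarded (RFC 3579)
    received = packet[ma_offset:ma_offset + 16]
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet from one or more EAP-Message attributes."""
    attrs, _ = parse_attributes(packet)
    return b"".join(attrs.get(EAP_MESSAGE, []))


if __name__ == "__main__":
    secret = b"cisco"  # the key from the deck's radius-server host line
    eap = eap_identity_response(1, "Alice")
    req = build_access_request(secret, 7, os.urandom(16), "Alice",
                               "00-1E-4A-A9-00-A8", "10.100.10.4", eap)
    print(len(req), verify_message_authenticator(secret, req), extract_eap(req) == eap)
```

The Request Authenticator is random per request, so only the Message-Authenticator binds the EAP payload to the shared secret; a server that skips that check accepts spoofed EAP-Message content from anyone who can reach its RADIUS port.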

Page 7:

Choosing Credentials for 802.1X

Credential types and the back end that validates them (diagram): Username/Pwd (alice / c1sC0L1v) -> Directory; Certificate -> Certificate Authority; Token -> Token Server.

Deployment Best Practices

‒ Reuse Existing Credentials

‒ Understand the Limitations of Existing Systems

Common Types

‒ Passwords

‒ Certificates

‒ Tokens

Deciding Factors

‒ Security Policy

‒ Validation

‒ Distribution & Maintenance

Page 8:

Credentials May Have Systemic Limitations

Scenario: Alice (alice / c1sC0L1v), director of US Sales, gets no access in the London office.

Root Cause: Alice is not a member of mycorp.uk.

Possible Solutions To Multiple-Domain Issues:

1. Establish two-way trust between mycorp.com & mycorp.uk

2. Use a RADIUS proxy to send requests from *.mycorp.com (e.g. alice.mycorp.com) to the US ACS

3. Use certs with a global Enterprise CA (mycorp root CA) and don’t check AD

Page 9:

How To Submit Credentials

Mutual Authentication

• Server must validate client’s identity and vice versa

Security

• Client credentials cannot be snooped or cracked.

PEAP-MSCHAPv2 (credential in the diagram: host/alice-xp.mycorp.com / MachinePwd)

‒ Server Cert Authentication (client trusts the server CA): signed by trusted CA, belongs to allowed server

‒ Encrypted Tunnel

‒ Client Authentication inside the tunnel: known username, valid password

EAP-TLS

‒ Server Cert Authentication (client trusts the server CA): signed by trusted CA, belongs to allowed server

‒ Client Cert Authentication (server trusts the client CA): signed by trusted CA, additional checks

Page 10:

Users and Machines Can Have Credentials

Machine Authentication (e.g. host\XP2)

• Enables Devices To Access Network Prior To (or In the Absence of) User Login

• Enables Critical Device Traffic (DHCP, NFS, Machine GPO)

• Is Required In Managed Wired Environments

User Authentication (e.g. alice)

• Enables User-Based Access Control and Visibility

• If Enabled, Should Be In Addition To Device Authentication

Page 11:

Why You Must Enable Machine Auth In A Managed Environment

Windows boot and logon sequence (diagram). Components that depend on network connectivity: every step from obtaining a network address onward, which is why the port must already be authorized before any user logs in.

Machine Authentication phase:
1. Power On
2. Kernel Loading
3. Windows HAL Loading
4. Device Driver Loading
5. Obtain Network Address (Static, DHCP)
6. Determine Site and DC (DNS, LDAP)
7. Establish Secure Channel to AD (LDAP, SMB)
8. Kerberos Authentication (Machine Account)
9. Computer GPOs Loading (Async)
10. GPO based Startup Script Execution
11. Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
12. GINA (logon prompt)

User Authentication phase:
13. Kerberos Auth (User Account)
14. User GPOs Loading (Async)
15. GPO based Logon Script Execution (SMB)

Page 12:

Business Case & Security Policy Determines Whether You Need User Auth

Example 1: Call Center

‒ Objective: Differentiated Access for Agents

‒ Conditions: Shared Use PCs (desktop)

‒ Result: Machine + User

Example 2: Enterprise Campus

‒ Objective: Access for Corporate Assets Only

‒ Conditions: One Laptop = One User

‒ Result: Machine Only

Bonus Question: Could this customer enable password-based user authentication if they wanted to?

Page 13:

Understanding Your Supplicant is Essential

Best Practice: Make Friends With Your Desktop Team

Supplicant categories: Open Source, Hardware, Native, Premium

Massive Outage After OS Upgrade

• XP SP2: single service & profile for all 802.1X (wired/wireless)

• XP SP3/Vista/Win7: separate services and profiles for wired and wireless.

• wired service is disabled by default

• http://support.microsoft.com/kb/953650

Auth Fail VLAN Doesn’t Work

• Switch expects 3 failures by default

• XP SP3, Vista, Win7: 20 minute block timer on first EAP failure

• http://support.microsoft.com/kb/957931

• (config-if)#authentication event fail retry 0

Page 14:

Real Networks Can’t Live on 802.1X Alone

Default Access Control is Binary (diagram):

‒ 802.1X Passed: Employee with a supplicant (SSC) and good credentials

‒ Unauthenticated, all treated the same: Employee (bad credential), Guest, Managed Assets, Rogue

Page 15:

MAC Authentication Bypass (MAB): “Authentication” for Clientless Devices

Switch and RADIUS Server exchange (diagram):

1. IEEE 802.1X Timeout: the switch sends EAPoL: EAP Request-Identity three times and gets no response.

2. MAB: any packet from the device reveals its MAC (00.0a.95.7f.de.06); the switch sends RADIUS Access-Request [AVP: 00.0a.95.7f.de.06] and the server answers RADIUS Access-Accept.

How Are MACs “Authenticated”?

Page 16:

MAB is PAP…or you can optimize

(The RADIUS Access-Request carries what differentiates a MAB request from an 802.1X request.)

MAB as PAP

• works with any RADIUS server

• password = username

MAB as “Host Lookup”

• ACS/ISE optimization

• no need for fake passwords

Page 17:

IEEE 802.1X with MAB

‒ MAB enables differentiated access control (e.g. Contractor VLAN, Printer VLAN)

‒ MAB leverages centralized policy on the AAA server

‒ MAB requires a database of known MAC addresses (MAC Database reached from ACS via RADIUS or LDAP)

‒ Dependency on the IEEE 802.1X timeout -> delayed network access

• Default timeout is 30 seconds with three retries (90 seconds total)

• 90 seconds > DHCP timeout.

Page 18:

3 Options For MAB-Related Delays

Option 1: Change the Timeout

interface GigabitEthernet1/4
 dot1x max-reauth-req 2
 dot1x timeout tx-period 30

Time before MAB starts = (max-reauth-req + 1) * tx-period. Make it short enough to prevent timeouts, long enough to allow 802.1X devices to authenticate.

Option 2: “FlexAuth”

interface GigabitEthernet1/4
 authentication order mab dot1x
 authentication priority dot1x mab

With MAB first in the order, the first packet from the device will trigger MAB; if MAB fails, 802.1X runs next (802.1X -> MAB becomes MAB -> MAB Fails -> 802.1X). *Priority Matters! See www.cisco.com/go/ibns -> Whitepapers. Prepare for additional control plane traffic.

Option 3: Low Impact Deployment Scenario
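Options 1 and 2, worked as an added Python example (not the deck's code and not an IOS implementation): it reads the two dot1x timers and the authentication order out of an interface stanza, applies the slide's formula (max-reauth-req + 1) * tx-period, and flags when a clientless device would wait longer than a DHCP client keeps trying. The 60-second DHCP client timeout, the stanza and the function names are assumptions; the default order of dot1x before mab is the IOS default.

```python
import re

# Constructed interface stanza; the timer values are the IOS defaults the slide quotes.
SAMPLE_INTERFACE = """
interface GigabitEthernet1/4
 dot1x max-reauth-req 2
 dot1x timeout tx-period 30
 mab
 dot1x pae authenticator
"""

# IOS defaults: 30 s tx-period, 2 retransmits, order dot1x then mab, MAB off
DEFAULTS = {"tx_period": 30, "max_reauth_req": 2, "order": ["dot1x", "mab"], "mab": False}


def parse_interface(stanza: str) -> dict:
    """Extract the settings that decide when MAB starts (assumed minimal parser)."""
    s = dict(DEFAULTS, order=list(DEFAULTS["order"]))
    for line in stanza.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            s["tx_period"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            s["max_reauth_req"] = int(m.group(1))
        elif m := re.fullmatch(r"authentication order (.+)", line):
            s["order"] = m.group(1).split()
        elif line == "mab":
            s["mab"] = True
    return s


def dot1x_timeout(s: dict) -> int:
    """Seconds the switch waits for a supplicant before giving up (the slide's formula)."""
    return (s["max_reauth_req"] + 1) * s["tx_period"]


def mab_start_delay(s: dict):
    """Seconds until MAB is attempted for a device that never answers EAPoL; None if MAB is off."""
    if not s["mab"]:
        return None
    # FlexAuth: with mab first in the order, the device's first packet triggers MAB at once.
    if s["order"] and s["order"][0] == "mab":
        return 0
    return dot1x_timeout(s)


def assess(stanza: str, dhcp_client_timeout: int = 60) -> dict:
    """Compare the MAB delay with how long a DHCP client keeps trying (60 s is assumed)."""
    s = parse_interface(stanza)
    delay = mab_start_delay(s)
    return {
        "dot1x_timeout": dot1x_timeout(s),
        "mab_delay": delay,
        "dhcp_at_risk": delay is not None and delay > dhcp_client_timeout,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INTERFACE))
    print(assess(SAMPLE_INTERFACE + " authentication order mab dot1x\n"))
```

Shortening tx-period trades DHCP safety for supplicant patience: a supplicant that needs more than the new window to respond (a freshly booted machine loading drivers, say) now gets MAB instead of 802.1X, which is why the slide pairs the timer change with the order/priority option.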

Page 19:

MAC Databases: Device Discovery

Find It

• Leverage Existing Asset Database

• e.g. Purchasing Department, CUCM

Build It

• Bootstrap methods to gather data

• e.g. SNMP, Syslog, Accounting

Buy It

• Automated Device Discovery

• e.g. ISE

Page 20:

Building Your MAB Database: Export Phone MACs From CUCM

Page 21:

Building Your MAB Database: Wildcard Rules Based on MAC Prefixes

Example MAC: 00-04-0D-9D-BE-59, whose first three octets (00-04-0D) are the Organizationally Unique Identifier (OUI)

• Assigned by IEEE

• Identifies device vendor and possible device type

Page 22:

Building Your MAB Database: Profiling Tools Are Evolving

Diagram components: Profiler; RADIUS Access-Request; LDAP; ISE (ISE 1.1); RADIUS Accounting; IOS Sensor (15.0(1)SE1). The data sources SNMP, DHCP and MAC OUI appear twice: collected by the Profiler directly, and collected by the IOS Sensor on the switch.

Page 23:

To Fail or Not to Fail MAB? Two options for unknown MAC addresses

Option 1: MAB Fails; control of the session passes to the switch

RADIUS Access-Request (MAB) -> RADIUS Access-Reject

The switch then applies one of: 1) No Access 2) Switch-based Web-Auth 3) Guest VLAN

Option 2: MAC is Unknown but MAB “Passes”

RADIUS Access-Request (MAB) -> RADIUS Access-Accept (Guest Policy): Unknown MAC… Apply Guest Policy

• AAA server determines policy for unknown endpoints (e.g. network access levels, re-auth policy)

• Good for centralized control & visibility of guest policy (VLAN, ACL)
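The MAB lookup as the AAA server performs it, written as an added Python example (not the deck's, ACS's or ISE's code) covering the last few slides: MAC normalisation across the notations the deck uses (00.0a.95.7f.de.06, 00-04-0D-9D-BE-59), an exact-match table, OUI wildcard rules, the MAB-as-PAP check (password equals username), and the two options for an unknown MAC (reject, or accept with a guest policy). The policy names, the OUI-to-policy mapping and the class and function names are constructed assumptions.

```python
import re


def _hex(s: str) -> str:
    return re.sub(r"[^0-9A-Fa-f]", "", s).upper()


def normalize_mac(mac: str) -> str:
    """00.0a.95.7f.de.06, 00-04-0D-9D-BE-59, 000a.957f.de06 or 00:0a:... -> 00:0A:95:7F:DE:06."""
    h = _hex(mac)
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(prefix: str) -> str:
    """First three octets only, e.g. 00-04-0D -> 00:04:0D."""
    h = _hex(prefix)
    if len(h) != 6:
        raise ValueError(f"not an OUI: {prefix!r}")
    return ":".join(h[i:i + 2] for i in range(0, 6, 2))


def is_mab_as_pap(username: str, password: str) -> bool:
    """MAB-as-PAP: the switch sends the MAC as both User-Name and User-Password."""
    try:
        return normalize_mac(username) == normalize_mac(password)
    except ValueError:
        return False  # not a MAC at all, so it came from an 802.1X identity or a typo


class MabDatabase:
    """Exact MACs first, then OUI wildcard rules, then the unknown-MAC policy."""

    def __init__(self, known_macs: dict, oui_rules: dict, unknown_policy=None):
        self.known = {normalize_mac(m): p for m, p in known_macs.items()}
        self.oui_rules = {normalize_oui(o): p for o, p in oui_rules.items()}
        # None = option 1 (Access-Reject, switch decides); a policy = option 2 (accept as guest)
        self.unknown_policy = unknown_policy

    def authorize(self, mac: str):
        m = normalize_mac(mac)
        if m in self.known:
            return "Access-Accept", self.known[m], "exact"
        if m[:8] in self.oui_rules:
            return "Access-Accept", self.oui_rules[m[:8]], "oui"
        if self.unknown_policy is not None:
            return "Access-Accept", self.unknown_policy, "unknown"
        return "Access-Reject", None, "unknown"


# Constructed database: the MAC from the MAB slide and the OUI from the wildcard slide.
KNOWN_MACS = {"00.0a.95.7f.de.06": "printer-policy"}
OUI_RULES = {"00-04-0D": "phone-policy"}


if __name__ == "__main__":
    db = MabDatabase(KNOWN_MACS, OUI_RULES)
    for mac in ("00.0a.95.7f.de.06", "00-04-0D-9D-BE-59", "00-1E-4A-A9-00-A8"):
        print(mac, db.authorize(mac))
    print(MabDatabase(KNOWN_MACS, OUI_RULES, "guest-policy").authorize("00-1E-4A-A9-00-A8"))
```

An OUI rule authorizes every device a vendor ever shipped, so it should map to the least privilege that device class needs (a phone policy, not the data VLAN), and the exact table should take precedence so a specific entry can override the wildcard.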

Page 24:

Deployment Considerations: Authorization

Page 25:

Thinking About Authorization

Planning areas (diagram): Authentication, Authorization, Policy, Teamwork & Organization, Desktops, Multiple Endpoints, Confidentiality. The items called out for Authorization on this slide:

‒ Authorization: Pre-Auth, VLAN, ACL, Failed Auth, AAA down

‒ Multiple Endpoints: Phones, Link State, VMs, Desktop Switches

Page 26:

Authorization Options: Pre-Authentication (Default: Closed)

Open:
switch(config-if)#authentication open

Selectively Open:
switch(config-if)#authentication open
switch(config-if)#ip access-group PRE-AUTH in

Page 27:

Authorization Options: Passed Authentication (Default: Open)

Alternatives for an authenticated user such as Alice: Dynamic VLAN, Dynamic ACL

Page 28:

Authorization Options: Failed 802.1X (Default: Closed)

Auth-Fail VLAN:
switch(config-if)#authentication event fail action authorize vlan 50

Next-method*:
switch(config-if)#authentication event fail action next-method

*Final authorization determined by results of next method

Page 29:

Authorization Options: No Client (Default: Closed)

Guest VLAN:
switch(config-if)#authentication event no-response action authorize vlan 51

Next-method* (MAB):
switch(config-if)#mab

*Final authorization determined by results of next method

Page 30:

Authorization Options: AAA Server Dead (Default: Closed)

Critical VLAN:
switch(config-if)#authentication event server dead action authorize vlan 52

Page 31:

Authorization: Single MAC Filtering (Default: Single Host Mode)

‒ Multiple MACs not allowed, to ensure validity of the authenticated session

‒ Affected: Hubs, VMWare, Phones, Grat ARP…

‒ Applies in Open and Closed Mode

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto

Page 32:

Modifying Single-MAC Filtering For IP Phones: Multi-Domain Authentication (MDA) Host Mode

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain

‒ IEEE 802.1X single-host mode: single device per port

‒ MDA: single device per domain per port (Data Domain, Voice Domain)

‒ MDA replaces CDP Bypass

‒ Supports Cisco & 3rd Party Phones

‒ Phones and PCs use 802.1X or MAB

Page 33:

Modifying Single-MAC Filtering For Virtualized Endpoints: Multi-Authentication Host Mode

interface fastEthernet 3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-auth

‒ MAC-based enforcement for each device (e.g. each VM behind the port)

‒ 802.1X and/or MAB per device

Page 34:

Authorization Summary

Authentication Status           Default   Alternative 1     Alternative 2
Pre-802.1X / MAB                Closed    Open              Selectively Open
Successful 802.1X               Open      Dynamic VLAN      Dynamic ACL
Successful MAB                  Open      Dynamic VLAN      Dynamic ACL
Failed 802.1X                   Closed    Auth-Fail VLAN    Next Method
Failed MAB                      Closed    Guest VLAN        Next Method
No 802.1X (no client)           Closed    Guest VLAN        Next Method
No 802.1X, MAB (server down)    Closed    Critical VLAN

Host modes shown alongside the table: Single-host, Multi-Auth, Multi-Domain-Auth

Page 35:

Deployment Scenarios: Implementing Phased Deployments

Page 36:

Thinking About Deployment Scenarios

Planning areas (diagram) with their items:

‒ Authentication: Credentials, DBs, EAP, Supplicants, Agentless, Order/Priority

‒ Authorization: Pre-Auth, VLAN, ACL, Failed Auth, AAA down

‒ Desktops: Windows GPO, machine auth, PXE, WoL, VM

‒ Policy: Definition, Enforcement, Rollout

‒ Teamwork & Organization: Network, IT, Desktop

‒ Multiple Endpoints: Phones, Link State, VMs, Desktop Switches

‒ Confidentiality: Encryption

Page 37:

Three Deployment Scenarios

Monitor Mode

• Authentication Without Access Control

Low Impact Mode

• Minimal Impact to Network and Users

Closed Mode

• Logical Isolation

• Formerly “High Security”

Page 38:

Scenario 1: Monitor Mode Overview

Monitor Mode Goals

‒ No Impact to Existing Network Access

‒ See… what is on the network, who has a supplicant (SSC), who has good credentials, who has bad credentials

‒ Deterrence through accountability

Monitor Mode: How To

‒ Enable 802.1X & MAB

‒ Enable Open Access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except authentications still occur

‒ Enable Multi-Auth Host-Mode

‒ No Authorization

Page 39:

Monitor Mode: Switch

Switch Global Config (basic 802.1X/MAB):

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default group radius
radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
authentication mac-move permit

Switch Interface Config (Monitor Mode):

interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication violation restrict

Page 40:

Monitor Mode: AAA Server and Endpoints

AAA Server: should be fully configured except for authorization policy:

‒ Communication with AAA clients (i.e. switches)

‒ Communication with credential repository (e.g. AD, MAC Database)

‒ PKI (CA certs, server cert)

‒ EAP Configuration

‒ MAB Configuration

Endpoints: should be fully configured:

‒ PKI (CA certs, client cert) or other credentials

‒ Supplicants configured & installed everywhere supported

‒ Enable machine auth

‒ Enable user auth if needed

Page 41:

Monitor Mode: Next Steps

RADIUS Authentication & Accounting Logs tell you:

‒ Passed/failed 802.1X: Who has bad credentials? Misconfigurations?

‒ Passed/Failed MAB attempts: What don’t I know?

Monitor Mode Next Steps

‒ Improve Accuracy

‒ Evaluate Remaining Risk

‒ Leverage Information

‒ Prepare for Access Control

Page 42:

Information Pays For Itself: ROI Without Access Control

Sample RADIUS accounting record (Interim-Update) for one session:

RADIUS Attribute          Example Value
Acct-Status-Type(40)      Interim-Update
NAS-Port-Type(61)         Ethernet
NAS-Port-Id(87)           FastEthernet2/48
Called-Station-Id(30)     00-1F-6C-3E-56-8F
Calling-Station-Id(31)    00-1E-4A-A9-00-A8
Service-Type(6)           Framed-User
NAS-IP-Address(4)         10.100.10.4
Framed-IP-Address(8)      10.100.41.200
User-Name(1)              scadora
Acct-Session-Time(46)     27
Acct-Input-Octets(42)     2614
Acct-Output-Octets(43)    2469
Acct-Input-Packets(47)    7
Acct-Output-Packets(48)   18
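The attributes in the table above, parsed from accounting records into an endpoint inventory as an added Python example (not the deck's code): it reads records in the same Attribute(N) value form the slide uses, keys them by Calling-Station-Id (the endpoint MAC), and classifies each session as MAB or 802.1X by whether User-Name is the endpoint's own MAC, which is what MAB-as-PAP sends. The first record is the slide's; the second record, the 00-11-22-33-44-55 MAC and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample: two Interim-Update records, blank-line separated, in the slide's notation.
SAMPLE_RECORDS = """
Acct-Status-Type(40) Interim-Update
User-Name(1) scadora
Framed-IP-Address(8) 10.100.41.200
Calling-Station-Id(31) 00-1E-4A-A9-00-A8
Called-Station-Id(30) 00-1F-6C-3E-56-8F
NAS-IP-Address(4) 10.100.10.4
NAS-Port-Id(87) FastEthernet2/48
Acct-Session-Time(46) 27
Acct-Input-Octets(42) 2614
Acct-Output-Octets(43) 2469

Acct-Status-Type(40) Interim-Update
User-Name(1) 00-11-22-33-44-55
Framed-IP-Address(8) 10.100.41.77
Calling-Station-Id(31) 00-11-22-33-44-55
NAS-IP-Address(4) 10.100.10.4
NAS-Port-Id(87) FastEthernet2/12
Acct-Session-Time(46) 400
Acct-Input-Octets(42) 10
Acct-Output-Octets(43) 20
"""

ATTR_LINE = re.compile(r"^([A-Za-z-]+)\((\d+)\)\s+(.+)$")


def parse_records(text: str) -> list:
    """Split the text into records and each record into {attribute name: value}."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised accounting line: {line!r}")
        current[m.group(1)] = m.group(3)
    if current:
        records.append(current)
    return records


def auth_method(record: dict) -> str:
    """MAB sends the MAC as User-Name (MAB-as-PAP); anything else came from an 802.1X identity."""
    strip = lambda s: re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    user, mac = record.get("User-Name", ""), record.get("Calling-Station-Id", "")
    return "MAB" if mac and strip(user) == strip(mac) else "802.1X"


def build_inventory(records: list) -> dict:
    """One entry per endpoint MAC: who, where, how it authenticated, how much it sent."""
    inventory = {}
    for r in records:
        mac = r["Calling-Station-Id"]
        inventory[mac] = {
            "user": r.get("User-Name"),
            "ip": r.get("Framed-IP-Address"),
            "switch": r.get("NAS-IP-Address"),
            "port": r.get("NAS-Port-Id"),
            "method": auth_method(r),
            "bytes": int(r.get("Acct-Input-Octets", 0)) + int(r.get("Acct-Output-Octets", 0)),
        }
    return inventory


def summarize(inventory: dict) -> dict:
    """Counts per authentication method: the 'who has a supplicant' question from Monitor Mode."""
    return dict(Counter(e["method"] for e in inventory.values()))


if __name__ == "__main__":
    inv = build_inventory(parse_records(SAMPLE_RECORDS))
    for mac, entry in inv.items():
        print(mac, entry)
    print(summarize(inv))
```

Because accounting runs even in Monitor Mode, this inventory exists before any access control is switched on; the MAB entries are exactly the devices that will need a MAC database entry or a supplicant before moving to Low Impact Mode.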

Page 43:

Preparing for Access Control: Fix 802.1X

Observed Failures:

‒ Root cause: untrusted or self-signed cert on AAA server

‒ Fix: Import server cert signed by enterprise CA

Helpful supplicant (reports the cause): SSC/AC3.0/Win7

Not as helpful: XP SP2

Page 44:

Preparing for Access Control: Learn MACs

Diagram: Observed Failure -> Fix, with the learned MACs kept in MAC.CSV

Page 45:

Monitor Mode In a Nutshell

Summary

• Authentication without Authorization

Benefits

• Extensive Network Visibility

• No Impact to Endpoints or Network

Limitations

• No Access Control

Next Steps

• Monitor the Network

• Evaluate Remaining Risk

• Prepare for Access Control

Page 46:

Scenario 2: Low Impact Mode

Low Impact Mode Goals

‒ Begin to control/differentiate network access

‒ Minimize Impact to Existing Network Access

‒ Retain Visibility of Monitor Mode

‒ “Low Impact” == no need to re-architect your network: keep existing VLAN design, minimize LAN changes

Low Impact Mode: How To

‒ Start from Monitor Mode

‒ Add ACLs, dACLs and flex-auth

‒ Limit number of devices connecting to port

‒ Add new features to support IP Phones

Page 47:

Low Impact Mode: Switch

Pre-Authentication Port Authorization State: block general access until successful 802.1X, MAB or WebAuth; pinhole explicit tcp/udp ports to allow desired access.

Switch Global Config (add to Monitor Mode):

ip device-tracking

Switch Interface Config (from Monitor Mode, with the additions for Low Impact):

interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 authentication violation restrict

Page 48:

Pre-Auth ACL Considerations

Pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network

Recommendations: use least restrictive ACL that you can; time-sensitive traffic is a good candidate for ACL.

Approach 1: Selectively block traffic

Selectively protect certain assets/subnets

Low risk of inadvertently blocking wanted traffic

Example: Block unauthenticated users from Finance servers

Approach 2: Selectively allow traffic

More secure, better control

May block wanted traffic

Example: Only allow pre-auth access for PXE devices to boot

Page 49:

Low Impact Mode: AAA Server

Configure downloadable ACLs for authenticated users; the switch dynamically substitutes the endpoint’s address.

Pre-Auth ACL (applied to the endpoint with a supplicant/SSC before it authenticates):

permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp

• Contents of dACL are arbitrary.

• Can have as many unique dACLs as there are user permission groups

• Same principles as pre-auth port ACL

Page 50:

Example: Using Low Impact Mode to bootstrap a new phone

• Pre-auth ACL allows just enough access for config, CTL

• New config enables 802.1X on phone

• After 802.1X, phone has full access

Pre-Auth ACL (TFTP server at 10.100.10.238):

permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
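The pre-auth ACLs on this and the previous slide, and the dACL source substitution the previous slide mentions, worked as an added Python example (not the deck's or IOS's code): a matcher for the any/host address forms these ACLs use (wildcard masks and other keywords are deliberately unsupported and raise), an evaluator with the implicit deny at the end, and the replacement of the dACL source "any" with the authenticated host. The sample flows and the endpoint address 10.100.60.50 are constructed.

```python
# Pre-auth ACL from the Low Impact Mode AAA-server slide (the addresses are the deck's examples)
PRE_AUTH_ACL = """
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
"""

# IOS port-name keywords used on the slides (assumed subset)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> dict:
    """Parse one extended-ACL entry: <action> <proto> <src> <dst> [eq P | range A B] [established]."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1], "src": None, "dst": None,
           "ports": None, "established": False}
    pos = 2
    for side in ("src", "dst"):  # None means 'any'
        if toks[pos] == "any":
            pos += 1
        elif toks[pos] == "host":
            ace[side] = toks[pos + 1]
            pos += 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
    while pos < len(toks):
        if toks[pos] == "eq":
            ace["ports"] = (_port(toks[pos + 1]), _port(toks[pos + 1]))
            pos += 2
        elif toks[pos] == "range":
            ace["ports"] = (_port(toks[pos + 1]), _port(toks[pos + 2]))
            pos += 3
        elif toks[pos] == "established":
            ace["established"] = True  # matches only TCP segments with ACK or RST set
            pos += 1
        else:
            raise ValueError(f"unsupported keyword {toks[pos]!r} in: {line}")
    return ace


def ace_matches(ace: dict, flow: dict) -> bool:
    """flow: proto, src, dst, dport and an optional 'established' flag for TCP."""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != flow["src"]:
        return False
    if ace["dst"] is not None and ace["dst"] != flow["dst"]:
        return False
    if ace["ports"] is not None and not ace["ports"][0] <= flow["dport"] <= ace["ports"][1]:
        return False
    if ace["established"] and not flow.get("established", False):
        return False
    return True


def evaluate(acl_text: str, flow: dict) -> str:
    """First matching entry wins; anything that matches nothing hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"


def render_dacl(dacl_text: str, endpoint_ip: str) -> list:
    """Mimic the switch replacing a dACL source of 'any' with the authenticated host."""
    rendered = []
    for line in dacl_text.strip().splitlines():
        toks = line.split()
        if toks[2] == "any":
            toks[2:3] = ["host", endpoint_ip]
        rendered.append(" ".join(toks))
    return rendered


if __name__ == "__main__":
    dhcp = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
    smb = {"proto": "tcp", "src": "10.100.60.50", "dst": "10.100.50.10", "dport": 445}
    print(evaluate(PRE_AUTH_ACL, dhcp), evaluate(PRE_AUTH_ACL, smb))
    print(render_dacl("permit tcp any any established", "10.100.60.50"))
```

Running the candidate pre-auth ACL against the flows you expect during boot (DHCP, DNS, TFTP, PXE) is a cheap way to apply the slide's advice of using the least restrictive ACL you can without discovering a blocked flow on the help desk.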

Page 51:

Dynamic ACL Types for Authentication

ACL: Downloadable ACL
‒ Configuration: On ACS; Centralized
‒ Notes: No size limitation*; Requires ACS
‒ 802.1X/MAB: 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
‒ Web-Auth: 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI

ACL: Per-User
‒ Configuration: On AAA server; Centralized
‒ Notes: Length limited to RADIUS packet size*; Supports 3rd party AAA servers
‒ 802.1X/MAB: 3K: 12.2(50)SE; 4K: 12.2(52)SG; 6K: 12.2(33)SXI3
‒ Web-Auth: Not Supported

ACL: Filter-id
‒ Configuration: ACL name on AAA server; ACL contents on switch; Distributed
‒ Notes: No size limitation*; Supports 3rd party AAA servers
‒ 802.1X/MAB: 3K: 12.2(50)SE; 4K: 12.2(52)SG; 6K: 12.2(33)SXI3
‒ Web-Auth: 3K: 12.2(50)SE; 4K: Not Supported; 6K: Not Supported

ACL: Proxy
‒ Configuration: On AAA server; Centralized
‒ Notes: Web-Auth only; Length limited to RADIUS packet size*; Supports 3rd party AAA servers
‒ 802.1X/MAB: Not Supported
‒ Web-Auth: 3K: 12.2(35)SE; 4K: 12.2(50)SG; 6K: Not supported

*Size refers to defined length of ACL. TCAM limits on switch still apply.

Page 52:

For wired deployments, use downloadable ACLs

For wired and wireless, and if no ACS/ISE or no

WebAuth, use Filter-ID ACLs (distributed)

If no ACS/ISE or no Webauth, use per-user ACLs

(centralized)

Try to avoid WebAuth Proxy ACLs

ACL Rules of Thumb

60

Page 53

Handling dACLs without PACLs

Before 12.2(54)SG and 12.2(55)SE: a switch that receives a dACL for a port without a PACL will fail authorization.

  %AUTHMGR-5-FAIL

After 12.2(54)SG and 12.2(55)SE: the switch will automatically attach a default PACL called "Auth-Default-ACL" and then apply the dACL (dACL-n).

  %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL

Tip: use this for a graceful transition from Monitor Mode.

Page 54

Reduce dynamic ACL configuration: the "open directive"

  Switch(config)#epm access-control open

Default behavior:
• If no dynamic ACL is downloaded, the Pre-Auth Port ACL controls the port.
• Every endpoint must therefore be assigned a dynamic ACL.

With the open directive configured (12.2(54)SG, 12.2(55)SE):
• If the RADIUS server returns a dynamic ACL, the dynamic ACL is applied.
• If no dynamic ACL is returned, the switch automatically creates a "permit ip host <host> any" entry for the authenticated host, giving it full access (the equivalent of permit ip any any for that host).

Example Pre-Auth Port ACL on the port:

  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp

Page 55

Low Impact: Failed Authentication

Reminder: devices that fail 802.1X will have restricted access (Pre-Auth ACL).
Question: is that sufficient access?
Alternative: configure a failback authentication method (e.g. MAB) with an appropriate authorization policy.

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication event fail action next-method
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator

(Figure: an SSC client whose certificate has expired fails 802.1X and "can't get to the IT website" under the Pre-Auth ACL; with the fallback configured, MAB passes and HTTP is now allowed, even though the cert is still expired.)

Page 56

Low Impact: Tune the Host Mode

Reminder: with Multi-Auth, multiple devices are allowed per port.
Suggestion: in Low Impact mode, transition to Multi-Domain (for IP Telephony) or Single-Host (non-IPT).

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication host-mode multi-domain
   authentication open
   authentication event fail action next-method
   authentication port-control auto
   mab
   dot1x pae authenticator

Page 57

Low Impact In a Nutshell

Summary
• Default open + pre-auth ACL
• Differentiated access control using dynamic ACLs

Benefits & Limitations
• Minimal impact to endpoints
• Minimal impact to network
• No L2 isolation
• Some access prior to authentication

Recommendations
• Start with the least restrictive port ACLs
• Use downloadable ACLs if you have ACS
• Use the Open Directive to reduce dACL config

Page 58

Scenario 3: Closed Mode

Closed Mode Goals
• No access before authentication
• Rapid access for non-802.1X-capable corporate assets
• Logical isolation of traffic at the access edge (Network Virtualization solution; see BRKRST-2033 for more on Network Virtualization)

Closed: How To
• Return to default "closed" access
• Timers or authentication order change
• Implement identity-based VLAN assignment

Page 59

Closed Mode: Switch

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   no authentication open
   authentication event fail action authorize vlan 63
   authentication event no-response action authorize vlan 63
   authentication event server dead action authorize vlan 63
   authentication port-control auto
   mab
   dot1x pae authenticator
   dot1x timer tx-period 10

Switch Global Config (add to the Monitor Mode config):

  aaa authorization network default group radius

  vlan 60
   name data
  vlan 61
   name voice
  vlan 62
   name video
  vlan 63
   name fail-guest-critical

VLAN 63 serves as the Auth-Fail VLAN, the Guest VLAN* and the Critical VLAN.
*The Guest VLAN is not needed if the AAA server has an Unknown MAC policy.

Beware tx-period in Closed Mode: an endpoint without a supplicant has no access at all until the 802.1X timeout expires and the switch falls back to MAB.

Page 60

Closed Mode: AAA Server

• If no VLAN is sent, the switch will use the static switchport VLAN.
• Configure dynamic VLANs for any user that should be in a different VLAN.

Page 61

Dynamic VLANs Impact Your Network

VLAN             | Subnet        | Routed interface
VLAN 10: DATA    | 10.10.10.x/24 | G0/1
VLAN 20: VOICE   | 10.10.20.x/24 | G0/2
VLAN 30: MACHINE | 10.10.30.x/24 | G0/3
VLAN 40: ENG     | 10.10.40.x/24 | G0/4
VLAN 50: UNAUTH  | 10.10.50.x/24 | G0/5

• More VLANs to trunk (multi-layer deployments)
• More subnets to route
• Every assignable VLAN must be defined on every access switch

Best Practice: use the fewest possible number of VLANs.

Page 62

Dynamic VLANs Can Impact Endpoints

Non-802.1X Endpoints
• Unaware of VLAN changes; no mechanism to change IP address
• Best Practice: dynamic VLAN in Closed Mode only

Older 802.1X Endpoints (e.g. Windows XP)
• Supplicants can renew the IP address on VLAN change, but the OS and underlying processes may not handle the IP address change gracefully
• Best Practice: use the same VLAN for User and Machine Authentication (Windows)

Newer 802.1X Endpoints (e.g. Windows Vista, 7)
• Supplicant and OS can handle VLAN/IP address changes
• Best Practice: use the VLAN policy that best matches your security policy

Page 63

802.1X, Dynamic VLANs, and WoL

802.1X + WoL challenge:
• Device flaps link when sleeping
• 802.1X session cleared
• No network access (closed mode)
• WoL packet can't get through

Unidirectional access control (only ingress is controlled, so the switch can still send the WoL packet out of the unauthorized port):

  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication control-direction in

802.1X + WoL + dynamic VLAN:
• Devices flap link when they sleep
• 802.1X session cleared
• VLAN reverts to the access VLAN
• WoL packet goes to the dVLAN subnet, where the device no longer is

Dynamic VLAN + WoL solutions:
• Don't assign VLANs to WoL devices
• Use Low Impact Mode
• Use a hardware (Intel AMT) supplicant

Page 64

Avoid VLAN Name Changes with User Distribution

Traditional VLAN assignment is by VLAN name: an Access-Accept with VLAN "corporate" matches vlan 30 on switch1, but on switch2 the same VLAN is numbered 31 and named corporate-2, so the name would have to change.

User Distribution assigns by VLAN group (or name), so switch2 only needs a group that maps the name onto its local VLAN:

  switch1:
  vlan 30
   name corporate

  switch2:
  vlan 31
   name corporate-2
  vlan group corporate vlan-list 31

• Allows flexible adaptation in existing environments
• No need to reconfigure existing VLANs
• Also enables load balancing

Page 65

Limited Dynamic VLAN Assignment Now Available for Multi-Auth

(12.2(55)SE, 15.0(2)SG, 12.2(33)SXJ)

• The first successful authentication "locks" the Data VLAN (e.g. an Access-Accept with VLAN: BLUE)
• Subsequent endpoints on the port (e.g. a VM behind the host) must be assigned the same VLAN or no VLAN

Page 66

Critical VLAN Now Supported With Multi-Auth

(12.2(52)SE, 15.0(2)SG, 12.2(33)SXJ1)

  switch(config-if)#authentication event server dead action authorize vlan 52
  switch(config-if)#authentication event server dead action reinitialize vlan 52

VLAN 52 is the Critical VLAN. "authorize" places new sessions into the critical VLAN while the server is dead; "reinitialize" also moves the already-authorized sessions on the port into it.

Page 67

Phones Rely on the RADIUS Server

With the server reachable, MAB for phone MAC 00.18.ba.c7.bc.ee:

  RADIUS Access-Request: 00.18.ba.c7.bc.ee
  RADIUS Access-Accept: device-traffic-class=voice
  -> Voice VLAN enabled. "Only the VSA can save the phone!"

With the server dead and plain critical authorization:

  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication event server dead action authorize

  -> Only the Data VLAN is enabled for 00.18.ba.c7.bc.ee; no VSA is received, so this does not save phones.

Page 68

Critical Voice VLAN Saves Phones When the AAA Server Dies

(15.0(1)SE, 15.0(2)SG, 12.2(33)SXJ1)

  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication event server dead action authorize
   authentication event server dead action authorize voice

  -> Data VLAN and Voice VLAN enabled for 00.18.ba.c7.bc.ee

  #show authentication session int f3/48
  Critical Authorization is in effect for domain(s) DATA and VOICE

Page 69

Extending the Network Edge

Hubs on an 802.1X network:
• introduce multiple MACs per port
• may not actually be hubs
• are not managed devices

Ideally, the extended edge:
• extends trust and policy
• uses a managed device
• works on any access port

Page 70

Network Edge Authentication Topology (NEAT)

1) The NEAT-capable Supplicant Switch (SSw) authenticates itself to the Authenticator Switch (ASw):
     EAP-Response: SSw
     RADIUS Access-Request [AVP: EAP-Response: SSw]
     RADIUS Access-Accept [device-traffic-class=switch]
2) ASw converts the port to a trunk.
3) SSw authenticates users and devices in the conference room:
     EAP-Response: Alice
     RADIUS Access-Request [AVP: EAP-Response: Alice]
     RADIUS Access-Accept [VLAN Yellow]
4) ASw learns the authenticated MACs via the Client Information Signaling Protocol (CISP): "Allow Alice's MAC".

Page 71

Closed In a Nutshell

Summary
• Default closed
• Differentiated access control using dynamic VLANs

Benefits & Limitations
• Logical isolation at L2
• No access for unauthorized endpoints
• Impact to network
• Impact to endpoints

Recommendations
• Use the fewest VLANs possible
• Know which devices can't change VLANs
• User Distribution helps with VLAN names
• Enable the Critical Voice VLAN
• Consider NEAT as needed

Page 72

Troubleshooting

• Failed Authorizations
• Failed Authentications
• Timeout-related Issues
• Server-dead Issues
• IP Telephony Issues

Page 73

Troubleshooting In Perspective

Enterprise customer: 70,000 endpoints, Windows native supplicant, PEAP-MSCHAPv2.

Additional support staff: < 5 hours / week.
"The typical user is unaware of the 802.1X implementation."

Page 74

Troubleshooting Methodology

• Develop & document a methodology
• Be aware of role dependencies
• Start where info density is highest
• A good AAA server can diagnose most failed authentications
• The switch (CLI, SNMP, syslog) helps with failed authorizations and current port status
• Client-side info is sometimes helpful
• Sniffer traces are often definitive

Client-side logs:

  Cisco Secure Services Client (SSC):
    C:\Documents And Settings\All Users\Application Data\Cisco\Cisco Secure Services Client
    C:\ProgramData\Cisco\Cisco Secure Services Client

  Microsoft native supplicant:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    %systemroot%\tracing\EAPoL.log

Page 75

802.1X Passed Authentication: Expected

(Flowchart: authentication process on the left, final port status on the right.)

Start 802.1X -> 802.1X Pass
• AAA-based authorization? N -> static port config: switchport VLAN + port ACL (if any)
• Switch configured for authorization? N -> static port config
• Received dACL? Y -> port ACL defined on switch? Y -> port ACL + dACL (Low Impact Mode)
• Received dynamic VLAN? Y -> VLAN defined on switch? Y -> dynamic VLAN (Closed Mode)
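The flowchart above is a decision the authenticator makes from the attributes in the Access-Accept plus its own configuration. The block below is an added example, not code from the deck or from any Cisco product: it parses the authorization attributes a RADIUS Access-Accept can carry (Filter-Id, the RFC 2868 tunnel attributes used for dynamic VLAN, and Cisco cisco-av-pair VSAs, including the device-traffic-class=voice VSA the IP-phone flows later on this page depend on) and walks the flow to a final port status. The Access-Accept bodies and the switch descriptions are constructed for the example; the dACL naming prefix is the one ACS uses, as reflected in the EPM syslog shown later on this page.

```python
import struct

# RFC 2865 / RFC 2868 attribute types used for switch authorization
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # cisco-av-pair sub-attribute
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="   # how ACS names a dACL


def attr(atype: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying a single cisco-av-pair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_authz(body: bytes) -> dict:
    """Pull out what the authenticator acts on: dACL name, VLAN, voice VSA."""
    out = {"dacl": None, "filter_id": None, "vlan": None, "voice": False}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length at offset %d" % i)
        val = body[i + 2:i + alen]
        if atype == ATTR_FILTER_ID:
            out["filter_id"] = val.decode()
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte of 0x00..0x1F is a tag, not the name
            if val and val[0] <= 0x1F:
                val = val[1:]
            out["vlan"] = val.decode()
        elif (atype == ATTR_VENDOR_SPECIFIC and len(val) >= 4
              and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID):
            sub, j = val[4:], 0
            while j + 2 <= len(sub):
                stype, slen = sub[j], sub[j + 1]
                if slen < 2 or j + slen > len(sub):
                    raise ValueError("bad VSA sub-attribute")
                if stype == CISCO_AVPAIR:
                    pair = sub[j + 2:j + slen].decode()
                    if pair.startswith(DACL_PREFIX):
                        out["dacl"] = pair[len(DACL_PREFIX):]
                    elif pair == "device-traffic-class=voice":
                        out["voice"] = True
                j += slen
        i += alen
    return out


def final_port_status(authz: dict, switch: dict) -> str:
    """Walk the 'passed authentication' flowchart.
    switch keys: aaa_authz ('aaa authorization network default group radius'
    present), port_acl ('ip access-group ... in' on the port), auth_default_acl
    (12.2(54)SG / 12.2(55)SE Auth-Default-ACL enhancement), vlans (names
    defined on the switch)."""
    static = "static port config: switchport VLAN + port ACL (if any)"
    if not switch["aaa_authz"]:
        return static                           # Authorization Problem 1: no syslog
    parts = []
    if authz["dacl"]:
        if not (switch["port_acl"] or switch["auth_default_acl"]):
            return "authz fail: quiet period"   # Problem 2: interface ACL missing
        base = "port ACL" if switch["port_acl"] else "Auth-Default-ACL"
        parts.append("%s + dACL %s" % (base, authz["dacl"]))
    if authz["vlan"]:
        if authz["vlan"] not in switch["vlans"]:
            return "authz fail: quiet period"   # Problem 3: ERR_VLAN_NOT_FOUND
        parts.append("dynamic VLAN %s" % authz["vlan"])
    if authz["voice"]:
        parts.append("voice VLAN")              # device-traffic-class=voice (MDA)
    return ", ".join(parts) or static


# Constructed Access-Accept bodies (attributes only; no RADIUS header)
EMPLOYEE_ACCEPT = cisco_avpair(DACL_PREFIX + "#ACSACL#-IP-PERMIT-ANY-4999ced8")
ENGINEER_ACCEPT = (attr(ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d")          # 13 = VLAN
                   + attr(ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")  # 6 = 802
                   + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00Employee"))
PHONE_ACCEPT = cisco_avpair("device-traffic-class=voice")

# Constructed switch descriptions standing in for the interface/global config
LOW_IMPACT_SWITCH = {"aaa_authz": True, "port_acl": True,
                     "auth_default_acl": False, "vlans": {"data", "voice"}}
CLOSED_SWITCH = {"aaa_authz": True, "port_acl": False, "auth_default_acl": False,
                 "vlans": {"data", "voice", "fail-guest-critical"}}

if __name__ == "__main__":
    for name, body, sw in [("employee", EMPLOYEE_ACCEPT, LOW_IMPACT_SWITCH),
                           ("engineer", ENGINEER_ACCEPT, CLOSED_SWITCH),
                           ("phone", PHONE_ACCEPT, CLOSED_SWITCH)]:
        print(name, "->", final_port_status(parse_authz(body), sw))
```

The "engineer" case lands in the quiet period because VLAN Employee is not defined on CLOSED_SWITCH, which is exactly Authorization Problem 3 on a later slide; add "Employee" to the switch's VLAN set and the same Access-Accept yields a dynamic VLAN.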

Page 76

802.1X Passed Authentication Problems: Dynamic Authorization Not Enabled

(Flowchart) Start 802.1X -> 802.1X Pass -> AAA-based authorization? Y -> switch configured for authorization? N -> static port config: switchport VLAN + port ACL (if any)

Page 77

Authorization Problem 1: Configuration

Detection: difficult to detect (no indication that 802.1X is to blame)
Root Cause: incomplete switch config
Resolution: (config)# aaa authorization network default group radius

End User
• Access: default port config
• "I don't have enough access" or "I have too much access"

AAA Server
• Authentication passed

Access Switch
• Port is authorized but without dynamic VLAN or dACL
• No syslog: this is not an error

Page 78

802.1X Passed Authentication Problems: ACL Not Configured

(Flowchart) Start 802.1X -> 802.1X Pass -> AAA-based authorization? Y -> switch configured for authorization? Y -> received dACL? Y -> port ACL defined on switch? N -> ACL enhancement (Auth-Default-ACL)? N -> Authz Fail: Quiet Period

Page 79

Authorization Problem 2: Authentication Passed but ACL Authorization Failed

Detection: repeating successful authentications, switch syslogs, absence of accounting
Root Cause: incorrect switch config, pre-12.2(54)SG
Resolution: (config-if)# ip access-group PRE-AUTH in

End User
• Pre-Authentication access only

AAA Server
• Authentication passed

Access Switch
• %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
• %AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
• With "epm logging" configured:
  %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured

Page 80

802.1X Passed Authentication Problems: Bad VLAN Assignment

(Flowchart) Start 802.1X -> 802.1X Pass -> AAA-based authorization? Y -> switch configured for authorization? Y -> received dACL? N -> received dynamic VLAN (or VLAN group)? Y -> VLAN defined on switch? N -> Authz Fail: Quiet Period

Page 81

Authorization Problem 3: Authentication Passed but VLAN Authorization Failed

Detection: repeating successful authentications, switch syslogs, absence of accounting
Root Cause: incorrect switch config (the assigned VLAN name does not exist on the switch)
Resolution: (config-vlan)# name Employee

End User
• Pre-Authentication access only

AAA Server
• Authentication passed

Access Switch
• %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
• %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/13
• %AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
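Authorization Problems 2 and 3 share a signature: a 'success' result followed by %AUTHMGR-5-FAIL for the same client, with the root cause in a different message (EPM for the dACL case, DOT1X_SWITCH for the VLAN case). The block below is an added example, not from the deck, of the correlation a syslog collector would do. The log lines are constructed to match the formats quoted on the two slides; the interface-name normalisation is needed because the VLAN message spells out "GigabitEthernet" while the AUTHMGR messages use "Gi".

```python
import re
from collections import Counter

# Constructed sample, formatted like the switch messages quoted on the slides
SAMPLE_SYSLOG = """\
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0021.7062.1a5e) on Interface Gi1/14
%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/14
%AUTHMGR-5-FAIL: Authorization failed for client (0021.7062.1a5e) on Interface Gi1/14
%AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0050.56b1.0a03) on Interface Gi1/15
"""

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(\w+)' from '(\w+)' "
    r"for client \(([0-9a-f.]+)\) on Interface (\S+)")
AUTHZ_FAIL_RE = re.compile(
    r"%AUTHMGR-5-FAIL: Authorization failed for client \(([0-9a-f.]+)\) on Interface (\S+)")
EPM_FAIL_RE = re.compile(
    r"%EPM-4-POLICY_APP_FAILURE:.*MAC=([0-9a-f.]+).*POLICY_NAME=(\S+).*REASON=(.*)$")
VLAN_RE = re.compile(
    r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown "
    r"VLAN (\S+) to 802\.1x port (\S+)")


def short_ifname(name: str) -> str:
    """'GigabitEthernet1/14' -> 'Gi1/14' so DOT1X lines match AUTHMGR lines."""
    return name.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")


def classify_authz_failures(lines):
    """One finding per %AUTHMGR-5-FAIL. The root cause is taken from the EPM
    (dACL) or DOT1X_SWITCH (VLAN) message that preceded it for the same MAC
    or interface; without 'epm logging' the dACL case carries no detail."""
    pending, findings = {}, []
    for line in lines:
        m = EPM_FAIL_RE.search(line)
        if m:
            mac, policy, reason = m.groups()
            pending[("mac", mac)] = ("dACL authorization failed",
                                     "%s: %s" % (policy, reason.strip()))
            continue
        m = VLAN_RE.search(line)
        if m:
            vlan, iface = m.groups()
            pending[("if", short_ifname(iface))] = (
                "VLAN authorization failed", "VLAN %s not defined or shut down" % vlan)
            continue
        m = AUTHZ_FAIL_RE.search(line)
        if m:
            mac, iface = m.groups()
            problem, detail = (pending.pop(("mac", mac), None)
                               or pending.pop(("if", iface), None)
                               or ("authorization failed",
                                   "no detail; enable 'epm logging' on the switch"))
            findings.append({"mac": mac, "interface": iface,
                             "problem": problem, "detail": detail})
    return findings


def repeated_successes(lines, threshold=2):
    """MACs that keep passing authentication: the 'repeating successful
    authentications' symptom of a port cycling through the quiet period."""
    counts = Counter()
    for line in lines:
        m = RESULT_RE.search(line)
        if m and m.group(1) == "success":
            counts[m.group(3)] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for finding in classify_authz_failures(lines):
        print(finding)
    print("repeating:", repeated_successes(lines))
```

Pair the findings with the absence of RADIUS accounting for the same MAC, as the slides suggest, and the three authorization problems become distinguishable without touching the switch.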

Page 82

Syslog Collector Can Help Here!

Page 83

When Syslogs Are Too Much of a Good Thing

Embedded Syslog Manager (ESM)
• Device-level syslog filtering & programmable framework
• Limited platform support

Syslog suppression CLI
• #no [authentication | dot1x | mab] logging verbose
• Limited filtering

Filter by severity
• #logging trap 5
• Filters all syslogs (not just authentication syslogs)

Page 84

802.1X Failed Authentication Flow

(Flowchart; outcomes marked for Closed Mode and Low Impact Mode.)

Start 802.1X -> 802.1X Fail, then:
• Event fail action configured? If an Auth-Fail VLAN is configured -> Auth-Fail VLAN (1,4)
• Next-method: MAB pass? Y -> AAA-based authorization (2,3,4)
• Web-Auth configured? Valid username/password? Valid dACL & priv-lvl=15? Y -> dACL + fallback ACL (2,4); N -> fallback ACL (2)
• No fallback succeeds -> Pre-Auth Access (2)
• > Max attempts? Quiet period expires, or restart timer configured and expires -> Start 802.1X again

1 Subject to change on receipt of EAPoL-Logoff
2 All subsequent EAP traffic will be dropped until reauth or link down
3 See the 802.1X Passed Flowchart for details
4 May be impacted by supplicant behavior

Page 85

802.1X Failed Authentication Overview

Detection: end user, AAA records, switch syslogs
Root Cause: EAP negotiation or credential issue
Resolution: depends on root cause

End User
• Pre-Authentication access only

AAA Server
• Best source of info for 802.1X failures
• Start troubleshooting here!

Access Switch
• *Mar 5 11:31:41: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13

Page 86

802.1X Failures: Incompatible EAP Methods

Applies to: all 802.1X authentications

Examples:
• Error: supplicant configured for PEAP, AAA for EAP-TLS
• Error: supplicant configured for PEAP-MSCHAPv2, AAA for PEAP-GTC
  12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in the Allowed Protocols

Resolution: configure at least one common EAP method (inner & outer) on ACS and the supplicant.

Bonus question: why is there a passed auth record after the failure?

Page 87

802.1X Credential Failures: Passwords

Applies to: password-based EAP methods (PEAP-MSCHAPv2, MD5, EAP-FAST)

Examples (AAA log):
• Error: unknown user
• Error: known user, bad password
• Error: known user, password expired

Bonus question: why is there a passed auth record after this failure?

Page 88

802.1X Credential Failures: Server Certs

Applies to: EAP methods that use a server-side TLS tunnel, e.g. EAP-TLS, PEAP

Typical error messages:
  12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  11514 Unexpectedly received empty TLS message; treating as a rejection by the client

(Figure: the supplicant checks the server certificate against its CA trust; on failure it sends EAP-Response TLS-Alert: "Unknown CA".)

• Helpful supplicants (SSC / AnyConnect 3.0 / Win7) send TLS alerts.
• Helpful AAA servers (ACS/ISE) reflect the alert in their logs.
• Less helpful supplicants (XP SP2) send bad TLS messages.
• Helpful AAA servers (ISE) display possible reasons.

Windows tip: if unchecking the server-certificate validation box in the supplicant helps, the supplicant doesn't trust the server cert! (Diagnostic only; re-enable validation, since without it the client will hand its credentials to any RADIUS server.)

Most common root causes:
• AAA server cert is self-signed
• AAA server cert signed by a CA chain that the client doesn't trust
• AAA server cert disallowed by the client's trusted server rules
• AAA server cert expired
• AAA server cert lacks the Server Auth EKU

Page 89

802.1X Failures: Client Certificate

Applies to: EAP methods that use a client-side TLS tunnel, e.g. EAP-TLS

Typical error messages:
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
  12515 EAP-TLS failed SSL/TLS handshake because of an expired CRL associated with a CA in the client certificates chain
  12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain

(Figure: server cert authentication by the client, signed by a trusted CA and belonging to an allowed server; client cert authentication by the AAA server against the client CA.)

Most common root causes:
• Client cert signed by a CA chain that the AAA server doesn't trust
• Client cert expired
• Client cert CRL expired

Page 90

802.1X Failure vs. 802.1X Timeout

An 802.1X failure occurs when the AAA server rejects the request:

  Supplicant -> Switch:  EAPoL-Start
  Switch -> Supplicant:  EAPoL Request Identity
  Supplicant -> Switch:  EAPoL Response Identity
  Switch -> AAA:         RADIUS Access-Request
  AAA -> Switch:         RADIUS Access-Reject
  Switch -> Supplicant:  EAP Failure

A timeout occurs when an endpoint can't speak 802.1X:

  Switch -> Endpoint:    EAPoL Request Identity
  Endpoint:              "EAP who?" (no response)

Page 91

802.1X Timeout Authentication Flow

(Flowchart; outcomes marked for Closed Mode and Low Impact Mode.)

Start 802.1X -> 802.1X time out, then:
• MAB configured? MAB pass? Y -> AAA-based authorization*
• Web-Auth configured? Valid username/password? Valid dACL & priv-lvl=15? Y -> dACL + fallback ACL; N -> fallback ACL
• Event no-response configured? Y -> Guest VLAN†
• No fallback succeeds -> Pre-Auth Access
• Restart timer configured? Y -> restart timer expires -> Start 802.1X again

*See the 802.1X Passed Flowchart for details
†Subject to change on receipt of EAPoL-Start if 802.1X has priority

Page 92

Common Timeout-Related Problems

Too long
• Symptoms: no IP address; PXE fail
• Root cause: DHCP timeout < 802.1X timeout
• Solutions: shorten timers, MAB first; Low Impact Mode

Too short
• Symptoms: wrong access levels; excessive control traffic
• Root cause: switch gives up on 802.1X too soon
• Solutions: enable EAPoL-Starts; 802.1X has priority

Just right
• Requirement: testing in your network
• Alternatives: Low Impact Mode; MAB first
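The three cases above come down to one number: how long the switch waits for a supplicant before giving up, which on IOS is the first EAP-Request/Identity plus max-reauth-req retransmissions spaced tx-period apart, (max-reauth-req + 1) x tx-period, or 90 s with the defaults of 30 s and 2. The block below is an added example, not from the deck: a simplified model of one link-up that yields the timeline of the port and classifies it as too long, too short or just right. The DHCP client timeout of 60 s and the supplicant start times are assumptions for the example; MAB is assumed to pass and 802.1X to pass once the supplicant answers.

```python
def dot1x_timeout(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Seconds from link-up until the switch stops waiting for a supplicant:
    the first EAP-Request/Identity plus max-reauth-req retransmissions, each
    separated by tx-period (IOS defaults: 30 s and 2, i.e. 90 s)."""
    return (max_reauth_req + 1) * tx_period


def simulate(tx_period, max_reauth_req, order, supplicant_ready_at,
             dot1x_priority=True):
    """Timeline of (seconds, kind, text) for one link-up.
    order: authentication order, e.g. ["dot1x", "mab"] or ["mab", "dot1x"].
    supplicant_ready_at: None for an endpoint with no supplicant (printer,
    PXE boot); otherwise the second at which the supplicant sends its first
    EAPoL frame. Simplification: MAB always passes, and 802.1X passes once the
    supplicant answers."""
    events = []
    t_out = dot1x_timeout(tx_period, max_reauth_req)
    has_supplicant = supplicant_ready_at is not None
    if order[0] == "dot1x":
        if has_supplicant and supplicant_ready_at < t_out:
            return [(supplicant_ready_at, "pass", "dot1x pass: intended access")]
        events.append((t_out, "timeout", "802.1X timeout, no EAPoL response"))
        if "mab" not in order:
            events.append((t_out, "none", "no access (closed) / pre-auth ACL (low impact)"))
            return events
        events.append((t_out, "pass", "MAB pass: MAB-level access"))
    else:
        events.append((0, "pass", "MAB pass: MAB-level access"))
    if has_supplicant and dot1x_priority:
        # Supplicant shows up later: its EAPoL-Start lets 802.1X take the
        # session back from MAB because dot1x has priority (extra control
        # traffic and a change of access level mid-session).
        t = max(supplicant_ready_at, events[-1][0])
        events.append((t, "start", "EAPoL-Start: 802.1X pre-empts MAB session"))
        events.append((t, "pass", "dot1x pass: intended access"))
    return events


def first_access(events):
    """Second at which the endpoint first gets any network access, or None."""
    return next((t for t, kind, _ in events if kind == "pass"), None)


def diagnose(events, dhcp_timeout, has_supplicant, order):
    """Classify as on the slide.
    'too long': the DHCP/PXE client gave up before the port opened.
    'too short': a real supplicant was slower than the switch, so the
    endpoint got MAB-level access first and then re-authenticated.
    dhcp_timeout is an assumed value; measure it for your own clients."""
    t = first_access(events)
    if t is None or t >= dhcp_timeout:
        return "too long"
    if (has_supplicant and order[0] == "dot1x"
            and any(kind == "timeout" for _, kind, _ in events)):
        return "too short"
    return "just right"


if __name__ == "__main__":
    cases = [("printer, IOS defaults", 30, 2, ["dot1x", "mab"], None),
             ("printer, tx-period 10", 10, 2, ["dot1x", "mab"], None),
             ("slow supplicant, tx-period 5", 5, 0, ["dot1x", "mab"], 20),
             ("PC, MAB first", 30, 2, ["mab", "dot1x"], 3)]
    for label, tx, mx, order, ready in cases:
        ev = simulate(tx, mx, order, ready)
        print(label, "->", diagnose(ev, 60, ready is not None, order), ev)
```

With the defaults a printer waits 90 s and DHCP has already given up; with tx-period 10 (as in the Closed Mode config earlier on this page) it waits 30 s. Shorten too far and a slow-booting supplicant is handled by MAB first and then flips to 802.1X, which is the "too short" symptom.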

Page 93

802.1X Server Dead Flow

(Flowchart)

New session: Start 802.1X -> AAA dead -> event server dead configured? Y -> Critical VLAN; N -> Pre-Auth Access
Existing session: re-auth 802.1X -> AAA dead -> event server dead configured? Y -> existing authorization kept; N -> Pre-Auth Access

Page 94

Misconfigurations Can Lead to the Appearance of a Dead Server

Symptoms
• All authentications fail from a switch or group of switches.
• Switch declares a functioning AAA server dead.
• Switch may deploy the Critical VLAN.

ACS5 log / root cause / resolution
• Root Cause: the AAA server does not accept RADIUS requests from this switch (the switch is not defined as a network device). Resolution: configure the AAA server to accept requests from this switch.
• Root Cause: the shared secret is not the same on the switch and the AAA server. Resolution: configure the same shared secret on the switch and the AAA server.
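Both root causes produce the same picture on the switch because a RADIUS reply is only accepted if its Response Authenticator verifies under the switch's copy of the shared secret (RFC 2865: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret); a reply signed with a different secret is dropped as if it never arrived, just like the silence of a server that does not know the NAS. The block below is an added example, not from the deck or any Cisco product, that implements that check and a small model of the dead-criteria counter; packet contents, secrets and the tries value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, request, attrs, server_secret) -> bytes:
    """What the AAA server sends back, authenticated with *its* copy of the secret."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, server_secret)
    return radius_packet(code, ident, auth, attrs)


def verify_reply(reply, request, switch_secret) -> bool:
    """The switch's check. A reply that fails it is discarded as if it never
    arrived, which is exactly what a shared-secret mismatch looks like."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], switch_secret)
    return hmac.compare_digest(reply[4:20], expected)


def server_declared_dead(switch_secret, server_secret, nas_defined=True, tries=3) -> bool:
    """Model of 'radius-server dead-criteria tries N': N consecutive requests
    with no valid reply mark the server dead. nas_defined=False models the
    first root cause on the slide (the server does not accept requests from
    this NAS, so it sends nothing); a differing server_secret models the second."""
    for ident in range(tries):
        request = radius_packet(ACCESS_REQUEST, ident, os.urandom(16))
        reply = build_reply(ACCESS_ACCEPT, request, b"", server_secret) if nas_defined else None
        if reply is not None and verify_reply(reply, request, switch_secret):
            return False          # one valid reply and the server is alive
    return True


if __name__ == "__main__":
    print("secrets match   ->", server_declared_dead(b"s3cret", b"s3cret"))
    print("secret typo     ->", server_declared_dead(b"s3cret", b"s3cret1"))
    print("NAS not defined ->", server_declared_dead(b"s3cret", b"s3cret", nas_defined=False))
```

The practical check follows from this: a packet capture on the switch side that shows Access-Accept or Access-Reject arriving while the switch still logs the server as dead points at the shared secret, whereas no reply at all points at the network-device definition on the server.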

Page 95

802.1X Passed Auth for IP Phones: Expected Behavior with Multi-Domain Authentication (MDA)

(Flowchart) Start 802.1X -> 802.1X Pass -> received device-traffic-class=voice? Y, then:
• AAA-based authorization? / switch configured for authorization? N -> static Voice VLAN
• Received dACL? Y -> port ACL defined on switch? Y -> static Voice VLAN, port ACL + dACL (Low Impact Mode)
• Received dynamic VLAN? Y -> VLAN defined on switch? Y -> dynamic Voice VLAN; no dynamic VLAN -> static Voice VLAN (Closed Mode)

Page 96: Advanced 802.1X Design and Troubleshootingd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSEC-3005.pdfSupplicant Authenticator Authentication Server EAP over LAN RADIUS (EAPoL) IEEE

© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3005 Cisco Public

802.1X Passed Authentication for IP Phones: Authorization Problems with MDA

[Flowchart with the same decision nodes as the expected-behavior chart (Start 802.1X -> Authentication Process -> 802.1X Pass -> Rcv'd device-traffic-class=voice?; AAA-based Authz?; Switch config'd for authz?; Rcv'd dACL? -> Port ACL defined on switch?; Rcv'd dynamic VLAN? -> VLAN defined on switch?) and these failure exits. device-traffic-class=voice not received -> Access to DATA VLAN only -> PC behind phone? Y -> Security Violation. Dynamic VLAN received but VLAN not defined on switch, or dACL received but no port ACL defined on switch -> Authz Fail: Quiet Period.]


802.1X Failure Flow for IP Phones with MDA

[Flowchart. Authentication Process: Start 802.1X -> 802.1X Fail? Y -> Event fail action next-method? Y -> MAB pass? Y -> AAA Based Authz*. Event fail action VLAN? Y -> Auth-Fail VLAN -> PC Behind Phone? Y -> Security Violation. Web-Auth config'd? Y -> data VLAN, fallback ACL. Restart Timer config'd? Y -> Restart Timer Expires -> Start 802.1X. Otherwise Final Port Status: Pre-Auth Access.]

*See 802.1X IP Phone Passed Flowchart for details


802.1X Timeout Flow for IP Phones

[Flowchart. Authentication Process: Start 802.1X -> 802.1X Time Out -> MAB config'd? Y -> MAB pass? Y -> AAA Based Authz*. Event no-response VLAN? Y -> Guest VLAN -> PC Behind Phone? Y -> Security Violation. Web-Auth config'd? Y -> data VLAN, fallback ACL. Restart Timer config'd? Y -> Restart Timer Expires -> Start 802.1X. Otherwise Final Port Status: Pre-Auth Access.]

*See 802.1X IP Phone Passed Flowchart for details
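The three IP-phone charts (passed authentication with MDA, failure, timeout) are the kind of expected flow the deck asks you to document per deployment. As an added example, not code from the deck or from Cisco, the following Python encodes them as a decision model: `PortConfig`, `AaaResult` and the outcome strings are this example's own names, and the branch order is a reading of the charts together with the IOS rules behind them (the `fail action` choices `next-method` and `authorize vlan` are mutually exclusive; a phone authorized without the `device-traffic-class=voice` AV pair is a data-domain host, so a PC behind it is a second data-domain host). It is a reasoning aid for writing down expected port states, not a reimplementation of IOS.

```python
"""Added example: decision model of the IP-phone pass/fail/timeout flows on
an MDA port. Names and outcome strings are this example's own; the rules
follow the charts and the documented IOS behaviours they summarise."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    mab: bool = False               # MAB present in the authentication order
    fail_next_method: bool = False  # authentication event fail action next-method
    fail_vlan: bool = False         # authentication event fail action authorize vlan <id>
    no_response_vlan: bool = False  # authentication event no-response action authorize vlan <id>
    webauth: bool = False           # web-auth fallback configured
    restart_timer: bool = False     # authentication timer restart <sec>
    port_acl: bool = False          # static port ACL present for a dACL to replace
    vlans: frozenset = frozenset()  # VLAN IDs actually defined on the switch


@dataclass
class AaaResult:
    voice_class: bool = False       # cisco-av-pair "device-traffic-class=voice" received
    dacl: bool = False              # downloadable ACL received
    vlan: Optional[int] = None      # dynamic VLAN received


def phone_authorized(cfg: PortConfig, aaa: AaaResult, pc_behind_phone: bool) -> str:
    """Final port status after the phone PASSES 802.1X on an MDA port."""
    if not aaa.voice_class:
        # No voice attribute: the phone is authorized into the data domain.
        # A PC behind it would be a second data-domain host -> violation.
        return "security violation" if pc_behind_phone else "data VLAN only"
    if aaa.vlan is not None:
        if aaa.vlan not in cfg.vlans:
            return "authz fail: quiet period"   # VLAN not defined on switch
        return "dynamic voice VLAN"
    if aaa.dacl:
        if not cfg.port_acl:
            return "authz fail: quiet period"   # dACL but no port ACL to replace
        return "static voice VLAN, port ACL + dACL"   # Low Impact Mode
    return "static voice VLAN"                        # Closed Mode


def phone_fallback(cfg: PortConfig, event: str, mab_passes: bool, pc_behind_phone: bool) -> str:
    """Final port status after 802.1X FAILS ('fail') or TIMES OUT ('timeout')."""
    if event == "fail":
        if cfg.fail_next_method:
            if cfg.mab and mab_passes:
                return "AAA-based authz (see pass flow)"
        elif cfg.fail_vlan:
            # Auth-fail VLAN is a data VLAN: phone + PC = two data-domain hosts.
            return "security violation" if pc_behind_phone else "auth-fail VLAN"
    elif event == "timeout":
        if cfg.mab and mab_passes:
            return "AAA-based authz (see pass flow)"
        if cfg.no_response_vlan:
            return "security violation" if pc_behind_phone else "guest VLAN"
    else:
        raise ValueError(f"unknown event {event!r}")
    if cfg.webauth:
        return "data VLAN, fallback ACL"
    if cfg.restart_timer:
        return "restart timer expires -> start 802.1X again"
    return "pre-auth access"


def expected_flows(cfg: PortConfig, pc_behind_phone: bool) -> dict:
    """One table per port profile: the thing the deck asks you to document."""
    return {
        "pass, voice attr": phone_authorized(cfg, AaaResult(voice_class=True), pc_behind_phone),
        "pass, no voice attr": phone_authorized(cfg, AaaResult(), pc_behind_phone),
        "fail, MAB ok": phone_fallback(cfg, "fail", True, pc_behind_phone),
        "fail, MAB fails": phone_fallback(cfg, "fail", False, pc_behind_phone),
        "timeout, MAB fails": phone_fallback(cfg, "timeout", False, pc_behind_phone),
    }


# Constructed sample profile: Low Impact port, MAB as next method, restart timer.
LOW_IMPACT = PortConfig(mab=True, fail_next_method=True, restart_timer=True,
                        port_acl=True, vlans=frozenset({10, 100}))

if __name__ == "__main__":
    for case, status in expected_flows(LOW_IMPACT, pc_behind_phone=True).items():
        print(f"{case:22s} -> {status}")
```

The most common surprise in practice is the "pass, no voice attr" row: the phone authenticated successfully, yet the PC behind it is shut out with a security violation, because the AAA policy never returned `device-traffic-class=voice`. Check the authorization profile before touching the switch.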


Conclusion


Key Takeaways

Start Simple and Evolve
• Monitor mode before access control
• Least restrictive ACLs, fewest VLANs

Optimize Deployment Scenarios With New Features

Document Expected Flows for your Implementation
• Know where every device & user should / could end up
• Start at a central point, work outward as required; a good AAA server is invaluable


Most Important: Think at the System-Level

Authentication: Credentials, DBs, EAP, Supplicants, Agentless, Order/Priority
Authorization: Pre-Auth, VLAN, ACL, Failed Auth, AAA down
Desktops: Windows GPO, machine auth, PXE, WoL, VM
Multiple Endpoints: Phones, Link State, VMs, Desktop Switches
Policy: Definition, Enforcement, Rollout
Teamwork & Organization: Network, IT, Desktop
Confidentiality: Encryption


Where To Find Out More

Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACSec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html
www.cisco.com/go/ibns
www.cisco.com/go/trustsec


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042.

Come see demos of many key solutions and products in the main Cisco booth 2924.

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
