Catalyst 4500/4900 Bootcamp · Identity — Introduction · Authentication...

Page 1: Title

Catalyst 4500/4900 Bootcamp

Chapter 4: Identity, March 2009

Laleh Masnavi

Technical Marketing Engineer

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential. 4500 Bootcamp

Campus Switching Solutions Technology Group

Page 2: Agenda

• Identity — Introduction

• Authentication Mechanisms — Overview
  IEEE 802.1X
  Mac Authentication Bypass (MAB)
  Webauth

• Flexible Roll Out
  Flexible Authentication
  Open Mode Access

• IP Telephony Integration
  IPT & 802.1X Challenges
  Multi‐Domain Authentication (MDA)
  Proxy EAPoL Log‐off
  Inactivity Timer
  CDP 2nd Port Notification

Page 3: Identity Based Networking Services (IBNS)

The IBNS consists of a bundle of Identity features which make IEEE 802.1X easier for customers to deploy.

Diagram components: End point discovery; Catalyst 4500/4900 Series Security (802.1X, MAB, WebAuth); Wired and wireless supplicant; Central Policy server.

End to end system available from Cisco.

Page 4: Changing Business Environment Drives Network Access Control Demands

Diagram of the Enterprise Network and the parties that need access to it. Parties: Employees, Partners, Business Partners, Subcontractor, Consultant, Unknown or Guest. Locations: Remote Site, Corporate LAN, Corporate Wireless LAN, Data Center, DMZ, EWAN, Public Internet.

Page 5: Basic IBNS Deployment Scenarios

IBNS on the Catalyst 4500 series offers a complete authentication solution for customers wanting to better secure access to their network.

• Secure Access for Voice Devices
• Uni‐Directional Control Port to initiate system backups
• Guest VLAN access for transient workers
• Web Auth Proxy access for clients with HTTP access
• MAC Auth Bypass for clients with no 802.1X support
• Inaccessible Auth Bypass when access to the AAA server is down

Page 6: Advanced Considerations for IBNS Deployment

Deployment scenarios (as on page 5): Secure Access for Voice Devices; Uni‐Directional Control Port to initiate system backups; Guest VLAN access for transient workers; Web Auth Proxy access for clients with HTTP access; MAC Auth Bypass for clients with no 802.1X support; Inaccessible Auth Bypass when access to the AAA server is down.

Identity Feature Set
• 802.1X with Multi‐host
• 802.1X with Multi‐auth
• Guest VLAN
• Wake On LAN (WoL)
• 802.1X with Voice VLAN ID
• PXE boot
• Multi Domain Auth (MDA)
• Flexible Authentication
• Mac Auth Bypass (MAB)
• Webauth

Policy Enforcement
• VLAN assignment
• PVLAN assignment
• QoS policy
• ACL assignment
• URL redirect
• Guest VLAN
• Auth‐Fail VLAN

Infrastructure Integration
• 802.1X with Port Security
• 802.1X with DAI
• 802.1X with IP Source Guard
• 802.1X with DHCP Relay

AAA
• Inaccessible Auth Bypass
• Accounting
• Radius supplied timers
• Downloadable ACLs
• DNS resolution for RADIUS server

Page 7: Agenda (repeat of page 2)

Page 8: IEEE 802.1X

• The foundation of identity based network services

• A client‐server‐based link‐layer protocol used for transporting higher‐level protocols

• Works between the supplicant (client) and the authenticator (Catalyst 4500 switch) by maintaining backend communication to an authentication (RADIUS) server

Diagram: Host (Supplicant) <-- 802.1X --> Switch (Authenticator) <-- RADIUS --> Cisco Secure ACS (Authentication Server)

Page 9: IEEE 802.1X

Until the client is authenticated, 802.1X access control only allows Extensible Authentication Protocol over LAN (EAPOL) traffic from the port to which the client is connected.

After authentication is successful, normal traffic can pass through the port.

Diagram: Host <-- 802.1X --> Switch <-- RADIUS --> Cisco Secure ACS (Authentication Server). EAP traffic is forwarded to the authentication server; normal traffic from an unauthenticated host goes to the drop bucket.

Page 10: IEEE 802.1X — EAP Message Exchange

Supplicant <-> Authenticator (EAPOL)      Authenticator <-> Authentication Server (RADIUS)
EAPOL Start
EAPOL Request Identity
EAPOL Response Identity                   RADIUS Access Request
EAP Request One Time PWD                  RADIUS Access Challenge
EAPOL Response OTP                        RADIUS Access Request
EAP Success                               RADIUS Access Accept
Port Authorized
EAPOL Logoff
Port Unauthorized
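The exchange above, replayed frame by frame as an added example (not code from the deck): the Python below builds the EAPOL/EAP frames of that sequence, decodes them with the length checks an authenticator must apply, and tracks the port state, which only an EAP Success moves to AUTHORIZED. The supplicant MAC is the one from page 13; the authenticator MAC, identity and OTP values are constructed.

```python
"""Decode the EAPOL/EAP frames of the exchange on this page (IEEE 802.1X
framing, EAP per RFC 3748) and track the authenticator's port state: only an
EAP Success authorizes the port, EAPOL-Logoff or EAP Failure unauthorizes it.
Added example, not Cisco code; all frames are constructed."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # the "group PAE address" in the page 15 debug
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 5: "One-Time Password", 6: "Generic Token Card"}


def build_eapol(dst, src, eapol_type, body=b""):
    """Ethernet header + EAPOL header (protocol version 1) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def build_eap(code, ident, method=None, data=b""):
    """EAP packet; Success/Failure carry only the 4-byte header."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def decode_eapol(frame):
    """Describe one frame as a dict; raise ValueError on anything malformed or
    truncated, which is what an authenticator must do rather than guess."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, version, eapol_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "version": version,
            "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:                      # EAP-Packet: parse the EAP header
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type byte
            eap["method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def describe(info):
    """'EAPOL-Start', 'EAP Request Identity', 'EAP Success', ..."""
    eap = info.get("eap")
    if eap is None:
        return info["type"]
    return " ".join(x for x in ("EAP", eap["code"], eap.get("method")) if x)


def port_state_after(frames):
    """Replay the frames as the authenticator sees them; return [(label, state)]."""
    state, history = "UNAUTHORIZED", []
    for frame in frames:
        info = decode_eapol(frame)
        code = info.get("eap", {}).get("code")
        if info["type"] == "EAPOL-Logoff" or code == "Failure":
            state = "UNAUTHORIZED"
        elif code == "Success":
            state = "AUTHORIZED"
        history.append((describe(info), state))
    return history


# Constructed exchange following the sequence on this page.
SUPPLICANT = bytes.fromhex("0013468e4453")     # supplicant MAC from page 13
AUTHENTICATOR = bytes.fromhex("0200c45000e1")  # made-up switch MAC
EXCHANGE = [
    build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT, 1),                                    # EAPOL Start
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 1, 1)),                    # EAP Request Identity
    build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT, 0, build_eap(2, 1, 1, b"employee")),   # EAP Response Identity
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 2, 5, b"otp-challenge")),  # EAP Request One Time PWD
    build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT, 0, build_eap(2, 2, 5, b"482913")),     # EAP Response OTP
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(3, 2)),                       # EAP Success -> Port Authorized
    build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT, 2),                                    # EAPOL Logoff -> Port Unauthorized
]

if __name__ == "__main__":
    for label, state in port_state_after(EXCHANGE):
        print(f"{label:32s} port {state}")
```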

Page 11: MAC Authentication Bypass (MAB)

Devices that cannot authenticate themselves using 802.1X, but require network access, can use MAB to authorize using 802.1X.

• MAB uses the connecting device MAC address to grant/deny network access.

• Used on ports where devices do not have 802.1X supplicant functionality, such as printers and fax machines.

• A set of three EAPOLs is sent before transitioning from the 802.1X authentication method to MAB.

Diagram: Non‐supplicant <-- MAB authorized links --> Switch <-- RADIUS --> Cisco Secure ACS (Authentication Server)

Page 12: MAC Authentication Bypass (MAB)

The MAC addresses of the connected devices are pre‐configured in ACS by the network administrator.

Diagram: Non‐supplicant <-- MAB authorized links --> Switch --> Cisco Secure ACS (Authentication Server); the ACS User Setup screen holds the MAC address as the user entry.

Page 13: IEEE 802.1X and MAB

MAB
• port‐based feature
• can be enabled if 802.1X is configured on a port

802.1X — three entities:
• client (supplicant)
• authenticator (switch)
• authentication server (ACS)

Diagram: the supplicant PC (0013.468e.4453) sends its credentials to the authenticator, which relays the info to the auth server; the non‐supplicant (0011.2582.52bd) is authorized over MAB authorized links. MAB is enabled on the authenticator. ACS database: User: 0013.468e.4453, User: 0011.2582.52bd. Authentication server: Cisco Secure ACS.

Page 14: MAB — Sample Configuration

C4500-E(config)# aaa new-model
C4500-E(config)# aaa authentication dot1x default group radius
C4500-E(config)# aaa accounting dot1x default start-stop group radius
C4500-E(config)# aaa session-id common
C4500-E(config)# dot1x system-auth-control
C4500-E(config)# dot1x critical eapol
C4500-E(config)# ip radius source-interface Vlan81
C4500-E(config)# radius-server host 10.5.5.18 auth-port 1645 acct-port 1646 key key

C4500-E(config-if)# authentication host-mode multi-host
C4500-E(config-if)# authentication port-control auto
C4500-E(config-if)# authentication periodic
C4500-E(config-if)# authentication timer reauthenticate 10
C4500-E(config-if)# mab
C4500-E(config-if)# dot1x pae authenticator
C4500-E(config-if)# dot1x timeout tx-period 2
C4500-E(config-if)# spanning-tree portfast

Page 15: MAB — debug dot1x event

4d01h: dot1x-ev:dot1x_mgr_if_state_change: GigabitEthernet3/23 has changed to UP
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:Received an EAP Timeout on GigabitEthernet3/23 for mac 0000.0000.0000
...
4d01h: dot1x-ev:dot1x_switch_addr_add: Added MAC 0011.2582.52bd to vlan 100 on interface GigabitEthernet3/23
4d01h: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi3/23
4d01h: dot1x-ev:Received successful Authz complete for 0011.2582.52bd

Slide annotations: the three "Sending EAPOL packet to group PAE address" lines (numbered 1, 2, 3 on the slide) are the one set of EAPOLs sent before transitioning to MAB; a set of EAPOLs consists of 3. The final "Received successful Authz complete" line shows that the device has been authorized via MAB.

Page 16: IEEE 802.1X and MAB Port Authorization

The show dot1x int <mod/port> detail command displays the administrative and operational status for the interface. As shown below, the port has been authorized using two different authentication methods:

C4500-E# show dot1x int gig 3/23 detail
Dot1x Info for GigabitEthernet3/23
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 10 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0013.468e.4453
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A

Supplicant = 0011.2582.52bd
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
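As an added example (not Cisco code), the Python below parses the listing above into port settings and per-supplicant records, reports which method authorized each MAC, and derives from TxPeriod and ReAuthMax how long a silent host waits before the switch falls back to MAB (the three EAPOLs of pages 11 and 15). It assumes ReAuthMax is the max-reauth-req retry counter; the sample text is a constructed copy of the page's listing.

```python
"""Parse 'show dot1x interface ... detail' output into settings and clients and
derive the MAB fallback delay. Added example, not Cisco code; SHOW_DOT1X_DETAIL
is a constructed copy of the listing on this page."""
import re

SHOW_DOT1X_DETAIL = """\
Dot1x Info for GigabitEthernet3/23
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 10 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled

Dot1x Authenticator Client List
-------------------------------
Supplicant = 0013.468e.4453
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A

Supplicant = 0011.2582.52bd
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
"""

# "Key = value"; keys may contain spaces ("Auth SM State") and hyphens ("Mac-Auth-Bypass")
KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*=\s*(.*?)\s*$")


def parse_show_dot1x_detail(text):
    """Return (port_settings, clients); a new client starts at each 'Supplicant =' line."""
    settings, clients, current = {}, [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue                      # banners and dashed rules carry no '='
        key, value = m.group(1), m.group(2)
        if key == "Supplicant":
            current = {"Supplicant": value}
            clients.append(current)
        elif current is not None:
            current[key] = value
        else:
            settings[key] = value
    return settings, clients


def _int_prefix(value):
    """'10 (Locally configured)' -> 10."""
    return int(value.split()[0])


def mab_fallback_seconds(settings):
    """EAPOL Request-Identity is sent once and retried ReAuthMax times, TxPeriod
    seconds apart (the 'set of three EAPOLs' on pages 11 and 15), so a host that
    never answers is handed to MAB after (ReAuthMax + 1) * TxPeriod seconds.
    Assumption: ReAuthMax here is the max-reauth-req counter."""
    if settings.get("Mac-Auth-Bypass") != "Enabled":
        return None                       # no fallback: silent hosts stay unauthorized
    return (_int_prefix(settings["ReAuthMax"]) + 1) * _int_prefix(settings["TxPeriod"])


def clients_by_method(clients):
    """Map authentication method -> MACs it authorized; only AUTHORIZED entries count."""
    out = {}
    for c in clients:
        if c.get("Port Status") == "AUTHORIZED":
            out.setdefault(c.get("Authentication Method", "?"), []).append(c["Supplicant"])
    return out
```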

Page 17: Web‐based Authentication (Webauth)

Non‐supplicant and unmanaged devices can authenticate via a standalone webauth method.

The authenticator intercepts the ingress HTTP packet from the host and sends an HTML Login Page. The user keys in the credentials. The HTTP response is parsed and the user credentials are validated.

The internal HTTP server of the switch hosts four HTML pages for delivery to the end user to notify the user of four different states of the authentication process: Login, Success, Fail, and Expire.

Diagram: Non‐supplicant <-- HTTP --> Authenticator (Switch) <-- RADIUS --> Cisco Secure ACS (Authentication Server)

Page 18: Customizable Webauth

The four default internal HTML pages can be substituted for custom HTML pages, or can be redirected to a URL upon a successful authentication, replacing the internal Success page.

Diagram: Non‐supplicant <-- HTTP --> Authenticator (Switch) <-- RADIUS --> Cisco Secure ACS (Authentication Server)

Page 19: Customizable Webauth

Sample custom HTML pages and configs:

C4500-E(config)# ip admission proxy http login page file bootflash:custpage.htm
C4500-E(config)# ip admission proxy http success page file bootflash:custsucc.htm
C4500-E(config)# ip admission proxy http fail page file bootflash:custfail.htm
C4500-E(config)# ip admission proxy http login expired page file bootflash:custexpr.htm

Page 20: Agenda (repeat of page 2)

Page 21: Flexible Authentication

Diagram: one port with 802.1X, MAB and Webauth all enabled. An 802.1X client (Employee, Partner, Faculty) authenticates with EAP over RADIUS. If 802.1X times out or fails, the switch tries MAB with the client's MAC address: a valid MAC (Valid Host, Host Asset) gets Access Accept; an unknown MAC is redirected (URL, web, port 80) to Webauth (Guest User, SubContractor).

interface GigabitEthernet3/41
 authentication host-mode multi-domain
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication violation restrict
 authentication fallback WEB-AUTH
 mab

Benefit: Greater flexibility & deterministic behavior
• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Choice of policy enforcement mechanisms: VLAN, downloadable per‐user ACL, URL
• Support single‐host and multi‐auth scenarios

Page 22: Flexible Authentication

Diagram: the 802.1X client (Employee, Partner, Faculty) sends its EAP credentials, which are validated over RADIUS, and the port is authorized. A host change on the port (Valid Host, Host Asset, Guest User, SubContractor) is shown on the following pages.

The order and priority of the authentication methods can be configured.

Order – specifies the fallback order of authentication methods. Default order: dot1x, mab, and webauth.

Priority – specifies the relative priority of authentication methods. Default priority: dot1x, mab, and webauth.

Benefit: Greater flexibility & deterministic behavior

Page 23: Flexible Authentication

Diagram: 802.1X times out or fails, so the switch falls back to MAB with the host's MAC address. A known MAC receives Access Accept and the port is authorized for that host (Valid Host, Host Asset).

On a port in Multi‐auth mode, either or both of MAB and Webauth can be configured as fallback authentication methods for non‐802.1X hosts.

Benefit: Greater flexibility & deterministic behavior

Page 24: Default Fallback Sequence — 802.1X, MAB, Webauth

Configuration on the authenticator (switch):

ip device tracking probe interval 300
ip device tracking
ip auth-proxy absolute-timer 1000
ip admission absolute-timer 1000
ip admission name web-auth proxy http inactivity-time 1000
!
dot1x system-auth-control
!
fallback profile webauth-fallback
 ip access-group FOO in
 ip admission web-auth
!
interface g 1/12
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab webauth
 authentication port-control auto
 authentication fallback webauth-fallback
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 15
 spanning-tree portfast
!
ip access-list extended FOO
 permit icmp any any
 deny ip any any

Syslog as the client falls through the sequence:

*Nov 20 09:51:31.171: %DOT1X-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-5-START: Starting 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %MAB-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-5-START: Starting 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
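The syslog above is the trace of the switch walking `authentication order dot1x mab webauth`. As an added example (not part of the deck), the Python below reconstructs each client's method results from the %AUTHMGR-7-RESULT lines, reports which method finally authorized the session, flags clients no method accepted, and checks that the observed sequence follows the configured order. The log text is a constructed copy of the page's lines plus one made-up line for the phone that page 26 shows as dot1x Authc Success.

```python
"""Rebuild per-client fallback sequences from %AUTHMGR syslog and check them
against the configured 'authentication order'. Added example, not Cisco code;
SYSLOG is a constructed copy of the lines on this page."""
import re

ORDER = ["dot1x", "mab", "webauth"]   # authentication order dot1x mab webauth

SYSLOG = """\
*Nov 20 09:51:31.171: %DOT1X-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-5-START: Starting 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %MAB-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-5-START: Starting 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
"""
# Constructed line (not on the page) for the IP phone that page 26 shows as dot1x success.
SYSLOG += "*Nov 20 09:50:02.004: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0013.7f16.36f0) on Interface Gi1/12\n"

RESULT = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)' "
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")


def method_results(log):
    """Return {(interface, mac): [(method, result), ...]} in log order."""
    sessions = {}
    for line in log.splitlines():
        m = RESULT.search(line)
        if m:
            sessions.setdefault((m["intf"], m["mac"]), []).append((m["method"], m["result"]))
    return sessions


def final_method(results):
    """Method that authorized the session, or None if every method failed."""
    for method, result in results:
        if result == "success":
            return method
    return None


def unauthorized_clients(sessions):
    """Clients that exhausted the sequence without any success: worth a look in SecOps."""
    return sorted(key for key, results in sessions.items() if final_method(results) is None)


def follows_order(results, order=ORDER):
    """True if methods were tried in the configured order, each only after the
    previous one reported fail/no-response, and nothing ran after a success."""
    tried = [method for method, _ in results]
    if tried != order[:len(tried)]:
        return False
    for i, (_, result) in enumerate(results):
        if result == "success" and i != len(results) - 1:
            return False
    return True
```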

Page 25: Displaying the Host Authentication Status

Switch# show ip admission cache
Authentication Proxy Cache
 Total Sessions: 1 Init Sessions: 0
 Client IP 10.100.1.21 Port 1382, timeout 1000, state ESTAB

Displays the Authentication Entry for the Client PC.

Diagram: Client <--> Authenticator (Switch) <--> Cisco Secure ACS (Authentication Server)

Page 26: Verifying Auth Session for an Interface

Switch# show authentication sessions int g1/12
            Interface:  GigabitEthernet1/12
          MAC Address:  0019.bb2f.1c9e
           IP Address:  10.100.1.21
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A6401320000000F005E0D58
      Acct Session ID:  0x00000018
               Handle:  0x8D00000F

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Failed over
       webauth  Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/12
          MAC Address:  0013.7f16.36f0
           IP Address:  10.10.1.11
            User-Name:  CP-7970G-SEP00137F1636F0
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A6401320000000E00594F00
      Acct Session ID:  0x00000017
               Handle:  0x5E00000E

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
       webauth  Not run

Both the PC and the phone are authenticated on the authenticator (switch).

Page 27: IEEE 802.1X Default Security Behavior

Default 802.1x Challenge: devices without supplicants can't send EAPoL. No EAPoL = No Access.

One physical port -> two virtual ports:
• Uncontrolled port (EAPoL only)
• Controlled port (everything else)

interface fastEthernet 3/48
 authentication port-control auto

Diagram: a non‐supplicant device on the port stays offline (No EAPoL / No Access).

Page 28: 802.1X/MAB — Open Mode

Open Mode (No Restrictions): 802.1X & MAB enabled, Open Mode enabled.
• All traffic in addition to EAP is ALLOWED

RADIUS accounting logs provide visibility:

Passed/Failed 802.1X/EAP attempts
• List of valid dot1x capable
• List of non‐dot1x capable

Passed/Failed MAB attempts
• List of Valid MACs
• List of Invalid or unknown MACs

Page 29: Low Impact Access Control With Open Mode and ACLs

Selectively Open Access — Open Mode (Pinhole):
• On Specific TCP/UDP Ports
• Restrict to Specific Addresses
• EAP Allowed (Controlled Port)

Pinhole explicit tcp/udp ports to allow desired access. Block general access until successful 802.1X, MAB or WebAuth.

Page 30: Open Mode on 802.1X Port With Downloadable ACLs

Diagram: end points on a Catalyst 4500 Ethernet port (802.1X*) reach, before authentication, only DHCP, DNS (10.100.10.116) and the PXE server (10.100.10.117) on the wired Ethernet, plus EAP to ACS/AAA. End point IP: 10.100.60.200. (Slide source: Ken Hook.)

(Before Authentication)
C4500-E# show tcam interface g1/13 acl in ip
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any

Sample Open Mode Configs:

interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group UNAUTH in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab

ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp

* … Flex Auth & MDA Enabled Ports

Page 31: Open Mode on 802.1X Port With Downloadable ACLs

Topology: end points on a wired Ethernet port of a Catalyst 4500 (802.1X*), with ACS/AAA, a DHCP/DNS server at 10.100.10.116 and a PXE server at 10.100.10.117 upstream. The authenticated end point holds IP 10.100.60.200.

(Before Authentication)

C4500-E# show tcam interface g1/13 acl in ip
 permit tcp any any established match-any
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any

(After Authentication, dACL for 10.100.60.200 applied)

C4500-E# show tcam interface g1/13 acl in ip
 permit ip host 10.100.60.200 any
 permit tcp any any established match-any
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any

Sample Open Mode Configs

interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group UNAUTH in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
!
ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp

* Works with Flex Auth & MDA enabled ports

Slide Source: Ken Hook
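The two TCAM views on this slide are easier to reason about when packets are actually fed through them. The following Python evaluator is an added example, not code from the slides or from Cisco: the ACEs are the ones shown above, the packets are constructed, and the matcher implements only the subset of IOS extended-ACL syntax those ACEs use (any/host address specs, `eq` with a port name, `established`, and the implicit trailing deny).

```python
from dataclasses import dataclass

# ACEs copied from the slide: the static port ACL applied inbound before
# authentication, and the TCAM view after the dACL for 10.100.60.200 has been
# pushed from ACS on top of it.
UNAUTH_ACL = [
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]
AFTER_AUTH_ACL = ["permit ip host 10.100.60.200 any"] + UNAUTH_ACL

# Well-known port names IOS accepts in 'eq' clauses (only those used above).
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}


@dataclass
class Packet:
    """A constructed inbound packet as the port ACL sees it (endpoint -> switch)."""
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP ACK/RST set: reply to a session opened toward the endpoint


def _match_addr(tokens, addr):
    """Consume an IOS address spec ('any' or 'host A.B.C.D') and test it against addr."""
    tok = next(tokens)
    if tok == "any":
        return True
    if tok == "host":
        return next(tokens) == addr
    raise ValueError(f"unsupported address spec {tok!r}")


def ace_matches(ace, pkt):
    """True if one ACE (subset of IOS extended-ACL syntax) matches pkt."""
    tokens = iter(ace.split())
    next(tokens)                      # action; the caller reads it
    proto = next(tokens)
    if proto != "ip" and proto != pkt.proto:
        return False
    if not _match_addr(tokens, pkt.src) or not _match_addr(tokens, pkt.dst):
        return False
    for tok in tokens:
        if tok == "eq":
            name = next(tokens)
            if pkt.dport != (PORT_NAMES.get(name) or int(name)):
                return False
        elif tok == "established" and not pkt.established:
            return False
    return True


def evaluate(acl, pkt):
    """First-match evaluation ending in the implicit 'deny ip any any' IOS appends."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0]
    return "deny"


def pre_auth_reachability(pkt):
    """What a not-yet-authenticated endpoint can reach in open mode (the 'before' view)."""
    return evaluate(UNAUTH_ACL, pkt)


def post_auth_reachability(pkt):
    """The same packet after the dACL for 10.100.60.200 is applied (the 'after' view)."""
    return evaluate(AFTER_AUTH_ACL, pkt)
```

Running a DHCP discover, a DNS query to 10.100.10.116 and a TFTP request to 10.100.10.117 through `pre_auth_reachability` returns "permit", while a new TCP connection from the endpoint returns "deny" until `post_auth_reachability` is used; that is the "no impact" property of open mode: PXE, DHCP and DNS work before authentication, everything else waits for the dACL.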

Page 32: Default Security: Single MAC Filtering

interface fastEthernet 3/48
 authentication port-control auto

Multiple MACs on Port: not allowed, to ensure validity of the authenticated session.
• Hubs, VMWare, Phones, Grat Arp…

Security violations defeat the "no impact" goal of monitor mode.

Applies in Open and Closed Mode.

Page 33: Modifying Single-MAC Requirement

interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth

Multiple MACs on Port: MAC-based enforcement for each device
• 802.1X or MAB

Use with caution!

Page 34: Agenda

• Identity — Introduction
• Authentication Mechanisms—Overview
  IEEE 802.1X
  Mac Authentication Bypass (MAB)
  Webauth
• Flexible Roll Out
  Flexible Authentication
  Open Mode Access
• IP Telephony Integration
  IPT & 802.1X Challenges
  Multi‐Domain Authentication (MDA)
  Proxy EAPoL Log‐off
  Inactivity Timer
  CDP 2nd Port Notification

Page 35: IPT & 802.1X: Fundamental Challenges

"The operation of Port Access Control assumes that the Ports on which it operates offer a point‐to‐point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per‐Port basis." (IEEE 802.1X rev 2004)

1) One device per port. With two devices per port (a PC behind an IP phone) the result is a Security Violation.
2) The 802.1X State Machine depends on Link State. The PC's link state is unknown to the switch when the PC is behind the phone.

IPT Breaks the Point‐to‐Point Model

Page 36: Multi‐Domain Authentication (MDA): Solving the two‐devices‐per‐port problem

IEEE 802.1X: single device per port. MDA: single device per domain per port (Two Domains Per Port, Voice and Data, separated by 802.1q tagging).

• Phone authenticates in Voice Domain, tags traffic in VVID
• PC authenticates in Data Domain, untagged traffic in PVID
• MDA replaces CDP Bypass
• Supports Cisco & 3rd Party Phones
• Phones and PCs use 802.1X or MAB

Page 37: MDA for Cisco IP Phones using MAB

interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab

No Supplicant on Phone.

1) Phone learns VVID from CDP
2) 802.1X (EAP) times out
3) Switch learns phone’s MAC, initiates MAB (Access-Request: Phone MAC)
4) ACS returns Access‐Accept with Phone VSA
5) Phone traffic allowed on either VLAN until it sends a tagged packet, then only voice VLAN
6) (Asynchronously) PC authenticates using 802.1X (EAP) or MAB. Authenticated PC traffic allowed on data VLAN only

Page 38: The Link State Issue

interface GigE 1/0/5
 authentication host-mode multi-domain

Port authorized for 0011.2233.4455 only (PC A, data domain, behind the phone).

1) Legitimate users cause security violation: PC A unplugs from the phone and PC B (S:6677.8899.AABB) plugs in; the switch still holds A's session, sees a second MAC in the data domain and raises a Security Violation.
2) Hackers can spoof MAC to gain access without authenticating: frames with S:0011.2233.4455 are treated as the still‐authorized PC A (Security Hole).

Page 39: Solution 1: Proxy EAPoL‐Logoff

Sequence (PC-A and PC-B run the SSC supplicant):

1. PC-A authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
2. PC-A Unplugs: the phone sends an EAPoL-Logoff on PC-A's behalf. Domain = DATA, Port Status = UNAUTHORIZED. Session cleared immediately by proxy EAPoL‐Logoff.
3. PC-B Plugs In: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

Caveats: Only for 802.1X devices behind phone.
Requires: Logoff‐capable Phones.

Page 40: Solution 2: Inactivity Timeout Option

interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity [300 | server]
 mab

Sequence:

1. Device authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2. Device Unplugs: the session remains (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB). Vulnerable to security violation and/or hole; still a window of vulnerability.
3. Inactivity Timer Expires: Domain = DATA, Port Status = UNAUTHORIZED. Session cleared. Vulnerability closed.

Caveats: Quiet devices may have to re‐auth; network access denied until re‐auth completes. Still a window of vulnerability.

Page 41: Solution 3: CDP 2nd Port Notification

id-4503#sho cdp neigh g2/1 detail
-------------------------
Device ID: SEP0015C696E22C
Entry address(es):
  IP address: 10.1.200.10
Platform: Cisco IP Phone 7971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1, Port ID (outgoing port): Port 1
Holdtime : 168 sec
Second Port Status: Down

Sequence:

1. Device A authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2. Device A Unplugs: CDP Link Down; the phone sends a link-down TLV to the switch. Domain = DATA, Port Status = UNAUTHORIZED. Session cleared immediately.
3. Device B Plugs In (SSC): Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

• Link status message addresses the root cause
• Works for MAB, 802.1X, and Web‐Auth
• Nothing to configure
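The host-mode rules of slides 32 and 33 and the three session-clearing mechanisms of slides 39 to 41 can be put side by side in one small model. The Python below is an added example, not code from the slides or from IOS: `Port` keeps the authenticated sessions of one access port and enforces the configured host-mode, `proxy_eapol_logoff`, `tick` and `cdp_second_port` play the roles of the three solutions, and `parse_second_port_status` pulls the "Second Port Status" field out of the `show cdp neighbors detail` text shown on slide 41. MAC addresses and the CDP text are taken from the slides; everything else (class and method names, the "data"/"voice" domain labels) is this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class SecurityViolation(Exception):
    """A MAC appeared that the configured host-mode does not allow (slide 38, case 1)."""


@dataclass
class Session:
    mac: str
    domain: str      # "data" or "voice"
    method: str      # "dot1x", "mab" or "webauth"
    idle_seconds: int = 0


@dataclass
class Port:
    """Sessions of one access port. host_mode is 'single-host' (default single-MAC
    filter), 'multi-domain' (MDA: one MAC per voice/data domain) or 'multi-auth'
    (any number of MACs, each authenticated). inactivity_timeout mirrors
    'authentication timer inactivity <seconds>'; None means the timer is off."""
    host_mode: str = "single-host"
    inactivity_timeout: Optional[int] = None
    sessions: Dict[str, Session] = field(default_factory=dict)

    def admit(self, mac: str, domain: str, method: str) -> str:
        """A device authenticated via `method`; apply the host-mode limit first."""
        if mac in self.sessions:
            return "already-authorized"
        if self.host_mode == "single-host" and self.sessions:
            raise SecurityViolation(f"second MAC {mac} on a single-host port")
        if self.host_mode == "multi-domain" and any(
                s.domain == domain for s in self.sessions.values()):
            raise SecurityViolation(f"second MAC {mac} in the {domain} domain")
        self.sessions[mac] = Session(mac, domain, method)
        return "authorized"

    def frame_from(self, mac: str) -> str:
        """A frame with source `mac` arrives. While a stale session exists, the same
        source MAC is forwarded with no new authentication (slide 38, case 2)."""
        session = self.sessions.get(mac)
        if session is None:
            return "unauthorized"
        session.idle_seconds = 0
        return "authorized"

    def proxy_eapol_logoff(self, mac: str) -> str:
        """Solution 1: the phone relays EAPoL-Logoff for the PC that unplugged.
        Only 802.1X sessions are cleared; MAB and webauth sessions are untouched."""
        session = self.sessions.get(mac)
        if session is None or session.method != "dot1x":
            return "no-effect"
        del self.sessions[mac]
        return "cleared"

    def tick(self, seconds: int) -> List[str]:
        """Solution 2: advance the inactivity timer; sessions silent for at least
        inactivity_timeout seconds are cleared. Returns the cleared MACs."""
        cleared = []
        for mac, session in list(self.sessions.items()):
            session.idle_seconds += seconds
            if (self.inactivity_timeout is not None
                    and session.idle_seconds >= self.inactivity_timeout):
                del self.sessions[mac]
                cleared.append(mac)
        return cleared

    def cdp_second_port(self, status: Optional[str]) -> List[str]:
        """Solution 3: the phone's CDP 'Second Port Status' reports its PC-facing link;
        'Down' clears every data-domain session on the port at once."""
        if status is None or status.lower() != "down":
            return []
        cleared = [mac for mac, s in self.sessions.items() if s.domain == "data"]
        for mac in cleared:
            del self.sessions[mac]
        return cleared


SECOND_PORT_RE = re.compile(r"Second Port Status:\s*(\S+)")


def parse_second_port_status(cdp_detail: str) -> Optional[str]:
    """Return the 'Second Port Status' value from 'show cdp neighbors <if> detail' text."""
    match = SECOND_PORT_RE.search(cdp_detail)
    return match.group(1) if match else None


# Constructed sample built from the output shown on slide 41.
CDP_SAMPLE = """Device ID: SEP0015C696E22C
Entry address(es):
  IP address: 10.1.200.10
Platform: Cisco IP Phone 7971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1,  Port ID (outgoing port): Port 1
Holdtime : 168 sec
Second Port Status: Down
"""
```

Walking the slide 38 scenario through a `Port(host_mode="multi-domain")` shows both failure modes: admitting 6677.8899.AABB while 0011.2233.4455's data session is still present raises `SecurityViolation`, and `frame_from("0011.2233.4455")` keeps returning "authorized" until something clears the session. `proxy_eapol_logoff` only helps when the stale session was dot1x, `tick` leaves the port open for up to the configured timeout, and `cdp_second_port(parse_second_port_status(...))` clears the data session as soon as the phone reports its second port down, which is why slide 41 calls it the fix for the root cause.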

Page 43: Authentication Flowchart (flowchart image only; the slide carries no text)