Catalyst 4500/4900 Bootcamp
Chapter 4: Identity
March 2009
Laleh Masnavi
Technical Marketing Engineer
Campus Switching Solutions Technology Group
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential. 4500 Bootcamp
Agenda
• Identity — Introduction
• Authentication Mechanisms — Overview
  IEEE 802.1X
  MAC Authentication Bypass (MAB)
  Webauth
• Flexible Roll Out
  Flexible Authentication
  Open Mode Access
• IP Telephony Integration
  IPT & 802.1X Challenges
  Multi-Domain Authentication (MDA)
  Proxy EAPoL Log-off
  Inactivity Timer
  CDP 2nd Port Notification
Identity Based Networking Services (IBNS)
IBNS consists of a bundle of Identity features which make IEEE 802.1X easier for customers to deploy.
(Figure: Catalyst 4500/4900 Series Security with 802.1X, MAB and WebAuth; end point discovery; wired and wireless supplicants; central policy server.)
End to end system available from Cisco.
Changing Business Environment Drives Network Access Control Demands
(Figure: Enterprise Network with Corporate LAN, Wireless LAN, Data Center, DMZ and a Remote Site over the EWAN and the Public Internet; access is requested by Employees, Consultants, Subcontractors, Business Partners and Unknown or Guest users.)
Basic IBNS Deployment Scenarios
IBNS on the Catalyst 4500 series offers a complete authentication solution for customers wanting to better secure access to their network.
• Secure Access for Voice Devices
• Uni-Directional Control: port to initiate system backups
• Guest VLAN: access for transient workers
• Web Auth Proxy: access for clients with HTTP access
• MAC Auth Bypass: for clients with no 802.1X support
• Inaccessible Auth Bypass: when access to the AAA server is down
Advanced Considerations for IBNS Deployment
Identity Feature Set
• 802.1X with Multi-host
• 802.1X with Multi-auth
• Guest VLAN
• Wake On LAN (WoL)
• 802.1X with Voice VLAN ID
• PXE boot
• Multi Domain Auth (MDA)
• Flexible Authentication
• Mac Auth Bypass (MAB)
• Webauth
Policy Enforcement
• VLAN assignment
• PVLAN assignment
• QoS policy
• ACL assignment
• URL redirect
• Guest VLAN
• Auth-Fail VLAN
AAA
• Inaccessible Auth Bypass
• Accounting
• Radius supplied timers
• Downloadable ACLs
• DNS resolution for RADIUS server
Infrastructure Integration
• 802.1X with Port Security
• 802.1X with DAI
• 802.1X with IP Source Guard
• 802.1X with DHCP Relay
IEEE 802.1X
• The foundation of identity based network services
• A link-layer protocol (EAP over LAN, EAPOL) that carries the Extensible Authentication Protocol, so higher-level authentication methods can run before the host has any IP connectivity
• Works between the supplicant (client) and the authenticator (Catalyst 4500 switch); the authenticator maintains backend communication to an authentication (RADIUS) server
Host (Supplicant) --- 802.1X --- Switch (Authenticator) --- RADIUS --- Cisco Secure ACS (Authentication Server)
IEEE 802.1X
Until the client is authenticated, 802.1X access control only allows Extensible Authentication Protocol over LAN (EAPOL) traffic from the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Host --- EAP traffic --- Switch --- RADIUS --- Cisco Secure ACS (Authentication Server); before authentication, normal traffic from the host goes to the drop bucket.
IEEE 802.1X — EAP Message Exchange
Supplicant <-> Authenticator           Authenticator <-> Authentication Server
EAPOL Start
EAPOL Request Identity
EAPOL Response Identity                RADIUS Access-Request
EAP Request (One Time PWD)             RADIUS Access-Challenge
EAPOL Response (OTP)                   RADIUS Access-Request
EAP Success                            RADIUS Access-Accept
Port Authorized
EAPOL Logoff
Port Unauthorized
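The exchange above, encoded as real EAPOL/EAP frames and replayed end to end, as an added example (not code from the original deck or from Cisco). It builds each frame the way it appears on the wire (Ethernet header to the PAE group address, EAPOL header, EAP header), parses it at the receiving end, and tracks the controlled-port state; the MAC addresses, the user `alice` and her one-time password are made-up values, and `radius()` stands in for the Access-Request/Access-Accept round trips rather than speaking RADIUS.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # EAPOL group PAE address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_OTP = 1, 5              # EAP method types used on the slide

# Hypothetical MAC addresses for the two ends of the link (not from the slide).
SUPPLICANT_MAC = bytes.fromhex("0013468e4453")
SWITCH_MAC = bytes.fromhex("001b2a000001")
EAP_NAMES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
             EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header is Code(1) Identifier(1) Length(2); Request/Response carry Type(1) + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src_mac, packet_type, body=b""):
    """Ethernet header to the PAE group address, then EAPOL Version(1) Type(1) Length(2) Body."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    """Return (src_mac, eapol_type, eap); eap is a dict for EAP-Packet frames, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    src = frame[6:12]
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if ptype != EAPOL_EAP:
        return src, ptype, None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body):
        raise ValueError("EAP length does not match EAPOL body")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"], eap["data"] = body[4], body[5:eap_len]
    return src, ptype, eap


def describe(frame):
    """Human-readable label derived from the parsed frame, e.g. 'EAP-Response/Identity'."""
    _src, ptype, eap = parse_eapol(frame)
    if ptype == EAPOL_START:
        return "EAPOL-Start"
    if ptype == EAPOL_LOGOFF:
        return "EAPOL-Logoff"
    label = "EAP-" + EAP_NAMES[eap["code"]]
    if "type" in eap:
        label += "/Identity" if eap["type"] == EAP_TYPE_IDENTITY else "/OTP"
    return label


def exchange(identity, otp, radius_accepts, logoff=False):
    """Replay the slide's flow. radius_accepts(identity, otp) stands in for the
    Access-Request/Access-Accept round trips. Returns (trace, port_authorized)."""
    trace = []

    def send(frame):
        trace.append(describe(frame))     # the receiver parses what was put on the wire
        return frame

    send(eapol_frame(SUPPLICANT_MAC, EAPOL_START))
    send(eapol_frame(SWITCH_MAC, EAPOL_EAP, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    f = send(eapol_frame(SUPPLICANT_MAC, EAPOL_EAP,
                         eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)))
    user = parse_eapol(f)[2]["data"]      # relayed to RADIUS in an Access-Request
    send(eapol_frame(SWITCH_MAC, EAPOL_EAP, eap_packet(EAP_REQUEST, 2, EAP_TYPE_OTP)))
    f = send(eapol_frame(SUPPLICANT_MAC, EAPOL_EAP, eap_packet(EAP_RESPONSE, 2, EAP_TYPE_OTP, otp)))
    answer = parse_eapol(f)[2]["data"]    # second Access-Request; Accept or Reject decides
    authorized = radius_accepts(user, answer)
    send(eapol_frame(SWITCH_MAC, EAPOL_EAP,
                     eap_packet(EAP_SUCCESS if authorized else EAP_FAILURE, 2)))
    if authorized and logoff:
        send(eapol_frame(SUPPLICANT_MAC, EAPOL_LOGOFF))
        authorized = False                # controlled port returns to unauthorized
    return trace, authorized


# Constructed stand-in for the RADIUS server's user store (not real credentials).
USERS = {b"alice": b"483921"}


def radius(identity, otp):
    return USERS.get(identity) == otp


if __name__ == "__main__":
    print(exchange(b"alice", b"483921", radius, logoff=True))
```

Only the identity and OTP round trips are modelled; a real deployment would run a tunnelled method such as PEAP or EAP-TLS inside the same EAPOL framing, and the authenticator never inspects the method data, it only relays it to RADIUS.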
MAC Authentication Bypass (MAB)
Devices that cannot authenticate themselves using 802.1X but require network access can use MAB to be authorized on an 802.1X-enabled port.
• MAB uses the connecting device's MAC address to grant or deny network access.
• Used on ports where devices do not have 802.1X supplicant functionality, such as printers and fax machines.
• A set of three EAPOL frames is sent before the port transitions from the 802.1X authentication method to MAB.
• Caveat: a MAC address is not a secret. MAB identifies a device rather than proving its identity, and any host can present an authorized MAC, so MAB-authorized devices should get restrictive VLAN/ACL policy from the server.
Non-supplicant --- MAB authorized link --- Switch --- Cisco Secure ACS (Authentication Server)
MAC Authentication Bypass (MAB)
The MAC addresses of the connected devices are pre-configured in ACS (User Setup) by the network administrator.
Non-supplicant --- MAB authorized link --- Switch --- Cisco Secure ACS (Authentication Server)
IEEE 802.1X and MAB
802.1X
• port-based feature
• Three entities: client (supplicant), authenticator (switch), authentication server (ACS)
• The PC sends its credentials to the Authenticator, which relays the information to the Auth Server
MAB
• can be enabled if 802.1X is configured on a port
• MAB is enabled on the Authenticator; the non-supplicant's MAC address is the credential relayed to the Auth Server
ACS Database: User: 0013.468e.4453 (Supplicant), User: 0011.2582.52bd (Non-supplicant, MAB authorized link)
MAB — Sample Configuration
C4500-E(config)# aaa new-model
C4500-E(config)# aaa authentication dot1x default group radius
C4500-E(config)# aaa accounting dot1x default start-stop group radius
C4500-E(config)# aaa session-id common
C4500-E(config)# dot1x system-auth-control
C4500-E(config)# dot1x critical eapol
C4500-E(config)# ip radius source-interface Vlan81
C4500-E(config)# radius-server host 10.5.5.18 auth-port 1645 acct-port 1646 key key
C4500-E(config-if)# authentication host-mode multi-host
C4500-E(config-if)# authentication port-control auto
C4500-E(config-if)# authentication periodic
C4500-E(config-if)# authentication timer reauthenticate 10
C4500-E(config-if)# mab
C4500-E(config-if)# dot1x pae authenticator
C4500-E(config-if)# dot1x timeout tx-period 2
C4500-E(config-if)# spanning-tree portfast
Note: in multi-host mode only the first MAC on the port is authenticated; once it is authorized, every other MAC seen on the port is allowed without authentication. Use multi-auth or MDA (later in this chapter) where per-device enforcement matters. The RADIUS shared secret "key" above is a placeholder.
MAB — debug dot1x event
4d01h: dot1x-ev:dot1x_mgr_if_state_change: GigabitEthernet3/23 has changed to UP
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address          <- 1
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address          <- 2
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address          <- 3
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:Received an EAP Timeout on GigabitEthernet3/23 for mac 0000.0000.0000
...
4d01h: dot1x-ev:dot1x_switch_addr_add: Added MAC 0011.2582.52bd to vlan 100 on interface GigabitEthernet3/23
4d01h: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Gi3/23
4d01h: dot1x-ev:Received successful Authz complete for 0011.2582.52bd
One set of EAPOLs (1, 2, 3) is sent before transitioning to MAB; a set consists of 3 EAP Request-Identity frames, tx-period (here 2 s) apart. The last lines show that the device has been authorized via MAB.
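The timing behind the three EAPOLs, with a check against a debug trace, as an added example (not part of the deck): the authenticator sends the initial EAP Request-Identity plus `max-reauth-req` retransmissions (default 2) before it declares an EAP timeout, so a non-supplicant waits `(max-reauth-req + 1) * tx-period` seconds for MAB to start. The debug lines below are constructed after the slide's output, not captured from a switch; the parser counts the Request-Identity frames per interface so the observed count can be compared with the configured values.

```python
import re

# Constructed `debug dot1x event` excerpt modelled on the slide (not a live capture).
DEBUG_SAMPLE = """\
4d01h: dot1x-ev:dot1x_mgr_if_state_change: GigabitEthernet3/23 has changed to UP
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:GigabitEthernet3/23:Sending EAPOL packet to group PAE address
4d01h: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on GigabitEthernet3/23
4d01h: dot1x-ev:Received an EAP Timeout on GigabitEthernet3/23 for mac 0000.0000.0000
4d01h: dot1x-ev:dot1x_switch_addr_add: Added MAC 0011.2582.52bd to vlan 100 on interface GigabitEthernet3/23
4d01h: dot1x-ev:Received successful Authz complete for 0011.2582.52bd
"""

SEND_RE = re.compile(r"dot1x-ev:([^:\s]+):Sending EAPOL packet to group PAE address")
TIMEOUT_RE = re.compile(r"Received an EAP Timeout on (\S+) for mac")
ADD_RE = re.compile(r"Added MAC (\S+) to vlan (\d+) on interface (\S+)")
AUTHZ_RE = re.compile(r"Received successful Authz complete for (\S+)")


def request_identity_count(max_reauth_req):
    """Frames the authenticator sends before giving up on 802.1X: the initial
    EAP Request-Identity plus max-reauth-req retransmissions."""
    return max_reauth_req + 1


def mab_fallback_delay(tx_period, max_reauth_req):
    """Seconds a non-supplicant waits before MAB starts (tx-period between frames)."""
    return request_identity_count(max_reauth_req) * tx_period


def _new_port():
    return {"eapol_sent": 0, "eap_timeout": False, "vlan": None, "authorized": None}


def parse_mab_fallback(debug_text):
    """Per interface: Request-Identity frames sent before the EAP timeout, the VLAN
    the MAC was added to, and the MAC finally authorized (None if none)."""
    ports, mac_to_port = {}, {}
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            port = ports.setdefault(m.group(1), _new_port())
            if not port["eap_timeout"]:
                port["eapol_sent"] += 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            ports.setdefault(m.group(1), _new_port())["eap_timeout"] = True
            continue
        m = ADD_RE.search(line)
        if m:
            mac, vlan, iface = m.groups()
            ports.setdefault(iface, _new_port())["vlan"] = int(vlan)
            mac_to_port[mac] = iface
            continue
        m = AUTHZ_RE.search(line)
        if m and m.group(1) in mac_to_port:
            ports[mac_to_port[m.group(1)]]["authorized"] = m.group(1)
    return ports


def fallback_matches_config(ports, iface, max_reauth_req):
    """Check: the trace shows exactly max-reauth-req + 1 Request-Identity frames
    and an EAP timeout before a MAC was authorized on the port."""
    p = ports.get(iface, _new_port())
    return (p["eap_timeout"] and p["eapol_sent"] == request_identity_count(max_reauth_req)
            and p["authorized"] is not None)


if __name__ == "__main__":
    ports = parse_mab_fallback(DEBUG_SAMPLE)
    print(ports, mab_fallback_delay(2, 2), fallback_matches_config(ports, "GigabitEthernet3/23", 2))
```

With IOS defaults (tx-period 30, max-reauth-req 2) a printer waits 90 seconds before MAB runs, which is why the slide's configuration lowers tx-period to 2; lowering it too far on ports that do carry supplicants makes slow clients miss the first Request-Identity and fall into MAB instead.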
IEEE 802.1X and MAB Port Authorization
The show dot1x interface <mod/port> details command displays the administrative and operational status for the interface. As shown below, the port has been authorized using two different authentication methods:
C4500-E# show dot1x int gig 3/23 detail
Dot1x Info for GigabitEthernet3/23
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 10 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0013.468e.4453
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0011.2582.52bd
Auth SM State = AUTHENTICATED
Auth BEND SM Stat = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server
Vlan Policy = N/A
Web-based Authentication (Webauth)
Non-supplicant and unmanaged devices can authenticate via a standalone webauth method.
The authenticator intercepts the ingress HTTP packet from the host and sends an HTML login page. The user keys in the credentials; the HTTP response is parsed and the user credentials are validated against the RADIUS server.
The internal HTTP server of the switch hosts four HTML pages for delivery to the end user, notifying the user of four different states of the authentication process: Login, Success, Fail, and Expire.
Note: with plain HTTP the credentials cross the access link in clear text; enable the switch's HTTPS server (ip http secure-server) so the login page is served over TLS.
Non-supplicant --- HTTP --- Authenticator (Switch) --- RADIUS --- Cisco Secure ACS (Authentication Server)
Customizable Webauth
The four default internal HTML pages can be substituted with custom HTML pages, or the user can be redirected to a URL upon a successful authentication, replacing the internal Success page.
Non-supplicant --- HTTP --- Authenticator (Switch) --- RADIUS --- Cisco Secure ACS (Authentication Server)
Customizable Webauth
Sample custom HTML pages and configs:
C4500-E(config)# ip admission proxy http login page file bootflash:custpage.htm
C4500-E(config)# ip admission proxy http success page file bootflash:custsucc.htm
C4500-E(config)# ip admission proxy http fail page file bootflash:custfail.htm
C4500-E(config)# ip admission proxy http login expired page file bootflash:custexpr.htm
Flexible Authentication
(Figure: host types Employee, Partner, Faculty, SubContractor, Guest User and Host Asset arriving as an 802.1X client, a valid MAC address or an unknown MAC. Sequence: 802.1X (EAP) → if 802.1X times out or fails, MAB (valid MAC → Access-Accept) → if the MAC is unknown, Webauth (URL redirect, web login on port 80).)
interface GigabitEthernet3/41
 authentication host-mode multi-domain
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication violation restrict
 authentication fallback WEB-AUTH
 mab
Benefit: Greater flexibility & deterministic behavior
• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, URL
• Support single-host and multi-auth scenarios
Flexible Authentication
(Figure: 802.1X host. EAP credentials are sent and validated; the port is authorized for the 802.1X client.)
The order and priority of the authentication methods can be configured.
Order specifies the fallback order of authentication methods. Default order: dot1x, mab, webauth.
Priority specifies the relative priority of authentication methods. Default priority: dot1x, mab, webauth. Priority decides whose result wins when more than one method can run for the same host: a higher-priority method (for example 802.1X, when a supplicant starts EAPoL later) can take over a session already authorized by a lower-priority method (for example MAB).
Benefit: Greater flexibility & deterministic behavior
Flexible Authentication
(Figure: non-802.1X host. 802.1X times out or fails; the host's MAC address is checked by MAB. A known MAC receives Access-Accept and the port is authorized via MAB.)
On a port in Multi-auth mode, either or both of MAB and Webauth can be configured as fallback authentication methods for non-802.1X hosts.
Benefit: Greater flexibility & deterministic behavior
Default Fallback Sequence: 802.1X → MAB → Webauth
ip device tracking probe interval 300
ip device tracking
ip auth-proxy absolute-timer 1000
ip admission absolute-timer 1000
ip admission name web-auth proxy http inactivity-time 1000
!
dot1x system-auth-control
!
fallback profile webauth-fallback
 ip access-group FOO in
 ip admission web-auth
!
interface g 1/12
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab webauth
 authentication port-control auto
 authentication fallback webauth-fallback
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 15
 spanning-tree portfast
!
ip access-list extended FOO
 permit icmp any any
 deny ip any any

Syslog for a host without a supplicant and with an unknown MAC (the full fallback chain):
*Nov 20 09:51:31.171: %DOT1X-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-5-START: Starting 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %MAB-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-5-START: Starting 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
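The %AUTHMGR-7-RESULT messages are enough to reconstruct, per client, which methods ran and which one finally authorized it, which is the check an operator wants when rolling flexible authentication out: who ended up on webauth (guest-style access on what should be an employee port) and who exhausted every method. The following is an added example, not part of the deck; the syslog lines are constructed after the slide's messages (the client on Gi1/14 is invented to show a host that fails all three methods), and the message formats are assumed to match the ones shown above.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt modelled on the slide's messages (not a live capture);
# the client on Gi1/14 is added to show a host that exhausts every method.
SYSLOG_SAMPLE = """\
*Nov 20 09:51:31.171: %DOT1X-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:31.171: %AUTHMGR-5-START: Starting 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %MAB-5-FAIL: Authentication failed for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-5-START: Starting 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:51:33.215: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (0019.bb2f.1c9e) on Interface Gi1/12
*Nov 20 09:52:10.004: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0013.7f16.36f0) on Interface Gi1/12
*Nov 20 09:53:02.880: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 09:53:02.880: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 09:53:02.880: %AUTHMGR-5-START: Starting 'mab' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 09:53:04.900: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 09:53:04.900: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 09:53:04.900: %AUTHMGR-5-START: Starting 'webauth' for client (0021.5c11.22aa) on Interface Gi1/14
*Nov 20 10:10:04.900: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'webauth' for client (0021.5c11.22aa) on Interface Gi1/14
"""

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '([^']+)' from '(\w+)' "
    r"for client \(([0-9a-f.]+)\) on Interface (\S+)")


def method_chains(syslog_text):
    """Per (interface, MAC): the (method, result) pairs in the order AUTHMGR reported them."""
    chains = defaultdict(list)
    for line in syslog_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            result, method, mac, iface = m.groups()
            chains[(iface, mac)].append((method, result))
    return dict(chains)


def classify(chain):
    """Which method finally authorized the client, and every method that ran."""
    tried = [method for method, _ in chain]
    for method, result in chain:
        if result == "success":
            return {"outcome": "authorized", "method": method, "tried": tried}
    return {"outcome": "unauthorized", "method": None, "tried": tried}


def review(syslog_text):
    """Findings worth a look: hosts that fell back to a weaker method, and hosts
    that ran out of methods (they sit on the port unauthorized with no access)."""
    findings = []
    for (iface, mac), chain in method_chains(syslog_text).items():
        c = classify(chain)
        if c["outcome"] == "unauthorized":
            findings.append((iface, mac, "no method succeeded: " + ",".join(c["tried"])))
        elif c["method"] != "dot1x":
            findings.append((iface, mac, "authorized by fallback method " + c["method"]))
    return findings


if __name__ == "__main__":
    for finding in review(SYSLOG_SAMPLE):
        print(finding)
```

The RESULT messages are level 7 (debugging), so the switch must be logging at that level for them to reach a collector; the %DOT1X-5-FAIL and %MAB-5-FAIL messages are available at the default level but do not say which method came next.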
Displaying the Host Authentication Status
Switch# show ip admission cache
Displays the authentication entry for the client PC:
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 0
Client IP 10.100.1.21 Port 1382, timeout 1000, state ESTAB
Verifying Auth Session for an Interface
Switch# show authentication sessions int g1/12
  Interface: GigabitEthernet1/12
  MAC Address: 0019.bb2f.1c9e
  IP Address: 10.100.1.21
  Status: Authz Success
  Domain: DATA
  Oper host mode: multi-auth
  Oper control dir: both
  Authorized By: Authentication Server
  Vlan Policy: N/A
  Session timeout: N/A
  Idle timeout: N/A
  Common Session ID: 0A6401320000000F005E0D58
  Acct Session ID: 0x00000018
  Handle: 0x8D00000F
  Runnable methods list:
    Method   State
    dot1x    Failed over
    mab      Failed over
    webauth  Authc Success
----------------------------------------
  Interface: GigabitEthernet1/12
  MAC Address: 0013.7f16.36f0
  IP Address: 10.10.1.11
  User-Name: CP-7970G-SEP00137F1636F0
  Status: Authz Success
  Domain: VOICE
  Oper host mode: multi-auth
  Oper control dir: both
  Authorized By: Authentication Server
  Session timeout: N/A
  Idle timeout: N/A
  Common Session ID: 0A6401320000000E00594F00
  Acct Session ID: 0x00000017
  Handle: 0x5E00000E
  Runnable methods list:
    Method   State
    dot1x    Authc Success
    mab      Not run
    webauth  Not run
Output when both the PC and the phone are authenticated.
IEEE 802.1X Default Security Behavior
Default 802.1X challenge: devices without supplicants can't send EAPoL, and no EAPoL means no access.
One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).
interface fastEthernet 3/48
 authentication port-control auto
802.1X/MAB — Open Mode
Open Mode (No Restrictions)
802.1X & MAB enabled, Open Mode enabled
• All traffic in addition to EAP is ALLOWED
RADIUS accounting logs provide visibility:
• Passed/Failed 802.1X/EAP attempts: list of valid dot1x-capable hosts, list of non-dot1x-capable hosts
• Passed/Failed MAB attempts: list of valid MACs, list of invalid or unknown MACs
Low Impact Access Control — With Open Mode and ACLs
Selectively Open Access
Open Mode (Pinhole)
• On specific TCP/UDP ports
• Restrict to specific addresses
• EAP is always allowed (uncontrolled port)
Pinhole explicit TCP/UDP ports to allow desired access (DHCP, DNS, PXE/TFTP) before authentication.
Block general access until successful 802.1X, MAB or WebAuth.
Open Mode on 802.1X Port — With Downloadable ACLs
(Topology: End points (IP 10.100.60.200) --- Catalyst 4500 802.1X* Ethernet port --- wired Ethernet --- DHCP/DNS server 10.100.10.116, PXE server 10.100.10.117, ACS/AAA. Before authentication only EAP, DHCP, DNS and PXE pass; after authentication the host's traffic to ANY passes.)
* Works on Flex-Auth & MDA enabled ports
Sample Open Mode Configs
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group UNAUTH in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
!
ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp

(Before Authentication)
C4500-E# show tcam interface g1/13 acl in ip
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any

(After Authentication, with the downloadable per-user ACL applied ahead of the port ACL)
C4500-E# show tcam interface g1/13 acl in ip
permit ip host 10.100.60.200 any
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
Slide Source: Ken Hook
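What the TCAM output above means for actual packets, as an added example (not code from the deck): a small evaluator for the extended-ACL subset the slide uses, run against the UNAUTH port ACL alone and with the per-user downloadable ACL in front of it. The dACL text `permit ip host 10.100.60.200 any` is constructed from the post-authentication TCAM line; the flows are made up. Evaluation is first match with the implicit `deny ip any any` at the end, which is what the TCAM listing shows.

```python
import ipaddress

# Pre-authentication port ACL from the slide.
UNAUTH_ACL = """\
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
"""
# Constructed downloadable ACL for the end point 10.100.60.200; the AAA server
# returns it on Access-Accept and the switch places it ahead of the port ACL.
USER_DACL = "permit ip host 10.100.60.200 any\n"

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text):
    """Parse the extended-ACL subset used on the slide: permit/deny, protocol,
    'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', optional 'eq <port>' and 'established'."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        rest = toks[2:]

        def take_addr():
            nonlocal rest
            if rest[0] == "any":
                rest = rest[1:]
                return ANY
            if rest[0] == "host":
                net = ipaddress.ip_network(rest[1])
                rest = rest[2:]
                return net
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)  # IOS wildcard mask
            rest = rest[2:]
            return net

        def take_port():
            nonlocal rest
            if rest and rest[0] == "eq":
                port = _port(rest[1])
                rest = rest[2:]
                return port
            return None

        rule = {"action": toks[0], "proto": toks[1]}
        rule["src"], rule["sport"] = take_addr(), take_port()
        rule["dst"], rule["dport"] = take_addr(), take_port()
        rule["established"] = "established" in rest
        rules.append(rule)
    return rules


def evaluate(rules, flow):
    """First-match evaluation with the implicit 'deny ip any any' at the end.
    flow: dict(proto, src, dst, sport, dport, established)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != flow["proto"]:
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != flow.get("sport"):
            continue
        if r["dport"] is not None and r["dport"] != flow.get("dport"):
            continue
        if r["established"] and not flow.get("established", False):
            continue
        return r["action"]
    return "deny"


def port_acl(authenticated):
    """Effective ingress ACL on the open-mode port: the per-user dACL sits in
    front of the static UNAUTH entries once the host is authorized."""
    return parse_acl((USER_DACL if authenticated else "") + UNAUTH_ACL)


def udp(src, dst, dport):
    return {"proto": "udp", "src": src, "dst": dst, "sport": 40000, "dport": dport}


def tcp(src, dst, dport, established=False):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": 40001, "dport": dport,
            "established": established}


if __name__ == "__main__":
    for authed in (False, True):
        print(authed, evaluate(port_acl(authed), tcp("10.100.60.200", "10.100.50.5", 80)))
```

Two things the evaluator makes visible: `established` only matches TCP segments with ACK or RST set, so it lets replies to outbound connections back in but does not let the host open new ones, and the dACL is keyed on the host's IP, so a second address on the same port (a second MAC in multi-auth mode that has not authenticated) is still held to the pinholes.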
Default Security: Single MAC Filtering
Multiple MACs on a port are not allowed, to ensure the validity of the authenticated session.
• Hubs, VMware, phones, gratuitous ARP... trigger security violations
• Applies in Open and Closed mode: security violations defeat the "no impact" goal of monitor mode.
interface fastEthernet 3/48
 authentication port-control auto
Modifying Single-MAC Requirement
Multiple MACs on a port: MAC-based enforcement for each device, via 802.1X or MAB.
interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
Use with caution!
IPT & 802.1X: Fundamental Challenges
1) One device per port. "The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." (IEEE 802.1X rev 2004)
   Two devices per port (phone and PC) → security violation.
2) The 802.1X state machine depends on link state, and the PC's link state behind the phone is unknown to the switch.
IPT breaks the point-to-point model.
Multi-Domain Authentication (MDA) — Solving the two-devices-per-port problem
IEEE 802.1X: single device per port. MDA: single device per domain per port, two domains per port.
• The phone authenticates in the Voice Domain and tags its traffic in the VVID (802.1q)
• The PC authenticates in the Data Domain; its untagged traffic is in the PVID
• MDA replaces CDP Bypass
• Supports Cisco & 3rd party phones
• Phones and PCs use 802.1X or MAB
MDA for Cisco IP Phones using MAB
No supplicant on the phone.
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
1) Phone learns the VVID from CDP
2) 802.1X (EAP) times out
3) Switch learns the phone's MAC and initiates MAB (Access-Request: phone MAC)
4) ACS returns Access-Accept with the Phone VSA (cisco-av-pair device-traffic-class=voice), which places the phone in the voice domain
5) Phone traffic is allowed on either VLAN until it sends a tagged packet, then only on the voice VLAN
6) (Asynchronously) the PC authenticates using 802.1X or MAB (EAP). Authenticated PC traffic is allowed on the data VLAN only
The Link State Issue
interface GigE 1/0/5
 authentication host-mode multi-domain
Port authorized for 0011.2233.4455 (PC-A) only.
1) Legitimate users cause a security violation: PC-A is replaced by PC-B (S: 6677.8899.AABB) behind the phone. The switch never saw the link go down, so PC-B's frames are a second MAC in the data domain.
2) Hackers can spoof the MAC to gain access without authenticating: a device sending S: 0011.2233.4455 behind the phone inherits PC-A's authorized session (security hole).
Solution 1: Proxy EAPoL-Logoff
PC-A (SSC supplicant) behind the phone: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
PC-A unplugs: the phone sends an EAPoL-Logoff on PC-A's behalf. Domain = DATA, Port Status = UNAUTHORIZED. Session cleared immediately by proxy EAPoL-Logoff.
PC-B plugs in: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
Caveats: Only for 802.1X devices behind the phone.
Requires: Logoff-capable phones.
Solution 2: Inactivity Timeout Option
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity [300 | server]
 mab
Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
Device unplugs: the session stays AUTHORIZED, vulnerable to a security violation and/or hole until the timer runs out.
Inactivity timer expires: Domain = DATA, Port Status = UNAUTHORIZED. Session cleared, vulnerability closed.
Caveats: Quiet devices may have to re-auth; network access is denied until re-auth completes. Still a window of vulnerability.
Solution 3: CDP 2nd Port Notification
Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
id-4503#sho cdp neigh g2/1 detail
-------------------------
Device ID: SEP0015C696E22C
Entry address(es):
  IP address: 10.1.200.10
Platform: Cisco IP Phone 7971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1, Port ID (outgoing port): Port 1
Holdtime : 168 sec
Second Port Status: Down
Device A unplugs: CDP link down. The phone sends a link-down TLV to the switch; Port Status = UNAUTHORIZED. Session cleared immediately.
Device B plugs in: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
• The link status message addresses the root cause
• Works for MAB, 802.1X, and Web-Auth
• Nothing to configure
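The three solutions compared on one model of the data-domain session behind a phone, as an added example (not code from the deck): PC-A authorizes, goes quiet and unplugs while the switch's own link to the phone stays up; then a device presenting PC-A's MAC and a genuinely new PC-B try to talk. The timeline (seconds) and the mechanism names are made up for the model; the MAC addresses are the slide's. It shows the hole the "Link State Issue" slide describes, that proxy EAPoL-Logoff only helps when the PC used 802.1X, that the inactivity timer leaves a window that is refreshed by any traffic carrying the authorized MAC, and that the CDP second-port notification clears the session at once regardless of method.

```python
PC_A = "0011.2233.4455"   # MAC addresses from the slides
PC_B = "6677.8899.aabb"


class DataDomainPort:
    """Data-domain session on an MDA port behind an IP phone (constructed model).
    The switch's physical link stays up when the PC unplugs, so only the phone's
    signalling (proxy EAPoL-Logoff or the CDP second-port TLV) or an inactivity
    timer can end the PC's session."""

    def __init__(self, mechanism=None, inactivity_timer=300):
        # mechanism: None | "proxy_logoff" | "inactivity" | "cdp_second_port"
        self.mechanism = mechanism
        self.inactivity_timer = inactivity_timer
        self.session = None               # {"mac", "method", "last_seen"}

    def authorize(self, mac, method, now):
        self.session = {"mac": mac, "method": method, "last_seen": now}

    def _expire_if_idle(self, now):
        s = self.session
        if s and self.mechanism == "inactivity" and now - s["last_seen"] >= self.inactivity_timer:
            self.session = None

    def frame(self, src_mac, now):
        """'forward' for the authorized MAC, 'violation' for a second MAC while a
        session exists, 'unauthorized' when the port must authenticate the sender."""
        self._expire_if_idle(now)
        if self.session is None:
            return "unauthorized"
        if src_mac == self.session["mac"]:
            self.session["last_seen"] = now   # any traffic with this MAC, spoofed or not, resets the idle timer
            return "forward"
        return "violation"

    def pc_unplugged(self):
        """The phone's PC port goes down; the switch learns of it only through the phone."""
        if self.session is None:
            return
        if self.mechanism == "proxy_logoff" and self.session["method"] == "dot1x":
            self.session = None           # phone sends EAPoL-Logoff on the PC's behalf
        elif self.mechanism == "cdp_second_port":
            self.session = None           # phone's CDP TLV reports its second port down


def simulate(mechanism, method, inactivity_timer=300):
    """PC-A authorizes at t=0, sends its last frame at t=100 and unplugs from the
    phone. A device with PC-A's MAC sends at t=101, PC-B at t=102, and PC-B again
    once the inactivity timer (measured from the last frame with PC-A's MAC) has run."""
    port = DataDomainPort(mechanism, inactivity_timer)
    port.authorize(PC_A, method, now=0)
    port.frame(PC_A, now=100)
    port.pc_unplugged()
    return {
        "spoofed_mac_at_101": port.frame(PC_A, now=101),
        "new_mac_at_102": port.frame(PC_B, now=102),
        "new_mac_after_timer": port.frame(PC_B, now=101 + inactivity_timer),
    }


if __name__ == "__main__":
    for mech, method in ((None, "mab"), ("proxy_logoff", "dot1x"), ("proxy_logoff", "mab"),
                         ("inactivity", "mab"), ("cdp_second_port", "mab")):
        print(mech, method, simulate(mech, method))
```

"unauthorized" is the desired state after an unplug: the next device has to authenticate. "violation" is the legitimate-user failure from the Link State slide, and "forward" for the spoofed MAC is the security hole.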
Authentication Flowchart
(Figure not reproduced.)