802.1X - The Cisco Learning Network

© 2009, Cisco Systems, Inc. All rights reserved. 

TECSEC-2041.scr 

Identity and Security Group Access 

with 802.1X and TrustSec 

TECSEC-2041 

TECSEC-2041 

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 

Welcome to Las Vegas 

TECSEC-2041 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 

2 

1

Your Speakers 



Craig Hyps 

Technical Marketing Engineer 

chyps@cisco.com 

Kevin Gagnon 

Product Manager 

kegagnon@cisco.com 


3 

Session Abstract 

Mitsunori Sagae 


msagae@cisco.com 

Fay-Ann Lee 


faylee@cisco.com 

Aaron Woland 


aawoland@cisco.com 

This session is a deep dive on 802.1X and the technologies that 

make up Cisco‘s TrustSec solution. This includes the functions of 

access control and the application of policy derived from end-point 

profiling, Security Group Tags (SGTs), Network Device Admission 

Control (NDAC), guest access, change of authorization, and 

MACSec. With these technologies businesses can address many 

existing and emerging network access control issues, such as 

regulatory compliance, virtualization, and guest services. 

A basic knowledge of 802.1X is assumed. 


4 

2

Session Objectives 



At the end of the session, you should understand: 

• How 802.1X and Security Group Access (SGA) works 

• The benefits of deploying 802.1X and SGA 

• How to configure and deploy 802.1X and SGA using Cisco 

switches, Identity Services Engine (ISE) 1.0 and various 

supplicants 

• How to integrate technologies such as IP telephony, guest 

access, PXE, etc 

• The value and application of deployment scenarios 

• Advanced SGA features and some future functionality 

• How to make this work when you get back to your lab 

You should also: 

• Provide us with feedback! 


5 

What We Won‟t Be Covering 

AAA authentication on routers 

IPSec authentication 

In-depth concepts on identity management and single sign-on 

(upper layer identity) 

PKI and X509 certificates 

Kerberos 

LDAP 

Active Directory design 

NAC Framework, NAC Appliance, and NAP 

Wireless Security 

Specific details of the EAP methods 


6 

3

Agenda 

Identity and Security Group 

Access (SGA) 

Overview 

802.1X, EAP, and RADIUS 

User and Machine Authentication 

Non-802.1X Users & Devices 

SGTs/SGACLs 

ACME Case Study – Phase 0 

Existing Environment 

Pre-deployment Considerations 

Phase 1 – Monitor Mode and 

SGA 

Multi-Auth 

Open Access 

Monitoring & Remediation 




7 

How the Demo Will Work 

USER PC: 

Win7 

MAC 

Cisco IP Phone 

SCREEN 1 

AnyConnect 3.0 Network Access Manager 

Phase 2 – Low Impact Mode 

and SGA 

Selectively Open Access 

Flex Auth 

IP Telephony 

Phase 3 – High Security Mode 

and SGA 

Closed Access 

Dynamic VLAN assignment 

Real Customer Case Study 

Data Center 

Server to Server/VDI 

Inter Data Center 

Advanced Features/Look 

Forward 

SCREEN 2 

SERVERS : 

ISE 

Active Directory 

SWITCH Console 


8 

4



For Reference Slides 

There are more slides in the hand-outs than presented during the 

class 

These slides are for reference and are indicated by the book icon on 

the top right corner (as on this slide) 

The demo slides with screen dump outline key points of the demo. 

More details will be found in white papers given as reference. 


9 

Schedule 

In Session: 8:00 am 10:00 am 

Break: 10:00 am 10:15 am 

In Session: 10:15 am 12:00 pm 

Lunch: 12:00 pm 1:00 pm 

In Session: 1:00 pm 2:30 pm 

Break: 2:30 pm 2:45 pm 

In Session: 2:45 pm 5:00 pm 

For Your 

Reference 


10 

5

Housekeeping 



We value your feedback- don't forget to complete your online 

session evaluations after each session & complete the Overall 

Conference Evaluation which will be available online from 

Thursday 

Visit the World of Solutions 

Please remember this is a 'non-smoking' venue! 

Please switch off your mobile phones 

Please make use of the recycling bins provided 

Please remember to wear your badge at all times 


11 

After Today – Consider your 802.1X and 

SGA Deployment 

After this, you will find that SGA: 

• is deployable 

• has new, advanced features to handle many use cases 

Next Steps: 

• Work with your Cisco SE and your Cisco Partners 

• Quantify what you want to achieve with 802.1X and SGA 

Take time to understand and specify: 

• Existing networking environment 

• Supplicants 

• RADIUS servers and backend data base 

• Deployment scenarios where SGA enhances 802.1X 

• Capability of your switching infrastructure 


12 

6

Q & A 

TECSEC-2041 




Identity and Authentication 

Overview 

TECSEC-2041 


7



1 

2 

3 

4 

Why Identity Is Important 

Who are you? 

802.1X (or supplementary method) 

authenticates the user 

Where can you go? 

Based on authentication, user is 

placed in correct VLAN 

What service level to you receive? 

The user can be given per-user 

services (ACLs today, more to come) 

What are you doing? 

The user‘s identity and location can 

be used for tracking and accounting 


15 

What does Identity allow you to do? 

Keep the Outsiders 

Out 

Keep the Insiders 

Honest 

Personalize the 

Network 

Increase Network 

Visibility 

Ensure that only allowed types of user and machine connect to key resources 

Provide guest network access in a controlled and specific manner 

Deliver differentiated network services to meet security policy needs, for examples 

like: 

• Ensure compliance requirements (PCI, etc.) for user authentication are met 

• Facilitate voice/data traffic separation in the campus 

• Ensure that only employees with legitimate devices access classified systems 

• Ensure that contractors/business partners get appropriate access 

Provide user and access device visibility to network security operations 

For Your 

Reference 


16 

8



Access Control Technology Evolution 

Security Group Access (SGA) 

Network-wide Role-Based Access Control 

Topology Independent Access Management 

Trusted domain establishment via Network Device 

Admission Control 

802.1AE based Link Encryption 

Identity-Based Access Control 

Flexible authentication options: 

802.1X, MAB, WebAuth, FlexAuth 

Comprehensive post-admission control options: 

dACL, VLAN assignment, URL redirect, QoS… 

Integration of Profiling / Guest Access Services 

Network Address-based Access Control 

ACL, VACL, PACL, PBACL etc 

Cisco Access Control Solution 

Network Admission Control (NAC) 

Posture validation endpoint policy compliance 


17 

Why Security Group Access is important 

Extends Identity visibility and controls across the network 

Identity information from the access layer can be used across the network or in the Data 

Center 

Builds upon Identity controls deployed in the access layer 

Provide more granular identity-based controls than is possible purely at the access 

layer 

Controls can be enabled selectively to protect specific resources 

Provides very high-scale access control capabilities 


18 

9



Why Security Group Access is important 

Provide powerful segmentation capabilities in the Data Center 

Logical separation of resources across common infrastructure 

Leverages wire-rate enforcement capabilities in Nexus switches 

Provides role-based access controls independently of the network design or 

topology 

Roles could be technology or service, e.g. voice, building services, risk profile or 

business role 

Security Access Policies could be decoupled from IP addresses, subnets, VLANs, WLAN, 

VPN etc. 

New Security Group-based policy model can bring dramatic reductions in Access 

Control management effort 

Allows control of user-to-system communications AND system-to-system (e.g. for server 

segmentation) 

Eliminate ACL rule changes for some system moves/changes 


19 

IEEE 802.1X: The Foundation of Identity 

Supplicant 

(802.1X Client) 

EAP over LAN 

(EAPoL) 

Authenticator 

(e.g. Switch, 

Access Point) 

RADIUS 

IEEE 802.1 working group standard 

Provides port-based access control using authentication 

Enforcement via MAC-based filtering 

and port-state monitoring 

Authentication 

Server 

Defines encapsulation for Extensible 

Authentication Protocol (EAP) over 

IEEE 802 media— ―EAPoL‖ 


20 

R 

A 

D 

I 

U 

S 

10



Default Port State without 802.1X 

No Authentication Required 

No visibility 

No Access Control 

? 

USER 

? 


21 

Default Security with 802.1X 

Before Authentication 

No visibility (yet) 

Strict Access Control 

? 

USER 

? 

ALL traffic except EAPoL is dropped 

One Physical Port ->Two Virtual ports 

Uncontrolled port (EAPoL only) 

Controlled port (everything else) 

interface fastEthernet 3/48 

authentication port control auto 

dot1x pae-authenticator 


22 

11



Default Security with 802.1X 

After Authentication 

User/Device is Known 

Identity-based Access Control 

• Single MAC per port 

? 

Looks the 

same as 

without 

802.1X 

Authenticated User: Sally 

Authenticated Machine: XP-ssales-45 


authentication port-control auto 


Having read your mind Sally, that 

is true, unless you apply an 

authorization, access is wide 

open. We can restrict access via 

dynamic VLAN assignment or 

downloadable ACLs 


23 

Identity and Authentication 

802.1X, EAP, and RADIUS 

TECSEC-2041 


12

A Closer Look at 802.1X 

Supplicant 

AC 



EAP ID-Request 

Authenticator 

Layer 2 Point-to-Point Layer 3 Link 

EAPoL Start 

EAP ID-Response RADIUS Access-Request 

[AVP: EAP-Response: Alice] 

EAP-Request:PEAP 

EAP-Response: PEAP 

EAP Success 

EAPoL Logoff 

Port Unauthorized 

RADIUS Access-Challenge 

[AVP: EAP-Request PEAP] 

Authentication Server 

RADIUS Access-Request 

[AVP: EAP-Response: PEAP] 

RADIUS Access-Accept 

[AVP: EAP Success] 

[AVP: VLAN 10, dACL-nnn] 

Port Authorized 


Multiple 

Challenge- 

Request 

Exchanges 

Possible 


25 

What Does EAP Do? 

Establishes and manages connection 

Allows authentication by encapsulating various types of authentication 

exchanges 

• Actual authentication exchanges are called EAP Methods 

Provides a flexible link layer security framework 

• Can run over any link layer (PPP, 802, etc.) 

Defined by RFC 3748 

Supplicant 

EAP Payload 

EAP Payload 

RADIUS 

802.1X Header 

UDP 

Ethernet Header 

IP Header 

Authenticator 


Server 


26 

R 

A 

D 

I 

U 

S 

13



EAP Authentication Methods 

Challengeresponse-based 

Certificatebased 

Tunneling 

methods 

Other 

• EAP-MD5: uses MD5 based challenge-response for authentication 

• LEAP: username/password authentication 

• EAP-MSCHAPv2: username/password MSCHAPv2 challengeresponse 

authentication 

• EAP-TLS: X.509 v3 PKI certificates and the TLS mechanism for 


• EAP-PEAP: encapsulates other EAP types in an encrypted tunnel 

• EAP-TTLS: encapsulates other EAP types in an encrypted tunnel 

• EAP-FAST: designed to not require client certificates 

• EAP-GTC: generic token and OTP authentication 

• GSS-API : Kerberos 


27 

Tunneling Methods 

Some EAP methods setup an encrypted tunnel and pass 

credentials through the tunnel 

Anonymous outer identity - Provides the ability to completely 

obfuscate the user‘s credentials 

AC / ACS – Yes 

Windows Native / IAS - No 

Some EAP methods require an EAP method inside the tunnel 

(PEAP and FAST) 

Some EAP methods does not require an EAP method inside the 

tunnel (TTLS) – used with legacy RADIUS 


28 

14



EAP Nomenclature and Abbreviations 

What we say What we mean 

TLS EAP-TLS 

MSCHAPv2 EAP-MSCHAPv2 

GTC EAP-GTC 

PEAP-TLS EAP-PEAP with EAP-TLS inside the encrypted tunnel 

PEAP-MSCHAPv2 EAP-PEAP with EAP-MSCHAPv2 inside the encrypted 

tunnel 

PEAP-GTC EAP-PEAP with EAP-GTC inside the encrypted tunnel 

―PEAP‖ In This Techtorial: PEAP-MSCHAPv2 

FAST/MSCHAPv2 EAP-FAST with EAP-MSCHAPv2 inside the encrypted 

tunnel 


29 

EAP Protocols: Feature Support 

EAP-TLS PEAP EAP-FAST 

Single Sign-on Yes Yes Yes 

Login Scripts (Active Directory) Yes Yes Yes 

Password Expiration (AD) N/A Yes Yes 

Client and OS Availability 

AC, XP, Win7 

and Others 

AC, XP, Win7 

and Others 

AC, Win7 and 

Others 

MS DB Support Yes Yes Yes 

LDAP DB Support Yes Yes Yes 

OTP Support No Yes Yes 

Off-line Dictionary Attacks No No No 

Server Certificates Required Yes Yes No 

Client Certificates Required Yes No No 

Computing Impact High Medium Low 


30 

15



Factors that Drive EAP Method 

Use as many methods as needed depending on devices 

Enterprise 

security policy 

Client support 


server support 

Identity store 

• Certificate Authority deployment may drive EAP type 

• Two factor authentication may require EAP-TLS 

• Security vs. Convenience Trade-offs 

• Windows supports EAP-TLS, PEAP w/EAP- 

MSCHAPv2, PEAP w/EAP-TLS 

• 3rd party supplicants support a large variety of EAP 

types, but not all 

• RADIUS servers support a large variety of EAP types, 

but not all 

• PEAP w/EAP-MSCHAPv2 can only be used with 

authentication stores that store passwords in 

MSCHAPv2 format 

• Not every identity store supports all the EAP types 


31 

Identity & Authentication: 

Who (or What) Authenticates? 

TECSEC-2041 


16



Problem Statement 

Who should the network authenticate ? 

A user using a device 

A device 

Both the user and the device 

Device boot process and network connectivity assumption 

Boot without using network resource - Standalone 

Boot from the network – Xterm, NetPC, PXE 

Boot and use network resources – networked 

Network File System 

Managed devices : Connection to LDAP, Active Directory 

Device health check : Patch level checker, Central AV system 


33 

Example: Network Assumption 

Microsoft Windows 

Power On 

Obtain Network Address 

(Static, DHCP) 

Determine Site and DC 

(DNS, LDAP) 

Establish Secure 

Channel to AD 

(LDAP, SMB) 

Kerberos Authentication 

(Machine Account) 

Kernel Loading 

Windows HAL Loading 

Device Driver Loading 

Components that depend on 

network connectivity 

Inherent Assumption of 

Network Connectivity 

GPO based Startup 

Script Execution 

Computer GPOs Loading (Async) 

Certificate Auto Enrollment 

Time Synchronization 

Dynamic DNS Update 

GINA 

Earliest Network 

Connectivity with 

User Auth Only 

User GPOs Loading 

(Async) 

GPO based Logon 

Script Execution (SMB) 

Kerberos Auth 

(User Account) 

Components broken with 

802.1X user authentication only 


34 

17

User authentication ONLY 



Possible when no dependency of the device used regarding network resources 

Can run user script to access network resources post login. 

Be careful, this can break Microsoft group and system policies (next chapter) 

Device authentication ONLY 

Mandatory as soon as exist dependency of Network resources 

Authorization is link to the device; not the user using the device 

Device and User 

Power 

Up 

802.1X Device and User authentication 

Authorization is highly flexible 

Advanced features needed on supplicants 

Synchronization needed with others applications & process on the client PC : DHCP, DNS, NFS, 

etc.. 

Switches contexts when going from one to the other 


35 

Microsoft Windows Example 

User and Device Authentication 

User Authentication 

Power 

Up 

Load 

NDIS 

Drivers 

DHCP 

Setup 

Secure 

Channel 

to DC 

Update 

GPOs 

Apply 

Computer 

GPOs 

Present 

GINA 

* No Connectivity to Domain Controller Until User Logs In 

Machine Authentication 

Power 

Up 

Load 

NDIS 

drivers 


Machine 

Auth 

DHCP 

* 802.1X Early in Boot Process 

User + Machine Authentication 

Load 

NDIS 

Drivers 


Machine 

Auth 

DHCP 

Setup 

Secure 

Channel 

to DC 

Setup 

Secure 

Channel 

to DC 

* Users Can Be Individually Authenticated 

Update 

GPOs 

Update 

GPOs 

Apply Apply 

Computer Compute 

r GPOs 

Apply 

Computer 

GPOs 

Windows 

Domain 

Auth 

Present 

GINA 

Present 

GINA 


User 

Auth 

Windows 

Domain 

Auth 

Windows 

Domain 

Auth 

Network Connectivity 

Point of 802.1X Authorization 


User 

Auth 

DHCP 


36 

18



Configuring Machine and/or User Auth 

Microsoft Windows Example 

Mode is supplicant dependent 

Native MS supplicants pre-Win7 

Controlled by registry keys (SP2) or 

XML (SP3 & Vista) & network 

properties authentication tab 

Can be set by GPO (Wireless only for 

XP, Wired and Wireless for Vista) 

Win7 supplicants 

Cisco AnyConnect 3.0 

Can be configured per profile 

Centrally configured via Admin tool 

Deployed via MSI 


37 

Switch State AFTER Machine Auth 

Switch#show auth sess int g1/13 

Interface: GigabitEthernet1/13 

MAC Address: 0014.5e95.d6cc 

IP Address: 10.1.5.201 

User-Name: host/imac-mcs-11 

Status: Authz Success 

Domain: DATA 

Oper host mode: multi-domain 

Oper control dir: both 

Authorised By: Authentication Server 

Vlan Policy: 550 

Session timeout: N/A 

Idle timeout: N/A 

Common Session ID: 0A640A050000167B812E372C 

Acct Session ID: 0x00001681 

Handle: 0x8B00067C 

Runnable methods list: 

Method State 

dot1x Authc Success 

mab Not run 


38 

19



Switch State AFTER User Auth 

Switch#show auth sessions int g1/13 



IP Address: 10.1.50.201 

User-Name: Administrator 


Domain: DATA 







Common Session ID: 0A640A050000167D81321334 


Handle: 0x5200067E 


Method State 


mab Not Run 


39 

Identity & Authentication: 

802.1X Supplicants 

TECSEC-2041 


20



802.1X Supplicants 

Windows Win7— Yes 

Windows Vista —Yes 

Windows XP—Yes 

Windows 2000—Yes 

Windows Mobile 7 — Yes 

Linux —Yes 

HP-UX —Yes 

Solaris —Yes 

HP printers & switches —Yes 

Apple OS X —Yes 

Apple iOS — Yes 

Android —Yes 

Cisco IP Phone —Yes 

Cisco AP —Yes 

Cisco Switches — Yes 


41 

PC Supplicants Types 

Windows 

Solaris 

IP Phones 

7921 

WLAN APs 

Operating System – MAC OS X, XP Wireless Zero 

Config, Vista Native, Win7 Native 

Hardware Specific – Intel Proset, Lenovo Access 

Connections 

Premium – Cisco AnyConnect 3.0, Juniper Odyssey 

Open Source – 

Xsupplicant (Open 1X) – http://open1x.sourceforge.net/ 

WPA supplicant - http://hostap.epitest.fi/wpa_supplicant/ 

Secure W2 - http://www.securew2.com/ 

HP Jet Direct 

Apple 

Pocket PC 


42 

21

Xsupplicant 

Open Source 

No additional up-front cost 

Username / Password 

Manual Connect 


Server Validation 

Wired & wireless 

PEAP, TTLS, FAST, and MD5 

Application – 

Simple Authentication 

No outside support required 




43 

WPA Supplicant 

Open Source 

Linux, BSD, Mac OS X, and Windows 

No additional up-front cost 


EAP-TLS 

EAP-PEAP/MSCHAPv2-TLS–GTC- 

OTP-MD5 

EAP-TTLS/MD5-GTC-OTP- 

MSCHAPV2-TLS-PAP-CHAP 

EAP-SIM EAP-AKA EAP-PSK EAP- 

FAST EAP-PAX EAP-SAKE EAP- 

IKEv2 EAP-GPSK (experimental) 

LEAP 


44 

22

Secure W2 

Open Source 

Windows suite with Windows 

Mobile 5/6 or Pocket PC 

2003/2005 support and 

2000/XP/Vista 

Support available 


Plug-in in existing Microsoft 

802.1X/EAP(EapHost) 



Support of EAP-TTLS and EAP- 

GTC 


45 

Microsoft Native Supplicant: XP SP2 

Integral to operating system 

nothing to deploy except configuration 

No additional cost, licensed as part of OS 

Same service controls wireless and 

wired 802.1X 

Wireless Zero Config (WZC) 

Integrated machine and user profile 

Registry changes required for 

proper operation of wired 802.1X 

EAP Types – PEAP/MSCHAPv2, 

PEAP/TLS, TLS, MD5 


46 

23



Vista & XP SP3 Native Supplicant 



No additional cost, licensed as part of OS 

Separate services for wireless and wired 



Wired AutoConfig (DOT3SVC) 

Machine & User Authentication 

PEAP-MSCHAPv2,PEAP-TLS, EAP-TLS 

Recommendations 

Use NDIS 6 NIC drivers 

Vista SP1 

Auth Fail Hot-Fix: 


47 

Windows 7 Native 


http://support.microsoft.com/default.aspx?scid=kb;en-us;957931&sd=rss&spid=11712 


No additional cost, licensed as part 

of OS 

Separate services for wireless and 

wired 802.1X 


Wired AutoConfig (DOT3SVC) 


PEAP-MSCHAPv2,PEAP-TLS, 

EAP-TLS 


48 

24

Mac OSX - 10.6 

Wired and wireless support 

Username / Password, 

Certificates, & Tokens 



Machine or User Authentication 

Broad EAP type support 

No up-front licensing cost 

Apple supported 

End-user focused 


49 

Intel Proset 

Driver Intimacy 

Adapter settings 

Radio On / Off 

No additional up-front costs 

Username / Password, Soft 

Certificates, Smartcards, & Tokens 

Broad EAP Type Support 

Wireless Only 

Supported by Intel 

Requires Intel NIC 


50 

25

Odyssey 



Certificates, Smartcards, & 

Tokens 



Up-front licensing cost 

Juniper supported 

Technical user focused 

Applications – 

Enterprise environments 




51 

Cisco AnyConnect 3.0 – Network 

Access Manager (NAM) 


Part of larger VPN/Web Security bundle 


Certificates, Smartcards, & 

Tokens 



Cisco supported 

End-user focused 

Applications – 

Enterprise environments 


52 

26



Identity Services Engine 

TECSEC-2041 


Identity Services Engine (ISE) 

Policy Management for TrustSec 

Integrated Identity, Profiling, Posture & Guest 

802.1X for Identity 

Profiling Directly Integrated 

Posture from NAC Appliance 

Full Secure Guest Lifecycle Management 

For more on ISE: BRKSEC-2041 


54 

27

ISE Capabilities 

Session Directory 

User ID 

Location 

Device (& IP/MAC) 

Access Rights 

Tracks Active Users & Devices 



Policy Extensibility 

Link in Policy Information Points 

Flexible Service 

Deployment 

Admin 

Console 

Distributed PDPs 

Optimize Where Services Run 

Manage Security 

Group Access 

SGT Public Private 

Staff Permit Permit 

Guest Permit Deny 

Keep Existing Logical Design 

System-wide Monitoring 

& Troubleshooting 

Consolidate Data, 3 Click Drill-In 


55 

ISE Architecture 

Logging 

Admin 

View/ 

Configure 

Policies 

All-in-One 

HA Pair 

View Logs/ 

Reports 

Endpoint Enforce 

Resource 

Access 

Request 

Request/ 

Response 

Context 

Monitor 

Policy 


56 

M&T 

Logging 

Logging 

Query 

Attributes 

Resource 

Access 

External 

Data 

28



Configuration of Windows 7 for user and machine authentication 

using PEAP-MSCHAPv2 

Switch & ISE Configurations 

ISE ―View‖ Logs 

DEMO Time 

TECSEC-2041 


Configure Windows 7 for 802.1X 

Machine and User Authentication 

1.Enable 802.1X wired services on the Win7-PC client: 

a.Launch Services. 

b.Open the Wired AutoConfig service from the list: 

c.Change Startup type: to Automatic and click Apply. 

d.Click Start and ensure that Service status = Started. 

e.Click OK and close the Services window. 

2.Enable 802.1X authentication on the Win7-PC client: 

Open the Lab Tools shortcut from the Windows desktop. 

Open the Network Connections shortcut from the Lab Tools window. 

Right-click on the entry for the Local Area Connection and select 

Properties. If prompted by Windows 7 User Account Control (UAC), 

enter the Domain Administrator credentials admin / cisco123. 

Select the Authentication tab at the top of the Properties window. 


58 

29





Verify that 802.1X 

authentication is enabled 

(checked) for Enable 

IEEE802.1X authentication. 

Verify that authentication 

method is set to Microsoft: 

Protected EAP (PEAP) and 

then click Settings to open 

the PEAP Properties page. 


59 



Under Select Authentication 

Method:, click Configure 

and verify that the EAP 

MSCHAPv2 Properties are 

set to enable Automatically 

use my Windows login 

name and password (and 

domain if any). 


60 

30





Click OK twice to close the 

PEAP Properties page and 

then click Additional 

Settings: 


61 



Verify that the Specify 

authentication mode setting 

is enabled (checked) and 

set to User or computer 

authentication. 

Click OK twice to save 

changes and exit the LAN 

Properties page. 


62 

31

SSC AC 

Demo Topology 

VLAN 315 

widget 

SSC 

VLAN 340 

unauth 

VLAN 320 

ACME 



VLAN 350 

critical 

VLAN 321 

voice 

ACME Servers 

VLAN 310 

mgmt 

AD/DHCP 

CA/ DNS 

Windows 2008 

ISE Call Manager 


63 

Demo Topology 

Gig 1/0/1 

3750X 

10.2.2.0/24 

.2 

te1/1/1 

.1 

2/2 

10.2.3.0/24 

SSC AC 

Fa 0/1 

.2 

G0/1 

.1 

1/27 

.2 

2/1 

10.2.1.0/24 

.10 

3/1 

SGT 7 SGT 6 

ACME 

10.3.10.0/24 

ISE Call Manager 


64 

.1 

2/1 

10.1.200.0/24 

.1 

HR 

.1 

3/46 

.20 

1/22 

UCS 

AD/DHCP 

CA/ DNS 

Windows 2008 

32

Demo Topology 

VLAN ID Name Subnet 

310 MGMT 10.3.10.0/24 

315 Widget 10.3.15.0/24 

320 ACME 10.3.20.0/24 

321 VOICE 10.3.21.0/24 

340 UNAUTH 10.3.40.0/24 

350 CRITICAL 10.3.50.0/24 



Domain: demo.local 

AD/DHCP/DNS: 10.3.10.10 

ISE: 10.3.10.20 

ACS: 10.3.10.21 

Call Manager: 10.3.10.40 

ACME Server: 10.1.200.10 

HR Server: 10.1.200.20 


65 

Switch Port Before Config 

interface GigabitEthernet1/0/4 

description Dot1x 

switchport access vlan 2 

switchport mode access 

switchport voice vlan 200 

srr-queue bandwidth share 10 10 60 20 

srr-queue bandwidth shape 10 0 0 0 

queue-set 2 

mls qos trust device cisco-phone 

mls qos trust cos 

auto qos voip cisco-phone 

spanning-tree portfast spanning-tree 

bpduguard enable ip verify source 

ip dhcp snooping limit rate 10 end 


66 

33



Switch Port After Config 

aaa new-model 

aaa authentication dot1x default group radius 

aaa authorization network default group radius 

dot1x system-auth-control 

radius-server attribute 8 include-in-access-req 

radius-server host 192.168.10.5 auth-port 1645 acct-port 1646 key cisco 

radius-server vsa send authentication 


description Sample Dot1x 




dot1x pae authenticator 


srr-queue … 


67 

Switch Port Before Auth 

Switch#show authentication session gi1/0/15 

Interface: GigabitEthernet1/0/15 

MAC Address: Unknown 

IP Address: Unknown 

Status: Running 

Domain: UNKNOWN 

Oper host mode: single-host 




Common Session ID: 0A640A050000163C37C0ED38 

Acct Session ID: 0x0000163E 

Handle: 0xD600063D 


Method State 

dot1x Running 


68 

34



Switch Port After Auth 

Switch#show authentication sessions interface g1/0/15 



IP Address: 10.1.2.200 

User-Name: admin 


Domain: DATA 



Authorized By: Authentication Server 

Vlan Policy: N/A 



Common Session ID: 0A640A050000163D37C44E6C 

Acct Session ID: 0x0000163F 

Handle: 0x5D00063E 


Method State 



69 

ISE – Switch as AAA Client Setup 


70 

35



ISE – Create User in Internal Store 


71 

ISE – Identity Store Sequence 


72 

36



ISE – 802.1X AuthC Policy 


73 

ISE – 802.1X Authz Policy 


74 

37



Auth Details Report 


75 

Identity & Authentication 

Non-802.1X Capable Devices & 

Users 

TECSEC-2041 


38



Default Security: Consequences 

Default 802.1X Challenge 

Devices w/out supplicants 

Can‘t send EAPoL 

No EAPoL = No Access 

Offline 

No EAPoL / No Access 

One Physical Port ->Two Virtual ports 

Uncontrolled port (EAPoL only) 

Controlled port (everything else) 





77 

MAC Authentication Bypass (MAB) for 

Non-802.1X Devices 

No Response 

MAC: 00.0a.95.7f.de.06 

EAP-Identity-Request 



Switchport is open for one packet to learn MAC 

Link up 

Switch Fallbacks to MAB 

RADIUS-Access Request: 

MAC: 00.0a.95.7f.de.06 

MAB requires creating and maintaining MAC database 

Default 802.1X timeout = 90 seconds (configurable) 

• 90 sec > default MSFT DHCP timeout 

• 90 sec > default PXE timeout 

RADIUS-Access Accept 


78 

1 

2 

3 

4 

5 

6 

802.1X times out 

Switch Learns MAC 

7 

Significant 

Deployment 

Barriers 

39



802.1X with MAB 

Deployment Considerations 

MAB enables differentiated access control 

MAB leverages centralized policy on AAA server 

Dependency on 802.1X timeout -> delayed network access 

• Default timeout is 30 seconds with three retries (90 seconds total) 

• 90 seconds > DHCP timeout. 

MAB requires a database of known MAC addresses 

Printer VLAN 

Guest VLAN 

RADIUS 

ISE 

LDAP 

MAC 

Database 


79 

Considerations: MAC Databases 

Method What is it? Advantages Problems Use Case 

OUI 

Wildcards 

Use 3-Byte 

Identifier 

ISE Local 

database with 

RADIUS 

Server 

Active 

Directory 

Device 

Profiling 

Central 

Directory 

Service 

Automatic 

building of 

MAC database 

LDAP Central 

directory 

Easy to add 

lots of devices 

Readily 

available 

Central 

repository 

No granularity ‗Add all HP 

printers‘ 

No central 

repository for all 

IDs 

Should have 

support for [IEEE 

802] object, 

password 

complexity GPO 

Automated Need certain 

methods to make it 

reliably identify 

devices 

Standards 

based 

Manually populated 

and maintained 

‗RADIUS 

only‘ 

‗All in one‘ 

‗handle 

unknown 

devices‘ 

‗leverage 

existing db‘ 


80 

40

MAB 

DEMO Time 

TECSEC-2041 




ISE – MAB Service AuthC Policy 


82 

41



ISE – MAB Authz Policy 


83 

Switch: Adding „MAB‟ 


description Dot1x Demo with MAB and Guest VLAN 






authentication event no-response action authorize vlan 40 

dot1x timeout tx-period 10 

dot1x max-reauth-req 2 

mab 

spanning-tree portfast 


84 

42



Switch: MAB Success 

Switch#show authentication session int g1/0/15 



IP Address: 10.1.2.200 

User-Name: 00-14-5E-95-D6-CC 


Domain: DATA 







Common Session ID: 0A640A05000016475BE3EF40 

Acct Session ID: 0x0000164A 

Handle: 0xFE000648 


Method State 

dot1x Failed over 

mab Authc Success 


85 

ISE: MAB Success 


86 

43



Local Web Auth (LWA) for non-1X User 

1 

―Flex Auth‖: 

Multiple Triggers 

Single Port Config 

•802.1X Timeout 

•802.1X Failure 

•MAB Failure 

Switch 

Port Enabled, 

2 

ACL Applied 

Host Acquires IP Address, Triggers Session State 

3 

4 

Host Opens Browser 

Login Page 

Host Sends Password 

6 

Switch Applies New ACL Policy 

5 

DHCP/DNS 

Switch Queries AAA Server 

AAA Server Returns Policy 

AAA Server 

Server 

authorizes 

user 


87 

802.1X with LWA 


LWA is only for users (not devices) 

• browser required 

• manual entry of username/password 

LWA can be a fallback from 802.1X or MAB. 

LWA and Guest VLAN* are mutually exclusive 

LWA supports ACL authorization only – No VLAN change 

LWA behind an IP Phone requires Multi-Domain 

Authentication* (MDA) or Multi-Auth 

LWA supports limited web portal customization 

No native support for advanced services including AUP, CP, 

Change Password, Self-Registration, or Device Registration. 

No Change of Authorization (COA) support; therefore access 

policy cannot be changed based on posture or profiling state. 

* To be discussed in later sections 


88 

44



Central Web Auth (CWA) for non-1X User 

1 

―Flex Auth‖: 

Multiple Triggers 

Single Port Config 

•802.1X Timeout 

•802.1X Failure 

•MAB Success 

Host Acquires IP Address 

3 

4 

Switch 

DHCP/DNS 

Host Opens Browser – Switch redirects browser to ISE CWA page 

Login Page 

Host Sends Username/Password 

6 

MAB re-auth 

MAC Success 

2 

5 

Web Auth Success results in CoA; 

ISE PDP 

AuthC success; AuthZ for unknown user 

returned: URL Redirect + dACL/VLAN. 

Session lookup—policy matched 

Authorization dACL/VLAN returned. 

AUP 

process, if 

configured 

Server 

authorizes 

user 


89 

Centralized Web Authentication (CWA) 


90 

45



802.1X with CWA 


CWA is only for users (not devices) 

• browser required 

• manual entry of username/password 

CWA can be a fallback from 802.1X as part of MAB. 

Web-Auth and Guest VLAN* are mutually exclusive 

CWA supports ACL and VLAN authorization 

VLAN change requires IP refresh via browser applet or agent 

CWA behind an IP Phone requires Multi-Domain 

Authentication* (MDA) or Multi-Auth 

Native support for advanced services including AUP, Change 

Password, Self-Registration, or Device Registration. 

Supports integrated client provisioning, posture and profiling 

with COA support (dynamic reauthorization of access policy) 


91 

Web-Auth 

Demo Time 

TECSEC-2041 


* To be discussed in later sections 

46



ISE – Create dACL for Web-Auth 


93 

ISE – Create Web-Auth Authz Profile 


94 

47



ISE – Web-Auth to use the Default 

Authc Policy 


95 

ISE – Web-Auth Authz to use Default 


96 

48



Switch: Local Web auth Configuration 

ip admission name RULE1 proxy http 

ip device tracking 

ip http server 

ip http secure-server 

fallback profile WEB-AUTH 

ip access-group DEFAULT-ACCESS in 

ip admission RULE1 

aaa authentication login default group radius 

aaa authentication login line-console none 

aaa authorization auth-proxy default group radius 

ip access-list extended DEFAULT-ACCESS 

remark Allow DHCP 

permit udp any eq bootpc any eq bootps 

remark Allow DNS 

permit udp any any eq domain 

remark Allow HTTP 

permit tcp any any eq www 

remark Allow ICMP for test purposes 

permit icmp any any 

remark Implicit Deny 

deny ip any any 

line con 0 

login authentication line-console 


description Dot1x Demo with MAB and Web-Auth 






no authentication event no-response 


dot1x max-req 

mab 


authentication fallback WEB-AUTH 


radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxx 



97 

Switch: Central Web auth Configuration 


















line con 0 








authent event fail action next-method 

authentication host-mode multi-domain 

authentication open 

authentication order mab dot1x 

authentication priority dot1x mab 


authentication violation restrict 

mab 




radius-server attribute 6 on-for-login-auth 


radius-server attribute 25 access-request include 




98 

49



Web Auth User Experience 


99 

Identity & Authentication 

Further Restrictions 

TECSEC-2041 


50



Default Security: More Consequences 

Only one MAC is allowed to 

authenticate on a port 

• VMWare, Phones, Hubs, Grat Arp… 

VM 





101 

Authorization 

TECSEC-2041 


51



Various Authorization Mechanisms 

Identity provides various authorization 

mechanisms for policy enforcement. 

Three major enforcement mechanisms: 

• Dynamic VLAN assignment – Ingress 

• Downloadable per session ACL – Ingress 

• Security Group Access Control List 

(SGACL) – Egress 

Session-Based on-demand 

authorization: Change of Authorization 

(RFC3576) 

• Disconnect Message 

• Re-authentication 

• Port Bounce 

• Port Down 


103 

Access Layer Authorization 

Primarily done with VLANs today 

VLANs with 802.1X are ubiquitous 

Very simple policy management for small numbers of groups 

Downloadable ACLs (dACLs) are now of interest because it allows 

customers to avoid changing their network 

dACLs scale to a point and then become ineffective due to the 

number of destinations 

Download all destinations that you need to protect or none 

If you have to download destinations, in moderate scale you need to download only 

the destinations relevant to the location of the access device. This must be done 

to keep TCAM utilization to a minimum 


104 

52



Drivers for scaling Access Control 

NAC 

Effective way to isolate quarantine hosts from healthy hosts 

Less operational cost in policy and network operations 

Guest 

Effective way to isolate guests from one another within whatever traffic 

isolation technique the guests require 

―Normal‖ enterprise security isolation for local services. 

In retail stores only authorized users/devices should access the store 

controller. 

Embedded Devices that have not traditionally been on 

the enterprise IP network 

HVAC, Video Surveillance, etc. 


105 

Challenge of Ingress Access Control 

802.1X/MAB/Web Auth 

VLAN 

Assignment 

ACL 

Download 

• Can I create / manage the new VLANs or IP Address scope? 

• How do I deal with DHCP refresh in new subnet? 

• How do I manage ACL on VLAN interface? 

• Does protocol such as PXE or WOL work with VLAN assignment? 

• Any impact to the route summarization? 

• Who‘s going to maintain ACLs? 

• What if my destination IP addresses are changed? 

• Does my switch have enough TCAM to handle all request? 

Traditional access authorization methods leave some deployment concerns 

Detailed design before deployment is required, otherwise… 

Not so flexible for changes required by today‘s business 

Access control project ends up with redesigning whole network 


106 

53



If VLANs are used for the use cases 


VLAN 

Assignment 

Per Use Case 

Embedded VLAN 

Guest VLAN 

Quarantine VLAN 

Enterprise VLAN1 

Enterprise VLAN2 

Voice VLAN 

• One VLAN per use case. Now there are at a minimum 4 additional VLANs 

• A user in multiple groups doesn‘t map to a single VLAN cleanly 

• This notion of ―VLAN Proliferation‖ is such a problem that there is a EAB group 

formed on it. 

• VLAN change has significant impact on end hosts 

• Significant network redesign 


107 

If dACLs are used for the use cases 


ACE per 

use case 

host 

Embedded Host Range(s) 

NAC Host Range(s) 

Enterprise Server Role (s) 

Guest Role (s) 

• Significant overhead to maintain ACLs at ingress (outside of firewall) 

• TCAM implications at ingress (one ACE for every host/range to protect on the 

network) 


108 

54



Security Group Access 

I‟m a contractor 

My group is IT Admin 


Contactor 

& IT Admin 

SGT = 100 

SGT = 100 

SGACL 

Security Group Based Access Control allows customers 

To keep existing logical design at access layer 

To change / apply policy to meet today‘s business requirement 

To distribute policy from central management server 

Database (SGT=4) 

IT Server (SGT=10) 


109 

Security Group Access 

Key Features 

Security Group Based 

Access Control 

Authenticated 

Networking 

Environment 

Confidentiality 

and 

Integrity 

SGT capable device 

Topology independent access control based on roles 

Scalable ingress tagging (SGT) / egress filtering 

(SGACL) 

Centralized Policy Management / Distributed Policy 

Enforcement 

Endpoint admission enforced via 802.1X authentication, 

MAB, Web Auth (Cisco Identity compatibility) 

Network device admission control based on 802.1X 

creates trusted networking environment 

Only trusted network imposes Security Group TAG 

Encryption based on IEEE802.1AE (AES-GCM 128-Bit) 

Wire rate hop by hop layer 2 encryption 

Key management based on 802.11n (SAP) standardized 

in 802.1X-2010 


110 

55



Security Group Based Access Control 

Security 

Group 

Tag 

SG SGACL 

Customer Benefits 

Unique 16 bit (65K) tag assigned to unique role 

Represents privilege of the source user, device, or entity 

Tagged at ingress of TrustSec domain 

Filtered (SGACL) at egress of TrustSec domain 

No IP address required in ACE (IP address is bound to SGT) 

Policy (ACL) is distributed from central policy server (ACS) or 

configured locally on TrustSec device 

Provides topology independent policy 

Flexible and scalable policy based on user role 

Centralized Policy Management for Dynamic policy provisioning 

Egress filtering results to reduce TCAM impact 


111 

Layer 2 SGT Frame Format 

Cisco Meta Data 

Authenticated 

802.1AE Header CMD ICV are the L2 802.1AE + TrustSec overhead 

Frame is always tagged at ingress port of SGT capable device 

Tagging process prior to other L2 service such as QoS 

No impact IP MTU/Fragmentation 

Encrypted 

DMAC SMAC 802.1AE Header 802.1Q CMD ETYPE PAYLOAD ICV CRC 

CMD EtherType Version Length SGT Opt Type SGT Value Other CMD Options 

Ethernet Frame field 

L2 Frame MTU Impact: ~ 40 bytes = less than baby giant frame (~1600 bytes 

with 1552 bytes MTU) 


112 

56



Traditional Access Control 

User (Source) 

Managers 

S1 

S2 

S3 

HR Rep 

S4 

IT Admins 

Servers (Destination) 

D1 

D2 

D3 

D4 

D5 

D6 

Sales 

permit tcp S1 D1 eq https 

permit tcp S1 D1 eq 8081 


deny ip S1 D1 


113 

HR 

Finance 

Network Admin manages every IP source to IP destination 

relationship explicitly 

# of ACEs = (# of sources) * (# of Destinations) * permissions 

S1 to D1 Access Control 

ACE # grows as # users/servers 

increases 

How SGACL simplifies Access Control 

Security Group 


User Servers 

(Source) 

(Destination) 

x 100 

x 100 

x 100 

x 100 

MGMT A 

(SGT10) 

MGMT B 

(SGT20) 

HR Rep 

(SGT30) 

IT Admins 

(SGT40) 

SGACL 

Sales SRV 

(SGT400) 

HR SRV 

(SGT500) 

Finance SRV 

(SGT600) 

• Network Admin manages every source “group” to destination 

“group” relationship 

• This abstracts the network topology from the policy and reducing 

the number of policy rules necessary for the admin to maintain 

• The network automates the alignment of users/servers to groups 

10 Network 

Resources 


Resources 


Resources 


114 

57



Security Group Access – 

SGT Assignment 

TECSEC-2041 


SGT Assignment 

Campus/Mobile endpoints 

Every endpoint that touches TrustSec domain is classified with SGT 

SGT can be sent to switch via RADIUS authorization after: 

Data Center / Servers 

• via 802.1X Authentication 

• via MAC Authentication Bypass 

• via Web Authentication Bypass 

• Or Static IP-to-SGT binding on SW 

• via Manual IP-to-SGT binding on TrustSec device 

• via IP-to-Port Mapping 

Full integration with 

Cisco Identity 

Solution 

Every server that touches TrustSec domain is classified with SGT 

SGT is usually assigned to those servers: 

Just like VLAN Assignment 

or dACL, we assign SGT in 

authorization process 


116 

58



Assigning Users / Servers to SGTs 



User Servers 

(Source) 

(Destination) 

HR 

(SGT 8) 

IT Admin 

(SGT 5) 

ACME 

(SGT 10) 

Guest 

(SGT 15) 

SGACL 

HR Server 

(SGT 10) 

IT Portal 

(SGT 4) 

Internal Portal 

(SGT 9) 

Public Portal 

(SGT 8) 


117 

Security Group Access – 

SGACL Policy 

TECSEC-2041 


59



1 

How To Create SGT Policy 

Source 

SGT 

Destination 

SGT 

HR User (SGT 4) 

IT Admin (SGT 7) 

Public Portal 

(SGT 8) 

Internal Portal 

(SGT 9) 

ACME Portal 

(SGT 5) 

HR Server 

(SGT 6) 

Web Web No Access Web 

IT Maintenance ACL 

File Share 

Web 

SSH 

RDP 

File Share 

permit tcp dst eq 443 


permit tcp Web dst eq 22 

permit tcp SSH dst eq 3389 


permit tcp RDP dst eq 136 

permit File tcp Share dst eq 137 


permit tcp des eq 139 

deny ip 

Full Access 

SSH 

RDP 

File Share 


119 

SGACL Policy on ACS 


120 

2 

3 

60

Users, 

Endpoints 



Security Group based Access Control 

How Enforcement Works 


IT Admin 

(SGT 7) 

SGA6K-DC#show cts role-based counters 

Role-based IPv4 counters 

From To SW-Denied HW-Denied SW-Permitted HW_Permitted 

* * 0 0 677 13463 

4 5 0 0 0 0 

7 5 634 597 0 0 

3 6 0 0 0 0 

4 6 0 SGT=7 0 0 0 

Catalyst ® 3750-E 

Campus 


Cat 6500 w/ 

SUP 2T 

Core 

Untagged Frame Tagged Frame 

Cat 6500 w/ 

SUP 2T 

Distribution 

Web 

HR Server (SGT 6) 

10.1.200.10 

ISE 1.0 

ACME Server (SGT 5) 

10.1.100.10 

VLAN200 

Active 

Directory 

VLAN200 


121 

Confidentiality and Integrity – 

MACSec based encryption 

TECSEC-2041 


ISE 

61

Authenticated 

User 



Confidentiality and Integrity 

Securing Data Path with MACSec 

Media Access Control Security (MACSec) 

Supplicant 

with 

MACSec 

• Provides ―WLAN / VPN equivalent‖ encryption (128bit AES GCM) to LAN 

connection 

• NIST approved* encryption (IEEE802.1AE) + Key Management (IEEE802.1X- 

2010/MKA) 

• Allows the network to continue to perform auditing (Security Services) 

Guest User 


&^*RTW#(*J^*&*sd#J$%UJ&( 

MACSec Link 

Data sent in clear 

* National Institute of Standards and Technology Special Publication 800-38D 

Encrypt Decrypt 

&^*RTW#(*J^*&*sd#J$%UJWD&( 

MACSec 

Capable Devices 

Note: Cat3750-X currently supports MACSec on downlink only 


123 

Hop-by-Hop Encryption via IEEE 802.1AE 

―Bump-in-the-wire‖ model 

-Packets are encrypted on egress 

-Packets are decrypted on ingress 

-Packets are in the clear in the device 

Allows the network to continue to perform all the packet inspection 

features currently used 

Decrypt at 

Encrypt at 

Ingress 

Egress 

01101001010001001 

everything in clear 

01101001010001001 

128bit AES GCM Encryption 128bit AES GCM 0 Encryption 128bit AES 0GCM 

Encryption 

01001010001001001000101001001110101 

011010010001100010010010001010010011101010 

1 

01101001000110001001001000 


124 

ASIC 

62



802.1AE (MACSec) Tagging 

SGA Frame Format 

DMAC SMAC 802.1AE Header 802.1Q CMD ETYPE PAYLOAD ICV CRC 

0x88e5 

MACSec EtherType TCI/AN SL Packet Number SCI (optional) 

MACSec Tag Format 

Authenticated 

Encrypted 


125 

Network Device Admission Control 

TECSEC-2041 


63



TrustSec is based on “Trust” 

Any member of TrustSec domain needs to establish 

trust relationship to its peer, otherwise not trusted 

Only SGT from trusted member can be ―trusted‖ 

and processed by its peer 

SGT from distrusted device is tagged as 

―Unknown‖, a special SGT (value is zero) 

A process of authenticating is called ―Endpoint 

Admission Control‖ (e.g. SGT tagging via 802.1X) 

A process of authenticating network device is called 

―Network Device Admission Control‖ or NDAC in 

short 


127 


NDAC 

Customer Benefits 

Network Device Admission Control (NDAC) provides 

strong mutual authentication (EAP-FAST) to form 

trusted domain 

Only SGT from trusted peer is honored 

Authentication leads to Security Association Protocol 

(SAP) to negotiate keys and cipher suite for encryption 

automatically (mechanism defined in 802.11i) 

Trusted device acquires trust and policies from ISE server 

802.1X-2010 will ultimately replace SAP 

Mitigate rogue network devices, establish trusted network 

fabric to ensure SGT integrity and its privilege 

Automatic key and cipher suite negotiation for strong 802.1AE 

based encryption 


128 

64

SGT Assignment for 802.1X 

Demo Time 

TECSEC-2041 




Phase 0: Pre-Deployment 

TECSEC-2041 


65



Introduction to ACME Corp. 

Fictional Company, publishing house. 

Employees, free lancers, guests are using the 

corporate network infrastructure. 

The same infrastructure is used for other devices 

as well. 

„One network to support them all.‟ 

No access control in place as of today, 

everybody with physical access can connect. 

The CIO decided to limit access. Only 

known devices must be allowed on the network 


131 

ACME‟s Business Environment 

GLOBAL WORK FORCE 

Security Camera G/W 

Agentless asset 

MAC: F5 AB 8B 65 00 D4 

Sergei Balazov 

Contractor 

IT 

Wireline 

10am 

Vicky Sanchez 

Employee 

Marketing 

Wireline 

3pm 

Employees, Contractors, Phones, Printers 

SENSITIVE RESOURCES 

Network, Devices & Applications 

Susan Kowalski 

Employee 

CEO 

Remote Access 

10pm 

Rossi Barks 

Employee 

HR 

Wireline 

11am 

MULTIPLE ACCESS METHODS 

From different devices, location & time 

ALL NEED CONTROLLING 

Bill Graves 

Employee 

R&D 

Wireless 

2pm 

Frank Lee 

Guest 

Wireless 

9am 

Laptop 

Managed asset 

Main Laboratory 

11am 

Francois Didier 

Consultant 

HQ - Strategy 

Remote Access 

6pm 

IP Phone G/W 

Printer 

Managed asset 

Agentless asset 

Finance dept. 

MAC: B2 CF 81 A4 02 D7 

TECSEC-2041 © 2011 Cisco and/or its affiliates. All rights reserved. 12:00pm Cisco Public 

132 

66

ACME‟s Goals 

The Mission: 



Prevent Anonymous / Unauthorized 

Access 

Increase Network Visibility 

Increase Network Security 

Solution deployment should be 

transparent to end users 

Employee end-user behavior should not change. 

Legacy devices must not be locked out. 

Best authentication method based on device 

capabilities should be chosen. 


133 

ACME‟s Data Center environment 

ACME are also planning to consolidate applications and 

servers in two new Data Centers: 

To centralize sensitive data and applications 

Reduce operational cost and improve performance 

Deliver new services including Virtual Desktop Infrastructure 

Data Center teams plan to use Cisco Nexus infrastructure for 

virtualization performance reasons 


134 

67



ACME‟s Environment: Devices 

PC devices are primarily running in a Microsoft 

Windows environment. 

IP Telephony is Cisco, 50% are 802.1X ready 

and support EAP-TLS / certificate based 

authentication. No Certs deployed so far (MICs 

only). 

Printers are not-802.1X capable, must be 

discovered and authenticated via their MAC 

address. 

All sorts of other (legacy) devices from 

freelancers (Macs, Linux machines, …) and 

generic devices (e.g. building control). 


135 

ACME‟s Environment: Network 

ACME recently did a refresh on their access 

network. 

Devices are up-to-date and are running latest 

available code. 

Devices are configured according to L2 best 

practice (DHCP snooping, DAI, VLAN != VVLAN != 

Management VLAN). 

For conference rooms, only corporate owned and 

authorized devices may be cascaded to provide 

additional ports (Extended Edge concept). 


136 

68



ACME‟s Environment: Back-End 

Windows 2008 Active Directory 

Environment managed via AD Group Policy Objects 

(GPOs) 

GPOs enabled centralized management & distribution of 

policy for users, computers and other objects in the 

directory. 

Certificate Infrastructure is in place, Microsoft 

CA running on AD. 

ISE 1.0 will be used to provide AAA services. 


137 

ACME‟s Environment: Credentials 

Corporate machines are registered 

with the Windows domain 

Computers & Users log in with Name 

and Password to the domain 

Additional authentication is enforced 

at the application layer 

No authentication at all for all other 

devices 


138 

69



ACME‟s Environment: Data Center 

plans 

Current DC access controls use ACLs in routers and 

firewalls extensively 

ACME would like to reduce the SecOps effort in managing 

ACLs – as server adds, moves and changes are frequent 

ACME are planning to use Cat 6500 w/ SUP 2T switches in 

new Data Center core and distribution roles. 

Centralized VDI is intended for use by certain types of user 

– ACME intend to use VMware hypervisors and Connection 

Brokers 


139 

Considerations 

What Authentication Method(s) 

should be used? 

Which Operating Systems are to 

be supported? 

Where are Credentials stored? 

One Store vs. Many Stores 

How to Build and Manage a MAC 

Database? 

What authorization methods 

scale to meet ultimate goals? 

How do we discover what is out 

on our network? 


140 

70



Considerations: Authentication Method 

Method What‟s required? Pros Cons 

802.1X Supplicant 

Credentials 

MAB MAC address 

database 

Web-Auth Portal (on switches 

or on a guest 

server) 

Highest Security Supplicant may not be 

available on every 

platform 

Works for all 

devices 

No supplicant 

needed, every 

device w/ 

browser can be 

used 

Weak, can be easily 

snooped, DB needs to 

be created and 

maintained 

Relies on initial 

connectivity, VLAN / IP 

address change after 

authentication is 

problematic 


141 

Further Considerations for 802.1X 

Authentication: EAP Methods 

Method What‟s required? Pros Cons 

EAP-MD5 Password stored 

at each device 

EAP-TLS Certificate 

distribution 

PEAP Username 

Password from 

Windows 

Chosen by ACME for 

operational efficiency 

Most devices with 

802.1X support 

do at least EAP- 

MD5 

Most secure 

method 

Readily available 

in Windows 

environments 

Difficult to maintain 

(password changes) 

Certificate cost, 

distribution, renewal 

Usually inner method 

is username / pw (MS- 

CHAPv2) 


142 

71



Considerations: Operating Systems 


143 

Considerations: Operating Systems 

OS (corporate 

asset) 

Windows XP 

and newer 

Supplicant Methods 

supported 

Built-in or 3 rd 

party 

Older Windows No support MAB or WebAuth 

Apple Mac OS X Built-in TTLS, TLS, FAST, 

PEAP, LEAP, MD5 

802.1X-capable 

Cisco phones 

Remark 

MD5, TLS, PEAP No MD5 w/ Vista 

and newer 

Built-in MD5, FAST, TLS TLS for this one 

only 

Other devices various various various 

OS (noncorporate 

asset) 

Supplicant Methods 

supported 

Remark 

All n/a MAB or WebAuth Guest Access 


144 

72



Considerations: MAC Databases 

What to use? 

OUI 

Individual 

MAC address 

How? 

Where to 

store? 

RADIUS 

Radius Server 

Server 


LDAP 

PCs Non-PCs 

ACME‟s Choice 

UPS Phone Printer AP 

How to 

maintain? 

Manually 

(semi) 

Automatic 


145 

ACME‟s Starting Point 

CREDENTIAL STORE 

EAP-TYPE 

UNMANAGED DEVICES 

DATA CENTER 


146 

73



ACME Summary & Goal 

Enforce admission control to 

wired network 

Use central identity store, Active 

Directory 

Provide consistent access 

solution for all devices 

Provide consistent classification 

for authorization across campus 

and Data Center 


147 

Device Discovery & Classification 

(Endpoint Profiling) 

TECSEC-2041 


74



Considerations for Profiling Endpoints 

Passive assessment or active polling/scanning? 

What is performing the data collection and what can be collected? 

Dedicated collection devices or existing infrastructure? Must traffic pass inline? 

SNMP data? DHCP? RADIUS? Packet capture for deeper analysis? 

Which attributes constitute device type X? 

Is MAC OUI alone good enough? What about DHCP data, location, connection 

protocols, or network traffic? 

How do I weight certain attributes and combine multiple matching attributes? 

Does it meet my security requirements? 


149 

Considerations for Profiling Endpoints 

Can I collect the needed attributes to make a decision? 

Will additional collection devices need to be deployed? 

Do I need to adjust my policy? (balancing cost with risk) 

What is the network or endpoint load impact? 

How is my profile for Device X created, maintained, updated? 

How does system respond to changing or conflicting profiles? 

―Chicken and egg‖ phenomenon for policy based on profile 


150 

75



ISE Profiling Services 

Integrated into existing policy server appliances—dedicated or on 

same appliances 

Data Sources 

RADIUS SNMP Queries/Traps HTTP Span 

Netflow v5/v9 DHCP Span/Helper/Proxy DNS Lookup 

Distributed collection and central aggregation and correlation 

Pre-built profile library 

Option to create custom conditions and profiles 

Hierarchical policy definition (by unique dev type or parent type); 

Examples: 

Cisco 7960 phone > Any Cisco IP Phone > Any IP Phone 

iPad > i-Devices (iPhone, iPod, iPad) > Any mobile device 


151 

ISE Profile Library 

TECSEC-2041 © 2011 Cisco and/or its affiliates. All rights reserved. © 2011 Cisco and/or its 

affiliates. All rights 

Cisco Public 

152 

76







153 





154 

77




Device Attributes 

More attributes 

And more attributes 

Still more attributes! 

© 2011 Cisco and/or its 



155 

Phase 1: Monitor Mode 

TECSEC-2041 


78



802.1X Authentication Default Behavior 

Supplicant Authenticator Authentication Server 

Layer 2 Point-to-Point 

EAPoL Start 


Layer 3 Link 




EAP Transaction 

DHCP / DNS / other traffic 

Authorization 

MAC Address Learned in FWDing state 

After port is authorized, endpoint MAC address is learned and endpoint can 

communicate to network 


157 

What is Monitor Mode 

Monitor Mode: One of the deployment modes to enable Access Control 

without ANY ENFORCEMENT 



EAPoL Start 




Layer 3 Link 





Authorization 

―Authentication Open‖ allows MAC address to be learned and placed into forwarding 

state when link the endpoint is connected. 


158 

79



Why Cisco Invented Monitor Mode? 

@ ACME, BEFORE Monitor Mode is available … 

ACME IT Mgr. 

I‘ve done my 

homework in Proof of 

Concept Lab and it 

looks good. I‘m turning 

on 802.1X tomorrow… 

Enabled 802.1X 

Help Desk call increased by 40% 

I can‘t connect to my 

network. It says 

Authentication failed 

but I don‘t know how 

to fix. My presentation 

is in 2 hours… 


159 

How Monitor Mode Helps 

@ ACME, AFTER Monitor Mode is available … 

ACME IT Mgr. 

Thanks to Monitor 

Mode, I can turn on 

my 802.1X without 

interrupting any 

user traffic 

Benefit: 

It monitors the network, see who‘s 

on, address future connectivity 

problems by installing supplicants 

and credentials, creating MAB 

database 

ACME authentications can be monitored 

View Trends of Passed (should be high) 

View Trends of Failures (should be low) 

View Trends of Unknown MAC Addresses (should start high 

and lower as MAC Addresses are added to the database) 


160 

80



Enabling Monitor Mode – RADIUS 

Server 

Configure PKI and Identity Servers 

Create 802.1X & MAB Policies 

- Every user in AD is 

permitted 

- Separate Rules can be 

used for reporting 


161 

Enabling Monitor Mode – Managed Assets 

Roll out Root CA Cert to 

Managed Assets via GPO 

Activate PEAP configuration 

for User authentication via GPO 

Activate Wired Auth Service on 

Windows machines via GPO 

All managed assets should be provisioned before the switches are configured 

for access control 


162 

81

Phased Rollout 



Device discovery and classification 

Deploy supplicant configuration components first 

Configure RADIUS server second 

Deploy switches third 

Possibly start with one floor at a time 

Validating via case load that monitor mode is working as expected 

After successful floor rollouts expand to multiple floors or a building 

at a time 


163 

Monitor Mode – Monitoring and 

Reporting 

Monitor the network, see who‘s on, address future connectivity 

problems by installing supplicants and credentials, creating MAB 

database 

RADIUS accounting logs provide visibility: 

• Passed/Failed 802.1X/EAP attempts 

• List of valid dot1x capable 

• List of non-dotx capable 

• Passed/Failed MAB attempts 

• List of Valid MACs 

• List of Invalid or unknown MACs 

TO DO Before implementing access control: 

•Confirm that all these should be on network 

•Install supplicants on X, Y, Z clients 

•Upgrade credentials on failed 802.1X clients 

•Update MAC database with failed MABs 

… 


164 

82



ISE Reports Authentications Details 


165 

Active Monitoring 

Network Visibility is not just about passed/failed authentications 

The RADIUS server can have a session directory provided by 

RADIUS accounting. 

This provides ACME with a view of all active sessions as the session 

enter and leave the network 

This information can be used along with other security information for 

better incident response 


166 

83



802.1X with RADIUS Accounting 

Supplicant 802.1X Process 

1 Authenticate 

2 EAPOL-Success 

2 Access-Accept 

3 Accounting Request 

4 Accounting Response 

RADIUS Process 

PC Switch ACS 


167 

802.1X with RADIUS Accounting 

Similar to other accounting and tracking mechanisms that already 

exist using RADIUS 

Can now be done through 802.1X 

Increases network session awareness 

Provide information into a management infrastructure about who logs 

in, session duration, support basic billing usage reporting, etc. 

Provides a means to map the information of authenticated 

Identity, Port, MAC, Switch 

IP, Port, MAC, Switch 

= 

Identity IP 

Switch + Port = Location 

IOS 

aaa accounting dot1x default start-stop group radius 


168 

84



Simple Homegrown Tools 

Switches logs all passed/failed sessions via syslog 

RADIUS servers typically all log information in plain text 

Relatively easy to run scripts against this information to 

create monitoring views 

Scripts can create database of mac addresses seen 

from the network 


169 

Simple Homegrown Tools 


170 

85

Monitoring With ISE 



Tip: Interactive Viewer Is Your Friend 

Launch It, Then Right Click Inside the Report for Customization Options 

Detailed Reports Are Lifesavers 


171 

ISE Details Report 


172 

86



Monitor Mode: Network Access Table 

Endpoints Authentication Status 

All (including PXE) Pre-Auth 

Employees 802.1X Success 

Corporate Asset MAB Success 

Phones 802.1X or MAB Success 

Employees 802.1X Fail -> MAB 

Sponsored Guest 802.1X Fail/Timeout -> 

MAB Fail 

Unknown / 

Unauthorized 

802.1X Fail/Timeout -> 

MAB Fail 

All None (AAA server down) 


173 

DEMO Time 

Open Mode & Multi-Auth 

TECSEC-2041 


Authorization Implementation 

Enterprise Access Open authentication 



Voice Access Open authentication 





87



Switch Configuration: Open Access 

+ Multi-Auth 

interface GigabitEthernet1/13 

description Dot1x Demo with Open Access 




authentication host-mode multi-auth 






175 

Security Group Access with 

Monitor Mode 

TECSEC-2041 


88



ACME Summary & Goal Update 

Enforce admission control to wired 

network 

Use central identity store, Active Directory 

Provide coherent access solution for all 

devices 

Provide coherent classification for 

authorization across campus and Data 

Center 

ACME decides to enable filtering for 

single user and user group for visibility 

Only HR users should be able to access HR 

resources – Privacy/Regulatory Compliance 


177 

SGA and Monitor Mode Interop 

Understanding Ingress & Egress Enforcement 

Ingress Enforcement 

VLAN Assignment 

Downloadable ACL 

Users, 

Endpoints 

Monitor Mode 

Catalyst ® Switches 

(3K/4K/6K) 

TrustSec Domain 

Campus 


ISE 1.0 

Cat 6500 w/ 

SUP 2T 

Monitor Mode is enabled on ―ingress enforcement point‖ 

Monitor Mode can co-exist with SGA by 

1. Permitting traffic with SGACL at egress enforcement point 

2. Controlling traffic with SGACL at egress enforcement point 

Egress Enforcement 

Security Group ACL 


178 

89



Non-SGACL Capable Platform Support 

with SXP 

SGT native tagging requires hardware (ASIC) support 

Non-SGACL hardware capable devices can still receive 

SGT attributes from ACS for authenticated users or 

devices, and then forward the IP-to-SGT binding to a 

TrustSec SGACL capable device for tagging & 

enforcement 

SGT eXchange Protocol (SXP) is used to exchange IPto-SGT 

bindings between TrustSec capable and 

incapable device 

Currently Catalyst 6500, 4500/4900, 3750, 3560 and 

Nexus 7000 switch platform support SXP 

SXP accelerates deployment of SGACL by without 

extensive hardware upgrade for SGA 


179 

SGT Assignment - Campus 

How the SGT is assigned to role dynamically 

HR 

Admin 

10.1.10.100/24 

MAC:0050.56BC.14AE 


MAC Address Port SGT 

0050.56BC.14AE Fa2/12 10/000A 

DHCP Request / Response 

MAC Address Port SGT IP Address 

0050.56BC.14AE Fa2/1 10/000A 10.1.10.100 

Cat6503 

802.1X User Authentication 

Port Open! 

Cat6503 

RADIUS 

Access-Accept with VSA 

DHCP Snooping / ARP Snooping 

SXP Binding Table 

Tagging 

NX7010 


180 

ISE 1.0 

SRC: 10.1.10.100 SGT (10/000A) 10.1.10.100 

Auth OK! 

HR-User: SGT (10/000A) 

90

Packets are tagged 

with SGT based on 

source IP Address 



IP-SGT Binding Exchange with SXP 

ACME User HR User 

Data Center 

8 

Non TrustSec 

capable device 

30 

SXP SXP 

HR Server ACME Server ACME Server Directory 

Service 

111 222 333 

Once SGT is tagged, 

then SGACL can be 

applied 

Switch builds 

binding table 

TrustSec 


ISE 1.0 

TCP-based SXP is established between Non- 

TrustSec capable and TrustSec-Capable devices 

User is assigned to SGT 

Switch binds endpoint IP address and assigned SGT 

Switch uses SXP to send binding table to TrustSec 


TrustSec capable device tags packet based on 

source IP address when packet appears on 

forwarding table 

SXP IP-SGT Binding Table 

IP Address SGT Interface 

User A 

10.1.10.1 8 Gig 2/10 

10.1.10.4 10 Gig 2/11 

Untagged Traffic 

CMD Tagged Traffic 

User C 

Untagged Traffic 

CMD Tagged Traffic 


181 


Open Mode and Multi-Auth at the access layer 

with Monitor and Reporting 

TrustSec can integrate easily by assigning SGT to 

a session, but having permit any any in the 

permission matrix for all allowed flows. 

Default for ―unknown‖ SGTs is permit any any 

Does not have an impact on access layer 

functions (PXE, WoL, etc.) 

Final phase after full Identity Solution deployment 

is to turn on default security for TrustSec in the 

Data Center. 


182 

91



SGA with Monitor Mode Use Case 1 

Zero Enforcement 

Users, 

Endpoints 

Monitor Mode 





(3K/4K/6K) 

Campus 


AUTH=OK 

SGT=8 

ISE 1.0 

Cat 6500 w/ 

SUP 2T 

SRC \ DST 



HR Server 

(111) 

HR Server 

1. User connects to network 

2. Monitor mode allows traffic from endpoint before authentication 

3. Authentication is performed and results are logged by ACS 

4. Traffic traverse to Data Center and hits SGACL at egress 

enforcement point 

5. All traffics are permitted with SGACL. No impact to the user traffic 

ACME Server 

ACME Server 

(222) 

ACME-User(8) Permit all Permit all 

HR-User (10) Permit all Permit all 

Unknown (0) Permit all Permit all 

ACME Server 


183 

Default Authorization for Egress Policy 

When no policy is assigned to Egress Policy Matrix, then ACS is going 

to assign policy defined in ―Default Policy‖ 

By default policy permits all traffic 

Blank cell means no 

specific policy is assigned 


184 

92



Default Authorization for Egress Policy 

When no policy is assigned to Egress Policy Matrix, then ISE is going 


By default policy permits all traffic 


185 

Defined Authorization for Egress Policy 

When no policy is assigned to Egress Policy Matrix, then ISE is going 



186 

93



Unauthorized User Handling 

Successfully authenticated user can get authorized with valid SGT 

value 

Jim HR User SGT 10 (HR-User) 

John IT Admin Group SGT 8 (ACME User) 

Open Mode allows traffic from someone who does not 

authenticate 

Steve Visitor??? SGT 0 (unknown) 

When using Open mode, make sure to minimize impact to source SGT 

unknown (0), a special SGT value reserved in the system 


187 

Handling Unknown SGT 

Unknown SGT is assigned when 

1. Policy results in unknown SGT 

2. When SGACL capable device is unable to lookup source IP address in its 

master IP-to-SGT binding table 

Common use cases where Unknown SGT is assigned 

Endpoint authentication fails and assigned to default SGT (Unknown) 

Endpoint authorized to locally significant VLAN (Failed-Auth-VLAN, Guest 

VLAN, or Critical VLAN) 

When SXP connection is down and listener receives packet from unknown 

source IP Address 

When there is no static IP-to-SGT binding associated to traffic received 

When access device does not support SXP 


188 

94



What does “Unknown” mean? 

Even source SGT is unknown, there is a policy associated with it 

Example: IT Admin to IT Server Policy 

Unknown User policy for 

HR Server 


189 


SGACL Enforcement 

Users, 

Endpoints 

Monitor Mode 





(3K/4K/6K) 

Campus 


AUTH=OK 

SGT=10 

ISE 1.0 

Cat 6500 w/ 

SUP 2T 

SRC \ DST 

ACME 

User(8) 

HR User 

(10) 



HR Server 

(111) 

HR Server 

ACME Server 


2. Monitor mode allows traffic from endpoint before authentication 

3. Authentication is performed and results are logged by ACS 

4. Traffic traverse to Data Center and hits SGACL at egress enforcement point 

5. Only permitted traffic path (source SGT to destination SGT) is allowed 

ACME Server 

(222) 

Deny all Permit all 

Permit all Permit all 

Unknown (0) Deny all Deny all 

ACME Server 


190 

95




With SGACL Enforcement 

How it works 

1. All traffic from all end users are allowed with Monitor Mode 

2. Authentication is still performed and results are logged by ACS 

3. Traffic traverses to Data Center and hits SGACL at egress enforcement 

point 

4. Traffic is allowed to a destination servers ONLY WHEN SGACL permits 

services 

When to use 

Best to use when end-to-end SGA environment is available (without 

enforcement point, we can‘t enforce traffic!) 

Best method to control traffic path without any impact to user traffic at 

ingress level 

Scalable than Low Impact Mode as it does not require any ACL occupying 

TCAM space 

Known Limitation / Concern 

Unauthenticated traffic may traverse in your network (but treated as 

Unknown traffic, SGT 0 


191 

DEMO Time 

Open Mode & SGA 

TECSEC-2041 


96



Low Impact Mode 

TECSEC-2041 


ACME‟s Goals: Phase 2 

Maintain Visibility 

Control Access to Sensitive Assets 

Preserve Network Access for Managed Assets 

Special Case: PXE boot 

Preserve Current Network Architecture 

No changes to VLAN infrastructure 

ACME‘s Goals Can Be Met With 



194 

97



Default Behavior Review 



EAPoL Start 


Layer 3 Link 






Authorization 


After port is authorized, endpoint MAC address is learned and endpoint can 

communicate to network 


195 

Access Control & Clientless Devices 

The Timing Problem With MAB 

• MAB depends on 802.1X timeout 

• Many devices are time-sensitive 

• DHCP is especially finicky 

The Low Impact Solution 

• Provide access to time-critical services before authentication 

• Continue to restrict access to other services until after 


ACME‘s Time-Critical Services 

• DHCP, DNS, TFTP 

• This is enough for PXE devices to boot before MAB completes 


196 

98



What is Low Impact Mode 

Low Impact Mode: One of the deployment modes to enable Access Control by 

differentiating enforcement before and after authentication 



Allow only required traffic with Pre-Auth ACL 

EAPoL Start 




Layer 3 Link 





Authorization with dACL 

Downloaded ACL will replace interface ACL 

―Authentication Open‖ still allows MAC address to be learned and pre defined interface 

ACL only allows specific traffic (such as DHCP and DNS) before authentication 


197 

Low Impact Mode Implementation 

Selectively Open Access 

Open Mode (Pinhole) 

On specific TCP/UDP ports 

Restrict to specific addresses 

EAP Allowed (Controlled Port) 

Download general-access ACL upon authentication 



ip access-group PRE-AUTH-ACL in 


Block General Access Until 

Successful 802.1X, MAB 

or WebAuth 

Pinhole explicit tcp/udp 

ports to allow desired 

access 


198 

99



PRE-AUTH-ACL 

dACLs Open Port After Authentication 

Configure downloadable ACLs (dACL) for authenticated users 

Switch dynamically substitutes endpoint‘s address 

permit ip host 10.100.20.200 any 

permit tcp any any established 

permit udp any any eq bootps 

permit udp any host 10.100.10.116 eq domain 

permit udp any host 10.100.10.117 eq tftp 

Contents of dACL are arbitrary 

Can have as many unique dACLs are there are user permission groups 

Same principles as pre-auth port ACL 

RADIUS Access-Accept: 

ACL: AUTH 

Request: 

AUTH ACL Contents 

Accept: 

―permit ip any any‖ 

ISE 1.x 


199 

Low Impact: Network Access Table 






Employees 802.1X Fail -> MAB or 

Web-Auth Success 


MAB Fail -> Web-Auth 

Success 

Unknown / 

Unauthorized 



Fail 


Limited Access Pre-Auth ACL 

Enterprise Access Permit-Any dACL 


Voice Access 

Enterprise Access 

Limited + Internet 

Access 

Limited Access 

Pre-Auth ACL 

All None (AAA server down) Limited Access Pre-Auth ACL 


200 

100

DEMO Time 

Low impact mode 

pre-Auth ACL 

dACL 

TECSEC-2041 




Switch Configuration: 

Open Access with dACL 


description Dot1x Demo with Open Access 




ip access-group UNAUTH in 

authentication event fail action next-method 



authentication order dot1x mab 




dot1x max-req 2 

mab 


ip device-tracking 

ip access-list extended UNAUTH 






202 

101



ISE Configuration: 

Modify Default Permit Access to include dACL 


203 

ISE Configuration 

Modify Phone Policy to include dACL 


204 

102



Switch Output: 

dACL with source address substitution 

Switch#sh access-lists 

Extended IP access list UNAUTH 

10 permit tcp any any established 

20 permit udp any any eq bootps 

30 permit udp any host 10.100.10.116 eq domain 

40 permit udp any host 10.100.10.117 eq tftp 

Extended IP access list xACSACLx-IP-PERMIT-IP-ANY-ANY-4936eb9e (per-user) 

10 permit ip any any 

Switch#sh show tcam int g1/13 acl in ip 

* Global Defaults not shared 

Entries from Bank 0 

… 

permit ip host 10.1.2.201 any 

permit tcp any any fragments 

permit udp any any fragments 

permit tcp any any established match-any 






205 

Low Impact Mode: 

Flex Auth 

TECSEC-2041 


103



Flexible Authentication: “Flex-Auth” 

One Configuration Fits Most 

Configurable behavior after 

802.1X timeout : 

1) Next-Method 

Configurable order and 

priority of authentication 

methods 

Flex-Auth enables a 

single configuration 

for most use cases 


802.1X failure: 

Configurable behavior 

before & after AAA server 

dies 


207 

802.1X Failure vs. 802.1X Timeout 

An 802.1X failure occurs when the AAA server rejects the request: 

SSC 

EAPoL Start 

EAPoL Response Identity 

A timeout occurs when an endpoint can‘t speak 802.1X: 

EAP Who? 

EAPoL Request Identity 

EAP Failure 


RADIUS Access Request 

RADIUS Access Reject 


208 

104



Default Behavior on 802.1X Timeout 

with LWA 

After 802.1X times out, port automatically falls back to ―nextmethod‖ 

if another method is configured. 

802.1X & MAB 802.1X & Web Auth 802.1X, MAB, Web-Auth 



Timeout 

MAB 



Timeout 

Local 

Web-Auth 



Timeout 

MAB 


209 

Default Behavior on 802.1X Timeout 

with CWA 

MAB 

Fails 

Local 

Web-Auth 

After 802.1X times out, port automatically falls back to ―nextmethod‖ 

if another method is configured. 

802.1X & MAB 802.1X & Web Auth 802.1X, MAB, Web-Auth 



Timeout 

MAB 



Timeout 

Local 

Web-Auth 

Web-Auth is not a “next-method”, instead it 

is an authorization “result” sent by ISE 

based on successful MAB authentication 



Timeout 

MAB 

MAB 

succeeds 

Central 

Web-Auth 


210 

105



Flex-Auth for 802.1X Failures 






1) Next-Method 1) Next-Method 



methods 






dies 


211 

Default Security After 802.1X Failure 

? 

Before Authentication 

After 802.1X Failure 

? 

All traffic except EAPoL is dropped 

All traffic except EAPoL is dropped 


212 

106



Why Provide Access to Devices that 

Fail? 

Employees‘ credentials expire or get entered incorrectly 

As 802.1X becomes more prevalent, more guests will fail auth 

because they have 802.1X enabled by default. 

Many enterprises require guests and failed corporate assets get 

conditional access to the network 



Certificate Expired! 

User Unknown! 


213 

The Problem? 

Authentication Failures - Architecture Issues 

EAP is between supplicant and EAP-Server. 

While not precluded by the EAP architecture, switches today are NOT EAP- 

Servers. They are Authenticators ONLY. 

This means they serve as a transport truck (aka pass-through mode) for EAP via 

802.1X + RADIUS and rely on the authentication server to be the EAP-Server. 

EAP starts on the EAP-Server at step 4 on previous slide. 

EAP stops at step 6 on the server, and at step 7 on supplicant on the previous 

slide. 

After step 7, switch places port into HELD state (60-sec by default) which 

continues to deny all access. 

It does NOT matter if traffic attempts to enter a network while in the HELD state. 

Since switches operate in pass-through mode, messing around with the result 

of the authentication conversation can be challenging! 

This is because the switch does NOT have visibility into what is actually going on, 

nor should it. 


214 

107

? 

MAC 



Failed Auth with Flex-auth: Next-method 


User Authenticated via MAB 

Access determined by MAB result 

Supplicant expected to ―fail open‖ 

Allow single packet 

to learn MAC 

6506-2(config-if)#authentication event fail action next-method 

6506-2(config-if)#authentication order dot1x mab 


215 

Flex-Auth Sequencing (LWA) 

Default Order: 802.1X First Flex-Auth Order: MAB First 

By default, the 

switch attempts 

most secure 

auth method 

first. 

Timeout can 

mean 

significant 

delay before 

MAB. 



Timeout / 

Fail 

MAB 

MAB 

fails 

ISE sends 

Web Auth 

Alternative 

order does 

MAB on first 

packet from 

device 

MAB 


216 

MAB 

fails 



Timeout 

ISE sends 

Web Auth 

108



Flex-Auth Sequencing (CWA) 

Default Order: 802.1X First Flex-Auth Order: MAB First 

By default, the 

switch attempts 

most secure 

auth method 

first. 

Timeout can 

mean 

significant 

delay before 

MAB. 



Timeout / 

Fail 

MAB 

MAB 

Succeeds 

Central 

Web Auth 

Alternative 

order does 

MAB on first 

packet from 

device 

MAB 

MAB 

Succeeds 

Central 

Web Auth 


217 

EAPOL 

Start 


Flex-Auth Order with Flex-Auth Priority 

MAB 

MAB 

fails 


MAB 

passes 

Default Priority: 802.1X 

ignored after successful MAB 

Port 

Authorized 

by MAB 

Flex-Auth Priority: 802.1X 

starts despite successful MAB 

EAPoL-Start 

Received 

Priority determines which method can preempt other methods. 

By default, method sequence determines priority (first method has 

highest priority). 

If MAB has priority, EAPoL-Starts will be ignored if MAB passes. 


218 

109




Web Auth 

Guest 

Employee 

TECSEC-2041 


What ACME Expects for Web Auth 

Customizable 

Login Page 

802.1X/MAB 

Compatibility 

Parity for 

Wired / WLAN 

Centralized Web 

Page Management 

Flexible 

Access Policies 

Centralized Accounting 

Integrated Web Authentication 

ISE Administration 

and Policy Services 

Sponsored 

Guest Credentials 


Existing Credential Stores 


220 

M&T 

PAP 

110



Introducing…Web-Auth‟s New Best Friend 

Multi-Function Standalone Appliance 

Customizable Hotspot Hosting 

ISE 

Identity Services Engine (ISE) 

Sponsored Guest Access Provisioning, Verification, Management 


221 

Old Way: Local Login Pages 

Default (Auth-Proxy Banner) 

ip admission auth-proxy-banner http ^C Here is 

what the auth-proxy-banner looks like ^C 

Fixed Text 

Text only 


222 

111

Enhanced Web Auth – Centralized Login 

Page 



1. 

Cisco ISE 

4. 

2. 

New with ISE 1.0! 

switch 

1. Guest opens Web browser 

2. Web traffic is intercepted 

by switch and redirected to 

ISE Guest Services. 

3. ISE returns centralized 

web login page 


223 

Web Authentication Can Be Used For 

Guests and/or Employees 

Guest 

Employee 

ISE 


224 

3. 

ISE 

• ISE can use Identity Sequences to check the Local Guest Account 

Repository then Active Directory. 

• ISE can assign different levels of access to Guest and Employee 


112












MAB Success/Continue 

-> Web-Auth Success 

Unknown / 

Unauthorized 


MAB Success/Continue 

-> Web-Auth Fail 



225 

DEMO Time 





Voice Access 



Access 


Next-Method for 802.1X Timeout & Fail 

TECSEC-2041 


Permit-Any dACL 

Permit-Internet dACL 

Pre-Auth ACL 


113



802.1X Adding next-method Feature 


description Dot1x Demo with Auth-Fail VLAN 










mab 



227 

802.1X: Next-method on fail 

Switch#show authentication sessions interface g1/13 



IP Address: 10.1.2.201 



Domain: DATA 







Common Session ID: 0A640A0500001651613D5C04 


Handle: 0x1B000652 


Method State 




228 

114



802.1X: “View” of next-method fail over 

to successful MAB 


229 

802.1X Changing Default Order & 

Priority 


description Dot1x Demo with Non-Default Order 






mab 


… 

• Changing Order 

Automatically 

Changes Default 

Priority 

Switch(config)#interface g1/13 

Switch(config-if)#no shut 

*Dec 5 10:33:15: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) 

on Interface Gi1/13 

*Dec 5 10:33:15: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' 

for client (0014.5e95.d6cc) on Interface Gi1/13 

Switch(config)#do show auth sess 

Interface MAC Address Method Domain Status 

Gi1/13 0014.5e95.d6cc mab DATA Authz Success 

*Dec 5 11:11:24: dot1x-packet(Gi1/13): Received an EAPOL frame 

Switch(config)#do show auth sess 


Gi1/13 0014.5e95.d6cc mab DATA Authz Success 

EAPoL-Start 

is ignored 


230 

115



802.1X Changing Default Priority 

Switch(config-if)#authentication priority dot1x mab 

*Dec 5 11:13:08: dot1x-packet(Gi1/13): Received an EAPOL frame 

*Dec 5 11:13:08: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client 

(0014.5e95.d6cc) on Interface Gi1/13 

*Dec 5 11:13:08: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.5e95.d6cc) 

on Interface Gi1/13 

Switch(config-if)#do show auth s 


Gi1/13 0014.5e95.d6cc dot1x DATA Authz Success 


231 

ISE – Create dACL for Web-Auth 

• In this example, all 

HTTP/HTTPS 

permitted; any web 

traffic from user 

can be redirected 

to Web Auth Portal 

on TCP/8443 

• In addition to DNS 

and ping, traffic to 

ISE web auth 

portal @ 

10.1.100.21 

(TCP/8443) is 

explicitly permitted. 


232 

116



ISE – Create Authz Profile for Web-Auth 

Port DACL = Traffic 

permitted/denied 

per unique host, 

per switch port 

(ACL is centrally defined) 

Of the traffic permitted 

in Port DACL, the 

Redirect ACL = Traffic to be 

redirected to web service. 

(ACL is locally defined on switch) 

Attr Details show 

actual RADIUS 

attributes returned 

to access device 


233 

ISE – Create Authz Policy for Web-Auth 

• In this example, if no other policy rule matches, the Default policy is to 

redirect users to Central Web Authentication services. 


234 

117



ACS – Create Web-Auth Authz Profile 

(1) 


235 

Switch: Local Web Auth Configuration 

ip admission name RULE1 proxy http 




fallback profile WEB-AUTH 


ip admission RULE1 















line con 0 









no authentication event no-response 


dot1x max-req 

mab 







236 

118



Switch: Central Web Auth Configuration 

aaa authentication dot1x default group radius 

aaa authorization network default group radius 

aaa accounting dot1x default start-stop group radius 








remark Allow HTTPS 

permit tcp any any eq 443 





ip access-list extended ACL-WEBAUTH-REDIRECT 

deny ip any host X.X.X.X 

permit ip any any 










authentication host-mode multi-auth 



authentication priority dot1x mab 


mab 



aaa server radius dynamic-author 

client X.X.X.X server-key cisco123 

radius-server attribute 6 on-for-login-auth 


radius-server attribute 25 access-request include 


radius-server vsa send accounting 



237 

Web Auth User Experience 


238 

119



ISE Web Auth User Experience 


239 


IP Telephony 

TECSEC-2041 


120

Voice Ports 



802.1X & IPT: A Special Case 

With Voice Ports, a port can belong to two VLANs, while still allowing 

the separation of voice/data traffic while enabling you to configure 


An access port able to handle two VLANs 

Native or Port VLAN Identifier (PVID) / Authenticated by 802.1X 

Auxiliary or Voice VLAN Identifier (VVID) / Authenticated by 802.1X 

Hardware configured with voice VLAN ID 

Untagged 802.3 

Tagged 802.1q 


241 

IPT & 802.1X: Fundamental Challenges 

―The operation of Port Access Control 

assumes that the Ports on which it operate 

offer a point-to-point connection between a 

single Supplicant and a single Authenticator. 

It is this assumption that allows the 

authentication decision to be made on a per- 

Port basis.‖ 

IEEE 802.1X rev 2004 

1 

Two devices per port 

Security Violation 

1 

One device per port 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

IPT Breaks the Point-to-Point Model 


242 

2 

2 

Catalyst 3750 SERIES 


Link State Dependency 

????? 

PC Link State is Unknown to Switch 

121



First Solution: CDP Bypass 

Data VLAN 

Voice VLAN 


243 

CDP 





Benefits Deployment Considerations 

Access to voice VLAN after phone sends CDP CDP-capable hackers get full access, too. 

Default behavior: Cisco IP Phones get access 

if voice VLAN configured 

No visibility, No access control 

Works for all Cisco phone models Incompatible with dynamic VVID, 

downloadable ACLs (dACLs), PC Web Auth 

Second Solution: Multi-Domain 

Authentication (MDA) Host Mode 

IEEE 802.1X 

Single device per port Single device per domain per port 

Data Domain 

• Phones and PCs use 802.1X or MAB 

• MDA is a subset of Multi-Auth 

MDA 

Voice Domain 




244 

122



MDA with MAC Authentication Bypass (MAB) 

00.18.ba.c7.bc.ee 

No Response 

No Response 

No Response 




Fallback to MAB 

Learn MAC 

Voice VLAN Enabled 

√ 

Link up 

RADIUS-Access 

Request: 00.18.ba.c7.bc.ee 

RADIUS-Access Accept 

device-traffic-class=voice 


245 

0:00 0:01 0:05 0:10 0:20 0:30 

0:00 0:01 0:05 0:10 0:20 0:30 

0:00 0:01 0:05 0:10 0:20 0:30 

Timeout 

Timeout 

Timeout 


No client, no credential needed -> Works 

for all Cisco phone models 

Dependency on AAA server 

Enables visibility, access control Must create & maintain phone MAC database 

Compatible with 802.1X features Default 802.1X timeout = 90 seconds latency 

(mitigated by Low Impact Mode) 

MDA with 802.1X 

Supplicant 

EAPoL Start 



EAPoL Response Identity 


EAP-Response: TLS 

EAP-Request: TLS Client Hello 

EAP Success 

―Voice VSA‖ 

Authenticator AAA Server 


[AVP: EAP-Response: CP-79xx-xxxxxxxx 

RADIUS Access-Challenge 

[AVP: EAP-Response: TLS] 


[AVP: EAP-Request: TLS Server Hello] 

RADIUS Access-Accept 

[AVP: device-traffic-class=voice] 

[AVP: voice VLAN 10, dACL-n] 


Actual 

Exchanges 

depend on EAP 

Method (MD5, 

TLS, FAST) 

Strong Authentication with Minimal Delay Choice of EAP Method impacts deployability 

Can be deployed without touching the phone 

or creating a database. 

Requires: 7970G, 79x1, 79x2, 79x5 with 

X.509 cert support & firmware 8.5(2) 

Compatible with 802.1X features AAA server dependency 


246 

123

MDA in Action 

PC 

Authenticated 

by 802.1X 

Phone 

authenticated 

by MAB 

Either 802.1X or MAB for phone 



3750-1(config-if)#do sh dot1x int G1/0/5 details 

 

Dot1x Authenticator Client List 

------------------------------- 

Domain = DATA 

Supplicant = 0014.5e42.66df 

Auth SM State = AUTHENTICATED 

Auth BEND SM State = IDLE 

Port Status = AUTHORIZED 

Authentication Method = Dot1x 

Authorized By = Authentication Server 

Domain = VOICE 

Supplicant = 0016.9dc3.08b8 

Auth SM State = AUTHENTICATED 

Auth BEND SM State = IDLE 


Authentication Method = MAB 

Authorized By = Authentication Server 

Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for PC 


247 

Implementation Details 

The access port on the switch allows two VLANs, i.e. PVID for 

data traffic and VVID for voice traffic 

LLDP processed by switch on uncontrolled port 

Not used for 802.1X exemption criteria (at all) 

CDP processed by switch on uncontrolled port 

Not used for 802.1X exemption criteria (when MDA is used) 

Guest-VLAN works on PVID only (Re: limited to data devices) 

Auth-Fail-VLAN works on PVID only (Re: limited to data 

devices) 

Critical VLAN works for one domain only (Re: limited to data 

devices) 


248 

124



Summary: Multiple Hosts per Port 

Host Mode Enforcement Deployment Considerations 

Single Single MAC address per port • Second MAC address triggers a security violation 

• VMs on the host must share the same MAC 

address. 

• CDP Bypass is the only IPT solution. 

Multi-Domain Auth 

(MDA) 

One Voice Device + 

One Data Device per port 

Multi-Auth Superset of MDA with 

multiple Data Devices per 

port 

Multi-Host One authenticated device 

allows any number of 

subsequent MAC addresses. 

• Same as single host mode except phone 

authenticates 

• Supports third party phones 

• Authenticates every MAC address in the data 

domain. 

• VMs on the host may use different MAC 

addresses. 

• One VLAN (default port VLAN) for all devices on 

the port 

• Not recommended 

• VMs on the host may use different MAC 

addresses. 

• CDP Bypass is the only IPT solution. 


249 











Success 

Unknown / 

Unauthorized 



Fail 





Voice Access MDA with Voice VSA + 




Access 



Permit-Internet dACL 

Pre-Auth ACL 

All None (AAA server down) Limited Access Pre-Auth ACL 


250 

125



IPT & 802.1X: The Link-State Problem 

1) Legitimate users cause security violation 

A 

S:0011.2233.4455 

A 

S:0011.2233.4455 

B 

S:6677.8899.AABB 

S:0011.2233.4455 

F0/2 authorized for 

0011.2233.4455 only 

Security Violation 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

2) Hackers can spoof MAC to gain access without authenticating 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

Security Hole 

0011.2233.4455 already 

authorized on F0/2 


251 

Partial Solution: Proxy EAPoL-Logoff 

B 

A 

SSC 

PC-A Unplugs 

Session cleared 

immediately by 

proxy EAPoL-Logoff 

PC-B Plugs In 

SSC 

Domain = DATA 

Supplicant = 0011.2233.4455 



EAPol-Logoff 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

Domain = DATA 

Port Status = UNAUTHORIZED 



A 

S:0011.2233.4455 


252 



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

SYST 1X 

15X 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

MODE 

2X 

16X 

17X 

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 

31X 

18X 

32X 

33X 

43 44 45 46 47 48 

47X 

1 3 

2 4 

34X 

48X 

Domain = DATA 

Supplicant = 6677.8899.AABB 




1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

Caveats: 

• Only for 802.1X 

devices behind phone 

Requires: 

Logoff-capable Phones 

126



Partial Solution: Inactivity Timeout Options 

Device 

Unplugs 

Vulnerable to security 

violation and/or hole 

Inactivity Timer 

Expires 

Session cleared. 

Vulnerability closed. 

Domain = DATA 

Supplicant = 0011.2233.4455 



Domain = DATA 

Supplicant = 0011.2233.4455 



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 


253 



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

SYST 1X 

15X 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

MODE 

2X 

16X 

17X 

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 

31X 

18X 

32X 

33X 

43 44 45 46 47 48 

47X 

1 3 

2 4 

34X 

48X 

Domain = DATA 



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

SYST 1X 

15X 17X 

31X 33X 

47X 

1 3 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

2 4 

MODE 

2X 

16X 18X 

32X 34X 

48X 

Partial Solution: MAC Move 

PC MAC: 00-1C-25-BA-6D-3B 

Office 

Conference Room 

Intermediary Deice 

1 PC Connects and Authenticates 

2 CAM Table updated (MAC/Port) 

3 PC Moved to new location 

4 PC Authenticates 

5 Previous Session deleted and CAM 

Table updated with new entry 

interface GigE 1/0/5 






authentication timer inactivity [300 | server] 

mab 

Caveats: 

Quiet devices may have to reauth; 

network access denied 

until re-auth completes. 

Still a window of vulnerability. 

3K: 12.2(50)SE* 

4K: 12.2(50)SG 

6K: 12.2(33)SXI 

Wiring Closet 

CAM TABLE 

MAC Addr Switchport 

00-1C-25-BA-6D-3B 

00-1C-25-BA-6D-3B 

Best Practice: Combine MAC 

Move with Inactivity Timer 

Gigabit Ethernet 1/0/1 


ISE - AAA RADIUS 


254 

127

PC(A) MAC: 00-1C-25-BA-6D-3B 

Office 



A 

Partial Solution: MAC Replace 

1 PC A connects (assume 802.1X/MAB process occurs) 

2 Authentication Succeeds 

3 CAM Table updated (MAC/Port) 

4 PC A disconnects 

B PC(B) MAC: 00-1C-25-BA-6E-4C 

5 PC B connects 

Intermediary Deice 

6 Authentication succeeds 

7 CAM updated with new MAC Address 

CAM TABLE 

MAC Addr Switchport 

00-1C-25-BA-6D-3B 

00-1C-25-BA-6E-4C 

Wiring Closet 


ISE - AAA RADIUS 


255 

Full Solution: CDP 2 nd Port Notification 

Device A Unplugs 

Phone sends link 

down TLV to switch. 

Device B Plugs In 

Domain = DATA 

Supplicant = 0011.2233.4455 



CDP Link Down 


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

SYST 1X 

15X 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

MODE 

2X 

16X 

17X 

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 

31X 

18X 

32X 

33X 

43 44 45 46 47 48 

47X 

1 3 

2 4 

34X 

48X 

Domain = DATA 



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

SYST 1X 

15X 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

MODE 

2X 

16X 

17X 

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 

31X 

18X 

32X 

33X 

43 44 45 46 47 48 

47X 

1 3 

2 4 

34X 

48X 

Domain = DATA 

Supplicant = 6677.8899.AABB 




1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

SYST 1X 

15X 

RPS 

MASTR 

STAT 

DUPLX 

SPEED 

STACK 

MODE 

2X 

16X 

17X 

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 

31X 

18X 

32X 

33X 

43 44 45 46 47 48 

47X 

1 3 

2 4 

34X 

48X 

id-4503#sho cdp neigh g2/1 detail 

------------------------- 

Device ID: SEP0015C696E22C 

Entry address(es): 

IP address: 10.1.200.10 

Platform: Cisco IP Phone 7971, Capabilities: Host 

Phone Two-port Mac Relay 

Interface: GigabitEthernet2/1, 

Port ID (outgoing port): Port 1 Holdtime : 168 sec 

Second Port Status: Down 

Link status msg addresses 

root cause 

Session cleared immediately. 

Works for MAB, 802.1X, and 

Web-Auth. 

Nothing to configure 

IP Phone: 8.4(1) 

3K: 12.2(50)SE 

4K: 12.2(50)SG 

6K: 12.2(33)SXI 


256 

128

DEMO Time 

MDA 

Phone with MAB 

TECSEC-2041 





Create Phone Group 


258 

129




Add 7960 to Host Database in Phone Group 


259 


Create Phone Authorization Profile 


260 

130




Add Phone Authz Policy Entry 


261 


Add Phone Authz Policy Entry 


262 

131



Switch Configuration 


description Dot1x Demo with MDA 











mab 



263 

Cisco IP-Phone 802.1X 

Phone Booting 


264 

132

Access Via the Security 

Settings Menu 





265 


802.1X Off by Default 


266 

133




Set EAP-MD5 Password 


267 


Device ID must = ACS User ID 


268 

134

Checking Status 




269 

Checking Status 

#show auth s int g1/13 


MAC Address: 001b.d513.031c 

IP Address: 10.1.200.200 

User-Name: 00-1B-D5-13-03-1C 


Domain: VOICE 






Common Session ID: 0A640A050000167067461170 


Handle: 0x64000671 


Method State 



webauth Not run 


270 

135

DEMO Time 

CDP 2 nd Port Notifications 

TECSEC-2041 




Security Group Access with 


TECSEC-2041 


136



Challenge of Ingress Access Control 

List 

Users, 

Endpoints 



dACL Content 


(3K/4K/6K) 


permit protocol any to Site A Servers eq services 

permit protocol any to Site B Servers eq services 

deny protocol any to Site C Servers eq services 

permit protocol any to Site D Servers eq services 

ISE 1.0 

Campus 


Internet 

Switch needs to be aware of all network segment + address that 

need to be protected 

More dACL ACEs consume limited TCAM space on switches 

Simple Networks/Policy can use dACL only 


273 

Site A 

Site D 

SGA and Low Impact Mode Interop 

Reviewing Ingress & Egress Enforcement 




Users, 

Endpoints 



(3K/4K/6K) 


Campus 


ISE 1.0 

Cat 6500 w/ 

SUP 2T 

Low Impact Mode is enabled on ―ingress enforcement point‖ 

Low Impact Mode can co-exist with SGA by 

1. Keep the dACL very simple 

2. Control traffic with SGACL at egress enforcement point 


274 

Site B 

Site C 



137





•Low Impact Mode allows customer to permit necessary 

traffic (boot strap services such as PXE, WoL, etc) before 

authentication for current service continuity 

•TrustSec SGA integration eases dACL challenges by 

reducing number of ACEs needs to be downloaded to 

ingress port 

•Low Impact Mode could simply allow employee to have 

full access to the corporate network while restricting guest 

user to have Internet access only, for instance 

•Egress access control with SGT differentiates service 

among Employee group based on individual role 

Difference between Monitor and Low Impact Mode is to enable very basic 

enforcement at ingress interface while keeping openness for easy deployment 


275 

SGA with Low Impact Mode Use Case 

Selective Access with SGT Enforcement 





Users, 

Endpoints 



(3K/4K/6K) 





Campus 


AUTH=OK 

ACL=Permit IP Any 

SGT=10 

ISE 1.0 

SRC \ DST 

ACME 

User(10) 

HR User 

(10) 

Internet 

Cat 6500 w/ 

SUP 2T 

HR Server 

(111) 

ACME Server 

(222) 



HR Server 

ACME Server 

Unknown 

(0) 

Deny all Permit all Permit all 

Permit all Permit all Permit all 


2. Pre-Auth ACL only allows selective service before authentication 

3. Authentication is performed and results are logged by ACS. dACL is downloaded 

along with SGT 



Guest (30) Deny all Deny all Permit all 

ACME Server 


276 

138



SGA with Low Impact Mode Use Case 

Selective Access with SGT Enforcement 





Users, 

Endpoints 



(3K/4K/6K) 





AUTH=OK 

SGT=30 

Campus 


ISE 1.0 

SRC \ DST 

ACME 

User(10) 

HR User 

(10) 

Internet 

Cat 6500 w/ 

SUP 2T 

HR Server 

(111) 

ACME Server 

(222) 



HR Server 

ACME Server 

Unknown 

(0) 

Deny all Permit all Permit all 

Permit all Permit all Permit all 








ACME Server 


277 

Location Based Access Control 

with Security Group Access 

TECSEC-2041 


139



More Flexible Policy with Role-Based 

Access Control 

Identity 

Information 

Identity: 


Administrator 

Identity: 

Full-Time 

Employee 

Identity: 

Guest 

+ 

Other 

Conditions 

Access 

Privilege 

Engineering 

Everyone Has a Different Role 

Time and Date 

Human Resources 

Susan Kowalski 

Employee 

Sales Director 

Location 

Access Type 

Rossi Barks 

Employee 

HR 

Vicky Sanchez 

Employee 

Marketing 

Finance 

Francois Didier 

Home Access Employee 

Consultant 

Guest 

Deny Access 


279 

Policy for Today‟s Business Requirement 

Identity 

Information 

Identity: 


Administrator 

Identity: 

Full-Time 

Employee 

Identity: 

Guest 

+ 

Other 

Conditions 

Time and Date 

Location 

Access Type 

Access 

Privilege 

Consultant 


Finance 

Marketing 

Guest 

Deny Access 


280 

140

Identity 

Information 

Identity: 


Administrator 

Identity: 

Full-Time 

Employee 

Identity: 

Guest 



Role + Rule–Based Access Control 

Example: Human Resources Role 

+ 

Other 

Conditions 

Time and Date 

Location: Campus 

Access Type: 

Wired 

Access 

Privilege 

Rossi BarksEngineering 

Employee 

HR 


Finance 

Home Access 

Guest 

Deny Access 


281 

Role + Rule–Based Access Control 

Example: Human Resources Role 

Identity 

Information 

Identity: 


Administrator 

Identity: 

Full-Time 

Employee 

Identity: 

Guest 

+ 

Other 

Conditions 

Time and Date 

Location: Off-site 

Access Type: 

Wired 

Access 

Privilege 

Rossi BarksEngineering 

Employee 

HR 


Finance 

Home Access 

Guest 

Deny Access 


282 

141



Policy Elements Sample 

Rossi Barks 

Type: Reg. Employee 

Title: Sr. HR Advisor 

Group: HR Admin Group 

Dept ID: 240087 

Office: 408-878-9097 

Mail: rbarks@stsam.org 

Policy Conditions 

Access Type 

Location 

Date and Time 

Network Device Type 

NAD IP Address 

EAP Auth Method 

Authentication Status 

AD Group 

LDAP Attributes 

RADIUS Attribute 

: 

: 


283 

Access Rule Enforcement 

Network Access Authorization Policy provides 

powerful ―IF-THEN-ELSE‖ policy condition to 

apply detailed corporate policy. 

Authorization profile provides ingress policy 

enforcement methods. 

Security group can be assigned to endpoint at 

the same time. 

Authorization Methods 

Downloadable ACL (Ingress) 

SGACL (Egress) 


284 

142



SGA with Location 

Privacy Requirements – Require Proper Location 

HR User 

not in proper 

locale 


(3K/4K/6K) 

Campus 


SRC \ DST 

ISE 1.0 

Cat 6500 w/ 

SUP 2T 

HR Server 

(111) 

ACME Server 

(222) 



HR Server 

ACME Server 

Unknown 

(0) 

HR Off Site (8) Deny all Permit all Permit all 

HR User (10) Permit all Permit all Permit all 








ACME Server 


285 

DEMO Time 

Low Impact Mode with SGA 

TECSEC-2041 

AUTH=OK 

SGT=8 


X 

143



Phase 3: High Security Access 

Control 

TECSEC-2041 


Phase 3: ACME Acquires Widget, Inc. 

New Security Policy & Network 

Requirements: 

Regulatory Requirements dictate 

logically separate networks until 

all operating countries approve 

acquisition. 

New regulatory/privacy 

requirements on IT staff with 

―multi-national‖ acquisition 


288 

144

Phase 3: ACME Acquires Widget, Inc. 

New Security Policy & Network 

Requirements: 

VLAN Segmentation 

• ACME on the ACME VLAN 



• Widget employees on the WIDGET VLAN 

• Share use machines on MACHINE VLAN. 

• Unauthenticated devices on RESTRICTED 

VLAN only. 

Branch Survivability 

• ―fail open‖ when AAA server is unreachable. 

ACME‘s Goals Can Be Met With 

High Security Mode 


289 

How this will happen 

Policy Change Solution Change 

VLAN Segmentation Dynamic Identity-based VLAN 

assignment 

No unauthenticated traffic on DATA 

VLAN 

Unauthenticated devices on 

RESTRICTED VLAN only 

Open mode -> Closed Mode 

Local authorization (AuthFail 

VLAN, Guest VLAN) – Unknown 

SGT 

Branch Survivability Critical Auth VLAN – Unknown 

SGT 


290 

145



High Security: Network Access Table 



ACME 802.1X Success 



Widget 802.1X Success 

Unknown / 

Unauthorized 


MAB Fail 



None 


291 

Dynamic Authorization 


Identity- 

Based 

VLAN Name 

Standards- 

Based 

Tunnel 

Attributes 



Voice Access 

Widget Access 



• Assigned VLAN is based on identity at time of 


• Identity can be individual or group 

• VLANs assigned by name (not number); allows for 

more flexible VLAN management 

• Assigned VLAN must match switch configuration; 

mismatch results in authentication failure. 

• Usage for VLANs is specified in the IEEE 802.1X 

standard 

• RFC 2868 defines tunnel attributes that AAA server 

uses to send to VLAN name to switch 

• [64] Tunnel-type—―VLAN‖ (13) 

• [65] Tunnel-medium-type—―802‖ (6) 

• [81] Tunnel-private-group-ID— 


292 

146



Identity Networking Feature Overview 

Employee 

Servers 

Employee Contractor Guest 

“Guest” VLAN 

Tunneled to 

Internet DMZ 

Identity 

Services 

Engine 

Dynamic VLAN assignment 

Dynamic security policy 

assignment using ACLs 

Identity Networking-based 

user/port accounting 


293 

Segmenting Users, Devices and Networks 

Dept: 

HR 

Overlapping 

Address Space in 

Dept-HR and Dept- 

ENGR Can Co-Exist 

Internet 

Si 

Si 

Si 

Guest 

Dept Dept: 1 

ENGR 

VoIP on an 

Ultra-Secure 

Segment 

Encrypted 

Voice 

Problem: 

Campus-wide VLANs are not 

always the optimal design when 

building networks that can support 

roaming or ―Guest‖ VLANs—is 

there another option? 

Cisco Solution: 

Once the ―Identity‖ has been 

established, map the VLAN to 

―Policy Domains‖ or internal Virtual 

Networks 

Internal Networks use the same 

infrastructure, but can‘t ―See‖ each 

other; security, QoS and 

administrative policies are 

maintained 


294 

147

“Guest” VLAN 

Tunneled to 

Internet DMZ 



Ho Segmenting Users, Devices and Networks 

Dept: 

HR 

Overlapping 

Address Space in 

Dept-HR and Dept- 

ENGR Can Co-Exist 

Internet 

Si 

Si 

Si 

Guest 

Dept Dept: 1 

ENGR 

VoIP on an 

Ultra-Secure 

Segment 

Encrypted 

Voice 

Use the Network to Provide 

Isolation and Simplified Policy 

Enforcement 

GRE tunnels and policy routing 

VRF-Lite end-to-end—(virtual 

route forwarding) 

VRF-Lite at the distribution with 

MPLS L3 VPNs at 

the core 

MPLS L3 VPNs end-to-end 


295 

Network Virtualization with SGA 

Business continuity for 

Data Centers 

Widget, Inc. 

Virtual Virtual 

Virtual 

Physical Network 

Definition: 1 to Many. One network supports many virtual networks 

ACME High-level Technical Requirements 

ACME 

Separate Widget and ACME networks until regulatory agencies approve acquisition in multiple countries 

Dynamic VLAN assignment allows Widget/ACME employees to be placed in the correct network 


296 

148



SGA Integration with Network 

Virtualization 

Fine-tuning of network policy yields 

greater scalability 

Virtual Network used for coarse-grained 

virtualization of ACME vs. Widget networks 

SGA enhances policy control by providing 

fine-grained virtualization of user/groups 

within the existing virtual domains 

Servers are separated by color 

Traffic will gravitate towards correct server 

across integrated core 

One SGA namespace per network 

SGTs must be unique per virtual 

network 

―acme employee‖ = SGT 10 while ―Widget 

employee‖ = SGT 20 

Widget ACME 


297 

802.1X User Distribution 

Enhances Dynamic VLAN Assignment 

Addresses Two Use Cases: 

Allow mapping the RADIUS 

provided VLAN name to different 

VLANs on different switches (no 

need to re-configure RADIUS provided 

VLAN name). 

Allow distribution of RADIUS 

provided VLAN to multiple 

different VLANs locally available 

on the same logical switch (load 

balancing) (reduces broadcast 

domain) 

Different VLANs on Different Switches 


298 

SW1 

SW2 

VLAN 20 ACME-DATA-SW1 

VLAN 30 ACME-DATA-SW2 

Large Number of Ports 

VLAN 40 ACME-GROUP-1 



ACME-DATA 

ACME-DATA 

149



User Distribution “Mapping” Can Simplify 

Migration to Dynamic VLANs 

Traditional VLAN assignment 

is by VLAN name 

VLAN Name Number 

ACME 30 

…. …. 


30 

User VLAN 

Alice ACME 

AAA Server 

AAA 

Server 

SW1 SW2 

Allows flexible adoption in existing environments 

No need to reconfigure existing VLANs 

Simplifies Policy in AAA Server 

User distribution assigns 

by VLAN group (or name) 

VLAN Name Number 

ACME-2 40 

…. …. 


VLAN Group Number 

ACME 40 

…. …. 


299 

User Distribution: “Distribution” 

corporate 

RADIUS Attribute: 

corporate maps to 

VLAN 20, 21 & 22 

RADIUS 

Dist 

User 

Attribute: 

corporate 

Algorithm 

AAA 

Server 

AAA Server 

high port 

density 

VLAN 20 corp-1 VLAN VLAN 

VLAN 21 corp-2 

VLAN 22 corp-3 

22 20 

VLAN 21 

Allows highly scalable 802.1X-based VLAN assignment in a large scale 

campus LAN deployment 


300 

40 

Evenly Distributed 

150



Configuring VLAN groups 

Switch(config)# vlan group vlan-list 

: Name for the VLAN group starting with an alphabet 

: Comma separated VLANs or a range of VLANs or a 

single VLAN 

Switch(config)#vlan group corporate vlan-list 4 

Switch(config)#vlan group corporate vlan-list 40-50 

Switch(config)#vlan group corporate vlan-list 12,52,75 


301 








Machines 802.1X Success 

Unknown / 

Unauthorized 


MAB Fail 


None Closed Mode 

All None (AAA server down) Enterprise Access 

Enterprise Access Default DATA VLAN 


Voice Access Voice VLAN 

Widget Access Widget VLAN 

Machine Access 



302 

151

DEMO Time 



Closed Mode with VLAN assignment 

TECSEC-2041 



Modify Contractor Profile to assign VLAN 


304 

152




Modify Default Profile to assign VLAN 


305 

Switch Output: Contractor 




IP Address: 10.1.50.201 



Domain: DATA 







Common Session ID: 

0A640A05000016777A900AB0 

Acct Session ID: 0x0000167D 

Handle: 0xE0000678 


Method State 



6506-2# 


306 

153



Switch Output: Employee 




IP Address: 10.1.20.201 



Domain: DATA 







Common Session ID: 

0A640A05000016777A900AB0 

Acct Session ID: 0x0000167D 

Handle: 0xE0000678 


Method State 


mab Not Run 

6506-2# 


307 

User and Machine/Device 

Authorization 

TECSEC-2041 


154



802.1X & Dynamic VLANs 


VLAN 

Proliferation 

Address 

Changes 

*VSS removes this requirement 

• Every access switch must support every assignable 

VLAN 

• In multi-layer deployments, all these VLANs must be 

trunked to distribution layer. 

• Every new VLAN will require a new subnet on every 

access switch (routed access & multi-layer*) 

• SGA is one means to help reduce this by classifying 

by SGT rather than VLAN 

• Devices that change VLANs as a result of 

authentication MUST be capable of getting a new 

address on the new VLAN. 

• Most supplicants CAN get a new address 

• Most clientless devices CANNOT 

• Even successful address changes can cause 

problems with end host functionality. 

• SGA is one means to help authorize devices that 

can‘t change VLANs 


309 

802.1X and VLAN assignment 

DHCP Renewal - Microsoft Windows example 

When using dynamic VLAN assignment with user & machine 

authentication, the host‘s VLAN can change when user logs in. 

IP address may need to change also 

Supplicant behavior has been addressed by Microsoft 

Windows XP: install service pack 1a + KB 826942 

Windows 2000: install service pack 4 

Needed for VLAN assignment with Wireless Zero Config 

Updated supplicants trigger DHCP IP address renewal 

Successful authentication causes client to ping default gateway (three times) with a sub-second 

timeout 

Lack of echo reply will trigger a DHCP IP renew 

Successful echo reply will leave IP as is 

Prerenewal ping prevents lost connections when subnet stays the same when client may be 

WLAN roaming 


310 

155

User 



Coping with VLAN Change 

DHCP Renewal - Microsoft Windows Example 


Device ISE Identity Store 

Device Authentication 


USER Login Req. 

Send Credentials 

Accept 

ICMP Echo (x3) for Default GW 

from ―Old IP‖ as Soon as 

EAP-Success Frame Is Rcvd 

DHCP-Request (D=255.255.255.255) 

(After Pings Have Gone Unanswered) 

DHCP-Discover (D=255.255.255.255) 

Forward Credentials to ACS Server 

Auth Successful (EAP—Success) 

Actual technique is 

supplicant dependent 

User VLAN Assignment 

DHCP-NAK (Wrong Subnet) 

At This Point, DHCP Proceeds Normally 


311 

VLAN Changes Can Disrupt Desktop 

Operation 

In Legacy (pre-Vista) Microsoft environments, changing the VLAN 

can break user and/or machine GPOs. 

Windows 7 cannot re-negotiate secure connection with AD if IP 

address changes during GPO download. 

What‘s a GPO? And 

why should I care 

about breaking it? 

A Group Policy Object (GPO) is used to deliver and apply 

configurations or policy settings to a set of targeted users and 

computer within an Active Directory environment. Windows Admins 

use GPOs for system compliancy and security enforcement , e.g.: 

Network Device mapping 

Applying Logon / Logoff scripts to workstations 

Batch mechanism to trigger applications 

Security compliance enforcement such as password rule, etc. 

Breaking GPOs is a RPE 

(Resume Producing Event) 


312 

156



“Ideal” Microsoft Boot Process 

If Only It Were This Easy 

Power On 




(DNS, LDAP) 


Channel to AD 

(LDAP, SMB) 






Components that depend on 

network connectivity 

Machine Authentication 

“Pre-Logon” User 









313 

GINA 


(Async) 



Real Boot Process With Fast Logon 

Machine GPOs will Break 

Power On 




(DNS, LDAP) 


Channel to AD 

(LDAP, SMB) 






802.1X Machine 

Auth 

Machine VLAN 

GINA 

X X X 

User VLAN 

Kerberos Auth 





Kerberos Auth 






(Async) 


314 

GINA 

802.1X User 

Auth 



Fast Logon 

Optimization 

Start of 802.1X auth may vary among supplicants Components that are in race condition with 802.1X Auth 

157



Real Boot Process With Race Conditions 

User GPOs can Break 

Power On 




(DNS, LDAP) 


Channel to AD 

(LDAP, SMB) 






802.1X Machine 

Auth 

Machine VLAN 

Kerberos Auth 









(Async) 


315 

GINA 

802.1X User 

Auth 

X X X 



User VLAN 

Start of 802.1X auth may vary among supplicants Components that are in race condition with 802.1X Auth 

Dynamic VLAN Assignment Best Practices 

Vista SP2 or Windows 7: 

• No Restrictions on VLAN assignment 

• Vista and Win7 Can Renegotiate Secure Connection with AD when 

IP Address Changes 

XP and earlier: 

• Use Only Machine Authentication OR… 

• Use the Same VLAN for User and Machine Authentication 

Reconsider ACLs/SGA if you don‘t need traffic isolation. 


316 

158











Unknown / 

Unauthorized 


MAB Fail 



317 

DEMO Time 

Machine VLAN 

TECSEC-2041 







Machine Access MACHINE VLAN 




ISE: using AD groups for Authorization Rules 

159



ISE – Accessing AD Groups 


319 

ISE – New Authz Rules 


320 

160



Switch State AFTER Machine Auth 

Switch#show auth sess int g1/13 



IP Address: 10.1.5.201 

User-Name: host/imac-mcs-11 


Domain: DATA 







Common Session ID: 0A640A050000167B812E372C 


Handle: 0x8B00067C 


Method State 


mab Not run 


321 

Switch State AFTER User Auth 




IP Address: 10.1.50.201 

User-Name: Administrator 


Domain: DATA 







Common Session ID: 0A640A050000167D81321334 


Handle: 0x5200067E 


Method State 


mab Not Run 


322 

161



Additional Considerations for 

Microsoft Windows 

TECSEC-2041 


Microsoft Deployment Considerations 

Boot Process 

Fast Logon Optimization 

Domains / Active Directory 

Machine Group Policies 

User Group Policies 

Logon Scripts 

Best Practices 


324 

162



Windows Boot & Logon Procedure 

Recall Default Security of 802.1X: 

No network connectivity until successful authentication. 

Windows Logon Process and 802.1X are not serialized at all for 

Windows 2000, XP, 2003, Vista, or Window 7 

802.1X may break Windows Logon sequence at some points 

Additional complications: 

Two authentication contexts to consider: Machine and User 

Dynamic VLAN assignment may introduce additional network initialization, 

impacting Windows Logon sequence (Windows was never designed to 

handle this event) 

Clear understanding and proper design is required for 

successful 802.1X deployments. 


325 

Fast Logon Optimization 

Microsoft concept to speed up serialized boot process 

Assumption : 

Always have a network connectivity 

Always get an IP address 

Run applications and services in parallel 

No waiting for 802.1X to complete 

Conclusion: 

Broken story for DHCP, Login script , GPO etc… 


326 

163



Microsoft Machine Group Policy Object 

Group policy is an infrastructure used to deliver and apply one or 

more desired configurations or policy settings to a set of targeted 

users and computer 

within an Active Directory environment 

A Group Policy Object (GPO) is one of the most common methods of 

system compliancy and security enforcement in a Windows 

environment 

GPO is a common use case scenario: 

Network Device mapping 

Applying Logon / Logoff scripts to workstations 

Batch mechanism to trigger applications 

Security compliance enforcement such as password rule, etc. 


327 

More About Group Policy 

Group Policy is processed in the following order: Local 

GPO, then GPOs linked to container in this order; site, domain, 

and OU 

Types of GPO Processing 

Synchronous GPO Processing - A series of processes where one 

process must finish running before the next one begins (e.g. Windows 

2000 or 2003 Application Startup/logon) 

Asynchronous GPO Processing - A series of process where its outcome 

is independent of other process (e.g. Windows XP Application 

Startup/logon) 

Periodic Refresh Processing - GPO is processed periodically (every 90 

minutes with randomized offset of up to 30 minutes by default) 


328 

164



GPO Network Dependency 

Successful GPO loading (without 802.1X involvement) requires following 

elements: 

1. Valid and routable IP address and connectivity to AD 

2. Windows startup serialization (Predictable Windows startup event) 

3. Fallback mechanism (Timeout mechanism, Local Logon, Periodic Policy Refresh, 

etc.) 

Key Protocol conversation during Windows Startup Process 

1. Addressing (DHCP) 

2. Site and Domain Determination (DNS, LDAP) 

3. Secure Channel Establishment to AD (SMB) 

4. Authentication (Kerberos) 

5. Time Synchronization (NTP) 

6. Policy Application (LDAP, SMB) 

Unstable network connectivity introduces instability in policy 

loading process 


329 

Group Policy Objects 

GPO: Group Policy Object 

Customize properties of the machine and the user regarding a 

specific group 

GPUPDATE - DOS command to force GPO updates (typically used 

when doing proof of concept) 

GPO update can also be scheduled by changing a registry value 

User + Machine GPO update 

Load 

NDIS 

Drivers 

DHCP 

Setup 

Secure 

Channel 

to DC 

Update 

GPOs 

Apply 

Computer 

GPOs 

Present 

GINA 

Windows 

Domain 

Auth 

DHCP 

Update 

GPOs 

Apply 

user 

GPOs 


330 

165



Logon / Logoff Scripts 

Two different logon scripts: 

NT4 

AD – related to GPO 

Machine and User 

Scripts are only executed during logon/logoff phases 

Example : network disk drive mapping 

User + Machine login script 

Load 

NDIS 

Drivers 

DHCP 

Setup 

Secure 

Channel 

to DC 

Update 

GPOs 

Apply 

Computer 

login 

script 

Present 

GINA 

Windows 

Domain 

Auth 

DHCP 

Update 

GPOs 


331 

Microsoft Authentication Best Practices 

Machine authentication using PEAP 

Uses account information for the computer created at the time the machine 

is added to the domain 

Computer must be a member of the domain 

If doing mutual authentication, the computer must trust the signing CA of 

the RADIUS server‘s cert 

Machine authentication using EAP-TLS 

Authenticates the computer using certs 

The computer must have a valid cert 

If doing mutual authentication, the computer must trust the signing CA of 

the RADIUS server‘s cert 

Easiest way to deploy is using MS-CA and Windows GPOs 

Apply 

user 

login 

script 


332 

166



High Security: Unknown Devices 

TECSEC-2041 


Flex-Auth for Unknown Devices 

Agentless Devices in High Security Mode 




2) Guest VLAN 



methods 








dies 


334 

167

Client 



Non-802.1X Client 

Guest VLAN 

X 


D = 01.80.c2.00.00.03 

1 Upon link up 

X 


D = 01.80.c2.00.00.03 

2 30-seconds 

X 

√ 


D = 01.80.c2.00.00.03 

EAP-Success 

D = 01.80.c2.00.00.03 

3 30-seconds 

4 30-seconds 

Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the 

wire (whether a supplicant is there or not) 

A device is only deployed into the guest VLAN based on the lack of response to the 

switch‘s EAP-Request-Identity frames (which can be thought of as 802.1X hellos) 

No further security or authentication to be applied. It‘s as if the administrator deconfigured 

802.1X, and hard-set the port into the specified VLAN 

Port Deployed 

into VLAN 51 


Process 


335 

Adding Guest VLAN Access 

interface GigabitE 3/13 




description Dot1x Demo with Guest VLAN 








dot1x max-reauth-req 2 

Timer tune is necessary for DHCP timeout on client 


336 

168



802.1X with Guest VLAN 


When a port moves to Guest VLAN, any number of additional MACs are 

allowed on the port without authenticating 

Guest VLAN is a switch-local authorization -> centralized policy on AAA 

server is not enforced 

Guest VLAN does not differentiate, e.g. guest users get the same access 

as a corporate printer 

Guest VLAN can be fallback after 802.1X timeout and MAB fail 

802.1X timeout dependency -> delayed network access. 

SGA Interop – SGT will be “Unknown” 

• Default timeout is 30 seconds with three retries (90 seconds total) 

• 90 seconds > DHCP timeout. 

Guest VLAN 


337 

Guest VLAN, LWA & CWA - Mutually 

Exclusive 


MAB 

MAB 

fails 

Guest 

VLAN 




mab 

authentication event no-response action 

authorize vlan 40 


MAB 

MAB 

fails 

Local 

Web Auth 




mab 




timeout 

MAB 

MAB 

success 

Central 

Web Auth 




mab 


338 

169



Non-802.1X Devices: Summary 

Solution For 

Devices 

or 

Users? 

Guest 

VLAN 

MAB Devices 

only 

Local Web- 

Auth 

Centralized 

Web-Auth 

Differentiated 

Access? 

Authz 

Type 

Authorization 

Method 

Both No Local Static Guest VLAN 

only 

Users 

only 

Users 

only 

Yes Centralized Dynamic VLAN 

and / or 

Dynamic ACL 

Credentials 

Required 

None 

MAC 

address 

Yes Centralized Dynamic ACL only Username / 

Password 

Yes Centralized Dynamic VLAN 

and / or 

Dynamic ACL 


339 

Tuning 802.1X Timeouts for MAB, 

Web-Auth and Guest VLAN 

Username / 

Password 

max-reauth-req: sets the maximum number of times (default: 2) that 

the switch retransmits an EAP-Identity-Request frame on the wire 

before receiving a response from the connected client 

tx-period: sets the number of seconds (default: 30) that the switch 

waits for a response to an EAP-Identity-Request frame from the client 

before retransmitting 

the request 

Guest VLAN Deployment (max-reauth-req + 1) * tx-period 


340 

170



Guest VLAN on the Switch 

Switch#sh vlan 

VLAN Name Status Ports 

---- -------------------------------- --------- ------------------------------- 

1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4 

Gi1/0/5, Gi1/0/6, Gi1/0/7 

Gi1/0/8, Gi1/0/9, Gi1/0/10 

Gi1/0/11, Gi1/0/12, Gi1/0/16 

Gi1/0/18, Gi1/0/20, Gi1/0/22 

Gi1/0/23 

2 access active Gi1/0/13, Gi1/0/15, Gi1/0/17 

Gi1/0/19, Gi1/0/21 

5 machines active 

10 servers active Gi1/0/14, Gi1/0/24 

20 contractors active 

30 auth-fail active 

40 guest active 

50 employees active 

60 printers active 

100 critical active 

110 voice active Gi1/0/21 

500 outside active Gi1/0/1 

1002 fddi-default act/unsup 

1003 token-ring-default act/unsup 


341 

802.1X Guest Support 

Switch#dot1x initialize interface gi1/0/15 

Switch# 

06:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface 

GigabitEthernet1/0/15, changed state to down 

06:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, 

changed state to down 

After EAPoL Times Out 

06:31:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface 

GigabitEthernet1/0/15, changed state to up 


342 

171



802.1X Guest Support 

Switch#sh vlan 

VLAN Name Status Ports 

---- -------------------------------- --------- ------------------------------- 

1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4 

Gi1/0/5, Gi1/0/6, Gi1/0/7 

Gi1/0/8, Gi1/0/9, Gi1/0/10 

Gi1/0/11, Gi1/0/12, Gi1/0/16 

Gi1/0/18, Gi1/0/20, Gi1/0/22 

Gi1/0/23 

2 access active Gi1/0/13, Gi1/0/17, Gi1/0/19 

Gi1/0/21 

5 machines active 

10 servers active Gi1/0/14, Gi1/0/24 

20 contractors active 

30 auth-fail active 

40 guest active Gi1/0/15 

50 employees active 

60 printers active 

100 critical active 

110 voice active Gi1/0/21 

500 outside active Gi1/0/1 

1002 fddi-default act/unsup 

1003 token-ring-default act/unsup 


343 


Devices that Fail 802.1X in High Security Mode 




2) Guest VLAN 



methods 







2) AuthFail VLAN 



dies 


344 

172



Failed 802.1X 

Auth-Fail VLAN Is An Alternative to Next-Method 


User Unknown 

Access Restricted to Auth-Fail VLAN 

Supplicant expected to ―fail open‖ 

Now with RADIUS Accounting! 

? 

VLAN 10 

6506-2(config-if)#authentication event fail action authorize vlan 10 


345 

802.1X with Auth-Fail VLAN 


Supplicant cannot exit the Auth-Fail VLAN 

• Only alternatives: switch-initiated re-authentication or port bounce 

No Secondary Authentication Mechanism. 

Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization -> 

centralized policy on AAA server is not enforced 

Switch and AAA server have conflicting views of network (mitigated by new 

RADIUS accounting) 

SGA Interop – SGT will be “Unknown” 

Access Granted 

Auth-fail VLAN 

Access Denied 


346 

173



802.1X Adding „auth-fail‟ Feature 






authentication event fail action authorize vlan 30 






mab 



347 

802.1X Checking „auth-fail‟ Feature 




IP Address: 10.1.30.201 

User-Name: Administratorbdg 


Domain: DATA 



Authorised By: Auth Fail Vlan 




Common Session ID: 0A640A050000164C6137E804 

Acct Session ID: 0x0000164F 

Handle: 0xD200064D 


Method State 

dot1x Authc Failed 

mab Not run 

webauth Not run 


348 

174











Unknown / 

Unauthorized 


MAB Fail 







Engineer Access ENG VLAN 

Machine Access Widget VLAN 

Limited Access Auth-Fail VLAN = Guest 

VLAN = UNAUTH VLAN 



349 


Devices are Unknown because AAA is Down 




2) Guest VLAN 



methods 







2) AuthFail VLAN 



dies: 

Critical VLAN 


350 

175



Inaccessible Authentication Bypass 

EAPOL-Start 

EAP-Success 

WAN Internet 

VPN Tunnel 

• Switch detects AAA unavailable by one of two methods 

1. Periodic probe 

2. Failure to respond to AAA request 

• Enables port in critical VLAN if defined, otherwise to switchport 

VLAN 

• Existing sessions retain authorization status 

• Applies to data devices only 

• Recovery action can re-initialize port when AAA returns 


351 

RADIUS Server(s) Inaccessible 

radius-server 10.1.10.50 test username KeepAliveUser key cisco 

radius-server dead-criteria time 15 tries 3 

radius-server deadtime 1 







authentication event server dead action authorize vlan 100 

authentication event server alive action reinitialize 






mab 


Critical VLAN can be anything: 

• Static VLAN 

• Same as guest/auth-fail VLAN 

• New VLAN 

• SGT will be “unknown” 


352 

176











Unknown / 

Unauthorized 


MAB Fail 



353 

DEMO Time 

802.1X Critical 

TECSEC-2041 








Machine Access MACHINE VLAN 

Limited Access Auth-Fail VLAN = Guest 

VLAN = UNAUTH VLAN 

Enterprise Access Critical VLAN 

177

802.1X: AAA Service Dies 

*Dec 4 14:01:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.100.10.150:1812,1813 is not responding. 

*Dec 4 14:01:07: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13 

*Dec 4 14:01:07: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present 

*Dec 4 14:01:07: %MAB-5-FAIL: Authentication failed for client (0014.5e95.d6cc) on Interface Gi1/13 

*Dec 4 14:01:07: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client 


*Dec 4 14:01:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on 

Interface Gi1/13 

*Dec 4 14:01:07: %AUTHMGR-SP-5-VLANASSIGN: VLAN 100 assigned to Interface Gi1/13 






IP Address: 10.1.100.201 



Domain: DATA 

Oper host mode: multi-host 


Authorised By: Critical Auth 




Common Session ID: 0A643D050000165C61E7FB88 


Handle: 0x8800065D 


Method State 

mab Authc Failed 


355 

802.1X: AAA Server Returns 

*Dec 4 14:05:07: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.10.50:1812,1813 has returned. 

*Dec 4 14:05:15: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13 

*Dec 4 14:05:15: %MAB-5-SUCCESS: Authentication successful for client (0014.5e95.d6cc) on Interface 

Gi1/13 

*Dec 4 14:05:15: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client 


*Dec 4 14:05:16: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on Interface 

Gi1/13 

Switch#show authentication sessions int g1/13 



IP Address: 10.100.60.201 



Domain: DATA 







Common Session ID: 0A640A050000166061F5AF98 


Handle: 0x95000661 


Method State 



356 

178

Data Center 

TECSEC-2041 




Security Group Access Controls in the 

Data Center 

Network-based functions to provide controls based on the role of the resource 

• Security policy defined by groups (instead of topology or design etc.) 

• Resources are mapped into Security Groups 

• Group-based policy rules do not change when resources are moved 

• Potential for much reduced SecOps effort in the DC 

Segmentation 

• Logical separation of resources across common DC infrastructure 

• Segment servers into logical zones 

• Control access to these different logical DC entities based on role 

• Apply controls to physical or virtual systems (Virtual servers, VDI…) 


358 

179

Traditional Access Control 

User (Source) 

Managers 



S1 

S2 

S3 

HR Rep 

S4 

Public Sites 

Servers (Destination) 

D1 

D2 

D3 

D4 

D5 

D6 

Sales 

permit tcp S1 D1 eq https 



deny ip S1 D1 


359 

HR 

Finance 

Network Admin manages every IP source to IP destination 

relationship explicitly (User->Server and Server->Server) 

# of ACEs = (# of sources) * (# of Destinations) * permissions 

S1 to D1 Access Control 

ACE # grows as # of permission 

statement increases 

Security Group-based Access Controls: 

User-System and System-System policy 

User 

Groups 

VDI user 

groups 

x100 


Role A 

(SGT10) 

Role B 

(SGT20) 

HR users 

(SGT30) 

Storage 

SGACL 


Prod 

(SGT400) 

Dev 

(SGT500) 

ERP (SOX 

compliant)(S 

GT600) 

System 

groups 

• Network Admin manages every source “group” to destination “group” 

relationship – abstracting topology from the policy 

Production 

systems 

Development 

systems 

Compliance 

critical 

server 

groups 

• The network automates the alignment of users/servers to groups within the DC 


360 

180



ACME Data Center security challenges 

All DC access control lists and firewall rules are IP address-based 

Server moves/changes require changes to rule base 

Rule table growth has made management more difficult 

Risk of human error leads to change review/approval processes 

Operational effort of moves/changes 

Business increasingly global with more external business 

relationships to save costs 

Editorial system development has moved offshore – developers need controlled 

access to specific development systems 

ACME now dependent on external translation and localization services 

Intellectual property protection now a higher priority 


361 

ACME Data Center projects 

Consolidation of services into regional DCs planned 

Improve resiliency and performance 

Centralize intellectual property protection 

ACME has had challenges managing developers accessing 

production servers during normal business hours. 

ACME needs to only allow developers access to development 

servers and production users to production servers. 

External developers and translation vendors to be given access to 

hosted Virtual Desktop Infrastructure 

Keep intellectual property within ACME data centers 

Virtual Desktops to have LAN access specific to the 3 rd party role (developers, 

translators and support vendors) 

Server access to be granted specifically based on the 3 rd party role 

ACME also seeks reduction in SecOps effort and faster response to 

change requests 


362 

181



ACME Data Center Uses Cases 

TECSEC-2041 


ACME Alignment with current SGA 

capabilities 

Campus LAN to Data Center Deployment 

Support ACME acquisition of Widget 

Support developer/production access control use case 

Data Center Consolidation 

Support High Bandwidth DC Interconnect 

Support Security Policy of encrypting Inter-Data Center connections 

Intra Data Center Deployment 

Support Segmented Server Access 

ACME/Widget Server Isolation 

Development/Production Server Isolation within DC 

Support VDI Initiative 


364 

182



ACME Campus LAN Deployment 

Use Case 1 

TrustSec to cover campus network as well 

as Data Center network 

Support for Campus / Branch access 

Source SGT assigned via 802.1X, MAB, 

or Web Authentication 

Server SGT assigned via IPM or statically 

IP-to-SGT binding table is exchanged 

between Campus access switch and Data 

Center TrustSec capable device 

SRC \ DST 

Server A 

(111) 

Campus Access 

SGT Assignment via 

802.1X, MAB, Web Auth 

Branch Access 

Server B 

(222) 

User A (10) Permit all SGACL-B 

User B (20) Deny all SGACL-C 

Cat35750/E 

ISR w/ EtherSwitch 

Cat6500 Cat4500 

File Server 

WEB Server 

111 222 

SQL Server 

Cat6500 

Cat4500 

Nexus 7010 

Data Center 

Directory 

Service 



365 

Data Center Use Case: 

Server Categorization and Segmentation 

Grouping of Servers based on policy and Traffic Filtering 

• Classified vs. Unclassified Servers 

• Production vs. Non-Production Servers 

• Private vs. Public Servers 

• Engineering vs. Business Operation Servers 

• Application specific servers (Web vs. Mail Clusters) 

• PCI segment vs. Others 

S1 S2 

S3 

VLAN100 

SGT/DGT ACME (222) Widget (333) 

ACME HR (222) - SGACL-B 

Widget (333) No FTP - 

SGT: ACME (222) SGT: Widget (333) 

SGACL 

FTP Session 

Nexus 7000 


366 

10 

S6 S7 

S8 

VLAN200 

20 

SXP 

ISE 

183



ACME Intra Data Center Deployment 

Use Case 3 

TrustSec to cover Intra Data Center for 

server traffic segmentation 

Manual server IP address to SGT binding 

on Nexus 7000 or IPM (Identity Port 

Mapping to ACS for centralized SGT 

management 

Server connected to same access switch 

can be segmented using Private VLAN 

feature to distribution switch 

SRC \ DST 

Server A 

(111) 

Serer B 

(222) 

Server C 

(333) 

Server A 

(111) 

Server B 

(222) 

Branch Access 

Campus Access 

Cat35750/E 

ISR w/ EtherSwitch 

or standalone switch 


SGT Assignment via IPM 

or statically 

Server C 

(333) 

--- SGACL-A Permit all 

Permit all --- SGACL-B 

Cat6500 Cat4500 

File Server 

WEB Server 

Deny all Deny all --- 111 222 

SQL Server 

Cat6500 

Cat4500 

Nexus 7010 

Data Center 

Directory 

Service 


367 

SXP 

Data Center Use Case: 

Security Policy for Intra-VLAN Traffic 

Enforcing dynamic policy to servers within same subnet 

SGT: Production (20) SGT: Development (30) 

S1 

S2 

SGT/DGT Production 

(20) 

Production 

(20) 

SGACL 

Nexus 7K 

Develop (30) 

- Deny All 

Develop (30) Deny All - 


368 

S3 

S4 

VLAN100 

333 

ISE 

184



Intra Data Center Deployment Detail 

10 

200 

SGACL 

Enforcement 

Options 

P Promiscuous Port 

Primary VLAN 

Secondary VLAN 

(Isolate) 

Nexus 7000 

222 

Dev-SVR 

SVI 

(VLAN 10) 

P 

802.1q 

Trunk 

Cat4K, 6K 

333 

Prod-SVR 

SGT/DGT Dev-SVR (222) Prod-SVR (333) 

Dev-SVR (222) Permit Deny 

Prod-SVR (333) Deny Permit 

Dynamic policy enforcement 

between servers within same 

isolated VLAN (Private 

VLAN) 

Dynamic policy enforcement 

between servers in different 

community VLANs 


369 

Virtual Desktop Infrastructure (VDI) 

TECSEC-2041 


185



ACME VDI Use Case 

ACME plans to move large amount of application access to a Virtual 

Desktop Infrastructure (VDI) environment (terminal services) 

ACME goal to implement security policy based on user (ID) groups 

and server/resource groups 

This is the same goal that ACME has in the campus access layer 

Would like the solution to work with any VDI connection broker 

Would like to have the solution accommodate a highly dynamic server 

environment (virtualized or not) 


371 

Background: Connection Brokers 

Thin client connection 

(e.g. RDP) 

Connection 

Broker 

User 

credentials 

Groups of Hosted 

Virtual Machines 


Corporate 

network 

Receives connection requests from thin-clients typically using RDP, PCoIP or ICA 

protocols 

Authenticates the user, typically against AD 

Maps the user to a pool of Virtual Machines or a specific VM 

Hands off the user to the allocated VM (incl. passing login credentials) 


372 

186



Applying 802.1X to VDI 

Thin client 

Connection 

Brokers 

User 

credentials 

Groups of VMs 

VM pool 

assignment 


802.1X machine 

authenticated 

Create AD machine groups to match the roles needed 

VM access layer 

(Catalyst 6k, 4k or 3k) 

VM 

credentials 

Role assigned 

based on AD m/c 

group 

Connection Broker derives mapping for each user (group) from AD info 

Connection Brokers allocates user to relevant VM pool 

Switch port uses 802.1X Multi-Auth and Open Mode 

802.1X machine auth gives AD machine group and implied role of user 


373 

Adding Security Group Access Controls 

Thin client 

Connection 

Brokers 

User 

credentials 

Groups of 

VMs 

VM pool 

assignment 

Active 

Directory 

802.1X m/c 

auth 

VM 

credentials 

VM access 

layer 

Nexus 7000 

applying SG- 

ACLS 

SXP 

Role assigned 

based on VM 

pool 

TrustSec SXP enabled on VM access switch propagates IP-role mapping 

User - System access rules defined in ACS TrustSec Egress Policy Matrix 


374 

ACS 

ACS 

Role-based 

access to 

server groups 

187

VDI Notes 



Technologies involves: 

802.1X supplicant triggered on VDI VM workstation 

Access layer switch running open mode and multi-authentication 

(Catalyst only at the moment) 

ACS provides Active Directory lookup and user role assignment and 

SGACL policies 

Cat3k/4k/6k TrustSec role assignment and Nexus 7k policy enforcement 

Assume that 802.1X supplicants generally do NOT support 802.1X User 

Auth for logins via RDP, PCoIP or ICA 

Use of AD machine groups and VM pools specific to each required role 

allows machine authentication to imply the role of the user 


375 

Background: Connection Brokers 

• User logs into the thin client (no user 

authentication performed for this example) 

• User initiates a connection to Connection 

Broker via RDP, PCoIP protocols 

• Broker queries Active Directory for VM pool 

assignment 

• Broker redirects user to an available VM in the 

VM pool 

• User is now able to the remotely view and 

control the VM 

Pools of VMs 

Connection Broker 

File Server 

Cat4500 

WEB Server 

SQL Server 

Campus Access 

Data Center 

Directory 

Service 


376 

ISE 

188



Applying 802.1x and SGA to VDI 

• User logs into VM which triggers 802.1x 


• Authentication succeeds. Authorization 

assigns the SGT for the user. 

• Traffic hits the egress enforcement point 

• Only permitted traffic path (source SGT to 

destination SGT) is allowed 

SRC \ DST 

File 

Server(111) 

Web Server 

(222) 

User A (10) Permit all Deny All 

User B (20) Deny all SGACL-C 

Pools of VMs 

Connection Broker 

File Server 

Cat4500 

WEB Server 

SQL Server 

Campus Access 

Data Center 

Directory 

Service 


377 

SGA and VDI 

DEMO Time 

TECSEC-2041 


RDP 

802.1x 

Auth=OK 

SXP 

SGT=10 

WEB Server 

User A 

ISE 

189



Data Center Interconnect 

TECSEC-2041 


Encrypted Inter-DC Link with 802.1AE 

Can SGA encrypt the link between multiple Data 

Center for secure backup / DR purpose? 

802.1AE technology can be used to encrypt pointto-point 

link with following conditions 

• 10Gbps or 1Gbps link between Nexus 7000s if both 

Nexus 7Ks are connected with dark fibre or passive 

repeater between DCs so that L2 frame is not 

manipulated 

• Or use EoMPLS Pseudowire to encapsulate 802.1AE 

frame between two Data Centers 


380 

190

TrustSec for Secure Data Center Interconnect 

Dual Access with dark Fibre Connectivity 



DC-1 DC-2 

Nexus 7010 Nexus 7010 

e1/25 

vPC 



381 

TrustSec for Secure Data Center Interconnect 

Dual Access with MPLS Connectivity 

DC-1 DC-2 


vPC 

PE Device 

MPLS 

PE Device 

PE Device PE Device 



382 

vPC 

vPC 

191

TECSEC-2041 




(NDAC) Details 


NDAC Authentication / SAP 

Supplicant 

Device 

Role Determination 

EAPOL (EAP-FAST) 

Authenticator 

Device 

EAP-FAST Tunnel Tear 

Down 

Policy Acquisition 

Key 

Establishment 

On-Going Key Refresh 

EAP-FAST Tunnel 


SAP 

TrustSec Enabled 


RADIUS 

Policy 


384 

ISE 

192



TrustSec Domain Establishment 

Device Authentication (1) 

Seed Device 

EAP-FAST over 

RADIUS 

Authorization 

(PAC, Env Data, 

ISE 

Policy) 

ISE 

NDAC validates peer identity before 

peer becomes the circle of Trust! 

The first device to communicate with ISE 

is called TrustSec Seed Device 

NDAC uses EAP-FAST/MSCHAPv2 for 


Credential (including PAC) is stored in 

hardware key store 


385 

TrustSec Domain Establishment 

Device Authentication (2) 

Supplicant 

Non-Seed Device 

802.1X NDAC 

Supplicant 


Seed 

Device 

Authenticator 

Supplicant 


Seed Device 

Authenticator 


ISE 

As device connects to its peer, TrustSec domain 

expands its border of trust 

If the device does not have information to connect to 

ISE, the device is called non-Seed Device 

When next device connects to device, Role 

determination process occurs per link basis, and 

both Authenticator and Supplicant role are 

determined. 

First peer to gain ISE server connectivity wins 

authenticator role. Once authenticator role is 

determined, the device terminates supplicant role by 

itself. 

In case of tie, lower MAC address wins 


386 

193



TrustSec Functional Flow 

Flow to establish Link connectivity in TrustSec domain 


NDAC Process Initiation 

A TrustSec device connects to ACS. Seed Device acquires 

policy from ACS. 

Supplicant device connects to Authenticator device 

PAC Provisioning 

Peer Authentication 

Env Data Download 

Peer Authorization 

SAP Negotiation 


387 


EAP-FAST Phase 0 PAC Provisioning 

(only required if there is no PAC available) 

EAP-FAST Phase 1 & 2 Authentication 

Environment Data Download 

Peer Policy Download 

SAP Key / Cipher suit Negotiation 

TrustSec Link Establishment 

The automatic role-determination requires that a device run both the supplicant and 

authenticator engines simultaneously when authentication first starts 

At the start, the authenticator engine of one device will be engaging in an EAPOL 

conversation with the supplicant engine of its peer device and vice versa. 

On each device, a role determination agent monitors the two simultaneous EAPOL 

conversations. 

In the EAP protocol, only the initial Request-ID is originated by the authenticator, all other 

EAP requests come from the AS. So when a device receives an EAP request other than 

the Request-ID, it deduces that its peer has been able to reach the authentication server 

and therefore the peer is capable of being an authenticator. 

Similarly, if the device itself has contacted the server and is ready to relay an EAP 

request to its peer, it is capable of being an authenticator. Using this indication, there is 

no need for an extra server reachability test. When a device decides to be authenticator, 

it will terminate its supplicant engine, and vice versa. 

The tie breaker can be a simple comparison of the two devices‘ MAC addresses used as 

source MAC address in sending the EAPOL packets. The one with the lower MAC 

address wins the authenticator role. 


388 

194



Seed Device Selection 

Seed Device Selection Rule: 

Any TrustSec capable device can be a seed device when 

it‘s configured to be so 

Any TrustSec capable device which communicated with ISE 

(layer 3 connectivity) becomes Seed Device 

In order to become seed device, TrustSec device still needs 

to perform NDAC to get PAC provisioned, authenticated, 

and policy provisioned in authorization 

Once seed device receives environment data, it becomes 

seed device 


389 

Seed Device 

Seed Device is a CTS capable device which is 

configured with knowledge of at least one ISE 

The seed device is typically the device directly 

connected to ISE 

Seed Device often has Public Server List 

Public Server List 

Only need to be configured on the seed device via CLI 

PAC provisioning using configured shared-secret 

Has lower priority than Private Server List 


390 

195



Sample Seed Device Configuration 

SGA-ISE1 

10.3.10.20/24 

SGA6K-DC 

10.3.10.1/24 

L3 connectivity 

Seed Device 

RADIUS Shared Secret: cisco123 

Device ID / Password: SGA6K-DC / trustsec123 

SGA6K-DC# cts credential id SGA6K-DC password trustsec123 

SGA6K-DC(config)# radius-server host 10.3.10.20 auth-port 1812 acct-port 1813 pac key cisco123 

SGA6K-DC(config)# aaa group server radius SGA-RADIUS 

SGA6K-DC(config-radius)# server 10.3.10.20 PUBLIC SERVER LIST 

SGA6K-DC(config-radius)# exit 

SGA6K-DC(config)# cts authorization list sga-mlist 

SGA6K-DC(config)# aaa authentication dot1x default group SGA-RADIUS 

SGA6K-DC(config)# aaa authorization network sga-mlist group SGA-RADIUS 

SGA6K-DC(config)# aaa accounting dot1x default group SGA-RADIUS 


391 


Non Seed Device is a CTS capable device which 

has no knowledge of ISE 

Non Seed Device dynamically learns about ISE 

servers IP address (so called Private Server List) 

Private Server list 

Dynamically learned 

During EAP-FAST authentication as supplicant role 

Env-data download from the ISE 

Assuming all servers belong in the same cluster, contain 

same A-ID and share the same PAC 

Has higher priority over Public Server List 


392 

196



Sample Non-Seed Device Configuration 

SGA6K-CORE 

Non Seed 

Device 

Seed Device 

SGA6K-CORE # cts credential id SGA6K-CORE password trustsec123 

SGA6K-CORE(config)# aaa new-model 

SGA6K-CORE(config)# radius-server vsa send authentication 

SGA6K-CORE(config)# interface te2/1 

SGA6K-CORE(config-if)# cts dot1x 

SGA6K-CORE(config-if)# shut 

SGA6K-CORE(config-if)# no shut 

SGA6K-CORE(config-if)# end 

SGA-ISE1 

10.2.1.0 

.2 .1 

.20 

10.3.10.0/24 

.1 

SGA6K-DC 

Device ID / Password: SGA6K-CORE / trustsec123 


393 

NDAC EAP-FAST 

PAC Provisioning 

SGA-ISE1 

10.3.10.20/24 

SGA6K-DC 

10.3.10.1/24 

L3 connectivity 

Seed Device 

Same command needs to be configured on the other 

end of the interface on SGA6K-DC 

SGA6K-DC#show cts pac 

AID: 219FD818BE250A4F86D769CDCB4C5ADA 

PAC-Info: 

PAC-type = Cisco Trustsec 


I-ID: SGA6K-DC 

A-ID-Info: TS ISE 1 

Credential Lifetime: 22:48:30 PDT Aug 30 2011 

PAC-Opaque: 

000200B00003000100040010219FD818BE250A4F86D769CDCB4C5ADA0 

00600940003010076CBE741F94025F47A0CFA0C55A52592000000134D 

E0ABF000093A808067B62574D8A9E9D63E0F4E3D0B9BE8FE896C244DD 

20403DD47069D0BDC398D9C46B017847CE51C7383FFF11998815C9D49 

4990004FDB7B26DC74B8DBA632EB4DC3979F056BB2D929653398DD843 

CA0078CEA8E05599242A7F24A0CAF20165D1BED5B9935F9CFDA8C447D 

6EBFF14E7CF7CE1AAC 

Refresh timer is set for 12w4d 


394 

197



Environment Data 

TrustSec Environment Data is a collection of 

information or policies that assists a device to 

function as a TrustSec node. 

Environment Data is downloaded to 

Environment Data includes 

Server List 

Device SGT 

Expiry Timeout 


395 

Environment Data 

SGA6K-DC 

10.3.10.1/24 

Seed Device 

SGA6K-DC#show cts pac 


PAC-Info: 

PAC-type = Cisco Trustsec 


I-ID: SGA6K-DC 

A-ID-Info: TS ISE1 

Credential Lifetime: 22:48:30 PDT Aug 30 2011 

SGA-ISE1 

10.3.10.20/24 

SGA6K-DC#show cts environment-data 

CTS Environment Data 

==================== 

Current state = COMPLETE 

Last status = Successful 

Local Device SGT: 

SGT tag = 2-00 

Server List Info: 

Installed list: CTSServerList1-0001, 1 server(s): 

*Server: 10.3.10.20, port 1812, A-ID 219FD818BE250A4F86D769CDCB4C5ADA 

Status = ALIVE 

auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs 

 


396 

ISE 

198

Device SGT 



Device SGT represents security group to which the device 

(switch or any other TrustSec device) itself belongs to and 

exchanged with neighbor device as a token of trusted device. 

Device SGT is also used / tagged for traffic originating from 

the device. 

Device SGT can be manually assigned via CLI on the device, 

OR centrally provisioned by ISE 


397 

Sample: Device SGT Assignment 



==================== 







- Omitted - 

SGA6K-DC 

10.3.10.1/24 

Seed Device 

SGA-ISE1 

10.3.10.20/24 


398 

199



Environment Data – Expiry Timer 


399 

NDAC Completion 

SGA6K-CORE 

10.2.1.2 



==================== 







*Server: 10.3.10.20, port 1812, A-ID 219FD818BE250A4F86D769CDCB4C5ADA 

Status = ALIVE 

auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs 

Multicast Group SGT Table: 

Security Group Name Table: 

0001-43 : 

7-99 : 80 -> IT_Admin 

6-99 : 80 -> HR_Server 

5-99 : 80 -> ACME_Server 

4-99 : 80 -> HR_User 

3-99 : 80 -> ACME_User 

2-99 : 80 -> Device 

unicast-unknown-99 : 80 -> Unknown 

Any : 80 -> ANY 

Transport type = CTS_TRANSPORT_IP_UDP 

Environment Data Lifetime = 86400 secs 

Last update time = 23:15:57 PDT Wed Jun 1 2011 

Env-data expires in 0:22:41:39 (dd:hr:mm:sec) 

Env-data refreshes in 0:22:41:39 (dd:hr:mm:sec) 

Cache data applied = NONE 

State Machine is running 

10.2.1.1 

SGA6K-DS 


400 

200



NDAC Consideration 

NDAC was developed as part of TrustSec and is 

Cisco proprietary but in large part based on 802.1X. 

NDAC does not require hardware support but 

optionally may leverage a hardware credential 

store. 

SAP is Cisco proprietary and based on the key 

exchange mechanism defined in 802.11i. 802.1X- 

REV will succeed and replace SAP as early as 

CY10. 

Interoperability with other 802.1AE devices 

becomes more broadly available once 802.1X-REV 

is supported by Cisco. Manual keying is supported 

in the interim 


401 

Security Association Protocol 

(SAP) 

TECSEC-2041 


201



NDAC Authentication / SAP 

Supplicant 

Device 


EAPOL (EAP-FAST) 

Authenticator 

Device 

EAP-FAST Tunnel Tear 

Down 

Policy Acquisition 

Key 

Establishment 

On-Going Key Refresh 

EAP-FAST Tunnel 


SAP 

TrustSec Enabled 


RADIUS 

Policy 


403 

Technical Details 

Security Association Protocol 

Security Association Protocol (SAP) to negotiate keys 

and cipher suite for encryption automatically 

Negotiation starts after successful authentication / 

authorization for NDAC 

Protocol communication only happens between 

Supplicant and Authenticator (No ISE involvement) 

At the end of SAP, both supplicant and authenticator 

have same session key 

Session key is used to encrypt traffic on the link 

Session key is derived from the PMK (learned by both 

device from ISE during authentication) and some 

random numbers shared during SAP 

Perform rekey periodically 


404 

ISE 

202

Technical Details 

SAP Negotiation 



SAP negotiates cipher suite. Following mode 

available 

SAP Mode Description 

GCM Galois / Counter Mode (GCM) encryption and 

authentication mode (Default) 

GMAC GCM authentication Mode (No encryption) 

No Encapsulation No encapsulation and no security group tag (SGT) 

insertion 

Null Encapsulation without authentication or encryption 


405 

SAP with Manual Keying 

SGA6K-CORE 

SAP can be configured on port 

No ISE involved 

10.2.1.2 

SGA6K-CORE#show run int ten2/1 

interface TenGigabitEthernet2/1 

ip address 10.2.1.2 255.255.255.0 

cts manual 

policy static sgt 2 trusted 

sap pmk 

1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234 

567890ABCDEF 

end 

10.2.1.1 

32 byte of PMK (Private Master Key) needs to match on both side 

Same SAP Modes are available for manual keying 

Make sure device SGT and trusted keyword is configured 

SGA6K-DC 

SGA6K-DC#show run int ten2/1 

interface TenGigabitEthernet2/1 

ip address 10.2.1.1 255.255.255.0 

cts manual 

policy static sgt 2 trusted 

sap pmk 

1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF12345 

67890ABCDEF 

end 


406 

203



Verification of Manual Keying 

SGA6K-CORE#show cts interface tenGigabitEthernet 2/1 

Global Dot1x feature is Enabled 

Interface TenGigabitEthernet2/1: 

CTS is enabled, mode: MANUAL 

IFC state: OPEN 

Authentication Status: NOT APPLICABLE 

Peer identity: "unknown" 

Peer's advertised capabilities: "sap" 

Authorization Status: SUCCEEDED 

Peer SGT: 2 

Peer SGT assignment: Trusted 

SAP Status: SUCCEEDED 

Version: 2 

Configured pairwise ciphers: 

gcm-encrypt 

null 

Replay protection: enabled 

Replay protection mode: STRICT 

Selected cipher: gcm-encrypt 

- Omitted - 

SGA6K-CORE 

10.2.1.2 

SGA6K-DC#show cts interface tenGigabitEthernet 2/1 

Global Dot1x feature is Enabled 

Interface TenGigabitEthernet2/1: 

CTS is enabled, mode: MANUAL 

IFC state: OPEN 

Authentication Status: NOT APPLICABLE 

Peer identity: "unknown" 

Peer's advertised capabilities: "sap" 

Authorization Status: SUCCEEDED 

Peer SGT: 2 

Peer SGT assignment: Trusted 

SAP Status: SUCCEEDED 

Version: 2 

Configured pairwise ciphers: 

gcm-encrypt 

null 

Replay protection: enabled 

Replay protection mode: STRICT 

Selected cipher: gcm-encrypt 

- Omitted - 

10.2.1.1 

SGA6K-DC 


407 

Switch to Switch MACSec Demo 

DEMO Time 

TECSEC-2041 


204



Advanced Features 

CoA 

TECSEC-2041 


Change of Authorization (CoA) 

Use Cases: 

How do we reauthorize the port when we discover it is an iPad? 

How do we change access policy when we determine the end-point 

is compliant with posture policy? 

How do we reauthorize the port once we have your identity through 

central web authentication? 

Problem: A RADIUS server cannot start a conversation with the 

authenticator. The authenticator (RADIUS Client) must start a 

conversation with the RADIUS server 

Solution: CoA (RFC 3576 – Dynamic Authz ext to RADIUS) allows 

the RADIUS server to start the conversation with the authenticator. 


410 

205



RADIUS Change of Authorization (CoA) 

Dynamic session 

control from a 

Policy server 

1 End point fails authentication, 

gets assigned to Auth-FailVLAN 

2 Re-authenticate End point remediates session itself 

Terminate session 

Terminate session with port bounce 

3 A RADIUS CoA is issued with Reauthenticate 

Disable host port 

Session Query 

4 Client For is authenticated Active Services via dot1x and assigned 

a Corp VLAN 

For Complete Identity 

Service Specific 

Service Activate 

Service De-activate 

Service Query 

Auth Fail 

VLAN Corp 

VLAN 


411 

RADIUS Change of Authorization (CoA) 

RFC 3576: Defines ―Packet of Disconnect‖ 

• Terminates session 

Cisco has extended support for CoA 

• Terminate session 

• Re-authenticate 

• Port bounce 

• Port down 

Each type of Action has specific use case support 


412 

206

CoA – Use Cases 



Failed Authentication with Failed Auth VLAN 

• CoA can reauth or terminate a session can retrigger 

authentication to try authentication after remediation 

Adding new MAC addresses to the network 

• After Profiling or other change order an agentless devices may 

need it‘s IP changed 

• CoA with Port Bounce can be used to reset the IP stack on an 

agentless device 

Abnormal/Destructive behavior is observed on 

the network 

• CoA with Port Down is a emergency shut off of a port. It can 

only be re-enabled by CLI 


413 

DEMO Time 

AuthFail VLAN + CoA 

TECSEC-2041 


207



Advanced Features 

Monitoring & Troubleshooting 

TECSEC-2041 


Dashboard Overview 


416 

208



Monitoring and Troubleshooting 

Monitoring 

User Reporting 

ISE Monitoring & Troubleshooting Dashboard 

Where, when, how connected 

How long, how often 

Last passed, last failed 

Switch Log Reporting 

System Reporting 

Pass/Fail ratio 

Device Reporting 

Profile History 

Status of profiled device 

IOS Switches ISE Servers 

SNMP, Syslog, CLI, Netflow 

Troubleshooting 

Expert Troubleshooting Tool 

Troubleshooting Workflow 

–Authentication Failure 

–Authorization Failure 

Switch log failure analysis 

Syslog 

Alerts 

Unknown NAS 

New ISE, new NAD 

External DB unavailable 

Failed Auths thresholds 

Passed auths thresholds 

AAA down 


417 

ISE Uses Multiple Sources of Information For 

Monitoring/Troubleshooting 

Sources 

• RADIUS logs 

• Syslog from ISE(s) 

• Syslog from Switches 

• CLI 

• SNMP 

• API 

ISE Tools 

• Authentication 

Reports 

• Session Directory 

• Configuration 

Validator 

• Network Device & 

Session Details 

• Expert Troubleshooter 

• tcpdump 


418 

209



Monitor>Authentications 


419 



420 

210





421 

Authentication Details 


422 

211



Authentication Steps 


423 

Endpoint Profiler Report 

RADIUS proxy information in the 

AAA Diagnostics report 


424 

212



Endpoint Profiler Summary 


425 

TrustSec Troubleshooting Tool 


426 

213

DEMO Time 

Expert Troubleshooter 

TECSEC-2041 




ACME SXP Design 

TECSEC-2041 


214



SGT Exchange Protocol Detail (1) 

Uses TCP for transport protocol 

TCP port 64999 for connection initiation 

Support Single/Multi-Hop (SXP relay) SXP 

connection 

Use MD5 for authentication and integrity check 

Two roles: Speaker (initiator) and Listener 

(receiver) 


429 

SXP Flow 

IP Src: 10.1.3.2 Dst: 10.1.3.1 

TCP Src Port: 16277 Dst Port: 64999 

Flags: 0x02 (SYN) 

IP Src: 10.1.3.1 Dst: 10.1.3.2 

IP Src: 10.1.3.2 Dst: 10.1.3.1 


Flags: 0x12 (SYN, ACK) 


Flags: 0x10 (ACK) 

TCP SYN 

Speaker 

TCP SYN-ACK 

Listener 

TCP ACK 

CTS3K 

CTS7K 

10.1.10.100 (SGT6) 10.1.3.2 

10.1.3.1 

SXP OPEN 

IP Src: 10.1.3.2 Dst: 10.1.3.1 


Flags: 0x10 ( ACK) 

SXP OPEN_RESP 

SXP Type: Open 

Version: 1 

SXP UPDATE 

IP Src: 10.1.3.1 Dst: 10.1.3.2 

Device ID: CTS3K 


Flags: 0x18 (PSH, ACK) 

SXP Type: Open_Resp 

Version: 1 

IP Src: 10.1.3.2 Dst: 10.1.3.1 


Flags: 0x10 (ACK) 

SXP Type: Update 

Update Type: Install 

IP Address: 10.1.10.100 SGT: 6 

Device ID: CTS7K 


430 

ISE 

215



SXP Connection Types 

Single-Hop SXP 

Multi-Hop SXP 

SXP 

Speaker Listener 

Non-TrustSec Domain 

TrustSec Enabled SW TrustSec Capable HW 

Speaker 

TrustSec 

Enabled SW 

Speaker 

TrustSec 

Enabled SW 

SXP 

Listener Speaker 

Listener 

TrustSec 

Enabled SW 

SXP 

TrustSec Capable HW 


431 

SXP 

SXP Configuration Sample 

CTS3K-AS(config)#cts sxp enable 

CTS3K-AS(config)#cts sxp default password 

CTS3K-AS(config)#cts sxp connection peer 10.2.2.1 source 10.2.2.2 password default mode peer listener 

SXP 



SGA3K SGA6K-CORE 

10.2.2.2 10.2.2.1 

SGA6K-DC(config)#cts sxp enable 

SGA6K-DC(config)#cts sxp default password 

SGA6K-DC(config)#cts sxp connection peer 10.2.2.2 source 10.2.2.1 password default mode local listener 


432 

ISE 

ISE 

ISE 

216



SXP Connection Verification 

SGA3K-AC#show cts sxp connections 

SXP : Enabled 

Default Password : Set 

Default Source IP: Not Set 

Connection retry open period: 120 secs 

Reconcile period: 120 secs 

Retry open timer is not running 

---------------------------------------------- 

Peer IP : 10.2.2.1 

Source IP : 10.2.2.2 

Conn status : On 

Local mode : SXP Speaker 

Connection inst# : 1 

TCP conn fd : 1 

TCP conn password: default SXP password 

- Omitted - 

SXP 



Catalyst 3K SGA6K-CORE 

10.2.2.2 10.2.2.1 


433 

ACME SXP WAN Design 

Approximately 300 remote sites 

SGA6K-CORE#show cts sxp connections 

SXP : Enabled 

Default Password : Set 

Default Source IP: Not Set 

Connection retry open period: 120 secs 

Reconcile period: 120 secs 

Retry open timer is not running 

---------------------------------------------- 

Peer IP : 10.2.2.2 

Source IP : 10.2.2.1 

Conn status : On 

Conn version : 1 

Local mode : SXP Listener 

Connection inst# : 2 

TCP conn fd : 1 

- Omitted- 

ACME is concentrating on the campus to Data 

Center use case. Remote to remote SGT 

communication is a later phase of the project 

ACME chooses to use an SXP relay mode to keep 

the peering in the data Center Nexus 7000s to a 

minimum 


434 

ISE 

217



ACME SXP WAN Deployment 

ASR1K- avail in 3.4 

6K w/ SUP 2T 

ACME has 600 peers per 

Cat6K 

SXP has no loop detection 

at the moment 

SXP 

Data Center 

. . . 


435 

Endpoint MACsec 

TECSEC-2041 

SXP 

SXP 

Listener-1 

Speaker-1 


6K 

N7K 

ASR1K ASR1K 

WAN 

6K w/ SUP 2T 

NDAC/SAP 

802.1AE 

Encryption 

SXP 

Listener-2 

SXP 

Speaker-300 

Note: For illustration purposes only 

218

Non- 

MACSec 

enabled 



802.1X-2010 / 802.1AE – MACSec and MKA 

1 User bob connects 

2 Bob‘s policy indicates end point must encrypt 

3 Key exchange using MKA, 802.1AE encryption complete 

User is placed in Corp VLAN 

Session is secured 

4 User steve connects 

5 Steve‘s policy indicates end point must encrypt 

6 End point is not MACSec enabled 

Assigned to Guest VLAN 

Wiring Closet 

Switch 

Campus 

LAN 

802.1X-Rev Components 

- MACSec enabled switches 

- AAA server 802.1X-Rev aware 

User: steve 

User: Policy: bobencryption 

Policy: encryption 

- Supplicant supporting MKA and 802.1AE 

encryption 


437 

Endpoint MACsec 


438 

ISE 

ISE 

CAK – Connectivity Association Key 

SAK – Secure Association Key 

219

AnyConnect 3.0 

AnyConnect 3.0 provides 



Unified access interface for SSL-VPN, 

IPSec and 802.1X for LAN / WLAN 

Support MACSec / MKA (802.1X- 

REV) for data encryption in software 

(Performance is based on CPU of the 

endpoint) 

MACSec capable hardware (network 

interface card) enhance performance 

with AnyConnect 3.0 

For TrustSec: 

• MACSec: 

•Hardware encryption – Requires AnyConnect and MACSec-ready hardware: (Intel 

82576 Gigabit Ethernet Controller, Intel 82599 10 Gigabit Ethernet Controller, Intel 

ICH10 - Q45 Express Chipset (1Gbe LOM) (Dell, Lenovo, Fujitsu, and HP have 

desktops shipping with this LOM.) 

•Software encryption – Requires AnyConnect and uses CPU of PC 


439 

MACsec Interoperability Notes 

Note: Proxy EAPoL-Logoff Cannot Be Used With MACSec. 

If a device behind a phone has been secured with MACSec, proxy EAPoL-Logoff 

messages sent from phones will be ignored. 

Best Practice Recommendation: Use CDP Enhancement for 

Second Port Disconnect for IP Telephony Deployments 

This feature works for all authentication methods with and without MACSec, takes 

effect as soon as the endpoint disconnects, and requires no configuration. 

Best Practice Recommendation: Disable Periodic Re- 

Authentication for MACSec endpoints 

Because MACSec continuously ensures the validity of the authenticated session, 

there is typically no need to use re-authentication as a de facto keepalive 

mechanism. 

Note: MACSec is not supported with multi-auth and multi-host 

modes 


440 

220



MACsec Recommendations 

Best Practice Recommendation: Use default policy in Monitor 

Mode 

To minimize configuration on the switch and Authentication server, use the default 

policy settings for MACSec in monitor mode. 

Best Practice Recommendation: Set “should-secure” in low 

impact mode 

To ensure that MACSec capable connections are secured while preventing legacy 

devices from getting locked out of the network, set the MACSec policy for switch 

ports and supplicants to ―should-secure‖ by default. 

Best Practice Recommendation: Set “should-secure” in high 

security mode 

To ensure that MACSec capable connections are secured while preventing legacy 

devices from getting locked out of the network, set the MACSec policy for switch 

ports and supplicants to ―should-secure‖ by default. 


441 

Policy Based Encryption using MACSec 

Using AnyConnect 3.0 

AC3.0 

Finance Admin 

Using Normal Supplicant 

No MACSec 

Supplicant 

Finance Admin 

Normal 

Supplicant on 

Personal 

Laptop 

&^*RTW#(*J^*&*sd#J$%UJ&( 


Fall Back to Insecure VLAN 


442 

LAN 

Everything is sent in clear therefore you can see LAN everything on wire 


MACSec in Action 

Cat3750 

X 

Cat3750 

X 

Finance Admin 

= 

Must Encrypt 


Successful! 

Finance Admin 

= 

Must Encrypt 


Successful! 

ISE 1.0 

ISE 1.0 

221

Authenticated 

User 



Clarification of MKA and SAP 

positioning 

Supplicant 

802.1X-2010 MKA 

MKA and SAP are not interoperable 

For the time being Cisco is recommending MKA for 

host facing ports and SAP for switch to switch ports 

MKA is the direction Cisco is moving for switch to 

switch links as well 

802.1X-2010 MKA 

&^*RTW#(*J^*&*sd#J$%UJ&( 

MACSec Link 

&^*RTW#(*J^*&*sd#J$%UJWD&( 

NDAC-SAP 


443 

AnyConnect 3.0 MACSec Demo 

DEMO Time 

TECSEC-2041 


&^*RTW In the clear Server 

222



SGA & Posture Integration 

TECSEC-2041 


Posture and Access Layer SGACL 

SGACL 

Users, 

Endpoints 


(3K-X/4K) 

Remediation 

Campus 


AUTH=OK 

SGT=20 

1. Remediation Server boots – Switch assigns IP address 

2.2.2.2 SGT 222 based on port identity (from ISE) or 

local definition (on switch) 

2. User connects to network and authenticates – deemed 

noncompliant by ISE – results logged in ISE 

3. Traffic from user traverses to Data Center and hits 

SGACL at egress enforcement point 

4. Traffic destined for DHCP/DNS are allowed. Traffic 

destined for Enterprise Servers is denied 

5. Traffic destined for remediation in access layer is 

permitted 

6. NAC Agent indicates to ISE that device is now compliant 


446 

ISE1.0 

SRC \ DST 

Employee 

Compliant 

(10) 

Cat 6500 w/ 

SUP 2T 

Employee- 

Noncompliant 

(20) 

Unknown (0) 


Services 

(111) 



Remediation 

(222) 

Enterprise 

Servers 

Permit Any Permit Any Permit Any 

Permit DHCP 

Permit DNS 

Permit DHCP 

Permit DNS 

Network Services 

Enterprise Server 


Permit Any Deny All 

Deny All Deny All 

223



Posture and Access Layer SGACL 

SGACL 

Users, 

Endpoints 


(3K/4K) 

Remediation 

Campus 


AUTH=OK 

SGT=10 

1. ISE triggers a COA to reauthenticates the session 

2. ISE authenticates the user and notes the device is 

compliant. ISE authorizes an SGT = 10 

Cat 6500 w/ 

SUP 2T 


447 

ISE1.0 

SRC \ DST 

Employee 

Compliant 

(10) 

Employee- 

Noncompliant 

(20) 

Unknown (0) 

Enterprise 

Services 

(111) 



Remediation 

(222) 

Enterprise 

Servers 

Permit Any Permit Any Permit Any 

Permit DHCP 

Permit DNS 

Permit DHCP 

Permit DNS 

General Guest and Access Layer 

SGACL 

SGACL 

Guest 


(3K-X/4K) 

Enterprise User 

1. Guest connects to the network – 802.1X 

fails/timeouts 

2. Switch MAC authenticates the device to ISE 

– results logged in ISE 

3. Traffic from user traverses to Data Center 

and hits SGACL at egress enforcement point 

4. Traffic destined for DHCP/DNS and Internet 

are allowed. Traffic destined for Enterprise 

Servers is denied 

Campus 


AUTH=OK 

SGT=20 

SRC \ DST 

Enterprise 

User (10) 

Guest (20) 

Unknown 

(0) 

Cat 6500 w/ 

SUP 2T 

Enterprise Services 

Enterprise 

Server 


Permit Any Deny All 



448 

ISE1.0 

Internet 


Services (111) 

Internet (222) 



Enterprise 

Servers 

(333) 

Enterprise 

Users (10) 

Permit Any Permit Any Permit Any Permit Any 

Permit DHCP 

Permit DNS 

Permit DHCP 

Permit DNS 

Permit DHCP 

Permit DNS 

Permit Ipsec 

Permit HTTP 

Permit HTTPS 


Deny All 


Enterprise 

Server 


Deny All 

Deny All 

224



Enterprise User Policy and Access 

Layer SGACL (1) 

SGACL 

Enterprise 

User 


(3K-X/4K) 

PCI User 

1. Enterprise User is authenticated and 

assigned SGT 10 

2. Traffic from Enterprise Users traverses to 

Data Center and hits SGACL at egress 


3. Traffic destined for DHCP/DNS and 

Enterprise Servers are permitted. Traffic 

destined for PCI Servers is denied 

Campus 


AUTH=OK 

SGT=10 

SRC \ DST 

Enterprise 

User (10) 

Cat 6500 w/ 

SUP 2T 


449 

ISE1.0 



Enterprise 

Server (222) 



PCI Servers 

(333) 

Enterprise 

Users (10) 

Permit Any Permit Any Deny All Permit Any 

PCI User (20) Permit Any Permit Any 

Unknown (0) 

Permit DHCP 

Permit DNS 

Permit 

HTTPS 


Enterprise User Policy and Access 

Layer SGACL(2) 

SGACL 

Enterprise 

User 


(3K-X/4K) 

PCI User 

1. PCI User is authenticated and assigned SGT 

20 

2. Traffic from PCI Users traverses to Data 

Center and hits SGACL at egress 


3. Traffic destined for DHCP/DNS, Enterprise 

Servers and PCI Servers are permitted. 

Traffic destined for Enterprise Users in the 

access layer is permitted. 

Campus 


AUTH=OK 

SGT=20 

SRC \ DST 

Enterprise 

User (10) 

Cat 6500 w/ 

SUP 2T 


Enterprise 

Server 


Permit Any 

Deny All 


450 

ISE1.0 



Enterprise 

Server (222) 



PCI Servers 

(333) 

Enterprise 

Users (10) 

Permit Any Permit Any Deny All Permit Any 

PCI User (20) Permit Any Permit Any 

Unknown (0) 

Permit DHCP 

Permit DNS 


Permit 

HTTPS 


Enterprise 

Server 


Permit Any 

Deny All 

225



ISE – Nexus 7000 IP/SGT Policy 

Management 

• How do you manage static IP/SGT definitions 

across multiple DC switches? 

• ISE 1.0 will allow the SGA admin to manage 

IP/SGT or DNS/SGT mappings 

Note: Support limited to Nexus 7000 


451 

ISE – Nexus 7000 IP/SGT Policy 

Management 

• SGA Admin designates 

if the device should 

have IP/SGT pushed 


452 

226

ISE Quick View 

DEMO Time 

TECSEC-2041 




Platform Support 

TECSEC-2041 


227



SGT/SGACL Component Support Matrix 

Platforms Available Feature OS OS Version Notes 

Nexus 7000 series Switch SGACL, 802.1AE + SAP, 

NDAC, SXP, IPM, EAC 

Catalyst 6500E Switch 

(Supervisor 2T) 2T) 

SGACL, 802.1AE + SAP, 

NDAC, SXP, IP, EAC 

EAC: Endpoint Admission Control (SGT Assignment) 

Cisco NX-OS®5.0.2a. Advanced Service 

Package license is is required 

Enforcement Device, DC 

Distribution DC Distribution 

Cisco IOS® 12.2 (50) (33) SY SX? Or Or later later release. Need Enforcement Device, DC 

MACSec capable linecard 

Distribution DC Distribution 

Catalyst 6500E Switch 

NDAC (No SAP), SXP, 

EAC Cisco IOS® 12.2 (33) SXI3 or or later release. IP IP Campus / DC / DC Access 

(Supervisor 32, 32, 720, 720-VSS) 720- EAC 

Base K9 K9 image required 

switch 

VSS) 

Catalyst 49xx switches SXP, EAC Cisco IOS® 12.2 (50) SG7 or later release. DC Access switch 

Catalyst 49xx switches 

Catalyst 4500 Switch 

SXP, EAC 

SXP, EAC 

Cisco IOS® 12.2 (50) SG7 or later release. 

Cisco IOS® 12.2 (53) SG7 or later release. 

DC Access switch 

Campus Access Switch 

(Supervisor Catalyst 4500 6L-E Switch or 6-E) SXP, EAC Cisco IOS® 12.2 (53) SG7 or later release. Campus Access 

(Supervisor 6L-E or 6-E) 

Catalyst 3560-X / 3750-X SXP, EAC Cisco IOS® 12.2 (53) SE2 or later release. 

Switch 


Switches Catalyst 3560-X / 3750-X SXP, EAC Cisco IOS® 12.2 (53) SE2 or later release. Campus Access 

Switches 

Catalyst 3560(E) / 3750(E) SXP, EAC Cisco IOS® 12.2 (53) SE1 or later release. 

Switch 


Switches Catalyst 3560(E) / 3750(E) SXP, EAC Cisco IOS® 12.2 (53) SE1 or later release. Campus Access 

Switches 

Catalyst Blade Module 3x00 SXP, EAC Cisco IOS® 12.2 (53) SE1 or later release. 

Switch 

DC Access Switch 

Switches Catalyst Blade Module 3x00 SXP, EAC Cisco IOS® 12.2 (53) SE1 or later release. DC Access Switch 

Switches 

Cisco EtherSwitch service SXP, EAC Cisco IOS® 12.2 (53) SE1 or later release. IP Branch Access Switch 

module Cisco for EtherSwitch ISR Routers service SXP, EAC Base Cisco K9 IOS® image 12.2 required. (53) SE1 or later release. IP Branch Access Switch 

module for ISR Routers 

Cisco ASR 1000 SXP, SGT 

Base K9 image required. 

Cisco IOS XE® 3.4 or later release. Remote Access Headend 

Cisco Identity Service Engine 

Cisco (ISE) Identity Service Engine 

(ISE) 

Centralized Policy 

Centralized Management Policy for TrustSec 

Management for TrustSec 

ISE Version 1.0 with Advanced License required. 

ISE Version 1.0 with Advanced License required. 

CSACS1120 appliance or ESX Server 3.5 or 4.0 

Policy Server 

Policy Server 

Cisco Secure ACS Centralized Policy 

is ACS supported Version 5.1 with TrustSec license Policy Server 

Cisco Secure ACS 


Centralized Policy 


required. CSACS1120 appliance or ESX Server 

ACS 3.5 Version or 4.0 is 5.1 supported with TrustSec license 

required. CSACS1120 appliance or ESX Server 

3.5 or 4.0 is supported 

Policy Server 

SGT 


455 

SGA Phased Migration 

Customer Rollout Phase 1 

Access Layer Distribution Layer Core Layer Data Center 

L2 Switch 

L2 Switch 

L2 Switch 

SGA Capabilities Legend 

SXP SXP 

L2/3 Dist 

Switch 

L2/3 Dist 

Switch 

L2/3 High Speed 

Core Switch 


Core Switch 

Non-SGA SGA Software 

SGA Hardware 

L2/3 DC 

Aggregation Switch 

L2/3 DC 


WAN/Internet Edge DMZ 

L2/3 Switch 

Remote Access 

SSL/IPSec VPN 

L2/3 Switch 

Remote Access 

Router 

L2 DC Access 

L2 DC Access 

L2 DC Access 

L2 DC Access 

ISE v1.0 

(AAA & SGA Policy Mgr) 


456 

Internet 

SXP 

SGT 

Remote SXP 

228



SGT 

SGT 

SGT 

SGT 




L2 Switch 

L2 Switch 

L2 Switch 


SXP L3 TrustSec SXP 

L2/3 Dist 

Switch 

L2/3 Dist 

Switch 


Core Switch 


Core Switch 


SGA Hardware 

L3 TrustSec 

L2/3 DC 


L2/3 DC 



L2/3 Switch 

Remote Access 

SSL/IPSec VPN 

L2/3 Switch 

Remote Access 

Router 

L2 DC Access 

L2 DC Access 

L2 DC Access 

L2 DC Access 

ISE v1.0 

(AAA & SGA Policy Mgr) 


457 



802.1AE/SAP 802.1AE/SAP 802.1AE/SAP 

802.1AE/SAP 

L2 Switch 

L2 Switch 

L2 Switch 

L2/3 Dist 

Switch 

L2/3 Dist 

Switch 

Internet 




Core Switch 


Core Switch 


SGA Hardware 

L2/3 DC 


L2/3 DC 


L2/3 Switch 

Remote Access 

SSL/IPSec VPN 

SGT 


L2/3 Switch 

Site-to-Site Access 

SSL/IPSec VPN 

Remote SXP 

ISE v1.0 

(AAA & CTS Policy Mgr) 


458 

Internet 

802.1AE/SAP 

SGT 

L2 DC Access 

L2 DC Access 

L2 DC Access 

L2 DC Access 

802.1AE/SAP 

SGA Capable IPSec/VPN 

229

TECSEC-2041 



Session Summary 



In a Nutshell 

Authorization 

Authentication SGA, Pre-Auth, 

Phones 

EAP, PKI, DBs 

Supplicants, 

Re-Auth, 

Agentless 

PXE, WoL, VM, 

Windows GPO, 

login scripts, 

VLAN, ACL, Failed 

Auth, AAA down 

Teamwork: 

Network, IT, Desktop 

Policy: 

definition & enforcement 

MDA, voice 

VSA, MAB 

behind phone 

Guest solution? 

Implicit reliance 

machine auth, 

on wired? 

Desktops remote desktop 

Guests 

Policy & 

Organization 


460 

230

Summary 



802.1X/SGA improves enterprise security 

802.1X/SGA improves enterprise visibility 

802.1X/SGA deployable now 

New features have significantly simplified deployment 

Deployment scenarios can be used as a starting point 

802.1X/SGA is not only a network project, it affects the 

whole IT organization 


461 

Follow Up on Your 802.1X/SGA 

Deployment 

You have seen that 802.1X/SGA: 

• is deployable 

• has new, advanced features to handle many use cases 

Next Steps: 

• Work with your Cisco SE and your Cisco Partners 

• Quantify what you want to achieve with 802.1X/SGA 

Take time to understand and specify: 

• Existing networking environment 

• Supplicants 

• RADIUS servers and backend data base 

• Deployment scenarios 

• Capability of your switching infrastructure 


462 

231



Recommended Reading 

Continue your Cisco Live 

learning experience with further 

reading from Cisco Press 

Check the Recommended 

Reading flyer for suggested 

books 


463 

Visit the Cisco Store for 

Related Titles 

http://theciscostores.com 


464 4 

6 

232



Recommended Reading 

Cisco Wireless LAN Security - 

http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540 

Cisco Internetwork Troubleshooting - 


Cisco Secure Internet Security Solutions - 


Managing Cisco Network Security - 


Cisco LAN Switch Security: What Hackers Know About Your Switches - 



465 

Complete Your Online 

Session Evaluation 

Receive 25 Cisco Preferred Access points for each session 

evaluation you complete. 

Give us your feedback and you could win fabulous prizes. 

Points are calculated on a daily basis. Winners will be notified 

by email after July 22nd. 

Complete your session evaluation online now (open a browser 

through our wireless network to access our portal) or visit one 

of the Internet stations throughout the Convention Center. 

Don’t forget to activate your Cisco Live and Networkers 

Virtual account for access to all session materials, 

communities, and on-demand and live activities throughout 

the year. Activate your account at any internet station or visit 

www.ciscolivevirtual.com. 


466 

233

Thank you. 




467 

234

802.1X - The Cisco Learning Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?