802.1X - The Cisco Learning Network
© 2009, <strong>Cisco</strong> Systems, Inc. All rights reserved.<br />
TECSEC-2041.scr<br />
Identity and Security Group Access<br />
with <strong>802.1X</strong> and TrustSec<br />
TECSEC-2041<br />
© 2011 <strong>Cisco</strong> and/or its affiliates. All rights reserved. <strong>Cisco</strong> Public<br />
Welcome to Las Vegas<br />
Your Speakers<br />
Craig Hyps<br />
Technical Marketing Engineer<br />
chyps@cisco.com<br />
Kevin Gagnon<br />
Product Manager<br />
kegagnon@cisco.com<br />
Session Abstract<br />
Mitsunori Sagae<br />
Technical Marketing Engineer<br />
msagae@cisco.com<br />
Fay-Ann Lee<br />
Technical Marketing Engineer<br />
faylee@cisco.com<br />
Aaron Woland<br />
Technical Marketing Engineer<br />
aawoland@cisco.com<br />
This session is a deep dive on <strong>802.1X</strong> and the technologies that make up <strong>Cisco</strong>'s TrustSec solution. This includes the functions of access control and the application of policy derived from end-point profiling, Security Group Tags (SGTs), <strong>Network</strong> Device Admission Control (NDAC), guest access, change of authorization, and MACSec.<br />
With these technologies businesses can address many existing and emerging network access control issues, such as regulatory compliance, virtualization, and guest services.<br />
A basic knowledge of <strong>802.1X</strong> is assumed.<br />
Session Objectives<br />
At the end of the session, you should understand:<br />
• How <strong>802.1X</strong> and Security Group Access (SGA) work<br />
• <strong>The</strong> benefits of deploying <strong>802.1X</strong> and SGA<br />
• How to configure and deploy <strong>802.1X</strong> and SGA using <strong>Cisco</strong> switches, Identity Services Engine (ISE) 1.0 and various supplicants<br />
• How to integrate technologies such as IP telephony, guest access, PXE, etc.<br />
• <strong>The</strong> value and application of deployment scenarios<br />
• Advanced SGA features and some future functionality<br />
• How to make this work when you get back to your lab<br />
You should also:<br />
• Provide us with feedback!<br />
What We Won't Be Covering<br />
AAA authentication on routers<br />
IPSec authentication<br />
In-depth concepts on identity management and single sign-on (upper layer identity)<br />
PKI and X509 certificates<br />
Kerberos<br />
LDAP<br />
Active Directory design<br />
NAC Framework, NAC Appliance, and NAP<br />
Wireless Security<br />
Specific details of the EAP methods<br />
Agenda<br />
Identity and Security Group Access (SGA)<br />
• Overview<br />
• <strong>802.1X</strong>, EAP, and RADIUS<br />
• User and Machine Authentication<br />
• Non-<strong>802.1X</strong> Users & Devices<br />
• SGTs/SGACLs<br />
ACME Case Study – Phase 0<br />
• Existing Environment<br />
• Pre-deployment Considerations<br />
Phase 1 – Monitor Mode and SGA<br />
• Multi-Auth<br />
• Open Access<br />
• Monitoring & Remediation<br />
Phase 2 – Low Impact Mode and SGA<br />
• Selectively Open Access<br />
• Flex Auth<br />
• IP Telephony<br />
Phase 3 – High Security Mode and SGA<br />
• Closed Access<br />
• Dynamic VLAN assignment<br />
Real Customer Case Study<br />
Data Center<br />
• Server to Server/VDI<br />
• Inter Data Center<br />
Advanced Features/Look Forward<br />
How the Demo Will Work<br />
SCREEN 1: USER PC (Win7, MAC, <strong>Cisco</strong> IP Phone, AnyConnect 3.0 <strong>Network</strong> Access Manager)<br />
SCREEN 2: SERVERS (ISE, Active Directory) and SWITCH Console<br />
For Reference Slides<br />
<strong>The</strong>re are more slides in the hand-outs than presented during the class.<br />
<strong>The</strong>se slides are for reference and are indicated by the book icon on the top right corner (as on this slide).<br />
<strong>The</strong> demo slides with screen dumps outline key points of the demo. More details will be found in white papers given as reference.<br />
Schedule<br />
In Session: 8:00 am – 10:00 am<br />
Break: 10:00 am – 10:15 am<br />
In Session: 10:15 am – 12:00 pm<br />
Lunch: 12:00 pm – 1:00 pm<br />
In Session: 1:00 pm – 2:30 pm<br />
Break: 2:30 pm – 2:45 pm<br />
In Session: 2:45 pm – 5:00 pm<br />
5
Housekeeping<br />
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.<br />
Visit the World of Solutions.<br />
Please remember this is a non-smoking venue!<br />
Please switch off your mobile phones.<br />
Please make use of the recycling bins provided.<br />
Please remember to wear your badge at all times.<br />
After Today – Consider your <strong>802.1X</strong> and SGA Deployment<br />
After this, you will find that SGA:<br />
• is deployable<br />
• has new, advanced features to handle many use cases<br />
Next Steps:<br />
• Work with your <strong>Cisco</strong> SE and your <strong>Cisco</strong> Partners<br />
• Quantify what you want to achieve with <strong>802.1X</strong> and SGA<br />
Take time to understand and specify:<br />
• Existing networking environment<br />
• Supplicants<br />
• RADIUS servers and backend database<br />
• Deployment scenarios where SGA enhances <strong>802.1X</strong><br />
• Capability of your switching infrastructure<br />
Q & A<br />
Identity and Authentication<br />
Overview<br />
Why Identity Is Important<br />
1. Who are you? <strong>802.1X</strong> (or a supplementary method) authenticates the user.<br />
2. Where can you go? Based on authentication, the user is placed in the correct VLAN.<br />
3. What service level do you receive? <strong>The</strong> user can be given per-user services (ACLs today, more to come).<br />
4. What are you doing? <strong>The</strong> user's identity and location can be used for tracking and accounting.<br />
What does Identity allow you to do?<br />
Keep the Outsiders Out<br />
Keep the Insiders Honest<br />
Personalize the <strong>Network</strong><br />
Increase <strong>Network</strong> Visibility<br />
Ensure that only allowed types of user and machine connect to key resources<br />
Provide guest network access in a controlled and specific manner<br />
Deliver differentiated network services to meet security policy needs, for example:<br />
• Ensure compliance requirements (PCI, etc.) for user authentication are met<br />
• Facilitate voice/data traffic separation in the campus<br />
• Ensure that only employees with legitimate devices access classified systems<br />
• Ensure that contractors/business partners get appropriate access<br />
Provide user and access device visibility to network security operations<br />
8
Access Control Technology Evolution<br />
Security Group Access (SGA)<br />
• <strong>Network</strong>-wide Role-Based Access Control<br />
• Topology Independent Access Management<br />
• Trusted domain establishment via <strong>Network</strong> Device Admission Control<br />
• 802.1AE based Link Encryption<br />
Identity-Based Access Control<br />
• Flexible authentication options: <strong>802.1X</strong>, MAB, WebAuth, FlexAuth<br />
• Comprehensive post-admission control options: dACL, VLAN assignment, URL redirect, QoS…<br />
• Integration of Profiling / Guest Access Services<br />
<strong>Network</strong> Address-based Access Control<br />
• ACL, VACL, PACL, PBACL, etc.<br />
<strong>Cisco</strong> Access Control Solution<br />
<strong>Network</strong> Admission Control (NAC)<br />
• Posture validation: endpoint policy compliance<br />
Why Security Group Access is important<br />
Extends Identity visibility and controls across the network<br />
• Identity information from the access layer can be used across the network or in the Data Center<br />
• Builds upon Identity controls deployed in the access layer<br />
• Provides more granular identity-based controls than are possible purely at the access layer<br />
• Controls can be enabled selectively to protect specific resources<br />
• Provides very high-scale access control capabilities<br />
Why Security Group Access is important<br />
Provides powerful segmentation capabilities in the Data Center<br />
• Logical separation of resources across common infrastructure<br />
• Leverages wire-rate enforcement capabilities in Nexus switches<br />
Provides role-based access controls independently of the network design or topology<br />
• Roles could be technology or service, e.g. voice, building services, risk profile or business role<br />
• Security Access Policies could be decoupled from IP addresses, subnets, VLANs, WLAN, VPN, etc.<br />
New Security Group-based policy model can bring dramatic reductions in Access Control management effort<br />
• Allows control of user-to-system communications AND system-to-system (e.g. for server segmentation)<br />
• Eliminates ACL rule changes for some system moves/changes<br />
IEEE <strong>802.1X</strong>: <strong>The</strong> Foundation of Identity<br />
Supplicant (<strong>802.1X</strong> Client) → [EAP over LAN (EAPoL)] → Authenticator (e.g. Switch, Access Point) → [RADIUS] → Authentication Server<br />
IEEE 802.1 working group standard<br />
Provides port-based access control using authentication<br />
Enforcement via MAC-based filtering and port-state monitoring<br />
Defines encapsulation for Extensible Authentication Protocol (EAP) over IEEE 802 media: "EAPoL"<br />
Default Port State without <strong>802.1X</strong><br />
No Authentication Required<br />
No visibility<br />
No Access Control<br />
Default Security with <strong>802.1X</strong><br />
Before Authentication<br />
No visibility (yet)<br />
Strict Access Control<br />
ALL traffic except EAPoL is dropped<br />
One Physical Port -> Two Virtual ports<br />
• Uncontrolled port (EAPoL only)<br />
• Controlled port (everything else)<br />
interface fastEthernet 3/48<br />
 authentication port-control auto<br />
 dot1x pae authenticator<br />
Default Security with <strong>802.1X</strong><br />
After Authentication<br />
User/Device is Known<br />
Identity-based Access Control<br />
• Single MAC per port<br />
Authenticated User: Sally<br />
Authenticated Machine: XP-ssales-45<br />
interface fastEthernet 3/48<br />
 authentication port-control auto<br />
 dot1x pae authenticator<br />
Sally: "Looks the same as without <strong>802.1X</strong>"<br />
Having read your mind Sally, that is true: unless you apply an authorization, access is wide open. We can restrict access via dynamic VLAN assignment or downloadable ACLs.<br />
Identity and Authentication<br />
<strong>802.1X</strong>, EAP, and RADIUS<br />
A Closer Look at <strong>802.1X</strong><br />
Supplicant (AC) ← Layer 2 Point-to-Point (EAPoL) → Authenticator ← Layer 3 Link (RADIUS) → Authentication Server<br />
Port Unauthorized<br />
1. Supplicant → Authenticator: EAPoL Start<br />
2. Authenticator → Supplicant: EAP ID-Request<br />
3. Supplicant → Authenticator: EAP ID-Response; Authenticator → Authentication Server: RADIUS Access-Request [AVP: EAP-Response: Alice]<br />
4. Authentication Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator → Supplicant: EAP-Request: PEAP<br />
5. Supplicant → Authenticator: EAP-Response: PEAP; Authenticator → Authentication Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]<br />
(Multiple Challenge-Request exchanges possible)<br />
6. Authentication Server → Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-nnn]; Authenticator → Supplicant: EAP Success<br />
Port Authorized<br />
7. Supplicant → Authenticator: EAPoL Logoff<br />
Port Unauthorized<br />
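The supplicant-to-authenticator leg of the exchange above, as an added example that is not part of the original deck: a Python decoder for the EAPoL frames the supplicant sends (EAPoL Start, EAP ID-Response, EAP Success), following the IEEE 802.1X EAPOL header and the RFC 3748 EAP header. The frames, the identity "Alice" and the supplicant MAC (copied from the deck's show output) are constructed test input; the EAPOL and EAP type numbers are the standard registry values. The length checks are the ones a port-side parser needs so that a malformed Length field cannot make it read past the frame.<br />

```python
"""Decode IEEE 802.1X EAPOL frames and the EAP packets they carry.

Added example, not from the TECSEC-2041 deck. Field layouts follow the
IEEE 802.1X EAPOL header and the RFC 3748 EAP header; the frames built
below are constructed test input that mirrors the deck's flow (EAPoL Start,
EAP ID-Response "Alice", EAP Success). The source MAC is the one shown in
the deck's switch output.
"""
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Identity/Nak from RFC 3748 plus the method types named on the slides.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}


def build_eap_packet(code: int, identifier: int, eap_type: Optional[int] = None,
                     type_data: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) plus optional Type and Type-Data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"",
                      version: int = 2) -> bytes:
    """Ethernet header + EAPOL header (Version, Type, Length) + body."""
    eth = PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eap_packet(pkt: bytes) -> dict:
    """Decode an RFC 3748 EAP packet; rejects Length fields that disagree with the data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        eap["type"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        eap["type_data"] = pkt[5:length]
        if pkt[4] == 1:                         # Identity: Type-Data is the (outer) identity
            eap["identity"] = eap["type_data"].decode("utf-8", "replace")
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL; only EAP-Packet frames carry an EAP packet."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length field exceeds frame")
    result = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "version": version,
              "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:
        result["eap"] = parse_eap_packet(body)
    return result


# Constructed frames following the deck's flow (supplicant MAC from the show output).
SUPPLICANT_MAC = bytes.fromhex("00145e95d6cc")
EAPOL_START = build_eapol_frame(SUPPLICANT_MAC, 1)
ID_RESPONSE = build_eapol_frame(SUPPLICANT_MAC, 0, build_eap_packet(2, 1, 1, b"Alice"))
EAP_SUCCESS = build_eapol_frame(SUPPLICANT_MAC, 0, build_eap_packet(3, 7))

if __name__ == "__main__":
    for name, frame in (("Start", EAPOL_START), ("Identity", ID_RESPONSE), ("Success", EAP_SUCCESS)):
        print(name, parse_eapol_frame(frame))
```

Only the EAP-Packet type (0) carries an EAP header; Start and Logoff have an empty body, which is why the decoder attaches an "eap" entry only for type 0. A truncated frame is rejected rather than partially decoded.<br />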
What Does EAP Do?<br />
Establishes and manages the connection<br />
Allows authentication by encapsulating various types of authentication exchanges<br />
• Actual authentication exchanges are called EAP Methods<br />
Provides a flexible link layer security framework<br />
• Can run over any link layer (PPP, 802, etc.)<br />
Defined by RFC 3748<br />
Encapsulation between Supplicant and Authenticator: Ethernet Header | <strong>802.1X</strong> Header | EAP Payload<br />
Encapsulation between Authenticator and Authentication Server: IP Header | UDP | RADIUS | EAP Payload<br />
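The right-hand side of the stack above, RADIUS carrying the EAP payload between authenticator and authentication server, as an added example that is not from the deck. It builds the Access-Request that relays an EAP-Response/Identity and the Access-Challenge that returns an EAP-Request/PEAP, using RFC 2865 framing and the RFC 3579 EAP-Message (79) and Message-Authenticator (80) attributes, and shows the verification the authenticator should perform on the Access-Challenge before it unwraps the EAP-Request for the supplicant. The shared secret, Request Authenticator, identifier and EAP bytes are constructed values.<br />

```python
"""RADIUS carriage of EAP between authenticator and authentication server.

Added example, not from the TECSEC-2041 deck. It models the deck's
'EAP ID-Response -> RADIUS Access-Request [EAP-Response: Alice]' and
'RADIUS Access-Challenge [EAP-Request PEAP]' steps using RFC 2865 packet
framing and the RFC 3579 EAP-Message / Message-Authenticator attributes.
The shared secret, Request Authenticator and EAP bytes are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

CODE_ACCESS_REQUEST, CODE_ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

# Constructed: a real NAS uses a fresh random 16-byte Request Authenticator
# per request and a long, per-NAS shared secret.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
# EAP Response/Identity "Alice" (code 2, id 1, len 10, type 1) and an
# EAP Request/PEAP Start (code 1, id 2, len 6, type 25, flags S=0x20).
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"Alice"
EAP_REQUEST_PEAP = bytes([1, 2, 0, 6, 25, 0x20])


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attributes(eap: bytes) -> bytes:
    """Split an EAP packet across EAP-Message attributes of at most 253 bytes."""
    return b"".join(attribute(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))


def _message_authenticator(header: bytes, auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with Message-Authenticator's value zeroed (RFC 3579 3.2)."""
    zero_attr = attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    return hmac.new(secret, header + auth + attrs + zero_attr, hashlib.md5).digest()


def build_access_request(identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Authenticator side: wrap EAP in an Access-Request carrying a Message-Authenticator."""
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs) + 18)
    mac = _message_authenticator(header, request_auth, attrs, secret)
    return header + request_auth + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: the HMAC is keyed over the Request Authenticator; the header carries
    the Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + 18)
    mac = _message_authenticator(header, request_auth, attrs, secret)
    attrs_final = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)
    response_auth = hashlib.md5(header + request_auth + attrs_final + secret).digest()
    return header + response_auth + attrs_final


def parse_attributes(data: bytes) -> list:
    """Walk the TLV list; raise on a Length that runs past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def verify_and_extract_eap(packet: bytes, secret: bytes,
                           request_auth: Optional[bytes] = None) -> Optional[bytes]:
    """Check Message-Authenticator (and, for responses, the Response Authenticator).

    Returns the reassembled EAP packet, or None when the packet must be discarded.
    Pass request_auth when verifying an Access-Challenge/Accept/Reject."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    header, authenticator = packet[:4], packet[4:20]
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return None
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:          # RFC 3579: exactly one, and mandatory alongside EAP-Message
        return None
    zeroed = b"".join(attribute(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    hmac_auth = request_auth if request_auth is not None else authenticator
    expected = hmac.new(secret, header + hmac_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        return None
    if request_auth is not None:
        response_auth = hashlib.md5(header + request_auth + packet[20:] + secret).digest()
        if not hmac.compare_digest(response_auth, authenticator):
            return None
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
```

The Message-Authenticator is what binds the EAP-Message contents to the shared secret; without it an Access-Request's attributes are not integrity-protected at all, which is why RFC 3579 makes it mandatory whenever EAP-Message is present, and why the authenticator must drop any Access-Challenge whose HMAC or Response Authenticator does not verify instead of relaying its EAP-Request to the supplicant.<br />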
EAP Authentication Methods<br />
Challenge/response-based<br />
• EAP-MD5: uses MD5 based challenge-response for authentication<br />
• LEAP: username/password authentication<br />
• EAP-MSCHAPv2: username/password MSCHAPv2 challenge-response authentication<br />
Certificate-based<br />
• EAP-TLS: X.509 v3 PKI certificates and the TLS mechanism for authentication<br />
Tunneling methods<br />
• EAP-PEAP: encapsulates other EAP types in an encrypted tunnel<br />
• EAP-TTLS: encapsulates other EAP types in an encrypted tunnel<br />
• EAP-FAST: designed to not require client certificates<br />
Other<br />
• EAP-GTC: generic token and OTP authentication<br />
• GSS-API: Kerberos<br />
Tunneling Methods<br />
Some EAP methods set up an encrypted tunnel and pass credentials through the tunnel<br />
Anonymous outer identity provides the ability to completely obfuscate the user's credentials<br />
• AC / ACS: Yes<br />
• Windows Native / IAS: No<br />
Some EAP methods require an EAP method inside the tunnel (PEAP and FAST)<br />
Some EAP methods do not require an EAP method inside the tunnel (TTLS); used with legacy RADIUS<br />
EAP Nomenclature and Abbreviations<br />
What we say → What we mean<br />
TLS → EAP-TLS<br />
MSCHAPv2 → EAP-MSCHAPv2<br />
GTC → EAP-GTC<br />
PEAP-TLS → EAP-PEAP with EAP-TLS inside the encrypted tunnel<br />
PEAP-MSCHAPv2 → EAP-PEAP with EAP-MSCHAPv2 inside the encrypted tunnel<br />
PEAP-GTC → EAP-PEAP with EAP-GTC inside the encrypted tunnel<br />
"PEAP" → In This Techtorial: PEAP-MSCHAPv2<br />
FAST/MSCHAPv2 → EAP-FAST with EAP-MSCHAPv2 inside the encrypted tunnel<br />
EAP Protocols: Feature Support (EAP-TLS | PEAP | EAP-FAST)<br />
Single Sign-on: Yes | Yes | Yes<br />
Login Scripts (Active Directory): Yes | Yes | Yes<br />
Password Expiration (AD): N/A | Yes | Yes<br />
Client and OS Availability: AC, XP, Win7 and Others | AC, XP, Win7 and Others | AC, Win7 and Others<br />
MS DB Support: Yes | Yes | Yes<br />
LDAP DB Support: Yes | Yes | Yes<br />
OTP Support: No | Yes | Yes<br />
Off-line Dictionary Attacks: No | No | No<br />
Server Certificates Required: Yes | Yes | No<br />
Client Certificates Required: Yes | No | No<br />
Computing Impact: High | Medium | Low<br />
Factors that Drive EAP Method<br />
Use as many methods as needed depending on devices<br />
Enterprise security policy<br />
• Certificate Authority deployment may drive EAP type<br />
• Two factor authentication may require EAP-TLS<br />
• Security vs. Convenience Trade-offs<br />
Client support<br />
• Windows supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS<br />
• 3rd party supplicants support a large variety of EAP types, but not all<br />
Authentication server support<br />
• RADIUS servers support a large variety of EAP types, but not all<br />
Identity store<br />
• PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format<br />
• Not every identity store supports all the EAP types<br />
Identity & Authentication:<br />
Who (or What) Authenticates?<br />
Problem Statement<br />
Who should the network authenticate?<br />
• A user using a device<br />
• A device<br />
• Both the user and the device<br />
Device boot process and network connectivity assumption<br />
• Boot without using network resources: Standalone<br />
• Boot from the network: Xterm, NetPC, PXE<br />
• Boot and use network resources: networked<br />
<strong>Network</strong> File System<br />
Managed devices: Connection to LDAP, Active Directory<br />
Device health check: Patch level checker, Central AV system<br />
Example: <strong>Network</strong> Assumption<br />
Microsoft Windows boot sequence:<br />
Power On<br />
Kernel Loading<br />
Windows HAL Loading<br />
Device Driver Loading<br />
Components that depend on network connectivity (inherent assumption of <strong>Network</strong> connectivity):<br />
• Obtain <strong>Network</strong> Address (Static, DHCP)<br />
• Determine Site and DC (DNS, LDAP)<br />
• Establish Secure Channel to AD (LDAP, SMB)<br />
• Kerberos Authentication (Machine Account)<br />
• GPO based Startup Script Execution<br />
• Computer GPOs Loading (Async)<br />
• Certificate Auto Enrollment<br />
• Time Synchronization<br />
• Dynamic DNS Update<br />
GINA: earliest <strong>Network</strong> connectivity with user auth only<br />
• Kerberos Auth (User Account)<br />
• User GPOs Loading (Async)<br />
• GPO based Logon Script Execution (SMB)<br />
Components broken with <strong>802.1X</strong> user authentication only: the network-dependent components that run before GINA<br />
User authentication ONLY<br />
• Possible when the device has no dependency on network resources<br />
• Can run a user script to access network resources post login<br />
• Be careful, this can break Microsoft group and system policies (next chapter)<br />
Device authentication ONLY<br />
• Mandatory as soon as there is a dependency on <strong>Network</strong> resources<br />
• Authorization is linked to the device, not the user using the device<br />
Device and User<br />
• <strong>802.1X</strong> Device and User authentication<br />
• Authorization is highly flexible<br />
• Advanced features needed on supplicants<br />
• Synchronization needed with other applications & processes on the client PC: DHCP, DNS, NFS, etc.<br />
• Switches contexts when going from one to the other<br />
Microsoft Windows Example<br />
User and Device Authentication<br />
User Authentication: Power Up → Load NDIS Drivers → Present GINA → Windows Domain Auth → <strong>802.1X</strong> User Auth → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs<br />
* No Connectivity to Domain Controller Until User Logs In<br />
Machine Authentication: Power Up → Load NDIS drivers → <strong>802.1X</strong> Machine Auth → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs → Present GINA → Windows Domain Auth<br />
* <strong>802.1X</strong> Early in Boot Process<br />
User + Machine Authentication: Power Up → Load NDIS Drivers → <strong>802.1X</strong> Machine Auth → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs → Present GINA → <strong>802.1X</strong> User Auth → Windows Domain Auth<br />
* Users Can Be Individually Authenticated<br />
Diagram legend: <strong>Network</strong> Connectivity; Point of <strong>802.1X</strong> Authorization<br />
Configuring Machine and/or User Auth<br />
Microsoft Windows Example<br />
Mode is supplicant dependent<br />
Native MS supplicants pre-Win7<br />
• Controlled by registry keys (SP2) or XML (SP3 & Vista) & network properties authentication tab<br />
• Can be set by GPO (Wireless only for XP, Wired and Wireless for Vista)<br />
Win7 supplicants<br />
<strong>Cisco</strong> AnyConnect 3.0<br />
• Can be configured per profile<br />
• Centrally configured via Admin tool<br />
• Deployed via MSI<br />
Switch State AFTER Machine Auth<br />
Switch#show auth sess int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.5.201<br />
User-Name: host/imac-mcs-11<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: 550<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000167B812E372C<br />
Acct Session ID: 0x00001681<br />
Handle: 0x8B00067C<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
mab Not run<br />
Switch State AFTER User Auth<br />
Switch#show auth sessions int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.50.201<br />
User-Name: Administrator<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: 50<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000167D81321334<br />
Acct Session ID: 0x00001683<br />
Handle: 0x5200067E<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
mab Not Run<br />
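The two session dumps above (machine auth on slide 38, user auth on slide 39) are what an operator reads in Monitor Mode to confirm that a port authenticated the right identity, by the right method, into the right VLAN. As an added example that is not from the deck, the Python below parses that `show authentication sessions` output into a dict and runs those checks over it. The two samples are the deck's own output embedded as constructed text; the expected VLAN per identity type (550 for machines, 50 for users) is an assumption taken from the values shown, not a recommendation.<br />

```python
"""Parse IOS 'show authentication sessions interface ...' output.

Added example, not from the TECSEC-2041 deck. The two samples below are the
machine-auth and user-auth sessions shown on the deck's slides, embedded here
as constructed text. parse_auth_session() turns one session into a dict;
check_session() applies the checks an operator would run in Monitor Mode:
authorized state, which method succeeded, and VLAN policy per identity type.
The expected VLANs are assumptions for the example.
"""
import re

MACHINE_AUTH_OUTPUT = """\
Switch#show auth sess int g1/13
            Interface:  GigabitEthernet1/13
          MAC Address:  0014.5e95.d6cc
           IP Address:  10.1.5.201
            User-Name:  host/imac-mcs-11
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorised By:  Authentication Server
          Vlan Policy:  550
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A640A050000167B812E372C
      Acct Session ID:  0x00001681
               Handle:  0x8B00067C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

# The user-auth dump from the deck differs only in these fields.
USER_AUTH_OUTPUT = (MACHINE_AUTH_OUTPUT
                    .replace("10.1.5.201", "10.1.50.201")
                    .replace("host/imac-mcs-11", "Administrator")
                    .replace("Vlan Policy:  550", "Vlan Policy:  50")
                    .replace("0A640A050000167B812E372C", "0A640A050000167D81321334")
                    .replace("0x00001681", "0x00001683")
                    .replace("0x8B00067C", "0x5200067E"))

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_auth_session(text: str) -> dict:
    """Return {field: value, ..., 'methods': {method: state}} for one session."""
    session, in_methods = {"methods": {}}, False
    for line in text.splitlines():
        if "#" in line:                              # the CLI prompt line
            continue
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                session["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            session[m.group(1)] = m.group(2)
    return session


def identity_type(session: dict) -> str:
    """Windows machine accounts authenticate as host/<name>; anything else is a user."""
    return "machine" if session.get("User-Name", "").startswith("host/") else "user"


def check_session(session: dict, expected_vlan: dict) -> list:
    """Findings an operator would act on; an empty list means the session looks healthy."""
    findings = []
    if session.get("Status") != "Authz Success":
        findings.append(f"not authorized: Status={session.get('Status')}")
    succeeded = [m for m, s in session["methods"].items() if s == "Authc Success"]
    if not succeeded:
        findings.append("no authentication method succeeded")
    elif "dot1x" not in succeeded:
        findings.append(f"authenticated by fallback {succeeded}, not 802.1X")
    kind = identity_type(session)
    if session.get("Vlan Policy") != expected_vlan.get(kind):
        findings.append(f"{kind} session on VLAN {session.get('Vlan Policy')}, "
                        f"expected {expected_vlan.get(kind)}")
    return findings


# Assumed policy for the example: machines land on VLAN 550, users on VLAN 50.
EXPECTED_VLAN = {"machine": "550", "user": "50"}

if __name__ == "__main__":
    for sample in (MACHINE_AUTH_OUTPUT, USER_AUTH_OUTPUT):
        s = parse_auth_session(sample)
        print(s["User-Name"], identity_type(s), check_session(s, EXPECTED_VLAN) or "ok")
```

The "fallback" finding is the one that matters most in Monitor Mode: a session that reads Authz Success but was admitted by MAB rather than dot1x is exactly the case where open access hides a supplicant that never authenticated.<br />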
Identity & Authentication:<br />
<strong>802.1X</strong> Supplicants<br />
<strong>802.1X</strong> Supplicants<br />
Windows 7: Yes<br />
Windows Vista: Yes<br />
Windows XP: Yes<br />
Windows 2000: Yes<br />
Windows Mobile 7: Yes<br />
Linux: Yes<br />
HP-UX: Yes<br />
Solaris: Yes<br />
HP printers & switches: Yes<br />
Apple OS X: Yes<br />
Apple iOS: Yes<br />
Android: Yes<br />
<strong>Cisco</strong> IP Phone: Yes<br />
<strong>Cisco</strong> AP: Yes<br />
<strong>Cisco</strong> Switches: Yes<br />
PC Supplicant Types<br />
Operating System – MAC OS X, XP Wireless Zero Config, Vista Native, Win7 Native<br />
Hardware Specific – Intel Proset, Lenovo Access Connections<br />
Premium – <strong>Cisco</strong> AnyConnect 3.0, Juniper Odyssey<br />
Open Source –<br />
• Xsupplicant (Open 1X) – http://open1x.sourceforge.net/<br />
• WPA supplicant – http://hostap.epitest.fi/wpa_supplicant/<br />
• Secure W2 – http://www.securew2.com/<br />
Other supplicant platforms shown: Windows, Solaris, IP Phones (7921), WLAN APs, HP Jet Direct, Apple, Pocket PC<br />
Xsupplicant<br />
Open Source<br />
No additional up-front cost<br />
Username / Password<br />
Manual Connect<br />
User Authentication<br />
Server Validation<br />
Wired & wireless<br />
PEAP, TTLS, FAST, and MD5<br />
Application – Simple Authentication<br />
No outside support required<br />
WPA Supplicant<br />
Open Source<br />
Linux, BSD, Mac OS X, and Windows<br />
No additional up-front cost<br />
Wired & wireless<br />
EAP-TLS<br />
EAP-PEAP/MSCHAPv2-TLS-GTC-OTP-MD5<br />
EAP-TT LS/MD5-GTC-OTP-MSCHAPV2-TLS-PAP-CHAP<br />
EAP-SIM, EAP-AKA, EAP-PSK, EAP-FAST, EAP-PAX, EAP-SAKE, EAP-IKEv2, EAP-GPSK (experimental)<br />
LEAP<br />
Secure W2<br />
Open Source<br />
Windows suite with Windows Mobile 5/6 or Pocket PC 2003/2005 support and 2000/XP/Vista<br />
Support available<br />
Wired & wireless<br />
Plug-in for the existing Microsoft <strong>802.1X</strong>/EAP framework (EapHost)<br />
Support of EAP-TTLS and EAP-GTC<br />
Microsoft Native Supplicant: XP SP2<br />
Integral to operating system: nothing to deploy except configuration<br />
No additional cost, licensed as part of OS<br />
Same service controls wireless and wired <strong>802.1X</strong>: Wireless Zero Config (WZC)<br />
Integrated machine and user profile<br />
Registry changes required for proper operation of wired <strong>802.1X</strong><br />
EAP Types – PEAP/MSCHAPv2, PEAP/TLS, TLS, MD5<br />
Vista & XP SP3 Native Supplicant<br />
Integral to operating system<br />
nothing to deploy except configuration<br />
No additional cost, licensed as part of OS<br />
Separate services for wireless and wired <strong>802.1X</strong><br />
Wireless Zero Config (WZC)<br />
Wired AutoConfig (DOT3SVC)<br />
Machine & User Authentication<br />
PEAP-MSCHAPv2, PEAP-TLS, EAP-TLS<br />
Recommendations<br />
Use NDIS 6 NIC drivers<br />
Vista SP1<br />
Auth Fail Hot-Fix: http://support.microsoft.com/default.aspx?scid=kb;en-us;957931&sd=rss&spid=11712<br />
Windows 7 Native<br />
Integral to operating system<br />
nothing to deploy except configuration<br />
No additional cost, licensed as part of OS<br />
Separate services for wireless and wired <strong>802.1X</strong><br />
Wireless Zero Config (WZC)<br />
Wired AutoConfig (DOT3SVC)<br />
Machine & User Authentication<br />
PEAP-MSCHAPv2, PEAP-TLS, EAP-TLS<br />
Mac OSX - 10.6<br />
Wired and wireless support<br />
Username / Password, Certificates, & Tokens<br />
Machine or User Authentication<br />
Broad EAP type support<br />
No up-front licensing cost<br />
Apple supported<br />
End-user focused<br />
Intel Proset<br />
Driver Intimacy<br />
Adapter settings<br />
Radio On / Off<br />
No additional up-front costs<br />
Username / Password, Soft<br />
Certificates, Smartcards, & Tokens<br />
Broad EAP Type Support<br />
Wireless Only<br />
Supported by Intel<br />
Requires Intel NIC<br />
Odyssey<br />
Wired and wireless support<br />
Username / Password, Soft Certificates, Smartcards, & Tokens<br />
Machine & User Authentication<br />
Broad EAP type support<br />
Up-front licensing cost<br />
Juniper supported<br />
Technical user focused<br />
Applications – Enterprise environments<br />
<strong>Cisco</strong> AnyConnect 3.0 – <strong>Network</strong> Access Manager (NAM)<br />
Wired and wireless support<br />
Part of larger VPN/Web Security bundle<br />
Username / Password, Soft Certificates, Smartcards, & Tokens<br />
Machine & User Authentication<br />
Broad EAP type support<br />
<strong>Cisco</strong> supported<br />
End-user focused<br />
Applications – Enterprise environments<br />
Identity Services Engine<br />
Identity Services Engine (ISE)<br />
Policy Management for TrustSec<br />
Integrated Identity, Profiling, Posture & Guest<br />
<strong>802.1X</strong> for Identity<br />
Profiling Directly Integrated<br />
Posture from NAC Appliance<br />
Full Secure Guest Lifecycle Management<br />
For more on ISE: BRKSEC-2041<br />
ISE Capabilities<br />
Session Directory: User ID, Location, Device (& IP/MAC), Access Rights; tracks active users & devices<br />
Policy Extensibility: link in Policy Information Points<br />
Flexible Service Deployment: Admin Console, Distributed PDPs; optimize where services run<br />
Manage Security Group Access: keep existing logical design<br />
SGT Public Private<br />
Staff Permit Permit<br />
Guest Permit Deny<br />
System-wide Monitoring & Troubleshooting: consolidate data, 3-click drill-in<br />
ISE Architecture<br />
[Diagram: Admin views/configures policies and views logs/reports; an All-in-One HA Pair hosting the Policy, Monitor (M&T, logging) and Context functions; the Endpoint sends a resource access request, the switch sends request/response to Policy and enforces the result; Policy queries attributes from External Data; logging flows to M&T]<br />
DEMO Time<br />
Configuration of Windows 7 for user and machine authentication using PEAP-MSCHAPv2<br />
Switch & ISE Configurations<br />
ISE "View" Logs<br />
Configure Windows 7 for <strong>802.1X</strong> Machine and User Authentication<br />
1. Enable <strong>802.1X</strong> wired services on the Win7-PC client:<br />
a. Launch Services.<br />
b. Open the Wired AutoConfig service from the list.<br />
c. Change Startup type: to Automatic and click Apply.<br />
d. Click Start and ensure that Service status = Started.<br />
e. Click OK and close the Services window.<br />
2. Enable <strong>802.1X</strong> authentication on the Win7-PC client:<br />
a. Open the Lab Tools shortcut from the Windows desktop.<br />
b. Open the <strong>Network</strong> Connections shortcut from the Lab Tools window.<br />
c. Right-click on the entry for the Local Area Connection and select Properties. If prompted by Windows 7 User Account Control (UAC), enter the Domain Administrator credentials admin / cisco123.<br />
d. Select the Authentication tab at the top of the Properties window.<br />
Configure Windows 7 for <strong>802.1X</strong> Machine and User Authentication<br />
Verify that <strong>802.1X</strong> authentication is enabled (checked) for Enable IEEE <strong>802.1X</strong> authentication.<br />
Verify that the authentication method is set to Microsoft: Protected EAP (PEAP) and then click Settings to open the PEAP Properties page.<br />
Configure Windows 7 for <strong>802.1X</strong> Machine and User Authentication<br />
Under Select Authentication Method:, click Configure and verify that the EAP MSCHAPv2 Properties are set to enable Automatically use my Windows login name and password (and domain if any).<br />
Configure Windows 7 for <strong>802.1X</strong> Machine and User Authentication<br />
Click OK twice to close the PEAP Properties page and then click Additional Settings:<br />
Configure Windows 7 for <strong>802.1X</strong> Machine and User Authentication<br />
Verify that the Specify authentication mode setting is enabled (checked) and set to User or computer authentication.<br />
Click OK twice to save changes and exit the LAN Properties page.<br />
Demo Topology<br />
[Diagram: SSC and AC clients, ACME and widget endpoints, access VLANs 310 mgmt, 315 widget, 320 ACME, 321 voice, 340 unauth and 350 critical, and the ACME Servers: AD/DHCP, CA/DNS (Windows 2008), ISE and Call Manager]<br />
Demo Topology<br />
[Diagram: 3750X access switch (Gig 1/0/1, te1/1/1) with SSC/AC clients on Fa 0/1 and G0/1; links over 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24; server segments 10.3.10.0/24 and 10.1.200.0/24 carrying the ACME and HR servers (SGT 7 and SGT 6), UCS, AD/DHCP, CA/DNS (Windows 2008), ISE and Call Manager]<br />
Demo Topology<br />
VLAN ID Name Subnet<br />
310 MGMT 10.3.10.0/24<br />
315 Widget 10.3.15.0/24<br />
320 ACME 10.3.20.0/24<br />
321 VOICE 10.3.21.0/24<br />
340 UNAUTH 10.3.40.0/24<br />
350 CRITICAL 10.3.50.0/24<br />
Domain: demo.local<br />
AD/DHCP/DNS: 10.3.10.10<br />
ISE: 10.3.10.20<br />
ACS: 10.3.10.21<br />
Call Manager: 10.3.10.40<br />
ACME Server: 10.1.200.10<br />
HR Server: 10.1.200.20<br />
Switch Port Before Config<br />
interface GigabitEthernet1/0/4<br />
description Dot1x<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
srr-queue bandwidth share 10 10 60 20<br />
srr-queue bandwidth shape 10 0 0 0<br />
queue-set 2<br />
mls qos trust device cisco-phone<br />
mls qos trust cos<br />
auto qos voip cisco-phone<br />
spanning-tree portfast<br />
spanning-tree bpduguard enable<br />
ip verify source<br />
ip dhcp snooping limit rate 10<br />
end<br />
Switch Port After Config<br />
aaa new-model<br />
aaa authentication dot1x default group radius<br />
aaa authorization network default group radius<br />
dot1x system-auth-control<br />
radius-server attribute 8 include-in-access-req<br />
radius-server host 192.168.10.5 auth-port 1645 acct-port 1646 key cisco<br />
radius-server vsa send authentication<br />
interface GigabitEthernet1/0/15<br />
description Sample Dot1x<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
srr-queue …<br />
Switch Port Before Auth<br />
Switch#show authentication session gi1/0/15<br />
Interface: GigabitEthernet1/0/15<br />
MAC Address: Unknown<br />
IP Address: Unknown<br />
Status: Running<br />
Domain: UNKNOWN<br />
Oper host mode: single-host<br />
Oper control dir: both<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000163C37C0ED38<br />
Acct Session ID: 0x0000163E<br />
Handle: 0xD600063D<br />
Runnable methods list:<br />
Method State<br />
dot1x Running<br />
Switch Port After Auth<br />
Switch#show authentication sessions interface g1/0/15<br />
Interface: GigabitEthernet1/0/15<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.2.200<br />
User-Name: admin<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: single-host<br />
Oper control dir: both<br />
Authorized By: Authentication Server<br />
Vlan Policy: N/A<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000163D37C44E6C<br />
Acct Session ID: 0x0000163F<br />
Handle: 0x5D00063E<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
ISE – Switch as AAA Client Setup<br />
ISE – Create User in Internal Store<br />
ISE – Identity Store Sequence<br />
ISE – <strong>802.1X</strong> AuthC Policy<br />
ISE – <strong>802.1X</strong> Authz Policy<br />
Auth Details Report<br />
Identity & Authentication<br />
Non-<strong>802.1X</strong> Capable Devices & Users<br />
Default Security: Consequences<br />
Default <strong>802.1X</strong> Challenge<br />
Devices without supplicants can't send EAPoL: no EAPoL = no access (device stays offline)<br />
One physical port -> two virtual ports<br />
Uncontrolled port (EAPoL only)<br />
Controlled port (everything else)<br />
interface fastEthernet 3/48<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
MAC Authentication Bypass (MAB) for Non-<strong>802.1X</strong> Devices<br />
1. Link up<br />
2. Switch sends EAP-Identity-Request (three times); no response from the device (MAC: 00.0a.95.7f.de.06)<br />
3. <strong>802.1X</strong> times out (default <strong>802.1X</strong> timeout = 90 seconds, configurable)<br />
4. Switchport is open for one packet to learn the MAC<br />
5. Switch learns the MAC<br />
6. Switch falls back to MAB: RADIUS Access-Request with MAC 00.0a.95.7f.de.06<br />
7. RADIUS Access-Accept<br />
Significant deployment barriers:<br />
• MAB requires creating and maintaining a MAC database<br />
• 90 sec > default MSFT DHCP timeout<br />
• 90 sec > default PXE timeout<br />
<strong>802.1X</strong> with MAB<br />
Deployment Considerations<br />
MAB enables differentiated access control<br />
MAB leverages centralized policy on AAA server<br />
Dependency on <strong>802.1X</strong> timeout -> delayed network access<br />
• Default timeout is 30 seconds with three retries (90 seconds total)<br />
• 90 seconds > DHCP timeout.<br />
MAB requires a database of known MAC addresses<br />
[Diagram: switch with a Printer VLAN and a Guest VLAN sending RADIUS requests to ISE, backed by an LDAP MAC database]<br />
Considerations: MAC Databases<br />
Method | What is it? | Advantages | Problems | Use Case<br />
OUI Wildcards | Use 3-byte identifier | Easy to add lots of devices | No granularity ('Add all HP printers') | <br />
ISE local database with RADIUS server | | Readily available | No central repository for all IDs | 'RADIUS only'<br />
Active Directory | Central directory service | Central repository | Should have support for [IEEE 802] object, password complexity GPO | 'All in one'<br />
Device Profiling | Automatic building of MAC database | Automated | Need certain methods to make it reliably identify devices | 'Handle unknown devices'<br />
LDAP | Central directory | Standards based | Manually populated and maintained | 'Leverage existing db'<br />
MAB<br />
DEMO Time<br />
ISE – MAB Service AuthC Policy<br />
ISE – MAB Authz Policy<br />
Switch: Adding 'MAB'<br />
interface GigabitEthernet1/0/15<br />
description Dot1x Demo with MAB and Guest VLAN<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
authentication event no-response action authorize vlan 40<br />
dot1x timeout tx-period 10<br />
dot1x max-reauth-req 2<br />
mab<br />
spanning-tree portfast<br />
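As an added example (not part of the session deck), the timer arithmetic behind the slides' 90-second default, applied to the stanza above: the switch waits tx-period seconds after each of the max-reauth-req + 1 EAP-Identity-Requests before it falls back. The 60-second client timeout passed in is an assumed value; the deck only states that 90 s exceeds the default DHCP and PXE timeouts.

```python
"""Work out, from a Cisco IOS interface stanza, how long a host with no
supplicant waits before the port gives up on EAPoL and falls back to MAB,
and whether that exceeds a client-side timeout such as DHCP's."""
import re

# IOS defaults as stated on the slides: tx-period 30 s and three
# EAP-Identity-Requests (max-reauth-req 2), 90 s in total before fallback.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2

# Constructed copy of the "Switch: Adding MAB" stanza from the slide.
MAB_STANZA = """\
interface GigabitEthernet1/0/15
 description Dot1x Demo with MAB and Guest VLAN
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 dot1x pae authenticator
 authentication port-control auto
 authentication event no-response action authorize vlan 40
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 spanning-tree portfast
"""

# Constructed copy of the earlier "Switch Port After Config" stanza:
# 802.1X only, default timers, no MAB and no guest VLAN.
DOT1X_ONLY_STANZA = """\
interface GigabitEthernet1/0/15
 description Sample Dot1x
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 dot1x pae authenticator
 authentication port-control auto
"""


def parse_stanza(text):
    """Pull the fallback-relevant settings out of one interface stanza."""
    cfg = {"tx_period": DEFAULT_TX_PERIOD,
           "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
           "mab": False, "guest_vlan": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"dot1x timeout tx-period (\d+)$", line)
        if m:
            cfg["tx_period"] = int(m.group(1))
        m = re.match(r"dot1x max-reauth-req (\d+)$", line)
        if m:
            cfg["max_reauth_req"] = int(m.group(1))
        m = re.match(r"authentication event no-response action authorize "
                     r"vlan (\d+)$", line)
        if m:
            cfg["guest_vlan"] = int(m.group(1))
        if line == "mab":
            cfg["mab"] = True
    return cfg


def fallback_delay(tx_period, max_reauth_req):
    """Seconds from link-up to the 802.1X timeout: one EAP-Identity-Request
    plus max_reauth_req retries, each waited for tx_period seconds, so
    tx_period * (max_reauth_req + 1).  ('dot1x max-req' is a different knob:
    retries of later EAP requests once a supplicant has already answered.)"""
    return tx_period * (max_reauth_req + 1)


def assess(text, client_timeout):
    """client_timeout is the caller's assumption for how long the host's
    DHCP (or PXE) client keeps trying before it gives up."""
    cfg = parse_stanza(text)
    delay = fallback_delay(cfg["tx_period"], cfg["max_reauth_req"])
    if cfg["mab"]:
        then = "mab"
    elif cfg["guest_vlan"] is not None:
        then = "guest-vlan %d" % cfg["guest_vlan"]
    else:
        then = "no access"          # the default 802.1X consequence
    return {"fallback_seconds": delay, "then": then,
            "client_gives_up_first": delay > client_timeout}


if __name__ == "__main__":
    for name, stanza in (("MAB stanza", MAB_STANZA),
                         ("802.1X-only stanza", DOT1X_ONLY_STANZA)):
        print(name, assess(stanza, client_timeout=60))
```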
Switch: MAB Success<br />
Switch#show authentication session int g1/0/15<br />
Interface: GigabitEthernet1/0/15<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.2.200<br />
User-Name: 00-14-5E-95-D6-CC<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: single-host<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: N/A<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A05000016475BE3EF40<br />
Acct Session ID: 0x0000164A<br />
Handle: 0xFE000648<br />
Runnable methods list:<br />
Method State<br />
dot1x Failed over<br />
mab Authc Success<br />
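An added example (not from the deck) that parses the "show authentication sessions" output shown on this slide and on the earlier "Switch Port After Auth" and "Before Auth" slides, and tells a port authorized by a supplicant apart from one that fell over to MAB; the sample blocks are constructed from those slides, and the check that a MAB identity equals the session MAC is an assumed audit rule.

```python
"""Parse 'show authentication sessions interface <port>' output from a Cisco
IOS switch and classify how each session was authorized, so ports that were
admitted on MAC address alone (MAB fallback) can be inventoried."""
import re

# Constructed samples modelled on the slide output.
MAB_SESSION = """\
            Interface:  GigabitEthernet1/0/15
          MAC Address:  0014.5e95.d6cc
           IP Address:  10.1.2.200
            User-Name:  00-14-5E-95-D6-CC
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
    Common Session ID:  0A640A05000016475BE3EF40
      Acct Session ID:  0x0000164A
               Handle:  0xFE000648
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

DOT1X_SESSION = """\
            Interface:  GigabitEthernet1/0/15
          MAC Address:  0014.5e95.d6cc
           IP Address:  10.1.2.200
            User-Name:  admin
               Status:  Authz Success
               Domain:  DATA
Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

PENDING_SESSION = """\
            Interface:  GigabitEthernet1/0/15
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
Runnable methods list:
       Method   State
       dot1x    Running
"""


def parse_session(text):
    """Split one session block into (fields, methods) dictionaries."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)        # e.g. "dot1x    Failed over"
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        m = re.match(r"([A-Za-z][\w\- ]*?):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields, methods


def normalize_mac(text):
    """Reduce 0014.5e95.d6cc / 00-14-5E-95-D6-CC / 00:14:5e:95:d6:cc to
    12 lower-case hex digits; return None for anything that is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    return digits.lower() if len(digits) == 12 else None


def classify(fields, methods):
    """Return 'dot1x', 'mab-fallback', 'pending' or 'other'."""
    authorized = fields.get("Status") == "Authz Success"
    if authorized and methods.get("dot1x") == "Authc Success":
        return "dot1x"
    if authorized and methods.get("mab") == "Authc Success":
        # dot1x shows "Failed over": the host never answered EAPoL, so the
        # port was authorized on its MAC address alone.
        return "mab-fallback"
    if fields.get("Status") == "Running":
        return "pending"
    return "other"


def audit(text):
    """Parse and classify one block; for MAB sessions also confirm that the
    RADIUS User-Name is the session MAC, since MAB sends the MAC as identity
    (assumed audit rule, not something the switch enforces)."""
    fields, methods = parse_session(text)
    kind = classify(fields, methods)
    result = {"interface": fields.get("Interface"), "kind": kind,
              "user": fields.get("User-Name")}
    if kind == "mab-fallback":
        result["identity_is_mac"] = (
            normalize_mac(fields.get("User-Name", ""))
            == normalize_mac(fields.get("MAC Address", "")))
    return result


if __name__ == "__main__":
    for block in (MAB_SESSION, DOT1X_SESSION, PENDING_SESSION):
        print(audit(block))
```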
ISE: MAB Success<br />
Local Web Auth (LWA) for non-1X User<br />
1. "Flex Auth": multiple triggers, single port config: <strong>802.1X</strong> timeout, <strong>802.1X</strong> failure, MAB failure<br />
2. Port enabled, ACL applied<br />
3. Host acquires IP address (DHCP/DNS), triggers session state<br />
4. Host opens browser; switch presents login page; host sends password<br />
5. Switch queries AAA server; server authorizes user; AAA server returns policy<br />
6. Switch applies new ACL policy<br />
<strong>802.1X</strong> with LWA<br />
Deployment Considerations<br />
LWA is only for users (not devices)<br />
• browser required<br />
• manual entry of username/password<br />
LWA can be a fallback from <strong>802.1X</strong> or MAB.<br />
LWA and Guest VLAN* are mutually exclusive<br />
LWA supports ACL authorization only – No VLAN change<br />
LWA behind an IP Phone requires Multi-Domain Authentication* (MDA) or Multi-Auth<br />
LWA supports limited web portal customization<br />
No native support for advanced services including AUP, CP, Change Password, Self-Registration, or Device Registration.<br />
No Change of Authorization (COA) support; therefore access policy cannot be changed based on posture or profiling state.<br />
* To be discussed in later sections<br />
Central Web Auth (CWA) for non-1X User<br />
1. "Flex Auth": multiple triggers, single port config: <strong>802.1X</strong> timeout, <strong>802.1X</strong> failure, MAB success<br />
2. MAB AuthC success; AuthZ for unknown user returned by the ISE PDP: URL Redirect + dACL/VLAN<br />
3. Host acquires IP address (DHCP/DNS)<br />
4. Host opens browser; switch redirects browser to ISE CWA page; login page; host sends username/password<br />
5. Server authorizes user (AUP process, if configured); web auth success results in CoA<br />
6. MAB re-auth: MAC success; session lookup, policy matched; authorization dACL/VLAN returned<br />
Centralized Web Authentication (CWA)<br />
<strong>802.1X</strong> with CWA<br />
Deployment Considerations<br />
CWA is only for users (not devices)<br />
• browser required<br />
• manual entry of username/password<br />
CWA can be a fallback from <strong>802.1X</strong> as part of MAB.<br />
Web-Auth and Guest VLAN* are mutually exclusive<br />
CWA supports ACL and VLAN authorization<br />
VLAN change requires IP refresh via browser applet or agent<br />
CWA behind an IP Phone requires Multi-Domain Authentication* (MDA) or Multi-Auth<br />
Native support for advanced services including AUP, Change Password, Self-Registration, or Device Registration.<br />
Supports integrated client provisioning, posture and profiling with COA support (dynamic reauthorization of access policy)<br />
* To be discussed in later sections<br />
Web-Auth<br />
Demo Time<br />
© 2009, <strong>Cisco</strong> Systems, Inc. All rights reserved.<br />
TECSEC-2041.scr<br />
ISE – Create dACL for Web-Auth<br />
ISE – Create Web-Auth Authz Profile<br />
ISE – Web-Auth to use the Default Authc Policy<br />
ISE – Web-Auth Authz to use Default<br />
Switch: Local Web auth Configuration<br />
ip admission name RULE1 proxy http<br />
ip device tracking<br />
ip http server<br />
ip http secure-server<br />
fallback profile WEB-AUTH<br />
ip access-group DEFAULT-ACCESS in<br />
ip admission RULE1<br />
aaa authentication login default group radius<br />
aaa authentication login line-console none<br />
aaa authorization auth-proxy default group radius<br />
ip access-list extended DEFAULT-ACCESS<br />
remark Allow DHCP<br />
permit udp any eq bootpc any eq bootps<br />
remark Allow DNS<br />
permit udp any any eq domain<br />
remark Allow HTTP<br />
permit tcp any any eq www<br />
remark Allow ICMP for test purposes<br />
permit icmp any any<br />
remark Implicit Deny<br />
deny ip any any<br />
line con 0<br />
login authentication line-console<br />
interface GigabitEthernet1/0/15<br />
description Dot1x Demo with MAB and Web-Auth<br />
switchport access vlan 2<br />
switchport voice vlan 200<br />
switchport mode access<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
no authentication event no-response<br />
dot1x timeout tx-period 10<br />
dot1x max-req<br />
mab<br />
spanning-tree portfast<br />
authentication fallback WEB-AUTH<br />
radius-server attribute 8 include-in-access-req<br />
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxx<br />
radius-server vsa send authentication<br />
Switch: Central Web auth Configuration<br />
ip device tracking<br />
ip http server<br />
ip http secure-server<br />
aaa authentication login default group radius<br />
aaa authentication login line-console none<br />
aaa authorization auth-proxy default group radius<br />
ip access-list extended DEFAULT-ACCESS<br />
remark Allow DHCP<br />
permit udp any eq bootpc any eq bootps<br />
remark Allow DNS<br />
permit udp any any eq domain<br />
remark Allow HTTP<br />
permit tcp any any eq www<br />
remark Allow ICMP for test purposes<br />
permit icmp any any<br />
remark Implicit Deny<br />
deny ip any any<br />
line con 0<br />
login authentication line-console<br />
interface GigabitEthernet1/0/15<br />
description Dot1x Demo with MAB and Web-Auth<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
ip access-group DEFAULT-ACCESS in<br />
authentication event fail action next-method<br />
authentication host-mode multi-domain<br />
authentication open<br />
authentication order mab dot1x<br />
authentication priority dot1x mab<br />
authentication port-control auto<br />
authentication violation restrict<br />
mab<br />
dot1x pae authenticator<br />
dot1x timeout tx-period 10<br />
spanning-tree portfast<br />
radius-server attribute 6 on-for-login-auth<br />
radius-server attribute 8 include-in-access-req<br />
radius-server attribute 25 access-request include<br />
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxx<br />
radius-server vsa send authentication<br />
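An added example (not from the deck) that reads the DEFAULT-ACCESS pre-auth ACL used in both web-auth configurations above and evaluates constructed packets against it, to confirm what a host can reach before it has logged in; the host address 10.3.40.50 is an assumed address in the demo's UNAUTH subnet, and the server addresses are the ones from the demo topology.

```python
"""Evaluate constructed packets against the pre-auth ACL (DEFAULT-ACCESS)
from the web-auth configuration, to show exactly what an unauthenticated
host can reach before it logs in."""

# Constructed copy of the DEFAULT-ACCESS ACL shown on the slide.
DEFAULT_ACCESS = """\
ip access-list extended DEFAULT-ACCESS
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Allow HTTP
 permit tcp any any eq www
 remark Allow ICMP for test purposes
 permit icmp any any
 remark Implicit Deny
 deny ip any any
"""

# IOS port keywords used in the ACL, mapped to port numbers.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}


def _parse_endpoint(tokens):
    """Consume one address spec ('any' or 'host A.B.C.D') plus an optional
    'eq <port>' qualifier; return ((addr, port), remaining tokens).
    None in either position means 'match anything'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError("unsupported address spec: %s" % tokens[0])
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return (addr, port), tokens


def parse_acl(text):
    """Return an ordered list of (action, proto, (src, sport), (dst, dport));
    the header line and remarks are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_endpoint(rest)
        dst, rest = _parse_endpoint(rest)
        entries.append((action, proto, src, dst))
    return entries


def _match(spec, addr, port):
    want_addr, want_port = spec
    return want_addr in (None, addr) and want_port in (None, port)


def evaluate(entries, proto, src, sport, dst, dport):
    """First-match evaluation, as IOS does it; falls through to deny, which
    the slide's ACL also spells out as its last line."""
    for action, acl_proto, src_spec, dst_spec in entries:
        if acl_proto not in ("ip", proto):
            continue
        if _match(src_spec, src, sport) and _match(dst_spec, dst, dport):
            return action
    return "deny"


def preauth_exposure(entries, packets):
    """Classify a dict of labelled packets; returns {label: action}."""
    return {label: evaluate(entries, *pkt) for label, pkt in packets.items()}


# Constructed packets from an unauthenticated host (assumed 10.3.40.50 in
# the demo's UNAUTH VLAN) towards the demo's AD/DNS, ISE and HR servers.
SAMPLE_PACKETS = {
    "dhcp discover":    ("udp",  "0.0.0.0",    68,    "255.255.255.255", 67),
    "dns query":        ("udp",  "10.3.40.50", 51000, "10.3.10.10",      53),
    "http to portal":   ("tcp",  "10.3.40.50", 52000, "10.3.10.20",      80),
    "https":            ("tcp",  "10.3.40.50", 52001, "10.3.10.20",      443),
    "smb to HR server": ("tcp",  "10.3.40.50", 52002, "10.1.200.20",     445),
    "ping HR server":   ("icmp", "10.3.40.50", None,  "10.1.200.20",     None),
}

if __name__ == "__main__":
    # Note that the 'for test purposes' ICMP line lets the unauthenticated
    # host ping internal servers; it is the one rule to drop for production.
    for label, action in preauth_exposure(parse_acl(DEFAULT_ACCESS),
                                          SAMPLE_PACKETS).items():
        print("%-18s %s" % (label, action))
```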
Web Auth User Experience<br />
Identity & Authentication<br />
Further Restrictions<br />
Default Security: More Consequences<br />
Only one MAC is allowed to authenticate on a port<br />
• VMWare, Phones, Hubs, Grat Arp…<br />
interface fastEthernet 3/48<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
Authorization<br />
Various Authorization Mechanisms<br />
Identity provides various authorization mechanisms for policy enforcement.<br />
Three major enforcement mechanisms:<br />
• Dynamic VLAN assignment – Ingress<br />
• Downloadable per session ACL – Ingress<br />
• Security Group Access Control List (SGACL) – Egress<br />
Session-based on-demand authorization: Change of Authorization (RFC3576)<br />
• Disconnect Message<br />
• Re-authentication<br />
• Port Bounce<br />
• Port Down<br />
Access Layer Authorization<br />
Primarily done with VLANs today<br />
VLANs with <strong>802.1X</strong> are ubiquitous<br />
Very simple policy management for small numbers of groups<br />
Downloadable ACLs (dACLs) are now of interest because they allow customers to avoid changing their network<br />
dACLs scale to a point and then become ineffective due to the number of destinations<br />
Download all destinations that you need to protect or none<br />
If you have to download destinations, at moderate scale you need to download only the destinations relevant to the location of the access device. This must be done to keep TCAM utilization to a minimum<br />
Drivers for scaling Access Control<br />
NAC<br />
Effective way to isolate quarantine hosts from healthy hosts<br />
Less operational cost in policy and network operations<br />
Guest<br />
Effective way to isolate guests from one another within whatever traffic isolation technique the guests require<br />
"Normal" enterprise security isolation for local services.<br />
In retail stores only authorized users/devices should access the store controller.<br />
Embedded Devices that have not traditionally been on the enterprise IP network<br />
HVAC, Video Surveillance, etc.<br />
Challenge of Ingress Access Control<br />
<strong>802.1X</strong>/MAB/Web Auth<br />
VLAN<br />
Assignment<br />
ACL<br />
Download<br />
• Can I create / manage the new VLANs or IP Address scope?<br />
• How do I deal with DHCP refresh in new subnet?<br />
• How do I manage ACL on VLAN interface?<br />
• Does protocol such as PXE or WOL work with VLAN assignment?<br />
• Any impact to the route summarization?<br />
• Who's going to maintain ACLs?<br />
• What if my destination IP addresses are changed?<br />
• Does my switch have enough TCAM to handle all requests?<br />
Traditional access authorization methods leave some deployment concerns<br />
Detailed design before deployment is required, otherwise…<br />
Not so flexible for changes required by today's business<br />
Access control project ends up with redesigning the whole network<br />
If VLANs are used for the use cases<br />
<strong>802.1X</strong>/MAB/Web Auth<br />
VLAN<br />
Assignment<br />
Per Use Case<br />
Embedded VLAN<br />
Guest VLAN<br />
Quarantine VLAN<br />
Enterprise VLAN1<br />
Enterprise VLAN2<br />
Voice VLAN<br />
• One VLAN per use case. Now there are at a minimum 4 additional VLANs<br />
• A user in multiple groups doesn't map to a single VLAN cleanly<br />
• This notion of "VLAN Proliferation" is such a problem that there is an EAB group formed on it.<br />
• VLAN change has significant impact on end hosts<br />
• Significant network redesign<br />
If dACLs are used for the use cases<br />
<strong>802.1X</strong>/MAB/Web Auth<br />
ACE per<br />
use case<br />
host<br />
Embedded Host Range(s)<br />
NAC Host Range(s)<br />
Enterprise Server Role (s)<br />
Guest Role (s)<br />
• Significant overhead to maintain ACLs at ingress (outside of firewall)<br />
• TCAM implications at ingress (one ACE for every host/range to protect on the<br />
network)<br />
Security Group Access<br />
I'm a contractor<br />
My group is IT Admin<br />
<strong>802.1X</strong>/MAB/Web Auth<br />
Contractor<br />
& IT Admin<br />
SGT = 100<br />
SGT = 100<br />
SGACL<br />
Security Group Based Access Control allows customers<br />
To keep existing logical design at access layer<br />
To change / apply policy to meet today's business requirement<br />
To distribute policy from central management server<br />
Database (SGT=4)<br />
IT Server (SGT=10)<br />
Security Group Access<br />
Key Features<br />
Security Group Based<br />
Access Control<br />
Authenticated<br />
<strong>Network</strong>ing<br />
Environment<br />
Confidentiality<br />
and<br />
Integrity<br />
SGT capable device<br />
Topology independent access control based on roles<br />
Scalable ingress tagging (SGT) / egress filtering<br />
(SGACL)<br />
Centralized Policy Management / Distributed Policy<br />
Enforcement<br />
Endpoint admission enforced via <strong>802.1X</strong> authentication,<br />
MAB, Web Auth (<strong>Cisco</strong> Identity compatibility)<br />
<strong>Network</strong> device admission control based on <strong>802.1X</strong><br />
creates trusted networking environment<br />
Only trusted network imposes Security Group TAG<br />
Encryption based on IEEE802.1AE (AES-GCM 128-Bit)<br />
Wire rate hop by hop layer 2 encryption<br />
Key management based on 802.11n (SAP) standardized<br />
in <strong>802.1X</strong>-2010<br />
Security Group Based Access Control<br />
Security<br />
Group<br />
Tag<br />
SG SGACL<br />
Customer Benefits<br />
Unique 16 bit (65K) tag assigned to unique role<br />
Represents privilege of the source user, device, or entity<br />
Tagged at ingress of TrustSec domain<br />
Filtered (SGACL) at egress of TrustSec domain<br />
No IP address required in ACE (IP address is bound to SGT)<br />
Policy (ACL) is distributed from central policy server (ACS) or<br />
configured locally on TrustSec device<br />
Provides topology independent policy<br />
Flexible and scalable policy based on user role<br />
Centralized Policy Management for Dynamic policy provisioning<br />
Egress filtering reduces TCAM impact<br />
Layer 2 SGT Frame Format<br />
802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead<br />
Frame is always tagged at ingress port of SGT capable device<br />
Tagging process prior to other L2 service such as QoS<br />
No impact on IP MTU/fragmentation<br />
Ethernet frame fields: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (Authenticated: DMAC through PAYLOAD; Encrypted: 802.1Q through PAYLOAD)<br />
CMD (<strong>Cisco</strong> Meta Data) fields: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options<br />
L2 Frame MTU Impact: ~40 bytes, less than a baby giant frame (~1600 bytes with 1552 bytes MTU)<br />
Traditional Access Control<br />
(Figure: users S1 to S4 in the groups Managers, HR Rep, IT Admins and Sales on the source side; servers D1 to D6 in the groups HR and Finance on the destination side)<br />
S1 to D1 Access Control:<br />
permit tcp S1 D1 eq https<br />
permit tcp S1 D1 eq 8081<br />
permit tcp S1 D1 eq 445<br />
deny ip S1 D1<br />
<strong>Network</strong> Admin manages every IP source to IP destination relationship explicitly<br />
# of ACEs = (# of sources) * (# of Destinations) * permissions<br />
ACE # grows as # users/servers increases<br />
How SGACL simplifies Access Control<br />
(Figure: four user Security Groups (Source), each x 100 users: MGMT A (SGT10), MGMT B (SGT20), HR Rep (SGT30), IT Admins (SGT40); SGACL enforced between them and three server Security Groups (Destination), each with 10 <strong>Network</strong> Resources: Sales SRV (SGT400), HR SRV (SGT500), Finance SRV (SGT600))<br />
• <strong>Network</strong> Admin manages every source "group" to destination "group" relationship<br />
• This abstracts the network topology from the policy and reduces the number of policy rules the admin has to maintain<br />
• <strong>The</strong> network automates the alignment of users/servers to groups<br />
Security Group Access –<br />
SGT Assignment<br />
SGT Assignment<br />
Just like VLAN Assignment or dACL, we assign SGT in authorization process<br />
Campus/Mobile endpoints<br />
Every endpoint that touches TrustSec domain is classified with SGT<br />
SGT can be sent to switch via RADIUS authorization after:<br />
• <strong>802.1X</strong> Authentication<br />
• MAC Authentication Bypass<br />
• Web Authentication Bypass<br />
• Or Static IP-to-SGT binding on SW<br />
Full integration with <strong>Cisco</strong> Identity Solution<br />
Data Center / Servers<br />
Every server that touches TrustSec domain is classified with SGT<br />
SGT is usually assigned to those servers:<br />
• via Manual IP-to-SGT binding on TrustSec device<br />
• via IP-to-Port Mapping<br />
Assigning Users / Servers to SGTs<br />
User Security Groups (Source): HR (SGT 8), IT Admin (SGT 5), ACME (SGT 10), Guest (SGT 15)<br />
SGACL<br />
Server Security Groups (Destination): HR Server (SGT 10), IT Portal (SGT 4), Internal Portal (SGT 9), Public Portal (SGT 8)<br />
Security Group Access –<br />
SGACL Policy<br />
How To Create SGT Policy<br />
Source SGT \ Destination SGT: Public Portal (SGT 8) | Internal Portal (SGT 9) | ACME Portal (SGT 5) | HR Server (SGT 6)<br />
HR User (SGT 4): Web | Web | No Access | Web<br />
IT Admin (SGT 7): IT Maintenance ACL (File Share, Web, SSH, RDP); Full Access; SSH, RDP, File Share<br />
IT Maintenance ACL expanded (service labels in parentheses):<br />
permit tcp dst eq 443 (Web)<br />
permit tcp dst eq 80 (Web)<br />
permit tcp dst eq 22 (SSH)<br />
permit tcp dst eq 3389 (RDP)<br />
permit tcp dst eq 135 (File Share)<br />
permit tcp dst eq 136 (File Share)<br />
permit tcp dst eq 137 (File Share)<br />
permit tcp dst eq 138 (File Share)<br />
permit tcp dst eq 139 (File Share)<br />
deny ip<br />
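The policy matrix above and the ACE-count argument from the "Traditional Access Control" and "How SGACL simplifies Access Control" slides can be tried in a few lines. As an added example (not <strong>Cisco</strong>'s implementation and not ACS/ISE output), the Python below evaluates a flow by its (source SGT, destination SGT) pair using the slide's HR User row and the IT Maintenance ACL expansion, then counts the ACEs that policy needs in SGACL form against the explicit per-host form, using the 100 users per source group and 10 resources per destination group from the earlier slide. The IT Admin row, the user IP addresses and the handling of an unbound source as SGT 0 ("Unknown", as the NDAC slide describes it) are constructed assumptions; the server addresses are the ones on the enforcement slide.<br />

```python
"""SGACL policy matrix: evaluate flows by (source SGT, destination SGT)
and compare the ACE count against an explicit per-host ACL.
Added example, not Cisco's implementation."""
from ipaddress import ip_address

# Services from the slide's policy matrix, expanded to the TCP ports the
# slide's "IT Maintenance ACL" lists for them.
SERVICES = {
    "Web": [443, 80],
    "SSH": [22],
    "RDP": [3389],
    "File Share": [135, 136, 137, 138, 139],
}

# Policy matrix cell: (source SGT, destination SGT) -> permitted services.
# [] means "No Access"; "Full Access" permits all IP traffic.
# The HR User row is the slide's; the IT Admin row is constructed here.
POLICY = {
    (4, 8): ["Web"], (4, 9): ["Web"], (4, 5): [], (4, 6): ["Web"],
    (7, 8): ["Web", "SSH", "RDP", "File Share"],
    (7, 9): ["Web", "SSH", "RDP", "File Share"],
    (7, 5): ["Full Access"],
    (7, 6): ["SSH", "RDP", "File Share"],
}

# IP-to-SGT bindings: server addresses/SGTs from the enforcement slide,
# user addresses constructed for this example.
IP_TO_SGT = {
    "10.1.200.10": 6,  # HR Server
    "10.1.100.10": 5,  # ACME Server
    "10.1.10.21": 4,   # an HR user (constructed)
    "10.1.10.42": 7,   # an IT admin (constructed)
}
UNKNOWN_SGT = 0  # traffic from an unbound/untrusted source carries the "Unknown" SGT

# Group sizes from the "How SGACL simplifies Access Control" slide:
# 100 users per source group, 10 network resources per destination group.
GROUP_SIZES = {4: 100, 7: 100, 8: 10, 9: 10, 5: 10, 6: 10}


def expand_sgacl(services):
    """Turn a matrix cell into ordered ACEs: (action, protocol, dst_port|None)."""
    if "Full Access" in services:
        return [("permit", "ip", None)]
    aces = [("permit", "tcp", port) for svc in services for port in SERVICES[svc]]
    aces.append(("deny", "ip", None))  # every SGACL on the slide ends with deny ip
    return aces


def lookup_sgt(ip):
    """SGT bound to an address; an unbound source maps to SGT 0 (Unknown)."""
    ip_address(ip)  # raises on a malformed literal
    return IP_TO_SGT.get(ip, UNKNOWN_SGT)


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Egress decision for one flow. No ACE mentions an IP address: the
    lookup key is the (source SGT, destination SGT) pair."""
    cell = POLICY.get((lookup_sgt(src_ip), lookup_sgt(dst_ip)))
    if cell is None:
        return "deny"  # no cell for this pair, e.g. an Unknown-SGT source
    for action, p, port in expand_sgacl(cell):
        if p == "ip" or (p == proto and port == dst_port):
            return action
    return "deny"


def ace_count_per_host(policy, sizes):
    """ACEs needed when every source host to destination host pair is
    written out: (# of sources) * (# of destinations) * permissions."""
    return sum(sizes[s] * sizes[d] * len(expand_sgacl(cell))
               for (s, d), cell in policy.items())


def ace_count_sgacl(policy):
    """ACEs needed with one SGACL per (source group, destination group)."""
    return sum(len(expand_sgacl(cell)) for cell in policy.values())


if __name__ == "__main__":
    print(evaluate("10.1.10.21", "10.1.200.10", "tcp", 443))   # HR user -> HR Server web
    print(ace_count_per_host(POLICY, GROUP_SIZES), ace_count_sgacl(POLICY))
```

The two counts differ by exactly the product of the group sizes (1000 here), which is the "x 100" and "10 <strong>Network</strong> Resources" multiplier the slide draws; the policy itself never changes, only where the matching happens.<br />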
SGACL Policy on ACS<br />
Security Group based Access Control<br />
How Enforcement Works<br />
(Figure: Users/Endpoints authenticate with <strong>802.1X</strong> at a Catalyst 3750-E access switch; the authenticated IT Admin user (SGT 7) sends untagged frames on the access link and the switch forwards tagged frames through Cat 6500 w/ SUP 2T core and distribution switches in the Campus <strong>Network</strong>; ISE 1.0 and Active Directory provide the back end; the HR Server (SGT 6, 10.1.200.10) and ACME Server (SGT 5, 10.1.100.10) sit in VLAN200 behind the distribution layer; the traffic shown is Web)<br />
SGA6K-DC#show cts role-based counters<br />
Role-based IPv4 counters<br />
From To SW-Denied HW-Denied SW-Permitted HW_Permitted<br />
* * 0 0 677 13463<br />
4 5 0 0 0 0<br />
7 5 634 597 0 0<br />
3 6 0 0 0 0<br />
4 6 0 0 0 0<br />
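The counters output on this slide is the place where SGACL enforcement becomes visible, and it is worth polling. As an added example (not <strong>Cisco</strong> tooling), the Python below parses the show cts role-based counters output as transcribed from the slide, names the SGTs using the values on these slides, lists the cells that are denying traffic, and computes the growth of the denied counter between two snapshots, since the counters are cumulative and a monitoring job should alert on new drops rather than on an old total. The second snapshot is constructed; SGT 3 has no name on the slides and is reported by number.<br />

```python
"""Parse 'show cts role-based counters' and surface denying cells.
Added example for monitoring SGACL enforcement; not Cisco tooling."""
import re

# Transcribed from the slide's switch output (SGA6K-DC).
SNAPSHOT_1 = """\
SGA6K-DC#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
*       *       0          0          677           13463
4       5       0          0          0             0
7       5       634        597        0             0
3       6       0          0          0             0
4       6       0          0          0             0
"""

# Constructed later snapshot: 7->5 keeps growing and 4->5 starts denying.
SNAPSHOT_2 = """\
From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
*       *       0          0          700           14000
4       5       3          0          0             0
7       5       640        650        0             0
3       6       0          0          0             0
4       6       0          0          12            0
"""

# SGT names from the enforcement slide; SGT 3 has no name on the slides.
SGT_NAMES = {4: "HR User", 7: "IT Admin", 5: "ACME Server", 6: "HR Server"}

ROW = re.compile(r"^\s*(\*|\d+)\s+(\*|\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_role_based_counters(text):
    """One dict per counter row; the '*' catch-all cell becomes None/None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, title and header lines carry no counters
        src, dst = (None if g == "*" else int(g) for g in m.group(1, 2))
        rows.append({"from": src, "to": dst,
                     "denied": int(m.group(3)) + int(m.group(4)),      # SW + HW
                     "permitted": int(m.group(5)) + int(m.group(6))})  # SW + HW
    return rows


def sgt_name(sgt):
    return "any" if sgt is None else SGT_NAMES.get(sgt, f"SGT {sgt}")


def denied_cells(rows, min_denied=1):
    """(from, to, denied) for every explicit cell with at least min_denied drops."""
    return [(r["from"], r["to"], r["denied"])
            for r in rows if r["from"] is not None and r["denied"] >= min_denied]


def denied_delta(before, after):
    """Growth of the denied counter per explicit cell between two snapshots."""
    prev = {(r["from"], r["to"]): r["denied"] for r in before}
    delta = {}
    for r in after:
        key = (r["from"], r["to"])
        growth = r["denied"] - prev.get(key, 0)
        if r["from"] is not None and growth > 0:
            delta[key] = growth
    return delta


def report(rows):
    """Human-readable lines for the denying cells, e.g. for a ticket or alert."""
    return [f"{sgt_name(f)} (SGT {f}) -> {sgt_name(t)} (SGT {t}): {d} packets denied"
            for f, t, d in denied_cells(rows)]
```

On the slide's own numbers the only denying cell is IT Admin (SGT 7) to ACME Server (SGT 5), which is exactly what an admin would expect to see after pushing a new policy, and also what a mis-bound server IP looks like; the delta between polls separates the two cases over time.<br />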
Confidentiality and Integrity –<br />
MACSec based encryption<br />
Confidentiality and Integrity<br />
Securing Data Path with MACSec<br />
Media Access Control Security (MACSec)<br />
• Provides "WLAN / VPN equivalent" encryption (128bit AES GCM) to LAN connection<br />
• NIST approved* encryption (IEEE802.1AE) + Key Management (IEEE<strong>802.1X</strong>-2010/MKA)<br />
• Allows the network to continue to perform auditing (Security Services)<br />
* National Institute of Standards and Technology Special Publication 800-38D<br />
(Figure: a supplicant with MACSec authenticates via <strong>802.1X</strong> and its traffic crosses the MACSec link between MACSec capable devices as ciphertext, shown as &^*RTW#(*J^*&*sd#J$%UJ&(, encrypted and decrypted at each hop; a guest user's data is sent in the clear)<br />
Note: Cat3750-X currently supports MACSec on downlink only<br />
Hop-by-Hop Encryption via IEEE 802.1AE<br />
"Bump-in-the-wire" model<br />
-Packets are encrypted on egress<br />
-Packets are decrypted on ingress<br />
-Packets are in the clear in the device<br />
Allows the network to continue to perform all the packet inspection features currently used<br />
(Figure: 128bit AES GCM encryption on each link; decrypt at ingress, everything in clear inside the ASIC, encrypt at egress)<br />
802.1AE (MACSec) Tagging<br />
SGA Frame Format<br />
SGA frame: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC<br />
MACSec Tag Format (802.1AE Header): MACSec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)<br />
Authenticated: DMAC through PAYLOAD, covered by the ICV; Encrypted: 802.1Q through PAYLOAD<br />
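The "Layer 2 SGT Frame Format" slide and this one describe the same frame from two sides, and a short header walk ties them together. As an added example (not <strong>Cisco</strong>'s dissector), the Python below reads the SecTAG fields (the TCI/AN bits, SL, PN and the optional SCI), then the 802.1Q tag, then the CMD carrying the SGT, and totals the overhead, which comes to the ~40 bytes the SGT slide quotes (16-byte SecTAG with SCI + 16-byte ICV + 8-byte CMD). The CMD EtherType 0x8909 and the SGT option type 0x0001 are assumed, since neither value is on the slides; the builder's ICV and ciphertext are placeholders rather than AES-GCM output; and a frame whose E bit is set is reported as opaque, because the 802.1Q tag and the CMD sit inside the encrypted region and cannot be read without the SAK.<br />

```python
"""Walk an SGA frame: 802.1AE SecTAG, 802.1Q, Cisco Meta Data (SGT), ICV.
Added example; layouts follow the two frame-format slides. EtherType 0x8909
and SGT option type 0x0001 for CMD are assumed (not on the slides)."""
import struct

ETH_MACSEC = 0x88E5   # 802.1AE SecTAG EtherType (on the slide)
ETH_8021Q = 0x8100
ETH_CMD = 0x8909      # Cisco Meta Data EtherType (assumed)
ETH_IPV4 = 0x0800
CMD_OPT_SGT = 0x0001  # SGT option type inside CMD (assumed)
ICV_LEN = 16          # AES-GCM-128 integrity check value


def parse_sectag(frame, off):
    """SecTAG after its EtherType: TCI/AN (1), SL (1), PN (4), SCI (8, if SC set)."""
    tci_an, sl = frame[off], frame[off + 1]
    pn = struct.unpack("!I", frame[off + 2:off + 6])[0]
    tag = {"V": tci_an >> 7 & 1, "ES": tci_an >> 6 & 1, "SC": tci_an >> 5 & 1,
           "SCB": tci_an >> 4 & 1, "E": tci_an >> 3 & 1, "C": tci_an >> 2 & 1,
           "AN": tci_an & 0x03, "SL": sl, "PN": pn, "SCI": None}
    off += 6
    if tag["SC"]:
        tag["SCI"] = frame[off:off + 8].hex()
        off += 8
    tag["tag_len"] = 2 + 6 + (8 if tag["SC"] else 0)  # EtherType included
    return tag, off


def parse_frame(frame):
    """Addresses, SecTAG, VLAN, SGT, inner EtherType, payload and the byte
    overhead the 802.1AE and TrustSec headers add to the L2 frame."""
    info = {"dmac": frame[0:6].hex(":"), "smac": frame[6:12].hex(":"),
            "macsec": None, "vlan": None, "sgt": None, "ethertype": None,
            "overhead": 0, "payload": b""}
    off, end = 12, len(frame)
    et = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if et == ETH_MACSEC:
        tag, off = parse_sectag(frame, off)
        info["macsec"] = tag
        end -= ICV_LEN                        # ICV sits between payload and CRC
        info["overhead"] += tag["tag_len"] + ICV_LEN
        if tag["E"]:                          # confidentiality on: 802.1Q, CMD and
            info["payload"] = frame[off:end]  # payload are ciphertext without the SAK
            return info
        et = struct.unpack("!H", frame[off:off + 2])[0]
        off += 2
    if et == ETH_8021Q:
        info["vlan"] = struct.unpack("!H", frame[off:off + 2])[0] & 0x0FFF
        et = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if et == ETH_CMD:
        version, length = frame[off], frame[off + 1]
        opt_type, sgt = struct.unpack("!HH", frame[off + 2:off + 6])
        info["cmd"] = {"version": version, "length": length}
        if opt_type == CMD_OPT_SGT:
            info["sgt"] = sgt
        info["overhead"] += 8                 # 2-byte EtherType + 6-byte CMD
        et = struct.unpack("!H", frame[off + 6:off + 8])[0]
        off += 8
    info["ethertype"] = et
    info["payload"] = frame[off:end]
    return info


def build_frame(dmac, smac, payload, vlan=None, sgt=None, macsec=False, encrypted=False, pn=1):
    """Constructed test frame. With macsec=True an integrity-only or an
    'encrypted' SecTAG is added. The ICV is a zero placeholder and the
    ciphertext a stand-in XOR, so only the header walk is meaningful."""
    inner = b""
    if vlan is not None:
        inner += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    if sgt is not None:
        inner += struct.pack("!HBBHH", ETH_CMD, 1, 1, CMD_OPT_SGT, sgt)
    inner += struct.pack("!H", ETH_IPV4) + payload
    if not macsec:
        return dmac + smac + inner
    tci_an = 0x20 | (0x0C if encrypted else 0x00)  # SC=1; E and C set when encrypted; AN=0
    sci = smac + b"\x00\x01"                        # SCI = source MAC + port identifier
    sectag = struct.pack("!HBBI", ETH_MACSEC, tci_an, 0, pn) + sci  # SL=0: 48+ bytes of user data
    body = bytes(b ^ 0xAA for b in inner) if encrypted else inner
    return dmac + smac + sectag + body + bytes(ICV_LEN)
```

Two things the walk makes concrete: the SGT is only readable in the clear on a hop that has decrypted the frame, so SGACL enforcement and packet inspection happen inside the device, as the "bump-in-the-wire" slide says; and the PN field is what gives the receiver replay protection, so a parser used for monitoring should track it per SCI and AN rather than discard it.<br />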
<strong>Network</strong> Device Admission Control<br />
TrustSec is based on “Trust”<br />
Any member of the TrustSec domain needs to establish a trust relationship with its peer, otherwise it is not trusted<br />
Only SGT from a trusted member can be "trusted" and processed by its peer<br />
SGT from a distrusted device is tagged as "Unknown", a special SGT (value is zero)<br />
<strong>The</strong> process of authenticating an endpoint is called "Endpoint Admission Control" (e.g. SGT tagging via <strong>802.1X</strong>)<br />
<strong>The</strong> process of authenticating a network device is called "<strong>Network</strong> Device Admission Control" or NDAC in short<br />
<strong>Network</strong> Device Admission Control<br />
NDAC<br />
Customer Benefits<br />
<strong>Network</strong> Device Admission Control (NDAC) provides<br />
strong mutual authentication (EAP-FAST) to form<br />
trusted domain<br />
Only SGT from trusted peer is honored<br />
Authentication leads to Security Association Protocol<br />
(SAP) to negotiate keys and cipher suite for encryption<br />
automatically (mechanism defined in 802.11i)<br />
Trusted device acquires trust and policies from ISE server<br />
<strong>802.1X</strong>-2010 will ultimately replace SAP<br />
Mitigate rogue network devices, establish trusted network<br />
fabric to ensure SGT integrity and its privilege<br />
Automatic key and cipher suite negotiation for strong 802.1AE<br />
based encryption<br />
SGT Assignment for <strong>802.1X</strong><br />
Demo Time<br />
Phase 0: Pre-Deployment<br />
Introduction to ACME Corp.<br />
Fictional company, a publishing house.<br />
Employees, freelancers and guests are using the corporate network infrastructure.<br />
<strong>The</strong> same infrastructure is used for other devices as well.<br />
"One network to support them all."<br />
No access control in place as of today; everybody with physical access can connect.<br />
<strong>The</strong> CIO decided to limit access. Only known devices must be allowed on the network.<br />
ACME's Business Environment<br />
GLOBAL WORK FORCE: Employees, Contractors, Phones, Printers<br />
SENSITIVE RESOURCES: <strong>Network</strong>, Devices & Applications<br />
MULTIPLE ACCESS METHODS: From different devices, location & time. ALL NEED CONTROLLING<br />
Sergei Balazov, Contractor, IT, Wireline, 10am<br />
Vicky Sanchez, Employee, Marketing, Wireline, 3pm<br />
Susan Kowalski, Employee, CEO, Remote Access, 10pm<br />
Rossi Barks, Employee, HR, Wireline, 11am<br />
Bill Graves, Employee, R&D, Wireless, 2pm<br />
Frank Lee, Guest, Wireless, 9am<br />
Francois Didier, Consultant, HQ - Strategy, Remote Access, 6pm<br />
Security Camera G/W, Agentless asset, MAC: F5 AB 8B 65 00 D4<br />
Laptop, Managed asset, Main Laboratory, 11am<br />
IP Phone G/W, Managed asset, 12:00pm<br />
Printer, Agentless asset, Finance dept., MAC: B2 CF 81 A4 02 D7<br />
ACME's Goals<br />
<strong>The</strong> Mission:<br />
Prevent Anonymous / Unauthorized Access<br />
Increase <strong>Network</strong> Visibility<br />
Increase <strong>Network</strong> Security<br />
Solution deployment should be transparent to end users<br />
Employee end-user behavior should not change.<br />
Legacy devices must not be locked out.<br />
Best authentication method based on device capabilities should be chosen.<br />
ACME's Data Center environment<br />
ACME are also planning to consolidate applications and<br />
servers in two new Data Centers:<br />
To centralize sensitive data and applications<br />
Reduce operational cost and improve performance<br />
Deliver new services including Virtual Desktop Infrastructure<br />
Data Center teams plan to use <strong>Cisco</strong> Nexus infrastructure for<br />
virtualization performance reasons<br />
ACME's Environment: Devices<br />
PC devices are primarily running in a Microsoft<br />
Windows environment.<br />
IP Telephony is <strong>Cisco</strong>, 50% are <strong>802.1X</strong> ready<br />
and support EAP-TLS / certificate based<br />
authentication. No Certs deployed so far (MICs<br />
only).<br />
Printers are not <strong>802.1X</strong>-capable; they must be<br />
discovered and authenticated via their MAC<br />
address.<br />
All sorts of other (legacy) devices from<br />
freelancers (Macs, Linux machines, …) and<br />
generic devices (e.g. building control).<br />
ACME's Environment: <strong>Network</strong><br />
ACME recently did a refresh on their access<br />
network.<br />
Devices are up-to-date and are running latest<br />
available code.<br />
Devices are configured according to L2 best<br />
practice (DHCP snooping, DAI, VLAN != VVLAN !=<br />
Management VLAN).<br />
For conference rooms, only corporate owned and<br />
authorized devices may be cascaded to provide<br />
additional ports (Extended Edge concept).<br />
ACME's Environment: Back-End<br />
Windows 2008 Active Directory<br />
Environment managed via AD Group Policy Objects<br />
(GPOs)<br />
GPOs enabled centralized management & distribution of<br />
policy for users, computers and other objects in the<br />
directory.<br />
Certificate Infrastructure is in place, Microsoft<br />
CA running on AD.<br />
ISE 1.0 will be used to provide AAA services.<br />
ACME's Environment: Credentials<br />
Corporate machines are registered<br />
with the Windows domain<br />
Computers & Users log in with Name<br />
and Password to the domain<br />
Additional authentication is enforced<br />
at the application layer<br />
No authentication at all for all other<br />
devices<br />
ACME's Environment: Data Center plans<br />
Current DC access controls use ACLs in routers and<br />
firewalls extensively<br />
ACME would like to reduce the SecOps effort in managing<br />
ACLs – as server adds, moves and changes are frequent<br />
ACME are planning to use Cat 6500 w/ SUP 2T switches in<br />
new Data Center core and distribution roles.<br />
Centralized VDI is intended for use by certain types of user<br />
– ACME intend to use VMware hypervisors and Connection<br />
Brokers<br />
Considerations<br />
What Authentication Method(s)<br />
should be used?<br />
Which Operating Systems are to<br />
be supported?<br />
Where are Credentials stored?<br />
One Store vs. Many Stores<br />
How to Build and Manage a MAC<br />
Database?<br />
What authorization methods<br />
scale to meet ultimate goals?<br />
How do we discover what is out<br />
on our network?<br />
Considerations: Authentication Method<br />
Method | What's required? | Pros | Cons<br />
<strong>802.1X</strong> | Supplicant, Credentials | Highest Security | Supplicant may not be available on every platform<br />
MAB | MAC address database | Works for all devices | Weak, can be easily snooped, DB needs to be created and maintained<br />
Web-Auth | Portal (on switches or on a guest server) | No supplicant needed, every device w/ browser can be used | Relies on initial connectivity, VLAN / IP address change after authentication is problematic<br />
Further Considerations for <strong>802.1X</strong><br />
Authentication: EAP Methods<br />
Method | What's required? | Pros | Cons<br />
EAP-MD5 | Password stored at each device | Most devices with <strong>802.1X</strong> support do at least EAP-MD5 | Difficult to maintain (password changes)<br />
EAP-TLS | Certificate distribution | Most secure method | Certificate cost, distribution, renewal<br />
PEAP (chosen by ACME for operational efficiency) | Username / Password from Windows | Readily available in Windows environments | Usually inner method is username / pw (MS-CHAPv2)<br />
Considerations: Operating Systems<br />
OS (corporate asset) | Supplicant | Methods supported | Remark<br />
Windows XP and newer | Built-in or 3rd party | MD5, TLS, PEAP | No MD5 w/ Vista and newer<br />
Older Windows | No support | MAB or WebAuth | <br />
Apple Mac OS X | Built-in | TTLS, TLS, FAST, PEAP, LEAP, MD5 | <br />
<strong>802.1X</strong>-capable <strong>Cisco</strong> phones | Built-in | MD5, FAST, TLS | TLS for this one only<br />
Other devices | various | various | various<br />
OS (noncorporate asset) | Supplicant | Methods supported | Remark<br />
All | n/a | MAB or WebAuth | Guest Access<br />
Considerations: MAC Databases<br />
What to use? OUI or individual MAC address<br />
Where to store? RADIUS server, Active Directory, LDAP<br />
How to maintain? Manually or (semi) automatic<br />
(Figure: the choices laid out for PCs vs. Non-PCs such as UPS, Phone, Printer, AP; ACME's choice is marked in the figure)<br />
ACME's Starting Point<br />
CREDENTIAL STORE<br />
EAP-TYPE<br />
UNMANAGED DEVICES<br />
DATA CENTER<br />
ACME Summary & Goal<br />
Enforce admission control to<br />
wired network<br />
Use central identity store, Active<br />
Directory<br />
Provide consistent access<br />
solution for all devices<br />
Provide consistent classification<br />
for authorization across campus<br />
and Data Center<br />
Device Discovery & Classification<br />
(Endpoint Profiling)<br />
Considerations for Profiling Endpoints<br />
Passive assessment or active polling/scanning?<br />
What is performing the data collection and what can be collected?<br />
Dedicated collection devices or existing infrastructure? Must traffic pass inline?<br />
SNMP data? DHCP? RADIUS? Packet capture for deeper analysis?<br />
Which attributes constitute device type X?<br />
Is MAC OUI alone good enough? What about DHCP data, location, connection<br />
protocols, or network traffic?<br />
How do I weight certain attributes and combine multiple matching attributes?<br />
Does it meet my security requirements?<br />
Considerations for Profiling Endpoints<br />
Can I collect the needed attributes to make a decision?<br />
Will additional collection devices need to be deployed?<br />
Do I need to adjust my policy? (balancing cost with risk)<br />
What is the network or endpoint load impact?<br />
How is my profile for Device X created, maintained, updated?<br />
How does system respond to changing or conflicting profiles?<br />
"Chicken and egg" phenomenon for policy based on profile<br />
ISE Profiling Services<br />
Integrated into existing policy server appliances—dedicated or on<br />
same appliances<br />
Data Sources<br />
RADIUS SNMP Queries/Traps HTTP Span<br />
Netflow v5/v9 DHCP Span/Helper/Proxy DNS Lookup<br />
Distributed collection and central aggregation and correlation<br />
Pre-built profile library<br />
Option to create custom conditions and profiles<br />
Hierarchical policy definition (by unique dev type or parent type);<br />
Examples:<br />
<strong>Cisco</strong> 7960 phone > Any <strong>Cisco</strong> IP Phone > Any IP Phone<br />
iPad > i-Devices (iPhone, iPod, iPad) > Any mobile device<br />
ISE Profile Library<br />
Device Attributes<br />
More attributes<br />
And more attributes<br />
Still more attributes!<br />
Phase 1: Monitor Mode<br />
<strong>802.1X</strong> Authentication Default Behavior<br />
[Figure: Supplicant, Authenticator, Authentication Server; Layer 2 Point-to-Point link between Supplicant and Authenticator, Layer 3 Link between Authenticator and Authentication Server]<br />
1. Port Unauthorized: no DHCP / DNS / other traffic is forwarded<br />
2. EAPoL Start (Supplicant -> Authenticator), EAP ID-Request (Authenticator -> Supplicant)<br />
3. EAP ID-Response (Supplicant -> Authenticator), relayed as RADIUS Access-Request to the Authentication Server<br />
4. EAP Transaction, then Authorization<br />
5. Port Authorized: MAC Address Learned in FWDing state, DHCP / DNS / other traffic flows<br />
After port is authorized, endpoint MAC address is learned and endpoint can communicate to network<br />
What is Monitor Mode<br />
Monitor Mode: One of the deployment modes to enable Access Control without ANY ENFORCEMENT<br />
[Figure: the same Supplicant / Authenticator / Authentication Server exchange (EAPoL Start, EAP ID-Request, EAP ID-Response -> RADIUS Access-Request, EAP Transaction, Authorization), but the MAC Address is Learned in FWDing state and DHCP / DNS / other traffic flows while the Port is Unauthorized as well as after the Port is Authorized]<br />
"Authentication Open" allows the MAC address to be learned and placed into forwarding state as soon as the endpoint is connected to the link.<br />
Why <strong>Cisco</strong> Invented Monitor Mode<br />
@ ACME, BEFORE Monitor Mode is available …<br />
ACME IT Mgr.: "I've done my homework in Proof of Concept Lab and it looks good. I'm turning on <strong>802.1X</strong> tomorrow…"<br />
Enabled <strong>802.1X</strong><br />
Help Desk calls increased by 40%<br />
"I can't connect to my network. It says Authentication failed but I don't know how to fix. My presentation is in 2 hours…"<br />
How Monitor Mode Helps<br />
@ ACME, AFTER Monitor Mode is available …<br />
ACME IT Mgr.: "Thanks to Monitor Mode, I can turn on my <strong>802.1X</strong> without interrupting any user traffic"<br />
Benefit:<br />
It monitors the network, shows who's on, and lets you address future connectivity problems by installing supplicants and credentials and creating the MAB database<br />
ACME authentications can be monitored<br />
View Trends of Passed (should be high)<br />
View Trends of Failures (should be low)<br />
View Trends of Unknown MAC Addresses (should start high and lower as MAC Addresses are added to the database)<br />
Enabling Monitor Mode – RADIUS Server<br />
Configure PKI and Identity Servers<br />
Create <strong>802.1X</strong> & MAB Policies<br />
- Every user in AD is permitted<br />
- Separate Rules can be used for reporting<br />
Enabling Monitor Mode – Managed Assets<br />
Roll out Root CA Cert to Managed Assets via GPO<br />
Activate PEAP configuration for User authentication via GPO<br />
Activate Wired Auth Service on Windows machines via GPO<br />
All managed assets should be provisioned before the switches are configured for access control<br />
Phased Rollout<br />
Device discovery and classification<br />
Deploy supplicant configuration components first<br />
Configure RADIUS server second<br />
Deploy switches third<br />
Possibly start with one floor at a time<br />
Validate via case load that monitor mode is working as expected<br />
After successful floor rollouts, expand to multiple floors or a building at a time<br />
Monitor Mode – Monitoring and Reporting<br />
Monitor the network, see who's on, and address future connectivity problems by installing supplicants and credentials and creating the MAB database<br />
RADIUS accounting logs provide visibility:<br />
• Passed/Failed <strong>802.1X</strong>/EAP attempts<br />
• List of valid dot1x-capable endpoints<br />
• List of non-dot1x-capable endpoints<br />
• Passed/Failed MAB attempts<br />
• List of Valid MACs<br />
• List of Invalid or unknown MACs<br />
TO DO Before implementing access control:<br />
• Confirm that all these should be on the network<br />
• Install supplicants on X, Y, Z clients<br />
• Upgrade credentials on failed <strong>802.1X</strong> clients<br />
• Update MAC database with failed MABs<br />
…<br />
ISE Reports Authentications Details<br />
Active Monitoring<br />
<strong>Network</strong> Visibility is not just about passed/failed authentications<br />
<strong>The</strong> RADIUS server can have a session directory provided by RADIUS accounting.<br />
This provides ACME with a view of all active sessions as sessions enter and leave the network<br />
This information can be used along with other security information for better incident response<br />
<strong>802.1X</strong> with RADIUS Accounting<br />
[Figure: PC (Supplicant, <strong>802.1X</strong> Process), Switch, ACS (RADIUS Process)]<br />
1. Authenticate<br />
2. Access-Accept (ACS -> Switch), EAPOL-Success (Switch -> PC)<br />
3. Accounting Request (Switch -> ACS)<br />
4. Accounting Response (ACS -> Switch)<br />
<strong>802.1X</strong> with RADIUS Accounting<br />
Similar to other accounting and tracking mechanisms that already exist using RADIUS<br />
Can now be done through <strong>802.1X</strong><br />
Increases network session awareness<br />
Provides information to a management infrastructure about who logs in and session duration, supports basic billing usage reporting, etc.<br />
Provides a means to map the information of authenticated sessions:<br />
Identity, Port, MAC, Switch combined with IP, Port, MAC, Switch = Identity to IP<br />
Switch + Port = Location<br />
IOS<br />
aaa accounting dot1x default start-stop group radius<br />
Simple Homegrown Tools<br />
Switches log all passed/failed sessions via syslog<br />
RADIUS servers typically log all information in plain text<br />
Relatively easy to run scripts against this information to create monitoring views<br />
Scripts can create a database of MAC addresses seen on the network<br />
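The trend views (passed, failed, unknown MACs), the monitor-phase TO DO list and the homegrown-tools idea above fit in one small script. The Python below is an added example, not code from the deck or from Cisco. The syslog lines are constructed samples modelled on the %DOT1X-5-SUCCESS/FAIL and %MAB-5-SUCCESS/FAIL message family; their exact field layout is an assumption, so the regular expression must be adjusted to the real switch or RADIUS log format before use.<br />

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real switch); the layout
# of timestamp, hostname, sequence number and message is an assumption.
SAMPLE_SYSLOG = """\
Jun 28 09:00:01 sw-floor3-1 123: %DOT1X-5-SUCCESS: Authentication successful for client (0050.56bc.14ae) on Interface Gi1/13
Jun 28 09:00:05 sw-floor3-1 124: %MAB-5-SUCCESS: Authentication successful for client (001b.2100.aa01) on Interface Gi1/14
Jun 28 09:00:09 sw-floor3-1 125: %DOT1X-5-FAIL: Authentication failed for client (0050.56bc.14af) on Interface Gi1/15
Jun 28 09:00:12 sw-floor3-1 126: %MAB-5-FAIL: Authentication failed for client (0050.56bc.14af) on Interface Gi1/15
Jun 28 09:00:20 sw-floor3-2 301: %MAB-5-FAIL: Authentication failed for client (f0de.f1aa.0001) on Interface Gi2/1
Jun 28 09:01:00 sw-floor3-1 127: %DOT1X-5-SUCCESS: Authentication successful for client (0050.56bc.14ae) on Interface Gi1/13
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<switch>\S+)\s\d+:\s"
    r"%(?P<method>DOT1X|MAB)-5-(?P<result>SUCCESS|FAIL):.*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+)"
)


def parse_events(text):
    """Extract (timestamp, switch, method, result, mac, port) from each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Trend counters for the monitor-mode dashboard: passed should be high, failed low."""
    counts = Counter((e["method"], e["result"]) for e in events)
    return {
        "dot1x_passed": counts[("DOT1X", "SUCCESS")],
        "dot1x_failed": counts[("DOT1X", "FAIL")],
        "mab_passed": counts[("MAB", "SUCCESS")],
        "mab_failed": counts[("MAB", "FAIL")],
    }


def build_mac_db(events):
    """Database of MAC addresses seen on the network, with the last result per method."""
    db = {}
    for e in events:
        rec = db.setdefault(e["mac"], {"methods": {}})
        rec["methods"][e["method"]] = e["result"]
        rec["switch"], rec["port"], rec["last_seen"] = e["switch"], e["port"], e["ts"]
    return db


def todo_list(db):
    """Work items before enforcement is turned on, derived from what was observed."""
    todo = {"dot1x_capable": [], "non_dot1x": [], "fix_credentials": [], "unknown_macs": []}
    for mac, rec in sorted(db.items()):
        methods = rec["methods"]
        if "DOT1X" in methods:                      # endpoint spoke EAP at least once
            todo["dot1x_capable"].append(mac)
            if methods["DOT1X"] == "FAIL":          # supplicant present, credentials wrong
                todo["fix_credentials"].append(mac)
        else:                                       # never spoke EAP: MAB candidate
            todo["non_dot1x"].append(mac)
        if methods.get("MAB") == "FAIL":            # not in the MAB database yet
            todo["unknown_macs"].append(mac)
    return todo


if __name__ == "__main__":
    events = parse_events(SAMPLE_SYSLOG)
    print(summarize(events))
    print(todo_list(build_mac_db(events)))
```

Each MAC that failed MAB becomes a review item (add it to the MAB database or confirm it should not be on the network), and each MAC that failed 802.1X but clearly has a supplicant points at a credential or certificate problem rather than a missing supplicant.<br />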
Monitoring With ISE<br />
Tip: Interactive Viewer Is Your Friend<br />
Launch It, <strong>The</strong>n Right Click Inside the Report for Customization Options<br />
Detailed Reports Are Lifesavers<br />
ISE Details Report<br />
Monitor Mode: <strong>Network</strong> Access Table<br />
Endpoints | Authentication / Status | Authorization | Implementation<br />
All (including PXE) | Pre-Auth | Enterprise Access | Open authentication<br />
Employees | <strong>802.1X</strong> Success | Enterprise Access | Open authentication<br />
Corporate Asset | MAB Success | Enterprise Access | Open authentication<br />
Phones | <strong>802.1X</strong> or MAB Success | Voice Access | Open authentication<br />
Employees | <strong>802.1X</strong> Fail -> MAB | Enterprise Access | Open authentication<br />
Sponsored Guest | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication<br />
All | None (AAA server down) | Enterprise Access | Open authentication<br />
DEMO Time<br />
Open Mode & Multi-Auth<br />
Switch Configuration: Open Access + Multi-Auth<br />
interface GigabitEthernet1/13<br />
description Dot1x Demo with Open Access<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
authentication host-mode multi-auth<br />
authentication open<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
spanning-tree portfast<br />
Security Group Access with Monitor Mode<br />
ACME Summary & Goal Update<br />
Enforce admission control to wired network<br />
Use central identity store, Active Directory<br />
Provide coherent access solution for all devices<br />
Provide coherent classification for authorization across campus and Data Center<br />
ACME decides to enable filtering for single user and user group for visibility<br />
Only HR users should be able to access HR resources – Privacy/Regulatory Compliance<br />
SGA and Monitor Mode Interop<br />
Understanding Ingress & Egress Enforcement<br />
[Figure: Users, Endpoints -> Catalyst® Switches (3K/4K/6K) in Monitor Mode -> Campus <strong>Network</strong> -> Cat 6500 w/ SUP 2T at the edge of the TrustSec Domain; ISE 1.0 is the policy server]<br />
Ingress Enforcement (at the access switch): VLAN Assignment, Downloadable ACL<br />
Egress Enforcement (at the Cat 6500 w/ SUP 2T): Security Group ACL<br />
Monitor Mode is enabled on the "ingress enforcement point"<br />
Monitor Mode can co-exist with SGA by<br />
1. Permitting traffic with SGACL at egress enforcement point<br />
2. Controlling traffic with SGACL at egress enforcement point<br />
Non-SGACL Capable Platform Support with SXP<br />
SGT native tagging requires hardware (ASIC) support<br />
Devices without SGACL-capable hardware can still receive SGT attributes from ACS for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec SGACL-capable device for tagging & enforcement<br />
SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and incapable devices<br />
Currently the Catalyst 6500, 4500/4900, 3750, 3560 and Nexus 7000 switch platforms support SXP<br />
SXP accelerates deployment of SGACL without an extensive hardware upgrade for SGA<br />
SGT Assignment - Campus<br />
How the SGT is assigned to role dynamically<br />
[Figure: HR Admin endpoint (10.1.10.100/24, MAC:0050.56BC.14AE) connected to a Cat6503; ISE 1.0 as RADIUS server; SXP from the Cat6503 to an NX7010 that performs tagging]<br />
1. <strong>802.1X</strong> User Authentication: Auth OK! RADIUS Access-Accept with VSA HR-User: SGT (10/000A). Port Open!<br />
2. The Cat6503 records the binding: MAC Address | Port | SGT = 0050.56BC.14AE | Fa2/12 | 10/000A<br />
3. DHCP Request / Response; DHCP Snooping / ARP Snooping adds the IP: MAC Address | Port | SGT | IP Address = 0050.56BC.14AE | Fa2/1 | 10/000A | 10.1.10.100<br />
4. SXP Binding Table sent to the NX7010: 10.1.10.100 -> SGT (10/000A)<br />
5. Tagging on the NX7010: packets are tagged with SGT based on source IP Address (SRC: 10.1.10.100 -> SGT (10/000A))<br />
IP-SGT Binding Exchange with SXP<br />
[Figure: ACME User and HR User behind a Non TrustSec capable device; SXP from that device to a TrustSec capable device in front of the Data Center with HR Server (111), ACME Server (222) and ACME Server Directory Service (333); ISE 1.0 as policy server; figure labels 8 and 30 on the user side; traffic is Untagged before the TrustSec capable device and CMD Tagged after it]<br />
1. TCP-based SXP is established between Non-TrustSec capable and TrustSec-Capable devices<br />
2. User is assigned to SGT<br />
3. Switch binds endpoint IP address and assigned SGT (Switch builds binding table)<br />
4. Switch uses SXP to send binding table to TrustSec capable device<br />
5. TrustSec capable device tags packet based on source IP address when packet appears on forwarding table. Once SGT is tagged, then SGACL can be applied<br />
SXP IP-SGT Binding Table<br />
IP Address | SGT | Interface<br />
10.1.10.1 | 8 | Gig 2/10 (User A)<br />
10.1.10.4 | 10 | Gig 2/11 (User C)<br />
SGA and Monitor Mode Interop<br />
Open Mode and Multi-Auth at the access layer with Monitor and Reporting<br />
TrustSec can integrate easily by assigning an SGT to a session while keeping permit any any in the permission matrix for all allowed flows.<br />
Default for "unknown" SGTs is permit any any<br />
Does not have an impact on access layer functions (PXE, WoL, etc.)<br />
Final phase after full Identity Solution deployment is to turn on default security for TrustSec in the Data Center.<br />
SGA with Monitor Mode Use Case 1<br />
Zero Enforcement<br />
[Figure: Users, Endpoints -> Catalyst® Switches (3K/4K/6K) in Monitor Mode -> Campus <strong>Network</strong> -> Cat 6500 w/ SUP 2T (Egress Enforcement, Security Group ACL) -> HR Server (111) and ACME Server (222); ISE 1.0 returns AUTH=OK, SGT=8]<br />
Monitor Mode configuration on the access switch:<br />
authentication port-control auto<br />
authentication open<br />
dot1x pae authenticator<br />
1. User connects to network<br />
2. Monitor mode allows traffic from endpoint before authentication<br />
3. Authentication is performed and results are logged by ACS<br />
4. Traffic traverses to Data Center and hits SGACL at egress enforcement point<br />
5. All traffic is permitted with SGACL. No impact to the user traffic<br />
SRC \ DST | HR Server (111) | ACME Server (222)<br />
ACME-User (8) | Permit all | Permit all<br />
HR-User (10) | Permit all | Permit all<br />
Unknown (0) | Permit all | Permit all<br />
Default Authorization for Egress Policy<br />
When no policy is assigned in the Egress Policy Matrix, ACS assigns the policy defined in "Default Policy"<br />
By default the policy permits all traffic<br />
A blank cell means no specific policy is assigned<br />
Default Authorization for Egress Policy<br />
When no policy is assigned in the Egress Policy Matrix, ISE assigns the policy defined in "Default Policy"<br />
By default the policy permits all traffic<br />
Defined Authorization for Egress Policy<br />
When no policy is assigned in the Egress Policy Matrix, ISE assigns the policy defined in "Default Policy"<br />
Unauthorized User Handling<br />
A successfully authenticated user is authorized with a valid SGT value<br />
Jim | HR User | SGT 10 (HR-User)<br />
John | IT Admin Group | SGT 8 (ACME User)<br />
Open Mode allows traffic from someone who does not authenticate<br />
Steve | Visitor??? | SGT 0 (unknown)<br />
When using Open mode, make sure to minimize the impact of source SGT unknown (0), a special SGT value reserved in the system<br />
Handling Unknown SGT<br />
Unknown SGT is assigned when<br />
1. Policy results in unknown SGT<br />
2. The SGACL-capable device is unable to look up the source IP address in its master IP-to-SGT binding table<br />
Common use cases where Unknown SGT is assigned<br />
Endpoint authentication fails and the endpoint is assigned to the default SGT (Unknown)<br />
Endpoint authorized to a locally significant VLAN (Failed-Auth-VLAN, Guest VLAN, or Critical VLAN)<br />
When the SXP connection is down and the listener receives a packet from an unknown source IP Address<br />
When there is no static IP-to-SGT binding associated with the traffic received<br />
When the access device does not support SXP<br />
What does “Unknown” mean?<br />
Even when the source SGT is Unknown, there is a policy associated with it<br />
Example: IT Admin to IT Server Policy; Unknown User policy for HR Server<br />
SGA with Monitor Mode Use Case 2<br />
SGACL Enforcement<br />
[Figure: Users, Endpoints -> Catalyst® Switches (3K/4K/6K) in Monitor Mode -> Campus <strong>Network</strong> -> Cat 6500 w/ SUP 2T (Egress Enforcement, Security Group ACL) -> HR Server (111) and ACME Server (222); ISE 1.0 returns AUTH=OK, SGT=10]<br />
Monitor Mode configuration on the access switch:<br />
authentication port-control auto<br />
authentication open<br />
dot1x pae authenticator<br />
1. User connects to network<br />
2. Monitor mode allows traffic from endpoint before authentication<br />
3. Authentication is performed and results are logged by ACS<br />
4. Traffic traverses to Data Center and hits SGACL at egress enforcement point<br />
5. Only permitted traffic path (source SGT to destination SGT) is allowed<br />
SRC \ DST | HR Server (111) | ACME Server (222)<br />
ACME User (8) | Deny all | Permit all<br />
HR User (10) | Permit all | Permit all<br />
Unknown (0) | Deny all | Deny all<br />
SGA with Monitor Mode Use Case 2<br />
With SGACL Enforcement<br />
How it works<br />
1. All traffic from all end users is allowed with Monitor Mode<br />
2. Authentication is still performed and results are logged by ACS<br />
3. Traffic traverses to Data Center and hits SGACL at egress enforcement point<br />
4. Traffic is allowed to destination servers ONLY WHEN SGACL permits the service<br />
When to use<br />
Best to use when an end-to-end SGA environment is available (without an enforcement point, we can't enforce traffic!)<br />
Best method to control traffic path without any impact to user traffic at ingress level<br />
More scalable than Low Impact Mode as it does not require any ACL occupying TCAM space<br />
Known Limitation / Concern<br />
Unauthenticated traffic may traverse your network (but is treated as Unknown traffic, SGT 0)<br />
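The two use cases above, the "Default Policy" behaviour for blank matrix cells, and the ways an endpoint ends up with the Unknown SGT (no binding, SXP down) can be checked against a small model of the egress enforcement point. The Python below is an added example, not code from the deck or from Cisco; the SGT values, IP addresses and binding table follow the ACME figures, and the rule that SXP-learned bindings are unusable while the SXP connection is down is a modelling assumption used to reproduce the "SXP connection is down" case.<br />

```python
from dataclasses import dataclass, field

UNKNOWN_SGT = 0  # reserved "Unknown" value: assigned when the source IP has no binding

# SGT numbers and names from the ACME example (constructed to match the deck).
SGT_NAME = {0: "Unknown", 8: "ACME-User", 10: "HR-User", 111: "HR-Server", 222: "ACME-Server"}


@dataclass
class BindingTable:
    """Master IP-to-SGT binding table of the SGACL-capable device.

    Modelling assumption: bindings learned over SXP are only usable while the SXP
    connection is up; statically configured bindings survive an SXP outage.
    """
    sxp_learned: dict = field(default_factory=dict)  # ip -> sgt, learned via SXP
    static: dict = field(default_factory=dict)       # ip -> sgt, configured locally
    sxp_up: bool = True

    def lookup(self, src_ip):
        if src_ip in self.static:
            return self.static[src_ip]
        if self.sxp_up and src_ip in self.sxp_learned:
            return self.sxp_learned[src_ip]
        return UNKNOWN_SGT  # lookup miss: traffic is treated as SGT 0


@dataclass
class EgressPolicy:
    """Egress policy matrix: (src_sgt, dst_sgt) -> 'permit' | 'deny'.
    Blank cells fall back to the Default Policy, which permits all traffic out of the box."""
    cells: dict
    default: str = "permit"

    def decide(self, src_sgt, dst_sgt):
        return self.cells.get((src_sgt, dst_sgt), self.default)


def enforce(src_ip, dst_sgt, table, policy):
    """Classify the source by its binding, then apply the matrix cell for (src, dst)."""
    src_sgt = table.lookup(src_ip)
    return SGT_NAME.get(src_sgt, str(src_sgt)), policy.decide(src_sgt, dst_sgt)


# Use case 1: every cell left blank, so the permit-all Default Policy applies everywhere.
ZERO_ENFORCEMENT = EgressPolicy(cells={})

# Use case 2: the matrix from the deck; Unknown (0) is explicitly denied to both servers.
SGACL_ENFORCEMENT = EgressPolicy(cells={
    (8, 111): "deny", (8, 222): "permit",
    (10, 111): "permit", (10, 222): "permit",
    (0, 111): "deny", (0, 222): "deny",
})


def campus_table(sxp_up=True):
    """The SXP IP-SGT binding table from the figure: User A is ACME-User, User C is HR-User."""
    return BindingTable(sxp_learned={"10.1.10.1": 8, "10.1.10.4": 10}, sxp_up=sxp_up)


def scenario(policy, sxp_up=True):
    """Decisions for the HR user, the ACME user and an unauthenticated open-mode host
    (10.1.10.77, no binding at all) all sending to the HR Server (SGT 111)."""
    table = campus_table(sxp_up)
    return {ip: enforce(ip, 111, table, policy) for ip in ("10.1.10.4", "10.1.10.1", "10.1.10.77")}


if __name__ == "__main__":
    print("use case 1:", scenario(ZERO_ENFORCEMENT))
    print("use case 2:", scenario(SGACL_ENFORCEMENT))
    print("use case 2, SXP down:", scenario(SGACL_ENFORCEMENT, sxp_up=False))
```

The last scenario is the one to watch when moving from use case 1 to use case 2: once the Unknown row is set to deny, a lost SXP session turns an authenticated HR user into Unknown traffic and cuts them off at the egress point, and any cell left blank for Unknown silently inherits the permit-all Default Policy.<br />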
DEMO Time<br />
Open Mode & SGA<br />
Low Impact Mode<br />
ACME's Goals: Phase 2<br />
Maintain Visibility<br />
Control Access to Sensitive Assets<br />
Preserve <strong>Network</strong> Access for Managed Assets<br />
Special Case: PXE boot<br />
Preserve Current <strong>Network</strong> Architecture<br />
No changes to VLAN infrastructure<br />
ACME's Goals Can Be Met With Low Impact Mode<br />
Default Behavior Review<br />
[Figure: Supplicant, Authenticator, Authentication Server; Layer 2 Point-to-Point link between Supplicant and Authenticator, Layer 3 Link between Authenticator and Authentication Server]<br />
1. Port Unauthorized: no DHCP / DNS / other traffic is forwarded<br />
2. EAPoL Start (Supplicant -> Authenticator), EAP ID-Request (Authenticator -> Supplicant)<br />
3. EAP ID-Response (Supplicant -> Authenticator), relayed as RADIUS Access-Request to the Authentication Server<br />
4. EAP Transaction, then Authorization<br />
5. Port Authorized: MAC Address Learned in FWDing state, DHCP / DNS / other traffic flows<br />
After port is authorized, endpoint MAC address is learned and endpoint can communicate to network<br />
Access Control & Clientless Devices<br />
<strong>The</strong> Timing Problem With MAB<br />
• MAB depends on <strong>802.1X</strong> timeout<br />
• Many devices are time-sensitive<br />
• DHCP is especially finicky<br />
<strong>The</strong> Low Impact Solution<br />
• Provide access to time-critical services before authentication<br />
• Continue to restrict access to other services until after<br />
authentication<br />
ACME‘s Time-Critical Services<br />
• DHCP, DNS, TFTP<br />
• This is enough for PXE devices to boot before MAB completes<br />
What is Low Impact Mode<br />
Low Impact Mode: One of the deployment modes to enable Access Control by differentiating enforcement before and after authentication<br />
[Figure: the Supplicant / Authenticator / Authentication Server exchange as in Monitor Mode (EAPoL Start, EAP ID-Request, EAP ID-Response -> RADIUS Access-Request, EAP Transaction, MAC Address Learned in FWDing state); while the Port is Unauthorized the Pre-Auth ACL allows only required traffic (DHCP / DNS / other traffic), and after the Port is Authorized the Authorization carries a dACL]<br />
Allow only required traffic with Pre-Auth ACL<br />
Authorization with dACL: Downloaded ACL will replace interface ACL<br />
"Authentication Open" still allows the MAC address to be learned, and the pre-defined interface ACL only allows specific traffic (such as DHCP and DNS) before authentication<br />
Low Impact Mode Implementation<br />
Selectively Open Access<br />
Open Mode (Pinhole): on specific TCP/UDP ports, restricted to specific addresses<br />
EAP Allowed (Controlled Port)<br />
Download general-access ACL upon authentication<br />
authentication port-control auto<br />
authentication open<br />
ip access-group PRE-AUTH-ACL in<br />
dot1x pae authenticator<br />
Block General Access Until Successful <strong>802.1X</strong>, MAB or WebAuth<br />
Pinhole explicit tcp/udp ports to allow desired access<br />
dACLs Open Port After Authentication<br />
Configure downloadable ACLs (dACL) for authenticated users<br />
Switch dynamically substitutes endpoint's address<br />
PRE-AUTH-ACL<br />
permit ip host 10.100.20.200 any<br />
permit tcp any any established<br />
permit udp any any eq bootps<br />
permit udp any host 10.100.10.116 eq domain<br />
permit udp any host 10.100.10.117 eq tftp<br />
Contents of dACL are arbitrary<br />
Can have as many unique dACLs as there are user permission groups<br />
Same principles as pre-auth port ACL<br />
[Figure: dACL download from ISE 1.x. The RADIUS Access-Accept carries ACL: AUTH; the switch sends a Request for the AUTH ACL Contents; ISE answers with an Accept containing "permit ip any any"]<br />
Low Impact: <strong>Network</strong> Access Table<br />
Endpoints | Authentication / Status | Authorization | Implementation<br />
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL<br />
Employees | <strong>802.1X</strong> Success | Enterprise Access | Permit-Any dACL<br />
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL<br />
Phones | <strong>802.1X</strong> or MAB Success | Voice Access |<br />
Employees | <strong>802.1X</strong> Fail -> MAB or Web-Auth Success | Enterprise Access |<br />
Sponsored Guest | <strong>802.1X</strong> Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access |<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL<br />
All | None (AAA server down) | Limited Access | Pre-Auth ACL<br />
DEMO Time<br />
Low impact mode<br />
pre-Auth ACL<br />
dACL<br />
Switch Configuration: Open Access with dACL<br />
interface GigabitEthernet1/13<br />
description Dot1x Demo with Open Access<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
ip access-group UNAUTH in<br />
authentication event fail action next-method<br />
authentication host-mode multi-domain<br />
authentication open<br />
authentication order dot1x mab<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
dot1x timeout tx-period 10<br />
dot1x max-req 2<br />
mab<br />
spanning-tree portfast<br />
ip device-tracking<br />
ip access-list extended UNAUTH<br />
permit tcp any any established<br />
permit udp any any eq bootps<br />
permit udp any host 10.100.10.116 eq domain<br />
permit udp any host 10.100.10.117 eq tftp<br />
ISE Configuration:<br />
Modify Default Permit Access to include dACL<br />
ISE Configuration<br />
Modify Phone Policy to include dACL<br />
Switch Output: dACL with source address substitution<br />
Switch#sh access-lists<br />
Extended IP access list UNAUTH<br />
10 permit tcp any any established<br />
20 permit udp any any eq bootps<br />
30 permit udp any host 10.100.10.116 eq domain<br />
40 permit udp any host 10.100.10.117 eq tftp<br />
Extended IP access list xACSACLx-IP-PERMIT-IP-ANY-ANY-4936eb9e (per-user)<br />
10 permit ip any any<br />
Switch#sh show tcam int g1/13 acl in ip<br />
* Global Defaults not shared<br />
Entries from Bank 0<br />
…<br />
permit ip host 10.1.2.201 any<br />
permit tcp any any fragments<br />
permit udp any any fragments<br />
permit tcp any any established match-any<br />
permit udp any any eq bootps<br />
permit udp any host 10.100.10.116 eq domain<br />
permit udp any host 10.100.10.117 eq tftp<br />
deny ip any any<br />
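The TCAM output above is the whole Low Impact idea in one listing: before authentication only the UNAUTH pinholes apply, and after authentication the per-user entry "permit ip host 10.1.2.201 any" sits in front of them with the endpoint's own address substituted for the dACL's "any" source. The Python below is an added example, not code from the deck or from Cisco: a parser for the ACE subset used on this page, the source substitution, and a first-match evaluator with the implicit deny, run over constructed packets. Port-name-to-number mapping and the simplified ACE grammar are assumptions that cover only the syntax shown here.<br />

```python
# Well-known port names used in the deck's ACLs (subset, constructed for this example).
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69, "www": 80}

# The pre-auth port ACL (UNAUTH) and the dACL body ISE returns, as on the page.
PRE_AUTH_ACL = [
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]
PERMIT_ANY_DACL = ["permit ip any any"]


def _addr(toks, i):
    """Parse 'any' or 'host A.B.C.D' at position i; return (address or None, next index)."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form: {toks[i]}")


def parse_ace(line):
    """ACE grammar used on the page: action proto src dst [eq PORT] [established]."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    dst, i = _addr(toks, i)
    dport, established = None, False
    while i < len(toks):
        if toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        elif toks[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword: {toks[i]}")
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "established": established}


def substitute_source(dacl_lines, endpoint_ip):
    """Rewrite an 'any' source to 'host <endpoint_ip>', as the switch does per user."""
    out = []
    for line in dacl_lines:
        toks = line.split()
        if toks[2] == "any":
            toks[2:3] = ["host", endpoint_ip]
        out.append(" ".join(toks))
    return out


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != pkt["src"]:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if ace["established"] and not pkt.get("established", False):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First-match evaluation; anything not matched hits the implicit deny."""
    for line in acl_lines:
        if _matches(parse_ace(line), pkt):
            return parse_ace(line)["action"]
    return "deny"


def effective_port_acl(pre_auth, dacl=None, endpoint_ip=None):
    """Before authentication only the port ACL applies; after it, the substituted
    per-user entries are listed ahead of the port ACL, as in the TCAM dump."""
    if dacl is None:
        return list(pre_auth)
    return substitute_source(dacl, endpoint_ip) + list(pre_auth)


if __name__ == "__main__":
    http = {"proto": "tcp", "src": "10.1.2.201", "dst": "10.100.20.5", "dport": 80}
    print("pre-auth HTTP:", evaluate(effective_port_acl(PRE_AUTH_ACL), http))
    post = effective_port_acl(PRE_AUTH_ACL, PERMIT_ANY_DACL, "10.1.2.201")
    print("post-auth HTTP:", evaluate(post, http), post[0])
```

The last assertion in the test is the practical point of the substitution: the downloaded permit applies only to the address of the endpoint that authenticated, so a different source address appearing on the same port is still judged by the pre-auth pinholes alone.<br />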
Low Impact Mode: Flex Auth<br />
Flexible Authentication: “Flex-Auth”<br />
One Configuration Fits Most<br />
Flex-Auth enables a single configuration for most use cases:<br />
Configurable order and priority of authentication methods<br />
Configurable behavior after <strong>802.1X</strong> timeout: 1) Next-Method<br />
Configurable behavior after <strong>802.1X</strong> failure<br />
Configurable behavior before & after AAA server dies<br />
802.1X Failure vs. 802.1X Timeout
An 802.1X failure occurs when the AAA server rejects the request:
  Supplicant (SSC) -> Switch: EAPoL Start
  Switch -> Supplicant: EAPoL Request Identity
  Supplicant -> Switch: EAPoL Response Identity
  Switch -> AAA server: RADIUS Access Request
  AAA server -> Switch: RADIUS Access Reject
  Switch -> Supplicant: EAP Failure
A timeout occurs when an endpoint can't speak 802.1X:
  Switch -> Endpoint: EAPoL Request Identity
  Endpoint: "EAP Who?" (no supplicant, so no reply)
  Switch -> Endpoint: EAPoL Request Identity (repeated until the timeout expires)
Default Behavior on 802.1X Timeout with LWA
After 802.1X times out, the port automatically falls back to the "next-method" if another method is configured.
  802.1X & MAB: 802.1X -> 802.1X Timeout -> MAB
  802.1X & Web Auth: 802.1X -> 802.1X Timeout -> Local Web-Auth
  802.1X, MAB, Web-Auth: 802.1X -> 802.1X Timeout -> MAB -> MAB fails -> Local Web-Auth

Default Behavior on 802.1X Timeout with CWA
After 802.1X times out, the port automatically falls back to the "next-method" if another method is configured.
  802.1X & MAB: 802.1X -> 802.1X Timeout -> MAB
  802.1X & Web Auth: 802.1X -> 802.1X Timeout -> Local Web-Auth
  802.1X, MAB, Web-Auth: 802.1X -> 802.1X Timeout -> MAB -> MAB succeeds -> Central Web-Auth
Web-Auth is not a "next-method"; instead it is an authorization "result" sent by ISE based on successful MAB authentication.
Flex-Auth for 802.1X Failures: Low Impact Mode
• Configurable order and priority of authentication methods
• Configurable behavior after 802.1X timeout: 1) Next-Method
• Configurable behavior after 802.1X failure: 1) Next-Method
• Configurable behavior before & after the AAA server dies
• Flex-Auth enables a single configuration for most use cases
Default Security After 802.1X Failure
Before authentication: all traffic except EAPoL is dropped.
After 802.1X failure: all traffic except EAPoL is dropped.
Why Provide Access to Devices that Fail?
• Employees' credentials expire or get entered incorrectly ("Certificate Expired!", "User Unknown!").
• As 802.1X becomes more prevalent, more guests will fail authentication because their devices have 802.1X enabled by default.
• Many enterprises require that guests and failed corporate assets get conditional access to the network.
The Problem? Authentication Failures: Architecture Issues
• EAP runs between the supplicant and the EAP server.
• While not precluded by the EAP architecture, switches today are NOT EAP servers. They are authenticators ONLY.
• This means they serve as a transport truck (aka pass-through mode) for EAP via 802.1X + RADIUS and rely on the authentication server to be the EAP server.
• EAP starts on the EAP server at step 4 on the previous slide.
• EAP stops at step 6 on the server, and at step 7 on the supplicant, on the previous slide.
• After step 7, the switch places the port into the HELD state (60 seconds by default), which continues to deny all access.
• It does NOT matter whether traffic attempts to enter the network while the port is in the HELD state.
• Since switches operate in pass-through mode, messing around with the result of the authentication conversation can be challenging! This is because the switch does NOT have visibility into what is actually going on, nor should it.
Failed Auth with Flex-auth: Next-method
After 802.1X failure:
• User authenticated via MAB; access determined by the MAB result.
• Supplicant expected to "fail open": the switch allows a single packet in order to learn the MAC address.
  6506-2(config-if)#authentication event fail action next-method
  6506-2(config-if)#authentication order dot1x mab
Flex-Auth Sequencing (LWA)
Default Order: 802.1X First
  By default, the switch attempts the most secure auth method first. Timeout can mean significant delay before MAB.
  802.1X -> 802.1X Timeout / Fail -> MAB -> MAB fails -> ISE sends Web Auth
Flex-Auth Order: MAB First
  The alternative order does MAB on the first packet from the device.
  MAB -> MAB fails -> 802.1X -> 802.1X Timeout -> ISE sends Web Auth
Flex-Auth Sequencing (CWA)
Default Order: 802.1X First
  By default, the switch attempts the most secure auth method first. Timeout can mean significant delay before MAB.
  802.1X -> 802.1X Timeout / Fail -> MAB -> MAB succeeds -> Central Web Auth
Flex-Auth Order: MAB First
  The alternative order does MAB on the first packet from the device.
  MAB -> MAB succeeds -> Central Web Auth
Flex-Auth Order with Flex-Auth Priority
Default Priority: 802.1X ignored after successful MAB
  MAB -> MAB passes -> Port authorized by MAB -> EAPoL-Start received -> ignored
  (MAB -> MAB fails -> 802.1X, as next-method)
Flex-Auth Priority: 802.1X starts despite successful MAB
  MAB -> MAB passes -> EAPoL-Start received -> 802.1X starts
• Priority determines which method can preempt other methods.
• By default, method sequence determines priority (the first method has the highest priority).
• If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
Low Impact Mode: Web Auth
What ACME Expects for Web Auth
• Customizable login page
• 802.1X/MAB compatibility
• Parity for wired / WLAN
• Centralized web page management
• Flexible access policies
• Centralized accounting
• Integrated web authentication
• ISE administration and policy services
• Sponsored guest credentials
• Existing credential stores (Active Directory)
Introducing... Web-Auth's New Best Friend: Identity Services Engine (ISE)
• Multi-function standalone appliance
• Customizable hotspot hosting
• Sponsored guest access provisioning, verification, management
Old Way: Local Login Pages
Default (auth-proxy banner): fixed text, text only.
  ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C
Enhanced Web Auth: Centralized Login Page (new with ISE 1.0!)
1. Guest opens a web browser.
2. Web traffic is intercepted by the switch and redirected to ISE Guest Services.
3. ISE returns the centralized web login page.
Web Authentication Can Be Used For Guests and/or Employees
• ISE can use Identity Sequences to check the Local Guest Account Repository, then Active Directory.
• ISE can assign different levels of access to Guest and Employee.
Low Impact: Network Access Table

Endpoints | Authentication Status | Authorization | Implementation
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL
Employees | 802.1X Success | Enterprise Access | Permit-Any dACL
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL
Phones | 802.1X or MAB Success | Voice Access | 
Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL
Sponsored Guest | 802.1X Fail/Timeout -> MAB Success/Continue -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Success/Continue -> Web-Auth Fail | Limited Access | Pre-Auth ACL
All | None (AAA server down) | Limited Access | Pre-Auth ACL

DEMO Time: Next-Method for 802.1X Timeout & Fail
802.1X: Adding the next-method Feature
interface GigabitEthernet1/13
 description Dot1x Demo with Auth-Fail VLAN
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 authentication event fail action next-method
 dot1x pae authenticator
 authentication port-control auto
 authentication event no-response action authorize vlan 40
 dot1x timeout tx-period 10
 dot1x max-req 2
 mab
 spanning-tree portfast
802.1X: Next-method on fail
Switch#show authentication sessions interface g1/13
            Interface:  GigabitEthernet1/13
          MAC Address:  0014.5e95.d6cc
           IP Address:  10.1.2.201
            User-Name:  00-14-5E-95-D6-CC
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A640A0500001651613D5C04
      Acct Session ID:  0x00001654
               Handle:  0x1B000652

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
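An operations check built on that output, as an added Python example (the editor's code, not Cisco's). It parses the detail form of "show authentication sessions interface" for one or more ports and lists the ports that are "Authz Success" only because dot1x failed over to MAB, i.e. where a device holding a supplicant was let on by MAC address alone. The Gi1/13 block is the one above; the Gi1/14 block and the assumption that several per-interface outputs are simply concatenated are mine.

```python
"""Added example (the editor's, not Cisco's): parse 'show authentication
sessions interface ...' detail output and flag ports authorized by MAB
after the supplicant's 802.1X attempt failed over.

Assumption: the input is the detail output for one or more interfaces
concatenated, each block beginning with an 'Interface:' line.
"""
import re
from typing import Dict, List

# Constructed sample: the Gi1/13 block from the slide plus an invented Gi1/14
# whose supplicant succeeded with 802.1X.
SAMPLE = """\
            Interface:  GigabitEthernet1/13
          MAC Address:  0014.5e95.d6cc
           IP Address:  10.1.2.201
            User-Name:  00-14-5E-95-D6-CC
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
    Common Session ID:  0A640A0500001651613D5C04
      Acct Session ID:  0x00001654
               Handle:  0x1B000652

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
            Interface:  GigabitEthernet1/14
          MAC Address:  0011.2233.4455
           IP Address:  10.1.2.202
            User-Name:  employee1
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
    Common Session ID:  0A640A0500001652613D5D10

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

KV = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*\S)\s*$")
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_sessions(text: str) -> List[Dict]:
    """One dict per session: the header key/value fields plus a 'methods'
    dict mapping method name to its state string."""
    sessions: List[Dict] = []
    current = None
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Interface:"):
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None:
            continue
        if line.strip() == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            m = METHOD.match(line)
            if m:
                current["methods"][m.group(1)] = m.group(2)
            continue
        m = KV.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    return sessions


def mab_after_dot1x_failure(sessions: List[Dict]) -> List[str]:
    """Ports authorized by MAB after dot1x 'Failed over': the next-method
    fallback worth a second look, since MAB trusts nothing but a MAC address."""
    return [
        s["Interface"] for s in sessions
        if s.get("Status") == "Authz Success"
        and s["methods"].get("dot1x") == "Failed over"
        and s["methods"].get("mab") == "Authc Success"
    ]


if __name__ == "__main__":
    for iface in mab_after_dot1x_failure(parse_sessions(SAMPLE)):
        print("dot1x failed over to MAB on", iface)
```

A device that has a supplicant but lands on MAB has either bad credentials (the "Certificate Expired! / User Unknown!" cases) or is deliberately failing open, so this list is the one to reconcile against the MAB database and the ISE failed-authentication reports.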
802.1X: "View" of next-method fail over to successful MAB
802.1X: Changing Default Order & Priority
interface GigabitEthernet1/13
 description Dot1x Demo with Non-Default Order
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 …
• Changing the order automatically changes the default priority.

Switch(config)#interface g1/13
Switch(config-if)#no shut
*Dec 5 10:33:15: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 5 10:33:15: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
Switch(config)#do show auth sess
Interface    MAC Address     Method   Domain   Status
Gi1/13       0014.5e95.d6cc  mab      DATA     Authz Success
*Dec 5 11:11:24: dot1x-packet(Gi1/13): Received an EAPOL frame
Switch(config)#do show auth sess
Interface    MAC Address     Method   Domain   Status
Gi1/13       0014.5e95.d6cc  mab      DATA     Authz Success
The EAPoL-Start is ignored: MAB has already authorized the port and, with the default priority following the order, MAB outranks dot1x.
802.1X: Changing Default Priority
Switch(config-if)#authentication priority dot1x mab
*Dec 5 11:13:08: dot1x-packet(Gi1/13): Received an EAPOL frame
*Dec 5 11:13:08: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 5 11:13:08: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
Switch(config-if)#do show auth s
Interface    MAC Address     Method   Domain   Status
Gi1/13       0014.5e95.d6cc  dot1x    DATA     Authz Success
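The order, priority and next-method rules from the Flex-Auth slides and the three demos above (fail then next-method, EAPoL-Start ignored after MAB, dot1x pre-empting MAB once "authentication priority dot1x mab" is set), as an added Python model (the editor's code, not switch code). It implements only what the slides state: "next-method" on failure or timeout, priority defaulting to the configured order, and a method pre-empting only a lower-priority one; how it applies that rule while a method is still in progress is my generalization.

```python
"""Added example (the editor's model, not IOS code) of Flex-Auth order,
priority and next-method behaviour as described on the slides.

Covered: 'authentication order', 'authentication priority' (defaulting to the
order), and 'next-method' on 802.1X failure or timeout. Not covered: the
authorize/restrict actions, critical-auth, and re-authentication timers.
"""
from typing import List, Optional


class FlexAuthPort:
    def __init__(self, order: List[str], priority: Optional[List[str]] = None):
        self.order = list(order)
        # "Changing order automatically changes default priority."
        self.priority = list(priority) if priority else list(order)
        self.active: Optional[str] = None          # method currently running
        self.authorized_by: Optional[str] = None   # method that authorized the port
        self.log: List[str] = []

    def _start(self, method: str) -> None:
        self.active = method
        self.log.append(f"START {method}")

    def link_up(self) -> None:
        self._start(self.order[0])

    def result(self, method: str, outcome: str) -> None:
        """outcome: 'success', 'fail' (server rejected) or 'timeout' (no supplicant)."""
        if method != self.active:
            raise ValueError(f"{method} is not running on this port")
        if outcome == "success":
            self.active, self.authorized_by = None, method
            self.log.append(f"AUTHZ {method}")
            return
        self.log.append(f"{outcome.upper()} {method}")
        nxt = self.order.index(method) + 1
        if nxt < len(self.order):
            self._start(self.order[nxt])           # next-method
        else:
            self.active = None
            self.log.append("no next method; port stays unauthorized")

    def eapol_start(self) -> bool:
        """Supplicant sends EAPoL-Start. Returns True if dot1x runs as a result."""
        if "dot1x" not in self.order:
            self.log.append("EAPOL-START ignored (dot1x not configured)")
            return False
        holder = self.authorized_by or self.active   # what dot1x would have to preempt
        if holder is None or holder == "dot1x":
            if self.active != "dot1x":
                self._start("dot1x")
            return True
        if self.priority.index("dot1x") < self.priority.index(holder):
            self.log.append(f"FAILOVER from {holder}")
            self.authorized_by, self.active = None, None
            self._start("dot1x")
            return True
        self.log.append(f"EAPOL-START ignored ({holder} has priority)")
        return False


def demo_fail_next_method() -> FlexAuthPort:
    """'authentication order dot1x mab' + 'event fail action next-method'."""
    port = FlexAuthPort(order=["dot1x", "mab"])
    port.link_up()
    port.result("dot1x", "fail")       # RADIUS Access-Reject
    port.result("mab", "success")
    return port


def demo_mab_first_default_priority() -> FlexAuthPort:
    """'authentication order mab dot1x' only: priority follows the order."""
    port = FlexAuthPort(order=["mab", "dot1x"])
    port.link_up()
    port.result("mab", "success")
    port.eapol_start()                 # ignored, as in the Gi1/13 log
    return port


def demo_mab_first_dot1x_priority() -> FlexAuthPort:
    """Adds 'authentication priority dot1x mab': dot1x preempts MAB."""
    port = FlexAuthPort(order=["mab", "dot1x"], priority=["dot1x", "mab"])
    port.link_up()
    port.result("mab", "success")
    port.eapol_start()                 # %AUTHMGR-7-FAILOVER, dot1x starts
    port.result("dot1x", "success")
    return port


if __name__ == "__main__":
    for demo in (demo_fail_next_method, demo_mab_first_default_priority,
                 demo_mab_first_dot1x_priority):
        print(demo.__name__, "->", " | ".join(demo().log))
```

The MAB-first order buys speed for phones and printers, but without "authentication priority dot1x mab" a supplicant-capable device that passes MAB is never asked for credentials; the model's second demo is exactly that silent downgrade.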
ISE: Create dACL for Web-Auth
• In this example, all HTTP/HTTPS is permitted; any web traffic from the user can then be redirected to the Web Auth portal on TCP/8443.
• In addition to DNS and ping, traffic to the ISE web auth portal at 10.1.100.21 (TCP/8443) is explicitly permitted.
ISE: Create Authz Profile for Web-Auth
• Port DACL = traffic permitted/denied per unique host, per switch port (ACL is centrally defined).
• Of the traffic permitted in the Port DACL, the Redirect ACL = traffic to be redirected to the web service (ACL is locally defined on the switch).
• Attr Details show the actual RADIUS attributes returned to the access device.
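What those "Attr Details" look like on the wire, as an added Python example (the editor's code, not ISE's or IOS's). It builds the RADIUS Access-Accept for a CWA profile like the one above, with the dACL name, redirect ACL and redirect URL carried as Cisco vendor-specific attributes, verifies the Response Authenticator the way the switch must before honouring any Access-Accept, and parses the cisco-av-pairs back out. It also builds the "device-traffic-class=voice" accept used for phones later in the deck. The av-pair keys are the ones the switch understands; the portal URL path, the shared secret and the Request Authenticator are illustrative values, and the session ID is the one from the "show authentication sessions" output earlier.

```python
"""Added example (the editor's, not ISE's or IOS's): RADIUS Access-Accept with
Cisco av-pairs for a CWA authorization profile, Response Authenticator
verification, and av-pair parsing (attribute layout per RFC 2865).

Illustrative values: the portal URL path, SECRET and REQUEST_AUTH. The dACL
name, redirect ACL name, portal IP/port and session ID come from the deck.
"""
import hashlib
import hmac
import struct
from typing import List

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1          # vendor-type 1 = cisco-av-pair


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair as a Vendor-Specific attribute (type 26)."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    if 6 + len(vsa) > 255:
        raise ValueError("attribute too long for one VSA")
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_CISCO) + vsa


def build_access_accept(ident: int, request_authenticator: bytes,
                        secret: bytes, avpairs: List[str]) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check an authenticator must do before acting on an Access-Accept.
    Without it, anyone who can inject a UDP datagram toward the switch could
    grant access, hand out a permit-any dACL, or point the redirect URL at a
    phishing portal."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_cisco_avpairs(packet: bytes) -> List[str]:
    """Walk the attribute list and return every cisco-av-pair string."""
    out, i = [], 20
    while i < len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("malformed attribute")
        body = packet[i + 2:i + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            j = 4
            while j + 2 <= len(body):
                vt, vl = body[j], body[j + 1]
                if vl < 2:
                    raise ValueError("malformed VSA")
                if vendor == VENDOR_CISCO and vt == CISCO_AVPAIR:
                    out.append(body[j + 2:j + vl].decode())
                j += vl
        i += attr_len
    return out


# CWA profile from the slide: dACL (the '#ACSACL#' prefix shows up as 'xACSACLx'
# on the switch), the locally defined redirect ACL, and the portal on TCP/8443.
SESSION_ID = "0A640A0500001651613D5C04"
CWA_PROFILE = [
    "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT-IP-ANY-ANY-4936eb9e",
    "url-redirect-acl=ACL-WEBAUTH-REDIRECT",
    f"url-redirect=https://10.1.100.21:8443/guestportal/gateway?sessionId={SESSION_ID}&action=cwa",
]
VOICE_PROFILE = ["device-traffic-class=voice"]   # the "voice VSA" used with MDA

SECRET = b"cisco123"               # illustrative shared secret (same value as the deck's CoA key)
REQUEST_AUTH = bytes(range(16))    # constructed stand-in for the Access-Request authenticator

if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET, CWA_PROFILE)
    print(verify_response(pkt, REQUEST_AUTH, SECRET), parse_cisco_avpairs(pkt))
```

Two practitioner notes follow from the code: the Response Authenticator is an MD5 MAC keyed only by the shared secret, so a short or reused secret (the "cisco123" here is a demo value) is the whole of the switch-to-ISE trust, and the redirect URL's sessionId ties the portal login back to this exact session, which is why the switch must keep the Common Session ID stable until the CoA arrives.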
ISE: Create Authz Policy for Web-Auth
• In this example, if no other policy rule matches, the Default policy is to redirect users to Central Web Authentication services.
ACS: Create Web-Auth Authz Profile (1)
Switch: Local Web Auth Configuration
aaa authentication login default group radius
aaa authentication login line-console none
aaa authorization auth-proxy default group radius
!
ip admission name RULE1 proxy http
ip device tracking
ip http server
ip http secure-server
!
ip access-list extended DEFAULT-ACCESS
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Allow HTTP
 permit tcp any any eq www
 remark Allow ICMP for test purposes
 permit icmp any any
 remark Implicit Deny
 deny ip any any
!
fallback profile WEB-AUTH
 ip access-group DEFAULT-ACCESS in
 ip admission RULE1
!
line con 0
 login authentication line-console
!
interface GigabitEthernet1/0/15
 description Dot1x Demo with MAB and Web-Auth
 switchport access vlan 2
 switchport voice vlan 200
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 no authentication event no-response
 dot1x timeout tx-period 10
 dot1x max-req
 mab
 spanning-tree portfast
 authentication fallback WEB-AUTH
!
radius-server attribute 8 include-in-access-req
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxx
radius-server vsa send authentication
Switch: Central Web Auth Configuration
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
ip access-list extended DEFAULT-ACCESS
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Allow HTTP
 permit tcp any any eq www
 remark Allow HTTPS
 permit tcp any any eq 443
 remark Allow ICMP for test purposes
 permit icmp any any
 remark Implicit Deny
 deny ip any any
!
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark Never redirect traffic destined to ISE itself (the portal must be reachable)
 deny ip any host X.X.X.X
 remark Everything else that the port ACL lets through is redirected to the portal
 permit ip any any
!
ip device tracking
ip http server
ip http secure-server
!
interface GigabitEthernet1/0/15
 description Dot1x Demo with MAB and Web-Auth
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 ip access-group DEFAULT-ACCESS in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
aaa server radius dynamic-author
 client X.X.X.X server-key cisco123
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
radius-server vsa send accounting
radius-server vsa send authentication
Web Auth User Experience
ISE Web Auth User Experience

Low Impact Mode: IP Telephony
802.1X & IPT: A Special Case
With voice ports, a port can belong to two VLANs, keeping voice and data traffic separate while still letting you configure 802.1X:
• An access port able to handle two VLANs
• Native or Port VLAN Identifier (PVID): untagged 802.3, authenticated by 802.1X
• Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1Q, authenticated by 802.1X
• Hardware configured with the voice VLAN ID
IPT & 802.1X: Fundamental Challenges
"The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." (IEEE 802.1X-2004)
• One device per port: the model the standard assumes.
• Two devices per port (a PC behind a phone): Security Violation. IPT breaks the point-to-point model.
• Link State Dependency: the PC's link state is unknown to the switch, because the PC's cable terminates on the phone rather than on the switch port.
First Solution: CDP Bypass
The phone announces itself with CDP and the switch admits it to the voice VLAN; the data VLAN still goes through 802.1X.
interface fastEthernet 3/48
 switchport voice vlan 10
 authentication port-control auto
 dot1x pae authenticator

Benefits | Deployment Considerations
Access to voice VLAN after phone sends CDP | CDP-capable hackers get full access, too.
Default behavior: Cisco IP Phones get access if voice VLAN configured | No visibility, no access control
Works for all Cisco phone models | Incompatible with dynamic VVID, downloadable ACLs (dACLs), PC Web Auth
Second Solution: Multi-Domain Authentication (MDA) Host Mode
IEEE 802.1X: single device per port.
MDA: single device per domain per port (Data Domain + Voice Domain).
• Phones and PCs use 802.1X or MAB
• MDA is a subset of Multi-Auth
interface fastEthernet 3/48
 authentication host-mode multi-domain
MDA with MAC Authentication Bypass (MAB)
  Link up (0:00)
  Switch -> Phone: EAP-Identity-Request, no response, timeout
  Switch -> Phone: EAP-Identity-Request, no response, timeout
  Switch -> Phone: EAP-Identity-Request, no response, timeout
  Fallback to MAB: switch learns MAC 00.18.ba.c7.bc.ee from the phone's first frame
  Switch -> AAA: RADIUS Access-Request: 00.18.ba.c7.bc.ee
  AAA -> Switch: RADIUS Access-Accept, device-traffic-class=voice
  Voice VLAN enabled
(Each request waits a full tx-period before the next; with the default timers the three attempts take 90 seconds before MAB begins.)

Benefits | Deployment Considerations
No client, no credential needed -> works for all Cisco phone models | Dependency on AAA server
Enables visibility, access control | Must create & maintain phone MAC database
Compatible with 802.1X features | Default 802.1X timeout = 90 seconds latency (mitigated by Low Impact Mode)
MDA with 802.1X
Supplicant (phone) <- Layer 2 point-to-point -> Authenticator (switch) <- Layer 3 link -> AAA server
  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAPoL Response Identity (CP-79xx-xxxxxxxx)
  Authenticator -> AAA: RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
  AAA -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request: TLS]
  Supplicant -> AAA (relayed): EAP-Response: TLS Client Hello, inside a RADIUS Access-Request
  AAA -> Supplicant (relayed): EAP-Request: TLS Server Hello, inside a RADIUS Access-Challenge
  ... (actual exchanges depend on the EAP method: MD5, TLS, FAST)
  AAA -> Authenticator: RADIUS Access-Accept [AVP: device-traffic-class=voice] [AVP: voice VLAN 10, dACL-n] (the "Voice VSA")
  Authenticator -> Supplicant: EAP Success

Benefits | Deployment Considerations
Strong authentication with minimal delay | Choice of EAP method impacts deployability
Can be deployed without touching the phone or creating a database | Requires: 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
Compatible with 802.1X features | AAA server dependency
MDA in Action
Either 802.1X or MAB for the phone; any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for the PC. In this output the PC is authenticated by 802.1X and the phone by MAB.

3750-1(config-if)#do sh dot1x int G1/0/5 details

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 0014.5e42.66df
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server

Domain                    = VOICE
Supplicant                = 0016.9dc3.08b8
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Implementation Details
• The access port on the switch allows two VLANs, i.e. PVID for data traffic and VVID for voice traffic.
• LLDP is processed by the switch on the uncontrolled port; it is not used as an 802.1X exemption criterion (at all).
• CDP is processed by the switch on the uncontrolled port; it is not used as an 802.1X exemption criterion when MDA is used.
• Guest-VLAN works on the PVID only (i.e. limited to data devices).
• Auth-Fail-VLAN works on the PVID only (i.e. limited to data devices).
• Critical VLAN works for one domain only (i.e. limited to data devices).
Summary: Multiple Hosts per Port

Host Mode | Enforcement | Deployment Considerations
Single | Single MAC address per port | Second MAC address triggers a security violation; VMs on the host must share the same MAC address; CDP Bypass is the only IPT solution
Multi-Domain Auth (MDA) | One voice device + one data device per port | Same as single host mode except the phone authenticates; supports third-party phones
Multi-Auth | Superset of MDA with multiple data devices per port | Authenticates every MAC address in the data domain; VMs on the host may use different MAC addresses; one VLAN (default port VLAN) for all devices on the port
Multi-Host | One authenticated device allows any number of subsequent MAC addresses | Not recommended; VMs on the host may use different MAC addresses; CDP Bypass is the only IPT solution
Low Impact: <strong>Network</strong> Access Table<br />
Endpoints | Authentication Status | Authorization | Implementation<br />
All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL<br />
Employees | <strong>802.1X</strong> Success | Enterprise Access | Permit-Any dACL<br />
Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL<br />
Phones | <strong>802.1X</strong> or MAB Success | Voice Access | MDA with Voice VSA + Permit-Any dACL<br />
Employees | <strong>802.1X</strong> Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL<br />
Sponsored Guest | <strong>802.1X</strong> Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL<br />
All | None (AAA server down) | Limited Access | Pre-Auth ACL<br />
IPT & <strong>802.1X</strong>: <strong>The</strong> Link-State Problem<br />
1) Legitimate users cause a security violation. PC A (source MAC 0011.2233.4455) authenticates behind the IP phone, so F0/2 is authorized for 0011.2233.4455 only. When PC A is unplugged from the phone the switch sees no link-down event and keeps the session; when PC B (source MAC 6677.8899.AABB) plugs into the phone, its frames trigger a security violation on F0/2.<br />
2) Attackers can spoof the MAC to gain access without authenticating. Because 0011.2233.4455 is still authorized on F0/2 after PC A leaves, any host that spoofs that source MAC is forwarded without authenticating: a security hole.<br />
[Figure: Catalyst 3750 with the IP phone and PCs A and B daisy-chained on port F0/2]<br />
Partial Solution: Proxy EAPoL-Logoff<br />
PC-A (SSC supplicant, MAC 0011.2233.4455) is authorized: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x.<br />
PC-A unplugs: the phone sends a proxy EAPoL-Logoff on PC-A's behalf and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED).<br />
PC-B (SSC supplicant) plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.<br />
Caveats: only for <strong>802.1X</strong> devices behind the phone. Requires logoff-capable phones.<br />
[Figure: Catalyst 3750 port state before and after the proxy EAPoL-Logoff]<br />
Partial Solution: Inactivity Timeout Options<br />
The device is authorized: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB. It unplugs; the session stays and the port is vulnerable to a security violation and/or the security hole until the inactivity timer expires. When the timer expires the session is cleared (Domain = DATA, Port Status = UNAUTHORIZED) and the vulnerability is closed.<br />
interface GigabitEthernet1/0/5<br />
switchport mode access<br />
switchport access vlan 2<br />
switchport voice vlan 12<br />
authentication host-mode multi-domain<br />
authentication port-control auto<br />
authentication timer inactivity [300 | server]<br />
mab<br />
Caveats: quiet devices may have to re-authenticate, and network access is denied until re-auth completes. There is still a window of vulnerability.<br />
Platform support: 3K: 12.2(50)SE*; 4K: 12.2(50)SG; 6K: 12.2(33)SXI<br />
[Figure: Catalyst 3750 port state before and after the inactivity timer expires]<br />
Partial Solution: MAC Move<br />
PC MAC: 00-1C-25-BA-6D-3B; AAA by ISE (RADIUS); the PC connects through an intermediary device.<br />
1. PC connects in the Office and authenticates<br />
2. CAM table updated (MAC/port): 00-1C-25-BA-6D-3B on Gigabit Ethernet 1/0/1<br />
3. PC moved to a new location (Conference Room)<br />
4. PC authenticates<br />
5. Previous session deleted and CAM table updated with the new entry: 00-1C-25-BA-6D-3B on Gigabit Ethernet 1/0/14<br />
Wiring closet CAM table (MAC Addr | Switchport): 00-1C-25-BA-6D-3B | Gigabit Ethernet 1/0/1, then 00-1C-25-BA-6D-3B | Gigabit Ethernet 1/0/14<br />
Best Practice: combine MAC Move with the Inactivity Timer.<br />
Partial Solution: MAC Replace<br />
PC(A) MAC: 00-1C-25-BA-6D-3B and PC(B) MAC: 00-1C-25-BA-6E-4C, both in the Office behind an intermediary device; AAA by ISE (RADIUS).<br />
1. PC A connects (assume the <strong>802.1X</strong>/MAB process occurs)<br />
2. Authentication succeeds<br />
3. CAM table updated (MAC/port): 00-1C-25-BA-6D-3B on Gigabit Ethernet 1/0/1<br />
4. PC A disconnects<br />
5. PC B connects<br />
6. Authentication succeeds<br />
7. CAM table updated with the new MAC address: 00-1C-25-BA-6E-4C on Gigabit Ethernet 1/0/1<br />
Full Solution: CDP 2nd Port Notification<br />
Device A is authorized: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB. Device A unplugs; the phone sends a CDP link-down TLV to the switch and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED). Device B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.<br />
id-4503#sho cdp neigh g2/1 detail<br />
-------------------------<br />
Device ID: SEP0015C696E22C<br />
Entry address(es):<br />
IP address: 10.1.200.10<br />
Platform: <strong>Cisco</strong> IP Phone 7971, Capabilities: Host Phone Two-port Mac Relay<br />
Interface: GigabitEthernet2/1, Port ID (outgoing port): Port 1 Holdtime : 168 sec<br />
Second Port Status: Down<br />
The link status message addresses the root cause: the session is cleared immediately. Works for MAB, <strong>802.1X</strong>, and Web-Auth. Nothing to configure.<br />
Requires: IP Phone firmware 8.4(1); 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI<br />
[Figure: Catalyst 3750 port state before and after the CDP second-port link-down]<br />
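The behaviour of the four host modes in the "Multiple Hosts per Port" summary and of the link-state mitigations above can be checked against a small model. This is an added example, not Cisco code or part of the session: it simulates a switch port's session table in Python, with the phone MAC, the 300-second inactivity timer and the simulated clock as assumptions.

```python
"""Model of a Catalyst access port's session table (added example, not Cisco
code): host-mode admission rules from the "Multiple Hosts per Port" summary,
the link-state problem behind an IP phone, and the inactivity timer, MAC
replace and CDP second-port link-down mitigations. Time is simulated."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SINGLE_HOST, MULTI_DOMAIN, MULTI_AUTH, MULTI_HOST = (
    "single-host", "multi-domain", "multi-auth", "multi-host")


@dataclass
class Session:
    mac: str
    domain: str        # "DATA" or "VOICE"
    method: str        # "dot1x" or "mab"
    last_seen: float   # simulated time of the last frame from this MAC


@dataclass
class Port:
    host_mode: str
    inactivity_timeout: Optional[float] = None  # 'authentication timer inactivity N'
    mac_replace: bool = False                   # 'authentication violation replace'
    sessions: Dict[str, Session] = field(default_factory=dict)
    violations: List[str] = field(default_factory=list)
    now: float = 0.0

    def _in_domain(self, domain: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.domain == domain]

    def _occupied(self, domain: str) -> bool:
        """True when the host mode allows no further session in `domain`."""
        if self.host_mode == SINGLE_HOST:
            return bool(self.sessions)
        if self.host_mode == MULTI_DOMAIN:          # one DATA + one VOICE
            return bool(self._in_domain(domain))
        if self.host_mode == MULTI_AUTH:            # many DATA, one VOICE
            return domain == "VOICE" and bool(self._in_domain("VOICE"))
        return False                                # multi-host never violates

    def authenticate(self, mac: str, domain: str = "DATA",
                     method: str = "dot1x") -> str:
        """A new MAC completes 802.1X or MAB; returns the port's decision."""
        if mac in self.sessions:
            return "already-authorized"
        if self._occupied(domain):
            if not self.mac_replace:
                self.violations.append(mac)
                return "security-violation"
            # MAC replace: drop the stale session in this domain, then admit
            stale = (self._in_domain(domain) or list(self.sessions.values()))[0]
            del self.sessions[stale.mac]
        self.sessions[mac] = Session(mac, domain, method, self.now)
        return "authorized"

    def frame(self, mac: str) -> bool:
        """A frame from `mac` arrives; True if the port forwards it."""
        if mac in self.sessions:             # a spoofed stale MAC matches too
            self.sessions[mac].last_seen = self.now
            return True
        # multi-host: anything piggybacks once one device has authenticated
        return self.host_mode == MULTI_HOST and bool(self.sessions)

    def tick(self, seconds: float) -> None:
        """Advance the clock and expire idle sessions (inactivity timer)."""
        self.now += seconds
        if self.inactivity_timeout is not None:
            for mac in [m for m, s in self.sessions.items()
                        if self.now - s.last_seen >= self.inactivity_timeout]:
                del self.sessions[mac]

    def cdp_second_port_down(self) -> None:
        """Phone reports its PC port link-down: DATA sessions cleared at once."""
        for mac in [m for m, s in self.sessions.items() if s.domain == "DATA"]:
            del self.sessions[mac]


def link_state_scenario(mitigation: str) -> Tuple[bool, str]:
    """PC A (0011.2233.4455) behind a phone on an MDA port unplugs without the
    switch seeing link-down; an attacker then spoofs PC A's MAC and PC B
    (6677.8899.aabb) plugs in. Returns (spoofed frame forwarded, PC B result).
    `mitigation` is one of "none", "mac-replace", "inactivity", "cdp"."""
    port = Port(MULTI_DOMAIN, inactivity_timeout=300,   # 300 s is an assumption
                mac_replace=(mitigation == "mac-replace"))
    phone, pc_a, pc_b = "0015.c696.e22c", "0011.2233.4455", "6677.8899.aabb"
    port.authenticate(phone, "VOICE", "mab")
    port.authenticate(pc_a, "DATA", "dot1x")
    port.frame(pc_a)
    # PC A unplugs here; only the phone keeps talking to the switch.
    if mitigation == "cdp":
        port.cdp_second_port_down()
    elif mitigation == "inactivity":
        for _ in range(3):                   # 300 s pass, phone stays active
            port.tick(100)
            port.frame(phone)
    spoofed = port.frame(pc_a)               # attacker using PC A's MAC
    return spoofed, port.authenticate(pc_b, "DATA", "dot1x")


if __name__ == "__main__":
    for m in ("none", "mac-replace", "inactivity", "cdp"):
        print(m, link_state_scenario(m))
```

link_state_scenario makes the "partial" versus "full" labels concrete: with no mitigation the spoofed MAC is forwarded and PC B trips a violation; MAC replace admits PC B but still forwards the spoofed MAC; the inactivity timer closes the hole only once it expires; the CDP second-port notification closes it immediately.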
DEMO Time: MDA, Phone with MAB<br />
ISE Configuration: Create Phone Group<br />
ISE Configuration: Add 7960 to Host Database in Phone Group<br />
ISE Configuration: Create Phone Authorization Profile<br />
ISE Configuration: Add Phone Authz Policy Entry<br />
Switch Configuration<br />
interface GigabitEthernet1/13<br />
description Dot1x Demo with MDA<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
authentication event fail action next-method<br />
authentication host-mode multi-domain<br />
authentication order dot1x mab<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
dot1x timeout tx-period 10<br />
dot1x max-req 2<br />
mab<br />
spanning-tree portfast<br />
<strong>Cisco</strong> IP-Phone <strong>802.1X</strong>: Phone Booting<br />
<strong>Cisco</strong> IP-Phone <strong>802.1X</strong>: Access via the Security Settings Menu<br />
<strong>Cisco</strong> IP-Phone <strong>802.1X</strong>: <strong>802.1X</strong> Off by Default<br />
<strong>Cisco</strong> IP-Phone <strong>802.1X</strong>: Set EAP-MD5 Password<br />
<strong>Cisco</strong> IP-Phone <strong>802.1X</strong>: Device ID must = ACS User ID<br />
Checking Status<br />
#show authentication sessions interface g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 001b.d513.031c<br />
IP Address: 10.1.200.200<br />
User-Name: 00-1B-D5-13-03-1C<br />
Status: Authz Success<br />
Domain: VOICE<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorized By: Authentication Server<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000167067461170<br />
Acct Session ID: 0x00001676<br />
Handle: 0x64000671<br />
Runnable methods list:<br />
Method State<br />
dot1x Failed over<br />
mab Authc Success<br />
webauth Not run<br />
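An operator checking many ports wants the state above in machine-readable form. The following is an added example, not Cisco or ISE code: it parses the output shown above (copied into SAMPLE) and flags a port whose session does not look like the expected MDA voice session. The expected domain, method and host mode passed to check_session are assumptions.

```python
"""Added example (not Cisco code): parse 'show authentication sessions
interface' output and check a port against the state the MDA demo expects."""
import re
from typing import Dict, List

# Output shown above, copied verbatim (whitespace aside)
SAMPLE = """\
Interface: GigabitEthernet1/13
MAC Address: 001b.d513.031c
IP Address: 10.1.200.200
User-Name: 00-1B-D5-13-03-1C
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A640A050000167067461170
Acct Session ID: 0x00001676
Handle: 0x64000671
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
webauth Not run
"""


def parse_session(text: str) -> Dict[str, object]:
    """Return the key/value fields plus a 'methods' dict of {method: state}."""
    fields: Dict[str, object] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):      # column header
                continue
            name, state = line.split(None, 1)
            methods[name] = state
        elif ":" in line:
            key, value = line.split(":", 1)    # split on the first colon only
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def normalize_mac(s: str) -> str:
    """'00-1B-D5-13-03-1C' and '001b.d513.031c' both become '001bd513031c'."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def check_session(sess: Dict[str, object], expect_domain: str,
                  expect_method: str, expect_host_mode: str = "multi-domain") -> List[str]:
    """Return findings; an empty list means the port matches expectations."""
    findings: List[str] = []
    if sess.get("Status") != "Authz Success":
        findings.append(f"status is {sess.get('Status')!r}, not 'Authz Success'")
    if sess.get("Domain") != expect_domain:
        findings.append(f"domain is {sess.get('Domain')!r}, expected {expect_domain!r}")
    if sess.get("Oper host mode") != expect_host_mode:
        findings.append(f"host mode is {sess.get('Oper host mode')!r}")
    methods = sess["methods"]
    if methods.get(expect_method) != "Authc Success":
        findings.append(f"{expect_method} state is {methods.get(expect_method)!r}")
    # A locally authorized session (guest, auth-fail or critical VLAN) is not a
    # server decision; flag it so it is not mistaken for a successful auth.
    if sess.get("Authorized By") != "Authentication Server":
        findings.append(f"authorized by {sess.get('Authorized By')!r}")
    # For MAB the User-Name is the MAC itself; anything else is suspicious.
    if expect_method == "mab" and normalize_mac(str(sess.get("User-Name", ""))) \
            != normalize_mac(str(sess.get("MAC Address", ""))):
        findings.append("MAB user-name does not match the MAC address")
    return findings
```

Run check_session over the output of every port in a closet and the list of findings is the list of ports to look at; for the phone above it is empty, for a port where dot1x failed over and MAB was expected in the DATA domain it is not.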
DEMO Time: CDP 2nd Port Notifications<br />
Security Group Access with Low Impact Mode<br />
Challenge of Ingress Access Control List<br />
Ingress enforcement with a downloadable ACL (dACL) on Catalyst switches (3K/4K/6K) in the TrustSec domain, policy from ISE 1.0. Example dACL content for users/endpoints reaching the Site A to Site D servers across the campus network and the Internet:<br />
permit protocol any to Site A Servers eq services<br />
permit protocol any to Site B Servers eq services<br />
deny protocol any to Site C Servers eq services<br />
permit protocol any to Site D Servers eq services<br />
The switch needs to be aware of every network segment and address that needs to be protected.<br />
More dACL ACEs consume limited TCAM space on switches.<br />
Simple networks/policy can use dACL only.<br />
SGA and Low Impact Mode Interop: Reviewing Ingress & Egress Enforcement<br />
Ingress enforcement (Low Impact Mode on Catalyst 3K/4K/6K access switches in the TrustSec domain, policy from ISE 1.0): VLAN assignment and downloadable ACL. Egress enforcement (Cat 6500 w/ SUP 2T in front of the Site A to Site D servers): Security Group ACL.<br />
Low Impact Mode is enabled on the "ingress enforcement point".<br />
Low Impact Mode can co-exist with SGA by:<br />
1. Keeping the dACL very simple<br />
2. Controlling traffic with the SGACL at the egress enforcement point<br />
SGA and Monitor Mode Interop: Low Impact Mode<br />
• Low Impact Mode allows the customer to permit necessary traffic (bootstrap services such as PXE, WoL, etc.) before authentication, so existing services keep working.<br />
• TrustSec SGA integration eases the dACL challenges by reducing the number of ACEs that need to be downloaded to the ingress port.<br />
• Low Impact Mode could, for instance, simply allow an employee full access to the corporate network while restricting a guest user to Internet access only.<br />
• Egress access control with SGTs differentiates service within the Employee group based on individual role.<br />
The difference between Monitor Mode and Low Impact Mode is that Low Impact Mode enables very basic enforcement at the ingress interface while keeping the openness that makes deployment easy.<br />
SGA with Low Impact Mode Use Case: Selective Access with SGT Enforcement<br />
Pre-Auth ACL on the Low Impact Mode access port (Catalyst 3K/4K/6K):<br />
permit tcp any any established<br />
permit udp any any eq bootps<br />
permit udp any host 10.100.10.116 eq domain<br />
permit udp any host 10.100.10.117 eq tftp<br />
Port configuration:<br />
authentication port-control auto<br />
authentication open<br />
ip access-group PRE-AUTH-ACL in<br />
dot1x pae authenticator<br />
Authorization result from ISE 1.0 for the HR user: AUTH=OK, ACL=Permit IP Any, SGT=10.<br />
Egress enforcement with a Security Group ACL on the Cat 6500 w/ SUP 2T in front of the HR Server (111) and ACME Server (222); the Unknown (0) column covers untagged destinations such as the Internet in the diagram:<br />
SRC \ DST | HR Server (111) | ACME Server (222) | Unknown (0)<br />
ACME User (10) | Deny all | Permit all | Permit all<br />
HR User (10) | Permit all | Permit all | Permit all<br />
Guest (30) | Deny all | Deny all | Permit all<br />
1. User connects to the network<br />
2. The Pre-Auth ACL only allows selective services before authentication<br />
3. Authentication is performed and the results are logged by ACS; the dACL is downloaded along with the SGT<br />
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
5. Only permitted traffic paths (source SGT to destination SGT) are allowed<br />
Guest variant of the same use case: the authorization result is AUTH=OK, SGT=30, so at the egress SGACL the guest is denied to both the HR Server (111) and the ACME Server (222) and permitted only toward Unknown (0), i.e. the Internet.<br />
Location Based Access Control with Security Group Access<br />
More Flexible Policy with Role-Based Access Control: Everyone Has a Different Role<br />
Identity information (Identity: <strong>Network</strong> Administrator; Identity: Full-Time Employee; Identity: Guest) + other conditions (Time and Date, Location, Access Type) -> access privilege (Engineering, Human Resources, Finance, Marketing, Consultant, Home Access, Guest, Deny Access).<br />
Example users: Susan Kowalski (Employee, Sales Director); Rossi Barks (Employee, HR); Vicky Sanchez (Employee, Marketing); Francois Didier (Consultant).<br />
Policy for Today's Business Requirement: the same identity information (<strong>Network</strong> Administrator, Full-Time Employee, Guest) plus the other conditions (Time and Date, Location, Access Type) selects an access privilege: Consultant, Human Resources, Finance, Marketing, Guest, or Deny Access.<br />
Role + Rule-Based Access Control, Example: Human Resources Role<br />
Identity information (<strong>Network</strong> Administrator / Full-Time Employee / Guest) for Rossi Barks (Employee, HR) + other conditions: Time and Date, Location: Campus, Access Type: Wired -> an access privilege from Engineering, Human Resources, Finance, Home Access, Guest, Deny Access.<br />
Same identity with Location: Off-site, Access Type: Wired -> the rule can select a different privilege from the same list.<br />
Policy Elements Sample<br />
Rossi Barks: Type: Reg. Employee; Title: Sr. HR Advisor; Group: HR Admin Group; Dept ID: 240087; Office: 408-878-9097; Mail: rbarks@stsam.org<br />
Policy Conditions: Access Type; Location; Date and Time; <strong>Network</strong> Device Type; NAD IP Address; EAP Auth Method; Authentication Status; AD Group; LDAP Attributes; RADIUS Attribute; ...<br />
Access Rule Enforcement<br />
The <strong>Network</strong> Access Authorization Policy provides a powerful "IF-THEN-ELSE" policy condition to apply detailed corporate policy.<br />
The authorization profile provides the ingress policy enforcement methods; a security group can be assigned to the endpoint at the same time.<br />
Authorization Methods: Downloadable ACL (Ingress); SGACL (Egress)<br />
SGA with Location: Privacy Requirements – Require Proper Location<br />
An HR user not in the proper locale authenticates through a Catalyst 3K/4K/6K access switch; ISE 1.0 returns AUTH=OK with SGT=8 (HR Off Site) instead of SGT=10. Egress enforcement with a Security Group ACL on the Cat 6500 w/ SUP 2T in front of the HR Server (111) and ACME Server (222):<br />
SRC \ DST | HR Server (111) | ACME Server (222) | Unknown (0)<br />
HR Off Site (8) | Deny all | Permit all | Permit all<br />
HR User (10) | Permit all | Permit all | Permit all<br />
Guest (30) | Deny all | Deny all | Permit all<br />
1. User connects to the network<br />
2. The Pre-Auth ACL only allows selective services before authentication<br />
3. Authentication is performed and the results are logged by ACS; the dACL is downloaded along with the SGT<br />
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
5. Only permitted traffic paths (source SGT to destination SGT) are allowed; the off-site HR user's traffic to the HR Server is dropped (X in the diagram)<br />
DEMO Time: Low Impact Mode with SGA<br />
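The matrix and the five steps above can be run as a small evaluator. This is an added example, not Cisco or ISE code: the SGT numbers and the permit/deny cells come from the Low Impact Mode and location slides, while the IP-to-SGT bindings, the identity names and the default action for cells the matrix does not list are assumptions.

```python
"""Added example (not Cisco code): evaluate the egress SGACL matrix from the
slides for a user whose SGT depends on identity and location."""
from typing import Dict, Tuple

UNKNOWN, HR_OFF_SITE, HR_USER, GUEST, HR_SERVER, ACME_SERVER = 0, 8, 10, 30, 111, 222

# (source SGT, destination SGT) -> action, cell by cell from the matrix above
SGACL: Dict[Tuple[int, int], str] = {
    (HR_OFF_SITE, HR_SERVER): "deny",
    (HR_OFF_SITE, ACME_SERVER): "permit",
    (HR_OFF_SITE, UNKNOWN): "permit",
    (HR_USER, HR_SERVER): "permit",
    (HR_USER, ACME_SERVER): "permit",
    (HR_USER, UNKNOWN): "permit",
    (GUEST, HR_SERVER): "deny",
    (GUEST, ACME_SERVER): "deny",
    (GUEST, UNKNOWN): "permit",
}

# Destination IP -> SGT as known to the egress switch; addresses are assumed.
DEST_BINDINGS: Dict[str, int] = {
    "10.100.20.11": HR_SERVER,
    "10.100.20.22": ACME_SERVER,
}


def authorize(identity: str, location: str) -> int:
    """ISE-style authorization (step 3): the same HR identity gets SGT 10 on
    campus and SGT 8 off-site; guests get 30; anything else stays Unknown."""
    if identity == "guest":
        return GUEST
    if identity == "hr":
        return HR_USER if location == "campus" else HR_OFF_SITE
    return UNKNOWN


def egress_action(src_sgt: int, dst_sgt: int, default: str = "permit") -> str:
    """Matrix lookup (step 4); pairs the matrix does not list fall back to
    `default`, which is an assumption rather than something the slides state."""
    return SGACL.get((src_sgt, dst_sgt), default)


def forward(identity: str, location: str, dst_ip: str) -> Tuple[int, int, str]:
    """Steps 3 to 5: tag the user, resolve the destination SGT, enforce at egress.
    Returns (source SGT, destination SGT, action)."""
    src = authorize(identity, location)
    dst = DEST_BINDINGS.get(dst_ip, UNKNOWN)    # no binding -> Unknown (0)
    return src, dst, egress_action(src, dst)


if __name__ == "__main__":
    for who, where, ip in (("hr", "campus", "10.100.20.11"),
                           ("hr", "off-site", "10.100.20.11"),
                           ("guest", "campus", "10.100.20.22"),
                           ("guest", "campus", "203.0.113.10")):
        print(who, where, ip, forward(who, where, ip))
```

The point the location slide makes falls out of the lookup: the same HR identity reaches the HR Server from campus and is dropped off-site because the source tag, not the dACL on the access port, changed.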
Phase 3: High Security Access Control<br />
Phase 3: ACME Acquires Widget, Inc.<br />
New Security Policy & <strong>Network</strong> Requirements:<br />
Regulatory requirements dictate logically separate networks until all operating countries approve the acquisition.<br />
New regulatory/privacy requirements on IT staff with a "multi-national" acquisition.<br />
Phase 3: ACME Acquires Widget, Inc.<br />
New Security Policy & <strong>Network</strong> Requirements:<br />
VLAN Segmentation<br />
• ACME employees on the ACME VLAN<br />
• Widget employees on the WIDGET VLAN<br />
• Shared-use machines on the MACHINE VLAN<br />
• Unauthenticated devices on the RESTRICTED VLAN only<br />
Branch Survivability<br />
• "Fail open" when the AAA server is unreachable<br />
ACME's goals can be met with High Security Mode.<br />
How this will happen<br />
Policy Change | Solution Change<br />
VLAN Segmentation | Dynamic identity-based VLAN assignment<br />
No unauthenticated traffic on the DATA VLAN | Open Mode -> Closed Mode<br />
Unauthenticated devices on the RESTRICTED VLAN only | Local authorization (AuthFail VLAN, Guest VLAN) – Unknown SGT<br />
Branch Survivability | Critical Auth VLAN – Unknown SGT<br />
High Security: <strong>Network</strong> Access Table<br />
Endpoints | Authentication Status<br />
All (including PXE) | Pre-Auth<br />
ACME | <strong>802.1X</strong> Success<br />
Corporate Asset | MAB Success<br />
Phones | <strong>802.1X</strong> or MAB Success<br />
Widget | <strong>802.1X</strong> Success<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail<br />
All | None (AAA server down)<br />
Authorization / Implementation before authentication: None<br />
Dynamic Authorization: VLAN Assignment<br />
Identity-based VLAN name, per row of the access table: Enterprise Access, Enterprise Access, Voice Access, Widget Access, Limited Access, Enterprise Access<br />
• Assigned VLAN is based on identity at the time of authentication<br />
• Identity can be an individual or a group<br />
• VLANs are assigned by name (not number), which allows for more flexible VLAN management<br />
• Assigned VLAN must match the switch configuration; a mismatch results in authentication failure<br />
Standards-based tunnel attributes:<br />
• Usage of VLANs with IEEE <strong>802.1X</strong> is specified in RFC 3580 (IEEE 802.1X RADIUS Usage Guidelines)<br />
• RFC 2868 defines the tunnel attributes that the AAA server uses to send the VLAN name to the switch:<br />
• [64] Tunnel-Type = "VLAN" (13)<br />
• [65] Tunnel-Medium-Type = "802" (6)<br />
• [81] Tunnel-Private-Group-ID = VLAN name<br />
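What the AAA server actually puts on the wire for these three attributes, as an added example that is not ISE, ACS or IOS code: it encodes and decodes the RFC 2868 attributes in Python and applies the switch-side rule that the name must exist locally. The attribute numbers and values are the ones listed above; the VLAN name WIDGET, the tag value 1 and the switch's VLAN table are assumptions.

```python
"""Added example (not ISE/ACS or IOS code): build and decode the RFC 2868
tunnel attributes an Access-Accept carries to assign a VLAN by name."""
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type "802"


def avp(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    if not 0 < attr_type < 256 or len(value) > 253:
        raise ValueError("attribute out of range")
    return bytes((attr_type, len(value) + 2)) + value


def vlan_assignment(vlan_name: str, tag: int = 1) -> bytes:
    """Build the three tunnel attributes for `vlan_name` sharing one tag
    (tag 1 is an assumed value; servers commonly use it for VLAN assignment)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0..31")
    tagb = bytes((tag,))
    # Tunnel-Type and Tunnel-Medium-Type carry the tag in the first byte and a
    # 3-byte big-endian integer; Tunnel-Private-Group-ID is tag + string.
    return (avp(TUNNEL_TYPE, tagb + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, tagb + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tagb + vlan_name.encode("ascii")))


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of attributes; a bad length is an error, not silently skipped."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_vlan(data: bytes) -> Optional[str]:
    """Return the VLAN name if Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and
    Tunnel-Private-Group-ID are all present with one consistent tag; else None."""
    attrs = {t: v for t, v in parse_avps(data)}
    try:
        tt, tm, tg = (attrs[TUNNEL_TYPE], attrs[TUNNEL_MEDIUM_TYPE],
                      attrs[TUNNEL_PRIVATE_GROUP_ID])
    except KeyError:
        return None
    if len(tt) != 4 or len(tm) != 4 or not tg:
        return None
    if (int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_802):
        return None
    tag = tt[0]
    if tm[0] != tag:
        return None
    # RFC 2868: a first byte above 0x1F is part of the string, i.e. no tag.
    if tg[0] <= 0x1F:
        if tg[0] != tag:
            return None
        tg = tg[1:]
    return tg.decode("ascii", errors="replace")


def resolve_vlan(name: Optional[str], switch_vlans: Dict[str, int]) -> Optional[int]:
    """Switch side: map the name to a locally configured VLAN ID. A name that
    is not configured yields None, the mismatch case the slide flags above."""
    if name is None:
        return None
    return switch_vlans.get(name)
```

decode_vlan deliberately refuses a set of attributes whose tags disagree or whose type or medium is not VLAN/802, rather than guessing; an authorization that cannot be mapped cleanly to one VLAN should fail, as the switch does.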
Identity <strong>Network</strong>ing Feature Overview<br />
Employee, Contractor and Guest endpoints authenticate to the Identity Services Engine; employees reach the Employee Servers while the "Guest" VLAN is tunneled to the Internet DMZ.<br />
• Dynamic VLAN assignment<br />
• Dynamic security policy assignment using ACLs<br />
• Identity <strong>Network</strong>ing-based user/port accounting<br />
Segmenting Users, Devices and <strong>Network</strong>s<br />
(Diagram: Dept-HR, Dept-ENGR, a Guest segment and encrypted VoIP on an ultra-secure segment share one campus infrastructure; overlapping address space in Dept-HR and Dept-ENGR can co-exist.)<br />
Problem: campus-wide VLANs are not always the optimal design when building networks that can support roaming or "Guest" VLANs. Is there another option?<br />
<strong>Cisco</strong> Solution: once the "Identity" has been established, map the VLAN to "Policy Domains" or internal Virtual <strong>Network</strong>s.<br />
Internal <strong>Network</strong>s use the same infrastructure but can't "see" each other; security, QoS and administrative policies are maintained.<br />
Segmenting Users, Devices and <strong>Network</strong>s (continued)<br />
(Same diagram as the previous slide: Dept-HR, Dept-ENGR, Guest and encrypted VoIP segments sharing one campus.)<br />
Use the <strong>Network</strong> to provide isolation and simplified policy enforcement:<br />
• GRE tunnels and policy routing<br />
• VRF-Lite end-to-end (virtual route forwarding)<br />
• VRF-Lite at the distribution with MPLS L3 VPNs at the core<br />
• MPLS L3 VPNs end-to-end<br />
<strong>Network</strong> Virtualization with SGA<br />
Definition: 1 to Many. One network supports many virtual networks.<br />
(Diagram: one physical <strong>Network</strong> carrying separate virtual networks for Widget, Inc. and ACME; business continuity for data centers.)<br />
ACME high-level technical requirements:<br />
• Separate the Widget and ACME networks until regulatory agencies approve the acquisition in multiple countries<br />
• Dynamic VLAN assignment allows Widget/ACME employees to be placed in the correct network<br />
SGA Integration with <strong>Network</strong> Virtualization<br />
Fine-tuning of network policy yields greater scalability:<br />
• The Virtual <strong>Network</strong> is used for coarse-grained virtualization of the ACME vs. Widget networks<br />
• SGA enhances policy control by providing fine-grained virtualization of users/groups within the existing virtual domains<br />
• Servers are separated by color; traffic will gravitate towards the correct server across the integrated core<br />
One SGA namespace per network:<br />
• SGTs must be unique per virtual network<br />
• "ACME employee" = SGT 10 while "Widget employee" = SGT 20<br />
(Diagram: Widget and ACME virtual networks over the shared core.)<br />
<strong>802.1X</strong> User Distribution<br />
Enhances dynamic VLAN assignment. Addresses two use cases:<br />
• Allow mapping the RADIUS-provided VLAN name to different VLANs on different switches (no need to re-configure the RADIUS-provided VLAN name).<br />
• Allow distribution of the RADIUS-provided VLAN to multiple different VLANs locally available on the same logical switch (load balancing, which reduces the broadcast domain).<br />
(Diagram, different VLANs on different switches: RADIUS returns ACME-DATA; SW1 maps it to VLAN 20 ACME-DATA-SW1 and SW2 maps it to VLAN 30 ACME-DATA-SW2. On a switch with a large number of ports the same name is spread across VLAN 40 ACME-GROUP-1, VLAN 41 ACME-GROUP-2 and VLAN 42 ACME-GROUP-3.)<br />
User Distribution "Mapping" Can Simplify Migration to Dynamic VLANs<br />
Traditional VLAN assignment is by VLAN name:<br />
AAA Server: User Alice → VLAN ACME<br />
SW1 VLAN table: VLAN Name ACME → Number 30 (<strong>802.1X</strong> places the port in VLAN 30)<br />
User distribution assigns by VLAN group (or name):<br />
SW2 VLAN table: VLAN Name ACME-2 → Number 40<br />
SW2 VLAN group table: VLAN Group ACME → Number 40<br />
• Allows flexible adoption in existing environments<br />
• No need to reconfigure existing VLANs<br />
• Simplifies policy in the AAA server<br />
User Distribution: "Distribution"<br />
(Diagram: the AAA server returns the RADIUS attribute "corporate" for each user; on a high-port-density switch the distribution algorithm maps corporate to VLAN 20 corp-1, VLAN 21 corp-2 and VLAN 22 corp-3, so users are evenly distributed across VLANs 20, 21 and 22.)<br />
Allows highly scalable <strong>802.1X</strong>-based VLAN assignment in a large-scale campus LAN deployment.<br />
Configuring VLAN groups<br />
Switch(config)# vlan group GROUP-NAME vlan-list VLAN-LIST<br />
GROUP-NAME: name for the VLAN group, starting with a letter<br />
VLAN-LIST: comma-separated VLANs, a range of VLANs, or a single VLAN<br />
Switch(config)#vlan group corporate vlan-list 4<br />
Switch(config)#vlan group corporate vlan-list 40-50<br />
Switch(config)#vlan group corporate vlan-list 12,52,75<br />
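The following added example (not Cisco code, and not part of the original deck) models the switch side of the VLAN assignment described on the "Dynamic Authorization: VLAN Assignment" slide together with the user-distribution "mapping" and "distribution" behaviour above: it encodes and decodes the RFC 2868 tunnel attribute triple, resolves the VLAN name first against `vlan group` definitions and then against local VLAN names, rejects a name the switch does not have, and spreads group members across sessions. The `AccessSwitch` class, the least-loaded distribution rule, group-before-name precedence and the SW1/SW2 definitions in `main` are assumptions chosen to mirror the slides.

```python
import struct

# RFC 2868 attribute numbers and the values the slides list for VLAN assignment
TUNNEL_TYPE = 64              # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # [81] Tunnel-Private-Group-ID, carries the VLAN name
TUNNEL_TYPE_VLAN = 13         # "VLAN"
TUNNEL_MEDIUM_802 = 6         # "802"


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer AVP: type, length (6), one tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP: type, length, one tag byte, then the string bytes."""
    data = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_vlan_attributes(vlan_name, tag=1):
    """The attribute triple an AAA server places in an Access-Accept to assign a VLAN by name."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_avps(blob):
    """Split a RADIUS attribute area into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length")
        avps.append((attr_type, blob[i + 2:i + length]))
        i += length
    return avps


def tunnel_vlan_name(avps):
    """Return the VLAN name only when a complete VLAN/802 tunnel triple shares one tag."""
    by_tag = {}
    for attr_type, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 3.6: a leading byte of 0x00-0x1F is a tag, anything larger is string data
            tag, name = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[TUNNEL_PRIVATE_GROUP_ID] = name.decode("ascii")
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


class AuthorizationFailure(Exception):
    """The AAA server named a VLAN this switch does not have: the session is rejected."""


class AccessSwitch:
    """Hypothetical switch model: local VLAN names plus 'vlan group' definitions."""

    def __init__(self, vlan_names, vlan_groups):
        self.vlan_names = dict(vlan_names)    # VLAN name -> VLAN number
        self.vlan_groups = dict(vlan_groups)  # group name -> member VLAN numbers
        self.sessions = {}                    # VLAN number -> active session count

    def authorize(self, access_accept_attrs):
        """VLAN number for this session, or None to leave the port in its configured VLAN."""
        name = tunnel_vlan_name(parse_avps(access_accept_attrs))
        if name is None:
            return None
        if name in self.vlan_groups:
            # User distribution (assumed rule): least-loaded member VLAN, lowest number on a tie
            vlan = min(self.vlan_groups[name], key=lambda v: (self.sessions.get(v, 0), v))
        elif name in self.vlan_names:
            vlan = self.vlan_names[name]
        else:
            raise AuthorizationFailure(f"VLAN name {name!r} is not configured on this switch")
        self.sessions[vlan] = self.sessions.get(vlan, 0) + 1
        return vlan


if __name__ == "__main__":
    # Constructed SW1/SW2 from the user-distribution slide: one RADIUS name, two local VLANs
    sw1 = AccessSwitch({"ACME-DATA-SW1": 20}, {"ACME-DATA": [20], "corporate": [40, 41, 42]})
    sw2 = AccessSwitch({"ACME-DATA-SW2": 30}, {"ACME-DATA": [30]})
    accept = build_vlan_attributes("ACME-DATA")
    print("SW1 ->", sw1.authorize(accept), "SW2 ->", sw2.authorize(accept))
    print("corporate ->", [sw1.authorize(build_vlan_attributes("corporate")) for _ in range(4)])
```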
High Security: <strong>Network</strong> Access Table<br />
Endpoints | Authentication | Status | Authorization | Implementation<br />
All (including PXE) | | Pre-Auth | None | Closed Mode<br />
ACME | <strong>802.1X</strong> | Success | Enterprise Access | Default DATA VLAN<br />
Corporate Asset | MAB | Success | Enterprise Access | Default DATA VLAN<br />
Phones | <strong>802.1X</strong> or MAB | Success | Voice Access | Voice VLAN<br />
Widget | <strong>802.1X</strong> | Success | Widget Access | Widget VLAN<br />
Machines | <strong>802.1X</strong> | Success | Machine Access | <br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | | Limited Access | <br />
All | None (AAA server down) | | Enterprise Access | <br />
DEMO Time: Closed Mode with VLAN assignment<br />
ISE Configuration: Modify Contractor Profile to assign VLAN<br />
ISE Configuration: Modify Default Profile to assign VLAN<br />
Switch Output: Contractor<br />
Switch#show auth sessions int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.50.201<br />
User-Name: 00-14-5E-95-D6-CC<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorized By: Authentication Server<br />
Vlan Policy: 50<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A05000016777A900AB0<br />
Acct Session ID: 0x0000167D<br />
Handle: 0xE0000678<br />
Runnable methods list:<br />
Method State<br />
dot1x Failed over<br />
mab Authc Success<br />
6506-2#<br />
Switch Output: Employee<br />
Switch#show auth sessions int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.20.201<br />
User-Name: 00-14-5E-95-D6-CC<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorized By: Authentication Server<br />
Vlan Policy: 20<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A05000016777A900AB0<br />
Acct Session ID: 0x0000167D<br />
Handle: 0xE0000678<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
mab Not Run<br />
6506-2#<br />
User and Machine/Device Authorization<br />
<strong>802.1X</strong> & Dynamic VLANs: Deployment Considerations<br />
VLAN proliferation:<br />
• Every access switch must support every assignable VLAN<br />
• In multi-layer deployments, all these VLANs must be trunked to the distribution layer.<br />
• Every new VLAN will require a new subnet on every access switch (routed access & multi-layer*)<br />
• SGA is one means to help reduce this by classifying by SGT rather than VLAN<br />
Address changes:<br />
• Devices that change VLANs as a result of authentication MUST be capable of getting a new address on the new VLAN.<br />
• Most supplicants CAN get a new address<br />
• Most clientless devices CANNOT<br />
• Even successful address changes can cause problems with end host functionality.<br />
• SGA is one means to help authorize devices that can't change VLANs<br />
*VSS removes this requirement<br />
<strong>802.1X</strong> and VLAN assignment: DHCP Renewal (Microsoft Windows example)<br />
• When using dynamic VLAN assignment with user & machine authentication, the host's VLAN can change when the user logs in; the IP address may need to change as well.<br />
• Supplicant behavior has been addressed by Microsoft:<br />
Windows XP: install Service Pack 1a + KB 826942<br />
Windows 2000: install Service Pack 4<br />
Needed for VLAN assignment with Wireless Zero Config<br />
• Updated supplicants trigger a DHCP IP address renewal:<br />
Successful authentication causes the client to ping the default gateway (three times) with a sub-second timeout<br />
Lack of an echo reply will trigger a DHCP IP renew<br />
A successful echo reply will leave the IP as is<br />
The pre-renewal ping prevents lost connections when the subnet stays the same, e.g. when the client is WLAN roaming<br />
Coping with VLAN Change: DHCP Renewal (Microsoft Windows example)<br />
(Sequence diagram between the Device, ISE and the identity store / Active Directory; the actual technique is supplicant dependent.)<br />
1. Device authentication completes; then the USER login request: the device sends its credentials and ISE forwards them to the ACS server.<br />
2. Auth successful (EAP-Success): ISE returns Accept with the user VLAN assignment.<br />
3. As soon as the EAP-Success frame is received, the device sends ICMP Echo (x3) to the default gateway from the "old IP".<br />
4. After the pings have gone unanswered: DHCP-Request (D=255.255.255.255).<br />
5. DHCP-NAK (wrong subnet).<br />
6. DHCP-Discover (D=255.255.255.255); at this point DHCP proceeds normally.<br />
VLAN Changes Can Disrupt Desktop Operation<br />
• In legacy (pre-Vista) Microsoft environments, changing the VLAN can break user and/or machine GPOs.<br />
• Windows 7 cannot re-negotiate the secure connection with AD if the IP address changes during GPO download.<br />
What's a GPO? And why should I care about breaking it?<br />
A Group Policy Object (GPO) is used to deliver and apply configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Windows admins use GPOs for system compliance and security enforcement, e.g.:<br />
• <strong>Network</strong> device mapping<br />
• Applying logon / logoff scripts to workstations<br />
• Batch mechanism to trigger applications<br />
• Security compliance enforcement such as password rules, etc.<br />
Breaking GPOs is an RPE (Resume Producing Event)<br />
"Ideal" Microsoft Boot Process (If Only It Were This Easy)<br />
Boot steps with no network dependency: Power On → Kernel Loading → Windows HAL Loading → Device Driver Loading<br />
Components that depend on network connectivity, in serialized order: Obtain <strong>Network</strong> Address (Static, DHCP) → Determine Site and DC (DNS, LDAP) → Establish Secure Channel to AD (LDAP, SMB) → Kerberos Authentication (Machine Account) → Machine Authentication → Computer GPOs Loading (Async) → GPO-based Startup Script Execution → Certificate Auto Enrollment → Time Synchronization → Dynamic DNS Update<br />
Logon: GINA → "Pre-Logon" User Authentication → User GPOs Loading (Async) → GPO-based Logon Script Execution (SMB)<br />
Real Boot Process With Fast Logon (Machine GPOs Will Break)<br />
Boot: Power On → Kernel Loading → Windows HAL Loading → Device Driver Loading<br />
Machine VLAN: <strong>802.1X</strong> Machine Auth runs alongside Obtain <strong>Network</strong> Address (Static, DHCP), Determine Site and DC (DNS, LDAP), Establish Secure Channel to AD (LDAP, SMB), Kerberos Authentication (Machine Account), Computer GPOs Loading (Async) and GPO-based Startup Script Execution; the steps marked X X X are in a race condition with <strong>802.1X</strong> auth and break.<br />
GINA, then Fast Logon Optimization: Kerberos Auth (User Account), <strong>802.1X</strong> User Auth, User VLAN, Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update, User GPOs Loading (Async), GPO-based Logon Script Execution (SMB)<br />
Start of <strong>802.1X</strong> auth may vary among supplicants. Components that are in a race condition with <strong>802.1X</strong> auth are marked X X X.<br />
Real Boot Process With Race Conditions (User GPOs Can Break)<br />
Boot: Power On → Kernel Loading → Windows HAL Loading → Device Driver Loading<br />
Machine VLAN: <strong>802.1X</strong> Machine Auth → Obtain <strong>Network</strong> Address (Static, DHCP) → Determine Site and DC (DNS, LDAP) → Establish Secure Channel to AD (LDAP, SMB) → Kerberos Authentication (Machine Account) → Computer GPOs Loading (Async) → GPO-based Startup Script Execution → Certificate Auto Enrollment → Time Synchronization → Dynamic DNS Update<br />
GINA → Kerberos Auth (User Account) → <strong>802.1X</strong> User Auth → User VLAN; User GPOs Loading (Async) and GPO-based Logon Script Execution (SMB) are the steps marked X X X: they race with <strong>802.1X</strong> user auth and the VLAN change and can break.<br />
Start of <strong>802.1X</strong> auth may vary among supplicants. Components that are in a race condition with <strong>802.1X</strong> auth are marked X X X.<br />
Dynamic VLAN Assignment Best Practices<br />
Vista SP2 or Windows 7:<br />
• No restrictions on VLAN assignment<br />
• Vista and Win7 can renegotiate the secure connection with AD when the IP address changes<br />
XP and earlier:<br />
• Use only machine authentication OR…<br />
• Use the same VLAN for user and machine authentication<br />
Reconsider ACLs/SGA if you don't need traffic isolation.<br />
High Security: <strong>Network</strong> Access Table<br />
Endpoints | Authentication | Status | Authorization | Implementation<br />
All (including PXE) | | Pre-Auth | None | Closed Mode<br />
ACME | <strong>802.1X</strong> | Success | Enterprise Access | Default DATA VLAN<br />
Corporate Asset | MAB | Success | Enterprise Access | Default DATA VLAN<br />
Phones | <strong>802.1X</strong> or MAB | Success | Voice Access | Voice VLAN<br />
Widget | <strong>802.1X</strong> | Success | Widget Access | Widget VLAN<br />
Machines | <strong>802.1X</strong> | Success | Machine Access | MACHINE VLAN<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | | Limited Access | <br />
All | None (AAA server down) | | Enterprise Access | <br />
DEMO Time: Machine VLAN<br />
ISE: using AD groups for Authorization Rules<br />
ISE – Accessing AD Groups<br />
ISE – New Authz Rules<br />
Switch State AFTER Machine Auth<br />
Switch#show auth sess int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.5.201<br />
User-Name: host/imac-mcs-11<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: 5<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000167B812E372C<br />
Acct Session ID: 0x00001681<br />
Handle: 0x8B00067C<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
mab Not run<br />
Switch State AFTER User Auth<br />
Switch#show auth sessions int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.50.201<br />
User-Name: Administrator<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-domain<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: 50<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000167D81321334<br />
Acct Session ID: 0x00001683<br />
Handle: 0x5200067E<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Success<br />
mab Not Run<br />
Additional Considerations for Microsoft Windows<br />
Microsoft Deployment Considerations<br />
Boot Process<br />
Fast Logon Optimization<br />
Domains / Active Directory<br />
Machine Group Policies<br />
User Group Policies<br />
Logon Scripts<br />
Best Practices<br />
Windows Boot & Logon Procedure<br />
Recall the default security of <strong>802.1X</strong>: no network connectivity until successful authentication.<br />
The Windows logon process and <strong>802.1X</strong> are not serialized at all for Windows 2000, XP, 2003, Vista, or Windows 7, so <strong>802.1X</strong> may break the Windows logon sequence at some points.<br />
Additional complications:<br />
• Two authentication contexts to consider: machine and user<br />
• Dynamic VLAN assignment may introduce additional network initialization, impacting the Windows logon sequence (Windows was never designed to handle this event)<br />
Clear understanding and proper design are required for successful <strong>802.1X</strong> deployments.<br />
Fast Logon Optimization<br />
Microsoft concept to speed up the serialized boot process.<br />
Assumptions:<br />
• Always have network connectivity<br />
• Always get an IP address<br />
• Run applications and services in parallel<br />
• No waiting for <strong>802.1X</strong> to complete<br />
Conclusion: broken story for DHCP, login scripts, GPOs, etc.<br />
Microsoft Machine Group Policy Object<br />
Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment.<br />
A Group Policy Object (GPO) is one of the most common methods of system compliance and security enforcement in a Windows environment.<br />
Common GPO use cases:<br />
• <strong>Network</strong> device mapping<br />
• Applying logon / logoff scripts to workstations<br />
• Batch mechanism to trigger applications<br />
• Security compliance enforcement such as password rules, etc.<br />
More About Group Policy<br />
Group Policy is processed in the following order: the local GPO first, then the GPOs linked to containers in this order: site, domain, and OU.<br />
Types of GPO processing:<br />
• Synchronous GPO processing: a series of processes where one process must finish running before the next one begins (e.g. Windows 2000 or 2003 application startup/logon)<br />
• Asynchronous GPO processing: a series of processes whose outcomes are independent of the other processes (e.g. Windows XP application startup/logon)<br />
• Periodic refresh processing: GPOs are processed periodically (every 90 minutes with a randomized offset of up to 30 minutes by default)<br />
GPO <strong>Network</strong> Dependency<br />
Successful GPO loading (without <strong>802.1X</strong> involvement) requires the following elements:<br />
1. Valid and routable IP address and connectivity to AD<br />
2. Windows startup serialization (predictable Windows startup events)<br />
3. Fallback mechanism (timeout mechanism, local logon, periodic policy refresh, etc.)<br />
Key protocol conversations during the Windows startup process:<br />
1. Addressing (DHCP)<br />
2. Site and Domain Determination (DNS, LDAP)<br />
3. Secure Channel Establishment to AD (SMB)<br />
4. Authentication (Kerberos)<br />
5. Time Synchronization (NTP)<br />
6. Policy Application (LDAP, SMB)<br />
Unstable network connectivity introduces instability in the policy loading process.<br />
Group Policy Objects<br />
GPO: Group Policy Object<br />
• Customize properties of the machine and the user regarding a specific group<br />
• GPUPDATE: DOS command to force GPO updates (typically used when doing a proof of concept)<br />
• GPO update can also be scheduled by changing a registry value<br />
User + Machine GPO update sequence: Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs → Present GINA → Windows Domain Auth → DHCP → Update GPOs → Apply User GPOs<br />
Logon / Logoff Scripts<br />
Two different logon scripts:<br />
• NT4<br />
• AD (related to GPO)<br />
Machine and user scripts are only executed during the logon/logoff phases. Example: network disk drive mapping.<br />
User + Machine login script sequence: Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer login script → Present GINA → Windows Domain Auth → DHCP → Update GPOs → Apply user login script<br />
Microsoft Authentication Best Practices<br />
Machine authentication using PEAP:<br />
• Uses the account information for the computer created at the time the machine is added to the domain<br />
• The computer must be a member of the domain<br />
• If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert<br />
Machine authentication using EAP-TLS:<br />
• Authenticates the computer using certs<br />
• <strong>The</strong> computer must have a valid cert<br />
• If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert<br />
• The easiest way to deploy is using MS-CA and Windows GPOs<br />
High Security: Unknown Devices<br />
Flex-Auth for Unknown Devices: Agentless Devices in High Security Mode<br />
Flex-Auth enables a single configuration for most use cases:<br />
• Configurable order and priority of authentication methods<br />
• Configurable behavior after <strong>802.1X</strong> timeout: 1) Next-Method, 2) Guest VLAN<br />
• Configurable behavior after <strong>802.1X</strong> failure<br />
• Configurable behavior before & after the AAA server dies<br />
Non-<strong>802.1X</strong> Client: Guest VLAN<br />
(Diagram of the <strong>802.1X</strong> process on the switchport:)<br />
1. Upon link up: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response<br />
2. 30 seconds later: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response<br />
3. 30 seconds later: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response<br />
4. 30 seconds later: EAP-Success (D = 01.80.c2.00.00.03); port deployed into VLAN 51<br />
• Any <strong>802.1X</strong>-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)<br />
• A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as <strong>802.1X</strong> hellos)<br />
• No further security or authentication is applied. It's as if the administrator deconfigured <strong>802.1X</strong> and hard-set the port into the specified VLAN<br />
Adding Guest VLAN Access<br />
interface GigabitE 3/13<br />
authentication port-control auto<br />
authentication event no-response action authorize vlan 51<br />
interface GigabitEthernet1/0/15<br />
description Dot1x Demo with Guest VLAN<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
authentication event no-response action authorize vlan 40<br />
dot1x timeout tx-period 10<br />
dot1x max-reauth-req 2<br />
Timer tuning is necessary because of the DHCP timeout on the client<br />
<strong>802.1X</strong> with Guest VLAN: Deployment Considerations<br />
• When a port moves to the Guest VLAN, any number of additional MACs are allowed on the port without authenticating<br />
• Guest VLAN is a switch-local authorization -> centralized policy on the AAA server is not enforced<br />
• Guest VLAN does not differentiate, e.g. guest users get the same access as a corporate printer<br />
• Guest VLAN can be the fallback after <strong>802.1X</strong> timeout and MAB fail<br />
• <strong>802.1X</strong> timeout dependency -> delayed network access:<br />
• Default timeout is 30 seconds with three retries (90 seconds total)<br />
• 90 seconds > DHCP timeout.<br />
• SGA interop: the SGT will be "Unknown"<br />
Guest VLAN, LWA & CWA - Mutually Exclusive<br />
Flow 1: <strong>802.1X</strong> -> MAB -> MAB fails -> Guest VLAN<br />
interface GigabitE 3/13<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
mab<br />
authentication event no-response action authorize vlan 40<br />
Flow 2: <strong>802.1X</strong> -> MAB -> MAB fails -> Local Web Auth<br />
interface GigabitE 3/13<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
mab<br />
authentication fallback WEB-AUTH<br />
Flow 3: <strong>802.1X</strong> timeout -> MAB -> MAB success -> Central Web Auth<br />
interface GigabitE 3/13<br />
authentication port-control auto<br />
dot1x pae authenticator<br />
mab<br />
Non-<strong>802.1X</strong> Devices: Summary<br />
Solution             | For Devices or Users? | Differentiated Access? | Authz Type  | Authorization Method            | Credentials Required<br />
Guest VLAN           | Both                  | No                     | Local       | Static Guest VLAN only          | None<br />
MAB                  | Devices only          | Yes                    | Centralized | Dynamic VLAN and/or Dynamic ACL | MAC address<br />
Local Web-Auth       | Users only            | Yes                    | Centralized | Dynamic ACL only                | Username / Password<br />
Centralized Web-Auth | Users only            | Yes                    | Centralized | Dynamic VLAN and/or Dynamic ACL | Username / Password<br />
Tuning <strong>802.1X</strong> Timeouts for MAB, Web-Auth and Guest VLAN<br />
max-reauth-req: sets the maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire while waiting for a response from the connected client<br />
tx-period: sets the number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame from the client before retransmitting the request<br />
Guest VLAN Deployment: time until the guest VLAN is applied = (max-reauth-req + 1) * tx-period<br />
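The formula is the whole story for one port, but on a real switch the timers are set (or left at their defaults) per interface, and the same interface stanza also declares which fallback VLANs the switch assigns on its own. What follows is an added example, not code from this session or from Cisco: a configuration audit that parses IOS interface stanzas, computes the no-response delay from tx-period and max-reauth-req using the defaults quoted on the slide, compares it against an assumed DHCP client timeout, and lists the switch-local authorizations (guest, auth-fail and server-dead VLANs) on each 802.1X port. The interface names and config text are constructed, modelled on the slides.

```python
"""Audit IOS interface configuration for 802.1X fallback timing and for
switch-local authorizations (guest, auth-fail and critical VLANs).

Added example, not from the session deck. The timer defaults (tx-period 30 s,
max-reauth-req 2) and the formula (max-reauth-req + 1) * tx-period are the
ones quoted on the slide; the interface names and the DHCP client timeout
passed to audit() are constructed/assumed values."""
import re

DEFAULT_TX_PERIOD = 30      # seconds, IOS default quoted on the slide
DEFAULT_MAX_REAUTH_REQ = 2  # retransmissions, IOS default quoted on the slide

# 'authentication event <event> action authorize vlan <n>': the switch
# authorizes the port locally, so the AAA server's policy is not enforced.
LOCAL_AUTHZ_RE = re.compile(
    r"authentication event (no-response|fail|server dead) action authorize vlan (\d+)$")


def parse_interfaces(config_text):
    """Split running-config text into {interface name: [config lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line and line != "!":
            interfaces[current].append(line)
    return interfaces


def seconds_to_no_response_action(lines):
    """Time from link-up until the no-response action (guest VLAN) fires:
    (max-reauth-req + 1) * tx-period, using the IOS defaults when unset."""
    tx_period, max_reauth = DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ
    for line in lines:
        m = re.match(r"dot1x timeout tx-period (\d+)$", line)
        if m:
            tx_period = int(m.group(1))
        m = re.match(r"dot1x max-reauth-req (\d+)$", line)
        if m:
            max_reauth = int(m.group(1))
    return (max_reauth + 1) * tx_period


def local_authorizations(lines):
    """Map each fallback event on the port to the VLAN the switch assigns locally."""
    found = {}
    for line in lines:
        m = LOCAL_AUTHZ_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def audit(config_text, dhcp_client_timeout):
    """Per 802.1X-enabled port: fallback delay, whether it outlasts the client's
    DHCP timeout, and which VLANs are assigned without AAA involvement."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if "authentication port-control auto" not in lines:
            continue  # 802.1X not enforced on this port
        delay = seconds_to_no_response_action(lines)
        report[name] = {
            "fallback_after_s": delay,
            "exceeds_dhcp_timeout": delay > dhcp_client_timeout,
            "local_vlans": local_authorizations(lines),
        }
    return report


# Constructed sample config modelled on the slides (not real switch output).
SAMPLE_CONFIG = """
interface GigabitEthernet3/13
 switchport mode access
 authentication port-control auto
 authentication event no-response action authorize vlan 51
 dot1x pae authenticator
!
interface GigabitEthernet1/0/15
 description Dot1x Demo with Guest VLAN
 switchport access vlan 2
 switchport mode access
 authentication event fail action authorize vlan 30
 authentication event no-response action authorize vlan 40
 authentication event server dead action authorize vlan 100
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
!
interface GigabitEthernet1/0/24
 description uplink, no 802.1X
 switchport mode trunk
"""

if __name__ == "__main__":
    # Assumed 60 s DHCP client timeout: the untuned port (90 s) outlasts it.
    for port, result in audit(SAMPLE_CONFIG, dhcp_client_timeout=60).items():
        print(port, result)
```

The port left at defaults reports 90 seconds and is flagged against the assumed 60-second DHCP timeout; the tuned port reports 30 seconds. The `local_vlans` map is the list to hand to whoever owns the central policy, since those VLAN assignments never pass through the AAA server.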
Guest VLAN on the Switch<br />
Switch#sh vlan<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4<br />
Gi1/0/5, Gi1/0/6, Gi1/0/7<br />
Gi1/0/8, Gi1/0/9, Gi1/0/10<br />
Gi1/0/11, Gi1/0/12, Gi1/0/16<br />
Gi1/0/18, Gi1/0/20, Gi1/0/22<br />
Gi1/0/23<br />
2 access active Gi1/0/13, Gi1/0/15, Gi1/0/17<br />
Gi1/0/19, Gi1/0/21<br />
5 machines active<br />
10 servers active Gi1/0/14, Gi1/0/24<br />
20 contractors active<br />
30 auth-fail active<br />
40 guest active<br />
50 employees active<br />
60 printers active<br />
100 critical active<br />
110 voice active Gi1/0/21<br />
500 outside active Gi1/0/1<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
<strong>802.1X</strong> Guest Support<br />
Switch#dot1x initialize interface gi1/0/15<br />
Switch#<br />
06:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface<br />
GigabitEthernet1/0/15, changed state to down<br />
06:26:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2,<br />
changed state to down<br />
After EAPoL Times Out<br />
06:31:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface<br />
GigabitEthernet1/0/15, changed state to up<br />
<strong>802.1X</strong> Guest Support<br />
Switch#sh vlan<br />
VLAN Name Status Ports<br />
---- -------------------------------- --------- -------------------------------<br />
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4<br />
Gi1/0/5, Gi1/0/6, Gi1/0/7<br />
Gi1/0/8, Gi1/0/9, Gi1/0/10<br />
Gi1/0/11, Gi1/0/12, Gi1/0/16<br />
Gi1/0/18, Gi1/0/20, Gi1/0/22<br />
Gi1/0/23<br />
2 access active Gi1/0/13, Gi1/0/17, Gi1/0/19<br />
Gi1/0/21<br />
5 machines active<br />
10 servers active Gi1/0/14, Gi1/0/24<br />
20 contractors active<br />
30 auth-fail active<br />
40 guest active Gi1/0/15<br />
50 employees active<br />
60 printers active<br />
100 critical active<br />
110 voice active Gi1/0/21<br />
500 outside active Gi1/0/1<br />
1002 fddi-default act/unsup<br />
1003 token-ring-default act/unsup<br />
Flex-Auth for Unknown Devices<br />
Devices that Fail <strong>802.1X</strong> in High Security Mode<br />
Flex-Auth enables a single configuration for most use cases:<br />
• Configurable order and priority of authentication methods<br />
• Configurable behavior after <strong>802.1X</strong> timeout: 1) Next-Method, 2) Guest VLAN<br />
• Configurable behavior after <strong>802.1X</strong> failure: 1) Next-Method, 2) AuthFail VLAN<br />
• Configurable behavior before & after AAA server dies<br />
Failed <strong>802.1X</strong><br />
Auth-Fail VLAN Is An Alternative to Next-Method After <strong>802.1X</strong> Failure<br />
User Unknown: access restricted to Auth-Fail VLAN (VLAN 10 in this example)<br />
Supplicant expected to "fail open"<br />
Now with RADIUS Accounting!<br />
6506-2(config-if)#authentication event fail action authorize vlan 10<br />
<strong>802.1X</strong> with Auth-Fail VLAN<br />
Deployment Considerations<br />
Supplicant cannot exit the Auth-Fail VLAN<br />
• Only alternatives: switch-initiated re-authentication or port bounce<br />
No Secondary Authentication Mechanism.<br />
Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization -><br />
centralized policy on AAA server is not enforced<br />
Switch and AAA server have conflicting views of network (mitigated by new<br />
RADIUS accounting)<br />
SGA Interop – SGT will be “Unknown”<br />
Access Granted<br />
Auth-fail VLAN<br />
Access Denied<br />
<strong>802.1X</strong> Adding 'auth-fail' Feature<br />
interface GigabitEthernet1/13<br />
description Dot1x Demo with Auth-Fail VLAN<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
authentication event fail action authorize vlan 30<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
authentication event no-response action authorize vlan 40<br />
dot1x timeout tx-period 10<br />
dot1x max-req 2<br />
mab<br />
spanning-tree portfast<br />
<strong>802.1X</strong> Checking 'auth-fail' Feature<br />
Switch#show authentication sessions interface g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.30.201<br />
User-Name: Administratorbdg<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: single-host<br />
Oper control dir: both<br />
Authorised By: Auth Fail Vlan<br />
Vlan Policy: 30<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000164C6137E804<br />
Acct Session ID: 0x0000164F<br />
Handle: 0xD200064D<br />
Runnable methods list:<br />
Method State<br />
dot1x Authc Failed<br />
mab Not run<br />
webauth Not run<br />
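The "Authorised By" field in this output is what separates a port whose policy came from the AAA server from one the switch authorized on its own (Auth Fail Vlan, Guest Vlan, Critical Auth), which matters because, as the previous slide notes, switch-local authorizations are not enforced by centralized policy. What follows is an added example, not code from this session, that parses "show authentication sessions interface" output and lists the locally authorized sessions. The sample outputs are constructed, modelled on the slide's output and trimmed to the relevant fields; the second and third sessions use made-up interfaces and MAC addresses.

```python
"""List sessions that a switch authorized locally (Auth-Fail VLAN, Guest VLAN,
Critical Auth) rather than from the AAA server, by parsing the output of
'show authentication sessions interface'. Those ports carry the VLAN the
switch chose, not the centrally defined policy.

Added example, not from the session deck. The sample outputs are constructed,
modelled on the slide output and trimmed to the fields used here."""

CENTRAL_AUTHZ = "Authentication Server"   # shown when the AAA server decided the policy


def parse_session(text):
    """Parse one 'show authentication sessions interface' block.

    Attribute lines look like 'Authorised By:  Auth Fail Vlan'; the
    'Runnable methods list' that follows has 'method  state' rows."""
    attrs, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("#") or "#show" in line:
            continue  # blank line or CLI prompt
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):
                continue  # column header
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    attrs["methods"] = methods
    return attrs


def local_authz_sessions(blocks):
    """Return the authorized sessions whose policy did not come from the AAA server."""
    flagged = []
    for block in blocks:
        s = parse_session(block)
        if s.get("Status") != "Authz Success" or s.get("Authorised By") == CENTRAL_AUTHZ:
            continue
        flagged.append({
            "interface": s.get("Interface"),
            "mac": s.get("MAC Address"),
            "authorised_by": s.get("Authorised By"),
            "vlan": s.get("Vlan Policy"),
            "failed_methods": [m for m, st in s["methods"].items() if "Failed" in st],
        })
    return flagged


# Constructed samples modelled on the slide output (trimmed to the fields used).
SAMPLE_SESSIONS = [
    # Auth-Fail VLAN: 802.1X failed, the switch put the port in VLAN 30 itself.
    """Switch#show authentication sessions interface g1/13
            Interface:  GigabitEthernet1/13
          MAC Address:  0014.5e95.d6cc
               Status:  Authz Success
        Authorised By:  Auth Fail Vlan
          Vlan Policy:  30
Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Not run
       webauth  Not run
""",
    # Critical Auth: AAA unreachable, port placed in the critical VLAN (made-up port/MAC).
    """Switch#show authentication sessions interface g1/14
            Interface:  GigabitEthernet1/14
          MAC Address:  0000.0c00.0002
               Status:  Authz Success
        Authorised By:  Critical Auth
          Vlan Policy:  100
Runnable methods list:
       Method   State
       mab      Authc Failed
""",
    # Normal case: policy came from the AAA server (made-up port/MAC).
    """Switch#show authentication sessions interface g1/15
            Interface:  GigabitEthernet1/15
          MAC Address:  0000.0c00.0003
               Status:  Authz Success
        Authorised By:  Authentication Server
          Vlan Policy:  N/A
Runnable methods list:
       Method   State
       mab      Authc Success
""",
]

if __name__ == "__main__":
    for entry in local_authz_sessions(SAMPLE_SESSIONS):
        print(entry)
```

Run against the output of "show authentication sessions" for every access port, this yields exactly the set of sessions the AAA server does not know the real VLAN of, which is the gap the "conflicting views of network" bullet refers to and the one RADIUS accounting is meant to close.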
High Security: <strong>Network</strong> Access Table<br />
Endpoints              | Authentication / Status                         | Authorization     | Implementation<br />
All (including PXE)    | Pre-Auth                                        | None              | Closed Mode<br />
ACME                   | <strong>802.1X</strong> Success                 | Enterprise Access | Default DATA VLAN<br />
Corporate Asset        | MAB Success                                     | Enterprise Access | Default DATA VLAN<br />
Phones                 | <strong>802.1X</strong> or MAB Success          | Voice Access      | Voice VLAN<br />
Widget                 | <strong>802.1X</strong> Success                 | Engineer Access   | ENG VLAN<br />
Machines               | <strong>802.1X</strong> Success                 | Machine Access    | Widget VLAN<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | Limited Access    | Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN<br />
All                    | None (AAA server down)                          | Enterprise Access | <br />
Flex-Auth for Unknown Devices<br />
Devices are Unknown because AAA is Down<br />
Flex-Auth enables a single configuration for most use cases:<br />
• Configurable order and priority of authentication methods<br />
• Configurable behavior after <strong>802.1X</strong> timeout: 1) Next-Method, 2) Guest VLAN<br />
• Configurable behavior after <strong>802.1X</strong> failure: 1) Next-Method, 2) AuthFail VLAN<br />
• Configurable behavior before & after AAA server dies: Critical VLAN<br />
Inaccessible Authentication Bypass<br />
Diagram: EAPOL-Start from the endpoint, EAP-Success from the switch; the AAA server sits across a WAN / Internet VPN tunnel<br />
• Switch detects AAA unavailable by one of two methods<br />
1. Periodic probe<br />
2. Failure to respond to AAA request<br />
• Enables port in critical VLAN if defined, otherwise in the switchport VLAN<br />
• Existing sessions retain authorization status<br />
• Applies to data devices only<br />
• Recovery action can re-initialize port when AAA returns<br />
RADIUS Server(s) Inaccessible<br />
radius-server host 10.1.10.50 test username KeepAliveUser key cisco<br />
radius-server dead-criteria time 15 tries 3<br />
radius-server deadtime 1<br />
interface GigabitEthernet1/13<br />
description Dot1x Demo with Auth-Fail VLAN<br />
switchport access vlan 2<br />
switchport mode access<br />
switchport voice vlan 200<br />
authentication event fail action next-method<br />
authentication event server dead action authorize vlan 100<br />
authentication event server alive action reinitialize<br />
authentication order dot1x mab<br />
dot1x pae authenticator<br />
authentication port-control auto<br />
dot1x timeout tx-period 10<br />
dot1x max-req 2<br />
mab<br />
spanning-tree portfast<br />
Critical VLAN can be anything:<br />
• Static VLAN<br />
• Same as guest/auth-fail VLAN<br />
• New VLAN<br />
• SGT will be “unknown”<br />
High Security: <strong>Network</strong> Access Table<br />
Endpoints              | Authentication / Status                         | Authorization     | Implementation<br />
All (including PXE)    | Pre-Auth                                        | None              | Closed Mode<br />
ACME                   | <strong>802.1X</strong> Success                 | Enterprise Access | Default DATA VLAN<br />
Corporate Asset        | MAB Success                                     | Enterprise Access | Default DATA VLAN<br />
Phones                 | <strong>802.1X</strong> or MAB Success          | Voice Access      | Voice VLAN<br />
Widget                 | <strong>802.1X</strong> Success                 | Widget Access     | Widget VLAN<br />
Machines               | <strong>802.1X</strong> Success                 | Machine Access    | MACHINE VLAN<br />
Unknown / Unauthorized | <strong>802.1X</strong> Fail/Timeout -> MAB Fail | Limited Access    | Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN<br />
All                    | None (AAA server down)                          | Enterprise Access | Critical VLAN<br />
DEMO Time<br />
<strong>802.1X</strong> Critical<br />
<strong>802.1X</strong>: AAA Service Dies<br />
*Dec 4 14:01:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.100.10.150:1812,1813 is not responding.<br />
*Dec 4 14:01:07: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:01:07: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present<br />
*Dec 4 14:01:07: %MAB-5-FAIL: Authentication failed for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:01:07: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:01:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:01:07: %AUTHMGR-SP-5-VLANASSIGN: VLAN 100 assigned to Interface Gi1/13<br />
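Read in order, these messages tell the whole story of a critical-VLAN event: the RADIUS_DEAD line, a 'server dead' result for the client, the VLAN assignment, and later (next slide) RADIUS_ALIVE and a normal 'success' result. What follows is an added example, not code from this session, that correlates such syslog lines so a monitoring job can list the ports authorized while AAA was dead and confirm they re-authenticated once the server returned. The log lines are constructed, modelled on the slide's messages with the timestamps put in sequence; the client MAC, interface and server address are the ones shown on the slides.

```python
"""Correlate IOS syslog to spot ports authorized into the critical VLAN while
RADIUS was dead, and confirm they re-authenticated once the server returned.

Added example, not from the session deck. The log lines are constructed,
modelled on the slide's messages (same mnemonics, client MAC, interface and
server address), with timestamps put in order."""
import re

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d): %(?P<mnemonic>[A-Z0-9_-]+): (?P<msg>.*)$")
IFACE_RE = re.compile(r"on Interface (\S+)")
CLIENT_RE = re.compile(r"client \(([0-9a-f.]+)\)")
VLAN_ASSIGN_RE = re.compile(r"VLAN (\d+) assigned to Interface (\S+)")


def parse_line(line):
    """Return {'ts', 'mnemonic', 'msg'} for a syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(lines):
    """Walk the log in order, tracking which RADIUS servers are dead and which
    ports got a 'server dead' result, so a VLAN assignment on such a port is
    reported as a critical-VLAN authorization."""
    dead_servers = set()
    server_dead_ports = {}       # interface -> client MAC with a 'server dead' result
    critical, recovered = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mnemonic, msg = rec["mnemonic"], rec["msg"]
        if mnemonic == "RADIUS-4-RADIUS_DEAD":
            dead_servers.add(msg.split()[2])      # 'RADIUS server <addr> is not responding.'
        elif mnemonic == "RADIUS-4-RADIUS_ALIVE":
            dead_servers.discard(msg.split()[2])  # 'RADIUS server <addr> has returned.'
        elif mnemonic == "AUTHMGR-7-RESULT":
            iface, mac = IFACE_RE.search(msg), CLIENT_RE.search(msg)
            if not (iface and mac):
                continue
            if "'server dead'" in msg:
                server_dead_ports[iface.group(1)] = mac.group(1)
            elif "'success'" in msg and iface.group(1) in server_dead_ports:
                # AAA is back and the port re-authenticated normally.
                del server_dead_ports[iface.group(1)]
                recovered.append(iface.group(1))
        elif mnemonic.endswith("VLANASSIGN"):     # e.g. AUTHMGR-SP-5-VLANASSIGN
            m = VLAN_ASSIGN_RE.match(msg)
            if m and m.group(2) in server_dead_ports:
                critical.append({
                    "time": rec["ts"],
                    "interface": m.group(2),
                    "mac": server_dead_ports[m.group(2)],
                    "vlan": m.group(1),
                    "dead_servers": sorted(dead_servers),
                })
    return {"critical": critical, "recovered": recovered, "still_dead": sorted(dead_servers)}


# Constructed log modelled on the two slides, in time order.
SAMPLE_LOG = """
*Dec 4 14:01:02: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.10.50:1812,1813 is not responding.
*Dec 4 14:01:07: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:01:07: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present
*Dec 4 14:01:07: %MAB-5-FAIL: Authentication failed for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:01:07: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:01:07: %AUTHMGR-SP-5-VLANASSIGN: VLAN 100 assigned to Interface Gi1/13
*Dec 4 14:01:08: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:05:07: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.10.50:1812,1813 has returned.
*Dec 4 14:05:15: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:05:15: %MAB-5-SUCCESS: Authentication successful for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:05:15: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13
*Dec 4 14:05:16: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on Interface Gi1/13
""".strip().splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

The "critical" list is what a SOC wants during an AAA outage (which ports got the critical VLAN, and while which servers were dead); a port that stays in "critical" without a later entry in "recovered" after RADIUS_ALIVE is one where the "server alive action reinitialize" did not do its job and still carries a switch-local authorization.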
Switch#show authentication sessions interface g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.1.100.201<br />
User-Name: 00-14-5E-95-D6-CC<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: multi-host<br />
Oper control dir: both<br />
Authorised By: Critical Auth<br />
Vlan Policy: 100<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A643D050000165C61E7FB88<br />
Acct Session ID: 0x00001660<br />
Handle: 0x8800065D<br />
Runnable methods list:<br />
Method State<br />
mab Authc Failed<br />
<strong>802.1X</strong>: AAA Server Returns<br />
*Dec 4 14:05:07: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.10.50:1812,1813 has returned.<br />
*Dec 4 14:05:15: %AUTHMGR-5-START: Starting 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:05:15: %MAB-5-SUCCESS: Authentication successful for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:05:15: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0014.5e95.d6cc) on Interface Gi1/13<br />
*Dec 4 14:05:16: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.5e95.d6cc) on Interface Gi1/13<br />
Switch#show authentication sessions int g1/13<br />
Interface: GigabitEthernet1/13<br />
MAC Address: 0014.5e95.d6cc<br />
IP Address: 10.100.60.201<br />
User-Name: 00-14-5E-95-D6-CC<br />
Status: Authz Success<br />
Domain: DATA<br />
Oper host mode: single-host<br />
Oper control dir: both<br />
Authorised By: Authentication Server<br />
Vlan Policy: N/A<br />
Session timeout: N/A<br />
Idle timeout: N/A<br />
Common Session ID: 0A640A050000166061F5AF98<br />
Acct Session ID: 0x00001664<br />
Handle: 0x95000661<br />
Runnable methods list:<br />
Method State<br />
mab Authc Success<br />
Data Center<br />
Security Group Access Controls in the<br />
Data Center<br />
<strong>Network</strong>-based functions to provide controls based on the role of the resource<br />
• Security policy defined by groups (instead of topology or design etc.)<br />
• Resources are mapped into Security Groups<br />
• Group-based policy rules do not change when resources are moved<br />
• Potential for much reduced SecOps effort in the DC<br />
Segmentation<br />
• Logical separation of resources across common DC infrastructure<br />
• Segment servers into logical zones<br />
• Control access to these different logical DC entities based on role<br />
• Apply controls to physical or virtual systems (Virtual servers, VDI…)<br />
Traditional Access Control<br />
Diagram: user sources S1, S2, S3, S4 (labelled Managers, HR Rep, Sales, HR, Finance, Public Sites) to server destinations D1 through D6<br />
S1 to D1 Access Control:<br />
permit tcp S1 D1 eq https<br />
permit tcp S1 D1 eq 8081<br />
permit tcp S1 D1 eq 445<br />
deny ip S1 D1<br />
<strong>Network</strong> Admin manages every IP source to IP destination relationship explicitly (User->Server and Server->Server)<br />
# of ACEs = (# of sources) * (# of Destinations) * permissions<br />
ACE # grows as the # of permission statements increases<br />
Security Group-based Access Controls: User-System and System-System policy<br />
Diagram: User Groups (VDI user groups, x100) are mapped to source Security Groups Role A (SGT10), Role B (SGT20) and HR users (SGT30); System groups (Production systems, Development systems, Compliance critical server groups, Storage) are mapped to destination Security Groups Prod (SGT400), Dev (SGT500) and ERP (SOX compliant) (SGT600); an SGACL sits between source and destination groups<br />
• <strong>Network</strong> Admin manages every source “group” to destination “group” relationship – abstracting topology from the policy<br />
• <strong>The</strong> network automates the alignment of users/servers to groups within the DC<br />
ACME Data Center security challenges<br />
All DC access control lists and firewall rules are IP address-based<br />
Server moves/changes require changes to rule base<br />
Rule table growth has made management more difficult<br />
Risk of human error leads to change review/approval processes<br />
Operational effort of moves/changes<br />
Business increasingly global with more external business<br />
relationships to save costs<br />
Editorial system development has moved offshore – developers need controlled<br />
access to specific development systems<br />
ACME now dependent on external translation and localization services<br />
Intellectual property protection now a higher priority<br />
ACME Data Center projects<br />
Consolidation of services into regional DCs planned<br />
Improve resiliency and performance<br />
Centralize intellectual property protection<br />
ACME has had challenges managing developers accessing<br />
production servers during normal business hours.<br />
ACME needs to only allow developers access to development<br />
servers and production users to production servers.<br />
External developers and translation vendors to be given access to<br />
hosted Virtual Desktop Infrastructure<br />
Keep intellectual property within ACME data centers<br />
Virtual Desktops to have LAN access specific to the 3rd party role (developers, translators and support vendors)<br />
Server access to be granted specifically based on the 3rd party role<br />
ACME also seeks reduction in SecOps effort and faster response to<br />
change requests<br />
ACME Data Center Use Cases<br />
ACME Alignment with current SGA<br />
capabilities<br />
Campus LAN to Data Center Deployment<br />
Support ACME acquisition of Widget<br />
Support developer/production access control use case<br />
Data Center Consolidation<br />
Support High Bandwidth DC Interconnect<br />
Support Security Policy of encrypting Inter-Data Center connections<br />
Intra Data Center Deployment<br />
Support Segmented Server Access<br />
ACME/Widget Server Isolation<br />
Development/Production Server Isolation within DC<br />
Support VDI Initiative<br />
ACME Campus LAN Deployment<br />
Use Case 1<br />
TrustSec to cover campus network as well as Data Center network<br />
Support for Campus / Branch access<br />
Source SGT assigned via <strong>802.1X</strong>, MAB, or Web Authentication<br />
Server SGT assigned via IPM or statically<br />
IP-to-SGT binding table is exchanged between Campus access switch and Data Center TrustSec capable device<br />
SRC \ DST   | Server A (111) | Server B (222)<br />
User A (10) | Permit all     | SGACL-B<br />
User B (20) | Deny all       | SGACL-C<br />
Diagram: Campus Access (Cat3750/E, Cat4500, Cat6500; SGT assignment via <strong>802.1X</strong>, MAB, Web Auth) and Branch Access (ISR w/ EtherSwitch) connect to the Data Center (Cat6500, Cat4500, Nexus 7010 performing SGACL enforcement) hosting File Server (111), WEB Server (222), SQL Server and Directory Service<br />
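The matrix above and the earlier group-based policy slide make the same point: the enforcement device looks up the (source SGT, destination SGT) cell, and the IP-to-SGT binding table (filled by 802.1X/MAB/web auth, IPM or static configuration, and exchanged over SXP) is the only thing that changes when a user or server moves. What follows is an added example, not code from this session or from any Cisco product, that models both tables, evaluates flows against them, and walks through a server move that touches the binding alone; it also computes the ACE counts from the "Traditional Access Control" slide for comparison. The SGT values and matrix cells are the Use Case 1 slide's; the IP addresses, the bodies of SGACL-B and SGACL-C, and the deny default for an unmatched cell are constructed choices for this example.

```python
"""Role-based (SGT) policy lookup: an IP-to-SGT binding table, as exchanged
over SXP between the campus access switch and the data center enforcement
device, plus an egress matrix keyed on (source SGT, destination SGT).

Added example, not from the session deck or any Cisco product. The SGT
numbers and matrix cells are the Use Case 1 slide's; the IP addresses, the
contents of SGACL-B and SGACL-C, and the deny default for an unmatched cell
are constructed choices (the platform default is a configuration matter)."""
import ipaddress

# Security group tags from the Use Case 1 slide.
SGT = {"User A": 10, "User B": 20, "Server A": 111, "Server B": 222}

# Named SGACLs as ordered (action, protocol, destination port) entries.
# 'Permit all' / 'Deny all' are the slide's; SGACL-B and SGACL-C bodies are constructed.
SGACLS = {
    "Permit all": [("permit", "ip", None)],
    "Deny all":   [("deny", "ip", None)],
    "SGACL-B":    [("permit", "tcp", 443), ("deny", "ip", None)],
    "SGACL-C":    [("permit", "tcp", 445), ("deny", "ip", None)],
}

# Egress policy matrix (SRC \ DST) exactly as on the slide.
POLICY = {
    (SGT["User A"], SGT["Server A"]): "Permit all",
    (SGT["User A"], SGT["Server B"]): "SGACL-B",
    (SGT["User B"], SGT["Server A"]): "Deny all",
    (SGT["User B"], SGT["Server B"]): "SGACL-C",
}

DEFAULT_ACTION = "deny"  # constructed choice for flows with an unknown SGT or no matching cell


class SgtBindings:
    """IP-to-SGT binding table: filled by 802.1X/MAB/web auth, IPM or static
    configuration, and propagated by SXP."""

    def __init__(self):
        self._table = {}

    def bind(self, ip, sgt):
        self._table[ipaddress.ip_address(ip)] = sgt

    def unbind(self, ip):
        self._table.pop(ipaddress.ip_address(ip), None)

    def lookup(self, ip):
        return self._table.get(ipaddress.ip_address(ip))


def evaluate(bindings, src_ip, dst_ip, proto, dst_port):
    """Decide one flow at the egress enforcement point from tags, not addresses."""
    sgt, dgt = bindings.lookup(src_ip), bindings.lookup(dst_ip)
    if sgt is None or dgt is None:
        return DEFAULT_ACTION          # SGT 'Unknown': no cell applies
    acl_name = POLICY.get((sgt, dgt))
    if acl_name is None:
        return DEFAULT_ACTION
    for action, acl_proto, port in SGACLS[acl_name]:
        if acl_proto in ("ip", proto) and (port is None or port == dst_port):
            return action
    return DEFAULT_ACTION


def ace_counts(n_src_hosts, n_dst_hosts, n_src_groups, n_dst_groups, permissions):
    """The deck's IP-based count, (# sources) * (# destinations) * permissions,
    beside the same policy expressed between groups."""
    return (n_src_hosts * n_dst_hosts * permissions,
            n_src_groups * n_dst_groups * permissions)


def demo_server_move():
    """Server B changes address: only its binding changes, the matrix does not.
    Returns (decision before the move, after the move, for the stale address)."""
    b = SgtBindings()
    b.bind("10.1.1.10", SGT["User A"])      # constructed addresses
    b.bind("10.2.0.2", SGT["Server B"])
    before = evaluate(b, "10.1.1.10", "10.2.0.2", "tcp", 443)
    b.unbind("10.2.0.2")
    b.bind("10.3.0.2", SGT["Server B"])     # moved, same role
    after = evaluate(b, "10.1.1.10", "10.3.0.2", "tcp", 443)
    stale = evaluate(b, "10.1.1.10", "10.2.0.2", "tcp", 443)
    return before, after, stale


if __name__ == "__main__":
    print(demo_server_move())           # ('permit', 'permit', 'deny')
    print(ace_counts(100, 6, 3, 2, 4))  # (2400, 24)
```

The move never touches `POLICY`: the rule base the deck describes as growing with every server move stays the same size, and the old address simply loses its tag, falling to the constructed default. The SGT "Unknown" case from the Guest/Auth-Fail/Critical VLAN slides lands in the same branch, which is why those slides call it out.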
Data Center Use Case:<br />
Server Categorization and Segmentation<br />
Grouping of Servers based on policy and Traffic Filtering<br />
• Classified vs. Unclassified Servers<br />
• Production vs. Non-Production Servers<br />
• Private vs. Public Servers<br />
• Engineering vs. Business Operation Servers<br />
• Application specific servers (Web vs. Mail Clusters)<br />
• PCI segment vs. Others<br />
SGT/DGT       | ACME (222) | Widget (333)<br />
ACME HR (222) | -          | SGACL-B<br />
Widget (333)  | No FTP     | -<br />
Diagram: servers S1, S2, S3 in VLAN100 (SGT: ACME (222)) and S6, S7, S8 in VLAN200 (SGT: Widget (333)) behind a Nexus 7000 that applies the SGACL to the FTP session between them; SXP and ISE shown<br />
ACME Intra Data Center Deployment<br />
Use Case 3<br />
TrustSec to cover Intra Data Center for server traffic segmentation<br />
Manual server IP address to SGT binding on Nexus 7000, or IPM (Identity Port Mapping) to ACS for centralized SGT management<br />
Servers connected to the same access switch can be segmented using the Private VLAN feature to the distribution switch<br />
SRC \ DST      | Server A (111) | Server B (222) | Server C (333)<br />
Server A (111) | ---            | SGACL-A        | Permit all<br />
Server B (222) | Permit all     | ---            | SGACL-B<br />
Server C (333) | Deny all       | Deny all       | ---<br />
Diagram: Branch Access (ISR w/ EtherSwitch or standalone switch) and Campus Access (Cat3750/E) connect to the Data Center (Cat6500, Cat4500, Nexus 7010 performing SGACL enforcement; server SGT assignment via IPM or statically) hosting File Server (111), WEB Server (222), SQL Server and Directory Service; SXP shown<br />
Data Center Use Case: Security Policy for Intra-VLAN Traffic<br />
Enforcing dynamic policy to servers within same subnet<br />
SGT/DGT         | Production (20) | Develop (30)<br />
Production (20) | -               | Deny All<br />
Develop (30)    | Deny All        | -<br />
Diagram: S1, S2 (SGT: Production (20)) and S3, S4 (SGT: Development (30)) in VLAN100 behind a Nexus 7K applying the SGACL; ISE shown<br />
Intra Data Center Deployment Detail<br />
Diagram: Nexus 7000 (SVI for VLAN 10, SGACL enforcement options) connected over an 802.1q trunk to Cat4K/6K access switches using a Private VLAN (primary VLAN, secondary isolated VLAN, promiscuous port P); Dev-SVR carries SGT 222, Prod-SVR carries SGT 333<br />
SGT/DGT        | Dev-SVR (222) | Prod-SVR (333)<br />
Dev-SVR (222)  | Permit        | Deny<br />
Prod-SVR (333) | Deny          | Permit<br />
Dynamic policy enforcement between servers within the same isolated VLAN (Private VLAN)<br />
Dynamic policy enforcement between servers in different community VLANs<br />
Virtual Desktop Infrastructure (VDI)<br />
ACME VDI Use Case<br />
ACME plans to move a large amount of application access to a Virtual Desktop Infrastructure (VDI) environment (terminal services)<br />
ACME's goal is to implement security policy based on user (ID) groups and server/resource groups<br />
This is the same goal that ACME has in the campus access layer<br />
Would like the solution to work with any VDI connection broker<br />
Would like the solution to accommodate a highly dynamic server environment (virtualized or not)<br />
Background: Connection Brokers<br />
Diagram: thin client connection (e.g. RDP) over the corporate network to the Connection Broker, which checks the user credentials against Active Directory and hands off to groups of hosted Virtual Machines<br />
Receives connection requests from thin-clients, typically using the RDP, PCoIP or ICA protocols<br />
Authenticates the user, typically against AD<br />
Maps the user to a pool of Virtual Machines or a specific VM<br />
Hands off the user to the allocated VM (incl. passing login credentials)<br />
Applying <strong>802.1X</strong> to VDI<br />
Diagram: the thin client presents user credentials to the Connection Brokers, which consult Active Directory for VM pool assignment; each VM in the groups of VMs is <strong>802.1X</strong> machine authenticated with VM credentials at the VM access layer (Catalyst 6k, 4k or 3k), and its role is assigned based on the AD machine group<br />
Create AD machine groups to match the roles needed<br />
Connection Broker derives mapping for each user (group) from AD info<br />
Connection Broker allocates user to relevant VM pool<br />
Switch port uses <strong>802.1X</strong> Multi-Auth and Open Mode<br />
<strong>802.1X</strong> machine auth gives AD machine group and implied role of user<br />
Adding Security Group Access Controls<br />
Diagram: as before, with the VM access layer performing <strong>802.1X</strong> machine auth against ACS, the role assigned based on VM pool, and SXP carrying the IP-role mapping to a Nexus 7000 applying SG-ACLs for role-based access to server groups<br />
TrustSec SXP enabled on VM access switch propagates IP-role mapping<br />
User - System access rules defined in ACS TrustSec Egress Policy Matrix<br />
VDI Notes<br />
Technologies involved:<br />
<strong>802.1X</strong> supplicant triggered on VDI VM workstation<br />
Access layer switch running open mode and multi-authentication (Catalyst only at the moment)<br />
ACS provides Active Directory lookup, user role assignment and SGACL policies<br />
Cat3k/4k/6k TrustSec role assignment and Nexus 7k policy enforcement<br />
Assume that <strong>802.1X</strong> supplicants generally do NOT support <strong>802.1X</strong> User Auth for logins via RDP, PCoIP or ICA<br />
Use of AD machine groups and VM pools specific to each required role allows machine authentication to imply the role of the user<br />
Background: Connection Brokers<br />
• User logs into the thin client (no user authentication performed for this example)<br />
• User initiates a connection to Connection Broker via RDP, PCoIP protocols<br />
• Broker queries Active Directory for VM pool assignment<br />
• Broker redirects user to an available VM in the VM pool<br />
• User is now able to remotely view and control the VM<br />
Diagram: Campus Access (Cat4500) to the Data Center with Pools of VMs, Connection Broker, File Server, WEB Server, SQL Server, Directory Service and ISE<br />
Applying 802.1x and SGA to VDI<br />
• User logs into the VM, which triggers 802.1x authentication<br />
• Authentication succeeds. Authorization assigns the SGT for the user.<br />
• Traffic hits the egress enforcement point<br />
• Only the permitted traffic path (source SGT to destination SGT) is allowed<br />
SRC \ DST      File Server (111)   Web Server (222)<br />
User A (10)    Permit all          Deny All<br />
User B (20)    Deny all            SGACL-C<br />
SGA and VDI<br />
DEMO Time<br />
[Demo figure: User A connects over RDP, 802.1x Auth=OK, SGT=10 propagated via SXP, access to the WEB Server; ISE]<br />
Data Center Interconnect<br />
Encrypted Inter-DC Link with 802.1AE<br />
Can SGA encrypt the link between multiple Data Centers for secure backup / DR purposes?<br />
802.1AE technology can be used to encrypt a point-to-point link under the following conditions:<br />
• 10Gbps or 1Gbps link between Nexus 7000s, if both Nexus 7Ks are connected with dark fibre or a passive repeater between DCs so that the L2 frame is not manipulated<br />
• Or use an EoMPLS Pseudowire to encapsulate the 802.1AE frame between the two Data Centers<br />
TrustSec for Secure Data Center Interconnect<br />
Dual Access with dark Fibre Connectivity<br />
[Figure: DC-1 and DC-2, each a vPC pair of Nexus 7010s, linked over dark fibre (e1/25)]<br />
TrustSec for Secure Data Center Interconnect<br />
Dual Access with MPLS Connectivity<br />
[Figure: DC-1 and DC-2 vPC pairs of Nexus 7010s connected through PE Devices across an MPLS core]<br />
Network Device Admission Control (NDAC) Details<br />
NDAC Authentication / SAP<br />
[Figure: Supplicant Device and Authenticator Device on a TrustSec Enabled Network, with ISE as the RADIUS policy server: Role Determination; Device Authentication over EAPOL (EAP-FAST) inside an EAP-FAST Tunnel; Policy Acquisition; EAP-FAST Tunnel Tear Down; SAP Key Establishment; On-Going Key Refresh]<br />
TrustSec Domain Establishment<br />
Device Authentication (1)<br />
[Figure: the Seed Device authenticates to ISE with EAP-FAST over RADIUS and receives Authorization (PAC, Env Data, Policy)]<br />
NDAC validates the peer identity before the peer becomes part of the circle of trust.<br />
The first device to communicate with ISE is called the TrustSec Seed Device.<br />
NDAC uses EAP-FAST/MSCHAPv2 for authentication.<br />
Credentials (including the PAC) are stored in the hardware key store.<br />
TrustSec Domain Establishment<br />
Device Authentication (2)<br />
[Figure: a Non-Seed Device (802.1X NDAC Supplicant) connects to the Seed Device (Authenticator), which talks to ISE; a further Non-Seed Device then connects as Supplicant to the previous device, now acting as Authenticator]<br />
As a device connects to its peer, the TrustSec domain expands its border of trust.<br />
If a device does not have the information to connect to ISE, it is called a non-Seed Device.<br />
When the next device connects, the role determination process occurs on a per-link basis, and both the Authenticator and the Supplicant role are determined.<br />
The first peer to gain ISE server connectivity wins the authenticator role. Once the authenticator role is determined, the device terminates its supplicant role by itself.<br />
In case of a tie, the lower MAC address wins.<br />
TrustSec Functional Flow<br />
Flow to establish Link connectivity in TrustSec domain<br />
1. NDAC Process Initiation: a TrustSec device connects to ACS; the Seed Device acquires policy from ACS. A Supplicant device then connects to an Authenticator device.<br />
2. Role Determination<br />
3. PAC Provisioning: EAP-FAST Phase 0 (only required if there is no PAC available)<br />
4. Peer Authentication: EAP-FAST Phase 1 & 2<br />
5. Env Data Download: Environment Data Download<br />
6. Peer Authorization: Peer Policy Download<br />
7. SAP Negotiation: SAP key / cipher suite negotiation<br />
8. TrustSec Link Establishment<br />
The automatic role determination requires that a device run both the supplicant and authenticator engines simultaneously when authentication first starts.<br />
At the start, the authenticator engine of one device will be engaging in an EAPOL conversation with the supplicant engine of its peer device, and vice versa.<br />
On each device, a role determination agent monitors the two simultaneous EAPOL conversations.<br />
In the EAP protocol, only the initial Request-ID is originated by the authenticator; all other EAP requests come from the AS. So when a device receives an EAP request other than the Request-ID, it deduces that its peer has been able to reach the authentication server and therefore the peer is capable of being an authenticator.<br />
Similarly, if the device itself has contacted the server and is ready to relay an EAP request to its peer, it is capable of being an authenticator. Using this indication, there is no need for an extra server reachability test. When a device decides to be the authenticator, it will terminate its supplicant engine, and vice versa.<br />
The tie breaker can be a simple comparison of the two devices' MAC addresses used as the source MAC address in sending the EAPOL packets. The one with the lower MAC address wins the authenticator role.<br />
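The role-determination rules above, as an added simulation that is not Cisco's code: each device runs both engines, classifies the EAP Requests its peer sends (Request-ID versus server-relayed), and settles the link with the lower-MAC tie breaker. Device names are from the slides; the MAC addresses and EAP frames are constructed sample values.

```python
"""Model of the NDAC role-determination logic described on the slides.

Added, illustrative code (not Cisco's implementation): each device runs a
supplicant engine and an authenticator engine at the same time, inspects the
EAP frames its peer sends, and settles the link roles with the slide's rules.
MAC addresses and EAP frames are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1  # Request-ID: the only EAP Request an authenticator originates itself
EAP_TYPE_FAST = 43     # EAP-FAST (RFC 4851), the method NDAC uses


def build_eap_request(identifier: int, eap_type: int, payload: bytes = b"") -> bytes:
    """Constructed EAP Request: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(payload)
    return bytes([EAP_CODE_REQUEST, identifier]) + length.to_bytes(2, "big") + bytes([eap_type]) + payload


def is_server_originated_request(frame: bytes) -> bool:
    """True for an EAP Request whose Type is anything but Identity.

    Per the slide, every EAP Request except the initial Request-ID is relayed
    from the authentication server, so receiving one proves the peer can reach
    the server and is therefore capable of being the authenticator.
    """
    if len(frame) < 5:
        return False                      # no Type octet present
    code, length = frame[0], int.from_bytes(frame[2:4], "big")
    if code != EAP_CODE_REQUEST or length > len(frame):
        return False                      # not a Request, or truncated
    return frame[4] != EAP_TYPE_IDENTITY


@dataclass
class Device:
    name: str
    mac: str                 # source MAC of its EAPOL frames (tie breaker)
    server_reachable: bool   # True once it can relay EAP Requests from the AS
    received: List[bytes] = field(default_factory=list)

    def mac_int(self) -> int:
        return int(self.mac.replace(":", "").replace(".", "").replace("-", ""), 16)

    def peer_can_authenticate(self) -> bool:
        return any(is_server_originated_request(f) for f in self.received)


def exchange_eapol(a: Device, b: Device) -> None:
    """Both authenticator engines talk to the peer's supplicant engine.

    Each side sends its own Request-ID; a side with server connectivity then
    relays the EAP-FAST Request the server answered with.
    """
    for me, peer in ((a, b), (b, a)):
        peer.received.append(build_eap_request(1, EAP_TYPE_IDENTITY))
        if me.server_reachable:
            peer.received.append(build_eap_request(2, EAP_TYPE_FAST, b"\x20"))  # constructed EAP-FAST start


def decide_role(me: Device, peer: Device) -> str:
    """Role-determination agent on one device, using only what it can observe."""
    i_can = me.server_reachable
    peer_can = me.peer_can_authenticate()
    if i_can and peer_can:
        # Tie: the lower source MAC wins the authenticator role.
        return "authenticator" if me.mac_int() < peer.mac_int() else "supplicant"
    if i_can:
        return "authenticator"            # terminate own supplicant engine
    if peer_can:
        return "supplicant"               # terminate own authenticator engine
    return "undecided"                    # neither side has reached the AS yet


def determine_roles(a: Device, b: Device) -> Tuple[Optional[str], Optional[str]]:
    """Run the link and return (authenticator_name, supplicant_name), or (None, None)."""
    exchange_eapol(a, b)
    role_a, role_b = decide_role(a, b), decide_role(b, a)
    if role_a == role_b == "undecided":
        return (None, None)
    if role_a == role_b:
        raise RuntimeError(f"inconsistent roles on link {a.name}<->{b.name}: {role_a}")
    return (a.name, b.name) if role_a == "authenticator" else (b.name, a.name)


if __name__ == "__main__":
    seed = Device("SGA6K-DC", "00:1b:54:aa:bb:02", server_reachable=True)
    non_seed = Device("SGA6K-CORE", "00:1b:54:aa:bb:01", server_reachable=False)
    print(determine_roles(seed, non_seed))   # ('SGA6K-DC', 'SGA6K-CORE')
```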
Seed Device Selection<br />
Seed Device Selection Rule:<br />
• Any TrustSec capable device can be a seed device when it is configured to be one<br />
• Any TrustSec capable device which has communicated with ISE (layer 3 connectivity) becomes a Seed Device<br />
• In order to become a seed device, a TrustSec device still needs to perform NDAC to get its PAC provisioned, be authenticated, and have its policy provisioned in authorization<br />
• Once the device receives environment data, it becomes a seed device<br />
Seed Device<br />
A Seed Device is a CTS capable device which is configured with knowledge of at least one ISE<br />
The seed device is typically the device directly connected to ISE<br />
A Seed Device often has a Public Server List<br />
Public Server List<br />
• Only needs to be configured on the seed device via CLI<br />
• PAC provisioning using the configured shared secret<br />
• Has lower priority than the Private Server List<br />
Sample Seed Device Configuration<br />
[Figure: SGA6K-DC (Seed Device, 10.3.10.1/24) has L3 connectivity to SGA-ISE1 (10.3.10.20/24)]<br />
RADIUS Shared Secret: cisco123<br />
Device ID / Password: SGA6K-DC / trustsec123<br />
SGA6K-DC# cts credential id SGA6K-DC password trustsec123<br />
SGA6K-DC(config)# radius-server host 10.3.10.20 auth-port 1812 acct-port 1813 pac key cisco123<br />
SGA6K-DC(config)# aaa group server radius SGA-RADIUS<br />
SGA6K-DC(config-radius)# server 10.3.10.20   ! Public Server List<br />
SGA6K-DC(config-radius)# exit<br />
SGA6K-DC(config)# cts authorization list sga-mlist<br />
SGA6K-DC(config)# aaa authentication dot1x default group SGA-RADIUS<br />
SGA6K-DC(config)# aaa authorization network sga-mlist group SGA-RADIUS<br />
SGA6K-DC(config)# aaa accounting dot1x default group SGA-RADIUS<br />
Non-Seed Device<br />
A Non Seed Device is a CTS capable device which has no knowledge of ISE<br />
A Non Seed Device dynamically learns the ISE servers' IP addresses (the so-called Private Server List)<br />
Private Server List<br />
• Dynamically learned during EAP-FAST authentication in the supplicant role and from the Env-data download from ISE<br />
• Assumes all servers belong to the same cluster, carry the same A-ID and share the same PAC<br />
• Has higher priority than the Public Server List<br />
Sample Non-Seed Device Configuration<br />
[Figure: SGA6K-CORE (Non Seed Device, 10.2.1.2) connects over 10.2.1.0 to SGA6K-DC (Seed Device, 10.2.1.1), which reaches SGA-ISE1 (10.3.10.20) on 10.3.10.0/24]<br />
Device ID / Password: SGA6K-CORE / trustsec123<br />
SGA6K-CORE# cts credential id SGA6K-CORE password trustsec123<br />
SGA6K-CORE(config)# aaa new-model<br />
SGA6K-CORE(config)# radius-server vsa send authentication<br />
SGA6K-CORE(config)# interface te2/1<br />
SGA6K-CORE(config-if)# cts dot1x<br />
SGA6K-CORE(config-if)# shut<br />
SGA6K-CORE(config-if)# no shut<br />
SGA6K-CORE(config-if)# end<br />
NDAC EAP-FAST<br />
PAC Provisioning<br />
[Figure: SGA6K-DC (Seed Device, 10.3.10.1/24) has L3 connectivity to SGA-ISE1 (10.3.10.20/24)]<br />
The same command needs to be configured on the other end of the interface, on SGA6K-DC.<br />
SGA6K-DC#show cts pac<br />
AID: 219FD818BE250A4F86D769CDCB4C5ADA<br />
PAC-Info:<br />
PAC-type = <strong>Cisco</strong> Trustsec<br />
AID: 219FD818BE250A4F86D769CDCB4C5ADA<br />
I-ID: SGA6K-DC<br />
A-ID-Info: TS ISE 1<br />
Credential Lifetime: 22:48:30 PDT Aug 30 2011<br />
PAC-Opaque:<br />
Refresh timer is set for 12w4d<br />
Environment Data<br />
TrustSec Environment Data is a collection of information or policies that assists a device to function as a TrustSec node.<br />
Environment Data is downloaded to<br />
Environment Data includes:<br />
• Server List<br />
• Device SGT<br />
• Expiry Timeout<br />
Environment Data<br />
[Figure: SGA6K-DC (Seed Device, 10.3.10.1/24) and SGA-ISE1 (10.3.10.20/24)]<br />
SGA6K-DC#show cts pac<br />
AID: 219FD818BE250A4F86D769CDCB4C5ADA<br />
PAC-Info:<br />
PAC-type = <strong>Cisco</strong> Trustsec<br />
AID: 219FD818BE250A4F86D769CDCB4C5ADA<br />
I-ID: SGA6K-DC<br />
A-ID-Info: TS ISE1<br />
Credential Lifetime: 22:48:30 PDT Aug 30 2011<br />
SGA6K-DC#show cts environment-data<br />
CTS Environment Data<br />
====================<br />
Current state = COMPLETE<br />
Last status = Successful<br />
Local Device SGT:<br />
SGT tag = 2-00<br />
Server List Info:<br />
Installed list: CTSServerList1-0001, 1 server(s):<br />
*Server: 10.3.10.20, port 1812, A-ID 219FD818BE250A4F86D769CDCB4C5ADA<br />
Status = ALIVE<br />
auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs<br />
Device SGT<br />
The Device SGT represents the security group to which the device (switch or any other TrustSec device) itself belongs, and is exchanged with the neighbor device as a token of a trusted device.<br />
The Device SGT is also used to tag traffic originating from the device.<br />
The Device SGT can be manually assigned via CLI on the device, or centrally provisioned by ISE.<br />
Sample: Device SGT Assignment<br />
SGA6K-DC#show cts environment-data<br />
CTS Environment Data<br />
====================<br />
Current state = COMPLETE<br />
Last status = Successful<br />
Local Device SGT:<br />
SGT tag = 2-00<br />
Server List Info:<br />
Installed list: CTSServerList1-0001, 1 server(s):<br />
- Omitted -<br />
Environment Data – Expiry Timer<br />
NDAC Completion<br />
[Figure: SGA6K-CORE (10.2.1.2) linked to SGA6K-DS (10.2.1.1)]<br />
SGA6K-DC#show cts environment-data<br />
CTS Environment Data<br />
====================<br />
Current state = COMPLETE<br />
Last status = Successful<br />
Local Device SGT:<br />
SGT tag = 2-00<br />
Server List Info:<br />
Installed list: CTSServerList1-0001, 1 server(s):<br />
*Server: 10.3.10.20, port 1812, A-ID 219FD818BE250A4F86D769CDCB4C5ADA<br />
Status = ALIVE<br />
auto-test = TRUE, idle-time = 60 mins, deadtime = 20 secs<br />
Multicast Group SGT Table:<br />
Security Group Name Table:<br />
0001-43 :<br />
7-99 : 80 -> IT_Admin<br />
6-99 : 80 -> HR_Server<br />
5-99 : 80 -> ACME_Server<br />
4-99 : 80 -> HR_User<br />
3-99 : 80 -> ACME_User<br />
2-99 : 80 -> Device<br />
unicast-unknown-99 : 80 -> Unknown<br />
Any : 80 -> ANY<br />
Transport type = CTS_TRANSPORT_IP_UDP<br />
Environment Data Lifetime = 86400 secs<br />
Last update time = 23:15:57 PDT Wed Jun 1 2011<br />
Env-data expires in 0:22:41:39 (dd:hr:mm:sec)<br />
Env-data refreshes in 0:22:41:39 (dd:hr:mm:sec)<br />
Cache data applied = NONE<br />
State Machine is running<br />
NDAC Consideration<br />
NDAC was developed as part of TrustSec and is Cisco proprietary, but in large part based on 802.1X.<br />
NDAC does not require hardware support but may optionally leverage a hardware credential store.<br />
SAP is Cisco proprietary and based on the key exchange mechanism defined in 802.11i. 802.1X-REV will succeed and replace SAP as early as CY10.<br />
Interoperability with other 802.1AE devices becomes more broadly available once 802.1X-REV is supported by Cisco. Manual keying is supported in the interim.<br />
Security Association Protocol (SAP)<br />
Technical Details<br />
Security Association Protocol<br />
The Security Association Protocol (SAP) negotiates keys and the cipher suite for encryption automatically.<br />
Negotiation starts after successful authentication / authorization for NDAC.<br />
Protocol communication only happens between Supplicant and Authenticator (no ISE involvement).<br />
At the end of SAP, both supplicant and authenticator have the same session key.<br />
The session key is used to encrypt traffic on the link.<br />
The session key is derived from the PMK (learned by both devices from ISE during authentication) and some random numbers shared during SAP.<br />
Rekeying is performed periodically.<br />
Technical Details<br />
SAP Negotiation<br />
SAP negotiates the cipher suite. The following modes are available:<br />
SAP Mode          Description<br />
GCM               Galois / Counter Mode (GCM) encryption and authentication mode (Default)<br />
GMAC              GCM authentication mode (no encryption)<br />
No Encapsulation  No encapsulation and no security group tag (SGT) insertion<br />
Null              Encapsulation without authentication or encryption<br />
SAP with Manual Keying<br />
SAP can be configured on the port<br />
No ISE involved<br />
[Figure: SGA6K-CORE, 10.2.1.2]<br />
SGA6K-CORE#show run int ten2/1<br />
interface TenGigabitEthernet2/1<br />
 ip address 10.2.1.2 255.255.255.0<br />
 cts manual<br />
  policy static sgt 2 trusted<br />
  sap pmk 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF<br />
end<br />
[Figure: SGA6K-DC, 10.2.1.1]<br />
• 32 bytes of PMK (Private Master Key) need to match on both sides<br />
• The same SAP modes are available for manual keying<br />
• Make sure the device SGT and the trusted keyword are configured<br />
SGA6K-DC#show run int ten2/1<br />
interface TenGigabitEthernet2/1<br />
 ip address 10.2.1.1 255.255.255.0<br />
 cts manual<br />
  policy static sgt 2 trusted<br />
  sap pmk 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF<br />
end<br />
Verification of Manual Keying<br />
SGA6K-CORE#show cts interface tenGigabitEthernet 2/1<br />
Global Dot1x feature is Enabled<br />
Interface TenGigabitEthernet2/1:<br />
CTS is enabled, mode: MANUAL<br />
IFC state: OPEN<br />
Authentication Status: NOT APPLICABLE<br />
Peer identity: "unknown"<br />
Peer's advertised capabilities: "sap"<br />
Authorization Status: SUCCEEDED<br />
Peer SGT: 2<br />
Peer SGT assignment: Trusted<br />
SAP Status: SUCCEEDED<br />
Version: 2<br />
Configured pairwise ciphers:<br />
gcm-encrypt<br />
null<br />
Replay protection: enabled<br />
Replay protection mode: STRICT<br />
Selected cipher: gcm-encrypt<br />
- Omitted -<br />
SGA6K-DC#show cts interface tenGigabitEthernet 2/1<br />
Global Dot1x feature is Enabled<br />
Interface TenGigabitEthernet2/1:<br />
CTS is enabled, mode: MANUAL<br />
IFC state: OPEN<br />
Authentication Status: NOT APPLICABLE<br />
Peer identity: "unknown"<br />
Peer's advertised capabilities: "sap"<br />
Authorization Status: SUCCEEDED<br />
Peer SGT: 2<br />
Peer SGT assignment: Trusted<br />
SAP Status: SUCCEEDED<br />
Version: 2<br />
Configured pairwise ciphers:<br />
gcm-encrypt<br />
null<br />
Replay protection: enabled<br />
Replay protection mode: STRICT<br />
Selected cipher: gcm-encrypt<br />
- Omitted -<br />
Switch to Switch MACSec Demo<br />
DEMO Time<br />
Advanced Features<br />
CoA<br />
Change of Authorization (CoA)<br />
Use Cases:<br />
• How do we reauthorize the port when we discover it is an iPad?<br />
• How do we change the access policy when we determine the end-point is compliant with posture policy?<br />
• How do we reauthorize the port once we have your identity through central web authentication?<br />
Problem: A RADIUS server cannot start a conversation with the authenticator. The authenticator (RADIUS client) must start the conversation with the RADIUS server.<br />
Solution: CoA (RFC 3576 – Dynamic Authorization Extensions to RADIUS) allows the RADIUS server to start the conversation with the authenticator.<br />
RADIUS Change of Authorization (CoA)<br />
Dynamic session control from a Policy server<br />
1. End point fails authentication, gets assigned to the Auth-Fail VLAN<br />
2. End point remediates itself<br />
3. A RADIUS CoA is issued with Reauthenticate<br />
4. Client is authenticated via dot1x and assigned a Corp VLAN<br />
CoA actions for Complete Identity: Re-authenticate session, Terminate session, Terminate session with port bounce, Disable host port, Session Query<br />
CoA actions for Active Services: Service Specific, Service Activate, Service De-activate, Service Query<br />
RADIUS Change of Authorization (CoA)<br />
RFC 3576: Defines "Packet of Disconnect"<br />
• Terminates session<br />
<strong>Cisco</strong> has extended support for CoA<br />
• Terminate session<br />
• Re-authenticate<br />
• Port bounce<br />
• Port down<br />
Each type of Action has specific use case support<br />
CoA – Use Cases<br />
Failed Authentication with Failed Auth VLAN<br />
• CoA can reauthenticate or terminate the session, retriggering authentication after remediation<br />
Adding new MAC addresses to the network<br />
• After profiling or another change, an agentless device may need its IP changed<br />
• CoA with Port Bounce can be used to reset the IP stack on an agentless device<br />
Abnormal/Destructive behavior is observed on the network<br />
• CoA with Port Down is an emergency shut off of a port. It can only be re-enabled by CLI<br />
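The CoA exchange these use cases rely on, as an added example that is not Cisco or ISE code: a policy server builds a CoA-Request for one of the slide's actions, and the NAD checks the Request Authenticator (RFC 3576 / RFC 5176 section 2.3) before acting. The shared secret cisco123 is the one shown on the seed-device slide; the session id and MAC are constructed, and the Cisco-AVPair command strings are assumed spellings to be checked against the platform's documentation.

```python
"""RADIUS Change of Authorization (CoA) request and response handling.

Added example (not Cisco or ISE code). Builds a CoA-Request the way a policy
server sends it to a NAD and shows the authenticator check the NAD performs
before acting (RFC 3576 / RFC 5176). Session id and MAC are constructed; the
Cisco-AVPair command strings are assumed IOS spellings for the slide's actions.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple, Union

DISCONNECT_REQUEST, COA_REQUEST, COA_ACK, COA_NAK = 40, 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Slide actions -> Cisco-AVPair values (assumed spellings, see module docstring).
COA_COMMANDS = {
    "reauthenticate": "subscriber:command=reauthenticate",
    "port bounce": "subscriber:command=bounce-host-port",
    "port down": "subscriber:command=disable-host-port",
}


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type(1) Length(1) Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying a Cisco (vendor 9) AV-pair (vendor type 1)."""
    inner = attribute(CISCO_AVPAIR, text.encode())
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret: bytes, identifier: int, session_id: str, mac: str, action: str) -> bytes:
    """CoA-Request that identifies the session and asks for one slide action."""
    attrs = (attribute(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attribute(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair(COA_COMMANDS[action]))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check: ignore CoA/Disconnect requests whose authenticator does not verify."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[Union[int, str], Union[bytes, str]]]:
    """Walk the TLVs after the 20-byte header; Cisco VSAs become ('Cisco-AVPair', text)."""
    out: List[Tuple[Union[int, str], Union[bytes, str]]] = []
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        is_cisco = (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                    and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR)
        if is_cisco:
            out.append(("Cisco-AVPair", value[6:6 + value[5] - 2].decode()))  # vendor length counts its 2 header octets
        else:
            out.append((attr_type, value))
        pos += length
    return out


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """CoA-ACK / CoA-NAK: Response Authenticator hashes over the Request Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Policy-server side: tie an ACK/NAK back to the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```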
DEMO Time<br />
AuthFail VLAN + CoA<br />
Advanced Features<br />
Monitoring & Troubleshooting<br />
Dashboard Overview<br />
Monitoring and Troubleshooting<br />
Monitoring<br />
• User Reporting: where, when, how connected; how long, how often; last passed, last failed<br />
• Switch Log Reporting<br />
• System Reporting: pass/fail ratio<br />
• Device Reporting: profile history, status of profiled device<br />
[Figure: IOS Switches and ISE Servers feed the ISE Monitoring & Troubleshooting Dashboard via SNMP, Syslog, CLI, Netflow]<br />
Troubleshooting<br />
• Expert Troubleshooting Tool<br />
• Troubleshooting Workflow: Authentication Failure, Authorization Failure<br />
• Switch log failure analysis (Syslog)<br />
Alerts<br />
• Unknown NAS<br />
• New ISE, new NAD<br />
• External DB unavailable<br />
• Failed auths thresholds<br />
• Passed auths thresholds<br />
• AAA down<br />
ISE Uses Multiple Sources of Information For Monitoring/Troubleshooting<br />
Sources<br />
• RADIUS logs<br />
• Syslog from ISE(s)<br />
• Syslog from Switches<br />
• CLI<br />
• SNMP<br />
• API<br />
ISE Tools<br />
• Authentication Reports<br />
• Session Directory<br />
• Configuration Validator<br />
• Network Device & Session Details<br />
• Expert Troubleshooter<br />
• tcpdump<br />
Monitor>Authentications<br />
Monitor>Authentications<br />
Monitor>Authentications<br />
Authentication Details<br />
Authentication Steps<br />
Endpoint Profiler Report<br />
RADIUS proxy information in the AAA Diagnostics report<br />
Endpoint Profiler Summary<br />
TrustSec Troubleshooting Tool<br />
DEMO Time<br />
Expert Troubleshooter<br />
ACME SXP Design<br />
SGT Exchange Protocol Detail (1)<br />
• Uses TCP as the transport protocol<br />
• TCP port 64999 for connection initiation<br />
• Supports single-hop and multi-hop (SXP relay) SXP connections<br />
• Uses MD5 for authentication and integrity check<br />
• Two roles: Speaker (initiator) and Listener (receiver)<br />
SXP Flow<br />
Topology: CTS3K (SXP Speaker, 10.1.3.2) holds the binding 10.1.10.100 = SGT 6 and peers with CTS7K (SXP Listener, 10.1.3.1); ISE is the policy server.<br />
1. TCP SYN – IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x02 (SYN)<br />
2. TCP SYN-ACK – IP Src: 10.1.3.1 Dst: 10.1.3.2; TCP Src Port: 64999 Dst Port: 16277; Flags: 0x12 (SYN, ACK)<br />
3. TCP ACK – IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK)<br />
4. SXP OPEN (Speaker to Listener) – IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK); SXP Type: Open; Version: 1; Device ID: CTS3K<br />
5. SXP OPEN_RESP (Listener to Speaker) – IP Src: 10.1.3.1 Dst: 10.1.3.2; TCP Src Port: 64999 Dst Port: 16277; Flags: 0x18 (PSH, ACK); SXP Type: Open_Resp; Version: 1; Device ID: CTS7K<br />
6. SXP UPDATE (Speaker to Listener) – IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK); SXP Type: Update; Update Type: Install; IP Address: 10.1.10.100 SGT: 6<br />
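The OPEN / OPEN_RESP / UPDATE exchange above, together with the speaker/listener roles, MD5-authenticated peering and multi-hop relay from the protocol detail slide, as an added Python model. This is not Cisco code and not the SXP wire format: the message fields are simplified, the per-message MD5 over a shared password stands in for the TCP MD5 signature option, and the password values and the ACCESS/RELAY/DC device names are constructed; CTS3K, CTS7K and the binding 10.1.10.100 = SGT 6 come from the slide.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class SxpMessage:
    msg_type: str                 # "Open", "Open_Resp" or "Update"
    version: int = 1
    device_id: str = ""
    update_type: str = ""         # "Install" or "Delete" (Update messages only)
    bindings: dict = field(default_factory=dict)   # IP address -> SGT
    digest: str = ""              # stand-in for the TCP MD5 signature option

    def expected_digest(self, password: str) -> str:
        # Model only: real SXP signs each TCP segment (RFC 2385), not the SXP PDU.
        body = json.dumps([self.msg_type, self.version, self.device_id,
                           self.update_type, sorted(self.bindings.items())])
        return hashlib.md5((body + password).encode()).hexdigest()

    def sign(self, password: str) -> "SxpMessage":
        self.digest = self.expected_digest(password)
        return self

    def verify(self, password: str) -> bool:
        return self.digest == self.expected_digest(password)


class SxpDevice:
    """TrustSec device with an IP/SGT table; may be speaker, listener or both."""

    def __init__(self, device_id: str, password: str, version: int = 1):
        self.device_id = device_id
        self.password = password      # 'cts sxp default password' on this device
        self.version = version
        self.bindings: dict = {}      # IP -> SGT, static or learned over SXP
        self.listeners: list = []     # peers this device speaks to

    def connect(self, listener: "SxpDevice") -> bool:
        """Speaker side: OPEN / OPEN_RESP, then a full UPDATE of known bindings."""
        resp = listener.handle_open(
            SxpMessage("Open", self.version, self.device_id).sign(self.password))
        if resp is None or resp.msg_type != "Open_Resp" or not resp.verify(self.password):
            return False              # no valid OPEN_RESP: connection stays down
        self.listeners.append(listener)
        self.send_update(listener, "Install", dict(self.bindings))
        return True

    def send_update(self, listener: "SxpDevice", update_type: str, bindings: dict) -> None:
        if bindings:
            msg = SxpMessage("Update", self.version, self.device_id, update_type, bindings)
            listener.handle_update(msg.sign(self.password))

    def install(self, ip: str, sgt: int) -> None:
        """Binding learned locally (e.g. from 802.1X authorization); advertise it."""
        self.bindings[ip] = sgt
        for peer in self.listeners:
            self.send_update(peer, "Install", {ip: sgt})

    def delete(self, ip: str) -> None:
        self.bindings.pop(ip, None)   # session ended: withdraw the binding
        for peer in self.listeners:
            self.send_update(peer, "Delete", {ip: 0})

    def handle_open(self, msg: SxpMessage):
        """Listener side: answer a valid OPEN with OPEN_RESP, drop anything else."""
        if msg.msg_type != "Open" or not msg.verify(self.password):
            return None               # MD5 mismatch: the OPEN is dropped
        version = min(msg.version, self.version)   # agree on the lower version
        return SxpMessage("Open_Resp", version, self.device_id).sign(self.password)

    def handle_update(self, msg: SxpMessage) -> None:
        if not msg.verify(self.password):
            return
        if msg.update_type == "Install":
            self.bindings.update(msg.bindings)
        else:
            for ip in msg.bindings:
                self.bindings.pop(ip, None)
        # Multi-hop SXP (relay): a device that listens on one connection and speaks
        # on another re-advertises what it learned. SXP has no loop detection.
        for peer in self.listeners:
            self.send_update(peer, msg.update_type, msg.bindings)


def single_hop() -> dict:
    """Slide flow: CTS3K (speaker, 10.1.3.2) opens to CTS7K (listener, 10.1.3.1)."""
    cts3k, cts7k = SxpDevice("CTS3K", "pw"), SxpDevice("CTS7K", "pw")  # constructed pw
    cts3k.bindings["10.1.10.100"] = 6          # host authorized with SGT 6
    return dict(cts7k.bindings) if cts3k.connect(cts7k) else {}


def relay_chain() -> dict:
    """Multi-hop: access switch -> relay -> DC listener; install and delete propagate."""
    access, relay, dc = (SxpDevice(n, "pw") for n in ("ACCESS", "RELAY", "DC"))
    relay.connect(dc)
    access.connect(relay)
    access.install("10.1.10.100", 6)
    access.install("10.1.10.101", 7)
    access.delete("10.1.10.101")               # withdrawal must reach the DC too
    return dict(dc.bindings)
```

Because the relay forwards everything it learns without loop detection, a speaker that is also (directly or through other relays) a listener of its own listener would re-learn its own bindings indefinitely; the peering design on the following slides keeps the topology a tree for that reason.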
SXP Connection Types<br />
Single-Hop SXP: a TrustSec-enabled switch (software, SXP Speaker) in the non-TrustSec domain peers directly over SXP with TrustSec-capable hardware (SXP Listener).<br />
Multi-Hop SXP: a TrustSec-enabled switch (SXP Speaker) peers with an intermediate TrustSec-enabled switch that is Listener on the first SXP connection and Speaker on the second, which in turn peers with TrustSec-capable hardware (SXP Listener).<br />
SXP Configuration Sample<br />
Topology: SGA3K (10.2.2.2, SXP Speaker, non-TrustSec domain) peers with SGA6K-CORE (10.2.2.1, SXP Listener); ISE is the policy server.<br />
Speaker side:<br />
CTS3K-AS(config)#cts sxp enable<br />
CTS3K-AS(config)#cts sxp default password <br />
CTS3K-AS(config)#cts sxp connection peer 10.2.2.1 source 10.2.2.2 password default mode peer listener<br />
Listener side:<br />
SGA6K-DC(config)#cts sxp enable<br />
SGA6K-DC(config)#cts sxp default password <br />
SGA6K-DC(config)#cts sxp connection peer 10.2.2.2 source 10.2.2.1 password default mode local listener<br />
SXP Connection Verification<br />
Topology: Catalyst 3K (10.2.2.2, SXP Speaker, non-TrustSec domain) peers with SGA6K-CORE (10.2.2.1, SXP Listener).<br />
Speaker side:<br />
SGA3K-AC#show cts sxp connections<br />
SXP : Enabled<br />
Default Password : Set<br />
Default Source IP: Not Set<br />
Connection retry open period: 120 secs<br />
Reconcile period: 120 secs<br />
Retry open timer is not running<br />
----------------------------------------------<br />
Peer IP : 10.2.2.1<br />
Source IP : 10.2.2.2<br />
Conn status : On<br />
Local mode : SXP Speaker<br />
Connection inst# : 1<br />
TCP conn fd : 1<br />
TCP conn password: default SXP password<br />
- Omitted -<br />
Listener side:<br />
SGA6K-CORE#show cts sxp connections<br />
SXP : Enabled<br />
Default Password : Set<br />
Default Source IP: Not Set<br />
Connection retry open period: 120 secs<br />
Reconcile period: 120 secs<br />
Retry open timer is not running<br />
----------------------------------------------<br />
Peer IP : 10.2.2.2<br />
Source IP : 10.2.2.1<br />
Conn status : On<br />
Conn version : 1<br />
Local mode : SXP Listener<br />
Connection inst# : 2<br />
TCP conn fd : 1<br />
- Omitted -<br />
ACME SXP WAN Design<br />
Approximately 300 remote sites.<br />
ACME is concentrating on the campus-to-data-center use case; remote-to-remote SGT communication is a later phase of the project.<br />
ACME chooses to use SXP relay mode to keep the number of peerings on the data center Nexus 7000s to a minimum.<br />
ACME SXP WAN Deployment<br />
Diagram (for illustration purposes only): SXP Speaker-1 through Speaker-300 at the remote sites peer across the WAN, through ASR1K routers, with Catalyst 6K (SUP 2T) SXP Listener-1 and Listener-2; the 6Ks connect to the data center N7K over NDAC/SAP with 802.1AE encryption.<br />
- ASR1K: available in 3.4<br />
- ACME has 600 peers per Cat6K<br />
- SXP has no loop detection at the moment<br />
Endpoint MACsec<br />
<strong>802.1X</strong>-2010 / 802.1AE – MACSec and MKA<br />
Scenario: wiring closet switch on the campus LAN.<br />
1. User bob connects<br />
2. Bob's policy indicates the endpoint must encrypt<br />
3. Key exchange using MKA; 802.1AE encryption complete. User is placed in the Corp VLAN; session is secured<br />
4. User steve connects<br />
5. Steve's policy indicates the endpoint must encrypt<br />
6. Endpoint is not MACSec enabled; assigned to the Guest VLAN<br />
<strong>802.1X</strong>-Rev Components:<br />
- MACSec enabled switches<br />
- AAA server <strong>802.1X</strong>-Rev aware<br />
- Supplicant supporting MKA and 802.1AE encryption<br />
Endpoint MACsec<br />
CAK – Connectivity Association Key<br />
SAK – Secure Association Key<br />
AnyConnect 3.0<br />
AnyConnect 3.0 provides:<br />
- A unified access interface for SSL-VPN, IPSec and <strong>802.1X</strong> for LAN / WLAN<br />
- Support for MACSec / MKA (<strong>802.1X</strong>-REV) for data encryption in software (performance depends on the CPU of the endpoint)<br />
- MACSec-capable hardware (network interface card) enhances performance with AnyConnect 3.0<br />
For TrustSec:<br />
• MACSec:<br />
• Hardware encryption – Requires AnyConnect and MACSec-ready hardware: Intel 82576 Gigabit Ethernet Controller, Intel 82599 10 Gigabit Ethernet Controller, Intel ICH10 - Q45 Express Chipset (1GbE LOM) (Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM)<br />
• Software encryption – Requires AnyConnect and uses the CPU of the PC<br />
MACsec Interoperability Notes<br />
Note: Proxy EAPoL-Logoff cannot be used with MACSec. If a device behind a phone has been secured with MACSec, proxy EAPoL-Logoff messages sent from phones will be ignored.<br />
Best Practice Recommendation: Use CDP Enhancement for Second Port Disconnect for IP telephony deployments. This feature works for all authentication methods with and without MACSec, takes effect as soon as the endpoint disconnects, and requires no configuration.<br />
Best Practice Recommendation: Disable periodic re-authentication for MACSec endpoints. Because MACSec continuously ensures the validity of the authenticated session, there is typically no need to use re-authentication as a de facto keepalive mechanism.<br />
Note: MACSec is not supported with multi-auth and multi-host modes.<br />
MACsec Recommendations<br />
Best Practice Recommendation: Use default policy in Monitor<br />
Mode<br />
To minimize configuration on the switch and Authentication server, use the default<br />
policy settings for MACSec in monitor mode.<br />
Best Practice Recommendation: Set “should-secure” in low<br />
impact mode<br />
To ensure that MACSec capable connections are secured while preventing legacy<br />
devices from getting locked out of the network, set the MACSec policy for switch<br />
ports and supplicants to ―should-secure‖ by default.<br />
Best Practice Recommendation: Set “should-secure” in high<br />
security mode<br />
To ensure that MACSec capable connections are secured while preventing legacy<br />
devices from getting locked out of the network, set the MACSec policy for switch<br />
ports and supplicants to ―should-secure‖ by default.<br />
TECSEC-2041 © 2011 <strong>Cisco</strong> and/or its affiliates. All rights reserved. <strong>Cisco</strong> Public<br />
441<br />
Policy Based Encryption using MACSec<br />
Diagram (MACSec in action; Cat3750 access switch, ISE 1.0, campus LAN): a Finance Admin using AnyConnect 3.0 authenticates with <strong>802.1X</strong>; the policy "Finance Admin = Must Encrypt" is applied, authentication is successful, and the LAN traffic is encrypted. A Finance Admin using a normal supplicant on a personal laptop (no MACSec supplicant) authenticates with <strong>802.1X</strong> against the same policy; the session falls back to an insecure VLAN and everything is sent in the clear, so you can see everything on the wire.<br />
Clarification of MKA and SAP positioning<br />
Diagram: the supplicant-to-switch link uses <strong>802.1X</strong>-2010 MKA (MACSec link), the switch-to-switch link uses NDAC-SAP (MACSec link), and traffic from the last switch to the server is in the clear.<br />
- MKA and SAP are not interoperable<br />
- For the time being <strong>Cisco</strong> is recommending MKA for host-facing ports and SAP for switch-to-switch ports<br />
- MKA is the direction <strong>Cisco</strong> is moving for switch-to-switch links as well<br />
AnyConnect 3.0 MACSec Demo<br />
DEMO Time<br />
SGA & Posture Integration<br />
Posture and Access Layer SGACL<br />
Topology: users and endpoints attach to Catalyst switches (3K-X/4K) in the campus network; the remediation server sits in the access layer; a Cat 6500 with SUP 2T is the egress enforcement point (Security Group ACL) in front of <strong>Network</strong> Services and the Enterprise Servers; ISE 1.0 is the policy server. The user's session is authorized AUTH=OK, SGT=20.<br />
1. Remediation Server boots – switch assigns IP address 2.2.2.2 SGT 222 based on port identity (from ISE) or local definition (on switch)<br />
2. User connects to the network and authenticates – deemed noncompliant by ISE – results logged in ISE<br />
3. Traffic from the user traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
4. Traffic destined for DHCP/DNS is allowed. Traffic destined for Enterprise Servers is denied<br />
5. Traffic destined for remediation in the access layer is permitted<br />
6. NAC Agent indicates to ISE that the device is now compliant<br />
Egress Enforcement Security Group ACL:<br />
SRC \ DST | <strong>Network</strong> Services (111) | Remediation (222) | Enterprise Servers<br />
Employee Compliant (10) | Permit Any | Permit Any | Permit Any<br />
Employee-Noncompliant (20) | Permit DHCP, Permit DNS | Permit Any | Deny All<br />
Unknown (0) | Permit DHCP, Permit DNS | Deny All | Deny All<br />
Posture and Access Layer SGACL (continued)<br />
Same topology; after re-authorization the user's session is AUTH=OK, SGT=10.<br />
1. ISE triggers a CoA to reauthenticate the session<br />
2. ISE authenticates the user and notes the device is compliant. ISE authorizes SGT = 10<br />
Egress Enforcement Security Group ACL: same matrix as on the previous slide; the user now matches the Employee Compliant (10) row (Permit Any to Enterprise Services (111), Remediation (222) and Enterprise Servers), while Employee-Noncompliant (20) and Unknown (0) remain limited to Permit DHCP, Permit DNS towards Enterprise Services (111).<br />
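The posture flow across the two slides above (noncompliant user authorized with SGT 20, then CoA re-authorization to SGT 10) as an added Python model of the egress SGACL matrix lookup; this is not Cisco code. The SGT numbers and matrix cells follow the slides, except that the Enterprise Servers tag 333 is borrowed from the guest-access slide, the port mapping behind "Permit DHCP / Permit DNS", the deny fall-through for cells not in the matrix, and every host address other than 2.2.2.2 are assumptions of this example.

```python
from dataclasses import dataclass

# SGT values from the slides (Enterprise Servers = 333 is taken from the guest slide)
EMPLOYEE_COMPLIANT, EMPLOYEE_NONCOMPLIANT, UNKNOWN = 10, 20, 0
NETWORK_SERVICES, REMEDIATION, ENTERPRISE_SERVERS = 111, 222, 333

# A matrix cell is an ordered rule list: (protocol, destination port or None, action).
PERMIT_ANY = [("any", None, "permit")]
DENY_ALL = [("any", None, "deny")]
# "Permit DHCP / Permit DNS": the port mapping is an assumption of this example.
PERMIT_DHCP_DNS = [("udp", 67, "permit"), ("udp", 53, "permit"),
                   ("tcp", 53, "permit"), ("any", None, "deny")]

# Egress enforcement matrix keyed by (source SGT, destination SGT), as on the slide.
SGACL_MATRIX = {
    (EMPLOYEE_COMPLIANT, NETWORK_SERVICES): PERMIT_ANY,
    (EMPLOYEE_COMPLIANT, REMEDIATION): PERMIT_ANY,
    (EMPLOYEE_COMPLIANT, ENTERPRISE_SERVERS): PERMIT_ANY,
    (EMPLOYEE_NONCOMPLIANT, NETWORK_SERVICES): PERMIT_DHCP_DNS,
    (EMPLOYEE_NONCOMPLIANT, REMEDIATION): PERMIT_ANY,
    (EMPLOYEE_NONCOMPLIANT, ENTERPRISE_SERVERS): DENY_ALL,
    (UNKNOWN, NETWORK_SERVICES): PERMIT_DHCP_DNS,
    (UNKNOWN, REMEDIATION): DENY_ALL,
    (UNKNOWN, ENTERPRISE_SERVERS): DENY_ALL,
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


class EgressEnforcer:
    """Models the egress enforcement point (the Cat 6500 SUP 2T on the slides)."""

    def __init__(self, ip_sgt: dict):
        # IP -> SGT table: learned over SXP for users, static for the remediation server
        self.ip_sgt = ip_sgt

    def sgt_of(self, ip: str) -> int:
        return self.ip_sgt.get(ip, UNKNOWN)   # no binding: Unknown (0)

    def decide(self, pkt: Packet) -> str:
        src, dst = self.sgt_of(pkt.src_ip), self.sgt_of(pkt.dst_ip)
        # A cell missing from the matrix falls through to deny (this example's choice).
        for proto, port, action in SGACL_MATRIX.get((src, dst), DENY_ALL):
            if proto in ("any", pkt.proto) and port in (None, pkt.dst_port):
                return action
        return "deny"


def posture_walkthrough() -> dict:
    """Steps 1-6 of the posture flow, then the CoA re-authorization."""
    ip_sgt = {
        "2.2.2.2": REMEDIATION,              # step 1: remediation server, static SGT 222
        "10.10.10.10": NETWORK_SERVICES,     # constructed: DNS server
        "10.20.20.20": ENTERPRISE_SERVERS,   # constructed: enterprise application server
    }
    enforcer = EgressEnforcer(ip_sgt)
    user = "10.1.10.50"                      # constructed endpoint address
    ip_sgt[user] = EMPLOYEE_NONCOMPLIANT     # step 2: authenticated, posture failed, SGT 20
    before = {                               # steps 3-5 at the egress enforcement point
        "dns": enforcer.decide(Packet(user, "10.10.10.10", "udp", 53)),
        "enterprise": enforcer.decide(Packet(user, "10.20.20.20", "tcp", 443)),
        "remediation": enforcer.decide(Packet(user, "2.2.2.2", "tcp", 443)),
    }
    ip_sgt[user] = EMPLOYEE_COMPLIANT        # step 6 + CoA: re-authorization assigns SGT 10
    after = {"enterprise": enforcer.decide(Packet(user, "10.20.20.20", "tcp", 443))}
    return {"before": before, "after": after}
```

Note that the enforcement point never sees the posture result itself: it only sees the SGT bound to the source address, so the CoA re-authorization matters exactly because it changes that binding.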
General Guest and Access Layer SGACL<br />
Topology: guest and enterprise users attach to Catalyst switches (3K-X/4K) in the campus network; a Cat 6500 with SUP 2T is the egress enforcement point (Security Group ACL) in front of Enterprise Services, the Enterprise Servers and the Internet; ISE 1.0 is the policy server. The guest session is authorized AUTH=OK, SGT=20.<br />
1. Guest connects to the network – <strong>802.1X</strong> fails/times out<br />
2. Switch MAC-authenticates the device to ISE – results logged in ISE<br />
3. Traffic from the user traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
4. Traffic destined for DHCP/DNS and the Internet is allowed. Traffic destined for Enterprise Servers is denied<br />
Egress Enforcement Security Group ACL:<br />
SRC \ DST | <strong>Network</strong> Services (111) | Internet (222) | Enterprise Servers (333) | Enterprise Users (10)<br />
Enterprise Users (10) | Permit Any | Permit Any | Permit Any | Permit Any<br />
Guest (20) | Permit DHCP, Permit DNS | Permit DHCP, Permit DNS, Permit IPsec, Permit HTTP, Permit HTTPS | Deny All | Deny All<br />
Unknown (0) | Permit DHCP, Permit DNS | Deny All | Deny All | Deny All<br />
Enterprise User Policy and Access Layer SGACL (1)<br />
Topology: Enterprise Users and PCI Users attach to Catalyst switches (3K-X/4K) in the campus network; a Cat 6500 with SUP 2T is the egress enforcement point (Security Group ACL) in front of <strong>Network</strong> Services, the Enterprise Server and the PCI Servers; ISE 1.0 is the policy server. The Enterprise User session is authorized AUTH=OK, SGT=10.<br />
1. Enterprise User is authenticated and assigned SGT 10<br />
2. Traffic from Enterprise Users traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
3. Traffic destined for DHCP/DNS and Enterprise Servers is permitted. Traffic destined for PCI Servers is denied<br />
Egress Enforcement Security Group ACL:<br />
SRC \ DST | <strong>Network</strong> Services (111) | Enterprise Server (222) | PCI Servers (333) | Enterprise Users (10)<br />
Enterprise Users (10) | Permit Any | Permit Any | Deny All | Permit Any<br />
PCI User (20) | Permit Any | Permit Any | Permit HTTPS | Permit Any<br />
Unknown (0) | Permit DHCP, Permit DNS | Deny All | Deny All | Deny All<br />
Enterprise User Policy and Access Layer SGACL (2)<br />
Same topology; the PCI User session is authorized AUTH=OK, SGT=20.<br />
1. PCI User is authenticated and assigned SGT 20<br />
2. Traffic from PCI Users traverses to the Data Center and hits the SGACL at the egress enforcement point<br />
3. Traffic destined for DHCP/DNS, Enterprise Servers and PCI Servers is permitted. Traffic destined for Enterprise Users in the access layer is permitted.<br />
Egress Enforcement Security Group ACL:<br />
SRC \ DST | <strong>Network</strong> Services (111) | Enterprise Server (222) | PCI Servers (333) | Enterprise Users (10)<br />
Enterprise Users (10) | Permit Any | Permit Any | Deny All | Permit Any<br />
PCI User (20) | Permit Any | Permit Any | Permit HTTPS | Permit Any<br />
Unknown (0) | Permit DHCP, Permit DNS | Deny All | Deny All | Deny All<br />
ISE – Nexus 7000 IP/SGT Policy Management<br />
• How do you manage static IP/SGT definitions across multiple DC switches?<br />
• ISE 1.0 will allow the SGA admin to manage IP/SGT or DNS/SGT mappings<br />
Note: Support limited to Nexus 7000<br />
ISE – Nexus 7000 IP/SGT Policy Management<br />
• SGA Admin designates if the device should have IP/SGT pushed<br />
ISE Quick View<br />
DEMO Time<br />
Platform Support<br />
SGT/SGACL Component Support Matrix<br />
Platform | Available Feature | OS / OS Version | Notes<br />
Nexus 7000 series Switch | SGACL, 802.1AE + SAP, NDAC, SXP, IPM, EAC | <strong>Cisco</strong> NX-OS® 5.0.2a. Advanced Service Package license is required | Enforcement Device, DC Distribution<br />
Catalyst 6500E Switch (Supervisor 2T) | SGACL, 802.1AE + SAP, NDAC, SXP, IPM, EAC | <strong>Cisco</strong> IOS® 12.2(50)SY or later release. Needs MACSec-capable linecard | Enforcement Device, DC Distribution<br />
Catalyst 6500E Switch (Supervisor 32, 720, 720-VSS) | NDAC (No SAP), SXP, EAC | <strong>Cisco</strong> IOS® 12.2(33)SXI3 or later release. IP Base K9 image required | Campus / DC Access switch<br />
Catalyst 49xx switches | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(50)SG7 or later release | DC Access switch<br />
Catalyst 4500 Switch (Supervisor 6L-E or 6-E) | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(53)SG7 or later release | Campus Access Switch<br />
Catalyst 3560-X / 3750-X Switches | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(53)SE2 or later release | Campus Access Switch<br />
Catalyst 3560(E) / 3750(E) Switches | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(53)SE1 or later release | Campus Access Switch<br />
Catalyst Blade Module 3x00 Switches | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(53)SE1 or later release | DC Access Switch<br />
<strong>Cisco</strong> EtherSwitch service module for ISR Routers | SXP, EAC | <strong>Cisco</strong> IOS® 12.2(53)SE1 or later release. IP Base K9 image required | Branch Access Switch<br />
<strong>Cisco</strong> ASR 1000 | SXP, SGT | <strong>Cisco</strong> IOS XE® 3.4 or later release | Remote Access Headend<br />
<strong>Cisco</strong> Identity Service Engine (ISE) | Centralized Policy Management for TrustSec | ISE Version 1.0 with Advanced License required. CSACS1120 appliance or ESX Server 3.5 or 4.0 | Policy Server<br />
<strong>Cisco</strong> Secure ACS | Centralized Policy Management for TrustSec | ACS Version 5.1 with TrustSec license required. CSACS1120 appliance or ESX Server 3.5 or 4.0 is supported | Policy Server<br />
EAC: Endpoint Admission Control (SGT Assignment)<br />
SGA Phased Migration – Customer Rollout Phase 1<br />
Diagram spanning Access Layer, Distribution Layer, Core Layer and Data Center: L2 access switches, L2/3 distribution switches, L2/3 high-speed core switches, L2/3 DC aggregation switches and L2 DC access switches, plus a WAN/Internet edge DMZ (L2/3 switch, remote access router, remote access SSL/IPSec VPN) and ISE v1.0 as AAA and SGA policy manager. Legend: Non-SGA, SGA Software, SGA Hardware. Phase 1 capabilities shown: SGT at the access layer, SXP towards the data center, Remote SXP from the remote access edge.<br />
SGA Phased Migration – Customer Rollout Phase 2<br />
Same topology; Phase 2 adds L3 TrustSec between the distribution, core and data center aggregation switches alongside SXP.<br />
SGA Phased Migration – Customer Rollout Phase 3<br />
Same topology; Phase 3 adds 802.1AE/SAP on the access, distribution, core and data center links and an SGA-capable IPSec/VPN for site-to-site access, with Remote SXP and ISE v1.0 as AAA and CTS policy manager.<br />
Session Summary<br />
Deployment Considerations In a Nutshell<br />
Diagram with five areas – Authentication, Authorization, Desktops, Guests, and Policy & Organization – covering: EAP, PKI, DBs; supplicants, re-auth, machine auth, remote desktop, agentless; SGA, pre-auth, phones; VLAN, ACL, failed auth, AAA down; MDA, voice VSA, MAB behind phone; PXE, WoL, VM, Windows GPO, login scripts; guest solution? implicit reliance on wired?; teamwork: <strong>Network</strong>, IT, Desktop; policy: definition & enforcement.<br />
Summary<br />
<strong>802.1X</strong>/SGA improves enterprise security<br />
<strong>802.1X</strong>/SGA improves enterprise visibility<br />
<strong>802.1X</strong>/SGA is deployable now<br />
New features have significantly simplified deployment<br />
Deployment scenarios can be used as a starting point<br />
<strong>802.1X</strong>/SGA is not only a network project; it affects the whole IT organization<br />
Follow Up on Your <strong>802.1X</strong>/SGA Deployment<br />
You have seen that <strong>802.1X</strong>/SGA:<br />
• is deployable<br />
• has new, advanced features to handle many use cases<br />
Next Steps:<br />
• Work with your <strong>Cisco</strong> SE and your <strong>Cisco</strong> Partners<br />
• Quantify what you want to achieve with <strong>802.1X</strong>/SGA<br />
Take time to understand and specify:<br />
• Existing networking environment<br />
• Supplicants<br />
• RADIUS servers and backend database<br />
• Deployment scenarios<br />
• Capability of your switching infrastructure<br />
Recommended Reading<br />
Continue your <strong>Cisco</strong> Live learning experience with further reading from <strong>Cisco</strong> Press. Check the Recommended Reading flyer for suggested books.<br />
Visit the <strong>Cisco</strong> Store for Related Titles: http://theciscostores.com<br />
Recommended Reading<br />
<strong>Cisco</strong> Wireless LAN Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540<br />
<strong>Cisco</strong> Internetwork Troubleshooting - http://www.ciscopress.com/bookstore/product.asp?isbn=1578700922<br />
<strong>Cisco</strong> Secure Internet Security Solutions - http://www.ciscopress.com/bookstore/product.asp?isbn=1587050161<br />
Managing <strong>Cisco</strong> <strong>Network</strong> Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031<br />
<strong>Cisco</strong> LAN Switch Security: What Hackers Know About Your Switches - http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563<br />
Complete Your Online Session Evaluation<br />
Receive 25 <strong>Cisco</strong> Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.<br />
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.<br />
Don't forget to activate your <strong>Cisco</strong> Live and <strong>Network</strong>ers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.<br />
Thank you.<br />