Advanced 802.1X Design and Troubleshooting
BRKSEC-3005

BRKSEC-3005 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Legos and IEEE 802.1X: Same pieces, different castles
(Figure: a basic castle and a realistic castle built from the same Lego pieces; 802.1X deployments are assembled the same way from the same building blocks)

Agenda
- Deployment Considerations: Authentication, Authorization
- Deployment Scenarios: Monitor Mode, Low Impact Mode, Closed Mode
- Troubleshooting: Methodology, Real World Example, Flows (For Your Reference)

Deployment Considerations: Authentication
Thinking About Authentication (topics):
- Authentication: credentials, databases, EAP methods, supplicants, agentless devices, order/priority
- Authorization policy
- Desktops: Windows GPO, machine auth, PXE, WoL, VMs
- Multiple endpoints
- Teamwork and organization: network, IT and desktop teams
- Confidentiality

IEEE 802.1X Provides Port-Based Access Control Using Authentication
Roles: Supplicant (client) <- Layer 2 point-to-point link, EAP over LAN (EAPoL) -> Authenticator (switch) <- Layer 3 link, RADIUS -> Authentication Server (AAA/RADIUS server)
Beginning:
- Supplicant -> Switch: EAPoL-Start
- Switch -> Supplicant: EAPoL Request-Identity
- Supplicant -> Switch: EAP-Response Identity: Alice
- Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple challenge/request exchanges possible):
- AAA -> Switch: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
- Switch -> Supplicant: EAP-Request: PEAP
- Supplicant -> Switch: EAP-Response: PEAP
- Switch -> AAA: RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
- AAA -> Switch: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
- Switch -> Supplicant: EAP Success

Choosing Credentials for 802.1X
(Figure: alice / c1sC0L1v checked against a Directory; a Certificate Authority; a Token Server)
Common types: Passwords, Certificates, Tokens
Deciding factors: Security policy, Validation, Distribution and maintenance
Deployment best practices:
- Reuse existing credentials
- Understand the limitations of existing systems

Credentials May Have Systemic Limitations
Alice, director of US Sales, gets no access in the London office.
(Figure: alice / c1sC0L1v, an account in mycorp.com; the London switches authenticate against mycorp.uk)
Root cause: Alice is not a member of mycorp.uk.
Possible solutions to multiple-domain issues:
1. Establish a two-way trust between mycorp.com and mycorp.uk
2. Use a RADIUS proxy to send requests from *.mycorp.com to the US ACS
3. Use certificates from a global enterprise CA (mycorp root CA) and don't check AD

How To Submit Credentials
Requirements:
- Mutual authentication: the server must validate the client's identity and vice versa
- Security: client credentials cannot be snooped or cracked
PEAP-MSCHAPv2:
- Server certificate authentication: signed by a trusted CA; belongs to an allowed server
- Client authentication, inside the encrypted TLS tunnel: known username (e.g. host/alice-xp.mycorp.com) and valid password (e.g. the machine password)
EAP-TLS:
- Server certificate authentication: signed by a trusted CA; belongs to an allowed server
- Client certificate authentication: signed by a trusted CA; additional checks
In both methods the supplicant's server-certificate validation is what protects the client credential: a supplicant configured not to validate the server certificate (or to trust any CA) will run the MSCHAPv2 exchange with whatever server answers, so the "trusted CA" and "allowed server" checks must be enforced in the supplicant profile, not just available.

Users and Machines Can Have Credentials
User authentication (e.g. alice):
- Enables user-based access control and visibility
- If enabled, should be in addition to device authentication
Machine authentication (e.g. host\XP2):
- Enables devices to access the network prior to (or in the absence of) user login
- Enables critical device traffic (DHCP, NFS, machine GPO)
- Is required in managed wired environments

Why You Must Enable Machine Auth In A Managed Environment
(Figure: Windows boot and logon timeline; the steps that depend on network connectivity are marked)
Power on -> Kernel loading -> Windows HAL loading -> Device driver loading -> Machine authentication (802.1X) -> Obtain network address (static, DHCP) -> Determine site and DC (DNS, LDAP) -> Establish secure channel to AD (LDAP, SMB) -> Kerberos authentication (machine account) -> Computer GPOs loading (async) -> GPO-based startup script execution -> Certificate auto-enrollment, time synchronization, dynamic DNS update -> GINA (logon prompt) -> User authentication -> Kerberos auth (user account) -> User GPOs loading (async) -> GPO-based logon script execution (SMB)
Everything from obtaining a network address onward depends on connectivity, and all of it happens before any user can log on, so the machine itself must be able to authenticate.

Business Case and Security Policy Determine Whether You Need User Auth
Example 1: Call center
- Objective: differentiated access for agents
- Conditions: shared-use PCs (desktops)
- Result: machine + user authentication
Example 2: Enterprise campus
- Objective: access for corporate assets only
- Conditions: one laptop = one user
- Result: machine-only authentication
Bonus question: could the campus customer enable password-based user authentication if they wanted to?

Understanding Your Supplicant is Essential
(Supplicant categories: open source, native, premium)
Massive outage after OS upgrade (native supplicant):
- XP SP2: single service and profile for all 802.1X hardware (wired/wireless)
- XP SP3/Vista/Win7: separate services and profiles for wired and wireless; the wired service is disabled by default
- http://support.microsoft.com/kb/953650
Auth-Fail VLAN doesn't work:
- The switch expects 3 failures by default
- XP SP3, Vista, Win7: 20-minute block timer after the first EAP failure
- http://support.microsoft.com/kb/957931
- Fix on the switch:
  (config-if)#authentication event fail retry 0
Best practice: make friends with your desktop team.

Real Networks Can't Live on 802.1X Alone
(Figure: employees with a supplicant (SSC) pass 802.1X; an employee with a bad credential, a guest, a rogue and managed assets without supplicants all land in the same "unauthenticated" bucket)
Default access control is binary: 802.1X passed, or unauthenticated.

MAC Authentication Bypass (MAB): Authentication for Clientless Devices
(Figure: endpoint 00.0a.95.7f.de.06, switch, RADIUS server)
1. IEEE 802.1X: the switch sends EAPoL EAP Request-Identity three times; nothing answers, so 802.1X times out
2. MAB: any packet from the endpoint triggers a RADIUS Access-Request [AVP: 00.0a.95.7f.de.06]; the server answers RADIUS Access-Accept
How are MACs authenticated?

MAB is PAP, or you can optimize
- MAB as PAP: the RADIUS Access-Request carries username = password = MAC address; works with any RADIUS server
- MAB as host lookup: ACS/ISE optimization; no need for fake passwords; the request carries an attribute that differentiates it as a MAB request

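The two request formats described above, as an added example that is not code from the deck or from Cisco. It builds the RADIUS Access-Request a switch sends for a MAB endpoint in both styles, "MAB as PAP" (User-Name and User-Password both carry the MAC, password hidden per RFC 2865) and "MAB as host lookup" (no password; the request is marked with Service-Type = Call-Check, the attribute Cisco switches use to flag a MAB request and that ACS/ISE key on), then decodes it the way the server does. Attribute numbers are from RFC 2865; the shared secret cisco and NAS address 10.100.10.4 are taken from the deck's sample configs; the MAC and the request authenticator are constructed test data.

```python
"""RADIUS Access-Request as a switch sends it for MAC Authentication Bypass.

Added example, not code from the deck or from Cisco.  Builds and decodes the two MAB
request styles: 'MAB as PAP' (User-Name and User-Password both carry the MAC, password
hidden per RFC 2865 section 5.2) and 'MAB as host lookup' (no password; Service-Type =
Call-Check marks the request as MAB).  Secret 'cisco' and NAS 10.100.10.4 are the deck's
sample values; the MAC and the request authenticator are constructed test data.
"""
import hashlib
import re
import struct

CODE_ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10
NAS_PORT_TYPE_ETHERNET = 15


def normalize_mac(mac: str) -> str:
    """Accept 00.0a.95.7f.de.06, 00-0A-95-7F-DE-06 or 000a957fde06; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk), chained."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; what the RADIUS server does before a PAP check."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, authenticator: bytes, ident: int = 1,
                      host_lookup: bool = False, nas_ip: str = "10.100.10.4") -> bytes:
    user = normalize_mac(mac)
    avps = [(USER_NAME, user.encode())]
    if host_lookup:
        avps.append((SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)))
    else:  # MAB as PAP: the "password" is the MAC itself
        avps.append((USER_PASSWORD, hide_password(user.encode(), secret, authenticator)))
        avps.append((SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)))
    dashed = "-".join(user[i:i + 2] for i in range(0, 12, 2)).upper()  # 00-0A-95-7F-DE-06
    avps.append((CALLING_STATION_ID, dashed.encode()))
    avps.append((NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    avps.append((NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_request(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, authenticator, attrs


def classify_mab(packet: bytes, secret: bytes) -> str:
    """Server-side view: host-lookup MAB, PAP-style MAB (password must equal the MAC), or neither."""
    code, _, authenticator, attrs = parse_request(packet)
    if code != CODE_ACCESS_REQUEST or USER_NAME not in attrs:
        return "not-mab"
    user = attrs[USER_NAME].decode(errors="replace")
    if not re.fullmatch(r"[0-9a-f]{12}", user):
        return "not-mab"
    svc = struct.unpack("!I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
    if svc == SERVICE_TYPE_CALL_CHECK and USER_PASSWORD not in attrs:
        return "mab-host-lookup"
    if USER_PASSWORD in attrs and reveal_password(attrs[USER_PASSWORD], secret, authenticator) == user.encode():
        return "mab-pap"
    return "not-mab"


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed; a real switch uses 16 random bytes per request
    for lookup in (False, True):
        pkt = build_mab_request("00.0a.95.7f.de.06", b"cisco", auth, host_lookup=lookup)
        print(len(pkt), "bytes:", classify_mab(pkt, b"cisco"))
```

The PAP form is why a third-party RADIUS server needs every MAB MAC stored as a "user" whose password is its own MAC: those entries are a MAC allow-list, not a credential, and the password hiding only keeps the value off the wire, it adds no authentication strength. The Call-Check form lets ACS/ISE route the request to a MAC-database lookup without storing fake passwords at all.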
IEEE 802.1X with MAB
- MAB enables differentiated access control
- MAB leverages centralized policy on the AAA server
- Dependency on the IEEE 802.1X timeout -> delayed network access
  - Default tx-period is 30 seconds and the Request-Identity is sent three times (90 seconds total)
  - 90 seconds > DHCP timeout
- MAB requires a database of known MAC addresses
(Figure: printer in the Printer VLAN, contractor in the Contractor VLAN; the switch queries ACS over RADIUS, ACS queries the MAC database over LDAP)

3 Options For MAB-Related Delays
1. Change the timeout
  interface GigabitEthernet1/4
   dot1x max-reauth-req 2
   dot1x timeout tx-period 30
  Time before MAB starts = (max-reauth-req + 1) * tx-period. Make it short enough to prevent DHCP timeouts and long enough to allow 802.1X devices to authenticate.
2. FlexAuth: change the order
  interface GigabitEthernet1/4
   authentication order mab dot1x
   authentication priority dot1x mab
  The first packet from the device triggers MAB; if MAB fails, 802.1X runs. Prepare for additional control-plane traffic. Priority matters: see www.cisco.com/go/ibns -> Whitepapers.
3. Low Impact deployment scenario (covered later)

MAC Databases: Device Discovery
- Find it: leverage an existing asset database (e.g. purchasing department, CUCM)
- Build it: bootstrap methods to gather data (e.g. SNMP, syslog, RADIUS accounting)
- Buy it: automated device discovery (e.g. ISE)

Building Your MAB Database: Export Phone MACs From CUCM
(Figure: CUCM phone export screen)

Building Your MAB Database: Wildcard Rules Based on MAC Prefixes
Example: 00-04-0D-9D-BE-59; the first three octets (00-04-0D) are the Organizationally Unique Identifier (OUI)
- Assigned by IEEE
- Identifies the device vendor and possibly the device type
Caveat: an OUI identifies the interface manufacturer, not the device, and a MAC address is trivially spoofed, so a MAB rule keyed on an OUI prefix should grant only the access that class of device actually needs.

Building Your MAB Database: Profiling Tools Are Evolving
The ISE Profiler gathers endpoint attributes from several sources: SNMP, DHCP, MAC OUI, LDAP, RADIUS Access-Request and RADIUS Accounting data from the switch, and the IOS Sensor (IOS 15.0(1)SE1, ISE 1.1).

To Fail or Not to Fail MAB? Two options for unknown MAC addresses
Option A: MAB fails and control of the session passes to the switch
- RADIUS Access-Request (MAB) -> RADIUS Access-Reject
- The switch then applies one of: 1) no access, 2) switch-based Web-Auth, 3) Guest VLAN
Option B: MAC is unknown but MAB passes
- RADIUS Access-Request (MAB) -> unknown MAC -> RADIUS Access-Accept with a guest policy
- The AAA server determines policy for unknown endpoints (e.g. network access levels, re-auth policy)
- Good for centralized control and visibility of guest policy (VLAN, ACL)

Deployment Considerations: Authorization
Thinking About Authorization (topics):
- Authorization policy: pre-auth, VLAN, ACL, failed auth, AAA down
- Desktops: phones, link state, VMs, multiple endpoints, desktop switches
- Teamwork and organization
- Confidentiality

Authorization Options: Pre-Authentication
- Default: closed (nothing but EAPoL passes before authentication)
- Selectively open:
  switch(config-if)#authentication open
  switch(config-if)#ip access-group PRE-AUTH in
- Open:
  switch(config-if)#authentication open

Authorization Options: Passed Authentication
- Default: open (Alice gets the static switchport VLAN and any port ACL)
- Dynamic ACL
- Dynamic VLAN

Authorization Options: Failed 802.1X
- Default: closed
- Next-method (final authorization determined by the result of the next method):
  switch(config-if)#authentication event fail action next-method
- Auth-Fail VLAN:
  switch(config-if)#authentication event fail action authorize vlan 50

Authorization Options: No Client
- Default: closed
- Next-method (final authorization determined by the result of the next method):
  switch(config-if)#mab
- Guest VLAN:
  switch(config-if)#authentication event no-response action authorize vlan 51

Authorization Options: AAA Server Dead
- Default: closed
- Critical VLAN:
  switch(config-if)#authentication event server dead action authorize vlan 52

Authorization: Single MAC Filtering
Default: single-host mode
- Multiple MACs are not allowed on the port, to ensure the validity of the authenticated session
- Where extra MACs come from: hubs, VMware, phones, gratuitous ARP
- Applies in open and closed mode
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
(Figure: a PC running a VM behind the port presents two MACs)

Modifying Single-MAC Filtering For IP Phones: Multi-Domain Authentication (MDA) Host Mode
- IEEE 802.1X default: single device per port
- MDA: single device per domain per port (voice domain and data domain)
- MDA replaces CDP Bypass
- Supports Cisco and 3rd-party phones
- Phones and PCs use 802.1X or MAB
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication host-mode multi-domain

Modifying Single-MAC Filtering For Virtualized Endpoints: Multi-Authentication Host Mode
- MAC-based enforcement for each device
- Each device authenticates with 802.1X and/or MAB
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication host-mode multi-auth
(Figure: a PC running a VM behind the port; each MAC is authenticated separately)

Authorization Summary
(Host modes shown alongside: single-host, multi-auth, multi-domain-auth)

Authentication status           Default authorization   Alternative 1     Alternative 2
Pre-802.1X / MAB                Closed                  Open              Selectively Open
Successful 802.1X               Open                    Dynamic VLAN      Dynamic ACL
Successful MAB                  Open                    Dynamic VLAN      Dynamic ACL
Failed 802.1X                   Closed                  Auth-Fail VLAN    Next Method
Failed MAB                      Closed                  Guest VLAN        Next Method
No 802.1X (no client)           Closed                  Guest VLAN        Next Method
No 802.1X, MAB (server down)    Closed                  Critical VLAN

Deployment Scenarios: Implementing Phased Deployments
Thinking About Deployment Scenarios (topics):
- Authentication: credentials, databases, EAP, supplicants, agentless devices, order/priority
- Authorization: pre-auth, VLAN, ACL, failed auth, AAA down
- Policy: definition, enforcement, rollout
- Teams: network, IT, desktop
- Desktops: Windows GPO, machine auth, PXE, WoL, VMs
- Endpoints: phones, link state, VMs, multiple endpoints, desktop switches
- Teamwork and organization
- Confidentiality and encryption

Three Deployment Scenarios
- Monitor Mode: authentication without access control
- Low Impact Mode: minimal impact to network and users
- Closed Mode: logical isolation (formerly "High Security")

Scenario 1: Monitor Mode Overview
Goals:
- No impact to existing network access
- See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
- Deterrence through accountability
How to:
- Enable 802.1X and MAB
- Enable open access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except that authentications still occur
- Enable multi-auth host mode
- No authorization

Monitor Mode: Switch
Switch global config:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default group radius
  radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
  radius-server vsa send authentication
  authentication mac-move permit
Switch interface config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   authentication host-mode multi-auth     (Monitor Mode)
   authentication open                     (Monitor Mode)
   authentication port-control auto        (basic 802.1X/MAB)
   mab                                     (basic 802.1X/MAB)
   dot1x pae authenticator                 (basic 802.1X/MAB)
   authentication violation restrict

Monitor Mode: AAA Server and Endpoints
AAA server: should be fully configured except for authorization policy:
- Communication with AAA clients (i.e. switches)
- Communication with the credential repository (e.g. AD, MAC database)
- PKI (CA certs, server cert)
- EAP configuration
- MAB configuration
Endpoints: should be fully configured:
- PKI (CA certs, client cert) or other credentials
- Supplicants configured and installed everywhere supported
- Enable machine auth
- Enable user auth if needed

Monitor Mode: Next Steps
- Improve accuracy
- Evaluate remaining risk
- Leverage information
- Prepare for access control
RADIUS authentication and accounting logs show:
- Passed/failed 802.1X: who has bad credentials? misconfigurations?
- Passed/failed MAB attempts: what don't I know?

Information Pays For Itself: ROI Without Access Control
Example RADIUS accounting record (attribute(number) = example value):
  User-Name(1)            = scadora
  Framed-IP-Address(8)    = 10.100.41.200
  Calling-Station-Id(31)  = 00-1E-4A-A9-00-A8   (endpoint MAC)
  Called-Station-Id(30)   = 00-1F-6C-3E-56-8F   (switch port MAC)
  NAS-IP-Address(4)       = 10.100.10.4
  NAS-Port-Id(87)         = FastEthernet2/48
  NAS-Port-Type(61)       = Ethernet
  Service-Type(6)         = Framed-User
  Acct-Status-Type(40)    = Interim-Update
  Acct-Session-Time(46)   = 27
  Acct-Input-Octets(42)   = 2614
  Acct-Output-Octets(43)  = 2469
  Acct-Input-Packets(47)  = 7
  Acct-Output-Packets(48) = 18
One record ties a username to a MAC, an IP address, a switch and a port: that is the visibility Monitor Mode delivers before any enforcement, and the same join is what an incident responder needs to go from an IP address in an alert to a physical port.

Preparing for Access Control: Fix 802.1X
Observed failures in the AAA logs:
- Helpful supplicant (SSC / AnyConnect 3.0 / Win7): reports why it failed
- Not as helpful: XP SP2
Root cause: untrusted or self-signed certificate on the AAA server
Fix: import a server certificate signed by the enterprise CA

Preparing for Access Control: Learn MACs
Observed failure: MAB attempts from MACs that are not in the database
Fix: import the learned MACs (MAC.CSV) into the MAC database

Monitor Mode In a Nutshell
- Summary: authentication without authorization
- Benefits: extensive network visibility; no impact to endpoints or network
- Limitations: no access control
- Next steps: monitor the network; evaluate remaining risk; prepare for access control

Scenario 2: Low Impact Mode
Goals:
- Begin to control/differentiate network access
- Minimize impact to existing network access
- Retain the visibility of Monitor Mode
- Low Impact == no need to re-architect your network: keep the existing VLAN design, minimize LAN changes
How to:
- Start from Monitor Mode
- Add ACLs, dACLs and flex-auth
- Limit the number of devices connecting to a port
- Add new features to support IP phones

Low Impact Mode: Switch
Switch global config (add to Monitor Mode):
  ip device-tracking
Pre-authentication port authorization state: block general access until successful 802.1X, MAB or WebAuth, but pinhole explicit TCP/UDP ports to allow desired access.
Switch interface config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in      (added for Low Impact)
   authentication open              (from Monitor Mode)
   authentication port-control auto
   mab
   dot1x pae authenticator
   authentication violation restrict

Pre-Auth ACL Considerations
Approach 1: selectively block traffic
- Selectively protect certain assets/subnets
- Low risk of inadvertently blocking wanted traffic
- Example: block unauthenticated users from the Finance servers
Approach 2: selectively allow traffic
- More secure, better control
- May block wanted traffic
- Example: only allow pre-auth access for PXE devices to boot
The pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network.
Recommendations: use the least restrictive ACL that you can; time-sensitive traffic is a good candidate for the ACL.

Low Impact Mode: AAA Server
Configure downloadable ACLs for authenticated users. The switch dynamically substitutes the endpoint's address as the source of each dACL entry, so a dACL of "permit ip any any" is installed for the endpoint as:
  permit ip host 10.100.20.200 any
while the pre-auth port ACL continues to govern everything else, for example:
  permit tcp any any established
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
- The contents of the dACL are arbitrary
- You can have as many unique dACLs as there are user permission groups
- Same principles as the pre-auth port ACL

Example: Using Low Impact Mode to Bootstrap a New Phone
Pre-auth ACL (CUCM/TFTP server at 10.100.10.238):
  permit udp any any eq bootps
  permit udp any host 10.100.10.238 eq tftp
  permit udp any host 10.100.10.238 range 32768 61000
- The pre-auth ACL allows just enough access for the phone to fetch its config and CTL
- The new config enables 802.1X on the phone
- After 802.1X, the phone's dACL gives it full access (permit ip host 10.100.20.200 any)

Dynamic ACL Types for Authentication
Downloadable ACL (dACL)
- Configuration: on ACS
- Notes: centralized; no size limitation*; requires ACS
- 802.1X/MAB: 3K 12.2(50)SE, 4K 12.2(50)SG, 6K 12.2(33)SXI
- Web-Auth: 3K 12.2(50)SE, 4K 12.2(50)SG, 6K 12.2(33)SXI
Per-User ACL
- Configuration: on the AAA server
- Notes: centralized; length limited to the RADIUS packet size*; supports 3rd-party AAA servers
- 802.1X/MAB: 3K 12.2(50)SE, 4K 12.2(52)SG, 6K 12.2(33)SXI3
- Web-Auth: not supported
Filter-Id
- Configuration: ACL name on the AAA server, ACL contents on the switch
- Notes: distributed; no size limitation*; supports 3rd-party AAA servers
- 802.1X/MAB: 3K 12.2(50)SE, 4K 12.2(52)SG, 6K 12.2(33)SXI3
- Web-Auth: 3K 12.2(50)SE; 4K and 6K not supported
Proxy ACL
- Configuration: on the AAA server
- Notes: centralized; Web-Auth only; length limited to the RADIUS packet size*; supports 3rd-party AAA servers
- 802.1X/MAB: not supported
- Web-Auth: 3K 12.2(35)SE, 4K 12.2(50)SG; 6K not supported
*Size refers to the defined length of the ACL. TCAM limits on the switch still apply.

ACL Rules of Thumb
- For wired deployments, use downloadable ACLs
- For wired and wireless, and if no ACS/ISE or no WebAuth, use Filter-Id ACLs (distributed)
- If no ACS/ISE or no WebAuth, use per-user ACLs (centralized)
- Try to avoid WebAuth proxy ACLs

Handling dACLs without PACLs
Before 12.2(54)SG and 12.2(55)SE: a switch that receives a dACL for a port without a port ACL (PACL) fails the authorization (%AUTHMGR-5-FAIL).
After 12.2(54)SG and 12.2(55)SE: the switch automatically attaches a default PACL called Auth-Default-ACL and then applies the dACL (%EPM-6-AUTH_ACL: POLICY Auth-Default-ACL).
Tip: use this for a graceful transition from Monitor Mode (no port ACL) to dACL-based authorization.

Reduce Dynamic ACL Configuration
Default behavior:
- If no dynamic ACL is downloaded, the pre-auth port ACL controls the port, so every endpoint must be assigned a dynamic ACL.
Example port ACL (an authenticated host with no dACL stays behind it):
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
With the open directive configured (12.2(54)SG, 12.2(55)SE):
  Switch(config)#epm access-control open
- If the RADIUS server returns a dynamic ACL, the dynamic ACL is applied.
- If no dynamic ACL is returned, the switch automatically creates a "permit ip host <endpoint> any" entry for the authenticated host.

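The Low Impact port behaviour described in the preceding slides (pre-auth port ACL, dACL source substitution, and the open directive), modelled as an added example that is not code from the deck or from Cisco. It parses a small subset of IOS ACE syntax, rewrites each dACL entry's source to the authenticated host (so "permit ip any any" becomes "permit ip host 10.100.20.200 any"), grants "permit ip host <ip> any" when the open directive is on and no dACL arrives, reproduces the pre-12.2(54)SG/12.2(55)SE failure when a dACL hits a port with no PACL, and evaluates packets against the result. The lookup order (host's dACL entries, then the port ACL, then implicit deny) is a simplification of the merged ACL a Catalyst programs; addresses are the deck's sample values and the sample ACLs are constructed.

```python
"""Pre-auth port ACL, downloadable ACL (dACL) and the 'epm access-control open' directive.

Added example, not code from the deck or from Cisco.  The ACE grammar is a subset of IOS
syntax (permit/deny, ip/tcp/udp/icmp, any|host A.B.C.D, eq/range, established, no source
ports) and the lookup order 'host's dACL entries, then port ACL, then implicit deny' is a
simplification of the merged ACL a Catalyst programs.  Addresses are the deck's samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                                # permit | deny
    proto: str                                 # ip | tcp | udp | icmp
    src: str                                   # "any" or a host address
    dst: str
    dports: Optional[Tuple[int, int]] = None   # destination port range (lo, hi)
    established: bool = False

    def matches(self, src, dst, proto, dport=None, established=False) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if (self.src != "any" and self.src != src) or (self.dst != "any" and self.dst != dst):
            return False
        if self.dports and (dport is None or not self.dports[0] <= dport <= self.dports[1]):
            return False
        return not self.established or established

    def text(self) -> str:
        fmt = lambda a: "any" if a == "any" else f"host {a}"
        s = f"{self.action} {self.proto} {fmt(self.src)} {fmt(self.dst)}"
        if self.dports:
            s += f" eq {self.dports[0]}" if self.dports[0] == self.dports[1] else f" range {self.dports[0]} {self.dports[1]}"
        return s + (" established" if self.established else "")


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'permit udp any host 10.100.10.116 eq domain' style entries."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    i, addrs = 2, []
    while len(addrs) < 2:
        if i < len(tok) and tok[i] == "any":
            addrs.append("any")
            i += 1
        elif i + 1 < len(tok) and tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address in ACE: {line!r}")
    ace = Ace(tok[0], tok[1], addrs[0], addrs[1])
    while i < len(tok):
        if tok[i] == "eq" and i + 1 < len(tok):
            ace.dports = (_port(tok[i + 1]), _port(tok[i + 1]))
            i += 2
        elif tok[i] == "range" and i + 2 < len(tok):
            ace.dports = (_port(tok[i + 1]), _port(tok[i + 2]))
            i += 3
        elif tok[i] == "established":
            ace.established = True
            i += 1
        else:
            raise ValueError(f"unsupported qualifier in ACE: {line!r}")
    return ace


def effective_acl(port_acl: List[str], host_ip: str, dacl: Optional[List[str]],
                  open_directive: bool = False, auto_default_acl: bool = True) -> List[Ace]:
    """Entries consulted for host_ip after it authenticates, in lookup order."""
    if dacl is None:
        # No dACL from the AAA server: the open directive grants the host everything,
        # otherwise the pre-auth port ACL keeps governing it.
        host_entries = [f"permit ip host {host_ip} any"] if open_directive else []
    else:
        if not port_acl and not auto_default_acl:
            # Pre-12.2(54)SG / 12.2(55)SE: a dACL on a port with no PACL fails authorization.
            raise RuntimeError("%AUTHMGR-5-FAIL: dACL received on a port with no port ACL")
        host_entries = []
        for entry in dacl:
            ace = parse_ace(entry)
            ace.src = host_ip          # the switch substitutes the endpoint's address
            host_entries.append(ace.text())
    return [parse_ace(e) for e in host_entries] + [parse_ace(e) for e in port_acl]


def permitted(acl: List[Ace], src, dst, proto, dport=None, established=False) -> bool:
    """First-match lookup with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst, proto, dport, established):
            return ace.action == "permit"
    return False


# Constructed sample data using the deck's addresses.
PRE_AUTH = ["permit tcp any any established", "permit udp any any eq bootps",
            "permit udp any host 10.100.10.116 eq domain", "permit udp any host 10.100.10.117 eq tftp"]
DACL_FULL = ["permit ip any any"]
DACL_WEB_ONLY = ["permit tcp any any eq www", "permit tcp any any eq https", "deny ip any any"]

if __name__ == "__main__":
    after = effective_acl(PRE_AUTH, "10.100.20.200", DACL_FULL)
    print("installed as:", after[0].text())
    print("HTTP after auth:", permitted(after, "10.100.20.200", "10.1.1.1", "tcp", 80))
```

Note the "deny ip any any" at the end of DACL_WEB_ONLY: because the switch rewrites it to "deny ip host 10.100.20.200 any", it shadows the pre-auth pinholes for that host too, which is the behaviour you want from a restrictive dACL but is easy to forget when the pre-auth ACL was tuned to keep time-sensitive traffic flowing.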
Low Impact: Failed Authentication
Reminder: devices that fail 802.1X (e.g. because the certificate expired) will have restricted access (the pre-auth ACL).
Question: is that sufficient access? (Figure: the SSC user with an expired cert can't get to the IT website to fix it)
Alternative: configure a fallback authentication method (e.g. MAB) with an appropriate authorization policy.
Switch interface config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication event fail action next-method
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator
Result: cert expired -> 802.1X fails -> MAB passes -> HTTP now allowed by the MAB authorization policy

Low Impact: Tune the Host Mode
Reminder: with multi-auth, multiple devices are allowed per port.
Suggestion: in Low Impact Mode, transition to multi-domain (for IP telephony) or single-host (non-IPT).
Switch interface config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication host-mode multi-domain
   authentication open
   authentication event fail action next-method
   authentication port-control auto
   mab
   dot1x pae authenticator

Low Impact In a Nutshell
- Summary: default open plus pre-auth ACL; differentiated access control using dynamic ACLs
- Benefits: minimal impact to endpoints; minimal impact to network
- Limitations: no L2 isolation; some access prior to authentication
- Recommendations: start with the least restrictive port ACLs; use downloadable ACLs if you have ACS; use the open directive to reduce dACL configuration

Scenario 3: Closed Mode
Goals:
- No access before authentication
- Rapid access for non-802.1X-capable corporate assets
- Logical isolation of traffic at the access edge
- Network virtualization solution (see BRKRST-2033 for more on network virtualization)
How to:
- Return to default closed access
- Change timers or the authentication order
- Implement identity-based VLAN assignment

Closed Mode: Switch
Switch global config (add to Monitor Mode):
  aaa authorization network default group radius
  vlan 60
   name data
  vlan 61
   name voice
  vlan 62
   name video
  vlan 63
   name fail-guest-critical
Switch interface config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   no authentication open
   authentication event fail action authorize vlan 63           (Auth-Fail VLAN)
   authentication event no-response action authorize vlan 63    (Guest VLAN; not needed if the AAA server has an unknown-MAC policy)
   authentication event server dead action authorize vlan 63    (Critical VLAN)
   authentication port-control auto
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
Beware tx-period in Closed Mode: with the default 30-second tx-period and two retries a clientless device gets nothing for 90 seconds before MAB runs, which is longer than the DHCP client waits; tx-period 10 brings that down to 30 seconds.

Closed Mode: AAA Server
- If no VLAN is sent, the switch uses the static switchport VLAN
- Configure dynamic VLANs for any user that should be in a different VLAN

Dynamic VLANs Impact Your Network
(Figure: distribution layer with one routed interface per subnet, G0/1 through G0/5 for 10.10.10.x/24 through 10.10.50.x/24)
  VLAN 10: DATA     10.10.10.x/24
  VLAN 20: VOICE    10.10.20.x/24
  VLAN 30: MACHINE  10.10.30.x/24
  VLAN 40: ENG      10.10.40.x/24
  VLAN 50: UNAUTH   10.10.50.x/24
- More VLANs to trunk (multi-layer deployments)
- More subnets to route
- Every assignable VLAN must be defined on every access switch
Best practice: use the fewest possible number of VLANs

Dynamic VLANs Can Impact Endpoints
Non-802.1X endpoints:
- Unaware of VLAN changes; no mechanism to change the IP address
- Best practice: dynamic VLAN in Closed Mode only
Older 802.1X endpoints (e.g. Windows XP):
- Supplicants can renew the IP address on a VLAN change, but the OS and underlying processes may not handle the IP address change gracefully
- Best practice: use the same VLAN for user and machine authentication (Windows)
Newer 802.1X endpoints (e.g. Windows Vista, 7):
- Supplicant and OS can handle VLAN/IP address changes
- Best practice: use the VLAN policy that best matches your security policy

802.1X, Dynamic VLANs, and WoL
802.1X + WoL challenge:
- The device flaps link when it sleeps
- The 802.1X session is cleared
- No network access (closed mode)
- The WoL packet can't get through
Solution: unidirectional access control, so the port still passes traffic toward the sleeping host (the WoL magic packet) while ingress stays blocked until authentication:
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication control-direction in
802.1X + WoL + dynamic VLAN:
- Devices flap link when they sleep
- The 802.1X session is cleared
- The VLAN reverts to the access VLAN
- The WoL packet goes to the dVLAN subnet, where the sleeping device no longer is
Dynamic VLAN + WoL solutions:
- Don't assign VLANs to WoL devices
- Use Low Impact Mode
- Use a hardware (Intel AMT) supplicant

Avoid VLAN Name Changes with User Distribution
Traditional VLAN assignment is by VLAN name: the Access-Accept carries VLAN: corporate, which matches "vlan 30 / name corporate" on switch1 but not switch2, where the equivalent VLAN is "vlan 31 / name corporate-2".
User Distribution assigns by VLAN group (or name), so switch2 can map the same Access-Accept to VLAN 31:
  vlan group corporate vlan-list 31
- Allows flexible adaptation in existing environments
- No need to reconfigure existing VLANs
- Also enables load balancing (a group can list several VLANs)

Limited Dynamic VLAN Assignment Now Available for Multi-Auth
(12.2(55)SE, 15.0(2)SG, 12.2(33)SXJ)
(Figure: PC and VM on a multi-auth port; Access-Accept VLAN: BLUE, Access-Accept VLAN: BLUE, Access-Accept with no VLAN)
- The first successful authentication locks the data VLAN
- Subsequent endpoints must be assigned the same VLAN or no VLAN

Critical VLAN Now Supported With Multi-Auth
(12.2(52)SE, 15.0(2)SG, 12.2(33)SXJ1)
  switch(config-if)#authentication event server dead action authorize vlan 52
  switch(config-if)#authentication event server dead action reinitialize vlan 52

Phones Rely on the RADIUS Server
Normal operation (phone 00.18.ba.c7.bc.ee): RADIUS Access-Request for 00.18.ba.c7.bc.ee -> RADIUS Access-Accept with device-traffic-class=voice -> voice VLAN enabled. Only that VSA can put the phone in the voice VLAN.
When the server is dead, the critical VLAN does not save the phone: the port only enables the data VLAN, and the phone is not in it.
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication event server dead action authorize

Critical Voice VLAN Saves Phones When the AAA Server Dies
(15.0(1)SE, 15.0(2)SG, 12.2(33)SXJ1)
  interface fastEthernet 3/48
   dot1x pae authenticator
   authentication port-control auto
   authentication event server dead action authorize
   authentication event server dead action authorize voice
With both commands, the phone's voice VLAN and the PC's data VLAN are enabled while the server is dead:
  #show authentication session int f3/48
  Critical Authorization is in effect for domain(s) DATA and VOICE

Extending the Network Edge
Hubs on an 802.1X network:
- introduce multiple MACs per port
- may not actually be hubs
- are not managed devices
Ideally, an extended edge:
- extends trust and policy
- uses a managed device
- works on any access port

Network Edge Authentication Topology (NEAT)
Supplicant switch (SSw) in the conference room, authenticator switch (ASw) upstream:
1. The NEAT-capable SSw authenticates itself to the ASw: EAP-Response: SSw -> RADIUS Access-Request [AVP: EAP-Response: SSw] -> RADIUS Access-Accept [device-traffic-class=switch]
2. The ASw converts the port to a trunk
3. The SSw authenticates users and devices in the conference room: EAP-Response: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice] -> RADIUS Access-Accept [VLAN Yellow]
4. The ASw learns the authenticated MACs via the Client Information Signaling Protocol (CISP): allow Alice's MAC

Closed In a Nutshell
- Summary: default closed; differentiated access control using dynamic VLANs
- Benefits: logical isolation at L2; no access for unauthorized endpoints
- Limitations: impact to network; impact to endpoints
- Recommendations: use the fewest VLANs possible; know which devices can't change VLANs; User Distribution helps with VLAN names; enable the Critical Voice VLAN; consider NEAT as needed

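The three scenario configurations above share a handful of rules that are easy to get wrong on a port-by-port basis. The following is an added example, not a Cisco tool and not code from the deck: it reads an IOS running-config fragment, classifies each 802.1X port as Monitor, Low Impact or Closed mode from "authentication open" and the presence of a pre-auth port ACL, and flags the gotchas the deck calls out: the (max-reauth-req + 1) * tx-period MAB delay versus DHCP in Closed Mode, "fail action next-method" with no MAB to fall back to, a voice VLAN on a single-host port, a critical VLAN that does not cover the voice domain, and a missing global "aaa authorization network" (so dACLs and dynamic VLANs from the server are never applied). IOS defaults (tx-period 30 s, max-reauth-req 2) are as stated in the deck; the 60-second DHCP client timeout is an assumed value, and SAMPLE_CONFIG is constructed from the deck's snippets.

```python
"""Audit IOS 802.1X port configs against the Monitor / Low Impact / Closed mode rules.

Added example, not a Cisco tool and not from the deck.  Mode: closed = no 'authentication
open'; low-impact = open plus 'ip access-group ... in'; monitor = open with no port ACL.
IOS defaults (tx-period 30 s, max-reauth-req 2) are as stated in the deck; the 60 s DHCP
timeout is an assumption; SAMPLE_CONFIG is constructed from the deck's snippets.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ = 30, 2


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {interface name: [stanza lines]}); '!' ends a stanza."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _int_after(lines: List[str], prefix: str, default: int) -> int:
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].split()[0])
    return default


def audit_interface(lines: List[str], dhcp_timeout: int = 60) -> Dict:
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    if not has("authentication port-control auto"):
        return {"mode": "no-802.1X", "mab_delay": None, "findings": []}
    if not has("authentication open"):
        mode = "closed"
    elif any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines):
        mode = "low-impact"
    else:
        mode = "monitor"
    mab = has("mab")
    tx = _int_after(lines, "dot1x timeout tx-period ", DEFAULT_TX_PERIOD)
    reqs = _int_after(lines, "dot1x max-reauth-req ", DEFAULT_MAX_REAUTH_REQ)
    # With 'authentication order mab dot1x' the first packet triggers MAB: no 802.1X wait.
    mab_delay = (0 if has("authentication order mab") else (reqs + 1) * tx) if mab else None
    host_mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode ")),
                     "single-host")
    voice = has("switchport voice vlan")
    findings = []
    if mode == "closed" and mab and mab_delay > dhcp_timeout:
        findings.append(f"clientless devices wait {mab_delay}s for MAB, longer than the "
                        f"{dhcp_timeout}s DHCP timeout: lower tx-period or order mab before dot1x")
    if has("authentication event fail action next-method") and not mab:
        findings.append("'fail action next-method' but no next method (mab) on the port")
    if voice and host_mode == "single-host":
        findings.append("voice VLAN on a single-host port: phone plus PC is a violation; "
                        "use host-mode multi-domain")
    if voice and has("authentication event server dead action authorize") \
            and not has("authentication event server dead action authorize voice"):
        findings.append("critical VLAN covers only the data domain: phones drop when AAA is dead; "
                        "add 'authentication event server dead action authorize voice'")
    return {"mode": mode, "mab_delay": mab_delay, "findings": findings}


def audit(config: str, dhcp_timeout: int = 60) -> Dict:
    global_lines, interfaces = parse_config(config)
    report = {name: audit_interface(lines, dhcp_timeout) for name, lines in interfaces.items()}
    global_findings = []
    if any(r["mode"] != "no-802.1X" for r in report.values()) \
            and not any(g.startswith("aaa authorization network") for g in global_lines):
        global_findings.append("'aaa authorization network' missing: dACLs and dynamic VLANs "
                               "returned by the AAA server are never applied")
    return {"interfaces": report, "global": global_findings}


SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
!
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport voice vlan 61
 authentication event fail action authorize vlan 63
 authentication event server dead action authorize vlan 63
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/5
 ip access-group PRE-AUTH in
 authentication event fail action next-method
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/6
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG)["interfaces"].items():
        print(name, result["mode"], result["mab_delay"], *result["findings"], sep="\n  ")
```

Run it against "show running-config" output before flipping ports from Monitor to Closed Mode; the Closed Mode port in the sample (Gi1/4) is the deck's own snippet minus its tx-period tweak and host-mode change, and it picks up all three of the deck's warnings at once.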
Troubleshooting
- Failed authorizations
- Failed authentications
- Timeout-related issues
- Server-dead issues
- IP telephony issues
Troubleshooting In Perspective
Enterprise customer: 70,000 endpoints, Windows native supplicant, PEAP-MSCHAPv2. Additional support staff: less than 5 hours/week. The typical user is unaware of the 802.1X implementation.

Troubleshooting Methodology

Develop and document a methodology. Be aware of role dependencies. Start where the information density is highest:
- A good AAA server can diagnose most failed authentications
- The switch (CLI, SNMP, syslog) helps with failed authorizations and current port status
- Client-side info is sometimes helpful:
  SSC logs: C:\Documents And Settings\All Users\Application Data\Cisco\Cisco Secure Services Client or C:\ProgramData\Cisco\Cisco Secure Services Client
  Microsoft native supplicant: netsh ras set tracing eapol enable and netsh ras set tracing rastls enable, then read %systemroot%\tracing\EAPoL.log
- Sniffer traces are often definitive
802.1X Passed Authentication: Expected (flowchart, Closed Mode and Low Impact Mode)

After an 802.1X pass the switch walks these checks: AAA-based authorization in use? Switch configured for authorization? dACL received, and a port ACL defined on the switch? Dynamic VLAN received, and that VLAN defined on the switch?
Final port status: static port config (switchport VLAN plus port ACL, if any) when no AAA authorization applies; port ACL plus dACL; dynamic VLAN.
802.1X Passed Authentication Problems: Dynamic Authorization Not Enabled (flowchart)

Same flow as the expected case, but the "switch configured for authorization?" check fails: the port ends up with its static config (switchport VLAN plus port ACL, if any) even though 802.1X passed and AAA returned attributes.
Authorization Problem 1: Configuration

End User: access is the default port config ("I don't have enough access" or "I have too much access")
AAA Server: Authentication Passed
Access Switch: port is authorized but without dynamic VLAN or dACL. No syslog: from the switch's point of view this is not an error.
Detection: difficult (nothing indicates that 802.1X is to blame); compare the attributes the AAA server returned with show authentication session on the port
Root Cause: incomplete switch config; without network authorization the switch ignores the VLAN and ACL attributes the server returns
Resolution: (config)# aaa authorization network default group radius
802.1X Passed Authentication Problems: ACL Not Configured (flowchart)

AAA returns a dACL, but no port ACL is defined on the switch. On releases without the ACL enhancement the result is Authz Fail: Quiet Period, after which the port keeps its static config (switchport VLAN plus port ACL, if any).
Authorization Problem 2: Authentication Passed but ACL Authorization Failed

End User: pre-authentication access only
AAA Server: Authentication Passed
Access Switch:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
With epm logging configured:
%EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured

Detection: repeating successful authentications, switch syslogs, absence of accounting records
Root Cause: incorrect switch config on releases before 12.2(54)SG, where a dACL can only be applied on top of a port ACL; with no interface ACL the whole authorization fails
Resolution: (config-if)# ip access-group PRE-AUTH in
802.1X Passed Authentication Problems: Bad VLAN Assignment (flowchart)

AAA returns a dynamic VLAN (or a VLAN group), but that VLAN is not defined on the switch: Authz Fail: Quiet Period, then the static port config (switchport VLAN plus port ACL, if any).
Authorization Problem 3: Authentication Passed but VLAN Authorization Failed

End User: pre-authentication access only
AAA Server: Authentication Passed
Access Switch:
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/13
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13

Detection: repeating successful authentications, switch syslogs, absence of accounting records
Root Cause: incorrect switch config; the VLAN named by AAA does not exist on this switch (or is shut down)
Resolution: (config-vlan)# name Employee
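Authorization Problems 2 and 3 above share a signature: the AAA server keeps logging passes while the switch logs AUTHMGR-5-FAIL and, with epm logging, an EPM or DOT1X_SWITCH message naming the real reason. The following script is an added example, not code from the slides or from Cisco, that runs that detection over switch syslog lines and pairs each authorization failure with the fix the slides give. The sample log is constructed: its first three lines and the DOT1X_SWITCH line are the messages quoted above, the rest are made up to show a repeating failure and a second port. Problem 1 produces no syslog at all and is therefore invisible to this kind of check.

```python
import re
from collections import defaultdict

# Constructed sample log (see lead-in); real input would come from a syslog collector.
SAMPLE_LOG = """\
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
%EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0014.5e95.d6cc |POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-PERMIT-ANY-4999ced8 | RESULT=FAILURE| REASON=Interface ACL not configured
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-5-FAIL: Authorization failed for client (0014.5e95.d6cc) on Interface Gi1/13
%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0011.2233.4455) on Interface Gi1/20
%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN Employee to 802.1x port GigabitEthernet1/20
%AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi1/20
"""

PATTERNS = [
    ("success", re.compile(r"%AUTHMGR-7-RESULT: Authentication result 'success' from '(\w+)' "
                           r"for client \(([0-9a-f.]+)\) on Interface (\S+)")),
    ("authz_fail", re.compile(r"%AUTHMGR-5-FAIL: Authorization failed for client \(([0-9a-f.]+)\) "
                              r"on Interface (\S+)")),
    ("epm", re.compile(r"%EPM-4-POLICY_APP_FAILURE:.*?MAC=([0-9a-f.]+).*?POLICY_NAME=(\S+).*?REASON=(.+)$")),
    ("vlan_missing", re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign "
                                r"non-existent or shutdown VLAN (\S+) to 802.1x port (\S+)")),
]


def short_ifname(name):
    """Normalise 'GigabitEthernet1/20' and 'Gi1/20' to one key; the messages mix both forms."""
    return name.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")


def parse(lines):
    """Turn raw syslog lines into (kind, *fields) tuples, ignoring anything unrecognised."""
    events = []
    for raw in lines:
        for kind, rx in PATTERNS:
            m = rx.search(raw.strip())
            if m:
                events.append((kind, *m.groups()))
                break
    return events


def classify(lines):
    """Pair each authorization failure with the reason logged for it and the matching fix.
    Returns one finding per (MAC, interface) with a repeat count: a rising count next to
    successful authentications and no accounting records is the signature on the slides."""
    events = parse(lines)
    successes = defaultdict(int)
    epm_reason = {}      # MAC -> (policy name, reason) from EPM-4-POLICY_APP_FAILURE
    missing_vlan = {}    # interface -> VLAN name the switch could not assign
    for ev in events:
        if ev[0] == "success":
            successes[ev[2]] += 1
        elif ev[0] == "epm":
            epm_reason[ev[1]] = (ev[2], ev[3].strip())
        elif ev[0] == "vlan_missing":
            missing_vlan[short_ifname(ev[2])] = ev[1]
    findings = {}
    for ev in events:
        if ev[0] != "authz_fail":
            continue
        mac, intf = ev[1], short_ifname(ev[2])
        if (mac, intf) in findings:
            findings[(mac, intf)]["repeats"] += 1
            continue
        if mac in epm_reason and epm_reason[mac][1] == "Interface ACL not configured":
            problem = f"dACL {epm_reason[mac][0]} rejected: no port ACL on {intf}"
            fix = "(config-if)# ip access-group PRE-AUTH in"
        elif intf in missing_vlan:
            vlan = missing_vlan[intf]
            problem = f"dynamic VLAN '{vlan}' does not exist or is shut down on this switch"
            fix = f"(config-vlan)# name {vlan} (or no shutdown if the VLAN exists but is down)"
        else:
            problem = "authorization failed, reason not logged"
            fix = "(config)# epm logging, then reproduce"
        findings[(mac, intf)] = {"mac": mac, "interface": intf, "auth_successes": successes[mac],
                                 "repeats": 1, "problem": problem, "fix": fix}
    return list(findings.values())


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG.splitlines()):
        print(f"{f['interface']} {f['mac']}: {f['problem']} (x{f['repeats']}) -> {f['fix']}")
```

Feed it the output of your syslog collector filtered to AUTHMGR, EPM and DOT1X_SWITCH messages; anything that does not match the four patterns is ignored.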
Syslog Collector Can Help Here!

When Syslogs Are Too Much of a Good Thing

- Embedded Syslog Manager (ESM): device-level syslog filtering and a programmable framework; limited platform support
- Syslog suppression CLI: (config)# no {authentication | dot1x | mab} logging verbose; limited filtering
- Filter by severity: (config)# logging trap 5; filters all syslogs sent to remote hosts (not just the authentication ones)
802.1X Failed Authentication Flow (flowchart)

After an 802.1X fail: is an event-fail action configured? If so, once the max attempts are exceeded the port goes to the Auth-Fail VLAN (1,4) in Closed Mode or to the fallback ACL (2,4) in Low Impact Mode. Otherwise the next method runs: if MAB is configured and passes, AAA-based authorization (2,3,4); else, if Web-Auth is configured and the user supplies a valid username/password and AAA returns a valid dACL with priv-lvl=15, dACL plus fallback ACL; else pre-auth access (2). When the quiet period (or the restart timer, if configured) expires, the process starts over.

1 Subject to change on receipt of EAPoL-Logoff
2 All subsequent EAP traffic will be dropped until reauth or link down
3 See the 802.1X Passed flowchart for details
4 May be impacted by supplicant behavior
802.1X Failed Authentication Overview

End User: pre-authentication access only
AAA Server: best source of info for 802.1X failures. Start troubleshooting here!
Access Switch:
*Mar 5 11:31:41: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.5e95.d6cc) on Interface Gi1/13

Detection: end user, AAA records, switch syslogs
Root Cause: EAP negotiation or credential issue
Resolution: depends on root cause
802.1X Failures: Incompatible EAP Methods

Applies to: all 802.1X authentications
Error: supplicant configured for PEAP, AAA for EAP-TLS
Error: supplicant configured for PEAP-MSCHAPv2, AAA for PEAP-GTC. ACS logs:
12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in the Allowed Protocols
Resolution: configure at least one common EAP method (inner and outer) on ACS and supplicant
Bonus Question: why is there a passed auth record after the failure?
802.1X Credential Failures: Passwords

Applies to: password-based EAP methods (PEAP-MSCHAPv2, EAP-MD5, EAP-FAST)
Error: Unknown User
Error: Known User, Bad Password
Error: Known User, Password Expired
Bonus Question: why is there a passed auth record after this failure?
802.1X Credential Failures: Server Certs

Applies to: EAP methods that use a server-side TLS tunnel, e.g. EAP-TLS, PEAP (figure: supplicant, AAA server and CA; the supplicant must validate the server's certificate before it hands over any credential)

Typical Error Messages:
12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  Helpful supplicants (SSC, AnyConnect 3.0, Windows 7) send a TLS-Alert in their EAP-Response, e.g. TLS-Alert: Unknown CA. Helpful AAA servers (ACS/ISE) reflect the alert in their logs.
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Less helpful supplicants (XP SP2) send bad TLS messages instead of an alert. Helpful AAA servers (ISE) display possible reasons.

Most Common Root Causes:
- AAA server cert is self-signed
- AAA server cert signed by a CA chain that the client doesn't trust
- AAA server cert disallowed by the client's trusted server rules
- AAA server cert expired
- AAA server cert lacks the Server Authentication EKU

Windows Tip: if unchecking the supplicant's server-certificate validation box makes the authentication work, the supplicant doesn't trust the server cert. Use this only as a diagnostic and turn validation back on once the cert is fixed; with validation off, the supplicant will hand its credentials to any AAA server that answers.
802.1X Failures: Client Certificate

Applies to: EAP methods that use a client-side certificate in the TLS tunnel, e.g. EAP-TLS (figure: client, CA, server; server cert authentication still applies: the server cert must be signed by a trusted CA and belong to an allowed server)

Typical Error Messages:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificate's chain
12515 EAP-TLS failed SSL/TLS handshake because of an expired CRL associated with a CA in the client certificate's chain
12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificate's chain

Most Common Root Causes:
- Client cert signed by a CA chain that the AAA server doesn't trust
- Client cert expired
- Client cert CRL expired
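The two certificate slides above turn on one detail: whether the rejecting side sends a TLS alert (which ACS/ISE reflect in a 12321-style log) or just an empty TLS message (the 11514 case). The following decoder is an added example, not code from the slides or from Cisco; it builds constructed EAP-Response packets for a TLS-based method, pulls the TLS record out of the EAP-TLS/PEAP framing and names the alert, so a capture can be read without waiting for the AAA log. The alert-to-root-cause hints are the ones listed on the slides; the packets, IDs and RTT-free framing are constructed for the example.

```python
import struct

EAP_RESPONSE = 2
TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
FLAG_L = 0x80          # EAP-TLS flag: 4-byte TLS message length field present
TLS_ALERT = 0x15       # TLS record content type: alert
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
              51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
              80: "internal_error", 90: "user_canceled"}
# Which root cause from the slides each alert usually points at
HINTS = {48: "the receiver does not trust the CA chain that signed the certificate (self-signed or untrusted CA)",
         45: "certificate expired",
         44: "certificate revoked",
         42: "certificate failed validation on the receiving side",
         46: "certificate rejected by other validation rules on the receiving side"}


def tls_alert_record(level, description):
    """Build a TLS 1.0 alert record: type, version, length, then level and description (constructed)."""
    return bytes([TLS_ALERT, 0x03, 0x01]) + struct.pack("!H", 2) + bytes([level, description])


def eap_tls_response(eap_id, eap_type, tls_data):
    """Build an EAP-Response for a TLS-based method: EAP header, type, flags, optional length,
    then the TLS record. Empty tls_data gives the bare reply a refusing client may send."""
    flags = FLAG_L if tls_data else 0
    body = bytes([eap_type, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def diagnose(pkt):
    """Return (method, alert name or None, one-line diagnosis) for an EAP-Response packet."""
    if len(pkt) < 6:
        return None, None, "malformed: too short for an EAP-Response"
    code, _eap_id, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt):
        return None, None, "malformed: not an EAP-Response or bad length"
    eap_type, flags = pkt[4], pkt[5]
    method = TLS_METHODS.get(eap_type)
    if method is None:
        return None, None, f"EAP type {eap_type} is not a TLS-based method"
    offset = 10 if flags & FLAG_L else 6
    if len(pkt) < offset:
        return method, None, f"{method}: malformed, L flag set but no length field"
    tls = pkt[offset:]
    if not tls:
        # The behaviour the slide attributes to XP SP2: no alert, just an empty reply (ISE 11514).
        return method, None, (f"{method}: empty TLS message, client rejected the server without "
                              f"saying why; check its trust for the AAA server cert")
    if tls[0] == TLS_ALERT and len(tls) >= 7:
        level, desc = tls[5], tls[6]          # alert body follows the 5-byte record header
        name = ALERT_DESC.get(desc, f"alert {desc}")
        hint = HINTS.get(desc, "see TLS alert description")
        return method, name, f"{method}: TLS alert {ALERT_LEVEL.get(level, level)} {name}: {hint}"
    return method, None, f"{method}: TLS record type 0x{tls[0]:02x}, {len(tls)} bytes, handshake continuing"


if __name__ == "__main__":
    print(diagnose(eap_tls_response(5, 25, tls_alert_record(2, 48)))[2])   # PEAP, fatal unknown_ca
    print(diagnose(eap_tls_response(6, 25, b""))[2])                        # PEAP, empty TLS message
    print(diagnose(eap_tls_response(7, 13, tls_alert_record(2, 45)))[2])   # EAP-TLS, certificate_expired
```

The same decoder reads the server-to-client direction (EAP-Request, code 1) if you relax the code check; the alert an ISE or ACS sends for 12514 to 12516 is the mirror image of the ones above.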
802.1X Failure vs. 802.1X Timeout

An 802.1X failure occurs when the AAA server rejects the request:
  Supplicant -> Switch: EAPoL-Start
  Switch -> Supplicant: EAPoL Request-Identity
  Supplicant -> Switch: EAPoL Response-Identity
  Switch -> AAA: RADIUS Access-Request
  AAA -> Switch: RADIUS Access-Reject
  Switch -> Supplicant: EAP-Failure

A timeout occurs when an endpoint can't speak 802.1X:
  Switch -> Endpoint: EAPoL Request-Identity
  Endpoint: "EAP who?" (no supplicant, so no reply; the switch retransmits until its timer expires)
802.1X Timeout Authentication Flow (flowchart)

After 802.1X times out: if MAB is configured and passes, AAA-based authorization*. Else, if Web-Auth is configured and the user supplies a valid username/password and AAA returns a valid dACL with priv-lvl=15, dACL plus fallback ACL. Else, if an event no-response action is configured, the Guest VLAN in Closed Mode or the fallback ACL in Low Impact Mode; otherwise pre-auth access. If a restart timer is configured, the process starts over when it expires.

*See the 802.1X Passed flowchart for details
Subject to change on receipt of EAPoL-Start if 802.1X has priority
Common Timeout-Related Problems

Too long
  Symptoms: no IP address; PXE fail
  Root cause: DHCP timeout < 802.1X timeout
  Solutions: shorten timers, MAB first; Low Impact Mode

Too short
  Symptoms: wrong access levels; excessive control traffic
  Root cause: switch gives up on 802.1X too soon
  Solutions: enable EAPoL-Starts; 802.1X has priority

Just right
  Requirement: testing in your network
  Alternatives: Low Impact Mode; MAB first
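The "too long / too short" trade-off above comes down to how the port's 802.1X window (tx-period times max-reauth-req plus one) compares with the DHCP client's patience and with how soon a supplicant can answer. The following model is an added example, not code from the slides or from Cisco: it walks the configured method order for an endpoint and maps the outcome onto the three buckets. The IOS defaults (30 s tx-period, 2 max-reauth-req) are real; the 60 s DHCP give-up time, the RTTs and the 45 s boot delay of the sample PC are assumptions for the example and should be replaced with values measured in your network, which is exactly the "testing in your network" requirement.

```python
DEFAULT_TX_PERIOD = 30       # IOS default: dot1x timeout tx-period (seconds)
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default: dot1x max-reauth-req
DHCP_CLIENT_GIVES_UP = 60.0  # assumption: seconds a typical DHCP client keeps trying (varies by OS)


def dot1x_timeout_seconds(tx_period=DEFAULT_TX_PERIOD, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Time the switch waits for a supplicant: the first Request-Identity plus max-reauth-req
    retransmits, each tx-period apart. The defaults give 30 * (2 + 1) = 90 s."""
    return tx_period * (max_reauth_req + 1)


def access_timeline(order, tx_period, max_reauth_req, endpoint, dot1x_priority=False,
                    mab_rtt=1.0, dot1x_rtt=3.0):
    """Walk the configured method order for one endpoint and return
    (seconds until first authorization, first method, method that finally applies).
    endpoint: {'supplicant': bool, 'ready_after': seconds until its supplicant can answer,
               'mab_known': MAC is in the AAA database}. The RTTs are assumed values."""
    ready = endpoint["ready_after"] if endpoint["supplicant"] else None
    elapsed, first = 0.0, None
    for method in order:
        if method == "dot1x":
            window = dot1x_timeout_seconds(tx_period, max_reauth_req)
            if ready is not None and ready <= elapsed + window:
                first = (max(elapsed, ready) + dot1x_rtt, "dot1x")   # answered inside the window
                break
            elapsed += window                                        # 802.1X timed out
        elif method == "mab":
            elapsed += mab_rtt
            if endpoint["mab_known"]:
                first = (elapsed, "mab")
                break
    if first is None:
        return elapsed, None, None      # every method exhausted: guest VLAN / pre-auth ACL / nothing
    seconds, method = first
    final = method
    if method == "mab" and ready is not None and dot1x_priority:
        final = "dot1x"   # the supplicant's later EAPoL-Start re-runs 802.1X and overrides the MAB result
    return seconds, method, final


def verdict(order, tx_period, max_reauth_req, endpoint, dot1x_priority=False,
            dhcp_client_timeout=DHCP_CLIENT_GIVES_UP):
    """Map a timeline onto the slide's three buckets."""
    seconds, first, final = access_timeline(order, tx_period, max_reauth_req, endpoint, dot1x_priority)
    if first is None:
        return "no access"
    if seconds > dhcp_client_timeout:
        return "too long"      # symptoms: no IP address, PXE fail
    if endpoint["supplicant"] and final != "dot1x":
        return "too short"     # symptoms: wrong access level, an 802.1X-capable host stuck on its MAB result
    return "just right"


if __name__ == "__main__":
    printer = {"supplicant": False, "ready_after": 0, "mab_known": True}
    booting_pc = {"supplicant": True, "ready_after": 45, "mab_known": True}   # assumed boot delay
    print(verdict(("dot1x", "mab"), 30, 2, printer))                          # too long
    print(verdict(("dot1x", "mab"), 10, 2, printer))                          # just right
    print(verdict(("mab", "dot1x"), 30, 2, printer))                          # just right
    print(verdict(("dot1x", "mab"), 10, 2, booting_pc))                       # too short
    print(verdict(("dot1x", "mab"), 10, 2, booting_pc, dot1x_priority=True))  # just right
```

The last two calls show why "shorten timers" alone is not the end of the story: the shortened window that rescues the printer strands a slow-booting PC on its MAB result unless 802.1X keeps priority and the supplicant's EAPoL-Start is honoured.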
802.1X Server Dead Flow (flowchart)

Start 802.1X with AAA dead: is "authentication event server dead" configured? Yes: Critical VLAN. No: pre-auth access.
Re-auth of an existing session with AAA dead: is "authentication event server dead" configured? Yes: the existing authorization is kept. No: pre-auth access.
Misconfigurations Can Lead to the Appearance of a Dead Server

Symptoms: all authentications fail from a switch or a group of switches; the switch declares a functioning AAA server dead and may deploy the Critical VLAN.

ACS5 Log / Root Cause / Resolution:
- Root Cause: the AAA server does not accept RADIUS requests from this switch. Resolution: configure the AAA server to accept requests from this switch.
- Root Cause: the shared secret is not the same on switch and AAA server. Resolution: configure the same shared secret on switch and AAA server.

In both cases the server silently discards the request rather than rejecting it, so the switch sees only timeouts, which is indistinguishable from a dead server; the ACS log is the only place the real reason shows up.
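To show why a wrong shared secret or an unknown NAS looks exactly like a dead server, the following model is an added example, not code from the slides or from Cisco. It builds a constructed RADIUS Access-Request the way a switch does for an EAP exchange, including the Message-Authenticator that RFC 3579 requires alongside EAP-Message (HMAC-MD5 over the packet, keyed with the shared secret), and then plays the server side: an unknown client or a failed HMAC produces no reply at all, and after its retransmits the switch marks the server dead. The secrets, IPs, identifier and request authenticator are constructed values; the reply is a stand-in for the real Access-Challenge.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def find_message_authenticator(pkt):
    """Walk the attribute list; return the offset of the 16-byte Message-Authenticator value, or None."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2:
            return None
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            return off + 2
        off += length
    return None


def build_access_request(secret, ident, request_authenticator, username, eap_message, include_ma=True):
    """What the switch sends for each EAP round trip. Message-Authenticator is HMAC-MD5 over the
    whole packet, keyed with the shared secret, computed while its own value is all zeros."""
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap_message)
    if include_ma:
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs
    if include_ma:
        off = find_message_authenticator(pkt)
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:off] + mac + pkt[off + 16:]
    return pkt


def verify_access_request(secret, pkt):
    """The server-side checks that run before any reply is considered. Returns (ok, reason)."""
    if len(pkt) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False, "bad code or length"
    off = find_message_authenticator(pkt)
    if off is None:
        return False, "EAP-Message without Message-Authenticator: discarded"
    received = pkt[off:off + 16]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return False, "Message-Authenticator mismatch (shared secret differs?): discarded"
    return True, "ok"


def aaa_server_handle(clients, nas_ip, pkt):
    """clients maps NAS source IP -> shared secret. Returns a reply, or None for a silent discard.
    Both misconfigurations on the slide end here: the server never answers."""
    secret = clients.get(nas_ip)
    if secret is None:
        return None                      # NAS not defined on the server
    ok, _reason = verify_access_request(secret, pkt)
    if not ok:
        return None                      # wrong shared secret, or missing/invalid Message-Authenticator
    return bytes([ACCESS_CHALLENGE])     # stand-in; a real server continues the EAP conversation


def switch_view(clients, nas_ip, pkt, retransmits=3):
    """What the switch concludes after its retransmits go unanswered."""
    for _ in range(retransmits):
        if aaa_server_handle(clients, nas_ip, pkt) is not None:
            return "authenticating"
    return "server marked dead"


if __name__ == "__main__":
    req_auth = bytes(range(16))                         # constructed; a real switch uses 16 random bytes
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"   # EAP-Response/Identity "alice"
    pkt = build_access_request(b"cisco123", 7, req_auth, b"alice", eap_identity)
    print(switch_view({"10.1.1.1": b"cisco123"}, "10.1.1.1", pkt))   # authenticating
    print(switch_view({"10.1.1.1": b"cisco123"}, "10.1.1.2", pkt))   # server marked dead (unknown NAS)
    print(switch_view({"10.1.1.1": b"cisco124"}, "10.1.1.1", pkt))   # server marked dead (wrong secret)
```

The model deliberately leaves out the RADIUS deadtime and retransmit timers; what matters for the slide is that neither misconfiguration ever produces an Access-Reject, so the switch's own counters cannot tell "wrong secret" from "unplugged server".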
802.1X Passed Auth for IP Phones: Expected Behavior with Multi-Domain Authentication (MDA) (flowchart)

After an 802.1X pass in Closed or Low Impact Mode: was device-traffic-class=voice received? Then the same checks as for a data endpoint: AAA-based authorization in use and switch configured for it? dACL received, and a port ACL defined on the switch? Dynamic VLAN received, and that VLAN defined on the switch?
Final port status: static Voice VLAN with port ACL plus dACL; dynamic Voice VLAN; static Voice VLAN.
802.1X Passed Authentication for IP Phones: Authorization Problems with MDA (flowchart)

If device-traffic-class=voice is not received, the phone is authorized into the data domain: with no PC behind the phone it gets access to the DATA VLAN only; with a PC behind the phone the result is a Security Violation. If a dACL or dynamic VLAN is received but the port ACL or VLAN is not defined on the switch: Authz Fail: Quiet Period.
802.1X Failure Flow for IP Phones with MDA (flowchart)

After an 802.1X fail: is "event fail action next-method" configured? If MAB passes, AAA-based authorization*. Else, if Web-Auth is configured: data VLAN plus fallback ACL. Else, is "event fail action" with a VLAN configured? With a PC behind the phone the result is a Security Violation; without one the Auth-Fail VLAN. Otherwise pre-auth access; if a restart timer is configured, the process starts over when it expires.

*See the 802.1X IP Phone Passed flowchart for details
802.1X Timeout Flow for IP Phones (flowchart)

After 802.1X times out: is MAB configured and does it pass? AAA-based authorization*. Else, if Web-Auth is configured: data VLAN plus fallback ACL. Else, is an "event no-response" VLAN configured? With a PC behind the phone the result is a Security Violation; without one the Guest VLAN. Otherwise pre-auth access; if a restart timer is configured, the process starts over when it expires.

*See the 802.1X IP Phone Passed flowchart for details
Conclusion: Key Takeaways

Start simple and evolve:
- Monitor mode before access control
- Least restrictive ACLs, fewest VLANs
- Optimize deployment scenarios with new features

Document the expected flows for your implementation:
- Know where every device and user should / could end up

Start at a central point and work outward as required; a good AAA server is invaluable.
Most Important: Think at the System-Level (figure: the areas that interact in an 802.1X deployment)
- Authentication: credentials, DBs, EAP, supplicants, agentless, order/priority
- Authorization: pre-auth, VLAN, ACL, failed auth, AAA down; definition, policy, enforcement, rollout
- Desktops: Windows GPO, machine auth, PXE, WoL, VMs
- Endpoints: phones, link state, VMs, desktop switches, multiple endpoints
- Teamwork & organization: network, IT, desktop
- Encryption and confidentiality
Where To Find Out More

www.cisco.com/go/ibns
www.cisco.com/go/trustsec
Deployment Scenario Design Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Deployment Scenario Config Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
IEEE 802.1X Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
MAB Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Web Auth Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
Flex Auth App Note: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
IP Telephony Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
MACsec Deep Dive: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html