# Migrating Your LAN to IEEE 802.1X

Gaweł Mikołajczyk, [email protected]
Consulting Systems Engineer, Emerging Markets East
CCIE #24987, CISSP-ISSAP

## Session Objectives

At the end of the session, you should understand:

- How 802.1X works
- The benefits of deploying 802.1X
- How to configure and deploy 802.1X using Cisco switches, ACS 5.1 and various supplicants
- How to integrate existing technologies such as IP telephony, guest access, PXE, etc.
- The value and application of deployment scenarios
- How to make this work when you get back to your lab

You should also:

- Provide us with feedback!

Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

## Identity and Authentication Overview

## Why Identity Is Important

| | Question | Mechanism | Goal |
|---|---|---|---|
| 1 | Who are you? | 802.1X (or a supplementary method) authenticates the user | Keep the outsiders out |
| 2 | Where can you go? | Based on authentication, the user is placed in the correct VLAN | Keep the insiders honest |
| 3 | What service level do you receive? | The user can be given per-user services (ACLs today, more to come) | Personalize the network |
| 4 | What are you doing? | The user's identity and location can be used for tracking and accounting | Increase network visibility |

## IEEE 802.1X: The Foundation of Identity

Supplicant (802.1X client) <-- EAP over LAN (EAPoL) --> Authenticator (e.g. switch, access point) <-- RADIUS --> Authentication server

- IEEE 802.1 working group standard
- Provides port-based access control using authentication
- Defines the encapsulation for the Extensible Authentication Protocol (EAP) over IEEE 802 media: "EAPoL"
- Enforcement via MAC-based filtering and port-state monitoring

## Default Port State without 802.1X

- No authentication required
- No visibility
- No access control
## Default Security with 802.1X: Before Authentication

- No visibility (yet)
- Strict access control
- One physical port becomes two virtual ports:
  - Uncontrolled port (EAPoL only)
  - Controlled port (everything else)

```
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
```

ALL traffic except EAPoL is dropped.

## Default Security with 802.1X: After Authentication

- User/device is known
- Identity-based access control
- Single MAC per port
- Looks the same as without 802.1X (same interface configuration as above)

Authenticated User: Sally
Authenticated Machine: XP-ssales-45

"Having read your mind Sally, that is true: unless you apply an authorization, access is wide open. We can restrict access via dynamic VLAN assignment or downloadable ACLs."

## Identity and Authentication: 802.1X, EAP, and RADIUS

## A Closer Look at 802.1X

Supplicant (SSC) <-- Layer 2 point-to-point --> Authenticator <-- Layer 3 link --> Authentication Server

1. Supplicant -> Authenticator: EAPoL Start (port unauthorized)
2. Authenticator -> Supplicant: EAP ID-Request
3. Supplicant -> Authenticator: EAP ID-Response; Authenticator -> Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
4. Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]; Authenticator -> Supplicant: EAP-Request: PEAP
5. Supplicant -> Authenticator: EAP-Response: PEAP; Authenticator -> Server: RADIUS Access-Request [AVP: EAP-Response: PEAP] (multiple challenge-request exchanges possible)
6. Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-nnn]; Authenticator -> Supplicant: EAP Success (port authorized)
7. Supplicant -> Authenticator: EAPoL Logoff (port unauthorized)

## What Does EAP Do?

- Establishes and manages the connection
- Allows authentication by encapsulating various types of authentication exchanges
  - The actual authentication exchanges are called EAP methods
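The following is an added example, not Cisco code and not part of the presentation. It models the authenticator side of the slides above as a small port state machine: the uncontrolled port always delivers EAPoL to the PAE, the controlled port drops everything until the server returns Access-Accept, only the authenticated MAC may then send (the single-MAC-per-port default), and EAPoL Logoff returns the port to the unauthorized state. Frames are summarised as (MAC, EtherType, EAPoL type) tuples and the RADIUS reply as a code plus a dictionary of attributes; the `dACL` key is a simplified stand-in, while `Tunnel-Private-Group-ID` is the standard RFC 2868 attribute used for VLAN assignment. The MAC addresses and the port name are constructed sample values.

```python
"""Toy model of an IEEE 802.1X authenticator port (switch side).

Added example, not Cisco code. Frames are summarised as tuples and the
RADIUS reply as a code plus attribute dict; no real packets are parsed.
"""
from dataclasses import dataclass, field
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2


@dataclass
class Port:
    name: str
    state: str = "UNAUTHORIZED"       # UNAUTHORIZED -> AUTHENTICATING -> AUTHORIZED
    mac: Optional[bytes] = None       # the single MAC allowed once authorized
    vlan: Optional[int] = None        # dynamic VLAN from Access-Accept
    dacl: Optional[str] = None        # downloadable ACL name from Access-Accept
    events: list = field(default_factory=list)

    def ingress(self, src_mac: bytes, ethertype: int, eapol_type: Optional[int] = None) -> str:
        """Decide what happens to one frame arriving on the physical port."""
        if ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPoL always reaches the PAE, in any state.
            return self._pae(src_mac, eapol_type)
        # Controlled port: everything else is dropped until authorized, and
        # afterwards only the authenticated MAC may send.
        if self.state == "AUTHORIZED" and src_mac == self.mac:
            return "FORWARD"
        self.events.append(f"drop {ethertype:#06x} from {src_mac.hex()} in {self.state}")
        return "DROP"

    def _pae(self, src_mac: bytes, eapol_type: Optional[int]) -> str:
        if eapol_type == EAPOL_START and self.state != "AUTHORIZED":
            self.state, self.mac = "AUTHENTICATING", src_mac
            return "SEND EAP-Request/Identity"
        if eapol_type == EAPOL_LOGOFF and src_mac == self.mac:
            self._unauthorize()
            return "PORT UNAUTHORIZED"
        if eapol_type == EAPOL_EAP_PACKET and self.state == "AUTHENTICATING" and src_mac == self.mac:
            return "RELAY EAP IN RADIUS Access-Request"
        return "IGNORE"

    def radius_reply(self, code: str, avps: dict) -> str:
        """Apply the authentication server's decision to the port."""
        if self.state != "AUTHENTICATING":
            return "IGNORE"
        if code == "Access-Challenge":
            return "RELAY EAP-Request TO SUPPLICANT"
        if code == "Access-Accept":
            self.state = "AUTHORIZED"
            self.vlan = avps.get("Tunnel-Private-Group-ID")  # RFC 2868 VLAN assignment
            self.dacl = avps.get("dACL")                      # simplified stand-in for the dACL AVP
            return "PORT AUTHORIZED"
        self._unauthorize()                                   # Access-Reject
        return "PORT UNAUTHORIZED"

    def _unauthorize(self) -> None:
        self.state, self.mac, self.vlan, self.dacl = "UNAUTHORIZED", None, None, None


def demo() -> dict:
    """Walk the EAPoL/RADIUS exchange and record what the port does at each step."""
    port = Port("FastEthernet3/48")
    alice = bytes.fromhex("001122334455")   # constructed supplicant MAC
    rogue = bytes.fromhex("66778899aabb")   # constructed second MAC on the same port
    r = {}
    r["ip_before"] = port.ingress(alice, IPV4_ETHERTYPE)            # DROP: port unauthorized
    r["start"] = port.ingress(alice, EAPOL_ETHERTYPE, EAPOL_START)
    r["identity"] = port.ingress(alice, EAPOL_ETHERTYPE, EAPOL_EAP_PACKET)
    r["challenge"] = port.radius_reply("Access-Challenge", {})
    r["peap"] = port.ingress(alice, EAPOL_ETHERTYPE, EAPOL_EAP_PACKET)
    r["accept"] = port.radius_reply("Access-Accept", {"Tunnel-Private-Group-ID": 10, "dACL": "dACL-nnn"})
    r["vlan"], r["dacl"] = port.vlan, port.dacl
    r["ip_after"] = port.ingress(alice, IPV4_ETHERTYPE)             # FORWARD
    r["ip_rogue"] = port.ingress(rogue, IPV4_ETHERTYPE)             # DROP: single MAC per port
    r["logoff"] = port.ingress(alice, EAPOL_ETHERTYPE, EAPOL_LOGOFF)
    r["ip_logoff"] = port.ingress(alice, IPV4_ETHERTYPE)            # DROP again after logoff
    r["state"] = port.state
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>10}: {outcome}")
```

The point the model makes visible is the one the slides make: before Access-Accept the only thing that crosses the port is EAPoL, and after it the authorization the server returns (VLAN, dACL) is what actually limits where the authenticated host can go.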
- Provides a flexible link-layer security framework
  - Can run over any link layer (PPP, 802, etc.)
- Defined by RFC 3748

Encapsulation on each leg:

| Link | Layers (outer to inner) |
|---|---|
| Supplicant <-> Authenticator | Ethernet header / 802.1X header / EAP payload |
| Authenticator <-> Authentication server | IP header / UDP / RADIUS / EAP payload |

## EAP Authentication Methods

Challenge-response-based:

- MD5: uses MD5-based challenge-response for authentication
- LEAP: username/password authentication
- EAP-MSCHAPv2: username/password MSCHAPv2 challenge-response authentication

Cryptographic-based:

- EAP-TLS: X.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling methods:

- PEAP: encapsulates other EAP types in an encrypted tunnel
- EAP-TTLS: encapsulates other EAP types in an encrypted tunnel
- EAP-FAST: designed to not require client certificates

Other:

- EAP-GTC: generic token and OTP authentication
- EAP-SIM: SIM-based authentication

## Tunneling Methods

- Some EAP methods set up an encrypted tunnel and pass credentials through the tunnel
- An anonymous outer identity provides the ability to completely obfuscate the user's credentials
  - SSC / ACS: Yes
  - Windows Native / IAS: No
- Some EAP methods require an EAP method inside the tunnel (PEAP and FAST)
- Some EAP methods do not require an EAP method inside the tunnel (TTLS); used with legacy RADIUS
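To make the two encapsulations from "What Does EAP Do?" concrete, here is an added example (not from the presentation, not Cisco code) that builds one EAP Identity-Response and carries it both ways: inside an EAPoL frame on the supplicant-to-authenticator link, and inside RADIUS EAP-Message attributes on the authenticator-to-server link, protected by the Message-Authenticator HMAC-MD5 that RFC 3579 requires whenever EAP-Message is present. It also shows the receiving side reassembling the EAP packet from several EAP-Message attributes and rejecting a packet whose HMAC does not verify. The shared secret, identity, MAC address and request ID are constructed sample values.

```python
"""One EAP packet, two encapsulations: EAPoL and RADIUS EAP-Message.

Added example, not from the presentation. Shared secret, identity, MAC and
request ID are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

# EAP (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
# EAPoL (IEEE 802.1X)
EAPOL_ETHERTYPE = 0x888E
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
# RADIUS (RFC 2865, RFC 3579)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def eap_identity_response(eap_id, identity):
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1) and Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def eapol_frame(src_mac, eap):
    """Ethernet header + EAPoL header + EAP payload (supplicant -> authenticator)."""
    eth = PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap))
    return eth + eapol + eap


def eap_from_eapol(frame):
    """Strip the 14-byte Ethernet and 4-byte EAPoL headers to recover the EAP packet."""
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPoL frame")
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPoL frame carries no EAP packet")
    return frame[18:18 + length]


def _attr(code, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", code, 2 + len(value)) + value


def radius_access_request(req_id, request_authenticator, identity, eap, secret):
    """Authenticator -> server: same EAP bytes, split over EAP-Message attributes,
    with Message-Authenticator = HMAC-MD5(secret, packet with the value zeroed)."""
    attrs = _attr(ATTR_USER_NAME, identity.encode())
    for i in range(0, len(eap), 253):              # EAP-Message carries at most 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    ma_offset = 20 + len(attrs)                    # where Message-Authenticator will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, req_id, 20 + len(attrs))
    packet = bytearray(header + request_authenticator + attrs)
    packet[ma_offset + 2:ma_offset + 18] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Yield (code, offset, value) for each attribute after the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated RADIUS attribute header")
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out.append((code, pos, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet, secret):
    """Server-side check: exactly one 16-byte Message-Authenticator that matches."""
    ma = [(off, val) for code, off, val in parse_attributes(packet) if code == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False
    off, received = ma[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def eap_from_radius(packet):
    """Reassemble the EAP packet by concatenating EAP-Message values in order."""
    return b"".join(val for code, _, val in parse_attributes(packet) if code == ATTR_EAP_MESSAGE)


def demo():
    secret = b"constructed-shared-secret"
    eap = eap_identity_response(1, "alice")
    frame = eapol_frame(bytes.fromhex("001122334455"), eap)   # constructed supplicant MAC
    req = radius_access_request(7, os.urandom(16), "alice", eap_from_eapol(frame), secret)
    tampered = req[:-1] + bytes([req[-1] ^ 0x01])             # flip one bit of the HMAC
    return {
        "eap": eap,
        "eap_from_eapol": eap_from_eapol(frame),
        "eap_from_radius": eap_from_radius(req),
        "mac_ok": verify_message_authenticator(req, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "wrong_secret_ok": verify_message_authenticator(req, b"other-secret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The EAP bytes are identical on both legs; only the outer headers change, which is why the authenticator never needs to understand the EAP method in use. The Message-Authenticator check is what stops a host on the RADIUS path from forging or altering EAP-carrying requests without the shared secret, so the secret's strength and the reachability of the RADIUS port deserve the same attention as the switch port itself.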
## EAP Protocols: Feature Support

| | EAP-TLS | PEAP | EAP-FAST |
|---|---|---|---|
| Single Sign-on | Yes | Yes | Yes |
| Login Scripts (Active Directory) | Yes | Yes | Yes |
| Password Expiration (AD) | N/A | Yes | Yes |
| Client and OS Availability | SSC, XP, Win7 and others | SSC, XP, Win7 and others | SSC, Win7 and others |
| MS DB Support | Yes | Yes | Yes |
| LDAP DB Support | Yes | Yes | Yes |
| OTP Support | No | Yes | Yes |
| Off-line Dictionary Attacks | No | No | No |
| Server Certificates Required | Yes | Yes | No |
| Client Certificates Required | Yes | No | No |
| Computing Impact | High | Medium | Low |

## Factors that Drive EAP Method

Use as many methods as needed, depending on devices.

- Enterprise security policy
  - Certificate Authority deployment may drive the EAP type
  - Two-factor authentication may require EAP-TLS
  - Security vs. convenience trade-offs
- Client support
  - Windows supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS
  - 3rd-party supplicants support a large variety of EAP types, but not all
- Authentication server support
  - RADIUS servers support a large variety of EAP types, but not all
- Identity store
  - PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format
  - Not every identity store supports all the EAP types

## Identity & Authentication: Who (or What) Authenticates?

## Problem Statement

- Who should the network authenticate?
  - A user using a device
  - A device
  - Both the user and the device
- Device boot process and network connectivity assumption
  - Boot without using network resources: standalone
  - Boot from the network: Xterm, NetPC, PXE
  - Boot and use network resources: networked Network File System
  - Managed devices: connection to LDAP, Active Directory
  - Device health check: patch level checker, central AV system
## Example: Network Assumption (Microsoft Windows)

Boot and logon sequence:

1. Power On
2. Kernel Loading
3. Windows HAL Loading
4. Device Driver Loading
5. Obtain Network Address (Static, DHCP)
6. Determine Site and DC (DNS, LDAP)
7. Establish Secure Channel to AD (LDAP, SMB)
8. Kerberos Authentication (Machine Account)
9. Computer GPOs Loading (Async)
10. GPO-based Startup Script Execution
11. Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
12. GINA
13. Kerberos Auth (User Account)
14. User GPOs Loading (Async)
15. GPO-based Logon Script Execution (SMB)

Everything from obtaining a network address onwards carries an inherent assumption of network connectivity. With 802.1X user authentication only, the earliest network connectivity comes at the GINA logon, so the machine-account components that run before it (secure channel, machine Kerberos authentication, computer GPOs, startup scripts, auto-enrollment, time sync, dynamic DNS) are broken.

## 802.1X Device and User Authentication

- User authentication ONLY
  - Possible when the device has no dependency on network resources
  - Can run a user script to access network resources post-login; be careful, this can break Microsoft group and system policies
- Device authentication ONLY
  - Mandatory as soon as a dependency on network resources exists
  - Authorization is linked to the device, not to the user using the device
- Device and User
  - Authorization is highly flexible
  - Advanced features needed on supplicants
  - Synchronization needed with other applications and processes on the client PC: DHCP, DNS, NFS, etc.
  - Switches contexts when going from one to the other
## Microsoft Windows Example: User and Device Authentication

Three boot timelines built from the same stages (Power Up, Load NDIS Drivers, DHCP, Setup Secure Channel to DC, Apply Computer GPOs, Windows Update, Present GINA, Domain Auth to DC) differ in where the 802.1X authentication occurs:

- User Authentication: 802.1X User Auth happens at the GINA logon. No connectivity to the domain controller until the user logs in.
- Machine Authentication: 802.1X Machine Auth happens early in the boot process, directly after the NDIS drivers load, so DHCP, the secure channel to the DC and the computer GPOs all run with network connectivity.
- User + Machine Authentication: 802.1X Machine Auth early in the boot process, then a second 802.1X authentication and a second DHCP exchange at user logon ...