Edge Port Security using IEEE 802.1x
Implementing Network-Edge Security with 802.1x
Enhancements to all areas of Organizational Security
Michael Votaw
RCC-E Network Monitoring Team Lead
[email protected]
Overview
Network based Authentication
IEEE 802.1X Authentication
RFC 3580 and Enhancements
Network Access Control
Security Tools Enhancements
Network Based Authentication
What are we really talking about?
Types of authentication
- MAC Authentication (MAB)
- IEEE 802.1X
Who, Where, When? – What is the value
History and forensics
Authentication sources - RADIUS
- Microsoft 2003 IAS / Microsoft 2008 NPS
- FreeRADIUS
- Steel-belted RADIUS
- Many, Many, others
The benefits of automation with this new information
IEEE 802.1X Authentication
History
- Authored by Members from Microsoft, Cisco, Enterasys, HP
- Ratified in late 2001
What need did it fill? How it is used?
- Centralized command and control
- Port control without the tedious work
- DHCP Phobias
Who supports it?
- Switch vendors – Extreme/Enterasys, Cisco, Brocade/Foundry, HP, many others
- Operating systems – Microsoft XP, Vista, 7 & 8, Mac OS X, Linux, others
- Devices – IP phones from Avaya, Siemens, Cisco, and many more
- Devices – Print servers from HP, Lexmark, Xerox
How does it work?
802.1X Basic Components
User
- Valid user (AD/RADIUS)
- Printer
- Phone
- Certificate-based
Supplicant
- Microsoft XP, Vista, 7 & 8
- Mac OS X
- Linux
- Open1X
- Printers
- Phones
Network Device
- Enterasys
- Cisco
- Foundry
- Extreme
- HP
- Many others
Authentication Server (RADIUS)
- Windows AD
- FreeRADIUS
- OpenRADIUS
- Steel-Belted RADIUS
- Many others
802.1X Basic Flow
Supplicant to switch: Username/Password (EAP over EAPOL)
Switch to RADIUS server – attributes carried in the Access-Request:
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
RADIUS server to switch – attributes returned in the Access-Accept:
- Filter-Id
- Tunnel-Private-Group-ID
Basic 802.1X Port Control
Before Authentication
After Authentication
802.1X Message Exchange
- All messages on the client side are ethertype 888E (EAPOL/PAE)
- All messages between switch and server are RADIUS packets
- Most switch vendors enhance this with multi-method and multi-user authentication
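The client-side leg of the exchange above is nothing but Ethernet frames of type 888E. The decoder below is an added example, not code from the slides: it picks EAPOL out of a frame, walks the EAPOL and EAP headers with length checks, and pulls the identity out of an EAP-Response/Identity. The sample frames (supplicant 00:11:22:33:44:55, identity "alice") are constructed here; the group address, ethertype, codes and type numbers are the standard values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Standard constants from IEEE 802.1X / RFC 3748 (the slides name the 888E ethertype and EAP types).
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # Port Access Entity group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class EapolSummary:
    src: str
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    identity: Optional[str] = None   # filled only for EAP-Response/Identity


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_eapol(frame: bytes) -> bool:
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_eapol_frame(frame: bytes) -> EapolSummary:
    """Decode an Ethernet frame carrying EAPOL; raise ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    if not is_eapol(frame):
        raise ValueError("not EAPOL: ethertype 0x%04x" % struct.unpack("!H", frame[12:14])[0])
    _version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + plen]
    if len(body) != plen:
        raise ValueError("EAPOL body length field exceeds the frame")
    summary = EapolSummary(_mac(src), _mac(dst), EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:                      # Start/Logoff/Key carry no EAP packet
        return summary
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > len(body):
        raise ValueError("EAP length field inconsistent with EAPOL body")
    summary.eap_code = EAP_CODES.get(code, f"unknown({code})")
    summary.eap_id = eap_id
    if code in (1, 2) and elen >= 5:    # Request/Response carry a Type byte
        eap_type = body[4]
        summary.eap_type = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if code == 2 and eap_type == 1:
            summary.identity = body[5:elen].decode("utf-8", errors="replace")
    return summary


def build_eapol_frame(src: bytes, dst: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble Ethernet + EAPOL (version 1) + optional EAP body; used here to construct samples."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, ptype, len(body)) + body


# Constructed sample frames from a hypothetical supplicant 00:11:22:33:44:55.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
_identity = b"alice"
_eap_response_identity = struct.pack("!BBH", 2, 1, 5 + len(_identity)) + b"\x01" + _identity
SAMPLE_EAPOL_START = build_eapol_frame(SUPPLICANT_MAC, PAE_GROUP_ADDR, 1)
SAMPLE_EAP_IDENTITY = build_eapol_frame(SUPPLICANT_MAC, PAE_GROUP_ADDR, 0, _eap_response_identity)
SAMPLE_NOT_EAPOL = PAE_GROUP_ADDR + SUPPLICANT_MAC + b"\x08\x00" + bytes(20)   # an IPv4 frame

if __name__ == "__main__":
    for frame in (SAMPLE_EAPOL_START, SAMPLE_EAP_IDENTITY):
        print(parse_eapol_frame(frame))
```

Note that the outer identity in EAP-Response/Identity travels in clear on the wire; that is one reason the tunnelled methods (PEAP, EAP-TTLS) listed later carry the real credential inside TLS.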
802.1X Continued
Support for periodic re-auth, and manual re-auth
EAP Types - Industry Standard
- MD5 – basic
- PEAP – Microsoft & Cisco
  - Protected EAP, now dominant in the industry
- EAP-TLS (EAP-Transport Layer Security)
  - Requires a digital certificate on each supplicant (see RFC 2716)
EAP Types – Proprietary
- EAP-TTLS (Tunneled TLS Authentication Protocol) – Juniper Software
  - TTLS does not require a digital cert (see Internet Draft)
- LEAP – Cisco
  - Lightweight EAP (proprietary); Cisco moving to PEAP
802.1X on wireless
- Encryption, Rotating keys, Integration of Users and Enterprise Authentication
The Future – 802.1AE
- Key exchange and encryption between clients, switches, and routers
Enhancing 802.1X
Dynamic VLAN support (RFC 3580)
- Dynamically assign a user, phone, or device to a VLAN based on RADIUS response
- Can allow for user mobility throughout the enterprise
Dynamic ACL support
- Restrict unauthorized protocols
- Enhance others with QoS(phone, critical applications)
Multi-User
- Most enterprise-class switches today support multiple users authenticating per port
Multi-Method
- Many vendors support MAC+802.1X to help with supplicant support
PAE Mib
- SNMP access, control, and statistics over the 802.1X experience
Guest Access
- Many vendors support an auth-fail VLAN, or provide alternate access support
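The dynamic VLAN and ACL decisions above arrive in the RADIUS Access-Accept as Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID (RFC 3580) and Filter-Id. The example below is added here and is not code from the slides or from any RADIUS product: it shows the switch-side handling, first checking the Response Authenticator against the shared secret (so an Accept that was not produced by the real server is dropped rather than opening the port), then decoding the tagged tunnel attributes into a VLAN decision. The shared secret, Request Authenticator, VLAN "10" and Filter-Id value are constructed placeholders, not the keys from the switch configurations later in the deck.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_FILTER_ID, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_integer(tag: int, value: int) -> bytes:
    return bytes([tag]) + value.to_bytes(3, "big")     # RFC 2868 tagged integer: tag byte + 3 value bytes


def parse_attributes(data: bytes) -> list:
    """Return (type, value) pairs; reject lengths that run past the packet."""
    pos, attrs = 0, []
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("attribute header truncated")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length inconsistent with packet")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch side: recompute the Response Authenticator and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def _split_tag(value: bytes):
    # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is the first byte of the string.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def authorization_from_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Return the port decision a switch would derive from a verified Access-Accept/Reject."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: drop packet, do not open the port")
    result = {"accept": packet[0] == ACCESS_ACCEPT, "vlan": None, "filter_id": None}
    if not result["accept"]:
        return result
    tunnels = {}                                     # tag -> {"type", "medium", "group"}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            result["filter_id"] = value.decode("utf-8", errors="replace")
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            key = "type" if attr_type == ATTR_TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, group = _split_tag(value)
            tunnels.setdefault(tag, {})["group"] = group.decode("utf-8", errors="replace")
    # RFC 3580: the VLAN applies only when all three tunnel attributes agree on VLAN over 802 media.
    for tun in tunnels.values():
        if tun.get("type") == TUNNEL_TYPE_VLAN and tun.get("medium") == TUNNEL_MEDIUM_IEEE802 and "group" in tun:
            result["vlan"] = tun["group"]
            break
    return result


# Constructed sample exchange; secret and Request Authenticator are placeholders.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))          # stands in for the 16 random bytes the switch sent
ACCEPT_ATTRS = [
    encode_attribute(ATTR_TUNNEL_TYPE, tagged_integer(1, TUNNEL_TYPE_VLAN)),
    encode_attribute(ATTR_TUNNEL_MEDIUM_TYPE, tagged_integer(1, TUNNEL_MEDIUM_IEEE802)),
    encode_attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"),
    encode_attribute(ATTR_FILTER_ID, b"Enterprise-User"),
]
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 42, REQUEST_AUTH, SECRET, ACCEPT_ATTRS)
FORGED_ACCEPT = build_response(ACCESS_ACCEPT, 42, REQUEST_AUTH, b"guessed-secret", ACCEPT_ATTRS)
SAMPLE_REJECT = build_response(ACCESS_REJECT, 43, REQUEST_AUTH, SECRET, [])

if __name__ == "__main__":
    print(authorization_from_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("forged accept verifies:", verify_response(FORGED_ACCEPT, REQUEST_AUTH, SECRET))
```

The authenticator check is the whole reason the shared secrets in the switch configurations matter: the VLAN and ACL a port ends up in is only as trustworthy as the secret that authenticates the Accept.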
Basic Steps for Implementation in a Lab
Setup NPS on Microsoft AD
- Simple configuration
- No Certificates
Enable 802.1X on your network device
- Set up your RADIUS server
- Turn on 802.1X with “dot1x” commands
Setup Windows 7
- Go with Protected EAP
- Don’t validate server certs
- Deselect “Automatically use my Windows logon name”
Once tested, move to a more secure model using host and server certificates
(strong, mutual authentication)
A phased approach can be used, enabling only some users and network devices.
Group policy can be employed for configuration of end-systems
Basic NPS Setup
Configuration of RADIUS Clients
NPS Can Permit/Deny Based on Groups
EAP Methods Configured
Adding RADIUS Attributes
Basic Switch Config (Cisco)
! Global: hand 802.1X authentication and network authorization to RADIUS, enable 802.1X system-wide
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip radius source-interface Vlan99
radius-server attribute nas-port format c
radius-server host 192.168.99.4 auth-port 1812 acct-port 1813 key #$TR3g42f34yytV3r4f
radius-server vsa send accounting
radius-server vsa send authentication
! Per port: switch acts as authenticator, port stays closed until authenticated, periodic re-auth on
interface FastEthernet0/17
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
Basic Switch Configuration (Brocade/Foundry)
! Global: enable 802.1X, re-authentication and timers, auth-fail VLAN for guest access, ports 1-16
dot1x-enable
 re-authentication
 timeout quiet-period 30
 timeout re-authperiod 2000
 timeout tx-period 3
 auth-fail-vlanid 10
 enable ethe 1 to 16
aaa authentication dot1x default radius
hostname fesx448
radius-server host 192.168.5.6 auth-port 1812 acct-port 1813 default key 1 $fl%}lq9}%0qPf:}%fBPfl dot1x
! Per port: port closed until authenticated
interface ethernet 1
 dot1x port-control auto
 dot1x disable-filter-strict-security
 port-name rm101-sw1-e1
MAC Authentication
Authenticates a device using the source MAC address of received packets
Overview of Authentication Process
- The authenticator (switch) sends the following as credentials for authentication:
  - Username: Source MAC of end system
  - Format of MAC address is XX-XX-XX-XX-XX-XX
  - Password: Locally configured password on the switch
- Username and password sent to backend RADIUS server for authentication
- If credentials are valid, RADIUS Access-Accept message (possibly with Filter-ID or Tunnel attributes) is returned to switch
MAC authentication enables switches to authenticate end systems that do not support an 802.1X supplicant or web browser (e.g. printers) to the network
- No special software is required for an end system to MAC authenticate
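On the RADIUS side, a MAC authentication request is just a User-Name that happens to be a MAC in XX-XX-XX-XX-XX-XX form plus the switch's configured password. The policy below is an added example, not code from the slides or from any RADIUS server: it normalises whatever MAC spelling the switch sends (dashes, colons, Cisco dotted), checks the password in constant time, looks the device up in an inventory and returns only that device's restricted VLAN and Filter-Id. The inventory, the password and the VLAN numbers are constructed placeholders.

```python
import hmac
import re
from typing import Optional

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff and return
    the XX-XX-XX-XX-XX-XX form the slides describe, or None if the string is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory of supplicant-less devices, keyed by normalised MAC. Each entry carries
# the limited-purpose VLAN and Filter-Id the server should return for it (RFC 3580 style).
MAB_INVENTORY = {
    "00-11-22-33-44-55": {"role": "printer", "vlan": "20", "filter_id": "Printers-Only"},
    "00-11-22-33-44-66": {"role": "phone", "vlan": "30", "filter_id": "Voice"},
}
MAB_PASSWORD = "constructed-mab-password"   # placeholder for the switch's locally configured password


def mab_decision(username: str, password: str, inventory: dict = MAB_INVENTORY,
                 expected_password: str = MAB_PASSWORD) -> dict:
    """Server-side policy for one MAB Access-Request: accept/reject plus the attributes to
    return. A MAC is an identifier, not a secret, so an accept only ever grants the device's
    own restricted VLAN/ACL and never a user-level role."""
    mac = normalize_mac(username)
    if mac is None:
        return {"accept": False, "reason": "username is not a MAC address"}
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return {"accept": False, "mac": mac, "reason": "MAB password mismatch"}
    device = inventory.get(mac)
    if device is None:
        return {"accept": False, "mac": mac, "reason": "MAC not in device inventory"}
    return {"accept": True, "mac": mac, "role": device["role"],
            "vlan": device["vlan"], "filter_id": device["filter_id"]}


if __name__ == "__main__":
    print(mab_decision("0011.2233.4455", MAB_PASSWORD))
    print(mab_decision("00:11:22:33:44:77", MAB_PASSWORD))
```

Keeping MAB accepts confined to a device VLAN and ACL is what makes the multi-method (MAC + 802.1X) port safe to run: the printer gets printing, and nothing more, regardless of which port it appears on.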
Client Configuration
Network Access Control – The Next Step
NAC and 802.1X are not the same
The 5 functions of NAC
- Detection
- Authentication
- Authorization
- Assessment
- Remediation
802.1X provides a foundation by filling the first three phases of NAC
Using RFC 3580, control can be exercised over the VLAN or ACL
Log data can be sent to log servers for historical and forensic information
Network Access Control – The Next Step
Information now available to NAC solutions…
- MAC address of client
- The Username
- Exact port where request came from
- The IP of the switch
- The method of authentication (MAC, 802.1X)
- The IP address (through DHCP snooping)
- The time of Login
- The time of Logout
- Any VLAN or ACL that was applied
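The list above is exactly what RADIUS accounting Start/Stop records carry, and the "Who, Where, When" value of the deck comes from being able to query them later. The example below is added here and is not code from the slides or from any NAC product: it pairs Start and Stop records by Acct-Session-Id into sessions and answers the two forensic questions that come up most, which user was on a given switch port at a given time, and which port and MAC held a given IP address. The log lines, the key=value layout, the "Auth-Method" field (not a standard RADIUS attribute) and every address in them are constructed.

```python
import re
from datetime import datetime

# Constructed accounting records; attribute names are the RADIUS accounting attributes a
# switch sends, but the key=value layout and all values are made up for this example.
SAMPLE_ACCOUNTING_LOG = """\
2013-03-04T08:02:11 Acct-Status-Type=Start Acct-Session-Id=0001 User-Name=alice Calling-Station-Id=00-11-22-33-44-AA NAS-IP-Address=192.168.99.10 NAS-Port-Id=FastEthernet0/17 Framed-IP-Address=10.1.5.23 Tunnel-Private-Group-ID=10 Auth-Method=dot1x
2013-03-04T08:05:40 Acct-Status-Type=Start Acct-Session-Id=0002 User-Name=00-11-22-33-44-55 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=192.168.99.10 NAS-Port-Id=FastEthernet0/3 Framed-IP-Address=10.1.5.40 Tunnel-Private-Group-ID=20 Auth-Method=mab
2013-03-04T12:30:02 Acct-Status-Type=Stop Acct-Session-Id=0001 User-Name=alice Calling-Station-Id=00-11-22-33-44-AA NAS-IP-Address=192.168.99.10 NAS-Port-Id=FastEthernet0/17 Acct-Session-Time=16071
"""

_KV = re.compile(r"(\S+?)=(\S+)")


def parse_record(line: str) -> dict:
    timestamp, rest = line.split(" ", 1)
    record = {"time": datetime.fromisoformat(timestamp)}
    record.update(_KV.findall(rest))
    return record


def build_sessions(log_text: str) -> dict:
    """Pair Start and Stop records by Acct-Session-Id into who/where/when sessions."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = {
                "user": rec["User-Name"], "mac": rec["Calling-Station-Id"],
                "switch": rec["NAS-IP-Address"], "port": rec["NAS-Port-Id"],
                "ip": rec.get("Framed-IP-Address"), "vlan": rec.get("Tunnel-Private-Group-ID"),
                "method": rec.get("Auth-Method"), "login": rec["time"], "logout": None,
            }
        elif rec["Acct-Status-Type"] == "Stop":
            if sid in sessions:
                sessions[sid]["logout"] = rec["time"]
            else:   # Stop without a Start (lost record): keep it visible rather than dropping it
                sessions[sid] = {"user": rec["User-Name"], "mac": rec.get("Calling-Station-Id"),
                                 "switch": rec["NAS-IP-Address"], "port": rec.get("NAS-Port-Id"),
                                 "ip": None, "vlan": None, "method": None,
                                 "login": None, "logout": rec["time"]}
    return sessions


def _active_at(session: dict, at: datetime) -> bool:
    if session["login"] is None:
        return False
    return session["login"] <= at and (session["logout"] is None or at <= session["logout"])


def who_was_on_port(sessions: dict, switch: str, port: str, at_iso: str) -> list:
    """Which user(s) were authenticated on this switch port at that moment?"""
    at = datetime.fromisoformat(at_iso)
    return [s["user"] for s in sessions.values()
            if s["switch"] == switch and s["port"] == port and _active_at(s, at)]


def where_was_ip(sessions: dict, ip: str, at_iso: str) -> list:
    """Which switch, port, MAC and auth method held this IP at that moment?"""
    at = datetime.fromisoformat(at_iso)
    return [(s["switch"], s["port"], s["mac"], s["method"]) for s in sessions.values()
            if s["ip"] == ip and _active_at(s, at)]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_ACCOUNTING_LOG)
    print(who_was_on_port(sessions, "192.168.99.10", "FastEthernet0/17", "2013-03-04T10:00:00"))
    print(where_was_ip(sessions, "10.1.5.40", "2013-03-04T13:00:00"))
```

Where the switch does not report Framed-IP-Address, the IP-to-MAC binding comes from DHCP snooping as the slide notes; the session table is the same either way, and it is what turns a security alert carrying only an IP address into a switch port and a person.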
NAC Dashboard – End Systems View
How Network-Auth Enhances Security Tools
Integrate Network Authentication User tracking with Security Information Management capabilities.
Result: Track down systems that cause security breaches with new levels of speed and accuracy.
IEEE 802.1X Conclusion
The primary reason for using 802.1X authentication in your network is security, protecting against:
- Unauthorized access to a network
- Denial of Service (DoS) attacks
- Theft of services
Support:
- Almost all enterprise-class switches support 802.1X authentication
- More and more operating systems and network-attached devices
Reference Information
IEEE 802.1X - Port Based Network Access Control
- http://www.ieee802.org/1/pages/802.1x.html
IEEE 802.1X - Overview
- http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF
RFC 3580 Information
- http://www.ietf.org/rfc/rfc3580.txt
Using 802.1X Port Auth To Control Who Can Connect To Your Network
- http://www.itdojo.com/synner/pdf/synner2.pdf
802.1X Port-Based Authentication HOWTO. Setting up XSupplicant.
- http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html
Configuring IEEE 802.1X for Mac OS X
- http://docs.info.apple.com/article.html?path=Mac/10.5/en/8640.html