ACS - Introduction – Overall Flow / ACS Distributed Deployment
CiscoEXPO, © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public

Page 1 (slide 1)

ACS

Page 2 (slide 2)

ACS 4.x: Group-Based Policy Model

User Groups (example):
  Employee Group - Permissions: Employee_VLAN; Restrictions: None
  NetAdmin Group - Permissions: Full Access; Restrictions: None
  Guest Group - Permissions: Guest_VLAN; Restrictions: Time_of_Day

Group-based policy
• The user is authenticated & associated to a group
• Authorization is based on the static permissions and restrictions of the user's group
• The user is subjected to the SAME restrictions and gets the SAME permissions ALWAYS
• Works well if identity is the dominant or only condition
• Does not work well for complex authorisation policies based on dynamic conditions, e.g. an employee who should get full access when on-site and restricted access when coming in remotely

Page 3 (slide 3)

Group-based Model Forces Group Proliferation
1. Example: 7 groups required for a 3-condition scenario (Wired, Wireless, VPN):
     Wired users        Wired+Wireless      Wired+Wireless+VPN
     Wireless users     Wireless+VPN
     VPN users          Wired+VPN
2. 2ⁿ - 1 groups required (n is the number of policy conditions)
3. Potentially 2ⁿ⁻¹ groups to update for a single condition authorization change, i.e. every group that includes that condition (4 group edits in the above example)

     n        2   3   4    5    6
     2ⁿ - 1   3   7   15   31   63

Page 4 (slide 4)

ACS 5.0 Graphical User Interface
1. Lightweight, secure, intuitive and easy to use web-based GUI
2. Does not require additional client software for GUI access

Page 5 (slide 5)

ACS 5.0 Monitoring & Reports Component
1. Integrated advanced monitoring, reporting & troubleshooting capabilities for maximum control and visibility
   - Easy to use GUI
   - Flexible presentation tools
2. Consolidation of data across an ACS deployment

Page 6 (slide 6)

Authentication Report Snapshot

Page 7 (slide 7)

ACS 5 : Rules-Based Policy Model

Policy Elements:
  Identity: Employee Group, NetAdmin Group, Guest Group
  + Other Conditions: Location, Job Title, Access Type, Time & Date, Engineering, Human Resources
  -> Authorization Profiles: Login VLAN, Guest, Quarantine, Deny Access

Policy Rules (example):
  CONDITIONS                    RESULT
  ID GROUP    LOCATION          AZN PROFILE
  ENG         SJ_CAMPUS         SJ_ENG
  ENG         RTP_CAMPUS        RTP_ENG
  ENG         EXTERNAL          EXT
  IF NO MATCH                   DENY ACCESS

• Identity is decoupled from permissions
• Authorisation is based on identity and conditions, specified as policy rules
• IF <condition(s)> THEN <permission>

Page 8 (slide 8)

Policy Simplification
1. The 7 groups of the group-based model:
     Wired users        Wired+Wireless      Wired+Wireless+VPN
     Wireless users     Wireless+VPN
     VPN users          Wired+VPN
2. become 3 rules in the rules-based model:
     ID Group         Access Type   Authorisation
     Wired users      Wired         Wired access
     Wireless users   Wireless      Wireless access
     VPN users        VPN           VPN access

Page 9 (slide 10)

Access Services Implement ACS Policy
All authentication/authorisation requests are processed by an Access Service in ACS 5:
  AAA Request -> Access Service -> AAA Response

Page 10 (slide 11)

Introduction – Overall Flow (cont.)
1. Data is extracted from the request (e.g. Username, Protocol, NAD IP, etc.)
2. NAD lookup adds NDG information such as Location and NAD Type
3. The Service Selection Policy (SSP) routes processing to the appropriate Access Service
4. Inside the selected Access Service (Access Service 1 in the diagram shows the full pipeline; Access Service 2 the minimal one, with Identity Policy and Authorization Policy only):
   - Protocols filter: can reject the request if it does not match the service's allowed authentication protocol settings
   - Identity Policy: handles authentication & identity attributes
   - Group Mapping: matches the normalized identity group
   - External Policy Check: retrieves additional information from external policy servers (e.g. posture servers)
   - Authorization Policy: determines the set of attributes that comprise the response
5. Outgoing Response

Page 11 (slide 12)

ACS Service Selection Policy
The Service Selection policy defines to which Access Service ACS should direct authentication requests:
  AAA Request -> Service Selection -> Access Service 1 | Access Service 2 | Access Service 3 -> AAA Response

ACS Service Selection Criteria:
• AAA protocol
• Network device group
• ACS server
• Request attributes
• Date and time
• AAA client

Page 12 (slide 13)

Access Service Components
  AAA Request -> Access Service [Identity Policy -> Authorisation Policy] -> AAA Response
1. Identity Policy: selects the Identity Store (or stores) to be used for authentication and retrieval of identity attributes
2. Authorization Policy: the heart of ACS, where all collected attributes are evaluated to arrive at an authorisation decision

Page 13 (slide 14)

Identity Policy
Policy to select the identity stores that are used to authenticate and retrieve attributes/group info.
Flexibility in selection of identity store:
• Static: "Always use LDAP"
• Conditional: "Use CORP_AD if MSCHAPv2 is used"

  Authentication Method   Identity Store
  X509 Certificate        Certificate Profile
  MSCHAPv2                CORP_AD
  If no match             Deny Access

Page 14 (slide 15)

Authorisation Policy

  ID Group   Location   Access Type   Time & Date   Compliance      Azn Profile
  ENGR       -          -             -             Compliant       ENG
  ENGR       -          -             -             Not Compliant   PUB, ENG
  CONT       CAMPUS     WIRED         DAY           Compliant       CONT
  CONT       CAMPUS     WIRELESS      DAY           Compliant       CONT_WLAN
  PRINTERS   CAMPUS     WIRED         -             -               PTR
  DEFAULT (if no match found)                                       QUAR

• First match (permissions cannot be merged across rules)
• Discrete columns per condition element
• Authorisation profiles may be combined in rule results; conflict resolution via precedence order
• Allows a "hierarchy" of authorisation profiles and reduces proliferation of individual profiles
• Default rule (if no match found)
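The table above can be checked by hand, but the behaviour that matters for a deployment (first match only, a default rule, and several profiles merged by precedence) is easiest to see in code. The following is an added example written for this page, not Cisco code and not the ACS implementation: it models the authorization policy table exactly as transcribed, while the profile contents (VLAN IDs, ACL names) and the sample requests are constructed for illustration. The Identity Policy table on the previous page has the same first-match shape.

```python
"""Minimal model of the ACS 5 rules-based authorization policy on this page
(added example, not Cisco code). Implements the slide's properties: discrete
condition columns, first-match evaluation, a default rule, and rule results
that list several authorization profiles merged by precedence order.
Profile contents and sample requests are constructed, not from the slides."""

from dataclasses import dataclass

ANY = "-"   # the "-" cell on the slide: this column is not evaluated

# Constructed authorization profiles: name -> RADIUS attributes to return.
PROFILES = {
    "ENG":       {"Tunnel-Private-Group-ID": "100", "Filter-Id": "ENG-ACL"},
    "PUB":       {"Tunnel-Private-Group-ID": "900"},   # public/remediation VLAN
    "CONT":      {"Tunnel-Private-Group-ID": "200", "Filter-Id": "CONT-ACL"},
    "CONT_WLAN": {"Tunnel-Private-Group-ID": "210", "Filter-Id": "CONT-ACL"},
    "PTR":       {"Tunnel-Private-Group-ID": "300"},
    "QUAR":      {"Tunnel-Private-Group-ID": "999", "Filter-Id": "QUAR-ACL"},
}

COLUMNS = ("id_group", "location", "access_type", "time", "compliance")


@dataclass(frozen=True)
class Rule:
    conditions: tuple   # one value per COLUMNS entry, or ANY
    profiles: tuple     # result: profile names in precedence order

    def matches(self, request):
        return all(want == ANY or request.get(col) == want
                   for col, want in zip(COLUMNS, self.conditions))


# The authorization policy table from the slide, row by row, in order.
POLICY = (
    Rule(("ENGR",     ANY,      ANY,        ANY,   "Compliant"),     ("ENG",)),
    Rule(("ENGR",     ANY,      ANY,        ANY,   "Not Compliant"), ("PUB", "ENG")),
    Rule(("CONT",     "CAMPUS", "WIRED",    "DAY", "Compliant"),     ("CONT",)),
    Rule(("CONT",     "CAMPUS", "WIRELESS", "DAY", "Compliant"),     ("CONT_WLAN",)),
    Rule(("PRINTERS", "CAMPUS", "WIRED",    ANY,   ANY),             ("PTR",)),
)
DEFAULT_PROFILES = ("QUAR",)   # "DEFAULT (if no match found)"


def merge_profiles(names):
    """Combine the profiles of one rule result. On an attribute conflict the
    profile listed first wins (conflict resolution via precedence order)."""
    merged = {}
    for name in names:
        for attr, value in PROFILES[name].items():
            merged.setdefault(attr, value)
    return merged


def authorize(request):
    """First-match evaluation over POLICY, falling back to the default rule.
    Returns (profile names applied, merged RADIUS attributes). Permissions
    are never merged across rules: only the first matching row counts."""
    for rule in POLICY:
        if rule.matches(request):
            return rule.profiles, merge_profiles(rule.profiles)
    return DEFAULT_PROFILES, merge_profiles(DEFAULT_PROFILES)


if __name__ == "__main__":
    # Constructed requests: the attributes collected by the access service.
    samples = [
        {"id_group": "ENGR", "compliance": "Compliant"},
        {"id_group": "ENGR", "compliance": "Not Compliant"},
        {"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRED",
         "time": "NIGHT", "compliance": "Compliant"},   # no row matches -> QUAR
    ]
    for req in samples:
        print(req, "->", authorize(req))
```

The non-compliant engineer row shows the precedence rule: PUB is listed first, so its VLAN wins, while the ACL name still comes from ENG. A contractor on campus outside the DAY window matches no row and lands in QUAR, which is the behaviour to test for before trusting a default rule in production.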

Page 15 (slide 16)

ACS 5 Policy Configuration Overview
• Access Service building blocks
• Service Selection policy and Access Service definition

Page 16 (slide 18)

Network Resources: ACS 4 vs ACS 5

Page 17 (slide 19)

Network Resources: Key Changes
1. ACS 5 supports a single device definition for the same RADIUS and TACACS+ client
2. Change from flat, exclusive device grouping to overlapping, multiple, hierarchical grouping
3. ACS 5.1 supports a Default Network Device

Page 18 (slide 20)

Powerful ACS 5 Device Grouping

Flat ACS 4 device grouping (one exclusive group per combination):
  Africa-Southern-SouthAfrica-Firewalls
  Africa-Southern-SouthAfrica-Switches
  Africa-Southern-SouthAfrica-Routers
  Africa-Southern-Namibia-Firewalls
  Africa-Southern-Namibia-Switches
  Africa-Southern-Namibia-Routers
  Africa-Southern-Botswana-Firewalls
  Africa-Southern-Botswana-Switches
  Africa-Southern-Botswana-Routers

ACS 5 multiple device hierarchies (a device sits in one node of each hierarchy):
  Device Type Hierarchy
    All Devices
      Routers: Router1, Router2
      Switches: Switch1, Switch2
  Location Hierarchy
    All Devices
      Africa Devices
        Southern Devices
          SouthAfrica Devices: Router2, Switch2
      Asia Devices

• A single attribute (the "Southern Devices" node) references all Southern African devices
• Combine nodes from different hierarchies in policy to reference the device intersection (e.g. Southern Devices AND Switches)
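How a node condition covers a subtree, and how two hierarchies intersect, is shown in this added example (not Cisco code and not how ACS stores NDGs internally). The node names follow the slide; the device inventory, the colon-separated path notation and the Asia/Namibia placements are constructed for illustration.

```python
"""Hierarchical network device groups as on this slide (added example, not
Cisco code): a policy condition names one node and matches every device in
that node's subtree; conditions from different hierarchies intersect.
Device inventory and path notation are constructed for illustration."""

# Each device is placed in exactly one node per hierarchy (its most specific
# node) and is implicitly a member of every ancestor of that node.
SOUTHERN = "All Devices:Africa Devices:Southern Devices"
DEVICES = {
    "Router1":   {"Location": "All Devices:Asia Devices",
                  "Device Type": "All Devices:Routers"},
    "Router2":   {"Location": SOUTHERN + ":SouthAfrica Devices",
                  "Device Type": "All Devices:Routers"},
    "Switch1":   {"Location": "All Devices:Asia Devices",
                  "Device Type": "All Devices:Switches"},
    "Switch2":   {"Location": SOUTHERN + ":SouthAfrica Devices",
                  "Device Type": "All Devices:Switches"},
    "Firewall1": {"Location": SOUTHERN + ":Namibia Devices",     # constructed placement
                  "Device Type": "All Devices:Firewalls"},
}


def in_node(device_node, condition_node):
    """True if device_node is condition_node or lies in its subtree. The ':'
    guard keeps 'Southern Devices' from matching a sibling 'Southern DevicesX'."""
    return device_node == condition_node or device_node.startswith(condition_node + ":")


def device_matches(name, conditions, devices=DEVICES):
    """Evaluate a policy condition set (hierarchy -> node) for one NAD, as a
    service-selection or authorization rule would for the request's device."""
    placement = devices[name]
    return all(in_node(placement[h], node) for h, node in conditions.items())


def select_devices(conditions, devices=DEVICES):
    """All devices matching every condition: the intersection of the named
    subtrees. One node per hierarchy covers a whole region or device class."""
    return sorted(name for name in devices if device_matches(name, conditions, devices))


if __name__ == "__main__":
    print("Southern Africa:", select_devices({"Location": SOUTHERN}))
    print("Southern Africa switches:",
          select_devices({"Location": SOUTHERN, "Device Type": "All Devices:Switches"}))
```

With the flat ACS 4 scheme the same two questions would need the nine combined groups listed on the slide, and adding a fourth country or device type multiplies them; with hierarchies each new leaf is one node, and existing rules that name an ancestor pick it up unchanged.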

Page 19 (slide 21)

Network Devices With Multiple Group Assignment
Adding devices to device groups

Page 20 (slide 22)

Default Network Device
ACS will use the Default Network Device for AAA clients that haven't been defined in ACS.
Caveat: any host that can reach the AAA ports and presents the default device's shared secret is then accepted as an AAA client, so keep that secret distinct from the per-device secrets and limit which networks can reach ACS.

Page 21 (slide 24)

Users and Identity Stores: ACS 4 vs ACS 5

Page 22 (slide 25)

ACS 5 : Rules-Based Policy Model (the same slide as page 7, repeated as the introduction to this section)

Page 23 (slide 26)

Users and Identity Stores: Key Changes
1. ACS internal users and user-groups are no longer containers of permissions and no longer define access policy
   - All access policy is rules-based and attribute-driven
2. ACS no longer requires a user to be assigned to a user-group
3. External user-groups are attributes that can be used directly in access policy – group mapping is no longer required
4. ACS 5.x internal users provide an extensible schema to define user-level attributes that can be used in access policy rules
5. ACS 5 internal "groups" are described in a hierarchical tree where each node is a group attribute that can be assigned to an internal user, and therefore be referenced in access policy
6. Identity Store Sequences are used to combine different identity stores for use in a single authentication/authorization request

Page 24 (slide 27)

Extensible ACS User Schema
Custom schema attributes are available as policy attributes.

Page 25 (slide 28)

Hierarchical User Grouping
Hierarchical grouping for ACS internal users, also available in policy.

Page 26 (slide 29)

External Groups - Mapping Not Required
Directory groups selected here can be used directly in policy conditions without having to map them to an ACS group first.
Group selection is available for LDAP and AD directories.

Page 27 (slide 30)

Directory Attributes
Directory attributes specified here become available as conditions and result values in access policy.

Page 28 (slide 31)

Different Identity Stores For Authentication And Authorisation
This Identity Store Sequence allows authentication to an OTP server, while an LDAP directory is queried for authorisation information.

Page 29 (slide 33)

Policy Elements: ACS 4 vs ACS 5

Page 30 (slide 34)

Policy Elements - Conditions and Authorization Profiles: Key Changes
1. Policy conditions and authorization permissions are no longer part of users and user-groups
   - The ACS 5 model extends the ACS 4 Shared Profile Components concept
   - All conditions and permissions are defined as reusable components
   - These reusable components are referenced in the rules-based policy

Page 31 (slide 35)

Date & Time Condition Elements

Page 32 (slide 36)

RADIUS Attributes In Authorisation Profiles

Page 33 (slide 37)

Dynamic Authorisation Values: Using Directory Attributes in Authorisation Profiles
• The user's directory attribute, VLAN, will be queried for the VLAN Id to be used
• Common Tasks automatically create the corresponding RADIUS attributes in the authorisation profile

Page 34 (slide 38)

ACS Deployment

Page 35 (slide 39)

ACS 5.1 Platform Options
• 1120/1121 Hardware Appliance: one rack-unit (1RU) Linux-based appliance
• VMware Appliance: complete appliance image for installation on VMware ESX 3.5 or 4.0

Page 36 (slide 41)

ACS 5.x Configuration Replication Model (Primary -> Secondaries)
• Incremental replication
• Full synchronization – no subset options
• Automatically triggered on change
• Flat two-tier (primary/secondary) model – no cascading replication
• Config updates on the primary only, except for AAA password updates

Page 37 (slide 42)

ACS Distributed Deployment
1. Consists of multiple ACS instances that are managed together
   - One Primary and multiple Secondary servers
   - All ACS instances are identical (run the full ACS software version)
   - Each ACS can play a specific role in the deployment
2. Incremental replication model
   - The Primary ACS is the single point of configuration and monitors the secondary servers
   - Automatic incremental replication to the Secondary servers
(Diagram: ACS Master replicating to three ACS Secondaries: initial database download, then incremental replication.)

Page 38 (slide 44)

ACS 5.1 View Dashboard

Page 39 (slide 45)

ACS View Detailed Authentication Information

Page 40 (slide 46)

ACS 5.1 Identity Stores
1. Internal users
2. Active Directory
3. LDAP directories
4. One-Time Password (OTP) servers
   - RSA SecurID
   - Others (using the RADIUS interface)
5. RADIUS proxy servers
6. No ODBC support

Page 41 (slide 49)

Low-end of ACS 5.1 Performance (authentications/second, by identity store)

  Auth Type          Internal   AD     LDAP
  PAP                500        100    800
  CHAP               500        500    N/A
  TACACS+            400        160    1200
  MSCHAP             500        300    N/A
  PEAP-MSCHAP        200        100    N/A
  PEAP-GTC           200        100    300
  EAP-TLS            200        180    270
  LEAP               330        280    N/A
  FAST-MSCHAP        120        120    N/A
  FAST-GTC           130        110    190
  MAC-Auth Bypass    750        N/A    2000

Page 42 (slide 50)

Performance Notes
1. Expect up to a 50% performance drop on the log collector ACS
2. Expect 10-50% higher authentication performance on the 1121 appliance
3. Assumes session resume and fast reconnect are enabled where applicable for EAP protocols

Page 43 (slide 51)

Minimum ACS Deployment
1. Consists of 2 servers
2. The primary server provides all the configuration, authentication and policy requirements for the network
3. The second server is used as a backup server
4. Replication from the primary ACS to the secondary ACS keeps the secondary server in synchronization

Page 44 (slide 52)

Medium Growing ACS Deployment
1. As the AAA traffic grows, add additional Cisco Secure ACS servers
2. Consider splitting server functions: the primary server for configuration and log collection only, the secondary servers for AAA functions

Page 45 (slide 53)

Larger ACS Deployment
1. In a large, centralized network consider the use of a load balancer
2. Dedicated primary and log collector ACS servers

Page 46 (slide 54)

Promoting a Secondary to be a Master
(Diagram: ACS Master with DB download / incremental replication to three ACS Secondaries; the failed master is marked X and one secondary becomes the Promoted Master.)
1. Each secondary could take the role of the master
2. Promotion of a secondary to master is manual
3. The master (if it has not failed) is stopped
   - Replication is allowed to complete
   - The promoted secondary notifies all ACS instances
   - On promotion the secondary interrogates all instances for their replication status

Page 47 (slide 55)

Implementing Phased Deployments

Page 48 (slide 56)

What Is a Deployment Scenario?
1. A set of configuration guidelines designed to meet a particular deployment goal
   - Simplify deployments by following a blueprint
   - Increase efficiency by combining features that interoperate most effectively
   - Phase deployments for minimal impact to end users
   - Customize the basic blueprint as needed
2. General principles:
   - Start simple
   - Start with minimal restrictions
   - Evolve as necessary

Page 49 (slide 57)

Scenario 1: Monitor Mode Overview
(Diagram: SSC)

Monitor Mode Goals
• No impact to existing network access
• See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
• Deterrence through accountability

Monitor Mode: How To
• Enable 802.1X & MAB
• Enable Open Access: all traffic in addition to EAP is allowed (like not having 802.1X enabled, except that authentications still occur)
• Enable Multi-Auth host mode
• Disable Authorization

Page 50 (slide 58)

Monitor Mode: Network Access Table (host mode: Multi-Auth)

  Authentication Status           Endpoints                            Authorization (Network Access)
  Pre-802.1X                      All                                  Open
  Successful 802.1X               Employees                            Open
  Failed 802.1X                   Failed Employees, Contractor/Guest   Open
  No 802.1X (no client)           Corporate Asset, Contractor/Guest    Next-Method (MAB)
  Successful MAB                  Corporate Asset                      Open
  Successful 802.1X               Phones                               Open
  Successful MAB                  Phones                               Open
  Failed MAB                      Contractor/Guest                     Open
  No 802.1X, MAB (server down)    All                                  Open

Page 51 (slide 59)

Monitor Mode: Switch (basic 802.1X/MAB in Monitor Mode)

Switch Global Config:
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  ! 1645/1646 are the legacy RADIUS ports (IANA assigned 1812/1813); "cisco" is the
  ! slide's placeholder shared secret, use a long random secret per switch in production
  radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
  radius-server vsa send authentication

Switch Interface Config:
  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ! multi-auth: every MAC on the port is authenticated individually
   authentication host-mode multi-auth
   ! open access: traffic is forwarded before and regardless of the authentication result
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator

Page 52 (slide 60)

Monitor Mode: AAA Server and Endpoints

AAA Server - should be fully configured except for authorization policy:
• Communication with AAA clients (i.e. switches)
• Communication with the credential repository (e.g. AD, MAC database)
• PKI (CA certs, server cert)
• EAP configuration
• MAB configuration

Endpoints - should be fully configured:
• PKI (CA certs, client cert) or other credentials
• Supplicants configured & installed everywhere supported
• Enable machine auth
• Enable user auth if needed

Page 53 (slide 61)

Monitor Mode: Next Steps
(Diagram: SSC)

RADIUS Authentication & Accounting Logs provide:
• Passed/failed 802.1X/EAP attempts: list of valid 802.1X-capable endpoints, list of invalid 802.1X-capable endpoints
• Passed/failed MAB attempts: list of valid MACs, list of invalid or unknown MACs

Monitor Mode Next Steps
• Evaluate the remaining risk
• Prepare the network for access control in later phases

Page 54 (slide 62)

Preparing for Access Control: Fix 802.1X Errors
Observed failure: (screenshot)
Fix: import an ACS server certificate signed by the enterprise CA

Page 55 (slide 63)

Preparing for Access Control: Put Valid MACs in the MAB Database
Observed failure: (screenshot)
Fix: import MAC.CSV into the MAB database
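The two "observed failure / fix" slides above are driven by the monitor-mode logs from page 53. The following added example (not Cisco code, not the ACS View report format) shows the triage: split the RADIUS authentication records into the valid/invalid 802.1X and MAB lists, group 802.1X failures by reason so the certificate-trust problem on page 54 is visible separately from bad passwords, and produce candidate MAC.CSV rows for repeat unknown MACs. The log lines are constructed in a simple key=value layout for the example; real records are laid out differently, so parse() is the part to adapt.

```python
"""Monitor-mode log triage (added example, not Cisco code). Builds the lists
the slides call for from RADIUS authentication records and emits candidate
MAC.CSV rows. The log layout below is constructed for the example."""

import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample log (not real ACS output).
SAMPLE_LOG = """\
2010-03-01T08:00:01 status=PASS method=dot1x user=alice mac=00:11:22:33:44:01 nas=10.100.10.5
2010-03-01T08:00:05 status=FAIL method=dot1x user=bob mac=00:11:22:33:44:02 nas=10.100.10.5 reason=client_rejected_server_cert
2010-03-01T08:00:09 status=PASS method=mab mac=00:11:22:33:44:03 nas=10.100.10.5
2010-03-01T08:00:12 status=FAIL method=mab mac=00:11:22:33:44:04 nas=10.100.10.5 reason=unknown_mac
2010-03-01T08:00:20 status=FAIL method=dot1x user=carol mac=00:11:22:33:44:05 nas=10.100.10.6 reason=bad_password
2010-03-01T08:00:31 status=FAIL method=mab mac=00:11:22:33:44:04 nas=10.100.10.5 reason=unknown_mac
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Yield one dict per record: the timestamp plus every key=value field."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(FIELD.findall(rest))
        rec["ts"] = ts
        yield rec


def summarize(log_text):
    """Split records into the monitor-mode lists: valid/failed 802.1X endpoints
    (failures grouped by reason, since the fix differs per reason) and
    valid/unknown MAB MACs (unknown ones counted, to find repeat offenders)."""
    s = {"dot1x_valid": set(), "dot1x_failed": defaultdict(set),
         "mab_valid": set(), "mab_unknown": Counter()}
    for r in parse(log_text):
        key = (r.get("method"), r.get("status"))
        if key == ("dot1x", "PASS"):
            s["dot1x_valid"].add(r["mac"])
        elif key == ("dot1x", "FAIL"):
            s["dot1x_failed"][r.get("reason", "unknown")].add(r.get("user", r["mac"]))
        elif key == ("mab", "PASS"):
            s["mab_valid"].add(r["mac"])
        elif key == ("mab", "FAIL") and r.get("reason") == "unknown_mac":
            s["mab_unknown"][r["mac"]] += 1
    return s


def mab_candidates_csv(summary, min_seen=2):
    """Candidate MAC.CSV rows for MACs seen unknown at least min_seen times.
    MAB trusts a spoofable address, so a human confirms each device before
    the row is imported into the MAB database."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["MAC", "Description"])
    for mac, seen in sorted(summary["mab_unknown"].items()):
        if seen >= min_seen:
            writer.writerow([mac, f"unknown in monitor mode {seen}x; verify owner before import"])
    return buf.getvalue()


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for reason, who in summary["dot1x_failed"].items():
        print(f"802.1X failures ({reason}): {sorted(who)}")
    print(mab_candidates_csv(summary))
```

The threshold and the "verify owner" column are the point of the last function: monitor mode tells you which MACs are on the network, not whether they belong there, and importing every unknown MAC would turn the MAB database into an allow-list of whatever was plugged in during the observation window.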

Page 56 (slide 64)

Scenario 2: Low Impact Mode

Low Impact Mode Goals
1. Begin to control/differentiate network access
2. Minimize impact to existing network access
3. Retain the visibility of Monitor Mode
4. "Low Impact" == no need to re-architect your network
   - Keep the existing VLAN design
   - Minimize LAN changes

Low Impact Mode: How To
1. Start from Monitor Mode
2. Add new features for access control: downloadable ACLs, flexible auth-fail handling
3. Limit the number of devices connecting to a port
4. Add new features to support IP phones

Page 57 (slide 65)

Low Impact: Network Access Table (host mode: Single-host / Multi-Domain-Auth, with link-state solution)

  Endpoints                            Authentication Status           Authorization
  All                                  Pre-802.1X                      Selectively Open
  Employees                            Successful 802.1X               Dynamic ACL
  Failed Employees, Contractor/Guest   Failed 802.1X                   Next-Method (MAB)
  Corporate Asset, Contractor/Guest    No 802.1X (no client)           Next-Method (MAB)
  Corporate Asset                      Successful MAB                  Dynamic ACL
  Phones                               Successful 802.1X               Dynamic ACL + Voice VSA
  Phones                               Successful MAB                  Dynamic ACL + Voice VSA
  Contractor/Guest                     Failed MAB                      Same as Pre-Auth
  All                                  No 802.1X, MAB (server down)    Same as Pre-Auth


Low Impact Mode: Switch

Block general access until successful 802.1X, MAB or WebAuth; pinhole explicit tcp/udp ports to allow desired access.

Switch Interface Config (from Monitor Mode, plus the lines marked for Low Impact):

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in        ! For Low Impact: pre-authentication port ACL
   authentication open                ! Pre-authentication port authorization state
   authentication port-control auto
   mab
   dot1x pae authenticator

Switch Global Config (add to Monitor Mode):

  aaa authorization network default group radius
  ip device-tracking

The port stays "open" as in Monitor Mode, but the PRE-AUTH ACL now decides what an unauthenticated host can reach. aaa authorization network is what lets the RADIUS Access-Accept carry authorization (the dACL), and ip device-tracking is required so the switch learns the endpoint's IP address and can substitute it into the downloaded ACL.


Pre-Auth ACL Considerations

Pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network.

Remember: This ACL will be in force before authentication and after failed authentications.

Approach 1: Selectively Block traffic
  Selectively protect certain assets/subnets
  Low risk of inadvertently blocking wanted traffic
  Example: Block unauthenticated users from Finance servers

Approach 2: Selectively Allow traffic
  More secure, better control
  May block wanted traffic
  Example: Only allow pre-auth access for PXE devices to boot

(Figure: ACL progression, a sequence of pre-auth ACLs tightened over time as the traffic is understood.)


Low Impact Mode: AAA Server

1. Configure downloadable ACLs for authenticated users

Pre-Auth ACL:
  permit ip host 10.100.20.200 any
  permit tcp any any established
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp

• Switch dynamically substitutes the endpoint's IP address for the source "any" in the dACL, so the downloaded entries only ever match the authenticated host's own traffic.
• Contents of dACL are arbitrary.
• Can have as many unique dACLs as there are user permission groups
• Same principles as pre-auth port ACL
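The two ACL slides above (the selectively-block versus selectively-allow pre-auth ACL, and the dACL whose source "any" the switch rewrites) are easy to get wrong without a way to test a flow against them before pushing. The following is an added example, not code from the deck or from Cisco: a small evaluator for the IOS extended-ACL syntax the deck uses (any/host/wildcard addresses, eq, range, established) that applies first-match semantics with the implicit deny, and models the per-session rewrite of a downloaded ACL. The pre-auth ACL entries are the deck's; the employee and contractor dACLs and the Finance subnet 10.100.40.0/24 are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Service names as IOS expands them in extended ACLs (subset).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp" or "udp"
    src: str
    dst: str
    dport: int | None = None
    established: bool = False   # TCP segment carrying ACK or RST


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: int | None = None  # None: any destination port
    dport_hi: int | None = None
    established: bool = False


def _addr(t: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF))
    return ipaddress.ip_network((t[i], mask), strict=False), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny PROTO SRC DST [eq P | range LO HI] [established]' line."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    ace = Ace(t[0], t[1], src, dst)
    while i < len(t):
        if t[i] == "eq":
            ace, i = replace(ace, dport_lo=_port(t[i + 1]), dport_hi=_port(t[i + 1])), i + 2
        elif t[i] == "range":
            ace, i = replace(ace, dport_lo=_port(t[i + 1]), dport_hi=_port(t[i + 2])), i + 3
        elif t[i] == "established":
            ace, i = replace(ace, established=True), i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return ace


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src or ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.dport_lo is not None and (flow.dport is None or not ace.dport_lo <= flow.dport <= ace.dport_hi):
        return False
    return flow.established or not ace.established


def evaluate(acl: list[Ace], flow: Flow) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    return next((a.action for a in acl if matches(a, flow)), "deny")


def apply_dacl(dacl: list[Ace], endpoint_ip: str) -> list[Ace]:
    """Model of the per-session rewrite the switch performs on a downloaded ACL:
    each source 'any' becomes the endpoint's /32 learned by ip device-tracking."""
    host = ipaddress.ip_network(endpoint_ip + "/32")
    return [replace(a, src=host) if a.src == ANY else a for a in dacl]


# Pre-auth port ACL as listed in the deck (selectively-allow approach).
PRE_AUTH_ACL = [parse_ace(l) for l in [
    "permit ip host 10.100.20.200 any",
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]]
# Constructed dACLs: employees get everything; contractors are kept away from a
# hypothetical Finance server subnet 10.100.40.0/24 (selectively-block approach).
EMPLOYEE_DACL = [parse_ace("permit ip any any")]
CONTRACTOR_DACL = [parse_ace(l) for l in ["deny ip any 10.100.40.0 0.0.0.255", "permit ip any any"]]
```

Running a candidate pre-auth ACL through evaluate() with the flows you expect from unauthenticated hosts (DHCP, DNS, TFTP, return traffic) is a cheap way to catch a missing pinhole before the ACL is in force on every port. The dACL half shows why the deck insists on ip device-tracking: after the rewrite, traffic from any other source address on the same port falls through to the implicit deny.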


Low Impact: Failed Authentication

1. Devices that fail 802.1X will have restricted access (Pre-Auth ACL)
2. Policy question: Is that sufficient access?
3. Alternative: configure a fallback authentication method (e.g. MAB) with appropriate authorization policy

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication event fail action next-method
   authentication open
   authentication port-control auto
   mab
   dot1x pae authenticator

Illustration: an endpoint whose supplicant (SSC) presents an expired certificate fails 802.1X and, limited to the pre-auth ACL, can't get to the IT website to fix it. With fail action next-method the switch runs MAB next; once MAB passes, HTTP is allowed and the user can reach the IT website even though the certificate is still expired.


Low Impact: Host Mode

1. With Multi-Auth, port piggybacking cannot be mitigated as effectively.
2. In Low Impact mode, transition to Multi-Domain (for IP Telephony) or Single-host (non-IPT). Multi-domain allows exactly one MAC in the data domain and one in the voice domain, so a second device behind the phone is a security violation rather than a free ride on the authorized session.

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   ip access-group PRE-AUTH in
   authentication host-mode multi-domain
   authentication open
   authentication event fail action next-method
   authentication port-control auto
   mab
   dot1x pae authenticator


802.1X EAP Methods on Phones

Method            | Phone Credential    | Deployment Considerations
EAP-MD5           | Username / password | Password manually configured on phone; phone name / password must be in AAA database
EAP-TLS           | MIC or LSC          | Never need to touch the phone: all config done from CUCM GUI (7.1.2); ACS 5 does not require username lookup after TLS cert validation -> no need to enter phone names in any database
EAP-FAST with TLS | MIC or LSC          | Not supported on ACS 5.0 or 5.1; supported on ACS 4.2 with PAC-Free + PKI Authz Bypass feature in NAP


Cert-based 802.1X Is Easy with Cisco IP Phones and ACS 5!

Manufacturing Installed Certificates (MIC)
• Pre-installed on every phone that supports EAP-TLS & EAP-FAST
• Automatically used if 802.1X enabled
• Export the Cisco Manufacturing (sub) CA and Cisco Root CA certificates from CUCM to ACS
• Easy to match with ACS 5 Authz rule

Locally Significant Certificates (LSC)
• LSCs are customer controlled
• CUCM issues LSCs to phones through CAPF
• CAPF can be self- or CA-signed
• Export CAPF and CA root certs from CUCM to ACS
• Easy to match with ACS 5 Authz rule


Enabling 802.1X on phones

Old Way
• Configured on the phone itself (screenshot not reproduced in this transcript)

New Way (CUCM 7.1.2)
• In Phone Config or BAT Template
• Select "Enabled"
• No need to touch the phone
• Phone must be on the network when you do this.


Enabling 802.1X Post-Deployment

How do you enable 802.1X on a phone via the network if the phone needs 802.1X to get on the network?

1. Non-802.1X Staging Area: initial phone boot-up in a network without 802.1X
2. Do it the "Old Way": works for one-offs, not mass deployments
3. MAB -> 802.1X: use MAB to get the device on the network; grant just enough access to download the config file; phone resets with 802.1X enabled
4. Low Impact Mode


Example: Using Low Impact Mode to bootstrap a new phone

Pre-Auth ACL (TFTP server at 10.100.10.238):
  permit ip host 10.100.20.200 any
  permit udp any any eq bootps
  permit udp any host 10.100.10.238 eq tftp
  permit udp any host 10.100.10.238 range 32768 61000

1. Pre-auth ACL allows just enough access for config, CTL
2. New config enables 802.1X on phone
3. After 802.1X, phone has full access
4. Same idea can give MAB phones access before 802.1X times out


The IP Phone Link State Issue

(Figure: Catalyst 3750 access port with an IP phone and a PC daisy-chained behind it; the port is authorized for 0011.2233.4455 only.)

The switch port stays up as long as the phone is connected, so the switch never sees a link-down when the PC behind the phone is unplugged, and the authorized session for 0011.2233.4455 is not cleared. Two consequences:

1) Legitimate users cause security violations: a second PC (6677.8899.AABB) plugged in behind the phone is a new source MAC on a port authorized for a single host, so it is treated as a security violation.

2) Hackers can spoof the MAC to gain access without authenticating: a device plugged in behind the phone with source MAC 0011.2233.4455 inherits the still-open session (security hole).


Link State: Three Solutions

(Figure: three Catalyst 3750 ports, each with an IP phone and a PC behind it; in each case the PC is disconnected and the session is cleared by a different mechanism.)

1. Proxy EAPoL-Logoff: the phone sends an EAPoL-Logoff on behalf of the disconnected PC (SSC); session cleared.
   Only works for 802.1X endpoints
   Requires Logoff-capable phone

2. Inactivity Timer: the session is cleared when the endpoint stops sending traffic.
   Works for MAB endpoints
   Port vulnerable during timeout
   Quiet devices may get kicked off

3. CDP 2nd Port Status (CDP Link Down): the phone reports the PC-port link-down to the switch via CDP; session cleared.
   MAB & 802.1X endpoints
   Requires: IP Phone 8.4(1); Catalyst 3K 12.2(50)SE; 4K 12.2(50)SG; 6K 12.2(33)SXI


Low Impact In a Nutshell

Summary
• Dynamic ACL-based access control
• Minimal impact to endpoints
• Supports bootstrap scenarios
• Minimal impact to network
• No VLAN changes

Next Steps
• Monitor the network
• Tune ACLs as necessary
• Evaluate remaining risk


High Security: How To

Scenario 3: High Security Mode

High Security Mode Goals
• No access before authentication
• Rapid access for non-802.1X-capable corporate assets
• Logical isolation of traffic at the access edge (Network Virtualization Solution)

How To
• Return to default "closed" access
• Timers or authentication order change
• Implement identity-based VLAN assignment


High Security Mode: Network Access Table

Endpoint                            | Authentication Status         | Authorization
All                                 | Pre-802.1X                    | Closed
Employees                           | Successful 802.1X             | Dynamic VLAN
Failed Employees, Contractor, Guest | Failed 802.1X                 | Guest-Fail-Critical VLAN
Corporate Asset, Contractor, Guest  | No 802.1X (no client)         | Next-Method (on by default if MAB configured)
Corporate Asset                     | Successful MAB                | Dynamic VLAN
Phones                              | Successful 802.1X             | Voice VSA
Phones                              | Successful MAB                | Voice VSA
Contractor/Guest                    | Failed MAB                    | Guest-Fail-Critical VLAN
All                                 | No 802.1X, MAB (server down)  | Guest-Fail-Critical VLAN

Host mode: Single-host, or Multi-Domain-Auth (with link-state solution)


802.1X and Dynamic VLANs: Network Deployment Considerations

VLAN | Name    | Subnet        | Interface
10   | DATA    | 10.10.10.x/24 | G0/1
20   | VOICE   | 10.10.20.x/24 | G0/2
30   | MACHINE | 10.10.30.x/24 | G0/3
40   | ENG     | 10.10.40.x/24 | G0/4
50   | UNAUTH  | 10.10.50.x/24 | G0/5

Every assignable VLAN must be defined on every access switch
More VLANs to trunk (Multi-Layer* deployments)
More subnets to route (mitigated by VSS*)

Best Practice: Use the fewest possible number of VLANs


802.1X and Dynamic VLANs: Endpoint Deployment Considerations

Non-802.1X Endpoints
• Unaware of VLAN changes, no mechanism to change IP address
• Best Practice: Dynamic VLAN in High Security Mode only

Older 802.1X Endpoints (e.g. Windows XP)
• Supplicants can renew IP address on VLAN change, but the OS and underlying processes may not handle the IP address change gracefully
• Best Practice: Use same VLAN for User and Machine Authentication (Windows)

Newer 802.1X Endpoints (e.g. Windows Vista, 7)
• Supplicant and OS can handle VLAN/IP address changes
• Best Practice: Use the VLAN policy that best matches your security policy.


High Security Mode: Switch

Switch Interface Config:

  interface GigabitEthernet1/4
   switchport access vlan 60
   switchport mode access
   switchport voice vlan 61
   no authentication open
   authentication event fail authorize vlan 63                ! Auth-Fail VLAN
   authentication event no-response authorize vlan 63         ! Guest VLAN*
   authentication event server dead action authorize vlan 63  ! Critical VLAN
   authentication port-control auto
   mab
   dot1x pae authenticator

Switch Global Config (add to Monitor Mode):

  aaa authorization network default group radius
  vlan 60
   name data
  vlan 61
   name voice
  vlan 62
   name video
  vlan 63
   name fail-guest-critical

*Not needed if AAA server has Unknown MAC policy


High Security Mode: AAA Server

1. If the AAA server sends no VLAN attribute, the switch uses the statically configured switchport VLAN
2. Configure dynamic VLANs for any user that should be in a different VLAN


Clientless Access in Closed Mode: Two Options

In closed mode a device with no supplicant gets nothing until 802.1X gives up and the switch moves on to MAB, so the time to MAB is the time the device is offline.

1) Change the Timeout: 802.1X -> timeout -> MAB

  interface GigabitEthernet1/4
   dot1x max-reauth-req 2       (default)
   dot1x timeout tx-period 30   (default)

  Time until MAB starts = (max-reauth-req + 1) * tx-period, i.e. 90 seconds with the defaults

2) FlexAuth Order: MAB -> MAB fails -> 802.1X. The first packet from the device will trigger MAB.

  interface GigabitEthernet1/4
   authentication order mab dot1x
   authentication priority dot1x mab

  Note: Priority Matters! (www.cisco.com/go/ibns -> Whitepapers)

Flex-Auth controls: Methods (Priority, Order); Timeout, Failed; AAA Down

Either Way: Prepare for Additional Control Plane Traffic
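The interaction between authentication order, authentication priority and the 802.1X timeout is where FlexAuth deployments usually surprise people, so it is worth having the rules written down as code. The following is an added example, not part of the deck or of Cisco's documentation: a model of the behaviour the slide describes, with the IOS defaults it quotes, that reports which method ends up authorizing the port and how long a clientless device waited for it. The rules modeled are: methods run in the configured order; a timeout or failure hands off to the next method; a method ranked below an already-successful one in the priority list is not allowed to run, while a higher-ranked one may run and override. The Endpoint attributes are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Port:
    """FlexAuth knobs on the access port; defaults are the IOS defaults the slide quotes."""
    order: tuple[str, ...] = ("dot1x", "mab")       # authentication order
    priority: tuple[str, ...] = ("dot1x", "mab")    # authentication priority (first = highest)
    max_reauth_req: int = 2                         # dot1x max-reauth-req
    tx_period: int = 30                             # dot1x timeout tx-period (seconds)


@dataclass
class Endpoint:
    has_supplicant: bool          # answers EAPoL Request-Identity
    mac_known: bool               # present in the MAB database
    dot1x_passes: bool = True     # credentials accepted by the AAA server


def dot1x_timeout(port: Port) -> int:
    """Seconds before the switch gives up on an endpoint that never answers EAPoL:
    (max-reauth-req + 1) * tx-period, 90 s with the defaults."""
    return (port.max_reauth_req + 1) * port.tx_period


def simulate(port: Port, ep: Endpoint) -> tuple[str | None, int, list[str]]:
    """Return (method that authorized the port or None, seconds until that decision,
    event log). This is a model of the FlexAuth rules described on the slide, not
    a reimplementation of IOS."""
    elapsed, winner, log = 0, None, []
    for method in port.order:
        if winner is not None and port.priority.index(method) > port.priority.index(winner):
            log.append(f"{method}: not run, {winner} already authorized with higher priority")
            continue
        if method == "dot1x":
            if not ep.has_supplicant:
                if winner is None:
                    elapsed += dot1x_timeout(port)
                    log.append(f"dot1x: no EAPoL reply, timed out after {dot1x_timeout(port)}s -> next-method")
                else:
                    log.append("dot1x: no supplicant present, MAB result stands")
            elif ep.dot1x_passes:
                winner = "dot1x"
                log.append("dot1x: success, port authorized by 802.1X")
            else:
                log.append("dot1x: failed -> next-method / fail handling")
        elif method == "mab":
            # MAB is triggered by the first frame from the endpoint, so no timer is charged.
            if ep.mac_known:
                winner = "mab"
                log.append("mab: MAC found, port authorized by MAB")
            else:
                log.append("mab: MAC unknown, failed -> next-method / fail handling")
    return winner, elapsed, log


if __name__ == "__main__":
    printer = Endpoint(has_supplicant=False, mac_known=True)   # clientless corporate asset
    laptop = Endpoint(has_supplicant=True, mac_known=False)    # 802.1X-capable, not in MAB db
    configs = [
        ("default order", Port()),
        ("order mab dot1x", Port(order=("mab", "dot1x"))),
        ("order mab dot1x, priority mab dot1x", Port(order=("mab", "dot1x"), priority=("mab", "dot1x"))),
    ]
    for label, port in configs:
        for name, ep in (("printer", printer), ("laptop", laptop)):
            winner, secs, log = simulate(port, ep)
            print(f"{label:38} {name:8} -> {winner} after {secs}s | " + "; ".join(log))
```

The third configuration is the trap the slide's "Priority Matters!" warns about: with priority mab dot1x, a phone or PC whose MAC is in the MAB database is authorized by MAB and its supplicant is never allowed to run, so the stronger credential is silently ignored.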


Sources

IBNS Phased Implementation Configuration Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html

Flexible Authentication Order, Priority, and Failed Authentication
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html

Network Virtualization--Access Control Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html


Q and A
