Transcript of the Cisco EXPO 2010 slide deck "ACS" (Introduction – Overall Flow ... ACS Distributed Deployment ...)
1
© 2010 Cisco Systems, Inc. All rights reserved. Cisco PublicCiscoEXPO
ACS
ACS 4.x: Group-Based Policy Model

User Groups:
• Employee Group: Permissions – Employee_VLAN; Restrictions – None
• NetAdmin Group: Permissions – Full Access; Restrictions – None
• Guest Group: Permissions – Guest_VLAN; Restrictions – Time_of_Day

Group-based policy:
• User is authenticated & associated to a group
• Authorization based on static permissions and restrictions for the user's group
• User is subjected to the SAME restrictions and gets the SAME permissions ALWAYS
• Works well if Identity is the dominant or only condition
• Does not work well for complex authorisation policies based on dynamic conditions, e.g. an employee gets full access when on-site & restricted access when coming in remotely
Group-based Model Forces Group Proliferation
1. Example: 7 groups required for a 3 condition scenario:
   Wired users, Wireless users, VPN users, Wired+Wireless, Wireless+VPN, Wired+VPN, Wired+Wireless+VPN
2. 2ⁿ - 1 groups required (n is the number of policy conditions)
3. Potentially update 2ⁿ⁻¹ groups for a single condition authorization change (4 group edits in the above example)

n      | 2 | 3 | 4  | 5  | 6
2ⁿ - 1 | 3 | 7 | 15 | 31 | 63
ACS 5.0 Graphical User Interface
1. Lightweight, secure, intuitive and easy to use web-based GUI
2. Does not require additional client software for GUI access
ACS 5.0 Monitoring & Reports Component
1. Integrated advanced monitoring, reporting & troubleshooting capabilities for maximum control and visibility
Easy to use GUI
Flexible presentation tools
2. Consolidation of data across an ACS deployment
Authentication Report Snapshot
ACS 5 : Rules-Based Policy Model

Figure: Identity + Other Conditions -> Authorization Profiles (labels shown: Employee Group, NetAdmin Group, Guest Group, Job Title, Location, Access Type, Time & Date, Engineering, Human Resources, Login VLAN, Guest, Quarantine, Deny Access)

Policy Rules (built from Policy Elements):
CONDITIONS             | RESULT
ID GROUP | LOCATION    | AZN PROFILE
ENG      | SJ_CAMPUS   | SJ_ENG
ENG      | RTP_CAMPUS  | RTP_ENG
ENG      | EXTERNAL    | EXT
IF NO MATCH            | DENY ACCESS

• Identity is decoupled from permissions
• Authorisation based on identity and conditions specified as policy rules
• IF <condition(s)> THEN <permission>
Policy Simplification
1. 7 groups in the group-based model: Wired users, Wireless users, VPN users, Wired+Wireless, Wireless+VPN, Wired+VPN, Wired+Wireless+VPN
2. Become 3 rules in the rules-based model:
ID Group       | Access Type | Authorisation
Wired users    | Wired       | Wired access
Wireless users | Wireless    | Wireless access
VPN users      | VPN         | VPN access
Access Services Implement ACS Policy
Figure: AAA Request -> ACS (Access Service) -> AAA Response
All authentication/authorisation requests are processed by an Access Service in ACS 5
Introduction – Overall Flow (cont.)
Figure: Service Selection Policy (SSP) -> Access Service 1 (Identity Policy, Group Mapping, External Policy Check, Authorization Policy) or Access Service 2 (Identity Policy, Authorization Policy) -> Outgoing Response
• Data extracted from request (e.g. Username, Protocol, NAD IP, etc.)
• NAD lookup adds NDG info such as Location, NAD Type
• Service Selection Policy routes processing to the appropriate service
• Protocols filter can reject the request if it doesn't match the filter's authentication protocols settings
• Identity Policy: handles authentication & identity attributes
• Group Mapping: matches normalized identity group
• External Policy Check: retrieves additional information from external policy servers (e.g. posture servers)
• Authorization Policy: determines the set of attributes that comprise the response
ACS Service Selection Policy
Figure: AAA Request -> Service Selection -> Access Service 1 / Access Service 2 / Access Service 3 -> AAA Response
ACS Service Selection Criteria:
• AAA protocol
• Network device group
• ACS server
• Request attributes
• Date and time
• AAA client
Service Selection policy defines to which Access Service ACS should direct authentication requests
Access Service Components
Figure: AAA Request -> Access Service (Identity Policy, then Authorisation Policy) -> AAA Response
1. Identity Policy: selects the Identity Store (or stores) to be used for authentication and retrieval of identity attributes
2. Authorization Policy: this is the heart of ACS, where all collected attributes are evaluated to arrive at an authorisation policy decision
Identity Policy
Policy to select identity stores that are used to authenticate and retrieve attributes/group info
Flexibility in selection of identity store:
• Static: "Always use LDAP"
• Conditional: "Use CORP_AD if MSCHAPv2 is used"

Authentication Method | Identity Store
X509 Certificate      | Certificate Profile
MSCHAPv2              | CORP_AD
If no match           | Deny Access
Authorisation Policy
ID Group | Location | Access Type | Time & Date | Compliance    | Azn Profile
ENGR     | -        | -           | -           | Compliant     | ENG
ENGR     | -        | -           | -           | Not Compliant | PUB, ENG
CONT     | CAMPUS   | WIRED       | DAY         | Compliant     | CONT
CONT     | CAMPUS   | WIRELESS    | DAY         | Compliant     | CONT_WLAN
PRINTERS | CAMPUS   | WIRED       | -           | -             | PTR
DEFAULT (If no match found)                                     | QUAR

• First match (permissions cannot be merged)
• Discrete columns per condition element
• Authorisation profiles may be combined in Rule results
• Conflict resolution via precedence order
• Allows "hierarchy" of authorisation profiles, reduces proliferation of individual profiles
• Default rule (If no match found)
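As an added illustration of the Identity Policy and Authorisation Policy tables above (this is example code, not code from the slides or from ACS itself), the following Python models first-match evaluation with "-" wildcards, a default row, and rule results that combine several profiles. The attribute contents of the profiles and the assumption that a result lists its profiles in precedence order are mine.

```python
"""First-match evaluation of ACS 5 style rule tables (added example, not ACS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "-"  # the slides show '-' for a condition column a rule does not test

# Profile contents are constructed samples: the slides only name the profiles.
PROFILES: Dict[str, Dict[str, str]] = {
    "ENG": {"vlan": "40", "dacl": "ENG_ACL"},
    "PUB": {"vlan": "10", "dacl": "PUBLIC_ACL"},
    "CONT": {"vlan": "10", "dacl": "CONTRACTOR_ACL"},
    "CONT_WLAN": {"vlan": "10", "dacl": "CONTRACTOR_WLAN_ACL"},
    "PTR": {"vlan": "30"},
    "QUAR": {"vlan": "50", "dacl": "QUARANTINE_ACL"},
}

@dataclass(frozen=True)
class Rule:
    conditions: Tuple[str, ...]  # one entry per table column; ANY = not evaluated
    result: Tuple[str, ...]      # profile names, assumed listed in precedence order

@dataclass
class RuleTable:
    columns: Tuple[str, ...]
    rules: List[Rule]
    default: Tuple[str, ...]     # the "If no match" row

    def match(self, request: Dict[str, str]) -> Tuple[Optional[int], Tuple[str, ...]]:
        """First matching rule wins; later rules are never consulted."""
        for index, rule in enumerate(self.rules):
            if all(want == ANY or request.get(col) == want
                   for col, want in zip(self.columns, rule.conditions)):
                return index, rule.result
        return None, self.default

def merge_profiles(names: Tuple[str, ...]) -> Dict[str, str]:
    """Combine the profiles named in one rule result. Assumption: result order
    is the precedence order, so on a conflicting attribute the earlier
    profile's value is kept (the slides say only "precedence order")."""
    merged: Dict[str, str] = {}
    for name in names:
        for attr, value in PROFILES.get(name, {}).items():
            merged.setdefault(attr, value)
    return merged

# Identity Policy table from the "Identity Policy" slide
IDENTITY_POLICY = RuleTable(
    columns=("auth_method",),
    rules=[
        Rule(("X509 Certificate",), ("Certificate Profile",)),
        Rule(("MSCHAPv2",), ("CORP_AD",)),
    ],
    default=("Deny Access",),
)

# Authorisation Policy table from the "Authorisation Policy" slide
AUTHZ_POLICY = RuleTable(
    columns=("id_group", "location", "access_type", "time", "compliance"),
    rules=[
        Rule(("ENGR", ANY, ANY, ANY, "Compliant"), ("ENG",)),
        Rule(("ENGR", ANY, ANY, ANY, "Not Compliant"), ("PUB", "ENG")),
        Rule(("CONT", "CAMPUS", "WIRED", "DAY", "Compliant"), ("CONT",)),
        Rule(("CONT", "CAMPUS", "WIRELESS", "DAY", "Compliant"), ("CONT_WLAN",)),
        Rule(("PRINTERS", "CAMPUS", "WIRED", ANY, ANY), ("PTR",)),
    ],
    default=("QUAR",),
)

def select_identity_store(auth_method: str) -> str:
    """Identity Policy: which store authenticates this request."""
    _, result = IDENTITY_POLICY.match({"auth_method": auth_method})
    return result[0]

def authorize(request: Dict[str, str]) -> Dict[str, object]:
    """Authorisation Policy: matching rule index, its profiles, merged attributes."""
    index, profiles = AUTHZ_POLICY.match(request)
    return {"rule": index, "profiles": profiles, "attributes": merge_profiles(profiles)}

if __name__ == "__main__":
    print(select_identity_store("MSCHAPv2"))  # CORP_AD
    print(authorize({"id_group": "ENGR", "compliance": "Not Compliant"}))
    # A contractor outside DAY hours matches no rule and lands in QUAR
    print(authorize({"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRED",
                     "time": "NIGHT", "compliance": "Compliant"}))
```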
ACS 5 Policy Configuration Overview
Figure: Access Service building blocks; Service Selection policy and Access Service definition
Network Resources
ACS 4 -> ACS 5
Network Resources: Key Changes
1. ACS 5 supports a single device definition for the same RADIUS and TACACS+ client
2. Change from flat, exclusive device grouping to overlapping, multiple, hierarchical grouping
3. ACS 5.1 supports a Default Network Device
Powerful ACS 5 Device Grouping

Flat ACS 4 device grouping (one group per location/type combination):
Africa-Southern-SouthAfrica-Firewalls
Africa-Southern-SouthAfrica-Switches
Africa-Southern-SouthAfrica-Routers
Africa-Southern-Namibia-Firewalls
Africa-Southern-Namibia-Switches
Africa-Southern-Namibia-Routers
Africa-Southern-Botswana-Firewalls
Africa-Southern-Botswana-Switches
Africa-Southern-Botswana-Routers
…

ACS 5 multiple device hierarchies:
Device Type Hierarchy: All Devices -> Routers (Router1, Router2); Switches (Switch1, Switch2)
Location Hierarchy: All Devices -> Africa Devices -> Southern Devices -> South Africa Devices (Router2, Switch2); All Devices -> Asia Devices

• Single attribute to reference all Southern African devices
• Combine nodes in policy to reference device intersection
Network Devices With Multiple Group Assignment
Screenshot: adding devices to device groups
Default Network Device
ACS will use the Default Network Device for AAA clients that haven't been defined in ACS
Users and Identity Stores
ACS 4 -> ACS 5
Users and Identity Stores: Key Changes
1. ACS internal users and user-groups are no longer containers of permissions and no longer define access policy
   All access policy is rules-based and attribute-driven
2. ACS no longer requires a user to be assigned to a user-group
3. External user-groups are attributes that can be used directly in access policy – group mapping is no longer required
4. ACS 5.x internal users provide an extensible schema to define user-level attributes that can be used in access policy rules
5. ACS 5 internal "groups" are described in a hierarchical tree where each node is a group attribute that can be assigned to an internal user, and therefore be referenced in access policy
6. Identity Store Sequences are used to combine different identity stores for use in a single authentication/authorization request
Extensible ACS User Schema
Custom schema attributes are available as policy attributes
Hierarchical User Grouping
Hierarchical grouping for ACS internal users – also available in policy
External Groups - Mapping Not Required
Directory groups selected here can be used directly in policy conditions without having to map them to an ACS group first
Group selection is available for LDAP and AD directories
Directory Attributes
Directory attributes specified here become available as conditions and result values in access policy
Different Identity Stores For Authentication And Authorisation
This Identity Store Sequence allows authentication to an OTP server, while an LDAP directory is queried for authorisation information
Policy Elements
ACS 4 -> ACS 5
Policy Elements - Conditions and Authorization Profiles: Key Changes
1. Policy conditions and authorization permissions are no longer part of users and user-groups
   The ACS 5 model extends the ACS 4 Shared Profile Components concept
   All conditions and permissions are defined as reusable components
   These reusable components are referenced in the rules-based policy
Date & Time Condition Elements
RADIUS Attributes In Authorisation Profiles
Dynamic Authorisation Values: Using Directory Attributes in Authorisation Profiles
The user's directory attribute, VLAN, will be queried for the VLAN Id to be used
Common Tasks automatically create the corresponding RADIUS attributes in the authorisation profile
ACS Deployment
ACS 5.1 Platform Options
• 1120/1121 Hardware Appliance: one rack-unit (1RU) Linux-based appliance
• VMware Appliance: complete appliance image for installation on VMware ESX 3.5 or 4.0
ACS 5.x Configuration Replication Model
Figure: one Primary replicating to several Secondaries
• Incremental replication
• Full synchronization – no subset options
• Automatically triggered on change
• Flat 2-level (primary/secondary) model – no cascading replication
• Config updates on primary only, except for AAA password updates
ACS Distributed Deployment
1. Consists of multiple ACSs that are managed together
   One Primary and multiple Secondary servers
   All ACS instances are identical (run full ACS software version)
   Each ACS can play a specific role in the deployment
2. Incremental replication model
   Primary ACS is the single point of configuration & monitors the secondary servers
   Automatic incremental replication to Secondary servers
Figure: Master ACS with three Secondary ACSs; arrows labelled "Database download" and "Incremental Replication"
ACS 5.1 View Dashboard
ACS View Detailed Authentication Information
ACS 5.1 Identity Stores
1. Internal users
2. Active Directory
3. LDAP directories
4. One-Time Password (OTP) Servers
   RSA SecurID
   Others (using RADIUS interface)
5. RADIUS proxy servers
6. No ODBC support
Low-end of ACS 5.1 Performance (Authentications/second)
Auth Type       | Internal | AD  | LDAP   (columns are the identity stores)
PAP             | 500      | 100 | 800
CHAP            | 500      | 500 | N/A
TACACS+         | 400      | 160 | 1200
MSCHAP          | 500      | 300 | N/A
PEAP-MSCHAP     | 200      | 100 | N/A
PEAP-GTC        | 200      | 100 | 300
EAP-TLS         | 200      | 180 | 270
LEAP            | 330      | 280 | N/A
FAST-MSCHAP     | 120      | 120 | N/A
FAST-GTC        | 130      | 110 | 190
MAC-Auth Bypass | 750      | N/A | 2000
Performance Notes
1. Expect up to a 50% performance drop on the log collector ACS
2. Expect a 10-50% higher authentication performance on the 1121 appliance
3. Assumes session resume and fast reconnect is enabled where applicable for EAP protocols
Minimum ACS Deployment
1. Consists of 2 servers
2. Primary server provides all the configuration, authentication and policy requirements for the network.
3. Second server used as a backup server.
4. Replication from primary ACS to secondary ACS to keep the secondary server in synchronization.
Medium Growing ACS Deployment
1. As the AAA traffic grows, add additional Cisco Secure ACS servers
2. Consider splitting server functions - the primary server for configuration and log collection only, using the secondary servers for AAA functions.
Larger ACS Deployment
1. In a large, centralized network consider the use of a load balancer
2. Dedicated primary and log collector ACS servers
Promoting a Secondary to be a Master
Figure: Master ACS (marked X, failed) with three Secondary ACSs, "DB Download" and "Incremental Replication" arrows; one secondary becomes the Promoted Master
1. Each secondary could take the role of the master
2. Secondary promotion to be a master is manual
3. The master (if not failed) is stopped
   Replication is allowed to complete
   The promoted secondary notifies all ACS instances
   On promotion the secondary interrogates all instances for their replication status
Implementing Phased Deployments
What Is a Deployment Scenario?
1. A set of configuration guidelines designed to meet particular deployment goal
Simplify deployments by following a blueprint
Increase efficiency by combining features that interoperate most effectively
Phase deployments for minimal impact to end users
Customize basic blueprint as needed
2. General Principles:
Start simple
Start with minimal restrictions
Evolve as necessary
Scenario 1: Monitor Mode Overview
Monitor Mode Goals:
• No Impact to Existing Network Access
• See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
• Deterrence through accountability
Monitor Mode: How To:
• Enable 802.1X & MAB
• Enable Open Access: all traffic in addition to EAP is allowed (like not having 802.1X enabled, except authentications still occur)
• Enable Multi-Auth Host-Mode
• Disable Authorization
Monitor Mode: Network Access Table (host mode: Multi-Auth)
Endpoints                          | Authentication Status        | Authorization (Network Access)
All                                | Pre-802.1X                   | Open
Employees                          | Successful 802.1X            | Open
Failed Employees, Contractor/Guest | Failed 802.1X                | Open
Corporate Asset, Contractor/Guest  | No 802.1X (no client)        | Next-Method (MAB)
Corporate Asset                    | Successful MAB               | Open
Phones                             | Successful 802.1X            | Open
Phones                             | Successful MAB               | Open
Contractor/Guest                   | Failed MAB                   | Open
All                                | No 802.1X, MAB (server down) | Open
Monitor Mode: Switch (Basic 802.1X/MAB, Monitor Mode)

Switch Global Config:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.100.10.150 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication

Switch Interface Config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
Monitor Mode: AAA Server and Endpoints
AAA Server – should be fully configured except for authorization policy:
• Communication with AAA clients (i.e. switches)
• Communication with credential repository (e.g. AD, MAC Database)
• PKI (CA certs, server cert)
• EAP Configuration
• MAB Configuration
Endpoints – should be fully configured:
• PKI (CA certs, client cert) or other credentials
• Supplicants configured & installed everywhere supported
• Enable machine auth
• Enable user auth if needed
Monitor Mode: Next Steps
RADIUS Authentication & Accounting Logs:
• Passed/failed 802.1X/EAP attempts -> list of valid 802.1X-capable endpoints, list of invalid 802.1X-capable endpoints
• Passed/failed MAB attempts -> list of valid MACs, list of invalid or unknown MACs
Monitor Mode Next Steps:
• Evaluate Remaining Risk
• Prepare the Network for Access Control in Later Phases
Preparing for Access Control: Fix 802.1X Errors
Observed Failure: (screenshot)
Fix: Import ACS Server Cert Signed by Enterprise CA
Preparing for Access Control: Put Valid MACs in MAB Database
Observed Failure: (screenshot)
Fix: put the valid MACs in the MAB database (MAC.CSV)
Scenario 2: Low Impact Mode
Low Impact Mode Goals:
1. Begin to control/differentiate network access
2. Minimize Impact to Existing Network Access
3. Retain Visibility of Monitor Mode
4. "Low Impact" == no need to re-architect your network
   Keep existing VLAN design
   Minimize LAN changes
Low Impact Mode: How To:
1. Start from Monitor Mode
2. Add new features for access-control
   downloadable ACLs
   flexible auth fail handling
3. Limit number of devices connecting to port
4. Add new features to support IP Phones
Low Impact: Network Access Table (host mode: Single-host or Multi-Domain-Auth, with link-state solution)
Endpoints                          | Authentication Status        | Authorization
All                                | Pre-802.1X                   | Selectively Open
Employees                          | Successful 802.1X            | Dynamic ACL
Failed Employees, Contractor/Guest | Failed 802.1X                | Next-Method (MAB)
Corporate Asset, Contractor/Guest  | No 802.1X (no client)        | Next-Method (MAB)
Corporate Asset                    | Successful MAB               | Dynamic ACL
Phones                             | Successful 802.1X            | Dynamic ACL + Voice VSA
Phones                             | Successful MAB               | Dynamic ACL + Voice VSA
Contractor/Guest                   | Failed MAB                   | Same as Pre-Auth
All                                | No 802.1X, MAB (server down) | Same as Pre-Auth
Low Impact Mode: Switch
Block General Access Until Successful 802.1X, MAB or WebAuth; pinhole explicit tcp/udp ports to allow desired access

Switch Global Config (add to Monitor Mode):
aaa authorization network default group radius
ip device-tracking

Switch Interface Config (from Monitor Mode, plus the PRE-AUTH port ACL for Low Impact; the ACL defines the pre-authentication port authorization state):
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
Pre-Auth ACL Considerations
Pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network
Remember: This ACL will be in force before authentication and after failed authentications.
Approach 1: Selectively Block traffic
• Selectively protect certain assets/subnets
• Low risk of inadvertently blocking wanted traffic
• Example: Block unauthenticated users from Finance servers
Approach 2: Selectively Allow traffic
• More secure, better control
• May block wanted traffic
• Example: Only allow pre-auth access for PXE devices to boot
Figure: ACL progression from Approach 1 towards Approach 2
Low Impact Mode: AAA Server
1. Configure downloadable ACLs for authenticated users, e.g.:
permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
Figure: endpoint with the Pre-Auth ACL on its port; the switch dynamically substitutes the endpoint's address
• Contents of dACL are arbitrary.
• Can have as many unique dACLs as there are user permission groups
• Same principles as pre-auth port ACL
Low Impact: Failed Authentication
1. Devices that fail 802.1X will have restricted access (Pre-Auth ACL)
2. Policy question: Is that sufficient access?
3. Alternative: configure a failback authentication method (e.g. MAB) with appropriate authorization policy

Switch Interface Config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication event fail action next-method
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator

Figure: before – endpoint's cert expired, "Can't get to IT website!"; after – cert still expired, but MAB passed and HTTP is now allowed
Low Impact: Host Mode
1. With Multi-Auth, port piggybacking cannot be mitigated as effectively.
2. In Low Impact mode, transition to Multi-domain (for IP Telephony) or Single-host (non-IPT).

Switch Interface Config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
802.1X EAP Methods on Phones
Method | Phone Credential | Deployment Considerations
EAP-MD5 | Username / password | Password manually configured on phone; phone name / password must be in AAA database
EAP-TLS | MIC or LSC | Never need to touch the phone: all config done from CUCM GUI (7.1.2); ACS 5 does not require username lookup after TLS cert validation -> no need to enter phone names in any database
EAP-FAST with TLS | MIC or LSC | Not supported on ACS 5.0 or 5.1; supported on ACS 4.2 with PAC-Free + PKI Authz Bypass feature in NAP
Cert-based 802.1X Is Easy with Cisco IP Phones and ACS 5!
Manufacturing Installed Certificates (MIC):
• Pre-installed on every phone that supports EAP-TLS & EAP-FAST
• Automatically used if 802.1X enabled
• Export Cisco Man Root Sub CA and Cisco Root CA from CUCM to ACS
• Easy to match with ACS 5 Authz rule
Locally Significant Certificates (LSC), issued via CAPF:
• LSCs are customer controlled
• CUCM issues LSCs to phones
• CAPF can be self- or CA-signed
• Export CAPF and CA root certs from CUCM to ACS
• Easy to match with ACS 5 Authz rule
Enabling 802.1X on phones
Old Way: (screenshot)
New Way (CUCM 7.1.2):
• In Phone Config or BAT Template, select "Enabled"
• No need to touch the phone
• Phone must be on the network when you do this.
Enabling 802.1X Post-Deployment
How do you enable 802.1X on a phone via the network if the phone needs 802.1X to get on the network?
1. Non 802.1X Staging Area: initial phone boot-up in network without 802.1X
2. Do it the "Old Way": works for one-offs, not mass deployments
3. MAB -> 802.1X: use MAB to get the device on the network; grant just enough access to download the config file; phone resets with 802.1X enabled
4. Low Impact Mode
Example: Using Low Impact Mode to bootstrap a new phone
Pre-Auth ACL (the figure shows the server at 10.100.10.238):
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
1. Pre-auth ACL allows just enough access for config, CTL
2. New config enables 802.1X on phone
3. After 802.1X, phone has full access
4. Same idea can give MAB phones access before 802.1X times out
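To check what a pre-auth or downloadable ACL like the ones on these slides actually lets through before authentication, here is an added Python evaluator for the IOS extended-ACL subset they use (example code, not Cisco's). It covers any/host/wildcard addresses, destination-port eq/range and established, with the implicit deny at the end; the flows used to exercise it are constructed.

```python
"""IOS extended-ACL subset evaluator for the slides' pre-auth / downloadable ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard port names that appear in the slides' ACLs (IANA values)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}
ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp", ...
    src: str                    # the endpoint: the port ACL is applied inbound
    dst: str
    dport: Optional[int] = None
    established: bool = False   # TCP segment with ACK or RST set

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    src_wildcard: int           # IOS wildcard: a set bit means "don't care"
    dst: int
    dst_wildcard: int
    port_lo: Optional[int]      # destination port range; None = any port
    port_hi: Optional[int]
    established: bool

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_ace(line: str) -> Ace:
    """Supports dst-port eq/range and 'established'; other keywords are rejected."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _addr(t, 2)
    dst, dst_wc, i = _addr(t, i)
    lo = hi = None
    established = False
    while i < len(t):
        if t[i] == "eq":
            lo = hi = _port(t[i + 1])
            i += 2
        elif t[i] == "range":
            lo, hi = _port(t[i + 1]), _port(t[i + 2])
            i += 3
        elif t[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Ace(action, proto, src, src_wc, dst, dst_wc, lo, hi, established)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def _addr_match(addr: int, base: int, wildcard: int) -> bool:
    return ((addr ^ base) & (wildcard ^ ALL_ONES)) == 0

def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not _addr_match(_ip(flow.src), ace.src, ace.src_wildcard):
        return False
    if not _addr_match(_ip(flow.dst), ace.dst, ace.dst_wildcard):
        return False
    if ace.port_lo is not None and (
            flow.dport is None or not ace.port_lo <= flow.dport <= ace.port_hi):
        return False
    return flow.established or not ace.established

def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; the implicit deny that ends every IOS ACL
    is reported as ("deny", None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, flow):
            return ace.action, index
    return "deny", None

# Pre-auth ACL from the phone bootstrap slide (applied 'in' on the access port)
BOOTSTRAP_ACL = parse_acl("""
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
""")
```

With this ACL a phone can get a DHCP lease and fetch its config over TFTP from 10.100.10.238, while HTTP or TFTP to any other host falls through to the implicit deny until the phone authenticates.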
The IP Phone Link State Issue
Figure: two Catalyst 3750 access-port diagrams; the port is authorized for 0011.2233.4455 only
1) Legitimate users cause security violation: a second source MAC (S:6677.8899.AABB) appears behind the authorized S:0011.2233.4455 -> Security Violation
2) Hackers can spoof MAC to gain access without authenticating: traffic from a second device using S:0011.2233.4455 is accepted on the same port -> Security Hole
Link State: Three Solutions
Figure: three Catalyst 3750 port diagrams, one per solution, each ending with the session cleared
• CDP Link Down (CDP 2nd Port Status): works for MAB & 802.1X endpoints; requires IP Phone 8.4(1), 3K: 12.2(50)SE, 4K: 12.2(50)SG, 6K: 12.2(33)SXI
• Proxy EAPoL-Logoff: only works for 802.1X endpoints; requires a Logoff-capable phone
• Inactivity Timer: works for MAB endpoints; port vulnerable during timeout; quiet devices may get kicked off
Low Impact In a Nutshell
Summary:
• Dynamic ACL-based Access Control
• Minimal Impact to Endpoints
• Supports Bootstrap Scenarios
• Minimal Impact to Network
• No VLAN changes
Next Steps:
• Monitor the Network
• Tune ACLs as necessary
• Evaluate Remaining Risk
Scenario 3: High Security Mode
High Security Mode Goals:
• No access before authentication
• Rapid access for non-802.1X-capable corporate assets
• Logical isolation of traffic at the access edge (Network Virtualization Solution)
High Security: How To:
• Return to default "closed" access
• Timers or authentication order change
• Implement identity-based VLAN assignment
High Security Mode: Network Access Table (host mode: Single-host or Multi-Domain-Auth, with link-state solution)
Endpoint                            | Authentication Status        | Authorization
All                                 | Pre-802.1X                   | Closed
Employees                           | Successful 802.1X            | Dynamic VLAN
Failed Employees, Contractor, Guest | Failed 802.1X                | Guest-Fail-Critical VLAN
Corporate Asset, Contractor, Guest  | No 802.1X (no client)        | Next-Method (on by default if MAB configured)
Corporate Asset                     | Successful MAB               | Dynamic VLAN
Phones                              | Successful 802.1X            | Voice VSA
Phones                              | Successful MAB               | Voice VSA
Contractor/Guest                    | Failed MAB                   | Guest-Fail-Critical VLAN
All                                 | No 802.1X, MAB (server down) | Guest-Fail-Critical VLAN
802.1X and Dynamic VLANs: Network Deployment Considerations
VLAN             | Subnet        | Interface
VLAN 10: DATA    | 10.10.10.x/24 | G0/1
VLAN 20: VOICE   | 10.10.20.x/24 | G0/2
VLAN 30: MACHINE | 10.10.30.x/24 | G0/3
VLAN 40: ENG     | 10.10.40.x/24 | G0/4
VLAN 50: UNAUTH  | 10.10.50.x/24 | G0/5
• Every Assignable VLAN Must Be Defined on Every Access Switch
• More VLANs To Trunk (Multi-Layer* Deployments)
• More Subnets to Route (mitigated by VSS*)
Best Practice: Use the Fewest Possible Number of VLANs
802.1X and Dynamic VLANs: Endpoint Deployment Considerations
Non-802.1X Endpoints
• Unaware of VLAN changes, no mechanism to change IP address
• Best Practice: Dynamic VLAN in High Security Mode only
Older 802.1X Endpoints (e.g. Windows XP)
• Supplicants can renew IP address on VLAN change but OS and underlying processes may not handle IP address change gracefully
• Best Practice: Use same VLAN for User and Machine Authentication (Windows)
Newer 802.1X Endpoints (e.g. Windows Vista, 7)
• Supplicant and OS can handle VLAN/IP address changes
• Best Practice: Use the VLAN policy that best matches your security policy.
High Security Mode: Switch

Switch Global Config (add to Monitor Mode):
aaa authorization network default group radius
vlan 60
 name data
vlan 61
 name voice
vlan 62
 name video
vlan 63
 name fail-guest-critical

Switch Interface Config:
interface GigabitEthernet1/4
 switchport access vlan 60
 switchport mode access
 switchport voice vlan 61
 no authentication open
 authentication event fail action authorize vlan 63
 authentication event no-response action authorize vlan 63
 authentication event server dead action authorize vlan 63
 authentication port-control auto
 mab
 dot1x pae authenticator
VLAN 63 serves as the Auth-Fail VLAN (event fail), the Guest VLAN* (event no-response) and the Critical VLAN (event server dead).
*Not needed if AAA server has Unknown MAC policy
High Security Mode: AAA Server
1. If no VLAN sent, switch will use static switchport VLAN
2. Configure dynamic VLANs for any user that should be in different VLAN
Clientless Access in Closed Mode: Two Options

1) Change the Timeout: 802.1X runs first and MAB starts once 802.1X times out
interface GigabitEthernet1/4
 dot1x max-reauth-req 2       ! (default)
 dot1x timeout tx-period 30   ! (default)
Time before MAB starts = (max-reauth-req + 1) * tx-period

2) FlexAuth Order: MAB runs first (the first packet from the device will trigger MAB); if MAB fails, 802.1X runs
interface GigabitEthernet1/4
 authentication order mab dot1x
 authentication priority dot1x mab

Flex-Auth: Methods (Priority, Order); Timeout; Failed; AAA Down
Note: Priority Matters! www.cisco.com/go/ibns -> Whitepapers
Either Way: Prepare for Additional Control Plane Traffic
Sources
IBNS Phased Implementation Configuration Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html
Flexible Authentication Order, Priority, and Failed Authentication
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
Network Virtualization--Access Control Design Guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html
Q and A