802.1x Best Practises. Ing. Peter Feciľak, Peter.Fecilak@tuke.sk. 29.04.2008, KPI, FEI, TUKE.


802.1x Best Practises

Ing. Peter Feciľak, Peter.Fecilak@tuke.sk

29.04.2008, KPI, FEI, TUKE.

Content of the presentation

• Basic terminology
– 802.1x
– RADIUS server
– Dynamic VLAN membership

• Why implement 802.1x?

• Problems in 802.1x implementation

• Discussion...

What is 802.1x?

• IEEE standard for port-based Network Access Control

• Provides port-based authentication

• Supported in wired and wireless environments

802.1x terminology

RADIUS authentication server

• Provides authentication and other AAA services for end devices via a number of authentication mechanisms

• Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)

• Can be linked to an external user/computer database – Active Directory / LDAP / MySQL

RADIUS authentication server

• Supports delegation (proxying) of requests (e.g. eduroam)

• Runs on different platforms:
– MS Windows: Cisco Secure Access Control Server
– Linux: FreeRADIUS / old version of CS ACS

Authenticator – access layer

• Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)

• Three types of VLANs:
– Dynamic VLAN from RADIUS
– AUTH-FAIL VLAN
– GUEST VLAN

• Catalyst switches support periodic re-authentication (Steve Riley vulnerability from 2005)

802.1x Supplicant

• Application that provides authentication via EAP against the authenticator

• Possible types of authentication:
– Computer (domain account)
– User (domain account, OTP…)
– Computer together with user account

802.1x Supplicant

• Supported under Windows and Linux as well

• Linux authentication tools:
– Xsupplicant (wired)
– wpa_supplicant (wireless)
– open1x

802.1x Linux Supplicant

fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
default_interface = eth0

default {
  type = wired
  allow_types = eap-peap
  identity = "pfecilak"

  eap-peap {
    inner_id = "pfecilak"
    # NONE disables verification of the RADIUS server certificate
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes

    # inner (tunnelled) authentication method
    eap-mschapv2 {
      username = "pfecilak"
      password = "Moje1Tajne2Heslo3!#"
    }
  }
}

802.1x Windows Supplicant

• Native 802.1x supplicant under:
– MS Windows XP
– MS Vista
– MS Windows 2000 (latest SP)

• External supplicants:
– Cisco Secure Services Agent

802.1x Windows Supplicant

User-authentication GUI agent (screenshot)

Why implement 802.1x?

• Provide port-based control for accessing network resources (controlling physical access to ports is difficult)

• Identify regular network users. Provide them easy access to network resources. Isolate non-regular users from internal infrastructure.

Why implement 802.1x?

• Apply different security levels for specified communities of users.

• Provide mobility features via RADIUS and Dynamic VLAN membership

Number of Security Levels

• Identify user/computer roles and grant them access to network resources as defined by their security level.

Problems in 802.1x implementation

• Devices that do not support 802.1x connected to the access layer cause problems (e.g. hubs, unmanageable switches)

• Computers connected through IP phones that do not support 802.1x have problems with authentication

• Periodic re-authentication can cause problems in a large domain

Problems in 802.1x implementation

• Computer authentication with user-to-VLAN mapping can cause problems during the IP settings renewal process

• The Authentication tab is not shown in the local area connection configuration (requires the Wireless Zero Configuration service)

Best practises

• When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts

• Do not use dynamic VLAN membership with user-to-VLAN mapping. Computer authentication with a domain account is better.

Best practises

• Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication

• I recommend using 1 server per 100 computers when re-authentication every 5 minutes is used

Best practises

Classification into profiles for providing different security levels:

• User Network – for regular users, granting access to network resources

• Visitors Network – for guest access from the internal infrastructure, granting only internet access

• Guest/Auth-fail VLAN – fully isolated network. No network resources can be accessed.
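As an added illustration (not code from the presentation), the following Python model shows how the profiles above are carried from the RADIUS server to the authenticator as dynamic VLAN attributes, and how a fail-closed authenticator falls back to the isolated Guest/Auth-fail VLAN when the Accept is incomplete. Attribute numbers and values follow RFC 2868/RFC 3580; the VLAN IDs are constructed sample values.

```python
from typing import Dict

# RFC 2868 tunnel attribute numbers; RFC 3580 fixes the values used for VLANs
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID carried as a string (RFC 3580 also allows a name;
                              # this model accepts numeric IDs only)

# Constructed profile -> VLAN table; the slides name the profiles, not the IDs
PROFILE_VLAN = {
    "user-network": 10,       # regular users: access to network resources
    "visitors-network": 20,   # visitors: internet access only
}
GUEST_AUTH_FAIL_VLAN = 999    # fully isolated VLAN the switch applies locally

def access_accept_attributes(profile: str) -> Dict[int, object]:
    """Attributes the RADIUS server returns in Access-Accept for a known profile.

    Unknown profiles raise KeyError so that a policy gap fails closed instead of
    sending an Accept without a VLAN.
    """
    vlan = PROFILE_VLAN[profile]
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: str(vlan)}

def vlan_from_accept(attrs: Dict[int, object]) -> int:
    """Port VLAN an authenticator derives from the Access-Accept attributes.

    A complete, consistent triple yields the dynamic VLAN. In this model anything
    else (missing attribute, wrong type, non-numeric or out-of-range ID) lands in
    the isolated VLAN; real switches differ in detail (some leave the port
    unauthorized instead), but the fail-closed outcome is the same.
    """
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        return GUEST_AUTH_FAIL_VLAN
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not isinstance(raw, str) or not raw.isdigit():
        return GUEST_AUTH_FAIL_VLAN
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else GUEST_AUTH_FAIL_VLAN  # valid 802.1Q range
```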

Discussion/Questions and Answers

Redundant topologies

Problem (diagram)

Solution – redundant gateways (diagram: 192.168.1.0/24 with gateways 192.168.1.2 and 192.168.1.1)

Solution – HSRP (diagram: GW-1-1 at 192.168.1.2 and GW-1-2 at 192.168.1.1 form a Virtual Router with address 192.168.1.3; one gateway is Master, the other Slave)

First Hop Redundancy Protocols

• HSRP

• VRRP

• GLBP

Example - HSRP

(diagram: gateways 192.168.1.2 (GW-1-1) and 192.168.1.1 (GW-1-2); host with IP 192.168.1.100, netmask 255.255.255.0, gateway 192.168.1.3)

GW-1-1(config)# interface FastEthernet 0/0
GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
GW-1-1(config-if)# standby 1 priority 80
GW-1-1(config-if)# standby 1 preempt
GW-1-1(config-if)# standby 1 ip 192.168.1.3
GW-1-1(config-if)# no shutdown

GW-1-2(config)# interface FastEthernet 0/0
GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
GW-1-2(config-if)# standby 1 priority 150
GW-1-2(config-if)# standby 1 preempt
GW-1-2(config-if)# standby 1 ip 192.168.1.3
GW-1-2(config-if)# no shutdown
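As an added worked example (not part of the presentation), this Python model walks through the HSRP election for the GW-1-1/GW-1-2 configuration above: GW-1-2 wins on priority 150, GW-1-1 takes over when GW-1-2 fails, and the "standby 1 preempt" lines let GW-1-2 reclaim the virtual IP when it returns. Router names, addresses and priorities are taken from the slide; treating preemption as requiring strictly higher priority is a simplifying assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

VIRTUAL_IP = "192.168.1.3"  # the "standby 1 ip" address hosts use as their gateway

@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int   # 0..255, highest wins (IOS default is 100)
    preempt: bool   # "standby 1 preempt": may take over from a lower-priority active router
    up: bool = True

def best_candidate(routers: List[HsrpRouter]) -> Optional[HsrpRouter]:
    """Highest priority wins; a tie goes to the highest interface IP (HSRP rule)."""
    up = [r for r in routers if r.up]
    return max(up, key=lambda r: (r.priority, IPv4Address(r.ip))) if up else None

def elect_active(routers: List[HsrpRouter], current: Optional[HsrpRouter]) -> Optional[HsrpRouter]:
    """Router holding VIRTUAL_IP after one election round.

    While the current active router is up, a better candidate replaces it only if it
    has preempt configured (modelled here as strictly higher priority, an assumption).
    Without preempt the current router keeps the virtual IP despite its lower priority.
    """
    cand = best_candidate(routers)
    if current is not None and current.up:
        if cand is not None and cand is not current and cand.preempt \
                and cand.priority > current.priority:
            return cand
        return current
    return cand  # active router is down: fail over to the best survivor

def failover_sequence(preempt: bool = True) -> List[str]:
    """Slide scenario: normal operation -> GW-1-2 fails -> GW-1-2 returns."""
    gw11 = HsrpRouter("GW-1-1", "192.168.1.2", priority=80, preempt=preempt)
    gw12 = HsrpRouter("GW-1-2", "192.168.1.1", priority=150, preempt=preempt)
    routers = [gw11, gw12]
    active = elect_active(routers, None)      # GW-1-2 wins on priority 150
    steps = [active.name]
    gw12.up = False
    active = elect_active(routers, active)    # GW-1-1 takes over the virtual IP
    steps.append(active.name)
    gw12.up = True
    active = elect_active(routers, active)    # with preempt, GW-1-2 reclaims the role
    steps.append(active.name)
    return steps
```

Running failover_sequence(preempt=False) shows the contrast: without preempt, GW-1-1 keeps the virtual IP after GW-1-2 recovers.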


End of the presentation

Thank you for your attention.

Modern education for the knowledge society. The project is co-financed by EU funds.