802.1x Best Practices
Content of the presentation
• Basic terminology
  – 802.1x
  – RADIUS server
  – Dynamic VLAN membership
• Why implement 802.1x?
• Problems in 802.1x implementation
• Discussion...
What is 802.1x?
• IEEE standard for port-based Network Access Control
• Provides port-based authentication
• Supported in wired/wireless environment
802.1x terminology
RADIUS authentication server
• Provides authentication and other AAA services for the end device through a number of authentication mechanisms
• Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)
• Can be linked to an external user/computer database – Active Directory / LDAP / MySQL
• Supports delegation of requests to other RADIUS servers (e.g. eduroam)
• Runs on different platforms
  – MS Windows: Cisco Secure Access Control Server
  – Linux: FreeRADIUS / old version of CS ACS
Authenticator – access layer
• Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)
• Three types of VLANs:
  – Dynamic VLAN from RADIUS
  – AUTH-FAIL VLAN
  – GUEST VLAN
• Catalyst switches support periodic re-authentication (Steve Riley vulnerability from 2005)
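The dynamic VLAN mentioned above is delivered to the switch inside the RADIUS Access-Accept as the RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN). The following added example, not part of the presentation, parses such a reply and checks its Response Authenticator before trusting the VLAN; the shared secret, request authenticator and packet contents are constructed.

```python
import hashlib

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6  # RFC 2865 code; RFC 3580 Tunnel-Type / Tunnel-Medium-Type values

def parse_attributes(data):
    """Walk the RADIUS attribute TLVs; the length byte includes the 2-byte header."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def verify_response_authenticator(packet, request_authenticator, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    digest = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return digest == packet[4:20]

def vlan_from_access_accept(packet, request_authenticator, secret):
    """Return the VLAN the switch may apply, or None when the reply must not be trusted."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None  # forged or altered reply: leave the port where it is
    groups = {}  # tag byte -> attributes that belong to the same tunnel group
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # tag byte is optional: a first byte above 0x1F is already part of the string
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    for group in groups.values():
        if group.get(TUNNEL_TYPE) == VLAN and group.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
            return group.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def build_access_accept(ident, request_authenticator, secret, vlan):
    """Constructed sample reply carrying a dynamic VLAN, as a RADIUS server would send it."""
    attrs = bytes([TUNNEL_TYPE, 6, 0]) + VLAN.to_bytes(3, "big")
    attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + IEEE_802.to_bytes(3, "big")
    attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan), 0]) + vlan.encode("ascii")
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + authenticator + attrs
```

A reply whose authenticator does not verify, or that lacks the VLAN/IEEE-802 pair, yields None, which is the case where the switch falls back to the configured guest or auth-fail behaviour rather than an attacker-chosen VLAN.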
802.1x Supplicant
• Application that performs authentication via EAP against the authenticator
• Possible types of authentication:
  – Computer (domain account)
  – User (domain account, OTP…)
  – Computer with user account
• Available for both Windows and Linux
• Linux authentication tools:
  – Xsupplicant (wired)
  – WPA_supplicant (wireless)
  – open1x
802.1x Linux Supplicant
fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
default_interface = eth0

default {
  type = wired
  allow_types = eap-peap
  identity = "pfecilak"

  eap-peap {
    inner_id = "pfecilak"
    # NONE disables validation of the RADIUS server certificate
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes

    eap-mschapv2 {
      username = "pfecilak"
      password = "Moje1Tajne2Heslo3!#"
    }
  }
}
802.1x Windows Supplicant
• Native 802.1x supplicant under:
  – MS Windows XP
  – MS Vista
  – MS Windows 2000 (latest SP)
• External supplicants:
  – Cisco Secure Services Agent
User-authentication GUI agent (screenshot)
Why implement 802.1x?
• Provide port-based control of access to network resources (physical access to ports is hard to control)
• Identify regular network users and give them easy access to network resources. Isolate non-regular users from the internal infrastructure.
• Apply different security levels for specified communities of users.
• Provide mobility via RADIUS and dynamic VLAN membership
Number of security levels
• Identify user/computer roles and grant them access to network resources as defined by their security level.
Problems in 802.1x implementation
• Devices that do not support 802.1x connected to the access layer cause problems (e.g. hubs, unmanageable switches)
• Computers connected through IP phones that do not support 802.1x have problems with authentication
• Periodic re-authentication can cause problems in a large domain
• Computer authentication with user-to-VLAN mapping can cause problems during the IP settings renewal process
• The Authentication tab is not shown in the local area connection properties (requires the Wireless Zero Configuration service)
Best practices
• When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts
• Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with a domain account is preferable
• Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication
• I recommend using 1 server per 100 computers when re-authentication every 5 minutes is used
Classification into profiles for providing different security levels:
• User Network
  – For regular users, granting access to network resources
• Visitors Network
  – For guest access from the internal infrastructure, granting only internet access
• Guest/Auth-fail VLAN
  – Fully isolated network. No network resources can be accessed.
Discussion/Questions and Answers
Redundant topologies
Problem
Solution – redundant gateways
(diagram: network 192.168.1.0/24 with two gateways, 192.168.1.2 and 192.168.1.1)
Solution – HSRP
(diagram: GW-1-1 at 192.168.1.2 and GW-1-2 at 192.168.1.1 form one virtual router with address 192.168.1.3; one gateway acts as master, the other as slave)
First Hop Redundancy Protocols
• HSRP
• VRRP
• GLBP
Example - HSRP
(diagram: GW-1-1 192.168.1.2, GW-1-2 192.168.1.1; host IP 192.168.1.100, netmask 255.255.255.0, gateway 192.168.1.3)
GW-1-1(config)# interface FastEthernet 0/0
GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
GW-1-1(config-if)# standby 1 priority 80
GW-1-1(config-if)# standby 1 preempt
GW-1-1(config-if)# standby 1 ip 192.168.1.3
GW-1-1(config-if)# no shutdown

GW-1-2(config)# interface FastEthernet 0/0
GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
GW-1-2(config-if)# standby 1 priority 150
GW-1-2(config-if)# standby 1 preempt
GW-1-2(config-if)# standby 1 ip 192.168.1.3
GW-1-2(config-if)# no shutdown
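The two configurations above differ only in priority, and both enable preempt. The following added example, not part of the presentation, parses those standby statements (embedded as constructed copies of the slide's lines) and models the HSRP active election through a failure of GW-1-2 and its return, showing why preempt is needed for the higher-priority gateway to reclaim the virtual address.

```python
import re

# Constructed copies of the two gateway configurations from the slide (HSRP group 1).
GW_1_1 = "ip address 192.168.1.2 255.255.255.0\nstandby 1 priority 80\nstandby 1 preempt\nstandby 1 ip 192.168.1.3\n"
GW_1_2 = GW_1_1.replace("192.168.1.2", "192.168.1.1").replace("priority 80", "priority 150")

def parse_standby(name, config):
    """Extract HSRP settings from IOS interface config (IOS defaults: priority 100, no preempt)."""
    router = {"name": name, "priority": 100, "preempt": False, "up": True}
    for line in config.splitlines():
        m = re.match(r"\s*(ip address|standby \d+ (?:priority|preempt|ip))\s*(\S*)", line)
        if not m:
            continue
        keyword, value = m.groups()
        if keyword == "ip address":
            router["ip"] = value
        elif keyword.endswith("priority"):
            router["priority"] = int(value)
        elif keyword.endswith("preempt"):
            router["preempt"] = True
        else:
            router["virtual_ip"] = value
    return router

def elect_active(routers, current_active=None):
    """Highest priority wins, ties go to the highest interface IP; a running active router
    keeps the role unless a higher-priority router has preempt configured."""
    alive = [r for r in routers if r["up"]]
    if not alive:
        return None
    best = max(alive, key=lambda r: (r["priority"], tuple(map(int, r["ip"].split(".")))))
    if current_active is not None and current_active["up"]:
        if not (best["preempt"] and best["priority"] > current_active["priority"]):
            return current_active
    return best

def failover_sequence():
    """Normal operation, failure of the active gateway, and its return to service."""
    gw1, gw2 = parse_standby("GW-1-1", GW_1_1), parse_standby("GW-1-2", GW_1_2)
    active = elect_active([gw1, gw2])          # GW-1-2: priority 150 beats 80
    names = [active["name"]]
    gw2["up"] = False
    active = elect_active([gw1, gw2], active)  # GW-1-1 answers for 192.168.1.3 meanwhile
    names.append(active["name"])
    gw2["up"] = True
    active = elect_active([gw1, gw2], active)  # preempt lets GW-1-2 reclaim the active role
    names.append(active["name"])
    return names
```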