Introduction to IEEE 802.1X and Cisco® Identity-Based Networking Services (IBNS) Cisco

© 2008 Cisco Systems, Inc. All rights reserved.



Abstract

Cisco® Identity-Based Networking Services (IBNS) provides customized access control for wired LAN networks. Cisco IBNS is increasingly important in campus networks as enterprises look for security, visibility, and convergence at the access edge. Using IEEE 802.1X and supplementary technologies, Cisco IBNS is a network solution that provides the foundation for dynamic, user-differentiated policy and advanced network intelligence.


Basic Identity Concepts

What is an identity?
• An assertion of who we are
• Allows us to differentiate between one another

What does an identity look like? Typical network identities include:
• Username and password
• Email address: jdoe@foo.com
• MAC address: 00-0c-14-a4-9d-33
• IP address: 10.0.1.199
• Digital certificates

How do we use identities?
• To grant appropriate authorizations: rights to services within a given domain


What Is Authentication and Authorization?
• Authentication is the process of establishing and confirming the identity of a client requesting services.
• Authentication is useful only if it is used to establish a corresponding authorization (for example, access to a bank account).

Bank teller example:
  Customer: I want to withdraw 200 euros, please.
  Teller: Do you have identification?
  Customer: Yes, I do. Here it is.
  Teller: Thank you. Here are your euros.

An authentication system is only as strong as the method of verification used.


Applying the Authentication Model to the Network
  Client: I want to connect to the network.
  Network: Identification required.
  Client: Here is my identification.
  Network: Identification verified; access granted.

Identity-Enabled Networking


Why Is Cisco® IBNS Important for the Campus?

1. Who are you? IEEE 802.1X (or a supplementary method) authenticates the user.
2. Where can you go? Based on the authentication, the user is placed in the correct VLAN.
3. What service level do you receive? The user can be given per-user services (access control lists [ACLs] today; more to come).
4. What are you doing? The user's identity and location can be used for tracking and accounting.

Goals: keep the outsiders out, keep the insiders honest, personalize the network, and increase network visibility.


New Business Environment Demands Identity
• No boundary for a global and mobile workforce
• Accountability for empowered employees
• New and changing threats
• Compliance
• Contractors, partners, and guests

"A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011." —Gartner, "Findings: Wired 802.1X Adoption on the Rise," Lawrence Orans and John Pescatore, July 28, 2008


IEEE 802.1X: The Foundation of Cisco® IBNS
• Terminology
• Components
• Protocols

The same model applies: I want to connect to the network. Identification required. Here is my identification. Identification verified; access granted.


IEEE 802.1X Terminology
• Supplicant: the IEEE 802.1X client (for example, the Microsoft native supplicant and the Cisco® Secure Services Client [SSC])
• Authenticator: the access device (Cisco Catalyst® switches and access points)
• Authentication server: the RADIUS and AAA server (Cisco Secure ACS, Microsoft IAS and NPS)
• Back-end database: AD, LDAP, ...


IEEE 802.1X Components

Supplicant (Cisco® SSC) <--- Layer 2 point to point ---> Authenticator <--- Layer 4 link ---> Authentication Server

The actual authentication method is policy dependent; the authenticator relays between the two sides.

  Supplicant -> Authenticator: Hi. Anybody home?
  Authenticator -> Supplicant: Who are you?
  Supplicant -> Authenticator: I am Alice.
  Authenticator -> Authentication Server (relay): Alice requests access.
  Authentication Server -> Authenticator: Tell Alice to send her password in an encrypted tunnel.
  Authenticator -> Supplicant: Send your password in the tunnel.
  Supplicant -> Authenticator: Here is my encrypted password.
  Authenticator -> Authentication Server (relay): Alice's encrypted password.
  Authentication Server -> Authenticator: Alice checks out. Let Alice on VLAN 10.
  Authenticator -> Supplicant: Success. You may now send traffic to the network.


IEEE 802.1X Protocols: Extensible Authentication Protocol (EAP)
• A flexible transport protocol used to carry arbitrary authentication information, defined by RFC 3748
  – Establishes and manages connections
  – Allows authentication by encapsulating various types of authentication exchanges (EAP methods)
• EAP provides a flexible link-layer security framework
  – Simple encapsulation protocol
  – No dependency on IP
  – Assumes no reordering
  – Can run over lossy or lossless media
  – Can run over any link layer (Point-to-Point Protocol [PPP], IEEE 802, etc.)
• EAP over LAN = EAPoL


EAP in Context

Supplicant (Cisco® SSC) <--- EAPoL, Layer 2 point to point ---> Authenticator <--- Layer 4 link ---> Authentication Server

  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAP ID Request
  Supplicant -> Authenticator: EAP ID Response (Alice)
  Authenticator -> Authentication Server: EAP Response: Alice
  Authentication Server -> Authenticator: EAP Request: Send Tunneled Password
  Authenticator -> Supplicant: EAP Request: Send Tunneled Password
  Supplicant -> Authenticator: EAP Response: Tunneled Password
  Authenticator -> Authentication Server: EAP Response: Tunneled Password
  Authentication Server -> Authenticator: EAP Success; let Alice on VLAN 10
  Authenticator -> Supplicant: EAP Success


IEEE 802.1X Protocols: EAP Methods
• EAP methods define the credential type and authentication method to be used
  – Supplicant and authentication server must support the same method
  – Most common credential types are passwords and X.509 certificates
  – Certificates often increase the complexity of deployment

Prevalent EAP Methods

  Method          Client Credential       Basis for Encryption          Main Benefit
  EAP-TLS         Client certificate      Not required                  Highly secure
  PEAP-MSCHAPv2   Username and password   Server-certified TLS tunnel   Does not require client certificate
  EAP-FAST        PAC                     Server PAC                    Requires no certificates


Factors Promoting an EAP Method
• Enterprise security policy: certificate authority deployment; requirements such as two-factor authentication may promote the choice of EAP-TLS
• Client support: Windows XP supports EAP-TLS, PEAP with EAP-MSCHAPv2, and PEAP with EAP-TLS; third-party supplicants support a large variety of EAP types, but not all
• Authentication server support: RADIUS servers support a large variety of EAP types, but not all
• Authentication store: PEAP with EAP-MSCHAPv2 can be used only with authentication stores that store passwords in MSCHAPv2 format; not every identity store supports all EAP types
• The customer's choice of EAP type affects every other component


EAP Method (PEAP) in Context

Supplicant (Cisco® SSC) <--- Layer 2 point to point ---> Authenticator <--- Layer 3 link ---> Authentication Server

  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAP ID Request
  Supplicant -> Authenticator: EAP ID Response (Alice)
  Authenticator -> Authentication Server: EAP Response: Alice
  Authentication Server -> Authenticator: EAP Request: PEAP
  Authenticator -> Supplicant: EAP Request: PEAP
  Supplicant -> Authenticator: EAP Response: PEAP Client Hello
  Authenticator -> Authentication Server: EAP Response: PEAP Client Hello
  (PEAP exchange: the TLS tunnel is set up, then the inner authentication runs)
  Authentication Server -> Authenticator: EAP Success; let Alice on VLAN 10
  Authenticator -> Supplicant: EAP Success


IEEE 802.1X Protocols: RADIUS
• RADIUS acts as the transport for EAP from the authenticator to the authentication server.
• RFC 3579 describes how RADIUS should support EAP between the authenticator and the authentication server.

  IP Header | UDP Header | RADIUS Header | EAP Payload

• RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs (attribute-value pairs).

  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs

• RFC 3580 is the usage guideline for IEEE 802.1X authenticators' use of RADIUS.


RADIUS in Context

Supplicant (Cisco® SSC) <--- Layer 2 point to point ---> Authenticator <--- Layer 3 link ---> Authentication Server

  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAP ID Request
  Supplicant -> Authenticator: EAP ID Response (Alice)
  Authenticator -> Authentication Server: RADIUS Access Request [AVP: EAP Response: Alice]
  Authentication Server -> Authenticator: RADIUS Access Challenge [AVP: EAP Request: PEAP]
  Authenticator -> Supplicant: EAP Request: PEAP
  Supplicant -> Authenticator: EAP Response: PEAP
  Authenticator -> Authentication Server: RADIUS Access Request [AVP: EAP Response: PEAP]
  (Multiple challenge/request exchanges are possible)
  Authentication Server -> Authenticator: RADIUS Access Accept [AVP: EAP Success] [AVP: VLAN 10]
  Authenticator -> Supplicant: EAP Success
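The last two slides show EAP riding inside RADIUS and the VLAN authorization coming back as AV pairs. The following is an added example, not Cisco code or anything from the original deck: it builds the Access-Request carrying Alice's EAP Identity response, checks the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and reads the VLAN 10 assignment from the Access-Accept's Tunnel-* attributes (RFC 3580). The shared secret and RADIUS identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity frame: code, id, length, type, identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def avp(attr_type, value):
    """One attribute-value pair: type, length, value (253 bytes max)."""
    if len(value) > 253:
        raise ValueError("split long EAP frames across several EAP-Message AVPs")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, request_authenticator, avps, secret):
    """Assemble the packet and fill in Message-Authenticator = HMAC-MD5 over the
    packet with the attribute zeroed and the Request Authenticator in the header
    (RFC 3579 3.2); a response then gets its Response Authenticator (RFC 2865)."""
    attrs = b"".join(avps) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, hdr + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    auth = request_authenticator
    if code != ACCESS_REQUEST:
        auth = hashlib.md5(hdr + request_authenticator + attrs + secret).digest()
    return hdr + auth + attrs


def parse_avps(pkt):
    """Return [(type, value), ...] from the attribute area, rejecting bad lengths."""
    out, pos = [], 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed AVP")
        out.append((t, pkt[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True only if a Message-Authenticator is present and its HMAC checks out;
    for a response, pass the Request Authenticator the HMAC was computed with."""
    hdr = pkt[:4] + (request_authenticator or pkt[4:20])
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = hdr + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            expect = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expect, pkt[pos + 2:pos + 18])
        pos += max(length, 2)
    return False  # EAP over RADIUS without Message-Authenticator must be rejected


def vlan_avps(vlan_id):
    """RFC 3580 VLAN authorization: Tunnel-Type VLAN (13), Tunnel-Medium-Type
    IEEE-802 (6), Tunnel-Private-Group-ID = VLAN number; tag byte 0 on each."""
    return [avp(TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:]),
            avp(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:]),
            avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())]


def assigned_vlan(avps):
    """VLAN from an Access-Accept, or None when the Tunnel-* triple is absent."""
    d = dict(avps)
    if d.get(TUNNEL_TYPE, b"")[1:] == b"\x00\x00\x0d" and \
            d.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == b"\x00\x00\x06":
        return int(d[TUNNEL_PRIVATE_GROUP_ID][1:])
    return None


def exchange(secret=b"constructed-shared-secret"):
    """Access-Request [EAP Response: Alice] answered by Access-Accept
    [EAP Success] [VLAN 10]; returns (identity, vlan, accept_verified)."""
    req_auth = os.urandom(16)
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [
        avp(USER_NAME, b"Alice"),
        avp(EAP_MESSAGE, eap_identity_response(1, "Alice"))], secret)
    if not verify_message_authenticator(request, secret):        # server side
        raise ValueError("Access-Request failed Message-Authenticator check")
    eap = b"".join(v for t, v in parse_avps(request) if t == EAP_MESSAGE)
    identity = eap[5:].decode()                       # skip EAP header and type byte
    accept = build_packet(ACCESS_ACCEPT, 7, req_auth,
                          [avp(EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, 1, 4))]
                          + vlan_avps(10), secret)
    ok = verify_message_authenticator(accept, secret, req_auth)   # authenticator side
    return identity, assigned_vlan(parse_avps(accept)), ok
```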


Next Section: Wired IEEE 802.1X Port-Based Access Deployment


Why Is Identity Difficult in the Wired LAN?
• WLANs: relatively new technology; required a client from the beginning; no old-technology host issues to deal with
• Remote-access VPN: relatively new technology; required a client from the beginning; no old-technology host issues to deal with
• Wired Ethernet networks: Ethernet is a mature, widely deployed technology; it never really required an authentication client; 20 years of older protocols, devices, operating systems, and applications, most of which were built with the assumption of open connectivity
• IEEE 802.1X in wired environments: a change from all this; requires prior knowledge of device capabilities before configuring the access port (a major operating-expense challenge)

Features to Help with Wired IEEE 802.1X Deployments
– FlexAuth: single-port configuration with flexible authentication technology (IEEE 802.1X, MAB, and WebAuth)
– 802.1X open mode: enhanced IEEE 802.1X authenticator (wired switches, etc.) to address OS, protocol, and management application issues
– IP Telephony (IPT) integration enhancements: MDA
– Simplification of MAB: NAC Profiler provides endpoint discovery and profiling


IEEE 802.1X: The Foundation of Identity

Supplicant (IEEE 802.1X client) <--- EAP over LAN (EAPoL) ---> Authenticator (switch, access point, etc.) <--- RADIUS ---> Authentication Server (Cisco® Secure ACS, etc.)

• IEEE 802.1 working group standard
• Provides port-based access control using authentication
• Enforcement using MAC-based filtering and port-state monitoring
• Defines the encapsulation for EAP over IEEE 802 media: EAPoL


Default Port State Without IEEE 802.1X

No authentication required:
• No visibility
• No access control

(Figure: an unknown user on a switch port; DHCP, TFTP, KRB5, and HTTP traffic all pass.)


Default Security with IEEE 802.1X: Before Authentication

• No visibility (yet)
• Strict access control

One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else). All traffic except EAPoL is dropped, so the user's DHCP, TFTP, KRB5, and HTTP traffic does not pass until authentication completes.

  interface FastEthernet 3/48
   authentication port-control auto


Default Security with IEEE 802.1X: After Authentication

• User or device is known
• Identity-based access control
• Single MAC per port

The port looks the same as without IEEE 802.1X: the authenticated user (Sally) sends DHCP, TFTP, KRB5, and HTTP traffic and it all passes. "Having read your mind, Sally, that is true. Unless you apply an authorization, access is wide open. We can restrict access with dynamic VLAN assignment or downloadable ACLs."

  interface FastEthernet 3/48
   authentication port-control auto


Default Security: Consequences

Default IEEE 802.1X challenge:
• Devices without supplicants cannot send EAPoL
• No EAPoL = no access

One physical port becomes two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else). A device without a supplicant never sends EAPoL, so its DHCP and TFTP traffic is dropped on the controlled port and the device stays offline.

  interface FastEthernet 3/48
   authentication port-control auto


Simplifying IEEE 802.1X Deployments

  Challenge               Cisco IOS® Software Enhancement
  Clientless device       Cisco IOS Software MAB plus NAC Profiler
  Host asset management   Cisco IOS Software IEEE 802.1X open mode
  Operation cost          Cisco IOS Software flexible authentication (FlexAuth)
  IPT integration         Cisco IOS Software MDA
                          Cisco IOS Software EAPoL logoff and MAB inactivity timer
                          Cisco IOS Software Cisco® Discovery Protocol host connect TLV


Authenticating Clientless Devices: MAC Authentication Bypass (MAB)

Sequence on a port with dot1x and MAB enabled (default timers: each EAP ID Request waits 30 seconds for a response):
1. Link up; the switch sends an EAP ID Request. The end-point host does not respond; 30-second timeout.
2. Second EAP ID Request. No response; 30-second timeout.
3. Third EAP ID Request. No response; 30-second timeout.
4. No response at all: fallback to MAB.
5. The switch learns the host's MAC address (00.0a.95.7f.de.06).
6. RADIUS Access Request: 00.0a.95.7f.de.06
7. RADIUS Access Accept
8. Port enabled.

• Same authorizations as IEEE 802.1X (VLAN or ACL)
• Requires a current database of known MAC addresses

  interface fastEthernet 3/48
   authentication port-control auto
   mab


MAB Limitations and Challenges
• MAB requires creation and maintenance of a MAC database
• Default IEEE 802.1X timeout = 90 seconds
  – 90 seconds: default MSFT DHCP timeout
  – 90 seconds: default PXE timeout
• Current workaround: timer tuning (always requires testing)
  – max-reauth-req: maximum number of times (default = 2) that the switch retransmits an EAP ID Request frame on the wire
  – tx-period: number of seconds (default = 30) that the switch waits for a response to an EAP ID Request frame before retransmitting
  – IEEE 802.1X Timeout = (max-reauth-req + 1) * tx-period
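The timeout formula above and the MAB sequence on the previous slide can be laid out as a timeline and checked against the 90-second DHCP and PXE client timeouts the slide quotes. This is an added example, not Cisco code: the RADIUS round-trip delay and the candidate tx-period values it tries are assumed.

```python
DHCP_CLIENT_TIMEOUT = 90   # seconds, default MSFT DHCP timeout quoted on the slide
PXE_TIMEOUT = 90           # seconds, default PXE timeout quoted on the slide


def dot1x_timeout(max_reauth_req=2, tx_period=30):
    """Seconds after link-up at which the switch gives up on EAP:
    (max-reauth-req + 1) * tx-period, 90 s with the defaults."""
    if max_reauth_req < 0 or tx_period <= 0:
        raise ValueError("max-reauth-req must be >= 0 and tx-period > 0")
    return (max_reauth_req + 1) * tx_period


def mab_timeline(mac, max_reauth_req=2, tx_period=30, radius_rtt=1.0):
    """(seconds, event) list for a clientless host, as drawn on the MAB slide:
    EAP ID Request retries, timeout, MAB fallback, RADIUS, port enabled.
    radius_rtt is an assumed switch-to-server round trip."""
    events = [(0, "link up")]
    for n in range(max_reauth_req + 1):
        events.append((n * tx_period, "EAP ID Request sent, no response"))
    t = dot1x_timeout(max_reauth_req, tx_period)
    events += [(t, "IEEE 802.1X timeout, fallback to MAB"),
               (t, f"learn MAC {mac}"),
               (t, f"RADIUS Access Request: {mac}"),
               (t + radius_rtt, "RADIUS Access Accept"),
               (t + radius_rtt, "port enabled")]
    return events


def port_enabled_at(max_reauth_req=2, tx_period=30, radius_rtt=1.0):
    """Time at which a MAB-authorized host can finally pass traffic."""
    return mab_timeline("x", max_reauth_req, tx_period, radius_rtt)[-1][0]


def client_timeouts_hit(max_reauth_req=2, tx_period=30, radius_rtt=1.0):
    """Client-side timers that expire before MAB enables the port: with the
    defaults the host has already given up on DHCP and PXE."""
    ready = port_enabled_at(max_reauth_req, tx_period, radius_rtt)
    return [name for name, limit in (("DHCP", DHCP_CLIENT_TIMEOUT),
                                     ("PXE", PXE_TIMEOUT)) if ready >= limit]


def tune(target_seconds, tx_periods=(30, 20, 15, 10)):
    """(max-reauth-req, tx-period) pairs whose fallback lands under target_seconds
    and still allow at least one retransmission (max-reauth-req >= 1), longest
    tx-period first so slow supplicants keep the most time to answer."""
    return [(reauth, tx) for tx in tx_periods for reauth in (2, 1)
            if dot1x_timeout(reauth, tx) < target_seconds]
```

Any tuned value still has to be tested against the slowest supplicants in the environment, which is the caveat the slide itself attaches to timer tuning.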


Simplifying MAB Deployments: NAC Profiler

Build the MAC database before deploying IEEE 802.1X. The NAC Profiler Collector learns the port, MAC address, Organizational Unique Identifier, and vendor ID of each endpoint from SNMP (MAC-notification and link up/down traps sent by the access switch) and from DHCP (relayed by the ip helper-address on the client VLAN), and feeds them to the NAC Profiler Server.

Access switch:
  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
  snmp-server host 10.100.10.215 RO
  snmp-server enable traps mac-notification
  snmp-server enable traps snmp linkup linkdown

Client VLAN:
  interface VLAN 30
   ip helper-address 10.100.10.215


NAC Profiler: Query the MAC Database After Deploying IEEE 802.1X

1. IEEE 802.1X times out and the switch initiates MAB for the host's MAC (00-18-f8-09-cf-d7).
2. The switch sends RADIUS Access Request: 00-18-f8-09-cf-d7; Cisco® Secure Access Control Server (ACS) queries the Profiler database using LDAP (LDAP: 00-18-f8-09-cf-d7).
3. The NAC Profiler Server validates the MAC address (LDAP success).
4. Cisco Secure ACS sends MAB success (RADIUS Access Accept).
5. The switch enables the port (with optional authorization).

  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   authentication port-control auto
   mab


Next Section: Open Mode


IEEE 802.1X and MAB: Open Mode

Open mode (no restrictions):
• IEEE 802.1X and MAB enabled
• Open mode: enabled
• All traffic in addition to EAP is allowed (the figure shows DHCP, TFTP, and HTTP passing the switch port alongside EAP)

RADIUS accounting logs provide visibility:
• Passed and failed IEEE 802.1X/EAP attempts
• List of valid dot1x-capable hosts
• List of non-dot1x-capable hosts
• Passed and failed MAB attempts
• List of valid MAC addresses
• List of invalid or unknown MAC addresses


IEEE 802.1X and MAB: Open Mode, Selectively Open Access

• Open mode (pin hole)
  – On specific TCP and UDP ports
  – Restrict to specific addresses
• EAP allowed (controlled port)

Pin hole explicit TCP and UDP ports to allow the desired access (in the figure, DHCP and PXE to specific servers, while the host's TFTP and HTTP traffic to anything else is blocked). Block general access until successful IEEE 802.1X, MAB, or WebAuth.


Example: Open Mode on an IEEE 802.1X Port with Access Control

Topology (slide source: Ken Hook): wired Ethernet end points (example end point IP 10.100.60.200) connect to IEEE 802.1X* Ethernet ports on a Cisco Catalyst® 6500 Series switch; RADIUS runs to Cisco® Secure ACS and AAA; the DHCP and DNS server is 10.100.10.116 and the PXE server is 10.100.10.117. Before authentication only EAP, DHCP (any), DNS (to 10.100.10.116), and PXE/TFTP (to 10.100.10.117) are permitted.

Sample open mode configuration:
  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   ip access-group UNAUTH in
   authentication host-mode multi-domain
   authentication open
   authentication port-control auto
   mab

  ip access-list extended UNAUTH
   permit tcp any any established
   permit udp any any eq bootps
   permit udp any host 10.100.10.116 eq domain
   permit udp any host 10.100.10.117 eq tftp

TCAM contents for the port (the slide shows the two columns side by side):
  6506-2#show tcam interface g1/13 acl in ip
  Before authentication:
    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any
  After authentication:
    permit ip host 10.100.60.200 any
    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

* Works on FlexAuth and MDA enabled ports
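A pin-hole ACL is only as good as the flows it actually lets through, so it is worth checking the UNAUTH list against sample traffic before it is applied. The evaluator below is an added example, not Cisco code: it models IOS extended ACL semantics only for the keywords used on the slide (any/host, eq, established, first match wins, implicit deny ip any any) and runs the slide's ACL over constructed flows.

```python
import ipaddress

UNAUTH_ACL = [                      # ip access-list extended UNAUTH from the slide
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]
WELL_KNOWN = {"bootps": 67, "domain": 53, "tftp": 69, "www": 80}


def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_ace(line):
    """One access control entry: action proto src dst [eq port] [established]."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "dport": None, "established": False}
    while i < len(tok):
        if tok[i] == "eq":
            port = tok[i + 1]
            ace["dport"] = WELL_KNOWN[port] if port in WELL_KNOWN else int(port)
            i += 2
        elif tok[i] == "established" and proto == "tcp":
            ace["established"] = True       # matches TCP with ACK or RST set
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]} in: {line}")
    return ace


def matches(ace, flow):
    """flow keys: proto, src, dst, dport, established (TCP ACK/RST flag)."""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow.get("dport"):
        return False
    if ace["established"] and not flow.get("established", False):
        return False
    return True


def evaluate(acl_lines, flow):
    """First matching entry decides; return (verdict, entry that matched)."""
    for line in acl_lines:
        if matches(parse_ace(line), flow):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny ip any any"


def flow(proto, src, dst, dport=None, established=False):
    """Constructed flow record for testing an ACL."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "established": established}
```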


Next Section: Flexible Authentication (FlexAuth)


Flexible Authentication: Host Roulette

Any of these may appear on the same port, and the host or user may change: an employee, partner, faculty member, guest user, or subcontractor; an IEEE 802.1X client, a valid MAC address, or a valid host asset.

FlexAuth sequence on the port:
• IEEE 802.1X: EAP credentials sent and validated; port authorized
• IEEE 802.1X times out or fails: fall back to MAB
• MAB, known MAC: Access Accept; port authorized
• MAB, unknown MAC: Access Accept with URL redirect; the host is handed to WebAuth

• One configuration addresses all use cases and all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, and URL

  interface GigabitEthernet1/13
   authentication host-mode multi-domain
   authentication order dot1x mab webauth
   authentication priority dot1x mab webauth
   authentication port-control auto
   dot1x pae authenticator
   authentication violation restrict
   authentication fallback WEB-AUTH
   mab

Benefit: greater flexibility and deterministic behavior
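The order, priority and fallback lines in that configuration decide what each kind of host ends up with. The simulation below is an added example, not Cisco code: it walks the slide's order (dot1x, mab, webauth) with WEB-AUTH as the fallback for unknown MACs and shows the priority rule separately. The identity stores, authorizations and redirect URL are constructed stand-ins for what the RADIUS server would return.

```python
ORDER = ("dot1x", "mab", "webauth")       # authentication order dot1x mab webauth
PRIORITY = ("dot1x", "mab", "webauth")    # authentication priority dot1x mab webauth
FALLBACK = "webauth"                      # authentication fallback WEB-AUTH

# Constructed identity stores standing in for the RADIUS server's back end.
USERS = {"alice": {"vlan": 10}}                          # 802.1X users -> authorization
MAC_DB = {"0014.5e42.66df": {"acl": "PRINTERS-ONLY"}}    # known MACs -> authorization
WEB_USERS = {"guest1": {"vlan": 900}}                    # WebAuth users -> authorization
REDIRECT = {"url_redirect": "https://login.example.invalid/webauth"}  # constructed


def run_dot1x(host):
    if not host.get("supplicant"):
        return "timeout", None     # no EAPoL: (max-reauth-req + 1) * tx-period elapses
    if host.get("user") in USERS and host.get("password_ok"):
        return "pass", USERS[host["user"]]
    return "fail", None


def run_mab(host):
    if host["mac"] in MAC_DB:
        return "pass", MAC_DB[host["mac"]]
    # Unknown MAC: Access-Accept with URL redirect hands the host to WebAuth.
    return "redirect", REDIRECT


def run_webauth(host):
    if host.get("web_user") in WEB_USERS and host.get("web_password_ok"):
        return "pass", WEB_USERS[host["web_user"]]
    return "fail", None


METHODS = {"dot1x": run_dot1x, "mab": run_mab, "webauth": run_webauth}


def flexauth(host, order=ORDER, fallback=FALLBACK):
    """Walk the configured order; return (method that authorized the port,
    authorization applied, trail of (method, outcome))."""
    trail = []
    for method in order:
        outcome, authz = METHODS[method](host)
        trail.append((method, outcome))
        if outcome == "pass":
            return method, authz, trail
        if outcome == "redirect":
            web_outcome, web_authz = METHODS[fallback](host)
            trail.append((fallback, web_outcome))
            if web_outcome == "pass":
                return fallback, web_authz, trail
            return method, authz, trail   # stays on the redirect ACL/URL only
        # timeout or fail: try the next method in the order
    return None, None, trail              # port stays unauthorized


def preempts(current, new, priority=PRIORITY):
    """authentication priority: a higher-priority method may take over a port
    authorized by a lower one (a supplicant waking up on a MAB-authorized port),
    never the reverse (a MAB attempt must not displace an 802.1X session)."""
    return priority.index(new) < priority.index(current)
```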


Next Section: IP Telephony Integration


IP Telephony (IPT) and IEEE 802.1X: Fundamental Challenges

1. One device per port. "The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." —IEEE 802.1X, Revision 2004. With two devices per port (a PC behind an IP phone on a Catalyst 3750 port), the second device is a security violation.

2. IEEE 802.1X machine state depends on link state. The PC is cabled to the phone, not to the switch, so the PC's link state is unknown to the switch.

IPT breaks the point-to-point model.


Multidomain Authentication (MDA): Solving the Two-Devices-per-Port Problem

IEEE 802.1X alone: a single device per port. MDA: a single device per domain per port, with two domains (voice and data) per port.
• The phone authenticates in the voice domain and tags its traffic with the voice VLAN ID (VVID) using IEEE 802.1Q.
• The PC authenticates in the data domain and sends untagged traffic in the port VLAN ID (PVID).

• MDA replaces Cisco® Discovery Protocol bypass
• Supports Cisco and third-party phones
• Phones and PCs use IEEE 802.1X or MAB


MDA for Cisco® IP Phones (No Supplicant on the Phone)

  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   dot1x pae authenticator
   mab

1. The phone learns the VVID from Cisco Discovery Protocol.
2. IEEE 802.1X times out.
3. The switch initiates MAB for the phone's MAC (Access Request: phone MAC).
4. Cisco Secure ACS returns Access Accept with the Vendor Specific Attribute (VSA) for phones ("device-traffic-class=voice").
5. The switch allows phone traffic on either VLAN until the phone sends a tagged packet; then only voice VLAN traffic is allowed.
6. Asynchronously, the PC authenticates using IEEE 802.1X (EAP via SSC) or MAB. Authenticated PC traffic is allowed on the data VLAN only.


MDA in Action

  3750-1(config-if)#do sh dot1x int G1/0/5 details
  <...>
  Dot1x Authenticator Client List
  -------------------------------
  Domain                = DATA
  Supplicant            = 0014.5e42.66df
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x
  Authorized By         = Authentication Server

  Domain                = VOICE
  Supplicant            = 0016.9dc3.08b8
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = MAB
  Authorized By         = Authentication Server


IPT and IEEE 802.1X: The Link-State Problem

1. Legitimate users cause a security violation. The port is authorized for 0011.2233.4455 (PC A) only. PC A is unplugged from the phone and PC B (source MAC 6677.8899.AABB) plugs in; the switch still holds A's session, so B's traffic is a security violation.

2. Hackers can spoof a MAC address to gain access without authenticating. After PC A unplugs, a device sending with source MAC 0011.2233.4455 is forwarded on A's still-authorized session: a security hole.


Previous Solution: Proxy EAPoL Logoff

Before: PC A (with SSC) behind the phone. Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x.

PC A unplugs: the phone sends an EAPoL Logoff on A's behalf and the session is cleared immediately. Domain = DATA, Port Status = UNAUTHORIZED.

PC B plugs in (with SSC) and authenticates. Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.

Requires: logoff-capable phones.
Caveats:
• Only for IEEE 802.1X devices behind the phone


Previous Solution: MAB Inactivity Timeout

  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   authentication timer inactivity 300
   mab

Before: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB.

Device unplugs: the session stays (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB), so the port is vulnerable to security violations and holes until the timer runs out.

Inactivity timer expires: session cleared and vulnerability closed. Domain = DATA, Port Status = UNAUTHORIZED.

Caveats:
• Quiet devices may have to reauthenticate; network access is denied until reauthentication completes
• Still a window of vulnerability


NEW

New Solution: Cisco® Discovery Protocol Host Connect TLV

Before: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB.

Device A unplugs: the phone sends a Link Down TLV to the switch (Cisco Discovery Protocol link down) and the session is cleared immediately. Domain = DATA, Port Status = UNAUTHORIZED.

Device B plugs in (with SSC) and authenticates. Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.

• Link status message addresses the root cause
• Session cleared immediately
• Works for MAB and IEEE 802.1X
• Nothing to configure
• Cisco on Cisco value
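The last four slides compare three ways of clearing the data-domain session when the PC behind the phone goes away. The model below is an added example, not Cisco code: a single port with a voice and a data domain, one MAC per domain, and the three clearing mechanisms as switches you can turn on; the MACs and timings are the slides' own values plus constructed timestamps. It runs the same unplug-and-replace scenario under each mechanism and reports what the switch does with PC B and with a late frame carrying PC A's MAC.

```python
class MdaPort:
    """One session per domain; a second MAC in a domain is a violation
    (authentication violation restrict on the slides' configuration)."""

    def __init__(self, inactivity_timer=None, phone_eapol_logoff=False,
                 phone_link_tlv=False):
        self.inactivity_timer = inactivity_timer    # authentication timer inactivity
        self.phone_eapol_logoff = phone_eapol_logoff  # logoff-capable phone
        self.phone_link_tlv = phone_link_tlv          # CDP host connect TLV
        self.sessions = {}           # domain -> {"mac", "method", "last_seen"}
        self.log = []

    def authorize(self, domain, mac, method, now):
        self.sessions[domain] = {"mac": mac, "method": method, "last_seen": now}
        self.log.append((now, f"{domain}: {mac} AUTHORIZED via {method}"))

    def status(self, domain):
        return "AUTHORIZED" if domain in self.sessions else "UNAUTHORIZED"

    def _clear(self, domain, now, why):
        if domain in self.sessions:
            del self.sessions[domain]
            self.log.append((now, f"{domain}: session cleared ({why})"))

    def pc_unplugged(self, now):
        """The switch never sees the PC's link go down; only the phone does."""
        s = self.sessions.get("DATA")
        if s is None:
            return
        if self.phone_link_tlv:                      # new solution: any method
            self._clear("DATA", now, "CDP host connect link-down TLV")
        elif self.phone_eapol_logoff and s["method"] == "dot1x":
            self._clear("DATA", now, "proxy EAPoL logoff")   # 802.1X devices only
        # otherwise the stale session survives until the inactivity timer, if any

    def tick(self, now):
        """Expire a data session idle for longer than the inactivity timer."""
        s = self.sessions.get("DATA")
        if s and self.inactivity_timer is not None and \
                now - s["last_seen"] >= self.inactivity_timer:
            self._clear("DATA", now, "inactivity timer")

    def frame(self, domain, mac, now):
        """Switch decision for a frame seen in this domain."""
        self.tick(now)
        s = self.sessions.get(domain)
        if s is None:
            return "unauthorized"    # dropped on the controlled port; auth may start
        if s["mac"] == mac:
            s["last_seen"] = now
            return "forward"         # also true for a stale session's MAC: the hole
        return "violation"           # second MAC in the domain


def scenario(port, pc_a_method="mab"):
    """Phone and PC A authorized; A unplugged at t=100; PC B appears at t=110;
    a frame with A's MAC appears at t=400. Returns (B verdict, late-A verdict,
    final data-domain status)."""
    port.authorize("VOICE", "0016.9dc3.08b8", "mab", 0)
    port.authorize("DATA", "0011.2233.4455", pc_a_method, 1)
    port.pc_unplugged(100)
    b = port.frame("DATA", "6677.8899.AABB", 110)
    if b == "unauthorized":          # nothing stale: B authenticates normally
        port.authorize("DATA", "6677.8899.AABB", "dot1x", 111)
    late_a = port.frame("DATA", "0011.2233.4455", 400)
    return b, late_a, port.status("DATA")
```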


IP Telephony Integration: Summary

Mechanisms: (1) VVID; (2) Cisco® Discovery Protocol notification or EAPoL logoff from the supplicant; (3) inactivity timers.
• Use case: PC disconnect behind an IP phone
• Allows Cisco® and third-party IP phones without supplicants to be identified and authenticated
• First-hop switch snoops protocols
• First-hop switch proxies requests to the authentication service

Customer benefits:
• Allows more devices to participate in the identity network
• Eliminates capital and operating expenses for upgrade and replacement of all IP phones


Main Points
• Cisco® Identity-Based Networking Services (IBNS) provides a security foundation for customers
• New Cisco IBNS features simplify deployments and operations


Additional Resources
• Cisco® IBNS website: http://www.cisco.com/go/ibns
• Products:
  – Cisco Catalyst® 6500 Series Switches: http://www.cisco.com/go/6500
  – Cisco Catalyst 4500 Series Switches: http://www.cisco.com/go/4500
  – Cisco Catalyst 3750 Series Switches: http://www.cisco.com/go/3750
  – Cisco Catalyst 3560 Series Switches: http://www.cisco.com/go/3560
  – Cisco Catalyst 2960 Series Switches: http://www.cisco.com/go/2960

