© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 2-1 Trust and Identity: Implementing Cisco IBNS

Concepts of Cisco IBNS in Action
[Figure: identity-based authentication. An authorized user presenting valid credentials reaches corporate resources on the corporate network; an unauthorized external wireless user with invalid or no credentials gets no access.]

Cisco IBNS
[Figure: unified control of user identity for the enterprise. Cisco Secure ACS provides identity services to Cisco VPN concentrators, Cisco IOS routers and Cisco PIX firewalls; remote offices, VPN clients using hard and soft tokens, an OTP server and the Internet connect through the router and firewall.]

Cisco IBNS Port-Based Access Control
Participants: End User (Client), Cisco Catalyst Series 2950 (switch), Authentication Server (Cisco Secure ACS/RADIUS).
1. The client sends EAPOL-start.
2. The switch sends a login request.
3. The client returns a login response.
4. The switch checks with the policy database.
5. The policy database informs the switch.
6. The policy database confirms the identity and grants access.
7. The switch enables the port.

IEEE 802.1x
- Standard set by the IEEE working group
- A framework designed to address and provide port-based access control using authentication
- Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
- Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
- Assumes a secure connection
- Actual enforcement is via MAC-based filtering and port-state monitoring

802.1x Components
Supplicant <-- EAPOL --> Authenticator <-- RADIUS --> Authentication Server

802.1x Operation
- For each 802.1x switch port, the switch creates two virtual access points at each port: a controlled port and an uncontrolled port.
- The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only.
- The controlled port is open only when the device connected to the port has been authorized by 802.1x.

How 802.1x Works
End User (Client) <-- EAPOL --> Cisco Catalyst 2950 Series Switch (NAD) <-- RADIUS --> Authentication Server (Cisco Secure ACS)
- The actual authentication conversation occurs between the client and the authentication server using EAP.
- The authenticator is aware of this activity, but it is just an intermediary.

How 802.1x Works (Cont.)
1. Client -> Switch: EAPOL-start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Client <-> Switch: EAP authentication exchange, relayed by the switch as an authentication exchange with the AAA server (EAP-method dependent)
5. Server -> Switch: Auth Success/Reject, with policies
6. Switch -> Client: EAP Success/EAP Failure; on success the port is authorized
7. Client -> Switch: EAPOL-Logoff; the port returns to unauthorized

What Is EAP?
- EAP: the Extensible Authentication Protocol
- A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
- Typically runs directly over data-link layers such as PPP or IEEE 802 media
- Originally specified in RFC 2284, obsoleted by RFC 3748
- Supports multiple authentication types

Current Prevalent Authentication Methods
Challenge-response-based:
- EAP-MD5: uses MD5-based challenge-response for authentication
- LEAP: uses username/password authentication
- EAP-MS-CHAPv2: uses username/password MS-CHAPv2 challenge-response authentication
Cryptographic-based:
- EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
- PEAP: PEAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
- EAP-Tunneled TLS (TTLS): other EAP methods over an extended EAP-TLS encrypted tunnel
- EAP-FAST: recent tunneling method designed not to require certificates at all for deployment
Other:
- EAP-GTC: generic token and OTP authentication

EAP Methods
- EAP-MD5
- EAP-TLS
- PEAP with EAP-MS-CHAPv2
- EAP-FAST

EAP-MD5
(Client <-- EAPOL --> Switch <-- RADIUS --> Authentication Server)
1. Client -> Switch: EAPOL-start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Server -> Client: EAP Request/Challenge
5. Client -> Server: EAP Response/Challenge
6. Server -> Client: EAP Success
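The EAP-MD5 exchange on this slide as an added, runnable model (constructed here, not code from the deck or from Cisco): the server's Request/Challenge, the supplicant's Response/Challenge computed as MD5(Identifier || password || Challenge) per RFC 3748 section 5.4 and RFC 1994, and the server's verification yielding EAP Success or EAP Failure. Usernames, passwords and the message dictionaries are constructed sample values; the switch is only a relay in this method and is omitted.

```python
import hashlib
import hmac
import os

# Constructed credential store for the authentication server role (Cisco Secure ACS/RADIUS
# on the slide); username -> password. Sample data, not from the original deck.
USERS = {"alice": b"correct horse battery"}


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 s.5.4, same rule as CHAP in RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_request_challenge(identifier: int) -> dict:
    """EAP Request/MD5-Challenge from the server: a fresh random 16-byte challenge value."""
    return {"code": "Request", "id": identifier, "type": "MD5-Challenge", "value": os.urandom(16)}


def supplicant_response(request: dict, username: str, password: bytes) -> dict:
    """EAP Response/MD5-Challenge from the supplicant: carries the digest and the name, never the password."""
    digest = md5_challenge_response(request["id"], password, request["value"])
    return {"code": "Response", "id": request["id"], "type": "MD5-Challenge", "value": digest, "name": username}


def server_verify(request: dict, response: dict) -> str:
    """Server side: recompute the expected digest from the stored password and compare."""
    if response["code"] != "Response" or response["id"] != request["id"]:
        return "Failure"  # stale or mismatched Identifier: not a reply to this Request
    secret = USERS.get(response["name"])
    if secret is None:
        return "Failure"
    expected = md5_challenge_response(request["id"], secret, request["value"])
    # Constant-time comparison; the outcome becomes EAP Success or EAP Failure on the wire
    return "Success" if hmac.compare_digest(expected, response["value"]) else "Failure"


def run_exchange(username: str, password: bytes, identifier: int = 1) -> str:
    """Steps 4-6 of the slide: Request/Challenge, Response/Challenge, then Success or Failure."""
    request = server_request_challenge(identifier)
    response = supplicant_response(request, username, password)
    return server_verify(request, response)


if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse battery"))  # Success
    print(run_exchange("alice", b"wrong password"))         # Failure
```

RFC 3748 notes that MD5-Challenge provides no mutual authentication and derives no keying material, which is why the TLS-based and tunneled methods on the following slides matter in practice.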

EAP-TLS
(Client <-- EAPOL --> Switch <-- RADIUS --> Authentication Server)
1. Client -> Switch: EAPOL-start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Server -> Client: EAP Request/TLS start
5. Client -> Server: EAP Response/TLS Client Hello
6. Server -> Client: EAP Response/TLS Server Hello, Server Cert, Server Key Exchange, Cert Request, Server Hello Done
7. Client -> Server: EAP Response/TLS Client Cert, Client Key Exchange, Cert Verify, Change Ciph Spec, TLS Finished
8. Server -> Client: EAP Request/TLS Change_Ciph_Spec, TLS Finished (protected tunnel established)
9. Client -> Server: EAP Response
10. Server -> Client: EAP Success

PEAP with MS-CHAPv2
(Client <-- EAPOL --> Switch <-- RADIUS --> Authentication Server)
Phase 1 (TLS tunnel establishment):
1. Client -> Switch: EAPOL-start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Server -> Client: EAP Request/TLS start
5. Client -> Server: EAP Response/TLS client hello
6. Server -> Client: EAP Response/TLS Server Hello, Server Cert, Server Key Exchange, Server Hello Done
7. Client -> Server: EAP Response/Cert Verify, Change Ciph Spec
8. Server -> Client: EAP Request/TLS Change_Ciph_Spec
Phase 2 (protected, inside the tunnel):
9. Server -> Client: [Identity Request]
10. Client -> Server: Protected Identity response
11. Server -> Client: EAP-MS-CHAPv2 Challenge
12. Client -> Server: EAP-MS-CHAPv2 Response
13. Server -> Client: EAP Success

EAP-FAST
(Client <-- EAPOL --> Switch <-- RADIUS --> Authentication Server)
1. Client -> Switch: EAPOL-start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
4. Server -> Client: EAP-FAST Start, Authority[ID]
Phase 1:
5. Client -> Server: EAP-FAST [TLS Client Hello [Client_random, PAC-Opaque]]
6. Server -> Client: EAP-FAST [TLS Server Hello [Server_random], Change_Cipher_Spec, TLS Finished]
7. Client -> Server: EAP-FAST [TLS Change_Ciph_Spec, TLS Finished]
Phase 2 (protected):
8. Server -> Client: Protected authentication via EAP-GTC
9. Client -> Server: Authentication response
10. Server -> Client: Optional PAC refresh
11. Server -> Client: EAP Success

802.1x and Port Security
[Figure: port security and identity. A = Attacker and B = Legitimate User are attached through a hub to one switch port. Cisco Secure ACS/RADIUS: "I do not know A, I do know B." The port stays unauthorized for A.]

802.1x and VLAN Assignment
[Figure: identity with VLAN assignment. A = Attacker, B = Legitimate User. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." The port stays unauthorized for A.]

802.1x and the Guest VLAN
[Figure: identity with guest VLAN. A = Attacker, B = Legitimate User. Cisco Secure ACS/RADIUS: "I do not know A, I do know B, and B gets VLAN 10." A is not IEEE 802.1x-compliant (no supplicant), so its port is put into the guest VLAN, which reaches a remediation server.]

802.1x and the Restricted VLAN
[Figure: identity with protected VLAN. A = Attacker, B = Legitimate User. Cisco Secure ACS/RADIUS: "I do not know A, I do know B, and B gets VLAN 10." A is IEEE 802.1x-compliant but fails authentication, so its port is put into the protected (restricted) VLAN, which reaches a remediation server.]
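The four scenarios on the preceding slides (port security, VLAN assignment, guest VLAN, restricted VLAN) together with the controlled/uncontrolled port rule from the 802.1x Operation slide, as an added Python model of the authenticator's per-port decision; this is a constructed illustration, not Cisco code. The RADIUS attribute names and numbers are the RFC 2868 tunnel attributes switches use for dynamic VLAN assignment; the VLAN IDs and protocol names are sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Traffic the uncontrolled port passes before authorization (the slides name EAPOL and CDP).
UNCONTROLLED_PORT_PROTOCOLS = {"EAPOL", "CDP"}
# RFC 2868 tunnel attributes a RADIUS server returns for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass
class Dot1xPort:
    """Authenticator-side state of one switch port (constructed model, not Cisco code)."""
    access_vlan: int                      # the port's statically configured access VLAN
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <vlan-id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <vlan-id>
    authorized: bool = False
    vlan: Optional[int] = None

    def forwards(self, protocol: str) -> bool:
        """Controlled port opens only once authorized; the uncontrolled port carries EAPOL/CDP only."""
        return self.authorized or protocol in UNCONTROLLED_PORT_PROTOCOLS

    def on_eap_success(self, radius_attrs: dict) -> None:
        """Server confirmed identity: authorize, in the RADIUS-assigned VLAN when all three attributes agree."""
        assigned = radius_attrs.get("Tunnel-Private-Group-ID")  # VLAN ID as a string, as on the wire
        if (assigned is not None and radius_attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                and radius_attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802):
            self.vlan = int(assigned)
        else:
            self.vlan = self.access_vlan  # incomplete attributes: fall back to the static VLAN
        self.authorized = True

    def on_eap_failure(self) -> None:
        """802.1x-capable client failed authentication: restricted VLAN if configured, else stay unauthorized."""
        self.authorized = self.auth_fail_vlan is not None
        self.vlan = self.auth_fail_vlan

    def on_no_supplicant(self) -> None:
        """No EAPOL reply to repeated Request/Identity: guest VLAN if configured, else stay unauthorized."""
        self.authorized = self.guest_vlan is not None
        self.vlan = self.guest_vlan

    def on_eapol_logoff(self) -> None:
        """EAPOL-Logoff returns the port to the unauthorized state."""
        self.authorized, self.vlan = False, None
```

Note that the guest and restricted VLANs are deliberately reachable only to a remediation server in the slides; a port that lands there is authorized in the switch's sense but not on the production VLAN.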

Configuring 802.1x in Cisco IOS
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure the interface and enable 802.1x.
6. Verify 802.1x operation.

Enable AAA
- switch(config)# aaa new-model
  Enable AAA.
- switch(config)# aaa authentication dot1x [ | default] group radius
  Create an IEEE 802.1X authentication method list.
- switch(config)# aaa authorization network {default} group radius
  (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.

Configure RADIUS Communications
- switch(config)# radius-server key [string]
  Specify the authentication and encryption key.
- switch(config)# radius-server host [host name | IP address]
  Specify the IP address of the RADIUS server.
- switch(config)# radius-server vsa send [accounting | authentication]
  (Optional) Enable the switch to recognize and use VSAs.

Enable 802.1x Globally
- switch(config)# dot1x system-auth-control
  Enable IEEE 802.1x authentication globally on the switch.
- switch(config)# dot1x guest-vlan supplicant
  (Optional) Enable the optional guest VLAN behavior globally on the switch.

Configure Interface and Enable 802.1x
- switch(config-if)# switchport mode access (or no switchport)
  Configure the port as an access port.
- switch(config-if)# dot1x port-control [force-authorized | force-unauthorized | auto]
  Enable IEEE 802.1x authentication on the port.
- switch(config-if)# dot1x host-mode multi-host
  (Optional) Allow multiple clients on an IEEE 802.1x-authorized port.

Configuring Guest and Restricted VLANs
- switch(config-if)# dot1x guest-vlan vlan-id
  (Optional) Specify an active VLAN as an IEEE 802.1x guest VLAN.
- switch(config-if)# dot1x auth-fail vlan vlan-id
  (Optional) Specify an active VLAN as an IEEE 802.1x restricted VLAN.

Verify 802.1x Operation
- switch# show dot1x
  View the operational status of IEEE 802.1x.
- switch# show dot1x [all | interface]
  View the IEEE 802.1x status for all ports or a specific port.

Verify 802.1x Operation (Cont.)
- switch# show dot1x statistics interface [interface]
  View IEEE 802.1x statistics for a specific port.
- switch# show aaa servers
  View the status and operational information for all configured AAA servers.
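The six configuration steps above assembled into one working switch configuration, as an added example constructed for this page rather than taken from the deck. The interface name, the guest VLAN 20, the restricted VLAN 30, the RADIUS address 192.0.2.10 and the key value are placeholders; the assigned VLAN 10 for a known user is returned by Cisco Secure ACS via RADIUS, as on the VLAN assignment slide, and is not configured on the port.

```cisco
! Global configuration (switch(config)#)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10
radius-server key RADIUS-SHARED-SECRET-PLACEHOLDER
radius-server vsa send authentication
dot1x system-auth-control
!
! Interface configuration (switch(config-if)#) for one user-facing access port
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 20
 dot1x auth-fail vlan 30
!
! Verification from privileged EXEC (switch#)
! show dot1x all
! show dot1x interface FastEthernet0/1
! show dot1x statistics interface FastEthernet0/1
! show aaa servers
```

Order matters: aaa new-model must precede the other AAA commands, dot1x system-auth-control must be on before dot1x port-control auto takes effect, and VLANs 20 and 30 must already exist on the switch. The optional dot1x host-mode multi-host is left at its default here because, as the port security slide's hub scenario shows, one authorized user on a shared segment should not open the port for every device behind it.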

Summary
- Cisco IBNS combines several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.
- 802.1x is a standardized framework defined by the IEEE, designed to provide port-based network access.
- 802.1x roles include the supplicant, authenticator, and authentication server.
- 802.1x uses EAP and RADIUS for authentication.
- Various types of EAP methods are available for use with 802.1x.

Summary (Cont.)
- 802.1x works with port security.
- 802.1x works with VLAN assignment.
- 802.1x works with guest VLANs.
- 802.1x works with restricted VLANs.
- Various commands are used to configure and verify operation of 802.1x on a Cisco Catalyst switch.
