fbpx

Chapter 1: Identity Management/Secure Access

Chapter 1: Identity Management/Secure Access

AAA Concepts

In the previous section, different techniques are explained to stop an attacker from getting unauthorized access to network infrastructure. Those users who are required to access networking devices for maintenance or for configuration also needs to have authorization as well as a proper audit trail so that the culprit will be identified at the hour of need.  AAA is all about implementing the above-mentioned goals with some centralization command can control. For example, an organization has 100 devices located at different locations geographically. One method is to access these devices one by one and to add a local database containing usernames and passwords of all authorized persons. The second solution is to have a centralized server containing the database with each device pointing to server for taking decision.

AAA Components

AAA is a modular framework and it tries to cater all kinds of traffic over the network either as a network administrator trying to access a networking device or as an end user trying to send data traffic out of local LAN.

The three main components of AAA are:

Authentication: Authentication is the process of proving identity to the system. It is used in every system not just in computer networking. In a banking system, we need to prove the identity by entering the password before making a transaction. Similarly, if a network administrator needs to access a router or a switch and make some changes, some kind of authentication must be defined on the device. The first but least usable practical solution would be to define the usernames and passwords database inside the device. The second option would be the use of some centralized server like Cisco ACS or ISE. In Cisco devices, we can use the combination of both options by defining a method list that states the list of preferred methods for authentication. If one option is not available, then the second option will be used and so on. Examples of these methods are explained in Lab Section of AAA.

Authorization: After authentication of user succeeds, the next problem to deal with is the level of clearance that a user needs to perform his legal actions. Another example in a banking system would perfectly illustrate this. After entering the correct password, we get authorization to withdraw the maximum cash possible depending on the balance available in our bank account. Similarly, there are similar scenarios in computer networking where we need to restrict the access to the user. For example, an end user may need network resources for eight hours a day. Similarly, a network administrator may need commands associated with privilege level 4. Custom lists as well as default method lists are used to define the authorization in Cisco devices.

Accounting: The third element of AAA is accounting or auditing. Whenever a user gets authenticated and authorized to a specific set of commands in Cisco devices, the set of commands he used must be recorded while accessing the specific device during a specific time. Like authentication and authorization, we also use either default or custom method list to define what should be accounted for and where to send this information.

Device Administration

Device administration is a process of AAA for controlling the access to a network device via telnet session, SSH session, console. Imagine a scenario in which your company has an Active Directory for Secure Network Access, and you have privilege 15 (Full Access). In this case, you can do anything you want with the network device. If you have limited access, you are restricted for some particular commands

Network Access

Secure network access is necessary in order to identify the user or endpoint before permitting it to communicate or access the network. Secure Network Access is the main topic covered in this course. AAA has an important role in Network Access authentication and authorization. Nowadays, organizations require remote user, Sites, BYOD and many more. To filter legitimate user AAA Network access authentication is required. AAA authenticates these devices and control what these users are authorized for.

Options for implementing AAA

Cisco provides a number of ways to implement AAA. Over the years, many names have been used for appliance which implements centralized list of usernames and passwords for access. Two examples are ACS server and Radius Server. Today, two kinds of such proprietary servers exist, namely ACS server and ISE. Few open source implementations like Free Radius implemented in Linux is also very popular in ISP environment.

The following are different options of centralized servers:

Cisco Secure ACS solution Engine: In the past, Cisco sold this solution as hardware appliance with Cisco Access Solution (ACS) server preinstalled. However, it can also be installed on virtualized environment like VMWare in production environment. Any network device that wishes to implement AAA becomes the client of this server, which contains usernames passwords, and associated level of authorization with each username. Two protocols are commonly used in communication between client and ACS server namely TACACS+ and RADIUS. Generally, TACACS+ is used for communication between client device and server for giving access to network administrator. Similarly, RADIUS is normally preferred as protocol between device and ACS server for allowing access to end-users of network. However, it is not a hard and fast rule; we can use any of both of them at the same time.

It may be time-consuming to enter every single username, password, and associated level of authorization in ACS, as majority of organizations that can afford ACS have a very large number of employees. ACS has a nice feature of integration with already running databases containing every single username and passwords. An example of this would be integrating AAA with Microsoft Active Directory.

ACS comes in different forms. It can be installed in older versions of ACS already running Windows- based server. Another option is to purchase hardware appliance from Cisco with preinstalled ACS. The third and most convenient option is to install ACS in VMWare on ESXi server. The basic functionality and purpose of ACS remains the same regardless of which method of deployment is used.

ACS in a nutshell:

In order to explain the full process of ACS giving access to a user over the network, consider the scenario on the next page.

Figure 1-1. ACS in working environment.

Consider an end user coming to an office and tries to login in the workstation. Or a network administrator who tries to login to a switch or a router or even a firewall. Assume the router is configured with using ACS as primary tool for AAA and it is also integrated with Microsoft Active Directory (AD) and LDAP servers. So, the request will first come to a router, which in turn prompts a username and password request in front of user. Upon submission, the router will send the requested query to the ACS server, which in turn contact the LDAP or AD for authenticity of provided username and password. Upon green signal from LDAP or AD, ACS can verify the authorization level of that user and gives the green signal to originating network device to allow the specific user for authorized access.

Identity Service Unit (ISE): ISE is used for secure access management like ACS. It is a single policy control point for an entire enterprise including wired and wireless technologies. Before giving access to endpoints or even networking devices itself, ISE checks their identity, location, time, type of device and even health of endpoints to make sure that they comply with company’s policy like antivirus, latest service pack and OS updates etc. Most of the time people prefer ACS to ISE, although ISE can implement AAA but it is not a complete replacement of ACS.

Protocol Selection between ACS and Client: In general, TACACS+ is preferred over RADIUS when you need to give access to the network administrator, say, CLI access of some router as well as do some authorization of a specific group of commands, and ensure audit trail. This is due to its granular control in authorizing which commands should be allowed.

When configuring for end-clients to enable them to send their traffic over the network, RADIUS is always preferred over TACACS+. It is not compulsory to follow this convention. TACACS+ and RADIUS can also be used simultaneously between ACS server and its client devices.

This table summarizes and compares the unique features of RADIUS and TACACS+.

TACACS+ RADIUS
TCP port 49. UDP ports.

1812/1645 for authentication

1813/1646 for accounting.

Encrypts full payload Encrypts only passwords.
Cisco proprietary Open Standard.
Use for Device Administration Use for Network Access
Separate Authentication and Authorization Combine Authentication and Authorization

Table 1. Comparison between RADIUS and TACACS+

TACACS+

TACACS is a set of protocol created and intended for controlling access to Unix terminals. Cisco created a new protocol called TACACS+, which was released as an open standard in the early 1990s. TACACS+ may be derived from TACACS, but it is a completely separate and non-backward-compatible protocol designed for AAA. Although TACACS+ is mainly used for device administration AAA, you can use it for some types of network access AAA.

TACACS+ Authentication Messages

Action of Determination of a user is called Authentication. It may be by using Username and Password combination or like modern authentication requirement such as a one-time password or a challenge. When using TACACS+ for authentication, only three types of packets are exchanged between the client (the network device) and the server:

 Authentication START-This packet is used to begin the authentication request between the AAA client and the AAA server.

 Authentication REPLY-Messages sent from the AAA server to the AAA client.

 Authentication CONTINUE-Messages from the AAA client used to respond to the AAA server requests for username and password.

 Authorization REQUEST-Fixed set of fields describing the authenticity of the user, and a variable set of arguments that describes the services and options for which authorization is requested.).

 Authorization RESPONSE-It contains a variable set of response arguments.

 Accounting REQUEST-It conveys information used to provide accounting for a service provided to a user.).

 Accounting REPLY-It is used to indicate that the accounting function on the server has completed and securely.

Figure 1-2. TACACS+ Packets

RADIUS

RADIUS is an IETF standard for AAA. As with TACACS+, RADIUS follows a client/server model in which the client initiates the requests to the server. RADIUS is the protocol of choice for network access AAA, and it’s time to get very familiar with RADIUS. If you connect to a secure wireless network regularly, RADIUS is most likely being used between the wireless device and the AAA server. Why? Because RADIUS is the transport protocol for EAP, along with many other authentication protocols.

Originally, RADIUS was used to extend the authentications from the Layer-2 Point-to-Point Protocol (PPP) used between the end user and the Network Access …

Figure 1-3. RADIUS Packets

TACACS+ vs RADIUS: Two protocols used in ACS as a language of communication between a networking device and ACS server are RADIUS and TACACS+. TACACS+ stands for Terminal Access Control Access Control Server and it is Cisco proprietary. Anytime TACACS+ is used for communication between device and server, it will encrypt the full payload of packet before sending it over the network.

Another possible protocol to be used is RADIUS which is an acronym for Remote Authentication Dial-in User Service. RADIUS is an open standard meaning that all vendors can use it in their AAA implementation. One main difference between RADIUS and TACACS+ is that RADIUS only encrypts password and sends other RADIUS packets as clear text over the network.

UDP and TCP

RADIUS uses UDP as a transport protocol while TACACS+ uses TCP. There are several advantages of TCP over UDP. As the characteristic of TCP and UDP, TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional variables such as re-transmit attempts and time-outs to compensate for best-effort transport. But it lacks the level of built-in support that a TCP transport offers:

  • TCP provides separate acknowledgment within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  • TCP provides immediate indication of a crashed, or not running, server by a reset (RST).
  • Using TCP keepalives, server crashes can be detected out-of-band with actual requests.
  • Connections to multiple servers can be maintained simultaneously,
  • TCP is more scalable and adapts to growing, as well as congested, networks.

Packet Encryption

RADIUS Protocol encrypts the password of the access-request packet only from Client to server. The remaining packet is unencrypted. Hence, other information can be captured by a third party.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.

Authentication and Authorization

RADIUS combines authentication and authorization processes. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Multiprotocol Support

RADIUS does not support these protocols:

  • AppleTalk Remote Access (ARA) protocol
  • NetBIOS Frame Protocol Control protocol
  • Novell Asynchronous Services Interface (NASI)
  • X.25 PAD connection

TACACS+ offers multiprotocol support.

Router Management

RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.

TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.

Interoperability

Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.

Active Directory (AD)

In a network, keeping track of everything is a very difficult, and time consuming task. If the network is wide enough, it becomes impossible to manage and find resources on a network. Microsoft Windows 2000 server launches Active Directory (AD) to replace Domain functionality. Active Directory is like a phonebook. As a phonebook stores information like Name, Contact No, Business, similarly, Active Directory stores the information about organization, sites, system, user, share and much more. It is much more flexible as well. Active Directory is the more efficient way to perform these tasks. Another advantage of Active Directory is it can be replicated between multiple domain controllers.

Components of Active Directory:

  • Name space or Console tree:

Active Directory as define stores information about multiple users and allow the clients to find objects within namespace or console tree. Namespace or Console tree is like DNS, resolving hostname to IP address, similarly, namespace resolve Network object to object themselves.

  • Object:

Object may be a User, Resource, or System that can be tracked within Active Directory. These Objects can share common attributes.

  • Attributes:

In an Active Directory, Attributes describe objects like username, full name, description, hostname, IP address and location etc. It may depend upon the type of object.

  • Schema:

The Schema is the set of attributes for any particular object type. It differentiates object classes from each other.

  • Name:

Each object has a name. These are LDAP distinguished names. LDAP distinguished names allow any object within a directory to be identified uniquely regardless of its type.

  • Site:

Sites correspond to logical IP subnets, and as such, they can be used by applications to locate the closest server on a network. Using site information from Active Directory can profoundly reduce the traffic on wide area networks.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol LDAP is an open standard, application protocol. LDAP is for accessing and maintaining distributed directory information services. A directory service plays an important role by allowing the sharing of information like user, system, network, service etc. throughout the network. LDAP provide a central place to store usernames and passwords. Applications and Services connect to the LDAP server to validate users.

Identity Management

Identity Stores:

An Identity Store is a store or database that is used to authenticate users or endpoints. This Identity Store may reside in AAA Server (Internal Identity store) or additional external database (External Identity Store) can also connect. These Identity Stores can also be used for attributes required for authorizing policies.

  • Internal Identity Store

Internal identity store or local database that can be used for internal username and password accounts like Cisco ISE has an internal user database. User accounts stored in the internal user database are referred to as internal users in this Internal Identity store. The internal user database can be used as an internal identity store for local authentication and authorization policies.

  • External Identity Store

External Identity stores are the external databases which are used for authentication for internal and external users. Some external identity stores are LDAP, Active Directory, RSA SecureID Token Server and RADIUS Identity Server. Attributes, Configuration parameters can be defined over External Identity store user records.

Other Identity stores Options:

One-Time passwords:

OTP stands for One-Time Password. OTP are valid for single use for login or sign up or transaction etc. from a device. Due to its one-time validity, it is more secure than ordinary password- based authentication such as they are not vulnerable to replay attacks as well as OTP also ensure sessions are not intercepted or impersonated. These one-time passwords are made difficult to memorize or decode to make them stronger. One-Time password depends upon the algorithm of pseudo randomness and hash functions. They are very hard to reverse hence difficult for attackers to get data used for hashing. Generation of One-Time password may use any of these approaches:

  • Time-Synchronization (Valid for short interval)
  • Algorithm to generate new password based on previous password (Predefined Order)
  • Algorithm to generate new password based on a challenge. (Random number)

To send user a new OTP, several channels can be used such as Security tokens, Software’s, Out-of-band channels etc.

Public Key Infrastructure (PKI)

Figure 1-4. PKI

Public-key cryptography is also called asymmetric-key cryptography. In Public Key Cryptography, a key pair is used to encrypt and decrypt content. Two key pairs are used in Public Key Cryptography technique named as Public Key and Private key. These Public and Private keys are related to each other so that the data encrypted with one key can only be decrypted with the other key. Public key can be distributed and private key must be kept secure and secret. Any one try to communicate with another will encrypt the content with Public key of the receiver and receiver will decrypt the content by its private key. Public Key infrastructure (PKI) depends upon software and hardware. A trusted third party called as Certificate Authority (CA) is also used integrity and the ownership of public keys. This Certificate Authority issues encrypted, signed binary certificates.

Element Description
Certification Authority Acts as the root of trust in a public key infrastructure and provides services that authenticate the identity of individuals, computers, and other entities in a network.
Registration Authority Is certified by a root CA to issue certificates for specific uses permitted by the root. In a Microsoft PKI, a registration authority (RA) is usually called a subordinate CA.
Certificate Database Saves certificate requests and issued and revoked certificates and certificate requests on the CA or RA.
Certificate Store Saves issued certificates and pending or rejected certificate requests on the local computer.
Key Archival Server Saves encrypted private keys in the certificate database for recovery after loss.

Table 2. Elements of PKI

Implement Accounting:

In an AAA model, accounting features is also very much important in security. Accounting command enables  tracking the commands, services and resources used by user while accessing the network. Accounting is the measure of resources consumed by a user during access. In accounting, it includes amount of time, amount of data user has send or received during a session. This accounting is carried in the form of logs of session statistics and usage information. This accounting data is used for authorization control, analysis of resources utilization, billing and planning as well. This accounting is also very much helpful to troubleshoot if network devices are not functioning properly. An example is when someone tries to access the network device and issued a wrong command which stops the device forwarding the packets. Accounting logs will verify the user who is responsible to issue that command. AAA Accounting is disabled by default.

AAA Accounting Types

  • Network

To enable Accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARAP protocols), use the network keyword.

  • Exec

To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.

  • Commands

To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword.

  • Connection

To create a method list that provides accounting information about all outbound connections made from the network access server, use the connection keyword.

  • Resource

To create a method, provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

Accounting Commands

Generating records when Client is authenticated and after client disconnection.

Router(config)# aaa accounting network default start-stop group radius local

Generates records when client disconnected

Router(config)# aaa accounting network default stop group radius local

Generates records for authentication and negotiation failure

Router(config)# aaa accounting send stop-record authentication failure

It enables full resources accounting

Router(config)# aaa accounting resource start-stop

Wired/Wireless 802.1x

802.1x Port-Based Authenticaiton

IEEE 802.1x is a Port-Based Authentication. This Port-Based Authentication prevents unauthorized user or client devices to access the network. Client may be Wired or Wireless. In 802.1x authentication, authentication is a Client and Server based authentication protocol, which prevents or restricts unauthorized supplicants or Clients from accessing the network via connecting to LAN through publicly accessible ports. Authentication server (RADIUS) validates each client connected to publically accessible port of Authenticator switch, also called as Network Access Switch (NAS) before permitting the access. 802.1x authentication required authentication server configured for Remote Authentication Dial-In User Service (RADIUS). It is necessary that switch can communicate Authentication server for 802.1x authentication. When Client is successfully authenticated, normal traffic can pass through the port.

Figure 1-5. 802.1x Devices role

Client:

Client, also known as Supplicant is 802.1x Port-Based Authentication. Client is the Workstation that is connected through Network Access Switch (NAS) to the LAN and request for accessing the network resources. This Workstation or Client must be using 802.1x Client software.

Authenticator:

Authenticator is basically a device that authenticates Client to restrict or permit to use network resources. Normally Network Access Switch (NAS) plays the role of Authenticator. Authenticator controls the access of Client depending upon the status of Authentication. Switches get requests from Clients, it forwards this identity information to authentication server, which validate and verify the information. This Switch encapsulate and de-capsulate the frames using Extensible Authentication Protocol (EAP) to communicate RADIUS authentication server.

Enabling Router for Dot1x Authentication

Router# configure terminal

Router(config)# aaa new-model

Router(config)# aaa authentication dot1x default group radius

Router(config)# dot1x system-auth-control

Router(config)# interface [Interface-name]

Router(config-if)# dot1x port-control auto

Router(config-if)# end

Authentication Server:

Authentication server (RADIUS) performs the real authentication of the Supplicant or Client. Authentication server check for the identity of the Client, if verifies, allow the user by acknowledging the switch that this client is authorized to access the LAN. (The only supported Authentication server is RADIUS with EAP Extensions)

Configuring RADIUS server on Router

Router# configure terminal

Router(config)# ip radius source-interface [Source-Interface]

Router(config)# radius-server host [Server-IP Address]

Router(config)# radius-server key [Server-Key]

Router(config)# end

Attribute-Value (AV) Pairs

The authenticator sent the information of 802.1x authentication to the Authentication server is represented as Attribute-Value Pairs (AV-Pairs). These Attribute Value Pairs provide information to different applications for use. Authenticator Switch configured for Accounting sends these AV pairs. Three types of RADIUS accounting packets are

START  –  Sent when new user session start

INTERIM  –  Sent During a session for Updates

STOP   –  When Session terminates

Attribute Number AV Pair Name START INTERIM STOP
Attribute [1] User-Name Always Always Always
Attribute [4] NAS-IP-Address Always Always Always
Attribute [5] NAS-Port Always Always Always
Attribute [6] Service-Type Always Always Always
Attribute [8] Framed-IP-Address Never Sometimes Sometimes
Attribute [25] Class Always Always Always
Attribute [30] Called-Station-ID Always Always Always
Attribute [31] Calling-Station-ID Always Always Always
Attribute [40] Acct-Status-Type Always Always Always
Attribute [41] Acct-Delay-Time Always Always Always
Attribute [42] Acct-Input-Octets Never Always Always
Attribute [43] Acct-Output-Octets Never Always Always
Attribute [44] Acct-Session-ID Always Always Always
Attribute [45] Acct-Authentic Always Always Always
Attribute [46] Acct-Session-Time Never Never Always
Attribute [47] Acct-Input-Packets Never Always Always
Attribute [48] Acct-Output-Packets Never Always Always
Attribute [49] Acct-Terminate-Cause Never Never Always
Attribute [61] NAS-Port-Type Always Always Always

Table 3. Accounting AV pairs

Periodic Reauthentication

Router(config)# interface [Interface-name]

Router(config-if)# dot1x reauthentication

Router(config-if)# dot1x timeout reauth-period [Period]

Router(config-if)# end

Router# show dot1x all

Router-Client Transmission Time

Router(config)# interface [Interface-name]

Router(config-if)# dot1x timeout tx-period [Period]

Router(config-if)# end

Troubleshooting Dot1x from NAD

Router# show dot1x all

Extensible authentication protocol (EAP)

EAP-MD-5 (Message Digest) Challenge is an EAP authentication. EAP-MD5 provides base-level EAP support, it is not recommended for Wi-Fi LAN implementations. It provides only one-way authentication. There is no mutual authentication of Wi-Fi client and the network. It does not provide a means to derive dynamic, per session wired equivalent privacy (WEP) keys.

EAP-TLS (Transport Layer Security) provides certificate-based and mutual authentication process between client and the network. EAP-TLS relies on certificates of client-side and server-side for authentication. It can dynamically generate user-based and session-based WEP keys to secure subsequent communications.

EAP-TTLS (Tunnelled Transport Layer Security) is an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or tunnel), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.

EAP-FAST (Flexible Authentication via Secure Tunnelling) mutual authentication is achieved by means of a PAC (Protected Access Credential) instead of using a certificate, which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically.

Extensible Authentication Protocol Method for GSM Subscriber Identity (EAP-SIM) is a mechanism for authentication and session key distribution. EAP-SIM uses the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card that is used by Global System for Mobile Communications (GSM) based digital cellular networks.

EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.

LEAP (Lightweight Extensible Authentication Protocol), is an EAP authentication type used primarily in Cisco Aironet* WLANs. It encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication. Heretofore proprietary, Cisco has licensed LEAP to a variety of other manufacturers through their Cisco Compatible Extensions program.

PEAP (Protected Extensible Authentication Protocol) provides a method to transport securely authentication data, including legacy password-based protocols, via 802.11 Wi-Fi networks. PEAP accomplishes this by using tunnelling between PEAP clients and an authentication server. Like the competing standard Tunnelled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Microsoft, Cisco and RSA Security developed PEAP.

Lab 1.1: Configuring Dot1x Port-based Authentication Using Cisco ISE

Case Study:

In a small network of an organization, Administrator is deploying 802.1x Port-based Authentication. Router is used as Network Access Device (NAD) and Dot1x Client is using Window 7 PC. Requirement of the Lab is to configure 802.1x Port-based Authentication with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) for Window7 Client. Cisco ISE Internal Datastore can be used for User registry.

Topology Diagram:

Configuring Core Router

Router(config)#hostname Core-Router

Core-Router(config)#int fastethernet 1/0

Core-Router(config-if)#ip address 192.168.0.1 255.255.255.252

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:03:10.271: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up

*Mar  1 00:03:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

Core-Router(config)#int fastethernet 0/0

Core-Router(config-if)#ip add 10.0.0.2 255.255.255.252

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:03:56.663: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:03:57.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Core-Router(config)#int fastethernet 0/1

Core-Router(config-if)#ip address 192.168.54.1 255.255.255.0

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:04:12.211: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:04:12.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Core-Router(config)#int fa 2/0

Core-Router(config-if)#ip address 200.0.0.2 255.255.255.252

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:04:32.201: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up

*Mar  1 00:04:32.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up

Core-Router(config)#router eigrp 10

Core-Router(config-router)# network 10.0.0.0 0.0.0.3

Core-Router(config-router)# network 192.168.0.0 0.0.0.3

Core-Router(config-router)# network 192.168.54.0

Core-Router(config-router)# network 200.0.0.0 0.0.0.3

Core-Router(config-router)# no auto-summary

Core-Router(config-router)#ex

Core-Router(config)#end

Configuring NAD Router

Router(config)#hostname NAD

NAD(config)#interface fastethernet 0/0

NAD(config-if)#ip add 192.168.0.2 255.255.255.252

NAD(config-if)#no shutdown

NAD(config-if)#ex

*Mar  1 00:10:27.383: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:10:28.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

NAD(config)#interface fastethernet 0/1

NAD(config-if)#ip address 172.16.0.254 255.255.0.0

NAD(config-if)#no sh

NAD(config-if)#ex

*Mar  1 00:10:57.895: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:10:58.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

NAD(config)#router eigrp 10

NAD(config-router)#network 1.1.1.1 0.0.0.0

NAD(config-router)#network 172.16.0.0 0.0.255.255

NAD(config-router)#network 192.168.0.0 0.0.0.3

NAD(config-router)#no auto-summary

NAD(config-router)#ex

NAD(config)#interface loopback 0

*Mar  1 00:11:28.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

NAD(config-if)#ip address 1.1.1.1 255.255.255.255

NAD(config-if)#ex

NAD(config)#aaa new-model

NAD(config)#aaa authentication dot1x default group radius

NAD(config)#dot1x system-auth-control

NAD(config)#ip radius source-interface loopback 0

NAD(config)#radius-server host 192.168.54.70

NAD(config)#radius-server key cisco123

NAD(config)#interface FastEthernet0/1

NAD(config-if)#dot1x ?

credentials       Credentials profile configuration

default           Configure Dot1x with default values for this port

host-mode         Set the Host mode for 802.1x on this interface

max-reauth-req    Max No.of Reauthentication Attempts

max-req           Max No.of Retries

max-start         Max No. of EAPOL-Start requests

pae               Set 802.1x interface pae type

port-control      set the port-control value

reauthentication  Enable or Disable Reauthentication for this port

timeout           Various Timeouts

NAD(config-if)#dot1x timeout reauth-period ?

<1-65535>  Enter a value between 1 and 65535

server     Obtain re-authentication timeout value from the server

NAD(config-if)#dot1x timeout reauth-period 4000

NAD(config-if)#dot1x port-control auto

NAD(config-if)#dot1x host-mode single-host

NAD(config-if)# dot1x reauthentication

NAD(config-if)# dot1x timeout tx-period 60

NAD(config-if)#dot1x pae authenticator

NAD(config-if)#ex

Configuring Cisco ISE

Go to the Management-Station and check if IP Address is properly configured. If not, Set the IP address to 10.0.0.1 /30 and gateway 10.0.0.2 as shown in the figure below

Now check the connectivity between Management-Station and ISE server by Pinging.

Now go to Internet Explorer and go to URL https://192.168.54.70

Click on Continue to this Website

Username : admin

Password : Cisco123

After Successful Login, Go to Administration > Network Resources > Network Devices to add the Device (NAD-Router), which will request to authenticate Dot1x Client as shown below.

Click on Add button to add Device

Configure NAME of the device, IP address configured as Source-Interface on NAD.

Scroll down to set Authentication settings. Set Password configured as Server key on NAD device “cisco123” and save settings.

Now go to Administrations > Identity Management > Groups > User identity Groups > Add

Create New Group For Dot1x Users.

Check if the group is successfully added

Now go to Administrations > Identity Management > Identities > add

Set Username and Password for Dot1x Port-based Authentication.

Username : ipspecialist

Password: [email protected]$$word:10

Scroll down and Select the user group to Dot1x-Group and Save Settings.

Now go to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access and Edit, Check MS-CHAP v2 and Uncheck EAP-TLS from all Locations.

Check MS-CHAPv2 and UnCheck EAP-TLS. There will be three Locations of EAP-TLS that are to be unchecked. Now save the settings

No need to change in default ISE Authentication policy. Check if Settings are same.

Dot1x Client Configuration:

Now, Go to Dot1x-Client PC and from start menu, Search for Service.msc

Go to Wired Auto Config and Start the service.

Go to Control Panel, Select the network Adapter and go to its properties.

Authentication tab should appear after running Wired Auto Config service. Go to Authentication tab and Make sure IEEE 802.1x Authentication is enabled with EAP(PEAP). Now Go to Settings for more settings

Uncheck Server certificate validation, Set Authentication method EAP-MSCHAP-v2. Click Configure button and Uncheck to Auto usage of Windows Session credentials.

Click on Additional Settings button to set Credentials

Set Authentication mode to User Authentication and Click on Save Credentials to Save Credentials. Username is configured as “ipspecialist” and password is “[email protected]$$word:10“.

Set IP address manually.

Verification:

Go to Control Panel > Network And Sharing > Change Adapter Settings

Network is identified and set as Network 3.

ISE Dashboard showing Successful Authentication count

Operation > Authentication showing Authentication session

NAD# show dot1x all

Dot1x parameters configured on interface fast Ethernet 0/1

NAD# Show radius statistics

1645 and 1646 are RADIUS port for Authentication and Accounting.

NAD# Show dot1x interface fastethernet 0/1 details

Supplicant MAC address is shown, Authentication status is authenticated, Port Status is authorized and Authentication method is Dot1x.

NAD# Show dot1x interface FastEthernet0/1 statistics

Showing packet count of dot1x for FastEthernet0/1 Authentication.

Ping from Client PC to other Destination for Testing Network Connectivity

802.1x Phasing

  • Monitor Mode:

Monitor mode is the Phase 1 of 802.1x phasing. It works likes audit. Administrator uses this mode to verify that all devices are authenticating properly by using Logging data for verification. Authentication may be 802.1x or MAC authentication bypass (MAB). Monitor mode uses RADIUS accounting packets and Open Authentication and Multi Authentication feature to provide visibility to the administrator to monitor if a device which is authenticated successfully but failed due any misconfiguration. The administrator will be informed by logging so that issue can be resolved prior to moving to next phases

Figure 1-6. Monitor Mode

  • Low Impact Mode:

In Low Impact Mode, Security is added over the framework built in Monitor mode by configuring ACL to the switch ports. These ACL restricts the port to very limited network access prior the authentication. When user or device is authenticated successfully, additional resources may have granted. In Low impact mode, host connected to the port may be allowed to use Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) and to route to the internet and blocked to use internal resources. After authentication, a downloadable ACL may allow all traffic.

Figure 1-7. Low Impact Mode

  • Closed Mode:

Closed mode is also lies in the 2nd phase. Closed mode is formerly called High Security mode. This mode is recommended mode for IT environment with experience in deployment of 802.1x. Difference between Closed mode and other modes that Interface command authentication open is not used hence any traffic before authentication will be dropped including DHCP, DNS, ARP etc.

Figure 1-8. Closed Mode

MAC Authentication Bypass

MAB is termed as MAC authentication bypass, which allow you to control devices to access the network at layer 2. MAB is the endpoint authentication process in which Network access device is configured to authenticate Endpoint devices by using Authenticator (RADIUS) server. MAB ensures network visibility till the authentication process is completed. Port status at the end of the authentication process will be Authorized or Unauthorized depending upon the Condition if MAC address is successfully authenticated or not. This visibility may be helpful for audits, forensics, troubleshooting and Network statistics. By Using MAB, customized services can be delivered dynamically to the End point MAC addresses. Authenticated MAC address can be dynamically authorized for particular VLAN; specific ACL can also be configured. All dynamic authorization method that can be used for IEEE 802.1x authentication will also work with MAB. MAB can be implemented over the 802.1x supported devices as well as over the devices which do not support 802.1x authentication, MAB can be deployed as standalone authentication. As MAB is working over MAC address, it is independent of Usernames and passwords. MAC database must be configured, maintained and up to date for MAB authentication. It is not a strong authentication process because it can be overcome by MAC address spoofing. MAC authentication bypass is to be enabled on a port, which can dynamically enabled or disabled depending upon MAC authentication.

Figure 1-9. MAB

Session Initiation:

First of all, Switch Port begins the authentication session when it detects the link turn to up state. By initiating the authentication, the Switch sends Extensible Authentication Protocol (EAP) request identity message to the device or endpoint accessing the network. In case the switch does not receive a reply from the endpoint, it will retransmit the packet till maximum number of retries and IEEE 802.1x authentication is timeout and proceed to MAB.

MAC Address learning:

During MAC authentication Bypass process, Switch opens the port to detect single Packet for learning MAC address of the Endpoint. As it learns the MAC address of the source Authentication process proceeds further. In 802.1x authentication phase, only EAP packet is allowed. Hence, the Switch was unable to learn the MAC address. Switch can use Layer 2, Layer 3 with exception of bridging frames like CDP, LLDP, STP or DTP. As soon as switch learns MAC address, it will start discarding packet again and send the access-request packet to the RADIUS server

Authentication session:

Access-Request packets are Password Authentication Protocol (PAP) by default. This request includes the Source MAC address of the Endpoint in three attributes: Attribute 1, Attribute 2 and Attribute 31, which are Username, Password and Calling Station ID respectively. MAC address is the same in all of these attributes. Authentication server (RADIUS) may use different attribute for authentication. Some Server may use Attribute 31 while other uses Attribute 1 and 2. As MAB uses PAP protocol and attribute Username and password as authentication, MAB requests are differentiated by setting attribute 6 (Service type) to attribute 10 (call-check) in a MAB access request.

RADIUS Attribute Format Example
1 (Username) 12 hexadecimal digits, all lowercase, and no punctuation aabbccdd0011
2 (Password) Same as the username but encrypted \xf2\xb8\x9c\x9c\x13\xdd#
31 (Calling-Station-Id) 6 groups of 2 hexadecimal digits, all uppercase, and separated by hyphens AA-BB-CC-DD-00-11

Table 4. MAC address format in RADIUS attributes

Single-Host Mode

If the port of Network access device is configured as single-host mode, only a single MAC or IP address can be authenticated (by any method) configured on a port. If a different or multiple MAC addresses are detected on the port after an endpoint has authenticated with MAB, then a security violation will be triggered on the port. This is the default behaviour.

Configuring Host-Mode

Router(config)# interface [Interface-name]

Router(config-if)# dot1x host-mode ?

multi-auth   Multiple Authentication Mode

multi-host   Multiple Host Mode

single-host  Single Host Mode

Router(config-if)# dot1x host-mode single-host

Router(config-if)# end

Multi-domain Authentication Host Mode

Multi-domain authentication was specifically designed to address the requirements of IP telephony or voice VLAN. When multi-domain authentication is configured, two endpoints are allowed on the port, one in the voice VLAN and one in the data VLAN. Either, both, or none of the endpoints can be authenticated with MAB. Additional MAC addresses will trigger a security violation.

Multi-Authentication Host Mode

If the port is configured for multi-authentication (multi-auth) host mode, then multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port will be separately authenticated. Any, all, or none of the endpoints can be authenticated with MAB. Multi-auth host mode can be used for bridged virtual environments or to support hubs.

Multi-host Mode

Unlike multi-auth host mode, which authenticates every MAC address, multi host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multi host mode, multi-auth host mode typically is a better choice than multi host mode.

Lab 1.2: MAC Authentication  Bypass (MAB)

Case Study:

In an organization, Administrator deploying MAC Authentication Bypass. Router is used as Network Access Device (NAD). Endpoint PCs including Switch is considered in Endpoint Devices. Requirement of the Lab is to configure MAB Authentication with. Cisco ISE Internal Datastore can be used for Endpoint registry.

Topology Diagram:

Core-Router Configuration

Router(config)#hostname Core-Router

Core-Router(config)#interface FastEthernet 0/0

Core-Router(config-if)#ip add 192.168.54.1 255.255.255.0

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:11:23.391: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:11:24.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Core-Router(config)#Interface FastEthernet 0/1

Core-Router(config-if)#ip add 10.0.0.2 255.255.255.252

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:11:48.143: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:11:49.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Core-Router(config)#Interface FastEthernet 1/0

Core-Router(config-if)#ip add 200.0.0.2 255.255.255.252

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:12:15.455: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up

*Mar  1 00:12:16.455: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

Core-Router(config)#Interface FastEthernet 2/0

Core-Router(config-if)#ip add 192.168.10.3 255.255.255.0

Core-Router(config-if)#no sh

Core-Router(config-if)#ex

*Mar  1 00:12:43.687: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up

*Mar  1 00:12:44.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up

*Mar  1 00:12:52.451: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet2/0 (not half duplex), with Switch Ethernet0/0 (half duplex).

Core-Router(config)#no cdp run

*Mar  1 00:13:35.487: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up

*Mar  1 00:13:36.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up

Core-Router(config)#router ospf 10

Core-Router(config-router)#network 192.168.54.0 0.0.0.255 area 0

Core-Router(config-router)#network 10.0.0.0 0.0.0.3 area 0

Core-Router(config-router)#network 200.0.0.0 0.0.0.3 area 0

Core-Router(config-router)#network 192.168.10.0 0.0.0.255 area 0

Core-Router(config-router)#ex

Core-Router(config)#

*Mar  1 00:14:39.039: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.10.1 on FastEthernet2/0 from LOADING to FULL, Loading Done

Employee-Router Configuration

Router(config)#hostname Employee-Router

Employee-Router(config)#interface FastEthernet 0/0

Employee-Router(config-if)#ip add 192.168.10.2 255.255.255.0

Employee-Router(config-if)#no sh

Employee-Router(config-if)#ex

Employee-Router(config)#

*Mar  1 00:12:49.559: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:12:50.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Employee-Router(config)#interface FastEthernet 0/1

Employee-Router(config-if)#ip add 192.168.20.254 255.255.255.0

Employee-Router(config-if)#no sh

Employee-Router(config-if)#ex

*Mar  1 00:13:15.127: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:13:16.127: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Employee-Router(config)#router ospf 10

Employee-Router(config-router)#network 192.168.20.0 0.0.0.255 area 0

Employee-Router(config-router)#network 192.168.10.0 0.0.0.255 area 0

Employee-Router(config-router)#ex

*Mar  1 00:13:44.191: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.10.1 on FastEthernet0/0 from LOADING to FULL, Loading Done

*Mar  1 00:13:44.195: %OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.2 on FastEthernet0/0 from LOADING to FULL, Loading Done

NAD Router Configuration:

Router(config)#hostname NAD-Router

NAD-Router(config)#interface FastEthernet 0/0

NAD-Router(config-if)#ip add 192.168.10.1 255.255.255.0

NAD-Router(config-if)#no sh

NAD-Router(config-if)#ex

*Mar  1 00:05:37.719: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:05:38.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

NAD-Router(config)#interface FastEthernet 0/1

NAD-Router(config-if)#ip add 192.168.0.254 255.255.255.0

NAD-Router(config-if)#no sh

NAD-Router(config-if)#ex

*Mar  1 00:06:05.619: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:06:06.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

NAD-Router(config)#router ospf 10

NAD-Router(config-router)#network 192.168.0.0 0.0.0.255 area 0

NAD-Router(config-router)#network 192.168.10.0 0.0.0.255 area 0

NAD-Router(config-router)#network 1.1.1.1 0.0.0.0 area 0

NAD-Router(config-router)#ex

NAD-Router(config)#interface loopback 0

*Mar  1 00:07:52.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

NAD-Router(config-if)#ip add 1.1.1.1 255.255.255.255

NAD-Router(config-if)#ex

NAD-Router(config)#

NAD-Router(config)#aaa new-model

NAD-Router(config)#aaa authentication dot1x default group radius

NAD-Router(config)#dot1x system-auth-control

NAD-Router(config)#ip radius source-interface loopback 0

NAD-Router(config)#radius-server host 192.168.54.70

NAD-Router(config)#radius-server key cisco123

NAD-Router(config)#interface Fastethernet 0/1

NAD-Router(config-if)#dot1x port-control auto

NAD-Router(config-if)#dot1x pae authenticator

NAD-Router(config-if)#dot1x reauthentication

NAD-Router(config-if)#dot1x timeout tx-period 60

NAD-Router(config-if)#dot1x timeout reauth-period 4000

NAD-Router(config-if)#ex

Switch-3 Configuration:

Switch-3(config)# interface Ethernet 0/0

Switch-3(config-if)#switchport mode access

Switch-3(config-if)# dot1x pae supplicant

Collection MAC Addresses

Go to Endpoint PC-1 and issue the command show IP

Go to Endpoint PC-2 and issue the command show IP

Go to Endpoint PC-3 and issue the command show IP

Go to Switch-3and issue the command show Interface Ethernet 0/0

Configuring Cisco ISE

Go to the Management-Station and check if IP Address is properly configured. If not, Set the IP address to 10.0.0.1 /30 and gateway 10.0.0.2 as shown in the figure below

Now check the connectivity between Management-Station and ISE server by Pinging.

Now go to Internet Explorer and go to URL https://192.168.54.70

Click on Continue to this Website

Username : admin

Password : Cisco123

After Successful Login, Go to Administration > Network Resources > Network Devices to add the Device (NAD-Router), which will request to authenticate Dot1x Client as shown below.

Click on Add button to add Device

Configure NAME of the device, IP address configured as Source-Interface on NAD.

Scroll down to set Authentication settings. Set Password configured as Server key on NAD device “cisco123” and save settings.

Go to Administration > Identity Management > Identities > Endpoint and Add MAC Addresses of All Endpoints as shown in figure below

MAC Address Configuration of Endpoint should look like this.

Go to Policy >  Authorization and Create a New Authorization policy for MAB

Check the Default Authentication Policy if it is configured the same

Verification:

Go to Cisco ISE Operation > Authentication

EndPoint ID 00:50:79:66:68:0D , 00:50:79:66:68:0C , 00:50:79:66:68:0B and AA:BB:CC:00:70:00 are authenticated with Network Device NAD-Router through interface fastethernet 0/1.

Cisco ISE Dashboard showing 4 Successful Authentications.

Ping from Endpoint-1 to Simulated Internet Address for Checking Layer3 connectivity.

NAD-Router#show dot1x interface fastEthernet 0/1 details

On Interface Fast Ethernet 0/1, configured as Authenticator, and MAC Authentication is enabled. Supplicant 0050:7966:680d which is MAC address of EndPoint-3 is authenticated, Port Status is authorized and Authentication method is MAB.

Supplicant 0050:7966:680C which is MAC address of EndPoint-2 is authenticated, Port Status is authorized and Authentication method is MAB. Similarly, Supplicant 0050:7966:680B which is MAC address of EndPoint-1  and Supplicant AABB:CC80:7000 is MAC address of Switch-3 which are authenticated, Port Status is authorized and Authentication method is MAB.

Network Authorization Enforcement

Downlaodable Access Control List (dACL)

Downloadable Access Control List dACLs are the strong tools for Network Administrators to limit the access dynamically as user access the network. By using downloadable ACL, users can be restricted according to the related policies. These Downloadable ACLs can be assigned to different groups as well as individual users. The main advantage of this downloadable ACL is that it has to be configured on authentication server only, and can be downloaded on multiple devices in a network as it provides single point of configuration. Changes and modification will also have done on a single device instead of modifying the configuration on all devices. dACL is related to the authentication process. As a User or device is authenticated, dACL related the Policy configured with that authentication information applies to the Endpoint. For Example, a User is configured over authentication server to be permitted for HTTP access only. When User establishes the connection, it will first have authenticated. As the user is authenticated, server will check for the policies attached to this authentication process. dACL will be configured for the user to permit HTTP access only. User will only access HTTP.

Configuring Downloadable ACL

  • Click Policy, and click Policy Elements.
  • Click Results.
  • Expand Authorization, and click Downloadable ACLs.
  • Click the Add button in order to create a new downloadable ACL.
  • In the Name field, enter a name for the DACL. This example uses DACL.

Figure 1-10. Configuring Downloadable ACL

Dynamic VLAN

VLAN can be assigned statically as well as dynamically. In Static VLAN assignment, Port is configured in a specific VLAN independent of MAC address or user connected through that port. In Dynamic assignment of VLAN, VLAN Membership Policy Server (VMPS) act as a Centralized server for the assignment of VLANs to the port dynamically depending on the MAC address of the Endpoint device connect through that Port. If the Endpoint switched from one port to another port of the access switch, Older port will automatically remove from configured VLAN and New port will automatically have assigned to that VLAN. VMPS use UDP port as a transport to listen VLAN Query Protocol (VQP). When VMPS server receives the request, it searches for the match in its database for the MAC address to VLAN mapping.

In case VLAN is configured on the port, VMPS sends VLAN name to the Client device, else it sends access denied response if it is not in secure mode. If server is in secure mode, it turns the port down. In access-denied response, Switch blocks the traffic coming from that port.

There are three modes of VMPS server

  1. Open Mode

If VLAN is allowed on the port, VLAN name is sent as response to the client, else access denied response is send. If VLAN does not match against the condition and fall-back VLAN is configured, fall-back VLAN name is send as response to the client. If fall-back is not configured, Access-denied response is send to the client.

  1. Secure Mode

In secure mode, Port-shutdown response is sent instead of Access-denied. For Example if VLAN in the database does not match, the port is shutdown.

  1. Multiple Mode

Multiple host (MAC addresses) can also be configured on a port, if they are all assigned to same VLAN. In this case, if link goes down, port will become unassigned and will be reassigned when link turn up.

This example shows how to define the primary and secondary VMPS servers:

 Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# vmps server 192.168.1.100 primary

Switch(config)# vmps server 192.168.1.101

Switch(config)# end

This example shows how to configure a dynamic access port and then verify the entry:

 Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fa1/1

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan dynamic

Switch(config-if)# end

Troubleshooting commands for VMPS are

Switch# show vmps

Switch# show vmps statistics

Switch# show interface [Interface] switchport

Security Group Access (SGA)

SGA stands for Security Group Access (SGA). SGA security solution in which a Cloud or group of trusted device within a network by using Device and Users identity information. Each device in a SGA group or cloud is verified and authenticated by its adjacent peers or neighbours. This authentication communication is secured, encrypted. Integrity checks and path replay protection make it more secure. SGA packets are tagged for identification and proper encryption. This SGA packet tag is called Security Group Tag (SGT).

Some of the key features of Security Group Access are as follows:

Figure 1-11. SGA

  • Network Device Admission Control (NDAC):

In a trusted Cloud of Authenticated network devices, each device of SGA is authenticated for its credentials by its peer devices. Network device admission control NDAC uses 802.1x Authentication. As Extensible Authentication protocol method, EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunnelling) is used.

  • Endpoint Admission Control (EAC):

As an authentication process for the user or endpoint to access the SGA trusted network cloud, following authentication can be used

  1. IEEE 802.1x Port-Based Authentication
  2. MAC authentication Bypass (MAB)
  3. Web Authentication (WebAuth)
  • Security Group (SG)

Creating Groups of Users, Endpoints, device and resources that will share Access Control Policies.

  • Security Group Tags (SGT)

A 16-bit Unique Security Group Number is assigned which is global in a SGA Domain. This SGT number is automatically generated.

  • Security Group Access Control List (SGACL)

Administrator can permit and deny resources, control the network access, limit and restrict the Security group by using Access control list related to the security groups.

Change of Authorization (CoA)

Change of Authorization (CoA) is a process for changing the attributes, which are related to the Authentication, Authorization and Accounting (AAA). This is the feature of RADIUS server. When an Endpoint is authenticated, after some time a user is changed or a new user connected just after previous user get disconnected. Policy change for the user or user group is called as Change of Authorization (CoA). In this CoA process, re-authentication is initialized and new policy is applied. Request of Change of Authorization (CoA) is send by External Server with Administrative access to the authenticator server, which causes dynamically reconfiguration of session, authorization and accounting. Change of Authorization request allows session identification, re-authentication of hosts and termination of sessions.

There are two possible responses of the Change of Authorization (CoA) request, which are: –

  1. CoA acknowledgment (ACK) [CoA-ACK]
  2. CoA non-acknowledgment (NAK) [CoA-NAK]

CoA acknowledgment (ACK) [CoA-ACK]

If an authorization state is changed successfully, a positive acknowledgment (ACK) is sent. The attributes returned within a CoA ACK can vary based on the CoA Request.

CoA non-acknowledgment (NAK) [CoA-NAK]

A negative acknowledgment (NAK) indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure.

Session Re-authentication:

Re-authentication of session will check for device response for the session, session identification attribute requested for. if 802.1x is authenticated currently, device will respond with Extensible Authentication Protocol over Lan (EAPol). In case of MAB authentication, device will send access request to the server. If session is under authentication, device terminates the authentication and restart authentication.

Session Termination

CoA Disconnect-Request end the session. Host port is not disabled during this termination. CoA disconnect request locate the desired session. If session is located, session is terminated and device reply with Disconnect-Ack message. If session is not located, device is returned with Disconnect-NAK message. This session termination request is session oriented hence contain session identification attributes.

CoA Request Bounce Port:

When more than one host are connected through a port, and VLAN change occur. this will affect all of the host causing DHCP renegotiation. If a device (Such as printer) which do not detect the change of authentication port is connected through that port, CoA Request Bounce port disable the port and re-enable it (Port-Bounce) and return with CoA-ACK message

Command for Configuring CoA

Switch(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as a AAA server to facilitate interaction with an external policy server.

Commands for troubleshooting CoA

Command Purpose
debug aaa coa Displays debug information for CoA processing.
debug aaa pod Displays debug messages related to packet of disconnect (POD) packets.
debug radius Displays information associated with RADIUS.
show aaa attributes protocol radius Displays the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name.

Table 5. CoA Monitoring and Troubleshooting commands

Mind Map

Central Web Authorization

Central Web Authentication is the process in which web- based authentication and the authentication server RADIUS does authorization. In Central Web Authentication, Web based authentication is redirected when a client accessing the network is failed to authenticate via 802.1x or MAC authentication bypass. Central Web Authentication offers a central web authenticating device i.e. RADIUS server which provides authentication and authorization using Web portal. When Client is failed to authenticate via Dot1x or MAB, Client is redirected to Web Portal where it can log in on the guest portal. Authorization profile configured on the Authentication server will authorize this guest login. Major advantages of Central Web Authentication are, it configures along with dot1x and MAB authentication. A Central device sends attributes for web redirection instead of Local Web authentication. In the process of Central Web Authentication, when client failed to authenticate via dot1x or MAB, and logs in via redirection to Web Portal, Change of Authorization CoA can bounce the port for new authentication so that Server will learn the user authenticated by Webauth and apply the attribute like dynamic VLAN assignment or dACL.

Creating Authorization Profile for Central Web Authorization

  • Click Policy, and click Policy Elements.
  • Click Results.
  • Expand Authorization, and click Authorization profile.
  • Click the Add button in order to create a new authorization profile for central webauth.
  • In the Name field, enter a name for the profile.
  • Choose ACCESS_ACCEPT from the Access Type drop-down list.
  • Check the Web Authentication check box, and choose Centralized from the drop-down list.
  • In the ACL field, enter the name of the ACL on the switch that defines the traffic to be redirected.
  • Choose Default from the Redirect drop-down list.
  • Check the DACL Name checkbox, and choose DACL from the drop-down list if you decide to use a DACL instead of a static port ACL on the switch.

Figure 1-12. Authorization Profile Configuration

Profiling

Profiling of Endpoint feature is very important in authentication and authorization of Network access devices. Profile function collects the data of Endpoint devices accessing the network, identifies the device connected to the network and its location. Depending upon the Endpoint profile, Authentication server permits the access of the resources. Profiling can facilitate the authentication using 802.1x Port-based Authentication, MAC Authentication Bypass (MAB) as well as Network Admission Control (NAC).

Profiling service can identify, locate, and ensure the access of all endpoints connected or connecting to the network. This profiling is regardless of endpoints device type. Profiling collects the attribute and classifies these endpoints into groups with respect to the profile configured, and stores them in database with their matched profile.

Figure 1-13 Default Profiling Policies

By the help of Network Probe, Profile service collects an attribute or number of attributes of any endpoint allowing to create update or modify the profile in the database. Some network probes are listed below

  • IP Address and MAC Address Binding
  • NetFlow Probe
  • DHCP Probe
  • DHCP SPAN Probe
  • HTTP Probe
  • HTTP SPAN Probe
  • RADIUS Probe
  • Network Scan (NMAP) Probe
  • DNS Probe
  • SNMP Query Probe
  • SNMP Trap Probe

Figure 1-14. Profiling Flow Chart

Guest Services

Guest Service feature allow the new users or end points trying to access the network. Using Guest Service, a guest account is created by the user through Guest port and then these endpoints accessing through guest portal able to access the resources as they are allowed depending on downloadable access control list dACL in the Network Access Device (NAD). Guest user or visitors are redirected to the HTTP or HTTPS guest portal to access the network.

Any user with privilege can create temporary guest user account and sponsor it. As any User can create guest user account hence Guest service authenticates the sponsor as well. Sponsors are the creator of guest user accounts. Logs and statistics are stored during the process of user account creation to the network access of guest user. These logs and reports can be used for security auditing and reporting.

When a guest user first access the network, User must be redirected to HTTP or HTTPS guest portal (using limited Access) so that it can create guest user account and get access to the network. For this purpose, Wireless LAN Controller (WLC) or Network Access Device (NAD) guest user is connected through should be enabled and support HTTP or HTTPS portal Login.

To use web-based authentication, you must enable the HTTP server within the switch. You can enable the server for either HTTP or HTTPS. To do so, use the following commands

ip http server

ip http secure-server

Configuring Sponsor Group Policy

  1. Choose Administration > Guest Management > Sponsor Group Policy.
  2. Click Actions to select either Insert New Rule Above or Insert New Rule Below.

A new policy entry appears in the position you designated in the Sponsor Group Policy window.

  1. Enter values for the following sponsor policy fields:
  • Rule Name – Enter a name for the new policy.
  • Identity Groups – Choose a name for the identity group associated with the policy. Click + (“plus” sign) to display a drop-down list of group choices, or choose any for the policy for this identity group to include all users.
  • Other Conditions – Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
  • Select Existing Condition from the Library – This lets you select a Condition Name option from the pull-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
  • Create new condition (Advanced option) – This displays a list of dictionaries that contain specific attributes related to the dictionary type.
  • Sponsor Group – Choose the sponsor group to associate with this sponsor group policy. Click + next to Sponsor Group to display a drop-down list of sponsor group choices. Select a group option.
  1. Click Save to save your changes to the Cisco ISE system database and create this new sponsor group policy.

Figure 1-15. Sponsor group Policy

The Cisco ISE Guest Services support the following scenarios:

  • Wireless LAN Controller with Local WebAuth
  • Wired NAD with Central WebAuth
  • Wired NAD with Local Web Auth

Lab 1.3: Implementing Registered and Self Registered Guest Services using Central Web Authentication over Cisco ISE

Case Study: Implementing a secure access on a network of reputed company for the registered guest users as well as new guest users visiting the company every day. In this lab Central Web Authentication is implemented using Guest Services feature of Cisco ISE.

Prerequisites:

Cisco ISE features including Profiling, Posturing, Central Web Authentication, Guest Services are supported by these devices.

  • Catalyst 2960/3560/3750 Series, 12.2(55) SE
  • Catalyst 3560/3750 Series, 15.0(2) SE
  • Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1) SG
  • Catalyst 6500 Series, 12.2(33) SXJ and others.

Due to Cisco Bug in Switches, use recommended switches for this lab. Due to hardware limitation this lab cannot be performed on our vRacks platform.

Topology Diagram:

Configuring Network Access Device

Switch(config)# hostname SW1

SW1(config)# username admin password 0 admin

SW1(config)# aaa new-model

SW1(config)# aaa authentication login default local

SW1(config)# aaa authentication dot1x default group radius

SW1(config)# aaa authorization exec default none

SW1(config)# aaa authorization network default group radius

SW1(config)# aaa server radius dynamic-author

SW1(config-locsvr-da-radius)# client 10.10.50.30 server-key cisco

SW1(config)# dot1x system-auth-control

SW1(config)# dot1x critical eapol

SW1(config)# interface Ethernet 1/0

SW1(config-if)# switchport access vlan 1

SW1(config-if)# switchport mode access

SW1(config-if)# authentication open

SW1(config-if)# authentication order mab webauth

SW1(config-if)# authentication priority mab webauth

SW1(config-if)# authentication port-control auto

SW1(config-if)# mab

SW1(config-if)# spanning-tree portfast

SW1(config)# interface vlan 1

SW1(config-if)# ip address 10.10.50.254 255.255.255.0

SW1(config-if)# no shutdown

SW1(config)# ip http server

SW1(config)# ip http secure-server

SW1(config)# ip access-list extended redirect

SW1(config-ext-nacl)# permit ip any host 172.16.3.100

SW1(config-ext-nacl)# permit tcp any any eq www

SW1(config-ext-nacl)# permit tcp any any eq 443

SW1(config-ext-nacl)# permit tcp any any eq 8443

SW1(config-ext-nacl)# deny   ip any any

SW1(config)# radius-server host 10.10.50.30 auth-port 1645 acct-port 1646 key cisco

SW1(config)# radius-server vsa send accounting

SW1(config)# radius-server vsa send authentication

Configuring Cisco ISE

Go to Cisco ISE > Administration > Network Resources > Network Devices > Add

Configure the Name of NAD device, IP address of Source Interface for Radius configured on Switch i.e. 1.1.1.1/32 and Authentication password cisco.

Go to Policy > Authentication

Select the MAB Authentication rule and edit. In the attribute Internal Endpoint, select the option if user not found to continue.

Go to Policy > Policy Element > Results > Authorization > Downloadable ACL > Add