Implementing Network-Edge Security with 802.1x

Presentation transcript:

Implementing Network-Edge Security with 802.1x
Enhancements to all areas of Organizational Security
Michael Votaw, RCC-E Network Monitoring Team Lead
Michael.s.votaw.ctr@mail.mil

Overview
  Network based Authentication
  IEEE 802.1X Authentication
  RFC 3580 and Enhancements
  Network Access Control
  Security Tools Enhancements

Network Based Authentication
  What are we really talking about?
  Types of authentication
    MAC Authentication (MAB)
    IEEE 802.1X
  Who, Where, When? – What is the value
    History and forensics
  Authentication sources – RADIUS
    Microsoft 2003 IAS / Microsoft 2008 NPS
    FreeRADIUS
    Steel-Belted RADIUS
    Many, many others
  The benefits of automation with this new information

IEEE 802.1X Authentication
  History
    Authored by members from Microsoft, Cisco, Enterasys, HP
    Ratified in late 2001
  What need did it fill? How is it used?
    Centralized command and control
    Port control without the tedious work
    DHCP phobias
  Who supports it?
    Switch vendors – Extreme/Enterasys, Cisco, Brocade/Foundry, HP, many others
    Operating systems – Microsoft XP, Vista, 7 & 8, Mac OS X, Linux, others
    Devices – IP phones from Avaya, Siemens, Cisco, and many more
    Devices – print servers from HP, Lexmark, Xerox
  How does it work?

802.1X Basic Components
  User / Supplicant – valid user (AD/RADIUS), printer, phone, certificate-based
    Microsoft XP, Vista, 7 & 8; Mac OS X; Linux; Open1X; printers; phones
  Network Device (authenticator)
    Enterasys, Cisco, Foundry, Extreme, HP, many others
  Authentication Server (RADIUS)
    Windows AD, FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS

802.1X Basic Flow
  Supplicant to switch: Username/Password
  Switch to RADIUS server – RADIUS attributes sent:
    User-Name
    NAS-IP-Address
    NAS-Port
    NAS-Port-Type
  RADIUS server to switch – RADIUS attributes returned:
    Filter-Id
    Tunnel-Private-Group-ID

Basic 802.1X Port Control (diagram: port state before authentication and after authentication)

802.1X Message Exchange
  All messages on the client side are ethertype 888E (EAPOL/PAE)
  All messages between switch and server are RADIUS packets
  Most switch vendors enhance this with multi-method and multi-user authentication

802.1X Continued
  Support for periodic re-auth and manual re-auth
  EAP types – industry standard
    MD5 – basic
    PEAP – Microsoft & Cisco Protected EAP, now dominant in the industry
    EAP-TLS (Transport Layer Security) – requires a digital certificate on each supplicant (see RFC 2716)
  EAP types – proprietary
    EAP-TTLS (Tunneled TLS Authentication Protocol) – Juniper Software; TTLS does not require a digital certificate (see Internet Draft)
    LEAP – Cisco Lightweight EAP (proprietary); Cisco moving to PEAP
  802.1X on wireless
    Encryption, rotating keys, integration of users and enterprise authentication
  The future – 802.1AE
    Key exchange and encryption between clients, switches, and routers

Enhancing 802.1X
  Dynamic VLAN support (RFC 3580)
    Dynamically assign a user, phone, or device to a VLAN based on the RADIUS response
    Can allow for user mobility throughout the enterprise
  Dynamic ACL support
    Restrict unauthorized protocols
    Enhance others with QoS (phone, critical applications)
  Multi-User
    Most enterprise-class switches today support multiple users authenticating per port
  Multi-Method
    Many vendors support MAC+802.1X to help with supplicant support
  PAE MIB
    SNMP access, control, and statistics over the 802.1X experience
  Guest Access
    Many vendors support an auth-fail VLAN, or provide alternate access support
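The RADIUS half of the basic flow above, and the RFC 3580 dynamic VLAN assignment this slide describes, as an added example that is not part of the presentation: the switch must check the Response Authenticator on the Access-Accept (so only a server holding the shared secret can push a VLAN or ACL) before honouring the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID and Filter-Id attributes. The secret, Request Authenticator, VLAN and ACL name are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the presentation)
SECRET = b"example-shared-secret"          # shared secret between switch and RADIUS
REQUEST_AUTH = bytes(range(16))            # Request Authenticator from the Access-Request

# RADIUS attribute types used by RFC 3580 for VLAN assignment, plus Filter-Id
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def build_access_accept(ident, attrs, secret, request_auth):
    """Build an Access-Accept (code 2) with a valid Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    # RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def untag(v):
    # RFC 2868: a first octet in 0x00-0x1F is a tag, not part of the value
    return v[1:] if v and v[0] <= 0x1F else v

def parse_accept(pkt, secret, request_auth):
    """Verify the Response Authenticator, then extract VLAN and Filter-Id.
    Returns None when the packet was not produced with the shared secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or len(pkt) < length:
        return None
    body = pkt[20:length]
    if hashlib.md5(pkt[:4] + request_auth + body + secret).digest() != pkt[4:20]:
        return None                       # forged or tampered reply: apply nothing
    attrs, i = {}, 0
    while i + 2 <= len(body):             # walk the TLV attribute list
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return None
        attrs[t] = body[i + 2:i + l]
        i += l
    result = {"code": code, "id": ident, "vlan": None,
              "filter_id": attrs[FILTER_ID].decode() if FILTER_ID in attrs else None}
    ttype = int.from_bytes(untag(attrs.get(TUNNEL_TYPE, b"\x00")), "big")
    tmed = int.from_bytes(untag(attrs.get(TUNNEL_MEDIUM, b"\x00")), "big")
    if ttype == TUNNEL_TYPE_VLAN and tmed == TUNNEL_MEDIUM_802 and TUNNEL_PRIV_GROUP in attrs:
        result["vlan"] = untag(attrs[TUNNEL_PRIV_GROUP]).decode()
    return result

def sample_exchange():
    """Server builds an Accept placing the user in VLAN 20 with ACL 'staff-acl'; switch parses it."""
    pkt = build_access_accept(7, [(FILTER_ID, b"staff-acl"), (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                                  (TUNNEL_MEDIUM, b"\x00\x00\x00\x06"), (TUNNEL_PRIV_GROUP, b"\x0020")],
                              SECRET, REQUEST_AUTH)
    return pkt, parse_accept(pkt, SECRET, REQUEST_AUTH)
```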

Basic Steps for Implementation in a Lab
  Set up NPS on Microsoft AD
    Simple configuration, no certificates
  Enable 802.1X on your network device
    Set up your RADIUS server
    Turn on 802.1X with "dot1x" commands
  Set up Windows 7
    Go with Protected EAP
    Don't validate server certs
    Deselect "Automatically use my Windows logon name"
  Once tested, move to a more secure model using host and server certificates (strong, mutual authentication)
  A phased approach can be used, enabling only some users and network devices
  Group policy can be employed for configuration of end systems

Basic NPS Setup

Configuration of RADIUS Clients

NPS Can Permit/Deny Based on Groups

EAP Methods Configured

Adding RADIUS Attributes

Basic Switch Config (Cisco)

  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  ip radius source-interface Vlan99
  radius-server attribute nas-port format c
  radius-server host 192.168.99.4 auth-port 1812 acct-port 1813 key #$TR3g42f34yytV3r4f
  radius-server vsa send accounting
  radius-server vsa send authentication
  !
  interface FastEthernet0/17
   switchport mode access
   authentication port-control auto
   authentication periodic
   dot1x pae authenticator
   dot1x timeout tx-period 3
   spanning-tree portfast

Basic Switch Configuration (Brocade/Foundry)

  dot1x-enable
   re-authentication
   timeout quiet-period 30
   timeout re-authperiod 2000
   timeout tx-period 3
   auth-fail-vlanid 10
   enable ethe 1 to 16
  !
  aaa authentication dot1x default radius
  hostname fesx448
  radius-server host 192.168.5.6 auth-port 1812 acct-port 1813 default key 1 $fl%}lq9}%0qPf:}%fBPfl dot1x
  !
  interface ethernet 1
   dot1x port-control auto
   dot1x disable-filter-strict-security
   port-name rm101-sw1-e1

MAC Authentication
  Authenticates a device using the source MAC address of received packets
  Overview of the authentication process
    The authenticator (switch) sends the following as credentials for authentication:
      Username: source MAC of the end system (format XX-XX-XX-XX-XX-XX)
      Password: locally configured password on the switch
    Username and password are sent to the backend RADIUS server for authentication
    If the credentials are valid, a RADIUS Access-Accept message (possibly with Filter-Id or Tunnel attributes) is returned to the switch
  MAC authentication enables switches to authenticate end systems that do not support an 802.1X supplicant or web browser (e.g. printers) to the network
  No special software is required for an end system to MAC authenticate
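The server side of the MAC authentication exchange just described, as an added example that is not part of the presentation: the RADIUS server recovers the switch's locally configured MAB password from the User-Password attribute (RFC 2865 section 5.2 hiding), normalises the MAC-formatted User-Name (switch vendors send several forms), and only then consults a device inventory to decide on Access-Accept plus reply attributes. The secret, MAB password and inventory entry are constructed sample values.

```python
import hashlib
import re

# Constructed sample values (not from the presentation)
SECRET = b"example-shared-secret"     # shared secret between switch and RADIUS
MAB_PASSWORD = b"mab-switch-password" # password the switch sends for every MAB request
AUTHORIZED_DEVICES = {                # device inventory: MAC -> reply attributes
    "00-11-22-33-44-55": {"Tunnel-Private-Group-ID": "30"},  # a printer, VLAN 30
}

def normalize_mac(user_name):
    """Accept XX-XX-XX-XX-XX-XX, xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx or bare hex;
    return the XX-XX-XX-XX-XX-XX form, or None if this is not a MAC address."""
    digits = re.sub(r"[-:.]", "", user_name.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 s.5.2: pad to 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decrypt_user_password(cipher, secret, request_auth):
    """Reverse of encrypt_user_password: the mask for block n is keyed by ciphertext block n-1."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def authorize_mab(user_name, user_password_attr, request_auth, secret=SECRET):
    """Decide on a MAB Access-Request: ('Access-Accept', attrs) or ('Access-Reject', reason)."""
    mac = normalize_mac(user_name)
    if mac is None:
        return ("Access-Reject", "User-Name is not a MAC address")
    if decrypt_user_password(user_password_attr, secret, request_auth) != MAB_PASSWORD:
        return ("Access-Reject", "MAB password mismatch (wrong switch password or shared secret)")
    attrs = AUTHORIZED_DEVICES.get(mac)   # MAB trusts the MAC alone, so keep this list tight
    if attrs is None:
        return ("Access-Reject", f"{mac} not in device inventory")
    return ("Access-Accept", dict(attrs))
```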

Client Configuration

Network Access Control – The Next Step
  NAC and 802.1X are not the same
  The 5 functions of NAC
    Detection
    Authentication
    Authorization
    Assessment
    Remediation
  802.1X provides a foundation by filling the first three phases of NAC
  Using RFC 3580, control can be exercised over the VLAN or ACL
  Log data can be sent to log servers for historical and forensic information

Network Access Control – The Next Step
  Information now available to NAC solutions:
    MAC address of the client
    The username
    Exact port where the request came from
    The IP of the switch
    The method of authentication (MAC, 802.1X)
    The IP address (through DHCP snooping)
    The time of login
    The time of logout
    Any VLAN or ACL that was applied

NAC Dashboard – End Systems View © 2013 Enterasys Networks, Inc. All rights reserved Enterasys Confidential

How Network Authentication Enhances Security Tools
  Integrate network authentication user tracking with Security Information Management capabilities.
  Result: track down systems that cause security breaches with new levels of speed and accuracy.

IEEE 802.1X Conclusion
  The primary reason for using 802.1X authentication in your network is security, protecting against:
    Unauthorized access to a network
    Denial of Service (DoS) attacks
    Theft of services
  Support:
    Almost all enterprise-class switches support 802.1X authentication
    More and more operating systems and network-attached devices

Reference Information
  IEEE 802.1X – Port Based Network Access Control: http://www.ieee802.org/1/pages/802.1x.html
  IEEE 802.1X – Overview: http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF
  RFC 3580 Information: http://www.ietf.org/rfc/rfc3580.txt
  Using 802.1X Port Auth To Control Who Can Connect To Your Network: http://www.itdojo.com/synner/pdf/synner2.pdf
  802.1X Port-Based Authentication HOWTO. Setting up XSupplicant: http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html
  Configuring IEEE 802.1X for Mac OS X: http://docs.info.apple.com/article.html?path=Mac/10.5/en/8640.html