802.1x OVERVIEW Sudhir Nath Product Manager, Trust & Identity

802.1x OVERVIEW Sudhir Nath Product Manager, Trust & Identity Internet Technologies Division

Agenda
IBNS & 802.1x
802.1x Components
802.1x Markets
802.1x Customers
802.1x Target Platforms
802.1x in Cisco IOS
Cisco IOS 802.1x Roadmap

Identity-Based Networking Services and 802.1x
802.1x is a key component of Identity-Based Networking Services (IBNS)
IBNS identifies who can access what information in the network
IBNS has predominantly been focused on switches

Cisco Embedded Security with IBNS
Campus Network: User Identity Based Network Access; User Based Policies Applied (BW, QoS etc.)
Unauthorized Users/Devices vs. Authorized Users/Devices
Equivalent to placing a security guard at each switch port
Only authorized users can get network access
Unauthorized users can be placed into "Guest" VLANs
Prevents unauthorized Access Points

Speaker notes: The first step in securing the campus network is gaining the ability to prevent all unauthorized network access. Most enterprise networks are set up as depicted on the left, where access to the network is possible as soon as physical access to a wired port is achieved. Rogue APs are easily deployed by well-intentioned users. Cisco solution: enabling port-based authentication via 802.1x, using Cisco Catalyst switching products with the Cisco Secure ACS, prevents unauthorized external access to the network, which includes preventing well-intended rogue APs. Intelligent Cisco Catalyst switching products also provide these security features at wire speed, so speed does not have to be compromised to gain security.

IBNS Benefits
Improve flexibility and mobility for users
Strengthen security for network connectivity, services, and applications
Increase user productivity and lower operating costs
Combine authentication, access control and user profiles

802.1x
Client-server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
Key technology in IBNS for authentication & access control
Standard set by the IEEE 802.1 working group
Standard link layer protocol used for transporting higher-level authentication protocols
Works between the supplicant (client) and the authenticator (network device)
Maintains backend communication to an authentication (RADIUS) server

IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.

Speaker notes: 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.

Sequence shown in the diagram (Supplicant, Switch, Authentication Server):
1. User activates the link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the authorization decision
4. Switch opens the controlled port (if authorized) for the user to access the LAN

IEEE 802.1x Components
Diagram: Supplicant PAE (Port Access Entity) <-- EAPOL --> Authenticator PAE (Switch or Router) <--> Authentication Server

Authenticator PAE - (Referred to as the "authenticator") entity at one end of a point-to-point LAN segment that enforces supplicant authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the supplicant, submits the information from the supplicant to the authentication server, and authorizes the supplicant when instructed to do so by the authentication server.
Authentication Server - Entity that provides the authentication service for the authenticator PAE. It checks the credentials of the supplicant PAE and then notifies its client, the authenticator PAE, whether the supplicant PAE is authorized to access the LAN/switch services.
Supplicant PAE - (Referred to as the "supplicant") entity that requests access to the LAN/switch services and responds to information requests from the authenticator.
EAPOL - Extensible Authentication Protocol over LAN: encapsulated EAP messages that can be handled directly by a LAN MAC service.

How Does 802.1x Work?
For each 802.1x switch port, the switch creates TWO virtual access points
Controlled port: open only when the device connected to the port has been authorized by 802.1x
Uncontrolled port: provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic ONLY

Speaker notes: For each dot1x-enabled port, the switch creates two virtual ports through which traffic flows. One port is for control traffic and the other is for data. By default, the port that carries the data is disabled. Only the port carrying the control (EAPOL) traffic is open, and it will not carry data traffic while authentication has not been completed.

What Does 802.1x Do?
Frame layout: 802.1x Header | EAP Payload
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
Authenticator (switch or router) becomes the middleman, relaying EAP received in 802.1x packets to an authentication server and using RADIUS to carry the EAP information
Three forms of EAP are specified in the standard:
EAP-MD5 – MD5 Hashed Username/Password
EAP-OTP – One-Time Passwords
EAP-TLS – Strong PKI Authenticated Transport Layer Security (SSL)
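The controlled/uncontrolled port pair, the four-step authorization flow and the 802.1x-header-plus-EAP-payload framing from the preceding slides, as an added Python model that is not part of the original presentation or of Cisco IOS. It assumes the frame layouts of IEEE 802.1X and RFC 3748; the MAC address and EAP identity are constructed sample values, and the authentication server is reduced to a single verdict call rather than a full RADIUS exchange.

```python
"""Model of one 802.1X-enabled switch port seen from the authenticator PAE."""
import struct

ETHERTYPE_EAPOL = 0x888E                                          # EAPOL EtherType
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")                    # 802.1X PAE group MAC


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet header + EAPOL header (v1) + optional EAP body."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, eapol_type, len(body)) + body


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, then type and data."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode just enough of a frame to classify it: EtherType, EAPOL type, EAP code."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0],
            "eapol_type": None, "eap_code": None}
    if info["ethertype"] != ETHERTYPE_EAPOL:
        return info                                   # ordinary data frame
    if len(frame) < 18:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info["eapol_type"] = eapol_type
    body = frame[18:18 + body_len]
    if eapol_type == EAPOL_EAP_PACKET and len(body) >= 4:
        info["eap_code"] = body[0]                    # EAP code is the first body byte
    return info


class Dot1xPort:
    """Two virtual access points over one physical link, as the slides describe."""

    def __init__(self):
        self.authorized = False                       # controlled port starts closed

    def server_verdict(self, eap_code: int) -> None:
        """Authentication server's answer (relayed via RADIUS) opens or closes the controlled port."""
        self.authorized = (eap_code == EAP_SUCCESS)

    def ingress(self, frame: bytes) -> str:
        """Return the virtual port that carried the frame, or 'dropped'."""
        info = parse_frame(frame)
        if info["ethertype"] == ETHERTYPE_EAPOL:
            if info["eapol_type"] == EAPOL_LOGOFF:
                self.authorized = False               # supplicant left: close controlled port
            return "uncontrolled"                     # EAPOL always passes, even before auth
        return "controlled" if self.authorized else "dropped"
```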

802.1x Identity and Security
Authentication: Who can access the network and services?
Authorization: What is the user allowed to do?
Access Control: Control is based on authentication and authorization
Policy enforcement: Combining authentication, authorization, and access control to enforce enterprise/SP policies

Key 802.1x Functions/Building Blocks
802.1x Authenticator: Controls access to Layer 2 resources; mechanisms to grant access; authorization policy from AAA/RADIUS/ACS
802.1x Supplicant: Provides client capability; computers, routers, switches, PDAs, IP phones
802.1x Mutual authentication: Client and server authentication; support for EAP transport

802.1x Benefits
Uses standards-based technology to control network access
Extends authentication to other security areas: authorization, access control, and policy enforcement
Controls are exercised at the link layer, so all services riding on it can make use of link layer services
Interoperates in wired, wireless, & switching scenarios
Reduces overall IT costs by preventing external and internal threats
Enables and performs centralized user administration

802.1x Markets and Applications
SOHO/Telecommuter
Enterprise: Wired, Wireless, Remote access
Service provider: Metro Ethernet

SOHO / Telecommuter
Diagram: Corporate user and Personal user behind one home device; VPN Tunnel through the Service Provider
Today's Enterprise Barriers – "Spouse and Kids Problem"
Difficult to prevent unauthorized "home users" from accessing the corporate network
No prevention of rogue wireless access points

Speaker notes: This can be done today, but only with the VPN 3002. You need to implement a combination of split tunneling and individual user authentication. The limitation is that the personal users can't go to the Internet unless the VPN tunnel is up; you don't get the split tunnel rules downloaded and usable until you build the tunnel. So, if the VPN 3002 also requires external device authentication, then if the tunnel dies and the corporate user isn't home to log the box back in, the personal users are dead in the water. That's a security tradeoff. IOS and PIX Easy VPN Clients will get individual user authentication eventually, but not for at least several months. The VPN 3002 can support an IP phone without requiring that device to be authenticated explicitly. This feature is also not yet implemented for other Easy VPN clients. An IP phone requires running the Easy VPN client in Network Extension mode so that the phone gets an address that is usable on the corporate network. No CCIE required, but for now it's a 2-box solution (even if the second box is just a generic cable/DSL modem).

SOHO / Telecommuter (Cont.)
802.1x Integration
Diagram: Corporate user uses the VPN Tunnel through the Service Provider; Personal user goes straight to the Internet
Prevents unauthorized users from accessing the corporate network
Identifies the IP phone, identifies the policy, and uses the corporate VPN tunnel
Identifies individual wireless access points, applies the policy, and enables authorized users to access the VPN tunnel
Cisco IOS® Software 802.1x Phase 1 addresses all of these issues

Speaker notes: same notes as the previous slide.

Metro Ethernet - 802.1x
Diagram labels:
POP CE – Authentication by SP (Supplicant PAE)
POP CE – Authentication by SP (Optional UNI Feature)
PE-CLE – Authentication by SP

SOHO / Telecommuter Customers
ABB, Intel, Verizon, Home Depot

Metro Ethernet Customers
Time Warner, Verizon, Swisscom, SBC, Telecom Italia, Bell Canada, AT&T, Sprint, Bell South, EDDI, Cox Cable, Reliance, FastwEB, NTT

802.1x Target Platforms
Access Routers: Cisco 800 – 3700 Series Routers
Metro Ethernet hardware: Cisco 2750, 3550, and Congo Routers; Cisco Catalyst® 4500 and 6500 Series Switches; Cisco 7600, 10000, and 12000 Series Internet Routers

Cisco Products with 802.1x
Cisco Aironet
Cisco Catalyst 4000 and 4500 Series Switches
Cisco ACS Server
Cisco Catalyst 6500 Series Switch
Cisco Catalyst 2950, 3550, 3750 Routers

Cisco Catalyst 6500 Series Support (Cisco Catalyst Switch portfolio)
Basic 802.1X Support
802.1X with VLANs
802.1X with Port Security
802.1X with VVID
802.1X Guest VLANs
802.1X with ACLs
High Availability for 802.1X
High Availability for Port Security

802.1x in Cisco IOS Software
Control who is allowed access earlier and sooner in the stack by building authentication at the link layer (Layer 2)
Use standards-based 802.1x technology so it is easier to interoperate with switches and wireless access points
Extend 802.1x services to leverage other identity and security services
Address SOHO/Telecommuter, wired and wireless Enterprise, and Service Provider markets

802.1x in Cisco IOS Software (Cont.)
Build common 802.1x features to address the basic building blocks (Release 12.3T): Authenticator; Supplicant; EAP transport capability for different hashing types; Mutual authentication
Port common functionality to Release 12.2S and derivatives
All supported hardware must add unique 802.1x functionality

802.1x Roadmap
Phase 1: Authenticator
Phase 2: Supplicant; Mutual authentication
Phase 3: Metro Ethernet market
Phase 4: Wireless; iEdge

802.1x Phase 1 – Release 12.3(4)T
802.1x authenticator support in Cisco IOS Software
MAC based authentication
Static DHCP address pools
Default authorization policy
Split tunneling
Multi-auth support
Stealth deployment

802.1x Phase 2 – Target: Release 12.3(5th)T
802.1x supplicant support in Cisco IOS Software
Mutual authentication
Support for EAP transport: EAP MD5, EAP TLS
Policy enforcement to include user access restrictions

802.1x Phase 3 – Target: Release 12.2(Rls6)S
Addresses the Metro Ethernet market segment
Common feature code from Phase 2
Hardware-specific feature code and test strategies will be determined with hardware teams
Metro Ethernet Platforms: Cisco 2750, 3750, Congo, 6500, and 7600 Series

802.1x Phase 3.1 – Target: Release 12.2(Rls7)S
Add additional hardware products for the Metro Ethernet market segment
New hardware products will be supported: Cisco 4500 Series Switch; Cisco 10000 and 12000 Series Internet Routers

802.1x Phase 4 – Target: Release 12.3(6th)T
RADIUS Proxy
IP Phone
Monitoring and management: 802.1x MIB
Scalability and high availability

802.1x Phase 5 – Target: Release 12.3(7th)T
Interoperability with wireless access points
Antibody iEdge interoperability

References
Ian Foo: Slide presentation at brown-bag lunch
Ken Hook: IBNS launch
Eric Voit: Metro Ethernet slide presentation
Eric Marin: Slide presentation

802.1x Overview, 11/03 © 2003 Cisco Systems, Inc. All rights reserved.