802.1x Best Practises
Ing. Peter Feciľak, Peter.Fecilak@tuke.sk, 29.04.2008, KPI, FEI, TUKE
Content of the presentation
- Basic terminology
  - 802.1x
  - RADIUS server
  - Dynamic VLAN membership
- Why implement 802.1x?
- Problems in 802.1x implementation
- Discussion
What is 802.1x?
- IEEE standard for port-based Network Access Control
- Provides port-based authentication
- Supported in wired and wireless environments
802.1x terminology
RADIUS authentication server
- Provides authentication and other AAA services for the end device through a number of authentication mechanisms
- Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)
- Can be linked to an external user/computer database: Active Directory / LDAP / MySQL
RADIUS authentication server
- Supports delegation (proxying) of requests to another server (e.g. eduroam)
- Runs on different platforms:
  - MS Windows: Cisco Secure Access Control Server
  - Linux: FreeRADIUS / old versions of CS ACS
Authenticator – access layer
- Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)
- Three types of VLANs:
  - Dynamic VLAN assigned by RADIUS
  - AUTH-FAIL VLAN
  - GUEST VLAN
- Catalyst switches support periodic re-authentication (Steve Riley vulnerability from 2005)
802.1x Supplicant
- Application that performs authentication via EAP against the authenticator
- Possible types of authentication:
  - Computer (domain account)
  - User (domain account, OTP, ...)
  - Computer with user account
802.1x Supplicant
- Supported under Windows and Linux
- Linux authentication tools:
  - Xsupplicant (wired)
  - wpa_supplicant (wireless)
  - open1x
802.1x Linux Supplicant

fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
default_interface = eth0
default {
  type = wired
  allow_types = eap-peap
  identity = "pfecilak"
  eap-peap {
    inner_id = "pfecilak"
    # root_cert = NONE disables validation of the RADIUS server certificate:
    # the PEAP tunnel then hides the MSCHAPv2 exchange from passive listeners
    # but does not protect the supplicant against a rogue authentication server
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes
    eap-mschapv2 {
      username = "pfecilak"
      password = "Moje1Tajne2Heslo3!#"
    }
  }
}
802.1x Windows Supplicant
- Native 802.1x supplicant under:
  - MS Windows XP
  - MS Vista
  - MS Windows 2000 (latest SP)
- External supplicants: Cisco Secure Services Agent
802.1x Windows Supplicant
[screenshots: native supplicant configuration; user-authentication GUI agent]
Why implement 802.1x?
- Provide port-based control of access to network resources (physical access to ports is hard to control)
- Identify regular network users and give them easy access to network resources
- Isolate non-regular users from the internal infrastructure
Why implement 802.1x?
- Apply different security levels to specified communities of users
- Provide mobility via RADIUS and dynamic VLAN membership
Number of security levels
Identify user/computer roles and grant them access to network resources as defined by their security level.
Problems in 802.1x implementation
- Devices that do not support 802.1x connected to the access layer cause problems (e.g. hubs, unmanageable switches)
- Computers connected through IP phones that do not support 802.1x have problems with authentication
- Periodic re-authentication can cause problems in a large domain
Problems in 802.1x implementation
- Computer authentication with user-to-VLAN mapping can cause problems during the IP settings renewal process
- The Authentication tab is not shown in the local area connection configuration (it needs the Wireless Zero Configuration service)
Best practises
- When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts
- Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with a domain account is better
Best practises
- Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication
- I recommend using 1 server per 100 computers when re-authentication every 5 minutes is used
Best practises
Classification into profiles for providing different security levels:
- User Network: for regular users, granting access to network resources
- Visitors Network: for guest access from the internal infrastructure, granting only Internet access
- Guest/Auth-fail VLAN: fully isolated network, no network resources can be accessed
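The RADIUS side of the dynamic VLAN membership mentioned under the authenticator and in the profile classification above, as an added example that is not part of the original presentation: the server encodes the VLAN for a role into the RFC 2868 tunnel attributes of an Access-Accept, and a switch-side decoder accepts the VLAN only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID carry the same tag and agree, so a stray or truncated attribute never moves a port. The role-to-VLAN table and the VLAN numbers are constructed for the example; the attribute numbers and values are the standard ones.

```python
import struct

# RFC 2868 tunnel attributes used by switches for dynamic VLAN assignment
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # string  = VLAN id (or name)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_TAG = 0x1F                 # tag field is 0x01..0x1F; a larger first byte means "no tag"

# Constructed role -> VLAN table for the profiles on the slide.
# VLAN numbers are assumptions for the example, not from the presentation.
PROFILE_VLANS = {"user": 10, "visitor": 20}


def tagged_int(attr, tag, value):
    """Type, Length=6, Tag, 3-byte big-endian integer (RFC 2868 layout)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr, tag, text):
    """Type, Length, Tag, string (RFC 2868 layout)."""
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_attributes(vlan_id, tag=1):
    """AVPs the RADIUS server puts into Access-Accept to place the port in vlan_id."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def radius_decision(role):
    """Server policy: known roles get Access-Accept with their VLAN; any other
    role is rejected, and the switch then applies its locally configured
    auth-fail VLAN (the isolated network of the third profile)."""
    if role in PROFILE_VLANS:
        return "Access-Accept", vlan_attributes(PROFILE_VLANS[role])
    return "Access-Reject", b""


def parse_attributes(blob):
    """Walk the attribute TLV list and return (type, payload) pairs; bad lengths raise."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(blob):
    """Authenticator side: return the VLAN id only when Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802 and a numeric Tunnel-Private-Group-ID all
    share one tag; otherwise None, meaning the port is not moved."""
    groups = {}
    for attr_type, payload in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(payload) != 4:          # tag + 3-byte integer expected
                continue
            groups.setdefault(payload[0], {})[attr_type] = int.from_bytes(payload[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and payload:
            if payload[0] <= MAX_TAG:
                tag, text = payload[0], payload[1:]
            else:
                tag, text = 0, payload     # untagged string form
            groups.setdefault(tag, {})[attr_type] = text.decode(errors="replace")
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    for role in ("user", "visitor", "printer"):
        code, avps = radius_decision(role)
        print(role, code, avps.hex(), vlan_from_accept(avps))
```

The decoder groups attributes by tag before deciding, which is what lets a server return several tunnel sets in one reply without a mismatched pair from different sets being combined into a VLAN the policy never intended.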
Discussion/Questions and Answers
Redundant topologies
Problem
Solution – redundant gateways
[diagram: two gateways, 192.168.1.2 and 192.168.1.1, on 192.168.1.0/24]
Solution – HSRP
[diagram: GW-1-1 (192.168.1.2) and GW-1-2 (192.168.1.1) on 192.168.1.0/24 form a virtual router with address 192.168.1.3; one gateway is Master, the other Slave]
First Hop Redundancy Protocols
- HSRP
- VRRP
- GLBP
Example - HSRP

GW-1-1 (192.168.1.2):
GW-1-1(config)# interface FastEthernet 0/0
GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
GW-1-1(config-if)# standby 1 priority 80
GW-1-1(config-if)# standby 1 preempt
GW-1-1(config-if)# standby 1 ip 192.168.1.3
GW-1-1(config-if)# no shutdown

GW-1-2 (192.168.1.1):
GW-1-2(config)# interface FastEthernet 0/0
GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
GW-1-2(config-if)# standby 1 priority 150
GW-1-2(config-if)# standby 1 preempt
GW-1-2(config-if)# standby 1 ip 192.168.1.3
GW-1-2(config-if)# no shutdown

End station:
IP: 192.168.1.100
Netmask: 255.255.255.0
Gateway: 192.168.1.3
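A simplified model of the HSRP active-router election that the gateway configuration above relies on, added here as an example that is not part of the original slides: the highest priority wins, the highest interface IP breaks a tie, and a router with a higher priority takes over from a still-running active router only when it has preempt configured. The router objects reproduce the two gateways from the configuration (192.168.1.2 with priority 80 and 192.168.1.1 with priority 150, both with preempt); hello and hold timers and the full HSRP state machine are left out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100     # IOS default for "standby priority"
    preempt: bool = False   # IOS default: no preemption
    up: bool = True


def elect_active(routers, current_active=None):
    """Return the name of the router that ends up active for the group.
    Rules modelled: highest priority wins; on equal priority the highest
    interface IP wins; a better candidate replaces a still-running active
    router only if the candidate has preempt configured."""
    live = [r for r in routers if r.up]
    if not live:
        return None
    best = max(live, key=lambda r: (r.priority, IPv4Address(r.ip)))
    current = next((r for r in live if r.name == current_active), None)
    if current is not None and current is not best and not best.preempt:
        return current.name        # better router waits: no preempt
    return best.name


def failover_timeline(routers, events):
    """Apply (router_name, is_up) events in order and record who is active
    after each one; the first entry is the initial election."""
    by_name = {r.name: r for r in routers}
    active = elect_active(routers)
    history = [active]
    for name, is_up in events:
        by_name[name].up = is_up
        active = elect_active(routers, active)
        history.append(active)
    return history


def slide_gateways(preempt=True):
    """The two gateways as configured on the HSRP slide (preempt toggled for comparison)."""
    return [HsrpRouter("GW-1-1", "192.168.1.2", priority=80, preempt=preempt),
            HsrpRouter("GW-1-2", "192.168.1.1", priority=150, preempt=preempt)]


if __name__ == "__main__":
    outage = [("GW-1-2", False), ("GW-1-2", True)]
    print("with preempt:   ", failover_timeline(slide_gateways(), outage))
    print("without preempt:", failover_timeline(slide_gateways(preempt=False), outage))
```

Running the two variants side by side shows why the slide configures preempt on both gateways: without it, GW-1-2 coming back after an outage stays standby behind the lower-priority GW-1-1 until that router fails in turn.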
End of the presentation. Thank you for your attention. Modern education for the knowledge society. The project is co-financed from EU funds.