Published by Dwight Perkins. Modified over 6 years ago.
Holistic view of 802.1x integration & optimization
High level design, with visual paradigm
Presentation by: Faisal Md Abdur Rahman, BDPEER | | Phone:
What we will talk about
- Campus network in practice
- Security in practice
- 802.1x, PEAP, EAP-TLS, EAP-FAST explained for campus network
- Policy based access control
- Network Admission Control (NAC)
- Introducing NAC appliance
- Secure network design with NAC for LAN & WLAN network
- Device profiling, posture check, guest redirection explained
- A case study scenario
Purpose of the discussion
- Central web authentication
- BYOD
- Posture assessment
- Profiling & CoA (Change of Authorization)
We will not talk about
- Network design (routing, switching, WAN technologies)
- Network Quality of Service for routing & switching
- Basic WLAN infrastructure design
- Network design models are not discussed in detail.
Campus Area Network (CAN)
- The network consists of switches, routers and firewalls.
- The network infrastructure is owned and operated by the organization itself.
- A CAN spans an area of 1 km to 5 km.
- Users with network access are free to use network resources once they are within the campus perimeter.
CAN Pros & Cons: Advantages
- Easy to build and maintain.
- Open to all using simple and secured AAA, from a personal hand-held device or laptop.
- Easy sharing and storage of resources within the network, with access from anywhere within the network.
- Network resources stay within the network and are firewalled from external threats.
- Users use secure login technology (SSO, i.e. Shibboleth, Kerberos, LDAP or RADIUS) to get access to resources within the network.
CAN Pros & Cons: Disadvantages
- Identity can be tampered with. That way an unauthorized user holding valid credentials can access resource locations inside the network that they are not authorized for, while the system believes the resources are being accessed by an authorized person.
- User rights stay the same across the entire network regardless of which device the user is using or which network location the user is coming from.
- Transparent to any firewall / IPS / IDS appliance.
- Device authorization scope is very limited and not dynamic.
- Management is slow, and authentication / authorization events are not visible to the network administrator.
CAN Pros & Cons (continued)
- Identity loss or unauthorized access (using valid credentials) is never detected if the intruder does no harm to resources.
- Authorized users can access network resources using any device that supports local network-based authentication / SSO (i.e. AD, OpenLDAP, Shibboleth, OTP, RADIUS).
- Any device can access the network even if it is not security compliant (i.e. missing patches, outdated AV definitions, applications).
- Guest management is painful. Guest access to the network needs extra effort and time from the network administrator to manage a new network.
- Device isolation for a service is complicated.
CAN security in practice
- External threat prevention: IPS / IDS, PBR, zone based firewall
- Internal threat prevention: AD, OTP, OpenLDAP, RSA token, system hardening, DLP, awareness
CAN proposed network security
- Classify network traffic from the access layer.
- Check the device compliance policy prior to joining the network.
- Dynamic access authorization based on policy.
- Access automation.
CAN proposed security features
- Device profiling: automatic, manual
- BYOD: device registration redirection, dynamic profile allocation, TLS handshake
- Posture check: posture profiling, posture object
- Dynamic access control: MAB, policy based 802.1x
- Guest redirection: user / device redirection, guest management
Authentication method explained
- MAC Authentication Bypass: method of exempting specific MAC addresses from the 802.1x authentication process when they are detected on an 802.1x-enabled port.
- 802.1x based authentication: method of forwarding 802.1x requests to the identity source server (AD, OpenLDAP etc.) through the access server.
** NAD devices (switches, routers, firewalls, virtual network devices) establish communication with the access server using a pre-shared key before forwarding 802.1x requests to it. The access server collects all authentication requests and forwards them accordingly.
Protocols for authentication
- RADIUS
- PEAP or Protected Extensible Authentication Protocol
- EAP-TLS or certificate based authentication
- EAP-FAST to carry both TLS and non-TLS authentication
- Inner methods: MSCHAPv2, MSCHAP, MD5, TLS
802.1x components configuration
- The 802.1x server or access server needs the switches / wireless controllers added with a pre-shared key defined.
- Switch port 802.1x enablement.
- Switch / wireless controller configured to contact the access server using the pre-shared key.
- Dynamic authorization enablement (if supported by the NAD devices).
- User PC / server or VM needs to be 802.1x supplicant enabled (Windows or Linux built-in, or a third-party supplicant like Cisco AnyConnect).
- Finally, the corresponding rules for 802.1x authentication & authorization.
MAB configuration components
- Access server configuration for 802.1x exceptions
- Switch port MAB enablement configuration
- Open SSIDs in the WLAN to be configured for MAB for guest redirection
Policy based dynamic access (Features)
- Can be achieved using Microsoft NPS (no posture, device profiling, MDM integration or BYOD; needs Windows Server 2K8 or 2K12 Enterprise licensed).
- Can be achieved using Cisco ISE (licensed product; needs a feature unlock license).
- Can be achieved using OpenNAC (open-source, no posture).
- Can be achieved using PacketFence (open-source, supports almost everything).
Dynamic NAC process
Implementation summary
- Deploying AD with domain name "bdnog2016.org". (Optional)
- Deploying a certificate server (Microsoft CA, Entrust CA, OpenSSL etc.). (Optional)
- Deploying an external RADIUS server. (Optional)
- Deploying an OTP server. (Optional)
- Deploying an identity service solution (ISE, OpenNAC or PacketFence). (Mandatory)
- Selecting a supported NAD device. Cisco WS-C PC-L is ideal for this operation. Dell Force10 switches and specific PowerConnect models can also be selected.
- Using a wireless controller (Cisco WLC, Aruba, Chillispot for dwrt based APs etc.).
RADIUS CoA Example
Vendor Specific VSAs: example Cisco CoA operations
- Terminate session
- Terminate session with port bounce
- Terminate with port shutdown
- Re-authenticate session
- Session query: for active services, for complete identity
- Service specific: activate service, de-activate service, query identity service
Posture remediation flow (Quarantine VLAN, CORP VLAN, switchport):
1. Endpoint fails posture assessment and gets assigned to the Quarantine VLAN.
2. Endpoint remediates itself and is reported: Posture=Compliant.
3. ISE issues a RADIUS CoA to reauthenticate.
4. Client is re-authenticated and assigned to the CORP VLAN.
© 2011, Cisco Systems, Inc. All rights reserved. TECSEC-2041.scr
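As an added example (not from the slides, not Cisco code), the following Python models step 3 of the flow above, the re-authenticate CoA, on the wire: the policy server builds a RADIUS CoA-Request (code 43) carrying Acct-Session-Id, NAS-IP-Address and the cisco-avpair `subscriber:command=reauthenticate` (vendor id 9), the NAD checks the Request Authenticator with the shared secret before acting on it, and the server checks the CoA-ACK/NAK that comes back. The shared secret, session id and addresses are constructed placeholders (the slides elide the real server-key), and the NAD-side handler is a simplified model rather than IOS behaviour.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers from RFC 5176 / RFC 2865
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_NAS_IP, ATTR_VSA, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 4, 26, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # enterprise number 9; vendor-type 1 is cisco-avpair

# Constructed placeholder: the slides elide the real "server-key" configured on the NAD.
SHARED_SECRET = b"placeholder-coa-secret"


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier, session_id, nas_ip, secret,
                      command="subscriber:command=reauthenticate"):
    """Policy server side: CoA-Request telling the NAD to re-authenticate one session."""
    attrs = (avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + avp(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + cisco_avpair(command))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    # The shared secret is what authenticates the policy server to the NAD here.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """NAD side: recompute the Request Authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet):
    """Walk the attribute list; Cisco VSAs come back as ('cisco-avpair', text)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if (attr_type == ATTR_VSA and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            out.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def build_coa_response(request, code, secret, attrs=b""):
    """CoA-ACK / CoA-NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_response(request, response, secret):
    """Policy server side: make sure the ACK/NAK came from the NAD holding the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nad_handle_coa(packet, secret, active_sessions):
    """Simplified NAD: drop a bad authenticator silently (as RFC 5176 requires),
    NAK an unknown session with Error-Cause 503, otherwise ACK and start re-auth."""
    if not verify_coa_request(packet, secret):
        return None
    attrs = dict(parse_attributes(packet))
    session = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode()
    if session not in active_sessions:
        error = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_coa_response(packet, COA_NAK, secret, error)
    active_sessions[session] = "reauthenticating"   # step 3 leading to step 4 on the slide
    return build_coa_response(packet, COA_ACK, secret)


if __name__ == "__main__":
    # Constructed sample: one endpoint sitting in the quarantine VLAN after failing posture.
    sessions = {"0A0000010000001F": "quarantine"}
    req = build_coa_request(7, "0A0000010000001F", "10.0.0.5", SHARED_SECRET)
    resp = nad_handle_coa(req, SHARED_SECRET, sessions)
    print("NAD replied:", "CoA-ACK" if resp[0] == COA_ACK else "CoA-NAK", sessions)
    print("CoA with wrong secret accepted:", nad_handle_coa(req, b"wrong", sessions) is not None)
```

The two authenticator checks are the whole security story of dynamic authorization: a CoA that fails verification is discarded without any reply, so the NAD never tells a sender whether it guessed the secret, and the `aaa server radius dynamic-author` client entry in the switch configuration later in the deck is exactly where that secret and the permitted sender address are set.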
CASE STUDY SCENARIO: ISE
DISCUSSION ON A STUDY THAT HAS ALREADY BEEN IMPLEMENTED AND IS FUNCTIONAL IN ONE OF THE LARGEST NGOs IN BANGLADESH, ACROSS ALL 87 BRANCHES CONNECTED USING AN MPLS BACKBONE
Solution High Level Design
Wireless:
1. Client sends the PEAP / plain (MAB) first packet to the WLC.
2. WLC detects EAP / MAB on the 802.1x port.
3. WLC starts sending requests to ISE.
4. ISE sends the profile to the NAD and maintains the session.
5. Wireless controller applies the profile received from ISE.
Wired:
1. Client sends the PEAP / plain (MAB) first packet.
2. Switch detects EAP / MAB on the 802.1x port.
3. Switch starts sending requests to ISE.
4. ISE sends the profile to the NAD and maintains the session.
5. Switch applies the profile received from ISE.
Placement in network
- Recommended to deploy in the server zone. Not necessary to deploy in the DMZ, as the service will be used by users within the organization.
- Must have secure firewall policies that permit only the ports needed for 802.1x, RADIUS, web-portal redirection & posture redirection.
- The Wireless LAN Controller can be placed on the L2 network or the L3 network (use FQDN broadcast through the enterprise domain controller).
- All NAD devices (switches, firewalls, Wireless LAN Controller) should be able to communicate with both ISE servers.
Advanced placement issues
- Do not place the ISE or NAC servers in the access zone. Try to create a separate zone for ease of policing and security issue mitigation.
- If de-centralized DHCP broadcast is used (in case of L3 MPLS), try the FlexConnect option at the branch AP.
- Use Flex-ACL and AP-Group policy to make management easy and to ensure session control for web redirection (avoids 500 Internal Error).
NAD configuration (Switch)
Switch global configuration:
Switch(config)# aaa new-model
Switch(config)# radius-server host
Switch(config)# radius-server key <mykey>
Switch(config)# aaa authentication dot1x default group radius local
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authorization network default group radius
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Port configuration:
Switch(config-if)# switchport mode access
Switch(config-if)# authentication event fail action next-method
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
NAD configuration (Switch) continued
Switch AAA configuration
=============================
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client server-key bdnog5
RADIUS configuration
=============================
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 10
radius-server host auth-port 1812 acct-port key bdnog5
radius-server vsa send accounting
radius-server vsa send authentication
NAD configuration (Switch) continued
SNMP configuration
=============================
snmp-server community bdnog5snmp RO 10
snmp-server location BDPEER
snmp-server contact
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host version 2c bdnog5snmp mac-notification
logging origin-id ip
logging host transport udp port 20514
802.1x configuration
=============================
epm logging
dot1x system-auth-control
MAC notification
=============================
mac address-table notification change
mac address-table notification mac-move
NAD configuration (Switch) continued
Static ACL
=============================
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 permit ip any host
 permit udp any any eq bootps
 permit ip any host
ip access-list extended REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
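As an added example (not part of the slides, and not IOS code), the following Python evaluates the two ACLs above the way a port in the MAB / web-redirect state treats traffic: ACL-DEFAULT is applied first-match with the implicit deny every IOS ACL ends with, and REDIRECT decides which flows are intercepted for the portal. The ISE addresses the slide elides are replaced by the documentation-range placeholders 192.0.2.10 and 192.0.2.11, the sample flows are constructed, and the parser covers only the `any` / `host` / `eq` syntax the slide uses. It also shows why a redirect ACL normally opens with deny lines for the ISE nodes: with REDIRECT exactly as written above, HTTPS to ISE itself (the portal and posture traffic) would be redirected too.

```python
import ipaddress

# IOS port keywords used on the slide, mapped to port numbers
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

# The slide elides the ISE host addresses; 192.0.2.10/11 are constructed placeholders.
ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit ip any host 192.0.2.10
permit udp any any eq bootps
permit ip any host 192.0.2.11
"""

# Redirect ACL as on the slide: every web flow is intercepted, including flows to ISE.
ACL_REDIRECT = """
permit tcp any any eq www
permit tcp any any eq 443
"""

# Same ACL with deny lines that keep portal and posture traffic to ISE out of the redirect.
ACL_REDIRECT_FIXED = """
deny ip any host 192.0.2.10
deny ip any host 192.0.2.11
permit tcp any any eq www
permit tcp any any eq 443
"""


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq <port>'; return (network, port, rest)."""
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        raise ValueError(f"address form not handled by this example: {tokens[0]}")
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = _port(tokens[1]), tokens[2:]
    return net, port, tokens


def parse_acl(text):
    """Parse the extended-ACL lines into (action, proto, src, sport, dst, dport) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, sport, rest = _endpoint(tokens[2:])
        dst, dport, rest = _endpoint(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line}")
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def lookup(aces, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sp, dst, dp in aces:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"


DEFAULT = parse_acl(ACL_DEFAULT)
REDIRECT = parse_acl(ACL_REDIRECT)
REDIRECT_FIXED = parse_acl(ACL_REDIRECT_FIXED)


def classify_preauth(flow, redirect=REDIRECT, port_acl=DEFAULT):
    """Port in the web-redirect state: flows the redirect ACL permits go to the portal,
    everything else is filtered by the static port ACL."""
    if lookup(redirect, *flow) == "permit":
        return "redirect-to-portal"
    return lookup(port_acl, *flow)


if __name__ == "__main__":
    # Constructed flows: (proto, src ip, src port, dst ip, dst port)
    for flow in [("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # DHCP discover
                 ("udp", "10.1.1.20", 51000, "10.0.0.53", 53),        # DNS
                 ("tcp", "10.1.1.20", 51001, "198.51.100.7", 80),     # HTTP to the internet
                 ("tcp", "10.1.1.20", 51002, "198.51.100.7", 22),     # SSH
                 ("tcp", "10.1.1.20", 51003, "192.0.2.10", 443)]:     # HTTPS to ISE
        print(flow, "->", classify_preauth(flow), "/ fixed:", classify_preauth(flow, REDIRECT_FIXED))
```

Running the sample flows shows the intended pre-auth footprint: DHCP and DNS pass, SSH is dropped by the implicit deny, HTTP is sent to the portal, and the only difference between the slide's REDIRECT and the fixed one is the HTTPS flow to the ISE placeholder, which the fixed ACL lets through to ACL-DEFAULT's `permit ip any host` line instead of looping it back into the redirect.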
NAD Configuration (WLC)
- Remote APs should be in FlexConnect mode.
- Permit & deny ACLs should be configured on the WLC and must be referenced in ISE policy so they can be allocated dynamically to wireless users.
- The redirection ACL should be configured on the WLC (for Flex APs the ACL will be a Flex-ACL, while a similar empty ACL will be in the normal ACLs).
Example: MAB
Example: MAB (Web Redirection)
- Getting the guest portal from the server
- Central web authentication
For 802.1x: success scenario
Enjoy 802.1x
faisal.rahman@bdpeer.com