SECS02L02 - Implementing Cisco IBNS


Trust and Identity

Implementing Cisco IBNS

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—2-1


Concepts of Cisco IBNS in Action

[Diagram] Identity-based authentication gates the corporate network and corporate resources: an authorized user presenting valid credentials is admitted (√ Network); an unauthorized external wireless user with invalid or no credentials is refused (X No Access).



Cisco IBNS
Unified Control of User Identity for the Enterprise

[Diagram] Cisco Secure ACS is the central identity and policy point, backed by an OTP server issuing hard and soft tokens. It serves the network access devices (Cisco VPN Concentrators, Cisco IOS routers, Cisco PIX firewalls), which in turn front VPN clients arriving over the Internet and the remote offices.



Cisco IBNS Port-Based Access Control

[Diagram] End user (client), Cisco Catalyst 2950 Series switch, authentication server (Cisco Secure ACS/RADIUS)
1. EAPOL-start
2. Login request
3. Login response
4. Check with policy database
5. Policy database confirms ID and grants access
6. Policy database informs switch
7. Switch enables port



IEEE 802.1x

 Standard set by the IEEE 802.1 working group
 A framework designed to address and provide port-based access control using authentication
 Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol.)
 Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
 Assumes a secure connection
 Actual enforcement is via MAC-based filtering and port-state monitoring



802.1x Components

[Diagram] Supplicant <-- EAPOL --> Authenticator <-- RADIUS --> Authentication Server



802.1x Operation

For each 802.1x switch port, the switch creates two virtual access points at each port.
 The controlled port is open only when the device connected to the port has been authorized by 802.1x.
 The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic only.

[Diagram] Controlled port (closed until the port is authorized) and uncontrolled port; the diagram labels the uncontrolled port as carrying EAPOL and CDP traffic only.



How 802.1x Works

[Diagram] End user (client) <-- EAPOL --> Cisco Catalyst 2950 Series switch (NAD) <-- RADIUS --> authentication server (Cisco Secure ACS)

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.



How 802.1x Works (Cont.)

[Diagram] End user (client) <-- EAPOL --> Cisco Catalyst 2950 (switch) <-- RADIUS --> authentication server (Cisco Secure ACS)

Client <-> switch (EAPOL)              Switch <-> server (RADIUS)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                  EAP-method-dependent auth exchange with AAA server
EAP Auth Exchange
EAP Success / EAP Failure              Auth Success / Reject
Port Authorized (policies applied)
EAPOL-Logoff
Port Unauthorized

What Is EAP?

 EAP: the Extensible Authentication Protocol
 A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
 Typically runs directly over data-link layers such as PPP or IEEE 802 media
 Originally specified in RFC 2284, obsoleted by RFC 3748
 Supports multiple "authentication" types (EAP methods)



Current Prevalent Authentication Methods

Challenge-response-based
 EAP-MD5: Uses MD5-based challenge-response for authentication
 LEAP: Uses username/password authentication
 EAP-MS-CHAPv2: Uses username/password MS-CHAPv2 challenge-response authentication
Cryptographic-based
 EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods
 PEAP: Tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted TLS tunnel, much like web-based SSL
 EAP-Tunneled TLS (EAP-TTLS): Other EAP methods over an extended EAP-TLS encrypted tunnel
 EAP-FAST: Recent tunneling method designed not to require certificates for deployment
Other
 EAP-GTC: Generic token and OTP authentication

The challenge-response methods run with no protective tunnel: EAP-MD5 derives no keying material and does not authenticate the server, and both EAP-MD5 and LEAP expose the challenge/response pair to anyone on the medium, so the password can be attacked offline. They belong only on media you already trust, which is why EAP-MS-CHAPv2 is normally run inside PEAP.



EAP Methods

 EAP-MD5
 EAP-TLS
 PEAP with EAP-MS-CHAPv2
 EAP-FAST



EAP-MD5

Supplicant <-> switch (EAPOL)          Switch <-> server (RADIUS)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                  EAP Response/Identity
EAP Request/Challenge                  EAP Request/Challenge
EAP Response/Challenge                 EAP Response/Challenge
EAP Success                            EAP Success

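The EAP-MD5 exchange above and the EAPOL-start / Request-Identity / Success / Logoff sequence from the "How 802.1x Works" slides, as an added runnable example (my code, not Cisco's and not part of the course). It builds and parses EAP and EAPOL frames per RFC 3748 and IEEE 802.1X, runs the three roles in one process, and keeps the switch port's controlled/uncontrolled split: non-EAPOL frames are dropped until the port is authorized. Assumptions: the AuthServer class stands in for Cisco Secure ACS/RADIUS (the RADIUS leg is a direct method call, not RADIUS packets), and the user database, passwords and wordlist are constructed test data.

```python
"""Simulated IEEE 802.1X exchange (supplicant <-EAPOL-> switch port <-> AAA server) with EAP-MD5 (RFC 3748 s5.4).
Added example, not Cisco code: AuthServer stands in for Cisco Secure ACS/RADIUS; the RADIUS leg is direct calls."""
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E                       # EtherType of EAPOL frames on the wire
EAPOL_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4                   # EAP Type values: Identity, MD5-Challenge

def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def eapol(ptype, body=b""):
    """EAPOL frame body: Version=1 | Packet Type | Body Length | Body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]

def md5_challenge(ident, secret, challenge):
    """MD5-Challenge response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthServer:
    """Stand-in for the policy database: holds users, issues challenges, checks responses."""
    def __init__(self, users):
        self.users, self.pending = users, {}   # identity -> password; identity -> (EAP id, challenge)

    def new_challenge(self, identity, ident):
        challenge = os.urandom(16)             # fresh per attempt, so a replayed response fails
        self.pending[identity] = (ident, challenge)
        return challenge

    def verify(self, identity, ident, value):
        pend = self.pending.pop(identity, None)
        if pend is None or pend[0] != ident or identity not in self.users:
            return False                       # unknown users were challenged too: no enumeration
        expected = md5_challenge(ident, self.users[identity].encode(), pend[1])
        return hmac.compare_digest(expected, value)

class AuthenticatorPort:
    """One 802.1X switch port: the uncontrolled port passes EAPOL only; the controlled port opens on Success."""
    def __init__(self, server):
        self.server, self.authorized, self.identity, self.next_id = server, False, None, 1

    def receive(self, ethertype, payload):
        if ethertype != ETHERTYPE_EAPOL:       # data frame: controlled port decides
            return "forwarded" if self.authorized else "dropped"
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_LOGOFF:
            self.authorized = False            # Port Unauthorized
            return None
        if ptype == EAPOL_START:
            return eapol(EAPOL_PACKET, eap(EAP_REQUEST, self.next_id, EAP_IDENTITY))
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.next_id:
            return None                        # stale or unsolicited response: ignore
        self.next_id += 1
        if eap_type == EAP_IDENTITY:
            self.identity = data.decode()
            chal = self.server.new_challenge(self.identity, self.next_id)
            return eapol(EAPOL_PACKET, eap(EAP_REQUEST, self.next_id, EAP_MD5, bytes([len(chal)]) + chal))
        # Type-Data of MD5-Challenge = Value-Size | Value | Name; any other method is rejected
        ok = eap_type == EAP_MD5 and self.server.verify(self.identity, ident, data[1:1 + data[0]])
        self.authorized = ok                   # Port Authorized only on Success
        return eapol(EAPOL_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))

def supplicant(port, identity, password):
    reply = port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_START))
    while reply is not None:
        code, ident, eap_type, data = parse_eap(parse_eapol(reply)[1])
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code == EAP_SUCCESS
        if eap_type == EAP_IDENTITY:
            resp = eap(EAP_RESPONSE, ident, EAP_IDENTITY, identity.encode())
        elif eap_type == EAP_MD5:
            value = md5_challenge(ident, password.encode(), data[1:1 + data[0]])
            resp = eap(EAP_RESPONSE, ident, EAP_MD5, bytes([len(value)]) + value)
        else:
            return False                       # method we do not speak
        reply = port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_PACKET, resp))
    return False

def offline_guess(ident, challenge, value, wordlist):
    """Why EAP-MD5 needs a trusted wire: a sniffed challenge/response pair is brute-forced offline."""
    for guess in wordlist:
        if md5_challenge(ident, guess.encode(), challenge) == value:
            return guess
```

Run `supplicant(AuthenticatorPort(AuthServer({"bob": "..."})), "bob", "...")` and watch `port.receive(0x0800, ...)` change from "dropped" to "forwarded"; `offline_guess` shows why the tunnelled methods on the following slides wrap the password exchange in TLS.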


EAP-TLS

Supplicant <-> switch (EAPOL)          Switch <-> server (RADIUS)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                  EAP Response/Identity
EAP Request/TLS start                  EAP Request/TLS start
EAP Response/TLS Client Hello          EAP Response/TLS Client Hello
EAP Request/TLS Server Hello, Server Cert, Server Key Exchange, Cert Request, Server Hello Done   (both legs)
EAP Response/TLS Client Cert, Client Key Exchange, Cert Verify, Change Cipher Spec, TLS Finished   (both legs)
EAP Request/TLS Change Cipher Spec, TLS Finished   (both legs)
EAP Response                           EAP Response
EAP Success                            EAP Success

Protected tunnel: once both sides have sent TLS Finished the session keys exist; the client has proved possession of its certificate's private key (Cert Verify) and the server has proved its own. Requests always flow from the authentication server toward the supplicant and Responses back (the original slide labelled the server's handshake messages as Responses); the switch relays them without inspecting the TLS contents.



PEAP with MS-CHAPv2

Supplicant <-> switch (EAPOL)          Switch <-> server (RADIUS)
Phase 1 (TLS tunnel set-up)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                  EAP Response/Identity
EAP Request/TLS start                  EAP Request/TLS start
EAP Response/TLS Client Hello          EAP Response/TLS Client Hello
EAP Request/TLS Server Hello, Server Cert, Server Key Exchange, Server Hello Done   (both legs)
EAP Response/TLS Client Key Exchange, Change Cipher Spec, TLS Finished   (both legs)
EAP Request/TLS Change Cipher Spec, TLS Finished [Identity Request]   (both legs)
Phase 2 (inside the tunnel, protected)
Identity response                      Identity response
EAP-MS-CHAPv2 Challenge                EAP-MS-CHAPv2 Challenge
EAP-MS-CHAPv2 Response                 EAP-MS-CHAPv2 Response
EAP Success                            EAP Success

Only the server presents a certificate in Phase 1 (no Cert Request, so no client Cert Verify); the user's real identity and the MS-CHAPv2 exchange travel inside the tunnel. That protection holds only if the supplicant actually validates the server certificate: a supplicant that accepts any certificate will hand its MS-CHAPv2 response to a rogue authentication server.



EAP-FAST

Supplicant <-> switch (EAPOL)          Switch <-> server (RADIUS)
Phase 1 (tunnel set-up using the PAC)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                  EAP Response/Identity
EAP-FAST Start [Authority ID]          EAP-FAST Start [Authority ID]
EAP-FAST [TLS Client Hello [client_random, PAC-Opaque]]
EAP-FAST [TLS Server Hello [server_random], Change Cipher Spec, TLS Finished]
EAP-FAST [TLS Change Cipher Spec, TLS Finished]
Phase 2 (inside the tunnel, protected)
Authentication via EAP-GTC             Authentication via EAP-GTC
Authentication response                Authentication response
Optional PAC refresh                   Optional PAC refresh
EAP Success                            EAP Success



802.1x and Port Security

[Diagram] Attacker A and legitimate user B share a hub on one switch port. Cisco Secure ACS/RADIUS: "I do not know A, I do know B." Result: port unauthorized (port security and identity together).



802.1x and VLAN Assignment

[Diagram] Attacker A and legitimate user B on separate ports. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." A's port stays unauthorized; B's port is authorized and placed in VLAN 10 (identity with VLAN assignment).



802.1x and the Guest VLAN

[Diagram] A is not IEEE 802.1x-compliant (no supplicant); B is a legitimate user. Cisco Secure ACS/RADIUS: "I do not know A, I do know B, and B gets VLAN 10." A's port is put into the guest VLAN, shown with a remediation server; B's port goes to VLAN 10 (identity with guest VLAN).



802.1x and the Restricted VLAN

[Diagram] A is IEEE 802.1x-compliant but fails authentication; B is a legitimate user. Cisco Secure ACS/RADIUS: "I do not know A, I do know B, and B gets VLAN 10." A's port is put into the restricted (protected) VLAN, shown with a remediation server; B's port goes to VLAN 10 (identity with restricted VLAN).



Configuring 802.1x in Cisco IOS

 Enable AAA.
 Configure 802.1x authentication.
 Configure RADIUS communications.
 Enable 802.1x globally.
 Configure interface and enable 802.1x.
 Verify 802.1x operation.



Enable AAA
switch(config)#
aaa new-model
 Enable AAA

switch(config)#
aaa authentication dot1x [<list name> | default]
group radius
 Create an IEEE 802.1X authentication method list

switch(config)#
aaa authorization network {default} group radius
 (Optional) Configure the switch for RADIUS authorization of all network-related service requests, such as VLAN assignment; without it the switch does not apply the VLAN the server returns



Configure RADIUS Communications

switch(config)#
radius-server host [host name | IP address]
 Specify the IP address of the RADIUS server

switch(config)#
radius-server key [string]
 Specify the authentication and encryption key (must match the shared secret configured for this switch on the RADIUS server)

switch(config)#
radius-server vsa send [accounting | authentication]
 (Optional) Enable the switch to recognize and use VSAs



Enable 802.1x Globally

switch(config)#
dot1x system-auth-control

 Enable IEEE 802.1x authentication globally on the switch

switch(config)#
dot1x guest-vlan supplicant

 (Optional) Enable the optional guest VLAN behavior globally on the switch



Configure Interface and Enable 802.1x
switch(config-if)#
switchport mode access / no switchport

 Configure the port as an access port (or, with no switchport, as a routed port)

switch(config-if)#
dot1x port-control [force-authorized |
force-unauthorized | auto]

 Enable IEEE 802.1x authentication on the port

switch(config-if)#
dot1x host-mode multi-host

 (Optional) Allow multiple clients on an IEEE 802.1x-authorized port; once the first host authenticates, every host on the port is granted access, and an EAPOL-logoff from that host or a link-down unauthorizes the port for all of them



Configuring Guest and Restricted VLANs

switch(config-if)#
dot1x guest-vlan vlan-id
 (Optional) Specify active VLAN as an IEEE 802.1x guest VLAN

switch(config-if)#
dot1x auth-fail vlan vlan-id
 (Optional) Specify an active VLAN as an IEEE 802.1x restricted
VLAN



Verify 802.1x Operation
switch#
show dot1x

 View the operational status of IEEE 802.1x

switch#
show dot1x [all | interface]

 View the IEEE 802.1x status for all ports or a specific port



Verify 802.1x Operation (Cont.)
switch#
show dot1x statistics interface [interface]

 View IEEE 802.1x statistics for a specific port

switch#
show aaa servers

 View the status and operational information for all configured AAA
servers

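The configuration steps above, from enabling AAA to the per-port commands, are easy to leave half done on a real switch. Here is an added Python audit (my code, not a Cisco tool) that reads running-config text and reports the gaps a reviewer would look for: missing global commands, ports left in force-authorized, 802.1x enabled on a non-access port, a guest or restricted VLAN that is the same as the port's access VLAN (so unauthenticated hosts land in the production VLAN), and multi-host mode. Assumptions: SAMPLE_CONFIG is a constructed config, not captured from a real switch, the 10.1.1.10 address and shared secret are placeholders, and the finding texts are my own wording.

```python
"""Audit an IOS running-config for the 802.1X building blocks this lesson configures.
Added example, not a Cisco tool; SAMPLE_CONFIG is constructed, not from a real switch."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.1.1.10
radius-server key Str0ngSharedSecret
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x auth-fail vlan 98
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x guest-vlan 20
!
interface FastEthernet0/5
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
"""

# Global commands from the lesson that every 802.1X switch needs: (label, regex).
GLOBAL_REQUIRED = [
    ("aaa new-model", r"^aaa new-model$"),
    ("aaa authentication dot1x ... group radius", r"^aaa authentication dot1x \S+ group radius\b"),
    ("radius-server host", r"^radius-server host \S+"),
    ("radius-server key", r"^radius-server key \S+"),
    ("dot1x system-auth-control", r"^dot1x system-auth-control$"),
]

def parse_config(text):
    """Split a config into global lines and {interface name: [sub-commands]}.
    IOS indents interface sub-commands by one space; '!' or an unindented line ends the block."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def _arg(lines, prefix):
    """Last word of the first sub-command starting with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for label, pattern in GLOBAL_REQUIRED:
        if not any(re.match(pattern, g) for g in global_lines):
            findings.append(f"global: missing '{label}'")
    for intf, lines in interfaces.items():
        control = _arg(lines, "dot1x port-control ")
        if control is None:
            continue                                  # port not in scope for 802.1X
        if control == "force-authorized":
            findings.append(f"{intf}: force-authorized admits any device without authentication")
        if "switchport mode access" not in lines:
            findings.append(f"{intf}: 802.1X requires an access port (no 'switchport mode access')")
        access_vlan = _arg(lines, "switchport access vlan ") or "1"   # IOS default access VLAN
        for kw, label in (("dot1x guest-vlan ", "guest"), ("dot1x auth-fail vlan ", "restricted")):
            vlan = _arg(lines, kw)
            if vlan == access_vlan:
                findings.append(f"{intf}: {label} VLAN {vlan} is the access VLAN; unauthenticated hosts reach it")
        if "dot1x host-mode multi-host" in lines:
            findings.append(f"{intf}: multi-host mode; once one host authenticates, every host on the port passes")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show running-config` output; FastEthernet0/1 in the sample is the clean configuration the slides describe, and the other four ports each reproduce one of the mistakes the checks are for.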


Summary

 Cisco IBNS combines several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.
 802.1x is a standardized framework defined by the IEEE, designed to provide port-based network access control.
 802.1x roles include the supplicant, authenticator, and
authentication server.
 802.1x uses EAP and RADIUS for authentication.
 Various types of EAP methods are available for use with 802.1x.



Summary (Cont.)

 802.1x works with port security.
 802.1x works with VLAN assignment.
 802.1x works with guest VLANs.
 802.1x works with restricted VLANs.
 Various commands are used to configure and verify operation
of 802.1x on a Cisco Catalyst switch.
