This document discusses best practices for securing the wired access network. It begins by explaining why securing the LAN is important due to increased mobility and use of personal devices. It then reviews common methodologies for securing the LAN such as port security, MAC whitelisting, and 802.1X authentication. The document demonstrates how using device profiling and context from sources like EMM/MDM can improve enforcement options. It also addresses challenges like handling "headless" devices and preventing MAC spoofing.

1. #ATM16
Securing the LAN: Best
Practices to Secure the
Wired Access Network
Micah Staggs, CSE-Security
Chuck Jenson, CSE-Security
March 2016 @ArubaNetworks |

2. 2#ATM16
Agenda
Why the LAN?
Methodologies
Examples
Security
Demos

3. 3#ATM16
HPE-Aruba
7XXX
Controllers
Soon to be
Retired Cisco
Switches
Why Bother With the LAN?
–Isn’t in “inside” my network?
–Increased mobility of company-
provided devices and the
introduction of user-owned devices
make trusting the endpoint an issue
–Cloud-first, Mobile-first thinking is
that the access layer isn’t truly
“inside”
–What’s the point, we are going to be
all wireless in a year anyway!

4. 4#ATM16
Other Reasons
–Universal Port
–We’d like to have a similar
config on all ports and update
them based on the device
attached
–Static VLAN assignments
and changes can be a pain
–Security audits

5. 5#ATM16
Methodologies – Port Security
–Locks the port to the 1st MAC or 2 that
it sees. Clears out after the port has
been down for some time
–Works well against someone trying to
unplug a printer and use that port, but
not really secure and not mobile
friendly

6. 6#ATM16
Methodologies – MAC WhiteList
–MAC Lists are good for “Quick
and Dirty” Security
–Let’s face it, no one wants to
maintain an enterprise-wide list
of MAC addresses.
–What if a NIC gets changed?
–What about BYOD laptops?
–What about MAC spoofing?

7. 7#ATM16
Methodologies – Wait and See
–Let it on the network and if it does
something wrong, or we detect the
device type, move it via SNMP.
(sometimes coupled with a MAC
list)
–Constant changing of port config
–What if you miss a syslog?
–SNMP writing doesn’t always scale
well in enterprise environments

8. 8#ATM16
Methodologies – Captive Portal
–Works almost like a Guest Network.
1. Let them on in a temporary
fashion
2. Authenticate via Web Auth
3. Put them in the appropriate
VLAN/Role
–Not supported by all switches
–What happens to devices like
printers
and VoIP phones with no browser?

9. 9#ATM16
Methodologies – 802.1X
–L2, authentication and enforcement
occurs prior to the device getting an IP.
Also works for Guests with supplicant
active
–Requires the supplicant be present and active on the endpoint
(not on by default on Windows)
–What about printers and phones and door locks, etc. with no
supplicants (headless)?

10. 10#ATM16
What We Usually See
–802.1X, coupled with MAC Auth Bypass and Captive Portal
–Best if coupled with a profiler and/or other context sources
–Can be versatile enough to handle corporate, personal and guest
devices
Cisco:
interface GigabitEthernet<port-number>
switchport access vlan <vlan-id>
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
HPE:

11. 11#ATM16
Sample .1X Transaction using Certificates (TLS)
–Mutual Authentication
Request Identity
Response Identity (anonymous) Response Identity
TLS Start
Certificate
Client Key exchange
Cert. verification
Request credentials
Response credentials
Success
EAPOL RADIUS
EAPOL Start
AuthenticationServer
Authenticator
Endpoint

12. 12#ATM16
Sample .1X Transaction with Mac Auth Bypass and Captive
Portal

13. 13#ATM16
What Context do we use?
–Who is the user?
–What type of device is it?
–Is it a company-owned or
user-owned device?
–What’s the time of day or
day of week?
–Location – can this device
attach to this port?

14. 14#ATM16
Device
Profiling
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity
Stores
Network Devices
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Sources of Usable Device Context

15. 15#ATM16
Enforcement Options
–Great, now that we know the who, what, when, and where… what
can we do?
–Depends on access device, but typically we see:
–VLAN Steering
–dACL enforcement
–Change of
Authorization
–Vendor specific
(User Role, AV Pair)
–Captive portals on
some switches

16. 16#ATM16
Enforcement Options – Change of Authorization (CoA)
– The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy
changes for a user in ClearPass, administrators can send the RADIUS CoA packets from the ClearPass
Policy Manager (CPPM) to reinitialize authentication and apply the new policy.
– RADIUS Change of Authorization will disconnect them allowing them to reconnect in the new VLAN
assigned in the policy.
– If CoA isn't available using short DHCP leases and short session timeouts are options.

17. 17#ATM16
How to Handle “Headless” Devices
–For devices that do not support 802.1X:
–Need to use dynamic authentication/FlexAuth/MAB on
the port
–Two mechanisms for authentication:
–Device Profiler
–Device Registration

18. 18#ATM16
MAC Spoofing
What if someone spoofs
a headless device’s
MAC address?

19. 19#ATM16
ClearPass Can Detect Device Conflicts

20. 20#ATM16
Endpoint Profiler
Authorize devices like IP Phones, Hand Scanners, Printers, or
Access Points
Protects your
users and
devices

21. 21#ATM16
Profiling “Unknowns”
–Recommended Best Practice:
–Allow DHCP, SNMP, and maybe redirect HTTP to CPPM
–Once profiled, re-authenticate against new information
In the Demo, we will show how
to use a VLAN for profiling with
a short DHCP lease and
“bounce” the device to the
appropriate VLAN once they
are profiled

22. 22#ATM16
Example Profiling Policy
Create an
enforcement
profile and policy
rule to send the
dACL
(in the case of,
say, a Cisco LAN
switch)
Protect your users and devices

23. 23#ATM16
Device Registration
–ClearPass comes with a device registration feature that allows a specific device (MAC)
to be registered and authorized in the system.
–This allows a user to pre-register a device before bringing it onto the network.
– Thus creating an audit trail of the users devices
–Useful when a general category or OS family isn’t
–specific enough or when you need to only allow
specific devices.
–Example: We don’t want to authorize all Apple
MacBooks but we will allow some to be registered
and authorized
–Example: You are allowed 3 Personal Devices and
you need to add a new device and remove an old device
without having to call the helpdesk

24. 24#ATM16
Device Registration Example
The default device
registration page
looks like this:

25. 25#ATM16
Pulling it All Together

26. 26#ATM16
Summary: What do we get?
–A single config we can use on all access ports
–With CPPM, a policy engine and profiler that can
provide consistency across multiple types of edge
devices
–Ability to react differently to different device types,
and provide needed access without having to default
to “full access”

27. 27
Configs / Demos

28. 28
Demo 1 – 802.1X Authentication with VLAN Switching
Valid
User?
User
Type?
Student
Guest
No
Yes
Faculty
HP-2920
Switch
(PEAP-
MSCHAPv2)ClearPass
Router
Access
Denied
VLAN 100
VLAN 600
VLAN 200

29. 29
Demo 2 – Mac Auth Bypass with Device Profiling
HP-2920
Switch
(PEAP-
MSCHAPv2)
Device
Profiled?
Device
Type?
Access Point
Apple TV
No
Yes
Computer
ClearPass
Router
VLAN 400
VLAN 300
VLAN 200
Profiling
VLAN 700 with
short DHCP
Lease

30. 30
Demo 3 – Wired Guest Portal
HP-2920
Switch
(PEAP-
MSCHAPv2)
Supplicant
Enabled? No
Yes
ClearPass
Router
Return to
Demo 1
Guest Portal
VLAN 200

31. 31#ATM16
Join Aruba’s Titans of Tomorrow
force in the fight against network
mayhem. Find out what your
IT superpower is.
Share your results with friends
and receive a free superpower
t-shirt.
www.arubatitans.com

32. Thank you
staggs@hpe.com
cjenson@hpe.com