Holistic view of 802.1x integration & optimization

Holistic view of 802.1x
integration & optimization
High level design, with visual paradigm
Presentation by: Faisal Md Abdur Rahman, BDPEER | faisal.rahman@bdpeer.com | www.bdpeer.com Phone: +8801687477308

What we will talk about
 Campus network in practice
 Security in practice
 802.1x, PEAP, EAP-TLS, EAP-FAST explained for campus network
 Policy based access control
 Network Admission Control (NAC)
 Introducing NAC appliance
 Secure network design with NAC for LAN & WLAN network
 Device profiling, posture check, guest redirection explained
 A case study scenario.

We will not talk about
 Network design (routing, switching, WAN technologies)
 Network Quality of Service for routing & switching
 Basic WLAN infrastructure design.
 Not going to discus network design models in details.

Campus Area Network (CAN)
 Network consists of switch, router, firewall.
 Network infrastructure is owned and operated by the organization itself.
 CAN is ranged within 1KM to 5KM of area.
 Users within the network are free to use network resources once they are within the
campus parameter.

CAN Pros & Cons
Advantages
 Easy build and maintenance.
 Open to all, personal hand-held device or laptops.
 Easy share and storage of resources within network and access from anywhere within the
network.
 Network resources stays within network and firewalled from external threat.
 Users uses secure login (SSO i.e. Shibbolet) technology to access resources within network.

Disadvantages
 Identity can be tempered. Such way unauthorized users with right user credential can
have access to unauthorized resource location resides within the network while the system
knows the resources are accessed by authorized person.
 User right within the entire network says same regardless which device the user using or
from which network location the user is coming from.
 Transparent to any firewall / IPS / IDS appliance.
 Device authorization scope is so limited and not dynamic.
 Management is slow and authentication / authorization events are not transparent to
network administrator.
CAN Pros & Cons

 Identity loss or unauthorized access (using valid credential) are never
detected if the intruder don’t do any harm to resources.
 Authorized users can access network resources using any devices
supports local network based authentication / SSO (i.e. AD,
OpenLDAP, Shibbolet, OTP, RADIUS).
 Any devices can access network even if the device is not security
compliant (i.e. Non-updated patch, AV definition, Application)
 Guest management is painful. Guest access to the network needs
network administrator extra effort and time for managing new
network.
 Device isolation for service is complicated.
CAN Pros & Cons

CAN security in practice
IPS /IDS
PBR
External
Threat
prevention
Zone
based
Firewall
AD, OTP,
openLDAP,
RSA Token
System
hardening
Internal
Threat
prevention
DLP,
awareness

CAN proposed
network security
Identity Service
Engine Core
Network
Security
LAN
Network
VPN
Access
Identity
source
External
RADIUS
External
MDM
Wireless
network
Switched
network
AD
Mobility
Services
Agent
less
Agent
based
OTP
Internal
CA
WLAN
Controller Lite AP
AP

CAN proposed security features
Features
Device
profiling
Automatic Manual
BYOD
Device
registration
redirection
Dynamic
profile
allocation
TLS
handshake
Posture
check
Posture
profiling
Posture
object
Dynamic
access
control
MAB
Policy
based
802.1x
Guest
redirection
User
/device
redirection
Guest
mgmt.

Authentication method explained
 MAC Authentication Bypass
Method of excluding MAC addresses for 802.1x authentication process when its detected in a 802.1x
enabled port.
 802.1x based authentication
Method of forwarding 802.1x request to Identity Source server (AD, openLDAP etc.) through Access
Server.
**NAD devices (Switch, Router, Firewall, virtual network devices) establish communication using pre-
shared key prior to establish 802.1x request to Access server.
Access server collect all authentication requests and forwards accordingly.

Protocols for authentication
 RADIUS
 PEAP or Protected Extensible Authentication Protocol
 EAP-TLS or certificate based authentication.
 EAP-FAST to carry both TLS and non-TLS authentication.
Inner methods
 MSCHAPv2, MSCHAP, MD5
 TLS

802.1x components configuration
 802.1x server or Access Server needs to add switches / Wireless controller with pre-shared
key defined.
 Switch port 802.1x enablement
 Switch /Wireless controller to contact with Access Server using pre-shared key.
 Dynamic authorization enablement (if supported by NAD devices).
 User PC / Server or VM needs to be 802.1x supplicant (Windows, Linux built-in or third-party
supplicant like CISCO Anyconnect) enabled.
 Finally correspondent rules for 802.1x authentication & authorization.

MAB configuration components
 Access server configuration for 802.1x exception
 Switch port MAB enablement configuration
 Open SSIDs in WLAN to be configured for MAB for guest redirection.

Policy based dynamic access
 Can be achieved using Microsoft NPS (No posture, device profiling, MDM integration,
BYOD, Needs windows server 2K8 and 2K12 enterprise licensed)
 Can be achieved using CISCO ISE. (Licensed product. Needs feature unlock license).
 Can be achieved using OpenNAC (open-source, No posture)
 Can be achieved using PakcketFence. (open-source, supports almost everything)

Dynamic NAC process
Failover
? Learn MAC
Start IEEE 802.1x
IEEE 802.1x
Fails
Retries
Exceeded
?
MAB
configured
MAB
configured
?
MAB
Pass?
Web-Auth
?
Auth Fail ?
Auth-Fail VLAN
Restart Timer
Restart Time
Expire
Quite Period
Expire
No Access
Web-Auth
Passed
Web-Authorization MAB Authorization
Y
N
N
Y
Y Y
N
N
Y
N
N
Y
Y

Implementation summary
 Deploying AD with domain name “bdnog2016.org”. (Optional)
 Deploying Certificate server (Microsoft CA, Entrust CA, OpenSSL etc.) (Optional)
 Deploying external RADIUS server. (Optional)
 Deploying OTP server (Optional)
 Deploying Identity Service Solution (ISE, Open-NAC or PacketFence). (mandatory)
 Select supported NAD device. Cisco WS-C2960+24PC-L is ideal for this operation. We can
also select Dell Force10 switches, PowerConnect specific models.
 Using wireless controller (Cisco WLC, ARUBA, Chillispot for dwrt based AP Etc.)

CASE STUDY SCENARIO: ISE
DISCUSSION ON A STUDTY THAT ALREADY BEEN IMPLEMENTED AND FUNCTIONAL IN ONE OF THE
LARGEST NGOs IN BANGLADESH WITHIN ALL 87 BRANCHES CONNECTED USING MPLS BACKBONE

Solution High Level Design

Placement in network
 Recommended to deploy in server zone. Not necessary to deploy in DMZ as the service
will be used by users within the organization.
 Must have secure firewall policies that will permit only the ports needed for 802.1x, RADIUS,
Wep-Portal Redirection & Posture redirection
 Wireless LAN Controller can be placed on L2 network or L3 network (Use FQDN broadcast
using the enterprise Domain-Controller).
 All NAD devices (Switches, Firewall, Wireless LAN Controller should be able to
communicate with both ISE servers).

Advance placement issues
 Do not place the ISE or NAC servers in Access Zone.
 Try to create separate zone for the ease of policing and security issue mitigation.
 If used de-centralized DHCP broadcast (in case of L3 MPLS) try Flex-Connect option at the
branch AP.
 Use Flex-ACL, AP-Group policy to make management easy and to ensure session control
for web-redirection (Avoid 500 Internal Error)

NAD configuration (Switch)
 Switch-Global configuration
 -----------------------------
 Switch(config)# aaa new-model
 Switch(config)# radius-server host 10.10.2.250
 Switch(config)# radius-server key <mykey>
 Switch(config)# aaa authentication dot1x default group radius local
 Switch(config)# dot1x system-auth-control
 Switch(config)# aaa authorization network default group radius
 Switch(config)# radius-server vsa send authentication
 Switch(config)# radius-server attribute 6 on-for-login-auth
 Switch(config)# radius-server attribute 8 include-in-access-req
 Switch(config)# radius-server attribute 25 access-request include
 Switch(config)# radius-server vsa send accounting
 Switch(config)# radius-server vsa send authentication
 Port Configuration
 ------------------------------
 Switch(config-if)# switchport mode access
 Switch(config-if)# authentication event fail action next-method
 Switch(config-if)# authentication event server dead action authorize
vlan 10
 Switch(config-if)# authentication event server alive action reinitialze
 Switch(config-if)# authentication host-mode multi-auth
 Switch(config-if)# authentication closed
 Switch(config-if)# authentication port-control auto
 Switch(config-if)# authentication violation restrict
 Switch(config-if)# ip device tracking
 Switch(config-if)# dot1x pae authenticator
 Switch(config-if)# spanning-tree portfast

NAD Configuration (WLC)
 Remote AP should be in flex-connect mode.
 Permit & Deny ACL should be configured on WLC, must be pointed at ISE under policy to
dynamically allocate for wireless users.
 Redirection ACL should be configured on WLC (For flex AP, ACL will be FLEX-ACL while
similar empty ACL will be in Normal ACL).

Enjoy 802.1x

Holistic view of 802.1x integration & optimization

Holistic view of 802.1x integration & optimization

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(20)

Similar to Holistic view of 802.1x integration & optimization

Similar to Holistic view of 802.1x integration & optimization(20)

More from Bangladesh Network Operators Group

More from Bangladesh Network Operators Group(20)

Recently uploaded

Recently uploaded(15)

Holistic view of 802.1x integration & optimization