
Holistic view of 802.1x integration & optimization


  1. Holistic view of 802.1x integration & optimization
     High level design, with visual paradigm
     Presentation by: Faisal Md Abdur Rahman, BDPEER | faisal.rahman@bdpeer.com | www.bdpeer.com Phone: +8801687477308
  2. What we will talk about
     • Campus network in practice
     • Security in practice
     • 802.1x, PEAP, EAP-TLS and EAP-FAST explained for the campus network
     • Policy-based access control
     • Network Admission Control (NAC)
     • Introducing the NAC appliance
     • Secure network design with NAC for LAN and WLAN networks
     • Device profiling, posture check and guest redirection explained
     • A case study scenario
  3. We will not talk about
     • Network design (routing, switching, WAN technologies)
     • Network Quality of Service for routing and switching
     • Basic WLAN infrastructure design
     • Network design models are not discussed in detail
  4. Campus Area Network (CAN)
     • The network consists of switches, routers and firewalls.
     • The network infrastructure is owned and operated by the organization itself.
     • A CAN spans an area of roughly 1 km to 5 km.
     • Users are free to use network resources once they are inside the campus perimeter.
  5. CAN Pros & Cons: Advantages
     • Easy to build and maintain.
     • Open to all, including personal hand-held devices and laptops.
     • Easy sharing and storage of resources within the network, accessible from anywhere inside it.
     • Network resources stay within the network and are firewalled from external threats.
     • Users use secure login (SSO, e.g. Shibboleth) technology to access resources within the network.
  6. CAN Pros & Cons: Disadvantages
     • Identity can be tampered with: an unauthorized user holding valid credentials can reach resource locations inside the network that they are not entitled to, while the system records the access as made by an authorized person.
     • User rights across the entire network stay the same regardless of which device the user is using or which network location the user is coming from.
     • Transparent to any firewall / IPS / IDS appliance.
     • Device authorization scope is very limited and not dynamic.
     • Management is slow, and authentication / authorization events are not visible to the network administrator.
  7. CAN Pros & Cons: Disadvantages (continued)
     • Identity loss or unauthorized access (using valid credentials) is never detected if the intruder does no harm to resources.
     • Authorized users can access network resources from any device that supports local network-based authentication / SSO (e.g. AD, OpenLDAP, Shibboleth, OTP, RADIUS).
     • Any device can access the network even if it is not security compliant (e.g. outdated patches, AV definitions or applications).
     • Guest management is painful: giving guests network access costs the network administrator extra effort and time to manage a new network.
     • Device isolation per service is complicated.
  8. [Diagram slide, no text]
  9. CAN security in practice
     [Diagram labels: IPS/IDS, PBR, External threat prevention, Zone-based firewall, AD, OTP, openLDAP, RSA Token, System hardening, Internal threat prevention, DLP, awareness]
  10. CAN proposed network security
     [Diagram labels: Identity Service Engine, Core Network Security, LAN Network, VPN Access, Identity source, External RADIUS, External MDM, Wireless network, Switched network, AD, Mobility Services, Agent-less, Agent-based, OTP, Internal CA, WLAN Controller, Lite AP, AP]
  11. CAN proposed security features
     • Device profiling: automatic, manual
     • BYOD: device registration redirection, dynamic profile allocation, TLS handshake
     • Posture check: posture profiling, posture object
     • Dynamic access control: MAB, policy-based 802.1x
     • Guest redirection: user / device redirection, guest management
  12. Authentication method explained
     • MAC Authentication Bypass (MAB): a method of exempting specific MAC addresses from the 802.1x authentication process when they are detected on an 802.1x-enabled port.
     • 802.1x-based authentication: a method of forwarding 802.1x requests to an identity source server (AD, openLDAP etc.) through the Access Server.**
     ** NAD devices (switches, routers, firewalls, virtual network devices) establish communication with the Access Server using a pre-shared key before forwarding 802.1x requests to it. The Access Server collects all authentication requests and forwards them accordingly.
  13. Protocols for authentication
     • RADIUS
     • PEAP, or Protected Extensible Authentication Protocol
     • EAP-TLS, or certificate-based authentication
     • EAP-FAST, to carry both TLS and non-TLS authentication
     Inner methods
     • MSCHAPv2, MSCHAP, MD5
     • TLS
  14. 802.1x components configuration
     • The 802.1x server (Access Server) needs the switches / wireless controller added with a defined pre-shared key.
     • Switch port 802.1x enablement.
     • The switch / wireless controller must contact the Access Server using the pre-shared key.
     • Dynamic authorization enablement (if supported by the NAD devices).
     • User PCs / servers / VMs need an 802.1x supplicant enabled (Windows or Linux built-in, or a third-party supplicant like Cisco AnyConnect).
     • Finally, the corresponding rules for 802.1x authentication and authorization.
  15. MAB configuration components
     • Access Server configuration for the 802.1x exception
     • Switch port MAB enablement configuration
     • Open SSIDs in the WLAN configured for MAB, for guest redirection
  16. Policy-based dynamic access
     • Can be achieved using Microsoft NPS (no posture, device profiling, MDM integration or BYOD; needs Windows Server 2K8 or 2K12 Enterprise licences).
     • Can be achieved using Cisco ISE (licensed product; needs feature unlock licences).
     • Can be achieved using OpenNAC (open source, no posture).
     • Can be achieved using PacketFence (open source, supports almost everything).
  17. Dynamic NAC process
     [Flowchart nodes: Start, Learn MAC, IEEE 802.1x, IEEE 802.1x Fails, Retries Exceeded?, Failover?, MAB configured?, MAB Pass?, MAB Authorization, Web-Auth?, Web-Auth Passed, Web-Authorization, Auth Fail?, Auth-Fail VLAN, Restart Timer, Restart Time Expire, Quiet Period Expire, No Access; Y/N decision edges]
  18. Implementation summary
     • Deploy AD with the domain name “bdnog2016.org”. (Optional)
     • Deploy a certificate server (Microsoft CA, Entrust CA, OpenSSL etc.). (Optional)
     • Deploy an external RADIUS server. (Optional)
     • Deploy an OTP server. (Optional)
     • Deploy an Identity Service solution (ISE, OpenNAC or PacketFence). (Mandatory)
     • Select a supported NAD device. The Cisco WS-C2960+24PC-L is ideal for this operation; Dell Force10 switches or specific PowerConnect models can also be selected.
     • Use a wireless controller (Cisco WLC, Aruba, Chillispot for DD-WRT based APs etc.).
  19. Case study scenario: ISE
     Discussion of a study that has already been implemented and is functional in one of the largest NGOs in Bangladesh, across all 87 branches connected over an MPLS backbone.
  20. Solution High Level Design
     [Diagram slide]
  21. Placement in network
     • Recommended to deploy in the server zone. Not necessary to deploy in the DMZ, as the service will be used by users within the organization.
     • Must have secure firewall policies that permit only the ports needed for 802.1x, RADIUS, web-portal redirection and posture redirection.
     • The Wireless LAN Controller can be placed on an L2 or L3 network (use FQDN broadcast via the enterprise domain controller).
     • All NAD devices (switches, firewalls, Wireless LAN Controller) should be able to communicate with both ISE servers.
  22. Advanced placement issues
     • Do not place the ISE or NAC servers in the access zone.
     • Try to create a separate zone, for ease of policing and security issue mitigation.
     • If decentralized DHCP broadcast is used (in the case of L3 MPLS), try the FlexConnect option at the branch AP.
     • Use Flex-ACL and AP-group policy to make management easy and to ensure session control for web redirection (avoids the 500 Internal Error).
  23. NAD configuration (Switch)
     Switch global configuration
     -----------------------------
       Switch(config)# aaa new-model
       Switch(config)# radius-server host 10.10.2.250
       Switch(config)# radius-server key <mykey>
       Switch(config)# aaa authentication dot1x default group radius local
       Switch(config)# dot1x system-auth-control
       Switch(config)# aaa authorization network default group radius
       Switch(config)# radius-server vsa send authentication
       Switch(config)# radius-server attribute 6 on-for-login-auth
       Switch(config)# radius-server attribute 8 include-in-access-req
       Switch(config)# radius-server attribute 25 access-request include
       Switch(config)# radius-server vsa send accounting
     Port configuration
     ------------------------------
       Switch(config-if)# switchport mode access
       Switch(config-if)# authentication event fail action next-method
       Switch(config-if)# authentication event server dead action authorize vlan 10
       Switch(config-if)# authentication event server alive action reinitialize
       Switch(config-if)# authentication host-mode multi-auth
       Switch(config-if)# authentication closed
       Switch(config-if)# authentication port-control auto
       Switch(config-if)# authentication violation restrict
       Switch(config-if)# ip device tracking
       Switch(config-if)# dot1x pae authenticator
       Switch(config-if)# spanning-tree portfast
  24. NAD configuration (WLC)
     • Remote APs should be in FlexConnect mode.
     • Permit and deny ACLs should be configured on the WLC and referenced in the ISE authorization policy so that they are allocated dynamically to wireless users.
     • A redirection ACL should be configured on the WLC (for Flex APs the ACL is a FlexConnect ACL, with a similarly named empty ACL among the normal ACLs).
  25. Enjoy 802.1x
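The port authentication flow of slide 17 (802.1x, then MAB, then Web-Auth, then the Auth-Fail VLAN) together with the two port events configured on slide 23 (`fail action next-method`, `server dead action authorize vlan 10`), as an added simulation that is not part of the presentation; the access server is a constructed stub, and every user, MAC address and VLAN number other than 10 is made-up sample data.

```python
"""Port authentication flow of slides 17 and 23, as an added simulation.

Example code, not from the presentation. It models the order 802.1X ->
MAB -> Web-Auth -> Auth-Fail VLAN of slide 17 plus the slide 23 port events
"fail action next-method" and "server dead action authorize vlan 10". The
access server is a constructed stub; users, MACs and VLANs other than 10
are made-up sample data; retry and quiet-period timers are omitted.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

CRITICAL_VLAN = 10    # slide 23: "server dead action authorize vlan 10"
AUTH_FAIL_VLAN = 999  # assumed number for the Auth-Fail VLAN of slide 17


@dataclass
class Endpoint:
    mac: str
    dot1x_creds: Optional[Tuple[str, str]] = None  # present if a supplicant runs
    web_creds: Optional[Tuple[str, str]] = None    # typed into the web portal


@dataclass
class AccessServer:
    """Constructed stand-in for ISE / PacketFence / NPS."""
    users: dict = field(default_factory=dict)        # user -> (password, vlan)
    mab_allowed: dict = field(default_factory=dict)  # mac -> vlan
    alive: bool = True

    def check_user(self, creds) -> Optional[int]:
        if creds is None:
            return None
        entry = self.users.get(creds[0])
        return entry[1] if entry and entry[0] == creds[1] else None


def authenticate_port(ep, srv, mab_configured=True, web_auth=True):
    """Return (method, vlan) that the NAD would apply to the access port."""
    if not srv.alive:
        # RADIUS unreachable: the port is authorized into the critical VLAN
        # with no identity check at all, so keep that VLAN tightly filtered.
        return ("critical", CRITICAL_VLAN)
    vlan = srv.check_user(ep.dot1x_creds)
    if vlan is not None:
        return ("dot1x", vlan)
    if mab_configured and ep.mac in srv.mab_allowed:   # next-method: MAB
        return ("mab", srv.mab_allowed[ep.mac])
    vlan = srv.check_user(ep.web_creds) if web_auth else None
    if vlan is not None:                                # next-method: Web-Auth
        return ("web-auth", vlan)
    return ("auth-fail", AUTH_FAIL_VLAN)
```

Note that a MAB-only endpoint is admitted purely on its MAC address, and a dead RADIUS server admits every endpoint into VLAN 10, which is why both the MAB allow-list and the critical VLAN deserve the tightest ACLs in the design.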
