© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1
Deep Dive into TrustSec/Demo
Daniel Braine
Security CSE CCIE R/S:24663
Demo Architecture
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Demo Architecture (slide diagram): Identity Services Engine (ISE); Unified Access Management: NCS; 2106 WLC; 3750X; ASA 5520; SSID: Agency_Secured_Wire. Policy profiling sources: DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS. Policy attributes: user, location, time, device, attribute X. Access classes: Gov Resources; Restricted Internet Only.

District Issued Device (Govt. device, Government user):
1. 802.1X EAP user authentication
2. Profiling to identify device
3. Policy decision
4. Policy enforced to “VLAN 10” on same SSID
5. Full access granted
6. Full device visibility

Personal Device:
1. 802.1X EAP user authentication
2. Profiling to identify device
3. Policy decision
4. Policy enforced to “VLAN 10 or 20” on same SSID
5. Full or restricted access granted
6. Full device visibility
ISE Policy Architecture: Summary
ISE policy architecture (slide diagram): the Subject sends an Access Request to the PEP (policy enforcement point), which exchanges request/response context with the PDP (policy decision point); the PDP queries attributes from the PIP (policy information point); policies are viewed and configured through the PAP (policy administration point); the PEP grants Resource Access; PEP, PDP and iPEP send logging to M&T (monitoring and troubleshooting), where logs and reports are viewed.
Cisco NCS = Common Wired+Wireless Device Management
Siloed management (separate wireless and wired tools): siloed, repetitive, error prone.
Unified wired+wireless management: simple, unified, single view.
Single pane of glass view and management of the wired+wireless network.
Network Access Core Principles
IEEE 802.1X framework
Extensible Authentication Protocol (EAP), RFC 3748
Use of RADIUS Change of Authorization (CoA), RFC 3576
IEEE 802.1X
Standard set by the IEEE 802.1 working group. It is a framework designed to address and provide port-based access control using authentication.
Primarily, 802.1X is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol.
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point).
Assumes a secure connection. Actual enforcement is via MAC-based filtering and port-state monitoring.
What Does EAP Do?
Transports authentication information in the form of EAP payloads
Establishes and manages connections; allows authentication by encapsulating various types of authentication exchanges
Prevalent EAP types
– EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
– PEAP: protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel (TLS)
– EAP-FAST: designed to not require certificates; tunnels other EAP types in an encrypted tunnel (TLS)
Frame layout (slide diagram): supplicant to authenticator: Ethernet Header | 802.1X Header | EAP Payload; authenticator to authentication server: IP Header | UDP | RADIUS | EAP Payload.
How Is RADIUS Used Here?
RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server).
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579.
RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs.
Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580.
AV pairs: attribute-value pairs.
Packet layout (slide diagram): request: IP Header | UDP Header | RADIUS Header | EAP Payload; response: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs.
Change of Authorization (CoA)
Challenges
• How are ports reauthorized once it is learned what the port is?
• How is the access policy changed once the posture policy is learned?
• How do we reauthorize a port once the user’s identity is authorized through central web?
Problem: A RADIUS server cannot start a conversation with the authenticator. The authenticator (RADIUS client) must start a conversation with the RADIUS server.
Solution: CoA (RFC 3576, Dynamic Authorization Extensions to RADIUS) allows the RADIUS server to start the conversation with the authenticator.
CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without having to start the entire process all over again.
CoA is supported on the WLC for 802.1X since the 7.0.116 (Spring 2011) release. CoA for non-802.1X on the WLC will be supported in Q1 CY2012. CoA is supported on wired routers and switches for all authentication methods.
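As an added example (not from the deck or from Cisco), the CoA-Request and CoA-ACK/NAK authenticators defined by RFC 3576/5176, built and verified in Python. The NAS IP 10.1.10.5 and key cisco123 are the demo values from the authentication-flow slide; the MAC address is constructed, and the Cisco-AVPair string subscriber:command=reauthenticate is the IOS CoA command text, which the deck does not name.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Packet codes defined by RFC 3576 / RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# RFC 2865 attribute types used below, plus the Cisco vendor id used for AV pairs.
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(attr_type, value):
    """Encode one attribute as Type(1) | Length(1) | Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair: Vendor-Specific (26) wrapping vendor 9, vendor-type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code, identifier, attributes, secret):
    """CoA-Request or Disconnect-Request. RFC 5176 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + request attributes + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_response(code, request, attributes, secret):
    """CoA-ACK/NAK or Disconnect-ACK/NAK answering `request`. Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_request(packet, secret):
    """The check a NAS (RADIUS client) performs before acting on an inbound request;
    RFC 5176 says a packet that fails it is silently discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """The check the policy server performs on the ACK/NAK that comes back."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def reauth_request(nas_ip, mac, secret, identifier=None):
    """'Re-authenticate session' from the slide: the session is identified by NAS IP
    and Calling-Station-Id; the command travels as a Cisco-AVPair (an IOS string,
    not named on the slide)."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attributes = (
        attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + attr(CALLING_STATION_ID, mac.encode())
        + cisco_avpair("subscriber:command=reauthenticate")
    )
    return build_request(COA_REQUEST, identifier, attributes, secret)
```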
RADIUS Change of Authorization (CoA) (slide diagram): a RADIUS server sends CoA to the switchport (RADIUS client) for dynamic session control from a policy server, for example moving the device from the Guest VLAN to the Corp VLAN. Actions: re-authenticate session; terminate session; terminate session with port bounce; disable host port; session query (for active services, for complete identity); service-specific: service activate, service de-activate, service query.
802.1X End-User Authentication Flow (slide diagram)
Topology: access switch 10.1.10.x/24 (.1), AAA/ISE (.21); VLAN 100 = “DATACENTER” = 10.1.100.0/24. Switch: aaa authen dot1x default group RADIUS. Port in Open Mode with ACL-DEFAULT (permit DHCP) and ACL-PREPOSTURE.
1) Detection: EAPoL-Start from the supplicant.
2) Challenge & Response: identity challenge & response over 802.1X/EAP; username cisco (Cisco/Cisco123). Supplicant checks: trust auth server cert? Username & password?
3) Authentication: Access-Request over RADIUS. Service selection: 802.1X; NAS-IP: 10.1.10.5; RADIUS key: cisco123; IETF:NAS-Port-Type == Ethernet; IETF:Service-Type == Framed; Calling-Station-ID = dead:beef:feed. Protocol negotiation (PEAP, EAP-FAST, EAP-TLS). Success! Group: Internal Users.
4) Authorization: Access-Accept with EAP Success. Authorization policy PREPOSTURE: [27] Session-Timeout = 86400 (24 hours); [29] Termination-Action = RADIUS-Request (1); [64,65,81] Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID = VLAN, 802, “ACCESS”; [26/9/1] Cisco-AVPair dACL=ACL-PREPOSTURE. Authorization applied; re-DHCP.
5) Accounting: Accounting-Start (timestamp, MAC, NAS IP, port ID, username, group, session ID, …); Accounting-Stop on disconnect, shutdown, restart or sleep.
Deployment Considerations: Authentication
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs?
• Common access rights when on-premises, at home, on the road?
• Are endpoints healthy?
• Can I allow guests Internet-only access?
• How do I easily create a guest account?
• Can this work in wireless and wired?
• How do I monitor guest activities?
• How do I discover non-authenticating devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
Non-802.1X Client Default Behavior
An 802.1X-enabled switch port will send EAPOL-Identity-Request frames on the wire, whether a supplicant is there or not.
No network access is given if the switch does not receive an EAPOL identity response.
The entire process continually repeats.
Slide diagram (no EAPOL, so the 802.1X process fails): 1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03. 2. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03. 3. After 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03.
Switch(config-if)# authentication port-control auto
Flexible Authentication: One Configuration Fits All
• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Choice of policy enforcement mechanisms: VLAN, dACL or named ACL, HTTP Redirect
• Support single-host and multi-auth scenarios
Slide diagram: the port tries EAP 802.1X first; if 802.1X times out or fails, it falls back to MAB and then to web authentication (URL redirect), with ISE making the decision.
– 802.1X client or IP phone: EAP credentials sent & validated; port authorized.
– Network printer or IP phone with known MAC: Access-Accept; port authorized (MAB).
– Guest user, employee, partner, faculty or sub-contractor with unknown MAC: Access-Accept, port authorized with URL redirect (web).
– Host change: the sequence runs again for the new host.
MAC Databases Considerations Summary
Method | What is it? | Advantages | Problems | Use case
OUI wildcards | Use 3-byte identifier | Easy to add lots of devices | No granularity | ‘Add all HP printers’
ISE | Local database with RADIUS server | Readily available | No central repository for all IDs | ‘RADIUS only’
Active Directory | Central directory service | Central repository | Should have support for [IEEE 802] object; password complexity GPO | ‘All in one’
Device profiling | Automatic building of MAC database | Automated | Need certain methods to make it reliably identify devices | ‘Handle unknown devices’
LDAP | Central directory | Standards based | Manually populated and maintained | ‘Leverage existing db’
Automated Identity & Analysis
Device Authentication: ISE Profiler (PCs and non-PCs: UPS, phone, printer, AP)
Cisco ISE Profiler:
DISCOVER and profile all devices
MONITOR device conformance to identity
Central Web Auth (CWA) for non-1X User
“Flex Auth”: multiple triggers, single port config (• 802.1X timeout • 802.1X failure • MAB success)
Slide flow (host, switch, DHCP/DNS, ISE Policy Service node):
1. MAB: MAC success.
2. AuthC success; AuthZ for unknown user returned: URL redirect + dACL/VLAN.
3. Host acquires IP address. Host opens browser; the switch redirects the browser to the ISE CWA login page; host sends username/password. AUP process, if configured.
4. Web auth success results in CoA; server authorizes user.
5. MAB re-auth.
6. Session lookup, policy matched; authorization dACL/VLAN returned.
IPT & 802.1X: Fundamental Challenges
1. IPT breaks the point-to-point model: 802.1X assumes one device per port; with IP telephony there are two devices per port (phone and PC), so the second device causes a security violation.
2. Link state dependency: the PC link state is unknown to the switch.
“The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis.” IEEE 802.1X rev 2004
802.1X and Voice: Multi-Domain Authentication (MDA)
• MDA replaces CDP Bypass • Supports Cisco & 3rd party phones • Phones and PCs use 802.1X or MAB
IEEE 802.1X: single device per port. MDA: single device per domain per port, two domains per port (Voice and Data, separated by 802.1Q).
Phone authenticates in the Voice domain and tags traffic in the VVID.
PC authenticates in the Data domain, untagged traffic in the PVID.
Releases: 3K: 12.2(35)SEE; 4K: 12.2(37)SG; 6K: 12.2(33)SXI
Summary: Multiple Hosts per Port
Host Mode | Enforcement | Deployment Considerations
Single | Single MAC address per port | • Second MAC address triggers a security violation • VMs on the host must share the same MAC address • CDP Bypass is the only IPT solution
Multi-Domain Auth (MDA) | One voice device + one data device per port | • Same as single host mode except phone authenticates • Supports third-party phones
Multi-Auth | Superset of MDA with multiple data devices per port | • Authenticates every MAC address in the data domain • VMs on the host may use different MAC addresses • One VLAN (default port VLAN) for all devices on the port
Multi-Host | One authenticated device allows any number of subsequent MAC addresses | • Not recommended • VMs on the host may use different MAC addresses • CDP Bypass is the only IPT solution
IPT & 802.1X: The Link-State Problem
Slide diagram: port authorized for 0011.2233.4455 only (PC A behind the phone).
1) Legitimate users cause a security violation: PC B (S:6677.8899.AABB) replaces PC A behind the phone and its frames trigger Security Violation.
2) A security hole: hackers can spoof the MAC (S:0011.2233.4455) to gain access without authenticating, because the switch never saw PC A's link go down.
Previous Solution: Proxy EAPoL-Logoff
Slide sequence (A: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x):
PC-A unplugs; the phone sends a proxy EAPoL-Logoff; the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED).
PC-B plugs in (B: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x).
Caveats: • Only for 802.1X devices behind the phone • Requires logoff-capable phones
Previous Solution: MAB Inactivity Timeout
Slide sequence (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB):
Device unplugs; the port stays authorized for the old MAC and is vulnerable to a security violation and/or hole.
Inactivity timer expires; session cleared (Domain = DATA, Port Status = UNAUTHORIZED); vulnerability closed.
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity 300
 mab
Caveats: • Quiet devices may have to re-auth; network access denied until re-auth completes • Still a window of vulnerability
Releases: 3K: 12.2(35)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
CDP Link Down
Slide sequence (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB):
Device A unplugs; the phone sends a link down TLV to the switch; session cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED).
Device B plugs in (Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x).
Link status message addresses the root cause. Works for MAB and 802.1X. Nothing to configure.
Releases: IP Phone: 8.4(1); 3K: 12.2(50)SE; 4K: 12.2(50)SG; 6K: 12.2(33)SXI
Post-Logon User Authentication (Microsoft WZC)
Slide timeline, with the start/end of 802.1X authentication and the components that depend on network connectivity marked:
Power on → kernel loading, Windows HAL loading, device driver loading
802.1X machine auth
Components that depend on network connectivity: obtain network address (static, DHCP) → determine site and DC (DNS, LDAP) → establish secure channel to AD (LDAP, SMB) → Kerberos authentication (machine account) → computer GPOs loading (async) → GPO-based startup script execution → certificate auto-enrollment, time synchronization, dynamic DNS update
GINA (user logon)
802.1X user auth + network connectivity → Kerberos auth (user account) → user GPOs loading (async) → GPO-based logon script execution (SMB)
802.1X: Machine Access Restriction (MAR)
Machine authentication by itself does not prevent users from accessing the network with an unregistered machine
MAR allows ISE to use prior machine authentication as a condition for user authorization
To enforce this restriction, ISE caches the MAC address associated with a successful machine authentication
User authentication is only successful if MAC address is cached from previous machine authentication from same computer
This provides a way to deny authentication for a user because machine authentication to the network was not completed prior to a login attempt
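As an added example (not from the deck or from ISE itself), the MAR cache logic described above in Python: a successful machine authentication caches the MAC, and a user authentication is accepted only while that entry exists. The aging time is an assumption, since the slide gives none; the MAC notations handled are the ones that appear elsewhere in the deck.

```python
import time
from typing import Callable, Dict, Tuple


def normalize_mac(mac: str) -> str:
    """Accept the notations seen in the deck (0011.2233.4455, 00-11-22-33-44-55,
    dead:beef:feed) and return lower-case colon notation."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MachineAccessRestriction:
    """A successful machine (computer account) authentication caches the endpoint
    MAC; a later user authentication from the same MAC is authorized only while
    that cache entry exists. The aging time is an assumption; the slide gives none."""

    def __init__(self, aging_seconds: int = 6 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.aging = aging_seconds
        self.clock = clock
        self._cache: Dict[str, float] = {}  # normalized MAC -> expiry timestamp

    def record_machine_auth(self, mac: str, success: bool) -> None:
        """Called when the 802.1X machine authentication for `mac` completes."""
        if success:
            self._cache[normalize_mac(mac)] = self.clock() + self.aging

    def authorize_user(self, mac: str, user_auth_ok: bool) -> Tuple[str, str]:
        """Decision for a user authentication arriving from `mac`: (result, reason)."""
        if not user_auth_ok:
            return "reject", "user credentials not accepted"
        key = normalize_mac(mac)
        expiry = self._cache.get(key)
        if expiry is None:
            return "reject", "no prior machine authentication from this MAC"
        if expiry <= self.clock():
            del self._cache[key]
            return "reject", "machine authentication entry aged out"
        return "accept", "user logon from a machine-authenticated host"
```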
Q & A Time

Authorization: Policies and Conditions; Enforcement Mechanisms; Confidentiality & Integrity
Context-Aware Policy (slide diagram)
Identity information (Group: Full-Time Employee; Group: Contractor; Group: Guest) + other conditions: time and date, access type, location, posture, device type, 802.1x/infrastructure.
Authorization (controlling access): broad access; limited access; guest/Internet; deny access; quarantine; track activity for compliance.
Examples: Vicky Sanchez, Employee, Marketing, wireline, 3 p.m. Frank Lee, Guest, wireless, 9 a.m. Security Camera G/W, agentless asset, MAC: F5 AB 8B 65 00 D4. Francois Didier, Consultant, HQ—Strategy, remote access, 6 p.m.
Tying It All Together: ISE Authorization Policy Definition
Conditions: Device Type, Location, User, Posture, Time, Access Method, Custom
Policy Enforcement: Segmentation
Method | Segmentation point | PROs | CONs
VLANs | Ingress | • Does not require switch port ACL management • Preferred choice for path isolation | • Typically requires IP change, thus often disruptive to user access with potential delays and/or conflicts with other endpoint processes • Requires the proliferation of common VLANs across the access network and its associated VLAN management/maintenance • VLANs still require some other enforcement mechanism(s) to be deployed to either isolate network traffic or provide access restrictions; VLANs alone do not limit traffic flow at the L3 edge
dACLs | Ingress | • No IP address change required, thus minimal host disruption • Does not require the proliferation of VLANs across the access network and associated VLAN management • Provides access control directly at the switch port versus reliance on an upstream security device or mechanism | • Resource limits per switch on ACE count per ACL, thus the primary focus is on coarse-grained access restrictions, with fine-grained restrictions resources permitting • Requires centralized management and maintenance of ACLs applied to each switch port
SGA | Egress | • Simplifies ACL management and reduces the number of ACLs required across the entire network (single policy near the resource versus policy deployed at ingress/intermediate points) • Uniformly enforces policy independent of source IP • Provides fine-grained access control close to the protected resource | • SGA support is not yet universal across Cisco platforms
Confidentiality and Integrity: 802.1AE-Based Encryption
TrustSec provides Layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
128-bit AES-GCM (Galois/Counter Mode), NIST approved *
Line-rate encryption/decryption for both 10GbE and 1GbE interfaces
Replay protection of each and every frame
802.1AE encryption protects the CMD field (SGT value)
Customer benefits:
Protects against man-in-the-middle attacks (snooping, tampering, replay)
Standards-based frame format and algorithm (AES-GCM)
Network-service-amenable hop-by-hop approach compared to an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)
* NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
802.1AE (MACsec) Tagging
Slide diagram: MACsec tag format and TrustSec frame format; EtherType 0x88e5; the diagram marks which fields are encrypted and which are only authenticated.
Hop-by-Hop Encryption via IEEE 802.1AE
Slide diagram: each link carries 128-bit AES-GCM encrypted frames; inside each device (ASIC) everything is in the clear.
“Bump-in-the-wire” model:
- Packets are encrypted on egress
- Packets are decrypted on ingress
- Packets are in the clear in the device
Allows the network to continue to perform all the packet inspection features currently used.
Security Association Protocol
Security Association Protocol (SAP) negotiates keys and the cipher suite for encryption automatically.
Negotiation starts after successful authentication/authorization for NDAC.
At the end of SAP, both supplicant and authenticator have the same session key.
The session key is used to encrypt traffic on the link. The session key is derived from the PMK (learned by both devices from ACS during authentication) and some random numbers shared during SAP.
Rekey is performed periodically.
Q & A Time

Trusted Network: Security Group Access; Authenticated Network
Security Group Based Access Control (SGACL)
Security Group Based Access Control allows customers:
To keep the existing logical design at the access layer
To change/apply policy to meet today’s business requirements
To distribute policy from a central management server
Slide diagram: a user authenticates via 802.1X/MAB/Web Auth (“I’m a contractor, my group is IT Admin”); Contractor & IT Admin are assigned SGT = 100 at the SGT-capable device; the frame carries SGT = 100 toward the Database (SGT=4) and IT Server (SGT=10).
Security Group Based Access Control
Security Group Tag (SGT): unique 16-bit (65K) tag assigned to a unique role
Represents the privilege of the source user, device or entity
Tagged at ingress of the TrustSec domain
Filtered (SGACL) at egress of the TrustSec domain
No IP address required in the ACE (IP address is bound to SGT)
Policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device
Customer benefits:
Provides topology-independent policy
Flexible and scalable policy based on user role
Centralized policy management for dynamic policy provisioning
Egress filtering reduces TCAM impact
Layer 2 SGT Frame Format
Slide diagram: Ethernet frame fields with the Cisco Meta Data (CMD) field carrying the SGT; the highlighted fields are the L2 802.1AE + TrustSec overhead, marked encrypted or authenticated.
Frame is always tagged at the ingress port of an SGT-capable device
Tagging process occurs prior to other L2 services such as QoS
No impact on IP MTU/fragmentation
L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552-byte MTU)
SGT Assignment
Campus/mobile endpoints: every endpoint that touches the TrustSec domain is classified with an SGT. SGT can be sent to the switch via RADIUS authorization after:
• 802.1X authentication
• MAC Authentication Bypass
• Web Authentication Bypass
• or static IP-to-SGT binding on the switch
Full integration with Cisco Identity Solution.
Data center/servers: every server that touches the TrustSec domain is classified with an SGT. SGT is usually assigned to those servers statically (IP-to-SGT binding).
Just like VLAN assignment or dACL, we assign the SGT in the authorization process.
SGT Exchange Protocol (SXP)
SGT native tagging requires hardware (ASIC) support. SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and -incapable devices.
Currently supported on Catalyst 6500, 4500/4900, 3560/3750 and Nexus 7000 switches.
Based on TCP with MD5 authentication. Supports single-hop or multi-hop SXP. SXP accelerates initial deployment of SGT/SGACL without an immediate hardware upgrade.
SXP example (slide diagram): campus network with Catalyst® 3750-E (802.1X, MAB, LWA; users and endpoints: Doctor (SGT 7), IT Admin (SGT 5), agent-less device), Catalyst® 4948, Nexus® 7000 distribution and core, ACS v5.1 with Active Directory. VLAN100: IT Portal (SGT 4) 10.1.100.10. VLAN200: Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100. Frames leave the access layer untagged and are tagged (e.g. SGT=7) where SGT enforcement takes place.
If the switch supports SXP, the switch can send its IP-to-SGT binding table to an SGT-capable device (e.g. Nexus 7000). IP-to-SGT binding info is exchanged using SXP; the sending switches are SXP speakers, the receiving devices are listeners.
Locally learned bindings (speaker):
IP Address | SGT | Source
10.1.10.102 | 5 | LOCAL
10.1.10.110 | 14 | LOCAL
10.1.99.100 | 12 | LOCAL
Statically configured bindings (speaker):
IP Address | SGT | Source
10.1.100.10 | 4 | CLI
10.1.200.10 | 8 | CLI
10.1.200.100 | 10 | CLI
10.1.200.200 | 9 | CLI
SGT tagging (slide diagram, same topology): the SGT-capable device (Catalyst® 4948 in the diagram) holds the IP-to-SGT binding table learned over SXP:
IP Address | SGT | Source
10.1.10.102 | 5 | SXP
10.1.10.110 | 14 | SXP
10.1.99.100 | 12 | SXP
When the SGT-capable device receives a packet, it looks up the SGT value in the table and inserts the SGT tag into the frame when it exits the egress port: an untagged frame with SRC=10.1.10.102 leaves as a tagged frame with SGT=5.
SGT Policy Download to SGT-Capable Device
Policy is downloaded to SGT-capable hardware (e.g. Nexus 7000 switch) when:
• The device first authenticates to ACS (via NDAC)
• The policy timer expires (by default 1 day)
• It is manually queried from ACS (cts refresh role-based-policy)
• A new IP-to-SGT mapping is configured manually on the switch
• A new SGT is seen on an interface of the device doing SGACL enforcement and the current SGACL policy on the switch does not have the policy for this source SGT
Policy download example (slide diagram, same topology: Catalyst® 3750-X with 802.1X/MAB/LWA users and endpoints, Doctor (SGT 7), IT Admin (SGT 5), agent-less device; Catalyst® 4948; Nexus® 7000 distribution and core; ACS v5.1 with Active Directory; VLAN100 IT Portal (SGT 4) 10.1.100.10; VLAN200 Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100). Bindings travel by SXP, policy is downloaded from ACS, and SGT enforcement is applied to tagged frames (SGT=7). Policy downloaded for source SGT 5 (IT Admin):
CTS7K-DC# show cts role-based policy
sgt:5 dgt:4 rbacl:Permit IP
  permit ip
sgt:5 dgt:8 rbacl:Permit IP
  permit ip
sgt:5 dgt:9 rbacl:Permit IP
  permit ip
sgt:5 dgt:10 rbacl:IT_Maintenance_ACL
  permit tcp dst eq 20 log
  permit tcp dst eq 21 log
  permit tcp dst eq 22 log
  permit tcp dst eq 445 log
  permit tcp dst eq 135 log
  permit tcp dst eq 136 log
  permit tcp dst eq 137 log
  permit tcp dst eq 138 log
  permit tcp dst eq 139 log
  permit tcp dst eq 3389 log
  permit icmp log
  deny ip
<skip>
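As an added example (not from the deck or from Cisco), a Python model of the egress enforcement this slide shows: it parses the show cts role-based policy output above, classifies source and destination addresses with the IP-to-SGT bindings from the SXP slides, and applies the matching RBACL top-down. Treating an address without a binding as SGT 0 (the deck's “Unknown” tag) and a missing sgt/dgt cell as deny are this example's assumptions, not device behaviour stated on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from the binding tables on the SXP slides: the first three are learned
# by the access switch and sent over SXP, the data-center ones are configured (CLI).
BINDINGS = {
    "10.1.10.102": (5, "SXP"),    # IT Admin
    "10.1.10.110": (14, "SXP"),
    "10.1.99.100": (12, "SXP"),
    "10.1.100.10": (4, "CLI"),    # IT Portal
    "10.1.200.10": (8, "CLI"),    # Public Portal
    "10.1.200.100": (10, "CLI"),  # Patient Record DB
    "10.1.200.200": (9, "CLI"),   # Internal Portal
}
UNKNOWN_SGT = 0  # special tag for frames from untrusted peers or unbound hosts

# 'show cts role-based policy' output from the slide, one ACE per line (the slide
# truncates the listing with <skip>; every ACE it shows is kept).
SHOW_CTS_ROLE_BASED_POLICY = """\
sgt:5 dgt:4 rbacl:Permit IP
  permit ip
sgt:5 dgt:8 rbacl:Permit IP
  permit ip
sgt:5 dgt:9 rbacl:Permit IP
  permit ip
sgt:5 dgt:10 rbacl:IT_Maintenance_ACL
  permit tcp dst eq 20 log
  permit tcp dst eq 21 log
  permit tcp dst eq 22 log
  permit tcp dst eq 445 log
  permit tcp dst eq 135 log
  permit tcp dst eq 136 log
  permit tcp dst eq 137 log
  permit tcp dst eq 138 log
  permit tcp dst eq 139 log
  permit tcp dst eq 3389 log
  permit icmp log
  deny ip
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # set only for "dst eq <port>" entries
    log: bool


Policy = Dict[Tuple[int, int], Tuple[str, List[Ace]]]


def parse_role_based_policy(text: str) -> Policy:
    """Parse the show output into {(sgt, dgt): (rbacl_name, [Ace, ...])}."""
    policy: Policy = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"sgt:(\d+)\s+dgt:(\d+)\s+rbacl:(.+)$", line)
        if head:
            current = (int(head.group(1)), int(head.group(2)))
            policy[current] = (head.group(3).strip(), [])
            continue
        parts = line.split()
        if current is None or parts[0] not in ("permit", "deny") or len(parts) < 2:
            raise ValueError("unrecognised line in policy output: %r" % line)
        port = int(parts[parts.index("eq") + 1]) if "eq" in parts else None
        policy[current][1].append(Ace(parts[0], parts[1], port, "log" in parts))
    return policy


def classify(ip: str) -> int:
    """IP-to-SGT lookup; an address without a binding is treated as SGT 0 (Unknown)."""
    return BINDINGS.get(ip, (UNKNOWN_SGT, "none"))[0]


def sgacl_decision(policy: Policy, src_ip: str, dst_ip: str, proto: str,
                   dst_port: Optional[int] = None) -> Tuple[str, int, int, str]:
    """Egress enforcement: map both addresses to tags, pick the (sgt, dgt) cell and
    walk its ACEs top-down, first match wins. A cell with no downloaded policy is
    modelled as deny here (assumption; a real switch applies its default policy)."""
    sgt, dgt = classify(src_ip), classify(dst_ip)
    cell = policy.get((sgt, dgt))
    if cell is None:
        return "deny", sgt, dgt, "no RBACL downloaded for this sgt/dgt pair"
    name, aces = cell
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        note = "%s: %s %s%s" % (name, ace.action, ace.proto, " (logged)" if ace.log else "")
        return ace.action, sgt, dgt, note
    return "deny", sgt, dgt, "%s: implicit deny" % name
```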
SGT Is Exchanged Based on “Trust”
Any member of the CTS domain needs to establish a trust relationship with its peer; otherwise it is not trusted.
Only an SGT from a trusted member can be “trusted” and processed by its peer.
An SGT from a distrusted device is tagged as “Unknown”, a special SGT (value is zero).
The process of authenticating a network device is called “Network Device Admission Control”, or NDAC in short.
Network Device Admission Control (NDAC)
Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form a trusted domain
Only an SGT from a trusted peer is honored
Authentication leads to the Security Association Protocol (SAP) to negotiate keys and cipher suite for encryption automatically (mechanism defined in 802.11i)
802.1X-REV will succeed and replace SAP
A trusted device acquires trust and policies from the ACS server
Mitigates rogue network devices and establishes a trusted network fabric to ensure SGT integrity and its privilege
Automatic key and cipher suite negotiation for strong 802.1AE-based encryption
Network Device Admission Control (slide diagram, same topology: users and endpoints on Catalyst® 3750-E, campus network, Nexus® 7000 distribution and core, ISE as the 802.1X authentication server with Active Directory; servers IT Portal (SGT 4) 10.1.100.10, Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100; SGT=7 on the endpoint side). Between two network devices one acts as 802.1X authenticator and the other as 802.1X supplicant; the authenticator talks RADIUS to ISE.
NDAC validates peer identity before the peer becomes part of the circle of trust! NDAC uses EAP-FAST/MSCHAPv2 for authentication.
The first peer to gain ISE server connectivity wins the authenticator role. Once the authenticator role is determined, the device terminates its supplicant role by itself.
Q & A Time

Open Access Application 1: Monitor Mode
RADIUS accounting logs provide visibility:
• Passed/failed 802.1X/EAP attempts • List of valid dot1x-capable • List of non-dot1x-capable
• Passed/failed MAB attempts • List of valid MACs • List of invalid or unknown MACs
TO DO before implementing access control: • Confirm that all these should be on the network • Install supplicants on X, Y, Z clients • Upgrade credentials on failed 802.1X clients • Update MAC database with failed MABs …
Monitor the network, see who’s on, address future connectivity problems by installing supplicants and credentials, creating the MAB database.
Segmenting Users, Devices and Networks: How to Extend IBNS Policy into the Network…
GRE tunnels and policy routing
VRF-Lite end-to-end (virtual route forwarding)
VRF-Lite at the distribution with MPLS L3 VPNs at the core
MPLS L3 VPNs end-to-end
Use the network to provide isolation and simplified policy enforcement (slide diagram): “Guest” VLAN tunneled to the Internet DMZ; VoIP on an ultra-secure segment; overlapping address space in Dept-HR and Dept-ENGR can co-exist.
Session Directory APIs: List of APIs
Session Directory Query
• Count of concurrent sessions: https://{hostname}/mnt/API/External/Session/ActiveCount
• Count of sessions which have the posture service involved: https://{hostname}/mnt/API/External/Session/PostureCount
• Count of sessions which have the profiler service involved: https://{hostname}/mnt/API/External/Session/ProfilerCount
• Active session list (provides MAC address, NAS IP, user name and session ID information associated with a session): https://{hostname}/mnt/API/External/Session/ActiveList
• List of active sessions authenticated in a particular period of time: https://{hostname}/mnt/API/External/Session/AuthList/{starttime}/{endtime}
• Detailed session attributes of an endpoint’s latest session, by MAC address: https://{hostname}/mnt/API/External/Session/MACAddress/{mac}
• Detailed session attributes of an endpoint’s latest session, by username: https://{hostname}/mnt/API/External/Session/UserName/{username}
• Detailed session attributes of an endpoint’s latest session, by NAS IP address: https://{hostname}/mnt/API/External/Session/IPAddress/{nasip}
Change of Authorization API: List of APIs
CoA: allow Change of Authorization of an endpoint
• Session Reauth: https://{hostname}/mnt/API/External/CoA/Reauth/{server host name}/{mac}/{option}/{nasip}
{option} can be one of the following (0-2): REAUTH_TYPE_DEFAULT = 0; REAUTH_TYPE_LAST = 1; REAUTH_TYPE_RERUN = 2
• Session Disconnect: https://{hostname}/mnt/API/External/CoA/Disconnect/{server host name}/{mac}/{option}/{nasip}
{option} can be one of the following (0-2): DYNAMIC_AUTHZ_PORT_DEFAULT = 0; DYNAMIC_AUTHZ_PORT_BOUNCE = 1; DYNAMIC_AUTHZ_PORT_SHUTDOWN = 2
802.1X with Posture