802.1X uses the EAP to authenticate users who wish to access the network.
EAP messages are exchanged between a supplicant and an authenticator, which are tunneled inside the EAPOL and RADIUS protocols
EAP introduces the philosophy that the supplicant should talk directly to the authentication server, with all intermediate devices acting only as relays
Tunnel and Non-Tunnel EAP
Supplicant sends its identity (name) in the clear to the authentication server. This is followed by an exchange that authenticates the authentication server to the user, and the user to the authentication server.
limitation of transmitting the user identity (but not the credentials) in the clear
Transmitting the challenge-response authentication exchange in the clear can facilitate some passive dictionary attacks, if user passwords are weak
To overcome these limitations, you can use a tunneled EAP architecture, in which an outer EAP encapsulates an inner EAP.
The outer EAP provides server authentication, and a cryptographically secure tunnel for the inner EAP method to run in.
Typical outer EAPs are PEAP and EAP-FAST. EAP-MSCHAPv2, EAP-TLS and EAP-GTC are commonly used for the inner EAP.
Share your Knowledge
Wednesday, August 7, 2019
MAC Authentication Bypass
When the MAB feature is enabled on an 802.1X port, the authenticator uses the MAC address as the client identity.
The authentication server has a database of client MAC addresses that are allowed to access the network.
After detecting a client on an 802.1X port, the authenticator waits for an Ethernet frame from the client.
The authenticator sends an Access-Request message using the MAC address of the endpoint as both the username and the password to the RADIUS server.
The RADIUS server can then compare the MAC address against entries in its policy database to make authorization decisions.
If an EAPOL packet is detected on the interface during the lifetime of the link, the authenticator determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAB) to authorize the interface
The authentication server has a database of client MAC addresses that are allowed to access the network.
After detecting a client on an 802.1X port, the authenticator waits for an Ethernet frame from the client.
The authenticator sends an Access-Request message using the MAC address of the endpoint as both the username and the password to the RADIUS server.
The RADIUS server can then compare the MAC address against entries in its policy database to make authorization decisions.
If an EAPOL packet is detected on the interface during the lifetime of the link, the authenticator determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAB) to authorize the interface
- A method to allow exemptions from 802.1X authentication
- Certain MAC addresses skip the regular authentication process
- MAC address sent in RADIUS Access-Request message
- Exempted MAC addresses defined as endpoints on the server
802.1X Phased Deployment Guidelines
802.1X can be implemented using a phased deployment model that allows for limited impact on network access while gradually introducing authentication and authorization.
It is generally recommended to begin the phased deployment with monitor mode in a well defined area of the network.
Think of this phase as an audit phase. Your network administrators can gain visibility into who will succeed and who will fail, determine the failure reason, and remediate the problem before enabling a stronger enforcement mode.
It is generally recommended to begin the phased deployment with monitor mode in a well defined area of the network.
Think of this phase as an audit phase. Your network administrators can gain visibility into who will succeed and who will fail, determine the failure reason, and remediate the problem before enabling a stronger enforcement mode.
Before moving from monitor mode to a stronger enforcement mode, you must decide whether low impact mode or closed mode is most appropriate.
The choice will depend on factors internal to your organization and your organization's security policy. It is possible that different modes may be appropriate in different areas of your network. For example it may be optimal to use low impact mode at the headquarters campus and closed mode at branch offices.
The choice will depend on factors internal to your organization and your organization's security policy. It is possible that different modes may be appropriate in different areas of your network. For example it may be optimal to use low impact mode at the headquarters campus and closed mode at branch offices.
After a successful phase of deployment, it is time to move to the next phase.
After a successful audit phase, you can move to the preferred enforcement mode for that area of the network.
You can also extend the identity solution to other areas of the network using monitor mode.
After a successful audit phase, you can move to the preferred enforcement mode for that area of the network.
You can also extend the identity solution to other areas of the network using monitor mode.
802.1X Closed Mode
The default behavior on a Cisco switch port configured for 802.1X is closed mode.
With closed mode, no traffic allowed only EAPOL traffic is allowed until the authentication process completes.
Authentication is required before any basic network services are available, including DHCP. Consideration of 802.1X timers is very important with closed mode
When a device connected to that switch port authenticates, an appropriate authorization policy can be applied. Options for authorization policies include downloadable ACLs, dynamic VLAN assignment or security group tags.
Note: NO authentication open or ip access-group default-ACL in
With closed mode, no traffic allowed only EAPOL traffic is allowed until the authentication process completes.
Authentication is required before any basic network services are available, including DHCP. Consideration of 802.1X timers is very important with closed mode
When a device connected to that switch port authenticates, an appropriate authorization policy can be applied. Options for authorization policies include downloadable ACLs, dynamic VLAN assignment or security group tags.
Note: NO authentication open or ip access-group default-ACL in
interface GigabitEthernet 0/1 authentication host-mode multi-auth authentication port-control auto mab dot1x pae authenticator
802.1X Low-Impact Mode
With low-impact mode, you are able to strengthen the security stance by adding an ingress ACL to the 802.1X-enabled switch port that is configured in open mode. This ACL provides the ability to maintain whatever basic connectivity is required for unauthenticated hosts.
This procedure can be used to provide a host that is attached to a default port with the ability to use DHCP, DNS, and perhaps get to the Internet, while blocking access to internal resources.
When a device connected to that switch port authenticates, an appropriate authorization policy can be applied. Options for authorization policies include downloadable ACLs, dynamic VLAN assignment or security group tags.
- Limited, basic access prior to authentication
- Port ACL applied to the switch interface
- Default port ACL, if no interface ACL exists
- Grant specific access after successful authentication
- dACL received from server
interface GigabitEthernet 0/1 authentication host-mode multi-auth authentication open authentication port-control auto mab dot1x pae authenticator ip access-group default-ACL in
802.1x monitor mode
- Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features.
- Monitor mode is configured with the
authentication open
command. - The default behavior of 802.1X is to block all data traffic except EAPOL. However, the open access feature allows you the option of providing unrestricted access to all traffic, even though authentication (802.1X, MAB, or web authorization) is enabled. Open access is accomplished with no impact to end users or network-attached hosts.
- Even failed authentication will allow access
- Network administrators can:
- See who would have failed
- Resolve the problem before causing a Denial of Service
- No effect on user or endpoint access
- AAA RADIUS accounting provides visibility into 802.1X operation
interface GigabitEthernet0/1 authentication host-mode multi-auth authentication open authentication port-control auto mab dot1x pae authenticator
802.1X Phased Deployment
802.1X can be implemented using a phased deployment model that allows for limited impact on network access while gradually introducing authentication and authorization.
- Phased approach for 802.1x deployment
- Gradual authorization enforcement
- Visibility into who will succeed and who will fail
- Determine the failure reason
- Remediate before implementing stronger enforcement
- Modes:
- Monitor mode
- Low impact mode
- Closed mode
- This figure summarizes the preauthentication and post-authentication behavior of the three 802.1X deployment phases: monitor, low-impact, and closed modes.
- In monitor mode, the open access feature transforms the normal behavior of blocking traffic on an 802.1X-enabled port until authentication and authorization are successfully performed. Full access is provided independently of the authentication results.In low-impact mode, a pre-authentication ACL is added to the port to permit some basic connectivity. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags.In closed mode, only EAPOL traffic is permitted until the user authenticates. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags. The authorization options available in closed mode are identical to the options available in low-impact mode.
Subscribe to:
Posts (Atom)