Wednesday, August 7, 2019

Extensible Authentication Protocol

802.1X uses EAP to authenticate users who wish to access the network.

EAP messages are exchanged between the supplicant and the authentication server. They are carried inside EAPOL between the supplicant and the authenticator, and inside RADIUS between the authenticator and the authentication server.

EAP introduces the philosophy that the supplicant should talk directly to the authentication server, with all intermediate devices acting only as relays



Tunnel and Non-Tunnel EAP

In a non-tunneled EAP method, the supplicant sends its identity (name) in the clear to the authentication server. This is followed by an exchange that authenticates the authentication server to the user, and the user to the authentication server.

One limitation is that the user identity (though not the credentials) is transmitted in the clear.

Another is that transmitting the challenge-response authentication exchange in the clear can facilitate passive dictionary attacks if user passwords are weak.

To overcome these limitations, you can use a tunneled EAP architecture, in which an outer EAP encapsulates an inner EAP. 

The outer EAP provides server authentication, and a cryptographically secure tunnel for the inner EAP method to run in.

Typical outer EAPs are PEAP and EAP-FAST. EAP-MSCHAPv2, EAP-TLS and EAP-GTC are commonly used for the inner EAP.



MAC Authentication Bypass

When the MAB feature is enabled on an 802.1X port, the authenticator uses the MAC address as the client identity. 

The authentication server has a database of client MAC addresses that are allowed to access the network.

After detecting a client on an 802.1X port, the authenticator waits for an Ethernet frame from the client. 

The authenticator sends an Access-Request message using the MAC address of the endpoint as both the username and the password to the RADIUS server. 

The RADIUS server can then compare the MAC address against entries in its policy database to make authorization decisions.

If an EAPOL packet is detected on the interface during the lifetime of the link, the authenticator determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAB) to authorize the interface.

  • A method to allow exemptions from 802.1X authentication
  • Certain MAC addresses skip the regular authentication process
  • MAC address sent in RADIUS Access-Request message
  • Exempted MAC addresses defined as endpoints on the server
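As an added example (not from the original post), here is the MAB exchange described above in Python: the authenticator builds a RADIUS Access-Request carrying the MAC as both User-Name and User-Password (hidden per RFC 2865), and the server recovers the password and checks the MAC against its endpoint database. The shared secret, the allowed-MAC list and the lowercase 12-hex-digit username format are assumptions.

```python
import hashlib
import secrets
import struct

# Constructed values (not from the page): the RADIUS shared secret and the MAB endpoint database.
SHARED_SECRET = b"example-radius-secret"
ALLOWED_MACS = {"0011223344aa", "aabbccddeeff"}
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2

def hide_password(password, secret, req_auth):
    # RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    # Inverse of hide_password; the server needs the same secret and Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_mab_access_request(mac, secret, ident=1, req_auth=None):
    # The authenticator uses the endpoint MAC as both User-Name and User-Password (as the page says).
    # The 12-hex-digit lowercase form is an assumption; the MAB username format is configurable on the switch.
    req_auth = req_auth or secrets.token_bytes(16)
    attrs = attribute(USER_NAME, mac.encode()) + attribute(USER_PASSWORD, hide_password(mac.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_decision(packet, secret, allowed):
    # Server side: recover the attributes, check that the 'password' is the MAC, then consult the MAB policy database.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    username = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    if code == ACCESS_REQUEST and username == password and username in allowed:
        return "Access-Accept"
    return "Access-Reject"
```

The only thing the server can verify here is that the MAC appears in its database, which is why the post treats MAB as an exemption mechanism rather than as authentication of the endpoint.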

802.1X Phased Deployment Guidelines

802.1X can be implemented using a phased deployment model that allows for limited impact on network access while gradually introducing authentication and authorization.

It is generally recommended to begin the phased deployment with monitor mode in a well-defined area of the network.

Think of this phase as an audit phase. Your network administrators can gain visibility into who will succeed and who will fail, determine the failure reason, and remediate the problem before enabling a stronger enforcement mode.
Before moving from monitor mode to a stronger enforcement mode, you must decide whether low impact mode or closed mode is most appropriate.

The choice will depend on factors internal to your organization and your organization's security policy. It is possible that different modes may be appropriate in different areas of your network. For example, it may be optimal to use low impact mode at the headquarters campus and closed mode at branch offices.
After a successful phase of deployment, it is time to move to the next phase.

After a successful audit phase, you can move to the preferred enforcement mode for that area of the network.

You can also extend the identity solution to other areas of the network using monitor mode.

802.1X Closed Mode

The default behavior on a Cisco switch port configured for 802.1X is closed mode. 

With closed mode, no traffic other than EAPOL is allowed until the authentication process completes.

Authentication is required before any basic network services are available, including DHCP. Consideration of 802.1X timers is very important with closed mode.

When a device connected to that switch port authenticates, an appropriate authorization policy can be applied. Options for authorization policies include downloadable ACLs, dynamic VLAN assignment or security group tags.



Note: in closed mode there is no "authentication open" and no "ip access-group default-ACL in" command on the interface:

interface GigabitEthernet 0/1
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator

802.1X Low-Impact Mode

With low-impact mode, you are able to strengthen the security stance by adding an ingress ACL to the 802.1X-enabled switch port that is configured in open mode. This ACL provides the ability to maintain whatever basic connectivity is required for unauthenticated hosts.


This procedure can be used to provide a host that is attached to a default port with the ability to use DHCP, DNS, and perhaps get to the Internet, while blocking access to internal resources.
When a device connected to that switch port authenticates, an appropriate authorization policy can be applied. Options for authorization policies include downloadable ACLs, dynamic VLAN assignment or security group tags.
  • Limited, basic access prior to authentication
    1. Port ACL applied to the switch interface
    2. Default port ACL, if no interface ACL exists
  • Grant specific access after successful authentication
    1. dACL received from server
interface GigabitEthernet 0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in



802.1X Monitor Mode

  • The monitor mode allows for the deployment of the authentication methods 802.1X, MAB, or web authentication without any effect on user or endpoint access to the network. Monitor mode is like placing a security camera at the door to monitor and record port access behavior
  • Monitor mode is enabled using 802.1X with the open access and multi-auth mode Cisco IOS Software features.
  • Monitor mode is configured with the authentication open command.

  • The default behavior of 802.1X is to block all data traffic except EAPOL. However, the open access feature allows you the option of providing unrestricted access to all traffic, even though authentication (802.1X, MAB, or web authorization) is enabled. Open access is accomplished with no impact to end users or network-attached hosts.

  • Even failed authentication will allow access
  • Network administrators can:
    1. See who would have failed
    2. Resolve the problem before causing a Denial of Service
  • No effect on user or endpoint access
  • AAA RADIUS accounting provides visibility into 802.1X operation
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator

802.1X Phased Deployment

  • Phased approach for 802.1x deployment
  • Gradual authorization enforcement
  • Visibility into who will succeed and who will fail
    1. Determine the failure reason
    2. Remediate before implementing stronger enforcement
  • Modes:
    1. Monitor mode
    2. Low impact mode
    3. Closed mode
  • This figure summarizes the preauthentication and post-authentication behavior of the three 802.1X deployment phases: monitor, low-impact, and closed modes.

  • In monitor mode, the open access feature transforms the normal behavior of blocking traffic on an 802.1X-enabled port until authentication and authorization are successfully performed. Full access is provided independently of the authentication results.
  • In low-impact mode, a pre-authentication ACL is added to the port to permit some basic connectivity. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags.
  • In closed mode, only EAPOL traffic is permitted until the user authenticates. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags. The authorization options available in closed mode are identical to the options available in low-impact mode.
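To audit which phase each port is actually in, here is an added example (not from the original post) that classifies interface stanzas from a running-config using the two commands that distinguish the closed, low-impact and monitor configurations above: "authentication open" and an ingress "ip access-group". The running-config excerpt is constructed for the example.

```python
# Constructed running-config (not from the page): one port per deployment mode, plus one left at default port-control.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet0/3
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/4
 authentication open
 dot1x pae authenticator
"""

def interface_stanzas(config):
    # Group indented subcommands under their 'interface ...' line; '!' or any top-level line ends a block.
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            stanzas[name] = []
        elif line.startswith(" ") and name:
            stanzas[name].append(line.strip())
        else:
            name = None
    return stanzas

def classify(body):
    # Mirrors the page's configs: 'authentication open' separates closed from open modes; an ingress ACL separates low-impact from monitor.
    if "dot1x pae authenticator" not in body and "mab" not in body:
        return "no-802.1X"
    if "authentication port-control auto" not in body:
        return "misconfigured"  # default is force-authorized: the port never authenticates anyone
    if "authentication open" not in body:
        return "closed"
    if any(c.startswith("ip access-group ") and c.endswith(" in") for c in body):
        return "low-impact"
    return "monitor"
def audit(config):
    return {name: classify(body) for name, body in interface_stanzas(config).items()}
```

A pre-authentication ACL supplied as a default port ACL rather than on the interface (the "default port ACL" case in the low-impact bullets) is not visible in the stanza, so confirm a "monitor" result on the switch itself.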

802.1X Host Modes

  • Single Host mode:
    1. Only one device (MAC address) per port
    2. Second client causes unauthorized port state
  • Multiple Host mode:
    1. One device (first MAC address) authenticated
    2. All subsequent devices get access
  • MDA mode:
    1. One data and one voice VLAN per port
    2. Independent authentication of phone and PC
  • Multiple Authentication mode:
    1. Superset of MDA
    2. Authenticates every MAC address
    3. One VLAN for all devices, per device dACL
    4. Used for hubs, access points, Virtual Machines

The host mode of the 802.1X port determines whether more than one client can be authenticated on the port and how authentication will be enforced. You can configure an 802.1X port to use any of the four host modes that are described below. In addition, each mode may be modified to allow pre-authentication open access.

Single-Host Mode

In single-host mode, only one client can be connected to the 802.1X-enabled port. The switch detects the client when the port changes to the up state and sends out an EAPOL frame. Access is provided for the client after authentication. Packets from other hosts are dropped. If the client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

Multiple Host Mode

In multiple host mode (often called multi-host mode), you can attach multiple hosts to a single 802.1X-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (reauthentication fails or an EAPOL logoff message is received), the authenticator denies network access to all of the attached clients.

Multiple Domain Authentication Mode

MDA mode (often called multi-domain mode) allows an IP phone and a single host behind the IP phone to authenticate independently, using 802.1X, MAB, or (for the host only) web-based authentication. In this application, multidomain refers to two domains (data and voice VLAN), and only one MAC address is allowed per domain. The switch can place the host in the data VLAN and the IP phone in the voice VLAN, but they appear on the same switch port. The data and voice VLAN assignment can be obtained from the VSAs received from the AAA server.

Multiple Authentication Mode

Multiple authentication mode (often called multi-auth mode) allows one 802.1X or MAB client on the voice VLAN and multiple authenticated 802.1X, MAB, or web authorization clients on the data VLAN. When a hub or access point is connected to an 802.1X port, multi-auth mode provides enhanced security over the multi-host mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.

In this mode, the first host that is authorized on the port defines the VLAN assignment, and subsequent hosts will be added to the same VLAN. They may either have no VLAN assignment in the RADIUS database, or their configured group VLAN must match the assigned group VLAN on the port. Otherwise they will be denied access to the port.

Also, if the Authentication Server assigns a dACL, the dACL will be modified to use the authenticated host's IP address as the source address. That is, in multi-auth mode, per-host differentiated dACLs are supported.