802.1x

Reading Time: 6 minutes

One of the nice things about working with Cisco equipment, as opposed to many other brands, is that you truly do get a smorgasbord of features and capabilities. On the flip side of that coin, however, the bad thing about working with Cisco equipment is that you can really paint yourself into a corner with features, even when you know what you’re doing. Many features and capabilities that you have access to on a multilayer switch (or bridge, layer‑2 router, forwarder, other nom-de-jour) conflict with one another, are just not nearly as useful as they might seem at first glance, or bring a number of gotchas to the proverbial ball-game, often far outweighing any benefits inherent therein. Dynamic VLAN assignment with 802.1x is one of those features.

If you’ve read the first part in this series on dot1x, or are generally familiar with the technology, you know that dot1x on a wired network allows a supplicant (software on your PC) to communicate with an intermediary (the switch) in order to facilitate hardware level authentication of assets on the corporate network. In other words, the switch acts as a traffic-cop and only allows known systems to gain even layer‑2 access to the network. This happens in many cases prior to other types of authentication and authorization and can be part of an overall security strategy on your network.

When you try to do more with wired dot1x is where things get a little more fun. And by fun I mean gouging your eyes out with dull implements, or randomly beating the nearest co-worker with the weighted end of a console cable. Doing more in this case referring to assigning computers on your network to specific VLANs based on whatever policies you use to do these things.

For argument’s sake, and because we’ve already established that you’re probably a masochist for doing things this way, let’s just assume that you are using VTP (VLAN Trunking Protocol) to keep your VLANs consistent across all switches in a given campus or building. Let’s also assume that you have a couple of VTP Servers, and all other switches are in client mode. This would also be a good time to mention VTP Passwords, domains, and careful planning, but I think we’ve established that you might be a bit of a renegade. So we’ll move on.

If you’ve already gotten through the first part of this series, then you already have your switches talking to a backend access and authorization server; most likely this is NPS on Windows 2008 Server or some other RADIUS server tied into your user database. The main thing you have to do on the RADIUS side that is different for this configuration is to determine what user groups, or computer groups, etc. are going to be assigned to what VLAN.

So your main switch configuration, assuming NPS, could look something like this and would be defined under the Radius Clients section of Network Policy and Access Services:

All this does is establish a connection profile which allows your switch (or whatever device) to speak to the NPS server. For network policies we’ll have two defined for our example:

One of these is for the IT group, as you might have guessed. The other is for a Guest access group that we’ll talk about soon. These policies, by the way, are very flexible and can be written in a myriad of different ways. The examples here are just one particular way of implementing this type of control.

If we break open one of our policies to look at it, you’ll see something like so:

We actually have a lot more in this section that we’re not showing, including many dialog boxes and configuration tabs. The summary above, however, is enough to give you a general sense of what’s going on. While the whole breakdown is beyond the scope of what I’m writing here, a couple of the key things you’ll want to take note of are:

Tunnel-Pvt-Group-ID: This is the VLAN you want to assign to this group. This had better match what exists in your VTP domain, on the switch or switches in question.
Tunnel-Type: This is pretty self-explanatory, but I’ve seen it overlooked.
Tunnel-Medium-Type: The 802 here refers to, you guessed it, 802.1x

This is all fairly standard server-side NPS or IAS configuration for Windows. Other systems will, of course different and have their own idiosyncrasies to deal with. I assume that you or someone you work with is familiar with this on some level, as almost all major enterprise networks these days use a central database like Active Directory to not only control user access to the network generally, but also to authenticate and authorize all manner of connections from wireless dot1x to SSL VPN.

On the Cisco side, things are actually considerably cleaner as you might expect. Since you should already have dot1x working from our first part in this series, only a few changes are necessary:

Define a guest VLAN (in our example we’re using this but it is far from necessary)
Define a quarantine, or authentication failure VLAN (again, our example, etc.)
Define configuration for individual switch ports, or more likely for ranges.

Steps one and two above shouldn’t need explaining if you’ve come this far: just make the VLANs and be done with it. For step three, we’re going to use the following configuration:

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 5

dot1x timeout server-timeout 10

dot1x max-reauth-req 1

dot1x guest-vlan 405

dot1x auth-fail vlan 404

dot1x auth-fail max-attempts 1

Note that we are using a few extra options here that aren’t, strictly speaking, needed (the timeouts, quiet periods, etc.) Don’t let those distract you from the core elements. The dot1x guest-vlan and auth-fail vlan statements in particular are interesting. What we’re basically doing here are a couple of things:

When the switch port receives an EAPoL from the supplicant (PC) indicating dot1x capability, the credentials are tested. If they are good, the device is automatically put into the appropriate VLAN as prescribed by our RADIUS server.
If failure occurs during authentication (ie; EAPoL capable, but wrong credentials, etc.) then the device is put into the auth-fail VLAN (404 in this case.)
If the device in question has no dot1x capability or the capability is turned off (no EAPoL seen) then the device is put into the guest VLAN (405 in this case.)

Note that if you have voice VLANs set up, these are unaffected by the dot1x configuration. Also, you have options to force a port into a permanent authorized or unauthorized state (using the dot1x port-control force-authorized or force-unauthorized command) if you need this functionality.

So when all put together, what does this configuration get you besides a headache? Seamless and dynamic control of clients, as well as some pretty good security. You have the clients you know being put into their assigned VLANs regardless of where in the network they are. This can be good if you rely heavily on VLAN access control lists (VACLs) for security. Clients who fail authorization are immediately dumped into what can be set up as a black-hole VLAN and then dealt with as needed. Everyone else—those we don’t know or are older clients—can be put into a guest VLAN where maybe we just give them access out to the Internet at large and possibly a printer. This is a handy feature for auditors or customers who may set up in a conference room and need some access, but very limited. Another use for this might be in conjunction with a Network Access Control (NAC) system. In this case you could test for appropriate patch levels of clients, appropriate firewall settings, unauthorized software or whatever, then dump the client into a quarantine VLAN for remediation.

In the next part of this series I’ll explore some switch port security features that are arguably more useful than dot1x, but conflict in some way forcing you to make a choice. We’ll also talk about the things that can break in some way when running dot1x. Ultimately security policy will be determined by business needs—in my case we have a pretty heavy security burden due to the business we’re in. You, however, may find the headache of dot1x is too much to deal with when compared with the administrative overhead to manage it. You may also decide that the things you give up to run it just aren’t worth the cost. Hopefully, when we’re all done you’ll have enough information to make that choice intelligently.

Reading Time: 3 minutes

Most of you are probably familiar with the IEEE 802.1x specification, at least in general terms, but are more than likely used to seeing it applied in the context of wireless networks and services. In this multi-part series, I’m going to explore the use of 802.1x as it applies to wired networks. In part I we’ll begin with what 802.1x is and what it isn’t, followed by some basic configuration adhering to Cisco’s current best practices recommendations. Then, in part II we’ll follow-up with a more complex configuration that you really, really don’t want to use but I put out as an academic example of what can be done if you like the kind of complexity that will guarantee you or your support staff never sleep again. We’ll also talk about what happens when you mix other security features with 802.1x.

Dot1x, as I’ll be referring to it from now on, is at its most fundamental level simply a method for verifying that a device connected to your network is who it appears to be. If a company-owned computer connects to the network, we let them have access to certain resources. If someone connects an unauthorized computer (personal laptop, etc.) to the network, they have no access to anything. This is the basic idea behind dot1x when we’re talking about wired networks.

Dot1x is not encryption, and doesn’t provide any kind of privacy or anti-replay protection like IPsec. It isn’t intended for that. Think of dot1x as login security for your switch ports. If your switch ports are connected through to wall jacks, with no authentication, then rogue machines have at least limited (layer 1 and 2) access to, at minimum, the VLAN or network that switch port is a part of. Is that enough to cause damage to your network? You’ll have to decide for yourself based on your own appetite for risk and internal security policies.

So, what do we do to make it all work? I’m glad you asked. You’ll need to do four things, of which I’ll cover the two that happen on the Cisco side:

(1) Configure your switch to act as an authenticator

(2) Configure individual switch ports to use dot1x

(3) Configure your Radius Server to provide authentication and authorization to clients

(4) Turn on dot1x authentication on your clients (Windows, Mac, Linux, etc.)

The first step is fairly straight forward, and that is to tell your switch you want to do dot1x authentication. In order for this to work you have to have AAA enabled which is going to change your entire login method, so definitely play around with in a lab if you’re not familiar with it already. So, the commands we want look like this, entered from Global Config mode:

! Turn on aaa authentication

aaa new-model

! Define our Radius server, port, and shared secret (must match

! with our server setup)

radius-server host 10.0.0.1 auth-port 1812 key abc123

! Here we tell the switch that our default authentication method is to

! use the Radius host we defined above

aaa authentication dot1x default group radius

! Enable dot1x on the switch

dot1x system-auth-control

Now that we have the switch set to authenticate clients to our Radius (Remote Authentication Dial-in User Server) Server, we have to make sure the Radius server has some policies defined. This is beyond the scope of what I’m going to cover in this post, though if I get enough comments requesting it I can cover that portion in another post. Basically you’re just telling your Radius server (typically IAS or NPS on some version of Windows Server) that the switch will be contacting it for client authentication, and what that client can and can’t do once authenticated (the authorization piece.)

The next step is to configure your clients to use dot1x authentication, and this is different for each client OS you use. Windows clients need to have a service turned on which is not on by default, whereas Macintosh has the service turned on but not configured. For Linux and all manner of mobile devices, there are as many options as there are devices, so I’ll leave that as an exercise for the reader. As above with the Server section, if I get enough comments I can cover the Windows and Macintosh configuration piece in another post. Mobile devices and Linux I have limited experience with as pertains to dot1x setup.

The last step in this whole business is to turn on dot1x authentication on a per port or port-range basis. Keep in mind that you’ll want to test this before turning on carte-blanche as I’ve seen a lot of misconfiguration in the initial setup and the last thing you want is a horde of screaming users looking for your head on a stick. Therefore, to turn on one port, presumably for testing, we do like so from interface configuration mode:

dot1x port-control auto

! kind of anti-climactic isn’t it

That is the basic configuration of dot1x on a Cisco switch. In part II of this series, I’ll explore some more complex configurations, as well as some less-than-ideal ramifications of combining other security features with dot1x. As with anything you configure in the realm of security in particular, it is always a trade-off between security and usability and dot1x is no exception. Test, test, and test some more.

802.1x for Wired Networks (Part 2)

802.1x for Wired Networks (Part 1)