WP_CS_8011Z_Explained.pdf

1-800-COURSES www.globalknowledge.com

Expert Reference Series of White Papers

802.1X - Implementing and Deploying Methods


Copyright 2013 Global Knowledge Training LLC. All rights reserved.

802.1X - Implementing and Deploying

Jim Thomas, Cisco Security Course Director, CCIE Security #16674

Introduction

A standard to remember, and one that you'll have nightmares about as you get started with deployment, is the infamous 802.1X. This is an authentication protocol that was designed back in 2001. There are different speculations on why there was such a high rate of failure, whether it is lack of understanding, technologies such as RADIUS servers that just didn't have the features that were needed, or a combination of the two.

802.1X, or dot1x as it's commonly called, is simply an authentication method used by endpoints (Windows, Macs, iDevices, Android) to gain access to the network. You may have already used this protocol with your wireless infrastructure, so now it's time to implement it across the board on wired and wireless.

Dot1x History Lesson

Dot1x has gone through three different versions since its inception. The first request for comments (RFC) for the protocol was written in 2001, under the impression that the Port Access Entity (PAE) would be used for hard-wired clients only. In 2004, there was an update to the RFC that included the use of dot1x on wireless networks. The latest revision, labeled 802.1X-2010, brought the use of MACsec (802.1AE) with the standard. In the 2001 and 2004 versions, it was discovered that attackers could a) insert themselves into the pathway of an already authenticated endpoint to gain access to the network (authentication of EACH individual MAC was not performed) and b) any host on the same medium could spoof a legitimate user's MAC and generate an EAP logoff message, bouncing the user off of the port; a classic denial of service (DoS).

In the 2010 version, these vulnerabilities were addressed. Primarily, Cisco began using newer IOS switch features, allowing every endpoint (MAC) on a port to require authentication separately, and also included the option of Layer 2 encryption using MACsec.

Dot1x Layer 2 Authentication Method

Dot1x is a Layer 2 authentication method used on the network and consists of three major components:

Supplicant: The middleware software that resides on the endpoint and talks to the authenticator. It's responsible for responding to Extensible Authentication Protocol (EAP) messages from the authenticator.

Authenticator: The network access device (NAD) that is requesting authentication from the supplicant. This is usually a switch or a wireless LAN controller (WLC). Think about this as a RADIUS client.


Authentication Server: The RADIUS server that processes the authentication requests; also responsible for returning attributes, such as access lists and VLANs, to the NAD.

EAPoL Frame Communication

Dot1X is only used between the endpoint and the NAD (Network Access Device) it is trying to get access through, such as a switch or WLC. This communication takes place using a special frame labeled as an EAP over LAN (EAPoL) frame. This frame has the standard Ethernet II headers and trailers, but there is no upper layer information within the frame.

The EAPoL frame is the initial 802.1X message that is sent from the Cisco switch (as indicated by the source MAC) to any endpoint that is hanging off of the port. Figure 1 displays a close-up shot of the packet contents.

Figure 1. EAPoL Frame Packet Contents

Notice the Dst: MAC indicates Nearest, which, if you look at the MAC (01:80:c2:00:00:03), is a reserved MAC. Any endpoint or device that receives traffic destined to this address should process the packet locally. The switch we are using is configured to use the 2010 version of dot1x.

EAPoL Packet Response

The packet is sent from the client to the switch as a response. In fact, you'll see the Code field reflects a value of 2, indicating a response to the initial request. The Type field reflects that this packet is still an Identity type. The Identity field reflects the user that is currently logged into the host. 802.1X grabs the currently logged-in, cached credentials and uses them throughout the authentication phase. The thing most of us do not like is that the Identity field can easily be read, since it is clear text. In Figure 1, look at the version of 802.1X being used; this is an up-to-date Windows 7 client. Microsoft still uses the first version of dot1X, which is okay, because as long as the switch supports the newest versions, the network will be protected from those vulnerabilities.
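To make the frame layout in Figures 1 and 2 concrete, here is an added Python example (not from the paper or from Cisco) that builds and decodes an EAPoL frame: the Ethernet II header with the reserved PAE group destination MAC, the EAPoL version and type, and the EAP Code/Id/Length/Type fields, pulling out the clear-text Identity when present. It also handles EAPoL-Logoff and EAP Success frames, which carry no Type byte, and rejects truncated frames; the sample Identity Response and its MAC addresses are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # the reserved "Nearest" destination MAC seen in Figure 1

EAPOL_VERSION = {1: "802.1X-2001", 2: "802.1X-2004", 3: "802.1X-2010"}
EAPOL_TYPE = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_eapol(dst, src, version, eapol_type, code=0, eap_id=0, eap_type=None, data=b""):
    """Assemble Ethernet II + EAPoL + EAP. Start/Logoff frames carry no EAP packet;
    eap_type=None builds a Success/Failure, which has no Type byte (EAP length 4)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    eap = b"" if eapol_type != 0 else struct.pack("!BBH", code, eap_id, 4 + len(payload)) + payload
    eapol = struct.pack("!BBH", version, eapol_type, len(eap)) + eap
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def parse_eapol(frame):
    """Decode one frame into a dict; raise ValueError on non-EAPoL or malformed input."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet II + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame (ethertype 0x%04x)" % ethertype)
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPoL body truncated")
    info = {
        "dst": ":".join("%02x" % b for b in frame[0:6]),
        "src": ":".join("%02x" % b for b in frame[6:12]),
        "version": EAPOL_VERSION.get(version, "unknown (%d)" % version),
        "eapol_type": EAPOL_TYPE.get(etype, "unknown (%d)" % etype),
    }
    if etype != 0:                        # Start/Logoff/Key: nothing more to decode
        return info
    if length < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("bad EAP length")
    info["eap_code"] = EAP_CODE.get(code, "unknown (%d)" % code)
    info["eap_id"] = eap_id
    if code in (1, 2) and eap_len >= 5:   # only Request/Response carry a Type byte
        info["eap_type"] = EAP_TYPE.get(body[4], "unknown (%d)" % body[4])
        if body[4] == 1:                  # Identity travels in clear text on the wire
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

# Constructed sample: an Identity Response from a Windows client, which (as the paper
# notes for Windows 7) still uses EAPoL version 1, sent to the PAE group address.
SAMPLE_IDENTITY_RESPONSE = build_eapol(
    PAE_GROUP_ADDR, "00:11:22:33:44:55", 1, 0, code=2, eap_id=1, eap_type=1, data=b"corp\\alice")
```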


Figure 2. EAP Payload

The frame in Figure 2 contains no IP addresses and no Layer 4 headers. It contains nothing other than Layer 2 information and a special payload called the EAP. This EAP payload contains the authentication protocol information needed for the endpoint to authenticate to the network. Figure 3 displays the follow-up request from the RADIUS server, where it is requesting Protected EAP (PEAP) (type 25) communication.

Figure 3. RADIUS Server Follow-Up Request

The Version field in Figure 3 indicates a 2010 flavor of 802.1X. The switch that sent the packet is running the latest code and thus supports the latest implementation of the protocol. Also note the Type field indicates a PEAP packet. Now, there are many, many different flavors of EAP authentication protocols. PEAP is the most common due to its ease of deployment. Let's face it, dot1x isn't our entire lives; we have other things to do at work. To streamline the configuration of PEAP, we could create Group Policy Objects (GPOs) on our Windows servers and push down the PEAP configuration to our clients. Also, there is no additional supplicant to install, since Windows and other popular operating systems already ship with PEAP capabilities. We'll talk a little more about PEAP later. For now, know that this is a PEAP request sent from the RADIUS server to our switch, and then the switch proxies that data in an EAPoL packet to our client.

Client's Response to a PEAP Request

What follows this PEAP request is the client's response to initiate the Transport Layer Security (TLS) handshake with the RADIUS server. The following denotes the authentication process:


1. The client sends its Client Hello packet to the RADIUS server. In this packet, the client sends a TLS record with the contents: Random, Cipher Suites, Compression Support, and any Extensions of Capabilities (Figure 4).

Figure 4. Client Hello Packet

2. The next packet is from the RADIUS server. The contents (which are three records contained in this packet) are the Server Hello record, the Server Certificate, and the Server Hello Done record (Figure 5). These records contain:

a. Server Hello: Random data generated on the RADIUS server, Session ID generated on the RADIUS server, Cipher Suite selected, Extensions, and Compression settings.


Figure 5. Server Hello Packet

b. The next record is the Certificate being supplied from the RADIUS server (Figure 6). Notice that the certificate chain, the RADIUS server cert, and the certification authority (CA) that signed the RADIUS server's cert are passed in the record:

Figure 6. Certificate

c. The third record is the Server Hello Done message.

3. The next packet sent from the client is an acknowledgement to the PEAP request (Figure 7). Actually, the RADIUS server sends two more packets with the same header values, but the payload changes (notice the byte count changing: 1030, 1026, and 232 bytes).

Figure 7. Client Acknowledgement


4. Next comes the client response, containing three records: Client Key Exchange, Change Cipher Spec, and Encrypted Handshake Message (Figure 8). The Client Key Exchange carries the session key that the client has chosen, encrypted using the public key of the RADIUS server (which was provided in the identity certificate of the RADIUS server).

Figure 8. Client Response

5. The following packet from the RADIUS server is the Change Cipher Spec message and the Encrypted Handshake Message, which is basically the server sending back encrypted information using the shared session key. If all works correctly, the client will be able to decrypt and confirm the message (Figure 9).

Figure 9. Change Cipher Spec Message

6. Now that we have negotiated the ciphers and have successfully exchanged session keys, we need to authenticate the client to the RADIUS server using an inner method of authentication (Figure 10). Commonly, we use MSCHAPv2, but it can also be a client-based certificate sent through this encrypted TLS session. Since this session is truly encrypted, we won't be able to determine the inner method of authentication, but neither would an attacker (unless they did a man-in-the-middle attack on the TLS session).


Figure 10. Authenticate Client to RADIUS Server

Client Supplicant Configuration

On the client side of the house we have a supplicant. The supplicant that ships with the Windows operating system is the easiest to use and can also be controlled using GPOs, as mentioned earlier. The first thing we need to enable is the Windows service for dot1x (Wired AutoConfig), as seen below in Figure 11 (you'll want to set this service to start automatically):

Figure 11. Enable Windows Service for Dot1x

Authentication Tab

Now that the service has been started, go to the NIC properties. Once there, you'll notice the Authentication tab and its various options (Figure 12). This is the dot1x configuration.


Figure 12. Authentication Tab

The Enable IEEE 802.1X authentication option allows you to enable or disable the supplicant. The Settings drop-down box has two values: the PEAP method of authentication and the Smart Card or other certificate (EAP-TLS) method of authentication.

The Remember my credentials for this connection each time I'm logged on option allows the credentials to be cached from a user, which, in turn, are supplied during authentication. This option helps if timers have been set to low values, dot1x requests authentication or re-authentication, and the user doesn't have time to supply credentials. Since PEAP already uses the current user's credentials, it would be beneficial to disable this option for environments where computers are being shared. Also note that in the past, with XP, this option was toggled on or off with a registry value, which Win7 does not use.

The Fallback to unauthorized network access option means that if a client fails authentication using dot1x, instead of just telling the NIC that it's done and dead, it keeps the port in an unauthorized state.

The Additional Settings button will take you to the more advanced dot1x settings. Here we can select Machine authentication and/or User authentication. The thing to remember is that it's not the AND that most users want. Actually, it's not up to the machine at all. When the EAPoL request is made from the switch, the credentials provided are the cached credentials (machine or user) that the device is currently logged in with.


If your machine boots up and dot1x immediately requests credentials from your machine, then the machine credentials will be used. Machine authentication happens within the first couple of seconds of the machine booting; basically, by the time you see the Windows logo, it's already occurred. At this point, you'll get the graphical identification and authentication (GINA) requesting credentials. Your user will supply credentials, and the dot1x process on the machine forwards the new credentials to the switch, which proxies them to the RADIUS server. A key point here is that the client itself can also generate EAPoL packets on the fly, without having the switch request them first.

If you want to use both machine and user authentication, it's up to the RADIUS server to determine whether this is allowed or not. The policies defined on that server dictate what to look for to determine machine and/or user authentication.

You can select the Enable Single Sign On option if you need to have (primarily wireless) clients connect to the network before they log on to the workstation, or immediately after. This option defines when to supply the credentials. Again, this does not affect the hard-wired clients, because the medium is already present. In wireless, the single sign-on (SSO) option allows you to determine when to supply credentials for the wireless connection.

Let's go back to the main Authentication tab. From here, click the Settings button next to PEAP (Figure 13). These settings are crucial for securing the PEAP connection.

Figure 13. PEAP Connection


First, the Validate server certificate option is enabled by default and should be disabled.

The Connect to these servers option is one that is commonly misconfigured. The text in this field needs to match the Issued to field on the RADIUS server certificate.

I know that you are thinking about redundancy, right? Well, of course you are, so the answer is yes, you can add multiple entries by separating them with semicolons.

The following option (Figure 14) allows you to select the Trusted Root CAs for the connection. Here's the kicker: these are always on, and you cannot toggle them on or off. I know, you see the checkbox, but it doesn't do anything.

Figure 14. Trusted Root CAs

The Authentication method drop-down also contains values of interest. MSCHAPv2 is selected by default, but a client-based certificate can also be used for authentication. The thing to remember is that the outer (Phase 1) TLS tunnel is used to secure the inner method of authentication. If this were a straight EAP-TLS connection, certs would be exchanged without any encryption. However, using PEAP-TLS ensures we are encrypted first, and then the client presents its certificate. In most cases, you'll stick with MSCHAPv2, which eliminates the need for client-based certificates.

The Enable Fast Reconnect option allows a user's session to quickly resume without having to go through the inner method of authentication. This works because we are using TLS, which supports session resumption. So as long as the users can resume the TLS session, they will be granted access. This is useful for users who frequently roam between access points.

The Disconnect if server does not support cryptobinding TLV option is used to prevent man-in-the-middle attacks where information is taken from Phase 1 of the tunnel negotiation and Phase 2 (client authentication). The information is hashed, and the hash is forwarded to the peer. This ensures both Phase 1 and Phase 2 data are sent and received between the appropriate peers and that a phase was not compromised.


The last option on the page is the Enable Identity Privacy option. In this field, we can specify any identifying information that will be used prior to the Phase 1 tunnel negotiation with PEAP. Remember that this information is supplied in clear text. We can specify anything in this field, if we are worried about eavesdropping on the wire.

Right behind that RADIUS packet and after TLS negotiation, we see another RADIUS packet with the inner method of authentication using the actual machine/user credentials. Remember, however, this username will be encrypted.
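The PEAP settings walked through above can also be checked outside the GUI. As an added example (not from the paper or from Microsoft), this Python script audits the EapType fragment of a wired profile exported with `netsh lan export profile`, flagging an empty Connect to these servers list, no pinned trusted root CA, user prompting left on, and cryptobinding not required; it also checks that server validation is switched on, since the server-name and root-CA checks only apply while it is. Element names follow the MsPeapConnectionProperties XML those exports use; both profile fragments are constructed, and the root-CA thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "v1": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "v2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample: no server names, no pinned root CA, user prompting allowed,
# cryptobinding not required, and server validation switched off.
WEAK_PEAP = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <RequireCryptoBinding>false</RequireCryptoBinding>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

# Constructed sample of the same fragment hardened along the lines the paper walks through.
# The TrustedRootCA thumbprint is a placeholder, not a real certificate.
HARDENED_PEAP = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius1.example.com;radius2.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <RequireCryptoBinding>true</RequireCryptoBinding>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

def _text(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""

def server_names(xml_text):
    """The 'Connect to these servers' list; entries are separated by semicolons."""
    return [n for n in _text(ET.fromstring(xml_text), "v1:ServerValidation/v1:ServerNames").split(";") if n]

def audit_peap(xml_text):
    """Return the settings that leave the PEAP outer tunnel open to a rogue RADIUS server."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "v1:PeapExtensions/v2:PerformServerValidation").lower() != "true":
        findings.append("server certificate validation is off: the name and root-CA checks never run")
    if not server_names(xml_text):
        findings.append("'Connect to these servers' is empty: any name on the certificate is accepted")
    if not any((ca.text or "").strip() for ca in root.findall("v1:ServerValidation/v1:TrustedRootCA", NS)):
        findings.append("no trusted root CA pinned: every root in the machine store is acceptable")
    if _text(root, "v1:ServerValidation/v1:DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user can be prompted to accept an unknown server or CA")
    if _text(root, "v1:RequireCryptoBinding").lower() != "true":
        findings.append("cryptobinding TLV not required: Phase 1/Phase 2 binding is not enforced")
    return findings
```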

Conclusion

As time goes on, we'll be seeing more and more of 802.1X in the environments we support. We have to for due diligence. Allowing trusted and non-trusted hosts to connect to our networks without proper controls is really just turning our head to security.

You may have heard concerns or nightmare stories about 802.1X, but with the tools we have today and the method of implementation, this can be seamless in an environment and far exceeds any compliance requirements you may have. I will say this, though: this is one technology you HAVE to take a deep dive on. It's also a case for taking a course to really learn the technology in an environment that's not your production.

Learn More

To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge, Global Knowledge suggests the following courses:

802.1X - Introduction to 802.1X Operations for Cisco Security Professionals

ACS 5.2 - Cisco Secure Access Control System

SISE - Implementing and Configuring Cisco Identity Services Engine v1.1

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.

About the Author

Jim Thomas is a subject matter expert and Cisco Security Course Director for Global Knowledge. He has worked extensively with the various Cisco Business Units (BUs) over the years and has helped develop courseware used worldwide. Although his passion is education, this passion is derived from a need to understand the products he's engaged with. To this end, he has attained the CCIE Security designation. He takes a hands-on approach to learning by contracting to government agencies (Federal, state, and local) and Enterprise networks. He is course director for the following courses: IPS, SSECMGT (CSM), NAC+, ISE, 802.1X, and ACS 5.x.
