Академический Документы
Профессиональный Документы
Культура Документы
Cisco Public
Hariprasad Holla
Technical Marketing Engineer, Cisco
#clmel
hari_holla
BRKSEC-2691
IEEE 802.1X
IBNS
IBNS 2.0
( EAPoLAN )
( EAPoWLAN )
( Identity Based
Networking Services )
( Identity Based
Networking Services 2.0 )
Cisco Public
Agenda
Identity networking
IBNS 2.0
IBNS 2.0 Features
Troubleshooting IBNS 2.0
Additional things to know
Conclusion
Icons to
remember
BRKSEC-2691
For Your
Reference
Cisco Public
Cisco ISE
Real-world Scenario
Identity Networking
Troubleshootin
g IBNS 2.0
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
Fundamentals of 802.1X
Windows
Native
Apple OSX
Native
Cisco
Anyconnect
Open 1X
Ethernet
Switch
Router
Wireless
Controller
Access
Point
Network
Policy
Server
Access
Control
Server
Free
RADIUS
Active Directory
Open
LDAP
Token Server
Authentication
Server
Authenticator
Supplicant
BRKSEC-2691
Identity
Services
Engine
802.1X
RADIUS
Ethernet / WLAN
IP / Layer 3
Cisco Public
Identity
Store
Fundamentals of 802.1X
Credentials
Authentication
Server
Authenticator
Supplicant
802.1X
RADIUS
Ethernet / WLAN
IP / Layer 3
EAP
EAP
802.1X
EAP
EAP
RADIUS
RADIUS: ACCESS-REQUEST
RADIUS SERVICE-TYPE: FRAMED
EAP: EAP-RESPONSE-IDENTITY
Cisco Public
Identity
Store
Fundamentals of 802.1X
Authentication
Server
Authenticator
Supplicant
802.1X
RADIUS
IP / Layer 3
Port-Authorised
EAP
EAP
RADIUS
802.1X
EAP: EAP-SUCCESS
RADIUS: ACCESS-ACCEPT
[+Authorization Attributes ]
Port-Unauthorised
(If authentication fails)
Cisco Public
Identity
Store
Authenticator
Authentication Server
802.1X
Authentication
Server
Authenticator
LAN
No
802.1X
Any Packet
RADIUS: ACCESS-REQUEST
RADIUS Service-Type: Call-Check
AVP: 00-10-23-AA-1F-38
RADIUS: ACCESS-ACCEPT
BRKSEC-2691
Cisco Public
10
Authorisation Options
Beyond ACCESS-ACCEPTs and ACCESS-REJECTs
EMPLOYEE VLAN
EMPLOYEE (5)
SGT
Cisco Public
11
Authentication without
Access control
BRKSEC-2691
Minimal impact to
users and the network
Cisco Public
12
Before Authentication
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 10
authentication host-mode multi-auth
authentication open
authentication port-control auto
mab
dot1x pae authenticator
authentication violation restrict
After Authentication
Monitor
Mode
Basic
1X/MAB
Cisco Public
13
Improve Accuracy
Evaluate Remaining Risk
Leverage Information
Prepare for Access Control
Authentication
Server
Authenticator
Unknown
MAC
Known
MAC
.1X
Failures
.1X-Pass
BRKSEC-2691
14
Before Authentication
Closed Mode
After Authentication
Before Authentication
BRKSEC-2691
After Authentication
Cisco Public
15
Authentication
Server
Authenticator
Supplicant
802.1X
RADIUS
Ethernet / WLAN
IP / Layer 3
IBNS 1.0
or
IBNS 2.0
Configurations
BRKSEC-2691
Cisco Public
16
Identity Configurations
Global AAA
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
!
dot1x system-auth-control
!
radius server ise
address ipv4 172.20.254.201 auth-port 1645 acct-port 1646
key cisco
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
authentication control-direction in
authentication event fail action authorize vlan 100
authentication event server dead action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
IBNS 2.0
IBNS 1.0
BRKSEC-2691
-Or-
Cisco Public
17
IBNS 2.0
Troubleshootin
g IBNS 2.0
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
RADIUS Server
Critical ACL
Flexible Authorisations
802.1X
Configuration Bloat
Auth-Fail
VLAN
AuthVLAN
MAB
WebAuth
Guest
VLAN
AuthVLAN
AuthVLAN
description...
switchport..
spanning-treee...
authentication...
dot1x...
mab
mls qos...
ip access-list...
...
RADIUS Servers
Cisco Public
19
IBNS 2.0
RADIUS
Server
Authenticator
RADIUS
MAB
LAN
VLAN
SGT
dACL
Authorisations
BRKSEC-2691
Cisco Public
20
IBNS 2.0
Any Authentication with Any Authorisation on Any media
Authentication
Access
Session
Manager
Manager
Interface Template(s)
Modular Configurations
Enhanced
CoA
Concurrent
Authentication
BRKSEC-2691
MAB
dACL
RADIUS
MAB
LAN
SGT
Intelligent
Aging
Critical
ACL
Manager
Common
Session-ID
Critical
MAB
IPv6
WebAuth
Differentiated
Authentication
Cisco Public
21
RADIUS
Server
Authenticator
VLAN
VLAN
VLAN
dACL
dACL
Authentication
SGT
SGT
WebAuth
Service
Templates
802.1X
Parameter
Map
802.1X
Class-maps
AuthZ
templates
Template
based
NEAT
IPv6
Identity
switchport
...
dot1x pae
authentication
auth host-mode
auth port-control
auth event fail
auth event server
auth periodic
...
switchport
...
dot1x pae
authentication
auth host-mode
auth port-control
auth event fail
auth event server
auth periodic
...
switchport
...
dot1x pae
authentication
auth host-mode
auth port-control
auth event fail
auth event server
auth periodic
...
Interface Config
Interface Config
Interface Config
switchport
...
dot1x pae
authentication
auth host-mode
auth port-control
auth event fail
auth event server
auth periodic
...
Interface Config
Interface Config
BRKSEC-2691
switchport
...
dot1x pae
authentication
auth host-mode
auth port-control
auth event fail
auth event server
auth periodic
...
Physical Interfaces
Cisco Public
22
Service Template
ACTIVATE
Access VLAN
Voice VLAN
Access Control List
EVENT
CLASS
ACTION
EVENT
CLASS
ACTION
Identity Control Policy
Configured with
service-template
command
switchport...
service-policy...
access-session...
Interface Template
Defined under
class-map
command
Defined under
policy-map command
Policy applied with
service-policy command
Configured with
template command
BRKSEC-2691
Physical Interfaces
Cisco Public
23
Class
Event
Class
Action
Action
IDENTITY CONTROL POLICY
policy-map type control subscriber POLICY-A
session-started
authenticate
always via 802.1X
session-started
always
Terminate 802.1X
AAA-DOWN
ALL
AAA-DOWN
ALL
authorise port
authentication-failure
FIRST
authentication-failure
NO-RESPONSE
FIRST
1X-FAIL
BRKSEC-2691
NO-RESPONSE
Assign Guest
VLAN
Assign
Guest VLAN
1X-FAIL
Cisco Public
24
Templates
Dynamic Configuration Done the Right Way
Configuration by Reference:
Service Templates
will be dynamically assigned to a session
can be locally defined -or downloaded via RADIUS
Interface Templates
Cure for the Configuration Bloat
Generic tool, not restricted to Session / Identity
Like Port Profiles on NX-OS
Cisco Public
25
Example
and
Available
Commands
switch(config)#service-template CRITICAL
switch(config-service-template)#?
service-template configuration commands:
absolute-timer
Absolute timeout value in seconds
access-group
Access list to be applied
description
Enter a description
exit
Exit identity policy configuration submode
inactivity-timer
Inactivity timeout value in seconds
interface-template Interface template to be applied
linksec
Configure link security parameters
no
Negate a command or set its defaults
redirect
Redirect clients to a particular location
service-policy
Configure service policy
sgt
SGT tag
tag
tag name
tunnel
tunnel for wired client access
vlan
Vlan to be applied
voice
Voice feature
<cr>
switch(config-service-template)#
Can be defined locally on the switch
Can also be defined on the RADIUS server and downloaded dynamically as needed per
authorisation or during CoA (ISE 1.2 Feature)
Used as one of the Actions per Control-Policy or as part of the RADIUS Authorisation (AV Pair)
Templates via AAA can contain arbitrary AV Pairs
BRKSEC-2691
Cisco Public
26
Applying a Template
Similar to Applying a Port ACL via filter-id
RADIUS
Switch
Can also be
Access-Request
username=jdoe
EAPoL
Access-Accept
AV-Pair subscriber:servicename=TEMPLATE
Enforce
Service-Templates
activation can be a
local Control Policy
action
If it doesnt exist, it
can be downloaded
like an dACL
DEFINED ON SWITCH
service-template TEMPLATE
access-group PERMIT-ANY
vlan 100
inactivity-timer 360
BRKSEC-2691
triggered via
RADIUS CoA
Cisco Public
27
ACS
Template-Name = Username
Trivially Pass Authentication
(username is the template name)
ISE
BRKSEC-2691
Cisco Public
28
Interface Templates
Interface configuration container
Switch(config)#template Corp-Default-Access
Switch(config-template)#?
Template configuration commands:
aaa
Authentication, Authorization and Accounting.
access-session Access Session specific Interface Configuration Commands
authentication Auth Manager Interface Configuration Commands
carrier-delay
Specify delay for interface transitions
dampening
Enable event dampening
default
Set a command to its defaults
description
Interface specific description
dot1x
Interface Config Commands for IEEE 802.1X
exit
Exit from template configuration mode
hold-queue
Set hold queue depth
ip
IP template config
keepalive
Enable keepalive
load-interval
Specify interval for load calculation for an interface
mab
MAC Authentication Bypass Interface Config Commands
mls
mls interface commands
no
Negate a command or set its defaults
peer
Peer parameters for point to point interfaces
priority-queue Priority Queue
queue-set
Choose a queue set for this queue
radius-server
Modify RADIUS query parameters
service-policy Configure CPL Service Policy
source
Get config from another source
spanning-tree
Spanning Tree Subsystem
srr-queue
Configure shaped round-robin transmit queues
storm-control
storm configuration
subscriber
Subscriber inactivity timeout value.
switchport
Set switching mode characteristics
BRKSEC-2691
Cisco Public
29
30
ACS
ISE
BRKSEC-2691
Cisco Public
32
aaa []
radius []
dot1x system-auth-control
ip access-list []
ipv6 access-list []
service-template []
service-template []
class-map []
class-map []
policy-map []
template []
mab
access-session port-control []
service-policy type control subscriber []
Per-Interface Configuration
References to other Policy
Elements (static or dynamic)
Interface-template Configuration
Cisco Public
33
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
ip access-group IPV4-PRE-AUTH-ACL in
authentication control-direction in
authentication event fail action authorize vlan 100
authentication event server dead action authorize vlan 100
authentication event no-response action authorize vlan 100
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
BRKSEC-2691
Cisco Public
34
legacy
Legacy configuration
Cisco Public
35
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
Authentication
Access
Session
Manager
Manager
Interface Template(s)
Modular Configurations
Enhanced
CoA
Concurrent
Authentication
BRKSEC-2691
MAB
dACL
RADIUS
MAB
LAN
SGT
Intelligent
Aging
Critical
ACL
Manager
Common
Session-ID
Critical
MAB
IPv6
WebAuth
Differentiated
Authentication
Cisco Public
37
RADIUS
Server
Authenticator
VLAN
VLAN
VLAN
dACL
dACL
Authentication
SGT
SGT
WebAuth
Service
Templates
802.1X
Parameter
Map
802.1X
Class-maps
AuthZ
templates
Template
based
NEAT
IPv6
Identity
Critical ACL
Scenarios today with Low Impact Mode:
Before Authentication
PRE-AUTH-ACL
Authentication Success
Infra Servers
(DHCP, DNS)
Permit any
DHCP
Permit any DNS
Deny any any
RADIUS
Server
10.1.1.1
PRE-AUTH-ACL + dACL
Permit ip host
- 10.1.1.1 any
Permit any
DHCP
Permit any DNS
Deny any any
10.1.1.1
Default
VLAN
PRE-AUTH-ACL
Infra Servers
(DHCP, DNS)
RADIUS
Server
Permit any
DHCP
Permit any DNS
Deny any any
RADIUS
Server
Critical
VLAN
Protected
Servers
Protected
Servers
* Critical authorisation wont apply to endpoints that were authorised by AAA server when it was reachable
BRKSEC-2691
Infra Servers
(DHCP, DNS)
10.1.1.1
Default /
Dynamic
VLAN
Protected
Servers
Cisco Public
38
Critical ACL
Configuration Example
Event
Class
Action
session-started
always
violation
always
restrict
agent-found
always
AAA-DOWN
authentication-failure
authorise port
Terminate 1X & MAB
Match
First
1X-FAIL
BRKSEC-2691
Do
All
Cisco Public
39
Critical ACL
Configuration Example
Event
Class
Action
session-started
always
violation
always
restrict
agent-found
always
AAA-DOWN
authentication-failure
Do
All
Match
First
1X-FAIL
BRKSEC-2691
authorise port
40
service-template CRITICAL
access-group CRITICAL-V4
access-group CRITICAL-V6
!
!
policy-map type control subscriber DOT1X
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-first
10 class AAA-DOWN do-all
10 activate service-template CRITICAL
20 authorize
30 terminate dot1x
40 terminate mab
20 class 1X-FAIL do-all
10 authenticate using mab
Critical MAB
Local Authentication during Server failure
000c.293c.8dca
...
event authentication-failure match-first
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-
until-failure
10 terminate mab
20 terminate dot1x
30 authenticate using mab aaa authc-
list mab-local authz-list mab-local
...
WAN
?
000c.293c.331e
Cisco Public
41
Concurrent Authentication
Faster on-boarding of endpoints in to the network
Sequential Authentication
An endpoint may be
authenticated by both methods,
but priority determines the
ultimate authorisation.
.1x
EAP
Campus LAN
CDP/DHCP
EAP
RADIUS
Concurrent Authentication
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
.1x
EAP
Campus LAN
CDP/DHCP
EAP
BRKSEC-2691
RADIUS
Cisco Public
42
Differentiated Authentication
Authenticate different methods with different Servers
aaa group server radius mab-servers
server name ise01
!
aaa group server radius 1x-servers
server name ise02
!
aaa authentication dot1x 1x-servers group 1x-servers
aaa authentication dot1x mab-servers group mab-servers
!
aaa authorization network 1x-servers group 1x-servers
aaa authorization network mab-servers group mab-servers
!
radius server ise02
address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
key xxxxxx
!
radius server ise01
address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
key xxxxxx
ISE
.1x
Gi1/0/1
NAC
Cisco Public
43
Intelligent Aging
Disconnect Indirectly connected endpoint sessions
Switch(config-if)subscriber aging
inactivity-timer 30 probe
Printer
Or
service-template
The inactivity timerIA-TIMER
is an indirect mechanism
inactivity-timer
probe
the switch uses to60
infer
that an endpoint has
! disconnected.
Indirectly
Connecte
d Host
000A.0001.0001
3rd Party Phone
RADIUS
Server
Gi1/1
Gi1/2
0001.0001.0002
000B.0001.000A
RADIUS
Gi1/3
Hub
Idle-Timeout (28) = 30
Termination-Action (29) = 0
Indirectly
Connecte
d Host
(Optional)
3rd
0001.0001.0003
Cisco Public
44
IPv6 Identity*
With Identity-Policy, both IPv4 & IPv6 endpoints can be securely on-boarded in a consistent manor
!
ipv6 snooping policy v6-snoop
trusted-port
!
vlan configuration 100-180
ipv6 nd suppress
ipv6 snooping
!
interface TenGig1/1/1
description *** Uplink ***
[ ... ]
ipv6 snooping attach-policy v6-snoop
!
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
access-session port-control auto
ipv6 traffic-filter IPV6-PRE-AUTH-ACL in
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber ACCESS-POL
!
service-template CRITICAL
description allow all traffic
access-group PERMIT-IPV4-ANY
access-group PERMIT-IPV6-ANY
!
Cisco Public
45
RADIUS
802.1X
MAB
Switch
BRKSEC-2691
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
ipv6 traffic-filter IPV6-PRE-AUTH-ACL in
mab
dot1x pae authenticator
dot1x timeout tx-period 5
2015 Cisco and/or its affiliates. All rights reserved.
Server Policies:
Per-User ACL:
:
:
GigabitEthernet1/0/1#v6#37F2F598
deny ipv6 any host 2001:db8:254::10
permit ipv6 any any
Cisco Public
46
Method
dot1x
State
Authc Success
Supplicant
Switch
RADIUS
Server
ACCESS-REQ
ACCESS-ACCEPT
EAPoL
device-traffic-class
= switch
...
trunk
switchport mode access
dot1x pae authenticator
authentication port auto
...
BRKSEC-2691
Cisco Public
49
template NEAT
switchport mode trunk
Authenticator
Switch
Supplicant
Switch
RADIUS
Server
Authenticator
Switch
Supplicant
Switch
ACCESS-REQ
device-traffic-class
= switch
EAPoL
Interface-templatename = NEAT
...
switchport mode access
dot1x pae authenticator
authentication port auto
...
...
trunk
switchport mode access
dot1x pae authenticator
authentication port auto
...
BRKSEC-2691
ACCESS-REQ
ACCESS-ACCEPT
ACCESS-ACCEPT
EAPoL
RADIUS
Server
Cisco Public
50
BRKSEC-2691
Cisco Public
51
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
Server Policies:
ACS ACL: xACSACLx-IP-permit-most-50b5f56e
Template: EMPLOYEE_1 (priority 100)
Vlan Group: Vlan: 160
ACS ACL: xACSACLx-IP-permit-most-50b5f56e
Method status list:
Method
dot1x
mab
BRKSEC-2691
State
Authc Success
Stopped
Cisco Public
53
Cisco Public
54
New Event
Single Event
Associated
Action
[PRE:RULE:EVENT:D8000001]
Next Event
Cisco Public
55
Selectively Debug
debug interface Gi1/0/1
Limits effect of debug to given interface
BRKSEC-2691
Cisco Public
56
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
VM
Not a trunk!
Gi1/0/1
C3850 03.03.00SE
WS-C3850
C3650 03.03.00SE
BRKSEC-2691
Cisco Public
58
160
WIRED-EMPLOYEE
active
Gi1/0/1
170
WIRED-GUEST
active
Gi1/0/1
EAP-SUCCESS
EAP-RESP
ACCESS-ACCEPT
ACCESS-REQUEST
WAN
Trunk
Cisco Public
59
00.0A.95.7F.DE.06
V100
G1/0/47
Corp LAN
G1/0/1
V200
00.0A.95.7F.DE.06
BRKSEC-2691
Cisco Public
60
18
18
18
18
02:52:11.763:
02:52:11.763:
02:52:11.763:
02:52:11.763:
18
18
18
18
18
18
02:52:11.764:
02:52:11.764:
02:52:11.765:
02:52:11.765:
02:52:11.765:
02:52:11.765:
RADIUS:
RADIUS:
RADIUS:
RADIUS:
RADIUS:
RADIUS:
Tunnel-Private-Group[81]
Tunnel-Type
[64]
Tunnel-Medium-Type [65]
Tunnel-Private-Group[81]
Tunnel-Type
[64]
Tunnel-Medium-Type [65]
6
6
6
16
6
6
01:"100"
01:VLAN
01:ALL_802
02:TrustdedArea"
02:VLAN
02:ALL_802
[13]
[6]
[13]
[6]
Applies to all authentication methods | System must be in IBNS 2.0 (policy) mode
BRKSEC-2691
Cisco Public
61
...
%RADIUS-6-SERVERALIVE: Group radius: Radius
server 10.0.1.1:1812,1813 is responding again
(previously dead).
%RADIUS-4-RADIUS_ALIVE: RADIUS server
10.0.1.1:1812,1813 is being marked alive.
...
ACCESS-REJECT
BRKSEC-2691
Cisco Public
62
Without Probe-on
radius server server-01
address ipv4 10.0.1.1 auth-port 1812 acct-port
1813
automate-tester username dummy
!
radius-server deadtime 15
radius-server dead-criteria 3 tries
%RADIUS-6-SERVERALIVE:
Group radius: Radius
ACCESS-REJECT
server 172.20.254.4:1645,1646 is responding
again (previously dead).
%RADIUS-4-RADIUS_ALIVE:
server
Mark Dead Server Alive RADIUS
after
172.20.254.4:1645,1646
is being marked alive.
response to probe packets
BRKSEC-2691
Cisco Public
63
DAD
Interval
G1/1
0001.0001.0001
10.0.1.1
Port#
G1/1
MAC
0001
IP
10.0.1.1
VLAN
100
Cisco Public
64
Is there a SVI IP
address?
YES
Is there a SVI IP
address?
YES
YES
NO
YES
NO
NO
BRKSEC-2691
Is there a SVI IP
address?
NO
NO
YES
Cisco Public
65
Conclusion
Troubleshootin
g IBNS 2.0
IBNS 2.0
Identity
Networking
IBNS 2.0
Features
Additional things
Conclusion
Key Takeaways
Start simple, start with monitor mode. Deploy in phases
IBNS 2.0 is flexible and extensible, Create once use many approach
BRKSEC-2691
Cisco Public
67
Q&A
Cisco Public
Thank you.