802.1x OVERVIEW Sudhir Nath Product Manager, Trust & Identity


1 802.1x OVERVIEW
Sudhir Nath, Product Manager, Trust & Identity
Internet Technologies Division

2 Agenda
- IBNS & 802.1x
- 802.1x Components
- 802.1x Markets
- 802.1x Customers
- 802.1x Target Platforms
- 802.1x in Cisco IOS
- Cisco IOS 802.1x Roadmap

3 Identity-Based Networking Services and 802.1x
- 802.1x is a key component of Identity-Based Networking Services (IBNS)
- IBNS identifies who can access what information in the network
- IBNS has predominantly been focused on switches

4 Cisco Embedded Security with IBNS
Diagram labels: Campus Network; User Identity Based Network Access; User Based Policies Applied (BW, QoS etc.); Unauthorized Users/Devices; Authorized Users/Devices
- Equivalent to placing a security guard at each switch port
- Only authorized users can get network access
- Unauthorized users can be placed into "Guest" VLANs
- Prevents unauthorized Access Points
Speaker notes: The first step in securing the campus network is enabling the ability to prevent all unauthorized network access. Most enterprise networks are set up as depicted on the left, where access to the network is possible whenever physical access to a wired port is achieved. Rogue APs are easily deployed by well-intentioned users. Cisco solution: enabling port-based authentication via 802.1x using Cisco Catalyst switching products with the Cisco Secure ACS prevents unauthorized external access to the network, which includes the prevention of well-intended rogue APs. Intelligent Cisco Catalyst switching products also provide these security features at wire speed, so compromises in speed do not have to be made to have security.

5 IBNS Benefits
- Improve flexibility and mobility for users
- Strengthen security for network connectivity, services, and applications
- Increase user productivity and lower operating costs
- Combine authentication, access control and user profiles

6 802.1x
- Client-server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
- Key technology in IBNS for authentication & access control
- Standard set by the IEEE working group
- Standard link layer protocol used for transporting higher-level authentication protocols
- Works between the supplicant (client) and the authenticator (network device)
- Maintains backend communication to an authentication (RADIUS) server

7 IEEE 802.1x
IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
Diagram: PC, switch and Authentication Server, with steps 1 to 4:
1. User activates the link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access decision
4. Switch opens the controlled port (if authorized) for the user to access the LAN
Speaker notes: 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.

8 IEEE 802.1x Components
Diagram: Supplicant PAE (Port Access Entity) -- EAPOL -- Authenticator PAE (switch or router) -- Authentication Server
Speaker notes:
- Authenticator PAE (referred to as the "authenticator"): entity at one end of a point-to-point LAN segment that enforces supplicant authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the supplicant, submits the information from the supplicant to the authentication server, and authorizes the supplicant when instructed to do so by the authentication server.
- Authentication Server: entity that provides the authentication service for the authenticator PAE. It checks the credentials of the supplicant PAE and then notifies its client, the authenticator PAE, whether the supplicant PAE is authorized to access the LAN/switch services.
- Supplicant PAE (referred to as the "supplicant"): entity that requests access to the LAN/switch services and responds to information requests from the authenticator.
- EAPOL (Extensible Authentication Protocol over LAN): encapsulated EAP messages that can be handled directly by a LAN MAC service.

9 How Does 802.1x Work?
- For each 802.1x switch port, the switch creates TWO virtual access points at each port
- Controlled port: open only when the device connected to the port has been authorized by 802.1x
- Uncontrolled port: provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic ONLY
Speaker notes: For each dot1x-enabled port, the switch creates two virtual ports through which traffic flows. One port is for control traffic and the other is for data. By default, the port that carries the data is disabled. Only the port for carrying the control (EAPOL) traffic is opened, and it does not carry data traffic while authentication has not been completed.
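To make the controlled/uncontrolled split concrete, here is an added Python model of a single authenticator PAE; it is illustrative code written for this overview, not Cisco IOS code or anything from the presentation. Frames with EtherType 0x888E (EAPOL) always reach the uncontrolled port, while any other frame crosses the controlled port only while the port is authorized; the EAP method exchange between steps 2 and 3 of slide 7 is collapsed into one constructed `auth_server` callback, and the MAC addresses and identity are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                         # 802.1x frames on the wire
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # EAPOL destination MAC

class AuthenticatorPAE:
    """One switch port: the uncontrolled port always passes EAPOL, the controlled port opens on authorization."""
    def __init__(self, auth_server):
        self.auth_server = auth_server   # stand-in for RADIUS: callable(identity) -> bool
        self.authorized = False          # state of the controlled port

    def receive(self, frame: bytes) -> str:
        """Classify one ingress frame: 'eapol', 'forwarded' or 'dropped'."""
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            self._handle_eapol(frame[14:])   # uncontrolled port: always open
            return "eapol"
        return "forwarded" if self.authorized else "dropped"   # controlled port

    def _handle_eapol(self, eapol: bytes) -> None:
        _version, ptype, length = struct.unpack("!BBH", eapol[:4])
        body = eapol[4:4 + length]
        if ptype == EAPOL_LOGOFF:                # supplicant left: close the port
            self.authorized = False
        elif ptype == EAPOL_EAP_PACKET:
            code, _ident, elen, etype = struct.unpack("!BBHB", body[:5])
            if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
                # steps 2-4 of slide 7: ask the server, apply its verdict to the port
                self.authorized = bool(self.auth_server(body[5:elen].decode()))

def eapol_frame(ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame from a constructed supplicant MAC (02:00:00:00:00:aa)."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body))
    return PAE_GROUP_ADDR + bytes.fromhex("0200000000aa") + hdr + body

def identity_response(ident: int, identity: str) -> bytes:
    data = identity.encode()   # EAP Response/Identity carrying the supplicant's name
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data

def demo(identity: str = "alice") -> list:
    pae = AuthenticatorPAE(lambda who: who == "alice")    # constructed policy: only alice
    data_frame = bytes(12) + b"\x08\x00" + b"IP payload"   # EtherType 0x0800, not EAPOL
    fates = [pae.receive(data_frame)]                       # before authentication
    pae.receive(eapol_frame(EAPOL_START))                   # step 1: link comes up
    pae.receive(eapol_frame(EAPOL_EAP_PACKET, identity_response(1, identity)))
    fates.append(pae.receive(data_frame))                   # after the server's verdict
    pae.receive(eapol_frame(EAPOL_LOGOFF))
    fates.append(pae.receive(data_frame))                   # after logoff
    return fates
```

Running `demo()` shows the same data frame dropped, then forwarded after the verdict, then dropped again after EAPOL-Logoff; an identity the policy rejects never opens the controlled port.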

10 What Does 802.1x Do?
Diagram: 802.1x Header | EAP Payload
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
- The authenticator (switch or router) becomes the middleman, relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information
- Three forms of EAP are specified in the standard:
  - EAP-MD5: MD5 hashed username/password
  - EAP-OTP: one-time passwords
  - EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL)
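As an added example (not code from the presentation or from Cisco), the following Python parses the 802.1x header and the EAP payload it carries, builds a Response/MD5-Challenge the way a supplicant would, and checks it the way the authentication server does; the challenge, password and identity are constructed sample values, and the MD5 response value follows RFC 3748 section 5.4.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE, EAP_TYPE_OTP, EAP_TYPE_TLS = 1, 4, 5, 13

def parse_eapol(payload: bytes) -> dict:
    """802.1x header: protocol version, packet type, body length."""
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if 4 + length > len(payload):
        raise ValueError("EAPOL length exceeds frame")
    return {"version": version, "type": ptype, "body": payload[4:4 + length]}

def parse_eap(body: bytes) -> dict:
    """EAP header: code, identifier, length, and type/data for Request/Response."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body) or length < 4:
        raise ValueError("bad EAP length")
    pkt = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):   # Success/Failure carry no type
        pkt["type"], pkt["data"] = body[4], body[5:length]
    return pkt

def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value (RFC 3748 5.4): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """EAPOL EAP-Packet carrying a Response/MD5-Challenge, as a supplicant sends it."""
    value = md5_challenge_value(ident, password, challenge)
    data = bytes([len(value)]) + value + name          # Value-Size, Value, Name
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_MD5_CHALLENGE) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap  # EAPOL version 1, type 0 (EAP-Packet)

def verify_md5_response(eapol: bytes, ident: int, password: bytes, challenge: bytes) -> bool:
    """Authentication-server side check of the response to the challenge it issued."""
    pkt = parse_eap(parse_eapol(eapol)["body"])
    if pkt["code"] != EAP_RESPONSE or pkt.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    if pkt["id"] != ident:                              # must answer the outstanding request
        return False
    size = pkt["data"][0]
    expected = md5_challenge_value(ident, password, challenge)
    return hmac.compare_digest(pkt["data"][1:1 + size], expected)

# Constructed sample exchange (a real server picks a fresh random challenge per request)
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
RESPONSE = build_md5_response(7, b"correct horse", CHALLENGE, b"alice")
```

The check needs the password in clear on the server and nothing authenticates the server to the client, so EAP-MD5 gives neither mutual authentication nor protection for a captured exchange; that is why EAP-TLS is the strong option on this slide.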

11 802.1x Identity and Security
- Authentication: who can access the network and services?
- Authorization: what is the user allowed to do?
- Access control: control is based on authentication and authorization
- Policy enforcement: combining authentication, authorization, and access control to enforce enterprise/SP policies

12 Key 802.1x Functions/Building Blocks
- 802.1x Authenticator
  - Controls access to Layer 2 resources
  - Mechanisms to grant access
  - Authorization policy from AAA/RADIUS/ACS
- 802.1x Supplicant
  - Provides client capability
  - Computers, routers, switches, PDAs, IP phones
- 802.1x Mutual authentication
  - Client and server authentication
  - Support for EAP transport
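The RADIUS relay named on slide 10 (the authenticator carries EAP to the server inside RADIUS) and the AAA/RADIUS building block above, as an added Python example that is neither Cisco's nor the presentation's code: the authenticator wraps an EAP packet in EAP-Message attributes and protects the Access-Request with Message-Authenticator (HMAC-MD5 over the packet under the shared secret, RFC 3579), and the server rejects any request whose MAC does not verify or that carries EAP-Message without it. The shared secret, request authenticator and identity are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value   # Type, Length, Value

def build_access_request(ident: int, request_auth: bytes, secret: bytes,
                         user: bytes, eap_packet: bytes) -> bytes:
    """Authenticator side: relay an EAP packet to the server inside Access-Request."""
    attrs = attr(ATTR_USER_NAME, user)
    for i in range(0, len(eap_packet), 253):           # EAP-Message holds at most 253 bytes
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeros while the MAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # RFC 3579 3.2: HMAC-MD5 over the packet
    return pkt[:-16] + mac                             # fill in the last attribute's value

def iter_attrs(pkt: bytes):
    i = 20                                             # attributes follow the 20-byte header
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[i], pkt[i + 1]
        yield atype, i, pkt[i + 2:i + alen]
        i += alen

def verify_access_request(pkt: bytes, secret: bytes) -> bytes:
    """Server side: check Message-Authenticator, then return the reassembled EAP packet."""
    if pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    eap, mac_offset = b"", None
    for atype, off, value in iter_attrs(pkt):
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_offset = off
    if mac_offset is None:                             # RFC 3579 3.1: required with EAP-Message
        raise ValueError("EAP-Message without Message-Authenticator")
    zeroed = pkt[:mac_offset + 2] + bytes(16) + pkt[mac_offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(pkt[mac_offset + 2:mac_offset + 18], expected):
        raise ValueError("Message-Authenticator mismatch: altered packet or wrong secret")
    return eap

SECRET = b"constructed-shared-secret"                  # sample values for the demo
EAP_IDENTITY_RESPONSE = bytes([2, 1, 0, 10, 1]) + b"alice"   # EAP Response/Identity "alice"
REQUEST = build_access_request(42, bytes(range(16)), SECRET, b"alice", EAP_IDENTITY_RESPONSE)
```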

13 802.1x Benefits
- Uses standards-based technology to control network access
- Extends authentication to other security areas: authorization, access control, and policy enforcement
- Controls are exercised at the link layer, so all services riding on it can use link layer services
- Interoperates in wired, wireless, & switching scenarios
- Reduces overall IT costs by preventing external and internal threats
- Enables and performs centralized user administration

14 802.1x Markets and Applications
- SOHO/Telecommuter
- Enterprise: wired, wireless, remote access
- Service provider: Metro Ethernet

15 SOHO / Telecommuter
Diagram labels: Corporate user; VPN Tunnel; Service Provider; Personal user; Today's Enterprise
- Barriers: the "Spouse and Kids Problem"
- Difficult to prevent unauthorized "home users" from accessing the corporate network
- No prevention of rogue wireless access points
Speaker notes: This can be done today, but only with the VPN. You need to implement a combination of split tunneling and individual user authentication. The limitation is that the personal users can't go to the Internet unless the VPN tunnel is up; you don't get the split tunnel rules downloaded and usable until you build the tunnel. So, if the VPN 3002 also requires external device authentication, then if the tunnel dies and the corporate user isn't home to log the box back in, the personal users are dead in the water. That's a security tradeoff. IOS and PIX Easy VPN clients will get individual user authentication eventually, but not for at least several months. The VPN 3002 can support an IP phone without requiring that device to be authenticated explicitly. This feature is also not yet implemented for other Easy VPN clients. The IP phone requires running the Easy VPN client in Network Extension mode so that the phone gets an address that is usable on the corporate network. No CCIE required, but for now it's a 2-box solution (even if the second box is just a generic cable/DSL modem).

16 SOHO / Telecommuter (Cont.)
802.1x Integration
Diagram labels: Corporate user (uses tunnel); VPN Tunnel; Service Provider; Personal user (straight to Internet)
- Prevents unauthorized users from accessing the corporate network
- Identifies the IP phone, identifies the policy, and uses the corporate VPN tunnel
- Identifies individual wireless access points, applies the policy, and enables authorized users to access the VPN tunnel
- Cisco IOS® Software 802.1x Phase 1 addresses all of these issues
Speaker notes: same as slide 15.

17 Metro Ethernet - 802.1x
Diagram labels: Supplicant PAE; POP CE authentication by SP (optional UNI feature); PE-CLE authentication by SP

18 SOHO / Telecommuter Customers
ABB, Intel, Verizon, Home Depot

19 Metro Ethernet Customers
Time Warner, Verizon, Swisscom, SBC, Telecom Italia, Bell Canada, AT&T, Sprint, Bell South, EDDI, Cox Cable, Reliance, FastWeb, NTT

20 802.1x Target Platforms
- Access routers: Cisco 800 – 3700 Series Routers
- Metro Ethernet hardware: Cisco 2750, 3550, and Congo Routers; Cisco Catalyst® 4500 and 6500 Series Switches; Cisco 7600, 10000, and Series Internet Routers

21 Cisco Products with 802.1x
- Cisco Aironet
- Cisco Catalyst 4000 and 4500 Series Switches
- Cisco ACS Server
- Cisco Catalyst 6500 Series Switch
- Cisco Catalyst 2950, 3550, 3750 Routers

22 Cisco Catalyst 6500 Series Support
Cisco Catalyst switch portfolio:
- Basic 802.1X Support
- 802.1X with VLANs
- 802.1X with Port Security
- 802.1X with VVID
- 802.1X Guest VLANs
- 802.1X with ACLs
- High Availability for 802.1X
- High Availability for Port Security

23 802.1x in Cisco IOS Software
- Control who is allowed access earlier and sooner in the stack by building authentication at the link layer (Layer 2)
- Use standards-based 802.1x technology so it is easier to interoperate with switches and wireless access points
- Extend 802.1x services to leverage other identity and security services
- Address SOHO/Telecommuter, wired and wireless Enterprise, and Service Provider markets

24 802.1x in Cisco IOS Software (Cont.)
- Build common 802.1x features to address the basic building blocks (Release 12.3T)
  - Authenticator
  - Supplicant
  - EAP transport capability for different hashing types
  - Mutual authentication
- Port common functionality to Release 12.2S and derivatives
- All supported hardware must add unique 802.1x functionality

25 802.1x Roadmap Phase Summary
- Phase 1: Authenticator
- Phase 2: Supplicant, mutual authentication
- Phase 3: Metro Ethernet market
- Phase 4: Wireless, iEdge

26 802.1x Phase 1 (Release 12.3(4)T)
- 802.1x authenticator support in Cisco IOS Software
- MAC based authentication
- Static DHCP address pools
- Default authorization policy
- Split tunneling
- Multi-auth support
- Stealth deployment

27 802.1x Phase 2 (Target: Release 12.3(5th)T)
- 802.1x supplicant support in Cisco IOS Software
- Mutual authentication
- Support for EAP transport: EAP MD5, EAP TLS
- Policy enforcement to include user access restrictions

28 802.1x Phase 3 (Target: Release 12.2(Rls6)S)
- Addresses the Metro Ethernet market segment
- Common feature code from Phase 2
- Hardware-specific feature code and test strategies will be determined with the hardware teams
- Metro Ethernet platforms: Cisco 2750, 3750, Congo, 6500, and 7600 Series

29 802.1x Phase 3.1 (Target: Release 12.2(Rls7)S)
- Add additional hardware products for the Metro Ethernet market segment
- New hardware products will be supported: Cisco 4500 Series Switch; Cisco and Series Internet Routers

30 802.1x Phase 4 (Target: Release 12.3(6th)T)
- RADIUS proxy
- IP phone
- Monitoring and management
- 802.1x MIB
- Scalability and high availability

31 802.1x Phase 5 (Target: Release 12.3(7th)T)
- Interoperability with wireless access points
- Antibody iEdge interoperability

32 References
- Ian Foo: slide presentation at brown-bag lunch
- Ken Hook: IBNS launch
- Eric Voit: Metro Ethernet slide presentation
- Eric Marin: slide presentation

33 802.1x Overview, 11/03 © 2003 Cisco Systems, Inc. All rights reserved.

