Peter Sakala - University of Žilina - cisco-expo-2009 presentation (transcript)

IP Telephony & IBNS
IP Telephony in an 802.1X network environment (original title: IP Telefónia v prostredí sietí s 802.1x)
Peter Sakala

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Session Objectives

• Understand How Phones Work on an 802.1X-Enabled Network
  – Challenges
  – Techniques
  – Best Practices
• Learn How Deployment Scenarios Can Simplify IP Telephony + 802.1X Implementations
  – Monitor Mode
  – Low Impact Mode

How Phones Work in an 802.1X-Enabled Network

802.1X + IPT: First Challenge

[Figure: one switchport, before and after authentication]
Before authentication: the switchport sees an unknown device (?) and all traffic except EAPoL is dropped, so the phone's DHCP, TFTP, KRB5 and HTTP go nowhere. No 802.1X = No Access!
After authentication: the switchport forwards DHCP, TFTP, KRB5 and HTTP for the known phone (CP-7961G-SEP001E4AA900A8).

802.1X + IPT: Second Challenge

• Multiple MACs not allowed
  • Helps ensure validity of authenticated session
  • Negative consequences for phones

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator

[Figure: one device on the switchport is 802.1X-authenticated (√ Authenticated); the second MAC on the same port, phone plus PC, triggers a SECURITY VIOLATION]

First Solution: CDP Bypass

    interface fastEthernet 3/48
     switchport voice vlan 10
     authentication port-control auto
     dot1x pae authenticator

[Figure: the phone announces itself with CDP and is placed in the Voice VLAN without authenticating; the PC behind it authenticates with EAPoL (√ Authenticated) into the Data VLAN]

Benefits:
• Easy phone interop in 802.1X-enabled network
• Default behavior: Cisco IP Phones get access if voice VLAN configured
• Works for all Cisco phone models
• Quick & Easy

Deployment Considerations:
• CDP-capable hackers get full access, too.
• Voice is no more secure than it was before 802.1X: no visibility, no access control
• Incompatible with dynamic VVID, dACLs & Web Auth for PCs
• Not Identity-Enabled

Second Solution: Multi-Domain Authentication (MDA) Host Mode

    interface fastEthernet 3/48
     authentication host-mode multi-domain

[Figure: the phone authenticates with EAPoL or its MAC (√ Authenticated) into the Voice Domain; the PC behind it authenticates with EAPoL (√ Authenticated) into the Data Domain]

Benefits:
• Secure 802.1X or MAB authentication of the IP phone AND PC (removes CDP vulnerability)
• Compatible with IBNS features: dynamic VVID, downloadable ACLs (dACLs), Web Auth
• Works for all phones, but retains Cisco-on-Cisco value for Cisco phones

Deployment Considerations:
• Authentication type impacts timing, pre-deployment tasks
• AAA server dependency: centralized policy assigns phones to voice domain
• Not all phones support 802.1X

AAA Server Considerations

• Scalability: do phones double the AAA server load?
  – Phones stay authenticated until link down (or re-auth).
    • Wired phones don’t move much.
    • 802.1X can be selectively enabled on phones (no avalanche)
  – Use centralized policy to exempt phones from re-auth.
• ACS 5 Improvements
  – New Linux-based architecture: flexible & powerful policy model, incremental replication, distributed deployment, single master model, centralized logging
  – Free 90-day license for VM: http://www.cisco.com/cgi-bin/tablebuild.pl/acs5-eval

MDA with MAC Authentication Bypass (MAB)

[Figure: timeline for a phone with MAC 00.18.ba.c7.bc.ee on a Layer 2 point-to-point link to the switch, with a Layer 3 link from the switch to the AAA server]
  Link up
  EAP-Identity-Request -> Timeout, no response
  EAP-Identity-Request -> Timeout, no response
  EAP-Identity-Request -> Timeout, no response
  Fallback to MAB: learn MAC 00.18.ba.c7.bc.ee
  RADIUS Access-Request: 00.18.ba.c7.bc.ee
  RADIUS Access-Accept: device-traffic-class=voice -> Voice VLAN enabled √

Benefits:
• No client, no credential needed -> works for all Cisco phone models
• Enables visibility & access control. PAP is not process-intensive
• Compatible with IBNS features

Deployment Considerations:
• Default 802.1X timeout = 90 seconds latency
• Must create & maintain phone MAC database (internal to AAA server or LDAP)
• AAA server must be configured to assign phone to voice domain

MAB Latency Solutions

1. Shorten 802.1X Timeout
   Timeout = (max-reauth-req + 1) * tx-period
   max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
   tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
   Shown in the figure: 2 seconds to MAB
2. Flex-Auth Order
   Do MAB first for all devices: MAB on first packet
   Control plane traffic increases for all devices
3. Low Impact Mode
   More on this later…
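The timeout formula above, worked through as an added example that is not part of the presentation. It computes the wait a MAB-only phone sits through before the switch falls back to MAB, lists the EAP-Identity-Request retransmissions leading up to it, models the Flex-Auth "MAB first" order as a zero-wait fallback, and renders the interface sub-commands (dot1x max-reauth-req, dot1x timeout tx-period, authentication order) that set the timers. The function names are this example's own.

```python
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default: EAP-Identity-Request is retransmitted twice
DEFAULT_TX_PERIOD = 30       # IOS default: 30 seconds to wait for a response


def dot1x_timeout(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD):
    """Seconds from link-up until the switch gives up on 802.1X and falls back to MAB."""
    if max_reauth_req < 1 or tx_period < 1:
        raise ValueError("max-reauth-req and tx-period must both be at least 1")
    return (max_reauth_req + 1) * tx_period


def fallback_timeline(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD,
                      mab_first=False):
    """Events seen by an endpoint with no supplicant: [(seconds since link-up, event)]."""
    events = [(0, "link up")]
    if mab_first:
        # Flex-Auth order 'mab dot1x': the switch learns the MAC from the first frame
        events.append((0, "MAB: RADIUS Access-Request for the learned MAC"))
        return events
    for n in range(max_reauth_req + 1):
        events.append((n * tx_period, f"EAP-Identity-Request #{n + 1}"))
        events.append(((n + 1) * tx_period, "timeout, no response"))
    events.append((dot1x_timeout(max_reauth_req, tx_period),
                   "fallback to MAB: RADIUS Access-Request for the learned MAC"))
    return events


def interface_config(max_reauth_req, tx_period, mab_first=False):
    """Interface sub-commands that set these timers (only the lines relevant here)."""
    lines = [f"dot1x max-reauth-req {max_reauth_req}",
             f"dot1x timeout tx-period {tx_period}"]
    if mab_first:
        lines.append("authentication order mab dot1x")
    return lines


if __name__ == "__main__":
    print("default timeout:", dot1x_timeout(), "s")          # 90
    print("slide's tuned timeout:", dot1x_timeout(1, 1), "s")  # 2
    for t, event in fallback_timeline():
        print(f"{t:4d}s  {event}")
    print("\n".join(interface_config(1, 1, mab_first=True)))
```

With the defaults the timeline shows three identity requests at 0, 30 and 60 seconds and the MAB fallback at 90 seconds; max-reauth-req 1 with tx-period 1 gives the 2 seconds quoted on the slide. The trade-off to keep in mind is that a very short tx-period also hurries endpoints that do have a supplicant but answer slowly, which is why the deck offers Flex-Auth order and Low Impact Mode as alternatives.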

Phone MAC Database

1) Manual import of phone MACs to ACS internal DB: Export (from CUCM) -> Format (script) -> Import (into ACS)
2) Pre-deployment phone profiling: the AAA server asks the profiler over an LDAP bind "00.18.ba.c7.bc.ee?" and gets "Cisco 7960 IP Phone!" back, then answers the switch with Access-Accept, device-traffic-class=voice

Today DBs are kept in sync manually!

MDA with 802.1X

[Figure: Supplicant (phone) -- Layer 2 point-to-point link -- Authenticator (switch) -- Layer 3 link -- AAA Server; message labels as on the slide]
  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAPoL Response Identity
  Authenticator -> AAA Server: RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
  AAA Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request: TLS]
  TLS handshake (Client Hello, Server Hello, ...) carried in EAP-Request / EAP-Response, relayed inside RADIUS Access-Request / Access-Challenge pairs
  AAA Server -> Authenticator: RADIUS Access-Accept [AVP: device-traffic-class=voice] [AVP: voice VLAN 10, dACL-n]
  Authenticator -> Supplicant: EAP Success
  Whole exchange: about 1.5 seconds

Actual exchanges depend on EAP method (MD5, TLS, FAST)

Benefits:
• Strong authentication with minimal delay
• Can be deployed without touching the phone or creating a database.
• Compatible with IBNS features

Deployment Considerations:
• Choice of EAP method impacts deployability
• Requires: 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
• AAA server dependency

802.1X EAP Methods on Phones

Method: EAP-MD5
  Phone credential: Username / password
  Deployment considerations:
  • Password manually configured on phone
  • Phone name / password must be in AAA database
  Verdict: DIFFICULT TO DEPLOY

Method: EAP-FAST with TLS
  Phone credential: MIC or LSC for initial PAC provisioning, then PAC
  Deployment considerations:
  • Not supported on ACS 5.0 or 5.1
  • Supported on ACS 4.2 with PAC-Free + PKI Authz Bypass feature in NAP
  Verdict: Deployable with ACS 4.2

Method: EAP-TLS
  Phone credential: MIC or LSC
  Deployment considerations:
  • Never need to touch the phone: all config done from CUCM GUI (7.1.2)
  • ACS 5 does not require username lookup after TLS cert validation -> no need to enter phone names in any database
  Verdict: Deployable with ACS 5.x

EAP-TLS: MIC or LSC?

• MIC comes on every 802.1X-EAP-TLS-capable phone
  – LSCs are more work to configure on CUCM side, but security-conscious customers may already be doing the work
  – From 802.1X perspective, both are same amount of config
• Security policy can leverage certificate type
  – Every TLS-capable Cisco phone will have a MIC
  – Only a customer’s phone will have LSC
• Example: use both MIC & LSC to bootstrap phone:
  1) EAP-TLS with MIC -> Limited Access
     permit TFTP to CUCM (to pull the CTL and config file)
     permit TCP port 3804 to CUCM (to request LSC)
  2) EAP-TLS with LSC -> Full Access
     permit ip any any

EAP Method Selection

• Phone with 802.1X enabled has all EAP methods enabled
• Problem: if ACS proposes MD5, phone will agree even if no password configured on phone -> failed auth.
• Solution: disable MD5 on ACS. If MD5 is required for other devices, disable MD5 in a phone-specific Access Service.

[Figure: ACS 5 protocol settings; ACS 5 tries each method in order, so MD5 must be unchecked for phones]

Enabling 802.1X on phones

Old Way: difficult to deploy en masse
New Way (CUCM 7.1.2):
• In Phone Config or BAT Template
• Select “Enabled”
• No need to touch the phone
• Phone must be on the network when you do this.

Enabling 802.1X Post-Deployment

How do you enable 802.1X on a phone via the network if the phone needs 802.1X to get on the network?

1. Non-802.1X staging area: initial phone boot-up in a network without 802.1X
2. Do it the “Old Way”: works for one-offs, not mass deployments
3. MAB -> 802.1X: use MAB to get the device on the network, grant just enough access to download the config file, phone resets with 802.1X enabled
4. Low Impact Mode: more on this later…

Default Security: Link State

IP Telephony obscures the 802.1X state machine of endpoint changes

[Figure: Switch 802.1X State Machine, which triggers on link state changes]
  Endpoint connects -> Link Up -> Authentication, Authorization, Accounting
  Endpoint disconnects -> Link Down -> link state change triggers the 802.1X state machine

[Figure: Switch 802.1X State Machine with IP Phone: undetectable link state changes]
  PC behind the phone disconnects -> switchport link still up
  SWITCHPORT HAS NO KNOWLEDGE OF PC DISCONNECT: NO LINK STATE CHANGE, NO 802.1X AWARENESS

IPT & 802.1X: The Link-State Problem

[Figure: two Catalyst 3750 switches; in both, the port is authorized for 0011.2233.4455 only]
1) Legitimate users cause security violation: when another device (S:6677.8899.AABB) replaces the authorized endpoint (S:0011.2233.4455) behind the phone, the port raises a Security Violation
2) Hackers can spoof MAC to gain access without authenticating: a device presenting S:0011.2233.4455 is forwarded on the still-authorized port (Security Hole)

Link State: Three Solutions

[Figure: three Catalyst 3750 switches, one per solution, each with an SSC supplicant behind the phone and each ending in "Session Cleared"]

Proxy EAPoL-Logoff
• Requires Logoff-capable phone
• Only works for 802.1X endpoints

Inactivity Timer
• Switch feature
• Works for MAB endpoints
• Port vulnerable during timeout
• Quiet devices may get kicked off

CDP 2nd Port Status (CDP Link Down)
• Works for all 802.1X, MAB, Web-Auth.
• Nothing to configure
• Combined switch + phone feature.
Cisco on Cisco Value!
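An added example, not from the presentation, that ties together two parts of the deck in one small model of a switchport's 802.1X session table: the host modes from the "Second Challenge" and MDA slides (why a phone plus PC trips a security violation in single-host mode, how multi-domain admits one voice and one data MAC, and how multi-auth, used later by Monitor Mode, admits several data MACs) and the link-state problem above (a PC unplugged behind a phone stays authorized until Proxy EAPoL-Logoff, the inactivity timer or CDP 2nd-port status clears the session). Domain placement follows the AAA attribute device-traffic-class=voice as on the MDA slides. The model ignores CDP bypass, and the class and method names are this example's own, not IOS behaviour descriptions.

```python
from dataclasses import dataclass, field

VOICE, DATA = "voice", "data"


@dataclass
class Session:
    mac: str
    domain: str          # "voice" or "data"
    method: str          # "dot1x" or "mab"
    idle: int = 0        # seconds without traffic, for the inactivity timer


@dataclass
class Port:
    host_mode: str = "single-host"   # "single-host" | "multi-domain" | "multi-auth"
    inactivity_timeout: int = 0      # seconds; 0 means the inactivity timer is off
    sessions: dict = field(default_factory=dict)    # mac -> Session
    violations: list = field(default_factory=list)  # MACs refused by the host mode

    def authorize(self, mac, method, avps):
        """AAA returned Access-Accept for `mac`: admit it or record a violation."""
        mac = mac.lower()
        # device-traffic-class=voice from the AAA server puts the MAC in the voice domain
        domain = VOICE if avps.get("device-traffic-class") == VOICE else DATA
        if mac in self.sessions:
            return "authorized"                     # re-authentication of a known MAC
        occupied = [s.domain for s in self.sessions.values()]
        if self.host_mode == "single-host":
            ok = not occupied                       # exactly one MAC per port
        elif self.host_mode == "multi-domain":
            ok = domain not in occupied             # one data MAC plus one voice MAC
        elif self.host_mode == "multi-auth":
            ok = domain == DATA or VOICE not in occupied   # many data MACs, one voice MAC
        else:
            raise ValueError(f"unknown host mode {self.host_mode}")
        if not ok:
            self.violations.append(mac)
            return "violation"
        self.sessions[mac] = Session(mac, domain, method)
        return "authorized"

    def is_authorized(self, mac):
        return mac.lower() in self.sessions

    # The three ways a PC-behind-phone disconnect can clear the PC's session.
    def proxy_eapol_logoff(self, mac):
        """Phone sends EAPoL-Logoff for the PC: clears 802.1X sessions only."""
        s = self.sessions.get(mac.lower())
        if s is None or s.method != "dot1x":
            return False
        del self.sessions[s.mac]
        return True

    def tick(self, seconds, active_macs=()):
        """Inactivity timer: drop any session quiet for at least the timeout."""
        active = {m.lower() for m in active_macs}
        for s in list(self.sessions.values()):
            s.idle = 0 if s.mac in active else s.idle + seconds
            if self.inactivity_timeout and s.idle >= self.inactivity_timeout:
                del self.sessions[s.mac]

    def cdp_second_port_down(self, pc_mac):
        """Phone reports its PC port link-down over CDP: works for any auth method."""
        return self.sessions.pop(pc_mac.lower(), None) is not None


def phone_and_pc(host_mode):
    """Phone (MAB, voice) then PC (802.1X, data) on one port: the 'second challenge'."""
    port = Port(host_mode)
    phone = port.authorize("00:18:ba:c7:bc:ee", "mab", {"device-traffic-class": "voice"})
    pc = port.authorize("00:11:22:33:44:55", "dot1x", {})
    return phone, pc


if __name__ == "__main__":
    for mode in ("single-host", "multi-domain", "multi-auth"):
        print(f"{mode:13s} phone={phone_and_pc(mode)[0]:10s} pc={phone_and_pc(mode)[1]}")
```

Running the three host modes shows the phone admitted everywhere and the PC refused only in single-host mode. The link-state half is best read through the test below: a MAB-authenticated PC cannot be cleared by Proxy EAPoL-Logoff (the phone has nothing to log off on its behalf), the inactivity timer clears it only after the configured quiet period, and the CDP second-port notification clears it immediately regardless of method, which is why the slide calls that the "works for all" option.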

Best Practices: Summary

3rd Gen phone (X.509 cert support, firmware 8.5(2)):
• Catalyst switch: 12.2(50)SE3 (2k, 3k), 12.2(52)SG (4k), 12.2(33)SXI (6K)
• ACS version 5.0, CUCM 7.1.2
• Phone: EAP-TLS, CDP 2nd Port
• Switch: 802.1X with MDA, CDP 2nd Port, Monitor/Low Impact
• ACS: “Touchless” EAP-TLS
• CUCM: Remote 802.1X Enable

2nd Gen phone (firmware 8.1(1)):
• Catalyst switch: 12.2(50)SE3 (2k, 3k), 12.2(52)SG (4k), 12.2(33)SXI (6K)
• ACS, CUCM
• Phone: CDP 2nd Port
• Switch: 802.1X with MDA, CDP 2nd Port, Flex-Auth, Timers, Monitor/Low Impact
• ACS / CUCM: MAC Import/Update Finisher

Deployment Scenarios

Why Deployment Scenarios?

• Features != a solution
• Deployment scenarios
  – Highlight effectiveness and applications of new features
  – Simplify deployments by following a blueprint
  – Combine features that interoperate most effectively
  – Phase deployments for minimal impact to end users
  – Customize basic blueprint as needed
• Two Scenarios:
  – Monitor Mode
  – Low Impact Mode

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html

Scenario 1: Monitor Mode Overview

Monitor Mode Goals
• No impact to existing network access
• See…
  …what is on the network
  …who has a supplicant
  …who has good credentials
  …who has bad credentials
• Deterrence through accountability

Monitor Mode: How To
• Enable 802.1X & MAB
• Enable Open Access
  – All traffic in addition to EAP is allowed
  – Like not having 802.1X enabled except authentications still occur
• Enable Multi-Auth Host-Mode (superset of Multi-Domain)
• Disable VLAN / ACL Authorization

[Figure: phone and SSC supplicant on an open-access port]

Monitor Mode: Next Steps

• Evaluate Remaining Risk
• Analyze Failures
• Prepare the Network for Access Control in Later Phases

AAA Records -> Next Step
• Phones passed 802.1X with phone profile / Phones passed MAB with phone profile -> Ready for access control
• Phones passed 802.1X without phone profile / Phones passed MAB without phone profile -> Fix authorization rules in ACS
• Phones failed 802.1X -> Disable MD5 on ACS; import correct CUCM certs to ACS
• Phones that failed MAB -> Import MAC to ACS, troubleshoot Profiler

Scenario 2: Low Impact Mode

Low Impact Mode Goals
• Begin to control/differentiate network access
• Minimize impact to existing network access
• Retain visibility of Monitor Mode
• “Low Impact” == no need to re-architect your network
  – Keep existing VLAN design
  – Minimize LAN changes

Low Impact Mode: How To
• Start from Monitor Mode
• Add new features for access control
  – downloadable ACLs
  – Multi-Auth --> MDA
• Nothing to add to CUCM

Monitor mode vs. Low-impact mode

[Figure: comparison of the two modes; the slide carries no further text]

Example: Using Low Impact Mode to bootstrap a new phone

[Figure: a new phone on a switchport, with the CUCM/TFTP server at 10.100.10.238. A Pre-Auth ACL on the port lets the phone do DHCP and TFTP (CTL, CNF) while EAPoL is still in progress; after authentication the RADIUS Access-Accept carries ACL: AUTH. The ACL text on the slide:]

    permit ip host 10.100.20.200 any
    permit udp any any eq bootps
    permit udp any host 10.100.10.238 eq tftp
    permit udp any host 10.100.10.238 range 32768 61000

• Pre-auth ACL allows just enough access for config, CTL
• New config enables 802.1X on phone
• After 802.1X, phone has full access
• Same idea can give MAB phones access before 802.1X times out
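An added example, not from the presentation, for checking what a "just enough access" ACL like the one above actually lets a booting phone do. It parses the four permit lines from this slide and evaluates constructed packets against them with the implicit deny at the end, and it does the same for the MIC-bootstrap policy on the "EAP-TLS: MIC or LSC?" slide (TFTP and TCP 3804 to CUCM for a MIC, permit ip any any for an LSC). The CUCM address 10.100.10.238 is taken from this slide and assumed to be the same server in the MIC case; only the IOS ACL syntax these lines use is supported, and the function names are this example's own.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "www": 80}

# The ACL text from the slide.
PRE_AUTH_ACL = """
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
"""

# Assumed rendering of the MIC limited-access policy: TFTP and TCP 3804 to CUCM only.
MIC_LIMITED_ACL = """
permit udp any host 10.100.10.238 eq tftp
permit tcp any host 10.100.10.238 eq 3804
"""
LSC_FULL_ACL = "permit ip any any"


def _port(tok):
    """Named or numeric port from an ACE."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_acl(text):
    """Return a list of ACEs: (action, proto, src_net, dst_net, (lo, hi) or None)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        ports = None
        if i < len(t) and t[i] == "eq":
            ports = (_port(t[i + 1]), _port(t[i + 1]))
        elif i < len(t) and t[i] == "range":
            ports = (_port(t[i + 1]), _port(t[i + 2]))   # TFTP data uses ephemeral ports
        entries.append((action, proto, src, dst, ports))
    return entries


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, src_net, dst_net, ports in acl:
        if aproto != "ip" and aproto != proto:          # 'ip' matches every protocol
            continue
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(PRE_AUTH_ACL)
    # Constructed packets: a phone at 10.100.20.50 booting behind the pre-auth ACL
    for pkt in [("udp", "0.0.0.0", "255.255.255.255", 67),      # DHCP discover
                ("udp", "10.100.20.50", "10.100.10.238", 69),    # TFTP request for CTL/CNF
                ("udp", "10.100.20.50", "10.100.10.238", 40000), # TFTP data transfer
                ("tcp", "10.100.20.50", "10.100.10.238", 80),    # web access: not yet
                ("udp", "10.100.20.50", "10.100.10.1", 69)]:     # TFTP to another host
        print(pkt, "->", evaluate(acl, *pkt))
```

Reading the results: DHCP and the TFTP exchange with 10.100.10.238 pass, while HTTP to CUCM and TFTP to any other server hit the implicit deny, which is the "just enough access" the slide is after. Swapping in the MIC or LSC ACL shows the bootstrap step from the EAP-TLS slide: a MIC-authenticated phone can fetch its config and reach the CAPF port 3804, and only after it presents an LSC does permit ip any any open everything else.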

Configuring Monitor / Low Impact Modes

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html

Conclusion

Cisco Identity End-to-End

[Figure: Client -- IP Telephony -- Campus Access -- Servers, with single vendor support and solution expertise across the whole path]
• Cisco Identity: Secure Services Client (SSC)
• Cisco IP Telephony: IP Phones, CUCM
• Cisco LAN Switches: Catalyst Switch Portfolio
• Cisco RADIUS: Cisco ACS 5.0
• NAC: Profiler/Guest
• Cisco Stability, features across the solution: CDP 2nd port, MDA, Monitor Mode, Low Impact Mode, Touchless TLS, EAP-TLS, MAB DB, MIC/LSC

Platforms & Versions

Feature                    Switch (3k / 4k / 6k)                     Phones          CUCM    ACS
CDP Bypass                 12.2(25)SEA / 12.1(20)EWA / 12.2(33)SXH   n/a             n/a     n/a
MDA                        12.2(35)SEE / 12.2(44)SG / 12.2(33)SXI    n/a             n/a     Any
MAB                        12.2(25)SEE / 12.2(31)SG / 12.2(33)SXH    n/a             n/a     Any
Flex-Auth Order            12.2(50)SE / 12.2(52)SG / 12.2(33)SXI     n/a             n/a     n/a
EAP-TLS / FAST             n/a                                       8.5(2)          7.1.2   5.0 / 4.2
802.1X Remote Enable       n/a                                       8.5(2)          7.1.2   n/a
Proxy EAPoL-Logoff         n/a                                       7.2(3)          n/a     n/a
Inactivity Timer           12.2(50)SE / 12.2(40)SG / 12.2(33)SXI     n/a             n/a     n/a
CDP 2nd port               12.2(50)SE / 12.2(52)SG / 12.2(33)SXI     8.1(1), 8.5(2)  n/a     n/a
Monitor Mode / Low Impact  12.2(50)SE / 12.2(52)SG / 12.2(33)SXI     n/a             n/a     n/a

Key Takeaways

• IP Telephony + 802.1X showcases Cisco-on-Cisco value
• New features significantly simplify deployment
• Deployment scenarios can be used for a crawl-walk-run approach

Exporting MAC addresses from Call Manager to ACS 5.0

• The process described below has been tested using CUCM 7.1.2 and ACS 5.0
• Step 1: Exporting MAC Address from Call Manager
• Begin the export process at the Bulk Administration menu of the Cisco Unified CM Administration interface. Under Bulk Administration, select Phones, Export Phones, Specific Details.

• The Find and List Phones screen appears. Click Find to look up all phones, or enter more specific criteria to filter out specific phones. For example, if you only want to export the MAC addresses of phones that cannot support IEEE 802.1X, you could filter on Device Type.

• When you have all the phones listed that you wish to export, click Next to continue the export. The Export Phone Configuration screen appears. Specify a filename for the exported MAC addresses and select the Simple Phone Format File Format. Click Submit.

convert.pl:

    #!C:\Perl\bin\perl.exe
    # script name: convert.pl
    # Description: Converts MAC address files exported from Cisco Call Manager
    #              to a format that can be imported into ACS 5
    # usage: convert.pl InputFile OutputFile EnableFlag IdentityGroup
    # alternative usage: convert.pl InputFile OutputFile EnableFlag
    # alternative usage: convert.pl InputFile OutputFile
    use strict;
    use warnings;

    if (@ARGV < 2) {
        die "Insufficient arguments.\nUsage:\n"
          . "  convert.pl InputFile OutputFile EnableFlag IdentityGroup\n"
          . "  convert.pl InputFile OutputFile EnableFlag\n"
          . "  convert.pl InputFile OutputFile\n";
    }
    my ($in_name, $out_name, $enable_flag, $identity_group) = @ARGV;
    $enable_flag    = "true" unless defined $enable_flag;    # default: host enabled
    $identity_group = ""     unless defined $identity_group; # empty: ACS default group

    open(my $in,  "<", $in_name)  or die "Can't open input file $in_name: $!\n";
    open(my $out, ">", $out_name) or die "Can't open output file $out_name: $!\n";

    # Print the required ACS 5 host import template header to the output file
    print $out 'MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256)', "\n";

    # Reformat fields and print to the output file. CUCM exports the device name as
    # SEP followed by 12 hex digits; ACS wants the MAC as xx-xx-xx-xx-xx-xx.
    while (my $line = <$in>) {
        chomp $line;
        next unless $line =~ s/^SEP//;     # skip the header line and non-SEP devices
        my @field = split /,/, $line;
        $field[0] =~ s/^(..)(..)(..)(..)(..)(..)$/$1-$2-$3-$4-$5-$6/;
        my $description = defined $field[1] ? $field[1] : "";
        print $out join(",", $field[0], $description, $enable_flag, $identity_group), "\n";
    }
    close($in);
    close($out);

2nd Gen. and 3rd Gen. Phones

• 3rd Gen.: These are the 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971, 7975.
• 2nd Gen.: phones that do not support X.509 certs, e.g. 7902, 7905, 7910, 7912, 7920, 7935, 7936, 7940, 7960