This white paper provides detailed design and implementation information for deploying IEEE 802.1x-based port authentication with Cisco® Virtual Office. Please refer to the Cisco Virtual Office overview (found at http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.
Purpose and Scope
This guide explains how IEEE 802.1x-based authentication for Ethernet ports is implemented in the Cisco Virtual Office solution. It may not explain all the alternative designs or configuration options.
Introduction
The 802.1x-based authentication described in this document is used to authenticate hosts connecting to the Ethernet switch ports of the router. Switch ports are supported on fixed-configuration and modular integrated services routers (ISR). Modular routers support switch ports as an add-on interface card. A device connecting through the wireless interface will use its own authentication mechanism. Deploying this feature in Cisco Virtual Office ensures that only authenticated hosts can gain access to the VPN. Unauthenticated hosts can access only the Internet. This is particularly helpful for separating "spouse and kids" computers from employee computers.
Following are the important functions provided by this feature.
• User authentication and port security: Only authorized users can access the VLAN.
• Automatic VLAN assignment: The port is assigned the appropriate VLAN based on the user credentials.
• Guest VLAN: Clientless hosts can be assigned to a separate VLAN designated as a guest VLAN.
• Single-host/multihost mode.
802.1x authentication is enabled on the spoke routers, which contact the RADIUS server hosted in the management network for user authentication.
Overview
With this feature, each device connecting to the switch ports of the Cisco Virtual Office spoke router is authenticated. Depending on the outcome of the authentication process, the port is enabled or disabled. Optionally, the port can be placed in a different VLAN with different access permissions.
In Cisco Virtual Office, two VLANs are configured on each spoke. One is the trusted VLAN (for example, VLAN 10), to which all authenticated hosts are connected. Unauthenticated hosts are connected to the nontrusted VLAN (for example, VLAN 20). The trusted VLAN is the default VLAN of the switch ports.
There are three main components in 802.1x-based port authentication. They are the supplicant, the authenticator, and the RADIUS server (Figure 1).
Figure 1. 802.1x Components
The supplicant is the 802.1x client running on the device that needs to be authenticated. Supplicant support may come as part of the operating system or as third-party software. Care should be taken not to run multiple supplicants at the same time. The authenticator is the Cisco Virtual Office spoke router, and the authentication server is a Cisco Secure Access Control Server (ACS).
When a new IP host is connected to the switch port, the router initiates the communication using Extensible Authentication Protocol over LAN (EAPoL). The supplicant running on the device responds to it, and the router then proceeds with further authentication. If there is no response from the device, it is considered to be a clientless device. Once the router gathers the credentials from the device, they are forwarded to the RADIUS server for authentication. If the credentials are valid, the port is enabled and attached to the trusted VLAN. If the credentials are invalid, the port is shut down. If the connected device does not respond to EAPoL messages (clientless device), the port is shut down, or assigned to the guest VLAN if one is configured on the port.
On the Cisco Virtual Office spoke router, the computer with valid credentials is placed in the primary VLAN, and the remaining computers are assigned to the guest VLAN. In this way, hosts are separated into trusted and nontrusted categories based on their 802.1x authentication status. Only traffic from the primary VLAN has access to the VPN tunnel; guest VLAN members can access only the Internet. This separation prevents unsafe hosts from accessing the corporate network.
The authentication mechanisms used in deploying Cisco Virtual Office are EAP-MD5-Challenge, EAP-PEAP, and EAP-TLS (other EAP methods also work as long as both the supplicant and the authentication server support them). The 802.1x supplicant running on the host establishes an EAP session with the Cisco Secure ACS and authenticates itself using username/password credentials. The user account needs to be configured on the Cisco Secure ACS, and the supplicant needs to be configured to perform EAP-MD5-Challenge, EAP-PEAP, or EAP-TLS. EAP-PEAP and EAP-TLS can optionally be configured to authenticate the Cisco Secure ACS using digital certificates; in this case the ACS should be preloaded with a certificate issued by a certificate server. EAP-TLS authenticates the end host using digital certificates along with the supplied user credentials, so each host needs its own certificate from a certificate server that is trusted by the Cisco Secure ACS server.
The configuration interface of the supplicants will depend on the vendor and the supported operating system. Supplicants may provide different options to gather the user credentials. They can prompt the user for credentials at the time of authentication, allow the credentials to be preconfigured, or get the credentials from the operating system (Windows login credentials, for example).
The following sections explain in detail the 802.1x features used in Cisco Virtual Office.
802.1X FEATURES
The following configurations are based on a Cisco 1811 Integrated Services Router running Cisco IOS® Software Release 12.4(20)T. The hosts are connected to the switch ports (FastEthernet2 to FastEthernet9), and FastEthernet0 is connected to the ISP. VLAN 10 is the trusted VLAN, and VLAN 20 is the guest VLAN. For other hardware platforms, the sample configurations may need minor modifications. Each port in the switch card is individually configured to enable 802.1x authentication, so it is possible to configure some ports with authentication enabled and others without.
Basic Port Authentication
This is the basic mode of operation of this feature. Once port authentication is enabled, the router asks for credentials before the host can establish network access. If the connected host has an 802.1x supplicant installed, it will respond with the credentials. If the validation is successful, the port will be enabled and will be part of the designated VLAN. If the authentication fails, the port is shut down.
The port-level configuration needs to be added to each switch port that performs dot1x authentication.
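The global AAA/RADIUS setup and one switch port enabled for basic authentication, as an added example that is not taken from the original paper. The RADIUS server address 192.0.2.10, the VLAN addressing and the shared secret are placeholders; the server group name dot1x matches the aaa commands quoted later in this paper.

```cisco
! Added example: global 802.1x / AAA setup (placeholder addresses and key)
aaa new-model
! RADIUS server group named dot1x, as referenced by the aaa commands in this paper
aaa group server radius dot1x
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group dot1x
! 802.1x must be enabled globally before the per-port settings take effect
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SHARED-SECRET
!
! VLANs 10 and 20 must already exist in the router's VLAN database
! Trusted VLAN (10): authenticated hosts; nontrusted VLAN (20): everything else
interface Vlan10
 description Trusted VLAN - authenticated hosts
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 description Nontrusted VLAN - unauthenticated hosts
 ip address 10.10.20.1 255.255.255.0
!
! One switch port with basic port authentication: the router acts as authenticator,
! "auto" lets the RADIUS result decide; failed or clientless hosts leave the port shut down
interface FastEthernet2
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
!
```

Repeat the interface stanza for each port (FastEthernet3 to FastEthernet9) that should authenticate its host.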
Guest VLAN
Hosts that do not have 802.1x supplicant capability will not be able to respond to the EAPoL requests initiated by the router. Normally, the port will be shut down if the router determines that the connected host is clientless. If the guest VLAN feature is enabled, the port will be associated with a different VLAN instead of being shut down. In the following configuration, the guest VLAN is configured to be VLAN 20.
interface FastEthernet2
switchport access vlan 10
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 20
!
Single-Host/Multihost Mode
The port can be configured to allow only one host or multiple hosts to connect to it. In single-host mode, only one host will be allowed to connect to the port. In multihost mode, more than one host can be connected to the port, using an Ethernet hub attached to it. A single host directly connected to the port will also work in multihost mode. Single-host mode is enabled by default. It should be noted that in multihost mode, the authentication status of the connected port is determined by the first host that attempts the authentication process. If the first host is authenticated, the rest of the hosts get the same access. If the authentication for the first host fails, the remaining hosts get the same limited access. Single-host mode is recommended, as it is more secure to allow only one authorized host per port than to share one authorized port with potentially unauthorized hosts.
interface FastEthernet2
dot1x host-mode single-host
! "dot1x host-mode multi-host" is the other option
Forced Authorization/Unauthorization
When forced authorization is enabled on a port, the clientless hosts can connect to it and still be part of the trusted VLAN. This has the same effect as not enabling dot1x on the port. This technique can be particularly useful if a user wants to connect an IP phone or other device that does not have a supplicant but still needs to be part of the secure VLAN. Any host can be connected to this port and be part of the secure VLAN without going through 802.1x authentication. Similarly, you can force the port to be unauthorized. This has the same effect as shutting down the port.
interface FastEthernet2
dot1x port-control force-authorized
! "dot1x port-control force-unauthorized" has the opposite effect
Reauthentication
The port can be configured to reauthenticate the hosts periodically, and the reauthentication period is also configurable. Periodic reauthentication will remove a host from the trusted VLAN if its credentials are removed from the RADIUS server. It may not help to detect whether a new user is using the authenticated host, mainly because most supplicants cache the credentials once they are entered by the original user. If the Ethernet cable is moved to a new host or the host is rebooted, the switch port will detect the Layer 2 termination and clear the associated 802.1x session. This may not be possible if the port is expanded using a hub: a malicious user can then spoof the MAC address of the authenticated host on a different host and try to use the existing 802.1x session. If reauthentication is enabled, the spoofed host is forced to perform authentication when the reauthentication timer fires.
interface FastEthernet2
switchport access vlan 10
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 600
dot1x reauthentication
!
The timeout can also be supplied by the RADIUS server. The "aaa authorization network default group dot1x" command allows the router to accept authorization attributes, including the session timeout, from the server group called dot1x. The dot1x group is the same one referenced earlier by the command "aaa authentication dot1x default group dot1x." The timeout period is then defined on the RADIUS server itself.
aaa authorization network default group dot1x
interface FastEthernet2
switchport access vlan 10
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication
!
On the Cisco Secure ACS, the session timeout attribute is located under Interface Configuration -> RADIUS (IETF) -> select [027] Session-Timeout. Depending on whether the User or Group column was selected there, the session timeout will appear under the group settings or the user settings. Enter a value in seconds.
Voice VLAN
This feature allows Cisco IP phones to be placed in a separate VLAN when they are connected to an Ethernet switch port. This is not an 802.1x feature, but it is useful because the IP phones may not support an 802.1x supplicant. Placing IP phones in a separate VLAN enables them to bypass 802.1x authentication, and the VLAN can be configured to provide only voice access. The voice VLAN can be configured to use the same Dynamic Host Configuration Protocol (DHCP) pool as the trusted VLAN with the "ip unnumbered Vlan10" command on the voice VLAN sub-interface. If the IP phone is not a Cisco model, the voice VLAN feature will not work automatically; using MAC bypass will permit a non-Cisco phone to be placed onto the voice VLAN.
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
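A voice VLAN interface that borrows the trusted VLAN's addressing and DHCP pool through ip unnumbered, as an added example that is not from the original paper. The addresses, the pool name TRUSTED-VLAN10 and the TFTP server address in option 150 are constructed placeholders.

```cisco
! Added example: voice VLAN 11 shares the addressing of trusted VLAN 10 (constructed addresses)
interface Vlan10
 description Trusted VLAN - authenticated hosts
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 description Voice VLAN - Cisco IP phones bypass 802.1x here
 ip unnumbered Vlan10
!
! DHCP pool for the trusted VLAN; because Vlan11 is unnumbered to Vlan10,
! phones on the voice VLAN draw addresses from this same pool (pool name constructed)
ip dhcp pool TRUSTED-VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 ! option 150 points Cisco IP phones at their TFTP configuration server (placeholder address)
 option 150 ip 10.10.10.250
!
! Switch port: data host on the trusted VLAN, Cisco phone tagged into the voice VLAN
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 dot1x pae authenticator
 dot1x port-control auto
!
```

The phone is identified through Cisco Discovery Protocol and placed in VLAN 11 without 802.1x; the data host behind it still authenticates on VLAN 10.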
Some 802.1x Diagnostic Commands
Table 1 lists some of the 802.1x diagnostic commands.
Table 1. 802.1X Diagnostic Commands
Command                                                                  Description
show dot1x                                                               Display 802.1x overview.
show dot1x interface [FastEthernet | Vlan] [interface number]            Display 802.1x status for the specified interface.
show dot1x interface [FastEthernet | Vlan] [interface number] detail     Display detailed 802.1x status for the specified interface, including details about the associated clients.
                                                                         Force reauthentication of clients associated with a specified interface.
debug dot1x all                                                          Enable all 802.1x debugs.
Cisco Secure ACS
In Cisco Virtual Office, Cisco Secure ACS 4.0 is used to validate user credentials. This is done using a RADIUS server. Cisco Secure ACS is configured to authenticate using "RADIUS (Cisco IOS/PIX 6.0)" mode. Each username and password can be configured on the User Setup interface of Cisco Secure ACS.
Deployment Considerations and Caveats
Hardware and Software Details
The Cisco Virtual Office solution is supported on most Cisco integrated services router platforms (Cisco 880 and above). The 802.1x feature described in this document is supported in Cisco IOS Software Release 12.4(20)T and later.
End-User Experience
The end-user experience will largely depend on the supplicant used. Many 802.1x supplicants are commercially available now. Some supplicants ask for credentials only when an authentication is in progress. This enables the user to enter the credentials dynamically. However, it requires the user to be present when the authentication is taking place, which may not always be practical.
Some clients need the credentials to be preconfigured as user profiles. This helps the clients to authenticate and establish network connectivity when the computer is still booting up. It also does not require the user to be present when the authentication is in progress. This may not be desirable if security procedures require the computer to be authenticated only after the end user logs into it. The supplicant could fulfill this requirement by giving an option to delay authentication until the boot process is complete. It can also give an option to use operating system login credentials as the 802.1x credentials.
DHCP Integration
Some supplicants have integration with the DHCP process running on the host. This allows the option of sending DHCP requests only after the authentication process is completed. That way the computer will get the IP address from the correct DHCP address pool associated with a trusted or nontrusted VLAN, as appropriate.
Client-Initiated Reauthentication
Some supplicants allow the users to initiate a reauthentication from the host side. This can be useful when the end user changes the credentials and wants to apply the new credentials for the authentication. Depending on the previous status, the host could move from a nontrusted VLAN to a trusted VLAN, or vice versa.
Zone-Based Firewall
Zone-Based Policy Firewall (ZFW) is a new way to configure and deploy firewall policies. It allows administrators to apply firewall policies to different zones, where each zone is made up of interfaces with different network privileges. Traffic between two zones is blocked until a policy is set to allow traffic between them. In Cisco Virtual Office, each VLAN interface and the FastEthernet4 interface are in different zones. 802.1x places each connected device in its appropriate VLAN: authenticated devices in VLAN 10, IP phones in VLAN 11, and guests in VLAN 20. Once the devices are connected, ZFW either permits or denies traffic between zones based on the ZFW policies. The Advanced Layered Security guide has more information on ZFW and ZFW configurations.
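The zone layout described above as an added Cisco IOS configuration example; it is not taken from this paper or from the Advanced Layered Security guide. The zone names, the Tunnel0 VPN interface, the voice-to-vpn pair and the inspect policy are assumptions; the point it shows is that with no guest-to-vpn or guest-to-trusted zone pair, VLAN 20 can reach only the Internet.

```cisco
! Added example: one security zone per interface, as the paper describes (zone names constructed)
zone security trusted
zone security voice
zone security guest
zone security internet
zone security vpn
!
interface Vlan10
 zone-member security trusted
interface Vlan11
 zone-member security voice
interface Vlan20
 zone-member security guest
interface FastEthernet4
 zone-member security internet
! Tunnel0 as the VPN tunnel interface is an assumption
interface Tunnel0
 zone-member security vpn
!
! Stateful inspection of all IP traffic in the permitted directions
class-map type inspect match-any ALL-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSPECT-ALL
 class type inspect ALL-IP
  inspect
 class class-default
  drop
!
! Trusted hosts (VLAN 10) reach both the VPN and the Internet
zone-pair security trusted-to-vpn source trusted destination vpn
 service-policy type inspect INSPECT-ALL
zone-pair security trusted-to-internet source trusted destination internet
 service-policy type inspect INSPECT-ALL
! Guest hosts (VLAN 20) reach only the Internet: no guest-to-vpn or guest-to-trusted
! zone pair exists, so traffic from VLAN 20 toward those zones is dropped by default
zone-pair security guest-to-internet source guest destination internet
 service-policy type inspect INSPECT-ALL
! IP phones (VLAN 11) reach call control over the VPN only (assumption)
zone-pair security voice-to-vpn source voice destination vpn
 service-policy type inspect INSPECT-ALL
```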