Cisco ACS 4.2 Unknown User Policy and Windows AD Integration Authentication Example
Table of Contents
1.1. Introduction
1.2. Theory Behind 802.1X Authentication
1.3. Cisco Secure Services Client Supplicant
1.4. Windows Based Authentication Client
1.5. Cisco ACS Side Configuration to Achieve Basic 802.1X Authentication
1.6. Cisco ACS Local Database Users to Be Able to Test the Authentication
1.7. Allow Process Host Lookup for Machine Based Authentication
1.8. Creating an Access Policy for 802.1X Authentication
1.9. Creating an Authorization Profile for the 802.1X Enabled Clients or Machines
1.10. About IP Telephony in Identity-Enabled Networks
1.11. Functional Overview of IP Telephony Networks
1.12. Multi Domain Authentication Traffic Flow
1.13. MAC Databases
1.14. IP Phone Authentication
1.15. Cisco ACS 5.2 Multi Domain Authentication of VoIP Class Traffic Configuration
1.16. Cisco Switch Configuration Example Running C3750-IPBASEK9-M, Version 12.2(55)SE1
Introduction
This document explains the Cisco 802.1X authentication concept, including multi domain authentication (MDA), machine (host) based authentication, MAC Authentication Bypass (MAB) and more.
Theory Behind 802.1X Authentication
At its most basic, 802.1X authentication means authenticating a user or device at the moment it connects to the network, over either a wired or a wireless connection. For an excellent document describing the process and the theory behind it in more detail, please refer to this document from Cisco.
Basic traffic flow
Session authorization: a successful authentication places the user in the appropriate VLAN.
If authentication fails, or the host has no supplicant, the port can instead be placed in a restricted (auth-fail) or guest VLAN until the conditions that put it there change, either because the problem with the machine is fixed or because a network administrator overrides the policy.
If the supplicant submits a valid credential, the authentication server returns a RADIUS Access-Accept message with an encapsulated EAP-Success message. This tells the switch that the supplicant should be allowed access on the port. Optionally, the authentication server may include dynamic network access policy instructions (for example, a dynamic VLAN or access control list [ACL]) in the Access-Accept message. In the absence of dynamic policy instructions, the switch simply opens the port.
Cisco Secure Services Client Supplicant
The Cisco Secure Services Client (SSC) is client software that provides 802.1X (Layer 2) and device authentication for access to both wired and wireless networks. Windows XP Service Pack 3 and later include a similar supplicant as part of the operating system. SSC manages user and device identity and the network access protocols required for secure access. It works intelligently to make it simple for employees and guests to connect to an enterprise wired or wireless network. SSC supports these main features:
• Wired (802.3) and wireless (802.11) network adapters
– SSC is single-homed: only one network adapter can be used
– SSC prioritizes wired network adapters over wireless network adapters
• Integrated VPN support
Below are some screenshots showing how a client policy file was created with the SSC management utility, which is used for large deployments and is available for download to registered Cisco customers.
Windows based authentication client
As mentioned previously, Windows ships with a built-in 802.1X supplicant. Below is an example of the client as tested in our deployment.
A successful authentication by the wired client is shown below.
Cisco ACS Side Configuration to Achieve Basic 802.1X Authentication
The Cisco ACS server configuration for this is simple: define the switch as a RADIUS network device (AAA client) with a shared secret, as shown below. The same secret must be configured on the switch.
Cisco ACS local database users to be able to test the authentication
Allow Process Host Lookup for Machine Based Authentication
Machine based authentication uses the computer account that is a member of your organization's AD domain, instead of a user account, to authenticate the host. For this to work the Cisco ACS server must be joined to the AD domain and its AD identity store must be allowed to process host lookups. For more information on that process please see this document describing how to achieve it.
Creating an Access Policy for 802.1X Authentication
Remember that identity is only the first step of the process. You also need to tell the system what these users are allowed to access once they have been identified.
The screens below expand on these policies: the first deals with machine (host) based authentication and the second with user based authentication.
Creating an Authorization Profile for the 802.1X Enabled Clients or Machines
As mentioned previously, we need to tell the system what these users and machines are allowed to do now that they have been identified. The authorization profile holds the attributes (for example the VLAN assignment) that ACS returns to the switch in the Access-Accept.
About IP Telephony in Identity-Enabled Networks
Cisco IOS software enables standards-based network access control at the access layer by using the IEEE 802.1X protocol to secure the physical ports where end users connect. 802.1X is an IEEE standard for media-level (Layer 2) access control, offering the capability to permit or deny network connectivity based on the identity of the end user or device. The IEEE standard was not, however, designed to accommodate the unique requirements of IP telephony. In particular, IP phones conflict with or complicate the requirements of IEEE 802.1X in the following ways:
● Assumption of network access: By default, IEEE 802.1X-enabled ports deny all access until and unless the attached device has successfully authenticated. IP phones, on the other hand, expect immediate access to the network.
● Support for two devices per port: Cisco IOS software enables IP telephony by allowing the same access switch port to provide network access to an IP phone and a data device connected on the Ethernet port behind the phone, with the phone only capable of sending tagged traffic on the voice VLAN and the PC capable of sending untagged traffic on the data VLAN. This is done to cut down on cabling, capital equipment, and administrative costs. IEEE 802.1X, however, does not address this issue directly.
● Lack of link state awareness: When an IP phone is present, the switch has no knowledge of the link state of the port on the back of the IP phone. IEEE 802.1X-enabled ports, however, rely heavily on link state to determine when to start and stop the authentication state machine. This functionality is essential to ensuring the validity of the authenticated session, thus preventing both security holes and security violations.
Successfully integrating IP telephony in an IEEE 802.1X-enabled network requires an end-to-end solution that can achieve the following:
● Phones that are capable of performing IEEE 802.1X must be configured to do so.
● Phones that are not capable of IEEE 802.1X must be provided with some other means to access the voice network.
● IEEE 802.1X-enabled ports must address IP telephony deployments with a phone and a data device on the same port.
● The lack of link-state awareness must be addressed.
Functional Overview of IP Telephony Networks
This section describes the recommended operation of IP telephony in an IEEE 802.1X-enabled network. The most secure and flexible deployments of IP telephony start with Multi-Domain Authentication (MDA) host mode. MDA is a feature that allows a Cisco Catalyst switch to modify the default IEEE 802.1X requirement that only a single device connect to a switch port, while retaining the security and visibility that IEEE 802.1X provides. When properly enabled for MDA, the switch divides the switch port into two virtual "domains" (a domain is equivalent to a VLAN on a wired network). The switch independently and asynchronously authenticates the phone and the device behind the phone. When the phone authenticates successfully, it is given access to the voice domain. When the device behind the phone is authorized, it is given access to the data domain.
Multi domain authentication traffic flow
MAC Databases
The other major consideration for deploying MAB for IP phones is how to create and maintain a MAC database that the AAA server can reference when validating the MAC address of the phone. The quickest way to create a MAB database for an existing Cisco IP phone deployment is to export the MAC addresses of all registered non-IEEE-802.1X-capable phones from CUCM and import them into your AAA server or an identity store (such as an LDAP directory) that your AAA server can query. Both CUCM and ACS provide GUI support for exporting and importing MAC addresses.
If you simply want to bypass authentication for the IP phones, without a more complex solution for tracking every MAC address in your organization, you can match the phones on their vendor OUI: the first three octets of the MAC address, which the IEEE assigns to each manufacturer and publishes in its OUI registry. Be aware that an OUI match admits any device that presents a MAC address with that prefix, and MAC addresses are trivial to clone, so the authorization profile returned for such a match must grant nothing beyond the voice domain.
For example, to match the MAC address range of Avaya phones you can use the policy below.
The OUI assigned to these phones is 00-04-0D (hex), Avaya, Inc.
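The script below is an added example, not part of the original article or of any Cisco or Avaya tool. It takes a CUCM-style export (the sample text is constructed, in the mixed MAC formats that turn up in practice, including the "SEP" device names CUCM uses), normalizes every address into the hyphenated form ACS lists internal hosts in (an assumption about your ACS version; adjust the separator if yours differs), drops duplicates, and splits the result into phones whose OUI is on your allowed list and entries that need a human to look at. Only the Avaya OUI from the text is pre-loaded; any other phone vendors must be added from the IEEE registry.

```python
"""Build a MAB host list from a CUCM-style export and check phone OUIs.

Added example, not part of the original article or any Cisco tool. The
CUCM_EXPORT text is constructed sample data; the only OUI taken from the
article is Avaya's 00-04-0D. Add other phone OUIs from the IEEE registry.
"""
import re
from typing import Optional

# Constructed sample export: header row, then "device,description" lines in the
# formats seen in the field (CUCM "SEP" names, colon-, hyphen- and dot-separated).
CUCM_EXPORT = """\
Device Name,Description
SEP00040D1A2B3C,Lobby phone
00:04:0d:1a:2b:3d,Desk 12 phone
00-04-0D-1A-2B-3E,Desk 13 phone
0004.0d1a.2b3f,Conference room
SEP00040D1A2B3C,Duplicate lobby entry
001122334455,Unknown vendor - not a phone
"""

# OUI from the article. Extend this dict for the phone vendors you actually deploy.
PHONE_OUIS = {"00-04-0D": "Avaya, Inc."}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as XX-XX-XX-XX-XX-XX (assumed ACS internal-host form),
    or None if the field does not contain exactly 12 hex digits."""
    s = raw.strip().upper()
    if s.startswith("SEP"):            # CUCM device names are SEP + MAC
        s = s[3:]
    s = re.sub(r"[^0-9A-F]", "", s)    # drop ':', '-', '.' and any other noise
    if not _HEX12.match(s):
        return None
    return "-".join(s[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of a normalized MAC, e.g. '00-04-0D'."""
    return mac[:8]


def build_mab_list(export_text: str, allowed_ouis=PHONE_OUIS):
    """Parse the export, normalize and de-duplicate MACs, and split them into
    hosts whose OUI belongs to a known phone vendor and hosts needing review.
    Returns (phones, review): phones maps MAC -> description, review maps the
    offending field -> reason."""
    phones, review = {}, {}
    for line in export_text.splitlines()[1:]:      # skip the header row
        if not line.strip():
            continue
        raw, _, desc = line.partition(",")
        mac = normalize_mac(raw)
        if mac is None:
            review[raw.strip()] = "unparseable MAC"
            continue
        vendor = allowed_ouis.get(oui(mac))
        if vendor:
            phones.setdefault(mac, desc.strip())   # setdefault keeps the first copy
        else:
            review[mac] = "OUI %s not in phone list" % oui(mac)
    return phones, review


if __name__ == "__main__":
    found, flagged = build_mab_list(CUCM_EXPORT)
    for mac, desc in sorted(found.items()):
        print("phone  %s  %s" % (mac, desc))
    for key, reason in sorted(flagged.items()):
        print("review %s  %s" % (key, reason))
```

The "review" bucket is the point of the exercise: an address that is not a phone OUI should never be bulk-imported into the MAB identity group, because whatever lands there is admitted with no credential check at all, and the only thing standing between an attacker and the voice VLAN is a MAC address they can set on any laptop.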
IP Phone Authentication
When a phone first plugs into a switch port, the link-up event triggers the start of the IEEE 802.1X state machine on the port. To get network access, the phone must now authenticate. Phones can authenticate in one of two ways: IEEE 802.1X or MAC Authentication Bypass (MAB). As part of a successful authentication, the AAA server must inform the switch that the authenticated device is a phone.
A typical MAB authentication for a phone is shown in Figure 3 below. The switch initially tries to authenticate the phone using IEEE 802.1X. When there is no response to the EAP Identity-Request messages, the switch times out and falls back to MAB.
Cisco ACS 5.2 Multi Domain Authentication of VoIP Class Traffic Configuration
In today's organizations users usually reach the network through the data port on the back of an IP phone, as shown below.
It is important to note that if you are bypassing authentication for the IP phones with MAB you MUST NOT give them privilege level 15 (the cisco-av-pair shell:priv-lvl=15 is a device administration attribute and has no place in a phone profile). The phones' authorization profile should only tell the switch that the incoming traffic class is voice (the cisco-av-pair device-traffic-class=voice, which puts the phone in the voice domain) and nothing else, as shown below.
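What the switch actually receives from the two authorization profiles discussed on this page (the user or machine profile from the Theory section, which may carry a dynamic VLAN, and the phone profile above, which must carry only the voice class) is a RADIUS Access-Accept. The block below is an added example, not ACS code or anything from the original article: it builds two constructed Access-Accepts the way a server would, verifies the Response Authenticator with the shared secret as the switch does, decodes the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id attributes (RFC 2868 tagged form) and the Cisco cisco-av-pair VSA, and then applies the rule from the text to the phone profile. The shared secret and VLAN 110 come from the switch configuration further down; the Request Authenticator and packet identifier are made-up sample values.

```python
"""Decode and sanity-check the RADIUS Access-Accept an authorization profile produces.

Added example, not part of the original article or of Cisco ACS. Packets,
secret and identifiers are constructed sample data.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP, VENDOR_SPECIFIC = 64, 65, 81, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte then a 3-byte integer (RFC 2868)."""
    return avp(attr_type, struct.pack("!B", tag) + struct.pack("!I", value)[1:])


def cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific(26) carrying vendor 9, sub-type 1 (cisco-av-pair)."""
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Accept. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch does before trusting an Accept: recompute the authenticator
    with its copy of the shared secret and check the length field."""
    head, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return resp_auth == expected and struct.unpack("!H", head[2:4])[0] == len(pkt)


def decode_attrs(pkt: bytes) -> dict:
    """Flatten the attributes that drive port authorization into a dict."""
    out, pos, attrs = {"av_pairs": []}, 0, pkt[20:]
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        v = attrs[pos + 2:pos + l]
        pos += l
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            # A leading byte <= 0x1F is a tag; otherwise the whole field is the value.
            out[t] = int.from_bytes(v[1:] if v[0] <= 0x1F else v, "big")
        elif t == TUNNEL_PRIV_GROUP:
            out[t] = (v[1:] if v[0] <= 0x1F else v).decode()
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            sub = v[4:]
            if sub[0] == CISCO_AV_PAIR:
                out["av_pairs"].append(sub[2:sub[1]].decode())
    return out


def check_phone_profile(attrs: dict) -> list:
    """Problems found in a profile meant for MAB-authenticated phones."""
    problems = []
    if "device-traffic-class=voice" not in attrs["av_pairs"]:
        problems.append("missing device-traffic-class=voice: phone will not get the voice domain")
    for pair in attrs["av_pairs"]:
        if pair.startswith("shell:priv-lvl="):
            problems.append("device-admin attribute %s must not be in a MAB profile" % pair)
    return problems


# Constructed sample exchange.
SECRET = b"cisco123"          # the lab key from the switch config; far too weak for production
REQ_AUTH = bytes(range(16))   # stands in for the switch's random Request Authenticator

PC_PROFILE = (tagged_int(TUNNEL_TYPE, 1, 13)              # 13 = VLAN
              + tagged_int(TUNNEL_MEDIUM, 1, 6)            # 6 = IEEE-802
              + avp(TUNNEL_PRIV_GROUP, b"\x01" + b"110"))  # tag 1, data VLAN 110
PHONE_PROFILE = cisco_av_pair("device-traffic-class=voice")
BAD_PHONE_PROFILE = PHONE_PROFILE + cisco_av_pair("shell:priv-lvl=15")

if __name__ == "__main__":
    for name, attrs in [("pc", PC_PROFILE), ("phone", PHONE_PROFILE), ("bad phone", BAD_PHONE_PROFILE)]:
        pkt = build_accept(7, REQ_AUTH, SECRET, attrs)
        decoded = decode_attrs(pkt)
        print(name, verify_accept(pkt, REQ_AUTH, SECRET), decoded, check_phone_profile(decoded))
```

Two things to take from running it: the phone profile decodes to a single av-pair and passes the check, while the profile that also carries shell:priv-lvl=15 is flagged; and verify_accept fails as soon as the secret is wrong or a single attribute byte is altered, which is the only integrity protection the switch has on the authorization it receives, so the shared secret deserves better than cisco123.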
Cisco Switch Configuration Example Running C3750-IPBASEK9-M, Version 12.2(55)SE1
! Global AAA. aaa new-model and dot1x system-auth-control are required before
! 802.1X runs at all; they were missing from the original excerpt and are added here.
aaa new-model
!
aaa group server radius dot1x
 server-private 10.10.10.10 auth-port 1645 acct-port 1646 key cisco123
!
! Device administration (login, enable, exec) uses TACACS+ with local fallback.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! 802.1X and MAB requests are sent to the dot1x RADIUS group defined above.
aaa authentication dot1x default group dot1x
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Lets the switch apply the dynamic VLAN / voice-domain attributes carried in
! the Access-Accept. Note this list uses the global "radius" group
! (172.22.138.150) while dot1x authentication uses the "dot1x" group
! (10.10.10.10); if those are different servers, any separate authorization
! request (for example a downloadable ACL fetch) goes to the former.
aaa authorization network default group radius
aaa session-id common
!
dot1x system-auth-control
! Send and accept Cisco VSAs (cisco-av-pair), needed for device-traffic-class=voice.
radius-server vsa send authentication
!
interface Vlan217
 ip address 172.24.117.20 255.255.255.0
!
tacacs-server host 172.22.138.150
tacacs-server directed-request
tacacs-server key cisco123
! Global RADIUS server on the standard ports 1812/1813; the dot1x group above uses
! the legacy ports 1645/1646. Make sure each matches what ACS listens on.
! "cisco123" is a lab placeholder: use a long random shared secret in production.
radius-server host 172.22.138.150 auth-port 1812 acct-port 1813 key cisco123
radius-server key cisco123
!
line con 0
line vty 0 4
 ! Lab placeholder. With aaa new-model the login method list above governs VTY
 ! access; this line password only matters if a method list falls back to "line".
 password a
line vty 5 15
Interface configuration for wired 802.1X access
interface FastEthernet1/0/1
 switchport access vlan 110
 switchport mode access
 switchport voice vlan 217
 speed 100
 duplex full
 ! MDA: one authenticated device in the voice domain (the phone) and one in the
 ! data domain (the PC behind it).
 authentication host-mode multi-domain
 ! If both methods succeed, the MAB result is kept rather than being pre-empted
 ! by 802.1X. The default order still tries 802.1X first and falls back to MAB on timeout.
 authentication priority mab dot1x
 authentication port-control auto
 ! Re-authenticate periodically (3600 seconds by default unless
 ! "authentication timer reauthenticate" is set or the server returns Session-Timeout).
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
! Verify with: show authentication sessions interface FastEthernet1/0/1
Recommended Reading
- Cisco ACS Best Practices document
- Cisco ASA Best Practices and Security Hardening document
- Cisco-vpn-ipsec-configuration-examples
- Cisco-ids-ips-aip-idsm-configuration-examples
- Detailed Cisco ACS 5.2 installation and configuration example with print screens
For a free assessment and recommendations on how to optimize your current Cisco ACS solution, contact us here.