
Network World

Jamey Heary

Cisco Security Quick Tip of the Week

Guest Web Authentication Builtin to Cisco Switches

By jheary on Fri, 01/29/10 - 6:36am.

Did you know that Cisco switches come with the ability to perform web authentication at each switch port? Most people don't realize that this feature exists in Cisco IOS, so I figured it would be a good Security Quick Tip. Web authentication works by redirecting a user's browser to a login page as soon as they connect to the switch port. Once they log in, the switch forwards their credentials to a RADIUS server for verification. The RADIUS server can either store the user accounts itself or look them up in Active Directory or LDAP. Once the user passes authentication, the RADIUS server can download a dynamic ACL to the switch port to control how much access the user is granted. Web auth can be used in conjunction with 802.1X and MAC authentication, or it can be used by itself. If you are an 802.1X shop, the browser-based web auth feature can be used as a fallback for 802.1X: if a machine fails 802.1X authentication or does not have a supplicant, the switch fails over to providing web auth to the user. If you are not an 802.1X shop but want a way to authenticate all users that connect to your switch ports, web auth might be a good option for guest and contractor access.

The Cisco NAC Guest Server appliance is a full-featured guest portal with user tracking, simple guest account provisioning, SMS support, billing and payment support for guest access, a self-provisioning service, and a bunch of other nerd knobs. NAC Guest Server supports Cisco NAC Appliance, Cisco Wireless Controllers and Cisco web auth solutions. This allows you to provide the same look and feel to your guests or temporary workers no matter how they connect to your network, wired or wireless. For more info on the guest server, see here.

According to the Cisco docs, Cisco IOS Web Authentication is supported on the following Cisco switches:
• Cisco Catalyst 2960 Series Switches with Cisco IOS Software Release 12.2(50)SE3
• Cisco Catalyst 3560 Series Switches with Cisco IOS Software Release 12.2(50)SE3
• Cisco Catalyst 3750 Series Switches with Cisco IOS Software Release 12.2(50)SE3
• Cisco Catalyst 4500 Series Switches with Cisco IOS Software Release 12.2(50)SG
• Cisco Catalyst 6500 Series Switches with Cisco IOS Software Release 12.2(33)SXI
Note: Two optional features, AAA fail policy and customized web pages, require Cisco IOS Software Release 12.2(52)SE or later on the desktop switches.

To have a complete solution you really need a supported Cisco switch with the correct software and a Cisco ACS AAA server (4.2 or later). If you'll be doing hardcore guest provisioning then I'd recommend you also get the Cisco NAC Guest Server to round out the solution. You can use a third-party RADIUS server instead of ACS if you wish.

The web auth feature allows you to create customized login and logoff web pages. These pages can be saved in flash memory on your switch, but I recommend you point your switch to a standalone web server instead. If your switch supports a crypto image then the login page can be delivered over encrypted HTTPS instead of HTTP.

Here is a sample configuration of web auth:

!define your RADIUS servers
ip radius source-interface vlan10
radius-server host 10.10.10.10 test username anyone
radius-server key cisco
radius-server dead-criteria tries 2

aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius

!note: the "aaa authentication login default" line above will also force you to log in via RADIUS on your vty and console ports; to turn that off for those lines, use the following commands

aaa authentication login console none
!
line console 0
login authentication console
line vty 0 4
login authentication console

!detects hosts using dhcp and arp requests so web auth can happen
ip device tracking

ip http server
ip http secure-server
!secure-server only works for crypto capable switches

!create your web auth policy
ip admission name web-auth proxy http

!create an ACL that defines what you will allow through before the user authenticates
ip access-list extended pre-webauth
permit udp any any eq bootps
permit udp any any eq domain
deny ip any any

fallback profile web-auth-profile
ip access-group pre-webauth in
ip admission web-auth

!create your customized web auth pages (optional)
!load those pages into the flash memory of the switch
!Define where to find each page type
ip admission proxy http login page file disk1:login.htm
ip admission proxy http success page file disk1:success.htm
ip admission proxy http fail page file disk1:fail.htm
ip admission proxy http login expired page file disk1:expired.htm

!you can also tell the switch to redirect to an outside website upon successful web auth
ip admission proxy http success redirect www.cisco.com

!now assign the web auth policy to each interface you want it active on
interface gig0/1
authentication fallback web-auth-profile


Note: On Catalyst 6500 series switches with redundant supervisor engines in RPR mode redundancy, information about currently authenticated hosts is maintained during a switchover, so users will not need to reauthenticate.
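As an added example (not code from the original post, and not a Cisco tool), here is a small Python audit script that parses an IOS running-config shaped like the one above and checks that the web-auth building blocks fit together: the auth-proxy authorization method list, device tracking, the HTTP and HTTPS servers, a defined "ip admission" policy, a fallback profile that references a defined pre-auth ACL permitting only DHCP and DNS, and interfaces whose "authentication fallback" points at a defined profile. Both embedded configs are constructed samples, the second with deliberate gaps, and the parser handles only the subset of IOS syntax used here.

```python
"""Audit a Cisco IOS web-auth config; added example with constructed samples, not the post's code."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authorization auth-proxy default group radius
ip device tracking
ip http server
ip http secure-server
ip admission name web-auth proxy http
ip access-list extended pre-webauth
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
fallback profile web-auth-profile
 ip access-group pre-webauth in
 ip admission web-auth
interface GigabitEthernet0/1
 authentication fallback web-auth-profile
"""

WEAK_CONFIG = """\
aaa new-model
ip http server
ip admission name web-auth proxy http
ip access-list extended pre-webauth
 permit udp any any eq bootps
 permit tcp any any eq www
fallback profile web-auth-profile
 ip access-group pre-webauth in
 ip admission web-auth
interface GigabitEthernet0/2
 authentication fallback guest-profile
"""

ALLOWED_PREAUTH = {("udp", "bootps"), ("udp", "domain")}  # DHCP and DNS only
REQUIRED = [  # (command prefix, finding reported when it is absent)
    ("aaa authorization auth-proxy ", "no 'aaa authorization auth-proxy': RADIUS cannot push per-user ACLs"),
    ("ip device tracking", "ip device tracking missing: hosts will not be detected for web auth"),
    ("ip http server", "ip http server missing: the login-page redirect cannot happen"),
    ("ip http secure-server", "ip http secure-server missing: credentials would travel over plain HTTP"),
]

def parse_ios(text):
    """Return (top-level commands, {block header: indented child lines})."""
    commands, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0] in " \t":  # child line of the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        commands.append(line)
        if line.split()[0] in ("interface", "fallback") or line.startswith("ip access-list"):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
    return commands, blocks

def check_preauth_acl(name, entries):
    """Flag pre-auth ACL entries that let more than DHCP and DNS through."""
    findings = []
    for ace in entries:
        parts = ace.split()
        port = parts[-1] if "eq" in parts else None
        if parts[0] == "permit" and (parts[1], port) not in ALLOWED_PREAUTH:
            findings.append(f"ACL {name}: '{ace}' allows traffic before authentication")
    return findings

def audit_webauth(text):
    """Return (findings, {interface: fallback profile}) for one config text."""
    commands, blocks = parse_ios(text)
    findings = [msg for prefix, msg in REQUIRED if not any(c.startswith(prefix) for c in commands)]
    admission = {m.group(1) for c in commands if (m := re.match(r"ip admission name (\S+) proxy http", c))}
    acls = {h.split()[-1]: body for h, body in blocks.items() if h.startswith("ip access-list extended ")}
    profiles, bindings = set(), {}
    for header, body in blocks.items():
        if header.startswith("fallback profile "):
            name = header.split()[-1]
            profiles.add(name)
            acl = next((c.split()[2] for c in body if c.startswith("ip access-group ")), None)
            adm = next((c.split()[2] for c in body if c.startswith("ip admission ")), None)
            if adm not in admission:
                findings.append(f"fallback profile {name}: ip admission '{adm}' is not a defined policy")
            if acl not in acls:  # no ACL at all, or one that is never defined
                findings.append(f"fallback profile {name}: pre-auth ACL '{acl}' missing, unauthenticated hosts get full access")
            else:
                findings.extend(check_preauth_acl(acl, acls[acl]))
        elif header.startswith("interface "):
            for c in body:
                if c.startswith("authentication fallback "):
                    bindings[header.split(maxsplit=1)[1]] = c.split()[2]
    # Profiles may be defined after the interfaces that use them, so check at the end.
    for intf, prof in bindings.items():
        if prof not in profiles:
            findings.append(f"interface {intf}: fallback profile '{prof}' is not defined")
    return findings, bindings
```

Run audit_webauth(SAMPLE_CONFIG) and it returns no findings; run it on WEAK_CONFIG and it reports the missing auth-proxy authorization, device tracking and HTTPS server, the pre-auth ACL entry that lets HTTP through before login, and the interface bound to a profile that was never defined. The pre-auth ACL check is the one worth keeping an eye on in real deployments: anything beyond DHCP and DNS in that ACL is reachable by every unauthenticated host on the port.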

For more configuration information and several different configuration scenarios, see the guides linked below.

Web Authentication Deployment Guide, complete with ACS 5.1 configuration
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638...

Cisco Integrated Local Web Authentication Deployment and Configuration Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638...

Will you use this feature in your conference rooms and public areas? (assuming you don't have something like NAC in place already that is)




The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
