Cisco released a score of new 802.1x features in 12.2.33 SXI for their Catalyst 6500 switch lineup. These new features focus on making dot1x easier to deploy. Hmmm…Is that an oxymoron: dot1x and easy? Well perhaps not anymore. You can now deploy full dot1x features in a quasi “monitor only” mode. This allows you to see what is going to happen in your live environment before you enable true enforcement.
Architecting, implementing, and supporting a wired 802.1x protected network can be one of the most challenging endeavors of your networking career. This is especially true if you find yourself just blindly bumbling through the project and not actively planning and designing for it. I’ve seen my fair share of wired dot1x implementations fail over the years; the reasons vary from customer to customer. But an overarching truth remained constant across them all; “This dot1x stuff is non-trivial!”
In my patch, new 802.1x projects dwindled to almost nothing for a couple years. But recently I’ve seen a strong resurgence by large companies wanting to give it a go or give it another go depending. I’m not going to pretend to know why but if I had to guess I would say it is because 802.1x is riding the recent popularity wave of all things NAC.
So today I wanted to write on the top 7 802.1x switch features you’ll most likely need to pull off a successful deployment. Here they are:
Making 802.1x deployments easier (monitor mode)-
Problem: 802.1x has many complexities and inter-dependencies. Before now their was no way to deploy dot1x in a monitor only mode. Protection was enabled by default making it very hard to have a smooth roll-out. 802.1x was designed to fail-closed not open. It was also designed to only allow one MAC address per switchport.
Solution: Given the rocky history of 802.1x deployments Cisco has decided to allow you to change a fundamental truth of dot1x. In short, they are making a fail-open option available that allows multiple MACs per port. The solution is made up of two separate features. The first is called pre-authentication open access and allows for the fail-open scenario. It allows all traffic, or ACL defined traffic, to flow into the network before the switchport is authorized. The command is authentication open and is configurable on a per-port basis.
The second feature is Authentication Host-mode Multi-Auth. This allows one IP Phone in the voice vlan and multiple hosts on the data vlan on each switch port.
These two features together allow you to implement full 802.1x in a quasi “monitor only” like mode. This gives you the tools, time, and real world testing environment you need to smooth out any dot1x roll-out.
Code Example:
interface range gigE 1/0/1 - 24
switchport access vlan 30
switchport voice vlan 31
ip access-group UNAUTH in
<b>authentication host-mode multi-auth</b>
<b>authentication open</b>
authentication port-control auto
mab
Router(config-if)# mab
Guest VLAN Support-
Problem: Host does not have a 802.1x supplicant and fails MAC Authentication Bypass. This might be a guest user PC that comes onto your network. Let’s say they don’t have a suppliant enabled and they are not in the MAC address database either. They will fail both and be denied network access.
Solution: Guest VLAN drops users that fail 802.1x and MAB into a pre-configured VLAN. This VLAN is set on a per switchport basis. This allows you flexibility to only set it in certain locations, like enabled in conference rooms but disabled in employee cubes.
Code Example:< code> Router(config-if)# authentication event no-response action authorize vlan 2
Authentication Host-mode Multi-domain or Multi-Auth –
Problem: By default 802.1x will only allow one MAC address on each switchport at a time. This leads to major issues in today networks. Two common examples are IP Phones and VMWare instances. If a client plugs into a port on the IP Phone which then plugs into the switchport the switch will see two MACs. One for the phone and one for the PC plugged into the phone. This will cause in a port violation resulting in the port shutting down (err-disable). Same idea for a host that brings up multiple VMware instances that connect to the network. Multiple MACs are seen, one for each VM and the port will err-disable.
Solution: A new feature was added to the authentication host-mode command called authentication host-mode multi-auth. It allows you to have one IP Phone on the voice vlan and multiple hosts behind it. Each host, or MAC address, is authenticated individually. A dynamic downloadable ACL can additionally restrict each hosts access. This solves the problem of VMware instances.
The other authentication host-mode feature called Multi-domain allows one IP Phone on the voice vlan and one host on the data vlan. This solves the problem of deploying dot1x in an environment with IP telephony in place. The phone and the host are authenticated separately.
Code Example: authentication host-mode multi-domain OR authentication host-mode multi-auth
Auth-Fail-VLAN –
Problem: Host comes on to the network with a supplicant, authentication happens, but the user doesn’t have a valid account on the network and is rejected. Maybe their credentials have expired or they are a guest or contractor PC with a supplicant enabled. It will never fail to MAB or the guest VLAN because the supplicant is talking correctly.
Solution: The Auth-Fail-VLAN feature is similar to the guest vlan feature in that if a client fails authentication a certain number of times (say 3) then they are pushed to a restricted VLAN and allowed onto the network. The particular VLAN they are moved to is configurable on a per port basis.
Code Example:< code> Router(config-if)# authentication event fail retry 3 action authorize vlan 2
Inaccessible Authentication Bypass-
Problem: If the AAA server goes down then new and potentially existing dot1x clients will be denied access to the network.
Solution: The Inaccessible Authentication Bypass feature detects when the AAA server is dead. When the AAA is dead it will automatically authorize all new clients and move them into a configurable VLAN. This vlan is configurable on a per-port basis. Existing clients are re-authorized as necessary and remain on their existing VLAN. When the AAA server comes back the switch can force a dot1x re-initialization on all in scope switchports, essentially forcing a re-authentication.
Code Example:
Router(config)# radius-server dead-criteria time 30 tries 20
Router(config)# radius-server deadtime 60
Router(config)# radius-server host 10.10.10.90 acct-port 1550 auth-port 1560 key cisco123 test username cisco idle-time 30
Router(config)# dot1x critical eapol
Router(config)# authentication critical recovery delay 2000
Router(config)# interface gigabitethernet 0/1
Router(config-if)# authentication event server dead action authorize vlan 123
Router(config-if)# authentication event server alive action reinitialize
The opinions and information presented here are my personal views and not those of my employer.
More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google's Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.*
*
*
*
*