Solved

How to deploy 802.1x in a Cisco network

Posted on 2014-01-13
11
616 Views
Last Modified: 2014-01-15
Hello,

Our company needs to deploy 802.1x within the next couple of months.
We want to have a phased deployment that will incorporate a testing stage during that
period using the "Monitor Mode" feature of Cisco switches.

I know how to set up the supplicant, authenticator and the authenticating server (Radius server on the ACS 5.2).

We also need to employ active directory into the process...that is where the confusion
comes in.  I work primarily with Cisco not Microsoft so I will give that portion of the task
to our server guys!

My question is, if I configure monitor mode only on 1 of our 400 switches and have the
other 399 without any 802.1X configuration whatsoever, will the users on those 399
switches without 802.1x still be able to access our production network?

Basically what I am trying to do is use just one of our buildings as a test site on our
production network without affecting all the users on our network.

Thanks in advance!

rayneedssomehelp
Question by:Rayneedssomehelp
11 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39778369
The monitor mode should still be enforceable on specific ports since it is configured per port with multi-auth host-mode and open access. As long as it is in accordance with that, I don't see why it would be a problem in such a mixed environment. Probably good to note the specific ports for that building in the test stage and segregate the actually enforced buildings to other ports.

For monitor mode targeted on each access port, enable open access authentication and multi-auth host-mode. Without multi-auth, the switch runs in single host mode and disables any ports with multiple devices, including phones. Monitor mode requires multi-auth host-mode to be transparent to end users.

Also, ensure that all dynamic authorization, such as dynamic VLAN and dACL assignment, is disabled on the ACS server. Any form of dynamic authorization will impact end users and thus undermine the goal of monitor mode, which is end user transparency.


http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html
0
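btan's checklist above (port-control auto, "authentication open", multi-auth host-mode, nothing enforcing on the pilot building) is easy to verify mechanically before the pilot switch goes live. The script below is an added example for this thread, not code from the thread or from Cisco: it parses a constructed IOS running-config, labels each access port as none / monitor / low-impact / closed, and lists the ports that could actually restrict a user. The interface names and the sample config are made up; the commands in it are the classic IOS authentication-manager keywords.

```python
"""Audit the 802.1X posture of every access port in a Cisco IOS running-config.

Added example for this thread, not code from the thread or from Cisco.  The
sample config is constructed; its commands are the classic IOS
authentication-manager keywords ("authentication open", "authentication
host-mode", "authentication port-control auto", "mab", "dot1x pae").
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: four ports, one in each posture the thread talks about.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description monitor-mode pilot port (open, multi-auth, no ACL)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description untouched port, no 802.1X configuration at all
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description low-impact mode: open, but a pre-auth port ACL limits traffic
 switchport mode access
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description closed mode: unauthenticated hosts get no access
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""


@dataclass
class Port:
    name: str
    commands: list[str] = field(default_factory=list)


def parse_interfaces(config: str) -> list[Port]:
    """Split a running-config into interface stanzas.

    Indented lines belong to the current stanza; '!' or a top-level command ends it.
    """
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None
    return ports


def classify(port: Port) -> tuple[str, list[str]]:
    """Return (posture, warnings) for one port.

    none       - no 'authentication port-control auto': 802.1X is not running here
    monitor    - port-control auto + 'authentication open' + multi-auth: the switch
                 talks RADIUS for every endpoint but never restricts it
    low-impact - open, but a pre-auth port ACL is applied
    closed     - port-control auto without 'authentication open': this port WILL
                 block endpoints that fail 802.1X/MAB
    """
    cmds = set(port.commands)
    if "authentication port-control auto" not in cmds:
        return "none", []
    warnings: list[str] = []
    if "mab" not in cmds:
        warnings.append("no MAB fallback: devices without a supplicant can never pass")
    host_mode = next(
        (c.split()[-1] for c in cmds if c.startswith("authentication host-mode ")),
        "single-host",  # IOS default when host-mode is not configured
    )
    if "authentication open" not in cmds:
        return "closed", warnings
    if any(c.startswith("ip access-group ") for c in cmds):
        return "low-impact", warnings
    if host_mode != "multi-auth":
        warnings.append(f"host-mode {host_mode}: a second MAC on the port (PC behind a "
                        "phone) is a security violation, so this is not transparent")
    return "monitor", warnings


def audit(config: str) -> dict[str, tuple[str, list[str]]]:
    """Map interface name -> (posture, warnings) for every interface stanza."""
    return {p.name: classify(p) for p in parse_interfaces(config)}


def enforcing_ports(config: str) -> list[str]:
    """Ports that can restrict an endpoint; should be empty before a pilot."""
    return [name for name, (posture, _) in audit(config).items()
            if posture in ("closed", "low-impact")]


if __name__ == "__main__":
    for name, (posture, warns) in audit(SAMPLE_CONFIG).items():
        print(f"{name:24s} {posture:11s} {'; '.join(warns)}")
    print("ports that can block users:", enforcing_ports(SAMPLE_CONFIG))
```

Run it against `show running-config` output from the pilot switch: anything other than "none" or "monitor" in the report, or a non-empty "ports that can block users" list, means the switch is not in the transparent state the thread describes. Dynamic VLAN/dACL assignment lives on the ACS side and cannot be seen in the switch config, so that part of btan's checklist still has to be verified on the server.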
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39778955
Everyone's idea/definition of Production is a bit different. For us, that's the data center where the live/real data is and other resources like file shares, intranet servers etc. are. This environment is typically locked down physically and makes wired 802.1x a bit redundant and seem unnecessary. 802.1x is not an ACL in and of itself, it's an authentication mechanism for mac addresses from the host to the switch only. The only effect turning on 802.1x fully should have is the allowance or denial of access to the switch port. That can be an acl if the host is denied or placed in an incorrect vlan.
Most folks deploying wired 802.1x are doing so because they are after NAC. This makes more sense in the user networks. Unless your DC is not physically protected I'm not sure why one would put it in "production".
802.1X is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity.
Again your idea of production may be different than mine. 802.1x is good for putting unknown mac-addresses into guest vlans so you block anyone coming in from using a free port or wifi connection to access your network. It's hard to deploy in small and large scales, but once it's operating it's great to have. You will have quite a few devices to whitelist, and this can be the crux of 802.1x. Dumb devices like some printers/copiers/fax, even some other switches will need to be whitelisted in the mac tables. They can't use or don't have a supplicant, and it's possible for a guest to spoof their mac address to be the same as a printer and get on the network. Not all that likely but you should be aware.
-rich
0
 

Author Comment

by:Rayneedssomehelp
ID: 39779188
I suppose a better question would be... what if 802.1X was configured on the ACS,
along with the radius protocol but nothing in regards to 802.1X was configured on the
Cisco switches or supplicants.  I would think users would still be able to connect to the
network.  Correct?

As I stated, I would like to provision everything in phases, so AS NOT TO PREVENT USERS
FROM CONNECTING TO THE NETWORK, just in case I screw something up.

Please remember that for now, nothing except for the ACS will be configured with 802.1X (including monitor mode).

Thanks,

Rayneedssomehelp
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39780052
Monitor mode should not affect anyone at all. It just logs what is happening and what it sees. You should start with that phase in as wide an area as possible, it might help you spot your troublesome hosts. Some supplicants don't work and some programs can mess with them. We had trouble with ZoneAlarm blocking supplicants and McAfee's own supplicant not working for some reason. Monitor mode should just let everything happen like it is now.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html#wp392526
-rich
0
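Rich's point that monitor mode "might help you spot your troublesome hosts" is the whole payoff of the phase: the switch still logs every 802.1X and MAB result, so you can read off which endpoints would have been cut off had the port been enforcing. The script below is an added example, not code from the thread or from Cisco. The syslog lines are constructed, modelled on the IOS %DOT1X / %MAB / %AUTHMGR message formats; interface names, MACs and session IDs are made up.

```python
"""Triage monitor-mode authentication syslog from a pilot switch.

Added example for this thread, not code from the thread or from Cisco.  The log
lines below are constructed, modelled on the IOS %DOT1X / %MAB / %AUTHMGR
message formats; interface names, MACs and session IDs are made up.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_SYSLOG = """\
Jan 14 09:12:01 sw-bldg7-01 1201: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0A0A0100000001000011AA
Jan 14 09:12:05 sw-bldg7-01 1202: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4466) on Interface Gi1/0/2 AuditSessionID 0A0A0A0100000002000011AB
Jan 14 09:12:06 sw-bldg7-01 1203: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4466) on Interface Gi1/0/2 AuditSessionID 0A0A0A0100000002000011AB
Jan 14 09:12:10 sw-bldg7-01 1204: %DOT1X-5-FAIL: Authentication failed for client (aabb.ccdd.0001) on Interface Gi1/0/3 AuditSessionID 0A0A0A0100000003000011AC
Jan 14 09:12:12 sw-bldg7-01 1205: %MAB-5-FAIL: Authentication failed for client (aabb.ccdd.0001) on Interface Gi1/0/3 AuditSessionID 0A0A0A0100000003000011AC
Jan 14 09:12:40 sw-bldg7-01 1206: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (aabb.ccdd.0002) on Interface Gi1/0/4 AuditSessionID 0A0A0A0100000004000011AD
Jan 14 09:12:41 sw-bldg7-01 1207: %MAB-5-SUCCESS: Authentication successful for client (aabb.ccdd.0002) on Interface Gi1/0/4 AuditSessionID 0A0A0A0100000004000011AD
Jan 14 09:12:55 sw-bldg7-01 1208: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (aabb.ccdd.0003) on Interface Gi1/0/5 AuditSessionID 0A0A0A0100000005000011AE
Jan 14 09:12:56 sw-bldg7-01 1209: %MAB-5-FAIL: Authentication failed for client (aabb.ccdd.0003) on Interface Gi1/0/5 AuditSessionID 0A0A0A0100000005000011AE
"""

# Facility, mnemonic, free text, then the "client (mac) on Interface X" tail.
MSG_RE = re.compile(
    r"%(?P<fac>DOT1X|MAB|AUTHMGR)-\d-(?P<mnem>\w+): (?P<text>.*?)"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
)
# AUTHMGR-7-RESULT names the method and result inside its text.
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")


@dataclass(frozen=True)
class AuthEvent:
    interface: str
    mac: str
    method: str   # 'dot1x' or 'mab'
    result: str   # 'success', 'fail' or 'no-response'


def parse_line(line: str) -> AuthEvent | None:
    """Turn one syslog line into an AuthEvent, or None if it is not an auth message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fac, mnem, text = m["fac"], m["mnem"], m["text"]
    if fac in ("DOT1X", "MAB"):
        method = fac.lower()
        result = "success" if mnem == "SUCCESS" else "fail"
    else:
        r = RESULT_RE.search(text)
        if not r:
            return None
        method, result = r["method"], r["result"]
    return AuthEvent(m["intf"], m["mac"], method, result)


def verdict(dot1x: str | None, mab: str | None) -> str:
    """What an enforcing port would have done with this endpoint."""
    if dot1x == "success":
        return "ok: 802.1X"
    if mab == "success":
        # A MAB rescue after a real 802.1X failure points at a broken supplicant.
        return "ok: MAB" if dot1x in (None, "no-response") else "supplicant broken, MAB rescued"
    if dot1x == "fail":
        return "WOULD BE BLOCKED: supplicant failing and MAC unknown"
    return "WOULD BE BLOCKED: no supplicant and MAC not in ACS database"


def summarize(syslog: str) -> dict[tuple[str, str], str]:
    """Map (interface, mac) -> verdict, keeping the last result seen per method."""
    last: dict[tuple[str, str], dict[str, str | None]] = defaultdict(
        lambda: {"dot1x": None, "mab": None})
    for line in syslog.splitlines():
        ev = parse_line(line)
        if ev and ev.method in ("dot1x", "mab"):
            last[(ev.interface, ev.mac)][ev.method] = ev.result
    return {key: verdict(s["dot1x"], s["mab"]) for key, s in last.items()}


def blocked_in_enforcement(syslog: str) -> list[tuple[str, str]]:
    """Endpoints to fix (supplicant or MAB whitelist) before leaving monitor mode."""
    return sorted(k for k, v in summarize(syslog).items()
                  if v.startswith("WOULD BE BLOCKED"))


if __name__ == "__main__":
    for (intf, mac), v in summarize(SAMPLE_SYSLOG).items():
        print(f"{intf:10s} {mac}  {v}")
    print("fix before enforcement:", blocked_in_enforcement(SAMPLE_SYSLOG))
```

Point it at the syslog collector that the pilot switch reports to, and the "WOULD BE BLOCKED" list is exactly the set of hosts (broken supplicants, printers missing from the ACS MAC database) to sort out while the port is still passing everything. The AUTHMGR-7-RESULT line is a level-7 message, so it only appears if the switch logs at debugging level; without it the script still classifies an endpoint correctly from the DOT1X and MAB results alone.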
 

Author Comment

by:Rayneedssomehelp
ID: 39780198
We have approx. 10,000 ports\interfaces on 400 Cisco switches.

I apologize for making this question more complicated than what I wanted it to be, but
let me try again.
Starting from scratch.  Is it OK to deploy 802.1x on all of our equipment, EXCEPT for
the Cisco switches, and not cause any down time?  If the answer to that question is yes, I
will then proceed to place "monitor mode" on a few switches.

I have never used radius before and I am concerned about what might or could happen if
I jack up the ACS server by trying to enable radius on it.

Rayneedssomehelp
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39780210
Get the config right on a few of them, monitor mode should not affect them at all, that guide I linked to should help if you hadn't seen it already. Read it all the way through, but it should not have a deleterious effect having some in monitor and some not. Monitor mode should give everyone a "bypass" and only log what is going on. The radius/EAP will still take place, but you are putting in a bypass that allows anyone to connect still. After you're happy with that config, begin to roll that out wider and wider.
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39781063
Agree with Rich. Monitor mode is supposed to be "transparent", but do note that it will still go to RADIUS to perform the due checks.
There is no impact to users or endpoints of any kind: they continue to get exactly the same kind of network access that they did before you deployed TrustSec. The authorization level pre-authentication is the same as after successful authentications and failed authentications: completely open. In the background, however, the network is querying each endpoint as it connects and validating its credentials.

Let's say it becomes enforced, or the so-called low impact and high security modes: any timeout in the 802.1x check will fall back to the secondary authentication, which can be MAB. There will be delays overall, but I don't see inadvertent long blocking unnecessarily. We also do not want a fail open, for secure by default. Typically this happens for non-802.1x-capable devices, as earlier shared.

After monitoring and able to establish the various device asset, over time, you may transition from a default port ACL that denies access to a few resources and permits everything else to one that permits access to specific resources, such as DHCP, DNS, TFTP for PXE, and so on, and denies everything else. Evolving the default ACL in this way allows you to incrementally add access control without inadvertently blocking important traffic.

Unless you have a specific need to support multiple data devices on a single port, configure all access ports in single host-mode for non-IP-Telephony deployments, or in multi-domain host-mode for IP telephony deployments.
0
 

Author Comment

by:Rayneedssomehelp
ID: 39782144
So what you guys are trying to tell me is that the only difference between having a switch port configured with "Monitor mode" versus having that same switch port configured with
no 802.1X configs whatsoever,  is that monitor mode WILL log Radius traffic and the port
with no 802.1X configs will NOT, but, THEY WILL BOTH PASS TRAFFIC AND ALLOW THE END
USER ON THAT PORT TO CONNECT TO THE NETWORK.  Correct?

Ray
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39782182
Correct. The clients will also be doing 802.1x in the background. You can specify which ports do 802.1x and which don't, and 802.1x will only affect ports that have it enabled, you will not enable it on trunk ports or switch interconnects.
-rich
0
 

Author Comment

by:Rayneedssomehelp
ID: 39782222
Rich,

If this is the case, I can focus on implementing Active Directory with the Radius server
somewhere down the road, since this will be our next big hurdle after populating the
ACS server MAC database.

Ray
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39782259
I've never had trouble with monitor mode, I've used lots of Cisco switches, 4000's, 6500, 3500 series etc... But I don't use 802.1x often, we've moved to IPsec (on the hosts) for authentication and authorization.
-rich
0
