There is a lot of interest in enabling 802.1x for access control. Certificate-based security is an industry standard and is mandated by many federal agencies. Cisco's first 802.1x-based access control solution started with ACS, and today it is enforced by their flagship access control solution, Identity Services Engine (ISE).
We have heard from some administrators that 802.1x is almost impossible to enable and is something they don't have the staff to maintain. The truth is that 802.1x is like most technologies: it requires a basic understanding of the core concepts and must be designed correctly for a project to be successful. Here are some concepts to take into consideration while looking at Cisco or other 802.1x solutions for your network.
1) MONITOR ONLY – 802.1x can be deployed in a Monitor Only mode, meaning you can turn it on without impacting the network. This is huge because it dramatically reduces the risk of 802.1x deployment issues: you can troubleshoot authentication failures and error messages before going live. Unlike many technologies, you don't have to "cut over and troubleshoot".
2) PROFILING – Cisco ISE offers network profiling, which has two key benefits. ISE can identify all devices on the network, so you can plan how access control will be handled for each device type prior to enforcement. ISE can also keep monitoring those devices, meaning that if an attacker spoofs a printer, the spoofing device will behave differently on the network and can be blocked. This is a more secure option than simply whitelisting devices. Best practice is to plan device security via VLANs, ACLs, etc. prior to moving out of 802.1x monitor mode.
3) SUPPLICANT – 802.1x authentication involves three parties: a supplicant, an authenticator, and an authentication server. The authenticator acts like a security guard: the supplicant (for example, a laptop) is not permitted access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. The supplicant provides credentials, such as a user name and password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. The most commonly used supplicants are built into Windows operating systems, meaning you don't have to distribute any new software or clients. Some devices don't support 802.1x; for those, best practice is to use a combination of MAC address authentication (MAB) and profiling to provision them and maintain confidence in their identity.
4) SYSTEM MANAGEMENT – A common question is "how many people does it take to maintain an Access Control solution such as 802.1x?". The answer varies with the size of the network, the level of desired security and other factors. Regardless, the goal of an Access Control solution is to automate and enforce the existing security infrastructure. For example, port security is a form of access control that typically requires manual effort to maintain. Access Control solutions should reduce the required management hours by automating user and device access. The same concept applies to troubleshooting and locating rogue devices.
5) CONFIGURATION – 802.1x is an industry standard and is configured with switch-level commands. Best practice is to build a template in a network management tool and push the 802.1x Access Control configuration out to the switches, which reduces the chance of misconfiguration.
Here is a line-by-line example of configuring a switch for monitor only 802.1x:
//Enable AAA and send 802.1x authentication, network authorization (VLAN/ACL) and accounting to the RADIUS server group
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
//Specify the IP and ports of the RADIUS server, pre-shared key, attributes, and RADIUS request source interface
Switch(config)# radius-server host ise-1.demo.local auth-port 1812 acct-port 1813
Switch(config)# radius-server key thesecurityblogger
Switch(config)# radius-server attribute 6 on-for-login-auth
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server attribute 25 access-request include
Switch(config)# radius-server dead-criteria time 5 tries 3
Switch(config)# ip radius source-interface g0/24
//Verify the switch can reach the RADIUS server; this is a privileged EXEC command, so leave config mode first
Switch(config)# exit
Switch# test aaa group radius usertest password new-code
Switch# configure terminal
//Enable 802.1x globally
Switch(config)# dot1x system-auth-control
//Port level commands
Switch(config)# interface range g0/1-3, g0/5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# authentication port-control auto
Switch(config-if-range)# dot1x pae authenticator
//Enable MAB on the port for devices without a supplicant (required for the MAB entry in the authentication order below)
Switch(config-if-range)# mab
//ISE monitor only mode config: "authentication open" allows traffic regardless of the authentication result
Switch(config-if-range)# authentication open
Switch(config-if-range)# authentication host-mode multi-auth
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# authentication order mab dot1x
Switch(config-if-range)# authentication priority dot1x mab
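Since the point of monitor mode is that no port blocks traffic, a template pushed from a management tool is worth checking before it goes out. The following Python checker is an added example (not code from the original post or from Cisco): it parses an IOS-style config in the shape of the template above and flags an 802.1x port that lacks "authentication open" (which would enforce instead of monitor) or that lists MAB in its authentication order without "mab" enabled. The sample config and the list of required global commands are constructed assumptions.

```python
# Constructed sample in the shape of the page's monitor-mode template. Port g0/5
# deliberately lacks "authentication open", so it would enforce (closed mode).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host ise-1.demo.local auth-port 1812 acct-port 1813
dot1x system-auth-control
!
interface GigabitEthernet0/1
 authentication port-control auto
 authentication open
 authentication order mab dot1x
 mab
!
interface GigabitEthernet0/5
 authentication port-control auto
 authentication order mab dot1x
"""

# Global commands the template must contain (assumed minimum for this check).
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x",
                   "radius-server host", "dot1x system-auth-control")

def parse_config(text):
    """Split an IOS-style config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # "!" or a blank line ends a section
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            global_lines.append(line.strip())
    return global_lines, interfaces

def check_monitor_mode(text):
    """Return findings for a monitor-mode 802.1x template; [] means consistent."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{req}'" for req in REQUIRED_GLOBAL
                if not any(l.startswith(req) for l in global_lines)]
    for name, lines in interfaces.items():
        if "authentication port-control auto" not in lines:
            continue                            # not an 802.1x-controlled port
        if "authentication open" not in lines:
            findings.append(f"{name}: closed mode, would block unauthenticated hosts")
        order = next((l for l in lines if l.startswith("authentication order")), "")
        if "mab" in order.split() and "mab" not in lines:
            findings.append(f"{name}: 'mab' in authentication order but not enabled")
    return findings
```

Running check_monitor_mode(SAMPLE_CONFIG) reports both problems on GigabitEthernet0/5 and nothing for GigabitEthernet0/1; a clean template returns an empty list.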
Hopefully this helps clear up the confusion around considering 802.1x and Cisco ISE.