Identity-Based Networking Service (IBNS) and IEEE 802.1x

IEEE 802.1x Overview
It is a data link layer (Layer 2) protocol designed to provide port-based network access control using authentication unique to a device or user in Ethernet or WLAN. This service is called port-level authentication.
Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal identity in addition to device MAC and IP address verification.
IBNS enhancements to IEEE 802.1x

  • Auto VLAN Configuration based on identity: With IBNS, VLAN can be dynamically allocated based on the user identity. After user successful authentication, RADIUS server sends VLAN information to switch and  then the switch will dynamically configure the attached port for specific VLAN.
  • Auto ACL configuration: ACLs can be dynamically assigned to the attached port using 802.1x authentication policy.
  • 802.1x guest VLAN: non-802.1x-compatible users or devices will be allocated into Guest VLAN which only provide restricted access for basic network resources such as browsing, email or access to an 802.1x client.
  • Restricted VLAN for Authentication Failure user: 802.1x compatible clients can still be allocated into Restricted VLAN even though authentication fails. After that, fake Authentication Protocol (EAP) success message is sent to the client to stop constant re-authentication.
  • port security feature optional: 802.1x provides the option to enable port security on a switch port.
  • Inaccessible Authentication Bypass: This feature allows devices attached to critical ports to still be authenticated and allowed to pass traffic even if the RADIUS server(s) is (are) inaccessible. When the RADIUS server(s) become accessible again, The ports are then automatically re-authenticated using the server.
  • MAC Authentication Bypass (MAB): When using this feature, it is possible for a device to be authenticated without 802.1x support. This is done by referencing a MAC database that is held on the RADIUS server. The MAB feature is only enabled after the client fails to respond to Extensible Authentication Protocol over LAN (EAPOL) requests and causes a timeout.

802.1x components: 802.1x defines 3 roles in authentication process. Prior to the client authentication, the port will only allow EAPOL (EAP Over LAN), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the connected port.

  • Supplicant: The endpoint requesting access to the network. For example, this could be an end-user device, a printer, or an IP phone.
  • Authentication server: The entity that validates the identity of the supplicant and notifies the authenticator to allow or deny the client request for access. For example, a RADIUS server, such as ACS, can provide authentication server services.
  • Authenticator: The device between the supplicant and the authentication server that facilitates authentication. The client is normally directly connected to the authenticator. For example, a switch or a wireless access point would provide authenticator services to clients attempting to access LAN.

Extensible Authentication Protocol (EAP): EAP is an authentication framework not a specific authentication mechanism; it only provides some common functions and negotiation of authentication methods called EAP methods. EAP does not select a specific authentication mechanism during the link layer phase but rather postpones it until the authentication phase.
EAP only defines message formats and Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol’s messages.
As a result, within IEEE 802.1X, it is not possible to negotiate non-EAP authentication mechanisms, such as Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), without specialized tunneling support. .
imageHowever, for the Code value 3 and 4, another information element (Packet Type 1 Byte, which indicates specific authentication mechanism) will be created.
imageimage
Reference URL: http://www.networksorcery.com/enp/protocol/eap.htm

  • EAP Over LAN (EAPOL):
    Ethernet Type (or Port Access Entity Ethernet Type: PAE Ethernet type) code is 0x888E, which represents EAP Over LAN. And the Destination MAC address is always:  01:80:C2:00:00:03.
    image

EAP Authentication Mechanism Options (which is specified in Packet Type octet of Data Field in EAP frame format):

  • EAP-MD5Packet Type = 4, EAP-MD5 requires user’s password stored on Authentication server in a plain-text or reversible way. It is well supported and provides a simple mechanism for authentication using username and passwords. It also does not burden the server or the client because of its lightweight processing requirements.
    The server generates a random string and sends it to the user as a challenge. The client MD5 hashes the challenge using its password as the key and sends it back to the server. The server then authenticates the subscriber by verifying this hash.
  • Protected EAP / MS-CHAPv2: Packet Type = 25 Protected EAP (PEAP) supports various EAP-encapsulated methods within a protected Transport Layer Security (TLS) tunnel.
    Besides, PEAP supports an extensible set of user authentication methods, such as one-time token authentication and password change or aging. It uses server-side digital certificate authentication based on the public-key infrastructure (PKI) standard. In environments where certificates are not issued to every client, PEAP can use a Microsoft Windows username and password instead by querying the Windows domain controller, Active Directory, or other existing user database.
  • Lightweight EAP (LEAP): cisco proprietary. It uses the concept of mutual authentication to validate a user. Mutual authentication relies on a shared secret and the user’s password, which is known by the client and the network.
    The authentication server sends a challenge to the client. The client uses a one-way hash of the user password to send a response to the challenge. The server creates its own response based on the user database information and compares it to the response received from the client. When the server authenticates the client, the same process is repeated in reverse so that the client can authenticate the server. When this process is completed, an EAP-Success message is sent to the client.
  • EAP-Transport Layer Security (EAP-TLS): Packet Type = 13 Similar to the Cisco LEAP method, EAP-TLS mutually authenticates the client and the server; however, in this case, passwords are not used. Instead, public key cryptography based on the Rivest, Shamir, and Adelman (RSA) handshake is used. EAP-TLS uses digital certificates or smart cards to validate both the user’s and the server’s identity.
    The RADIUS server sends its certificate to the client in Phase 1 of the authentication sequence (server-side TLS). The client validates the RADIUS server certificate by verifying the issuer of the certificate, a certificate authority (CA) server entity, and the contents of the digital certificate. When this is complete, the client sends its certificate to the RADIUS server in Phase 2 of the authentication sequence (client-side TLS). The RADIUS server validates the client’s certificate by verifying the issuer of the certificate (CA server entity) and the contents of the digital certificate. When this is complete, an EAP-Success message is sent to the client. It is one of the strongest forms of authentication available today, computationally intensive though.
  • EAP–Tunneled Transport Layer Security (EAP-TTLS): Packet Type = 21 extends on the concepts used for EAP-TLS, works similarly to PEAP, and uses two phases. Like EAP-TLS, EAP-TTLS utilizes TLS to form a tunnel between the authentication server and the supplicant and is created in Phase 1. Like PEAP, EAP-TTLS utilizes the TLS tunnel to encapsulate another form of EAP authentication but differs from PEAP in that it also can support non-EAP methods like PPP Authentication Protocol (PAP) and PPP Challenge Handshake Authentication Protocol (CHAP). However, unlike EAP-TLS, EAP-TTLS does not require that both the server and client be authenticated, which makes configuration easier.
  • EAP–Flexible Authentication via Secure Tunneling (EAP-FAST): Packet Type = 43 Cisco developed EAP-FAST to support customers that require strong password policy enforcement but do not want to deploy digital certificates. EAP-FAST provides protection against a variety of network attacks, including man-in-the-middle, replay, and dictionary attacks.
    Phase 1 establishes a mutually authenticated tunnel. The client and server use a Protected
    Access Credential (PAC) to authenticate each other and establish a secure tunnel.
    Phase 2 performs client authentication in the established tunnel. The client sends a user-
    name and password to authenticate and establish client authorization policy.
    EAP-FAST tunnel establishment relies on a PAC that can be provisioned and managed dynamically by EAP-FAST through the authentication server during Phase 2.

802.1x EAPOL message exchange: It is important to understand that the EAP packets are only encapsulated by EAPOL from the supplicant to the authenticator; from the authenticator to the authentication server, the EAP packets are encapsulated within the RADIUS packets.

image

 802.1x Port States: If IEEE 802.1x is configured on a switch port, the port starts in the automatic port authentication state (Auto). When in the Auto state, the port will start in the unauthorized state and require the supplicant to successfully authenticate. After the supplicant authenticates, the port changes to the authorized state and allows through traffic from the client to network resources. If the client does not support IEEE 802.1x, the switch cannot authenticate the client unless MAB is configured to be used or a guest VLAN is preconfigured to provide some level of necessary network access.

  • Auto: In this mode, the port begins in the unauthorized state and allows only EAPOL, CDP, and STP traffic. After the supplicant is authenticated, the port transitions to the authorized state and normal traffic is allowed.
  • Forced-Authorized: In this state, 802.1x is disabled on the port. All traffic is allowed as normal without restriction. This is the default port state when 802.1x is not globally enabled.
  • Forced-Unauthorized: In this state, the port ignores all traffic, including any attempts to authenticate.