Versions Compared

Version Old Version 4 New Version 5
Changes made by

Tracy Yang

Tracy Yang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Figure 1. Architecture of the NAC Authentication System

Image RemovedImage Added

  • Supplicant: The supplicant is the user device that wants access to the network resources through the switch. It is a client or a host that provides the user name and password to the authentication server to obtain network access rights.
  • Authenticator: The PICA8 Switch functions as the authenticator in the NAC authentication system. As an authentication gateway device, PICA8 Switch transfers authentication information between the client and the authentication server, and controls network access and authorization of the client.
  • AAA server: The authentication server is the entity that validates authentication credentials provided by the supplicant. RADIUS is a commonly used authentication server. The administrator configures the user's authentication and authorization information on the AAA server that is used to validate the client in the NAC authentication process and determine whether the client can access the network resources.

NOTE:

  •   The administrator needs to configure both the AAA server and PICA8 switch to deploy the NAC function successfully.
  •   From PICOS version 2.11.22, the NAC authentication function is extended to support Web authentication, downloadable ACL and dynamic ACL.

Host Mode

Host Mode refers to whether a single or multiple clients are allowed access on a single switch port. PICOS NAC function is a combination of switch port and the client’s MAC address learned on that switch port to implement user access control. Each switch port can be configured to operate in either single or multiple host mode.

...

Code Block
admin@Xorplus# run show dot1x server
Server-IP      Reachability
----------------  -------------
10.10.50.65    reachable  

admin@Xorplus# run show dot1x all
Global-Info:
---------------------------------------------------------------------------------
NAS-IP           :  10.10.1.1
Block-VLAN         :  2
Block-VLAN-IP        :  172.16.1.1/24
WEB-AUTH-MODE           :  Remote
Server-Fail-VLAN      :  100
--------------------------------------------------------------------------------

NOTE:

A maximum of three RADIUS servers can be configured on the switch. The server with the smallest IP address and reachable will be used for NAC authentication.

Block VLAN and Dynamic VLAN

...

After creating a block VLAN, you can use the run show vlans command to view VLAN information.

NOTE:

When deploying voice VLAN feature together with NAC feature, pay attention the following points:

  •   It is strongly recommended not to use both voice VLAN and dynamic VLAN on the port enabled with NAC function.
  •   If both the voice VLAN and the dynamic VLAN are used on the port enabled with NAC, the packet transmission depends on the tagged mode of the voice VLAN.

Ø  If the tagged mode of the voice VLAN is tag, the packets received from the port are transmitted through the voice VLAN, the packets sent from the port are tagged with the voice VLAN.

Ø  If the tagged mode of the voice VLAN is untag, the untagged packets received from the port are transmitted through the dynamic VLAN, the packets sent from the port are also untagged.

Ø  If the tagged mode of the voice VLAN is untag, the received packets tagged with the voice VLAN ID are forwarded through the voice VLAN and if the received packets are tagged with the dynamic VLAN ID then the packets will be forwarded through the dynamic VLAN. The packets will be dropped if the received tagged VLAN ID matches neither the dynamic VLAN nor the voice VLAN.

  •  If the returned RADIUS access accept message includes an extra Pica8 vendor-specific-attribute (VSA)“pica8-traffic-class=voice”, the dynamic VLAN will take precedence over the locally configured voice VLAN.

Fallback to WEB Function

PICOS NAC function includes three authentication modes: 802.1X authentication, MAB authentication and Central Web Authentication (CWA). To use NAC to control users' network access rights, you must enable one or more authentication modes on a switch interface. Note that: CWA authentication process relies on MAB authentication. If you want to deploy CWA, you need to enable MAB authentication first.

...

1.  Fallback to WEB function is disabled. This is the default configuration.

  • When both 802.1X authentication and MAB authentication modes are enabled, the 802.1X authentication will take precedence over MAB.

If the Supplicant supports 802.1X authentication, the system performs 802.1X authentication. If the Supplicant does not support 802.1X authentication, the system performs MAB authentication.

...

Comparison of the Three Authentication Modes

The application scenarios of the three authentication modes are different, the below table compares the three authentication modes.

Items

802.1X Authentication

MAB Authentication

CWA Authentication

Client Software

The 802.1X client software is required to be installed on the supplicant device.

Not required.

The supplicant needs to install a Web browser.

Characteristics

The Extensible Authentication Protocol (EAP) is used to exchange authentication information between the client, the switch and the authentication server.

High security.

Complex management as it requires  registering each MAC address on the AAA server.

Flexible deployment.

Scenarios

Applicable to scenarios where requirements for security are high.

Can be deployed in scenarios where 802.1X cannot be deployed.

Authentication of dumb terminals such as printers and fax machines.

Applicable to temporary access or guest access scenarios.

802.1X Authentication

802.1X authentication is an authentication method that controls the network access rights of users based on the switch port and the MAC addresses of clients learned on that port. The Extensible Authentication Protocol (EAP) packet is used to exchange authentication information between the supplicant, authenticator and authentication server. This technology is mainly used in networks with high security requirements. 802.1X authentication requires 802.1X client software to be installed on the supplicant.

...

You can use the set protocols dot1x interface <interface-name> auth-mode web command to enable WEB authentication mode on an interface.

NOTE:

  •   The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.

Ø  From CLI configuration, you need to enable MAB authentication before enabling CWA authentication.

Ø  The CWA authentication works in conjunction with MAB authentication. The CWA authentication process will be implemented after the MAB authentication fails.

  •  To implement CWA authentication, there are a series of configurations on both the switch and AAA server, for details of how to configure CWA, please refer to section Example for Configuring CWA Authentication and the solution documentation Configuring Pica8 Switches with ClearPass Guest Central Web Authentication in Typical Configuration of NAC.
  • Both L2 and L3 connections between the client and the switch are supported when deploying CWA authentication.

Redirect URL

In the CWA authentication process, when the user connects to the network and tries to access a web page, the user is redirected to the authentication page on the web authentication server. Only after entering the correct username and password can the user successfully access the network resources.

...

Figure 2. CWA authentication process

Image RemovedImage Added

  1. The client is connected to the switch port and its MAC address is learned by the switch. The switch sends an MAB Request message to the AAA server to initiate MAB authentication for the guest user. The message carries the MAC address of the client as the authentication username and password.
  2. As the client's MAC address is an unregistered address on the AAA server, the MAB authentication fails. However, the AAA server is configured in such a way that an Access-Accept message is sent to the switch with a redirect URL for unregistered users.
  3. The client interacts with the switch to obtain a temporary IP address from the DHCP server running in the block VLAN.
  4. DNS resolution is done locally on DNS server running on the switch. Domain names such as www.example.com are resolved to the block VLAN interface IP address (e.g. 172.16.0.1) instead of its actual IP address. It’s important to note that both the DNS and DHCP server have the same IP address as the block VLAN interface IP address of 172.16.0.1.
  5. The client and the switch perform a TCP three-way handshake to establish a TCP connection.
  6. Then the client opens a web browser, initiates an HTTP access request.
  7. The switch replies to the client with the redirect URL in the HTTP response.
  8. The client’s request is redirected to the redirect URL page on the AAA server that requires the client to enter the username and password.
  9. After the client enters the correct username and password, login succeeds. AAA server sends a CoA bounce-port command to the switch.
  10. The switch and AAA server perform MAB authentication on the client MAC address again. This time the client is a known client to the AAA server, so another Access-Accept message is sent along with a dynamic VLAN ID. The switch port is then put into the dynamic VLAN.
  11. MAB authentication and Web authentication succeed. The user can access the Web resources normally.

Change of Authorization (CoA)

Server initiated Change of Authorization allows the administrator to modify the authorization of the already authorized users through the CoA messages from the AAA server.

The AAA server sends CoA messages to the PICA8 switch when the authorization information of an authorized user is changed by the administrator. The switch initiates a new authorization of the client when it receives a CoA messages. For example, if the administrator configures to disable the host port on the AAA server, the AAA server will send a CoA-Request message with disable-host-port field to the switch to disable the port connecting to the host.

CoA involves two parties: Dynamic Authorization Server (DAS) and Dynamic Authorization Client (DAC):

  • DAS: The component that resides on the NAS (switch) that processes and replies to the Change-of-Authorization (CoA) Request and Disconnect messages.
  • DAC: The component that sends CoA-Request and Disconnect messages to the Dynamic Authorization Server. This component often resides on the RADIUS server. For details, please refer to RFC5176.

...

NOTE:

  •   The CoA feature provides network administrators the flexibility to remotely control authorization changes of clients.
  •   FreeRADIUS server does not support DAC function. To support DAC function, user needs to connect to an AAA platform that supports DAC of CoA function, such as PacketFence.

CoA includes two types of message flows: Disconnect and Change-of-Authorization (CoA) processes. Disconnect message terminates a user session immediately whereas CoA message modifies the user session authorization attributes.

Figure 3 illustrates a CoA message exchange between an 802.1X-enabled client, a switch operating as Authenticator (DAS), and a RADIUS server operating as an Authentication Server (DAC).

Figure 3. Message Exchange during CoA Process

Image Removed

The AAA server sends a CoA-Request packet to the switch to request to change the user authorization attribute. The packet may include one of the four authorization attributes supported by PICOS: Disconnect, Re-authenticate, Bounce-host-port and Disable-host-port, as shown in Figure 3.

  • Disconnect: When the switch receives the Disconnect message, it terminates the user session immediately.
  • Re-authenticate: When the switch receives the re-authenticate CoA Request message from the AAA server, the switch sends an EAP Request message to the supplicant to initiate re-authentication.
  • Bounce-host-port: The CoA-Request message with bounce-host-port attribute brings the interface down and then up immediately.
  • Disable-host-port: The CoA-Request message with disable-host-port attribute brings the interface down. The interface cannot be used after this operation. If you want to enable this interface, use the set interface gigabit-ethernet<port> disable false CLI command.

Figure 4. Bounce-host-port Attribute in CoA-Request Message

Image Removed

1.  DAS performs the action according to the authorization attribute in the CoA-Request packet.

2.  DAS replies with a CoA-ACK/NAK message. While sending the CoA-ACK/NAK, the source port in the CoA-Request packet is used as the destination port whereas the destination port of   3799 in the CoA-Request packet is used as the source port.

...

RADIUS Accounting for 802.1X and MAB

NOTE:

RADIUS accounting applies only to 802.1X and MAB authentication procedures.

Enterprises or carriers need to charge users who are accessing different enterprise or carrier services such as Internet to be able to accurately and effectively calculate billing information for their customers

When a user gets online, the switch will send accounting start message to the AAA server when authentication is passed and starts accounting; When the user gets offline by either MAC aged out or be deleted, the switch will send accounting stop packet to the AAA server to stop accounting. In the accounting stop packet, the attribute Acct-Session-Time carries the amount of time the user was online.

Users can use the set protocols dot1x aaa radius accounting disable <true | false> command to enable or disable accounting function for 802.1X and MAB.

AAA server records the packet consumption, you can use the command run show dot1x dynamic/downloadable filter to check the counter result. For example,

Image Added

Image Added

Change of Authorization (CoA)

Server initiated Change of Authorization allows the administrator to modify the authorization of the already authorized users through the CoA messages from the AAA server.

The AAA server sends CoA messages to the PICA8 switch when the authorization information of an authorized user is changed by the administrator. The switch initiates a new authorization of the client when it receives a CoA messages. For example, if the administrator configures to disable the host port on the AAA server, the AAA server will send a CoA-Request message with disable-host-port field to the switch to disable the port connecting to the host.

CoA involves two parties: Dynamic Authorization Server (DAS) and Dynamic Authorization Client (DAC):

  • DAS: The component that resides on the NAS (switch) that processes and replies to the Change-of-Authorization (CoA) Request and Disconnect messages.
  • DAC: The component that sends CoA-Request and Disconnect messages to the Dynamic Authorization Server. This component often resides on the RADIUS server. For details, please refer to RFC5176.

NOTE:

  •   The CoA feature provides network administrators the flexibility to remotely control authorization changes of clients.
  •   FreeRADIUS server does not support DAC function. To support DAC function, user needs to connect to an AAA platform that supports DAC of CoA function, such as PacketFence.

CoA includes two types of message flows: Disconnect and Change-of-Authorization (CoA) processes. Disconnect message terminates a user session immediately whereas CoA message modifies the user session authorization attributes.

Figure 3 illustrates a CoA message exchange between an 802.1X-enabled client, a switch operating as Authenticator (DAS), and a RADIUS server operating as an Authentication Server (DAC).

Figure 3. Message Exchange during CoA Process

Image Added

The AAA server sends a CoA-Request packet to the switch to request to change the user authorization attribute. The packet may include one of the four authorization attributes supported by PICOS: Disconnect, Re-authenticate, Bounce-host-port and Disable-host-port, as shown in Figure 3.

  • Disconnect: When the switch receives the Disconnect message, it terminates the user session immediately.
  • Re-authenticate: When the switch receives the re-authenticate CoA Request message from the AAA server, the switch sends an EAP Request message to the supplicant to initiate re-authentication.
  • Bounce-host-port: The CoA-Request message with bounce-host-port attribute brings the interface down and then up immediately.
  • Disable-host-port: The CoA-Request message with disable-host-port attribute brings the interface down. The interface cannot be used after this operation. If you want to enable this interface, use the set interface gigabit-ethernet<port> disable false CLI command.

Figure 4. Bounce-host-port Attribute in CoA-Request Message

Image Added

1.  DAS performs the action according to the authorization attribute in the CoA-Request packet.

2.  DAS replies with a CoA-ACK/NAK message. While sending the CoA-ACK/NAK, the source port in the CoA-Request packet is used as the destination port whereas the destination port of   3799 in the CoA-Request packet is used as the source port.

  • If DAS successfully applies the action in the CoA Request packet it will reply with a CoA-ACK message. DAS replies with a CoA-ACK message.
  • If for some reason the DAS is unable to carry out the action requested in the CoA Request packet, the DAS replies with a CoA-NAK message.

...

Template of Downloadable ACL:

sequence [0..9999] from destination-mac-address <macaddr>

sequence [0..9999] from destination-address-ipv4 <IPv4Net>

sequence [0..9999] from source-address-ipv4 <IPv4Net>

sequence [0..9999] from destination-address-ipv6 <IPv6Net>

sequence [0..9999] from source-address-ipv6 <IPv6Net>

sequence [0..9999] from destination-port <uintrange>

sequence [0..9999] from source-port <uintrange>

sequence [0..9999] from ether-type [1501..65535]

sequence [0..9999] from vlan [1..4094]

sequence [0..9999] from protocol icmp

sequence [0..9999] from protocol icmp [type|code] [0..254]

sequence [0..9999] from protocol igmp

sequence [0..9999] from protocol ip

sequence [0..9999] from protocol tcp

sequence [0..9999] from protocol ospf

sequence [0..9999] from protocol others [0..255]

sequence [0..9999] then action [discard|forward]

and is the logical operator between the matching fields with the same sequence number, that is, to be considered to match a firewall filter rule and included in a class, the packets must match all of the matching fields with the same sequence number. NOTE that there is a drop rule for each firewall filter rule by default.

NOTE:

  •   If the format or the content of the downloadable ACL do not meet the template conditions mentioned above, the ACL rule fails to be parsed and applied to the hardware.
  •   On the AAA server, make sure you use only one Pica8-IP-Downloadable-ACL-Name attribute which carries the downloadable ACL name, but you can have multiple Pica8-IP-Downloadable-ACL-Rule attributes.

The following image shows the format of the downloadable ACL in the Access-Accept message which is sent from the AAA server to the switch:

Image RemovedImage Added

On the switch, you can use the run show dot1x interface command to view the detailed information about the downloadable ACL delivered by the interface.

...

The employment of the downloadable ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

Dynamic ACL

The dynamic ACL is a dynamic packet filtering function that is implemented by the AAA server and the firewall filter module of the switch function. Instead of downloadable ACL getting the detailed ACL rules from the AAA server, the detailed rules of dynamic ACL should be preconfigured on the switch and the ACL should be applied just when the ACL name is received from AAA server. The name of the dynamic ACL is configured on the AAA server which uses the RADIUS standard attribute Filter-Id, an attribute defined by the RFC3576 standard and the attribute ID number is 11.

...

The following image shows the format of Filter-ID in the Access-Accept message which is sent from the AAA server to the switch:

Image RemovedImage Added

On the switch, use the following commands to configure the NAC-based dynamic ACL rule.

...

The employment of the dynamic ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

NOTE:

  •   Every dynamic ACL rule will add matching source MAC rule automatically. So it is not supported
to configure source MAC rule for dynamic ACL.  The filter name configured in the filter-id must be the same as the filter name of the dynamic ACL configured on the switch
  • to configure source MAC rule for dynamic ACL.
  •   The filter name configured in the filter-id must be the same as the filter name of the dynamic ACL configured on the switch.

Response to session-timeout Attribute

If the returned access-accept RADIUS message carries the attribute session-timeout after MAB/802.1X authentication, the authenticated session will expire after a period of session-timeout and start a new authentication process.

  • If the access-accept RADIUS message carried the timeout-session attribute and the timeout value is not equal to 0 (such as 30s), the switch will send request packet to the AAA server or the client every 30s for re-authentication.
  • If the access-accept RADIUS message carried the timeout-session attribute but the timeout value is equal to 0, the switch does not send any re-authentication request packet to the AAA server or the client. No action is taken, it has the same effect as if the session timeout attribute was not used or the returned access accept packet did not had the timeout attribute.
  • If the access-accept RADIUS message does not include the timeout-session attribute, the switch will send the re-authentication request packet to the AAA server or the client every 60 mins (default value) for re-authentication. The default 60 minutes re-authentication applies in situations where the MAC address does not age out for 60 minutes.

Vendor Specific Attribute (VSA)

Vendor Specific Attribute (VSA) is a vendor defined attribute in the vendor’s RADIUS dictionary. For the NAC function, PICOS defines four VSAs whereas the PICA8 vendor ID is 35098:

...

5. Refer to the image below for reference.

Image RemovedImage Added

How to Import PICA8 RADIUS Dictionary for Cisco ISE

...

  1. Click on Policy Elements -> Dictionaries -> System -> Radius -> RADIUS Vendors.
  2. Click on Import and choose the Pica8 dictionary file, now click import to load the dictionary file.
  3. You should be able to see Pica8 dictionary file in the list of vendor dictionaries after successful import.Image RemovedImage RemovedImage AddedImage Added
  4. You can also create your dictionary file here by clicking Add and adding attributes as mentioned in dictionary file.
  5. Please note adding a dictionary file manually you need to enter the attributes as they are in the dictionary files. The two most important items are the VENDOR name and ID and Pica8-AVPair attribute. The VENDOR name must be set to Pica8 and the ID should be 35098.
  6. The dictionary file for Cisco ISE is attached below:

...

    7. Refer to the image below for reference.

Image RemovedImage Added

How to Import PICA8 RADIUS Dictionary to FreeRadius server

...