Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Figure 1. Architecture of the NAC Authentication System

Image RemovedImage Added

  • Supplicant: The supplicant is the user device that wants access to the network resources through the switch. It is a client or a host that provides the user name and password to the authentication server to obtain network access rights.
  • Authenticator: The PICA8 Switch functions as the authenticator in the NAC authentication system. As an authentication gateway device, PICA8 Switch transfers authentication information between the client and the authentication server, and controls network access and authorization of the client.
  • AAA server: The authentication server is the entity that validates authentication credentials provided by the supplicant. RADIUS is a commonly used authentication server. The administrator configures the user's authentication and authorization information on the AAA server that is used to validate the client in the NAC authentication process and determine whether the client can access the network resources.

...

The purpose of a server fail VLAN is to provide limited network connectivity to users in the event of AAA server failure or unreachability. After a RADIUS server is configured, the switch sends the Test Radius Request message to the server to detect the reachability of the RADIUS server. If all the RADIUS servers are unreachable, the port connected to the client will be added to the server fail VLAN, and the packets from the client can be forwarded in server fail VLAN. The switch continues to send the detection packets every 5 seconds second for 3 times (can be set by CLI command) to check whether the server is reachable. If one of the RADIUS servers is reachable, the switch removes this client from the server fail VLAN and adds it back into the block VLAN, and the switch stops sending the detective packets.

...

Code Block
admin@Xorplus# run show dot1x server
Server-IP      ReachabilityIP         Status        Priority  Activity  Retry-Interval  Retry-Num
----------------   -------------
10.10.50.65    reachable  

admin@Xorplus# run show dot1x all
Global-Info:
-------  --------  --------------  ----------------------------------------------------
NAS-IP           :  
10.10.1.1
Block-VLAN         : 51.70       reachable     2 Block-VLAN-IP        :  172.16.1.1/24
WEB-AUTH-MODE           *      5   Sec(s)      5        
10.10.50.72       reachable     3           Remote Server-Fail-VLAN      :  100
-------------------------      1   Sec(s)      3  
10.10.53.72       reachable     ...          -      5   Sec(s)      5


admin@Xorplus# run show dot1x all
Global-Info:
--------------------------------------------------------

...

NOTE:

A maximum of three RADIUS servers can be configured on the switch. The server with the smallest IP address and reachable will be used for NAC authentication.

Block VLAN and Dynamic VLAN

...

-------------------------
NAS-IP           :  10.10.1.1
Block-VLAN         :  2
Block-VLAN-IP        :  172.16.1.1/24
WEB-AUTH-MODE           :  Remote
Server-Fail-VLAN      :  100
--------------------------------------------------------------------------------

NOTE:

A maximum of three RADIUS servers can be configured on the switch. The server with the smallest IP address and reachable will be used for NAC authentication.

Block VLAN and Dynamic VLAN

Block VLAN is a global configuration for NAC authentication. The port enabled with web authentication NAC feature will be added to the block VLAN automatically. Users in the block VLAN  have very limited access network resources before being authenticated successfully through the web authentication portal. Block VLAN is a mandatory prerequisite for web authentication. If block VLAN is not specified, the switch won’t allow the user to configure web authentication for any physical port.

...

NOTE:

When deploying voice VLAN feature together with NAC feature, pay attention the following points:

  •   It is strongly recommended not to use both voice VLAN and dynamic VLAN on the port enabled with NAC function.
  •   If both the voice VLAN and the dynamic VLAN are used on the port enabled with NAC, the packet transmission depends on the tagged mode of the voice VLAN.

Ø  If the tagged mode of the voice VLAN is tag, the packets received from the port are transmitted through the voice VLAN, the packets sent from the port are tagged with the voice VLAN.

Ø  If the tagged mode of the voice VLAN is untag, the untagged packets received from the port are transmitted through the dynamic VLAN, the packets sent from the port are also untagged.

Ø  If the tagged mode of the voice VLAN is untag, the received packets tagged with the voice VLAN ID are forwarded through the voice VLAN and if the received packets are tagged with the dynamic VLAN ID then the packets will be forwarded through the dynamic VLAN. The packets will be dropped if the received tagged VLAN ID matches neither the dynamic VLAN nor the voice VLAN.

  •  If the returned RADIUS access accept message includes an extra Pica8 vendor-specific-attribute (VSA)“device“pica8-traffic-class=voice”, the dynamic VLAN will take precedence over the locally configured voice VLAN.

...

1.  Fallback to WEB function is disabled. This is the default configuration.

  • When both 802.1X authentication and MAB authentication modes are enabled, the 802.1X authentication will take precedence over MAB.

If the Supplicant supports 802.1X authentication, the system performs 802.1X authentication. If the Supplicant does not support 802.1X authentication, the system performs MAB authentication.

...

Comparison of the Three Authentication Modes

The application scenarios of the three authentication modes are different, the below table compares the three authentication modes.

Items

802.1X Authentication

MAB Authentication

CWA Authentication

Client Software

The 802.1X client software is required to be installed on the supplicant device.

Not required.

The supplicant needs to install a Web browser.

Characteristics

The Extensible Authentication Protocol (EAP) is used to exchange authentication information between the client, the switch and the authentication server.

High security.

Complex management as it requires  registering each MAC address on the AAA server.

Flexible deployment.

Scenarios

Applicable to scenarios where requirements for security are high.

Can be deployed in scenarios where 802.1X cannot be deployed.

Authentication of dumb terminals such as printers and fax machines.

Applicable to temporary access or guest access scenarios.

802.1X Authentication

802.1X authentication is an authentication method that controls the network access rights of users based on the switch port and the MAC addresses of clients learned on that port. The Extensible Authentication Protocol (EAP) packet is used to exchange authentication information between the supplicant, authenticator and authentication server. This technology is mainly used in networks with high security requirements. 802.1X authentication requires 802.1X client software to be installed on the supplicant.

...

When the interface enabled with MAB authentication learns the MAC address of the user, PICOS will perform the MAB authentication process. During the authentication process, the user is not required to manually enter a username or password. The user's MAC address will be encapsulated as the user-name and password in a RADIUS Access Request packet and sent to the AAA server. The port will be opened to the user with this MAC address only if MAB authentication is passed successfully. This technology is suitable for environments where the MAC address is fixed and the security requirements are not very high. At the same time, it can meet the authentication requirements of terminals such as printers that cannot install the 802.1X authentication client software.

When the MAC entry is aged or deleted, the user session with this source MAC will be disconnected. MAB authentication will be performed again if the user wants to access the network resources through this port.

Central Web Authentication (CWA)

Introduction

Central Web Authentication (CWA) provides a means to enterprise network administrators to allow guests on the network some form of access to network resources, which is also referred to as Web authentication. This feature is particularly helpful because guest users usually do not have proper 802.1X or MAC Radius credentials saved on the authentication servers.

With Web authentication feature, PICA8 switches can now provide an additional feature to guest users to use their web browser to access a login page where they can provide either authentication credentials for guests or simply accept a use-policy to access the network. In centralized web authentication environment, the PICA8 switch works as a proxy between the authentication server and user. When the user with MAB authentication learns the MAC address of the user, PICOS will perform the MAB authentication process. During the authentication process, the user is not required to manually enter a username or password. The user's MAC address will be encapsulated as the user-name and password in a RADIUS Access Request packet and sent to the AAA server. The port will be opened to the user with this MAC address only if MAB authentication is passed successfully. This technology is suitable for environments where the MAC address is fixed and the security requirements are not very high. At the same time, it can meet the authentication requirements of terminals such as printers that cannot install the 802.1X authentication client software.

When the MAC entry is aged or deleted, the user session with this source MAC will be disconnected. MAB authentication will be performed again if the user wants to access the network resources through this port.

Central Web Authentication (CWA)

Introduction

Central Web Authentication (CWA) provides a means to enterprise network administrators to allow guests on the network some form of access to network resources, which is also referred to as Web authentication. This feature is particularly helpful because guest users usually do not have proper 802.1X or MAC Radius credentials saved on the authentication servers.

With Web authentication feature, PICA8 switches can now provide an additional feature to guest users to use their web browser to access a login page where they can provide either authentication credentials for guests or simply accept a use-policy to access the network. In centralized web authentication environment, the PICA8 switch works as a proxy between the authentication server and user. When the user connects to the network and tries to access a Web page, the user is redirected to the authentication page on the Web authentication server. Only after entering the correct username and password can the user successfully access the network resources.

You can use the set protocols dot1x interface <interface-name> auth-mode web command to enable WEB authentication mode on an interface.

NOTE:

  •   The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.

Ø  From CLI configuration, you need to enable MAB authentication before enabling CWA authentication.

Ø  The CWA authentication works in conjunction with MAB authentication. The CWA authentication process will be implemented after the MAB authentication fails.

  •  To implement CWA authentication, there are a series of configurations on both the switch and AAA server, for details of how to configure CWA, please refer to section Example for Configuring CWA Authentication and the solution documentation Configuring Pica8 Switches with ClearPass Guest Central Web Authentication in Typical Configuration of NAC.
  • Both L2 and L3 connections between the client and the switch are supported when deploying CWA authentication.

Redirect URL

In the CWA authentication process, when the user connects to the network and tries to access a Web web page, the user is redirected to the authentication page on the Web web authentication server. Only after entering the correct username and password can the user successfully access the network resources.

You can use the set protocols dot1x interface <interface-name> auth-mode web command to enable WEB authentication mode on an interface.

...

NOTE:

  •   The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.

Ø  From CLI configuration, you need to enable MAB authentication before enabling CWA authentication.

Ø  The CWA authentication works in conjunction with MAB authentication. The CWA authentication process will be implemented after the MAB authentication fails.

  •  To implement CWA authentication, there are a series of configurations on both the switch and AAA server, for details of how to configure CWA, please refer to section Example for Configuring CWA Authentication and the solution documentation Configuring Pica8 Switches with ClearPass Guest Central Web Authentication in Typical Configuration of NAC.
  • Both L2 and L3 connections between the client and the switch are supported when deploying CWA authentication.

Redirect URL

In the CWA authentication process, when the user connects to the network and tries to access a web page, the user is redirected to the authentication page on the web authentication server. Only after entering the correct username and password can the user successfully access the network resources.

The Redirect URL is a vendor-specific attribute (VSA) of type string defined on the AAA server. The attribute name is Pica8-Redirect-URL and the attribute ID number is 4 in the PICA8 RADIUS dictionary. To use the Redirect URL VSA the user has to import PICA8 RADIUS dictionary to AAA server. For details about how to import PICA8 RADIUS dictionary, please refer to the document How to Import PICA8 RADIUS Dictionary.

CWA Authentication Process

Figure 2 shows the CWA authentication process.

Figure 2. CWA authentication process

Image Removed

...

user successfully access the network resources.

The Redirect URL is a vendor-specific attribute (VSA) of type string defined on the AAA server. The attribute name is Pica8-Redirect-URL and the attribute ID number is 4 in the PICA8 RADIUS dictionary. To use the Redirect URL VSA the user has to import PICA8 RADIUS dictionary to AAA server. For details about how to import PICA8 RADIUS dictionary, please refer to the document How to Import PICA8 RADIUS Dictionary.

CWA Authentication Process

Figure 2 shows the CWA authentication process.

Figure 2. CWA authentication process

Image Added

  1. The client is connected to the switch port and its MAC address is learned by the switch. The switch sends an MAB Request message to the AAA server to initiate MAB authentication for the guest user. The message carries the MAC address of the client as the authentication username and password.
  2. As the client's MAC address is an unregistered address on the AAA server, the MAB authentication fails. However, the AAA server is configured in such a way that an Access-Accept message is sent to the switch with a redirect URL for unregistered users.
  3. The client interacts with the switch to obtain a temporary IP address from the DHCP server running in the block VLAN.
  4. DNS resolution is done locally on DNS server running on the switch. Domain names such as www.example.com are resolved to the block VLAN interface IP address (e.g. 172.16.0.1) instead of its actual IP address. It’s important to note that both the DNS and DHCP server have the same IP address as the block VLAN interface IP address of 172.16.0.1.
  5. The client and the switch perform a TCP three-way handshake to establish a TCP connection.
  6. Then the client opens a web browser, initiates an HTTP access request.
  7. The switch replies to the client with the redirect URL in the HTTP response.
  8. The client’s request is redirected to the redirect URL page on the AAA server that requires the client to enter the username and password.
  9. After the client enters the correct username and password, login succeeds. AAA server sends a CoA bounce-port command to the switch.
  10. The switch and AAA server perform MAB authentication on the client MAC address again. This time the client is a known client to the AAA server, so another Access-Accept message is sent along with a dynamic VLAN ID. The switch port is then put into the dynamic VLAN.
  11. MAB authentication and Web authentication succeed. The user can access the Web resources normally.

RADIUS Accounting for 802.1X and MAB

NOTE:

RADIUS accounting applies only to 802.1X and MAB authentication procedures.

Enterprises or carriers need to charge users who are accessing different enterprise or carrier services such as Internet to be able to accurately and effectively calculate billing information for their customers

When a user gets online, the switch will send accounting start message to the AAA server when authentication is passed and starts accounting; When the user gets offline by either MAC aged out or be deleted, the switch will send accounting stop packet to the AAA server to stop accounting. In the accounting stop packet, the attribute Acct-Session-Time carries the amount of time the user was online.

Users can use the set protocols dot1x aaa radius accounting disable <true | false> command to enable or disable accounting function for 802.1X and MAB.

AAA server records the packet consumption, you can use the command run show dot1x dynamic/downloadable filter to check the counter result. For example,

Image Added

Image Added

Change of Authorization (CoA)

...

Figure 3. Message Exchange during CoA Process

Image RemovedImage Added

The AAA server sends a CoA-Request packet to the switch to request to change the user authorization attribute. The packet may include one of the four authorization attributes supported by PICOS: Disconnect, Re-authenticate, Bounce-host-port and Disable-host-port, as shown in Figure 3.

...

Figure 4. Bounce-host-port Attribute in CoA-Request Message

Image RemovedImage Added

1.  DAS performs the action according to the authorization attribute in the CoA-Request packet.

...

The following image shows the format of the downloadable ACL in the Access-Accept message which is sent from the AAA server to the switch:

Image RemovedImage Added

On the switch, you can use the run show dot1x interface command to view the detailed information about the downloadable ACL delivered by the interface.

...

  Client MAC                             : 00:ea:4c:5d:12:54

  Status                                         : authorized

Success Auth Method               : MAB

  Dynamic VLAN ID                   : 200

  Downloadable Filter Name     : my-downloadable-acl

  Downloadable Filter Rule       : sequence 1 from source 10.10.10.10/24

                 : authorizedSuccess Auth Method                : MAB   Dynamic VLAN ID                    : 200

  Downloadable Filter Name     : my-downloadable-acl

  Downloadable Filter Rule       : sequence 1 from source 10.10.10.10/24

                                                   sequence 1 then action discard

The employment of the downloadable ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

Dynamic ACL

The dynamic ACL is a dynamic packet filtering function that is implemented by the AAA server and the firewall filter module of the switch function. Instead of downloadable ACL getting the detailed ACL rules from the AAA server, the detailed rules of dynamic ACL should be preconfigured on the switch and the ACL should be applied just when the ACL name is received from AAA server. The name of the dynamic ACL is configured on the AAA server which uses the RADIUS standard attribute Filter-Id, an attribute defined by the RFC3576 standard and the attribute ID number is 11.

After the 802.1X authentication or MAB authentication has succeeded, the AAA server sends the ACL name to the switch in the Access-Accept message carried with Filter-Id field. The switch parses the received dynamic ACL field and implements packet filtering through the packet matching rules and processing operations. Each dynamic ACL is sent only with an Access-Accept message when any of MAB or 802.1X authentication has passed successfully on the AAA server for a specific client.

The switch delivers the ACL rule to match the packets and process the packets to implement packet filter rule. If the AAA server delivers a wrong ACL name, the switch prints a system log, and then drops the flow by using the default drop rule.

The following image shows the format of Filter-ID in the Access-Accept message which is sent from the AAA server to the switch:

Image Removed

On the switch, use the following commands to configure the NAC-based dynamic ACL rule.

set protocols dot1x filter <filter-name> sequence <sequence-number> from <filter-condition>

set protocols dot1x filter <filter-name> sequence <number> then action <discard | forward>

and is the logical operator between the matching fields with the same sequence number, that is, to be considered to match a firewall filter rule and included in a class, the packets must match all of the matching fields with the same sequence number. NOTE that there is a drop rule for each firewall filter rule by default.

On the switch, you can use the run show dot1x interface command to view the detailed information about the dynamic ACL applied to the interface.

For example,

admin@Xorplus# run show dot1x interface gigabit-ethernet ge-1/1/5

Interface ge-1/1/5:

=====================================================================

Client MAC                          : 08:9e:01:9e:cc:fe

Status                                  : authorized

Dynamic VLAN ID               : 200

Dynamic Filter Name           : f2

The employment of the dynamic ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

NOTE:

...

 sequence 1 then action discard

The employment of the downloadable ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

Dynamic ACL

The dynamic ACL is a dynamic packet filtering function that is implemented by the AAA server and the firewall filter module of the switch function. Instead of downloadable ACL getting the detailed ACL rules from the AAA server, the detailed rules of dynamic ACL should be preconfigured on the switch and the ACL should be applied just when the ACL name is received from AAA server. The name of the dynamic ACL is configured on the AAA server which uses the RADIUS standard attribute Filter-Id, an attribute defined by the RFC3576 standard and the attribute ID number is 11.

After the 802.1X authentication or MAB authentication has succeeded, the AAA server sends the ACL name to the switch in the Access-Accept message carried with Filter-Id field. The switch parses the received dynamic ACL field and implements packet filtering through the packet matching rules and processing operations. Each dynamic ACL is sent only with an Access-Accept message when any of MAB or 802.1X authentication has passed successfully on the AAA server for a specific client.

The switch delivers the ACL rule to match the packets and process the packets to implement packet filter rule. If the AAA server delivers a wrong ACL name, the switch prints a system log, and then drops the flow by using the default drop rule.

The following image shows the format of Filter-ID in the Access-Accept message which is sent from the AAA server to the switch:

Image Added

On the switch, use the following commands to configure the NAC-based dynamic ACL rule.

set protocols dot1x filter <filter-name> sequence <sequence-number> from <filter-condition>

set protocols dot1x filter <filter-name> sequence <number> then action <discard | forward>

and is the logical operator between the matching fields with the same sequence number, that is, to be considered to match a firewall filter rule and included in a class, the packets must match all of the matching fields with the same sequence number. NOTE that there is a drop rule for each firewall filter rule by default.

On the switch, you can use the run show dot1x interface command to view the detailed information about the dynamic ACL applied to the interface.

For example,

admin@Xorplus# run show dot1x interface gigabit-ethernet ge-1/1/5

Interface ge-1/1/5:

=====================================================================

Client MAC                          : 08:9e:01:9e:cc:fe

Status                                  : authorized

Dynamic VLAN ID               : 200

Dynamic Filter Name           : f2

The employment of the dynamic ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.

NOTE:

  •   Every dynamic ACL rule will add matching source MAC rule automatically. So it is not supported to configure source MAC rule for dynamic ACL.
  •   The filter name configured in the filter-id must be the same as the filter name of the dynamic ACL configured on the switch.

Response to session-timeout Attribute

If the returned access-accept RADIUS message carries the attribute session-timeout after MAB/802.1X authentication, the authenticated session will expire after a period of session-timeout and start a new authentication process.

  • If the access-accept RADIUS message carried the timeout-session attribute and the timeout value is not equal to 0 (such as 30s), the switch will send request packet to the AAA server or the client every 30s for re-authentication.
  • If the access-accept RADIUS message carried the timeout-session attribute but the timeout value is equal to 0, the switch does not send any re-authentication request packet to the AAA server or the client. No action is taken, it has the same effect as if the session timeout attribute was not used or the returned access accept packet did not had the timeout attribute.
  • If the access-accept RADIUS message does not include the timeout-session attribute, the switch will send the re-authentication request packet to the AAA server or the client every 60 mins (default value) for re-authentication. The default 60 minutes re-authentication applies in situations where the MAC address does not age out for 60 minutes.

Vendor Specific Attribute (VSA)

Vendor Specific Attribute (VSA) is a vendor defined attribute in the vendor’s RADIUS dictionary. For the NAC function, PICOS defines four VSAs whereas the PICA8 vendor ID is 35098:

...

5. Refer to the image below for reference.

Image RemovedImage Added

How to Import PICA8 RADIUS Dictionary for Cisco ISE

...

  1. Click on Policy Elements -> Dictionaries -> System -> Radius -> RADIUS Vendors.
  2. Click on Import and choose the Pica8 dictionary file, now click import to load the dictionary file.

You should be able to see Pica8 dictionary file in the list of vendor dictionaries after successful import.

...

Image AddedImage Added

  1. You can also create your dictionary file here by clicking Add and adding attributes as mentioned in dictionary file.
  2. Please note adding a dictionary file manually you need to enter the attributes as they are in the dictionary files. The two most important items are the VENDOR name and ID and Pica8-AVPair attribute. The VENDOR name must be set to Pica8 and the ID should be 35098.
  3. The dictionary file for Cisco ISE is attached below:

...

    7. Refer to the image below for reference.

Image RemovedImage Added

How to Import PICA8 RADIUS Dictionary to FreeRadius server

...