鱼!
Category: Networking and Security
2013-11-25 12:42:22
Before we start, as a heads up, this article covers a specific MAB solution only, and you are assumed to know how to set up an 802.1x authentication environment with SNAC and Cisco switches. The basics of 802.1x installation are not the subject of this article. In other words, this article is meant to be applied to an existing, working, wired 802.1x environment.
To begin with, bypassing a network adapter by its MAC address is a need when you want to completely secure all the UTP cables hanging around by using 802.1x authentication, because devices like printers or IP phones cannot respond to 802.1x requests.
Symantec Network Access Control 6100 Appliances include a built-in MAB feature with a clear and easy configuration; however, I couldn't get it working in spite of all the advanced stuff I've been doing. I didn't want to open a case for this because it's not the best idea to use the LAN Enforcer's local MAC database, since you have to back it up regularly if you do so. There's an LDAP option in the appliance configuration, but I didn't try it either, since this method looks easier to me.
Thus this article covers how to create a MAC Authentication Bypass (MAB) using Microsoft IAS as the RADIUS server and a Cisco switch.
1. Particular switch ports should be configured to initiate MAB if there is no 802.1x response
When dot1x is enabled on a switch globally and on the specific switch port, that port will only talk dot1x until authentication is complete. But there will be times when authentication requests go unanswered. These can be guest clients that do not have 802.1x enabled in their Ethernet configuration, and such clients can be moved to a guest VLAN.
On the other hand, a network printer or an IP phone will not respond to 802.1x because it is not capable of it, and you cannot move it to a guest VLAN since it has to be accessible from production. To keep these clients in the production VLAN, you need to enable the MAC bypass feature on the Cisco switch (depending on the IOS version).
The command we need is basically "dot1x mac-auth-bypass":
This command lets the port send the authentication request to the configured RADIUS server even if there is no 802.1x response from the connected client, once all timeouts have expired. So it may take some time before the request reaches the RADIUS servers (both the NAC appliance acting as a RADIUS proxy and IAS as the domain RADIUS server).
There are a few more commands depending on the IOS version, such as "dot1x max-reauth-req". You just need to check the available options on your Cisco switch.
2. You need domain users corresponding to MAC addresses
When MAB is activated, the switch will send an authentication packet as if the username were the MAC address of the connected client (such as a network printer). To be able to authenticate these requests, you need to create domain users with those MAC addresses as their user names:
Now IAS will try to authenticate the user according to its policies, since the user now exists in the domain.
I'd create a new OU for these clients to keep them separated and to prevent any confusion.
3. You need a new policy in IAS
To be able to authenticate those clients with only the MAC address of the client included in the requests, you need a special policy for them.
Create a new policy in Microsoft IAS, move it to the top of all policies, and then edit the policy to match the configuration below:
The policy conditions will include one Calling-Station-Id condition for the Ethernet clients to be allowed, and its value is the MAC address. So you can keep adding all the necessary MAC addresses to the same policy. This MAC address format matches our Symantec LAN Enforcers'. Other devices may differ, so you may need to check the IAS event logs to verify the format.
After adding the MAC address, click "Edit Profile" in the window above. The window below will then appear, once you click the Authentication tab, of course.
We'll only use the "Unencrypted authentication (PAP, SPAP)" protocol to authenticate these users, so make sure no "EAP Methods" are selected, nor any other authentication method:
Next, go to the Advanced tab in the same window and match the view below. You'll probably only need to add the Ignore-User-Dialin-Properties attribute by clicking the Add button.
4. Allow protocols other than EAP
In the LAN Enforcer configuration options in the SEP Manager, you need to select the "Forward protocols beside EAP" option to be able to authenticate MAC addresses with PAP authentication.
And that is all for the configuration.
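To make the four steps above concrete, here is an added example (not the author's configuration or any Symantec/Microsoft code) that models the MAB decision the IAS policy ends up making: the switch sends an Access-Request carrying the client MAC in both User-Name and Calling-Station-Id, and access is granted only when that MAC is on the bypass list and the request uses PAP rather than EAP. The MAC formats, attribute names (RFC 2865 / RFC 3579) and sample requests are constructed for illustration.

```python
"""Model of the MAB RADIUS policy described in the article (added example,
not the author's configuration).  Attribute names follow RFC 2865 (PAP
requests carry User-Password) and RFC 3579 (EAP requests carry
EAP-Message); all request data below is constructed sample data."""
import re

# MAC addresses authorised for bypass, in the common vendor formats
# (Cisco dotted, hyphen, colon) that different NAS devices send.
ALLOWED_MACS = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d60", "00:1A:2B:3C:4D:61"]

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

ALLOWED = {normalize_mac(m) for m in ALLOWED_MACS}

def evaluate_mab_request(req):
    """Evaluate one Access-Request against the MAB policy.
    Returns (decision, reason); decision is 'Access-Accept' or 'Access-Reject'."""
    csid = normalize_mac(req.get("Calling-Station-Id", ""))
    user = normalize_mac(req.get("User-Name", ""))
    if csid is None:
        return "Access-Reject", "Calling-Station-Id is not a MAC address"
    if csid not in ALLOWED:
        return "Access-Reject", "MAC not in bypass list"
    # Defensive check beyond the article: a genuine MAB request carries the
    # same MAC in both attributes, so a mismatch is not a MAB request.
    if user != csid:
        return "Access-Reject", "User-Name does not match Calling-Station-Id"
    # The profile allows PAP only; an EAP-Message means 802.1X, not MAB.
    if "EAP-Message" in req or "User-Password" not in req:
        return "Access-Reject", "only PAP is permitted for MAB clients"
    return "Access-Accept", "MAB match"

# Constructed sample requests as the switch (via the RADIUS proxy) might send.
SAMPLE_REQUESTS = [
    {"User-Name": "001a2b3c4d5e", "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
     "User-Password": b"<hidden>", "NAS-Port-Type": "Ethernet"},
    {"User-Name": "001a2b3c4d99", "Calling-Station-Id": "00-1A-2B-3C-4D-99",
     "User-Password": b"<hidden>", "NAS-Port-Type": "Ethernet"},
    {"User-Name": "jsmith", "Calling-Station-Id": "00-1A-2B-3C-4D-60",
     "User-Password": b"<hidden>", "NAS-Port-Type": "Ethernet"},
    {"User-Name": "001a2b3c4d61", "Calling-Station-Id": "00:1A:2B:3C:4D:61",
     "EAP-Message": b"\x02\x01\x00\x0a", "NAS-Port-Type": "Ethernet"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["Calling-Station-Id"], *evaluate_mab_request(req))
```

Only the first sample is accepted; the others show the three ways a request falls outside the policy (unknown MAC, a real user name arriving on a MAB-style request, and an EAP request hitting a PAP-only profile).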
Now you'll see that the matching MAC addresses are granted authentication and the switch opens the port for them. You cannot enforce anything for those clients from the LAN Enforcers. You won't even see a detailed debug log for their connections on the Enforcer, since this authentication method is not EAP.
I hope this helps all of the Symantec guys out there playing with 802.1x NAC.
Original source:
========================================
Switch requirements for user admission authentication and dynamic access authorization
Authentication feature requirements:
- The switch supports IEEE 802.1X authentication;
- The switch supports MAB (MAC Authentication Bypass) authentication;
- The switch supports web authentication in an 802.1X environment, using a built-in portal page to authenticate users;
- The switch supports web authentication in an 802.1X environment, redirecting authentication requests to an external portal page via URL redirection;
- The switch supports flexible authentication configuration: 802.1X, MAB and web authentication can be configured to run in sequence, automatically falling back to the next method when one fails;
- Switch ports support Multi-Host authentication, i.e. when several hosts are connected to the same switch port and one of them passes 802.1X authentication, the remaining hosts automatically gain network access;
- Switch ports support Multi-Authentication, i.e. when several hosts (or virtual machines) are connected to the same switch port, each host must independently pass 802.1X authentication before gaining network access;
- Switch ports support Multi-Domain authentication, i.e. when an IP phone is connected to a switch port with a PC behind it, the IP phone can authenticate in the Voice VLAN and the PC in the Data VLAN, and the two VLANs may use different authentication methods (802.1X/MAB/web) and EAP types;
- The switch supports an auth-fail VLAN, i.e. when a user fails authentication, the user can be assigned to a dedicated authentication-failure VLAN that provides limited network access;
- The switch can be configured as an 802.1X client (supplicant) to support switch device identity authentication and prevent unauthorized switches/hubs from being connected;
User authorization policy enforcement requirements:
- The switch supports dynamic VLAN assignment, assigning different VLAN IDs to different authenticated users to provide different levels of network access;
- The switch supports dynamic VLAN assignment by VLAN name, assigning different VLAN names to different authenticated users; the same VLAN name may map to different VLAN IDs on different switches, so that dynamic VLAN authorization still works for users moving across a Layer 3 switched network;
- The switch supports dynamically downloaded access control lists (ACLs), applying a different ACL on the switch port for each authenticated user to provide different levels of network access; the source address of the ACL applied to the port is the address of the currently authenticated host rather than any;
- Switch ports support CoA (RFC 3576 Change of Authorization): when an end user's state changes (session timeout, change in health status, etc.), the RADIUS server can dynamically trigger actions on the switch port such as re-authentication or a port bounce;
- The switch supports dynamic QoS policy download for specific users, applying a different QoS policy on the switch port for each authenticated user;
- If the switch supports other user authorization policy enforcement features, please describe them;
Flexible user authentication deployment options:
- When configured for 802.1X authentication, the switch supports a monitor mode: regardless of why a user fails authentication (802.1X supplicant configuration, wrong username/password, etc.), the switch keeps the user's network access but sends the failure reason to the back-end authentication server for administrator troubleshooting;
- When configured for 802.1X authentication, the switch supports a Low Risk mode: regardless of why a user fails authentication (802.1X supplicant configuration, wrong username/password, etc.), the switch can provide limited network access (through a predefined ACL) while sending the failure reason to the back-end authentication server for administrator troubleshooting;
Other features:
- In an 802.1X environment, the switch supports accounting, providing detailed records of user network login/logout for security auditing and billing;
- The switch supports conditional logging and debug output, e.g. it can be configured to output only debug information related to a specific switch, to simplify the output;
- When configured for 802.1X authentication, switch ports support Wake-on-LAN, so that Magic Packets can pass through the switch to wake a PC;
- The switch supports 802.1X capability detection, and can be configured to send EAP probe packets on a port to detect whether the connected PC has a compliant 802.1X client installed;