Connecting the world…

bypass

MAB and MDA in an IP Phone environment

I blogged before about the MAC Authentication Bypass (MAB) feature in network environments. MAC Authentication Bypass can be used to secure the wired network by verifying MAC addresses to a central database. By using a radius server, like Microsoft IAS or FreeRadius, you can also redirect verified MAC addresses to a specific VLAN.

Lately I had a new challenge with configuring MAB. These time a single switch port is shared by an IP phone and a workstation. The IP phone is used as a kind of switch. The backend switching network is build on Cisco Catalyst switches. All IP phone traffic is handled by the voice VLAN and all data traffic is handled by  the an access VLAN. The IP phones used in this situation are Mitel 5330 phones. These phones support CDP and also LLDP, which is perfect when using a voice VLAN.

The customer would like the MAC addresses of both devices verified against a central database. In this situation I used Microsoft IAS, because the customer is using Microsoft Active Directory as central database. In Active Directory I created an OU structure with an unique OU and security group for every logical group. So I created an OU voice and a security group voice, and I created a group data and an OU data. The MAC addresses of the components need to be added to Active Directory as users. The account name and the password are exactly the same and equal to the MAC address, like 001f22d712ef. I made the account for the IP phone member of the voice group and the account of the workstation member of the data group.

I started with just connecting a single workstation to the switch and configured IAS to verify the MAC address and automatically redirect the workstation to the correct access VLAN. The configuration of IAS is straightforward. First I installed IAS and registered the service in Active Directory. I added the switch as radius client and configured a radius policy for the data connections. The radius policy checks if the MAC address is member of the data group and returns the access VLAN if the MAC address is positively verified. This works without any problems. The screenshots below show the most important configuration of this policy.

data-radius-match data-radius-authentication data-radius-attribute

Next you see the switch configuration so far.

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/35
switchport access vlan 102
switchport mode access
switchport nonegotiate
switchport voice vlan 150
authentication control-direction in
authentication port-control auto
authentication periodic
authentication timer restart 900
authentication timer reauthenticate 5400
mab
spanning-tree portfast
spanning-tree bpduguard enable
end

I configured another policy, exactly the same, for the voice components. I disconnected the workstation and connected the IP phone to the network. This also works without any problems. The IP phone is authenticated and allowed access to the network. Next I connected the workstation to the IP phone and booted the workstation. I noticed that the IP phone lost his power and checked the switch port status. The switch port went in err-disable state with the following message:

Feb  5 08:54:50.095 GMT+1: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/35, new MAC address (0080.647f.c590) is seen.
Feb  5 08:54:50.095 GMT+1: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/35, new MAC address (0080.647f.c590) is seen.
Feb  5 08:54:50.095 GMT+1: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/35, putting Fa0/35 in err-disable state

This is a big problem, because both network components aren’t able to communicate with the network. I did some research and found the Multiple Domain Authentication (MDA) feature. Multiple Domain Authentication (MDA) allows both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port, which is divided into a data domain and a voice domain. This feature is configured with the authentication host-mode commands and is very useful when combining IEEE 802.1x and/or MAB in an IP phone environment. The following host-modes can be used:

Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.

Multi-domain mode should be configured if data host is connected through an IP Phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.

Multi-auth mode should be configured to allow up to eight devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.

Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.

I tested the multi-host configuration and it did exactly as explained above. Only one device is authenticated and all next device are allowed without authentication. In my situation I have to use multi-domain. I added the configuration line authentication host-mode multi-domain to the interface configuration above. After this I had a new problem. Both devices are authenticated correctly, but the Mitel IP phone got stuck at DHCP Discovery, while the workstation is working correctly.

After some sniffing I saw the Mitel phone sending its DHCP Discovery to the data VLAN, but the phone didn’t receive any DHCP Offer from a DHCP server. Back to the drawing table and I found the solution in the radius configuration. I configured the radius attribute cisco-av-pair in order to tell the switch that the IP phone is allowed on the voice VLAN, see the picture.

MAB-MDAThe following steps are taken during the process:

  1. 1. The IP Phones learns the voice VLAN ID from CDP;
  2. 2. The switch learns the MAC address of the phone and sends an Accept-Request for the phones MAC address to the radius server;
  3. 3. The radius server responds with an Access-Accept and adds the Vendor-Specific Attribute (VSA) Cisco-AV-pair with the value device-traffic-class=voice;
  4. 4. All traffic from the IP Phone is allowed in the voice VLAN and the DHCP process works flawlessly;
  5. 5. The workstation is also authenticated by the radius server and all data traffic is allowed in the data VLAN;

The radius policy for the voice VLAN is almost equal to the radius policy for the data/access VLAN. The only difference is in the radius attributes. Below you see the attributes for the voice radius policy.

voice-radius-attributeI did some testing and the environment is working perfectly. Both devices are authenticated separately from each other. The final configuration of the switch port looks like this:

interface FastEthernet0/35
switchport access vlan 102
switchport mode access
switchport nonegotiate
switchport voice vlan 150
authentication control-direction in
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer restart 900
authentication timer reauthenticate 5400
mab
spanning-tree portfast
spanning-tree bpduguard enable
end

Below you see some output from the show authentication sessions command. You can clearly see the domain where the device is authenticated in.

ONLY IP PHONE IS AUTHENTICATED SUCCESSFULLY

switch#show authentication session interface fa 0/35
Interface:  FastEthernet0/35
MAC Address:  0800.0f46.874a
IP Address:  Unknown
User-Name:  08000f46874a
Status:  Authz Success
Domain:  VOICE

Oper host mode:  multi-domain
Oper control dir:  in
Authorized By:  Authentication Server
Session timeout:  5400s (local), Remaining: 5397s
Timeout action:  Reauthenticate
Idle timeout:  N/A
Common Session ID:  0A0A421B00000065C2FF71B0
Acct Session ID:  0x0000014A
Handle:  0x04000065

Runnable methods list:
Method   State
mab      Authc Success

IP PHONE AND WORKSTATION ARE AUTHENTICATED SUCCESSFULLY

switch#show authentication session interface fa 0/35
Interface:  FastEthernet0/35
MAC Address:  0080.647f.c590
IP Address:  Unknown
User-Name:  0080647fc590
Status:  Authz Success
Domain:  DATA

Oper host mode:  multi-domain
Oper control dir:  in
Authorized By:  Authentication Server
Vlan Policy:  102
Session timeout:  5400s (local), Remaining: 5364s
Timeout action:  Reauthenticate
Idle timeout:  N/A
Common Session ID:  0A0A421B00000068C304A7C5
Acct Session ID:  0x0000014D
Handle:  0x56000068

Runnable methods list:
Method   State
mab      Authc Success

—————————————-
Interface:  FastEthernet0/35
MAC Address:  0800.0f46.874a
IP Address:  Unknown
User-Name:  08000f46874a
Status:  Authz Success
Domain:  VOICE

Oper host mode:  multi-domain
Oper control dir:  in
Authorized By:  Authentication Server
Session timeout:  5400s (local), Remaining: 5340s
Timeout action:  Reauthenticate
Idle timeout:  N/A
Common Session ID:  0A0A421B00000067C3043675
Acct Session ID:  0x0000014C
Handle:  0xE2000067

Runnable methods list:
Method   State
mab      Authc Success

IP PHONE IS AUTHENTICATED SUCCESSFULLY, WORKSTATION ISN’T

switch#show authentication session interface fa 0/35
Interface:  FastEthernet0/35
MAC Address:  0080.647f.c590
IP Address:  Unknown
User-Name:  UNRESPONSIVE
Status:  Authz Failed
Domain:  DATA

Oper host mode:  multi-domain
Oper control dir:  in
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A0A421B00000066C300CB6C
Acct Session ID:  0x0000014B
Handle:  0xEB000066

Runnable methods list:
Method   State
mab      Failed over

—————————————-
Interface:  FastEthernet0/35
MAC Address:  0800.0f46.874a
IP Address:  Unknown
User-Name:  08000f46874a
Status:  Authz Success
Domain:  VOICE

Oper host mode:  multi-domain
Oper control dir:  in
Authorized By:  Authentication Server
Session timeout:  5400s (local), Remaining: 5261s
Timeout action:  Reauthenticate
Idle timeout:  N/A
Common Session ID:  0A0A421B00000065C2FF71B0
Acct Session ID:  0x0000014A
Handle:  0x04000065

Runnable methods list:
Method   State
mab      Authc Success

Wired 802.1X

The session about wired 802.1X deployment was really interesting. I was stunned about the information I already knew after my testing with MAC Authentication Bypass last week. Of course the speaker had more configuration options when configuring the switch ports.

Important for me to hear where the ways for deploying 802.1X in environments. It isn’t a good idea to just implement 802.1X with some kind of big-bang scenario. Important when implementing 802.1X is choosing the correct identity for authentication and which identity repository you are going to use.

Also good to know is that the actual authentication conversation is between the client and the authentication server using EAP; the switch is an EAP conduit, but aware of what’s going on. In normal 802.1X implementation all traffic is blocked on the port ingress and egress. This can give problems with features like DHCP, BootP, Wake on LAN and so one, like I already posted in my post about MAB.

One thing I learned from the session is using the VLAN name instead of the VLAN ID, when using RADIUS to assign the VLAN. This is because you can have a VLAN with the name Marketing, but the VLAN ID can differ per branch office. The Inaccessible Authentication Bypass feature is also useful for branch offices. IAB assigns the port to a statically configured VLAN when the RADIUS server cannot be reached. After IAB detects that the RADIUS server is online again, it starts authenticating all the ports that weren’t authenticated before.

Summarizing I guess that 802.1X will be the new authentication standard and when implementing 802.1X MAB is a good alternative for non-compliant 802.1X stations.

MAC Authentication Bypass – Continued

Finally I had a day “off” and could test MAC Authentication Bypass (MAB) in our test environment at the office. I created the following test environment:

MAB-TEST

There are 4 different VLAN’s and a Cisco Catalyst 3750 connects the VLAN’s to each other. I wanted to create an environment with the following properties:

  • All switch ports are default member of VLAN 1;
  • Authenticated workstations become member of VLAN 25;
  • Unauthenticated workstation become member of VLAN 30;
  • VoIP phones are member of VLAN 15;
  • All workstation should be able to boot with Wake on LAN;
  • MS-IAS is used as RADIUS Authentication server;

I have configured the necessary components and got the environment working with the above properties. The next few sections cover the configuration of the different components.

Cisco Catalyst 3750

Most of the configuration is done on the Cisco Catalyst 3750 switch. First of all I created the different VLAN’s on layer 2 of the OSI model. Next I created the SVI’s to make the VLANs routable. I used the standard SVI configuration. I used the ‘quick-and-dirty’ solution for configuring Wake On LAN (WOL) by just adding the ip directed-broadcast command to the SVI’s. The snippet below shows the SVI configuration.

Interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip directed-broadcast
end
!
Interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip directed-broadcast
end
!
Interface Vlan15
ip address 192.168.15.254 255.255.255.0
end
!
Interface Vlan30
ip address 192.168.30.254 255.255.255.0
end

The next step is configuring AAA and the RADIUS group for authenticating the connected clients to the network. The snippet shows these configuration.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host 192.168.10.30 auth-port 1812 acct-port 1813 key ictivity

The following step is to enable 802.1x globally in the switch. You should use the command in the following snippet to enable 802.1x.

dot1x system-auth-control

The last configuration snipper shows the configuration of a switch port. This switch port is configured use MAC Authentication Bypass as backup authentication method if 802.1x cannot authenticate.

interface GigabitEthernet1/0/16
switchport mode access
switchport voice vlan 15
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout tx-period 1
dot1x max-reauth-req 1
dot1x guest-vlan 30
spanning-tree portfast
spanning-tree bpduguard enable

MS-IAS

I configured Internet Authentication Services on a Windows 2003 server. I didn’t configure the Active Directory, but use the local users and local groups to authenticate. I configured the RADIUS client inside IAS and started to create a Remote Access Policy. The Remote Access Policy matches a newly created Windows Group. The important aspects of the Policy are the Authentication options and the Advanced Attributes. The configuration of both is shown below.

Authentication Advanced

The last step in the whole process is configuring the Windows Group and adding users to that group. The MAC address of the workstation is acting as username and password. Important to notice is that all characters are case-sensitive and the username and password should only contain lowercase characters. An example of username and password is: 0016762eccda.

After configuring the test environment I have done some testing. First was trying to connect a workstation and authenticate. This is working perfectly, you will see a nice IAS event message on the Windows 2003 server. Next I connected an IP Phone with a build-in switch and connected the workstation to the IP Phone. The workstation again authenticates flawlessly against the RADIUS server. The last test was trying to wake up the workstation via Wake On LAN. When you should down the workstation, the switch ports first goes in shutdown and re-enables after the complete shutdown of the workstation. Next the switch ports returns to Vlan 1 (switchport access vlan 1). I send the Magic Packet to the broadcast address of VLAN 1. The workstation starts booting and authenticates against the RADIUS server.

I can only say, that MAC Authentication Bypass is working perfectly in my TEST environment. Shortly I will try to implement it on the network of one of our customers, because he wants a cheap method for securing his switch ports.

I know, and I told the customer, that MAC authentication isn’t a very powerful tool for security the switch port. Because spoofing a valid MAC address is enough to get access to the network. But MAC authentication is still better, then no authentication at all. And let’s face it, what are the costs: NOTHING!!!

Most companies have a Windows 2003 server where IAS can be installed or you can use FreeRADIUS, so no costs on the OS. I have tried an IP Base and an IP Services IOS on the Cisco Catalyst 3750, both are working perfectly. A switch has minimal an IP Base image, so no additional costs here. The only costs are made during the configuration and testing of the authentication.

Check the latest article about MAB and MDA in an IP Phone environment

MAC Authentication Bypass

NAC (for Cisco – Network Admission Control) or NAP (for Microsoft – Network Access Protection) in conjunction with 802.1x will be standard for authenticating network components and allowing them access to the network. At least in the future.

Currently their aren’t a lot of companies how are using NAC in the network. Techworld released an article about the caveats of NAC.

In the near future I am going to implement dynamic switch port security on a network. I would like to use 802.1x, but not all components are supporting 802.1x at the moment. While searching for documentation about the configuration of 802.1x, I found a backup authentication method for 802.1x with the name MAC Authentication Bypass (MAB). If a network component doesn’t support 802.1x, it uses its MAC address for authentication.

Much like the Guest-VLAN, MAB operates based on an 802.1x timeout condition. After a switch port can ascertain that an 802.1x supplicant is not present on the port, it falls back to checking the MAC address (which is an authentication technique of lesser security). After timing out 802.1x on the port, a MAC address can be learned by the switch through classic MAC learning techniques. after a MAC address is learned by the switch, it can then be authenticated by RADIUS initiation. The MAC address is used as username AND password in the RADIUS request. This means you should create an account with the MAC address as username and password.

I found some documentation about on the Cisco website, but I don’t have a suitable router at home for testing MAB. Looking at the PDF you should use the following commands in global config and on a switch port:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable

When I have the appropriate equipment, I will do some testing on MAB. But I am curious if somebody already tested MAB or maybe already implemented MAB? What are the caveats during testing and/or implementing? How does MAB work in conjunction with features like Wake-On-LAN, DHCP and Voice VLAN’s?

Check the follow up article for more configuration or the latest article about MAB and MDA in an IP Phone environment.