Cisco Solution similar to dot1x

visitor68
Level 4

Does Cisco have a user authentication solution (like MAC-address based VLANs) that does not use the dot1x methodology?

I mentioned a user-authentication scheme using dot1x and he jabber-jawed about a Cisco solution that does not require a dot1x agent to run on the client machine.

Which Cisco solution offers MAC-address-based authentication and VLAN placement that doesn't use dot1x and does not require an agent to be running on the client machine?

Thanks

Accepted Solution

Hello,

In a very general approach, a RADIUS server assigning VLANs dynamically based on stations' MAC addresses is possible if the RADIUS server actually gets to know the client's MAC address. That can happen via two ways: either the MAC is used as the username, or it is included as an additional attribute of a certain type in the Access-Request message sent from a switch towards the RADIUS server. A RADIUS server can provide its answer based on any attribute in the Access-Request message, be it a username or a different field that is "parseable" and comparable to a predefined template value (actually, this depends on particular RADIUS implementation what matching capabilities it provides you with - the FreeRADIUS is very flexible in this aspect).

The ramifications of this should be clear. In usual 802.1X environments, the Access-Request is sent from a switch as a result of EAPOL frame exchange detected on a switchport. If no EAPOL exchange takes place, no communication with the RADIUS server will be performed, so no authentication/DVLAN assignment can be done. The MAB circumvents this by simply waiting for any frame arriving from a connected station, learning the source MAC and constructing an Access-Request message without performing any EAPOL handshake with the PC, using the learned MAC as the username. Thus, it is not an added intelligence of a RADIUS server nor a client's issue; it is solely an intelligence added on the switch (the authenticator). Without a switch able to do this "trick", the RADIUS environment falls back to the EAPOL exchange between the switch and the station to exchange the credentials information.

A different vendor implementation must in essence do a very similar procedure - wait for a frame to arrive, learn the source MAC, and upon learning it, construct an Access-Request message and somehow use the MAC address in this message - either as a username or some other (possible vendor-specific) attribute. The RADIUS server itself is actually not responsible for this - it merely receives the Access-Request message, processes it and responds accordingly. It must be the added intelligence in the switch (the authenticator) that actually acts on behalf of client's MAC address without performing any EAPOL message exchange.

I know I have not given you any definitive answer but I am afraid that there is none. Really, this entire issue depends on whether a particular switch is so intelligent that it can use the client's MAC address without needing the EAP/credentials exchange to talk to the RADIUS server in order to authenticate the station.

Best regards,

Peter

21 Replies

Edison Ortiz
Hall of Fame

I'm not aware of any solution that is similar to dot1x - perhaps 3rd party solution?

With that said, all solutions need some kind of client at the workstation.

Edison:

According to the client, they are using a Cisco product (I believe it is ACS 5.0).

He described user authentication accordingly:

-- client plugs into switch and automatically broadcasts its MAC address (why would a client machine do this automatically? DHCP?)

-- the switch snags that address and reaches out to a backend authentication server

-- the switch receives a successful authentication response from the server and allows the user into the network


According to him, no agent is necessary on the client machine.

Any ideas now?

Thanks

ex-engineer wrote:

Edison:

According to the client, they are using a Cisco product (I believe it is ACS 5.0).

He described user authentication accordingly:

client plugs into switch and automatically broadcasts its MAC address (why would a client machine do this automatically? DHCP?)

the switch snags that address and reaches out to a backend authentication server

the switch receives a successful authentication response from the server and allows the user into the network


According to him, no agent is necessary on the client machine.

Any ideas now?

Thanks

This sounds a little like VMPS where you store a copy of all the machines mac-addresses and when the machine boots up the switch sends the mac-address to the VMPS server and if the server has the mac-address it tells the switch which vlan to place the machine into.

But VMPS is -

a) old - only available on CatOS as far as I know

b) used primarily not to authenticate the machine but for dynamic vlan assignment

c) does not need or use an ACS server

So, like Edison, I'm not aware of what they are referring to.

Jon

Jon, I think you're right. Besides telling me that they are using ACS 5.0, he did mention a "policy server." And the description he gave sounds exactly like VMPS.

VMPS does not require a client agent. Once the client is plugged in, it will send out frames with its own MAC address (I guess because of DHCP or some other client traffic) as the source address, of course, and the switch will take note of it and send it to the VMPS server for DVLAN assignment.

According to this document, it is supported on IOS after a certain version....

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_xp/eeswcfg/mascvmps.html

So that's resolved.

So now I have three questions as corollaries: (Sorry to be a pain in the @ss)

1) Is VMPS still available and supported today?

2) Has Cisco abandoned this solution in favor of the dot1x industry standard in which an agent MUST exist on the client?

3) If Cisco is now offering dot1x solutions to DVLAN assignment (MAC-based), is it offering an appliance to act as the RADIUS server or does one have to deploy 3rd party RADIUS software and load it on a generic x86 server?

Thanks very much!

Jon,

Absolutely correct, this is VMPS. Regarding the VMPS, at least the client functionality is apparently happily supported also on the most recent IOS versions for 2960/3560 switches (I assume the same goes for higher Catalysts platforms as well). There are also open-source implementations of the VMPS server for Linux available, one of them being FreeRadius.

Best regards,

Peter

Peter, thank you for your input.

Let me see if I understand what you're saying.

VMPS is indeed still available and supported? If so, on which platforms?

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

ex-engineer wrote:

Peter, thank you for your input.

Let me see if I understand what you're saying.

VMPS is indeed still available and supported? If so, on which platforms?

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

VMPS client functionality, i.e. the switch being able to forward the request on to a VMPS server, is still supported on Cisco IOS, although whether or not it is on all switches I would need to check.

The VMPS server functionality has however been discontinued as far as I am aware, i.e. it was never ported over from CatOS. Peter has confirmed that at least FreeRadius can act as a VMPS server (which I didn't know), but yes, you will still need the Cisco switches to be able to forward on the client request to the VMPS server.

Cisco have for some time pushed dot1x as the solution for dynamic VLAN assignment as well as authentication etc., so that is, I believe, their preferred solution. But as you say, the client must have a dot1x client, whether that be built into the OS such as Microsoft or a 3rd party add-on client.

Jon

Hello all,

Jon, thanks for replying. Yes, it seems that the VMPS Server functionality is indeed present only in the CatOS operating system on 4500/6500 switches.

Regarding the 3rd party solutions for the VMPS Server functionality, there is the FreeRadius (as I mentioned earlier) and also the vmpsd - you can find it on SourceForge. There also seem to be some other, mainly unsupported implementations. The FreeRadius contains the only maintained VMPS server implementation as far as I know.

That being said, I agree absolutely with Jon that the VMPS functionality has not been "pushed forward" for a long time, coinciding with the arrival of the 802.1X and RADIUS-based authentication including dynamic VLAN membership. As this solution is open and widely supported, Cisco seems to be focusing on this functionality.

To respond to the questions:

VMPS is indeed still available and supported? If so, on which platforms?

VMPS client functionality is supported on all recent or almost-recent access-layer switches running IOS, i.e. 2950, 2960, 3550, 3560, etc. This can be verified by having a look into the Configuration Guide about these switches, usually in the section "Configuring VLANs" or "Configuring VLANs and VTP".

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

Yes, VMPS Server functionality is available on the software mentioned earlier. You still need a Cisco switch to act as the VMPS Client. To my best knowledge, no other vendors support the VMPS or the VQP protocol that is used to communicate between the client switch and the server.

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

I cannot comment on that with absolute certainty but it seems obvious that the 802.1X is the preferred method of doing this right now, as it essentially bundles many useful things together, not just dynamic VLANs but the entire issue of connecting an authorized client to a network securely and appropriately. The VMPS is not being preferred anymore but as a technology that basically works and works nicely, nobody is probably going to throw it out from the IOS just yet (though that will probably happen at some time in the future).

Best regards,

Peter

Peter

Yes, I should have been more precise in what I said. It is the VMPS server that I believe is no longer supported by Cisco and was never implemented on IOS, rather than the VMPS client functionality.

Jon

wholemans
Level 1

In their latest versions of IOS for Catalyst switches, Cisco introduced something they call MAB, MAC Authentication Bypass. You need a RADIUS server to make this work. I've been playing with this feature last week.

You configure the ports to use 802.1X but tell it to use MAB first: as soon as a MAC address becomes visible on a port, this MAC address is sent to the RADIUS server, which has entries in the form 'username=mac' passw='mac'. If the MAC address is known, the RADIUS server sends an accept and the port is placed in the access VLAN. If the MAC is not found, the port is put in a guest VLAN.

This works fine in an environment where one device is connected to one switch port. In our environment, where we have a lot of non-manageable desktop switches, this doesn't work very well, although Cisco has multi-host and multi-auth options also. This also can be used in an environment with IP phones and the local PC connected to the switch port on the phone.

Just look for MAB in the release notes and configuration manuals for more info.

Wim Holemans
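The MAB exchange that Peter's accepted answer and Wim's post describe (switch learns a source MAC, sends a RADIUS Access-Request with the MAC as User-Name and User-Password, server answers with VLAN attributes or a reject, switch falls back to a guest VLAN) is shown below as a self-contained simulation. This is an added example written for this thread; it is not code from the thread, from Cisco IOS or from any RADIUS server. It frames packets per RFC 2865 (User-Password obfuscation, Response Authenticator) and carries the VLAN in the RFC 2868 Tunnel-* attributes that switches consume. The shared secret, the VLAN numbers, the MAB database and the MAC formatting (12 lowercase hex digits in User-Name, dashed in Calling-Station-Id) are constructed assumptions for the example.

```python
"""Simulated MAC Authentication Bypass (MAB): switch (authenticator) side and
RADIUS server side, framed per RFC 2865 / RFC 2868.  Constructed example."""
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SHARED_SECRET = b"constructed-shared-secret"   # constructed; never reuse in production
GUEST_VLAN = 900                                # constructed fallback VLAN on reject

# Constructed MAB "user" table: username == password == MAC, value is the VLAN.
# Note for defenders: this proves only that a MAC is on the list, not who owns it.
MAB_DB = {"001122334455": 10, "001122336677": 20}


def encode_password(password, authenticator, secret):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(encoded, authenticator, secret):
    """Inverse of encode_password; the chaining value is the received cipher block."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def switch_build_mab_request(src_mac, ident=1):
    """Authenticator: a frame arrived, no EAPOL seen, so the learned source MAC
    becomes both User-Name and User-Password (assumed Cisco-style formatting)."""
    authenticator = os.urandom(16)                       # Request Authenticator
    dashed = "-".join(src_mac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = [attr(USER_NAME, src_mac.encode()),
             attr(USER_PASSWORD, encode_password(src_mac.encode(), authenticator, SHARED_SECRET)),
             attr(CALLING_STATION_ID, dashed.encode())]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def radius_server_handle(request):
    """Server: match User-Name against MAB_DB and answer with VLAN attributes or reject."""
    attrs, req_auth, ident = parse_attrs(request), request[4:20], request[1]
    username = attrs[USER_NAME].decode()
    password = decode_password(attrs[USER_PASSWORD], req_auth, SHARED_SECRET).decode()
    if username in MAB_DB and password == username:
        code, reply_attrs = ACCESS_ACCEPT, [
            attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),          # tag 0 + value
            attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)),
            attr(TUNNEL_PRIVATE_GROUP_ID, str(MAB_DB[username]).encode())]
    else:
        code, reply_attrs = ACCESS_REJECT, []
    body = b"".join(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def switch_apply_reply(request, reply):
    """Authenticator: verify the Response Authenticator, then choose the port VLAN."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + SHARED_SECRET).digest()
    if reply[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    if reply[0] == ACCESS_ACCEPT:
        return int(parse_attrs(reply)[TUNNEL_PRIVATE_GROUP_ID].decode())
    return GUEST_VLAN


def mab_port_decision(src_mac):
    """Full round trip for one learned MAC; returns the VLAN the port ends up in."""
    request = switch_build_mab_request(src_mac)
    return switch_apply_reply(request, radius_server_handle(request))


if __name__ == "__main__":
    for mac in ("001122334455", "001122336677", "deadbeef0000"):
        print(mac, "->", mab_port_decision(mac))
```

The Response Authenticator check in `switch_apply_reply` is the only integrity protection the exchange has, and it rests entirely on the shared secret; the MAC "credential" itself is visible in every frame the station sends, which is the point Jon makes later in the thread about MAB being identification rather than authentication.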

Folks:

Thank you very much for your time and attention.

I needed detailed explanations because I have a client who is really turned off by the fact that dot1x requires an agent that must be configured on the client. They want a plug and play mac-based VLAN solution. I have read some of the white paper on MAB and it speaks to the question I have about whether port-based authentication/DVLAN is STILL available to non-compliant dot1x clients. And the answer is yes. Great feedback!

This is an excellent discussion...another followup question...

How does dot1x respond to non-compliant clients - for example, clients that do not have dot1x functionality at all, like printers or older OSs? I imagine that it is a function of the switch functionality and configuration and its ability to respond to failed dot1x logons. There are also 2 types of "failures": one because a client does not run dot1x or because the dot1x client is indeed unauthorized.

Any thoughts on this?

Thank you once again

Hello,

For clients that do not support the 802.1X at all (they do not have any 802.1X supplicant installed), a so-called Guest VLAN can be configured on an access port. The Guest VLAN can contain clients that do not support the 802.1X, optionally allowing them access to servers where they can download 3rd party 802.1X supplicant and afterwards be able to authenticate.

For clients that do support the 802.1X but who fail to authenticate (for example, their OS has a built-in supplicant but they do not have any valid RADIUS account right now), there is another VLAN called Restricted VLAN or Authorization Failed VLAN (both terms are synonymous).

You can read more about them and their configuration here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1176660

Best regards,

Peter
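To make the distinction in Peter's answer concrete (no supplicant at all versus a supplicant whose authentication fails), here is a simplified model of an authenticator port's decision, added for this thread and not taken from the thread or from Cisco IOS. It counts unanswered EAP-Request/Identity attempts against a retry limit to declare "no supplicant", sends that case to MAB and then the Guest VLAN, and sends an explicit EAP-Failure to the Restricted (authorization-failed) VLAN. The event names, VLAN numbers, the retry limit and the MAB-after-timeout ordering are constructed assumptions, not an IOS state machine.

```python
"""Simplified 802.1X authenticator port model: authorized VLAN vs. Restricted VLAN
(supplicant present, auth failed) vs. Guest VLAN (no supplicant).  Constructed example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PortConfig:
    guest_vlan: int = 900            # constructed: clients that never answer EAPOL
    restricted_vlan: int = 901       # constructed: clients whose 802.1X auth fails
    max_reauth_req: int = 2          # EAP-Request/Identity retries before "no supplicant"
    mab_allowed: Dict[str, int] = field(default_factory=dict)  # constructed MAC -> VLAN table


@dataclass
class PortState:
    identity_timeouts: int = 0
    supplicant_seen: bool = False
    learned_mac: Optional[str] = None
    vlan: Optional[int] = None
    reason: str = "unauthorized"


def authenticator_step(cfg: PortConfig, st: PortState, event: Tuple) -> PortState:
    """Apply one observed port event.  Events (constructed names):
    ("frame", mac), ("eap_response_identity", user), ("eap_success", vlan),
    ("eap_failure",), ("identity_timeout",)."""
    kind, *args = event
    if st.vlan is not None:                      # already decided; ignore further events
        return st
    if kind == "frame":                          # any frame lets the switch learn the MAC
        st.learned_mac = args[0]
    elif kind == "eap_response_identity":        # an EAPOL answer proves a supplicant exists
        st.supplicant_seen = True
    elif kind == "eap_success":
        st.vlan, st.reason = args[0], "802.1X authenticated"
    elif kind == "eap_failure":
        # Failure type 2: supplicant present but credentials rejected -> Restricted VLAN
        st.vlan, st.reason = cfg.restricted_vlan, "802.1X failed -> restricted VLAN"
    elif kind == "identity_timeout":
        st.identity_timeouts += 1
        # Failure type 1: initial request plus max_reauth_req retries all unanswered
        if not st.supplicant_seen and st.identity_timeouts > cfg.max_reauth_req:
            if st.learned_mac in cfg.mab_allowed:
                st.vlan, st.reason = cfg.mab_allowed[st.learned_mac], "MAB authorized"
            else:
                st.vlan, st.reason = cfg.guest_vlan, "no supplicant -> guest VLAN"
    return st


def run_port(cfg: PortConfig, events: List[Tuple]) -> Tuple[Optional[int], str]:
    """Replay a sequence of events on a fresh port and return (vlan, reason)."""
    st = PortState()
    for ev in events:
        authenticator_step(cfg, st, ev)
    return st.vlan, st.reason


if __name__ == "__main__":
    cfg = PortConfig(mab_allowed={"001122334455": 10})
    printer = [("frame", "001122334455")] + [("identity_timeout",)] * 3
    unknown = [("frame", "deadbeef0000")] + [("identity_timeout",)] * 3
    bad_creds = [("eap_response_identity", "bob"), ("eap_failure",)]
    print(run_port(cfg, printer), run_port(cfg, unknown), run_port(cfg, bad_creds))
```

Note that a station which answered EAP-Request/Identity but then went silent never reaches the Guest VLAN in this model, matching the thread's point that the Guest VLAN is for devices with no supplicant, not for devices that failed.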

ex-engineer wrote:

Folks:

Thank you very much for your time and attention.

I needed detailed explanations because I have a client who is really turned off by the fact that dot1x requires an agent that must be configured on the client. They want a plug and play mac-based VLAN solution. I have read some of the white paper on MAB and it speaks to the question I have about whether port-based authentication/DVLAN is STILL available to non-compliant dot1x clients. And the answer is yes. Great feedback!

This is an excellent discussion...another followup question...

How does dot1x respond to non-compliant clients - for example, clients that do not have dot1x functionality at all, like printers or older OSs? I imagine that it is a function of the switch functionality and configuration and its ability to respond to failed dot1x logons. There are also 2 types of "failures": one because a client does not run dot1x or because the dot1x client is indeed unauthorized.

Any thoughts on this?

Thank you once again

In addition to what Peter has posted, for printers, old OSs etc., bear in mind dot1x authentication is a function of the port configuration, i.e. you don't have to configure that port for dot1x authentication. The primary purpose of dot1x is to stop unauthorised users connecting to your network, whereas your printer and server setup should be tightly controlled and fairly static, so dot1x on servers is not often seen, or at least wasn't when I was involved with it.

In answer to the client's concern about an 802.1x supplicant, bear in mind Windows at least, and I believe now a fair number of Unix OSs, have them built in, so there is no need for additional software to be loaded. It does still need configuring obviously, but, as alluded to before, you get a lot more functionality using an 802.1x supplicant, i.e. machine authentication, user authentication with or without certificates etc. It is trivial on most modern machines to alter a MAC address.

Jon

Good stuff, guys..

Thanks! rated...
