dot1x

Couple of questions, my friends...

1.) With dot1x authentication, the authentication server (perhaps a RADIUS or TACACS server) will use the supplicant's information (what that information is, is my second question) as the security metric to allow or disallow access. The network access appliance to which the supplicant is connected simply acts as a liaison between supplicant and the back-end auth server.

Is this correct?

2.) What metric does dot1x use to authenticate the user? (EDIT)

3.) As opposed to dot1x, which is an open standard, Cisco's VMPS solution is basically the Cisco proprietary solution to port authentication.

OR

Is it the case that VMPS uses dot1x for the authentication part and then dynamically assigns a VLAN according to the MAC address, which is the VMPS part?

Which is correct?

4.) Therefore, they both use a dot1x-type architecture - namely, the supplicant (client), authenticator (switch) and the authentication server, but Cisco uses its own messaging protocol with VMPS, not EAP or its variants.

Is all this correct?

When you answer, can you be kind enough to do so in bulleted form - an answer per question type thing?

Thanks a million ahead of time!

Victor

6 REPLIES

Re: dot1x

Hello Victor,

1) Substantially yes

2) A RADIUS authentication has to be passed, and this can include certificates of a PKI or security tokens.

see

http://tldp.org/HOWTO/html_single/8021X-HOWTO/

Actually, with 802.1X you can authenticate the device, the user, or both.

3) As far as I know, VMPS is old and dead; it was supported in CatOS.

4) Not true: VMPS is not port-based authentication but dynamic VLAN assignment on a MAC address basis.

VMPS looks to be tied to the MAC address: as I wrote, it is an older concept and it was a good tool in old times, when VLANs were extended over the whole campus and the old rule (80% of traffic local, 20% of traffic to other subnets) was the golden rule.

>> When you enable VMPS, a MAC address-to-VLAN mapping database downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS begins to accept client requests. If you reset or power cycle the switch, the VMPS database downloads from the TFTP server automatically and VMPS is reenabled.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/5.x/configuration/guide/vmps.html

Hope to help

Giuseppe


Re: dot1x

I can't answer all your questions, but I can give it a go:

1. The "Authenticator" is basically a go-between for the supplicant and authorization server.
The device being authenticated doesn't talk directly to the authorization server. The supplicant talks to the switch and the switch in-turn talks to the server.

2. 802.1x itself doesn't provide a metric for authentication. The 802.1x is just a "framework" for securely authenticating devices to the network. It uses RADIUS mainly. The authentication server passes back an Access-Accept or Access-Reject depending on the credentials passed to it from the supplicant. Depending on your authentication server and supplicant, lots of things can be used as a "metric": username / password, anti-virus software installed or version installed, time of day, or the actual entry point into the network (i.e. connecting to Switch-X vs Switch-Y).

3-4. I'm not familiar with VMPS, sorry.

HTH


Re: dot1x


1) The network access appliance only needs to support network EAP, i.e. it doesn't know or care what type of EAP is in use, e.g. PEAP, EAP-TLS, LEAP etc.

2) Depends on the type of EAP used, e.g. EAP-TLS relies on the use of certificates.

3) Not aware that VMPS uses dot1x at all. VMPS is only concerned with dynamic vlan assignment not authentication to the network.

4) They use a similar architecture, yes, in that there is a client (supplicant), an authentication server (VMPS server / RADIUS / ACS server) and an intermediate network device to pass on the supplicant message to the server.

Jon
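The point made in the two replies above (802.1x is a framework that hands the real authentication to an EAP method over RADIUS, and the switch "doesn't know or care" which EAP type is in use) is easiest to see in the bytes. The following is an added example, not code from the thread or from Cisco: it builds the first leg of an 802.1X exchange (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity) and then does what an authenticator does with the supplicant's EAP packet, namely copy it unchanged into RADIUS EAP-Message attributes, add the supplicant MAC as Calling-Station-Id, and protect the request with a Message-Authenticator (HMAC-MD5 keyed with the shared secret, as RFC 3579 requires). The server side here is only a parser that verifies the HMAC and reassembles the EAP packet; it does not run an EAP method. The MAC addresses, identity and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# IEEE 802.1X / EAPOL constants
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
# EAP (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
# RADIUS (RFC 2865 / 3579 / 3580)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15

SWITCH_MAC = bytes.fromhex("00aabbccddee")       # constructed sample value


def eap_packet(code, ident, eap_type=None, data=b""):
    """RFC 3748 header (Code, Identifier, Length) followed by Type + Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src_mac, packet_type, body=b""):
    """Ethernet II header + EAPOL header (protocol version 2) in front of an EAP packet."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 2, packet_type, len(body)) + body


def parse_eapol(frame):
    """Return (source MAC, EAPOL packet type, EAPOL body); raise on a non-EAPOL frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return frame[6:12], ptype, frame[18:18 + length]


def radius_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(eap_body, src_mac, secret, ident=7):
    """Authenticator -> server. The EAP packet is copied byte for byte into EAP-Message
    attributes (split at 253 octets); the switch never interprets the EAP method.
    Message-Authenticator = HMAC-MD5(secret, packet with its own value zeroed)."""
    identity = eap_body[5:] if len(eap_body) > 4 and eap_body[4] == EAP_TYPE_IDENTITY else b""
    calling_id = "-".join(f"{b:02X}" for b in src_mac).encode()   # RFC 3580 style
    attrs = radius_attr(ATTR_USER_NAME, identity)
    attrs += radius_attr(ATTR_CALLING_STATION_ID, calling_id)
    attrs += radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_body), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_body[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    tag = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + tag


def parse_access_request(pkt, secret):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos, eap, ma_pos = {}, 20, b"", None
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value                      # concatenate fragments in order
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            ma_pos = pos + 2
        else:
            attrs[atype] = value
        pos += alen
    if ma_pos is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579 violation)")
    zeroed = pkt[:ma_pos] + bytes(16) + pkt[ma_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_pos:ma_pos + 16]):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    attrs[ATTR_EAP_MESSAGE] = eap
    return attrs


def run_exchange(identity=b"victor", supplicant_mac=bytes.fromhex("001122334455"), secret=b"s3cret"):
    """Walk the first leg of an 802.1X exchange and return what the server saw."""
    start = eapol_frame(supplicant_mac, EAPOL_START)                      # 1. supplicant -> switch
    _src, ptype, _ = parse_eapol(start)
    assert ptype == EAPOL_START
    eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET,                             # 2. switch -> supplicant
                eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    resp = eapol_frame(supplicant_mac, EAPOL_EAP_PACKET,                  # 3. supplicant -> switch
                       eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
    src, _ptype, eap_body = parse_eapol(resp)
    access_req = build_access_request(eap_body, src, secret)              # 4. switch -> server
    seen = parse_access_request(access_req, secret)
    return {"identity": seen[ATTR_USER_NAME], "calling_station": seen[ATTR_CALLING_STATION_ID],
            "eap_relayed_unchanged": seen[ATTR_EAP_MESSAGE] == eap_body, "request": access_req}
```

Two things worth noticing: the supplicant's MAC reaches the server in Calling-Station-Id on every request, whatever EAP method follows, and a request whose Message-Authenticator does not verify is dropped by the server, which is what stops a rogue device on the wire from forging "Access-Requests" without the shared secret.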


Re: dot1x

Thank you to everyone.

Please humor me and read this somewhat long post. I really respect and trust your opinions. Thank you ahead of time for your patience.

So, here goes...

I did a little more refresher reading (haven't thought about dot1x in years) and this is how I see it.

dot1x is a port-based authentication architecture - a framework - for authenticating users to a network. The authenticator will communicate with the supplicant using EAPOL encapsulated messages and then talk to the authentication server using RADIUS or Diameter or some other AAA service.

The one thing that is NEVER mentioned in any dot1x tutorial is the "fact" (and I need this verified) that the machine itself, using its MAC address as a parameter, is authenticated BEFORE the user - meaning before the EAP user-authentication mechanism kicks in (whether its username and password or OTP or a certificate).

If that is the case, then dot1x can provide machine authentication, then user authentication, and, pending successful authentication, place the switchport in a particular VLAN.

Cisco, however, also used VMPS, which is out of date now. But it used a dot1x-esque solution architecture. What I mean by that is there are 3 components to the architecture: the client, the switch, and a back-end server from which to download the VMPS database file. By the way, the switch would download the contents of the database file and store it locally and not keep reaching out to the back-end server for information.

Now, to me, VMPS has a security component to it because if the MAC address of the client does not match any MAC address on the database file, the user will either be denied access to the network OR the user will be placed in a quarantined VLAN that the administrator sets up -- can't remember which one it does.

Thoughts?


Re: dot1x

Victor

The one thing that is NEVER mentioned in any dot1x tutorial is the "fact" (and I need this verified) that the machine itself, using its MAC address as a parameter, is authenticated BEFORE the user - meaning before the EAP user-authentication mechanism kicks in (whether its username and password or OTP or a certificate).

Not necessarily. You can indeed do machine authentication, although it doesn't necessarily use MAC addresses, i.e. you can use a certificate for machine authentication; but the thing about dot1x is that the two, i.e. machine and user, are split and you can use one without the other, or both if you so choose. So you can go straight to user authentication without needing to authenticate the machine, i.e. any machine can be connected to the port regardless of its MAC address and it can still be authenticated with the user.

Now you can set up MAC address authentication with dot1x, in which case obviously you need to have a MAC address that is held in the authentication server database, but as far as I know this is not mandatory, i.e. you can go straight to user authentication and not actually authenticate the machine.

VMPS as you say does indeed have a "similar" architecture, but it cannot authenticate users. It is really only concerned with placing the relevant machine into the correct VLAN, but you are correct in what you say in that the MAC address must exist in the VMPS database before the machine can be placed into that VLAN. So there is a level of security, albeit quite a low level, since it is relatively trivial to modify the MAC address of your machine.

Jon
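To make concrete what the VMPS database quoted earlier in the thread (the MAC-to-VLAN mapping downloaded from a TFTP server) decides, and why Jon calls the protection it gives "quite a low level", here is an added example, not code from the thread or from Cisco. It parses a small database in the layout of a CatOS VMPS database file and performs the lookup a VMPS server does for a switch's (domain, MAC) request. The sample MAC addresses, VLAN names and domain are constructed; the keywords (`vmps domain`, `vmps mode open|secure`, `vmps fallback`, `vmps no-domain-req`, `address <mac> vlan-name <name>`), the `--NONE--` deny marker and the open/secure outcomes modelled below are taken from memory of the Cisco documentation and should be treated as assumptions, not as a transcript of CatOS behaviour.

```python
import re

# Constructed sample database in the layout of a CatOS VMPS database file.
# Keywords and the "--NONE--" deny marker are an assumption from memory of the
# Cisco documentation; the addresses, names and domain are made up.
SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain CAMPUS
vmps mode open
vmps fallback guest
vmps no-domain-req deny
!
vmps-mac-addrs
!
address 0012.2233.4455 vlan-name engineering
address 0012.2233.4466 vlan-name engineering
address 00aa.bbcc.ddee vlan-name finance
address 0000.dead.beef vlan-name --NONE--
"""

DENY_MARKER = "--NONE--"


def normalize_mac(mac):
    """Accept 00:12:22:33:44:55, 00-12-22-33-44-55 or 0012.2233.4455 and return
    Cisco dotted-hex form; raise on anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_db(text):
    """Parse the database text into domain, mode, fallback VLAN and a MAC -> VLAN map."""
    db = {"domain": None, "mode": "open", "fallback": None, "no_domain_req": "allow", "entries": {}}
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()          # '!' starts a comment
        if not line:
            continue
        tokens = line.split()
        if tokens[:2] == ["vmps", "domain"]:
            db["domain"] = tokens[2]
        elif tokens[:2] == ["vmps", "mode"]:
            if tokens[2] not in ("open", "secure"):
                raise ValueError(f"unknown vmps mode {tokens[2]!r}")
            db["mode"] = tokens[2]
        elif tokens[:2] == ["vmps", "fallback"]:
            db["fallback"] = tokens[2]
        elif tokens[:2] == ["vmps", "no-domain-req"]:
            db["no_domain_req"] = tokens[2]
        elif tokens[0] == "address" and len(tokens) == 4 and tokens[2] == "vlan-name":
            db["entries"][normalize_mac(tokens[1])] = tokens[3]
    if db["domain"] is None:
        raise ValueError("VMPS database must define a domain")
    return db


def lookup(db, mac, domain=None):
    """Decide what the VMPS server answers for a (domain, MAC) request from a switch.
    Returns ("vlan", name), ("deny", reason) or ("shutdown", reason).
    Assumed semantics: an explicit --NONE-- entry is a deny; an unknown MAC gets the
    fallback VLAN in open mode, is denied when no fallback is configured, and causes
    the port to be shut down in secure mode."""
    if domain is None:
        if db["no_domain_req"] == "deny":
            return ("deny", "request carried no domain")
    elif domain != db["domain"]:
        return ("deny", "domain mismatch")
    vlan = db["entries"].get(normalize_mac(mac))
    if vlan == DENY_MARKER:
        if db["mode"] == "secure":
            return ("shutdown", "explicitly denied MAC in secure mode")
        return ("deny", "explicitly denied")
    if vlan is not None:
        return ("vlan", vlan)            # the MAC is the only credential checked
    if db["mode"] == "secure":
        return ("shutdown", "unknown MAC in secure mode")
    if db["fallback"]:
        return ("vlan", db["fallback"])
    return ("deny", "unknown MAC, no fallback VLAN")
```

Nothing in the request distinguishes the real owner of `0012.2233.4455` from a host whose interface address has been set to it: `lookup(db, "0012.2233.4455", "CAMPUS")` returns the engineering VLAN either way, which is the weakness Jon describes. The open/secure and fallback branches show the two outcomes Victor asks about for an unlisted MAC (a catch-all VLAN or a refusal), under the assumed semantics stated above.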


Re: dot1x

Good stuff, Jon...

I have to say...a guy I know, who is a CCIE (although that doesn't mean too much in this context), did a ton of testing with this a few years back for Sony, and he swears that MAC-address auth on the machine was done before the user auth by default. He captured packets and would routinely see that.

don't know....

Victor
