This documents discuss implementation of 802.1x with ISE (Identity Service Engine).
Some Concepts to take into Consideration:
There is a lot of interest in enabling 802.1x for access control. Certificate based security is an industry standard and mandated by many federal agencies. Cisco’s first 802.1x based access control solution started with ACS and currently is enforced by their flagship access control solution Identity Services Engine ISE .
We have heard some administrators heard 802.1x is almost impossible to enable and something they don’t have the staff to maintain. The truth is 802.1x is like most technologies, which requires a basic understanding of core concepts and must be designed correctly in order for a project to be successful. Here are some concepts to take into considering while looking at Cisco or other 802.1x solutions for your network.
1) MONITOR ONLY – 802.1x can be deployed in a Monitor Only mode meaning you can turn it on and not impact the network. This is huge because it dramatically reduces the risk of 802.1x deployment issues by troubleshooting error messages before going live. Unlike many technologies, you don’t have to “cut over and troubleshoot”.
2) PROFILING – Cisco ISE offers network profiling, which has two key benefits. ISE can identify all devices on the network so you can plan for how access control can be handled for device types prior to enforcement. ISE can also maintain monitoring of those devices meaning if a hacker spoofs a printer, the spoofed IP will act differently on the network and be blocked. This is a more secure option than white listing devices. Best practice is planning device security via VLANs, ACLs, etc. prior to moving from 802.1x monitor mode.
3) SUPPLICANT – 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The authenticator acts like a security guard while the supplicant (example laptop) is not permitted access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. The supplicant provides credentials, such as user name, password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. The most common used supplicants are built into windows operating systems meaning you don’t have to distribute any new software or clients. Some devices don’t support 802.1x which best practice is using a combination of MAC address and profiling to provision and maintain credibility of those devices.
4) SYSTEM MANAGEMENT – A common question is “how many people does it take to maintain a Access Control solution such as 802.1x?”. The answer varies on the size, level of desired security and other factors. Regardless, the goal of an Access Control solution is to automate and enforce existing security infrastructure. For example, port security is a form of access control that typically requires manual efforts to maintain. Access Control solutions should reduce the required management hours by automating user and device access. The same concept goes for troubleshooting and locating rouge devices.
802.1x is an industry standard and uses switch level commands. Best practice is to build a template in a network management tool and push out the 802.1x Access Control configurations to switches to reduce the chance of misconfiguration.
Enable AAA, Enable Port-based authentication, VLAN/ACL and 802.1x ,MAB
Specify the IP and Ports of RADIUS server, pre-shared key, attributes, and RADIUS request source interface