Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches Best Practices Guide

Recommendations for Configuring Security on a Wired LAN

IEEE 802.1x permits or denies network connectivity based on the identity of users and devices. It provides a link between the user name and IP address, MAC address, and a port on a switch. It also provides customized network access based on the identity of the end device or user.

The main components of IEEE 802.1x are:

• Supplicant (end device)
• Authenticator (switch)
• Authentication server (RADIUS or ISE)

To provide secure access to your wired switch network, we recommend that you first provision your common wired security features. Provision security modes in phased deployments (monitor mode to high-security mode) of IEEE 802.1x authentication along with MAC Authentication Bypass (MAB), which uses the MAC address of the end device (or supplicant) to make decisions about access.

Note Each phased deployment should occur over time after ensuring that your network is ready to transition to the next security mode.

Table 8 describes the recommended IEEE 802.1x deployment scenarios that will have limited impact on network access. Test your network infrastructure while in monitor mode. If you are satisfied, then transition to low-impact mode and allow a subset of network traffic to pass through. Finally, transition to high-security mode, requiring authorization from all end devices.

Reference

For detailed information about wired mode deployments, see the TrustSec Phased Deployment Configuration Guide.

For basic information about IEEE 802.1x protocols, see the “8021X Protocols” section of the Wired 802.1X Deployment Guide.

Provision Common Wired Security Access

IEEE 802.1x port host modes determine whether more than one client can be authenticated on the port and how authentications is enforced:

Unless otherwise noted, we recommend that multiple-authentication mode be configured instead of single-host mode, for increased security:

• Multi-authentication mode authenticates all the devices that gain access to the network through a single switch port, such as devices connected through IP phones.
• Multi-authentication mode is more secure than multi-host mode (which also allows multiple data devices) because it authenticates all the devices that try to gain access to the network.

Step 1 Run the show run command on your switch to ensure that your access interface connections are set up.

This output is what you inherit after performing the “Access Interface Connectivity” workflow configuration for an interface connected to an IP phone.

Step 2 (Optional) If you observe excessive timeouts, fine-tune the IEEE 802.1x timers and variables. Timers and variables are important for controlling the IEEE 802.1x authenticator process on the switch.

We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless necessary.

Begin in interface configuration mode:

Step 3 Set the timers on the appropriate interfaces.

These timers and variables control IEEE 802.1x authenticator operations when end devices stop functioning during authentication.

Begin in interface configuration mode.

Reference

For detailed information about the IEEE 802.1x timers and variables, see the Wired 802.1x Deployment Guide.

Step 4 Enable MAC authentication bypass (MAB) from interface configuration mode to authenticate supplicants that do not support IEEE 802.1x authentication.

When MAB is enabled, the switch uses the MAC address of the device as its identity. The authentication has a database of MAC addresses that are allowed network access.

We recommend that you enable MAB to support non-802.1x-compliant devices. MAB also is an alternate authentication method when end devices fail IEEE 802.1x authentication due to restricted ACL access.

Begin in interface configuration mode.

Step 5 Configure IEEE 802.1x on the appropriate interfaces.

When you configure an IEEE 802.1x parameter on a port, a dot1x authenticator is automatically created on the port. When that occurs, the dot1x pae authenticator command must also be configured to ensure that the dot1x authentication will work on legacy configurations.

Begin in interface configuration mode:

Step 6 Enable access control and IEEE 802.1x authentications.

Begin in global configuration mode.

Step 7 To establish the radius server, configure the RADIUS server with IP address, UDP port for authentication and accounting server, and server encryption key.

Provision in Monitor Mode

Monitor mode enables IEEE 802.1x authentication without impacting the access of the end devices (supplicants) to a switch (authenticator). This mode allows you to continuously gather the following types of data for all the devices connected to your network:

• List of IEEE 802.1x-capable devices
• List of devices that are not capable of IEEE 802.1x
• Devices with good credentials
• Devices with bad credentials.
• List of valid MAC addresses (for MAB)
• List of unknown or invalid MAC addresses (for MAB)

We recommend monitor mode as a first-phase approach to provide secure access with IEEE 802.1x. Although this mode authenticates the end devices and users (supplicants), traffic is not impacted if authentication fails.

In monitor mode, IEEE 802.1x and MAB are enabled, but access is open to all users.

Step 8 To allow hosts to gain access to a controlled port, configure multi-authentication host mode and open authentication.

Step 9 Disable the Port Security feature, because when IEEE 802.1x is enabled, the Port Security feature becomes redundant and might interfere with the IEEE 802.1x functionality.

Begin in interface configuration mode.

Provision in Low-Impact Mode

The next deployment phase in securing your network is to provision in low impact mode, which allows differentiated network access to authenticated users while permitting basic network services for all users.

Note For information about configuration of multiple-authentication mode on IEEE 802.1x ports, see “Provision Common Wired Security Access”.

Minimize the impact to your initial network access settings and add differentiated network access to authenticated users with low-impact mode provisioning. In low-impact mode, authentication is open and network access is contained using less restrictive port ACLs. After authentication, dACLs are used to allow full network access to end devices.

Step 10 configure multi-domain mode to prevent unauthorized users from accessing an interface after an authorized user has been authenticated.

Step 11 Add a static ACL to allow basic network access.

Configure a restrictive port ACL that allows access for configuration and a Configured Trust List (CTL).

Begin in global configuration mode.

Provision in High-Impact Mode

The final deployment phase of securing your wired network is high-impact mode.

This phase goes beyond low-impact mode and provisions tight access control on the network port by configuring the default IEEE 802.1x authentication mode with dynamic VLAN for differentiated access.

Step 12 Configure multi-authentication host mode, and open authentication.

Step 13 Disable RADIUS for this deployment phase.

High-impact mode provides no network access to devices and users that fail authentication. In monitor mode and low-impact mode, we recommend that you identify and resolve the devices and user accounts that have failed authentication. Transition to high-impact mode when you are confident that end devices (that need network access) authenticate successfully, and authentication fails for devices and users that do not need access.

Begin in global configuration mode.

Step 14 Assign critical VLAN assignments for situations where the authentication server is unavailable.

The following command is used to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode.

Step 15 If the authentication server does not respond, authorize voice.