Integration Value-Add of 802.1X
Data traffic from an end station is not forwarded until 802.1X completes. A LAN
segment, as shown earlier, consists of exactly two ports. An authenticator can
monitor the operational state of the link and detect the presence of an active device at the
remote end, or detect when an active device becomes inactive. Together with link state, these
events trigger changes in the authorization state of the switch port. This behavior is the
default once 802.1X is enabled on a port, and it is turned on per port on Cisco IOS-based
switches with the following command (the interface default is force-authorized, which
leaves the port open to all traffic, so auto is what actually switches enforcement on):
dot1x port-control auto
802.1X is a control plane protocol that protects the data plane from a number of attack vectors.
Other security features can be enabled to modify default network access or to enforce
configured rules on the data plane. The next three sections examine how such data
plane components integrate with 802.1X.
Spanning-Tree Considerations
IEEE 802.1D defines the Spanning Tree Protocol (STP). STP is a control plane, link-management
protocol for bridged networks that provides path redundancy while preventing
undesirable loops in networks built from multiple active paths.
STP is a useful protocol, but unfortunately it was conceived with no security in mind; as a
result, STP is vulnerable to several types of attacks. Chapter 4, "Are VLANs Safe?,"
discusses these attacks.
By default, 802.1X uses a group MAC address: the port access entity (PAE) group address.
This MAC address is 0180.c200.0003, and IEEE 802.1D assigned it for use by PAEs. In
wired deployments, a supplicant's MAC address is unknown to the authenticator prior to any
EAPOL exchange.
In a wireless deployment, a supplicant's MAC address might be known to the authenticator
before the 802.1X exchange starts. One example is an authenticator that also implements
IEEE 802.11: 802.11 establishes a pairwise association between a station and the
authenticator, and that association reveals the station's MAC address.
In environments that also use 802.11, all EAPOL frames sent by a PAE can therefore carry the
individual MAC address of the LAN attachment point at the other end of the link as the
destination MAC address. Otherwise, the supplicant is unknown to the authenticator
and vice versa, which is normally the case for wired deployments, and the PAE group
address is used. Also, because the PAE group address falls within the block of addresses
that 802.1D reserves for bridge use, EAPOL is not normally forwarded by an 802.1D-capable
bridge: the first bridge that receives an EAPOL frame consumes it, so the exchange stays on
the single LAN segment between supplicant and authenticator.
282 Chapter 17: Identity-Based Networking Services with 802.1X
Under normal circumstances, Layer 2 access ports connected to a single workstation or
server need not participate in spanning tree. When enabled on a port, bridge protocol data
unit (BPDU) filtering lets you avoid sending BPDUs on portfast-enabled ports that
are connected to an end system.
Enabling BPDU-Filter
By default, spanning tree sends BPDUs from all ports, regardless of whether portfast is
enabled. After you enable BPDU filtering globally, it applies to all portfast-enabled ports on the
switch. Enabling BPDU-Filter on a port effectively disables spanning-tree capability on that
Layer 2 access port.
When BPDU-Filter is explicitly configured on a port, the port does not send any BPDUs and
drops all BPDUs it receives. When configured globally, BPDU-Filter applies to all
operational portfast ports.
Ports in the operational portfast state are assumed to be connected to hosts, which typically
discard BPDUs. If an operational portfast port receives a BPDU, it immediately loses its
operational portfast status. In that case, BPDU-Filter is disabled on the port and STP
resumes sending BPDUs on it. Note the security consequence of the difference: the per-port
form silently discards received BPDUs too, so a loop introduced through a rogue switch on that
port is never detected, whereas the global form only suppresses transmission and backs off
as soon as a BPDU arrives.
From an operational standpoint, BPDU-Filter does not affect an 802.1X
deployment. Nor does BPDU-Filter affect a device on the wire that is still
authenticating with 802.1X.
From a deployment perspective, however, it deserves thought. If you assume
that every device on a Layer 2 access port is running 802.1X, enabling BPDU-Filter on that port
does not buy you anything. The reason is the fundamental rule of the control
plane defined by 802.1X: access to a port, including the processing of other BPDUs, is not
granted until 802.1X authorizes the port. Simply put, unless 802.1X has
authorized a port, it does not matter whether a rogue switch gets plugged into it; this
attack vector is defeated by 802.1X itself anyway. So from a security best-practice
standpoint there is no real benefit to enabling BPDU-Filter, unless specific
requirements dictate otherwise.
Enabling BPDU-Guard
Another spanning-tree security feature is BPDU-guard. BPDU-guard shuts down a
port (placing it in the err-disabled state) as soon as a BPDU is received on that port. In this
way, BPDU-guard helps prevent unauthorized access and the injection of forged BPDUs.
802.1X Security 283
From an operational standpoint, BPDU-guard does not affect an 802.1X
deployment. Nor does BPDU-guard affect a device on the wire that is still
authenticating with 802.1X.
From a deployment perspective, however, it deserves thought. If you assume
that every device on a Layer 2 access port is running 802.1X, enabling BPDU-guard on that port
does not technically buy you anything. The reason is the fundamental rule of the
control plane defined by 802.1X: access to a port, including
the processing of other BPDUs, is not granted until 802.1X authorizes the port. Put simply, unless 802.1X
has authorized a port, it does not matter whether a rogue switch gets plugged into it; this
attack vector is defeated by 802.1X, not by BPDU-guard. However, from a security
best-practice standpoint, that is no reason to disable BPDU-guard. One practical check before
leaning on this argument: Cisco's 802.1X documentation for Catalyst switches states that an
unauthorized port still allows EAPOL, CDP, and STP traffic through, so on such a release a
rogue switch's BPDUs can be processed before authorization, and BPDU-guard is what stops them.
As 802.1X becomes more pervasive, 802.1X capability will also appear on other network devices
themselves. Hence, BPDU-guard on Layer 2 access ports remains valuable.
Trunking Considerations
By default, all Ethernet ports on Catalyst switches are set to autonegotiate trunking.
Autonegotiated trunking allows switches to automatically negotiate Inter-Switch Link
(ISL) and 802.1Q trunks; the Dynamic Trunking Protocol (DTP) manages the negotiation.
Setting a port to autonegotiated trunking mode makes the port willing to convert the link
into a trunk link, and the port becomes a trunk port if the neighboring port is set as a trunk
or configured in desirable mode.
Although the autonegotiation of trunks facilitates the deployment of switches, it also
represents a potential attack vector: an attacker can take advantage of this feature and easily set up an
illegitimate trunk. For this reason, as a security best practice, trunk autonegotiation
needs to be disabled on all user-facing ports (on Cisco IOS, switchport mode access
together with switchport nonegotiate).
In concert with 802.1X, disabling automatic trunking happens by default. Furthermore, when
802.1X is enabled on a port, trunking itself is explicitly disabled. If a per-port plan to
protect against trunk autonegotiation is being considered, deploying 802.1X
itself can obviate the need for such a plan. In the future, this model might change as
802.1X becomes more common on all port types.
Information Leaks
If a port can become a trunk, it might also be able to trunk automatically and, in
some cases, even negotiate which type of trunking to use on the port. DTP provides this
ability to negotiate the trunking method with the other device. In concert with 802.1X and
the default operation previously examined, DTP should not be a source of information
leakage when examining potential attack vectors in a port-based access-control
solution. The same can be said for VLAN Trunking Protocol (VTP) and Cisco Discovery
Protocol (CDP). When 802.1X is enabled, a switch sends no DTP, VTP, or CDP information
on the wire until the port is authorized. Verify the CDP part of this claim on the IOS release
you run: Cisco's Catalyst 802.1X documentation lists CDP, together with EAPOL and STP, among
the traffic an unauthorized port still allows, in which case CDP can leak before
authorization unless it is disabled on access ports (no cdp enable). These control planes and
their threat vectors are discussed in Chapter 11, "Information Leaks with Cisco Ancillary Protocols."
NOTE Port Aggregation Protocol (PAgP), VTP, and CDP are discussed in detail in Chapter 11.
In most enterprise networks that support multicast as a service, multicast hosts use the
Internet Group Management Protocol (IGMP) to signal to multicast routers that they want to join or leave
an IP multicast group. Multicast routers periodically send IGMP query messages to learn
the active members of a group. This is one place where information about the network might leak.
In addition to IGMP, network routing protocols can also rely on multicast. Such
frames include Open Shortest Path First (OSPF) hellos, PIMv1/v2 hellos, and Enhanced Interior
Gateway Routing Protocol (EIGRP) hellos. Others include Distance Vector Multicast
Routing Protocol (DVMRP) probes and IGMP self-joins. All of these frames might contain
network information that serves as an attack vector. By default, on Layer 2 access ports, all
multicast frames from the network are forwarded out the ports that are members of the
corresponding groups; this includes environments where IGMP snooping constrains the flooding of
multicast traffic, because link-local hellos and queries still reach the access port. Under the
default operation of 802.1X, all of these multicast frames are dropped until 802.1X authorizes
the port. This indirectly helps to level-set other security features, such as port-based
broadcast/multicast/unicast storm control.
802.1X frames are never 802.1Q tagged on Cisco switches. The IEEE 802.1X specification
explicitly calls for EAPOL frames not to be VLAN tagged, although they can optionally be priority
tagged (a tag whose VLAN ID is 0). This "native VLAN" behavior for 802.1X is needed for compliance
with the 802.1Q specification, because IEEE bridge protocols never send tagged BPDUs, and
802.1X follows the same rule. As a result, 802.1X and any sort of 802.1Q vulnerability or
limitation are really orthogonal issues.
802.1Q exploits generally have to do with piggybacking. The default implementation of
802.1X realizes the full benefit of completely preventing port piggybacking, because a
single physical access port is not split into multiple distinct logical ports. Exceptions
to this rule include environments such as IEEE 802.11 wireless LANs (WLAN), where many
stations share one physical medium. 802.1X does not defend against any direct 802.1Q exploit,
but it must establish a reasonable level of trust, because it is what allows sessions to begin
in the first place.
Note that 802.1X and 802.1Q can serve together as a means to enforce policy. An authenticator might have
access to multiple types of configured VLANs: employee VLANs, student
VLANs, guest VLANs, and so on. 802.1X can work in combination with 802.1Q from a
signaling or authorization point of view. Through EAPOL and EAP over
RADIUS, the authentication, authorization, and accounting (AAA) server can tell an
authenticator which VLAN to grant access to on a per-port, per-session basis. (For more
information on VLAN assignment, see the section "VLAN Assignment.")
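Several of the behaviors described in this chapter can be checked against a small model of the 802.1X controlled port: an access port drops everything except EAPOL until 802.1X authorizes it; EAPOL is sent to the 802.1D-reserved PAE group address and so is consumed by the first bridge rather than relayed; multicast such as IGMP reports is dropped until authorization; and EAPOL may be priority-tagged (VID 0) but never VLAN-tagged. The following Python is an added example written for this edit, not code from the book or from Cisco IOS. The port MAC, supplicant MAC and every frame are constructed for the illustration, and the model follows the IEEE controlled/uncontrolled port split only; a Cisco IOS port may additionally pass CDP and STP while unauthorized, which this model does not attempt to reproduce.

```python
# Added example: a model of an IEEE 802.1X controlled access port on a switch.
# Not code from the book or from Cisco IOS. Port MAC, supplicant MAC and all
# frame contents below are constructed for the illustration.
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1D-assigned PAE group address
STP_GROUP_ADDRESS = bytes.fromhex("0180c2000000")  # Bridge Group Address used by BPDUs
# 802.1D reserves 01-80-C2-00-00-00 through 01-80-C2-00-00-0F. A bridge must not
# relay frames sent to these addresses, which is why EAPOL stops at the first bridge.
RESERVED_PREFIX = bytes.fromhex("0180c20000")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def is_bridge_reserved(mac: bytes) -> bool:
    """True for the 16 group addresses an 802.1D bridge consumes rather than relays."""
    return mac[:5] == RESERVED_PREFIX and mac[5] <= 0x0F


def is_group_address(mac: bytes) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group address."""
    return bool(mac[0] & 0x01)


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"", pcp: Optional[int] = None) -> bytes:
    """EAPOL frame to the PAE group address. pcp=None gives an untagged frame;
    pcp=n adds a priority tag (802.1Q TCI with VID 0), which 802.1X allows."""
    frame = PAE_GROUP_ADDRESS + src
    if pcp is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, (pcp & 0x7) << 13)  # VID field is 0
    # EAPOL header: protocol version 1, packet type, body length
    return frame + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Generic Ethernet frame, optionally carrying a real VLAN tag (VID != 0)."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split off the Ethernet header and an optional single 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid: Optional[int] = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


def eapol_verdict(parsed: Dict[str, object], port_mac: bytes) -> str:
    """The PAE accepts EAPOL addressed to the group address or to this port's own
    MAC, untagged or priority-tagged (VID 0). A VLAN-tagged frame is not EAPOL
    as far as 802.1X is concerned, so it is rejected rather than interpreted."""
    if parsed["dst"] not in (PAE_GROUP_ADDRESS, port_mac):
        return "rejected: not addressed to the PAE"
    if parsed["vid"] not in (None, 0):
        return "rejected: VLAN-tagged (VID %d)" % parsed["vid"]
    _version, ptype, _length = struct.unpack("!BBH", parsed["payload"][:4])
    return EAPOL_TYPES.get(ptype, "unknown type %d" % ptype)


def controlled_port(frame: bytes, authorized: bool, port_mac: bytes) -> Tuple[str, str]:
    """Decision for one ingress frame on an 802.1X access port. EAPOL always
    reaches the PAE through the uncontrolled port; every other frame is dropped
    until the controlled port is authorized; once authorized, frames to 802.1D
    reserved addresses are handled locally and never relayed."""
    p = parse_frame(frame)
    if p["ethertype"] == ETHERTYPE_EAPOL:
        return ("pae", eapol_verdict(p, port_mac))
    if not authorized:
        return ("drop", "controlled port unauthorized")
    if is_bridge_reserved(p["dst"]):
        return ("local", "802.1D reserved address, not relayed")
    return ("forward", "group" if is_group_address(p["dst"]) else "individual")


def demo() -> List[Tuple[str, str]]:
    """Constructed frames run through the model before and after authorization."""
    port_mac = bytes.fromhex("001122334455")  # constructed switch port MAC
    host = bytes.fromhex("00aabbccddee")      # constructed supplicant MAC
    # IGMP membership report: IPv4 to the all-IGMPv3-routers group, payload abbreviated
    igmp_report = build_frame(bytes.fromhex("01005e000016"), host, ETHERTYPE_IPV4, b"\x46" + b"\x00" * 27)
    # STP configuration BPDU: 802.3 length field, LLC 42 42 03, zeroed BPDU body
    bpdu = build_frame(STP_GROUP_ADDRESS, host, 38, b"\x42\x42\x03" + b"\x00" * 35)
    tagged_eapol = build_frame(PAE_GROUP_ADDRESS, host, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00", vid=10)
    return [
        controlled_port(build_eapol(host, 1), False, port_mac),         # EAPOL-Start, untagged
        controlled_port(build_eapol(host, 1, pcp=7), False, port_mac),  # EAPOL-Start, priority-tagged
        controlled_port(tagged_eapol, False, port_mac),                 # EAPOL inside VLAN 10: rejected
        controlled_port(igmp_report, False, port_mac),                  # dropped before authorization
        controlled_port(igmp_report, True, port_mac),                   # relayed once authorized
        controlled_port(bpdu, True, port_mac),                          # consumed by the bridge, never relayed
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the script prints the six verdicts in order. The two EAPOL-Start variants reach the PAE, the VLAN-tagged copy is rejected on the VID check alone, the IGMP report is dropped while the port is unauthorized and relayed as a group frame afterwards, and the BPDU is never relayed even on an authorized port because its destination sits in the reserved 802.1D block, the same property that keeps EAPOL on a single segment.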