Our team focuses on cutting edge customer and partner experiences for existing and new Windows Server and Cloud releases.
Given that the NAC (Network Access Control) market is one of the hottest segments in the industry (I think virtualization has that distinction at the moment) it is fitting to take a look at the variety of options available from Microsoft's Network Access Protection (NAP). NAP supports a variety of what we call enforcement methods. In the NAP space, and enforcement method is simply a term that defines the way a machine connects to a network. In NAP, these are DHCP, 802.1x (wired or wireless), VPN, IPsec, or via a Terminal Services Gateway.
The most common method of the list is 802.1x for a variety of reasons. First, the industry has been selling 802.1x network authentication for the last 10 years. 1x gained tremendous popularity as wireless networking became prevalent in the late 90's and early 2000's and has been proven to be a viable solution to identifying assets and users on your network. For customers that have invested in 802.1x capable switches and access points, NAP can very easily be implemented to complement what is already in place. The Network Policy Server (NPS) role Windows Server 2008 has been dramatically improved to make 802.1x policy creation much simpler to do, however, what many people don't realize is that there really are 2 rather distinct ways to deploy 802.1x based NAP, and this is what we will be discussing today. These 2 methods are commonly referred to as the use of VLAN's or Port ACL's.
Since we are talking about this in the context of NAP, this would be a good time to introduce the fact that taking the VLAN approach essentially requires that you involve the folks that own your switching infrastructure in your NAP plans. Why you ask, because you will now be asking them to touch all the switches and AP's on the network to create the VLAN structure that you will need for your NAP deployment. At a minimum, you would want to create 3 different VLAN's. One for 'healthy' or compliant computers, one for 'unhealthy' or non-compliant computers, and a third VLAN for guests, or unknown devices that cannot pass the ports requirement to do 802.1x authentication.
In the VLAN scenario, on your RADIUS server (i.e. our NPS server) you would create a policy that had a set of attributes with values that matched the VLAN you have created on the switch. The most common attributes used are Tunnel-Private-Group-ID, Tunnel-Tag and Filter-ID. The values for these attributes usually would match the VLAN name, or number you created on the switch.
As an example, let's say on your switch VLAN 100 is the compliant VLAN and VLAN 200 is the non-compliant VLAN.
To make this work when you walk through the wizard in NPS to create 802.1x policies you will create a compliant and non-compliant policy. When prompted to insert values for these attributes you will enter "100" for your compliant policy (i.e. Tunnel-Private-Group-ID = 100) and "200" for the non-compliant policy. Our wizard based configuration makes this very easy.
Once completed, when a machine comes onto your network and meets the criteria of one of the policies you created, the NPS will send back this tunnel information to the switch to instruct the switch to put that machine in the proper VLAN. Pretty simple and straight forward.
There are 2 approaches here.
In scenario 1, you would do the heavy configuration on the switch by creating the ACLs you would want for compliant and non-compliant machines. Most likely those ACL's would restrict protocols and ports and access to only certain IP addresses. For this example let's say you have named your ACL's "compliant" and "non-compliant".
In your RADIUS server you would use something like the Filter-ID attribute (this is the most commonly supported attribute) with a string value of "compliant" or "non-compliant". When received the switch will then know what ACL to apply to that port.
In scenario 2, instead of configuring and sending the Filter-ID attribute, you would create Vendor Specific Attributes (VSAs) (this is a common concept in the RADIUS protocol) that tell the switch explicitly what ACL's to apply to that port. For example, the HP ProCurve line of switches will accept the following Vendor Specific Attribute (VSA)
permit in udp from any to 10.10.10.2 53
This essentially says 'allow any DNS traffic on this port to IP address 10.10.10.2'. The assumption is that 10.10.10.2 is your DNS server.
The pros and cons of the 2 port ACL approaches are fairly similar as well.
Comparing the 2 approaches
Now that everyone understands what is required for each approach, let's take a look at some of the pro's and con's of each.
+ The concept of VLAN's is one that is easy to explain that even a manager can figure out!
+ Doesn't require extensive knowledge of the RADIUS protocol to set up and anyone who's anyone at a switch CLI could get this set up pretty easily
+ Makes helpdesk troubleshooting a bit simpler by being able to quickly find out why a machine can't connect to (insert your answer here). It would go something like "Oh, you can't get to your mail because you're in VLAN 200!"
- The user experience can be very poor if the machine is being dynamically moved from VLAN to VLAN (which is what NAP does essentially). The reason why is because when a machine changes VLAN's the interface on the machine is torn down and essentially does an ipconfig /release /renew
- If not properly designed, this can be a real helpdesk nightmare. A common mistake here is to ACL down the non-compliant VLAN to not have any corporate access, which is a mistake since that machine may need to re-authenticate itself with the network after NAP has remediated it
- Requires you to touch all of your switches and AP's to do the VLAN creation and management.
- For NAP, your AP's and switches will need to support the ability to do dynamic VLAN assignment and not all switches and AP's support this concept. In fact, not all firmware versions from the same manufacturer support this, so an upgrade may be required.
+ Can possibly be implemented without having to touch all your switches and AP's since the configuration would reside on the NPS Server. This can also be seen as a political positive as well since infrastructure folks and server folks are commonly separate teams with separate objectives that rarely overlap.
+ The actual enforcement of the ACL is done at the switch or AP and thus offers the user a more pleasant experience since even if the machine is moving from a compliant to a non-compliant state (or vice versa) it is handled at the switch and not on the client machine (no ipconfig /release /renew)
+ The attributes and values required in your NPS policy to make this scenario work are commonly supported and have been for some time, so the chance of having to do a hardware upgrade in this scenario are less likely
- To really make this work effectively in an enterprise you really need to know the ins and outs of your switches and what is and is not supported, not to mention you must be a pretty good RADIUS geek as well to get this working (we are a dying breed these days… J)
- Troubleshooting and helpdesk support in this scenario is a bit more complicated since your NPS policy for this could have multiple ACL's in it that look like this (permit in udp from any to 10.10.10.2 53). It would not be
uncommon to have 10-12 lines like this in your policy and trying to figure out why a machine can't connect to a resource on the network
- Finding accurate documentation on exactly what attributes and values are supported for your device(s) can be a challenge
Hopefully now you have a better understanding of what 802.1x authentication support in NAP can offer you. 1x is a very powerful means of maintaining and safe and healthy network, but it's not the ultimate solution by any means. Network security and health is an ongoing exercise that may require multiple solutions to achieve your business goals (like using 1x and IPsec together for instance).
NAP is a very compelling feature with a lot of moving parts, so in future posts we will be visiting more topics around NAP. In the mean time, please visit the NAP development team's blog at http://blogs.technet.com/nap
Pat Fetty from the WinCAT team posted a new article that talks about the differences between 802.1X NAP deployments when using VLANs or Port ACLs...
I am working on an implementation of 802.1x for VLAN assignment in an Server & Domain Isolation scenario (though without IPSec) and as I was coming up to speed on 802.1x I found this Blog post by Pat and it really helped me to understand the trade-off's of Port restrictions via ACL's versus VLAN assignment quite well. I like how Pat lays things out. Very clear. Thanks.
I agree. This is layed out extremely well. It convinced me to (attempt) move to a port ACL driven NAP implementation.
I've hit a road block though in passing a RADIUS attribute to the switch will accept as a port ACL change. I've tried both the filter-id and cisco av-pair methods (I am running a Catalyst 4500 IOS 12.2(50)SG1). Has any one successfully implemented port ACLs on Cisco? I am curious the syntax that was or would be used for the RADIUS attributes you passed. This would be a tremendous help! I've Googled this extensively and tried MANY different syntaxes..
For Cisco devices they are a bit picky when it comes to what attributes it receives as I have run into this at other customer sites. For instance, if you send both VLAN attributes as well as the Filter-ID the device will simply not respond and it is tough to troubleshoot.
For ACL's Cisco devices require that you define the ACL first on the switch, then send the Filter-ID attribute configred with a string value to reference the ACL. For example, if you have an inbound ACL defined as "10", then the filter ID attribute value you would send would configure and send back would be "10.in". If your ACL isn't referencing inbound or outbound traffic, then you don't need to configure the ".in" or ".out" and th string value for the Filter-ID would just be "10".
Hope this helps.
Thanks Pat. All valid info. I ran through all of that in my many attempts to get the syntax correct.
Turns out that my port wouldn't accept an ACL because I was using "multi-domain" authentication mode. This allows for 2 devices to auth on a single port (IP phone tethered with PC). To use filter-id you must be in "single-host" authentication mode or port ACLs are disabled.
Enter downloadable ACLs. (http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1430556) DACLs SHOULD allow for ACLs on ports with multiple devices. The switch tracks the IP address of the devices and modifies the ACL appropiately. The trouble is, all reference to DACL config deals with ACS Radius. I really want to use this with NPS (and NAP of course :). Has anyone been able to use DACLs with a Radius server other than ACS??? Radius is a STANDARD so I have to believe its achievable.
Also I wanted to share this KB as well. http://support.microsoft.com/kb/283829 Both methods detailed didnt work for me, but may work for others.