Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

re: Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

alexbchalmers — Wed, 27 Aug 2008 02:25:59 GMT

Pat Fetty from the WinCAT team posted a new article that talks about the differences between 802.1X NAP deployments when using VLANs or Port ACLs...

re: Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

ewood — Mon, 19 Jan 2009 20:49:31 GMT

I am working on an implementation of 802.1x for VLAN assignment in an Server & Domain Isolation scenario (though without IPSec) and as I was coming up to speed on 802.1x I found this Blog post by Pat and it really helped me to understand the trade-off's of Port restrictions via ACL's versus VLAN assignment quite well. I like how Pat lays things out. Very clear. Thanks.

re: Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

sbap — Thu, 18 Jun 2009 20:27:42 GMT

I agree. This is layed out extremely well. It convinced me to (attempt) move to a port ACL driven NAP implementation.

I've hit a road block though in passing a RADIUS attribute to the switch will accept as a port ACL change. I've tried both the filter-id and cisco av-pair methods (I am running a Catalyst 4500 IOS 12.2(50)SG1). Has any one successfully implemented port ACLs on Cisco? I am curious the syntax that was or would be used for the RADIUS attributes you passed. This would be a tremendous help! I've Googled this extensively and tried MANY different syntaxes..

re: Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

pfetty — Fri, 19 Jun 2009 02:35:35 GMT

SBAP,

For Cisco devices they are a bit picky when it comes to what attributes it receives as I have run into this at other customer sites. For instance, if you send both VLAN attributes as well as the Filter-ID the device will simply not respond and it is tough to troubleshoot.

For ACL's Cisco devices require that you define the ACL first on the switch, then send the Filter-ID attribute configred with a string value to reference the ACL. For example, if you have an inbound ACL defined as "10", then the filter ID attribute value you would send would configure and send back would be "10.in". If your ACL isn't referencing inbound or outbound traffic, then you don't need to configure the ".in" or ".out" and th string value for the Filter-ID would just be "10".

Hope this helps.

Pat

re: Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

sbap — Sat, 20 Jun 2009 00:53:04 GMT

Thanks Pat. All valid info. I ran through all of that in my many attempts to get the syntax correct.

Turns out that my port wouldn't accept an ACL because I was using "multi-domain" authentication mode. This allows for 2 devices to auth on a single port (IP phone tethered with PC). To use filter-id you must be in "single-host" authentication mode or port ACLs are disabled.

Enter downloadable ACLs. (http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1430556) DACLs SHOULD allow for ACLs on ports with multiple devices. The switch tracks the IP address of the devices and modifies the ACL appropiately. The trouble is, all reference to DACL config deals with ACS Radius. I really want to use this with NPS (and NAP of course :). Has anyone been able to use DACLs with a Radius server other than ACS??? Radius is a STANDARD so I have to believe its achievable.

Also I wanted to share this KB as well. http://support.microsoft.com/kb/283829 Both methods detailed didnt work for me, but may work for others.