Cisco CCNA 200-301 – Switch Security Part 2

  1. 802.1X Identity Based Networking

In this lecture, you’ll learn about 802.1X identity-based networking. When 802.1X is enabled, only authentication traffic is allowed on switch ports until the host and user are authenticated. Authentication traffic means sending a username and password. When the user has entered a valid username and password, the switch port transitions to a normal access port in the relevant VLAN. It’s easier to explain this with a picture, so you see the diagram here, which gives us the terminology as well. Over on the left, we’ve got the user sitting on a PC. The PC is the supplicant in 802.1X terminology, so the operating system on there needs to support 802.1X.

All modern operating systems like Windows, Linux, et cetera, do support being an 802.1X supplicant, but you’re going to need to enable it in the operating system. The next step up, we have the access layer switch that the user is connected to. That is the authenticator, and we need to configure 802.1X support on that access layer switch as well. The final piece of the jigsaw is the authentication server. If you use a server from Cisco, that could be the ACS, which is the older server, or the newer one, ISE, the Identity Services Engine. So what happens with 802.1X is that the client plugs into the access layer switch, and at that point they haven’t authenticated yet, so they only get connectivity to the authentication server.

They don’t get access to anywhere else in the network, so it basically keeps them off the network until they authenticate. They then enter their username and password. The authenticator switch passes that information on to the authentication server, and the authentication server checks that it is a valid username and password. The authentication server is typically also integrated with an Active Directory domain controller, which is where your user database is. Once the username and password has been authenticated, that valid user can be mapped to a VLAN as well.

The authentication server can then send that information down to the authenticator switch, which updates the port the client is plugged into with the correct VLAN. At that point, it acts just like a normal switch port in the correct VLAN, and the user gets their normal access to the network. So 802.1X is used to authenticate your users on the network. They don’t get access to the network at all until they put in a valid username and password, and at that point they are given the relevant access for that particular user. Okay, that was our first three access layer switch security mechanisms. I’ll see you in the next lecture for port security.
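As an added example (not configuration from the course), here is the authenticator side of the flow above on an IOS 15.x access switch: the port allows only EAPOL until the user authenticates, the switch relays the credentials to a RADIUS server (ISE or ACS), and the server's authorization reply can set the port's VLAN. The server address 10.0.0.10 and the RADIUS key are placeholders.

```cisco
! Added example, not from the lecture. 10.0.0.10 and the key are placeholders.
aaa new-model
! Authenticate 802.1X sessions against RADIUS (ISE/ACS) and accept the
! authorization attributes the server returns, such as the VLAN for the user.
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
!
interface FastEthernet0/2
 switchport mode access
 ! Port starts unauthorized: only EAPOL (authentication traffic) passes
 ! until the supplicant on the PC has authenticated.
 authentication port-control auto
 dot1x pae authenticator
!
! Verification: authorized/unauthorized state and the VLAN applied by the server.
! show authentication sessions interface FastEthernet0/2
! show dot1x interface FastEthernet0/2
```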

  2. Preventing Unauthorised Devices with Port Security

You’ll learn about port security, which we can use to secure the ports on our switches. The first thing to talk about while we’re on the subject is that it’s best practice to shut down any unused interfaces. So if you’ve got any ports on your switch that don’t have anything plugged into them right now, then you should shut down those ports. The reason for this is it stops somebody unauthorized coming along, plugging into the port and getting onto the network. Okay, so on to port security. Port security enables an administrator, you, to specify which MAC address or addresses can send traffic into an individual switch port, so it can be used to lock a port down to a particular host or hosts. You see the example in the picture here. I’ve got PC1, which has got MAC address 1 (the diagram’s shorthand), plugged into port FastEthernet 0/2 on the switch.

I configure port security on there, and I say that only MAC address 1 is allowed to send traffic into this port. So port security works on MAC addresses. We do that, and then if somebody comes along and wants to connect into the network, they disconnect PC1 and plug a different PC into the same cable, it’s going to have a different MAC address. So this one’s got MAC address 2. They send traffic into the network, it comes in with a source MAC of 2, which is not the allowed MAC address of 1, so the switch will drop that traffic. But it’s easy to spoof a MAC address. In that scenario I just gave you, if this was an attacker doing it and they knew the MAC address of the existing host was 1, they could easily change their MAC address to 1. You can do that in software in a few seconds. So locking ports down to a specific host is not what port security is actually usually used for in production networks.

There’s a different thing that we can use it for. Port security can also configure individual switch ports to allow only a specified number of source MAC addresses to send traffic into the port, and it can learn the MAC addresses that are coming in. Of course it can do that; it’s a switch, that’s what switches do. So what we configure here, again on FastEthernet 0/2, is that we’re going to allow only one MAC address to send traffic into this port. We don’t specify what the MAC address is, but because PC1 is connected right now, the switch will learn that the current MAC address is 1. What this allows us to do, and why it’s useful, is it prevents users from adding wireless access points or other shared devices onto your network. So we’ve got the same network again, where we’ve got the switch with port FastEthernet 0/2. We enabled port security on there, we’re going to allow one MAC address, and it learned 1. Then what happens is one of your users says, hey, there aren’t enough wall ports in this part of the building.

There are too many people. We can’t get them all connected into the wall. And the IT help desk take too long to fix things and get back to me, so I’m going to do it myself. The user goes and takes a wireless access point from home and plugs that into the port. Hopefully it’s obvious that this is a big problem, because a user doesn’t really know much about networking. They’re not going to put the correct security settings in a wireless access point. Maybe that part of the building is right next to the car park, and they put in a wireless access point that has unrestricted access on it. Now anybody can pull up in your car park and get onto your network, so that’s a huge security concern. Well, port security can stop that from happening. So say the user does do that.

They connect a wireless access point, or maybe it’s another switch, into that switch port. Now we’ve got PC1 with MAC 1 and PC2 with MAC 2, both trying to use the physical port FastEthernet 0/2 on the switch. But it’s only allowed one MAC address, which is 1 right now. So when that additional PC with MAC 2 tries to send traffic into the network, the switch is going to drop it. That’s what port security is most commonly used for in production networks.

To configure this, it’s very simple if you don’t add any additional parameters. It’s configured at the interface level, so we would say interface FastEthernet 0/2 and then switchport port-security. Obviously, you would typically enable this on all ports on your switch, not just one. If you do configure port security like we did just there, with no additional parameters, then only one MAC address is allowed to transmit on the port by default.

These are all the default settings. With that, the current MAC address can be disconnected and replaced; the port is not locked down to a particular MAC address. So say the host with MAC address 1 is currently plugged in and transmitting. That’s fine, it’s only one MAC address. If you then disconnect that host, the port will go down because there’s nothing on the other end. You then plug in another host with MAC address 2, the port goes live again, the switch learns the new MAC address of 2, and that host can transmit. So when you do it like this with the default settings, it locks the port down to just one MAC address at a time, so you can’t have multiple people behind a wireless access point or a switch, but the actual MAC address that is on there can be changed. If a shared device is connected and multiple hosts try to transmit, the port will be shut down.

But if it’s only ever one at a time, it doesn’t matter which one it is; that will be allowed. To verify your port security settings, the command is show port-security interface followed by the interface that you want to check. Here we’re checking interface FastEthernet 0/2. I can see that port security has been enabled. The violation mode is shutdown, meaning if I get more than one MAC address transmitting on this port, I’m going to shut the port down. We’ll cover the other violation modes later in this section. The maximum MAC addresses allowed is one, that’s the default, and the total MAC addresses, which is how many have been discovered right now, is also one. The current MAC address ends in a359. It’s in VLAN 1. The security violation count is zero, because I’ve only got that one MAC address; at no point has more than one MAC address tried to transmit.

Because there are no violations, the port status is secure, meaning that port security has been enabled on here and the port is up right now; it has not been shut down. Okay, so I just mentioned the security violation actions. There are three options, and you select one of the three. The default is shutdown. With this, the interface is placed into the error-disabled state if there’s a violation, and it will block all traffic. The next option is protect. When you do this, traffic from unauthorized addresses is dropped and traffic from allowed addresses is forwarded, so it’s not going to shut the interface down. A legitimate host can still keep transmitting on there, but it’s going to lock out any unauthorized addresses. The last one is restrict, which is similar to protect.

Again, traffic from unauthorized addresses is dropped, but with restrict it will also be logged and a violation counter incremented. And the same as with protect, traffic from allowed addresses is forwarded. To change the violation action from the default of shutdown, at the interface level enter switchport port-security violation followed by either protect or restrict. Okay? If the violation action is left at the default, which is shutdown, and a violation occurs, like more than one MAC address trying to transmit on the interface, the port will move into an error-disabled state. When it’s in an error-disabled state, the port is down. To bring an error-disabled interface back into service, first remove the offending MAC addresses that were causing the problem in the first place. After that, you need to do a shutdown and then a no shutdown on the interface. That’s how you bring it back into service again. Doing it that way is manual. You can also do it in an automatic way, where you specify a time interval after which a port that has been error-disabled will automatically move back into service again. The time interval is configured in seconds; see the example configuration here.

This one is done at the global config level rather than at the interface level. I’ve said errdisable recovery cause psecure-violation. This means that what we’re going to do is recover an error-disabled interface if the cause that made it go error-disabled was a port security violation. Then errdisable recovery interval 600 means that 600 seconds after it first goes error-disabled, it will automatically come out of error-disabled and start forwarding traffic again. Obviously, if the offending hosts are still there, it will just go back into a violation state again. So more commonly, we would be fixing this manually with the shutdown and the no shutdown. Okay, so that is port security. Next up, we’ll have a look at how to configure it in the lab.
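Pulling the port security lecture together, here is an added IOS configuration example (not the course’s own lab config) that applies the defaults on FastEthernet 0/2, uses restrict on a second port, enables the 600-second errdisable recovery, and shuts down unused ports. FastEthernet 0/3 and the 0/10 - 24 range are assumed interface numbers for illustration.

```cisco
! Added example, not from the lecture. Fa0/3 and Fa0/10-24 are assumed numbers.
!
! Best practice from the start of the lecture: shut down unused ports.
interface range FastEthernet0/10 - 24
 shutdown
!
! Defaults: one learned MAC address, violation mode shutdown (err-disabled).
interface FastEthernet0/2
 ! port-security is rejected on a dynamic (DTP) port, so fix the mode first
 switchport mode access
 switchport port-security
!
! Same limit, but keep the port up: drop unauthorized frames, log and count them.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Automatic recovery from err-disabled caused by a port security violation,
! 600 seconds after the port was disabled (global config).
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Manual recovery once the extra device has been unplugged:
! interface FastEthernet0/2
!  shutdown
!  no shutdown
!
! Verification:
! show port-security interface FastEthernet0/2
! show port-security address
! show errdisable recovery
```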
