Security Basics mailing list archives

RE: MAC level authentication or filtering


From: "Jay Archibald" <jay.archibald () comcast net>
Date: Sat, 9 Oct 2004 13:03:41 -0600

Jay -
Can you send me a sanitized copy of the switch config file? I am
interested to see how you have implemented MAC
authentication on the ports. Your scheme seems to be a lot simpler
than that recommended by Cisco a couple of
months ago with the Cisco User Registration Tool (URT), which has a
requirement for VTP on all switches.
Have you considered port-based authentication with 802.1x protocol?
Thanks,
Craig.

Craig,

I have attached an example of a config for a Cisco Catalyst 2950T switch.
Dynamic VLANs are very simple to configure on a switch.  It is setting up
the TACACS server that is time consuming, but you only have to do it once
per mac-address.  As for the switch you only need two commands:

vmps server 192.168.18.3 primary        (this tells the switch where the TACACS server is)
switchport access vlan dynamic          (this command sets which ports are dynamic)

As I mentioned before, the TACACS server needs to have a database set up which
tells the switch which VLAN to assign the port according to the mac-address
of the network host.  The network host will be on the same VLAN no matter
where it connects in the network.  TACACS can be set up to have a default
VLAN for mac-addresses that are not defined in the database.  To protect
your network from these unknown network hosts all you need to do is filter
that default VLAN and the unknown mac-addresses will have limited network
access.  For example, you can allow this VLAN to access the Internet but
restrict access to any other part of your network.  This is an excellent way
to protect your network from users bringing in their own laptops or other
network devices.

I have also included an example on interfaces fa0/1 and fa0/3 that will only
allow a defined mac-address to forward packets on that port.  Any other
mac-address is blocked.  This is very useful for servers that need 100% of
the bandwidth or if you do not want anything else but a specific host to
connect to that port.  With this port security configuration you do not have
to worry about users bringing in hubs, switches or access points and
connecting them to your network.  Port security is not limited to only one
mac-address per port.  You can set the port up with additional mac-addresses
if desired.  Although this can be very useful I would only recommend it for
parts of a network that are very static in terms of where network hosts
connect.

switchport port-security
switchport port-security violation restrict
switchport port-security maximum 1
switchport port-security mac-address 0800.20a8.3678

I do need to admit that both of these examples are subject to mac-address
spoofing, as mentioned in other posts.  It does however stop the 99% of users
that do not know what mac-address spoofing is from connecting a laptop that
is infected with a virus to your network and infecting your network.  For
the other 1%, the users that know how to spoof a mac-address and gain access,
the answer is to set their NIC to full duplex and the switch port to half
duplex ;).  That will teach them.  For those 1% this is where the Cisco User
Registration Tool (URT) comes into play.

Concerning VTP...I do not use VTP in my network.  I don't like it.  All it
takes is one switch with a higher revision number added to your network with
an empty VLAN database and your network is gone.  It has happened to
me...***PANIC***.  I set all my switches to VTP Transparent mode and
manually add the VLANs I want on the switch.  You do however have to use
VLAN trunking between your switches, but by manually adding the desired
VLANs per switch you control what VLANs are allowed on that switch.

Regards,

Jay Archibald


! VMPS server the switch queries to pick a VLAN for each dynamic port
vmps server 192.168.18.3 primary
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
!
! Fa0/1: VLAN assigned by VMPS, port security locked to one mac-address;
! frames from any other mac-address are dropped (restrict) and the port stays up.
! bpduguard err-disables the port if a switch or bridge is plugged in.
interface FastEthernet0/1
 switchport access vlan dynamic
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0800.20a8.3678
 switchport block multicast
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fa0/2: VLAN assigned by VMPS only; an unknown mac-address lands in the
! VMPS default VLAN, which is filtered upstream.
interface FastEthernet0/2
 switchport access vlan dynamic
 switchport mode access
 switchport block multicast
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fa0/3: same as Fa0/1 with a different allowed mac-address
interface FastEthernet0/3
 switchport access vlan dynamic
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0080.d406.004a
 switchport block multicast
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fa0/4: same as Fa0/2
interface FastEthernet0/4
 switchport access vlan dynamic
 switchport mode access
 switchport block multicast
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
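The audit script below is an added example and is not part of Jay's post or any Cisco tool. It parses a trimmed copy of the attached 2950T config, reports per port whether the VLAN is VMPS-dynamic and whether port security is on (violation mode and statically allowed mac-address), and flags ports that rely on default-VLAN filtering alone, use `violation restrict` (port stays up, so the drop is only visible in syslog/SNMP), or lack bpduguard. The IOS defaults it assumes when a command is absent (violation `shutdown`, maximum 1) are my reading of IOS behaviour, not something the post states.

```python
"""Audit a Cisco IOS access-switch config for the two MAC-based controls
discussed in this thread: VMPS dynamic VLAN assignment and port security.

Added example, not from Jay's post or any Cisco tool.  EXAMPLE_CONFIG is a
trimmed copy of the attached 2950T config; the audit rules are my own."""
import re

EXAMPLE_CONFIG = """\
vmps server 192.168.18.3 primary
!
interface FastEthernet0/1
 switchport access vlan dynamic
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0800.20a8.3678
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan dynamic
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan dynamic
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0080.d406.004a
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan dynamic
 switchport mode access
 spanning-tree bpduguard enable
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank or comment/separator
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def audit_interface(lines):
    """Summarise one port's dynamic-VLAN and port-security settings."""
    info = {
        "dynamic_vlan": "switchport access vlan dynamic" in lines,
        "port_security": "switchport port-security" in lines,
        "violation": "shutdown",   # assumed IOS default when not set explicitly
        "maximum": 1,              # assumed IOS default
        "static_macs": [],
        "bpduguard": "spanning-tree bpduguard enable" in lines,
    }
    for line in lines:
        parts = line.split()
        if parts[:3] == ["switchport", "port-security", "violation"]:
            info["violation"] = parts[3]
        elif parts[:3] == ["switchport", "port-security", "maximum"]:
            info["maximum"] = int(parts[3])
        elif parts[:3] == ["switchport", "port-security", "mac-address"]:
            if MAC_RE.match(parts[3]):           # skips 'sticky' and other keywords
                info["static_macs"].append(parts[3])
    return info


def audit(text):
    """Return {interface: settings + findings} for every interface in the config."""
    global_lines, interfaces = parse_config(text)
    vmps_defined = any(l.startswith("vmps server") for l in global_lines)
    report = {}
    for name, lines in interfaces.items():
        info = audit_interface(lines)
        findings = []
        if info["dynamic_vlan"] and not vmps_defined:
            findings.append("dynamic VLAN set but no vmps server configured")
        if not info["port_security"]:
            findings.append("no port security: any MAC forwards, only the VMPS default VLAN limits it")
        elif info["violation"] == "restrict":
            findings.append("violation restrict: offending frames are dropped but the port stays up, so watch syslog")
        if not info["bpduguard"]:
            findings.append("no bpduguard: a user-attached switch would be accepted")
        info["findings"] = findings
        report[name] = info
    return report


if __name__ == "__main__":
    for name, info in audit(EXAMPLE_CONFIG).items():
        print(name, info)
```

Run it against a real `show running-config` dump to get the same per-port table; the point of the `violation restrict` finding is exactly the one Jay's config relies on: the port keeps forwarding the allowed host, so a blocked laptop produces no link-down event and only shows up if the switch is logging to a syslog or SNMP collector.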


-----Original Message-----
From: Craig
Sent: Saturday, October 09, 2004 9:00 AM
To: jay.archibald () comcast net
Subject: FW: MAC level authentication or filtering


Jay -
Can you send me a sanitized copy of the switch config file? I am interested
to see how you have implemented MAC authentication on the ports. Your scheme
seems to be a lot simpler than that recommended by Cisco a couple of
months ago with the Cisco User Registration Tool (URT), which has a
requirement for VTP on all switches.
Have you considered port-based authentication with 802.1x protocol?
Thanks,
Craig.


-----Original Message-----
From: Jay Archibald [mailto:jay.archibald () comcast net]
Sent: Friday, October 08, 2004 12:57 PM
To: dnardoni () firstresponseconsulting com; security-basics () securityfocus com
Subject: RE: MAC level authentication or filtering
Mr. Nardoni,
If you have managed switches in your network that can use dynamic VLANs you
have your answer.
I will use Cisco products for an example since that is what I use.  If you
have dynamic VLANs enabled, the switch will search a database (TACACS) of
mac-addresses to see what VLAN to assign to the port.  You then populate the
TACACS database with the "allowed mac-addresses" and their assigned VLAN
which has access to your servers.
When an unknown mac-address is connected to a switch, the switch will put it
into a default VLAN.  All you have to do is filter that VLAN.  You may want
to filter access for this VLAN to the Internet and nothing else.
Additionally you can turn on logging on the switch and send the syslogs to a
syslog server.  This will record everything that is being connected to the
network and what VLAN is being assigned.
This is a little configuration work up front, but it allows you to control
the known, and protects you from the unknown.
Regards,
Jay Archibald
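As an added example of the syslog side Jay mentions (not code from the thread or from Cisco), the script below parses port-security violation messages, counts violations per port, and flags two patterns the posts discuss: many distinct mac-addresses appearing behind one port (a hub, switch or access point plugged in) and a mac-address that is configured as the allowed host on a different port (a moved or spoofed device). The expected-MAC table is taken from the attached config; the log lines, hostname and sequence numbers are constructed samples modelled on the `%PORT_SECURITY-2-PSECURE_VIOLATION` message shape as I know it, so adjust the regex if your IOS version words it differently.

```python
"""Turn Cisco port-security syslog messages into a per-port summary.

Added example, not from the thread.  SAMPLE_LOG is constructed; EXPECTED
holds the static mac-addresses from Jay's attached 2950T config."""
import re
from collections import defaultdict

# Matches the PSECURE_VIOLATION message format as I know it (assumption).
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

EXPECTED = {  # allowed host per port, from the attached config
    "FastEthernet0/1": "0800.20a8.3678",
    "FastEthernet0/3": "0080.d406.004a",
}

SAMPLE_LOG = """\
Oct  9 12:01:02 sw1 23: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29aa.bbcc on port FastEthernet0/1.
Oct  9 12:01:07 sw1 24: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29aa.bbcc on port FastEthernet0/1.
Oct  9 12:03:44 sw1 25: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0080.d406.004a on port FastEthernet0/1.
Oct  9 12:10:00 sw1 26: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
Oct  9 12:15:31 sw1 27: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2222.3333 on port FastEthernet0/3.
Oct  9 12:15:35 sw1 28: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.4444.5555 on port FastEthernet0/3.
Oct  9 12:15:40 sw1 29: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.6666.7777 on port FastEthernet0/3.
"""


def parse_violations(text):
    """Yield (port, mac) for every port-security violation line; other messages are ignored."""
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            yield m.group("port"), m.group("mac")


def summarize(text, expected=EXPECTED, multi_threshold=3):
    """Per-port violation count, distinct offending MACs and findings."""
    seen_by_port = defaultdict(list)
    for port, mac in parse_violations(text):
        seen_by_port[port].append(mac)

    report = {}
    for port, seen in seen_by_port.items():
        distinct = sorted(set(seen))
        findings = []
        # Several different MACs behind one port: a hub, switch or AP was attached.
        if len(distinct) >= multi_threshold:
            findings.append("many distinct MACs: a hub, switch or AP may be behind this port")
        # A MAC that belongs to another port's allowed host: moved device or spoofing.
        for mac in distinct:
            owners = [p for p, m in expected.items() if m == mac and p != port]
            if owners:
                findings.append(f"{mac} is the configured MAC of {owners[0]}: moved or spoofed host")
        report[port] = {"violations": len(seen), "macs": distinct, "findings": findings}
    return report


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        print(port, info)
```

Feeding the syslog server's file for the switch through `summarize` gives the "what was connected where" record Jay describes, and the second finding is the only visible trace of the spoofing caveat in his later post: a spoofed mac-address is accepted on the port it was spoofed for, but the same address showing up on another port is still detectable.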


| -----Original Message-----
| From: David Nardoni [mailto:dnardoni () firstresponseconsulting com]
| Sent: Thursday, October 07, 2004 09:54
| To: security-basics () securityfocus com
| Subject: MAC level authentication or filtering
|
|
| I need a solution that will allow me to prevent a user from coming in to my
| office and plugging in a laptop and gaining access to the network.
|
| I have users that are currently using thin clients to connect to the main
| server to do all their processing.  If a legitimate user turns bad and
| decides to bring in a system (laptop) from home and connect it to the
| network and proceed to use their proper username and password to gather
| information from terminal services, I want to be able to recognize that they
| have plugged in an unauthorized system and keep them from gaining access to
| the network.
|
| I welcome all ideas no matter what vendor solution or no matter how simple
| or complex.  If you need more info on the situation let me know.
|
|
| Dave Nardoni CISSP
| First Response Consulting Services, Inc.
| dnardoni () firstresponseconsulting com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.774 / Virus Database: 521 - Release Date: 10/7/2004

Attachment: example.txt