
About NAP, MAB and Dynamic VLANs

An article about how our small organization uses Microsoft and Cisco technologies to restrict network access for various devices. Below, NAP and MAB are described, along with how the two can be used together.

Some things are described only in passing, because they are well known or documented in sufficient detail elsewhere.

Technology number one is NAP (Network Access Protection) from Microsoft: granting network access based on the health of computers. In other words, policies are defined that state the requirements a computer must meet in order to gain access to the network: for example, an antivirus must be installed, its databases must be up to date, the firewall or the automatic update service must be running, and so on. If the computer meets the conditions, access to the network is granted. If not, access is denied, or granted in a limited form.

NAP can be used in various scenarios: with DHCP, IPsec, RD Gateway. In our small organization NAP is used together with the 802.1X protocol to check devices connecting to switch ports or over Wi-Fi and to grant or deny them network access. I.e. as soon as a computer is plugged into a network socket, it is authenticated and checked for compliance with the defined policies; based on the result, the switch receives a message from the RADIUS server saying whether the client is let into the network or not, and, if it is, into which VLAN.
If the computer does not meet the requirements, it can be moved to a quarantine VLAN, in which only a certain server, a remediation server, is reachable. From that server one can, for example, download and install an antivirus and then try again to gain access to the desired network.
This scheme assumes that all clients receive their addresses from our DHCP, and this is a very important point.

Technology number two is MAB (MAC Authentication Bypass) from Cisco: authenticating devices connected to the network by their MAC addresses. I.e. when a device is connected to a port of a properly configured switch (a properly configured switch lets no one into the network without checking first), the connected device is authenticated: the switch sends a request to the RADIUS server using the device's MAC address as both login and password. The switch then acts on the RADIUS server's response: either MAB success or a rejection.

And now about how we all use it.

As is easy to notice, NAP fits computer-type devices perfectly, since that is where its potential can be realized (checking for an installed antivirus, firewall, updates ...), and it does not much matter which OS the computer runs: there are, admittedly paid, implementations for Linux and reportedly for Mac as well. For Windows much is available out of the box for free (the box itself, it is true, costs money).

On the other hand, MAB fits devices that are not particularly versed in such lofty matters as 802.1X or, especially, NAP: printers (although many printers can do 802.1X), network scanners, video recorders, refrigerators ...

Knowing which devices are used in the network, a suitable addressing scheme was developed for it, with corresponding VLANs. I.e. printers were given a separate subnet and VLAN, say 5. User computers have their own subnet and VLAN, say 6. The number of VLANs and subnets depends on how finely you need to differentiate access and whether it is worth it.
VLANs, and this is important, are assigned dynamically: whichever socket the user plugs into, he gets access to his own network (provided, of course, he has the appropriate "permissions" and satisfies the given policies). The same goes for the other devices. A random passer-by gets rejected at every socket.

Next, RADIUS servers were deployed and pointed at Active Directory. In AD, special groups were created, to which computer accounts are added (depending on the department, division, ... or the required level of access).
Also in AD, user accounts are created corresponding to the devices that do not understand NAP and 802.1X and will pass through MAB. During testing and configuration, the only thing I managed to find on the Internet about authorization by MAC address (in particular, on the Microsoft website) was an article titled MAC Address Authorization, following which MAB is NOT set up. It can be configured like this:

The user accounts created for devices are also added to specially created groups: for example, printers, scanners, thin clients, floor-heating sensors ...
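One way to create those device accounts in bulk, as an added example that is not part of the original article: the MAC is normalized to the form the switch sends as the RADIUS user name, the account is created with reversible password storage (MAB uses PAP, so NPS must be able to read the plaintext), and the account is put into the group for its device type. The OU distinguished names, the MAB-* group names, the sample inventory and the assumption that the switch sends 12 lowercase hex digits with no separators (the Cisco default; confirm with the `mab request format` setting on your IOS) are all placeholders or assumptions of this example.

```powershell
# Added example, not from the original article: bulk-create AD user accounts
# for MAB devices. Requires the RSAT ActiveDirectory module and an account
# allowed to create users in the target OUs.
Import-Module ActiveDirectory

# Constructed sample inventory; replace with an export from your CMDB.
$devices = @(
    @{ Mac = '00:11:22:33:44:55'; Type = 'Printers';    Description = 'HP LaserJet, 2nd floor' },
    @{ Mac = '0011.2233.4466';    Type = 'Scanners';    Description = 'Network scanner, archive' },
    @{ Mac = '00-11-22-33-44-77'; Type = 'ThinClients'; Description = 'Thin client, reception' }
)

# Placeholder OUs, one per device type; adjust to your directory.
$ouByType = @{
    Printers    = 'OU=Printers,OU=MAB Devices,DC=example,DC=local'
    Scanners    = 'OU=Scanners,OU=MAB Devices,DC=example,DC=local'
    ThinClients = 'OU=Thin Clients,OU=MAB Devices,DC=example,DC=local'
}

function ConvertTo-MabUsername {
    # Strip any separator style (":", "-", ".") and lower-case the result,
    # which is the user name format assumed for the switch's MAB requests.
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return $hex
}

foreach ($d in $devices) {
    $name = ConvertTo-MabUsername $d.Mac
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Verbose "$name already exists, skipping"
        continue
    }
    # Create the account with reversible encryption enabled first ...
    New-ADUser -Name $name -SamAccountName $name -Path $ouByType[$d.Type] `
        -Description $d.Description -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -AllowReversiblePasswordEncryption $true
    # ... and only then set the password (the MAC itself), so that it is
    # stored in the reversible form PAP authentication needs.
    $pw = ConvertTo-SecureString $name -AsPlainText -Force
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $pw
    # Group names are placeholders; NPS policies match on these groups.
    Add-ADGroupMember -Identity "MAB-$($d.Type)" -Members $name
}
```

Since the "password" of each of these accounts is simply a MAC address that is visible on the wire, keep them good for nothing but the RADIUS check: put the MAB groups into the "Deny log on locally", "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network" user rights via GPO, give them no other group memberships, and keep the MAB VLANs as restricted as the device's function allows.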

Next, RADIUS clients are set up on the RADIUS servers, i.e. the switches from which authentication and authorization requests will come.

When NAP had only just appeared, we began deploying it on Windows 2008 Standard and very quickly, even in our small organization, ran into a limitation of this edition: the Standard edition with the NPS role (Network Policy Server, which in our case is also the RADIUS server) supports only 50 RADIUS clients. Of course, this is written in the manuals, but somehow it was in the fine print, and so it was.

In addition to RADIUS clients, the corresponding rules are created on the servers for both NAP and MAB. The rules look roughly like this: if the request came from subnet xxx.xxx.xxx.xxx, and the client belongs to AD group YYY, and it also meets all the requirements of a specific policy (for example, a working antivirus with current databases and a firewall enabled for all network connections), then full access to the network is granted: VLAN ZZZ.
For MAB the policy is the same, only without the health check, and membership of a specific user group, rather than a computer group, is what gets checked.

As mentioned above, PAP is used for MAB and PEAP for NAP. PEAP deserves particular attention, or one day it will bite you. The point is that PEAP relies on a server certificate, in our case a RAS and IAS Server certificate. Certificates have a remarkable property: one day they expire. Therefore, take care in advance of an autoenrollment policy for the corresponding certificates on the NPS servers, since otherwise tens, hundreds or perhaps thousands of users risk being left without network access (depending on the size of the organization and the degree of NAP penetration).
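Autoenrollment is the fix; a check that it is actually keeping up is the safety net. The script below is an added example, not from the original article: run on an NPS server, it lists every certificate in the machine store that carries the Server Authentication EKU (the one PEAP needs) and flags those that have expired or will expire within a threshold, exiting non-zero so a monitoring job can alert. The 30-day threshold and the assumption that the PEAP certificate lives in `Cert:\LocalMachine\My` are this example's own.

```powershell
# Added example, not from the original article: warn before the PEAP server
# certificate on an NPS server expires. Run locally on each NPS server or
# wrap in Invoke-Command. The threshold is an assumed default.
param([int]$WarnDays = 30)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-ServerAuthCertificate {
    # Every certificate in the machine store whose EKU extension includes
    # Server Authentication; PEAP on NPS can only use such a certificate.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
}

function Test-NpsCertificateExpiry {
    param([int]$Days)
    $now = Get-Date
    foreach ($c in Get-ServerAuthCertificate) {
        $left = ($c.NotAfter - $now).Days
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            DaysLeft   = $left
            Status     = if ($left -lt 0) { 'EXPIRED' }
                         elseif ($left -le $Days) { 'EXPIRING' }
                         else { 'OK' }
        }
    }
}

$report = Test-NpsCertificateExpiry -Days $WarnDays
$report | Format-Table -AutoSize
# Non-zero exit code so a scheduled task or monitoring agent can alert on it.
if ($report | Where-Object Status -ne 'OK') { exit 2 }
```

If the report shows an expiring certificate and autoenrollment is configured, `certutil -pulse` on the NPS server triggers an autoenrollment pass immediately instead of waiting for the next Group Policy refresh; after renewal, make sure the PEAP settings of the network policy point at the new certificate rather than the old one.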

Next comes the configuration of the network equipment. It is important that the switches support 802.1X, otherwise the trick will not work. In our small organization Cisco devices are used everywhere, but even with them there were problems: the necessary support appeared only in later IOS versions.

All you need to do on the switches is:
- specify the RADIUS server and shared key;
- configure the necessary ports.

Example (the original snippet, with the interface name typo fixed and the two AAA lines the switch needs for this to work added):

```
! AAA must be enabled before the "aaa authentication" command is accepted
aaa new-model
aaa authentication dot1x default group radius
! Without network authorization the switch ignores the VLAN sent by the RADIUS server
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernetX/X/X
 switchport mode access
 ! try MAB first, then 802.1X
 authentication order mab dot1x
 authentication port-control auto
 mab
 ! VLAN for clients that never answer EAP
 dot1x guest-vlan XXX
 spanning-tree portfast
!
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 key XXX
```


That is all there is to configure on the network equipment.

However, for all this to work, some settings must also be made on the client computers. Namely, the Network Access Protection Agent and Wired AutoConfig services must be set to start automatically; by default they are set to Manual.
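The client-side step, as an added example that is not from the original article: the two services are set to Automatic and started, the EAP enforcement client of the NAP agent is enabled so the health state actually travels inside the 802.1X exchange, and the result is shown for verification. The service names (`dot3svc` for Wired AutoConfig, `napagent` for the NAP agent) are the real ones on Windows Vista through 8.1; the enforcement-client id 79623 should be checked against the output of `netsh nap client show configuration` on your build. Note that the NAP client does not exist on Windows 10 and later, so this applies to the client generation the article was written for.

```powershell
# Added example, not from the original article: prepare a Windows client for
# wired 802.1X with NAP. Run in an elevated PowerShell session.
$services = 'dot3svc', 'napagent'   # Wired AutoConfig, Network Access Protection Agent

foreach ($svc in $services) {
    # Both services default to Manual; 802.1X needs them up at boot.
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# Enable the EAP quarantine enforcement client so the statement of health is
# sent over 802.1X. Id 79623 is the EAP enforcement client; verify it with
# "netsh nap client show configuration" before relying on it.
netsh nap client set enforcement id=79623 admin=enable

# Verification: both services running and Automatic, EAP enforcement enabled.
Get-Service -Name $services | Select-Object Name, Status, StartType
netsh nap client show state
```

For a fleet the same three settings belong in Group Policy (System Services for the two services, and Network Access Protection under Security Settings for the enforcement client) rather than in a script run per machine.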

One quirk was noticed: when computers connect to the network through Cisco IP phones of quite different models, a situation periodically arises in which the phone blocks EAP packets from passing through. On some phones this is cured by enabling the SPAN to PC port setting. Many phones do not have this setting, so one has to connect to the network bypassing the phone, or restart the phone. Whether other vendors have similar goodies is unknown; we only use Cisco.

As a result, we get good protection of our network already at the stage of an attempt to connect to it. We move away from things like port-security or shut-down ports. As a bonus we get dynamically assigned VLANs.

All in all, the technology can be said to be not bad and quite workable.
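Protection at the socket is only as good as the visibility of what got refused there. As an added example, not from the original article: NPS records every denied RADIUS request as Security event 6273 on the NPS server (granted ones are 6272), and the script below parses the fields a network admin cares about from the event text and summarizes refusals per switch and reason. The field labels are those of the English message text and should be checked against one of your own events; the sample message is constructed so the parser can be tried without an NPS server at hand.

```powershell
# Added example, not from the original article: summarize NPS denials
# (Security event 6273) by switch and reason code.

function ConvertFrom-NpsMessage {
    # Pull the named "Label: value" lines out of an NPS event message.
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($label in 'Account Name', 'Calling Station Identifier',
                       'Client Friendly Name', 'Authentication Type',
                       'Reason Code', 'Reason') {
        $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.*?)\s*$'
        $fields[$label] = if ($Message -match $pattern) { $Matches[1] } else { '-' }
    }
    [pscustomobject]@{
        Account    = $fields['Account Name']
        CallingMac = $fields['Calling Station Identifier']
        Switch     = $fields['Client Friendly Name']
        AuthType   = $fields['Authentication Type']
        ReasonCode = $fields['Reason Code']
        Reason     = $fields['Reason']
    }
}

function Get-NpsDenial {
    # Live events from the local Security log; run on the NPS server.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-NpsMessage $_.Message |
                Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample, laid out like a real 6273 message, for trying the parser offline.
$sample = @"
Network Policy Server denied access to a user.
User:
    Account Name:               001122334455
Client Machine:
    Calling Station Identifier: 00-11-22-33-44-55
RADIUS Client:
    Client Friendly Name:       sw-floor2
Authentication Details:
    Authentication Type:        PAP
    Reason Code:                16
    Reason:                     Authentication failed due to a user credentials mismatch.
"@
ConvertFrom-NpsMessage $sample

# Live use: which switches see the most refusals in the last day, and why.
Get-NpsDenial | Group-Object Switch, ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A MAB account that keeps failing with a credentials mismatch usually means a device whose MAC was entered in the wrong format or never added; a burst of denials from one switch with unfamiliar MACs is exactly the "random passer-by" case the article describes, and worth a look at who is plugging in there.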

Source: https://habr.com/ru/post/124697/
