
802.1X and Faucet, Michael Baird, Michael.Baird@ecs.vuw.ac.nz



  1. 802.1X and Faucet Michael Baird Michael.Baird@ecs.vuw.ac.nz 19-10-2017 FAUCET Conference

  2. Outline
    • Introduction to 802.1X
    • Design
    • Implementation
    • Example configs/demo
    • Future work

  3. Introduction – IEEE 802.1X
    • Port-Based Network Access Control
    • Framework for EAP
    • Wired/WiFi
    (diagram labels: Supplicant = Client, Authenticator = Switch, Authentication Server = RADIUS Server)

  4. Design Goals
    • NFV-ed 802.1X
    • Switch doesn’t need to support 1X.
    • Any RADIUS server.
    • >25 EAP Methods
    • Fail secure

  5. Implementation (diagram)

  6. Implementation (diagram)

  7. Implementation (diagram)

  8. Implementation (diagram labels: Supplicants, Authenticator, Authentication Server)

  9. Implementation (diagram)

  10. Implementation (diagram)

  11. Implementation – Interprocess Communication
    hostapd <-> Auth_App:
      - UNIX socket (same machine) or UDP socket (network)
      - Receive events on station state (Success, Logoff, …)
      - Request client data (Username, ACL names, …)
    Auth_App <-> Faucet:
      - To Faucet: config file & SIGHUP; ACLs to apply
      - From Faucet: Prometheus; MAC – port learning table changes

  12. Implementation – 1X Redirect #1 (client initiates authentication)
    Frame from the client:          Eth_src: C, Eth_dst: 1X, Eth_type: 1X
    After Faucet rewrites Eth_dst:  Eth_src: C, Eth_dst: H,  Eth_type: 1X

  13. Implementation – 1X Redirect #2 (client implicit authentication request)
    Frame from the client:          Eth_src: C, Eth_dst: B, Eth_type: DHCP
    After Faucet rewrites Eth_dst:  Eth_src: C, Eth_dst: H, Eth_type: DHCP

  14. Implementation – 1X Redirect #2 (client implicit authentication request)
    Reply from hostapd to the client (not rewritten):
      Eth_src: H, Eth_dst: C, Eth_type: 1X

  15. Implementation - ACLs
    • Matches: Ethernet, VLAN, IP, TCP/UDP, …
    • Actions: Drop, allow, output port, mirror, change VLAN, …
    faucet.yaml:
      acls:
        no_smtp:
          - rule:
              dl_src: 00:00:00:00:00:01
              dl_type: 0x800 # ipv4
              nw_proto: 6 # tcp
              tcp_dst: 25 # smtp
              actions:
                allow: 0 # drop
          - rule:
              dl_src: 00:00:00:00:00:01
              dl_type: 0x86dd # ipv6
              nw_proto: 6 # tcp
              tcp_dst: 25 # smtp
              actions:
                allow: 0 # drop

  16. Implementation - ACLs
    • Each port has a unique ACL: port_<dp name>_<port #>
    faucet.yaml:
      …
      faucet-1:
        interfaces:
          1:
            name: network
            native_vlan: 100
          2:
            name: h0
            native_vlan: 100
            acl_in: port_faucet-1_3
          3:
            name: h1
            native_vlan: 100
            acl_in: port_faucet-1_4
          4:
            name: hostapd
            native_vlan: 100

  17. Implementation - ACLs (diagram: maps the user's RADIUS reply to high level ACLs)
    rules.yaml (defines high level ACLs) + base-acls.yaml (static ACLs + marker)
      -> auth_app adds dynamic rules + authentication state + static ACLs
      -> faucet-acls.yaml
      -> Faucet updates OpenFlow tables

  18. Implementation - ACLs
    • RADIUS Attribute Vendor-Specific “Faucet-ACL-Names”
    • List of ACL names
    • Limited to 255 characters
    • Applied in list order (first = highest priority)
    • “No-SMTP, No-SSH, No-ICMP, Allow-All”
    • “Student”

  19. Implementation - ACLs
    • Matches: Ethernet, VLAN, IP, TCP/UDP, …
    • Actions: Drop, allow, output port, mirror, change VLAN, …
    • Runtime insertion of the authenticated client's username & MAC address
    • Rule lists have two ‘types’:
      - Runtime auth port – apply rules to the ACL that belongs to the port the authentication occurred on.
      - ACL name – any other Faucet ACL.
    • YAML Anchors
    rules.yaml:
      acls:
        no-smtp:
          _auth-port_:
            - rule:
                _name_: _user-name_
                _mac_: _user-mac_
                dl_src: _user-mac_
                dl_type: 0x800 # ipv4
                nw_proto: 6 # tcp
                tcp_dst: 25 # smtp
                actions:
                  allow: 0 # drop
          port_faucet-1_3:
            - rule:
                _name_: _user-name_
                _mac_: _user-mac_
                dl_dst: _user-mac_
                dl_type: 0x800 # ipv4
                actions:
                  allow: 1 # allow

  21. Implementation - ACLs
    • Matches: Ethernet, VLAN, IP, TCP/UDP, …
    • Actions: Drop, allow, output port, mirror, change VLAN, …
    • Runtime insertion of the authenticated client's username & MAC address
    • Rule lists have two ‘types’:
      - Runtime auth port – apply rules to the ACL that belongs to the port the authentication occurred on.
      - ACL name – any other Faucet ACL.
    • YAML Anchors
    rules.yaml:
      acls:
        block-smtp: &block-smtp
          - rule:
              _name_: _user-name_
              _mac_: _user-mac_
              dl_src: _user-mac_
              dl_type: 0x800 # ipv4
              nw_proto: 6 # tcp
              tcp_dst: 25 # smtp
              actions:
                allow: 0 # drop
      …
      acls:
        student:
          _auth-port_:
            *block-smtp
            *block-ssh
            *allow-all

  22. Implementation - ACLs
    ‘Base-ACLs’
    • Base-ACLs -> Faucet-ACLs
    • Marker – where new rules (host authorisation) are applied.
    • State of what rules belong to which user & MAC
    • Allows YAML anchors
    base-acls.yaml:
      acls:
        port_faucet-1_4:
          - rule:
              dl_type: 0x888e
              actions:
                allow: 1
                output:
                  dl_dst: '44:44:44:44:44:44'
          - authed-rules
          - rule:
              _name_: michael
              _mac_: '00:00:00:00:00:01'
              dl_dst: '00:00:00:00:00:01'
              dl_type: 0x800 # ipv4
              actions:
                allow: 1 # allow
          - rule:
              actions:
                allow: 1
                output:
                  dl_dst: '44:44:44:44:44:44'
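The following is an added example, not the talk's auth_app code, showing how the pieces on slides 19 to 22 fit together: a rules.yaml template with `_auth-port_`, `_user-name_` and `_user-mac_` placeholders, the RADIUS Faucet-ACL-Names list, and the `authed-rules` marker in base-acls.yaml. The configs are written as already-parsed YAML (Python dicts) so it runs without PyYAML; the sample rules, ACL names, MACs and the assumption that `_name_`/`_mac_` are stripped before the ACL reaches Faucet are constructed here.

```python
import copy
AUTH_PORT = "_auth-port_"   # rules.yaml target: "the ACL of the port the user authed on"
MARKER = "authed-rules"     # base-acls.yaml entry marking where host rules are inserted

# rules.yaml as parsed YAML (constructed sample in the format the slides show)
RULES = {
    "no-smtp": {AUTH_PORT: [{"rule": {
        "_name_": "_user-name_", "_mac_": "_user-mac_", "dl_src": "_user-mac_",
        "dl_type": 0x800, "nw_proto": 6, "tcp_dst": 25, "actions": {"allow": 0}}}]},
    "allow-all": {AUTH_PORT: [{"rule": {
        "_name_": "_user-name_", "_mac_": "_user-mac_", "dl_src": "_user-mac_",
        "actions": {"allow": 1}}}]},
}
# base-acls.yaml for one port (constructed): redirect EAPOL (0x888e) to hostapd,
# then the marker, then send everything else to hostapd to trigger an auth request
HOSTAPD_MAC = "44:44:44:44:44:44"
BASE = {"port_faucet-1_3": [
    {"rule": {"dl_type": 0x888e, "actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
    MARKER,
    {"rule": {"actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
]}

def _fill(template, user, mac):
    """Substitute the _user-name_ / _user-mac_ placeholders in one rule."""
    subst = {"_user-name_": user, "_user-mac_": mac}
    return {"rule": {k: subst.get(v, v) if isinstance(v, str) else copy.deepcopy(v)
                     for k, v in template["rule"].items()}}

def authorise(base, rules, port_acl, user, mac, acl_names):
    """acl_names is the RADIUS Faucet-ACL-Names list; first = highest priority,
    so each ACL's rules go just before the marker in the order given."""
    out = copy.deepcopy(base)
    for name in acl_names:
        for target, rule_list in rules[name].items():
            dest = out.setdefault(port_acl if target == AUTH_PORT else target, [MARKER])
            idx = dest.index(MARKER) if MARKER in dest else len(dest)
            dest[idx:idx] = [_fill(r, user, mac) for r in rule_list]
    return out

def logoff(acls, user, mac):
    """Drop every rule tagged with this user's _name_/_mac_ state (EAPOL-Logoff)."""
    return {n: [r for r in rl if r == MARKER or
                (r["rule"].get("_name_"), r["rule"].get("_mac_")) != (user, mac)]
            for n, rl in copy.deepcopy(acls).items()}

def to_faucet(acls):
    """faucet-acls.yaml content: strip the marker and the _name_/_mac_ state keys (assumption)."""
    return {"acls": {n: [{"rule": {k: v for k, v in r["rule"].items() if not k.startswith("_")}}
                         for r in rl if r != MARKER] for n, rl in acls.items()}}
```

After `authorise(...)` the result keeps the marker and state so a later `logoff` can remove exactly that user's rules, while `to_faucet` produces the cleaned mapping that would be written out and reloaded with SIGHUP.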

  23. Fail Secure
    • Faucet - network should stay the same.
    • auth_app - Either reset config or reload last good.
    • Switch – Faucet applies latest config.

  24. Example 24

  25. Demo
    • H1 windows for ping.
    • H1 windows for running logon and logoff.
    • Wireshark all switch interfaces – showing mac rewrite.
    • Bring up the changed base acl/original

  26. Future Work
    • Link state events.
    • Flexibility
    • Single authentication server for many switches.
    • RADIUS Accounting
    • PacketFence (dynamically allocate to vlans)
    • MACSEC (offload crypto to NFV host)
    • Richer ACLs (VUW policy language)

  27. Thanks 32

  28. References & Links
    Hostapd: https://github.com/Bairdo/hostapd-d1xf/tree/faucet-tests, https://w1.fi/hostapd/
    Auth_App/Faucet: https://github.com/Bairdo/faucet/tree/radius-acls

  29. Extra Slides 34

  30. Link State Events
    • Listen for Ryu Link event Messages
    • Switch port goes down – all on that port should reauth
