802.1X and Faucet – Michael Baird (Michael.Baird@ecs.vuw.ac.nz) – PowerPoint presentation

SLIDE 1

802.1X and Faucet

Michael Baird

Michael.Baird@ecs.vuw.ac.nz

19-10-2017 FAUCET Conference

SLIDE 2

Outline

  • Introduction to 802.1X
  • Design
  • Implementation
  • Example configs/demo
  • Future work

SLIDE 3

Introduction – IEEE 802.1X

  • Port-Based Network Access Control
  • Framework for EAP
  • Wired/WiFi

[Figure: Supplicant (Client) – Authenticator (Switch) – Authentication Server (RADIUS Server)]

SLIDE 4

Design Goals

  • NFV-ed 802.1X
  • Switch doesn’t need to support 1X.
  • Any RADIUS server.
  • >25 EAP Methods
  • Fail secure

SLIDE 5

Implementation

SLIDE 6

Implementation

SLIDE 7

Implementation

SLIDE 8

Implementation

[Figure: Authenticator, Supplicants, Authentication Server]

SLIDE 9

Implementation

SLIDE 10

Implementation

SLIDE 11

Implementation – Interprocess Communication

[Figure: hostapd – Auth_App – Faucet]

hostapd – Auth_App:
  • UNIX Socket (same machine)
  • UDP Socket (network)
  • Receive events on station state changes (Success, Logoff, …)
  • Request client data (Username, ACL names, …)

Auth_App – Faucet:
  • Config file & SIGHUP – to Faucet: ACLs to apply
  • Prometheus – from Faucet: MAC – Port learning table

SLIDE 12

Implementation – 1X Redirect #1 (client initiates authentication)

[Figure: client frame before rewrite – Eth_src: C, Eth_dst: 1X, Eth_type: 1X; after rewrite – Eth_src: C, Eth_dst: H, Eth_type: 1X]

SLIDE 13

Implementation – 1X Redirect #2 (client implicit authentication request)

[Figure: client frame before rewrite – Eth_src: C, Eth_dst: B, Eth_type: DHCP; after rewrite – Eth_src: C, Eth_dst: H, Eth_type: DHCP]

SLIDE 14

Implementation – 1X Redirect #2 (client implicit authentication request)

[Figure: reply from hostapd, same headers on both sides – Eth_src: H, Eth_dst: C, Eth_type: 1X; Eth_src: H, Eth_dst: C, Eth_type: 1X]

SLIDE 15

Implementation - ACLs

faucet.yaml
  acls:
    no_smtp:
      - rule:
          dl_src: 00:00:00:00:00:01
          dl_type: 0x800    # ipv4
          nw_proto: 6       # tcp
          tcp_dst: 25       # smtp
          actions:
            allow: 0        # drop
      - rule:
          dl_src: 00:00:00:00:00:01
          dl_type: 0x86dd   # ipv6
          nw_proto: 6       # tcp
          tcp_dst: 25       # smtp
          actions:
            allow: 0        # drop

  • Matches:
    • Ethernet, VLAN, IP, TCP/UDP, …
  • Actions:
    • Drop, allow, output port, mirror, change VLAN, …

SLIDE 16

Implementation - ACLs

faucet.yaml
  …
  faucet-1:
    interfaces:
      1:
        name: network
        native_vlan: 100
      2:
        name: h0
        native_vlan: 100
        acl_in: port_faucet-1_3
      3:
        name: h1
        native_vlan: 100
        acl_in: port_faucet-1_4
      4:
        name: hostapd
        native_vlan: 100

  • Each port has a unique ACL
    • port_<dp name>_<port #>

SLIDE 17

Implementation - ACLs

[Figure: ACL data flow – rules.yaml (defines high level ACLs); radius (maps user to high level ACLs); base-acls.yaml (static ACLs + marker); faucet-acls.yaml (dynamic rules + authentication state + static ACLs); faucet (updates openflow tables)]

SLIDE 18

Implementation - ACLs

  • RADIUS Attribute Vendor-Specific “Faucet-ACL-Names”
    • List of ACL names
    • Limited to 255 characters
    • Applied in list order (first = highest priority)
    • “No-SMTP, No-SSH, No-ICMP, Allow-All”
    • “Student”

SLIDE 19

Implementation - ACLs

rules.yaml
  acls:
    no-smtp:
      _auth-port_:
        - rule:
            _name_: _user-name_
            _mac_: _user-mac_
            dl_src: _user-mac_
            dl_type: 0x800    # ipv4
            nw_proto: 6       # tcp
            tcp_dst: 25       # smtp
            actions:
              allow: 0        # drop
      port_faucet-1_3:
        - rule:
            _name_: _user-name_
            _mac_: _user-mac_
            dl_dst: _user-mac_
            dl_type: 0x800    # ipv4
            actions:
              allow: 1        # allow

  • Matches:
    • Ethernet, VLAN, IP, TCP/UDP, …
  • Actions:
    • Drop, allow, output port, mirror, change VLAN, …
  • Runtime insertion of the authenticated client's username & MAC address
  • Rule lists have two ‘types’:
    • Runtime auth port – apply rules to the ACL that belongs to the port authentication occurred on.
    • ACL name – any other Faucet ACL.
  • YAML Anchors

SLIDE 21

Implementation - ACLs

rules.yaml
  acls:
    block-smtp: &block-smtp
      - rule:
          _name_: _user-name_
          _mac_: _user-mac_
          dl_src: _user-mac_
          dl_type: 0x800    # ipv4
          nw_proto: 6       # tcp
          tcp_dst: 25       # smtp
          actions:
            allow: 0        # drop
  …
  acls:
    student:
      _auth-port_:
        *block-smtp
        *block-ssh
        *allow-all

SLIDE 22

Implementation - ACLs

‘Base-ACLs’
  • Base-ACLs -> Faucet-ACLs
  • Marker – where new rules (host authorisation) are applied.
  • State of what rules belong to which user & MAC
  • Allows YAML anchors

base-acls.yaml
  acls:
    port_faucet-1_4:
      - rule:
          dl_type: 0x888e
          actions:
            allow: 1
            output:
              dl_dst: '44:44:44:44:44:44'
      - authed-rules
      - rule:
          _name_: michael
          _mac_: '00:00:00:00:00:01'
          dl_dst: '00:00:00:00:00:01'
          dl_type: 0x800    # ipv4
          actions:
            allow: 1        # allow
      - rule:
          actions:
            allow: 1
            output:
              dl_dst: '44:44:44:44:44:44'
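
The rule pipeline of slides 17 to 22 (RADIUS "Faucet-ACL-Names" list, rules.yaml templates with _user-name_/_user-mac_ placeholders and the _auth-port_ target, base-acls.yaml with its "authed-rules" marker, and the Base-ACLs -> Faucet-ACLs step), as an added Python example that is not part of the deck and not the Bairdo/faucet or hostapd code. The YAML files are represented as Python dicts/lists so it runs without PyYAML; the "allow-all" template, the hostapd MAC value, case-insensitive matching of attribute names to rules.yaml keys, and the event-handler function names are assumptions made for the example.

```python
# Added example: a minimal model of the auth_app ACL pipeline (slides 17-22).
# The YAML from the slides is written as Python dicts/lists so the example runs
# without PyYAML; a real auth_app would yaml.safe_load / yaml.safe_dump these files.
import copy
import re

MARKER = "authed-rules"          # marker list item from base-acls.yaml (slide 22)
MAX_ACL_NAMES_LEN = 255          # limit of the Faucet-ACL-Names attribute (slide 18)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOSTAPD_MAC = "44:44:44:44:44:44"   # value shown on slide 22 (assumed to be hostapd's port)

# rules.yaml (slides 19-21): high-level ACL name -> { target -> rule templates }.
# "_auth-port_" targets the ACL of the port authentication occurred on; any other
# key names a Faucet ACL directly. _user-name_/_user-mac_ are filled in at runtime.
RULES = {
    "no-smtp": {
        "_auth-port_": [{"rule": {
            "_name_": "_user-name_", "_mac_": "_user-mac_", "dl_src": "_user-mac_",
            "dl_type": 0x800, "nw_proto": 6, "tcp_dst": 25, "actions": {"allow": 0}}}],
        "port_faucet-1_3": [{"rule": {
            "_name_": "_user-name_", "_mac_": "_user-mac_", "dl_dst": "_user-mac_",
            "dl_type": 0x800, "actions": {"allow": 1}}}],
    },
    "allow-all": {   # constructed for this example, not shown on the slides
        "_auth-port_": [{"rule": {
            "_name_": "_user-name_", "_mac_": "_user-mac_", "dl_src": "_user-mac_",
            "actions": {"allow": 1}}}],
    },
}

# base-acls.yaml (slide 22) before anyone has authenticated: EAPOL (0x888e) and all
# other traffic from the unauthenticated port are output to hostapd's MAC.
BASE_ACLS = {
    "port_faucet-1_4": [
        {"rule": {"dl_type": 0x888e,
                  "actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
        MARKER,
        {"rule": {"actions": {"allow": 1, "output": {"dl_dst": HOSTAPD_MAC}}}},
    ],
    "port_faucet-1_3": [MARKER],
}


def parse_acl_names(attr):
    """Split the Faucet-ACL-Names attribute; reject oversize or unknown values so
    that nothing is applied for a bad attribute (fail secure)."""
    if len(attr) > MAX_ACL_NAMES_LEN:
        raise ValueError("Faucet-ACL-Names longer than 255 characters")
    names = [n.strip().lower() for n in attr.split(",") if n.strip()]
    unknown = [n for n in names if n not in RULES]
    if unknown:
        raise KeyError("unknown ACL names: %s" % unknown)
    return names


def instantiate(template, username, mac):
    """Fill the _user-name_ / _user-mac_ placeholders of one rule template."""
    subst = {"_user-name_": username, "_user-mac_": mac}
    return {"rule": {k: (subst.get(v, v) if isinstance(v, str) else v)
                     for k, v in template["rule"].items()}}


def rules_for_user(acl_names, username, mac, auth_port_acl):
    """Expand ACL names in list order (first = highest priority) per Faucet ACL."""
    out = {}
    for name in acl_names:
        for target, templates in RULES[name].items():
            faucet_acl = auth_port_acl if target == "_auth-port_" else target
            out.setdefault(faucet_acl, []).extend(
                instantiate(t, username, mac) for t in templates)
    return out


def authorise(base_acls, username, mac, acl_attr, auth_port_acl):
    """Auth success event: return new base-acls with the user's rules inserted right
    after the authed-rules marker. The input is never mutated, so an error leaves the
    last good state untouched."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address %r" % mac)
    new_rules = rules_for_user(parse_acl_names(acl_attr), username, mac, auth_port_acl)
    base = copy.deepcopy(base_acls)
    for faucet_acl, rules in new_rules.items():
        acl = base.setdefault(faucet_acl, [MARKER])
        if MARKER not in acl:
            raise ValueError("%s has no %s marker" % (faucet_acl, MARKER))
        at = acl.index(MARKER) + 1
        acl[at:at] = rules
    return base


def deauthorise(base_acls, mac):
    """Logoff event: drop every rule that was inserted for this MAC."""
    base = copy.deepcopy(base_acls)
    for acl in base.values():
        acl[:] = [e for e in acl if e == MARKER or e["rule"].get("_mac_") != mac]
    return base


def to_faucet_acls(base_acls):
    """Base-ACLs -> Faucet-ACLs: strip the marker and the _name_/_mac_ bookkeeping
    keys, which belong to auth_app's state and not to faucet-acls.yaml."""
    return {name: [{"rule": {k: v for k, v in e["rule"].items() if not k.startswith("_")}}
                   for e in acl if e != MARKER]
            for name, acl in base_acls.items()}


if __name__ == "__main__":
    state = authorise(BASE_ACLS, "michael", "00:00:00:00:00:01",
                      "No-SMTP, Allow-All", "port_faucet-1_4")
    for acl_name, acl in to_faucet_acls(state).items():
        print(acl_name, acl)
    assert deauthorise(state, "00:00:00:00:00:01") == BASE_ACLS
```

Because authorise and deauthorise return a fresh structure instead of editing in place, a rejected attribute or a malformed MAC leaves the previously written base-acls (and so the running faucet-acls.yaml) unchanged, which is the "reload last good" behaviour the Fail Secure slide asks of auth_app.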

SLIDE 23

Fail Secure

  • Faucet – network should stay the same.
  • auth_app – either reset config or reload last good.
  • Switch – Faucet applies latest config.

SLIDE 24

Example

SLIDE 25

Demo

  • H1 windows for ping.
  • H1 windows for running logon and logoff.
  • Wireshark on all switch interfaces – showing MAC rewrite.
  • Bring up the changed base ACL/original.

SLIDE 31

Future Work

  • Link state events.
  • Flexibility
  • Single authentication server for many switches.
  • RADIUS Accounting
  • PacketFence (dynamically allocate to VLANs)
  • MACsec (offload crypto to NFV host)
  • Richer ACLs (VUW policy language)

SLIDE 32

Thanks

SLIDE 33

References & Links

Hostapd
  https://github.com/Bairdo/hostapd-d1xf/tree/faucet-tests
  https://w1.fi/hostapd/
Auth_App/Faucet
  https://github.com/Bairdo/faucet/tree/radius-acls

SLIDE 34

Extra Slides

SLIDE 35

Link State Events

  • Listen for Ryu link event messages
  • Switch port goes down – all clients on that port should reauth