Postings are a little slow lately because I’ve just been to my first Cisco Networkers conference. I did meet a guy, Paul, at a techtorial and we were discussing 802.1x. Paul’s problem was how to deal with re-imaging.
Fortunately I’d already tackled and documented that issue and was able to email my document to him. Extrapolating from the fact that one person found it useful, I thought I might re-write it as a series of blog posts here. At least Google will index it for others to find. If you can’t wait for the blog posts to finish, leave a comment with your email address (obfuscated) and I’ll send you the whole document.
Port-based network access control is defined by the dot1x standard as a means of authenticating devices attached to the network edge, and preventing access to the port where authentication
Dot1x defines three roles within the port-based access control system.
- Authenticator – usually a switch port that is configured to require authentication before passing traffic.
- Supplicant – the device that requires access to the network. The supplicant function is performed by software, either as part of the operating system (Windows XP), as an add-on provided by companies such as Juniper/Funk and Cisco/Meetinghouse, or open source such as Xsupplicant.
- Authentication Server – checks the credentials of the supplicant on behalf of the authenticator. The authentication is usually performed via RADIUS.
The preboot execution environment (PXE) is an essential part of the re-imaging process. PXE is built into the computer BIOS to allow network boot and automatic download of software images and configuration parameters. Unfortunately, the PXE environment has no supplicant or credentials with which to authenticate. The switch port will attempt to initiate authentication, performing a number of retries before timing out and leaving the port in the unauthenticated state. The computer can neither obtain a DHCP address nor perform boot server discovery to obtain a boot image.
Our options at this point are:
- Move the computer to a port in a physically secure location with dot1x disabled.
- Have the network administrator disable dot1x on the port, and enable dot1x again when re-imaging is completed.
EDITED TO ADD: Kevin’s comment points out a third option, MAC Authentication Bypass. I’ll write more on that after I have finished this series of posts.
Drawbacks of Option 1 – Computer relocations are extremely unpopular amongst helpdesk staff charged with re-imaging computers. Also, this option doesn’t scale well when deploying a new image across the whole organisation.
Drawbacks of Option 2 – Enabling and disabling dot1x on the port by hand will almost certainly fail. Ultimately someone will forget to re-enable dot1x on the port, and the number of unsecured ports will increase over time. The dot1x security will eventually become like Swiss cheese.
An automated method that is part of the re-imaging operation is required. If your re-imaging program allows scripting (like Altiris in this example) then a completely automated solution is possible.
SNMP to the Rescue
The essence of the solution is to use Altiris scripting to perform SNMP operations during the re-imaging job. SNMP is used to temporarily disable dot1x authentication on the switch port until the image is delivered. But the security versus utility tradeoff also comes into play here. Compromises made for this solution are listed below.
- SNMP must be enabled on the edge switches where the computers to be re-imaged connect.
- SNMP read and write access must be granted to the Altiris deployment server.
- The SNMP read and write community names for the switches are stored in plain text in the Altiris scripts.
The only protections we can apply are SNMP access control lists on the switches, and ensuring operating system and file system security is set appropriately on the Altiris server. Re-imaging is optionally performed in a VLAN that has limited connectivity in the local network. This protects to some extent against a failure to re-enable dot1x on the switch port. Firewall rules or access control lists on the switches are used to achieve this.
The process of configuring a port for re-imaging consists of five steps.
- Obtain a list of VLANs on the switch.
- Use the MAC address to identify the bridge port number associated with the port.
- Use the bridge port number to identify the interface index of the port to which the computer is connected.
- Use the interface index to set dot1x port control.
- Use the interface index to set the VLAN. (Optional, only if re-imaging VLANs are used)
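As an added example (not code from this post, whose own functions will be VBScript), here are the five steps as Python functions that run offline against constructed `snmpwalk -On` output; the switch name, community strings and sample table entries are placeholders, and the OIDs come from the MIBs named in the comments. It also builds the matching `snmpset` lines for the dot1x port control and VLAN changes, including the restore to `auto` once the image is delivered.

```python
import re
import shlex

# OIDs from BRIDGE-MIB, CISCO-VTP-MIB, IEEE8021-PAE-MIB and CISCO-VLAN-MEMBERSHIP-MIB (check them against your switch's MIBs).
VTP_VLAN_STATE = "1.3.6.1.4.1.9.9.46.1.3.1.1.2"  # vtpVlanState.<domain>.<vlan>
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"            # dot1dTpFdbPort.<mac as 6 decimal octets>
BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"   # dot1dBasePortIfIndex.<bridge port>
PAE_PORT_CONTROL = "1.0.8802.1.1.1.1.2.1.1.6"  # dot1xAuthAuthControlledPortControl.<ifIndex>
VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"       # vmVlan.<ifIndex>
FORCE_AUTHORIZED, AUTO = 3, 2                  # port control values: disable dot1x / restore it
# Constructed sample data in 'snmpwalk -On' form. On Cisco switches the BRIDGE-MIB
# is kept per VLAN and is read with the community string 'community@<vlan>'.
SAMPLE_VTP = """.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.10 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.30 = INTEGER: 2"""
SAMPLE_FDB = """.1.3.6.1.2.1.17.4.3.1.2.0.26.43.60.77.94 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 12"""
SAMPLE_BASEPORT = """.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107
.1.3.6.1.2.1.17.1.4.1.2.12 = INTEGER: 10112"""

def parse_walk(text):
    """Turn 'oid = TYPE: value' lines into {oid: value}; anything else is ignored."""
    pairs = (re.match(r"^\.?([\d.]+) = \w+: (.*)$", line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def mac_to_index(mac):
    """'00:1a:2b:3c:4d:5e' or '001a.2b3c.4d5e' -> '0.26.43.60.77.94' (FDB instance suffix)."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 12, 2))

def active_vlans(vtp_walk):
    """Step 1: VLAN ids whose vtpVlanState is operational(1); each needs its own FDB walk."""
    return [int(oid.rsplit(".", 1)[1]) for oid, v in parse_walk(vtp_walk).items()
            if oid.startswith(VTP_VLAN_STATE + ".") and v == "1"]

def bridge_port_for_mac(fdb_walk, mac):
    """Step 2: bridge port that learned the MAC, or None if it is not in this VLAN's table."""
    v = parse_walk(fdb_walk).get(FDB_PORT + "." + mac_to_index(mac))
    return int(v) if v else None

def ifindex_for_bridge_port(baseport_walk, bridge_port):
    """Step 3: bridge port number -> ifIndex of the physical interface."""
    v = parse_walk(baseport_walk).get(f"{BASE_PORT_IFINDEX}.{bridge_port}")
    return int(v) if v else None

def set_commands(switch, community, ifindex, control=FORCE_AUTHORIZED, vlan=None):
    """Steps 4 and 5: net-snmp snmpset lines; call again with control=AUTO after the image is delivered."""
    base = f"snmpset -v2c -c {shlex.quote(community)} {shlex.quote(switch)}"
    cmds = [f"{base} {PAE_PORT_CONTROL}.{ifindex} i {control}"]
    if vlan is not None:
        cmds.append(f"{base} {VM_VLAN}.{ifindex} i {vlan}")
    return cmds
```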
The next series of posts will discuss each of these steps in depth. I’ll provide details of the method used to acquire the information, as well as VBScript functions that can be used in re-imaging scripts.