Meet us at Cisco Live Las Vegas 2024
Home
>
Blog
>
Verifying 802.1X configuration

Verifying 802.1X configuration

3 minute read
Home
>
Blog
>
Verifying 802.1X configuration
Updated: October 27, 2023
September 11, 2020
Updated: October 27, 2023
3 mins

Why 802.1X?

There was a time when networks were secure islands, used to connect PCs to services they consumed and each other. The network was protected from the outside world by a perimeter firewall: there was only one way in and out.

With the explosion in wireless networking and the use of personal devices in corporate environments, the security perimeter has dissolved. More open access to the corporate network has massively increased the attack surface for potential bad actors.

In order to secure the network, we now look to the access network and identify potential threats as they connect. Enter 802.1X - the IEEE standard which describes the use of Extensible Authentication Protocol (EAP) on the LAN. This provides a method of proving the identity of a client device and/or user. We can then provide a security policy enforcement point at the edge of the network.

Enabling the network for 802.1X

Typically, this is a fraught rollout process. Firstly, a pilot phase is used to check that different combinations of network hardware and endpoint devices are able to work together. This often highlights specific issues with certain types of endpoint or operating system, leading to more detailed analysis.

Next, policies are built to allow or deny access based on the results of the authentication. Templates are then built for configuration and policy, and a phased rollout schedule defined.

Typically, there are two stages to each rollout phase. The first is putting the ports into "monitoring" mode - enforcing the authentication to take place, but not the policy associated. If there are problems with authentication, users can still access the network. Policy enforcement is later enabled after a period of monitoring, allowing authentication issues to be ironed out.

A key part to the rollout process is documenting both the configuration templates and the extent of the rollout activity, in both monitoring and enforcement modes. From a support perspective, rollout of 802.1X is a significant change and a potentially painful one due to the interaction of endpoint with network, and the potential impact of failure. If a client can't authenticate, the user will lose access to all network services!

So how to verify where 802.1X is configured, and that it is behaving as expected? Without accurate detailed documentation, the only way to confirm this is to:

  • login to each access switch in turn;
  • check each port to see if it configured correctly for 802.1X authentication;
  • check whether ports are in monitoring mode;
  • ensure authentication methods are enabled and working correctly;
  • check endpoints are joining the network as they supply correct credentials; and
  • verify policy is enforced as expected.

Clearly a complex and long-winded process!

Let IP Fabric have a go

The IP Fabric discovery process identifies "edge" ports by detecting where hosts are directly connected. Once we have that information, we also collect whether those edge ports are configured for 802.1X. And so we have instant access to the information simply by filtering the appropriate table in IP Fabric:

image 7

You can also see from the table that we can track whether those interfaces are in monitor mode or not. Using this information, we can create an intent verification check to track how many interfaces are configured for 802.1X and enforcing:

image 10

or remain in monitoring mode:

image 9

The summary displayed above the table shows the number of matches to each rule:

image 13

Using that same data, we can also build a dashboard widget to show progress of the rollout of configuration. For example, the widget below shows that most ports aren't configured with the remaining 2% enabled but in monitoring mode. You can see how this visualisation would be useful to track the project status, using data captured by IP Fabric automatically.

image 14

Once the rollout is progressing, the table will be updated at each snapshot with the state of each port, showing whether endpoints are authorised and users are able to join the network:

image 15

IP Fabric will even show you user details if they have used their username and password to authenticate! So you can see that we have you covered for rolling out and operating an 802.1X secured network!

If you have found this article helpful, please follow our company’s LinkedIn or Blog, where more content will be emerging. If you would like to test our solution to see for yourself how IP Fabric can help you manage your network more effectively, please contact us through www.ipfabric.io.

Verifying 802.1X configuration

Why 802.1X?

There was a time when networks were secure islands, used to connect PCs to services they consumed and each other. The network was protected from the outside world by a perimeter firewall: there was only one way in and out.

With the explosion in wireless networking and the use of personal devices in corporate environments, the security perimeter has dissolved. More open access to the corporate network has massively increased the attack surface for potential bad actors.

In order to secure the network, we now look to the access network and identify potential threats as they connect. Enter 802.1X - the IEEE standard which describes the use of Extensible Authentication Protocol (EAP) on the LAN. This provides a method of proving the identity of a client device and/or user. We can then provide a security policy enforcement point at the edge of the network.

Enabling the network for 802.1X

Typically, this is a fraught rollout process. Firstly, a pilot phase is used to check that different combinations of network hardware and endpoint devices are able to work together. This often highlights specific issues with certain types of endpoint or operating system, leading to more detailed analysis.

Next, policies are built to allow or deny access based on the results of the authentication. Templates are then built for configuration and policy, and a phased rollout schedule defined.

Typically, there are two stages to each rollout phase. The first is putting the ports into "monitoring" mode - enforcing the authentication to take place, but not the policy associated. If there are problems with authentication, users can still access the network. Policy enforcement is later enabled after a period of monitoring, allowing authentication issues to be ironed out.

A key part to the rollout process is documenting both the configuration templates and the extent of the rollout activity, in both monitoring and enforcement modes. From a support perspective, rollout of 802.1X is a significant change and a potentially painful one due to the interaction of endpoint with network, and the potential impact of failure. If a client can't authenticate, the user will lose access to all network services!

So how to verify where 802.1X is configured, and that it is behaving as expected? Without accurate detailed documentation, the only way to confirm this is to:

  • login to each access switch in turn;
  • check each port to see if it configured correctly for 802.1X authentication;
  • check whether ports are in monitoring mode;
  • ensure authentication methods are enabled and working correctly;
  • check endpoints are joining the network as they supply correct credentials; and
  • verify policy is enforced as expected.

Clearly a complex and long-winded process!

Let IP Fabric have a go

The IP Fabric discovery process identifies "edge" ports by detecting where hosts are directly connected. Once we have that information, we also collect whether those edge ports are configured for 802.1X. And so we have instant access to the information simply by filtering the appropriate table in IP Fabric:

image 7

You can also see from the table that we can track whether those interfaces are in monitor mode or not. Using this information, we can create an intent verification check to track how many interfaces are configured for 802.1X and enforcing:

image 10

or remain in monitoring mode:

image 9

The summary displayed above the table shows the number of matches to each rule:

image 13

Using that same data, we can also build a dashboard widget to show progress of the rollout of configuration. For example, the widget below shows that most ports aren't configured with the remaining 2% enabled but in monitoring mode. You can see how this visualisation would be useful to track the project status, using data captured by IP Fabric automatically.

image 14

Once the rollout is progressing, the table will be updated at each snapshot with the state of each port, showing whether endpoints are authorised and users are able to join the network:

image 15

IP Fabric will even show you user details if they have used their username and password to authenticate! So you can see that we have you covered for rolling out and operating an 802.1X secured network!

If you have found this article helpful, please follow our company’s LinkedIn or Blog, where more content will be emerging. If you would like to test our solution to see for yourself how IP Fabric can help you manage your network more effectively, please contact us through www.ipfabric.io.

SHARE
Demo

Try out the platform

Test out IP Fabric’s automated network assurance platform yourself and be inspired by the endless possibilities.

What would this change for your network teams?
Start live demo
 
 
 
 
 
We're Hiring!
Join the Team and be part of the Future of Network Automation
Available Positions
IP Fabric, Inc.
115 BROADWAY, 5th Floor
NEW YORK NY, 10006
United States
This is a block of text. Double-click this text to edit it.
Phone : +1 617-821-3639
IP Fabric s.r.o.
Kateřinská 466/40
Praha 2 - Nové Město, 120 00
Czech Republic
This is a block of text. Double-click this text to edit it.
Phone : +420 720 022 997
IP Fabric UK Limited
Gateley Legal, 1 Paternoster Square, London,
England EC4M 7DX
This is a block of text. Double-click this text to edit it.
Phone : +420 720 022 997
IP Fabric, Inc. © 2024 All Rights Reserved