Published On: August 6ᵗʰ, 2019 02:08
Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8
LDAP Integration for Cisco NAC Profiler
This chapter includes the following topics:
• Cisco NAC Profiler Configuration for LDAP Integration
• Enabling Profiles for LDAP Authentication
• Enabling Cisco NAC Profiler for LDAP Integration
• Perform an Initial LDAP Synchronization
• Cisco NAC Profiler LDAP Parameters
• Verifying Availability of Cisco NAC Profiler LDAP Service
Overview
The contextual endpoint inventory maintained by Cisco NAC Profiler is extensible to other systems via the standard Lightweight Directory Access Protocol (LDAP). The Server module of the Cisco NAC Profiler system can be configured to replicate selected endpoint data (by Profile) to an LDAP-enabled directory that runs in parallel with the Cisco NAC Profiler database and is maintained by the Server module of the Cisco NAC Profiler system. The Cisco NAC Profiler system can be configured to publish endpoints in selected Profiles to the directory such that other systems, such as Authentication Servers (RADIUS servers, for example), can query the Cisco NAC Profiler system to get contextual information about endpoints, using the MAC address of the endpoint as the identifier. The LDAP subsystem of the Cisco NAC Profiler system is a high-performance and scalable solution that can be utilized to augment authentication systems such as IEEE 802.1X port-based authentication, particularly for the purposes of automating the discovery and authentication of endpoints unable to participate in the 802.1X protocol using the existing authentication infrastructure.
The Cisco NAC Profiler system includes an LDAP-enabled directory which runs in parallel with the Cisco NAC Profiler Endpoint Database when the system is enabled for LDAP integration as described later in this chapter. In response to an LDAP query containing an endpoint MAC address initiated by another entity, such as an Authentication Server attempting to authenticate an endpoint by MAC address, the Cisco NAC Profiler LDAP subsystem checks the onboard directory to determine the most current information about the endpoint: whether the endpoint has been discovered and is currently Profiled by the Cisco NAC Profiler system. Selected Profiles are enabled for LDAP integration, that is, the Cisco NAC Profiler administrator can selectively designate the Profiles for which the Cisco NAC Profiler system will respond to LDAP queries. In other words, the Cisco NAC Profiler system will only respond about endpoints that it has discovered and currently has Profiled into Profiles that have been explicitly configured for LDAP enablement. Typically, only Profiles used to containerize non-authenticating devices are enabled for LDAP integration on the Cisco NAC Profiler system. Profiles for devices such as printers, IP Phones, and wireless access points are examples of Profiles that are typically enabled for LDAP integration in cases where the Cisco NAC Profiler system is being utilized for MAC authentication.
After the enablement of LDAP on a Cisco NAC Profiler system, as endpoints are Profiled into any LDAP-enabled Profile, the Cisco NAC Profiler directory is updated such that information about the endpoint can be determined via an LDAP query of the Cisco NAC Profiler directory using the endpoint's MAC address as a unique identifier. An example of how this might be used is to designate the Cisco NAC Profiler system as an external database for use by RADIUS servers to assist in MAC authentication of endpoints, particularly those endpoints that cannot be authenticated otherwise. A successful authentication response from Cisco NAC Profiler to the Authentication Server includes the current Cisco NAC Profiler Profile name (e.g., Printer) in the response to the query for a given MAC, which can be used by the Authentication Server in the determination of the proper network access policy to assign to the endpoint. Again, the Cisco NAC Profiler system will only respond to queries about MAC addresses that it has discovered and Profiled into a Profile that is designated for LDAP enablement by the Cisco NAC Profiler administrator. Queries for MAC addresses that are not known to the system, or for endpoints that are not currently in an LDAP-enabled Profile, are handled by the Cisco NAC Profiler system as an authentication failure. In this way, the system is able to differentiate subsets of devices within the larger Cisco NAC Profiler database that should and should not be authenticated via their MAC address.
The Cisco NAC Profiler system includes a Synchronization function that is used to publish MAC addresses in all LDAP-enabled Profiles to the directory. The LDAP synchronization is used when LDAP is initially enabled on a Cisco NAC Profiler system to ensure that endpoints previously Profiled into Profiles selected for LDAP-enablement are published into the directory. Synchronization of the LDAP-enabled directory also occurs whenever the Cisco NAC Profiler system is restarted (Apply Changes -> Update Modules or Re-model) when the system is enabled for LDAP as described later in this chapter.
The Behavior Monitoring functionality of the Cisco NAC Profiler system is fully utilized in the monitoring of endpoints in the LDAP-enabled directory as well. In situations where an endpoint is observed by Cisco NAC Profiler exhibiting behaviors that result in a Profile change, specifically from a Profile enabled for LDAP authentication to another Profile that is not LDAP-enabled, the directory will be immediately updated such that the endpoint changing Profile will no longer successfully authenticate via MAC authentication. For example, if an endpoint that is currently in the LDAP-enabled Printer Profile is observed by the Cisco NAC Profiler system exhibiting behaviors that are more consistent with a higher-certainty Windows User Profile, the Cisco NAC Profiler engine will re-Profile the endpoint from the LDAP-enabled Printers Profile to the non-LDAP-enabled Windows User Profile. (Windows Users in this example are assumed to be able to authenticate by a method other than MAC address, 802.1X for example.) Any subsequent re-authentication of that MAC address will fail because the endpoint transitioned to a Profile that is not enabled for LDAP authentication by MAC.
Applications of Cisco NAC Profiler LDAP Integration: MAC Authentication Support in 802.1X Deployments
To accommodate endpoints in 802.1X-enabled networks that are unable to authenticate via 802.1X, Cisco and other switch vendors with 802.1X support have implemented a feature within their switch firmware to revert to MAC authentication when devices connect and do not initiate the EAPoL process. A device not initiating the EAPoL process is indicative of a non-802.1X capable endpoint connecting to an access port that has 802.1X enabled. This feature is used primarily to authenticate known, non-802.1X corporate assets attempting to connect to the network on access ports with 802.1X port-based authentication enabled. In addition, many RADIUS Authentication Server implementations support MAC authentication as well so that they will interoperate with access switches including MAC authentication bypass in the 802.1X implementation.
In these deployments, the RADIUS Authentication Server must somehow be provisioned with the list of MAC addresses in an internal database (e.g., white list) or support querying an external database of the MAC addresses of endpoints in the environment that are known to be non-802.1X capable and should be authenticated by MAC. Many of the leading Authentication Server solutions support mechanisms to reference an external database via LDAP to proxy MAC authentication to another system, alleviating the need to maintain the local database (e.g., white list) on the Authentication Server.
The external LDAP database mechanism implemented in these solutions provided the model for the engineering of the Cisco NAC Profiler LDAP subsystem. The Cisco NAC Profiler LDAP integration functionality described earlier in this chapter provides the opportunity to utilize the Endpoint Profiling and Behavior Monitoring functionality of Cisco NAC Profiler to automate the management of non-802.1X capable endpoints in enterprise, providing an easily accessible and up-to-date list of the endpoints that are to be authenticated by MAC. In this model, whenever a non-802.1X capable endpoint attaches to any port with 802.1X/MAC authentication bypass enabled the switch reverts to MAC authentication for the endpoint, and in turn the RADIUS server queries Cisco NAC Profiler to determine if the endpoint should be allowed to access the network, and if so, what access policy should it be assigned based on its current Profile.
MAC authentication fallback (or "MAC Authentication Bypass," or "MAB" as the feature is called by Cisco Systems) implemented in the switch firmware is designed to provide an alternative authentication path for endpoints that connect to an 802.1X-enabled port and do not initiate the 802.1X authentication protocol. Figure 14-1 shows how a Cisco switch that has 802.1X authentication with the MAC Authentication Bypass feature enabled will proceed when a non-802.1X capable device connects to one of its access ports:
Figure 14-1 Cisco MAC Authentication Bypass

The lack of EAPoL packets from the endpoint connecting on the 802.1X-enabled port with MAB enabled results in the switch reverting to an attempt to use MAC authentication to enable access for the endpoint. The NAS (RADIUS client) on the switch will send a MAC authentication request to the RADIUS server, which will determine if the MAC is known to be a non-802.1X capable endpoint (on the "white list") and, if so, what policy it should be assigned. This is communicated back to the switch so the enforcement action, such as the assignment of a VLAN, can be carried out at the access port. For devices that fail MAC authentication (e.g., an unknown non-802.1X endpoint), the RADIUS server will also likely have a policy for devices that cannot be authenticated via this mechanism, which may result in the unknown endpoint being provisioned for no network access or perhaps some limited access (e.g., guest privileges only) depending on the environment and security policy.
Operating in concert with support for MAC authentication, the RADIUS Authentication Server must contain a mechanism for maintaining the list of MAC addresses that should be authenticated via MAC: those endpoints owned by the organization that are known not to be 802.1X supplicant-capable. In order for this approach to be deployed and utilized effectively, the environment must have a means of identifying the devices in the environment that are not capable of 802.1X authentication, and of maintaining an up-to-date database of these devices over time as moves, adds and changes occur. This list needs to be populated and maintained on the Authentication Server or another accessible repository, either manually or via some alternative means, to ensure that the set of devices enabled for authentication via MAC is complete and valid at any point in time. This in turn ensures that when one of these endpoints connects to the network on a port enabled for authentication and does not initiate the EAPoL process, the MAC authentication succeeds because the Authentication Server is able to authenticate the MAC address of the endpoint.
Cisco NAC Profiler can automate the process of identifying non-authenticating endpoints, those without 802.1X supplicants, and maintaining the validity of these endpoints in networks of varying scale via the Endpoint Profiling and Behavior Monitoring functionality. Through a standard LDAP interface, the Cisco NAC Profiler system can serve as an External Database or Directory of the endpoints to be authenticated via MAB, the so-called "white list" of devices known to be unable to authenticate via 802.1X. The Cisco NAC Profiler directory is accessed as necessary by the Authentication Server when access switches attempt to authenticate an endpoint by MAC address via the MAB feature. Upon receiving a MAB request from the edge infrastructure, the Authentication Server will query the Cisco NAC Profiler system to determine whether or not a given endpoint should be admitted to the network based on the most current information about the endpoint known by Cisco NAC Profiler, obviating the need for a manual initial configuration and ongoing maintenance of the "white list" of devices that should be authenticated by MAC.
Beyond automating the discovery of non-802.1X capable endpoints, and monitoring the behavior of those endpoints, implementing support of non-802.1X endpoints using the Cisco NAC Profiler system in this manner enables these endpoints to connect to any access port configured for MAB across the enterprise. Each time one of these endpoints connects to a port and is unable to complete the EAPoL process, the Authentication Server queries the Cisco NAC Profiler system to determine how the endpoint should be handled: if access should or should not be provided, and the access policy.
Cisco NAC Profiler Configuration for LDAP Integration
Configuration of the Cisco NAC Profiler system for integration with Authentication Servers via LDAP is straightforward, and consists of three steps:
1. Designate the Profile(s) that contain the endpoints that should be successfully authenticated via MAC address.
2. Enable the system to accept LDAP queries and for auto synchronization of the LDAP directory with the Cisco NAC Profiler database.
3. Perform an Apply Changes -> Update Modules to save the previous configuration changes and perform an initial synchronization of the LDAP Directory.
The procedure for each of these steps is outlined in the remainder of this section. Once these steps are completed for the Cisco NAC Profiler system, the Authentication Server is configured to use the Cisco NAC Profiler system as an external database in accordance with the technical documentation for that solution.
Enabling Profiles for LDAP Authentication
The Cisco NAC Profiler system utilizes the Profile mechanism for determining which endpoints will successfully authenticate via MAC. On a per Profile basis, selected Profiles can be designated for LDAP, or LDAP can be disabled. MAC authentication requests to Cisco NAC Profiler for endpoints not currently in an LDAP-enabled Profile will result in failing MAC authentication. By default, the pre-configured Profiles included with the system, and newly created Profiles are not LDAP enabled. Therefore, as part of the configuration of the Cisco NAC Profiler system for MAC Authentication support via LDAP, the Profiles containing endpoints that should be MAC Authenticated must have the LDAP function enabled.
The primary task in this step is to identify the Profiles that contain endpoints that are desired to be authenticated via MAC in the environment, and then enable those Profiles for LDAP. Typically, these are the Cisco NAC Profiler Profiles which contain devices owned by the organization that should be provided network access, yet are known to be unable to authenticate. In an 802.1X environment for example, the devices in this category would be devices known not to have an 802.1X supplicant, and unable to authenticate via the 802.1X protocol. Typically these are Profiles that contain printers, IP Phones or manageable UPSs as common examples.
For example, if printers profiled by Cisco NAC Profiler were placed in a Profile named 'Printers', and IP Phones in a Profile named 'IP Phones', then these Profiles would need to be enabled for LDAP so that the endpoints placed in those Profiles would be successfully authenticated via MAB as known IP Phones and Printers in the environment.
Configuring an enabled Profile for LDAP requires that the LDAP radio button adjacent to the 'yes' in the Endpoint Profile configuration be selected, as shown in Figure 14-2:
Figure 14-2 Enabling a Profile for LDAP

After making the change to the LDAP parameter for the Profile, select the Save Profile button at the bottom of the form to save the changes.
Determining active (currently enabled and containing at least one endpoint) Profiles that currently are LDAP-enabled and that should result in successful MAC authentications of endpoints contained in those Profiles can be ascertained by checking the Endpoint Directory. To view the Endpoint Directory, navigate to the Endpoint Console Tab, and select Endpoint Directory. An example Endpoint Directory with LDAP-enabled Profiles is shown in Figure 14-3.
Figure 14-3 Endpoint Directory showing LDAP-enabled Profile

In the example above, the LDAP column shows the current LDAP status of each active Profile. The 8 endpoints in the Polycom Phones Profile would successfully authenticate via MAC should the Cisco NAC Profiler system be queried by an Authentication Server for the MAC address of one of those endpoints.
Enabling Cisco NAC Profiler for LDAP Integration
Configuration of the Profiler Server module to enable the LDAP subsystem of the Endpoint Profiler is accomplished via the Configure Server form. From the Configuration tab, select Cisco NAC Profiler Modules -> List Cisco NAC Profiler Modules, and then click on the Server link to display the Configure Server form.
Midway down the form is the LDAP Configuration section of the Configure Server form, containing two items as shown in Figure 14-4.
Figure 14-4 Profiler Server LDAP parameters

Enable LDAP
Enables the onboard directory on the Cisco NAC Profiler system and prepares the Cisco NAC Profiler system for processing MAC authentication queries by external Authentication Servers. By default, the Cisco NAC Profiler LDAP service listens for LDAP version 3 requests on port 389 received on the management interface of appliance running the Server module. (In the case of HA pairs, the HA pair will respond to LDAP queries forwarded to the Service IP address for the HA pair.)
Verbose Logging
Enables verbose logging of the LDAP process to the Profiler Server.out file.
Select the 'Update Server Module' button at the bottom of the form to save the changes to the Server module configuration.
Perform an Initial LDAP Synchronization
When the Enable LDAP checkbox is selected in the Server configuration as outlined in Enabling Cisco NAC Profiler for LDAP Integration, the enablement of the synchronization of the Cisco NAC Profiler LDAP directory upon Apply Changes -> Update Modules occurs automatically. Whenever an Update Modules is executed on a Cisco NAC Profiler system with LDAP enabled, as part of the restart and remodel that occurs, the Cisco NAC Profiler system will synchronize the Cisco NAC Profiler endpoint database and the LDAP data store to ensure that the LDAP data store reflects the current Profile of all endpoints in the database.
Note
After enabling LDAP on a Profiler Server, an Apply Changes -> Update Modules must be performed to ensure that the endpoints currently Profiled into Profiles enabled for LDAP are synchronized into the LDAP store. Prior to attempting to authenticate MACs against the Cisco NAC Profiler store, an Apply Changes -> Update Modules must be performed to ensure the LDAP directory is populated with the endpoints currently in the LDAP-enabled Profiles.
Once the previous steps have been completed, the LDAP functionality of the Cisco NAC Profiler will be ready to respond to LDAP queries. When LDAP is enabled on Cisco NAC Profiler, as endpoints are Profiled into any of the LDAP-enabled Profiles, they are automatically added to the LDAP directory and enabled for MAC Authentication. Conversely, if an endpoint is re-Profiled by the Cisco NAC Profiler from a Profile enabled for LDAP to another that is not, the endpoint will be removed from the LDAP directory, and subsequent attempts to authenticate that endpoint via MAC against the Cisco NAC Profiler data store will result in an authentication failure.
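The publish, synchronize and re-Profile rules described in the Overview and in this section can be exercised with the following model. It is an added example, not code from the Cisco NAC Profiler product: the class names, the Profile names, the MAC addresses and the policy table are constructed, and the assumption that live directory updates begin only after the first Apply Changes -> Update Modules follows the Note above, where the chapter itself is not explicit.

```python
# Added example (not from the Cisco guide): a small model of the behaviour this
# chapter describes, so the publish/sync/re-Profile rules can be stepped through.
# Profile names, MACs and the policy table are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class ProfilerModel:
    """Endpoint database plus the parallel LDAP directory of one Profiler Server."""
    ldap_profiles: set                               # Profiles with LDAP set to 'yes'
    database: dict = field(default_factory=dict)     # mac -> current Profile
    directory: dict = field(default_factory=dict)    # mac -> Profile, as published
    ldap_enabled: bool = False                       # the 'Enable LDAP' checkbox
    synchronized: bool = False                       # set by Apply Changes -> Update Modules

    def profile_endpoint(self, mac, profile):
        """Profiler discovers or re-Profiles an endpoint. ASSUMPTION: the directory
        follows immediately once LDAP is enabled and the initial sync has run."""
        self.database[mac] = profile
        if self.ldap_enabled and self.synchronized:
            self._publish(mac)

    def update_modules(self):
        """Apply Changes -> Update Modules: restart/re-model plus a full LDAP sync."""
        if self.ldap_enabled:
            self.directory.clear()
            for mac in self.database:
                self._publish(mac)
            self.synchronized = True

    def _publish(self, mac):
        profile = self.database[mac]
        if profile in self.ldap_profiles:
            self.directory[mac] = profile
        else:
            self.directory.pop(mac, None)            # removed: MAC auth now fails

    def mab_query(self, mac):
        """What the Authentication Server's LDAP lookup yields for a MAB request.
        Returns (True, profile_name) on a hit, (False, reason) otherwise."""
        if not self.ldap_enabled:
            return False, "LDAP not enabled on the Profiler Server"
        profile = self.directory.get(mac)
        if profile is None:
            return False, "MAC not in an LDAP-enabled Profile"
        return True, profile


# Constructed policy table of the kind an Authentication Server would hold,
# keyed by the Profile name carried in the LDAP response.
ACCESS_POLICY = {"Printers": "VLAN 20 (printers)", "IP Phones": "voice VLAN"}


def radius_decision(model, mac, default_policy="guest VLAN"):
    """Access-Accept with the Profile-derived policy, or Access-Reject with the default."""
    ok, detail = model.mab_query(mac)
    if ok:
        return "Access-Accept", ACCESS_POLICY.get(detail, default_policy)
    return "Access-Reject", default_policy


def walkthrough():
    """Runs the chapter's sequence: enable LDAP, sync, live publish, re-Profile."""
    m = ProfilerModel(ldap_profiles={"Printers", "IP Phones"})
    printer, laptop, phone = "00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff", "00:11:22:01:02:03"
    m.profile_endpoint(printer, "Printers")
    m.profile_endpoint(laptop, "Windows User")
    m.ldap_enabled = True
    before_sync = m.mab_query(printer)[0]            # False: Update Modules not yet run
    m.update_modules()
    after_sync = m.mab_query(printer)                # (True, "Printers")
    m.profile_endpoint(phone, "IP Phones")           # published without another sync
    phone_live = m.mab_query(phone)
    m.profile_endpoint(printer, "Windows User")      # Behavior Monitoring re-Profiles it
    after_reprofile = m.mab_query(printer)[0]        # False: removed from the directory
    return {
        "before_sync": before_sync,
        "after_sync": after_sync,
        "phone_live": phone_live,
        "laptop": m.mab_query(laptop)[0],
        "after_reprofile": after_reprofile,
        "unknown": m.mab_query("ff:ff:ff:00:00:01")[0],
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

The laptop never appears in the directory even though it is in the endpoint database, which is the distinction the chapter draws between "known to Cisco NAC Profiler" and "published for MAC authentication"; only the Profile flag decides the latter.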
Cisco NAC Profiler LDAP Parameters
After completing the steps outlined above, the Cisco NAC Profiler LDAP system is ready to begin processing LDAP queries from external systems such as RADIUS servers and Cisco Systems ACS, as common examples. Configuration of external LDAP databases varies from vendor to vendor, so it is imperative to review the documentation provided by the vendor of the specific Authentication Solution in order to set up the Cisco NAC Profiler as an LDAP database specifically for the purposes of MAC Authentication.
Regardless of what system is connecting to the Cisco NAC Profiler LDAP store, there are some LDAP-specific parameters that will be required for the configuration of the Authentication Server to enable successful connectivity between the AS and Cisco NAC Profiler. Those parameters are as follows:
• LDAP version 3
• Port 389
• LDAP Server IP address: IP address/DNS name of the management (eth0) interface of the appliance running the Server module for the Cisco NAC Profiler. For HA pairs, the address/DNS name should be the Service IP (VIP) for the pair.
• Authentication required - yes
• Username (AdminDN) - cn=root,o=beacon
• LDAP bind password - GBSbeacon (default)
Verifying Availability of Cisco NAC Profiler LDAP Service
Once Cisco NAC Profiler has been properly configured for LDAP, verification that the service is available on the system can be done simply and easily from any PC with IP connectivity to the Profiler Server, using an LDAP browser tool. LDAP browsers are readily available; there are several freeware versions that can be downloaded. One such LDAP tool is the LDAP Admin Windows LDAP Manager (http://ldapadmin.sourceforge.net/), which was used for the illustrations in this section.
The following example provides the steps necessary to verify the Cisco NAC Profiler LDAP configuration by browsing the LDAP directory using the LDAP Admin tool. After starting the LDAP Admin application, select Start from the menu bar to open the drop-down menu, then select Connect... This opens the Connections window, which contains an icon entitled "New connection". Double-click the "New connection" icon to open the dialog that allows the entry of the LDAP-specific parameters for the Cisco NAC Profiler system being verified, as illustrated in Figure 14-5.
Figure 14-5 Creating a Connection to the Cisco NAC Profiler LDAP store

Note
Uncheck the 'Anonymous connection' checkbox in order to be able to enter the required Username and password credentials as shown above.
Before clicking OK, select the 'Test connection' button in the bottom left corner of the Connection properties dialog box. If the Cisco NAC Profiler system is responding to LDAP correctly, a dialog box indicating that the connection is successful will appear; select OK to clear the dialog, and OK again to save the new connection.
Note
If an error dialog "LDAP Error: Server Down!" results, this indicates that either the Cisco NAC Profiler system is not listening on the LDAP port (389), or that network communications between the PC running LDAP Admin and the Cisco NAC Profiler system are being blocked (e.g., firewall or ACL). Verify the Server configuration parameters, and ensure that an Apply Changes -> Update Modules was executed. Verify network connectivity between the PC and the Cisco NAC Profiler system using PING.
Note
If an error dialog "LDAP Error: Invalid Credentials!" results, this indicates that there is an error with the username and password provided. Verify that the password entered is the LDAP bind password specified in the last section: GBSbeacon.
Open the connection to the Cisco NAC Profiler LDAP directory by double-clicking the icon for the connection you created in the previous step. The following view of the Cisco NAC Profiler LDAP directory tree should be displayed.
Figure 14-6 Browsing the Cisco NAC Profiler LDAP data store

The part of the Cisco NAC Profiler LDAP directory that is germane to MAC Authentication is the ou=profiler tree. Expand the directory by clicking on the + to the left of the file icon for ou=profiler, then expand the directory further to open ou=BeaconProfiledMACs as shown in Figure 14-7.
Figure 14-7 View LDAP-enabled Profiles in Cisco NAC Profiler LDAP data store

In the example above, Lexmark Printer is the only LDAP-enabled Profile on the Cisco NAC Profiler system. To see the endpoints currently in the Profile, double-click the cn=ProfileName entry, which displays the following dialog on the example system:
Figure 14-8 Browse Endpoints in LDAP-enabled Profile

The Members section of the dialog shown in Figure 14-8 shows the MAC address of each device in the selected LDAP-enabled Profile, and verifies the availability of the LDAP store on the Cisco NAC Profiler system.
Note
The format of the MAC address in the Cisco NAC Profiler LDAP store is of the form 00:11:22:aa:bb:cc. In order for a query to result in a match, the MAC address in the LDAP query must use the same format.
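The same availability check, and the MAC format caveat in the Note above, can be scripted instead of performed in the LDAP Admin GUI. The following is an added example, not code from the Cisco guide or from the LDAP Admin tool. The port, AdminDN and default bind password are the ones listed under Cisco NAC Profiler LDAP Parameters; the search base (ou=profiler assumed to sit under o=beacon), the attribute name 'member' for the Members shown in Figure 14-8, and the use of the third-party ldap3 library for the live connection are assumptions. The normalization and lookup functions run offline against a constructed store shaped like Figures 14-7 and 14-8.

```python
# Added example (not from the Cisco guide or LDAP Admin): scripted LDAP check.
# Port, AdminDN and the default bind password come from the chapter; the search
# base, the 'member' attribute name and the ldap3 dependency are ASSUMPTIONS.
import re
import sys

LDAP_PORT = 389
ADMIN_DN = "cn=root,o=beacon"
DEFAULT_BIND_PASSWORD = "GBSbeacon"      # documented default, per the chapter
SEARCH_BASE = "ou=BeaconProfiledMACs,ou=profiler,o=beacon"   # assumed base DN
MEMBER_ATTR = "member"                                        # assumed attribute


def normalize_mac(raw):
    """Rewrite common MAC spellings (0011.22AA.BBCC, 00-11-22-AA-BB-CC,
    001122aabbcc) into the 00:11:22:aa:bb:cc form the Profiler store uses;
    a query in any other form would not match an entry."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def member_names_mac(value, mac):
    """True if a member value names this MAC, whether stored bare or as the
    value of the leading RDN of a DN (cn=00:11:22:aa:bb:cc,...)."""
    value = value.strip().lower()
    if value == mac:
        return True
    rdn = value.split(",", 1)[0]
    return "=" in rdn and rdn.split("=", 1)[1].strip() == mac


def profile_for_mac(profile_members, mac):
    """profile_members: {profile_cn: [member values]} as read from the store.
    Returns the Profile name a query for this MAC would yield, or None, which
    the Authentication Server treats as a MAC authentication failure."""
    mac = normalize_mac(mac)
    for profile, members in profile_members.items():
        if any(member_names_mac(m, mac) for m in members):
            return profile
    return None


def read_profiled_macs(host, password=DEFAULT_BIND_PASSWORD, port=LDAP_PORT):
    """Bind as the AdminDN and read every LDAP-enabled Profile with its members.
    The two connection errors map onto the two error dialogs described above."""
    from ldap3 import Server, Connection                      # pip install ldap3
    from ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError
    try:
        conn = Connection(Server(host, port=port), user=ADMIN_DN,
                          password=password, auto_bind=True)
    except LDAPSocketOpenError as exc:       # "Server Down": port closed or filtered
        raise RuntimeError(f"{host}:{port} not reachable; confirm Update Modules "
                           "ran and no firewall/ACL blocks the path") from exc
    except LDAPBindError as exc:             # "Invalid Credentials"
        raise RuntimeError("bind rejected; check the LDAP bind password") from exc
    conn.search(SEARCH_BASE, "(cn=*)", attributes=["cn", MEMBER_ATTR])
    profiles = {}
    for entry in conn.entries:
        attrs = entry.entry_attributes_as_dict
        profiles[attrs["cn"][0]] = [str(v) for v in attrs.get(MEMBER_ATTR, [])]
    conn.unbind()
    return profiles


# Constructed sample shaped like Figures 14-7 and 14-8 (one LDAP-enabled Profile).
SAMPLE_STORE = {"Lexmark Printer": ["00:11:22:aa:bb:cc", "00:11:22:aa:bb:cd"]}

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # usage: script.py <profiler-host> <mac>
        store, mac = read_profiled_macs(sys.argv[1]), sys.argv[2]
    else:                                    # offline: use the constructed sample
        store, mac = SAMPLE_STORE, "0011.22AA.BBCC"
    hit = profile_for_mac(store, mac)
    print(hit or "no match: MAC authentication would fail")
```

Running it with a host and a MAC reproduces the GUI walk-through: a socket error corresponds to the "Server Down!" dialog, a bind error to "Invalid Credentials!", and a successful bind lists the LDAP-enabled Profiles and their members, against which the normalized MAC is matched.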