LAN Port security

clark white
Level 2

Hello,

I have enabled port security on the switches with the configuration below. I connected a guest laptop to switch A, completed my job and kept the laptop in the IT cupboard. After 10 days I took the guest laptop and tried to connect it to switch B in the same VLAN; the laptop was restricted from access by a port violation.

I tried searching with the command sh mac address-table address XXXX.44eb.XXXX on switch B but I didn't find the MAC address. Luckily I remembered that I had connected to switch A on port 20, so I removed the MAC from the running configuration and I was able to get access on switch B.

So it is very difficult to search for a MAC address when I have 100 switches; if I had not remembered, it would have been a big mess for me. Is the below the correct way of configuring port-security on the switches when I have IP phones in the network?

interface GigabitEthernet2/0/14
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 30
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable

switch B# sh mac address-table address XXXX.44eb.XXXX
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Accepted Solutions


When 802.1X is configured, an outsider PC or laptop connected to the network will not get access because his domain will be different and the request will not hit the ACS--->domain controller to authenticate; it will authenticate locally on his PC and he will not be given an IP address (access).

Are you talking about user authentication here ?

If so it has nothing to do with the domain being different.

The switch authenticates the user. The user presents their credentials (whatever they are) and the switch relays this to the ACS server. The ACS server may have a local database but more likely it uses AD if that is what you have.

If the authentication is successful the port stays up and then the machines can get an IP address etc.

If it isn't the port is disabled and the machine has no access to the network.

This would happen even if the user configured their own IP address.

Jon


Jon Marshall
Hall of Fame

It's all to do with the "switchport port-security mac-address sticky" command.

Without that command the switch would not have kept a record of your mac address in the running configuration and it would most definitely have timed out before you reconnected the laptop.

Whether you need it or not depends on what you are trying to achieve with port security.

Without it your port above would allow only two mac addresses ie. the PC/laptop and the phone.

But it wouldn't stop someone disconnecting those device(s) from the port and connecting something else although it does provide protection from someone connecting a hub for example.

With it, as you have found, it not only stops things like hubs being connected but it also ties those devices to that port.

If the majority of your clients do not move about and it is really for you when you connect a laptop for example then you could just remember to remove the entry from the running configuration after you have disconnected.

Up to you really but like I say, it depends on exactly what you are using port security for.

Jon
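Since a sticky secure address is written into the running configuration (the point Jon makes above), the entry can be located by searching saved configs rather than by logging in to every switch. The following is an added example, not code from the thread or from Cisco; it parses constructed running-config excerpts, which in practice would come from a config backup, and accepts the MAC in any common notation.

```python
import re

# Constructed running-config excerpts standing in for configs collected from real switches.
RUNNING_CONFIGS = {
    "switch-A": """\
interface GigabitEthernet1/0/20
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.22aa.bbcc vlan voice
 switchport port-security mac-address sticky 0050.56ab.cd01
 switchport port-security
!
""",
    "switch-B": """\
interface GigabitEthernet1/0/5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00de.ad00.beef
!
""",
}

IFACE_RE = re.compile(r"^interface (\S+)")
# Matches only lines carrying a learned address; the bare "... sticky" line just enables the feature.
STICKY_RE = re.compile(r"^\s*switchport port-security mac-address sticky "
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def normalize_mac(mac: str) -> str:
    """Accept 00:50:56:ab:cd:01, 00-50-56-..., 0050.56ab.cd01 or bare hex; return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"

def sticky_entries(config_text: str):
    """Yield (interface, mac) for every sticky secure address in one running-config."""
    iface = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = STICKY_RE.match(line)
        if m and iface:
            yield iface, m.group(1).lower()

def find_sticky_mac(mac: str, configs: dict) -> list:
    """Return [(switch, interface), ...] everywhere `mac` is held as a sticky secure address."""
    target = normalize_mac(mac)
    return [(sw, iface) for sw, cfg in configs.items()
            for iface, found in sticky_entries(cfg) if found == target]
```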

Dear Jon,

So my conclusion for port security is as below; please confirm.

With switchport port-security maximum 2 configured without the switchport port-security mac-address sticky command:

Phone A + PC A ---> PC will get access; if I remove PC A and connect PC B, B will get access.

Phone B + PC A ----> PC and phone will get access.

No MAC address is stuck and any PC and phone can be connected, but not more than "2".

Another scenario:

switchport port-security maximum 2 configured with the switchport port-security mac-address sticky command:

Phone A + PC A ---> PC & phone will get access; if I remove PC A and connect PC B, B will be in port violation.

Phone A and PC A cannot be connected to some other switch in the same VLAN; if I want to connect to some other switch I have to remove them from the running config of the old switch.

Please confirm my thoughts are correct.

Thanks

Yes to both is my understanding.

Jon
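The two scenarios confirmed above can be checked against a small model of a port's port-security state. This is an added illustration written for this thread, not IOS code or a Cisco tool; it assumes the default behaviour that dynamic secure addresses are dropped when the port goes down while sticky ones survive, and that restrict mode drops offending frames and counts them without shutting the port.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one access port under port-security (constructed illustration)."""
    maximum: int = 2
    sticky: bool = False          # "switchport port-security mac-address sticky"
    violation: str = "restrict"   # "restrict", "protect" or "shutdown"
    secure: dict = field(default_factory=dict)   # mac -> "sticky" | "dynamic"
    violations: int = 0
    err_disabled: bool = False

    def frame_from(self, mac: str) -> bool:
        """True if a frame sourced from `mac` is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # Learn the address; a sticky entry is also written to running-config.
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Over the maximum: restrict/protect drop the frame, shutdown err-disables the port.
        if self.violation != "protect":
            self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

    def link_down(self) -> None:
        """Dynamic secure addresses are lost when the port goes down; sticky ones remain."""
        self.secure = {m: kind for m, kind in self.secure.items() if kind == "sticky"}

    def clear_secure(self, mac: str) -> None:
        """Equivalent of removing the sticky line from the running configuration."""
        self.secure.pop(mac, None)

def replace_pc(sticky: bool) -> tuple:
    """Phone A + PC A on the port, bounce the port, then plug in PC B.
    Returns (does PC B get access, violation count)."""
    port = SecurePort(maximum=2, sticky=sticky)
    port.frame_from("phone-A")
    port.frame_from("pc-A")
    port.link_down()          # PC A unplugged and the port bounced
    port.frame_from("phone-A")
    return port.frame_from("pc-B"), port.violations
```

Without sticky the bounce clears PC A's dynamic entry and PC B is learned in its place; with sticky both earlier addresses persist and PC B is counted as a restrict violation until the stale entry is cleared.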

Dear Jon,

Scenario 1

What security does Cisco see in scenario 1? Any outsider can connect his laptop and access the network.

Scenario 2

If there is continuous movement of PCs it is a lot of work for the network administrator, and in case the MAC timeout has happened then the administrator has to log in to every switch and check the running configuration for that specific MAC.

Jon, as per your words below:

Up to you really but like I say, it depends on exactly what you are using port security for.

Can you explain to me the best scenario Cisco gives as a best practice to implement port-security?

Thanks

In terms of security, if you do not want unauthorised users accessing your network, port security is not the tool to use, ie. it is trivial to change a mac address, although yes the user would need to know it.

If you want to protect against unauthorised access then you need to authenticate users before they get access to the network.

There is not a lot I can say about the other point ie. yes it's a lot of work if users are continually moving around but then if they are it doesn't make sense to use the mac-address sticky option.

Like I say it can be useful to tie mac addresses to ports if the majority of your users don't move around a lot.

It is also helpful to stop your users connecting things like hubs so they can have more ports.

It is just one, though, of many tools to secure your network.

Jon

Dear Jon,

If you want to protect against unauthorised access then you need to authenticate users before they get access to the network.

How??? Do you mean the user or a switchport?

thanks

You would need an 802.1x type solution where the switches play a part but you also need an authentication server and support on the clients, although I think all modern OSs do support it.

It is not a trivial thing to implement.

Jon

Dear Jon,

I knew you would provide me the 802.1x solution; I had just read about it roughly, not deeply, before your post, but I have a question.

What identity does a switch port provide to authenticate itself to the RADIUS server?

thanks

Dear Jon,

Awaiting your reply.

thanks

Sorry I missed your latest post.

What you typically do is -

1) configure the switch to use your authentication server together with a secret key that they both know

and

2) you then configure the switch as a client on the authentication server so it is allowed to send requests.

Jon

Dear Jon,

I have an ACS server 4.2.

This answer you provided is for the switch authentication, but what about the user PC MAC address? Do all the user PC/laptop MACs have to be known to get network access,

OR

does a user have to authenticate itself to the LDAP server and LDAP has to be integrated with ACS 4.2?

Can you elaborate in bullets the sequence of how the user PC gets authenticated?

Thanks


No you don't need to know the mac address of the PC although you may want to if you are doing machine authentication.

Basically you can authenticate the user, the client device or both.

For the user you could use certificates or username/password.

I haven't done machine authentication but if memory serves me right you also use certificates or the mac address.

You should be able to integrate your ACS server with AD so it can use AD for user credentials.

In terms of the process, when the user first logs on or boots up their client, the switch either challenges the client or the client simply sends its credentials to the switch.

They both use EAP to achieve this.

The switch acts as the authenticator and communicates with the ACS server and the client to negotiate access to the network.

If you want to know the detailed process have a look at your switch configuration guide and it goes through the whole process in terms of the switch and client there.

Jon


Dear Jon,

In terms of the process, when the user first logs on or boots up their client, the switch either challenges the client or the client simply sends its credentials to the switch.

They both use EAP to achieve this.

The switch acts as the authenticator and communicates with the ACS server and the client to negotiate access to the network.

A user without dot1x is also authenticating with Microsoft AD, so it doesn't make sense to send traffic to ACS and then AD.

As you told, USER + MAC ADD really makes sense.

Basically you can authenticate the user, the client device or both.

I need to authenticate the MAC of the user PC so that any other outsider laptop or PC cannot get any access to the network. Any configuration example from Cisco for both (user+mac) or from any other website?

I found the below link for user authentication only:

http://packetlife.net/blog/2008/aug/06/simple-wired-8021x-lab/

thanks

A user without dot1x is also authenticating with Microsoft AD, so it doesn't make sense to send traffic to ACS and then AD.

That's not true.

What if a user simply configured an IP address on their machine and connected to the port? No need to authenticate with AD; they still have access to your network.

If you want to configure machine authentication look at the ACS configuration guides, all the information is in there.

Jon
