Layer 2 authentication on VoIP phones (802.1x)

Transcription

1 White Paper Layer 2 authentication on VoIP phones (802.1x) IP Telephony offers users the ability to log-on anywhere in the world. Although this offers mobile workers great advantages, it presents new challenges for system administrators who need to ensure that they only allow authorized users into their enterprise network. The standard 802.1x provides an authentication process verifying that only permitted devices are allowed onto the network. In addition to supporting security, 802.1x also reduces costs by simplifying adds / moves / changes and allows employees to more easily change locations. This paper discusses the reasons customers ask for 802.1x, the technical principles of 802.1x, and the methods for deploying 802.1x certificates on end devices. A white paper issued by: Siemens Enterprise Communications Siemens Enterprise Communications GmbH & Co. KG 2007, All rights reserved

2 Content Layer 2 authentication on VoIP phones (802.1x) 3 Introduction 3 The protocol: how it works x in a one-wire-to-the-desk scenario 5 Deployment 5 Status 7

3 Layer 2 authentication on VoIP phones (802.1x) Introduction 802.1x blocks unauthorized physical user access to the network What is 802.1x? is an IEEE Standard for port-based access control in order to enhance the security of local area networks, allowing a user to be authenticated by a central authority. The authentication is based on layer 2 of the OSI layer model and utilizes the following methods: digital certificates, User/Password, One Time Password (OTP) or MAC address. What are the advantages of 802.1x? Using 802.1x, access to the network is restricted to authorized entities. Together with a management system, it is possible to restrict access to particular resources and / or tag access to the network with QoS levels. It is also possible to have billing information for every connection. How can 802.1x improve profitability? enhanced network security (reduced risk of unauthorized usage of network resource, intrusion attempts, network attacks) simplified administration through central user management increased user mobility (project teams etc.) The protocol: how it works A VoIP phone acts as an 802.1x supplicant The authentication mechanism EAP-TLS (Extensible Authentication Protocol Transport Layer Security) is based on a device specific certificate. This device specific certificate is checked against the one in the user database. In the following diagram, you can see the different components within an 802.1x infrastructure. The 802.1x supplicant is typically an IP end device such as a laptop, PC or a VoIP phone. The 802.1x authenticator functionality is provided by an Ethernet switch in a LAN environment or a Wireless Access Point in a WLAN environment. The authentication server is a RADIUS server.

4 Components of the 802.1x architecture Using the authentication mechanism EAP-TLS the following sequence is executed. (Port of Ethernet switch is configured for EAP-TLS as well): 1. The IP telephone (supplicant) is connected, but the switch port is only opened for EAPOL packets. Remark: The phone sends an EAPOL Start to the LAN switch, to show "there is a new device". This message isn't necessary if a "Layer up" event is created during plugin of the LAN cable into port of the LAN switch. 2. The LAN switch (authenticator) sends an EAP (Extensible Authentication Protocol) request to the IP telephone requesting an authentication method, e.g. EAP-TLS. In case of EAP-TLS the RADIUS server sends its certificate to the phone. 3. The IP telephone checks the received RADIUS server certificate against the certificates stored in the phone's trusted store and answers the request by sending its certificate to the LAN switch using EAP-TLS Remark: All the communication between (1) and (3) is routed via the data VLAN. 4. The LAN switch forwards this information to a RADIUS Server (Authentication- Server) and the RADIUS Server verifies the information against the User Database (DB) 5. If the verification is successful, the LAN switch is informed and the switch port is opened for normal traffic according to its pre-configured privileges (VLAN, DiffServ/ToS, etc.). From now on typically voice VLAN is used. The VLAN ID is either provided by the DHCP server or via the administration (DLS or locally on the phone).

5 802.1x in a one-wire-to-the-desk scenario Also, in a one wire-to-the-desk scenario, the VoIP phone acts as a supplicant In typical VoIP scenarios today, PCs are plugged to the VoIP phone, eliminating the need of a second Ethernet cable from the cabinet switch to the same desk. An internal Ethernet switch in the VoIP phone relays all frames that are destined to the PC. Special care has to be taken, when using 802.1x in such a single-wire-to-the desk scenario. With standard 802.1x port-based authentication, the LAN port is opened for both, the telephone and the PC, if only one of them is authenticated. This would create a security hole, since the PC port of an authenticated VoIP phone is unprotected. The LAN switch features MultiDomain Authentication (Cisco s terminology) or MultiUser Authentication (Enterasys terminology) instead provide support for independent device-based authentications of different devices that are connected (via a VoIP phone) to the same LAN port. In such a way, the respective LAN switch is able to authenticate the VoIP phone and the PC, and both can be in separate VLANs.. Remark: for the detailed descriptions of the supported authentication options please refer to LAN switch vendor provided documentation. Deployment Deployment of 802.1x devices in a 802.1x-secured network has its challenges: at time of deployment, the device does not yet have the credentials on board that are necessary to connect to the network. Downloading will involve communication via the LAN switch. So how can the phones get access to its 802.1x certificates, private keys and CA certificate? One possibility is to download the certificates onto the end devices in an off-line, separate network. Another possibility is to allow access to a default VLAN throughout the whole 802.1xsecured network, but only allow the device to contact the servers needed to download the certificates. Deployment via a Default VLAN First communication via default VLAN to get the certificate, second communication in an authenticated way To prepare the deployment, the company specific certificates are made available within Deployment Server (the DLS) for all Siemens hard phones via an Import File, 1. The initial phase (i.e. in the quarantine phase) is to be handled over the Default VLAN (in the Enterasys case), or in the data VLAN with limited access, i.e. only to the DHCP server and DLS. In this phase, the 802.1x device specific certificate together with all other configuration data are downloaded onto the IP phone. Note: Until certificates have been installed for 802.1x, the phone ignores all EAP-TLS requests, assuming that a device that does not support 802.1x could be put on the Default VLAN by the switch (otherwise; the challenge would fail at this point and the port would be closed). Once the certificates have been installed, the phone takes part in the EAP-TLS exchange. 2. After having received the credentials all further communication will be authenticated by the next LAN switch.

6 x (EAP-TLS) Radius Server 802.1x (EAP-TLS) 1a 1 WBM DLS Deployment via an off-line Network Preparation for Step 1: Company specific certificates (i.e. phone specific certificate and CA certificate) are made available via Import File within the Deployment Server (DLS) for all Siemens hard phones to be authenticated Step 1: 802.1x certificates are distributed to all Siemens hard phones within an off-line network (without 802.1x enabled) with a separate DLS and DHCP server. Off-line, the DLS has the 802.1x certificates preconfigured in its database. Preparation for Step 2: Configure the Layer-2 switches so that, without the company specific certificates, no communication at all is allowed; i.e. no port will be opened in such a case.

7 Step 2: All phones are plugged in at their destination locations. As the phones are now preconfigured with the correct company specific certificates, access to the "real-life" DHCP and DLS is granted. All other configuration data is distributed via the DLS. Status The standard can be found at: Additionally you can find information about 802.1x under and on the Siemens Enterprise Communications Wikipedia site: including a 802.1x admin guide to know how to configure 802.1x within the VoIP environment x is currently available on optipoint 410, 420 and on the optipoint WL x is planned on OpenStage for the second half of Remark: For the opticlient 130 (S) 802.1x is not relevant due to the fact that 802.1x is based on layer 2 and is handled by the PC itself x deployments have been tested with the Enterasys Matrix N Series; Nortel BayStack 5520; HP ProCurve Switch 3500yl; Huawei S3026C and Netgear FSM726S Managed Stackable Switch (no multi-user authentication), and Cisco s Catalyst 3560.

8 Abbreviations DHCP Dynamic Host Communication Protocol DLS Deployment Server EAP Extensible Authentication Protocol IP Internet Protocol LAN Local Area Network LDAP Lightweight Directory Access Protocol MAC Media Access Control Public Key Infrastructure TLS Transport Layer Security VLAN Virtual Local Area Network WLAN Wireless Local Area Network

9 All rights reserved. All trademarks used are owned by Siemens Enterprise Communications or their respective owners. Siemens Enterprise Communications GmbH & Co. KG The information provided in this whitepaper contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of the contract. Availability and technical specifications are subject to change without notice. Printed in Germany. Siemens Enterprise Communications GmbH & Co. KG Hofmannstraße 51 D München