NEC Corporation of America. Design Guide for Port Based Network Access Control (NAC)/802.1x and OpenFlow Network Integration. Version 3.

Transcription

1 NEC Corporation of America Design Guide for Port Based Network Access Control (NAC)/802.1x and OpenFlow Network Integration Version 3.0

2 Table of Contents 1. Introduction Error Bookmark not defined. 1.1 Purpose Error Bookmark not defined. 1.2 Overview Error Bookmark not defined. 2. Use Cases for Wired Users and Wireless Users Demo Environment Wired users Error Bookmark not defined. 2.3 Wireless users Error Bookmark not defined. 3. Configuration Examples Dell PoE 802.1x enabled Switch Radius Server to use FreeRadius Server 4 4. OpenFlow Switches and ProgrammableFlow Controller OFS versions OFS types Edge OFS: Core OFS: PFC Configuration Example 8 5. Glossary 11 Revision History 11 NEC Corporation of America, 2015 Page 2 of 11

3 1. Use Cases for Wired Users and Wireless Users 1.1 Demo Environment The following servers and switches are used to build the demo for both use cases as a reference. Switch/Server Hardware OS Software Version ProgrammableFlow Controller PFC V6.0 NEC Express5800/R120b-2 CPU: Intel(R) Xeon(R) CPU X5690 Memory: 24GB HDD: 300GB, 10000rpm, (RAID-1) NIC: 1000Base-T x 6 Power: AC100V/200V±10%, Redundant power supply FAN: Redundant fan Optical drive for DVD-RAM Red Hat Enterprise Linux 6.4 (x86_64) Kernel version: kernel el6.x86_64 RADIUS Server ESXi VM CentOS 6.4 FreeRADIUS running version DHCP Server ESXi VM CentOS 6.4 Wireless LAN Controller ESXi VM Meru WLC MC4200V sdn x Switch Dell PowerConnect5524P Firmware PF5240 Switch PF5240R-48T4XW-AX OS-F3PA Ver. V PF5820 Switch NEC PF5820 Software Version Management/Secure Channel Switch Cisco 2960S IOS 12.2(55)SE7 2. Configuration Examples 2.1 Dell PoE 802.1x enabled Switch vlan 2,11-20,55, ,4000 radius-server host usage dot1.x radius-server key testing123 logging host severity debugging aaa authentication dot1x default radius interface vlan 2 ip address < Dell Switch Mgmt interface vlan 4000 ip address interface gigabitethernet1/0/2 < Radius Server switchport access vlan 2 interface gigabitethernet1/0/3 <----In this demo,vlan 12 will be assigned after authentication dot1x host-mode multi-sessions dot1x reauthentication dot1x radius-attributes vlan dot1x port-control auto NEC Corporation of America, 2015 Page 3 of 11

4 interface gigabitethernet1/0/4 < Uplink to PFS (MCLAG) switchport mode trunk switchport trunk allowed vlan remove 1-2,11,4000 interface gigabitethernet1/0/5 < Uplink to PFS (MCLAG) switchport mode trunk switchport trunk allowed vlan remove 1-2,11,4000 interface gigabitethernet1/0/6 <---- In this demo,vlan 13 will be assigned after authentication dot1x host-mode multi-sessions dot1x reauthentication dot1x radius-attributes vlan dot1x port-control auto interface gigabitethernet1/0/7 < Meru AP switchport access vlan 2 interface gigabitethernet1/0/8 < Meru WLC switchport mode trunk switchport access vlan none switchport trunk native vlan 2 switchport trunk allowed vlan remove 1,11-20,4000 interface gigabitethernet1/0/24 < Uplink to management network switchport access vlan Radius Server to use FreeRadius Server Details Tips for CentOS (Warning: You should read the manual to get more detail configuration info. The following is just tips to help you get you started the server) FreeRadius Server Installation: yum install freeradius freeradius-mysql freeradius-utils mysql-server -y mysql setup service mysqld start chkconfig --levels 235 mysqld on /usr/bin/mysql_secure_installation mysql -uroot -p CREATE DATABASE radius; GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY " YourPASSWORD "; flush privileges; mysql> use radius; SOURCE /etc/raddb/sql/mysql/schema.sql SOURCE /etc/raddb/sql/mysql/admin.sql SOURCE /etc/raddb/sql/mysql/nas.sql NEC Corporation of America, 2015 Page 4 of 11

5 mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','User-Password',':=','test'); Now open up CentOS:/etc/raddb/sql.conf and enter your mysql database details you just created, Example: # Connection info: server = "localhost" #port = 3306 login = "radius" password = "YourPASSWORD" # Database table configuration for everything except Oracle radius_db = "radius" In /etc/raddb/radiusd.conf ensure that the line saying: $INCLUDE sql.conf is uncommented. FreeRadius server configuration to enable, EAP and PEAP /etc/raddb/eap.conf eap{ use_tunneled_reply = yes peap { copy_request_to_tunnel = yes use_tunneled_reply = yes Open up /etc/raddb/clients.conf set your secret to something a bit more random, example: Change: secret = yoursecret Debug mode of Radius server command: radiusd X /etc/raddb/users to manage user credentials and VLAN info, one option to test quickly. Using DB tables is recommendable for production level setup. /etc/raddb/authorized_macs to manage MAC addresses of each user: add new MACs for end stations to come in to the network. The following scenario is from wireless use case when wireless end station uses PEAP and MS-CHAPv2 with lee user name and D2-A0 MAC address. Password is hidden from debugging messages. /etc/raddb/users has user credentials and VLAN info. An example of debugging messages from Radius Server with the request from 802.1x switch which authentication request comes from end stations: NEC Corporation of America, 2015 Page 5 of 11

6 rad_recv: Access-Request packet from host port 65412, id=10, length=196 < is 802.1x switch IP User-Name = "lee" <- User Name NAS-IP-Address = NAS-Port = 0 Called-Station-Id = "80-EA-96-F :8021x" Calling-Station-Id = " D2-A0" < x s client, supplicant s MAC address Framed-MTU = 1400 NAS-Port-Type = Wireless Connect-Info = "CONNECT 0Mbps " EAP-Message = 0x02f1002b a941fee3dfc1e8bc55c8f52a359c7f0db0271abb69d40f92c03f4e50a30e4139 State = 0x8996e0de8067f944f83f a9247 Message-Authenticator = 0x009d ddfbce7c61491f29fba2a Sending Access-Accept of id 10 to port <- Response to 802.1x switch Reply-Message = "Device with MAC Address d2-a0 authorized for network access" <- Authorized calling station Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" <- VLAN ID set in Radius Server for the specific user, lee User-Name = "lee" <- lee User Name got authenticated MS-MPPE-Recv-Key = 0x6874f146e6fdf017b39f4975a31943dfa85d14db137ee592f1c3410ca32921de MS-MPPE-Send-Key = 0x6fb8154bdf06f911cca4883e82003e8d8ce bfd5d1263d72702d4fbc11 EAP-Message = 0x03f10004 Message-Authenticator = 0x NEC Corporation of America, 2015 Page 6 of 11

7 3. OpenFlow Switches and ProgrammableFlow Controller An Openflow switch is a software program or a hardware that forwards packets based on the flow rules defined by an Openflow Controller. The configuration is based on Figure 2 and Figure 7 to illustrate physical topology. 3.1 OFS versions 1. Openflow version Openflow version 1.3 The demo was built based on OF1.3. OF version doesn t matter for this demo. The example is a just reference. PFC example config for OF1.3 network-default { openflow-version 1.3 PF5240 openflow openflow-id 1 protocol-version OFS types The demo shows to enable VLAN auto configuration so that PFC automatically sets VLANS into switches to avoid VLAN configuration mistakes on each switch. Currently VLAN auto configuration from PFC works only on NEC PF524x switches. 1. Edge OFS 2. Core OFS Edge OFS: Edge OFS are used to connect hosts/vms/non-openflow devices. This demo used PF5240. PF5240 SW1 interface gigabitethernet 0/15 description "Uplink from 0/4 of Dell" initial-inactive switchport mode trunk openflow-table-resource mode 14 openflow openflow-id 1 protocol-version 04 controller controller-name pfcserver dpid table normal1 priority table expanded priority openflow-interface gigabitethernet 0/1-40, gigabitethernet 0/43-48, tengigabitethernet 0/49-52 emergency-mode disable mac-learning disable enable PF5240 SW2 interface gigabitethernet 0/15 description "Uplink from 0/5 of Dell" initial-inactive switchport mode trunk openflow openflow-id 1 NEC Corporation of America, 2015 Page 7 of 11

8 protocol-version 04 controller controller-name pfcserver dpid table normal1 priority table expanded priority openflow-interface gigabitethernet 0/1-40, gigabitethernet 0/43-48, tengigabitethernet 0/49-52 emergency-mode disable mac-learning disable enable Core OFS: Core switches are connected to other edge OFS only and not to any non-openflow devices. This demo used PF5820. Core VLAN 4009 should be set manually on PF5820, but 4009 was set automatically on Edge OFS. interface port 59 no learning switchport access vlan 4009 flood-blocking exit interface port 60 no learning switchport access vlan 4009 flood-blocking exit To enable VLAN auto configuration on PFC side: real-network { vlan-connect enable vlan-auto-configuration enable 3.3 PFC Configuration Example The following is the example of PFC configuration of wired scenario with DHCP Server being in OpenFlow network. PFC works as a DHCP relay agent in this example as shown in Figure 3 and Figure 1. real-network { flow-entry-list dhcp { sequence-number 10 { mac-destination-address wildcard feff.ffff.ffff mac-ether-type 0x800 ip-protocol 17 l4-destination-port 67 l4-source-port 68 vtn 8021xDemoVTN { vbridge vbr0013 { vlan-map vlan-id 13 <- end station will be dynamically detected by PFC when VLAN tagged packet (VLAN 13) comes into OpenFlow network initially interface if_vrt vbridge vbr0020 { NEC Corporation of America, 2015 Page 8 of 11

9 vlan-map vlan-id 4012 interface vbif00020 interface vbiftovrt vbridge vbr0033 { vlan-map vlan-id 33 interface if_s2 interface if_vrt vrouter vrt { interface if_vbr0013 { ip address /24 interface if_vbr0020 { ip address /24 interface if_vbr0033 { ip address /24 dhcp-relay server dhcp-relay interface if_vbr0013 dhcp-relay interface if_vbr0020 dhcp-relay enable vexternal DHCPserver { ofs-map ofs-datapath-id ofs-port GBE0/13 vlan-id 4012 tagged interface veif vexternal Server2 { ofs-map ofs-datapath-id ofs-port GBE0/13 vlan-id 33 tagged interface veif vlink vl_vbr001_vrt_ { vtn link vbridge vbr0013 interface if_vrt vtnnode vrt interface if_vbr0013 vlink vl_vbr002_dhcpserv_ { vtn link vbridge vbr0020 interface vbif00020 vtnnode DHCPserver interface veif vlink vl_vbr002_server2_ { vtn link vbridge vbr0033 interface if_s2 vtnnode Server2 interface veif vlink vl_vbr002_vrt_ { vtn link vbridge vbr0033 interface if_vrt vtnnode vrt interface if_vbr0033 vlink vl_vbr002_vrt_ { vtn link vbridge vbr0020 interface vbiftovrt vtnnode vrt interface if_vbr0020 NEC Corporation of America, 2015 Page 9 of 11

10 The following is the example of PFC configuration of wireless scenario with DHCP Server being in traditional network. WLC works as a DHCP server in this example as shown in Figure 8 and Figure 9. vtn WirelessVTN { vbridge vb14 { vlan-map vlan-id 14 <- end station will be dynamically detected by PFC when VLAN tagged packets (VLAN 14) comes into OpenFlow network initially interface vbifrouter14 vbridge vb44 { vlan-map vlan-id 44 interface vbif44 interface vbrouter44 vrouter vr { interface vrif14 { ip address /24 interface vrif44 { ip address /24 vexternal ve44 { ofs-map ofs-datapath-id ofs-port GBE0/13 vlan-id 44 tagged interface veif vlink vl_vb14_vr_ { vtn link vbridge vb14 interface vbifrouter14 vtnnode vr interface vrif14 vlink vl_vb44_ve44_ { vtn link vbridge vb44 interface vbif44 vtnnode ve44 interface veif vlink vl_vb44_vr_ { vtn link vbridge vb44 interface vbrouter44 vtnnode vr interface vrif44 Warning: To make PFC configuration clear on each VTN in this demo, MCLAG setting on PFC is omitted x Supplicant Configuration Example on Windows and Linux Clients Windows for wired and wireless Linux CentOS or RedHat Configuring_Connection_Settings.html NEC Corporation of America, 2015 Page 10 of 11

11 4. Glossary PFC NEC PF6800 ProgrammableFlow Controller PFS NEC PF524x/PF5820 ProgrammableFlow Switch NAC Network Access Control PEAP Protected Extensible Authentication Protocol RADIUS Remote Authentication Dial In User Service WLC Wireless LAN Controller AP Access Point OFS OpenFlow Switch Revision History Revision Date Author Note 1 1/22,2015 Jenny Initial version Oshima 2 2/3, 2015 Jenny Oshima Added wired/wireless user scenarios, configuration examples, supplicant configuration NEC Corporation of America, 2015 Page 11 of 11