Saturday, July 31, 2010

Autonomous APs: Network EAP vs. Open with EAP, the right combination

When configuring an SSID with EAP/802.1X on an autonomous AP, you are given the choice between Network EAP and Open with EAP (or both).

On the CLI, you would say:
dot11 ssid whatever
   authentication open eap eap_methods
   authentication network-eap eap_methods
As Cisco documentation (for example here) is... er... not completely clear (thanks Seth for pointing me to it!), if not completely wrong, here is a quick summary of which one to choose and when.

First, background information on why this is here (skip this part if you don't care about the whys and just care about the hows).
All this started at the time when we had "nothing" (Authentication set to 0 in the AP beacons) or WEP PSK (Authentication set to 1 in the AP beacons). WEP was weak, so everybody needed a replacement for it. Cisco implemented LEAP, which implies both an authentication mechanism and some encryption. So Cisco set the Authentication value to 1 in the AP beacons when using LEAP, not to indicate PSK but to indicate "authentication required" (and this is also why you cannot use LEAP with no encryption). But this does not really conform to the (future, when LEAP was created) 802.11i (and WPA) specifications, so this is Cisco specific...
Later on, when WPA and 802.11i appeared, the protocol detailed that, for compatibility with the 802.1X protocol, the authentication would occur at the association phase. In other words, with 802.1X you plug your PC into a switch, and it is only when you do that that authentication occurs. Similarly in the wireless space, you go through the 802.11 authentication phase (request/response) in an open manner, and it is only when you go to the association phase, which is the "hey, plug me into your cell" message, that the AP says "wait, I need to do 802.1X authentication first", and the EAP process starts. So, Authentication is set to 0 (for its 802.11 part), and EAP/802.1X starts at the association phase.
At the same time, in 2004, ASLEAP was released, and so was 802.11i, following WPA the year before. So when Cisco replaced LEAP with EAP-FAST, the information I have is that they conformed to the WPA/802.11i specifications, and Authentication is set to 0.

So, (whatever the documentation above says) Network EAP = LEAP. Open with EAP = Any other EAP. This is something you see when checking Network EAP: the popup window clearly states that if you use EAP-FAST or any other EAP (than LEAP), you should check Open with EAP. You can of course check both when you want to allow LEAP and another EAP, but you will not be able to authenticate using EAP-FAST if you choose Network EAP only...

There is one exception though... for a long time, LEAP was the default "secure" authentication method. This means that some old Cisco clients (for example access points!) need to be offered LEAP to get started (or turned on, name it the way you like)!
In other words, if you build a wireless link between 2 APs, for a repeater, bridge or Workgroup Bridge configuration, and if you use 802.1X on that link, you need to offer LEAP (i.e. Network EAP) for the secure authentication to be used. So you can offer Network EAP, or Network EAP and Open with EAP, but you should not offer just Open with EAP.
Which one is going to be used if you offer both? Well, it all depends on how you configure your client side (non root Bridge, Workgroup Bridge, etc). If you use the "old" EAP Client (optional feature), in the SSID page:

Which is in the CLI:
dot11 ssid whatever
   authentication client username jerome password 7 104D000A0618
This is going to use LEAP only.
If you want to use another EAP, for example EAP-FAST, you need to empty that EAP Client field (it cannot be used in combination with another method), then use the AP Authentication feature.

In this page, you define credentials and method. You can pick up several methods if you want.
Then from the SSID page, you can call these methods:

In the CLI, this is:
dot11 ssid whatever
   dot1x credentials jerome
   dot1x eap profile Myfast
exit
eap profile Myfast
   method fast
dot1x credentials jerome
   username cisco
   password cisco
So you offer both LEAP and Open with EAP, and using the newer AP Authentication method allows you to use the credentials you defined, and to use the most secure method selected. In this example, we use EAP-FAST only, so that's the one we'll use. Of course, the RADIUS to which your main AP points (local RADIUS on the main AP or external RADIUS) needs to allow that method.
Careful when testing: it is only from the non-root AP / WGB / repeater CLI that you will see, at authentication time, which method was used. The main AP CLI will just tell you "WPA", or "Open", etc., but not the details of the authentication method used.
If you offer just Open with EAP, as the AP expects LEAP (Network EAP) among the possibilities, then the EAP part is discarded. Although your link may come up, if you look carefully at your non-root AP CLI, you will see that the authentication is going to be "Open" (NOT with EAP), so there is no real authentication there. As soon as you also offer Network EAP, the non-root AP is happy, being offered LEAP but also something stronger, and is going to use the stronger method (EAP-FAST in our example).
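As an added example (not from the post or Cisco's own tooling), a small Python lint that reads a constructed `dot11 ssid` snippet and flags the three combinations the post warns about: Network EAP only (LEAP only, so EAP-FAST fails), Open with EAP only on a link whose client is a Cisco AP (falls back to Open, no real authentication), and the old EAP Client username mixed with a `dot1x eap profile`. The SSID names and the `cisco_ap_client` flag are assumptions for the example.

```python
import re

# Constructed sample configuration for the check below (not the post's lab config).
SAMPLE_CONFIG = """
dot11 ssid bridge-link
   authentication open eap eap_methods
   dot1x credentials jerome
   dot1x eap profile Myfast
exit
dot11 ssid clients
   authentication open eap eap_methods
   authentication network-eap eap_methods
exit
"""

def parse_ssids(config):
    """Return {ssid: set of auth features} from the 'dot11 ssid' blocks."""
    ssids, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = m.group(1)
            ssids[current] = set()
        elif current and line.startswith("authentication open eap"):
            ssids[current].add("open-eap")
        elif current and line.startswith("authentication network-eap"):
            ssids[current].add("network-eap")
        elif current and line.startswith("authentication client username"):
            ssids[current].add("leap-client")   # old EAP Client field: LEAP only
        elif current and line.startswith("dot1x eap profile"):
            ssids[current].add("eap-profile")   # AP Authentication: e.g. EAP-FAST
        elif line == "exit":
            current = None
    return ssids

def check_ssid(features, cisco_ap_client):
    """Findings for one SSID; cisco_ap_client is True for a bridge/WGB/repeater peer."""
    findings = []
    if "network-eap" in features and "open-eap" not in features:
        findings.append("Network EAP only: LEAP only, EAP-FAST and other EAPs will fail")
    if cisco_ap_client and "open-eap" in features and "network-eap" not in features:
        findings.append("Open with EAP only: Cisco AP client falls back to Open, no real authentication")
    if "leap-client" in features and "eap-profile" in features:
        findings.append("EAP Client username cannot be combined with dot1x eap profile")
    return findings

if __name__ == "__main__":
    for name, feats in parse_ssids(SAMPLE_CONFIG).items():
        print(name, check_ssid(feats, cisco_ap_client=(name == "bridge-link")))
```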
Give it a try in your lab!
;-)

8 comments:

  1. Thank you for the thorough explanation, Jerome! This makes things much clearer for me. Good job noting that for AP to AP communication Network EAP needs to be enabled - I think I would have overlooked that if it was not stated outright in your post.

  2. Thanks again for the explanation Jerome. Although I also tried using EAP-FAST with only network-eap and it seems to work fine. Do you recommend, when using EAP-FAST, to offer both network-eap and open eap?

  3. Hi anonymous,
    I would recommend using Network EAP + Open w/ EAP when using EAP-FAST if your client is a Cisco AP. Otherwise, with a standard client, Open w/ EAP is enough to make the client happy...
    :-)

  4. Hello Jerome.

    First of all I would like to congratulate you on the excellent blog and the CCIE channel.
    You have helped me so much.. (keep up the good work!!!).
    I was wondering if it is possible to secure a PtP link using PEAP authentication and an external RADIUS server.
    Based on your config i think this scenario should work.
    Have you tried this or something similar?

    Best regards.

    Christos.

  5. I have a problem to start this type of authentication with my AP.
    I used the config you posted but I'm not getting login.
    I enabled some debugs and what happens is these messages:

    an 3 12:15:11.896: AAA/BIND(000000A5): Bind i/f
    Jan 3 12:15:11.896: dot1x-registry:registry:dot1x_ether_macaddr called
    Jan 3 12:15:14.943: dot1x-ev:dot1x_mgr_process_eapol_pak: dot1x eapol on dot11 interface
    Jan 3 12:15:14.944: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
    Jan 3 12:15:14.944: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
    Jan 3 12:15:14.944: dot1x-registry:registry:dot1x_ether_macaddr called
    Jan 3 12:15:27.512: dot1x-ev:dot1x_mgr_process_eapol_pak: dot1x eapol on dot11 interface
    Jan 3 12:15:27.512: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
    Jan 3 12:15:27.512: dot1x-err:No dot1x subblock
    Jan 3 12:15:27.512: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator

    Could you give me some help?

    Thanks in advance

  6. Nice description in the EAP-Jungle of Autonomous AP's...Thanks Jerome:)

  7. Hi Jerome,

    Thanks for the excellent write up. I have an issue in my network and would like to get some suggestion:

    I am using a 3602 AP with a 5508 WLC and the clients are windows 8 with 2013 drivers installed. I am facing connectivity issues on certain clients intermittently. I performed netmon packet captures on the problem client in local mode and ran simultaneous debugs on the WLC. My observation is:
    ++ The Client send an association request
    ++ WLC receives and send an EAP ID request with ID=1
    ++ Client receives the request BUT sends an EAPOL start packet
    ++ WLC receives this EAPOL start and then restarts the EAP process and sends another EAP ID req packet with ID=2
    ++ Client receives this packet but doesn't respond
    ++ On the WLC debugs at this point. I see one more EAPOL start packet from the client
    ++ Thus the WLC restarts the EAP process and send one more EAP ID req with ID=3
    ++ Client receives this EAP ID req packet with ID=3
    ++ Client responds now to the first request packet with ID=1
    ++ WLC debugs say that received a response with mismatched EAP ID. (expecting ID=3 but received ID=1)
    ++ The problem is that the client netmon captures show only 1 EAPOL start packet being sent, whereas we see 2 EAPOL start packets on the WLC debugs.
    ++ It's very clear that the root cause is this second EAPOL start packet being seen on the WLC, which actually restarts the EAP process
    ++ Now, I have the following questions:
    >> At which exact point does the Netmon capture packet on the client ? What all components are there on the client during the traffic transmission and reception ?
    >> Is it possible that running the Netmon on a third machine might show us a different picture on the problem client ?
    >> The only component between the client and the WLC is the AP. Is it possible that the AP is replaying the EAPOL start packet twice ? or the WLC itself is replaying it ?

    Your kind suggestions will be highly appreciated.

    Thanks ,
    Manish

  8. Waooow!!! Magnificent blogs, this is what I wanted to search. Thanks buddy
