Go back

Why Automation Is a “Must” for Deploying 802.1x on a Wired Network

NB author by Phillip Gervasi May 4, 2018

I’ve been doing a lot of 802.1x projects lately. And by a lot, I mean a lot. Solutions such as Cisco’s Identity Services Engine, Packetfence, and our old favorite Microsoft Network Policy Server are fast becoming the cornerstone of wired network access rather than an interesting corner case for only the most security-minded.

For me, the biggest challenges haven’t been the policies, the integrations, or the licensing (don’t get me started on licensing). The biggest challenge to deploying 802.1x on a wired network has been the incredible tedium of network discovery and having to configure every single switchport in the access layer.

Normally we log into our domain-joined computer and authenticate with a username and password against an LDAP directory such as Microsoft Active Directory. This controls access to network resources such as file shares, applications, and network printers. However, using 802.1x authentication and authorization allows us to bring network security to a whole new level.

An 802.1x solution such as Cisco ISE can use the same back-end LDAP database to grant or deny access to the network itself. In other words, the switchport won’t even forward traffic if an end-user fails to authenticate. And rather than use only a username and password, a robust network access solution can look at multiple conditions in order to grant access.

The biggest challenge to deploying 802.1x on a wired network has been the incredible tedium of network discovery and having to configure every single switchport in the access layer.

 

The Manual Approach: A Months-Long Nightmare

Today, many organizations are taking it even further and using this method to dynamically assign ACLs and VLANs to a particular switchport based on user identity, computer identity, type of device, computer health, or some combination of these and other factors. This is very powerful, because it gives network administrators much more granular control over network access, especially when contending with BYOD, shared workspaces, and guest users.

I’ve worked on an ISE project for a global organization with several hundred thousand employees, school districts with a thousand staff members and thousands of students, and small companies with only a few hundred employees total. The back end is always about the same: a few domain controllers, maybe in a cluster or maybe not, a few ISE servers, also possibly in a cluster, and very similar policies. The difference, however, is how many switches I have to look at and how many ports I have to touch.

NetBrain discovering devicesNetBrain auto-discovers more than 2,000 devices per hour — hundreds of models across dozens of vendors.

This is where it gets interesting. Cisco ISE doesn’t act on its own. The switch a device plugs into is actually a proxy that speaks to the Cisco ISE server on behalf of the client. Therefore, the hardware and software version of the switch must be compatible with the version of ISE that’s being used.

In order to deploy Cisco ISE successfully, you need to inventory your entire access layer to see if there are any switches that need to be replaced or upgraded. In a large organization this can take a small team literally weeks to accomplish.

Even with network diagrams as an aid, crawling a large network to get specific switch hardware and software versions is mind-numbingly tedious. For one project in particular it took me several months of daily manual discovery with show cdp neighbors and show version.

After compatibility is addressed and the ISE servers are configured, an engineer has to configure each switch with a few lines of global dot1x configuration followed by configuring each individual port with the appropriate dot1x config as well.

If ever there was a case for network automation, this is it.

The Automated Approach: Discovery and Troubleshooting in Minutes

NetBrain’s automated discovery function creates a Dynamic Map, or in other words, a real-time network topology than can update itself periodically. This provides engineers an accurate map of the network in minutes rather than the hours, days, or weeks it could take manually, and this is no trivial benefit. NetBrain can discover thousands of devices in an hour, including hundreds of models across dozens of vendors. Certain versions of Cisco ISE will just not work with particular hardware or software platforms, so for a wired 802.1x implementation to work, a network discovery is not just helpful, it’s essential.

For a wired 802.1x implementation to work, a network discovery is not just helpful, it’s essential.

 

After upgrading hardware and software to the correct versions, the next step is to globally enable 802.1x on every switch and add the relevant switchport configuration to every switchport. The configurations themselves aren’t difficult, but do the math. . . .

Even a moderate-sized organization may have hundreds of switches. And even after factoring in servers and trunk ports, this could still mean tens of thousands of switchports.

In my experience, rolling out wired 802.1x is done in phases. Typically it’s location by location, using a fail-open strategy just in case things go wrong during a cutover. Most of the change window, however, is configuring devices. Some configurations can be pre-staged, such as the global 802.1x commands, but many are at the port level and take effect as soon as they’re added.

After cutting a site over, the troubleshooting begins. There’s always at least one device that’s just not connecting, and it’s a matter of tracking down the switch and port that device is plugged into and checking configuration. However, when we’re talking about many switches, it’s rarely just one device that has issues.

After a post-cutover Dynamic Map is created, NetBrain’s Executable Runbooks can programmatically search for configuration anomalies, or in our example, troubleshoot a large wired 802.1x implementation, with only a few clicks. This is an incredibly powerful tool when so many devices are integrated into an overall authentication solution.

Keep in mind that for me, the biggest challenges I’ve faced deploying 802.1x on a wired network haven’t been the policies in whatever network access server I was using.  The biggest challenge is surveying the entire network accurately and quickly in order to deploy many lines of configurations to almost every switch in the access layer.

Manual discovery and troubleshooting is a complete waste of time — I know because I’ve been there. Automating these mundane tasks with NetBrain ensures a much more accurate view of the network as well as a much more efficient means of troubleshooting large numbers of devices at once.

Related