DIY MAB library for Microsoft NPS
Recently more and more companies have started taking network security seriously, and in particular access control for the local network inside the organization. It is no longer unusual for a security policy to require that every device connected to the wired or wireless network be authenticated (leaving aside equipment that is physically isolated in server rooms).
As a network engineer I was given the job of making all of this happen. I should say right away that our company has more than ten offices of various sizes, with anywhere from one to thirty Cisco Catalyst access-layer switches each. Historically, almost every office already had Microsoft Network Policy Server (NPS) deployed as the RADIUS server for authenticating wireless clients.
These NPS servers were what the task had to be built on: a centralized RADIUS server such as Cisco ISE / ACS was ruled out by the unreliability of the WAN links, and there was no budget for other products.
Consider the problem in more detail.
1) The following must be authenticated:
- corporate workstations;
- IP phones and conference devices;
- network printers;
- CCTV cameras;
- etc.
2) A VLAN must be assigned dynamically to each authenticated device, because some of them (video conferencing units, for example) move between floors. Phones must land in the tagged voice VLAN and all other devices in the data VLAN.
Workstations are authenticated with 802.1X using the certificate installed on them. That is easy to do in NPS: create a Network Policy whose conditions are Authentication Type = EAP (in practice EAP-TLS, where the supplicant and the authentication server build a protected channel using their certificates) and NAS Port Type = Ethernet (for wired connections) or Wireless (for wireless ones).
For extra assurance, add a condition that the computer belongs to a domain group. VLANs are assigned with the standard RADIUS attributes, although Vendor Specific Attributes can also be used, as discussed below.
The other devices have no 802.1X supplicant, so MAB (MAC Authentication Bypass) has to be used for them. With MAB the switch builds the RADIUS Access-Request on the endpoint's behalf: it puts the device's MAC address into the User-Name and Calling-Station-Id attributes (and, on Cisco, marks the request with Service-Type = Call-Check). Cisco Catalyst switches run MAB as the fallback for 802.1X, i.e. after the port has sent EAPoL requests and received no response. Keep in mind what MAB actually proves: only that a device presents a particular MAC address, which is trivial to clone, so a MAB profile should get the narrowest VLAN and access that the device type needs.
It turned out that NPS can do MAB only by binding it to Active Directory: each device needs its own AD account named after its MAC address, which categorically did not suit us. So it was decided to "finish" NPS into proper MAB support. Fortunately, NPS can load extension DLLs, listed in the registry under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy (values ExtensionDLLs and AuthorizationDLLs), and that is what I took advantage of.
Having gathered a pile of sparse Microsoft technical documentation, the RADIUS RFC, and the few examples I could find online, and adding my limited programming skills to them, I got a working result ... two months later.
The library is loaded together with NPS and implements RadiusExtensionProcess2, which NPS calls for every request with a RADIUS_EXTENSION_CONTROL_BLOCK that gives access to the request attributes and lets the DLL set the response. My code identifies MAB requests by comparing Calling-Station-Id (the client's MAC address) with User-Name: in a MAB request both carry the same MAC, though not in the same format (Cisco sends User-Name as twelve hex digits without separators and Calling-Station-Id with dashes), so the comparison has to normalize case and separators. MAB could also be identified by other attributes, for example Service-Type = Call-Check, but I chose this method.
Once the request is known to be MAB, the client's MAC is checked against the MAC address database. Every address is bound to a profile (data, voice, printer, ...), and each profile defines the form of the RADIUS response.
Since I was dealing with Cisco equipment, I chose to put the VLAN assignment into the Cisco Vendor Specific Attribute (VSA), the AV-Pair, in the RADIUS response. With it the switch can be told to put the client into a given data or voice VLAN (to be honest, I did not use the standard RADIUS attributes here either, because I just could not get the program to work correctly with them).
Example 1: put the client in VLAN 2:
tunnel-type = VLAN
tunnel-medium-type = ALL_802
tunnel-private-group-id = 2
(These three names are those of the standard RFC 3580 attributes Tunnel-Type (64, value VLAN = 13), Tunnel-Medium-Type (65, value 802 = 6, shown as "ALL_802" in NPS) and Tunnel-Private-Group-ID (81, the VLAN number as a string), which is what a Catalyst evaluates for dynamic VLAN assignment.)
Example 2: put the client in the voice VLAN configured on the port:
device-traffic-class = voice
(This one is a genuine Cisco AV-Pair: vendor 9, attribute 1, carried as a string inside RADIUS attribute 26.)
If the client simply belongs in the data VLAN already configured on the switch port, no VLAN attribute is needed at all: just send ResponseCode = AccessAccept.
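To make the three steps above concrete (recognize a MAB request, look the MAC up and find its profile, build the response), here is an added example in portable C. It is not the author's library and does not use the NPS Extension SDK: the attr_list type is a simplified stand-in for the attribute arrays a real RadiusExtensionProcess2 implementation reads from the RADIUS_EXTENSION_CONTROL_BLOCK, the mac_db table and every MAC address in it are constructed sample data, and the rule that an unknown MAC gets Access-Reject is my assumption. It goes slightly beyond the text in two places: the MAC comparison normalizes the separator and case differences between User-Name and Calling-Station-Id, and the VLAN 2 case is emitted as the standard attributes 64/65/81 rather than inside the AV-Pair.

```c
/* Added example, not the author's library: the MAB decision logic of an NPS authorization
 * extension in portable C, so it compiles and can be tested without the Windows NPS
 * Extension SDK. A real DLL implements RadiusExtensionProcess2() and reads/writes
 * attributes via RADIUS_EXTENSION_CONTROL_BLOCK; attr_list below just stands in for that. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {  /* RFC 2865 / RFC 2868 attribute numbers and values used here */
    ATTR_USER_NAME = 1, ATTR_SERVICE_TYPE = 6, ATTR_VENDOR_SPECIFIC = 26, ATTR_CALLING_STATION_ID = 31,
    ATTR_TUNNEL_TYPE = 64, ATTR_TUNNEL_MEDIUM_TYPE = 65, ATTR_TUNNEL_PRIVATE_GROUP_ID = 81,
    SERVICE_TYPE_CALL_CHECK = 10, TUNNEL_TYPE_VLAN = 13, TUNNEL_MEDIUM_802 = 6, MAX_ATTRS = 8
};
typedef enum { ACCESS_REJECT = 0, ACCESS_ACCEPT = 1 } response_code;
typedef struct { int id; unsigned long ival; char sval[64]; } radius_attr;
typedef struct { radius_attr a[MAX_ATTRS]; int n; } attr_list;

/* Profiles as on the page. The MACs in the table are constructed, not real. */
typedef enum { PROFILE_PORT_VLAN, PROFILE_DATA_VLAN, PROFILE_VOICE } profile_kind;
typedef struct { const char *mac; profile_kind kind; const char *vlan; } mac_entry;
static const mac_entry mac_db[] = {
    { "0011223344aa", PROFILE_VOICE,     NULL },  /* IP phone: port's voice VLAN */
    { "00aabbccddee", PROFILE_DATA_VLAN, "2"  },  /* printer: pinned to VLAN 2 */
    { "deadbeef0001", PROFILE_PORT_VLAN, NULL },  /* camera: port's own data VLAN */
};

/* Drop '-', ':' and '.', lowercase, require exactly 12 hex digits. Cisco sends
 * User-Name as 001122334455 but Calling-Station-Id as 00-11-22-33-44-55. */
int normalize_mac(const char *in, char out[13]) {
    int n = 0;
    for (; *in; in++) {
        if (*in == '-' || *in == ':' || *in == '.') continue;
        if (n == 12 || !isxdigit((unsigned char)*in)) return 0;
        out[n++] = (char)tolower((unsigned char)*in);
    }
    out[n] = '\0';
    return n == 12;
}
static const radius_attr *find_attr(const attr_list *l, int id) {
    for (int i = 0; i < l->n; i++) if (l->a[i].id == id) return &l->a[i];
    return NULL;
}
static void add_attr(attr_list *l, int id, unsigned long ival, const char *sval) {
    if (l->n == MAX_ATTRS) return;
    l->a[l->n].id = id;  l->a[l->n].ival = ival;
    snprintf(l->a[l->n].sval, sizeof l->a[l->n].sval, "%s", sval ? sval : "");
    l->n++;
}

/* MAB detection as the page describes it: User-Name and Calling-Station-Id carry
 * the same MAC. If Service-Type is present it must be Call-Check (Cisco MAB). */
int is_mab_request(const attr_list *req, char mac_out[13]) {
    const radius_attr *un = find_attr(req, ATTR_USER_NAME);
    const radius_attr *cs = find_attr(req, ATTR_CALLING_STATION_ID);
    const radius_attr *st = find_attr(req, ATTR_SERVICE_TYPE);
    char a[13], b[13];
    if (!un || !cs) return 0;
    if (!normalize_mac(un->sval, a) || !normalize_mac(cs->sval, b)) return 0;
    if (strcmp(a, b) != 0) return 0;
    if (st && st->ival != SERVICE_TYPE_CALL_CHECK) return 0;
    memcpy(mac_out, a, 13);
    return 1;
}

/* Authorization-DLL position: NPS has already produced nps_verdict. Non-MAB requests
 * keep it; MAB requests are decided here. Unknown MACs fail closed (my assumption). */
response_code process_request(const attr_list *req, response_code nps_verdict, attr_list *resp) {
    char mac[13];
    const mac_entry *e = NULL;
    resp->n = 0;
    if (!is_mab_request(req, mac)) return nps_verdict;
    for (size_t i = 0; i < sizeof mac_db / sizeof mac_db[0]; i++)
        if (strcmp(mac_db[i].mac, mac) == 0) e = &mac_db[i];
    if (!e) return ACCESS_REJECT;
    if (e->kind == PROFILE_DATA_VLAN) {           /* RFC 3580 dynamic VLAN triple */
        add_attr(resp, ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, NULL);
        add_attr(resp, ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, NULL);
        add_attr(resp, ATTR_TUNNEL_PRIVATE_GROUP_ID, 0, e->vlan);
    } else if (e->kind == PROFILE_VOICE) {        /* Cisco AV-Pair: VSA vendor 9, type 1 */
        add_attr(resp, ATTR_VENDOR_SPECIFIC, 0, "device-traffic-class=voice");
    }                                             /* PROFILE_PORT_VLAN: bare Access-Accept */
    return ACCESS_ACCEPT;
}

/* Build one constructed request (service_type 0 = absent) and summarize the answer. */
const char *scenario(const char *username, const char *csid, int service_type, response_code nps_verdict) {
    static char out[32];
    attr_list req, resp;
    char mac[13];
    memset(&req, 0, sizeof req);
    add_attr(&req, ATTR_USER_NAME, 0, username);
    add_attr(&req, ATTR_CALLING_STATION_ID, 0, csid);
    if (service_type) add_attr(&req, ATTR_SERVICE_TYPE, (unsigned long)service_type, NULL);
    response_code rc = process_request(&req, nps_verdict, &resp);
    if (!is_mab_request(&req, mac)) return rc == ACCESS_ACCEPT ? "nps:accept" : "nps:reject";
    if (rc != ACCESS_ACCEPT) return "reject";
    const radius_attr *g = find_attr(&resp, ATTR_TUNNEL_PRIVATE_GROUP_ID);
    if (g) { snprintf(out, sizeof out, "accept:vlan=%s", g->sval); return out; }
    return find_attr(&resp, ATTR_VENDOR_SPECIFIC) ? "accept:voice" : "accept:port-vlan";
}

int main(void) {
    printf("printer: %s\n", scenario("00aabbccddee", "00-AA-BB-CC-DD-EE", SERVICE_TYPE_CALL_CHECK, ACCESS_REJECT));
    printf("802.1X:  %s\n", scenario("host/pc01.corp.example", "00-AA-BB-CC-DD-EE", 0, ACCESS_ACCEPT));
    return 0;
}
```

The point worth noticing is the pass-through branch: because the extension runs after NPS has decided, an EAP request whose User-Name is a host name is not touched at all, so the existing wireless policies keep their own verdict. A request whose two MAC attributes disagree, or which carries a Service-Type other than Call-Check, is likewise left to NPS rather than being treated as MAB.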
The library is called after NPS has evaluated all of its Network Policies (that is the position of a DLL registered under AuthorizationDLLs rather than ExtensionDLLs, which would run it before authentication), so it sees the verdict NPS reached and can override it for MAB requests, while the existing Wireless policies keep working exactly as before.
I forgot to mention that NPS has two kinds of policies: Connection Request Policies and Network Policies; so far I have only talked about the second. For the first, a single rule that matches every request to the RADIUS server is enough, for example with Day and Time Restrictions covering 00:00 to 24:00 on every day. If that is too broad for you, you can instead list the addresses of your network devices as a regular expression in the NAS IPv4 Address condition.
Back to my library. To manage the MAC address database I wrote a small program with a graphical interface that lets you create profiles for the different device types and bind MAC addresses from the database to them. It looks like this:
Much has been written about configuring switches for 802.1X and MAB, but here is an example anyway:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host <server address> key <key> (or the equivalent radius server <name> block on newer IOS)
radius-server vsa send authentication (so the switch recognizes the Cisco AV-Pair in the Access-Accept)
interface range <your access ports>
 switchport mode access
 switchport voice vlan <voice vlan id> (if necessary)
 authentication port-control auto
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
A test version of the library and management program can be downloaded here.
Now I am actively testing it and at the same time developing a new, more serious version with central management through a web interface: it will combine several RADIUS servers from different offices and synchronize data between them, work with the major DBMSs, and import device MAC addresses automatically from corporate inventory tools. I hope to describe the new project in future posts.