Breaking into 802.1x EAP-MD5 Port based authentication in Wired VoIP Network – I

To prevent physical security breaches and unauthorized access through publicly reachable network ports lying in a lobby or reception area, companies use port-based authentication schemes.
Once implemented, a device must authenticate itself to the authentication server to prove its identity, and only after it has done so is it granted access to the network. This
provides an authentication mechanism for devices wishing to attach to a LAN port.
These implementations are more common on wireless access points, but nowadays wired networks are taking their fair share as well.
I will split this tutorial into two parts:
1) Setting up 802.1x authentication in a wired VoIP network.
2) Breaking Port based Authentication to gain unauthorized access.
=====
Basics:
=====
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.
The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database.
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity is authorized.
With 802.1X port-based authentication, the supplicant provides credentials, such as a username/password pair or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification.
If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.
If the authenticating server accepts the request, the authenticator sets the port to the “authorized” mode and normal traffic is allowed.
When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the “unauthorized” state, once again blocking all non-EAP traffic.
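As an added illustration of the exchange just described (example code, not part of the original post), here is a small Python model of one EAP-MD5 challenge/response round as it runs between the phone, the switch and the RADIUS server: the server issues a random challenge, the phone answers with MD5(identifier || shared secret || challenge), and the server recomputes the same hash against its user database before the port is authorized. Packet layouts follow RFC 3748; the username, secret and identifier values are constructed for the example.

```python
import hashlib, hmac, os, struct

# EAP codes and the MD5-Challenge method type (RFC 3748, section 5.4).
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def eap_packet(code, identifier, value, name=b""):
    """Encode an MD5-Challenge Request/Response: header, type, value-size, value, name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(packet):
    """Decode an MD5-Challenge Request/Response into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6:
        raise ValueError("EAP length field does not match packet size")
    eap_type, value_size = packet[4], packet[5]
    value, name = packet[6:6 + value_size], packet[6 + value_size:]
    if eap_type != EAP_TYPE_MD5 or len(value) != value_size:
        raise ValueError("not a well-formed MD5-Challenge packet")
    return code, identifier, value, name

def md5_response_value(identifier, secret, challenge):
    """The CHAP hash that EAP-MD5 reuses (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def supplicant_respond(request, secret, username):
    """Phone side: answer a Request/MD5-Challenge using the shared secret set on the phone."""
    code, identifier, challenge, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    return eap_packet(EAP_RESPONSE, identifier, md5_response_value(identifier, secret, challenge), username)

def server_verify(response, identifier, challenge, user_db):
    """RADIUS side: look up the Name, recompute the hash and compare in constant time."""
    code, resp_id, value, name = parse_eap(response)
    if code != EAP_RESPONSE or resp_id != identifier or name not in user_db:
        return False
    return hmac.compare_digest(value, md5_response_value(identifier, user_db[name], challenge))

# Constructed sample user database; the key is the username shown in the phone's security settings.
USER_DB = {b"SEP001122334455": b"phone-shared-secret"}

def run_exchange(username, phone_secret, user_db=USER_DB):
    """One challenge/response round; True means the switch port would be set to authorized."""
    identifier, challenge = 7, os.urandom(16)  # the server picks a fresh random challenge each time
    response = supplicant_respond(eap_packet(EAP_REQUEST, identifier, challenge), phone_secret, username)
    return server_verify(response, identifier, challenge, user_db)
```

The model shows why the shared secret on the phone and the password in the ACS user database must match exactly: the server never sees the secret on the wire, only a hash bound to its own challenge.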

The basic authentication transaction can be shown as:
We will set up port-based authentication using the following supplicant, authenticator and authentication server.

Supplicant: Cisco Unified IP Phone 7961G-GE
802.1x Authenticator: Cisco Catalyst 3560 (WS-C3560G-24PS)
Radius Server: CiscoSecure ACS 4.1

I will not go through the whole installation and configuration procedure for all of the devices mentioned above; I hope you already have the same or equivalent devices in your network. Here we cover only the configuration steps that are needed.

Radius Server Configuration:
1) Once the Cisco ACS 4.1 server is successfully installed, you can carry out the administrative tasks.
2) The first task is to set up the Authenticator.
i) Click on Network Configuration from left pane.
ii) Add your Authenticator's details, including its shared secret, as shown in the following screenshots.
iii) Click on Submit+Apply Button.
3) Now add the users to be authenticated to the user database.
i) Click on User Setup, the first button in the left pane.
ii) Enter the username in the input box and click on Add.
iii) The username can be found in the phone's security settings.
iv) In the user setup form, enter the shared secret (password) for the device. The phone will use this password as its authentication secret.
4) Repeat step 3 for all the devices present in the network.

802.1x Authenticator:
1) Log in to the switch and enter configuration mode.
2) In config mode, use the following CLI commands to enable the authenticator functionality (these assume that AAA and 802.1x have already been enabled globally on the switch).
WS-C3560G-24PS(config)# aaa authentication dot1x default group radius
WS-C3560G-24PS(config)# radius-server host <ipAddr_Radius_Server> auth-port 1645 acct-port 1646 key <shared secret with radius server>
3) Now configure the switch Ethernet interface for 802.1x authentication using the following sequence of CLI commands:
WS-C3560G-24PS(config)#interface GigabitEthernet0/7
WS-C3560G-24PS(config-if)#dot1x pae authenticator
WS-C3560G-24PS(config-if)#dot1x port-control auto
WS-C3560G-24PS(config-if)#dot1x violation-mode protect
WS-C3560G-24PS(config-if)#dot1x timeout reauth-period 20
WS-C3560G-24PS(config-if)#dot1x reauthentication
WS-C3560G-24PS(config-if)#end
WS-C3560G-24PS# write mem

Supplicant Configuration:
I am using a Cisco 7961G IP Phone as the supplicant here. All the configuration steps mentioned here are the same for every Cisco IP Phone that supports an
802.1x authentication supplicant.
1) Unlock the phone configuration by pressing *##*
2) Once unlocked, go to Options and then the “Security Configuration” menu.
3) Scroll down until you reach the 802.1x Authentication sub-menu.
4) Select Device Authentication and change it to “Enable”. By default, Device Authentication is Disabled.
5) Now select the “EAP-MD5” sub-menu and configure the “shared secret” for authentication that we configured on the Radius Server.
6) Refer to the adjacent screenshots for more details.
7) Save the configuration and reboot the phone.

If everything is set up correctly on all three tiers, you will see the phone obtain an IP address after successful 802.1x authentication.
The following Wireshark capture depicts a typical conversation between the supplicant and the authenticator.

If any other device tries to connect to the same Ethernet port, it is challenged by the Authenticator and, failing to respond correctly to the challenge, is blocked from accessing services on the wired LAN.
This mechanism is good enough to stop some physical security breaches. In the next part, we'll see how this port-based authentication can be broken to gain unauthorized access to a wired network that implements the EAP-MD5 802.1x authentication mechanism.
Stay tuned…
