Demystifying IBNS 2.0 Configuration
In this article I would like to go through a typical Identity Based Networking Services (IBNS 2.0) configuration, breaking down each element so that we can better understand it. While there are many configuration elements of secure network access, this article will focus on the Cisco Common Classification Policy Language (C3PL) configuration.
I must admit, when I first got a glance at some IBNS 2.0 configuration, I was a little taken aback by the amount of configuration. However, after reading up on it and refreshing parts of my CCNP R&S skills, I was able to understand how IBNS 2.0 configuration comes together.
This article will NOT focus on use cases for IBNS 2.0; however, I would like to point out some good online documentation that will provide you with useful information.
Just before we jump into the configuration elements, I think it's worth pointing out that IBNS 2.0 is built on the Cisco Common Classification Policy Language (C3PL). Simply put, C3PL is a combination of class-maps, policy-maps and service policies. If you understand how C3PL works, you shouldn't have any trouble getting your head around the configuration you're about to see. It's also worth pointing out that the terminology used for C3PL in the IBNS world is slightly different from the terms mentioned above:
- Class-map = Control Class
- Policy-map = Control Policy
- Service policy = Control Service Policy
Considerations
- When you have decided to deploy IBNS 2.0, it is often easier to enter the required global and interface-level configuration using the classic (IBNS 1.0) commands. This is because that configuration is converted automatically when you enter the command that switches the device to IBNS 2.0 (authentication display new-style).
- When transitioning to IBNS 2.0, remember the following: you can transition back to IBNS 1.0 ONLY if you have not changed the control policy, made any other IBNS 2.0 configuration changes, or issued a copy run start. Once you have done any of those, you will not be able to change back to IBNS 1.0.
Demystifying IBNS 2.0
Whether you've automatically converted your IBNS 1.0 configuration or you've decided to start your IBNS 2.0 configuration from scratch, you'll be surprised at the number of configuration lines you can end up with, depending on your requirements. Below is a snippet of the IBNS 2.0 configuration I currently have configured in my lab environment.
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
!
service-template CRITICAL_AUTH_ACCESS
 description ** Access Policy for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all NRH
!
class-map type control subscriber match-all WEBAUTH_FAILED
!
policy-map type control subscriber POLICY_DATA
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  50 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  60 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  80 class WEBAUTH_FAILED do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  90 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
:-O Seems like a lot right?
Well, don't worry, let's break it down into more manageable sections so that we can better understand what's going on in all this configuration.
The best way to do this is to separate the control classes, the control policy and the service templates.
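Before walking through the pieces by hand, it helps to see that the three building blocks really are separable and cross-reference each other by name. The script below is an added example written for this article (it is not code from the article or from Cisco): it splits a configuration written in the IOS syntax above into service templates, control classes and control policies, then cross-checks the references between them. The configuration it parses is a constructed, shortened sample in the same syntax; the parser assumes IOS's one-space-per-level indentation.

```python
"""Split an IBNS 2.0 (C3PL) config into service templates, control classes and
control policies, then cross-check the references between them.
Added example for this article, not code from the article or from Cisco; the
config below is a constructed, shortened sample in the article's syntax and the
parser relies on IOS's one-space-per-level indentation."""
from collections import defaultdict

SAMPLE_CONFIG = """\
service-template CRITICAL_AUTH_ACCESS
 access-group IPV4_CRITICAL_ACL
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
!
class-map type control subscriber match-all NRH
!
policy-map type control subscriber POLICY_DATA
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 authorize
  50 class NRH do-until-failure
   10 terminate webauth
  60 class NRH do-until-failure
   10 terminate webauth
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
"""


def parse_ibns(text):
    """Return (templates, classes, policies) as plain dicts keyed by name."""
    templates, classes, policies = {}, {}, {}
    kind = name = event = rule = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        words = line.split()
        if not line.startswith(" "):                 # a new top-level object
            kind, event, rule = words[0], None, None
            if kind == "service-template":           # service-template <name>
                name, templates[words[1]] = words[1], []
            elif kind == "class-map":                # class-map type control subscriber <mode> <name>
                name, classes[words[5]] = words[5], {"mode": words[4], "matches": []}
            elif kind == "policy-map":               # policy-map type control subscriber <name>
                name, policies[words[4]] = words[4], {}
            else:
                kind = None                          # unrelated config: skip its body
        elif kind == "service-template":
            templates[name].append(line.strip())
        elif kind == "class-map":
            classes[name]["matches"].append(words[1:])          # drop the 'match' keyword
        elif kind == "policy-map" and words[0] == "event":      # event <name> <match-all|match-first>
            event = policies[name].setdefault(words[1], {"mode": words[2], "rules": []})
        elif kind == "policy-map" and words[1] == "class":      # <seq> class <class> do-until-failure
            rule = {"seq": int(words[0]), "class": words[2], "actions": []}
            event["rules"].append(rule)
        elif kind == "policy-map":                              # <seq> <action ...>
            rule["actions"].append(" ".join(words[1:]))
    return templates, classes, policies


def lint(templates, classes, policies):
    """Sorted findings: dangling references, shadowed rules, unused objects."""
    findings, used_classes, used_templates = [], set(), set()
    for cname, cls in classes.items():
        if not cls["matches"]:
            findings.append(f"class {cname}: has no match statements")
        for m in cls["matches"]:
            if m[0] == "activated-service-template":
                used_templates.add(m[1])
                if m[1] not in templates:
                    findings.append(f"class {cname}: undefined service-template {m[1]}")
    for pname, events in policies.items():
        for ename, ev in events.items():
            seqs = defaultdict(list)
            for rule in ev["rules"]:
                seqs[rule["class"]].append(rule["seq"])
                if rule["class"] != "always":
                    used_classes.add(rule["class"])
                    if rule["class"] not in classes:
                        findings.append(f"{pname}/{ename}: rule {rule['seq']} uses undefined class {rule['class']}")
                for w in (a.split() for a in rule["actions"]):
                    if w[:2] == ["activate", "service-template"]:
                        used_templates.add(w[2])
                        if w[2] not in templates:
                            findings.append(f"{pname}/{ename}: rule {rule['seq']} activates undefined service-template {w[2]}")
            for cname, s in seqs.items():
                if len(s) > 1:   # under match-first only the first of these can ever run
                    findings.append(f"{pname}/{ename}: class {cname} appears in rules {s} ({ev['mode']})")
    for cname in set(classes) - used_classes:
        findings.append(f"class {cname}: defined but never referenced by a policy")
    for tname in set(templates) - used_templates:
        findings.append(f"service-template {tname}: defined but never activated or matched")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(lint(*parse_ibns(SAMPLE_CONFIG))))
```

Run against the sample it reports four things: a rule activating a service template that is never defined, the same class used twice under a match-first event (the second rule can never run), a class that no policy references, and a class with no match statements. Feeding it `show running-config` output from a switch gives the same three-way split the rest of this article walks through by hand.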
Control Class
A control class, simply put, is a set of conditions that must evaluate to true for a control policy to execute its actions. A control class can be match-all, match-any or match-none; that keyword decides how its match lines combine into a true result. The screenshot below shows the options available when creating control classes.
Now let's take a look at the control classes present in this lab and break each one down. Most of the following control classes were generated automatically when changing from IBNS 1.0 to 2.0.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
class-map type control subscriber match-all DOT1X
class-map type control subscriber match-all DOT1X_FAILED
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
class-map type control subscriber match-all DOT1X_NO_RESP
class-map type control subscriber match-all DOT1X_TIMEOUT
class-map type control subscriber match-any IN_CRITICAL_AUTH
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-all MAB
class-map type control subscriber match-all MAB_FAILED
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-all NRH
class-map type control subscriber match-all WEBAUTH_FAILED
Starting with the first control class, AAA_SVR_DOWN_AUTHD_HOST, let's take a look at what the configuration means.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
- class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST <<< Creates a control class called AAA_SVR_DOWN_AUTHD_HOST; for the class to be true, every match line in it must match.
- match result-type aaa-timeout <<< True if the AAA server timed out.
- match authorization-status authorized <<< True if the session is already authorized.
Moving on to AAA_SVR_DOWN_UNAUTHD_HOST:
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
- class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST <<< Creates a control class called AAA_SVR_DOWN_UNAUTHD_HOST; for the class to be true, every match line in it must match.
- match result-type aaa-timeout <<< True if the AAA server timed out.
- match authorization-status unauthorized <<< True if the session is unauthorized.
Up next is DOT1X:
class-map type control subscriber match-all DOT1X
 match method dot1x
- class-map type control subscriber match-all DOT1X <<< Control class called DOT1X; for the class to be true, every match line in it must match.
- match method dot1x <<< True if the authentication method is 802.1X.
The next control class is DOT1X_FAILED:
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
- class-map type control subscriber match-all DOT1X_FAILED <<< Control class called DOT1X_FAILED; for the class to be true, every match line in it must match.
- match method dot1x <<< True if the authentication method is 802.1X.
- match result-type method dot1x authoritative <<< True if the 802.1X method has failed with an authoritative (definitive) result.
Next up is DOT1X_MEDIUM_PRIO:
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
- class-map type control subscriber match-all DOT1X_MEDIUM_PRIO <<< Control class called DOT1X_MEDIUM_PRIO; for the class to be true, every match line in it must match.
- match authorizing-method-priority gt 20 <<< True if the priority of the authorizing method is greater than 20.
Next up is DOT1X_NO_RESP:
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
- class-map type control subscriber match-all DOT1X_NO_RESP <<< Control class called DOT1X_NO_RESP; for the class to be true, every match line in it must match.
- match method dot1x <<< True if the authentication method is 802.1X.
- match result-type method dot1x agent-not-found <<< True when the endpoint does not have an 802.1X supplicant (it never answered the EAP request).
Next up is DOT1X_TIMEOUT:
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
- class-map type control subscriber match-all DOT1X_TIMEOUT <<< Control class called DOT1X_TIMEOUT; for the class to be true, every match line in it must match.
- match method dot1x <<< True if the authentication method is 802.1X.
- match result-type method dot1x method-timeout <<< True if the 802.1X method has timed out.
Next up is IN_CRITICAL_AUTH:
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-any IN_CRITICAL_AUTH <<< Control class called IN_CRITICAL_AUTH; for the class to be true, any one of the service templates listed in it must be active on the session.
- match activated-service-template CRITICAL_AUTH_ACCESS <<< True if the service template CRITICAL_AUTH_ACCESS is active. This service template has an access-list tied to it; when a policy activates it, the access-list is applied on the interface that has that policy assigned.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE <<< True if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is active. This service template places the relevant device in the voice VLAN when a policy activates it.
Next up is IN_CRITICAL_VLAN_DATA:
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA <<< Control class called IN_CRITICAL_VLAN_DATA; for the class to be true, any one of the service templates listed in it must be active on the session.
- match activated-service-template CRITICAL_AUTH_VLAN_DATA <<< True if the service template CRITICAL_AUTH_VLAN_DATA is active. This service template assigns the critical data VLAN when a policy activates it.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE <<< True if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is active. This service template places the relevant device in the voice VLAN when a policy activates it.
Next up is MAB:
class-map type control subscriber match-all MAB
 match method mab
- class-map type control subscriber match-all MAB <<< Control class called MAB; for the class to be true, every match line in it must match.
- match method mab <<< True if the authentication method is MAC Authentication Bypass (MAB).
Next up is MAB_FAILED:
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
- class-map type control subscriber match-all MAB_FAILED <<< Control class called MAB_FAILED; for the class to be true, every match line in it must match.
- match method mab <<< True if the authentication method is MAC Authentication Bypass (MAB).
- match result-type method mab authoritative <<< True if the MAB method has failed with an authoritative (definitive) result.
Next up is NOT_IN_CRITICAL_AUTH:
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH <<< Control class called NOT_IN_CRITICAL_AUTH; for the class to be true, none of the match lines in it may match.
- match activated-service-template CRITICAL_AUTH_ACCESS <<< Contributes a true result only if the service template CRITICAL_AUTH_ACCESS is not active.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE <<< Contributes a true result only if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is not active.
Next up is NOT_IN_CRITICAL_VLAN_DATA:
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA <<< Control class called NOT_IN_CRITICAL_VLAN_DATA; for the class to be true, none of the match lines in it may match.
- match activated-service-template CRITICAL_AUTH_VLAN_DATA <<< Contributes a true result only if the service template CRITICAL_AUTH_VLAN_DATA is not active.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE <<< Contributes a true result only if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is not active.
The last two control classes below are not used in this example, so they will not be discussed.
class-map type control subscriber match-all NRH
!
class-map type control subscriber match-all WEBAUTH_FAILED
Now that we've taken a look at the control classes and hopefully understand them, let's take a look at the service templates.
Service Templates
Service templates contain attributes that can be applied to subscriber sessions through control policies. Features such as the ACLs and VLANs used in the following templates can be configured within a service template.
The following service templates are used in this example:
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
!
service-template CRITICAL_AUTH_ACCESS
 description ** Access Policy for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
I will now break down each template, describing its purpose, starting with service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE.
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
- service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE <<< Creates a service template called DEFAULT_LINKSEC_POLICY_MUST_SECURE.
- linksec policy must-secure <<< Secures and authorizes the port only if a MACsec session is established.
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
- service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE <<< Creates a service template called DEFAULT_LINKSEC_POLICY_SHOULD_SECURE.
- linksec policy should-secure <<< Secures the port with MACsec when possible, but does not require it.
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
- service-template DEFAULT_CRITICAL_VOICE_TEMPLATE <<< Creates a service template called DEFAULT_CRITICAL_VOICE_TEMPLATE.
- voice vlan <<< Applies the voice VLAN to sessions on which the service template is activated.
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
- service-template CRITICAL_AUTH_VLAN_DATA <<< Creates a service template called CRITICAL_AUTH_VLAN_DATA.
- vlan <VLAN> <<< Applies a data VLAN to sessions on which the service template is activated.
service-template CRITICAL_AUTH_ACCESS
 description ** Access Policy for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
- service-template CRITICAL_AUTH_ACCESS <<< Creates a service template called CRITICAL_AUTH_ACCESS.
- access-group IPV4_CRITICAL_ACL <<< Applies an access-list called IPV4_CRITICAL_ACL to sessions on which the service template is activated.
Now onto the most important part: putting everything together. We will now take a look at the example control policy and see how all the configuration comes together.
Control Policy
A control policy consists of one or more rules, and the policy defines the order in which those rules are evaluated for each event. Each rule in a control policy consists of the following:
- A control class
- An event
- One or more actions
The following configuration is that of the control policy created for this article. I have put together an infographic breaking down the control policy for better understanding.
policy-map type control subscriber POLICY_DATA
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  50 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  60 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  80 class WEBAUTH_FAILED do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  90 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
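To make the class and policy semantics from the two sections above concrete (match-all, match-any and match-none on the class side; match-first versus match-all on the event side), here is a small evaluator written as an added example for this article. It is not code from the article or from Cisco: it models a constructed subset of POLICY_DATA and the classes it references, and the session attributes and the effect of each action are simplified assumptions, chosen so the interesting path is visible: a MAB endpoint that hits a RADIUS timeout lands in critical auth, and the aaa-available event then tears that session down so it re-authenticates properly.

```python
"""Mini evaluator for C3PL control classes and control policies.
Added example for this article, not code from the article or from Cisco. It
models the match-all / match-any / match-none class logic and the match-first /
match-all event logic on a constructed subset of the article's POLICY_DATA; the
session attributes and the effect of each action are simplified assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    method: Optional[str] = None          # running authentication method (mab, dot1x, webauth)
    result_type: Optional[str] = None     # last method result, e.g. "aaa-timeout"
    authorization_status: str = "unauthorized"
    activated_templates: set = field(default_factory=set)
    reauth_paused: bool = False
    cleared: bool = False                 # set by clear-session; no further rules run
    log: list = field(default_factory=list)


# Control classes: name -> (mode, [(match attribute, value), ...]); subset of the article's
CRIT = [("activated-service-template", "CRITICAL_AUTH_ACCESS"),
        ("activated-service-template", "DEFAULT_CRITICAL_VOICE_TEMPLATE")]
CLASSES = {
    "DOT1X_FAILED": ("match-all", [("method", "dot1x"), ("result-type", "method dot1x authoritative")]),
    "AAA_SVR_DOWN_UNAUTHD_HOST": ("match-all", [("result-type", "aaa-timeout"), ("authorization-status", "unauthorized")]),
    "AAA_SVR_DOWN_AUTHD_HOST": ("match-all", [("result-type", "aaa-timeout"), ("authorization-status", "authorized")]),
    "IN_CRITICAL_AUTH": ("match-any", CRIT),
    "NOT_IN_CRITICAL_AUTH": ("match-none", CRIT),
}

# Control policy: event -> (evaluation mode, [(seq, class, [actions]), ...]); subset of POLICY_DATA
POLICY = {
    "session-started": ("match-all", [(10, "always", ["authenticate using mab priority 20"])]),
    "authentication-failure": ("match-first", [
        (5, "DOT1X_FAILED", ["terminate dot1x"]),
        (10, "AAA_SVR_DOWN_UNAUTHD_HOST", ["activate service-template CRITICAL_AUTH_ACCESS",
                                          "activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE",
                                          "authorize", "pause reauthentication"]),
        (20, "AAA_SVR_DOWN_AUTHD_HOST", ["pause reauthentication", "authorize"]),
        (90, "always", ["terminate mab", "terminate dot1x", "authentication-restart 60"]),
    ]),
    "aaa-available": ("match-all", [
        (10, "IN_CRITICAL_AUTH", ["clear-session"]),
        (20, "NOT_IN_CRITICAL_AUTH", ["resume reauthentication"]),
    ]),
}


def condition_true(s, attr, value):
    """Evaluate one 'match' line of a control class against the session."""
    if attr == "activated-service-template":
        return value in s.activated_templates
    return getattr(s, attr.replace("-", "_")) == value   # method, result-type, authorization-status


def class_matches(s, name):
    """match-all: every line true; match-any: at least one true; match-none: none true."""
    mode, conds = CLASSES[name]
    hits = [condition_true(s, a, v) for a, v in conds]
    return {"match-all": all(hits), "match-any": any(hits), "match-none": not any(hits)}[mode]


def apply_action(s, action):
    """Simplified effect of each policy action on the session (assumption, not IOS internals)."""
    w = action.split()
    if w[0] == "authenticate":                       # authenticate using <method> priority <n>
        s.method = w[2]
    elif w[0] == "authorize":
        s.authorization_status = "authorized"
    elif w[:2] == ["activate", "service-template"]:
        s.activated_templates.add(w[2])
    elif w == ["pause", "reauthentication"]:
        s.reauth_paused = True
    elif w == ["resume", "reauthentication"]:
        s.reauth_paused = False
    elif w[0] == "terminate" and s.method == w[1]:
        s.method = None
    elif w[0] == "clear-session":
        s.cleared = True
    s.log.append(action)                             # authentication-restart etc. are only logged


def run_event(s, event):
    """match-first runs only the first rule whose class matches; match-all runs every one."""
    mode, rules = POLICY[event]
    for seq, cname, actions in rules:
        if cname != "always" and not class_matches(s, cname):
            continue
        s.log.append(f"{event}: rule {seq} ({cname})")
        for action in actions:
            apply_action(s, action)
        if mode == "match-first" or s.cleared:       # assumption: a cleared session stops evaluation
            break
    return s


def aaa_down_then_up():
    """MAB endpoint hits a RADIUS timeout, lands in critical auth, then AAA returns."""
    s = run_event(Session(), "session-started")
    s.result_type = "aaa-timeout"                    # constructed: the RADIUS server did not answer
    run_event(s, "authentication-failure")
    critical = (s.authorization_status, sorted(s.activated_templates), s.reauth_paused)
    run_event(s, "aaa-available")                    # IN_CRITICAL_AUTH matches -> clear-session
    return critical, s.cleared


def authed_host_when_aaa_returns():
    """A host authorized outside critical auth only has its reauthentication resumed."""
    s = Session(method="dot1x", authorization_status="authorized", reauth_paused=True)
    run_event(s, "aaa-available")                    # NOT_IN_CRITICAL_AUTH (match-none) matches
    return s.cleared, s.reauth_paused
```

Two things the walk-through shows that the config listing does not: under match-first, rule 5 (DOT1X_FAILED) is checked and rejected for a MAB session before rule 10 fires, so rule order is part of the policy's meaning; and on aaa-available the two rules are complementary (match-any versus match-none over the same two templates), which is why a critical-auth session is cleared and re-authenticated while a normally authorized session merely has its paused reauthentication resumed.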
Summary
By now you should hopefully understand what the IBNS 2.0 configuration means and how it's all put together. The configurations shown in this article are for demonstration purposes only. It is recommended that your configuration is devised based on the requirements of your company.
Once you've created your required control policies, they need to be assigned to your data interfaces in order for them to take effect. The configuration snippet below shows how we apply a policy to an interface on a Cisco switch.
(config)# interface GigabitEthernet1/0/23
(config-if)# service-policy type control subscriber <NAME OF POLICY>