© 2004, Cisco Systems, Inc. All rights reserved.

Presentation Transcript


  1. CNIT 221 Security 1 ver.2 Module 7 – City College of San Francisco, Spring 2007 © 2004, Cisco Systems, Inc. All rights reserved.

  2. Network Security 1 Module 7 – Configure Trust and Identity at Layer 2

  3. Learning Objectives
     • 7.1 Identity-Based Networking Services (IBNS)
     • 7.2 Configuring 802.1x Port-Based Authentication

  4. Module 7 – Configure Trust and Identity at Layer 2 7.1 Identity-Based Networking Services (IBNS)

  5. Cisco Identity Based Networking Services (IBNS)
     • Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.
     • Cisco IBNS is an IEEE 802.1x-based technology that authenticates users based on personal identity verification.
     • IEEE 802.1x is a Layer 2 protocol designed to provide port-based network access.

  6. Identity Based Network Services – Unified Control of User Identity for the Enterprise
     [Diagram: Cisco Secure ACS with an OTP server and hard/soft tokens providing one identity source for Cisco VPN Concentrators, IOS Routers and PIX Security Appliances, VPN Clients, remote offices, and the Internet router and firewall]

  7. 802.1x
     • 802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access.
     • The 802.1x framework defines three roles in the authentication process:
       • Supplicant = endpoint that needs network access
       • Authenticator = switch or access point
       • Authentication Server = RADIUS, TACACS+, LDAP
     • The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.

  8. 802.1x Roles
     [Diagram: Supplicant – Authenticator – Authentication Server]
     • Microsoft Windows XP includes 802.1x supplicant support

  9. 802.1x Authenticator and Supplicant
     [Diagram: home office PC connected over the Internet to the perimeter router, with Cisco Secure ACS behind it]
     • The remote user’s PC acts as the supplicant
     • The perimeter router acts as the authenticator

  10. How 802.1x Works
     [Diagram: End User (client) –802.1x– Catalyst 2950 (switch) –RADIUS– Authentication Server (RADIUS)]
     • The actual authentication conversation occurs between the client and the Authentication Server using EAP.
     • The authenticator is aware of this activity, but it is just a middleman.

  11. How 802.1x Works (Continued)
     [Diagram: message sequence between End User (client), Catalyst 2950 (switch) and Authentication Server (RADIUS)]
     • Port Unauthorized
     • Client → Switch: EAPOL-Start
     • Switch → Client: EAP-Request/Identity
     • Client → Switch: EAP-Response/Identity; Switch → Server: RADIUS Access-Request
     • Server → Switch: RADIUS Access-Challenge; Switch → Client: EAP-Request/OTP
     • Client → Switch: EAP-Response/OTP; Switch → Server: RADIUS Access-Request
     • Server → Switch: RADIUS Access-Accept; Switch → Client: EAP-Success
     • Port Authorized
     • Client → Switch: EAPOL-Logoff
     • Port Unauthorized

  12. 802.1x and EAP
     • Prior to client authentication, the port only allows 802.1x protocol, CDP, and STP traffic.
     • EAP is the transport protocol used by 802.1x to authenticate supplicants against an authentication server such as RADIUS.
     • RFC 3748 updated EAP to support IEEE 802 networks.
     • On LAN media, the supplicant and authenticator use the EAP over LANs (EAPOL) encapsulation.

  13. EAP Characteristics
     • EAP – The Extensible Authentication Protocol
     • Extension of PPP to provide additional authentication features
     • A flexible protocol used to carry arbitrary authentication information
     • Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+
     • Specified in RFC 2284
     • Supports multiple authentication types:
       • EAP-MD5: Plain Password Hash (CHAP over EAP)
       • EAP-TLS (based on X.509 certificates)
       • LEAP (EAP-Cisco Wireless)
       • PEAP (Protected EAP)
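The message flow on slides 10 through 13 (EAPOL-Start, EAP-Request/Identity, a challenge relayed as RADIUS Access-Challenge, and the port moving to Authorized only on Access-Accept) is easiest to see with the three roles as separate objects. The following is an added example written for this transcript, not code from the module or from Cisco. It models a supplicant, an authenticator (the switch port) and an authentication server exchanging EAP-MD5, the "CHAP over EAP" method from slide 13: the answer is MD5(identifier || password || challenge), so the password itself never crosses the link, while the switch merely relays packets and tracks port state. Usernames, passwords and message names are constructed for the example; the identifier and challenge handling is simplified relative to the real packet formats.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed credential store for the authentication server (example data only).
USER_DB = {"alice": b"correct-horse"}


@dataclass
class Eap:
    """One EAP packet: Code, Identifier, Type and Type-Data (RFC 3748 layout, simplified)."""
    code: str          # "Request", "Response", "Success" or "Failure"
    ident: int         # identifier that ties a Response to the Request it answers
    type: str = ""     # "Identity" or "MD5-Challenge"
    data: bytes = b""


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 answer, i.e. the CHAP computation: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """Endpoint that wants network access; it only ever reveals a hash, never the password."""

    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def respond(self, req: Eap) -> Eap:
        if req.type == "Identity":
            return Eap("Response", req.ident, "Identity", self.username.encode())
        if req.type == "MD5-Challenge":
            return Eap("Response", req.ident, "MD5-Challenge",
                       md5_response(req.ident, self.password, req.data))
        raise ValueError(f"unsupported EAP request type {req.type!r}")


class AuthServer:
    """RADIUS-style authentication server: issues a fresh challenge, verifies the hashed answer."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # ident -> (username, challenge) awaiting a Response

    def handle(self, resp: Eap) -> tuple:
        """Return (RADIUS reply name, EAP packet for the switch to relay to the client)."""
        if resp.type == "Identity":
            ident, challenge = resp.ident + 1, os.urandom(16)
            self.pending[ident] = (resp.data.decode(), challenge)
            return "Access-Challenge", Eap("Request", ident, "MD5-Challenge", challenge)
        if resp.type == "MD5-Challenge":
            username, challenge = self.pending.pop(resp.ident, (None, b""))
            password = self.users.get(username)
            if password is not None and hmac.compare_digest(
                    resp.data, md5_response(resp.ident, password, challenge)):
                return "Access-Accept", Eap("Success", resp.ident)
        return "Access-Reject", Eap("Failure", resp.ident)


class Authenticator:
    """The switch port: relays EAP inside EAPOL on one side and RADIUS on the other.
    It never sees the password and only changes port state on the server's verdict."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.port_state = "Unauthorized"   # state before any authentication
        self.log = []

    def authenticate(self, client: Supplicant) -> str:
        self.log.append("Client -> Switch : EAPOL-Start")
        eap = Eap("Request", 1, "Identity")
        self.log.append("Switch -> Client : EAP-Request/Identity")
        while eap.code == "Request":
            resp = client.respond(eap)
            self.log.append(f"Client -> Switch : EAP-Response/{resp.type}")
            self.log.append("Switch -> Server : RADIUS Access-Request")
            radius, eap = self.server.handle(resp)
            self.log.append(f"Server -> Switch : RADIUS {radius}")
            suffix = f"/{eap.type}" if eap.type else ""
            self.log.append(f"Switch -> Client : EAP-{eap.code}{suffix}")
        self.port_state = "Authorized" if eap.code == "Success" else "Unauthorized"
        return self.port_state

    def logoff(self) -> str:
        self.log.append("Client -> Switch : EAPOL-Logoff")
        self.port_state = "Unauthorized"
        return self.port_state


if __name__ == "__main__":
    switch = Authenticator(AuthServer(USER_DB))
    print("port:", switch.authenticate(Supplicant("alice", b"correct-horse")))
    print("port:", switch.logoff())
    print("\n".join(switch.log))
</test>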

  14. EAP Selection • Cisco Secure ACS supports the following varieties of EAP: • EAP-MD5 – An EAP protocol that does not support mutual authentication. • EAP-TLS – EAP incorporating Transport Layer Security (TLS). • LEAP—An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication. • PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols. • EAP-FAST – EAP Flexible Authentication via Secured Tunnel (EAP-FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication.

  15. Client ACS Server Access Point Cisco LEAP Lightweight Extensible Authentication Protocol • Derives per-user, per-session key • Enhancement to IEEE802.11b Wired Equivalent Privacy (WEP) encryption • Usesmutual authentication– both user and AP needs to be authenticated

  16. Mutual Authentication • Cisco LEAP as well as other secure EAP variations support mutual authentication. • The authentication server sends a challenge to the client and the client responds to the challenge with a hash of a secret password known by the client and the network. • Password is never sent over the wire • When the client is authenticated, the same process is repeated in reverse order so the client can authenticate the server.

  17. Client Server cert, cert request ACS Server Access Point Switch EAP-TLS EAP – Transport Layer Security • RFC 2716 – Developed by Microsoft • Used for TLS Handshake Authentication (RFC2246) • Requires PKI (X.509) Certificates rather than username/password • Mutual authentication • Requires client and server certificates • Certificate Management is complex and costly

  18. Access Point Switch Client ACS Server TLS Tunnel PEAP Protected Extensible Authentication Protocol • Internet-Draft by Cisco, Microsoft & RSA • Enhancement of EAP-TLS • Requires server certificate only • Mutual authentication • username/password challenge over TLS Channel • Available for use with Microsoft and Cisco products

  19. Cisco Secure ACS AAA Radius Server 4500/4000 Series 3550/2950 Series Host device attempts to connects to Switch 6500 Series Access Points 802.1x Capable Ethernet LAN Access Devices Switch Request ID Switch Forward credentials to ACS Server Send ID/Password or Certificate applies policies and enables port. Authentication Successful 4 1 3 7 5 6 2 Client now has secure access Actual authentication conversation is between client and Auth Server using EAP. RADIUS 802.1x How Does Basic Port Based Network Access Work? The switch detects the 802.1x compatible client, forces authentication, then acts as a middleman during the authentication, Upon successful authentication the switch sets the port to forwarding, and applies the designated policies.

  20. Firewall Catalyst 2950/3500 Switch Client Router Internet Cisco Secure ACS ACS Deployment in a Small LAN

  21. Cisco Secure ACS Cisco Catalyst Switch End User 802.1x RADIUS Cisco Secure ACS RADIUS Response After a user successfully completes the EAP authentication process the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.

  22. Module 7 – Configure Trust and Identity at Layer 2 7.2 Configuring 802.1x Port-Based Authentication

  23. 802.1x Port-Based Authentication Configuration • Enable 802.1x Authentication (required) • Configure the Switch-to-RADIUS-Server Communication (required) • Enable Periodic Re-Authentication (optional) • Manually Re-Authenticating a Client Connected to a Port (optional)

  24. 802.1x Port-Based Authentication Configuration (Cont.) • Changing the Switch-to-Client Retransmission Time (optional) • Setting the Switch-to-Client Frame-Retransmission Number (optional) • Enabling Multiple Hosts (optional) • Resetting the 802.1x Configuration to the Default Values (optional)

  25. Enabling 802.1x Authentication Switch# configure terminal • Enter global configuration mode Switch(config)# aaa new-model • Enable AAA Switch(config)# aaa authentication dot1x default group radius • Create an 802.1x authentication method list

  26. Enabling 802.1x Authentication (Cont.) Switch(config)# interface fastethernet0/12 • Enter interface configuration mode Switch(config-if)# dot1x port-control auto • Enable 802.1x authentication on the interface Switch(config-if)# end • Return to privileged EXEC mode

  27. Configuring Switch-to-RADIUS Communication Switch(config)# radius-server host 172.l20.39.46 auth-port 1812 key rad123 • Configure the RADIUS server parameters on the switch.

  28. Enabling Periodic Re-Authentication Switch# configure terminal • Enter global configuration mode Switch(config)# dot1x re-authentication • Enable periodic re-authentication of the client, which is disabled by default. Switch(config)# dot1x timeout re-authperiod seconds • Set the number of seconds between re-authentication attempts.

  29. Manually Re-Authenticating a Client Connected to a Port Switch(config)# dot1x re-authenticate interface fastethernet0/12 • Starts re-authentication of the client.

  30. Enabling Multiple Hosts Switch# configure terminal • Enter global configuration mode Switch(config)# interface fastethernet0/12 • Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached. Switch(config-if)# dot1x multiple-hosts • Allow multiple hosts (clients) on an 802.1x-authorized port.

  31. Resetting the 802.1x Configuration to the Default Values Switch# configure terminal • Enter global configuration mode Switch(config)# dot1x default • Reset the configurable 802.1x parameters to the default values.

  32. Displaying 802.1x Statistics Switch# show dot1x statistics • Display 802.1x statistics Switch# show dot1x statistics interface interface-id • Display 802.1x statistics for a specific interface.

  33. Displaying 802.1x Status Switch# show dot1x • Display 802.1x administrative and operational status. Switch# show dot1x interface interface-id • Display 802.1x administrative and operational status for a specific interface.

  34. 34 34 34 © 2005, Cisco Systems, Inc. All rights reserved.

More Related