1 / 22

802.1x Port Authentication via RADIUS

802.1x Port Authentication via RADIUS. By Oswaldo Perdomo cs580 Network Security. What is 802.1x ?. Defined by IEEE and designed to provide port-based network access. 802.1x authenticates network clients using information unique to the client and with credentials known only to the client.

mabelk
Télécharger la présentation

802.1x Port Authentication via RADIUS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security

  2. What is 802.1x ? • Defined by IEEE and designed to provide port-based network access. • 802.1x authenticates network clients using information unique to the client and with credentials known only to the client. • Service known as port-level authentication

  3. Benefits of 802.1x • 802.1x is a LAN access control. • 802.1x introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.

  4. 802.1x Framework • The framework is defined by 3 authentication processes: • The supplicant • Possibly a standalone device or an end user, such as a remote user. • The authenticator • A device to which the supplicant directly connects and through which the supplicant obtains network access permission • The authentication server • The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.

  5. What is EAP ? • EAP • Extensible Authentication Protocol • A flexible protocol used to carry arbitrary authentication information • Typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+, etc. • EAP Messages • Request • Sent to supplicant to indicate a challenge • Response • Supplicant reply message • Success • Notification to supplicant of success • Failure • Notification to supplicant of failure

  6. Benefits of EAP-TLS Authentication • Password’s are not used at all. • Instead TLS public key is used. • AAA Server authenticates client, but client can also authenticate AAA Server • AAA Server receives certification from client, verifies authenticity of certification using CA public key, then verifies bearer identity using TLS handshake

  7. EAP over 802.1x Frame Format

  8. Diagram of EAP-TLS Authentication

  9. Benefits 802.1x with Cisco Secure ACS • Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics. • Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment • Identity-based session accounting and auditing, which enables tracking of client network usage.

  10. Configuring the Switch for 802.1x Port Authentication • GV-Rack1>s2 • Translating "s2" • Trying s2 (1.1.1.1, 2015)... Open • Rack1S2>enable • Rack1S2#config t • Enter configuration commands, one per line. End with CNTL/Z. • Rack1S2(config)#hostname mytest • mytest(config)#aaa new-model • mytest(config)#aaa authentication dot1x default group radius • mytest(config)#interface fastethernet0/1 • mytest(config-if)#dot1x port-control auto • mytest(config-if)#radius-server host 10.252.252.252 auth-port 1812 key cisco • mytest(config)#end • mytest#s • 12:06:37: %SYS-5-CONFIG_I: Configured from console by console • mytest#show dot1x • Sysauthcontrol = Disabled • Supplicant Allowed In Guest Vlan = Disabled • Dot1x Protocol Version = 1 • Dot1x Oper Controlled Directions = Both • Dot1x Admin Controlled Directions = Both

  11. Catalyst 3550 series Configuration File • mytest#show running-config • Building configuration... • Current configuration : 2267 bytes • ! • version 12.1 • no service pad • service timestamps debug uptime • service timestamps log uptime • no service password-encryption • ! • hostname mytest • ! • aaa new-model • aaa authentication dot1x default group radius • ! • ip subnet-zero • ! • no ip domain-lookup • ! • spanning-tree mode pvst • spanning-tree extend system-id • ! • interface FastEthernet0/1 • switchport mode dynamic desirable • dot1x port-control auto • spanning-tree portfast • !! • interface Vlan1 • no ip address • shutdown • ! • ip classless • ip http server • ! • radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco • radius-server retransmit 3 • ! • line con 0 • exec-timeout 0 0 • logging synchronous • line vty 5 15 • ! • ! • end

  12. The Network

  13. EAP Port Configuration

  14. EAP-TLS Configuration

  15. Configure Authentication Server Authorization Policy

  16. Install ACS Certificate

  17. Install ACS Certificate Cont.

  18. Configure Authenticator & Authentication Server

  19. Configure Supplement & Authorization Policy

  20. Configure Supplement & Authorization Policy Cont.

  21. Configuring The Logging Scheme

  22. Any Questions ?

More Related