Port Based Network Access Control


IEEE 802.1X: Port-Based Network Access Control

Definition: "Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices." "IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports." In short: it operates at Layer 2 (access to the medium); access control is applied to ports; it provides authentication; and it enables secure communication.

Basic Topology: There are three elements. The Supplicant, which in this example is the wireless 802.11 Client A. The Authenticator, which in this case is the wireless 802.11 access point (WAP). The Authentication Server.

Extensible Authentication Protocol (EAP): The IEEE 802.1X standard specifies the use of EAP, the Extensible Authentication Protocol (RFC 3748), to support authentication using a centrally administered Authentication Server. EAP was initially defined for PPP links; however, our main focus is its use on LANs. Consequently, the standard also defines EAP encapsulation over LANs (EAPoL) to convey the necessary exchanges between the supplicant and the authenticator.

EAPoL Format: Nothing more than an EAP message encapsulated in an Ethernet frame. That's all. The frame fields are: Destination, Source, Type (888EH), followed by the EAPoL header (Version, Length) and the Value, which is the EAP message itself.

Association Phase: Client A, the supplicant, associates with the wireless access point (WAP). This is equivalent to connecting a cable to a LAN switch port: there are electrical signals, but nothing more significant is going on. All traffic is blocked at the WAP, the authenticator.

Jargon: In the initial stage of authentication, only EAP messages are accepted. The technical jargon for this is the Open Uncontrolled Virtual Port. Any other traffic is blocked and ignored at the authenticator. The technical jargon for this is the Closed Controlled Virtual Port. In reality, the ports do not even exist; this is just technical babble. It is simply that the authenticator listens for authentication messages and ignores/blocks anything else, that's all.

EAP Transactions (EAPoL-Start): The supplicant sends an EAP start message encapsulated inside a WLAN frame (EAPoL). The message is an EAPoL-Start.

EAP Transactions (EAP-Request-Identity / EAP-Response-Identity): The WLAN authenticator replies with an EAP-Request-Identity. The supplicant client responds with the username in clear text.

EAP Transactions (RADIUS or TACACS+): The authenticator now sends a RADIUS or TACACS+ message. Let's assume that we are just using RADIUS, for simplicity of the explanation.

EAP Transactions (EAP vs. RADIUS/TACACS+): EAP messages do not continue unchanged toward the authentication server. The authenticator speaks another protocol, such as RADIUS or TACACS+, to the Authentication Server. So, on one side the authenticator talks EAP and on the other RADIUS or TACACS+. The WAP is a proxy, translator, or intermediary.

EAP Transactions (RADIUS Access-Request): The EAP response carrying the username triggers a RADIUS Access-Request message. The RADIUS Authentication Server receives the message and checks the policies and user database to find a match. The RADIUS server then prepares a reply message.

EAP Transactions (RADIUS Access-Challenge): The RADIUS server replies with an Access-Challenge. The WAP authenticator translates the RADIUS message into an EAP message, which is sent to the supplicant as an EAP challenge request. The supplicant receives the message and prepares an answer.

EAP Transactions (Challenge Response): The supplicant receives the message and prepares an answer. It hashes a password with a well-known algorithm; in the slide's illustration the password telecomS144 is run through MD5 to produce AX1Z05FE2CD48. It answers the challenge with an EAP-Challenge-Response.

EAP Transactions (RADIUS Access-Request with the hash): The authenticator sends a RADIUS Access-Request message that contains the hash to the RADIUS server. The RADIUS server runs the stored password (telecomS144 in the illustration) through the same algorithm (MD5) to check whether the result matches the received hash (AX1Z05FE2CD48).
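The EAPoL framing from the EAPoL Format slide and the challenge/response check from the last three slides, as an added example that is not part of the original presentation. It assumes the EAP-MD5 method of RFC 3748 (MD5 over Identifier, password and challenge) as the "well-known algorithm", and uses constructed MAC addresses; the RADIUS leg between authenticator and server is described in comments rather than encoded.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E            # Ethernet Type for EAP over LAN (888EH on the slide)
EAPOL_EAP_PACKET = 0                # EAPoL packet type that carries an EAP message
EAP_REQUEST, EAP_RESPONSE = 1, 2    # EAP codes
EAP_MD5 = 4                         # EAP method type: MD5-Challenge (RFC 3748)

def build_eapol(dst, src, eap_body, eapol_type=EAPOL_EAP_PACKET):
    """Ethernet header (dst, src, 0x888E) + EAPoL header (version 1, type, length) + EAP message."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(eap_body)) + eap_body

def parse_eapol(frame):
    """Return (dst, src, eapol_type, eap_body); reject non-EAPoL or truncated frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPoL: ethertype 0x%04x" % ethertype)
    body = frame[18:18 + length]
    if len(body) != length:         # a Length larger than the frame must not be trusted
        raise ValueError("truncated EAPoL body")
    return frame[:6], frame[6:12], eapol_type, body

def build_eap(code, identifier, eap_type, data):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data

def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 (RFC 3748): MD5(Identifier || password || challenge), as the supplicant computes it."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_verifies(identifier, stored_password, challenge, response_hash):
    """Authentication-server side: run the stored password through the same hash and compare."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response_hash)

def run_exchange(password, stored_password, identifier=7):
    """Challenge/response from the slides over EAPoL frames; True means the server would Access-Accept."""
    client, wap = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"   # constructed MAC addresses
    challenge = os.urandom(16)      # the server's challenge, relayed by the WAP in EAP form
    # Authenticator -> supplicant: EAP-Request/MD5-Challenge (Value-Size byte, then the challenge)
    req = build_eapol(client, wap, build_eap(EAP_REQUEST, identifier, EAP_MD5, bytes([16]) + challenge))
    _, _, _, body = parse_eapol(req)
    ident, received_challenge = body[1], body[6:6 + body[5]]
    # Supplicant -> authenticator: EAP-Response/MD5-Challenge carrying the 16-byte hash
    resp_hash = md5_challenge_response(ident, password, received_challenge)
    _, _, _, rbody = parse_eapol(build_eapol(wap, client, build_eap(EAP_RESPONSE, ident, EAP_MD5, bytes([16]) + resp_hash)))
    # The WAP forwards rbody's hash to the server inside a RADIUS Access-Request (not encoded here)
    return server_verifies(rbody[1], stored_password, challenge, rbody[6:22])
```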

EAP Transactions (RADIUS Access-Accept / EAP-Success): The supplicant receives the approval of authentication. The final part of the authentication process is the creation of a dynamic encryption key. IEEE 802.11i describes this process, called Robust Security Network (RSN), with two new protocols: the 4-Way Handshake and the Group Key Handshake.

RADIUS, TACACS+ and IEEE 802.1X

IEEE 802.1X: IEEE 802.1X is the IEEE standard for port-based Network Access Control. It provides an authentication mechanism for devices attaching to LAN or WLAN infrastructure. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol over Ethernet-type networks. 802.1X authentication involves three parties: a supplicant (the client), an authenticator (an access point), and an authentication server (a RADIUS server).

IEEE 802.1X: The authenticator (access point) acts like a security guard for a protected network. The supplicant (client) is not allowed access through the authenticator (access point) to the protected side of the network until the supplicant's identity has been validated and authorized.

IEEE 802.1X: The supplicant presents credentials (user name/password or a digital certificate) to the authenticator. The authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Cisco Support: Cisco's implementation of RADIUS is compatible with Microsoft PEAP-MS-CHAP-v2 and PEAP-GTC. Cisco's proprietary product ACS includes both RADIUS and TACACS+ implementations. TACACS+ is Cisco only.

RADIUS/TACACS+: RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on Cisco routers and relay authentication requests to a central RADIUS server that contains all user authentication and network service access information.