802.1X Configuration Terena 802.1X workshop the Netherlands, Amsterdam, March 30 th Paul Dekkers.

Slides:

Advertisements

Similar presentations

Inter WISP WLAN roaming

Advertisements

Authentication.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.

High-quality Internet for higher education and research 5 th of April, Eurocamp, Ljubljana eduroam, security and authentication Paul Dekkers.

Filtering and Security By Mohammad Shanehsaz June 2004.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

Housing Residence Education Network and Services.

EduRoam ESA workshop 17 December 2004 Utrecht.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.

Network Access and 802.1X Klaas Wierenga SURFnet

High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.

Configuring Linux Radius Server

802.1x EAP Authentication Protocols

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

Deploying eduroam Deyan Stoykov, BREN E-infrastructure Autumn Workshops 8 September, 2014.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Company LOGO WIRELESS DEPLOYMENT A successful solution to Campuswide role-based secure Wi-Fi deployment Andrea Di Fabio – Information Security Officer.

Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.

802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

Technical Training: DAP-1360 Wireless N Access Point DAP-1360.

What about 802.1X? An overview of possibilities for safe access to fixed and wireless networks Amsterdam, October Erik Dobbelsteijn.

Windows 2003 and 802.1x Secure Wireless Deployments.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

Firewall policies Configuration->Security->Access Control->Policies: Add User role Configuration->Security->Access Control-> User Roles: Add Server group.

WIRELESS LAN SECURITY Using

Altai Certification Training Backend Network Planning

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 NGWC – Central Webauth (CWA) using ISE 3850 and 5760 Viten Patel – RTP Wireless.

Ing. Peter Feciľak , KPI, FEI, TUKE.

High-quality Internet for higher education and research Paul Dekkers April 4th, Turkey.

Michal Procházka, Jan Oppolzer CESNET.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

A Practical Guide for Joining EduRoam EuroCAMP Torino A Practical Guide for Joining EduRoam 4 March 2005 Version 1.6.

Network Infrastructure Configuration for MAB Port Configuration Interface fastethernet 0/1 description Trustsec:802.1X+MAB+MultiAuth switchport access.

Scenario 1 Internet WAN LAN1 LAN2 LAN3 LAN4

© 2015 Mohamed Samir YouTube channel All rights reserved. Samir CCNP-SWITCHING Mohamed Samir YouTube channel Double.

Configuring Linux Radius Server Objectives –This chapter will show you how to install and use Radius Contents –An Overview Of How Radius Works –Configruation.

© 2015 Mohamed Samir YouTube channel All rights reserved. Samir Part V: Monitoring Campus Networks.

SECURE WIRELESS NETWORK IN IŞIK UNIVERSITY ŞİLE CAMPUS.

Wireless Authentication & 802.1X By Gareth Ayres.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

802.1X in SURFnet 22 May 2003.

1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer.

© 2015 Mohamed Samir YouTube channel All rights reserved. Samir CCNP-SWITCHING Mohamed Samir YouTube channel Double.

Security for (Wireless) LANs 802.1X workshop 30 & 31 March 2004 Amsterdam.

Workshop roaming services: eduroam / govroam

Configuring AAA Kamyar Miremadi Laila Sherif Summer 2005.

RADIUS What it is Remote Authentication Dial-In User Service

Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.

19 May 2003 © The JNT Association Terena Technical Advisory Council Terena Mobility Task Force

RADIUS By: Nicole Cappella. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How.

How to Configure VLAN Hopping for Cisco Switch

Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.

Implementing Network-Edge Security with 802.1x

WPA Configuration Example WebUI

Holistic view of 802.1x integration & optimization

SECURE WIRELESS NETWORK IN IŞIK UNIVERSITY ŞİLE CAMPUS

Cisco Real Exam Dumps IT-Dumps

UT Gert Meijerink Service Departement for Information Technology, Library and Education (ITBE) TERENA 2004.

Presentation transcript:

802.1X Configuration Terena 802.1X workshop the Netherlands, Amsterdam, March 30 th Paul Dekkers

2 Overview

3 EAP

4 What makes EAP flexible

5 Man-in-the-Middle attack That’s why we need a good EAP mechanism!

6 RADIUS proxy-ing

7 RADIUS Client-Server model –Authenticator is a RADIUS client –Authentication-server is the RADIUS server –RADIUS server can be a client as well

8 RADIUS – what’s in the packet UDP, ports 1645/1646 or 1812/1813 Mind the firewall! Attributes, like User-Name, User-Password, EAP-Message Shared Secret

9 RADIUS and REALMS Use well-chosen realms: preferably like an address, Important with PROXY-ing

10 Guest Access

11 Traffic separation without 1x

12 Traffic separation with 1x RADIUS server SURFnet office RADIUS server University X Internet Central RADIUS proxy server Authenticator (AP or switch) User DB Supplicant Guest Students VLAN Guest VLAN Employee VLAN

13 Traffic separation with 1x

14 Hands-on setup

15 Configuration : Radiator Linear Global configuration AuthPort 1812 AcctPort 1813 LogDir /var/log/radius DbDir /etc/radiator Clients Handlers

16 Configuration : Radiator RADIUS Clients Secret 6.6obaFkm&RNs666 Identifier AP1 IdenticalClients ,

17 Configuration : Radiator Filename users

18 Configuration : Radiator Filename users EAPType TTLS, PEAP, MSCHAP-V2 EAPTLS_CAFile root-ca.pem EAPTLS_CertificateFile server.pem EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile private.pem EAPTLS_PrivateKeyPassword secret EAPTLS_MaxFragmentSize 1024 AutoMPPEKeys

19 Configuration : Radiator # Accept, and log # PAP # EAP-MSCHAPv2 # EAP-TTLS and EAP-PEAP

20 Configuration : Radiator, Identifiers and Catch-all Identifier SURFNET-PROXY Host radius-proxy.surfnet.nl Secret Sdfg8WeR98r09d8fg AuthPort 1812 AcctPort 1813 AuthBy SURFNET-PROXY

21 RADIUS proxy-loop Good configuration is more complex, often lacks in prevention for proxy-loops

22 Configuration: Access-Point

23 Cisco AP - RADIUS AP1(config)#aaa new-model aaa group server radius rad_eap server auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap aaa accounting network acct_methods start-stop group rad_acct radius-server host auth-port 1812 acct-port 1813 key X

24 Cisco AP - Wireless Interface AP1(config)#interface dot11Radio 0 AP1(config-if)#encryption mode ciphers wep40 AP1(config-if)#broadcast-key change 1800 AP1(config-if)#no ssid tsunami AP1(config-if)#ssid SURFnet AP1(config-if-ssid)#authentication open eap eap_methods AP1(config-if-ssid)#guest-mode AP1(config-if-ssid)#^Z

25 Cisco switch – enable RADIUS Switch# configure terminal Switch(config)# aaa new-model Switch(config)# radius-server host x auth-port 1812 key

26 Cisco switch – enable 802.1x Switch(config)# aaa authentication dot1x default group radius Switch(config)# dot1x system-auth-control Switch(config)# interface fastethernet0/1 Switch(config-if)# spanning-tree portfast Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 10 Switch(config-if)# dot1x port-control auto Switch(config-if)# end Switch(config-if)# dot1x guest-vlan 60

27 Windows and wired 802.1x

28 Extra in hands-on Configuration of VLAN’s: Can you enable “roaming” with another group? Can you create an SSID for users without 802.1x?