802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security

What is 802.1x ? Defined by IEEE and designed to provide port-based network access x authenticates network clients using information unique to the client and with credentials known only to the client. Service known as port-level authentication

Benefits of 802.1x 802.1x is a LAN access control x introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.

802.1x Framework The framework is defined by 3 authentication processes: 1. The supplicant Possibly a standalone device or an end user, such as a remote user. 2. The authenticator A device to which the supplicant directly connects and through which the supplicant obtains network access permission 3. The authentication server The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.

What is EAP ? EAP Extensible Authentication Protocol A flexible protocol used to carry arbitrary authentication information Typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+, etc. EAP Messages Request Sent to supplicant to indicate a challenge Response Supplicant reply message Success Notification to supplicant of success Failure Notification to supplicant of failure

Benefits of EAP-TLS Authentication Password’s are not used at all. Instead TLS public key is used. AAA Server authenticates client, but client can also authenticate AAA Server AAA Server receives certification from client, verifies authenticity of certification using CA public key, then verifies bearer identity using TLS handshake

EAP over 802.1x Frame Format

Diagram of EAP-TLS Authentication

Benefits 802.1x with Cisco Secure ACS Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics. Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment Identity-based session accounting and auditing, which enables tracking of client network usage.

Configuring the Switch for 802.1x Port Authentication GV-Rack1>s2 Translating "s2" Trying s2 ( , 2015)... Open Rack1S2>enable Rack1S2#config t Enter configuration commands, one per line. End with CNTL/Z. Rack1S2(config)#hostname mytest mytest(config)#aaa new-model mytest(config)#aaa authentication dot1x default group radius mytest(config)#interface fastethernet0/1 mytest(config-if)#dot1x port-control auto mytest(config-if)#radius-server host auth-port 1812 key cisco mytest(config)#end mytest#s 12:06:37: %SYS-5-CONFIG_I: Configured from console by console mytest#show dot1x Sysauthcontrol = Disabled Supplicant Allowed In Guest Vlan = Disabled Dot1x Protocol Version = 1 Dot1x Oper Controlled Directions = Both Dot1x Admin Controlled Directions = Both

Catalyst 3550 series Configuration File mytest#show running-config Building configuration... Current configuration : 2267 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname mytest ! aaa new-model aaa authentication dot1x default group radius ! ip subnet-zero ! no ip domain-lookup ! spanning-tree mode pvst spanning-tree extend system-id ! interface FastEthernet0/1 switchport mode dynamic desirable dot1x port-control auto spanning-tree portfast !! interface Vlan1 no ip address shutdown ! ip classless ip http server ! radius-server host auth-port 1812 acct-port 1813 key cisco radius-server retransmit 3 ! line con 0 exec-timeout 0 0 logging synchronous line vty 5 15 ! ! end

The Network

EAP Port Configuration

EAP-TLS Configuration

Configure Authentication Server Authorization Policy

Install ACS Certificate

Install ACS Certificate Cont.

Configure Authenticator & Authentication Server

Configure Supplement & Authorization Policy

Configure Supplement & Authorization Policy Cont.

Configuring The Logging Scheme

Any Questions ?