1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

© 2003, Cisco Systems, Inc. All rights reserved..
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.
Operating and Configuring Cisco IOS Devices © 2004 Cisco Systems, Inc. All rights reserved. Operating Cisco IOS Software INTRO v2.0—8-1.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—2-1 Ethernet LANs Operating Cisco IOS Software.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
802.1x EAP Authentication Protocols
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
KIRAN CHAMARTHI NETWORK SECURITY
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.
Remote Networking Architectures
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Windows 2003 and 802.1x Secure Wireless Deployments.
Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
RSA Security Validating Users and Devices to Protect Network Assets Endpoint Solutions for Cisco Environments.
Configuring Routing and Remote Access(RRAS) and Wireless Networking
© 2004, Cisco Systems, Inc. All rights reserved.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
Mobile and Wireless Communication Security By Jason Gratto.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 5 City College.
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
WIRELESS LAN SECURITY Using
Chapter 7: Protecting Advanced Communications
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Module 8: Designing Network Access Solutions. Module Overview Securing and Controlling Network Access Designing Remote Access Services Designing RADIUS.
1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer.
1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.
Configuring AAA Kamyar Miremadi Laila Sherif Summer 2005.
RADIUS What it is Remote Authentication Dial-In User Service
© 2002, Cisco Systems, Inc. All rights reserved..
Authentication Protocols Natalie DeKoker, Lindsay Haley, Jordan Lunda, Matty Ott.
Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Introduction to Networking Technologies Wireless Security.
Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
Port Based Network Access Control
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
Implementing Network-Edge Security with 802.1x
Configuring and Troubleshooting Routing and Remote Access
802.1x OVERVIEW Sudhir Nath Product Manager, Trust & Identity
Cisco Real Exam Dumps IT-Dumps
On and Off Premise Secure Access
– Chapter 5 (B) – Using IEEE 802.1x
Presentation transcript:

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 7 – Configure Trust and Identity at Layer 2

3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 7.1 Identity-Based Networking Services (IBNS) 7.2 Configuring 802.1x Port-Based Authentication

4 © 2005 Cisco Systems, Inc. All rights reserved. Module 7 – Configure Trust and Identity at Layer Identity-Based Networking Services (IBNS)

5 © 2005 Cisco Systems, Inc. All rights reserved. Identity Based Network Services Cisco VPN Concentrators, IOS Routers, PIX Security Appliances Unified Control of User Identity for the Enterprise Router Internet Cisco Secure ACS Firewall VPN Clients Hard and Soft Tokens Remote Offices OTP Server

6 © 2005 Cisco Systems, Inc. All rights reserved x Roles Authentication Server Authenticator Supplicant

7 © 2005 Cisco Systems, Inc. All rights reserved x Authenticator and Supplicant The perimeter router acts as the authenticator Internet Cisco Secure ACS Home Office The remote user’s PC acts as the supplicant

8 © 2005 Cisco Systems, Inc. All rights reserved x Components

9 © 2005 Cisco Systems, Inc. All rights reserved. How 802.1x Works Authentication Server (RADIUS) Catalyst 2950 (switch) End User (client) 802.1x RADIUS Actual authentication conversation occurs between the client and Authentication Server using EAP. The authenticator is aware of this activity, but it is just a middleman.

10 © 2005 Cisco Systems, Inc. All rights reserved. How 802.1x Works (Continued) Authentication Server (RADIUS) Catalyst 2950 (switch) End User (client) EAPOL - Start EAP – Request Identity EAP – Response/Identity RADIUS Access - Request EAP – Request/OTP RADIUS Access - Challenge EAP – Response/OTP RADIUS Access - Request RADIUS Access - AcceptEAP – Success Port Authorized EAPOL – Logoff Port Unauthorized

11 © 2005 Cisco Systems, Inc. All rights reserved. EAP Characteristics EAP – The Extensible Authentication Protocol Extension of PPP to provide additional authentication features A flexible protocol used to carry arbitrary authentication information. Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+ Specified in RFC 2284 Support multiple authentication types : EAP-MD5: Plain Password Hash (CHAP over EAP) EAP-TLS (based on X.509 certificates) LEAP (EAP-Cisco Wireless) PEAP (Protected EAP)

12 © 2005 Cisco Systems, Inc. All rights reserved. EAP Selection Cisco Secure ACS supports the following varieties of EAP: EAP-MD5 – An EAP protocol that does not support mutual authentication. EAP-TLS – EAP incorporating Transport Layer Security (TLS). LEAP—An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication. PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols. EAP-FAST – EAP Flexible Authentication via Secured Tunnel (EAP- FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication.

13 © 2005 Cisco Systems, Inc. All rights reserved. Cisco LEAP Access Point Client Lightweight Extensible Authentication Protocol Derives per-user, per-session key Enhancement to IEEE802.11b Wired Equivalent Privacy (WEP) encryption Uses mutual authentication – both user and AP needs to be authenticated ACS Server

14 © 2005 Cisco Systems, Inc. All rights reserved. EAP-TLS Access Point Client Extensible Authentication Protocol – Transport Layer Security RFC 2716 Used for TLS Handshake Authentication (RFC2246) Requires PKI (X.509) Certificates rather than username/password Mutual authentication Requires client and server certificates Certificate Management is complex and costly Switch ACS Server

15 © 2005 Cisco Systems, Inc. All rights reserved. PEAP Access Point Client Protected Extensible Authentication Protocol Internet-Draft by Cisco, Microsoft & RSA Enhancement of EAP-TLS Requires server certificate only Mutual authentication username/password challenge over TLS Channel Available for use with Microsoft and Cisco products Switch TLS Tunnel ACS Server

16 © 2005 Cisco Systems, Inc. All rights reserved. How Does Basic Port Based Network Access Work? Switch Request ID The switch detects the 802.1x compatible client, forces authentication, then acts as a middleman during the authentication, Upon successful authentication the switch sets the port to forwarding, and applies the designated policies. Send ID/Password or Certificate Switch Forward credentials to ACS Server Authentication Successful Client now has secure access 802.1x RADIUS Cisco Secure ACS AAA Radius Server 802.1x Capable Ethernet LAN Access Devices applies policies and enables port. Host device attempts to connects to Switch Actual authentication conversation is between client and Auth Server using EAP SeriesAccess Points 4500/4000 Series 3550/2950 Series

17 © 2005 Cisco Systems, Inc. All rights reserved. ACS Deployment in a Small LAN Cisco Secure ACS Client Catalyst 2950/3500 Switch Firewall Router Internet

18 © 2005 Cisco Systems, Inc. All rights reserved. ACS Deployment in a Global Network ACS1 Client Switch 1 Region 1 Firewall ACS3 ACS2 Region 2 Region 3 Switch 2 Switch 3

19 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS RADIUS Response Cisco Secure ACS Cisco Catalyst Switch End User 802.1x RADIUS After a user successfully completes the EAP authentication process the Cisco Secure ACS responds to the switch with a RADIUS authentication- accept packet granting that user access to the network.

20 © 2005 Cisco Systems, Inc. All rights reserved. Module 7 – Configure Trust and Identity at Layer Configuring 802.1x Port-Based Authentication

21 © 2005 Cisco Systems, Inc. All rights reserved x Port-Based Authentication Configuration Enable 802.1x Authentication (required) Configure the Switch-to-RADIUS-Server Communication (required) Enable Periodic Re-Authentication (optional) Manually Re-Authenticating a Client Connected to a Port (optional) Resetting the 802.1x Configuration to the Default Values (optional)

22 © 2005 Cisco Systems, Inc. All rights reserved x Port-Based Authentication Configuration (Cont.) Changing the Quiet Period (optional) Changing the Switch-to-Client Retransmission Time (optional) Setting the Switch-to-Client Frame-Retransmission Number (optional) Enabling Multiple Hosts (optional) Resetting the 802.1x Configuration to the Default Values (optional)

23 © 2005 Cisco Systems, Inc. All rights reserved. Enabling 802.1x Authentication configure terminal Switch# Enter global configuration mode aaa new-model Switch(config)# Enable AAA aaa authentication dot1x default group radius Switch(config)# Create an 802.1x authentication method list

24 © 2005 Cisco Systems, Inc. All rights reserved. Enabling 802.1x Authentication (Cont.) interface fastethernet0/12 Switch(config)# Enter interface configuration mode dot1x port-control auto Switch(config-if)# Enable 802.1x authentication on the interface end Switch(config-if)# Return to privileged EXEC mode

25 © 2005 Cisco Systems, Inc. All rights reserved. Configuring Switch-to-RADIUS Communication radius-server host 172.l auth-port 1812 key rad123 Switch(config)# Configure the RADIUS server parameters on the switch.

26 © 2005 Cisco Systems, Inc. All rights reserved. Enabling Periodic Re-Authentication configure terminal Switch# Enter global configuration mode dot1x re-authentication Switch(config)# Enable periodic re-authentication of the client, which is disabled by default. dot1x timeout re-authperiod seconds Switch(config)# Set the number of seconds between re-authentication attempts.

27 © 2005 Cisco Systems, Inc. All rights reserved. Manually Re-Authenticating a Client Connected to a Port dot1x re-authenticate interface fastethernet0/12 Switch(config)# Starts re-authentication of the client.

28 © 2005 Cisco Systems, Inc. All rights reserved. Enabling Multiple Hosts configure terminal Switch# Enter global configuration mode interface fastethernet0/12 Switch(config)# Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached. dot1x multiple-hosts Switch(config-if)# Allow multiple hosts (clients) on an 802.1x-authorized port.

29 © 2005 Cisco Systems, Inc. All rights reserved. Resetting the 802.1x Configuration to the Default Values configure terminal Switch# Enter global configuration mode dot1x default Switch(config)# Reset the configurable 802.1x parameters to the default values.

30 © 2005 Cisco Systems, Inc. All rights reserved. Displaying 802.1x Statistics show dot1x statistics Switch# Display 802.1x statistics show dot1x statistics interface interface-id Switch# Display 802.1x statistics for a specific interface.

31 © 2005 Cisco Systems, Inc. All rights reserved. Displaying 802.1x Status show dot1x Switch# Display 802.1x administrative and operational status. show dot1x interface interface-id Switch# Display 802.1x administrative and operational status for a specific interface.

32 © 2005, Cisco Systems, Inc. All rights reserved.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.