1
Port Based Network Access Control
IEEE 802.1X Port Based Network Access Control
3
Definition
“Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices.”
“IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports.”
Key points:
- Layer 2: access to the medium.
- Access control applied to ports.
- Authentication.
- Secure communication.
4
Basic Topology. There are three elements:
- The Supplicant, which in this example is a wireless Client A.
- The Authenticator, which in this case is a wireless access point (WAP).
- The Authentication Server.
5
Extensible Authentication Protocol EAP
The IEEE 802.1X standard specifies the use of EAP, the Extensible Authentication Protocol (RFC 3748), to support authentication using a centrally administered Authentication Server. EAP was initially defined for PPP; however, our main focus is its use in LAN networks. Consequently, the standard also defines EAP encapsulation over LANs (EAPoL) to convey the necessary exchanges between the supplicant and the authenticator.
6
EAPoL Format. Nothing more than an EAP message encapsulated in an Ethernet frame. That’s all.
Frame layout: Destination | Source | Type 888EH | EAP Message (Version, Length, Value)
7
Association Phase. Client A, the supplicant, associates with the Wireless Access Point (WAP). This is equivalent to connecting a cable to a LAN switch port: there are electrical signals, but nothing more significant is going on. All traffic is blocked at the WAP, the authenticator.
8
Jargon. In the initial stage of authentication, only EAP messages are accepted; the technical jargon for this is the Open Uncontrolled Virtual Port. Any other traffic is blocked and ignored at the authenticator; the technical jargon for this is the Closed Controlled Virtual Port. In reality, the ports do not even exist; this is just technical babble. It is simply that the Authenticator listens to authentication messages and ignores/blocks anything else, that’s all.
9
EAP Transactions: EAPoL-Start. The supplicant sends an EAP start message encapsulated inside a WLAN frame (EAPoL); the message is an EAPoL-Start.
10
EAP Transactions: EAP-Request-Identity / EAP-Response-Identity. The WLAN Authenticator replies with an EAP-Request-Identity. The supplicant client responds with the username in clear text.
11
EAP Transactions: RADIUS or TACACS+. The Authenticator now sends a RADIUS or TACACS+ message. Let’s assume that we are just using RADIUS for simplicity of the explanation.
12
EAP Transactions: EAP on one side, RADIUS or TACACS+ on the other. EAP messages do not continue unchanged toward the authentication server. The authenticator talks another protocol, such as RADIUS or TACACS+, to the Authentication Server. So, on one side the authenticator talks EAP and on the other RADIUS or TACACS+. The WAP is a proxy, translator or intermediary.
13
EAP Transactions: RADIUS Access-Request. The EAP response with the username triggers a RADIUS Access-Request message. The RADIUS Authentication Server receives the message and checks its policies and user database to find a match. The RADIUS server then prepares a reply message.
14
EAP Transactions: RADIUS Access-Challenge. The RADIUS server replies with an Access-Challenge. The WAP authenticator translates the RADIUS message into an EAP message which is sent to the supplicant.
15
EAP Transactions: EAP challenge. The WAP authenticator translates the RADIUS Access-Challenge into an EAP message which is sent to the supplicant as an EAP Challenge-Request. The Supplicant receives the message and prepares an answer.
16
EAP Transactions: EAP challenge. The Supplicant receives the message and prepares an answer: it hashes the password with a well-known algorithm (in the slide: password telecomS144, hashed with MD5, giving AX1Z05FE2CD48).
17
EAP Transactions: Challenge Response. The Supplicant answers the challenge with an EAP Challenge-Response carrying the hash (AX1Z05FE2CD48 in the slide).
18
EAP Transactions: RADIUS Access-Request. The authenticator sends a RADIUS Access-Request message that contains the hash to the RADIUS Server. The RADIUS Server runs the stored password through the same algorithm to find out whether the result matches the received hash.
19
EAP Transactions: RADIUS Access-Request (server side). The RADIUS Server runs the stored password (telecomS144) through the same MD5 algorithm and compares its result (AX1Z05FE2CD48 in the slide) with the received hash.
20
EAP Transactions: RADIUS Access-Accept / EAP Success. The RADIUS server replies with an Access-Accept, which reaches the supplicant as an EAP Success: the supplicant receives the approval of authentication. The final part of the authentication process is the creation of a dynamic encryption key. IEEE 802.11i describes this process, called Robust Security Network (RSN), with two new protocols: the 4-Way Handshake and the Group Key Handshake.
21
RADIUS, TACACS+ and IEEE 802.1X
22
IEEE 802.1X. IEEE 802.1X is the IEEE standard for Port-based Network Access Control. It provides an authentication mechanism to devices attaching to LAN or WLAN infrastructure. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol over Ethernet-type networks. 802.1X authentication involves three parties:
- A supplicant (the client)
- An authenticator (an access point)
- An authentication server (a RADIUS server)
23
IEEE 802.1X. The authenticator (access point) acts like a security guard to a protected network. The supplicant (client) is not allowed access through the authenticator (access point) to the protected side of the network until the supplicant’s identity has been validated and authorized.
24
IEEE 802.1X. The supplicant presents credentials (user name and password, or a digital certificate) to the authenticator. The authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
25
Cisco Support. Cisco’s implementation of RADIUS is compatible with Microsoft PEAP-MS-CHAP-v2 and PEAP-GTC. The Cisco proprietary product ACS includes RADIUS and TACACS+ implementations. TACACS+ is Cisco-only.
26
RADIUS/TACACS+. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on Cisco routers and relay authentication requests to a central RADIUS server that contains all user authentication and network service access information.