Implementing Network-Edge Security with 802.1x


1 Implementing Network-Edge Security with 802.1x
Enhancements to all areas of organizational security
Michael Votaw, RCC-E Network Monitoring Team Lead

2 Overview
- Network-based authentication
- IEEE 802.1X authentication
- RFC 3580 and enhancements
- Network Access Control
- Security tools enhancements

3 Network-Based Authentication
- What are we really talking about?
- Types of authentication
  - MAC authentication (MAB)
  - IEEE 802.1X
- Who, where, when? What is the value?
  - History and forensics
- Authentication sources: RADIUS
  - Microsoft 2003 IAS / Microsoft 2008 NPS
  - FreeRADIUS
  - Steel-Belted RADIUS
  - Many, many others
- The benefits of automation with this new information

4 IEEE 802.1X Authentication History
- Authored by members from Microsoft, Cisco, Enterasys, HP
- Ratified in late 2001
- What need did it fill? How is it used?
  - Centralized command and control
  - Port control without the tedious work
  - DHCP phobias
- Who supports it?
  - Switch vendors: Extreme/Enterasys, Cisco, Brocade/Foundry, HP, many others
  - Operating systems: Microsoft XP, Vista, 7 & 8, Mac OS X, Linux, others
  - Devices: IP phones from Avaya, Siemens, Cisco, and many more
  - Devices: print servers from HP, Lexmark, Xerox
- How does it work?

5 802.1X Basic Components
(diagram: Supplicant -> Network Device -> Authentication Server (RADIUS), which checks for a valid user in AD/RADIUS)
- Supplicant (user, printer, phone, or certificate-based): Microsoft XP, Vista, 7 & 8; Mac OS X; Linux; Open1X; printers; phones
- Network device: Enterasys, Cisco, Foundry, Extreme, HP, many others
- Authentication server (RADIUS): Windows AD, FreeRADIUS, OpenRADIUS, Steel-Belted RADIUS

6 802.1X Basic Flow
(diagram) Supplicant -> network device: username/password
Network device -> RADIUS server, RADIUS attributes sent with the request:
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
RADIUS server -> network device, RADIUS attributes returned in the response:
- Filter-Id
- Tunnel-Priv-Grp-ID

7 Basic 802.1X Port Control
(diagram: port state before authentication and after authentication)

8 802.1X Message Exchange
- All messages on the client side use EtherType 0x888E (EAPOL/PAE)
- All messages between switch and server are RADIUS packets
- Most switch vendors enhance this with multi-method and multi-user authentication

9 802.1X Continued
- Support for periodic re-auth and manual re-auth
- EAP types, industry standard:
  - MD5: basic
  - PEAP: Microsoft & Cisco Protected EAP, now dominant in the industry
  - EAP-TLS (Transport Layer Security): requires a digital certificate on each supplicant (see RFC 2716)
- EAP types, proprietary:
  - EAP-TTLS (Tunneled TLS Authentication Protocol), Juniper Software; TTLS does not require a digital cert (see Internet Draft)
  - LEAP: Cisco Lightweight EAP (proprietary); Cisco moving to PEAP
- 802.1X on wireless: encryption, rotating keys, integration of users and enterprise authentication
- The future: 802.1AE, key exchange and encryption between clients, switches, and routers
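Slides 8 and 9 describe the client-side half of the exchange: EAPOL frames on EtherType 0x888E carrying EAP, which is the only traffic an unauthorized port forwards. The decoder below is an added example, not material from the presentation or any vendor; the three frames it decodes (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity) and the MAC addresses are constructed for the example.

```python
import struct

# EtherType for EAPOL (the "888E" on the slide) and the PAE group destination address
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods the slides mention
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying EAPOL. Raises ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    info = {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
    }
    if eapol_type == 0:  # EAP packet: code, identifier, length, then type + data for Request/Response
        if body_len < 4:
            raise ValueError("EAP header too short")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length inconsistent with EAPOL body")
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = identifier
        if code in (1, 2) and eap_len >= 5:
            method = body[4]
            info["eap_method"] = EAP_METHODS.get(method, f"type {method}")
            if method == 1:  # Identity: the rest of the packet is the (not yet authenticated) identity string
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


# --- constructed sample frames (not captured traffic) ---
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed
SWITCH_MAC = bytes.fromhex("00aabbccddee")      # constructed


def eapol(dst: bytes, src: bytes, eapol_type: int, payload: bytes = b"") -> bytes:
    header = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, eapol_type, len(payload))
    return dst + src + header + payload


# 1. supplicant announces itself to the PAE group address
FRAME_START = eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 1)
# 2. authenticator asks for an identity: EAP Request (code 1), id 1, length 5, type Identity
FRAME_REQ_IDENTITY = eapol(SUPPLICANT_MAC, SWITCH_MAC, 0, struct.pack("!BBHB", 1, 1, 5, 1))
# 3. supplicant answers with its identity
_identity = b"alice"
FRAME_RESP_IDENTITY = eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 0,
                            struct.pack("!BBHB", 2, 1, 5 + len(_identity), 1) + _identity)
# 4. a plain IPv4 frame (EtherType 0x0800) that an unauthorized port would drop
FRAME_IP = SWITCH_MAC + SUPPLICANT_MAC + b"\x08\x00" + bytes(46)


def allowed_on_unauthorized_port(frame: bytes) -> bool:
    """Port-control rule from slide 7: before authentication only EAPOL may pass."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


if __name__ == "__main__":
    for f in (FRAME_START, FRAME_REQ_IDENTITY, FRAME_RESP_IDENTITY):
        print(parse_eapol_frame(f))
    print("IP frame passes unauthorized port?", allowed_on_unauthorized_port(FRAME_IP))
```

The identity in the EAP-Response/Identity is whatever the supplicant claims; nothing about it is verified until the RADIUS server finishes the chosen EAP method, which is why logging it as "the user" before an Access-Accept arrives is misleading.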

10 Enhancing 802.1X
- Dynamic VLAN support (RFC 3580)
  - Dynamically assign a user, phone, or device to a VLAN based on the RADIUS response
  - Can allow for user mobility throughout the enterprise
- Dynamic ACL support
  - Restrict unauthorized protocols
  - Enhance others with QoS (phones, critical applications)
- Multi-user: most enterprise-class switches today support multiple users authenticating per port
- Multi-method: many vendors support MAC+802.1X to help with supplicant support
- PAE MIB: SNMP access, control, and statistics over the 802.1X experience
- Guest access: many vendors support an auth-fail VLAN, or provide alternate access support
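Slide 6 lists the attributes the switch sends and receives, and slide 10 says the VLAN comes from the RADIUS response under RFC 3580. The example below is added here and is not the presentation's or any vendor's code: it verifies the RADIUS Response Authenticator before trusting anything in an Access-Accept, then applies the RFC 3580 rule that a VLAN is assigned only when Tunnel-Type=VLAN (13) and Tunnel-Medium-Type=IEEE-802 (6) accompany Tunnel-Private-Group-ID under the same RFC 2868 tag. The shared secret, request authenticator and sample packets are constructed for the example.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 2, 3
ATTR_FILTER_ID, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6  # the values RFC 3580 requires for a VLAN assignment


def pack_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def unpack_attrs(data: bytes):
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[off + 2:off + length]))
        off += length
    return attrs


def response_authenticator_ok(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def split_tag(value: bytes, tagged_integer: bool):
    """RFC 2868 tag handling: tagged integers always carry a tag octet; for strings the tag
    is present only when the first octet is <= 0x1F, otherwise that octet is text."""
    if tagged_integer or (value and value[0] <= 0x1F):
        return value[0], value[1:]
    return 0, value


def authorization_from_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    if not response_authenticator_ok(packet, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: forged or wrong shared secret, discard")
    result = {"accepted": code == CODE_ACCESS_ACCEPT, "vlan": None, "filter_id": None}
    if code != CODE_ACCESS_ACCEPT:
        return result
    tunnels = {}  # tag -> {"type": .., "medium": .., "group": ..}
    for attr_type, value in unpack_attrs(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            result["filter_id"] = value.decode("utf-8", "replace")
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            tag, body = split_tag(value, tagged_integer=True)
            key = "type" if attr_type == ATTR_TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = int.from_bytes(body, "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, body = split_tag(value, tagged_integer=False)
            tunnels.setdefault(tag, {})["group"] = body.decode("utf-8", "replace")
    # Assign the VLAN only when type and medium agree under the same tag (tag 0 = untagged,
    # which is accepted as the fallback for any group id).
    for tag, t in sorted(tunnels.items()):
        if "group" not in t:
            continue
        ttype = t.get("type", tunnels.get(0, {}).get("type"))
        medium = t.get("medium", tunnels.get(0, {}).get("medium"))
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802:
            result["vlan"] = t["group"]
            break
    return result


# --- constructed sample: a server response for a user mapped to VLAN 100 with an ACL ---
SECRET = b"lab-shared-secret"    # constructed; not the key shown in the switch configs
REQUEST_AUTH = bytes(range(16))  # constructed; really the random authenticator of the Access-Request


def build_response(code: int, ident: int, attrs, request_authenticator: bytes, secret: bytes) -> bytes:
    body = b"".join(pack_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


SAMPLE_ACCEPT = build_response(CODE_ACCESS_ACCEPT, 7, [
    (ATTR_FILTER_ID, b"Enterprise-ACL"),
    (ATTR_TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"),
], REQUEST_AUTH, SECRET)
SAMPLE_REJECT = build_response(CODE_ACCESS_REJECT, 8, [], REQUEST_AUTH, SECRET)
# the same Accept with the last byte of the group id changed in transit ("100" -> "109")
SAMPLE_TAMPERED = SAMPLE_ACCEPT[:-1] + b"9"

if __name__ == "__main__":
    print(authorization_from_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

The order matters: the Response Authenticator check comes first, because an attacker who can inject UDP toward the switch but does not hold the shared secret cannot produce a valid one, so a switch that applies VLAN or Filter-Id attributes before verifying it would be handing out network access on unauthenticated data.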

11 Basic Steps for Implementation in a Lab
- Set up NPS on Microsoft AD
  - Simple configuration
  - No certificates
- Enable 802.1X on your network device
  - Set up your RADIUS server
  - Turn on 802.1X with “dot1x” commands
- Set up Windows 7
  - Go with Protected EAP
  - Don’t validate server certs
  - Deselect “Automatically use my Windows logon name”
- Once tested, move to a more secure model using host and server certificates (strong, mutual authentication)
- A phased approach can be used, enabling only some users and network devices
- Group Policy can be employed for configuration of end systems

12 Basic NPS Setup

13 Configuration of RADIUS Clients

14 NPS Can Permit/Deny Based on Groups

15 EAP Methods Configured

16 Adding RADIUS Attributes

17 Basic Switch Config (Cisco)
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip radius source-interface Vlan99
radius-server attribute nas-port format c
radius-server host auth-port 1812 acct-port 1813 key #$TR3g42f34yytV3r4f
radius-server vsa send accounting
radius-server vsa send authentication
interface FastEthernet0/17
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

18 Basic Switch Configuration (Brocade/Foundry)
dot1x-enable
 re-authentication
 timeout quiet-period 30
 timeout re-authperiod 2000
 timeout tx-period 3
 auth-fail-vlanid 10
 enable ethe 1 to 16
aaa authentication dot1x default radius
hostname fesx448
radius-server host auth-port 1812 acct-port 1813 default key 1 $fl%}lq9}%0qPf:}%fBPfl dot1x
interface ethernet 1
 dot1x port-control auto
 dot1x disable-filter-strict-security
 port-name rm101-sw1-e1

19 MAC Authentication
- Authenticates a device using the source MAC address of received packets
- Overview of the authentication process
  - The authenticator (switch) sends the following as credentials for authentication:
    - Username: source MAC of the end system; the format of the MAC address is XX-XX-XX-XX-XX-XX
    - Password: locally configured password on the switch
  - Username and password are sent to the backend RADIUS server for authentication
  - If the credentials are valid, a RADIUS Access-Accept message (possibly with Filter-Id or Tunnel attributes) is returned to the switch
- MAC authentication enables switches to authenticate end systems that do not support an 802.1X supplicant or web browser (e.g. printers) to the network
- No special software is required for an end system to MAC authenticate
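The slide describes what the switch puts on the wire for MAC authentication: the source MAC as User-Name in XX-XX-XX-XX-XX-XX form, the switch's local password as User-Password, plus the NAS attributes from slide 6. The code below is an added example, not the presentation's or any switch vendor's implementation: it builds such an Access-Request the way RFC 2865 specifies (User-Password hidden with the shared secret, Message-Authenticator per RFC 3579) and then shows the server-side check that verifies the Message-Authenticator before reading the credentials. The MAC, password and secret are constructed; including Calling-Station-Id is an assumption about what a given switch sends.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

CODE_ACCESS_REQUEST = 1
A_USER_NAME, A_USER_PASSWORD, A_NAS_IP_ADDRESS, A_NAS_PORT = 1, 2, 4, 5
A_CALLING_STATION_ID, A_NAS_PORT_TYPE, A_MESSAGE_AUTHENTICATOR = 31, 61, 80
NAS_PORT_TYPE_ETHERNET = 15


def mab_username(mac: str) -> str:
    """Normalise any usual MAC spelling to the XX-XX-XX-XX-XX-XX form the slide describes."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block), chained from the authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of the same scheme. Anyone holding the shared secret can do this, so the
    secret, not the hiding, is what protects the switch's MAB password on the wire."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def pack_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def unpack_attrs(data: bytes):
    """Return [(type, value, offset_of_value)] or raise on a malformed attribute list."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]], off + 2))
        off += data[off + 1]
    return attrs


def build_mab_access_request(ident, mac, mab_password, nas_ip, nas_port, secret, request_authenticator=None):
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = [
        (A_USER_NAME, mab_username(mac).encode()),
        (A_USER_PASSWORD, hide_password(mab_password, secret, request_authenticator)),
        (A_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (A_NAS_PORT, struct.pack("!I", nas_port)),
        (A_CALLING_STATION_ID, mab_username(mac).encode()),  # assumption: the switch reports the MAC here too
        (A_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        (A_MESSAGE_AUTHENTICATOR, bytes(16)),  # zero placeholder; HMAC-MD5 is computed over it, then filled in
    ]
    body = b"".join(pack_attr(t, v) for t, v in attrs)
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def check_mab_access_request(packet: bytes, secret: bytes) -> dict:
    """Server-side view: verify Message-Authenticator first, then expose what the switch sent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    request_authenticator = packet[4:20]
    attrs = unpack_attrs(packet[20:])
    ma = [(v, off) for t, v, off in attrs if t == A_MESSAGE_AUTHENTICATOR and len(v) == 16]
    if not ma:
        raise ValueError("no Message-Authenticator: this example's server requires it")
    value, off = ma[0]
    zeroed = packet[:20 + off] + bytes(16) + packet[20 + off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
        raise ValueError("Message-Authenticator mismatch: forged request or wrong shared secret")
    a = {t: v for t, v, _ in attrs}
    return {
        "username": a[A_USER_NAME].decode(),
        "password": reveal_password(a[A_USER_PASSWORD], secret, request_authenticator),
        "nas_ip": str(ipaddress.IPv4Address(a[A_NAS_IP_ADDRESS])),
        "nas_port": struct.unpack("!I", a[A_NAS_PORT])[0],
        "port_type": struct.unpack("!I", a[A_NAS_PORT_TYPE])[0],
    }


SECRET = b"lab-shared-secret"            # constructed
MAB_PASSWORD = b"mab-password-on-switch"  # constructed; stands in for the password configured on the switch
SAMPLE_REQUEST = build_mab_access_request(1, "00:11:22:33:44:55", MAB_PASSWORD, "10.0.0.2", 17, SECRET)

if __name__ == "__main__":
    print(check_mab_access_request(SAMPLE_REQUEST, SECRET))
```

What the server sees makes the security property of MAB concrete: the only per-device credential is the MAC address, which every frame from the device already carries in clear, so an Access-Accept for a MAB username should grant the narrowest VLAN or Filter-Id the device needs rather than the same access an 802.1X user gets.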

20 Client Configuration

21 Network Access Control – The Next Step
- NAC and 802.1X are not the same
- The 5 functions of NAC: detection, authentication, authorization, assessment, remediation
- 802.1X provides a foundation by filling the first three phases of NAC
- Using RFC 3580, control can be exercised over the VLAN or ACL
- Log data can be sent to log servers: historical and forensic information

22 Network Access Control – The Next Step
Information now available to NAC solutions:
- MAC address of the client
- The username
- Exact port where the request came from
- The IP of the switch
- The method of authentication (MAC, 802.1X)
- The IP address (through DHCP snooping)
- The time of login
- The time of logout
- Any VLAN or ACL that was applied

23 NAC Dashboard – End Systems View
© 2013 Enterasys Networks, Inc All rights reserved Enterasys Confidential

24 How Network-Auth Enhances Security Tools
- Integrate network authentication user tracking with Security Information Management capabilities
- Result: track down systems that cause security breaches with new levels of speed and accuracy
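Slide 22 lists the facts network authentication makes available (MAC, username, switch, port, method, IP, login and logout time, VLAN/ACL) and slide 24 says the payoff is tracing a misbehaving system quickly. The example below is added here and is not from the presentation or any product: it folds RADIUS accounting records into per-session records and answers the incident-response question "who held this IP at this moment?", including the case where DHCP hands the same IP to a later session on the same port. The log lines are constructed in a simple attribute=value form, not output of any real server, and treating Service-Type=Call-Check as MAC authentication is an assumption.

```python
from datetime import datetime

# Constructed accounting records (one per Start / Interim-Update / Stop), not real server output.
ACCOUNTING_LOG = """
2013-05-01T07:55:00Z Acct-Status-Type=Start Acct-Session-Id=a001 User-Name=00-11-22-33-44-55 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.0.0.2 NAS-Port=5 Service-Type=Call-Check Tunnel-Private-Group-ID=100
2013-05-01T07:55:30Z Acct-Status-Type=Interim-Update Acct-Session-Id=a001 NAS-IP-Address=10.0.0.2 Framed-IP-Address=10.10.100.50
2013-05-01T08:02:11Z Acct-Status-Type=Start Acct-Session-Id=a002 User-Name=alice Calling-Station-Id=00-AA-BB-CC-DD-01 NAS-IP-Address=10.0.0.2 NAS-Port=17 Service-Type=Framed-User Tunnel-Private-Group-ID=100 Filter-Id=Enterprise-ACL
2013-05-01T08:02:40Z Acct-Status-Type=Interim-Update Acct-Session-Id=a002 NAS-IP-Address=10.0.0.2 Framed-IP-Address=10.10.100.23
2013-05-01T12:30:05Z Acct-Status-Type=Stop Acct-Session-Id=a002 NAS-IP-Address=10.0.0.2 Acct-Terminate-Cause=User-Request
2013-05-01T13:00:00Z Acct-Status-Type=Start Acct-Session-Id=a003 User-Name=bob Calling-Station-Id=00-AA-BB-CC-DD-02 NAS-IP-Address=10.0.0.2 NAS-Port=17 Service-Type=Framed-User Tunnel-Private-Group-ID=100
2013-05-01T13:00:25Z Acct-Status-Type=Interim-Update Acct-Session-Id=a003 NAS-IP-Address=10.0.0.2 Framed-IP-Address=10.10.100.23
""".strip().splitlines()


def parse_ts(text: str) -> datetime:
    """ISO 8601 UTC timestamp with a trailing Z, as used in the constructed log."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_record(line: str):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return parse_ts(ts), fields


def build_sessions(lines):
    """Fold accounting records into one session record per (switch, Acct-Session-Id)."""
    sessions = {}
    for line in lines:
        ts, f = parse_record(line)
        key = (f["NAS-IP-Address"], f["Acct-Session-Id"])
        s = sessions.setdefault(key, {
            "user": None, "mac": None, "switch": f["NAS-IP-Address"], "port": None, "method": None,
            "ip": None, "vlan": None, "acl": None, "login": None, "logout": None,
        })
        status = f["Acct-Status-Type"]
        if status == "Start":
            s["login"] = ts
            s["user"] = f.get("User-Name")
            s["mac"] = f.get("Calling-Station-Id")
            s["port"] = int(f["NAS-Port"])
            # assumption: Call-Check marks MAC authentication, anything else is 802.1X
            s["method"] = "MAC" if f.get("Service-Type") == "Call-Check" else "802.1X"
        elif status == "Stop":
            s["logout"] = ts
        # the IP is learned later (DHCP snooping), so it may arrive on any record; keep the latest value
        s["ip"] = f.get("Framed-IP-Address", s["ip"])
        s["vlan"] = f.get("Tunnel-Private-Group-ID", s["vlan"])
        s["acl"] = f.get("Filter-Id", s["acl"])
    return sessions


def who_had_ip(sessions, ip: str, at_iso: str):
    """Sessions that held `ip` at the given moment; a session with no Stop is still open."""
    at = parse_ts(at_iso)
    return [s for s in sessions.values()
            if s["ip"] == ip and s["login"] is not None and s["login"] <= at
            and (s["logout"] is None or at <= s["logout"])]


if __name__ == "__main__":
    table = build_sessions(ACCOUNTING_LOG)
    for hit in who_had_ip(table, "10.10.100.23", "2013-05-01T10:00:00Z"):
        print(hit["user"], hit["mac"], hit["switch"], "port", hit["port"], hit["method"], "vlan", hit["vlan"])
```

The time bound is the part that matters for forensics: an alert for 10.10.100.23 at 10:00 resolves to alice on port 17, while the same IP at 14:00 resolves to bob, because the accounting Stop at 12:30 closed alice's session before DHCP reused the address.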

25 IEEE 802.1X Conclusion
- The primary reason for using 802.1X authentication in your network is security, protecting against:
  - Unauthorized access to a network
  - Denial of Service (DoS) attacks
  - Theft of services
- Support:
  - Almost all enterprise-class switches support 802.1X authentication
  - More and more operating systems and network-attached devices

26 Reference Information
- IEEE 802.1X - Port Based Network Access Control
- IEEE 802.1X - Overview
- RFC 3580 Information
- Using 802.1X Port Auth To Control Who Can Connect To Your Network
- 802.1X Port-Based Authentication HOWTO
- Setting up XSupplicant
- Configuring IEEE 802.1X for Mac OS X

