
802.1X Configuration. Terena 802.1X workshop, the Netherlands, Amsterdam, March 30th. Paul Dekkers.



Presentation transcript:

1 802.1X Configuration. Terena 802.1X workshop, the Netherlands, Amsterdam, March 30th. Paul Dekkers

2 Overview

3 EAP

4 What makes EAP flexible

5 Man-in-the-Middle attack. That’s why we need a good EAP mechanism!

6 RADIUS proxy-ing

7 RADIUS Client-Server model
– Authenticator is a RADIUS client
– Authentication-server is the RADIUS server
– RADIUS server can be a client as well

8 RADIUS – what’s in the packet
– UDP, ports 1645/1646 or 1812/1813. Mind the firewall!
– Attributes, like User-Name, User-Password, EAP-Message
– Shared Secret
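As an added illustration of the packet contents listed on this slide (example code, not part of the workshop material): a minimal Python model of an Access-Request with User-Name and User-Password, showing how the shared secret hides the password (RFC 2865 section 5.2) and authenticates the server's reply through the Response Authenticator, and what a receiver must check before trusting attribute lengths. The identifiers, sample credentials and the 16-byte Request Authenticator used by the test are constructed values, not taken from the slides.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3    # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79        # attribute types named on the slide

def xor_blocks(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block);
    # the first block uses the Request Authenticator. The same keystream hides and reveals.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if decrypt else xored      # always chain on the ciphertext side
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)     # pad to a 16-byte multiple
    return xor_blocks(padded, secret, req_auth, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_blocks(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value  # Type, Length, Value

def parse_attributes(body: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")   # never trust on-wire lengths
        attrs[atype], pos = body[pos + 2:pos + alen], pos + alen
    return attrs

def build_access_request(ident: int, req_auth: bytes, user: str, password: str, secret: bytes) -> bytes:
    attrs = attribute(USER_NAME, user.encode()) + attribute(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(reply: bytes, request: bytes, secret: bytes) -> bool:
    # Client side: a reply that was forged, altered, or sent with the wrong secret fails here.
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply) or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

Note that this only protects the PAP case the slide mentions; with EAP the password never appears in a RADIUS attribute, but the Response Authenticator check against the shared secret is still what tells the authenticator the reply is genuine.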

9 RADIUS and REALMS
– Use well-chosen realms: preferably like an e-mail address, user@institution.ccTLD
– Important with PROXY-ing

10 Guest Access

11 Traffic separation without 1x

12 Traffic separation with 1x
[Diagram: RADIUS server (SURFnet office), RADIUS server (University X), Internet, Central RADIUS proxy server, Authenticator (AP or switch), User DB, Supplicant, Guest Paul.Dekkers@surfnet.nl; VLANs: Students VLAN, Guest VLAN, Employee VLAN]

13 Traffic separation with 1x

14 Hands-on setup

15 Configuration: Radiator (linear)
Global configuration:
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /etc/radiator
Clients
Handlers

16 Configuration: Radiator – RADIUS Clients
Secret 6.6obaFkm&RNs666
Identifier AP1
IdenticalClients 192.168.1.3, 192.168.1.4

17 Configuration: Radiator
Filename users

18 Configuration: Radiator
Filename users
EAPType TTLS, PEAP, MSCHAP-V2
EAPTLS_CAFile root-ca.pem
EAPTLS_CertificateFile server.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile private.pem
EAPTLS_PrivateKeyPassword secret
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys

19 Configuration: Radiator
# Accept, and log
# PAP
# EAP-MSCHAPv2
# EAP-TTLS and EAP-PEAP

20 Configuration: Radiator, Identifiers and Catch-all
Identifier SURFNET-PROXY
Host radius-proxy.surfnet.nl
Secret Sdfg8WeR98r09d8fg
AuthPort 1812
AcctPort 1813
AuthBy SURFNET-PROXY

21 RADIUS proxy-loop. A good configuration is more complex, and configurations often lack prevention of proxy-loops.

22 Configuration: Access-Point

23 Cisco AP – RADIUS
AP1(config)#aaa new-model
aaa group server radius rad_eap
 server 192.87.116.63 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X

24 Cisco AP – Wireless Interface
AP1(config)#interface dot11Radio 0
AP1(config-if)#encryption mode ciphers wep40
AP1(config-if)#broadcast-key change 1800
AP1(config-if)#no ssid tsunami
AP1(config-if)#ssid SURFnet
AP1(config-if-ssid)#authentication open eap eap_methods
AP1(config-if-ssid)#guest-mode
AP1(config-if-ssid)#^Z

25 Cisco switch – enable RADIUS
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key

26 Cisco switch – enable 802.1x
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# spanning-tree portfast
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Switch(config-if)# dot1x guest-vlan 60

27 Windows and wired 802.1x

28 Extra in hands-on
Configuration of VLANs: Can you enable “roaming” with another group?
Can you create an SSID for users without 802.1x?

