Download presentation
Presentation is loading. Please wait.
Published byEthan Jeffery Pope Modified over 9 years ago
1
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security
2
What is 802.1x ? Defined by IEEE and designed to provide port-based network access. 802.1x authenticates network clients using information unique to the client and with credentials known only to the client. Service known as port-level authentication
3
Benefits of 802.1x 802.1x is a LAN access control. 802.1x introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.
4
802.1x Framework The framework is defined by 3 authentication processes: 1. The supplicant Possibly a standalone device or an end user, such as a remote user. 2. The authenticator A device to which the supplicant directly connects and through which the supplicant obtains network access permission 3. The authentication server The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
5
What is EAP ? EAP Extensible Authentication Protocol A flexible protocol used to carry arbitrary authentication information Typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+, etc. EAP Messages Request Sent to supplicant to indicate a challenge Response Supplicant reply message Success Notification to supplicant of success Failure Notification to supplicant of failure
6
Benefits of EAP-TLS Authentication Password’s are not used at all. Instead TLS public key is used. AAA Server authenticates client, but client can also authenticate AAA Server AAA Server receives certification from client, verifies authenticity of certification using CA public key, then verifies bearer identity using TLS handshake
7
EAP over 802.1x Frame Format
8
Diagram of EAP-TLS Authentication
9
Benefits 802.1x with Cisco Secure ACS Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics. Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment Identity-based session accounting and auditing, which enables tracking of client network usage.
10
Configuring the Switch for 802.1x Port Authentication GV-Rack1>s2 Translating "s2" Trying s2 (1.1.1.1, 2015)... Open Rack1S2>enable Rack1S2#config t Enter configuration commands, one per line. End with CNTL/Z. Rack1S2(config)#hostname mytest mytest(config)#aaa new-model mytest(config)#aaa authentication dot1x default group radius mytest(config)#interface fastethernet0/1 mytest(config-if)#dot1x port-control auto mytest(config-if)#radius-server host 10.252.252.252 auth-port 1812 key cisco mytest(config)#end mytest#s 12:06:37: %SYS-5-CONFIG_I: Configured from console by console mytest#show dot1x Sysauthcontrol = Disabled Supplicant Allowed In Guest Vlan = Disabled Dot1x Protocol Version = 1 Dot1x Oper Controlled Directions = Both Dot1x Admin Controlled Directions = Both
11
Catalyst 3550 series Configuration File mytest#show running-config Building configuration... Current configuration : 2267 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname mytest ! aaa new-model aaa authentication dot1x default group radius ! ip subnet-zero ! no ip domain-lookup ! spanning-tree mode pvst spanning-tree extend system-id ! interface FastEthernet0/1 switchport mode dynamic desirable dot1x port-control auto spanning-tree portfast !! interface Vlan1 no ip address shutdown ! ip classless ip http server ! radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco radius-server retransmit 3 ! line con 0 exec-timeout 0 0 logging synchronous line vty 5 15 ! ! end
12
The Network
13
EAP Port Configuration
14
EAP-TLS Configuration
15
Configure Authentication Server Authorization Policy
16
Install ACS Certificate
17
Install ACS Certificate Cont.
18
Configure Authenticator & Authentication Server
19
Configure Supplement & Authorization Policy
20
Configure Supplement & Authorization Policy Cont.
21
Configuring The Logging Scheme
22
Any Questions ?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.