Slide 1: 802.1X Port-Based Network Access Control
UNH InterOperability Laboratory, Bridge Functions Consortium
© UNIVERSITY of NEW HAMPSHIRE INTEROPERABILITY LABORATORY
Slide 2: Introduction
802.1X is a method of authenticating a new connection on a LAN. The Port-Based Authentication Protocol involves three parties:
–Supplicant
–Authenticator
–Authentication Server
Slide 3: Terms and Definitions
Authenticator - An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link.
Authentication Server - An entity that provides an authentication service to an Authenticator. This service determines, from the credentials provided by the Supplicant, whether the Supplicant is authorized to access the services provided by the system in which the Authenticator resides.
–Usually a Remote Authentication Dial In User Service (RADIUS) Server
Supplicant - An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an Authenticator attached to the other end of that link.
Slide 4: How It Works - 1
The Supplicant supplies credentials to the Authenticator. At this point the Supplicant does not have access to the active network; it can communicate only with the Authenticator.
Slide 5: How It Works - 2
Since the Authenticator has access to the Authentication Server, it transmits the credentials to the server over an encrypted communication channel.
Slide 6: How It Works - 3
If the credentials match what is stored in the Authentication Server's database, the Supplicant is allowed to connect to the LAN. If the credentials do not match what is stored in the Authentication Server's database, the Supplicant is denied access to the LAN on all but the Physical Layer.
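The three-party exchange on slides 4 to 6, as an added toy model that is not part of the UNH-IOL deck: a controlled port passes only 802.1X (EAPOL) frames until the Authenticator has relayed the credentials to the Authentication Server and received an accept, and it also models the uncontrolled ports described later on the Authenticator slide. The users, port numbers, EtherType handling and credential tuples are constructed for illustration, not a real frame format.

```python
# Added example, not from the UNH-IOL deck: a toy model of slides 4-6 (port gating, relay to
# the server, accept or deny) plus the controlled/uncontrolled ports of slide 8. All constructed.
EAPOL_ETHERTYPE = 0x888E  # 802.1X frames: the only traffic a controlled port passes before auth
IPV4_ETHERTYPE = 0x0800   # ordinary LAN traffic, standing in for "access to the LAN"

class AuthenticationServer:
    """Stands in for the RADIUS Server and its username/password database."""
    def __init__(self, users):
        self.users = users  # constructed credential table

    def check(self, username, password):
        return self.users.get(username) == password

class Authenticator:
    """The switch: controlled ports start Unauthorized and open only on a server accept."""
    def __init__(self, server, uncontrolled_ports=()):
        self.server = server
        self.uncontrolled = set(uncontrolled_ports)
        self.port_state = {}  # port -> "Authorized" / "Unauthorized"
        self.lan = []         # frames that actually reached the LAN

    def link_up(self, port):
        self.port_state[port] = "Unauthorized"  # physical layer up, nothing else yet

    def receive(self, port, ethertype, payload):
        if port in self.uncontrolled:  # 802.1X disabled: forwarded without authentication
            self.lan.append((port, payload))
            return "forwarded"
        if ethertype == EAPOL_ETHERTYPE:  # credentials reach the Authenticator only
            return self._authenticate(port, payload)
        if self.port_state.get(port) != "Authorized":
            return "dropped"  # denied on all but the physical layer
        self.lan.append((port, payload))
        return "forwarded"

    def _authenticate(self, port, credentials):
        username, password = credentials  # relayed to the server, never onto the LAN
        if self.server.check(username, password):
            self.port_state[port] = "Authorized"
            return "EAP-Success"
        self.port_state[port] = "Unauthorized"
        return "EAP-Failure"

def run_scenario(username, password, port=1):
    # Link up, try LAN traffic, authenticate, try again; port 24 is the uncontrolled one.
    switch = Authenticator(AuthenticationServer({"alice": "constructed-pw"}), uncontrolled_ports=(24,))
    switch.link_up(port)
    before = switch.receive(port, IPV4_ETHERTYPE, b"GET / HTTP/1.0")
    result = switch.receive(port, EAPOL_ETHERTYPE, (username, password))
    after = switch.receive(port, IPV4_ETHERTYPE, b"GET / HTTP/1.0")
    return before, result, after
```

`run_scenario` returns what happened to a LAN frame before authentication, the EAP outcome, and what happened to the same frame afterwards, so a wrong password leaves the port dropping everything but EAPOL.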
Slide 7: Supplicant
The Supplicant is a software program that runs on the operating system of the computer that is trying to connect to the LAN. What the Supplicant supplies depends on the authentication method being used. The currently tested authentication protocols are:
–MD5-Challenge: a username, password, and domain are supplied.
–PEAP: a username, password, domain, and certificate are supplied.
–TTLS: a username, password, domain, and an anonymous username are supplied.
Slide 8: Authenticator
The Authenticator is normally a switch equipped with the 802.1X protocols and the capability to talk to a RADIUS Server. The Authenticator is configured with the IP address of the RADIUS Server as well as a Shared Secret between it and the Server. The Shared Secret allows it to prove to the Server that it is in fact an Authenticator that is allowed to talk to it.
The Authenticator also controls which ports support 802.1X.
–Ports on which 802.1X is enabled are called Controlled Ports.
–Ports on which 802.1X is disabled are called Uncontrolled Ports. Uncontrolled Ports do not require any authentication and may access the LAN immediately.
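How the Shared Secret between Authenticator and RADIUS Server is actually used on the wire, as an added example that is not part of the UNH-IOL deck: the RFC 2865 User-Password hiding that keeps the Supplicant's password out of the clear between switch and server, and the Response Authenticator that lets the switch confirm a reply came from a server holding the same secret. The secret, password and identifier values are constructed.

```python
# Added example, not from the UNH-IOL deck: two ways RFC 2865 uses the Shared Secret between
# Authenticator and RADIUS Server. Secret, password and authenticator values are constructed.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_PASSWORD = 2

def hide_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden

def reveal_user_password(hidden, secret, request_auth):
    """Server side of the same scheme; the zero padding is stripped."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(a ^ b for a, b in zip(block, key)), block
    return plain.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

def verify_response(packet, request_auth, secret):
    """Authenticator-side check that the reply came from a server holding the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

def exchange(secret, password, server_secret=None):
    # Build an Access-Request, let a "server" answer it, verify the answer on the way back.
    server_secret = server_secret or secret  # a mismatched secret must fail verification
    request_auth = os.urandom(16)
    hidden = hide_user_password(password, secret, request_auth)
    attrs = struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    server_sees = reveal_user_password(request[22:], server_secret, request[4:20])
    reply_auth = response_authenticator(ACCESS_ACCEPT, 7, request[4:20], b"", server_secret)
    return server_sees, verify_response(build_packet(ACCESS_ACCEPT, 7, reply_auth, b""), request_auth, secret)
```

With a server that holds a different secret, the recovered password is garbage and the Access-Accept fails verification, which is the check a switch should make before opening a port on the strength of a reply.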
Slide 9: Authentication Server
The Authentication Server is usually a RADIUS Server. Within the RADIUS Server there is a database of usernames and passwords, as well as a Server Certificate. Many RADIUS Servers also have a Certificate Authority server on them; however, it is not required. The RADIUS Server uses the authentication protocol(s) set by the user for access to the LAN (e.g. MD5-Challenge, PEAP, TTLS).
Slide 10: Current Authentication Servers
–Microsoft Windows Server 2003 Standard
–Meetinghouse Aegis Radius Server
–Funk Steel-Belted-Radius Server
–Cisco Secure ACS
–Infoblox RADIUSOne
–FREERADIUS (to be added in the future)
Slide 11: Current Supplicants
–Microsoft Windows Built-in Client (2000/XP)
–Meetinghouse Aegis Client (2000/XP)
–Funk Odyssey Client (2000/XP)
–Xsupplicant (Linux, to be added in the future)
Slide 12: Contact Information
Tyler Marcotte, Curtis Simonson
InterOperability Laboratory, University of New Hampshire
121 Technology Drive Suite 2, Durham, NH 03824
(603) 862-3525, (603) 862-4181 (fax)
marcotte@iol.unh.edu, simonson@iol.unh.edu