802.1x Best Practices
Ing. Peter Feciľak (Peter.Fecilak@tuke.sk), KPI, FEI, TUKE, 29.04.2008
Content of the presentation
- Basic terminology: 802.1x, RADIUS server, dynamic VLAN membership
- Why implement 802.1x?
- Problems in 802.1x implementation
- Discussion
What is 802.1x?
- IEEE standard for port-based Network Access Control.
- Provides port-based authentication: a switch port (or wireless association) forwards only EAPOL frames until the attached device has authenticated.
- Supported in wired and wireless environments.
802.1x terminology (diagram; the three roles, authentication server, authenticator and supplicant, are described on the following slides)
RADIUS authentication server
- Provides authentication and the other AAA services (authorization, accounting) for the end device through a number of EAP methods.
- Each method has its own level of security: EAP-MD5 gives no server authentication and exposes the password hash to offline attack, LEAP is vulnerable to an offline dictionary attack, and EAP-PEAP protects the inner exchange (typically MSCHAPv2) inside a TLS tunnel authenticated by the server's certificate.
- Can be linked to an external user/computer database: Active Directory, LDAP or MySQL.
RADIUS authentication server
- Supports proxying of requests to another RADIUS server, typically selected by the realm part of the identity (e.g. eduroam).
- Runs on different platforms. MS Windows: Cisco Secure Access Control Server. Linux/Unix: FreeRADIUS (older releases of Cisco Secure ACS were also available).
Authenticator – access layer
- Provides port-based authentication and dynamic VLAN membership: it speaks EAP (EAPOL) to the supplicant and RADIUS to the authentication server, and places the port in the VLAN the server returns.
- Three kinds of VLAN a port can end up in: the dynamic VLAN assigned by RADIUS, the AUTH-FAIL VLAN (credentials were rejected) and the GUEST VLAN (no supplicant answered on the port).
- Catalyst switches support periodic re-authentication, presented here as a mitigation of the weakness Steve Riley described in 2005 (an extra device sharing an already authenticated port through a hub). Re-authentication only narrows that window: the legitimate supplicant re-authenticates successfully while the extra device keeps sharing the port.
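The dynamic VLAN assignment described above travels in the RADIUS Access-Accept as three tagged attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id), the same triple a FreeRADIUS users entry or an ACS group profile returns; on a Catalyst the port side is dot1x port-control auto, dot1x guest-vlan, dot1x auth-fail vlan and dot1x reauthentication with dot1x timeout reauth-period, plus aaa authorization network default group radius so that the returned VLAN is honoured. The Python below is an added example, not code from the presentation or from any RADIUS product: it builds such an Access-Accept and then performs the two checks an authenticator must make before moving a port, the Response Authenticator of RFC 2865 and the Message-Authenticator of RFC 3579, so that a forged or altered reply is rejected. The shared secret, Request Authenticator and VLAN id are constructed values.

```python
"""RADIUS Access-Accept with a dynamic VLAN assignment, and the checks the
authenticator performs before acting on it. Added example; the shared secret,
Request Authenticator and VLAN id used below are constructed values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64              # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 3579; mandatory when EAP is carried
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(atype, value):
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan, tag=1):
    """The three tagged attributes that assign an 802.1Q VLAN (RFC 3580).
    `vlan` is the VLAN id or name as a string, as Catalyst switches accept it."""
    tagb = bytes([tag])
    return (_attr(ATTR_TUNNEL_TYPE, tagb + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tagb + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagb + vlan.encode("ascii")))


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side. Message-Authenticator = HMAC-MD5(secret, packet with that
    attribute zeroed and the Request Authenticator in the Authenticator field);
    Response Authenticator = MD5(header | RequestAuth | attributes | secret)."""
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(zeroed))
    msg_auth = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    body = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_and_extract_vlan(packet, request_auth, secret):
    """Switch side. Both authenticators are checked against the shared secret
    before any VLAN is applied; a forged or altered reply raises ValueError.
    Returns the VLAN id/name, or None when the reply carries no assignment."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    attrs = parse_attributes(body)
    mac = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    zeroed = b"".join(_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in attrs)
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if len(mac) != 1 or not hmac.compare_digest(expected_mac, mac[0]):
        raise ValueError("bad or missing Message-Authenticator")
    # Group the tunnel attributes by tag. For the string-valued
    # Tunnel-Private-Group-ID a first byte above 0x1F is data, not a tag (RFC 2868).
    by_tag = {}
    for t, v in attrs:
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID and v:
            tag, val = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = val.decode("ascii", "replace")
    for grp in by_tag.values():
        if (grp.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in grp):
            return grp[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    secret, req_auth = b"example-shared-secret", bytes(range(16))   # constructed
    reply = build_access_accept(42, req_auth, secret, vlan_attributes("20"))
    print("VLAN from a genuine reply:", verify_and_extract_vlan(reply, req_auth, secret))
    forged = bytearray(reply)
    forged[36] ^= 0x01          # flip a byte inside the VLAN id on the wire
    try:
        verify_and_extract_vlan(bytes(forged), req_auth, secret)
    except ValueError as exc:
        print("altered reply rejected:", exc)
```

Both checks depend only on the shared secret between switch and RADIUS server, which is why that secret must be long and per-switch: anyone who knows it can mint an Access-Accept that moves a port into any VLAN. A reply that verifies but carries no tunnel attributes leaves the port in its statically configured VLAN, which is the behaviour to expect when the server profile lacks the VLAN mapping.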
802.1x Supplicant
- Software on the end device that authenticates to the authenticator over EAP.
- Possible types of authentication: computer (domain computer account), user (domain account, OTP, ...), or computer followed by user (computer account at boot, user account after logon).
802.1x Supplicant
- Supported under Windows and Linux alike.
- Linux authentication tools: Xsupplicant (wired), wpa_supplicant (wireless), Open1X.
802.1x Linux Supplicant
Example Xsupplicant configuration (cat /etc/xsupplicant/xsupplicant.conf), PEAP with MSCHAPv2 inside:

    default_interface = eth0
    default {
      type = wired
      allow_types = eap-peap
      identity = "pfecilak"
      eap-peap {
        inner_id = "pfecilak"
        # NONE skips validation of the RADIUS server certificate (see note below)
        root_cert = NONE
        chunk_size = 1398
        random_file = /dev/urandom
        allow_types = all
        session_resume = yes
        eap-mschapv2 {
          username = "pfecilak"
          password = "Moje1Tajne2Heslo3!#"
        }
      }
    }

With root_cert = NONE the supplicant builds the PEAP tunnel to any server that presents a certificate and hands it the MSCHAPv2 response, so a rogue switch or access point can collect credentials; in production point root_cert at the CA certificate that signed the RADIUS server's certificate. The password is stored in clear text, so the file must be readable by root only.
802.1x Windows Supplicant
- Native 802.1x supplicant under MS Windows 2000 (latest SP), MS Windows XP and MS Windows Vista.
- External supplicants: Cisco Secure Services Client.
802.1x Windows Supplicant (screenshots of the Windows supplicant configuration and of the user-authentication GUI agent)
Why implement 802.1x?
- Provide port-based control over access to network resources, since physical access to ports is hard to control.
- Identify regular network users and give them easy access to network resources.
- Isolate non-regular users from the internal infrastructure.
Why implement 802.1x?
- Apply different security levels to specified communities of users.
- Provide mobility via RADIUS and dynamic VLAN membership: a user lands in the same VLAN on whichever port they plug into.
Number of security levels
Identify user/computer roles and grant them access to network resources as defined by their security level.
Problems in 802.1x implementation
- Devices that do not support 802.1x connected to the access layer cause problems (e.g. hubs, unmanageable switches).
- Computers connected through IP phones that do not support 802.1x have problems authenticating, because the port sees two devices.
- Periodic re-authentication can cause problems in a large domain (load on the RADIUS servers and on the directory behind them).
Problems in 802.1x implementation
- Computer authentication combined with user-to-VLAN mapping can cause problems during IP settings renewal: the machine obtained its address in the computer's VLAN, and after the user logs on the port moves to the user's VLAN, so the old lease is useless until the client renews it.
- The Authentication tab is not shown in the local area connection configuration unless the Wireless Zero Configuration service is running (Windows XP).
Best practices
- When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts.
- Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with the domain computer account is better.
Best practices
- Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication.
- I recommend one server per 100 computers when re-authentication every 5 minutes is used.
Best practices
Classification into profiles for providing different security levels:
- User Network: for regular users, granting access to network resources.
- Visitors Network: for guest access from the internal infrastructure, granting internet access only.
- Guest/Auth-fail VLAN: fully isolated network; no network resources can be accessed.
Discussion/Questions and Answers
Redundant topologies
Problem
Solution – redundant gateways
Solution – HSRP (diagram: GW-1-1 and GW-1-2, one master and one slave, appear to the hosts as a single virtual router at 192.168.1.3 in a /24 network)
First Hop Redundancy Protocols
- HSRP
- VRRP
- GLBP
Example - HSRP

    GW-1-1(config)# interface FastEthernet 0/0
    GW-1-1(config-if)# ip address
    GW-1-1(config-if)# standby 1 priority 80
    GW-1-1(config-if)# standby 1 preempt
    GW-1-1(config-if)# standby 1 ip
    GW-1-1(config-if)# no shutdown

    GW-1-2(config)# interface FastEthernet 0/0
    GW-1-2(config-if)# ip address
    GW-1-2(config-if)# standby 1 priority 150
    GW-1-2(config-if)# standby 1 preempt
    GW-1-2(config-if)# standby 1 ip
    GW-1-2(config-if)# no shutdown

Host settings: IP: Netmask: Gateway:

Both routers belong to standby group 1 and have preempt enabled, so GW-1-2 (priority 150) is the active router and GW-1-1 (priority 80) is standby; when GW-1-2 fails, GW-1-1 takes over, and when GW-1-2 returns it preempts. The address arguments of ip address and standby 1 ip, and the host's settings, are not legible on the slide; the host's default gateway is the shared standby (virtual) address.
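HSRPv1 hellos are sent every hellotime seconds to 224.0.0.2, UDP port 1985, as a 20-byte message (RFC 2281); the router with the highest priority becomes active, ties go to the higher interface address, and a router only takes the role away from a live active router if it has standby preempt. The Python below is an added example, not part of the presentation: it packs and parses the hello, runs the election for the two gateways configured above and walks through GW-1-2 failing and returning, with and without preempt. The interface addresses 192.168.1.1 and 192.168.1.2 and the virtual address 192.168.1.3 are assumptions, since the slide does not show them. The authentication data is an 8-byte clear-text string that defaults to "cisco", so the election accepts hellos from anyone on the segment who knows it; rogue_takeover shows a priority-255 hello winning outright, which is why the configuration above should add standby 1 authentication md5 key-string on both routers.

```python
"""HSRPv1 hello (RFC 2281) packing/parsing and the active-router election the
two gateways on the slide run. Added example; addresses and timers are assumed."""
import struct

HSRP_HELLO = 0
STATE_STANDBY, STATE_ACTIVE = 8, 16
MULTICAST_GROUP, UDP_PORT = "224.0.0.2", 1985
# version, opcode, state, hellotime, holdtime, priority, group, reserved, authdata, virtual IP
_FMT = "!BBBBBBBB8s4s"


def build_hello(state, priority, group, vip, hellotime=3, holdtime=10, auth=b"cisco"):
    """Pack one HSRPv1 hello. authdata is clear text and defaults to 'cisco' on IOS."""
    return struct.pack(_FMT, 0, HSRP_HELLO, state, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\0"), bytes(int(o) for o in vip.split(".")))


def parse_hello(data):
    if len(data) != struct.calcsize(_FMT):
        raise ValueError("wrong HSRPv1 length")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(_FMT, data)
    if ver != 0 or op != HSRP_HELLO:
        raise ValueError("not an HSRPv1 hello")
    return {"state": state, "hellotime": hello, "holdtime": hold, "priority": prio,
            "group": group, "auth": auth.rstrip(b"\0"), "vip": ".".join(map(str, vip))}


def elect_active(hellos, group, auth=b"cisco"):
    """Winner among (sender_ip, hello_bytes) pairs for `group`: highest priority,
    then highest sender address. A wrong authdata string is the only reason a
    hello is ignored; nothing proves who sent it."""
    best = None
    for sender, data in hellos:
        h = parse_hello(data)
        if h["group"] != group or h["auth"] != auth:
            continue
        key = (h["priority"], tuple(int(o) for o in sender.split(".")))
        if best is None or key > best[0]:
            best = (key, sender)
    return best[1] if best else None


def next_active(current, hellos, group, preempt_by):
    """One election round as IOS applies it. `hellos` are the hellos heard within
    holdtime (a silent router has failed); `preempt_by` holds the senders
    configured with 'standby preempt'. A live active router keeps the role unless
    a higher-priority router with preempt is present."""
    alive = {sender for sender, _ in hellos}
    winner = elect_active(hellos, group)
    if current in alive and (winner == current or winner not in preempt_by):
        return current
    return winner


GW1, GW2, VIP = "192.168.1.1", "192.168.1.2", "192.168.1.3"   # assumed addresses


def slide_scenario():
    """GW-1-1 (priority 80) and GW-1-2 (priority 150), both with preempt, as on
    the slide: both up -> GW-1-2 fails -> GW-1-2 returns; then the same return
    without preempt on GW-1-2. Returns the active router after each step."""
    h1 = (GW1, build_hello(STATE_STANDBY, 80, 1, VIP))
    h2 = (GW2, build_hello(STATE_ACTIVE, 150, 1, VIP))
    both = {GW1, GW2}
    steps = [next_active(None, [h1, h2], 1, both)]           # GW-1-2 is active
    steps.append(next_active(steps[-1], [h1], 1, both))      # GW-1-2 silent: GW-1-1 takes over
    steps.append(next_active(steps[-1], [h1, h2], 1, both))  # GW-1-2 back, preempts
    steps.append(next_active(steps[1], [h1, h2], 1, {GW1}))  # no preempt on GW-1-2: GW-1-1 stays
    return steps


def rogue_takeover(rogue_ip="192.168.1.200"):
    """Why HSRP needs authentication: a host that knows the (default) authdata
    and sends priority 255 wins the election outright."""
    legit = (GW2, build_hello(STATE_ACTIVE, 150, 1, VIP))
    rogue = (rogue_ip, build_hello(STATE_ACTIVE, 255, 1, VIP))
    return elect_active([legit, rogue], 1) == rogue_ip


if __name__ == "__main__":
    print("active after each step:", slide_scenario())
    print("rogue hello wins:", rogue_takeover())
```

The fourth step is the case the slide's preempt lines guard against: without standby preempt on the higher-priority router, the lower-priority GW-1-1 would stay active after a failover until it failed itself. Preempt also widens the takeover surface, since the same rule lets any higher-priority hello with a matching authdata string take the virtual address.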
End of the presentation. Thank you for your attention.
Modern education for a knowledge society. The project is co-financed by EU funds.