Network Security 1
Module 7 – Configure Trust and Identity at Layer 2
© 2005 Cisco Systems, Inc. All rights reserved.
Learning Objectives
7.1 Identity-Based Networking Services (IBNS)
7.2 Configuring 802.1x Port-Based Authentication
Module 7 – Configure Trust and Identity at Layer 2
7.1 Identity-Based Networking Services (IBNS)
Identity Based Network Services
Unified control of user identity for the enterprise: Cisco VPN Concentrators, IOS routers and PIX Security Appliances all authenticate against one Cisco Secure ACS.
Diagram: router, firewall and Internet edge; VPN clients and remote offices; hard and soft tokens backed by an OTP server; Cisco Secure ACS as the central authentication point.
802.1x Roles
Supplicant – the client (end-user device) that requests access to the network.
Authenticator – the device that controls the port (switch, access point or router); it relays authentication traffic but does not decide the outcome.
Authentication Server – the RADIUS server (Cisco Secure ACS) that validates the credentials and returns the verdict.
802.1x Authenticator and Supplicant
Diagram: Home Office PC – Internet – perimeter router – Cisco Secure ACS.
In this remote-access example the perimeter router acts as the authenticator and the remote user's PC acts as the supplicant. On a campus LAN the authenticator role is filled by the access switch (or the wireless access point), as in the slides that follow.
802.1x Components
How 802.1x Works
Diagram: End User (client) <-802.1x-> Catalyst 2950 (switch) <-RADIUS-> Authentication Server (RADIUS).
The actual authentication conversation occurs between the client and the Authentication Server using EAP. The authenticator is aware of this activity, but it is just a middleman: it receives EAP inside EAPOL frames on the client side and forwards the same EAP packets inside RADIUS on the server side, and it never validates the credential itself.
How 802.1x Works (Continued)
Message sequence between End User (client), Catalyst 2950 (switch) and Authentication Server (RADIUS):
1. Client -> Switch: EAPOL-Start
2. Switch -> Client: EAP-Request/Identity
3. Client -> Switch: EAP-Response/Identity; Switch -> Server: RADIUS Access-Request (carrying the EAP response)
4. Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP-Request/OTP
5. Client -> Switch: EAP-Response/OTP; Switch -> Server: RADIUS Access-Request
6. Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP-Success; port authorized
7. Client -> Switch: EAPOL-Logoff; port unauthorized
EAP Characteristics
EAP – The Extensible Authentication Protocol
Originally defined as an authentication extension to PPP; a flexible framework used to carry arbitrary authentication methods.
Typically rides on top of another protocol such as 802.1x (EAPOL on the LAN segment) or RADIUS (the EAP-Message attribute between authenticator and server). EAP can also be used with TACACS+.
Specified in RFC 2284 (since replaced by RFC 3748, which keeps the same packet format).
Supports multiple authentication types:
EAP-MD5: MD5-Challenge (CHAP over EAP); a password hash only, with no mutual authentication and no session key
EAP-TLS (based on X.509 certificates)
LEAP (EAP-Cisco Wireless)
PEAP (Protected EAP)
EAP Selection
Cisco Secure ACS supports the following varieties of EAP:
EAP-MD5 – An EAP method that does not support mutual authentication (the client never verifies the server).
EAP-TLS – EAP incorporating Transport Layer Security (TLS); certificate-based mutual authentication.
LEAP – An EAP method used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
PEAP – Protected EAP, which carries an inner EAP-Generic Token Card (GTC) or EAP-MSCHAPv2 exchange inside a TLS tunnel.
EAP-FAST – EAP Flexible Authentication via Secured Tunnel. Builds its TLS tunnel from a pre-provisioned Protected Access Credential (PAC) instead of a server certificate, which makes it lighter to deploy than PEAP or EAP-TLS; supports EAP-GTC as the inner authentication.
Cisco LEAP
Lightweight Extensible Authentication Protocol (diagram: Client – Access Point – ACS Server)
Derives a per-user, per-session key
Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
Uses mutual authentication – both the user and the AP need to be authenticated
Caveat: LEAP's challenge/response is MS-CHAP based, so a captured exchange can be attacked offline by dictionary against the user's password. Cisco later positioned EAP-FAST as its replacement; if LEAP is still used, strong passwords are the only mitigation.
EAP-TLS
Extensible Authentication Protocol – Transport Layer Security (diagram: Client – Access Point/Switch – ACS Server)
RFC 2716 (since updated by RFC 5216); uses the TLS handshake (RFC 2246) for authentication
Requires PKI (X.509) certificates rather than a username/password
Mutual authentication: requires both client and server certificates
Because no password is ever sent, there is nothing to dictionary-attack; the cost is that certificate management is complex and costly.
PEAP
Protected Extensible Authentication Protocol (diagram: Client – Access Point/Switch – TLS tunnel – ACS Server)
Internet-Draft by Cisco, Microsoft & RSA
Builds on EAP-TLS: a TLS tunnel authenticated by the server certificate protects an inner username/password challenge
Requires a server certificate only
Mutual authentication: the server proves itself with its certificate, the user with a username/password challenge over the TLS channel
Available for use with Microsoft and Cisco products
Caveat: the supplicant must be configured to validate the server certificate (trusted CA and expected server name); otherwise any device that presents a certificate can terminate the tunnel and collect the inner credentials.
How Does Basic Port Based Network Access Work?
Diagram: 802.1x-capable client – 802.1x-capable Ethernet LAN access device (Catalyst 6500, 4500/4000 and 3550/2950 series, access points) – RADIUS – Cisco Secure ACS AAA RADIUS server.
1. The host device attempts to connect to the switch.
2. The switch detects the 802.1x-compatible client and forces authentication (Request ID).
3. The client sends its ID and password, or its certificate.
4. The switch forwards the credentials to the ACS server. The actual authentication conversation is between the client and the authentication server using EAP; the switch acts as a middleman.
5. Authentication is successful.
6. The switch applies the designated policies and enables the port (sets it to forwarding).
7. The client now has secure access.
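The message sequence on slide 10 and the seven-step flow above describe the same exchange. The following Python is an added example, not code from the Cisco module or from any Cisco product: it encodes and parses the EAPOL/EAP frames that cross the client-to-switch link and drives a minimal authenticator port through that sequence. Packet layouts follow IEEE 802.1X and RFC 3748 (type 5 is the OTP method the slide names); the user names, the OTP challenge string and the run_exchange helper are constructed for illustration. It shows two things the slides only state: the switch relays EAP Responses without ever inspecting the credential, and the port opens only on EAP-Success and closes again on EAPOL-Logoff.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAPOL (IEEE 802.1X) packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and method types (RFC 3748, successor of RFC 2284)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_OTP = 1, 5


def eapol(ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """EAPOL header: version, packet type, body length, then the body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length, then type + type-data (absent for Success/Failure)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


@dataclass
class EAPOLFrame:
    ptype: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> EAPOLFrame:
    """Parse an EAPOL frame, checking both length fields before trusting them."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2, 3):
        raise ValueError("unknown EAPOL version")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    if ptype != EAPOL_EAP_PACKET:
        return EAPOLFrame(ptype)                 # Start/Logoff carry no EAP packet
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if elen < 5:
            raise ValueError("Request/Response without type byte")
        return EAPOLFrame(ptype, code, ident, body[4], body[5:elen])
    return EAPOLFrame(ptype, code, ident)


class AuthenticatorPort:
    """The switch side of one 802.1x port: relays EAP, forwards traffic only after EAP-Success."""

    def __init__(self) -> None:
        self.authorized = False
        self.identity: Optional[str] = None

    def from_supplicant(self, frame: bytes) -> Optional[bytes]:
        """Handle a client frame; return the EAP packet to wrap in a RADIUS Access-Request, if any."""
        f = parse_eapol(frame)
        if f.ptype in (EAPOL_START, EAPOL_LOGOFF):
            self.authorized = False              # Start restarts authentication; Logoff closes the port
            self.identity = None
            return None
        if f.eap_code != EAP_RESPONSE:
            return None                          # only Responses travel toward the server
        if f.eap_type == EAP_TYPE_IDENTITY:
            self.identity = f.eap_data.decode("utf-8", "replace")
        return frame[4:]                         # relayed as-is: the switch never checks the OTP

    def from_server(self, eap_pkt: bytes) -> bool:
        """Apply the verdict the server relayed inside RADIUS Access-Accept/Reject."""
        self.authorized = eap_pkt[0] == EAP_SUCCESS
        return self.authorized


def run_exchange(username: str, otp: str, server_accepts: bool) -> Tuple[List[str], AuthenticatorPort]:
    """Replay the slide's sequence with constructed values; return the transcript and the port."""
    port, log = AuthenticatorPort(), []
    port.from_supplicant(eapol(EAPOL_START))
    log.append("EAPOL-Start")
    request = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    log.append("EAP-Request/Identity")
    ident = parse_eapol(request).eap_id          # the Response reuses the Request's identifier
    port.from_supplicant(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, username.encode())))
    log.append("EAP-Response/Identity -> RADIUS Access-Request")
    # Constructed RFC 2289-style OTP challenge, returned by the server inside Access-Challenge
    challenge = eap(EAP_REQUEST, 2, EAP_TYPE_OTP, b"otp-md5 487 dog2")
    log.append("RADIUS Access-Challenge -> EAP-Request/OTP")
    port.from_supplicant(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, parse_eapol(eapol(0, challenge)).eap_id, EAP_TYPE_OTP, otp.encode())))
    log.append("EAP-Response/OTP -> RADIUS Access-Request")
    port.from_server(eap(EAP_SUCCESS if server_accepts else EAP_FAILURE, 2))
    log.append("RADIUS Access-Accept -> EAP-Success" if server_accepts else "RADIUS Access-Reject -> EAP-Failure")
    return log, port
```

Calling run_exchange("alice", "HEM FIST LATE", True) returns the six-entry transcript and a port with authorized set; feeding the port an EAPOL-Logoff afterwards clears it. The parser rejects frames whose EAPOL or EAP length field runs past the data it actually received, which is the check an authenticator must make before touching any byte of an untrusted frame.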
ACS Deployment in a Small LAN
Diagram: Client – Catalyst 2950/3500 switch – router – firewall – Internet, with Cisco Secure ACS attached to the LAN.
ACS Deployment in a Global Network
Diagram: three regions (Region 1, 2 and 3), each with its own switch (Switch 1, 2 and 3) and its own ACS (ACS1, ACS2 and ACS3) behind the firewall, so that clients authenticate against a local server.
Cisco Secure ACS RADIUS Response
Diagram: End User <-802.1x-> Cisco Catalyst switch <-RADIUS-> Cisco Secure ACS.
After a user successfully completes the EAP authentication process, Cisco Secure ACS responds to the switch with a RADIUS Access-Accept packet granting that user access to the network; the switch translates it into an EAP-Success toward the client and sets the port to forwarding.
Module 7 – Configure Trust and Identity at Layer 2
7.2 Configuring 802.1x Port-Based Authentication
802.1x Port-Based Authentication Configuration
Enable 802.1x Authentication (required)
Configure the Switch-to-RADIUS-Server Communication (required)
Enable Periodic Re-Authentication (optional)
Manually Re-Authenticating a Client Connected to a Port (optional)
Changing the Quiet Period (optional)
Changing the Switch-to-Client Retransmission Time (optional)
Setting the Switch-to-Client Frame-Retransmission Number (optional)
Enabling Multiple Hosts (optional)
Resetting the 802.1x Configuration to the Default Values (optional)
Enabling 802.1x Authentication
Switch# configure terminal – Enter global configuration mode
Switch(config)# aaa new-model – Enable AAA
Switch(config)# aaa authentication dot1x default group radius – Create an 802.1x authentication method list that uses the RADIUS server group
Switch(config)# interface fastethernet0/12 – Enter interface configuration mode
Switch(config-if)# dot1x port-control auto – Enable 802.1x authentication on the interface
Switch(config-if)# end – Return to privileged EXEC mode
With port-control auto the port starts unauthorized and passes only EAPOL frames until the supplicant authenticates; the default, force-authorized, leaves the port open with no authentication. On IOS releases that provide the global dot1x system-auth-control command, 802.1x must also be enabled globally before the interface setting takes effect.
Configuring Switch-to-RADIUS Communication
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123 – Configure the RADIUS server parameters on the switch.
The key must match the shared secret configured for this switch (AAA client) in Cisco Secure ACS. That secret is the only thing that authenticates RADIUS traffic between switch and server, so use a long random value rather than a short word like rad123, and use a distinct secret per switch. UDP port 1812 is the IANA-assigned RADIUS authentication port; older deployments use 1645.
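To make concrete what the shared secret in the command above protects, the following Python is an added example, not code from the Cisco module, from IOS or from ACS. It builds a RADIUS Access-Request that carries an EAP packet in the EAP-Message attribute and signs it with the Message-Authenticator attribute (HMAC-MD5 keyed by the shared secret, as RFC 3579 requires whenever EAP-Message is present), verifies it the way the server does, and then shows that a short secret such as rad123 can be recovered offline from a single captured packet by trying candidates. The username, NAS address, Request Authenticator and candidate list are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 4, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15

# Constructed 16-byte Request Authenticator; a real NAS draws a fresh os.urandom(16) per request
SAMPLE_AUTHENTICATOR = bytes(range(16))


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (value plus the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, authenticator: Optional[bytes],
                         username: str, nas_ip: str, eap_packet: bytes) -> bytes:
    """Access-Request carrying an EAP packet, with Message-Authenticator keyed by the shared secret."""
    authenticator = authenticator or os.urandom(16)
    attrs = avp(ATTR_USER_NAME, username.encode())
    attrs += avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_packet), 253):              # large EAP packets span several EAP-Message AVPs
        attrs += avp(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zero placeholder, kept as the last attribute
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server-side check: lengths consistent, Message-Authenticator present, HMAC verifies."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, mac_offset = 20, None
    while pos + 2 <= length:                               # walk the attribute list
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_offset = pos + 2
        pos += attr_len
    if mac_offset is None:
        return False                                       # EAP over RADIUS without a MAC is discarded
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16])


def offline_guess(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """What an attacker with one captured packet can do: try secrets offline until one verifies."""
    for secret in candidates:
        if verify_access_request(secret, packet):
            return secret
    return None


def demo() -> dict:
    """Worked run on constructed values: the slide's secret rad123 and a made-up user alice."""
    secret = b"rad123"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"           # EAP-Response/Identity, id 1, length 10
    pkt = build_access_request(secret, 7, SAMPLE_AUTHENTICATOR, "alice", "172.120.39.46", eap_identity)
    tampered = pkt[:22] + b"b" + pkt[23:]                  # first byte of User-Name altered in transit
    return {
        "length": len(pkt),
        "valid": verify_access_request(secret, pkt),
        "wrong_secret": verify_access_request(b"wrong", pkt),
        "tampered": verify_access_request(secret, tampered),
        "guessed": offline_guess(pkt, [b"secret", b"cisco", b"rad123"]),
    }
```

demo() returns a 69-byte packet that verifies under rad123, fails under any other secret or after a one-byte change, and is recovered by the third candidate in the guess list. The design point: Message-Authenticator gives integrity and origin authentication of the RADIUS exchange and nothing else, and its strength is exactly the entropy of the shared secret, so the secret should be long and random, unique per switch, and the RADIUS path should additionally be kept on a management VLAN or inside IPsec, since attributes are otherwise sent in the clear.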
Enabling Periodic Re-Authentication
Switch# configure terminal – Enter global configuration mode
Switch(config)# dot1x re-authentication – Enable periodic re-authentication of the client, which is disabled by default.
Switch(config)# dot1x timeout re-authperiod seconds – Set the number of seconds between re-authentication attempts.
Manually Re-Authenticating a Client Connected to a Port
Switch# dot1x re-authenticate interface fastethernet0/12 – Starts re-authentication of the client. This is a privileged EXEC command, not a configuration command.
Enabling Multiple Hosts
Switch# configure terminal – Enter global configuration mode
Switch(config)# interface fastethernet0/12 – Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached (for example through a hub).
Switch(config-if)# dot1x multiple-hosts – Allow multiple hosts (clients) on an 802.1x-authorized port.
Caveat: in this mode only one host has to authenticate. Once the port is authorized, every MAC address behind it is forwarded, and if that host logs off or its re-authentication fails the port is closed for all of them. Use it only where the attached segment is trusted.
Resetting the 802.1x Configuration to the Default Values
Switch# configure terminal – Enter global configuration mode
Switch(config)# dot1x default – Reset the configurable 802.1x parameters to the default values.
Displaying 802.1x Statistics
Switch# show dot1x statistics – Display 802.1x statistics
Switch# show dot1x statistics interface interface-id – Display 802.1x statistics for a specific interface.
Displaying 802.1x Status
Switch# show dot1x – Display 802.1x administrative and operational status.
Switch# show dot1x interface interface-id – Display 802.1x administrative and operational status for a specific interface.