Agenda


Presentation Transcript


  1. Agenda
  • 802.1x mechanism
  • 802.1x solution & Non-802.1x solution
  • D-Link 802.1X Based Security Solution
  • Port-Based 802.1x and MAC-based 802.1x
  • Port-Based 802.1x with Guest VLAN function
  • D-Link Non-802.1X Based Security Solution
  • MAC-Based Access Control (MAC)
  • MAC-Based Access Control (MAC) with Guest VLAN
  • WEB-Based Access Control (WAC)

  2. 802.1X & Non-802.1X
  • 802.1X Authentication Mechanism
  The 802.1X authentication mechanism consists of three components:
  • Authentication Server (RADIUS Server): The Authentication Server validates the identity of the client and notifies the switch.
  • Authenticator (Switch): The Authenticator requests identity information from the client, verifies that information with the Authentication Server, and relays the response to the client.
  • Client: Requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).
  • Disadvantage of 802.1X
  Even though 802.1X is a secure authentication method, the availability of an 802.1X supplicant agent on every client and of a RADIUS server is always a challenge for deployment. It is not only costly but also resource-consuming to set up and maintain.

  3. 802.1X & Non-802.1X
  • Non-802.1x Authentication Mechanism
  By contrast, the Non-802.1X method makes authentication easier to deploy and more user-friendly. It compensates for what 802.1X technology lacks and facilitates deployment. This clientless mechanism is not only flexible but also provides the required security.
  The benefits:
  • Reduces the difficulty of deployment (no client software issues to worry about)
  • Saves maintenance cost (a RADIUS server becomes optional)
  • Increases user-friendliness (e.g. the MAC function, which lets users authenticate without keying in a username and password)
  • Emerging Non-802.1X authentication solutions are in demand. They mostly need no extra client software and are easy to deploy and maintain.
  • Therefore D-Link develops comprehensive solutions for either 802.1X or Non-802.1X environments to increase productivity without compromising the security of the network.

  4. D-Link 802.1X Based Security Solution
  • 802.1x mechanism: 802.1x Port-Based and 802.1x MAC-Based
  • Implementing Port-Based 802.1x with Guest VLAN

  5. What is 802.1x Authentication?
  • Authenticate User Identity
  The 802.1X protocol is the popular LAN authentication protocol ratified by the IEEE. It enables user authentication in both wireless and wired environments. The 802.1X service is already included in the Microsoft Windows XP & Vista operating systems.
  D-Link's Implementation
  • Port-based 802.1x: users have to be authenticated before accessing the network, and the switch unlocks the port only after the user passes authentication.
  • MAC-based 802.1x: the D-Link switch can perform authentication per MAC address, so each switch port can authenticate multiple PCs' access rights.
  [Figure: a RADIUS Server holding a user table (Username / Password: Crowley / mygoca-ah, Anderson / busy2, Shinglin / 4wireless) receiving an 802.1x Auth Request "Username: Crowley, Password: ***********".]

  6. IEEE 802.1x Definition
  • Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each Client connected to a switch port before making available any services offered by the switch or the LAN.
  [Figure: Internet; RADIUS Server (Authentication Server); Switch (Authenticator); several 802.1x Clients and one unauthorized device attached to the switch ports.]

  7. The three different roles in IEEE 802.1x
  • Client
  • Authenticator
  • Authentication Server
  [Figure: "Client" (NIC card: Ethernet 802.3, wireless PC card, etc.) <-> "Authenticator" (network port: access point, Ethernet switch, etc.) <-> "Authentication Server" (AAA server: any EAP server, mostly RADIUS). Before authentication only EAPOL packets flow between Client and Authenticator (EAP over LAN / EAP over Wireless, 802.3 or 802.11); after authentication normal packets flow. Between Authenticator and Authentication Server the EAP messages are encapsulated, typically in RADIUS.]
  Before a Client is authenticated, 802.1x access control allows only EAPOL traffic to pass through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  * RADIUS Server provides Authentication, Authorization, Accounting (AAA) service

  8. 802.1x Device Role
  • Device Roles: Client
  [Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <-> RADIUS Server (Authentication Server)]
  Client: The device (workstation) that requests access to the LAN and switch services and responds to the user identity/challenge from the switch and RADIUS server. The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system.

  9. 802.1x Device Role (Cont)
  • Device Roles: Authentication Server
  [Figure: Workstation (Client) <-> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)]
  Authentication Server: The Authentication Server validates the identity of the clients and notifies the switch whether or not the client is authorized to access the LAN. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  * Remote Authentication Dial-In User Service (RADIUS)

  10. 802.1x Device Role (Cont)
  • Device Roles: Authenticator
  [Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)]
  Authenticator: The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server, requesting identity information from the Client, verifying that information with the Authentication Server, and relaying requests/responses (identity & challenge) between the Client and the Authentication Server.

  11. 802.1X Authentication process
  Message flow between Workstation (Client), Switch (Authenticator) and RADIUS Server (Authentication Server):
  1. Client -> Switch: EAPOL-Start; Switch -> Client: EAP-Request/Identity
  2. Client -> Switch: EAP-Response/Identity; Switch -> RADIUS Server: RADIUS Access-Request
  3. RADIUS Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP-Request/OTP
  4. Client -> Switch: EAP-Response/OTP; Switch -> RADIUS Server: RADIUS Access-Request
  5. RADIUS Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP-Success; port authorized
  Logoff: Client -> Switch: EAPOL-Logoff; Switch -> RADIUS Server: RADIUS Accounting-Stop; RADIUS Server -> Switch: RADIUS Ack; port unauthorized
  * OTP (One-Time-Password)
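Added example, not code from the D-Link slides: step 2 of the exchange above in Python, building the client's EAP-Response/Identity and wrapping it in the switch's RADIUS Access-Request together with the Message-Authenticator attribute that the RADIUS server verifies before it trusts the EAP payload. The user James and the shared secret 123456 are the sample values from the configuration slides; the 16-byte request authenticator is supplied by the caller.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (RADIUS/EAP)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """Step 2, client side: the EAP-Response/Identity carried inside an EAPOL frame."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier: int, request_authenticator: bytes,
                          shared_secret: bytes, identity: str, eap_packet: bytes) -> bytes:
    """Step 2, switch side: wrap the EAP packet in a RADIUS Access-Request."""
    attrs = radius_attr(ATTR_USER_NAME, identity.encode()) + radius_attr(ATTR_EAP_MESSAGE, eap_packet)
    # RFC 3579 3.2: Message-Authenticator = HMAC-MD5(secret, packet with this attribute zeroed)
    zeroed = radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier,
                         20 + len(attrs) + len(zeroed)) + request_authenticator
    mac = hmac.new(shared_secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, shared_secret: bytes) -> bool:
    """What the RADIUS server checks on receipt before looking at the EAP payload."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # attribute absent: a request carrying EAP-Message must be discarded
```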

  12. 802.1X Authentication process
  [Figure: the same exchange shown with addresses: Workstation (Client) IP 192.168.0.100, Switch (Authenticator) IP 192.168.0.1, RADIUS Server (Authentication Server) IP 192.168.0.10. Steps 1-5 run between Client and Switch (Client to Switch / Switch to Client); steps 2-5 run between Switch and RADIUS Server (Switch to Server / Server to Switch).]
  * OTP (One-Time-Password)

  13. Port Based 802.1x Example
  [Figure: Internet; DES-3828 with Port Based 802.1x enabled on ports 1-12; a Win2003 Server running the RADIUS Server service (192.168.0.10, user table: James / 123, Gary, Ryan); on port 1 an L2 switch/hub with three WinXP built-in 802.1x clients (192.168.0.100, ...); the client logs in with Username: James, Password: 123 and the switch reports "Username/Password Confirmed !!!".]
  • All of the clients connected to the L2 hub can pass through the switch (DES-3828) once one client (Kobe) is authenticated.

  14. Port Based 802.1x Command Example
  1. Enable the 802.1x state on the device
  2. Configure the client-connected ports (Note: the uplink port shouldn't be enabled as authenticator)
  3. Configure the RADIUS server setting
  • DES3828 Configuration
  • reset
  • enable 802.1x
  • config 802.1x capability ports 1-24 authenticator
  • config radius add 1 192.168.0.10 key 123456 default
  • Client PCs configuration
  • Run 802.1x software.
  • RADIUS Server configuration
  • RADIUS: Windows NT/Windows 2000/2003 Server RADIUS Server Service or third-party RADIUS server program

  15. MAC Based 802.1x Example
  [Figure: Internet; DES-3828 with MAC Based 802.1x enabled on ports 1-12; a Win2003 Server running the RADIUS Server service (192.168.0.10, user table: James / 123, Gary, Ryan); an L2 switch/hub with three WinXP built-in 802.1x clients (192.168.0.100, ...); the client logs in with Username: James, Password: 123 and the switch reports "Username/Password Confirmed !!!". Note on the figure: DES-3828 is only capable of learning up to 16 MAC addresses per port.]
  • Each client needs to provide a correct username/password to pass authentication before it can access the network.
  • NOTICE: The L2 switch or hub should support 802.1x pass-through. Otherwise the 802.1x packet (dest MAC = 0180c2000003, inside the IEEE reserved range 0180c2000001~0F) will be dropped by that switch and therefore cannot reach the DES-3828.

  16. MAC Based 802.1x Example
  1. Enable the 802.1x state on the device, and change to mac_based mode
  2. Configure the client-connected ports (Note: the uplink port shouldn't be enabled as authenticator)
  3. Configure the RADIUS server setting
  • DES3828 Configuration
  • reset
  • enable 802.1x
  • config 802.1x auth_mode mac_based
  • config 802.1x capability ports 1-24 authenticator
  • config radius add 1 192.168.0.10 key 123456 default
  • Client PCs configuration
  • Run 802.1x software.
  • RADIUS Server configuration
  • RADIUS: Windows NT/Windows 2000/2003 Server RADIUS Server Service or third-party RADIUS server program

  17. 802.1x Port Based vs MAC Based
  • Port-based 802.1x: Once a port is authorized by a client, the other users connecting to the same port through a hub or switch can also pass through the switch.
  • MAC-based 802.1x:
  1. Once a port is authorized by a client, only this client can pass through the switch.
  2. The switch not only checks the username/password but also checks whether the max. MAC allowed has been reached. If reached, the new MAC is denied.
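Added example, not D-Link code: a Python model of one authenticator port that reproduces the behaviour described on slides 7, 15 and 17. Only EAPOL frames (standard EAPOL ethertype 0x888E, sent to the 01:80:c2:00:00:03 group address quoted on slide 15) pass before authentication; port_based mode unlocks the port for every station behind the hub after one success, while mac_based mode admits only authenticated MACs, up to the 16-per-port limit. The credentials_ok flag stands in for the RADIUS Access-Accept/Reject outcome.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E                 # standard EAPOL ethertype (not quoted on the slides)
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"  # EAPOL destination MAC quoted on slide 15
MAX_MACS_PER_PORT = 16                   # DES-3828 per-port learning limit quoted on slide 15


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int


@dataclass
class AuthenticatorPort:
    """One switch port running as 802.1x authenticator in either mode."""
    mode: str                                       # "port_based" or "mac_based"
    authorized_macs: set = field(default_factory=set)

    def is_eapol(self, frame: Frame) -> bool:
        return frame.ethertype == EAPOL_ETHERTYPE and frame.dst_mac == PAE_GROUP_ADDRESS

    def authenticate(self, mac: str, credentials_ok: bool) -> bool:
        """Outcome of the EAP/RADIUS exchange for one station; True if it became authorized."""
        if (self.mode == "mac_based" and mac not in self.authorized_macs
                and len(self.authorized_macs) >= MAX_MACS_PER_PORT):
            return False  # slide 17: max MAC reached, a new MAC is denied regardless of password
        if credentials_ok:
            self.authorized_macs.add(mac)
        return credentials_ok

    def forwards(self, frame: Frame) -> bool:
        """Controlled-port decision for a frame received on this port."""
        if self.is_eapol(frame):
            return True  # slide 7: EAPOL passes even while the port is unauthorized
        if self.mode == "port_based":
            return bool(self.authorized_macs)  # one authenticated client unlocks the whole port
        return frame.src_mac in self.authorized_macs  # only the authenticated station itself
```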
