280 likes | 765 Views
802.1X Configuration. Ter ena 802.1X workshop t he Net herlands, Amsterdam, March 30 th. Paul Dekkers. Overview. EAP. What makes EAP flexible. Man-in-the-Middle attack. That’s why we need a good EAP mechanism!. RADIUS proxy-ing. RADIUS. Client-Server model
E N D
802.1X Configuration Terena 802.1X workshop the Netherlands, Amsterdam, March 30th Paul Dekkers
Man-in-the-Middle attack That’s why we need a good EAP mechanism!
RADIUS • Client-Server model • Authenticator is a RADIUS client • Authentication-server is the RADIUS server • RADIUS server can be a client as well
RADIUS – what’s in the packet • UDP, ports 1645/1646 or 1812/1813Mind the firewall! • Attributes, like User-Name, User-Password, EAP-Message • Shared Secret
RADIUS and REALMS • Use well-chosen realms: preferably like an e-mail address,user@institution.ccTLDImportant with PROXY-ing
Traffic separation with 1x Supplicant Authenticator (AP or switch) RADIUS server University X RADIUS server SURFnet office User DB User DB Guest Paul.Dekkers@surfnet.nl Internet Guest VLAN Employee VLAN Central RADIUS proxy server Students VLAN
Configuration:Radiator Linear Global configurationAuthPort 1812AcctPort 1813LogDir /var/log/radius DbDir /etc/radiator Clients Handlers
Configuration:Radiator RADIUS Clients <Client 192.168.1.2>Secret 6.6obaFkm&RNs666 Identifier AP1 IdenticalClients 192.168.1.3, 192.168.1.4 </Client>
Configuration:Radiator <Handler Realm=surfnet.nl> <AuthBy FILE> Filename users </AuthBy> </Handler>
Configuration:Radiator <Handler Realm=surfnet.nl> <AuthBy FILE> Filename users EAPType TTLS, PEAP, MSCHAP-V2 EAPTLS_CAFile root-ca.pem EAPTLS_CertificateFile server.pem EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile private.pem EAPTLS_PrivateKeyPassword secret EAPTLS_MaxFragmentSize 1024 AutoMPPEKeys </AuthBy> </Handler>
Configuration:Radiator <Handler Realm=surfnet.nl, Request-Type=Accounting-Request> # Accept, and log </Handler> <Handler Realm=surfnet.nl, TunnelledByTTLS=1> # PAP </Handler> <Handler Realm=surfnet.nl, TunnelledByPEAP=1> # EAP-MSCHAPv2 </Handler> <Handler Realm=surfnet.nl> # EAP-TTLS and EAP-PEAP </Handler>
Configuration:Radiator, Identifiers and Catch-all <AuthBy RADIUS> Identifier SURFNET-PROXY Host radius-proxy.surfnet.nlSecret Sdfg8WeR98r09d8fg AuthPort 1812 AcctPort 1813 </AuthBy> <Handler> AuthBy SURFNET-PROXY </Handler>
RADIUS proxy-loop • Good configuration is more complex, often lacks in prevention for proxy-loops
Cisco AP - RADIUS AP1(config)#aaa new-model aaa group server radius rad_eap server 192.87.116.63 auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap aaa accounting network acct_methods start-stop group rad_acct radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X
Cisco AP - Wireless Interface AP1(config)#interface dot11Radio 0 AP1(config-if)#encryption mode ciphers wep40 AP1(config-if)#broadcast-key change 1800 AP1(config-if)#no ssid tsunami AP1(config-if)#ssid SURFnet AP1(config-if-ssid)#authentication open eap eap_methods AP1(config-if-ssid)#guest-mode AP1(config-if-ssid)#^Z
Cisco switch – enable RADIUS Switch# configure terminal Switch(config)# aaa new-model Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key <secret>
Cisco switch – enable 802.1x Switch(config)# aaa authentication dot1x default group radius Switch(config)# dot1x system-auth-control Switch(config)# interface fastethernet0/1 Switch(config-if)# spanning-tree portfast Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 10 Switch(config-if)# dot1x port-control auto Switch(config-if)# end Switch(config-if)# dot1x guest-vlan 60
Extra in hands-on • Configuration of VLAN’s:Can you enable “roaming” with another group?Can you create an SSID for users without 802.1x?