1 / 28

802.1X Configuration

802.1X Configuration. Ter ena 802.1X workshop t he Net herlands, Amsterdam, March 30 th. Paul Dekkers. Overview. EAP. What makes EAP flexible. Man-in-the-Middle attack. That’s why we need a good EAP mechanism!. RADIUS proxy-ing. RADIUS. Client-Server model

libitha
Download Presentation

802.1X Configuration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 802.1X Configuration Terena 802.1X workshop the Netherlands, Amsterdam, March 30th Paul Dekkers

  2. Overview

  3. EAP

  4. What makes EAP flexible

  5. Man-in-the-Middle attack That’s why we need a good EAP mechanism!

  6. RADIUS proxy-ing

  7. RADIUS • Client-Server model • Authenticator is a RADIUS client • Authentication-server is the RADIUS server • RADIUS server can be a client as well

  8. RADIUS – what’s in the packet • UDP, ports 1645/1646 or 1812/1813Mind the firewall! • Attributes, like User-Name, User-Password, EAP-Message • Shared Secret

  9. RADIUS and REALMS • Use well-chosen realms: preferably like an e-mail address,user@institution.ccTLDImportant with PROXY-ing

  10. Guest Access

  11. Traffic separation without 1x

  12. Traffic separation with 1x Supplicant Authenticator (AP or switch) RADIUS server University X RADIUS server SURFnet office User DB User DB Guest Paul.Dekkers@surfnet.nl Internet Guest VLAN Employee VLAN Central RADIUS proxy server Students VLAN

  13. Traffic separation with 1x

  14. Hands-on setup

  15. Configuration:Radiator Linear Global configurationAuthPort 1812AcctPort 1813LogDir /var/log/radius DbDir /etc/radiator Clients Handlers

  16. Configuration:Radiator RADIUS Clients <Client 192.168.1.2>Secret 6.6obaFkm&RNs666 Identifier AP1 IdenticalClients 192.168.1.3, 192.168.1.4 </Client>

  17. Configuration:Radiator <Handler Realm=surfnet.nl> <AuthBy FILE> Filename users </AuthBy> </Handler>

  18. Configuration:Radiator <Handler Realm=surfnet.nl> <AuthBy FILE> Filename users EAPType TTLS, PEAP, MSCHAP-V2 EAPTLS_CAFile root-ca.pem EAPTLS_CertificateFile server.pem EAPTLS_CertificateType PEM EAPTLS_PrivateKeyFile private.pem EAPTLS_PrivateKeyPassword secret EAPTLS_MaxFragmentSize 1024 AutoMPPEKeys </AuthBy> </Handler>

  19. Configuration:Radiator <Handler Realm=surfnet.nl, Request-Type=Accounting-Request> # Accept, and log </Handler> <Handler Realm=surfnet.nl, TunnelledByTTLS=1> # PAP </Handler> <Handler Realm=surfnet.nl, TunnelledByPEAP=1> # EAP-MSCHAPv2 </Handler> <Handler Realm=surfnet.nl> # EAP-TTLS and EAP-PEAP </Handler>

  20. Configuration:Radiator, Identifiers and Catch-all <AuthBy RADIUS> Identifier SURFNET-PROXY Host radius-proxy.surfnet.nlSecret Sdfg8WeR98r09d8fg AuthPort 1812 AcctPort 1813 </AuthBy> <Handler> AuthBy SURFNET-PROXY </Handler>

  21. RADIUS proxy-loop • Good configuration is more complex, often lacks in prevention for proxy-loops

  22. Configuration:Access-Point

  23. Cisco AP - RADIUS AP1(config)#aaa new-model aaa group server radius rad_eap server 192.87.116.63 auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap aaa accounting network acct_methods start-stop group rad_acct radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X

  24. Cisco AP - Wireless Interface AP1(config)#interface dot11Radio 0 AP1(config-if)#encryption mode ciphers wep40 AP1(config-if)#broadcast-key change 1800 AP1(config-if)#no ssid tsunami AP1(config-if)#ssid SURFnet AP1(config-if-ssid)#authentication open eap eap_methods AP1(config-if-ssid)#guest-mode AP1(config-if-ssid)#^Z

  25. Cisco switch – enable RADIUS Switch# configure terminal Switch(config)# aaa new-model Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key <secret>

  26. Cisco switch – enable 802.1x Switch(config)# aaa authentication dot1x default group radius Switch(config)# dot1x system-auth-control Switch(config)# interface fastethernet0/1 Switch(config-if)# spanning-tree portfast Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 10 Switch(config-if)# dot1x port-control auto Switch(config-if)# end Switch(config-if)# dot1x guest-vlan 60

  27. Windows and wired 802.1x

  28. Extra in hands-on • Configuration of VLAN’s:Can you enable “roaming” with another group?Can you create an SSID for users without 802.1x?

More Related