250 likes | 349 Views
802.1x Port Authentication via RADIUS. By Oswaldo Perdomo cs580 Network Security. What is 802.1x ?. Defined by IEEE and designed to provide port-based network access. 802.1x authenticates network clients using information unique to the client and with credentials known only to the client.
E N D
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security
What is 802.1x ? • Defined by IEEE and designed to provide port-based network access. • 802.1x authenticates network clients using information unique to the client and with credentials known only to the client. • Service known as port-level authentication
Benefits of 802.1x • 802.1x is a LAN access control. • 802.1x introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.
802.1x Framework • The framework is defined by 3 authentication processes: • The supplicant • Possibly a standalone device or an end user, such as a remote user. • The authenticator • A device to which the supplicant directly connects and through which the supplicant obtains network access permission • The authentication server • The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
What is EAP ? • EAP • Extensible Authentication Protocol • A flexible protocol used to carry arbitrary authentication information • Typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+, etc. • EAP Messages • Request • Sent to supplicant to indicate a challenge • Response • Supplicant reply message • Success • Notification to supplicant of success • Failure • Notification to supplicant of failure
Benefits of EAP-TLS Authentication • Password’s are not used at all. • Instead TLS public key is used. • AAA Server authenticates client, but client can also authenticate AAA Server • AAA Server receives certification from client, verifies authenticity of certification using CA public key, then verifies bearer identity using TLS handshake
Benefits 802.1x with Cisco Secure ACS • Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics. • Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment • Identity-based session accounting and auditing, which enables tracking of client network usage.
Configuring the Switch for 802.1x Port Authentication • GV-Rack1>s2 • Translating "s2" • Trying s2 (1.1.1.1, 2015)... Open • Rack1S2>enable • Rack1S2#config t • Enter configuration commands, one per line. End with CNTL/Z. • Rack1S2(config)#hostname mytest • mytest(config)#aaa new-model • mytest(config)#aaa authentication dot1x default group radius • mytest(config)#interface fastethernet0/1 • mytest(config-if)#dot1x port-control auto • mytest(config-if)#radius-server host 10.252.252.252 auth-port 1812 key cisco • mytest(config)#end • mytest#s • 12:06:37: %SYS-5-CONFIG_I: Configured from console by console • mytest#show dot1x • Sysauthcontrol = Disabled • Supplicant Allowed In Guest Vlan = Disabled • Dot1x Protocol Version = 1 • Dot1x Oper Controlled Directions = Both • Dot1x Admin Controlled Directions = Both
Catalyst 3550 series Configuration File • mytest#show running-config • Building configuration... • Current configuration : 2267 bytes • ! • version 12.1 • no service pad • service timestamps debug uptime • service timestamps log uptime • no service password-encryption • ! • hostname mytest • ! • aaa new-model • aaa authentication dot1x default group radius • ! • ip subnet-zero • ! • no ip domain-lookup • ! • spanning-tree mode pvst • spanning-tree extend system-id • ! • interface FastEthernet0/1 • switchport mode dynamic desirable • dot1x port-control auto • spanning-tree portfast • !! • interface Vlan1 • no ip address • shutdown • ! • ip classless • ip http server • ! • radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco • radius-server retransmit 3 • ! • line con 0 • exec-timeout 0 0 • logging synchronous • line vty 5 15 • ! • ! • end