
802.1x Best Practices

Ing. Peter Feciľak, Peter.Fecilak@tuke.sk, 29.04.2008, KPI, FEI, TUKE. Content of the presentation: basic terminology (802.1x, RADIUS server, dynamic VLAN membership); why to implement 802.1x; problems in 802.1x implementation; discussion.


Presentation Transcript


  1. 802.1x Best Practices Ing. Peter Feciľak Peter.Fecilak@tuke.sk 29.04.2008, KPI, FEI, TUKE.

  2. Content of the presentation
     • Basic terminology
       • 802.1x
       • RADIUS server
       • Dynamic VLAN membership
     • Why to implement 802.1x?
     • Problems in 802.1x implementation
     • Discussion...

  3. What is 802.1x?
     • IEEE standard for port-based Network Access Control
     • Provides port-based authentication
     • Supported in wired and wireless environments

  4. 802.1x terminology

  5. RADIUS authentication server
     • Provides authentication and other AAA services for the end device through a number of authentication mechanisms
     • Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)
     • Can be linked to an external user/computer database: Active Directory / LDAP / MySQL

  6. RADIUS authentication server
     • Supports delegation of requests (e.g. eduroam)
     • Runs on different platforms:
       • MS Windows: Cisco Secure Access Control Server
       • Linux: FreeRADIUS / old version of CS ACS

  7. Authenticator – access layer
     • Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)
     • Three types of VLANs:
       • Dynamic VLAN from RADIUS
       • AUTH-FAIL VLAN
       • GUEST VLAN
     • Catalyst switches support periodic re-authentication (Steve Riley vulnerability from 2005)
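The following Python script is an added example, not part of the presentation, of what the authenticator does with the RADIUS reply to arrive at the three VLAN outcomes listed on this slide. It parses a RADIUS packet, verifies the Response Authenticator against the shared secret before trusting anything in it, reads the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id) and maps Access-Accept, Access-Reject and "no supplicant answered" to the dynamic, auth-fail and guest VLAN. The shared secret, VLAN numbers and packets are constructed sample values; `build_response` exists only to produce test packets and is not a RADIUS server.

```python
"""RADIUS reply handling on an 802.1x authenticator (added example, constructed data)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# RADIUS codes (RFC 2865) and the tunnel attributes RFC 3580 uses for VLAN assignment
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_attributes(payload: bytes) -> list:
    """Split the attribute region into (type, value) pairs, refusing malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("attribute length points outside the packet")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tunnel_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return int.from_bytes(value[1:], "big")


def tunnel_string(value: bytes) -> bytes:
    """Tunnel-Private-Group-ID: an optional tag octet (0x00-0x1F) precedes the string."""
    return value[1:] if value and value[0] <= 0x1F else value


def response_authenticator(header: bytes, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """MD5(Code+ID+Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_auth + body + secret).digest()


@dataclass
class PortDecision:
    vlan: Optional[int]   # VLAN to place the port in; None keeps the port unauthorized
    reason: str


def decide_port_vlan(packet, request_auth, secret, *, default_vlan, auth_fail_vlan, guest_vlan):
    """Map the RADIUS outcome to the three VLAN cases named on the slide."""
    if packet is None:  # no EAPOL answer at all: the device has no supplicant
        return PortDecision(guest_vlan, "guest-vlan: no 802.1x supplicant on port")
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match the packet")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    # Without this check a reply spoofed from the server's address would be trusted;
    # the shared secret is what binds the reply to our request. (RFC 3579 additionally
    # requires the Message-Authenticator attribute for EAP; not checked in this example.)
    if not hmac.compare_digest(response_authenticator(header, request_auth, body, secret), resp_auth):
        return PortDecision(None, "discard: bad Response Authenticator")
    if code == ACCESS_REJECT:
        return PortDecision(auth_fail_vlan, "auth-fail-vlan: credentials rejected")
    if code != ACCESS_ACCEPT:
        return PortDecision(None, f"discard: unexpected code {code}")
    attrs = dict(parse_attributes(body))
    if not all(t in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return PortDecision(default_vlan, "accept: no VLAN attributes, port keeps its configured VLAN")
    if (tunnel_int(attrs[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN
            or tunnel_int(attrs[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_IEEE_802):
        return PortDecision(None, "discard: tunnel attributes do not describe an 802 VLAN")
    group = tunnel_string(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    if not group.isdigit() or not 1 <= int(group) <= 4094:  # VLAN names are not resolved here
        return PortDecision(None, f"discard: unusable VLAN id {group!r}")
    return PortDecision(int(group), f"dynamic-vlan: VLAN {group} assigned by RADIUS")


def build_response(code, ident, request_auth, secret, vlan_id=None) -> bytes:
    """Construct a test Access-Accept/Reject; VLAN attributes only when vlan_id is given."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    body = b""
    if vlan_id is not None:
        body = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
                + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body


# Constructed sample values, not from any real deployment
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PORT = dict(default_vlan=10, auth_fail_vlan=998, guest_vlan=999)

if __name__ == "__main__":
    ok = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, vlan_id=20)
    print(decide_port_vlan(ok, REQUEST_AUTH, SECRET, **PORT))
    forged = ok[:-1] + bytes([ok[-1] ^ 1])  # one flipped byte invalidates the authenticator
    print(decide_port_vlan(forged, REQUEST_AUTH, SECRET, **PORT))
    print(decide_port_vlan(build_response(ACCESS_REJECT, 8, REQUEST_AUTH, SECRET), REQUEST_AUTH, SECRET, **PORT))
    print(decide_port_vlan(None, REQUEST_AUTH, SECRET, **PORT))
```

The order of the checks is the point: the packet is discarded on a bad Response Authenticator before any attribute is read, an Access-Accept that carries no VLAN attributes leaves the port in its statically configured VLAN, and only a consistent Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triple moves the port.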

  8. 802.1x Supplicant
     • Application that provides authentication via EAP against the authenticator
     • Possible types of authentication:
       • Computer (domain account)
       • User (domain account, OTP…)
       • Computer with user account

  9. 802.1x Supplicant
     • Supported under Windows and Linux as well
     • Linux authentication tools:
       • Xsupplicant (wired)
       • wpa_supplicant (wireless)
       • open1x

  10. 802.1x Linux Supplicant
      fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
      default_interface = eth0
      default {
          type = wired
          allow_types = eap-peap
          identity = "pfecilak"
          eap-peap {
              inner_id = "pfecilak"
              root_cert = NONE
              chunk_size = 1398
              random_file = /dev/urandom
              allow_types = all
              session_resume = yes
              eap-mschapv2 {
                  username = "pfecilak"
                  password = "Moje1Tajne2Heslo3!#"
              }
          }
      }
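As an added example that is not part of the presentation, this Python script parses the brace-structured xsupplicant.conf format shown on the slide and reports the two settings a reviewer would flag in it: `root_cert = NONE`, which Xsupplicant 1.x documents as turning off validation of the RADIUS server certificate (so the PEAP tunnel, and the MSCHAPv2 credentials inside it, can be terminated by whichever server answers), and a clear-text password in the file. The `HARDENED_CONF` variant assumes that `root_cert` accepts a path to the CA certificate; the path itself is a placeholder.

```python
"""Audit of the xsupplicant.conf from slide 10 (added example; parser is the example's own)."""
import re

# The configuration from the slide, embedded as the sample input (quotes normalised)
SLIDE10_CONF = """\
default_interface = eth0
default {
    type = wired
    allow_types = eap-peap
    identity = "pfecilak"
    eap-peap {
        inner_id = "pfecilak"
        root_cert = NONE
        chunk_size = 1398
        random_file = /dev/urandom
        allow_types = all
        session_resume = yes
        eap-mschapv2 {
            username = "pfecilak"
            password = "Moje1Tajne2Heslo3!#"
        }
    }
}
"""

# Assumed hardened form: root_cert pointing at the CA that signed the RADIUS server
# certificate. The path is a placeholder, not a value from the presentation.
HARDENED_CONF = SLIDE10_CONF.replace('root_cert = NONE', 'root_cert = "/etc/ssl/certs/radius-ca.pem"')


def parse_conf(text: str) -> dict:
    """Parse `key = value` lines and `name { ... }` blocks into nested dicts."""
    root, stack, current = {}, [], None
    current = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments; '#' may occur in values
            continue
        if line.endswith("{"):
            child = {}
            current[line[:-1].strip()] = child
            stack.append(current)
            current = child
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            current = stack.pop()
        else:
            m = re.fullmatch(r"([\w-]+)\s*=\s*(.*)", line)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {line!r}")
            current[m.group(1)] = m.group(2).strip().strip('"')
    if stack:
        raise ValueError("unclosed block at end of file")
    return root


def audit(conf: dict, path: str = "") -> list:
    """Walk the tree and return findings (strings) for settings that weaken PEAP/MSCHAPv2."""
    findings = []
    for key, value in conf.items():
        here = f"{path}/{key}" if path else key
        if isinstance(value, dict):
            if key == "eap-peap" and value.get("root_cert", "").upper() == "NONE":
                findings.append(f"{here}: root_cert = NONE disables server certificate validation; "
                                "any RADIUS server presenting a certificate can terminate the tunnel")
            findings.extend(audit(value, here))
        elif key == "password":
            findings.append(f"{here}: password stored in clear text; "
                            "restrict the file to root (mode 0600) or prompt for it")
    return findings


if __name__ == "__main__":
    for label, conf in (("slide 10", SLIDE10_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for finding in audit(parse_conf(conf)):
            print("  -", finding)
```

Run against the slide's configuration the audit reports both findings; the hardened variant keeps only the clear-text password, which is inherent to an unattended wired supplicant and is handled by file permissions rather than by the configuration syntax.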

  11. 802.1x Windows Supplicant
      • Native 802.1x supplicant under:
        • MS Windows XP
        • MS Vista
        • MS Windows 2000 (latest SP)
      • External supplicants:
        • Cisco Secure Services Agent

  12. 802.1x Windows Supplicant

  13. 802.1x Windows Supplicant User-authentication GUI agent:

  14. Why to implement 802.1x?
      • Provide port-based control for access to network resources (problems with controlling physical access)
      • Identify regular network users. Provide them easy access to network resources. Isolate non-regular users from the internal infrastructure.

  15. Why to implement 802.1x?
      • Apply different security levels to specified communities of users.
      • Provide mobility features via RADIUS and dynamic VLAN membership

  16. Number of Security Levels
      • Identify user/computer roles and grant them access to network resources as defined by their security level.

  17. Problems in 802.1x implementation
      • Devices that do not support 802.1x connected at the access layer cause problems (e.g. hubs / unmanageable switches)
      • Computers connected through IP phones that do not support 802.1x have problems with authentication
      • Periodic re-authentication can cause problems in a large domain

  18. Problems in 802.1x implementation
      • Computer authentication with user-to-VLAN mapping can cause problems during the IP settings renewal process
      • Authentication tab not shown in the local area connection configuration (needs Wireless Zero Configuration)

  19. Best practices
      • When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts
      • Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with a domain account is better

  20. Best practices
      • Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication
      • I recommend one server per 100 computers when re-authentication every 5 minutes is used

  21. Best practices
      Classification into profiles for providing different security levels:
      • User Network
        • For regular users, granting access to network resources
      • Visitors Network
        • For guest access from the internal infrastructure, granting only Internet access
      • Guest/Auth-fail VLAN
        • Fully isolated network. No network resources can be accessed.

  22. Discussion/Questions and Answers

  23. Redundant topologies

  24. Redundant topologies

  25. Problem

  26. Solution – redundant gateways (diagram: two gateways, 192.168.1.2 and 192.168.1.1, on the 192.168.1.0/24 segment)

  27. Solution – HSRP (diagram: GW-1-1 at 192.168.1.2 and GW-1-2 at 192.168.1.1 form a virtual router with address 192.168.1.3 on 192.168.1.0/24; one gateway is Master, the other Slave)

  28. First Hop Redundancy Protocols
      • HSRP
      • VRRP
      • GLBP

  29. Example - HSRP
      GW-1-1 (192.168.1.2):
      GW-1-1(config)# interface FastEthernet 0/0
      GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
      GW-1-1(config-if)# standby 1 priority 80
      GW-1-1(config-if)# standby 1 preempt
      GW-1-1(config-if)# standby 1 ip 192.168.1.3
      GW-1-1(config-if)# no shutdown

      GW-1-2 (192.168.1.1):
      GW-1-2(config)# interface FastEthernet 0/0
      GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
      GW-1-2(config-if)# standby 1 priority 150
      GW-1-2(config-if)# standby 1 preempt
      GW-1-2(config-if)# standby 1 ip 192.168.1.3
      GW-1-2(config-if)# no shutdown

      Host: IP 192.168.1.100, Netmask 255.255.255.0, Gateway 192.168.1.3
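An added example, not from the presentation, that simulates the HSRP election for the two gateways configured on this slide in Python: the higher priority becomes the active router, the higher interface address breaks a tie, and `standby preempt` decides whether GW-1-2 takes the active role back after it returns. The `HsrpRouter` and `HsrpGroup` classes are the example's own; the addresses, priorities and group number are those of slide 29.

```python
"""HSRP active/standby election for the slide 29 gateways (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100     # IOS default when `standby <group> priority` is not set
    preempt: bool = False   # IOS default: a higher-priority router does not preempt
    up: bool = True


@dataclass
class HsrpGroup:
    group: int
    virtual_ip: str
    routers: List[HsrpRouter]
    active: Optional[str] = None

    def virtual_mac(self) -> str:
        """HSRP version 1 virtual MAC 0000.0c07.acXX, XX = group number in hex."""
        return f"0000.0c07.ac{self.group:02x}"

    @staticmethod
    def _rank(r: HsrpRouter):
        # Higher priority wins; ties go to the higher interface IP address
        return (r.priority, int(IPv4Address(r.ip)))

    def elect(self) -> Optional[str]:
        """Re-run the election after a state change; returns the active router's name."""
        candidates = [r for r in self.routers if r.up]
        if not candidates:
            self.active = None
            return None
        best = max(candidates, key=self._rank)
        current = next((r for r in candidates if r.name == self.active), None)
        if current is None:
            self.active = best.name       # no active router left: best candidate takes over
        elif best is not current and best.preempt:
            self.active = best.name       # a returning higher-priority router preempts only if configured
        # otherwise the current active router keeps the role despite its lower priority
        return self.active

    def standby(self) -> Optional[str]:
        """Best-ranked router that is up but not active."""
        others = [r for r in self.routers if r.up and r.name != self.active]
        return max(others, key=self._rank).name if others else None

    def set_state(self, name: str, up: bool) -> Optional[str]:
        for r in self.routers:
            if r.name == name:
                r.up = up
        return self.elect()


def slide29_group(preempt: bool = True) -> HsrpGroup:
    """Group 1 from slide 29: GW-1-1 priority 80, GW-1-2 priority 150, virtual IP 192.168.1.3."""
    return HsrpGroup(1, "192.168.1.3", [
        HsrpRouter("GW-1-1", "192.168.1.2", priority=80, preempt=preempt),
        HsrpRouter("GW-1-2", "192.168.1.1", priority=150, preempt=preempt),
    ])


def failover_trace(preempt: bool = True) -> list:
    """Active router after boot, after GW-1-2 fails, and after GW-1-2 returns."""
    g = slide29_group(preempt)
    return [g.elect(), g.set_state("GW-1-2", False), g.set_state("GW-1-2", True)]


if __name__ == "__main__":
    g = slide29_group()
    g.elect()
    print("virtual IP/MAC:", g.virtual_ip, g.virtual_mac(), "active:", g.active, "standby:", g.standby())
    print("with preempt:   ", failover_trace(True))
    print("without preempt:", failover_trace(False))
```

The host on the slide only ever sees 192.168.1.3 and the group's virtual MAC, so the traces differ only in which gateway answers for it: with `standby 1 preempt` on both routers GW-1-2 resumes the active role when it comes back, without it GW-1-1 stays active until it fails in turn. Note that the slide's configuration carries no `standby 1 authentication` statement; IOS supports MD5 authentication of HSRP hellos (`standby <group> authentication md5 key-string <key>`), and without it the gateways accept hellos from any host on the 192.168.1.0/24 segment.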

  30. Configuration statements - HSRP

  31. The End Thank you for your attention… Ing. Peter Feciľak Peter.Fecilak@tuke.sk 29.04.2008, KPI, FEI, TUKE.
