
802.1x Implementation Plan for Seacoast


Seacoast National Bank 802.1x Implementation Plan

Microsoft Network Policy Server (NPS)

IMPLEMENTATION PLAN

Page 1 of 13


Table of Contents

1.1 Purpose ........ 3
1.2 System Overview ........ 3
1.3 System Description ........ 3
1.4 Assumptions and Constraints ........ 3
1.5 Benefits ........ 3
2 Hardware and Software Requirements ........ 4
2.1 Hardware Requirements ........ 4
2.2 Software Requirements ........ 4
3 Design Topology ........ 5
3.1 The CCC NPS Topology ........ 6
3.2 Topology Layout Details ........ 7
4 Components of the NPS Infrastructure ........ 8
4.1 Access Clients ........ 9
4.2 Access Servers (RADIUS Clients) ........ 9
4.3 NPS Servers (RADIUS Servers) ........ 9
4.4 User Accounts Databases ........ 9
4.5 Authentication Flow and EAP/RADIUS Message Exchange ........ 10
5 Implementation Tasks ........ 11
5.1 Install Windows 2008 R2 ........ 11
5.2 Install Network Policy Server ........ 11
5.3 Plan and Configure VLAN structure ........ 11
5.4 Plan and Configure AD Group Structure ........ 11
5.4 Client Settings ........ 12
5.5 Plan and Configure NPS Policy Structure ........ 13


1 Introduction

1.1 Purpose

Currently, anyone (customers, vendors, consultants, etc.) is able to plug their network device(s) into a wall jack in our buildings and gain access to our network resources, regardless of the fact that they are not Seacoast employees. Although we have a solution in place to mitigate these types of intrusions, that solution is reactive in nature. This gives someone with malicious intent the ability to launch a variety of attacks, such as breaking into specific servers, eavesdropping on network packets, and unleashing a worm or Denial of Service (DoS) attacks.

I am proposing the implementation of a proactive network security solution based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard for network device authentication and on the Microsoft Network Policy Server (NPS), Microsoft's implementation of RADIUS, to provide fine-grained wired computer authentication and authorization that controls access to network resources.

1.2 System Overview

The Network Policy Server (NPS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS). It will perform centralized connection authentication, authorization, and accounting for wired and wireless network access.

1.3 System Description

The Network Policy Server will give Seacoast National Bank the ability to implement and manage machine and user authentication and authorization for Seacoast-owned and non-Seacoast-owned devices. The Network Policy Server grants access to the appropriate resources via NPS Connection Request and Network Policies, which are based on multiple conditions such as user ID, machine ID, switch, access point, etc.

1.4 Assumptions and Constraints

o Implementation project to begin August 30, 2013 and be completed by DTBD

o Implementation will begin with the building at 973 SE Federal HWY, then move on to the main office at 815 S. Colorado Ave.

o If needed, this solution can also be implemented at the branch offices.

1.5 Benefits

o Encryption of Wireless Keys

o Strong Authentication

o Secure Access Control


2 Hardware and Software Requirements

This section describes the hardware components that are required to install Windows 2008 R2 and the software requirements that are needed to install the Microsoft NPS.

2.1 Hardware Requirements:

The following lists the minimum and recommended hardware components required to support the Microsoft NPS.

Component         Minimum    Recommended
Single CPU speed  2.5 GHz    3.5 GHz or faster
Dual CPU speed    2.0 GHz    3.0 GHz or faster
RAM               2.0 GB     4.0 GB or more
Disk Space        10 GB      100 GB or more

The following is the hardware specification that we are recommending. It is also the hardware specification that we are using for the NPS at the system office.

• Processor: 1 CPU

• Memory: 4 GB

• Disk: 100 GB

2.2 Software Requirements:

This section lists the server operating system, server roles, and features that need to be added in order to implement the Microsoft NPS.

• Windows Server 2008 R2 Enterprise Edition (Operating System)

• Active Directory Certificate Services (Server Roles)

• Network Policy and Access Services (Server Roles)

• Web Server (Server Roles)

• Group Policy Management (Features)

Note: Windows Server 2008 Standard Edition is limited to a maximum of 50 RADIUS clients (authenticators) and a maximum of 2 remote RADIUS server groups. For this reason, I am recommending that we go with Windows Server 2008 Enterprise Edition, which provides an unlimited number of RADIUS clients (authenticators) and remote RADIUS server groups.

The Microsoft NPS can be installed either on a stand-alone hardware platform or in a virtualized environment. We are installing all of our Microsoft Network Policy Servers on the Microsoft Hyper-V platform.


3 Design Topology

Figure 3.1.1


Figure 3.1.2

3.2 The Seacoast NPS Topology:

The NPS will be deployed as a RADIUS proxy. The RADIUS proxy approach will provide us with a High Availability (HA) authentication, authorization, and accounting solution.


3.3 Topology Layout Details:

MAIN OFFICE

RADIUS clients (wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers, also known as "authenticators" or "Network Access Servers") are configured to connect to two NPS proxy servers. One NPS proxy is used as the primary RADIUS proxy and the other as a backup. If the primary NPS proxy becomes unavailable, RADIUS clients send their Access-Request messages to the alternate NPS proxy. The primary server will be installed as a virtual machine and the secondary server on a physical server. Data is mirrored to the secondary server at regular intervals, and also manually through a script after any changes are made.

The NPS proxy servers will point to two Remote RADIUS Server Groups. The first Remote RADIUS Server Group will contain servers that are members of AD and will provide authentication and authorization for computers in the Seacoast "Corp" domain. The second Remote RADIUS Server Group will contain servers that are members of a workgroup and not members of AD. The local database on these servers will contain groups and MAC addresses for non-802.1x-capable devices (printers, VoIP phones, laptops from branch offices, etc.). There will be two servers in each of the two Remote RADIUS Server Groups. In each group, the primary server will be installed as a virtual machine and the secondary server on a physical server.

BRANCH OFFICE

A hybrid solution consisting of 802.1x with MAC Authentication Bypass (MAB) and Port Security with Sticky MAC will be implemented at the branch offices. Publicly accessible ports (i.e. conference rooms, waiting areas, etc.) will use 802.1x with MAC Authentication Bypass, which authenticates against the NPS servers located at the main office. The static ports in the offices will use Port Security with Sticky MAC, which allows the switch interfaces to learn the MAC addresses of trusted Seacoast workstations and ensures that any new devices will not be allowed access.

Note: See Figures 3.1.1 and 3.1.2 for full visual details.


4 Components of the NPS Infrastructure

There are four components to our implementation of the NPS infrastructure: access clients, access servers (RADIUS clients), NPS servers (RADIUS servers), and user account databases. The following figure illustrates the relationships between the four components of the NPS infrastructure.


How Does 802.1x Work

An 802.1X network requires only three components to operate, each of which is referred to in terms that are somewhat unique to this standard. Those components are:

4.1 Access Clients:

An access client is a device that requires some level of access to the network. Examples of access clients are computers, laptops, smart phones, IP phones, printers, etc. The following needs to be configured on the access clients in order for them to work with NPS:

• 802.1x Supplicant

• PEAP settings

4.2 Access Servers / Authenticators (RADIUS Clients):

An access server/authenticator is a device that provides some level of access to the network. An access server acts as a RADIUS client, sending connection requests and accounting messages to a RADIUS server. Examples of access servers are switches, wireless LAN controllers, wireless APs, etc. The following needs to be configured on the access servers in order for them to work with NPS:

• 802.1x settings

• RADIUS settings

• VLANs

4.3 NPS Servers (RADIUS Servers) / Authentication Server:

An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. The following needs to be configured on the NPS servers:

Connection Request Policies

Network Policies: designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. The following are matched to allow access:

• Conditions: matched against groups in AD (User Account Database)

• Constraints: authentication methods (access client PEAP settings)

• Settings: send the client to the correct VLAN (access server VLAN settings)
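As an added illustration that is not part of the plan, the VLAN "Settings" a network policy returns travel in the Access-Accept as the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). This Python builds that attribute set for a VLAN and parses it back the way a switch would, refusing malformed lengths; the attribute codes come from RFC 2865/2868 and the VLAN IDs are constructed sample values.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2868) used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value meaning "IEEE 802"


def tagged_int(attr_type, value, tag=0):
    # RFC 2868 tagged integer: Type, Length=6, Tag (1 octet), Value (3 octets)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    # RFC 2868 tagged string: Type, Length, Tag (1 octet), String
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """The three attributes NPS emits to place an authenticated port in vlan_id."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def parse_attributes(blob):
    """Walk the Type/Length/Value list; reject bad lengths instead of reading past the end."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def is_well_formed(blob):
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False


def assigned_vlan(blob):
    """VLAN id a switch would apply, or None if the attribute set is incomplete or inconsistent."""
    ttype = tmedium = tgroup = None
    for atype, val in parse_attributes(blob):
        if atype == TUNNEL_TYPE and len(val) == 4:
            ttype = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(val) == 4:
            tmedium = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # RFC 2868: a leading octet <= 0x1F is a tag, otherwise it is part of the string
            tgroup = val[1:] if val[0] <= 0x1F else val
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802 or tgroup is None:
        return None
    try:
        return int(tgroup.decode("ascii"))
    except ValueError:
        return None
```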

4.4 User Accounts Databases:

The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials, and whose user account properties contain authorization and connection parameter information.

The user account database that NPS can use is the user accounts database provided with Active Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a domain member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations:

• In the domain in which the NPS server is a member.

• In domains for which there is a two-way trust with the NPS server domain.

• In trusted forests with domain controllers running Windows Server 2008 and AD DS.

4.5 Authentication Flow and EAP/RADIUS Message Exchange:

Figure 4.5.1 below shows the 802.1x authentication flow and the roles that the authenticator, AD and the NPS play in the decision-making process. The chart also shows the message exchange that happens during this process.

Figure 4.5.1


5 Implementation Tasks

The implementation tasks are organized into the following sections. In each section, the priorities or strategies to be acted on by the implementation are listed, followed by specific action steps for each priority/strategy.

5.1 Install Windows 2008 R2:

5.2 Install Network Policy Server:

Add Server Roles: Active Directory Certificate Services

Add Server Roles: Network Policy and Access Services

5.3 Plan and Configure VLAN structure:

Below is the list of VLANs that were deemed to be required. There will probably be cases where additional VLANs are required by the colleges. These requests will be reviewed and decided upon accordingly.

The VLANs can be configured to look like the following:

VLAN 10: Staff Workstation
VLAN 20: Printers
VLAN 30: Voice

And so on. If needed, going in blocks of ten will leave us room and flexibility to add new VLANs.

5.4 Plan and Configure AD Group Structure:

Requirements:

o Active Directory will be used for NPS

o Groups must be used

o The design must allow for delegation of control

o The design should be set up for ease of operational management

Assumptions:

o There will be a specific, consistently used name associated with each VLAN ("StaffWorkstations", "StaffPrinters", etc.)

o For each VLAN managed by NPS, at least two new groups in AD must be created, with possibly two more (bringing it to four):

• The first group contains computers within AD. It will be used by NPS to check which VLAN a specific computer must go to.

• The second group is for MAC authentication. Usernames matching the devices' MAC addresses, with appropriate passwords, must be created.

• A third and fourth group may be needed for delegated management of the first two groups.


Initial Configuration:

Prerequisites: Need final list of all VLAN names

5.4 Client Settings:

Network configuration needs to be modified on the clients (Windows XP, Windows 7 and Windows Vista) in order for them to authenticate to the network via 802.1X. In particular, the following settings need to be enabled:

Authentication:

• Enable IEEE 802.1X authentication.

• Cache user information for subsequent connections to this network.

Protected EAP Properties:

• Uncheck Validate server certificate

• Enable Fast Reconnect

Authentication Method:

• Secure password (EAP-MSCHAP v2)

• Automatically use my Windows logon name and password (and domain if any).

Deployment Options:

• Manual change on each computer

• Scripts

• Group Policy

Out of the three deployment options, Group Policy would be the ideal solution. The policy that specifically contains the authentication and PEAP settings is called Wired Network (IEEE 802.3) Policies. This policy can be applied to the following clients: Windows XP SP3, Windows 7, and Windows Vista.

After some thorough testing, we have found that certain settings will not work with Windows XP. In order to resolve this issue, the Group Policy needs to be created from a Windows Server 2008 (not R2) or Windows Vista workstation. We recommend using a Windows Vista workstation.

The following steps outline the Group Policy deployment for the clients:

1. Create a new Group Policy with Windows Vista and configure it with the required settings.

2. Modify the policy so that the refresh occurs in 10 minutes instead of the default 90-120 minutes.


3. Disable 802.1X on switch ports.

4. Apply the new Group Policy to the OU.

5. Verify that the policy change took place.

6. Re-enable 802.1x on switch ports.

5.5 Plan and Configure NPS Policy Structure

The policies built within the Microsoft NPS are based on the Network Policy of Seacoast National Bank.

There were two different options available for how we could configure the NPS to meet the needs of the network policy. The options are:

Option 1: Configure NPS for User and Machine Authentication

- This option will provide users with the ability to access their data regardless of which device they are logging into. For example, a faculty member can walk into a computer lab, log into the lab computer, and have access to all of their network resources as if they were logged into their own PC.

Option 2: Configure NPS for Machine Authentication Only

- This option will provide users with the ability to access only the resources that the device has access to. For example, a faculty member walks into a computer lab, logs into the lab computer, and will only have access to the limited resources that the lab computer has permission to.

I am recommending that we proceed with option 2. This will ease our policy configuration requirements. The following are examples of how the NPS policies would be written:

Target:

- Staff Workstation | VLAN 10: 172.16.10.0/24

- Printers | VLAN 50: 172.16.50.0/24

- Guest | VLAN 100: 172.16.100.0/24

Policies:

Connection Request Policies

- Condition:

  Condition: NAS Port Type

  Value: Ethernet

- Settings:

  Authentication Methods: Override network policy authentication settings

  EAP Types: Microsoft Protected EAP (PEAP)

  - Configure Protected EAP Properties

    o Certificate issued: rayite.corp.local


    o Enable Fast Reconnect

    o EAP Types: Secured password (EAP-MSCHAP v2)

  Less secure authentication methods:

  - Microsoft Encrypted Authentication version 2 (MS-CHAP v2)

  - Microsoft Encrypted Authentication (MS-CHAP)

  - Encrypted Authentication (CHAP)

  - Unencrypted Authentication (PAP)
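The following Python is an added model of the policy flow for option 2, not code from the plan: a Connection Request Policy condition on NAS Port Type, proxy routing to the two Remote RADIUS Server Groups of section 3.3, and ordered Network Policies whose conditions, constraints and settings decide the VLAN (as in NPS, the first policy whose conditions match is the one evaluated, and a failed constraint rejects rather than falling through). The group names, User-Name formats, remote group names and the Guest fallback are assumptions; the VLAN numbers come from the Target list above.

```python
from dataclasses import dataclass

NAS_PORT_TYPE_ETHERNET = 15   # RADIUS NAS-Port-Type value for wired ports (RFC 2865)


@dataclass(frozen=True)
class AccessRequest:
    user_name: str              # assumed formats: "host/ws01.corp.local" (domain computer), "001122aabbcc" (MAB)
    nas_port_type: int
    auth_method: str            # "PEAP-MSCHAPv2" from an 802.1x supplicant, "MAB" for MAC bypass
    groups: frozenset = frozenset()   # memberships returned by the account database


# Hypothetical policy table: (policy name, required group, allowed auth methods, VLAN).
# Evaluated top to bottom; the first policy whose condition matches decides the outcome.
NETWORK_POLICIES = [
    ("Staff Workstations", "StaffWorkstations", {"PEAP-MSCHAPv2"}, 10),
    ("Printers (MAB)", "StaffPrinters", {"MAB"}, 50),
]
GUEST_VLAN = 100   # assumed fallback for devices that match no policy


def remote_server_group(req):
    """Proxy routing (section 3.3): domain computers to the AD members, MAC accounts to the workgroup servers."""
    name = req.user_name.lower()
    if name.startswith("host/") and name.endswith(".corp.local"):
        return "AD-CorpDomain"
    if len(name) == 12 and all(c in "0123456789abcdef" for c in name):
        return "Workgroup-MAB"
    return None


def evaluate(req):
    """Return ("accept", remote group, policy name, VLAN) or ("reject", reason)."""
    # Connection Request Policy condition: NAS Port Type = Ethernet
    if req.nas_port_type != NAS_PORT_TYPE_ETHERNET:
        return ("reject", "CRP: NAS-Port-Type is not Ethernet")
    group = remote_server_group(req)
    if group is None:
        return ("reject", "CRP: no remote RADIUS server group for this User-Name")
    for name, required_group, methods, vlan in NETWORK_POLICIES:
        if required_group in req.groups:             # Conditions: group membership
            if req.auth_method not in methods:       # Constraints: authentication method
                return ("reject", f"{name}: authentication method not permitted")
            return ("accept", group, name, vlan)     # Settings: VLAN for the access server
    return ("accept", group, "Guest", GUEST_VLAN)
```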