Seacoast National Bank 802.1x Implementation Plan
Microsoft Network Policy Server (NPS)
IMPLEMENTATION PLAN
Page 1 of 13
Table of Contents
1.1 Purpose ............................................................ 3
1.2 System Overview .................................................... 3
1.3 System Description ................................................. 3
1.4 Assumptions and Constraints ........................................ 3
1.5 Benefits ........................................................... 3
2 Hardware and Software Requirements ................................... 4
2.1 Hardware Requirements .............................................. 4
2.2 Software Requirements .............................................. 4
3 Design Topology ...................................................... 5
3.1 The CCC NPS Topology ............................................... 6
3.2 Topology Layout Details ............................................ 7
4 Components of the NPS Infrastructure ................................. 8
4.1 Access Clients ..................................................... 9
4.2 Access Servers (RADIUS Clients) .................................... 9
4.3 NPS Servers (RADIUS Servers) ....................................... 9
4.4 User Accounts Databases ............................................ 9
4.5 Authentication Flow and EAP/RADIUS Message Exchange ............... 10
5 Implementation Tasks ................................................ 11
5.1 Install Windows 2008 R2 ........................................... 11
5.2 Install Network Policy Server ..................................... 11
5.3 Plan and Configure VLAN structure ................................. 11
5.4 Plan and Configure AD Group Structure ............................. 11
5.4 Client Settings ................................................... 12
5.5 Plan and Configure NPS Policy Structure ........................... 13
Introduction
1.1 Purpose
Currently, anyone (customers, vendors, consultants, etc.) is able to plug their network device(s)
into a wall jack in our buildings and gain access to our network resources, even though they are
not Seacoast employees. Although we have a solution in place to mitigate these types of
intrusions, that solution is reactive in nature. This gives someone with malicious intent the
ability to launch a variety of attacks, such as breaking into specific servers, eavesdropping on
network packets, and unleashing a worm or Denial of Service (DoS) attack.
I am proposing the implementation of a proactive network security solution based on the Institute
of Electrical and Electronics Engineers (IEEE) 802.1x standard for network device authentication
and on Microsoft Network Policy Server (NPS), Microsoft's implementation of RADIUS, to provide
fine-grained wired computer authentication and authorization that controls access to network
resources.
1.2 System Overview
The Network Policy Server (NPS) is the Microsoft implementation of Remote Authentication Dial-In
User Service (RADIUS). It will perform centralized connection authentication, authorization, and
accounting for wired and wireless network access.
1.3 System Description
The Network Policy Server will give Seacoast National Bank the ability to implement and manage
machine and user authentication and authorization for Seacoast-owned and non-Seacoast-owned
devices. The Network Policy Server grants access to the appropriate resources via NPS Connection
Request and Network Policies, which are based on multiple conditions such as user ID, machine ID,
switch, access point, etc.
1.4 Assumptions and Constraints
o Implementation project to begin August 30, 2013 and be completed by DTBD
o Implementation will begin with the building at 973 SE Federal HWY, moving on to the main office
at 815 S. Colorado Ave.
o If needed, this solution can also be implemented at the branch offices.
1.5 Benefits
o Encryption of Wireless Keys
o Strong Authentication
o Secure Access Control
2 Hardware and Software Requirements
This section describes the hardware components that are required to install Windows 2008 R2 and
the software requirements that are needed to install the Microsoft NPS.
2.1 Hardware Requirements:
The following table lists the minimum and recommended hardware components that are required to
support the Microsoft NPS.
Component         Minimum    Recommended
Single CPU speed  2.5 GHz    3.5 GHz or faster
Dual CPU speed    2.0 GHz    3.0 GHz or faster
RAM               2.0 GB     4.0 GB or more
Disk Space        10 GB      100 GB or more
The following is the hardware specification that we are recommending. This is also the hardware
specification that we are using for the NPS at the system office.
• Processor: 1 CPU
• Memory: 4 GB
• Disk: 100 GB
2.2 Software Requirements:
This section lists the server, server roles, and features that need to be added in order to
implement the Microsoft NPS.
• Windows Server 2008 R2 Enterprise Edition (Operating System)
• Active Directory Certificate Services (Server Roles)
• Network Policy and Access Services (Server Roles)
• Web Server (Server Roles)
• Group Policy Management (Features)
Note: Windows Server 2008 Standard Edition is limited to a maximum of 50 RADIUS clients
(authenticators) and a maximum of 2 remote RADIUS server groups. For this reason, I am
recommending that we go with Windows Server 2008 Enterprise Edition, which provides an unlimited
number of RADIUS clients (authenticators) and remote RADIUS server groups.
The Microsoft NPS can be installed either on a stand-alone physical hardware platform or in a
virtualized environment. We are installing all of our Microsoft Network Policy Servers on the
Microsoft Hyper-V platform.
3 Design Topology
Figure 3.1.1
Figure 3.1.2
3.2 The Seacoast NPS Topology:
The NPS will be deployed as a RADIUS proxy. The RADIUS proxy approach will provide us with a
High Availability (HA) authentication, authorization, and accounting solution.
3.3 Topology Layout Details:
MAIN OFFICE
RADIUS clients (wireless access points, 802.1X-capable switches, virtual private network (VPN)
servers, and dial-up servers - also known as “authenticators” and/or “Network Access Servers”) are
configured to connect to two NPS proxy servers. One NPS proxy is used as the primary RADIUS
proxy and the other is used as a backup. If the primary NPS proxy becomes unavailable, RADIUS
clients then send Access-Request messages to the alternate NPS proxy. The primary server will be
installed as a virtual machine and the secondary server will be installed on a physical server. Data
is mirrored to the secondary server at regular intervals, and also manually through a script each
time changes are made.
The NPS proxy servers will point to two Remote RADIUS Server Groups. The first Remote RADIUS
Server Group will contain servers that are members of AD and will provide authentication and
authorization for computers in the Seacoast “Corp” domain. The second Remote RADIUS Server
Group will contain servers that are members of a workgroup and not members of AD. The local
database on these servers will contain Groups and MAC addresses for non-802.1x capable devices
(printers, VoIP phones, laptops from branch offices, etc.). There will be two servers in each of the
two Remote RADIUS Server Groups. The primary server will be installed as a virtual machine and
the secondary server will be installed on a physical server.
BRANCH OFFICE
A hybrid solution consisting of 802.1x with MAC Authentication Bypass (MAB) and Port Security
with Sticky MAC will be implemented at the branch offices. The publicly accessible ports (i.e.
conference rooms, waiting areas, etc.) will use 802.1x with MAC Authentication Bypass, which will
authenticate to the NPS servers located at the main office. The static ports in the offices will use
Port Security with Sticky MAC, which allows the switch interfaces to learn the MAC addresses of
trusted Seacoast workstations and ensures that any new devices will not be allowed access.
Note: See Figure 3.1.1 and 3.1.2 for full visual details.
4 Components of the NPS Infrastructure
There are four components to our implementation of the NPS infrastructure: access clients, access
servers (RADIUS clients), NPS servers (RADIUS servers), and user account databases.
The following figure illustrates the relationships between the four components of the NPS
infrastructure.
How Does 802.1x Work?
An 802.1X network requires only three components to operate, each of which is referred to in
terms that are somewhat unique to this standard. Those components are:
4.1 Access Clients:
An access client is a device that requires some level of access to the network. Examples of access
clients are computers, laptops, smart phones, IP phones, printers, etc. The following needs to be
configured on the access clients in order to function with NPS:
802.1x Supplicant
PEAP settings
4.2 Access Servers / Authenticators (RADIUS Clients):
An access server/Authenticator is a device that provides some level of access to the network. An
access server acts as a RADIUS client, sending connection requests and accounting messages to a
RADIUS server. Examples of access servers are switches, wireless LAN controllers, Wireless APs,
etc. The following needs to be configured on the access servers in order to function with NPS:
802.1x settings | RADIUS settings | VLANs
4.3 NPS Servers (RADIUS Servers) / Authentication Server:
An NPS or RADIUS server is a device that receives and processes connection requests or accounting
messages sent by RADIUS clients. In the case of connection requests, the RADIUS server processes
the list of RADIUS attributes in the connection request. The following needs to be configured on
the NPS servers:
Connection Request Policies
Network Policies: designate who is authorized to connect to the network and the
circumstances under which they can or cannot connect. The following are matched to
allow access:
• Conditions: Matches against Groups in AD (User Account Database)
• Constraints: Authentication methods (Access client PEAP settings)
• Settings: Sends client to correct VLANs (Access servers VLANs
settings)
4.4 User Accounts Databases:
The user account database is the list of user accounts and their properties that can be checked by
a RADIUS server to verify authentication credentials and user account properties containing
authorization and connection parameter information.
The user account databases that NPS can use are the user accounts database provided with Active
Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a domain member of an
AD DS domain, NPS can provide authentication and authorization for user or computer accounts
that exist in the following locations:
In the domain in which the NPS server is a member.
In domains for which there is a two-way trust with the NPS server domain.
In trusted forests with domain controllers running Windows Server 2008 and AD DS.
4.5 Authentication Flow and EAP/RADIUS Message Exchange:
Figure 4.5.1 below shows the 802.1x authentication flow and the roles that the authenticator, AD
and the NPS plays in the decision making process. The chart also shows the message exchange
that happens during this process.
Figure 4.5.1
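To make the message exchange in the figure concrete, the following is an added example (written for this edit, not part of the plan or of Microsoft's NPS code) that builds the two RADIUS packets at the heart of the 802.1x flow: the authenticator's Access-Request carrying the supplicant's EAP-Response/Identity, and the NPS Access-Accept carrying EAP-Success plus the RFC 2868 tunnel attributes that place the port in a VLAN. It also shows the two integrity checks each side performs with the shared secret: the Message-Authenticator (HMAC-MD5, RFC 3579) that NPS requires on EAP traffic, and the Response Authenticator (RFC 2865) that lets the switch confirm an Accept really came from a server holding the secret. The shared secret, identity and VLAN number are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used in the 802.1x exchange (RFC 2865, 2868, 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15          # the "NAS Port Type: Ethernet" condition in the plan
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet: 20-byte header followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt):
    """Return [(type, value), ...] for every attribute in a RADIUS packet."""
    out, i = [], 20
    while i + 2 <= len(pkt):
        a_type, a_len = pkt[i], pkt[i + 1]
        if a_len < 2:
            break                      # malformed attribute; stop rather than loop forever
        out.append((a_type, pkt[i + 2:i + a_len]))
        i += a_len
    return out


def _attr_offset(pkt, attr_type):
    """Byte offset of the first attribute of the given type, or None."""
    i = 20
    while i + 2 <= len(pkt):
        if pkt[i] == attr_type:
            return i
        if pkt[i + 1] < 2:
            break
        i += pkt[i + 1]
    return None


def message_authenticator(secret, pkt, authenticator):
    """HMAC-MD5 over the packet with the given Authenticator in the header and the
    Message-Authenticator value zeroed (RFC 3579 section 3.2)."""
    off = _attr_offset(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    zeroed = pkt[:4] + authenticator + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(secret, pkt, authenticator):
    """Packets carrying EAP-Message must carry a valid Message-Authenticator (RFC 3579)."""
    off = _attr_offset(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None:
        return False
    return hmac.compare_digest(message_authenticator(secret, pkt, authenticator), pkt[off + 2:off + 18])


def build_access_request(secret, ident, request_auth, identity):
    """Authenticator -> NPS: the supplicant's EAP-Response/Identity relayed in an Access-Request."""
    ident_b = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident_b), EAP_TYPE_IDENTITY) + ident_b
    attrs = (attr(ATTR_USER_NAME, ident_b)
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + message_authenticator(secret, pkt, request_auth)  # MA is the last attribute


def build_access_accept(secret, request_pkt, vlan_id):
    """NPS -> authenticator: EAP-Success plus the tunnel attributes that put the port in a VLAN."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    tag = b"\x00"                                   # tag 0: one untagged tunnel attribute set
    attrs = (attr(ATTR_TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(ATTR_TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode())
             + attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, 2, 4))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    # In a response the Message-Authenticator is keyed over the *Request* Authenticator.
    draft = packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    attrs = attrs[:-16] + message_authenticator(secret, draft, request_auth)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response_authenticator(secret, request_pkt, response_pkt):
    """The switch's check that an Accept was produced for *this* request by a holder of the secret."""
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20] + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def assigned_vlan(pkt):
    """VLAN named by an Accept, or None unless all three tunnel attributes say VLAN over 802."""
    attrs = dict(parse_attrs(pkt))
    needed = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in attrs for t in needed):
        return None
    if int.from_bytes(attrs[ATTR_TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs[ATTR_TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    return attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID][1:].decode()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value, not a real secret
    req = build_access_request(secret, 7, os.urandom(16), "host/wks01.corp.local")
    acc = build_access_accept(secret, req, 10)
    print("request Message-Authenticator valid:", verify_message_authenticator(secret, req, req[4:20]))
    print("accept Response Authenticator valid:", verify_response_authenticator(secret, req, acc))
    print("VLAN assigned by NPS:", assigned_vlan(acc))
```

Both checks depend only on the shared secret configured on the switch and in the NPS RADIUS client entry, which is why that secret must be long, per-authenticator, and never the one in a sample document. A switch that skips the Response Authenticator check would accept VLAN assignments from anything that can spoof the server's address.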
5 Implementation Tasks
The implementation tasks are organized into the following sections. In each section, the priorities
or strategies to be acted on by the implementation are listed, followed by specific action steps for
each priority / strategy.
5.1 Install Windows 2008 R2:
5.2 Install Network Policy Server:
Add Server Roles: Active Directory Certificate Services
Add Server Roles: Network Policy and Access Services
5.3 Plan and Configure VLAN structure:
Below is the list of VLANs that were deemed to be required. There will probably be cases where
additional VLANs are required by the colleges. These requests would be reviewed and decided upon
accordingly.
The VLANs can be configured to look like the following:
VLAN 10: Staff Workstation
VLAN 20: Printers
VLAN 30: Voice
And so on. If needed, going with blocks of ten will leave us the flexibility to add new VLANs.
5.4 Plan and Configure AD Group Structure:
Requirements:
o Active Directory will be used for NPS
o Groups must be used
o The design must allow for delegation of control
o The design should be set up for ease of operational management
Assumptions:
o There will be a specific, consistently-used name associated with each VLAN
("StaffWorkstations", "StaffPrinters", etc)
o For each VLAN managed by NPS, at least two new groups in AD must be created, with
possibly two more (bringing it to four)
• The first group contains computers within AD. These will be used by NPS to check
which VLAN a specific computer must go
• The second group is for MAC authentication. Usernames matching their MAC
addresses and appropriate passwords must be created.
• A third and fourth group may be needed for delegated management of the first two
groups
Initial Configuration:
Prerequisites
Need final list of all VLAN names
5.4 Client Settings:
Network configuration needs to be modified on the clients (Windows XP, Windows 7 and
Windows Vista) in order for them to authenticate to the network via 802.1X. In particular, the
following settings need to be enabled:
Authentication:
• Enable IEEE 802.1X authentication.
• Cache user information for subsequent connections to this network.
Protected EAP Properties:
• Uncheck Validate server certificate
• Enable Fast Reconnect
Authentication Method:
• Secure password (EAP-MSCHAP v2)
• Automatically use my Windows logon name and password (and domain if any).
Deployment Options:
• Manual change on each computer
• Scripts
• Group Policy
Out of the three deployment options, Group Policy would be the most ideal solution. The policy
that specifically contains the authentication and PEAP settings is called Wired Network (IEEE
802.3) Policies. This policy can be applied to the following clients: Windows XP SP3, Windows 7,
and Windows Vista.
After some thorough testing, we have found that certain settings will not work with Windows XP.
In order to resolve this issue, the Group Policy needs to be created from a Windows Server 2008
(not R2) or Windows Vista workstation. We recommend using a Windows Vista workstation.
The following steps outline the Group Policy deployment for the clients:
1. Create a new Group Policy with Windows Vista and configure it with the required settings.
2. Modify the policy so that the refresh occurs in 10 minutes instead of the default 90-120
minutes.
3. Disable 802.1X on switch ports
4. Apply the new Group Policy to the OU
5. Verify that the policy change took place.
6. Re-enable 802.1x on switch ports
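The client settings above end up in the wired (IEEE 802.3) profile that Group Policy pushes and that `netsh lan export profile` can write back out as XML, which is the natural place to verify, after step 5, that every workstation received what was intended. The following is an added example (not code from the plan or from Microsoft) that audits such a profile. The embedded profile is a constructed sample reflecting the settings listed in this section, not an export from a real host; the element names follow Microsoft's OneX and MsPeapConnectionProperties profile schema as this example understands them, so treat the paths as an assumption to confirm against an export from one of your own clients. From a defender's view the important finding is the "Validate server certificate" box: with it unchecked, the supplicant will complete PEAP with any RADIUS server that presents a certificate, so the audit reports that as HIGH and shows what the hardened profile looks like beside it.

```python
import xml.etree.ElementTree as ET

# Namespaces of the wired profile XML (assumed schema; verify against a real "netsh lan export profile").
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
    "mschap": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}

# Constructed sample profile carrying the plan's client settings: PEAP, EAP-MSCHAP v2, Fast Reconnect,
# Windows logon credentials, user-or-machine auth, and "Validate server certificate" unchecked.
SAMPLE_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <cacheUserData>true</cacheUserData>
   <authMode>machineOrUser</authMode>
   <EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
     <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
     <Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
       <Type>25</Type>
       <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
         <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
         <ServerNames></ServerNames>
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
         <Type>26</Type>
         <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
          <UseWinLogonCredentials>true</UseWinLogonCredentials>
         </EapType>
        </Eap>
        <PeapExtensions>
         <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
         <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
        </PeapExtensions>
       </EapType>
      </Eap>
     </Config>
    </EapHostConfig>
   </EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""

# The same profile hardened: server validation on, NPS certificate name pinned, machine-only auth.
HARDENED_PROFILE = (SAMPLE_PROFILE
                    .replace(">false</PerformServerValidation>", ">true</PerformServerValidation>")
                    .replace("<ServerNames></ServerNames>", "<ServerNames>rayite.corp.local</ServerNames>")
                    .replace("<authMode>machineOrUser</authMode>", "<authMode>machineOnly</authMode>"))


def _text(node, path):
    """Lower-cased text of the first element at a namespaced path, or None if absent."""
    found = None if node is None else node.find(path, NS)
    return None if found is None else (found.text or "").strip().lower()


def audit_wired_profile(xml_text):
    """Return a list of (severity, code, message) findings for one exported wired 802.1X profile."""
    onex = ET.fromstring(xml_text).find(".//onex:OneX", NS)
    if onex is None:
        return [("HIGH", "NO_ONEX", "profile has no 802.1X (OneX) configuration")]
    findings = []
    if _text(onex, "onex:authMode") != "machineonly":
        findings.append(("INFO", "USER_AUTH_ENABLED",
                         "authMode is not machineOnly; plan option 2 is machine authentication only"))
    if _text(onex, ".//base:Eap/base:Type") != "25":         # first Eap element is the outer method
        findings.append(("HIGH", "OUTER_NOT_PEAP", "outer EAP method is not PEAP (type 25)"))
        return findings
    peap = onex.find(".//peap:EapType", NS)
    if _text(peap, "peap:PeapExtensions/peap2:PerformServerValidation") != "true":
        findings.append(("HIGH", "SERVER_VALIDATION_OFF",
                         "client does not validate the RADIUS server certificate; a rogue server is accepted"))
    else:
        if not _text(peap, "peap:ServerValidation/peap:ServerNames"):
            findings.append(("MEDIUM", "NO_SERVER_NAME_PIN", "ServerNames empty: any trusted-CA cert is accepted"))
        if not _text(peap, "peap:ServerValidation/peap:TrustedRootCA"):
            findings.append(("MEDIUM", "NO_ROOT_CA_PIN", "no TrustedRootCA thumbprint: every machine root is trusted"))
    if _text(peap, "peap:FastReconnect") == "true":
        findings.append(("INFO", "FAST_RECONNECT", "Fast Reconnect enabled, as the plan requires"))
    if _text(peap, "base:Eap/base:Type") != "26":
        findings.append(("MEDIUM", "INNER_NOT_MSCHAPV2", "inner method is not EAP-MSCHAP v2 (type 26)"))
    elif _text(peap, "base:Eap/mschap:EapType/mschap:UseWinLogonCredentials") == "true":
        findings.append(("INFO", "WINLOGON_CREDS", "Windows logon credentials used automatically"))
    return findings


if __name__ == "__main__":
    for label, profile in (("plan settings", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for severity, code, message in audit_wired_profile(profile):
            print(f"  [{severity}] {code}: {message}")
```

Run it against a folder of exports gathered from a few workstations after the Group Policy refresh; a profile still showing SERVER_VALIDATION_OFF or USER_AUTH_ENABLED means the policy did not land or a different profile won. Because the switch port, not the workstation, is what 802.1x protects, the hardened profile also pins the NPS certificate name from the connection request policy so that only that server can complete the MS-CHAP v2 exchange.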
5.5 Plan and Configure NPS Policy Structure
The policies built within the Microsoft NPS are based on the Network Policy of Seacoast National
Bank.
There were two different options available on how we could configure the NPS to meet the needs
of the network policy. The options are:
Option 1: Configure NPS for User and Machine Authentication
- This option will provide users with the ability to access their data regardless of which
devices they are logging into. For example, a faculty member can walk into a computer
lab, log into the lab computer, and have access to all of their network resources as if they
were logged into their own PC.
Option 2: Configure NPS for Machine Authentication Only
- This option will provide users with the ability to access only the resources that the device
has access to. For example, a faculty member walks into a computer lab, logs into the lab
computer, and will only have access to the limited resources that the lab computer has
permission to.
I am recommending that we proceed with option 2. This will ease our policy configuration
requirements. The following are examples of how the NPS policies would be written:
Target:
- Staff Workstation | VLAN10: 172.16.10.0/24
- Printers | VLAN 50: 172.16.50.0/24
- Guest | VLAN 100: 172.16.100.0/24
Policies:
Connection Request Policies -
Condition:
Condition: NAS Port Type
Value: Ethernet
- Settings:
Authentication Methods: Override network policy authentication settings
EAP Types: Microsoft Protected EAP (PEAP)
- Configure Protected EAP Properties
o Certificate issued: rayite.corp.local
o Enable Fast Reconnect
o EAP Types: Secured password (EAP-MSCHAP v2)
Less secure authentication methods:
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
- Microsoft Encrypted Authentication (MS-CHAP)
- Encrypted Authentication (CHAP)
- Unencrypted Authentication (PAP)
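To show how the Conditions / Constraints / Settings structure of section 4.3 and the policy examples above decide a connection, here is an added example (not code from the plan or from NPS itself) modelling NPS network policy evaluation. It encodes the rule that practitioners most often trip over: NPS walks the policies in processing order, takes the first one whose conditions all match, and then applies only that policy's constraints; a failed constraint is an Access-Reject, not a fall-through to the next policy. Group names are constructed following the section 5.4 naming convention, the final deny policy is NPS's default "Connections to other access servers", and the VLAN numbers are the targets listed above.

```python
from dataclasses import dataclass, field
from typing import Optional

# RFC 2868 values NPS sends in a policy's Settings when it assigns a VLAN.
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


@dataclass
class NetworkPolicy:
    name: str
    nas_port_types: frozenset = frozenset()   # Condition; empty = any port type
    groups: frozenset = frozenset()           # Condition: member of any listed AD group; empty = any
    auth_methods: frozenset = frozenset()     # Constraint: permitted authentication methods
    vlan: Optional[int] = None                # Setting; None = leave the port in its default VLAN
    grant: bool = True                        # "Grant access" vs. "Deny access"


@dataclass
class Decision:
    code: str                                 # "Access-Accept" or "Access-Reject"
    policy: Optional[str]                     # name of the policy that produced the decision
    attributes: dict = field(default_factory=dict)


def vlan_attributes(vlan):
    """The three tunnel attributes an 802.1X switch needs to move the port into a VLAN."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan)}


def evaluate(policies, request):
    """First policy whose conditions all match wins; its constraints are then enforced in place."""
    for p in policies:
        if p.nas_port_types and request["nas_port_type"] not in p.nas_port_types:
            continue
        if p.groups and not (p.groups & request["groups"]):
            continue
        # Conditions matched: this policy decides. A deny policy or a failed constraint rejects.
        if not p.grant or request["auth_method"] not in p.auth_methods:
            return Decision("Access-Reject", p.name)
        return Decision("Access-Accept", p.name, vlan_attributes(p.vlan) if p.vlan else {})
    return Decision("Access-Reject", None)   # no policy matched at all


# Processing order mirrors the plan's targets. Group names are constructed examples of the
# per-VLAN "computers" and "MAC" groups described in section 5.4.
POLICIES = [
    NetworkPolicy("Staff Workstations", frozenset({"Ethernet"}),
                  frozenset({"NPS-StaffWorkstations-Computers"}), frozenset({"PEAP-MSCHAPv2"}), 10),
    NetworkPolicy("Printers (MAB)", frozenset({"Ethernet"}),
                  frozenset({"NPS-StaffPrinters-MAC"}), frozenset({"MAB"}), 50),
    NetworkPolicy("Connections to other access servers", grant=False),   # NPS default catch-all deny
]


def staff_request(auth_method="PEAP-MSCHAPv2"):
    """Constructed request for a domain workstation on a wired port."""
    return {"nas_port_type": "Ethernet",
            "groups": {"NPS-StaffWorkstations-Computers"},
            "auth_method": auth_method}


if __name__ == "__main__":
    for label, req in (("staff via PEAP", staff_request()),
                       ("staff via PAP", staff_request("PAP")),
                       ("printer via MAB", {"nas_port_type": "Ethernet",
                                            "groups": {"NPS-StaffPrinters-MAC"}, "auth_method": "MAB"}),
                       ("unknown device", {"nas_port_type": "Ethernet", "groups": set(), "auth_method": "MAB"})):
        d = evaluate(POLICIES, req)
        print(f"{label:16} -> {d.code} by {d.policy!r} {d.attributes}")
```

The "staff via PAP" case is the one to remember when debugging: the workstation is rejected by the Staff Workstations policy itself, because its constraints allow only PEAP-MSCHAPv2, and the Event Viewer entry will name that policy rather than the deny policy at the bottom. Keeping the MAB policy below the certificate-based one also means a printer's MAC that was added to both groups still gets the stronger policy first.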