802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security


Page 1: 802.1x Port Authentication via RADIUS

By Oswaldo Perdomo, cs580 Network Security

Page 2: What is 802.1x?

Defined by IEEE and designed to provide port-based network access control.

802.1x authenticates network clients using information unique to the client and credentials known only to the client. The service is known as port-level authentication.

Page 3: Benefits of 802.1x

802.1x is a LAN access control mechanism. It introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.

Page 4: 802.1x Framework

The framework is defined by three participants in the authentication process:

1. The supplicant: possibly a standalone device or an end user, such as a remote user.
2. The authenticator: a device to which the supplicant directly connects and through which the supplicant obtains network access permission.
3. The authentication server: the authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
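The gateway role described above is what the RADIUS part of the deck's title refers to: the authenticator copies the supplicant's EAP message into a RADIUS Access-Request and forwards the server's answer back. The following is an added example (not code from the slides or from Cisco) that shows, with only the Python standard library, how that encapsulation looks on the wire and how each side checks the other's packet. The shared secret "cisco" is the lab value from the slides' switch configuration; the identity, NAS address and Request Authenticator are constructed sample values.

```python
"""Added example, not from the slides: how the authenticator relays the
supplicant's EAP message to the authentication server inside a RADIUS
Access-Request, and how each side checks the other's packet.  Standard
library only; secret, addresses and identity below are constructed values
(the secret "cisco" is the lab value the slides' switch config uses)."""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# attribute types used here (RFC 2865, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 4, 5, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: Code=2, Id, Length, Type=1, identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(secret, radius_id, request_auth, identity, eap,
                         nas_ip, nas_port):
    """Authenticator side.  RFC 3579 requires a Message-Authenticator on any
    packet carrying EAP-Message: HMAC-MD5 keyed with the shared secret over
    the whole packet, with the Message-Authenticator value zeroed."""
    attrs = attr(USER_NAME, identity)
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(NAS_PORT, struct.pack("!I", nas_port))
    attrs += attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    attrs += attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))          # placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    header += request_auth                                    # 16 random bytes
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac      # swap the zeroed placeholder for the MAC


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side.  Walk the attributes, zero the Message-Authenticator,
    recompute the HMAC and compare in constant time.  A packet that carries
    EAP-Message without a Message-Authenticator is rejected."""
    pos, ma_at = 20, None
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                                      # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            ma_at = pos + 2
        pos += alen
    if ma_at is None or pos != len(packet):
        return False
    zeroed = packet[:ma_at] + bytes(16) + packet[ma_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[ma_at:ma_at + 16], expected)


def build_reply(code, radius_id, attrs, request_auth, secret):
    """Server side.  Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so a reply
    is bound to both the request it answers and the shared secret."""
    header = struct.pack("!BBH", code, radius_id, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, request_auth, secret) -> bool:
    """Authenticator side.  An Access-Accept is only honoured if its Response
    Authenticator matches; a reply from a host that does not hold the secret
    fails here instead of opening the port."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = build_reply(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected[4:20])


if __name__ == "__main__":
    import os
    secret, req_auth = b"cisco", os.urandom(16)
    eap = eap_response_identity(1, b"alice")
    req = build_access_request(secret, 7, req_auth, b"alice", eap, "10.252.252.252", 1)
    print("server accepts request:", verify_message_authenticator(req, secret))
    ok = build_reply(ACCESS_ACCEPT, 7, attr(EAP_MESSAGE, b"\x03\x01\x00\x04"), req_auth, secret)
    print("authenticator accepts reply:", verify_reply(ok, req_auth, secret))
    print("reply checked with wrong secret:", verify_reply(ok, req_auth, b"guess"))
```

Two points worth noticing: the whole binding between authenticator and server rests on the shared secret, which is why the short lab value used in the slides should be replaced by a long random one in production; and a real server also adds a Message-Authenticator to its Access-Challenge/Accept/Reject (computed over the Request Authenticator of the matching request), which this example leaves out to keep the reply check readable.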

Page 5: What is EAP?

EAP: Extensible Authentication Protocol. A flexible protocol used to carry arbitrary authentication information. It typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+.

EAP Messages

• Request: sent to the supplicant to indicate a challenge
• Response: the supplicant's reply message
• Success: notification to the supplicant of success
• Failure: notification to the supplicant of failure

Page 6: Benefits of EAP-TLS Authentication

• Passwords are not used at all. Instead, TLS public keys are used.
• The AAA server authenticates the client, but the client can also authenticate the AAA server.
• The AAA server receives a certificate from the client, verifies the authenticity of the certificate using the CA public key, then verifies the bearer's identity using the TLS handshake.

Page 7: EAP over 802.1x Frame Format
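The frame-format slide is a diagram, so as an added example (not from the slides) here is the same layout in code: an Ethernet frame with EtherType 0x888E carrying an EAPOL header (version, packet type, body length) and, for an EAP-Packet, the EAP header with the four message codes listed on the previous slide. The parser rejects truncated frames and inconsistent length fields, which is the behaviour a supplicant or authenticator needs when it reads frames off an untrusted link. The MAC addresses and identity in the demo are constructed values.

```python
"""Added example, not from the slides: a parser and builder for the frames
behind the "EAP over 802.1x Frame Format" slide, i.e. an EAP packet carried
in EAPOL inside an Ethernet frame.  Standard library only; the MAC addresses
and identity in the demo are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # destination of EAPOL-Start
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # the four kinds on the slide
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}


@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    version: int
    packet_type: str
    eap_code: Optional[str] = None      # only for EAP-Packet
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None      # only for Request/Response
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> EapolFrame:
    """Ethernet(14) + EAPOL header(4: version, type, body length) + body."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype {ethertype:#06x})")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length runs past end of frame")   # truncated
    f = EapolFrame(dst, src, version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:
        return f                        # Start/Logoff/Key carry no EAP packet
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length field inconsistent with body")
    f.eap_code, f.eap_id = EAP_CODES.get(code, f"unknown({code})"), eap_id
    if code in (1, 2):                  # Request/Response: Type byte + Type-Data
        if eap_len < 5:
            raise ValueError("Request/Response lacks Type field")
        f.eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        f.eap_data = bytes(body[5:eap_len])
    return f                            # Success/Failure are exactly 4 bytes


def build_eap(code, eap_id, eap_type=None, data=b"") -> bytes:
    """Code(1) Id(1) Length(2) [Type(1) Type-Data] for the four EAP codes."""
    if code in (1, 2):
        if eap_type is None:
            raise ValueError("Request/Response need a Type")
        return struct.pack("!BBHB", code, eap_id, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", code, eap_id, 4)


def build_eapol(dst, src, ptype, eap=b"", version=1) -> bytes:
    """Wrap an EAP packet (or nothing, for Start/Logoff) in EAPOL + Ethernet."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(eap)) + eap


if __name__ == "__main__":
    supp, auth = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    exchange = [
        build_eapol(PAE_GROUP_ADDRESS, supp, 1),                       # EAPOL-Start
        build_eapol(supp, auth, 0, build_eap(1, 1, 1)),                # Request/Identity
        build_eapol(auth, supp, 0, build_eap(2, 1, 1, b"alice")),      # Response/Identity
        build_eapol(supp, auth, 0, build_eap(3, 1)),                   # Success
    ]
    for frame in exchange:
        print(parse_eapol(frame))
```

The demo walks the minimal exchange from the EAP slide: the supplicant's EAPOL-Start to the PAE group address, the authenticator's Request/Identity, the Response/Identity carrying the bare identity, and the closing Success, which has no Type field at all.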

Page 8: Diagram of EAP-TLS Authentication

Page 9: Benefits of 802.1x with Cisco Secure ACS

• Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics.
• Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment.
• Identity-based session accounting and auditing, which enables tracking of client network usage.

Page 10: Configuring the Switch for 802.1x Port Authentication

GV-Rack1>s2
Translating "s2"
Trying s2 (1.1.1.1, 2015)... Open

Rack1S2>enable
Rack1S2#config t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1S2(config)#hostname mytest
mytest(config)#aaa new-model
mytest(config)#aaa authentication dot1x default group radius
mytest(config)#interface fastethernet0/1
mytest(config-if)#dot1x port-control auto
mytest(config-if)#radius-server host 10.252.252.252 auth-port 1812 key cisco
mytest(config)#end
mytest#s
12:06:37: %SYS-5-CONFIG_I: Configured from console by console
mytest#show dot1x
Sysauthcontrol = Disabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
Dot1x Oper Controlled Directions = Both
Dot1x Admin Controlled Directions = Both

Page 11: Catalyst 3550 series Configuration File

mytest#show running-config
Building configuration...

Current configuration : 2267 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mytest
!
aaa new-model
aaa authentication dot1x default group radius
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode dynamic desirable
 dot1x port-control auto
 spanning-tree portfast
!
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
!
radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 5 15
!
!
end
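One thing the two configuration slides show together is worth checking mechanically: the `show dot1x` output reports "Sysauthcontrol = Disabled", and the running config has no `dot1x system-auth-control` line. On Catalyst IOS that global command is what enables 802.1x; until it is present, `dot1x port-control auto` on FastEthernet0/1 is configured but not enforced. The following is an added example (not from the slides or from Cisco): a small audit script that reads an IOS running config and lists the settings a port-authentication deployment depends on. The config excerpt is abridged from the slide above; the check list, the weak-secret heuristic and the hardened variant are this example's own.

```python
"""Added example, not from the slides: an audit of a Catalyst running
config for the settings port authentication depends on.  The config
excerpt is abridged from the slide; the check list and the hardened
variant are this example's own."""
import re
from typing import Dict, List

REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",        # global enable; missing on the slide
]
RADIUS_HOST = re.compile(r"^radius-server host (\S+).*\bkey (\S+)")
WEAK_SECRETS = {"cisco", "secret", "password", "radius", "test"}   # heuristic list

SLIDE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface FastEthernet0/1
 switchport mode dynamic desirable
 dot1x port-control auto
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
!
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key Xk9-LongRandomSecret-42
!
"""


def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """{interface name: [its sub-commands]}; a bare '!' closes a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit(config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    for cmd in REQUIRED_GLOBAL:
        if cmd not in lines:
            findings.append(f"missing global command: {cmd}")
    servers = [m for m in map(RADIUS_HOST.match, lines) if m]
    if not servers:
        findings.append("no radius-server host configured")
    for m in servers:
        if m.group(2).lower() in WEAK_SECRETS:
            findings.append(f"RADIUS server {m.group(1)}: weak shared secret")
    for name, stanza in interface_stanzas(config).items():
        if not name.lower().startswith(("fastethernet", "gigabitethernet")):
            continue                                  # SVIs etc. are not access ports
        if "dot1x port-control auto" not in stanza:
            findings.append(f"{name}: dot1x port-control auto not set")
            continue
        # Catalyst guidance: 802.1x is supported on static-access ports only
        if "switchport mode access" not in stanza:
            findings.append(f"{name}: dot1x port should be 'switchport mode access', not dynamic")
        if "spanning-tree portfast" not in stanza:
            findings.append(f"{name}: spanning-tree portfast missing (supplicant may time out)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("slide config", SLIDE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run against the slide's config the script reports the missing global enable, the short shared secret and the `dynamic desirable` port mode (Catalyst documentation supports 802.1x on static-access ports only); against the hardened variant it reports nothing.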

Page 12: The Network

Page 13: EAP Port Configuration

Page 14: EAP-TLS Configuration

Page 15: Configure Authentication Server Authorization Policy

Page 16: Install ACS Certificate

Page 17: Install ACS Certificate (cont.)

Page 18: Configure Authenticator & Authentication Server

Page 19: Configure Supplicant & Authorization Policy

Page 20: Configure Supplicant & Authorization Policy (cont.)

Page 21: Configuring the Logging Scheme

Page 22: Any Questions?