What is 802.1x

802.1x Best Practices
Ing. Peter Feciľak
[email protected]
29.04.2008, KPI, FEI, TUKE.
Content of the presentation
• Basic terminology
– 802.1x
– RADIUS server
– Dynamic VLAN membership
• Why implement 802.1x?
• Problems in 802.1x implementation
• Discussion
What is 802.1x?
• IEEE standard for port-based Network Access Control
• Provides port-based authentication
• Supported in wired and wireless environments
802.1x terminology
RADIUS authentication server
• Provides authentication and other AAA services for the end device through a number of authentication mechanisms
• Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)
• Can be linked to an external user/computer database: Active Directory / LDAP / MySQL
• Supports delegation of requests (e.g. eduroam)
• Runs on different platforms:
– MS Windows: Cisco Secure Access Control Server
– Linux: FreeRADIUS / older versions of CS ACS
Authenticator – access layer
• Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)
• Three types of VLANs:
– Dynamic VLAN from RADIUS
– AUTH-FAIL VLAN
– GUEST-VLAN
• Catalyst switches support periodic re-authentication (see the vulnerability described by Steve Riley in 2005)
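As an added illustration that is not part of the original slides, the following Python models how an authenticator turns the RADIUS outcome into one of the three VLAN types listed above: it decodes the RFC 2868 tunnel attributes that RFC 3580 uses to carry a VLAN assignment (including the tag-byte rule for Tunnel-Private-Group-ID), falls back to the AUTH-FAIL VLAN on Access-Reject and to the GUEST-VLAN when no supplicant answers. The packet builder, the sample packets and the VLAN numbers are constructed for the example, not taken from any switch or RADIUS server.

```python
import struct

# RFC 2865 codes and the RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # Tunnel-Type=VLAN, Medium=IEEE-802

def build_packet(code, attrs):
    """Build a constructed test packet: header, zeroed Authenticator, TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def parse_packet(packet):
    """Return (code, [(type, value), ...]) and reject inconsistent lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20                  # attributes follow the 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def untag(atype, value):
    """Split off the RFC 2868 tag (0x00-0x1F); in Tunnel-Private-Group-ID a first byte above 0x1F is data."""
    if not value or (atype == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F):
        return 0, value
    return value[0], value[1:]

def decide_vlan(packet, port_vlan, auth_fail_vlan, guest_vlan, supplicant_present=True):
    """Port outcome: dynamic VLAN from RADIUS, AUTH-FAIL VLAN on Reject, GUEST-VLAN without supplicant."""
    if not supplicant_present:
        return guest_vlan
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:            # Access-Challenge etc. leave the port unauthorized
        return auth_fail_vlan if code == ACCESS_REJECT else None
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = untag(atype, value)
            groups.setdefault(tag, {})[atype] = data
    for g in groups.values():            # honour only a complete, consistent VLAN triple
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and g.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return port_vlan                     # Accept without VLAN attributes: static port VLAN
```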
802.1x Supplicant
• Application that provides authentication via EAP against the authenticator
• Possible types of authentication:
– Computer (domain account)
– User (domain account, OTP…)
– Computer with user account
• Supported under Windows and Linux
• Linux authentication tools:
– Xsupplicant (wired)
– wpa_supplicant (wireless)
– open1x
802.1x Linux Supplicant
fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
# Xsupplicant 1.x configuration for wired PEAP/MSCHAPv2 authentication
default_interface = eth0
default {
  type = wired
  allow_types = eap-peap
  # outer identity, sent in the clear before the TLS tunnel is established
  identity = "pfecilak"
  eap-peap {
    inner_id = "pfecilak"
    # NONE disables validation of the RADIUS server certificate, so the
    # client cannot distinguish a rogue authentication server from the real one
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes
    eap-mschapv2 {
      username = "pfecilak"
      # stored in clear text: keep this file readable by root only
      password = "Moje1Tajne2Heslo3!#"
    }
  }
}
802.1x Windows Supplicant
• Native 802.1x supplicant under:
– MS Windows XP
– MS Vista
– MS Windows 2000 (latest SP)
• External supplicants:
– Cisco Secure Services Agent
• User-authentication GUI agent (figure)
Why implement 802.1x?
• Provide port-based control for accessing network resources (problems with controlling physical access)
• Identify regular network users. Provide them easy access to network resources. Isolate non-regular users from the internal infrastructure.
• Apply different security levels for specified communities of users.
• Provide mobility features via RADIUS and dynamic VLAN membership
Number of Security Levels
• Identify user/computer roles and grant them access to network resources as defined by their security level.
Problems in 802.1x implementation
• Devices that do not support 802.1x connected at the access layer cause problems (e.g. hubs / unmanageable switches)
• Computers connected through IP phones that do not support 802.1x have problems with authentication
• Periodic re-authentication can cause problems in a large domain
• Computer authentication combined with user-to-VLAN mapping can cause problems during the IP settings renewal process
• The Authentication tab is not shown in the local area network configuration (requires Wireless Zero Configuration)
Best practices
• When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts
• Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with a domain account is better
• Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication
• I recommend using 1 server per 100 computers when re-authentication every 5 minutes is used
Classification into profiles for providing different security levels:
• User Network
– For regular users, granting access to network resources
• Visitors Network
– For guest access from the internal infrastructure, granting only Internet access
• Guest/Auth-fail VLAN
– Fully isolated network. No network resources can be accessed.
Discussion / Questions and Answers
Redundant topologies
• Problem (figure)
• Solution – redundant gateways (figure: two gateways, 192.168.1.1 and 192.168.1.2, on 192.168.1.0/24)
• Solution – HSRP (figure: GW-1-1 and GW-1-2 as master/slave behind the virtual router address 192.168.1.3)
First Hop Redundancy Protocols:
• HSRP
• VRRP
• GLBP
Example – HSRP
GW-1-1(config)# interface FastEthernet 0/0
GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
GW-1-1(config-if)# ! lower priority: GW-1-1 is the standby router for group 1
GW-1-1(config-if)# standby 1 priority 80
GW-1-1(config-if)# standby 1 preempt
GW-1-1(config-if)# ! shared virtual gateway address used by the hosts
GW-1-1(config-if)# standby 1 ip 192.168.1.3
GW-1-1(config-if)# no shutdown
GW-1-2(config)# interface FastEthernet 0/0
GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
GW-1-2(config-if)# ! higher priority: GW-1-2 becomes the active router
GW-1-2(config-if)# standby 1 priority 150
GW-1-2(config-if)# ! preempt lets GW-1-2 reclaim the active role after it recovers
GW-1-2(config-if)# standby 1 preempt
GW-1-2(config-if)# standby 1 ip 192.168.1.3
GW-1-2(config-if)# no shutdown
Host configuration:
IP: 192.168.1.100
Netmask: 255.255.255.0
Gateway: 192.168.1.3 (the HSRP virtual address)
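As an added example, not part of the original slides, the following Python models the HSRP active-router election for the two gateways configured above: the highest priority wins, a tie goes to the higher interface IP, and only a router with preempt configured takes the role back after it recovers. The gateway table mirrors the slide's configuration and the up/down event sequences are constructed; the code is a model, not router output.

```python
from ipaddress import IPv4Address

# Constructed model of the two gateways on the slide:
# name -> (interface IP, standby priority, preempt)
GATEWAYS = {
    "GW-1-1": ("192.168.1.2", 80, True),
    "GW-1-2": ("192.168.1.1", 150, True),
}

def elect_active(routers, up):
    """HSRP election: highest priority wins, ties go to the highest interface IP."""
    alive = [name for name in routers if name in up]
    if not alive:
        return None
    return max(alive, key=lambda n: (routers[n][1], IPv4Address(routers[n][0])))

def simulate(routers, events):
    """Replay (router, "up"/"down") events and return the active router after each.

    A router that is already active keeps the role unless a better candidate has
    preempt configured, so without preempt a recovered higher-priority router
    stays standby until the current active router fails."""
    up, active, history = set(), None, []
    for name, state in events:
        if state == "up":
            up.add(name)
        else:
            up.discard(name)
        best = elect_active(routers, up)
        if active not in up:                 # active router gone (or none yet)
            active = best
        elif best != active and routers[best][2]:
            active = best                    # preemption by a better router
        history.append(active)
    return history
```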
End of the presentation
Thank you for your attention.
Modern education for the knowledge society.
The project is co-financed by EU funds.