802.1x Port Authentication via TACACS+ or RADIUS

802.1x Port Authentication
via RADIUS
By Oswaldo Perdomo
cs580 Network Security
What is 802.1x?
• Defined by IEEE and designed to provide port-based network access control.
• 802.1x authenticates network clients using information unique to the client and with credentials known only to the client.
• The service is known as port-level authentication.
Benefits of 802.1x
• 802.1x is a LAN access control.
• 802.1x introduces the ability to provide Authentication, Authorization, and Accounting (AAA) for LAN access using a standard approach.

802.1x Framework

The framework is defined by three authentication roles:
1. The supplicant
   • Possibly a standalone device or an end user, such as a remote user.
2. The authenticator
   • A device to which the supplicant directly connects and through which the supplicant obtains network access permission.
3. The authentication server
   • The authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
What is EAP?

EAP: Extensible Authentication Protocol
• A flexible protocol used to carry arbitrary authentication information.
• Typically rides on top of another protocol such as 802.1x or RADIUS/TACACS+.
EAP Messages

• Request: sent to the supplicant to indicate a challenge.
• Response: the supplicant's reply message.
• Success: notification to the supplicant of success.
• Failure: notification to the supplicant of failure.
Benefits of EAP-TLS Authentication

• Passwords are not used at all; instead, TLS public-key authentication is used.
• The AAA server authenticates the client, but the client can also authenticate the AAA server.
• The AAA server receives a certificate from the client, verifies the authenticity of the certificate using the CA's public key, then verifies the identity of the bearer using the TLS handshake.
[figure: EAP over 802.1x Frame Format]
[figure: Diagram of EAP-TLS Authentication]
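The four EAP message kinds and the EAPOL encapsulation from the two slides above, as an added example that is not part of the original presentation: a small parser for the EAPOL PDU that follows the Ethernet header (EtherType 0x888E), with the EAPOL and EAP length fields validated against the bytes actually present so that a padded or truncated frame is handled rather than read past. The sample exchange (Start, Request/Identity, Response/Identity, Request/EAP-TLS, Success) is constructed for the example, not captured from the lab in the slides.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Packet Type values from the EAPOL header (IEEE 802.1X).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP Code values (RFC 3748): the four message kinds listed on the slides.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method Type values that appear in Request/Response packets.
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}


@dataclass
class EapolFrame:
    version: int
    packet_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""


def parse_eapol(body: bytes) -> EapolFrame:
    """Parse the EAPOL PDU that follows the Ethernet header.

    Layout: EAPOL = Version(1) | Packet Type(1) | Body Length(2) | Body
            EAP   = Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]
    Every length field is checked against the bytes present, so a truncated
    or padded frame cannot make the parser read outside its buffer.
    """
    if len(body) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", body[:4])
    if len(body) < 4 + length:
        raise ValueError("EAPOL body length exceeds frame")
    payload = body[4:4 + length]          # Ethernet padding after this is ignored
    frame = EapolFrame(version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:
        return frame                      # Start/Logoff/Key carry no EAP packet
    if len(payload) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", payload[:4])
    if eap_len < 4 or eap_len > len(payload):
        raise ValueError("bad EAP length")
    frame.eap_code = EAP_CODES.get(code, f"unknown({code})")
    frame.eap_id = ident
    if code in (1, 2):                    # only Request/Response carry a Type octet
        if eap_len < 5:
            raise ValueError("Request/Response without Type")
        frame.eap_type = EAP_TYPES.get(payload[4], f"unknown({payload[4]})")
        frame.eap_data = payload[5:eap_len]
    return frame


def describe(frame: EapolFrame) -> str:
    """One-line summary of a frame, e.g. for a port-authentication log."""
    if frame.eap_code is None:
        return frame.packet_type
    text = f"EAP {frame.eap_code} id={frame.eap_id}"
    if frame.eap_type is not None:
        text += f" type={frame.eap_type}"
    return text


# Constructed sample exchange (hex of the EAPOL PDU only); not a capture from the slides.
SAMPLE_EXCHANGE = [
    "01010000",                      # supplicant -> authenticator: EAPOL-Start
    "010000050101000501",            # authenticator -> supplicant: EAP Request/Identity, id 1
    "0100000a0201000a01616c696365",  # supplicant -> authenticator: EAP Response/Identity "alice"
    "01000006010200060d20",          # EAP Request/EAP-TLS (Start flag) relayed from the server, id 2
    "0100000403020004" + "00" * 10,  # EAP Success, id 2, followed by Ethernet padding
]


def summarize_exchange(hex_frames) -> list:
    """Parse each frame and return its one-line description."""
    return [describe(parse_eapol(bytes.fromhex(h))) for h in hex_frames]


if __name__ == "__main__":
    for line in summarize_exchange(SAMPLE_EXCHANGE):
        print(line)
```

The authenticator only relays EAP between supplicant and server, so the same parser applies to the EAP packet whether it is read from an EAPOL frame on the switch port or from the EAP-Message attribute of a RADIUS packet.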
Benefits of 802.1x with Cisco Secure ACS

• Flexible authentication options using public key infrastructure (PKI), tokens, smart cards, and in the future, biometrics.
• Flexible policy assignment, such as per-user session quotas, time of day, and virtual LAN (VLAN) assignment.
• Identity-based session accounting and auditing, which enables tracking of client network usage.
Configuring the Switch for 802.1x Port Authentication

GV-Rack1>s2
Translating "s2"
Trying s2 (1.1.1.1, 2015)... Open
Rack1S2>enable
Rack1S2#config t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1S2(config)#hostname mytest
mytest(config)#aaa new-model
mytest(config)#aaa authentication dot1x default group radius
mytest(config)#interface fastethernet0/1
mytest(config-if)#dot1x port-control auto
mytest(config-if)#radius-server host 10.252.252.252 auth-port 1812 key cisco
mytest(config)#end
mytest#s
12:06:37: %SYS-5-CONFIG_I: Configured from console by console
mytest#show dot1x
Sysauthcontrol                    = Disabled
Supplicant Allowed In Guest Vlan  = Disabled
Dot1x Protocol Version            = 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both

Catalyst 3550 series Configuration File
mytest#show running-config
Building configuration...
Current configuration : 2267 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mytest
!
aaa new-model
aaa authentication dot1x default group radius
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode dynamic desirable
dot1x port-control auto
spanning-tree portfast
!!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
!
radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 5 15
!
!
end
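An added example, not part of the presentation: a small audit script that reads a Catalyst running-config like the one above and reports what would keep 802.1x from actually protecting the port. The embedded SAMPLE_CONFIG is the slide's configuration trimmed to the relevant lines (with the one-space indentation IOS prints for interface sub-commands). The checks rest on IOS behaviour that the slides' own output corroborates: without the global `dot1x system-auth-control` command, `show dot1x` reports `Sysauthcontrol = Disabled` and no port is challenged, whatever `dot1x port-control auto` says; 802.1x is supported only on static access ports, not on trunk or dynamic ports such as the `switchport mode dynamic desirable` shown; and with `no service password-encryption` the RADIUS key `cisco` sits in clear text in the configuration. MIN_SECRET_LEN is an assumed local policy threshold, not an IOS limit.

```python
import re

# Constructed sample: the switch running-config from the slides, trimmed to the
# lines that matter for 802.1x, with IOS' one-space indentation of sub-commands.
SAMPLE_CONFIG = """\
hostname mytest
!
aaa new-model
aaa authentication dot1x default group radius
!
no service password-encryption
!
interface FastEthernet0/1
 switchport mode dynamic desirable
 dot1x port-control auto
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
radius-server host 10.252.252.252 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
!
end
"""

MIN_SECRET_LEN = 16   # assumed local policy for RADIUS shared secrets, not an IOS limit


def parse_config(text: str):
    """Split an IOS running-config into global commands and per-interface sub-commands.
    A line beginning with '!' ends the current interface block."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_dot1x(text: str) -> list:
    """Return findings that would keep 802.1x from actually protecting the ports."""
    global_cmds, interfaces = parse_config(text)
    findings = []

    def present(cmd):
        return cmd in global_cmds

    if not present("aaa new-model"):
        findings.append("global: 'aaa new-model' missing, AAA method lists are not applied")
    if not any(re.match(r"aaa authentication dot1x \S+ group (radius|tacacs\+)", c)
               for c in global_cmds):
        findings.append("global: no 'aaa authentication dot1x' method list")
    # Without this command 'show dot1x' reports Sysauthcontrol = Disabled and every
    # port stays authorized regardless of its dot1x port-control setting.
    if not present("dot1x system-auth-control"):
        findings.append("global: 'dot1x system-auth-control' missing, 802.1x is not enforced")

    servers = [c for c in global_cmds if c.startswith("radius-server host ")]
    if not servers:
        findings.append("global: no 'radius-server host' configured")
    for srv in servers:
        m = re.search(r"\bkey (\S+)", srv)
        if m and len(m.group(1)) < MIN_SECRET_LEN:
            findings.append(f"global: RADIUS shared secret shorter than {MIN_SECRET_LEN} characters")
        if m and present("no service password-encryption"):
            findings.append("global: RADIUS shared secret is stored in clear text in the running-config")

    for name, cmds in interfaces.items():
        if "dot1x port-control auto" not in cmds:
            continue
        mode = next((c for c in cmds if c.startswith("switchport mode ")), "switchport mode (default)")
        # 802.1x is only supported on static access ports, not trunk or dynamic ports.
        if mode != "switchport mode access":
            findings.append(f"{name}: dot1x port-control on a non-access port ('{mode}')")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```

Run against the slide's configuration the script reports the missing `dot1x system-auth-control`, the dynamic port mode on FastEthernet0/1, and the clear-text, short shared secret; after adding the global command, setting `switchport mode access`, enabling `service password-encryption` and using a longer key it reports nothing.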
[figure: The Network]
[figure: EAP Port Configuration]
[figure: EAP-TLS Configuration]
[figure: Configure Authentication Server Authorization Policy]
[figure: Install ACS Certificate]
[figure: Install ACS Certificate Cont.]
[figure: Configure Authenticator & Authentication Server]
[figure: Configure Supplicant & Authorization Policy]
[figure: Configure Supplicant & Authorization Policy Cont.]
[figure: Configuring The Logging Scheme]
Any Questions?