Seacoast National Bank 802.1x Implementation Plan
Microsoft Network Policy Server (NPS)
IMPLEMENTATION PLAN
Page 1 of 13
Table of Contents
1.1 Purpose .... 3
1.2 System Overview .... 3
1.3 System Description .... 3
1.4 Assumptions and Constraints .... 3
1.5 Benefits .... 3
2 Hardware and Software Requirements .... 4
2.1 Hardware Requirements .... 4
2.2 Software Requirements .... 4
3 Design Topology .... 5
3.1 The CCC NPS Topology .... 6
3.2 Topology Layout Details .... 7
4 Components of the NPS Infrastructure .... 8
4.1 Access Clients .... 9
4.2 Access Servers (RADIUS Clients) .... 9
4.3 NPS Servers (RADIUS Servers) .... 9
4.4 User Accounts Databases .... 9
4.5 Authentication Flow and EAP/RADIUS Message Exchange .... 10
5 Implementation Tasks .... 11
5.1 Install Windows 2008 R2 .... 11
5.2 Install Network Policy Server .... 11
5.3 Plan and Configure VLAN Structure .... 11
5.4 Plan and Configure AD Group Structure .... 11
5.4 Client Settings .... 12
5.5 Plan and Configure NPS Policy Structure .... 13
1 Introduction
1.1 Purpose
Currently, anyone (customers, vendors, consultants, etc.) can plug a network device into a wall jack in our buildings and reach our network resources, even though they are not Seacoast employees. Although we have a solution in place to mitigate these types of intrusions, it is reactive in nature. This gives someone with malicious intent the opportunity to launch a variety of attacks, such as breaking into specific servers, eavesdropping on network packets, and unleashing a worm or Denial of Service (DoS) attacks.
I am proposing the implementation of a proactive network security solution based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard for network device authentication and on Microsoft Network Policy Server (NPS), Microsoft's implementation of RADIUS, to provide fine-grained wired computer authentication and authorization that controls access to network resources.
1.2 System Overview
The Network Policy Server (NPS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS). It will perform centralized connection authentication, authorization, and accounting for wired and wireless network access.
1.3 System Description
The Network Policy Server will give Seacoast National Bank the ability to implement and manage machine and user authentication and authorization for Seacoast-owned and non-Seacoast-owned devices. The Network Policy Server grants access to the appropriate resources via NPS Connection Request Policies and Network Policies, which are based on multiple conditions such as user ID, machine ID, switch, access point, etc.
1.4 Assumptions and Constraints
• The implementation project is to begin August 30, 2013 and be completed by DTBD.
• Implementation will begin with the building at 973 SE Federal HWY and then move on to the main office at 815 S. Colorado Ave.
• If needed, this solution can also be implemented at the branch offices.
1.5 Benefits
• Encryption of Wireless Keys
• Strong Authentication
• Secure Access Control
2 Hardware and Software Requirements
This section describes the hardware components required to install Windows 2008 R2 and the software requirements for installing Microsoft NPS.
2.1 Hardware Requirements:
The following table lists the minimum and recommended hardware components required to support Microsoft NPS.

Component         Minimum   Recommended
Single CPU speed  2.5 GHz   3.5 GHz or faster
Dual CPU speed    2.0 GHz   3.0 GHz or faster
RAM               2.0 GB    4.0 GB or more
Disk Space        10 GB     100 GB or more

The following is the hardware specification we are recommending. It is also the specification we are using for the NPS at the system office.
• Processor: 1 CPU
• Memory: 4 GB
• Disk: 100 GB
2.2 Software Requirements:
This section lists the server, server roles, and features that need to be added in order to implement Microsoft NPS.
• Windows Server 2008 R2 Enterprise Edition (Operating System)
• Active Directory Certificate Services (Server Role)
• Network Policy and Access Services (Server Role)
• Web Server (Server Role)
• Group Policy Management (Feature)
Note: Windows Server 2008 Standard Edition is limited to a maximum of 50 RADIUS clients (authenticators) and a maximum of 2 remote RADIUS server groups. For this reason, I am recommending that we go with Windows Server 2008 Enterprise Edition, which provides an unlimited number of RADIUS clients (authenticators) and remote RADIUS server groups.
Microsoft NPS can be installed either on stand-alone physical hardware or in a virtualized environment. We are installing all of our Microsoft Network Policy Servers on the Microsoft Hyper-V platform.
3 Design Topology
Figure 3.1.1 (topology diagram; image not reproduced in this text)
Figure 3.1.2 (topology diagram; image not reproduced in this text)
3.2 The Seacoast NPS Topology:
The NPS will be deployed as a RADIUS proxy. The RADIUS proxy approach will provide us with a
High Availability (HA) authentication, authorization, and accounting solution.
3.3 Topology Layout Details:
MAIN OFFICE
RADIUS clients (wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers, also known as "authenticators" or "Network Access Servers") are configured to connect to two NPS proxy servers. One NPS proxy is used as the primary RADIUS proxy and the other as a backup. If the primary NPS proxy becomes unavailable, RADIUS clients send their Access-Request messages to the alternate NPS proxy. The primary server will be installed as a virtual machine and the secondary server on a physical server. Data is mirrored to the secondary server at regular intervals and also manually, through a script, after any changes are made.
The NPS proxy servers will point to two Remote RADIUS Server Groups. The first Remote RADIUS Server Group will contain servers that are members of AD and will provide authentication and authorization for computers in the Seacoast "Corp" domain. The second Remote RADIUS Server Group will contain servers that are members of a workgroup and not members of AD. The local database on these servers will contain groups and MAC addresses for devices that are not 802.1x capable (printers, VoIP phones, laptops from branch offices, etc.). There will be two servers in each of the two Remote RADIUS Server Groups; in each group the primary server will be installed as a virtual machine and the secondary server on a physical server.
BRANCH OFFICE
A hybrid solution consisting of 802.1x with MAC Authentication Bypass (MAB) and Port Security with Sticky MAC will be implemented at the branch offices. The publicly accessible ports (conference rooms, waiting areas, etc.) will use 802.1x with MAC Authentication Bypass, authenticating against the NPS servers located at the main office. The static ports in the offices will use Port Security with Sticky MAC, which lets the switch interfaces learn the MAC addresses of trusted Seacoast workstations and ensures that any new device is denied access.
Note: See Figures 3.1.1 and 3.1.2 for full visual details.
4 Components of the NPS Infrastructure
There are four components to our implementation of the NPS infrastructure: access clients, access
servers (RADIUS clients), NPS servers (RADIUS servers), and user account databases.
The following figure illustrates the relationships between the four components of the NPS
infrastructure.
How Does 802.1x Work?
An 802.1X network requires only three components to operate, each of which is referred to in terms that are somewhat unique to this standard. Those components are:
4.1 Access Clients:
An access client is a device that requires some level of access to the network. Examples of access clients are computers, laptops, smart phones, IP phones, printers, etc. The following needs to be configured on the access clients in order to function with NPS:
• 802.1x Supplicant
• PEAP settings
4.2 Access Servers / Authenticators (RADIUS Clients):
An access server (authenticator) is a device that provides some level of access to the network. An access server acts as a RADIUS client, sending connection requests and accounting messages to a RADIUS server. Examples of access servers are switches, wireless LAN controllers, wireless APs, etc. The following needs to be configured on the access servers in order to function with NPS:
• 802.1x settings
• RADIUS settings
• VLANs
4.3 NPS Servers (RADIUS Servers) / Authentication Server:
An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. The following needs to be configured on the NPS servers:
• Connection Request Policies
• Network Policies: designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. The following are matched to allow access:
  o Conditions: matched against groups in AD (user account database)
  o Constraints: authentication methods (access client PEAP settings)
  o Settings: sends the client to the correct VLAN (access server VLAN settings)
4.4 User Accounts Databases:
The user account database is the list of user accounts and their properties that a RADIUS server can check to verify authentication credentials and to read the account properties that carry authorization and connection parameter information.
The user account database that NPS can use is the one provided with Active Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations:
• In the domain in which the NPS server is a member.
• In domains that have a two-way trust with the NPS server domain.
• In trusted forests with domain controllers running Windows Server 2008 and AD DS.
4.5 Authentication Flow and EAP/RADIUS Message Exchange:
Figure 4.5.1 below shows the 802.1x authentication flow and the roles that the authenticator, AD and NPS play in the decision-making process. The chart also shows the message exchange that happens during this process.
Figure 4.5.1 (authentication flow chart; image not reproduced in this text)
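The exchange summarised in Figure 4.5.1, modelled in Python as an added example (not code from this plan or from Microsoft): the authenticator wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request, NPS replies with an Access-Accept whose Tunnel attributes carry the policy's VLAN, and the authenticator verifies both integrity fields before moving the port. Encodings follow RFC 2865, RFC 2868 and RFC 3579; the shared secret, MAC address, machine identity and NAS address are constructed values.

```python
"""Modelled 802.1X/RADIUS exchange: authenticator -> NPS Access-Request, NPS -> Access-Accept."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 64, 65, 79, 80
TUNNEL_PRIVATE_GROUP_ID = 81
NAS_PORT_TYPE_ETHERNET = 15          # the Connection Request Policy condition in section 5.5
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def attr(atype, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type value: one tag byte plus a 3-byte integer (RFC 2868)."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]

def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs

def build_packet(code, ident, authenticator, attrs, secret):
    """Assemble a packet whose last attribute is a valid Message-Authenticator: HMAC-MD5 over the
    whole packet with that value zeroed, keyed by the shared secret (RFC 3579 3.2, mandatory with EAP)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def access_request(ident, secret, mac_addr, identity, nas_ip, request_auth=None):
    """Authenticator side: wrap the supplicant's EAP-Response/Identity in an Access-Request."""
    request_auth = request_auth or os.urandom(16)          # 16 fresh random bytes (RFC 2865)
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity  # Code 2 Response, Type 1 Identity
    attrs = [
        attr(USER_NAME, identity),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(CALLING_STATION_ID, mac_addr.encode()),       # MAC address seen on the switch port
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        attr(EAP_MESSAGE, eap),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs, secret), request_auth

def access_accept(request_pkt, secret, vlan_id):
    """NPS side: Access-Accept carrying EAP-Success and the Network Policy VLAN settings."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    eap_success = struct.pack("!BBH", 3, ident, 4)           # EAP Code 3 = Success, relayed to the supplicant
    attrs = [
        attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),
        attr(EAP_MESSAGE, eap_success),
    ]
    # Message-Authenticator is computed with the *Request* Authenticator in the header ...
    pkt = build_packet(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    # ... then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)
    response_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + response_auth + pkt[20:]

def verify_response(pkt, request_auth, secret):
    """Authenticator check before the port is opened: both integrity fields must verify, so an
    Access-Accept not produced by a holder of the shared secret (or altered in transit) is dropped."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    attrs = parse_attrs(pkt[20:])
    got = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if got is None:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    mac = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, got)

def assigned_vlan(pkt):
    """VLAN the switch should place the port in; None unless the RFC 2868 triple is complete."""
    attrs = dict(parse_attrs(pkt[20:]))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_MEDIUM_802)[1:]:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group[1:]) if group else None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"                  # constructed sample value
    req, ra = access_request(7, secret, "00-11-22-33-44-55", b"host/ws01.corp.local", "172.16.10.2")
    acc = access_accept(req, secret, 10)                    # "Staff Workstation -> VLAN 10"
    print("verified:", verify_response(acc, ra, secret), "VLAN:", assigned_vlan(acc))
```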
5 Implementation Tasks
The implementation tasks are organized into the following sections. In each section, the priorities or strategies to be acted on by the implementation are listed, followed by specific action steps for each priority or strategy.
5.1 Install Windows 2008 R2:
5.2 Install Network Policy Server:
• Add Server Roles: Active Directory Certificate Services
• Add Server Roles: Network Policy and Access Services
5.3 Plan and Configure VLAN Structure:
Below is the list of VLANs that were deemed to be required. There will probably be cases where additional VLANs are required by the colleges. These requests would be reviewed and decided upon accordingly.
The VLANs can be configured to look like the following:
VLAN 10: Staff Workstation
VLAN 20: Printers
VLAN 30: Voice
And so on. If needed, numbering in blocks of ten leaves us room and flexibility to add new VLANs.
5.4 Plan and Configure AD Group Structure:
Requirements:
• Active Directory will be used for NPS
• Groups must be used
• The design must allow for delegation of control
• The design should be set up for ease of operational management
Assumptions:
• There will be a specific, consistently used name associated with each VLAN ("StaffWorkstations", "StaffPrinters", etc.)
• For each VLAN managed by NPS, at least two new groups must be created in AD, with possibly two more (bringing it to four):
  o The first group contains computers within AD. NPS uses it to check which VLAN a specific computer must go to.
  o The second group is for MAC authentication. Usernames matching the devices' MAC addresses, with appropriate passwords, must be created.
  o A third and fourth group may be needed for delegated management of the first two groups.
Initial Configuration:
Prerequisites:
• Final list of all VLAN names is needed.
5.4 Client Settings:
Network configuration needs to be modified on the clients (Windows XP, Windows 7 and Windows Vista) in order for them to authenticate to the network via 802.1X. In particular, the following settings need to be enabled:
Authentication:
• Enable IEEE 802.1X authentication.
• Cache user information for subsequent connections to this network.
Protected EAP Properties:
• Uncheck Validate server certificate
• Enable Fast Reconnect
Authentication Method:
• Secure password (EAP-MSCHAP v2)
• Automatically use my Windows logon name and password (and domain if any).
Deployment Options:
• Manual change on each computer
• Scripts
• Group Policy
Out of the three deployment options, Group Policy would be the most ideal solution. The policy
that specifically contains the authentication and PEAP settings is called Wired Network (IEEE
802.3) Policies. This policy can be applied to the following clients: Windows XP SP3, Windows 7,
and Windows Vista.
After some thorough testing, we have found that certain settings will not work with Windows XP.
In order to resolve this issue, the Group Policy needs to be created from a Windows Server 2008
(not R2) or Windows Vista workstation. We recommend using Windows Vista workstation.
The following steps outline the Group Policy deployment for the clients:
1. Create a new Group Policy with Windows Vista and configure it with the required settings.
2. Modify the policy so that the refresh occurs in 10 minutes instead of the default 90-120 minutes.
3. Disable 802.1X on switch ports.
4. Apply the new Group Policy to the OU.
5. Verify that the policy change took place.
6. Re-enable 802.1x on switch ports.
5.5 Plan and Configure NPS Policy Structure
The policies built within Microsoft NPS are based on the Network Policy of Seacoast National Bank.
There were two different options available for configuring NPS to meet the needs of the network policy. The options are:
Option 1: Configure NPS for User and Machine Authentication
- This option gives users the ability to access their data regardless of which device they log into. For example, a faculty member can walk into a computer lab, log into the lab computer, and have access to all of their network resources as if they were logged into their own PC.
Option 2: Configure NPS for Machine Authentication Only
- This option gives users the ability to access only the resources that the device has access to. For example, a faculty member walks into a computer lab, logs into the lab computer, and only has access to the limited resources that the lab computer has permission to reach.
I am recommending that we proceed with option 2. This will ease our policy configuration requirements. The following are examples of how the NPS policies would be written:
Target:
- Staff Workstation | VLAN 10: 172.16.10.0/24
- Printers | VLAN 50: 172.16.50.0/24
- Guest | VLAN 100: 172.16.100.0/24
Policies:
Connection Request Policies -
Conditions:
• Condition: NAS Port Type
• Value: Ethernet
Settings:
• Authentication Methods: Override network policy authentication settings
• EAP Types: Microsoft Protected EAP (PEAP)
  - Configure Protected EAP Properties
    o Certificate issued: rayite.corp.local
    o Enable Fast Reconnect
    o EAP Types: Secured password (EAP-MSCHAP v2)
• Less secure authentication methods:
  - Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
  - Microsoft Encrypted Authentication (MS-CHAP)
  - Encrypted Authentication (CHAP)
  - Unencrypted Authentication (PAP)
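Sections 5.4 and 5.5 together define the policy structure; the following Python, an added example rather than anything from the plan or from Microsoft, models how NPS evaluates it: the connection request policy first, then the network policies in order, where the first policy whose conditions (AD group) match decides and failing constraints (authentication method) reject rather than fall through to the next policy. Group members, MAC addresses and the Guest fallback policy are constructed assumptions.

```python
"""Modelled first-match evaluation of the NPS policy structure described in sections 5.4 and 5.5."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Section 5.4: per VLAN, one AD group of computers and one group of MAC-address accounts (MAB).
# Members are constructed sample values.
AD_GROUPS = {
    "StaffWorkstations": {"host/ws01.corp.local", "host/ws02.corp.local"},
    "StaffPrinters-MAC": {"001122aabbcc"},              # MAB account: username = MAC address
}

# Section 5.5 target VLANs.
VLANS = {"Staff Workstation": 10, "Printers": 50, "Guest": 100}


@dataclass
class Request:
    nas_port_type: str          # RADIUS NAS-Port-Type as the switch reports it
    user_name: str              # 802.1x: machine identity; MAB: the MAC address
    calling_station_id: str     # MAC address observed on the port
    auth_method: str            # "PEAP-MSCHAPv2" for supplicants, "MAB" for MAC bypass


@dataclass
class NetworkPolicy:
    name: str
    condition_group: Optional[str]   # Conditions: AD group membership (None = matches any request)
    constraint_auth: Set[str]        # Constraints: permitted authentication methods
    vlan: int                        # Settings: Tunnel-Private-Group-ID sent to the switch


def normalize_mac(mac: str) -> str:
    return mac.replace("-", "").replace(":", "").lower()


def connection_request_policy(req: Request) -> bool:
    """Section 5.5 CRP condition: only NAS-Port-Type Ethernet requests are processed."""
    return req.nas_port_type == "Ethernet"


def evaluate(req: Request, policies) -> Tuple[str, Optional[int], str]:
    """Return (decision, vlan, reason). Mirrors NPS: the first policy whose conditions match
    decides; if its constraints fail the request is rejected, not passed to the next policy."""
    if not connection_request_policy(req):
        return ("reject", None, "no connection request policy matched")
    if req.auth_method == "MAB":
        # Defensive check for MAC accounts: the claimed username must be the MAC seen on the port.
        if normalize_mac(req.user_name) != normalize_mac(req.calling_station_id):
            return ("reject", None, "MAB username does not match Calling-Station-Id")
        subject = normalize_mac(req.user_name)
    else:
        subject = req.user_name
    for policy in policies:
        if policy.condition_group is not None and subject not in AD_GROUPS.get(policy.condition_group, set()):
            continue
        if req.auth_method not in policy.constraint_auth:
            return ("reject", None, f"{policy.name}: {req.auth_method} not permitted")
        return ("accept", policy.vlan, policy.name)
    return ("reject", None, "no network policy matched")


# Policy order matters: specific groups first. The Guest fallback is an assumption of this
# example (the plan lists a Guest VLAN but does not state which requests land there).
POLICIES = [
    NetworkPolicy("Staff Workstations", "StaffWorkstations", {"PEAP-MSCHAPv2"}, VLANS["Staff Workstation"]),
    NetworkPolicy("Printers via MAB", "StaffPrinters-MAC", {"MAB"}, VLANS["Printers"]),
    NetworkPolicy("Unknown devices to Guest", None, {"PEAP-MSCHAPv2", "MAB"}, VLANS["Guest"]),
]

if __name__ == "__main__":
    ws = Request("Ethernet", "host/ws01.corp.local", "00-11-22-33-44-55", "PEAP-MSCHAPv2")
    print(evaluate(ws, POLICIES))      # ('accept', 10, 'Staff Workstations')
```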

More Related Content

What's hot

Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
Castleforce
 

What's hot (20)

OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
IronPort
IronPortIronPort
IronPort
 
XG Firewall
XG FirewallXG Firewall
XG Firewall
 
Vlan lab
Vlan labVlan lab
Vlan lab
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
 
Clear pass policy manager advanced_ashwath murthy
Clear pass policy manager advanced_ashwath murthyClear pass policy manager advanced_ashwath murthy
Clear pass policy manager advanced_ashwath murthy
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
IP Addressing
IP AddressingIP Addressing
IP Addressing
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
VMworld 2017 vSAN Network Design
VMworld 2017 vSAN Network Design VMworld 2017 vSAN Network Design
VMworld 2017 vSAN Network Design
 
802.11r Explained.
802.11r Explained. 802.11r Explained.
802.11r Explained.
 
Fhrp notes
Fhrp notesFhrp notes
Fhrp notes
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?
 
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
SDWAN Concept - Certificate and keys Roles in Controllers and vEdge Router Au...
 
Junos routing overview from Juniper
Junos routing overview from JuniperJunos routing overview from Juniper
Junos routing overview from Juniper
 
CCNA 1 Routing and Switching v5.0 Chapter 11
CCNA 1 Routing and Switching v5.0 Chapter 11CCNA 1 Routing and Switching v5.0 Chapter 11
CCNA 1 Routing and Switching v5.0 Chapter 11
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centre
 

Viewers also liked

802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
Dan Miller
 

Viewers also liked (11)

Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ Implementation
 
802.1x
802.1x802.1x
802.1x
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
 
Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
Aerohive Configuration guide.
Aerohive Configuration guide. Aerohive Configuration guide.
Aerohive Configuration guide.
 
Holistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimizationHolistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimization
 

Similar to 802.1x Implementation Plan for Seacoast

Table of Contents Capstone Project Summary ................docx
Table of Contents Capstone Project Summary ................docxTable of Contents Capstone Project Summary ................docx
Table of Contents Capstone Project Summary ................docx
ssuserf9c51d
 
DBA, LEVEL III TTLM Monitoring and Administering Database.docx
DBA, LEVEL III TTLM Monitoring and Administering Database.docxDBA, LEVEL III TTLM Monitoring and Administering Database.docx
DBA, LEVEL III TTLM Monitoring and Administering Database.docx
seifusisay06
 
Software design specification
Software design specificationSoftware design specification
Software design specification
SubhashiniSukumar
 
Computing And Information Technology Programmes Essay
Computing And Information Technology Programmes EssayComputing And Information Technology Programmes Essay
Computing And Information Technology Programmes Essay
Lucy Nader
 
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docxMEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
ARIV4
 
Ocssco database policy document
Ocssco database policy documentOcssco database policy document
Ocssco database policy document
Endale Mintesinot
 
Financial, Retail And Shopping Domains
Financial, Retail And Shopping DomainsFinancial, Retail And Shopping Domains
Financial, Retail And Shopping Domains
Sonia Sanchez
 
JaySexton_IT326_IP5
JaySexton_IT326_IP5JaySexton_IT326_IP5
JaySexton_IT326_IP5
Jay T Sexton
 
Resume-SystemsDBA-Brian Wigton
Resume-SystemsDBA-Brian WigtonResume-SystemsDBA-Brian Wigton
Resume-SystemsDBA-Brian Wigton
Brian Wigton
 

Similar to 802.1x Implementation Plan for Seacoast (20)

AAI-4847 Full Disclosure on the Performance Characteristics of WebSphere Appl...
AAI-4847 Full Disclosure on the Performance Characteristics of WebSphere Appl...AAI-4847 Full Disclosure on the Performance Characteristics of WebSphere Appl...
AAI-4847 Full Disclosure on the Performance Characteristics of WebSphere Appl...
 
Vskills certified enterprise applications integration specialist with micros...
Vskills certified enterprise applications integration specialist  with micros...Vskills certified enterprise applications integration specialist  with micros...
Vskills certified enterprise applications integration specialist with micros...
 
Microsoft SQL Licensing Workshop - Software ONE
Microsoft SQL Licensing Workshop - Software ONEMicrosoft SQL Licensing Workshop - Software ONE
Microsoft SQL Licensing Workshop - Software ONE
 
Table of Contents Capstone Project Summary ................docx
Table of Contents Capstone Project Summary ................docxTable of Contents Capstone Project Summary ................docx
Table of Contents Capstone Project Summary ................docx
 
Unit 3
Unit 3Unit 3
Unit 3
 
DBA, LEVEL III TTLM Monitoring and Administering Database.docx
DBA, LEVEL III TTLM Monitoring and Administering Database.docxDBA, LEVEL III TTLM Monitoring and Administering Database.docx
DBA, LEVEL III TTLM Monitoring and Administering Database.docx
 
Network_Administration_PPT
Network_Administration_PPTNetwork_Administration_PPT
Network_Administration_PPT
 
Software design specification
Software design specificationSoftware design specification
Software design specification
 
aug-resume-2015
aug-resume-2015aug-resume-2015
aug-resume-2015
 
Computing And Information Technology Programmes Essay
Computing And Information Technology Programmes EssayComputing And Information Technology Programmes Essay
Computing And Information Technology Programmes Essay
 
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docxMEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
MEDICAL FACILITY ANALYSIS2MEDICAL FACILITY ANALYSIS16.docx
 
Banking and ATM networking reports
Banking and ATM networking reportsBanking and ATM networking reports
Banking and ATM networking reports
 
Ocssco database policy document
Ocssco database policy documentOcssco database policy document
Ocssco database policy document
 
Client server technology main
Client server technology mainClient server technology main
Client server technology main
 
Financial, Retail And Shopping Domains
Financial, Retail And Shopping DomainsFinancial, Retail And Shopping Domains
Financial, Retail And Shopping Domains
 
Vmware desktop infrastructure virtualization assessment
Vmware  desktop infrastructure virtualization assessmentVmware  desktop infrastructure virtualization assessment
Vmware desktop infrastructure virtualization assessment
 
JaySexton_IT326_IP5
JaySexton_IT326_IP5JaySexton_IT326_IP5
JaySexton_IT326_IP5
 
Resume-SystemsDBA-Brian Wigton
Resume-SystemsDBA-Brian WigtonResume-SystemsDBA-Brian Wigton
Resume-SystemsDBA-Brian Wigton
 
Ad cs-step-by-step-guide
Ad cs-step-by-step-guideAd cs-step-by-step-guide
Ad cs-step-by-step-guide
 
Jvvnl 071108
Jvvnl 071108Jvvnl 071108
Jvvnl 071108
 

802.1x Implementation Plan for Seacoast

  • 1. Seacoast National Bank 802.1x Implementation Plan Microsoft Network Policy Server (NPS) IMPLEMENTATION PLAN Page 1 of 13
  • 2. Seacoast National Bank 802.1x Implementation Plan Page 2 of 14 Table of Contents 1.1 PURPOSE ........................................................................................................................ 3 1.2 SYSTEM OVERVIEW ..........................................................................................................3 1.3 System Description.................................................................................................................3 1.4 Assumptions and Constraints ................................................................................................3 1.5Benefits....................................................................................................................................3 2 Hardware and Software Requirements .......................................................................................... 4 2.1 Hardware Requirements ........................................................................................................4 2.2 Software Requirements ..........................................................................................................4 3 Design Topology ............................................................................................................................. 5 3.1 The CCC NPS Topology ........................................................................................................6 3.2 Topology Layout Details……………………………………………………………............7 4 Components of the NPS Infrastructure ....................................................................................... 
8 4.1 Access Clients……………………………………………………………………………….9 4.2 Access Servers (RADIUS Clients) ........................................................................................9 4.3 NPS Servers (RADIUS Servers) ...........................................................................................9 4.4 User Accounts Databases ......................................................................................................9 4.5 Authentication Flow and EAP/RADIUS Message Exchange……………………………..10 5 Implementation Tasks ................................................................................................................. 11 5.1 Install Windows 2008 R2.....................................................................................................11 5.2 Install Network Policy Server .............................................................................................11 5.3 Plan and Configure VLAN structure ...................................................................................11 5.4 Plan and Configure AD Group Structure ............................................................................11 5.4 Client Settings .....................................................................................................................12 5.5 Plan and Configure NPS Policy Structure ..............................................................................13
Introduction

1.1 Purpose
Currently, anyone (customers, vendors, consultants, etc.) is able to plug their network device(s) into a wall jack in our buildings and have access to our network resources, regardless of the fact that they are not Seacoast employees. Although we have a solution in place to mitigate these types of intrusions, the solution is reactive in nature. This gives someone with malicious intent the ability to launch a variety of attacks, such as breaking into specific servers, eavesdropping on network packets, and unleashing a worm or Denial of Service (DoS) attacks. I am proposing the implementation of a proactive network security solution based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard for network device authentication and the Microsoft Network Policy Server (NPS), Microsoft's implementation of RADIUS, to provide fine-grained, wired computer authentication and authorization to control access to network resources.

1.2 System Overview
The Network Policy Server (NPS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS). It will perform centralized connection authentication, authorization, and accounting for wired and wireless network access.

1.3 System Description
The Network Policy Server will provide the ability for Seacoast National Bank to implement and manage machine and user authentication and authorization for Seacoast-owned and non-Seacoast-owned devices. The Network Policy Server grants access to the appropriate resources via NPS Connection Request and Network Policies, which are based on multiple conditions such as user ID, machine ID, switch, access point, etc.

1.4 Assumptions and Constraints
o The implementation project is to begin August 30, 2013 and be completed by DTBD.
o Implementation will begin with the building at 973 SE Federal HWY, followed by the main office at 815 S. Colorado Ave.
o If needed, this solution can also be implemented at the branch offices.

1.5 Benefits
o Encryption of Wireless Keys
o Strong Authentication
o Secure Access Control
2 Hardware and Software Requirements
This section describes the hardware components that are required to install Windows 2008 R2 and the software requirements that are needed to install the Microsoft NPS.

2.1 Hardware Requirements:
The following table lists the minimum and recommended hardware components required to support the Microsoft NPS.

Component          Minimum   Recommended
Single CPU speed   2.5 GHz   3.5 GHz or faster
Dual CPU speed     2.0 GHz   3.0 GHz or faster
RAM                2.0 GB    4.0 GB or more
Disk Space         10 GB     100 GB or more

The following is the hardware specification that we are recommending. It is also the hardware specification that we are using for the NPS at the system office.
• Processor: 1 CPU
• Memory: 4 GB
• Disk: 100 GB

2.2 Software Requirements:
This section lists the server, server roles, and features that need to be added in order to implement the Microsoft NPS.
• Windows Server 2008 R2 Enterprise Edition (Operating System)
• Active Directory Certificate Services (Server Role)
• Network Policy and Access Services (Server Role)
• Web Server (Server Role)
• Group Policy Management (Feature)

Note: Windows Server 2008 Standard Edition is limited to a maximum of 50 RADIUS clients (authenticators) and a maximum of 2 remote RADIUS server groups. For this reason, I am recommending that we go with Windows Server 2008 Enterprise Edition, which provides an unlimited number of RADIUS clients (authenticators) and remote RADIUS server groups.

The Microsoft NPS can be installed either on stand-alone hardware or in a virtualized environment. We are installing all of our Microsoft Network Access Policy servers on the Microsoft Hyper-V platform.
3 Design Topology

Figure 3.1.1

Figure 3.1.2

3.2 The Seacoast NPS Topology:
The NPS will be deployed as a RADIUS proxy. The RADIUS proxy approach will provide us with a High Availability (HA) authentication, authorization, and accounting solution.
3.3 Topology Layout Details:

MAIN OFFICE
RADIUS clients (wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers, also known as "authenticators" and/or "Network Access Servers") are configured to connect to two NPS proxy servers. One NPS proxy is used as the primary RADIUS proxy and the other is used as a backup. If the primary NPS proxy becomes unavailable, RADIUS clients send their Access-Request messages to the alternate NPS proxy. The primary server will be installed as a virtual machine and the secondary server will be installed on a physical server. Data is mirrored to the secondary server at regular intervals and also manually, through a script, after any changes are made.

The NPS proxy servers will point to two Remote RADIUS Server Groups. The first Remote RADIUS Server Group will contain servers that are members of AD and will provide authentication and authorization for computers in the Seacoast "Corp" domain. The second Remote RADIUS Server Group will contain servers that are members of a workgroup and not members of AD. The local database on these servers will contain groups and MAC addresses for non-802.1x-capable devices (printers, VoIP phones, laptops from branch offices, etc.). There will be two servers in each of the two Remote RADIUS Server Groups. The primary server will be installed as a virtual machine and the secondary server will be installed on a physical server.

BRANCH OFFICE
A hybrid solution consisting of 802.1x with MAC Authentication Bypass (MAB) and Port Security with Sticky MAC will be implemented at the branch offices. The publicly accessible ports (i.e. conference rooms, waiting areas, etc.) will use 802.1x with MAC Authentication Bypass, which will authenticate to the NPS servers located at the main office. The static ports in the offices will use Port Security with Sticky MAC, which will allow the switch interfaces to learn the MAC addresses of trusted Seacoast workstations and ensure that any new devices will not be allowed access.

Note: See Figures 3.1.1 and 3.1.2 for full visual details.
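The mirroring script that section 3.3 refers to, as an added example that is not part of the plan: it exports the primary proxy's NPS configuration with netsh nps, copies the file to the backup proxy, imports it there and removes the file afterwards. The host name NPS-PROXY2, the C:\NpsSync staging folder, and the use of PowerShell remoting to the backup are assumptions.

```powershell
# Added example, not part of the Seacoast plan: mirror the primary NPS proxy's
# configuration to the backup proxy (the "script run after any changes are made"
# in section 3.3). Assumed: backup host name NPS-PROXY2, staging folder C:\NpsSync
# on both servers, PowerShell remoting (WinRM) enabled on the backup, and an account
# that is a local administrator on both. Run on the primary proxy.
param(
    [string]$Secondary = 'NPS-PROXY2',   # assumed host name of the backup proxy
    [string]$SyncDir   = 'C:\NpsSync'     # assumed staging folder; restrict its ACL to admins
)

$ErrorActionPreference = 'Stop'
$fileName   = 'nps-config.xml'
$localPath  = Join-Path $SyncDir $fileName
$remoteDir  = "\\$Secondary\" + $SyncDir.Replace(':', '$')   # C:\NpsSync -> \\NPS-PROXY2\C$\NpsSync
$remotePath = Join-Path $SyncDir $fileName                    # same local path as seen on the backup

foreach ($dir in @($SyncDir, $remoteDir)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# 1. Export the whole NPS configuration. exportPSK=YES is needed so that the RADIUS
#    client and remote server group shared secrets travel with the file, which means
#    the XML contains those secrets in clear text and must be handled like one.
netsh nps export filename="$localPath" exportPSK=YES
if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed (exit code $LASTEXITCODE)" }

# 2. Copy the export to the backup proxy over the administrative share.
Copy-Item -Path $localPath -Destination $remoteDir -Force

# 3. Import it on the backup proxy, then delete the copy so the secrets do not linger.
Invoke-Command -ComputerName $Secondary -ArgumentList $remotePath -ScriptBlock {
    param([string]$path)
    netsh nps import filename="$path"
    $rc = $LASTEXITCODE
    Remove-Item -Path $path -Force
    if ($rc -ne 0) { throw "netsh nps import failed on $env:COMPUTERNAME (exit code $rc)" }
}

# 4. Delete the local export as well and record what was done.
Remove-Item -Path $localPath -Force
Write-Host "NPS configuration mirrored from $env:COMPUTERNAME to $Secondary at $(Get-Date)"
```

Because the export carries every RADIUS shared secret, run it only from an administrative session and keep the staging folder readable by administrators alone.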
4 Components of the NPS Infrastructure
There are four components to our implementation of the NPS infrastructure: access clients, access servers (RADIUS clients), NPS servers (RADIUS servers), and user account databases. The following figure illustrates the relationships between the four components of the NPS infrastructure.
How Does 802.1x Work
An 802.1X network requires only three components to operate, each of which is referred to by terms that are somewhat unique to this standard. Those components are:

4.1 Access Clients:
An access client is a device that requires some level of access to the network. Examples of access clients are computers, laptops, smart phones, IP phones, printers, etc. The following needs to be configured on the access clients in order to function with NPS:
• 802.1x Supplicant
• PEAP settings

4.2 Access Servers / Authenticators (RADIUS Clients):
An access server/authenticator is a device that provides some level of access to the network. An access server acts as a RADIUS client, sending connection requests and accounting messages to a RADIUS server. Examples of access servers are switches, wireless LAN controllers, wireless APs, etc. The following needs to be configured on the access servers in order to function with NPS:
• 802.1x settings
• RADIUS settings
• VLANs

4.3 NPS Servers (RADIUS Servers) / Authentication Server:
An NPS or RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. The following needs to be configured on the NPS servers:
• Connection Request Policies
• Network Policies: designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. The following are matched to allow access:
  • Conditions: matched against groups in AD (user account database)
  • Constraints: authentication methods (access client PEAP settings)
  • Settings: send the client to the correct VLAN (access server VLAN settings)

4.4 User Accounts Databases:
The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and to obtain user account properties containing authorization and connection parameter information. The user account database that NPS can use is the one provided with Active Directory Domain Services (AD DS) in Windows Server 2008. When NPS is a member of an AD DS domain, NPS can provide authentication and authorization for user or computer accounts that exist in the following locations:
• In the domain in which the NPS server is a member.
• In domains for which there is a two-way trust with the NPS server domain.
• In trusted forests with domain controllers running Windows Server 2008 and AD DS.

4.5 Authentication Flow and EAP/RADIUS Message Exchange:
Figure 4.5.1 below shows the 802.1x authentication flow and the roles that the authenticator, AD, and the NPS play in the decision-making process. The chart also shows the message exchange that happens during this process.

Figure 4.5.1
5 Implementation Tasks
The implementation tasks are organized into the following sections. In each section, the priorities or strategies to be acted on by the implementation are listed, followed by specific action steps for each priority/strategy.

5.1 Install Windows 2008 R2:

5.2 Install Network Policy Server:
• Add Server Role: Active Directory Certificate Services
• Add Server Role: Network Policy and Access Services

5.3 Plan and Configure VLAN structure:
Below is the list of VLANs that were deemed to be required. There will probably be cases where additional VLANs are required by the colleges. These requests will be reviewed and decided upon accordingly. The VLANs can be configured to look like the following:
VLAN 10: Staff Workstation
VLAN 20: Printers
VLAN 30: Voice
And so on. Going with blocks of ten leaves us the flexibility to add new VLANs if needed.

5.4 Plan and Configure AD Group Structure:
Requirements:
o Active Directory will be used for NPS
o Groups must be used
o The design must allow for delegation of control
o The design should be set up for ease of operational management
Assumptions:
o There will be a specific, consistently used name associated with each VLAN ("StaffWorkstations", "StaffPrinters", etc.)
o For each VLAN managed by NPS, at least two new groups must be created in AD, with possibly two more (bringing it to four):
  • The first group contains computers within AD. NPS will use it to check which VLAN a specific computer must go to.
  • The second group is for MAC authentication. Usernames matching their MAC addresses and appropriate passwords must be created.
  • A third and fourth group may be needed for delegated management of the first two groups.

Initial Configuration:
Prerequisites: need final list of all VLAN names.

5.4 Client Settings:
Network configuration needs to be modified on the clients (Windows XP, Windows 7 and Windows Vista) in order for them to authenticate to the network via 802.1X. In particular, the following settings need to be enabled:
Authentication:
• Enable IEEE 802.1X authentication.
• Cache user information for subsequent connections to this network.
Protected EAP Properties:
• Uncheck Validate server certificate
• Enable Fast Reconnect
Authentication Method:
• Secure password (EAP-MSCHAP v2)
• Automatically use my Windows logon name and password (and domain if any).
Deployment Options:
• Manual change on each computer
• Scripts
• Group Policy
Out of the three deployment options, Group Policy is the most ideal solution. The policy that specifically contains the authentication and PEAP settings is called Wired Network (IEEE 802.3) Policies. This policy can be applied to the following clients: Windows XP SP3, Windows 7, and Windows Vista. After thorough testing, we have found that certain settings will not work with Windows XP. In order to resolve this issue, the Group Policy needs to be created from a Windows Server 2008 (not R2) or Windows Vista workstation. We recommend using a Windows Vista workstation. The following steps outline the Group Policy deployment for the clients:
1. Create a new Group Policy with Windows Vista and configure it with the required settings.
2. Modify the policy so that the refresh occurs every 10 minutes instead of the default 90-120 minutes.
3. Disable 802.1X on switch ports.
4. Apply the new Group Policy to the OU.
5. Verify that the policy change took place.
6. Re-enable 802.1x on switch ports.

5.5 Plan and Configure NPS Policy Structure
The policies built within the Microsoft NPS are based on the Network Policy of Seacoast National Bank. There were two different options available for how we could configure the NPS to meet the needs of the network policy. The options are:

Option 1: Configure NPS for User and Machine Authentication - This option will provide users with the ability to access their data regardless of which device they are logging into. For example, a faculty member can walk into a computer lab, log into the lab computer, and have access to all of their network resources as if they were logged into their own PC.

Option 2: Configure NPS for Machine Authentication Only - This option will provide users with the ability to access only the resources that the device has access to. For example, a faculty member walks into a computer lab, logs into the lab computer, and will only have access to the limited resources that the lab computer has permission to.

I am recommending that we proceed with option 2. This will ease our policy configuration requirements. The following are examples of how the NPS policies would be written:

Target:
- Staff Workstation | VLAN 10: 172.16.10.0/24
- Printers | VLAN 50: 172.16.50.0/24
- Guest | VLAN 100: 172.16.100.0/24

Policies:
Connection Request Policies
- Condition:
  • Condition: NAS Port Type
  • Value: Ethernet
- Settings:
  • Authentication Methods: Override network policy authentication settings
  • EAP Types: Microsoft Protected EAP (PEAP)
    - Configure Protected EAP Properties
      o Certificate issued: rayite.corp.local
      o Enable Fast Reconnect
      o EAP Types: Secured password (EAP-MSCHAP v2)
  • Less secure authentication methods:
    - Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
    - Microsoft Encrypted Authentication (MS-CHAP)
    - Encrypted Authentication (CHAP)
    - Unencrypted Authentication (PAP)
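The Group Policy deployment steps in section 5.4 (create the policy, shorten the refresh interval, link it to the OU, verify on a client), as an added example that is not part of the plan. The GPO name, the OU distinguished name and the Test-WiredDot1xClient function are assumptions; the Wired Network (IEEE 802.3) settings themselves have no cmdlet in Server 2008 R2 and are still entered in the Group Policy Management Editor as the plan describes.

```powershell
# Added example, not part of the Seacoast plan: the Group Policy side of the section 5.4
# deployment steps. Run the first part on a Server 2008 R2 or RSAT machine with the
# GroupPolicy module; the GPO name and OU below are assumed placeholders.
Import-Module GroupPolicy

$GpoName  = 'Wired 802.1X Clients'                 # assumed GPO name
$TargetOu = 'OU=Workstations,DC=corp,DC=local'     # assumed OU distinguished name

# Step 1: create the GPO (idempotent). The Wired Network (IEEE 802.3) Policies settings
# (802.1X, PEAP, EAP-MSCHAP v2) have no cmdlet in 2008 R2; enter them in the Group Policy
# Management Editor from the Vista workstation, as the plan describes.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Wired 802.1X supplicant settings' }

# Step 2: refresh every 10 minutes instead of the default 90 minutes plus a random offset
# of up to 30. This is the "Group Policy refresh interval for computers" template setting,
# stored in the two registry values below.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 0  | Out-Null

# Step 4: link the GPO to the workstation OU (step 3, disabling 802.1X on the switch
# ports, is done on the switches, not here).
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Step 5: verification, run locally on a Windows 7 / Vista client after gpupdate /force.
# Checks that the GPO was applied, that the Wired AutoConfig service (dot3svc, the
# wired 802.1X supplicant) is running, and that the wired profile has 802.1X enabled.
function Test-WiredDot1xClient {
    param([string]$ExpectedGpo = 'Wired 802.1X Clients')   # assumed GPO name
    $gpresult = gpresult /r /scope:computer
    $profiles = netsh lan show profiles
    $svc      = Get-Service -Name dot3svc
    New-Object PSObject -Property @{
        GpoApplied     = [bool]($gpresult -match [regex]::Escape($ExpectedGpo))
        Dot3svcRunning = ($svc.Status -eq 'Running')
        Dot1xEnabled   = [bool]($profiles -match '802\.1x\s*:\s*Enabled')
        GpProfile      = [bool]($profiles -match 'Group Policy Profile')
    }
}
```

With Validate server certificate unchecked as in section 5.4, this check confirms only that the supplicant is enabled and policy-managed; it says nothing about which authentication server the client will trust, so the switch-to-NPS path and the NPS certificate deserve their own verification.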