My name is Deniz Kaya and today I will be speaking about the 802.1x authentication standard, how to configure it on Cisco Catalyst switches, and also the 802.1x authentication client in Microsoft Windows. In the year 2000, IEEE created the 802.1x specification. This was done to further protect wired and wireless networks. First of all, I want to lay the groundwork of what 802.1x authentication really is and how it enhances network security. We'll talk briefly about the specifics of the protocol, and we'll also get into implementation and EAP methods (Extensible Authentication Protocol methods). Then we'll talk about the kind of configuration and the types of scenarios in which you'll be using 802.1x.
802.1X Authentication
Deniz Kaya, Microsoft, Cisco and IronPort Trainer (CCSI, CCNP, MCT, MCSE, ICSI, ICSP, CPTS)
… While the Assets Needing to be Protected are Expanding
[Network diagram: Service Provider/Internet, Teleworker, City Hall, VPN Head-End, Cable Provider, 831, Library, Partner/Vendor, Airport]
One physical network must accommodate multiple logical networks (user groups), each with its own rules.
IDENTITY: So, you said MAC address?
Windows 2000 and XP allow easy changes to MAC addresses.
A MAC address is not an authentication mechanism…
Determining "who" gets access and "what" they can do
User-identity-based network access
User-based policies applied (bandwidth, QoS, etc.)
[Campus network diagram]
Equivalent to placing a Security Guard at each Switch Port
Only Authorized users can get Network Access
Unauthorized users can be placed into “Guest” VLANs
RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server).
RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
Client and switch talk 802.1x; the switch speaks to the authentication server using RADIUS.
The actual authentication conversation is between the client and the authentication server using EAP; the switch is just a middleman, but it is aware of what's going on.
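As an added example (not from the talk and not vendor documentation), the following classic-syntax IOS configuration puts the three roles above in place on a Catalyst access switch: the port is the authenticator, EAP is relayed to a RADIUS server, and the server can return AV pairs that assign the port's VLAN. Every concrete value is an assumption: the RADIUS server 10.0.0.10, the shared secret placeholder, employee VLAN 10, guest VLAN 99 and port GigabitEthernet1/0/1.

```cisco
! Added example: minimal 802.1x authenticator setup on a Catalyst access switch.
! Assumed values: RADIUS server 10.0.0.10, secret RADIUS-SECRET-PLACEHOLDER,
! employee VLAN 10, guest VLAN 99, access port Gi1/0/1 (classic "dot1x" syntax).
aaa new-model
! EAP from the client is carried to the RADIUS server inside RADIUS;
! network authorization lets the server push AV pairs (e.g. a VLAN) back.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! Enable the 802.1x authenticator role globally; without this the port-level
! commands are accepted but no authentication is enforced.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Employee access port, 802.1x enforced
 switchport mode access
 switchport access vlan 10
 ! This port is the authenticator (PAE); traffic is blocked until success.
 dot1x pae authenticator
 dot1x port-control auto
 ! Hosts that never answer EAPOL (no supplicant) land in the guest VLAN
 ! instead of being silently blocked.
 dot1x guest-vlan 99
 ! One authenticated MAC per port; a second MAC is a security violation.
 dot1x host-mode single-host
 spanning-tree portfast
!
! Verification (exec mode): per-port state and the authenticated identity.
! show dot1x interface GigabitEthernet1/0/1 details
! show dot1x all summary
```

For the RADIUS server to move an authenticated user into a VLAN other than the configured access VLAN, its Access-Accept must carry the standard IETF tunnel attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID (the VLAN number); those are the "AV pairs" the slide refers to. Note that the guest VLAN only covers hosts with no supplicant at all; a host whose credentials are rejected stays blocked unless an authentication-failure VLAN is configured separately.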
Wireless interfaces: integrated with the wireless configuration client
Enabled by default if privacy is enabled
Dynamic keys usage enforcement
User and computer authentication enabled by default
802.1x in Microsoft Windows: machine and user authentication
State flow: Startup -> machine credentials available (use machine credentials) -> machine authentication success or machine authentication failure.
User logon -> user credentials available (use user credentials) -> user authentication success or user authentication failure.
User logoff returns to the machine state.
Windows machine authentication (boot sequence): Power up -> Load NDIS drivers -> DHCP -> Set up secure channel to DC -> Update GPOs -> Apply computer GPOs -> Present GINA (Ctrl-Alt-Del) -> Login.
Callout on the slide: 802.1x authenticate as computer.
What is Machine Authentication?
The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.
What is it used for?
Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows Domain Controllers in order to pull down machine group policies.
Why do we care?
Pre-802.1x, this worked under the assumption that network connectivity was a given. Post-802.1x, blocking network access prior to 802.1x authentication breaks the machine-based group policy model, UNLESS the machine can authenticate using its own identity in 802.1x.
802.1x in Microsoft Windows: 802.1x authentication configuration page
Same for wired and wireless
Provides control over computer and guest authentication