802.1X Port-Based Authentication

    Presentation Transcript

    • 802.1X Port-Based Authentication Scott Shu <scott.shu@gmail.com> [ Scott.Shu ] - 1 of 75.
    • WLAN Architecture
    • WLAN 802.1X Architecture
    • EAP
      – Extensible Authentication Protocol (EAP) defines how authentication messages are exchanged between the supplicant, the authenticator and the authentication server.
      – The EAP standard does not itself define the security protocols or mechanisms used for the authentication; it carries a number of authentication methods that provide that security, for example MD5, MSCHAPv2, TTLS, etc.
      – EAP does not require IP to communicate, because it runs directly over the link layer.
      – RFC 2284 (Point-to-Point Extensible Authentication Protocol)
    • Authentication Message Exchange (Supplicant, Authenticator, AS)
      1. Authenticator to Supplicant: EAP-Request/Identity
      2. Supplicant to Authenticator: EAP-Response/Identity; Authenticator to AS: Radius Access-Request
      3. AS to Authenticator: Radius Access-Challenge; Authenticator to Supplicant: EAP-Request/MD5 Challenge
      4. Supplicant to Authenticator: EAP-Response to the MD5 Challenge (the slide labels this arrow EAP-Request/Identity); Authenticator to AS: Radius Access-Request
      5. AS to Authenticator: Radius Access-Accept; Authenticator to Supplicant: EAP Success; Port Authorized
      6. Supplicant to Authenticator: EAP Logoff; Port Unauthorized
    • Authentication Message Exchange (wireless, with association and EAPOL Start)
      1. Supplicant to Authenticator: Association Request; Authenticator to Supplicant: Association Response
      2. Supplicant to Authenticator: EAPOL Start
      3. Authenticator to Supplicant: EAP-Request/Identity
      4. Supplicant to Authenticator: EAP-Response/Identity; Authenticator to AS: Radius Access-Request
      5. AS to Authenticator: Radius Access-Challenge; Authenticator to Supplicant: EAP-Request/MD5 Challenge
      6. Supplicant to Authenticator: EAP-Response to the MD5 Challenge (labelled EAP-Request/Identity on the slide); Authenticator to AS: Radius Access-Request
      7. AS to Authenticator: Radius Access-Accept; Authenticator to Supplicant: EAP Success; Port Authorized
      8. Supplicant to Authenticator: EAP Logoff; Port Unauthorized
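Added example, not code from the slides: a Python model of the exchange on the two slides above. It encodes and parses EAPOL and EAP packets, computes the EAP-MD5 response value used at the MD5 Challenge step (CHAP style, RFC 3748 section 5.4), and drives a toy supplicant, authenticator port and AS through EAPOL Start, Request/Identity, MD5 Challenge, Success and Logoff. The Supplicant, AuthenticationServer and AuthenticatorPort classes, the user table and the passwords are constructed for the example; the RADIUS leg between authenticator and AS is elided and the AS is called directly.

```python
import hashlib
import os
import struct

# EAPOL frame types (IEEE 802.1X) and EAP codes / method types (RFC 3748).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol_encode(frame_type, body=b""):
    """EAPOL frame: Version(1) | Type(1) | Body Length(2) | Body (protocol version 1 used here)."""
    return struct.pack("!BBH", 1, frame_type, len(body)) + body


def eapol_decode(frame):
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its header")
    _version, frame_type, length = struct.unpack("!BBH", frame[:4])
    if length > len(frame) - 4:
        raise ValueError("EAPOL body length exceeds the frame")
    return frame_type, frame[4:4 + length]


def eap_encode(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eap_decode(packet):
    """Parse an EAP packet; the Length field is validated against the buffer before slicing."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with the frame")
    body = packet[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        return code, identifier, body[0], body[1:]
    return code, identifier, None, b""


def md5_challenge_value(identifier, password, challenge):
    """EAP-MD5 response value, CHAP style: MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """Answers Request/Identity with its identity and MD5-Challenge with the digest above."""
    def __init__(self, identity, password):
        self.identity, self.password = identity.encode(), password

    def handle(self, packet):
        code, ident, eap_type, data = eap_decode(packet)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]  # Type-Data layout: Value-Size | Value | Name
            value = md5_challenge_value(ident, self.password, challenge)
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + value + self.identity)
        return None


class AuthenticationServer:
    """Toy AS with a constructed identity -> password table; one fresh challenge per identity response."""
    def __init__(self, users):
        self.users, self.pending = users, {}

    def handle(self, packet):
        code, ident, eap_type, data = eap_decode(packet)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            next_id, challenge = (ident + 1) % 256, os.urandom(16)
            self.pending[next_id] = (data.decode(), challenge)
            return eap_encode(EAP_REQUEST, next_id, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + challenge + b"AS")
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5_CHALLENGE and ident in self.pending:
            identity, challenge = self.pending.pop(ident)  # a challenge is usable exactly once
            password = self.users.get(identity)
            if password is not None and data[1:1 + data[0]] == md5_challenge_value(ident, password, challenge):
                return eap_encode(EAP_SUCCESS, ident)
        return eap_encode(EAP_FAILURE, ident)


class AuthenticatorPort:
    """One controlled port: Unauthorized until the AS answers EAP Success, Unauthorized again on Logoff."""
    def __init__(self, server):
        self.server, self.authorized, self.trace = server, False, []

    def on_eapol(self, frame):
        """Handle one EAPOL frame from the supplicant; return the EAP packet to send back, or None."""
        frame_type, body = eapol_decode(frame)
        if frame_type == EAPOL_LOGOFF:
            self.authorized = False
            self.trace.append("EAP Logoff -> Port Unauthorized")
            return None
        if frame_type == EAPOL_START:
            self.trace.append("EAPOL Start -> EAP-Request/Identity")
            return eap_encode(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
        reply = self.server.handle(body)  # relayed to the AS; in practice inside a Radius Access-Request
        code = eap_decode(reply)[0]
        if code == EAP_SUCCESS:
            self.authorized = True
        self.trace.append({EAP_SUCCESS: "EAP Success -> Port Authorized", EAP_FAILURE: "EAP Failure"}.get(code, "EAP-Request relayed"))
        return reply


def run_session(identity, password, server):
    """Drive the slide's sequence end to end; returns (authorized, authorized after Logoff, trace)."""
    supplicant, port = Supplicant(identity, password), AuthenticatorPort(server)
    packet = port.on_eapol(eapol_encode(EAPOL_START))
    while packet is not None and eap_decode(packet)[0] == EAP_REQUEST:
        response = supplicant.handle(packet)
        packet = None if response is None else port.on_eapol(eapol_encode(EAPOL_EAP_PACKET, response))
    authorized = port.authorized
    port.on_eapol(eapol_encode(EAPOL_LOGOFF))
    return authorized, port.authorized, port.trace
```

Run it with `run_session("alice", b"correct-horse", AuthenticationServer({"alice": b"correct-horse"}))`: the port is authorized after EAP Success and unauthorized again after Logoff, while a wrong password or unknown identity ends in EAP Failure. EAP-MD5 authenticates the supplicant only, not the network, and derives no keying material, so the model shows the message structure of the slides rather than a method suitable for protecting a WLAN.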
    • Wireless 802.1X Network
    • (1) Supplicant
    • Supplicant
      – wpa_supplicant
      – Juniper Odyssey Access Client
      – Xsupplicant
    • Juniper Odyssey Access Client
      – Add Adapters
      – Add Networks
      – Add Profiles
    • (2) Authenticator
    • Authenticator
      – Access Point (AP)
          Radius Server (Primary, Secondary):
            (1) Radius Server’s IP address
            (2) Authentication port number: 1812 (UDP), or 1645 (UDP, Windows systems)
            (3) Accounting port number: 1813 (UDP), or 1646 (UDP, Windows systems)
            (4) Shared Secret
          Security Policy: WPA / WPA2
      – Configuring and setting up 802.1X on the AP may differ between vendors.
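Added example, not code from the slides or from any AP vendor: what the settings on this slide mean on the wire. A Python model of the Access-Request the AP sends to the authentication port (1812) and the Access-Accept it gets back, showing the two places the shared secret is used: the HMAC-MD5 Message-Authenticator on the request (RFC 2869, required whenever the request carries EAP-Message) and the Response Authenticator (RFC 2865) that the AP checks on the reply. The secret, the user name, the NAS address and the EAP payload are constructed; the UDP transport is left out.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
AUTH_PORT, ACCT_PORT = 1812, 1813  # IANA ports named on the slide; 1645/1646 are the older assignments


def encode_attributes(attrs):
    """Encode (type, value) pairs as Type(1) | Length(1) | Value, Length covering all three."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out


def decode_attributes(packet):
    """Return the attributes after the 20-byte header as (type, value) pairs; bad lengths are rejected."""
    body, attrs, i = packet[20:], [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_access_request(identifier, secret, attrs):
    """Authenticator -> AS: random Request Authenticator plus a Message-Authenticator computed as
    HMAC-MD5(secret, whole packet with the Message-Authenticator value zero-filled)."""
    request_auth = os.urandom(16)
    body = encode_attributes(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac, request_auth  # the zero-filled value is the last 16 bytes


def verify_access_request(packet, secret):
    """AS side: recompute the Message-Authenticator; a wrong secret or a tampered packet fails."""
    offset = 20
    for attr_type, value in decode_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += 2 + len(value)
    return False  # no Message-Authenticator on a request that should carry one


def build_response(code, identifier, secret, request_auth, attrs=()):
    """AS -> Authenticator: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, secret, request_auth):
    """Authenticator side: a reply from a host without the secret, a reply whose code was changed,
    or a replayed reply to a different request fails this check."""
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; use a long random value per AP in practice
    eap_identity_response = b"\x02\x01\x00\x0a\x01alice"  # EAP-Response/Identity "alice", constructed
    request, request_auth = build_access_request(1, secret, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 7, 15, 1])),  # constructed AP address
        (ATTR_EAP_MESSAGE, eap_identity_response),
    ])
    print("AS accepts request with the right secret:", verify_access_request(request, secret))
    print("AS accepts request with a wrong secret:  ", verify_access_request(request, b"wrong"))
    accept = build_response(ACCESS_ACCEPT, 1, secret, request_auth)
    print("AP verifies Access-Accept:", verify_response(accept, secret, request_auth))
```

The point for the configuration on the slide: both ends must hold the same secret, and a reply that fails `verify_response` must be discarded rather than treated as an Access-Accept. A mismatch between the AP and server entries shows up as every request failing the Message-Authenticator check on the server.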
    • (3) Authentication Server
    • Authentication Server (AS)
      – FreeRadius
      – Radiator
      – Microsoft Windows Server 2003 Internet Authentication Service (IAS)
      – Cisco ACS
    • FreeRadius
      – Installing FreeRADIUS from source:
          [ ]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.0.2.tar.gz
          [ ]# tar zxvf freeradius-server-2.0.2.tar.gz
          [ ]# cd freeradius-server-2.0.2
          [ ]# ./configure
          [ ]# make
          [ ]# make install
      – Or install FreeRadius directly from an RPM package.
    • FreeRadius (cont.)
      – Configuring FreeRADIUS
        1. The configuration files can be found under /usr/local/etc/raddb/.
        2. Open the main configuration file, radiusd.conf.
        3. Edit clients.conf to specify which network (the RADIUS clients) the server is serving.
        4. Open the EAP configuration file, eap.conf.
        5. The user information is stored in the plain text file users.
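Added example, not code from the slides or from the FreeRADIUS project: a parser for the `client NAME { key = value }` block syntax of the clients.conf file that step 3 refers to, followed by an audit of the entries a reviewer checks before an access point is trusted as a RADIUS client: a missing shared secret, the stock secret from the shipped example file (testing123), a short secret, and an ipaddr/netmask that admits requests from any source address. The sample configuration, client names, addresses and secrets are constructed; `netmask` is the separate key used by the 2.x configuration syntax.

```python
import ipaddress
import re

# Constructed sample in FreeRADIUS 2.x clients.conf syntax (not from the slides).
SAMPLE_CLIENTS_CONF = """
# RADIUS clients: each access point that may send Access-Requests
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client ap-lab {
    ipaddr = 10.7.15.200
    secret = Zx9!kq2LmP8vR4tH
    shortname = lab-ap
    nastype = other
}
client any {
    ipaddr = 0.0.0.0
    netmask = 0
    secret = ap
}
"""

DEFAULT_SECRET = "testing123"  # the secret in the example clients.conf shipped with FreeRADIUS
MIN_SECRET_LENGTH = 16         # local policy threshold, an assumption for this example


def parse_clients_conf(text):
    """Parse 'client NAME { key = value ... }' blocks; '#' comments and blank lines are skipped."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^client\s+(\S+)\s*\{$", line)
        if match:
            current = clients.setdefault(match.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError(f"setting outside a client block: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        current[key.strip()] = value.strip().strip('"')
    if current is not None:
        raise ValueError("unterminated client block")
    return clients


def client_network(settings, name):
    """Combine ipaddr with an optional netmask, or use a CIDR client name, to get the allowed network."""
    addr = settings.get("ipaddr", name)
    if "/" in addr:
        return ipaddress.ip_network(addr, strict=False)
    return ipaddress.ip_network(f"{addr}/{settings.get('netmask', 32)}", strict=False)


def audit_clients(clients):
    """Return (client, finding) pairs for settings that weaken the AP <-> AS trust boundary."""
    findings = []
    for name, settings in clients.items():
        secret = settings.get("secret")
        if secret is None:
            findings.append((name, "no shared secret configured"))
        elif secret == DEFAULT_SECRET:
            findings.append((name, "uses the stock example secret"))
        elif len(secret) < MIN_SECRET_LENGTH:
            findings.append((name, f"secret shorter than {MIN_SECRET_LENGTH} characters"))
        try:
            network = client_network(settings, name)
        except ValueError:
            findings.append((name, "ipaddr/netmask is not a valid network"))
            continue
        if network.prefixlen == 0:
            findings.append((name, "accepts RADIUS requests from any source address"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(parse_clients_conf(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```

Run against the sample, the `localhost` and `any` entries are flagged and `ap-lab` passes; the same parser can be pointed at `/usr/local/etc/raddb/clients.conf` after the installation on the previous slide.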
    • Radiator
      – Installing Radiator
      – Configuring Radiator
    • IAS
      – Installing IAS
      – Configuring IAS
    • (4) Certificate Authority
    • Certificate Authority (CA)
      – Who needs a certificate?
          EAP Method   Supplicant                 Authentication Server
          EAP-TLS      Certificate is required    Certificate is required
          EAP-TTLS     Certificate is optional    Certificate is required
          PEAP         Certificate is optional    Certificate is required
          EAP-FAST
          LEAP
    • Certificate Authority (cont.)
      – Installing
          Install the IIS Service
          Install the CA Service
      – Configuring
      – For User (Client side)
          Obtain a certificate from the CA by MMC
          Obtain a certificate from the CA by Internet browser (Easy Way)
          Obtain a certificate from a Public Certificate Authority by Internet browser
    • Install the IIS Service
      – Click Start > Control Panel > Add or Remove Programs.
      – Click Add/Remove Windows Components.
      – Click Application Server and press the Details button.
      – Select IIS and click OK.
      – Total disk space required: 15.1 MB. Click Next.
      – After the wizard completes the installation, click Finish.
    • Install the CA Service
      – Click Start > Control Panel > Add or Remove Programs.
      – Click Add/Remove Windows Components.
      – Select Certificate Services.
      – You will get a warning about domain membership and computer renaming constraints; click Yes.
      – On the CA Type page, click Stand-alone root CA, and then click Next.
      – In the Common name for this CA box, type the name of the server, and then click Next.
      – If the private key already exists you are asked “Do you want to overwrite this key with a new one?”; just click Yes. You will not get this prompt on a first-time installation.
      – On the next page, accept the default settings and click Next.
      – You will get a prompt to stop IIS; click Yes.
      – On the next page, accept the default settings and click Next.
      – Enable Active Server Pages (ASPs) by clicking Yes.
      – After the installation process is completed, click Finish.
    • Issue Certificate
      – Click Start > Programs > Administrative Tools > Certification Authority.
      – In Certification Authority, click Pending Requests.
      – Click All Tasks > Issue. If there is no pending request, do “Request a certificate” first (see below).
      – You can check Issued Certificates now.
    • Obtain a DC from the CA by MMC
      – Go to the Start menu > Run, type mmc and press Enter.
      – You will get the MMC window.
      – In the MMC window, go to the File menu and select Add/Remove Snap-In.
      – Press the Add button.
      – Select Certificates from the available list of snap-ins and click Add.
      – Select My User Account. Click Finish.
      – Expand Certificates.
      – Right-click the Personal folder and select All Tasks > Request New Certificate.
    • Obtain a DC from the CA by Internet browser
      – Open an Internet browser such as IE or Firefox.
      – Type the following URL in the address bar: http://10.7.15.165/certsrv, where 10.7.15.165 is the CA server IP address.
      – In this page, click Request a certificate.
      – Click Web Browser Certificate.
      – To complete your certificate, type the requested information.
      – You will get a prompt to confirm your request; just click Yes.
      – Wait. After the CA administrator issues your certificate, continue with the steps below.
      – Open an Internet browser such as IE or Firefox.
      – Type the following URL in the address bar again: http://10.7.15.165/certsrv, where 10.7.15.165 is the CA server IP address.
      – In this page, click Download a CA certificate, certificate chain, or CRL.
      – In this page, click Download CA Certificate.
      – Click Save or Open “certnew.cer”.
      – Open the certificate. To install this CA certificate, click Install certificate…
      – Click Next, click Next, then click Finish.
      – You will get a prompt to make sure you want to install this certificate; just click Yes.
      – You did it.
      – Open the certificate again. Now it is a valid certificate.
    • Obtain a DC from a Public Certificate Authority
      – Open an Internet browser such as IE or Firefox.
      – Type the following URL in the address bar: http://archimedes.csisoftware.net/
      – In this page, click Request a certificate.
      – Click Web Browser Certificate.
      – To complete your certificate, type the requested information.
      – You will get a prompt to confirm your request; just click Yes.
      – Generating request…
      – Wait…
    • Testbed
          Role                               OS                                   Programs
          Supplicant                         Windows XP Prof. SP3 (Notebook)      Odyssey Client
          Authentication Server (Radius 1)   Windows XP                           Radiator 4.0
          Authentication Server (Radius 2)   Linux                                FreeRadius
          Certificate Authority              Windows Server 2003 Enterprise SP1
          Access Point