802.1x authentication

Detail phases for using 802.1X authentication, total 11 steps.

Published in Technology

Transcript

  • 1. 802.1x Authentication - Zhao Xiaoqi
  • 2. THE AUTHENTICATION PROCESS - WIRELESS. This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks. Volvo IT
  • 3. Association with the Wireless AP and Link-Layer Authentication
    When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences. This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association.
    The wireless client's configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.
  • 4. 802.1x Authentication Phases - Wireless
    1. Scanning
    2. Association
    3. Access Request
    4. EAP
    5. Authentication
    6. Authorization
    7. Access-Accept
    8. 802.1X Controlled Port
    9. DHCP Address Request
    10. Group Policy Applied
    11. Network Access
  • 5. Phase 1: Scanning. The client scans for an AP using a Probe Request.
  • 6. Phase 2: Association. The client associates with the AP:
    – The AP registers the client's MAC address and assigns a unique virtual port that is mapped to that MAC address.
    – The client registers the MAC address of the AP as the only device to which it is permitted to associate (until such time as it disassociates and then reassociates with another AP or wireless device).
  • 7. Phase 3: Access Request. Using its 802.1X uncontrolled port, the AP forwards a RADIUS Access-Request message to the RADIUS (IAS) server.
    Note: TCP/IP frames generated by the wireless client can only be sent to the network through the controlled port. The client cannot send frames using the controlled port until it is authenticated and authorized.
  • 8. (no text on this slide)
  • 9. Phase 4: EAP. If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS. After the negotiation is complete, the AP forwards messages between the client and the server running IAS.
    Note: There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista.
    Note: When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs through the secure TLS session.
  • 10. Phase 5: Authentication. After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAPv2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate of the issuing CA of the server certificate must be installed in the Trusted Root Certification Authorities certificate store on the client computer.
    After the client authenticates the server, the client sends password-based user credentials to the server running IAS, which verifies the client credentials against the user accounts database in Active Directory.
    – If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request.
    – If the credentials are valid, the server running IAS proceeds to the Authorization phase.
  • 11. Phase 6: Authorization. The server running IAS performs authorization, as follows:
    a. IAS checks the user or computer account dial-in properties in Active Directory.
    b. IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.
  • 12. Phase 7: Access-Accept. If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.
  • 13. (no text on this slide)
  • 14. Phase 8: 802.1X Controlled Port. As part of authentication, 802.1X dynamically generates session keys from which it further derives encryption keys to secure the wireless connection. The encryption keys are configured on both the wireless AP and the client; all subsequent data traffic is protected. The wireless AP enables the controlled port; traffic from the wireless client is allowed to traverse the port.
  • 15. Phase 9: DHCP Address Request. The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.
  • 16. Phase 10: Group Policy Applied. If configured, updated Group Policy is applied on the client during the domain logon operation; this includes the Wireless Network (IEEE 802.11) Policies Group Policy extension.
    Note: For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started, and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is immediately applied when the computer is started. If the 802.1X settings on the computer enable IAS to authorize the computer for network access, updated policies are downloaded and applied when the computer connects to the network, prior to user authentication. If the 802.1X settings on the computer cannot enable IAS to authorize the computer for network access at startup, then application of updated policies occurs immediately after user authentication.
  • 17. Phase 11: Network Access. The client is able to access network resources, contingent upon any applied restrictions.
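The eleven phases above, modelled end to end as an added Python example (not code from the slides, from Zhao Xiaoqi, or from Volvo IT). The supplicant, the AP with its uncontrolled and controlled ports, and the RADIUS (IAS) server are plain objects exchanging tuples instead of real EAPOL and RADIUS frames. The trusted-root set, user database, remote access policy, MAC addresses and certificate records are constructed sample data, and the key derivation is a simplified HMAC model rather than the real 802.11i pairwise key derivation. The scenarios exercise the success path and the failure modes the slides describe: a data frame dropped at the closed controlled port (Phase 3 note), a bad password and a denied dial-in property (Phases 5 and 6), an EAP method the policy does not allow (Phase 4), and a server whose certificate does not chain to a trusted root, in which case the client withholds its credentials (Phase 5).

```python
"""Model of the 11-phase 802.1X wireless flow described in the slides.

Constructed example: Client (supplicant), AccessPoint (authenticator) and
IasServer (RADIUS) exchange tuples instead of real EAPOL/RADIUS frames.
Every account, certificate, MAC address and policy value is sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (assumed, not taken from the slides).
TRUSTED_ROOT_CAS = {"Corp Root CA"}  # client's Trusted Root Certification Authorities store
USER_DB = {
    "alice": {"password": "s3cret", "dial_in": True},   # allowed to connect
    "bob":   {"password": "pw",     "dial_in": False},  # valid password, dial-in denied
}
REMOTE_ACCESS_POLICY = {"allowed_eap": {"PEAP-MS-CHAPv2", "EAP-TLS"}, "vlan": 10}


def derive_link_key(session_key, client_mac, ap_mac):
    """Phase 8: bind the RADIUS session key to this client/AP pair.
    Simplified HMAC model, not the real 802.11i pairwise key derivation."""
    label = f"{client_mac}|{ap_mac}".encode()
    return hmac.new(session_key, label, hashlib.sha256).digest()


class IasServer:
    """RADIUS (IAS) side of Phases 4-7."""

    def __init__(self, cert):
        self.cert = cert  # {"subject": ..., "issuer": ...}

    def negotiate(self, eap_method):
        # Phase 4: reject EAP methods the policy does not allow; otherwise
        # send the server certificate (Phase 5: the server proves itself first).
        if eap_method not in REMOTE_ACCESS_POLICY["allowed_eap"]:
            return ("Access-Reject", "EAP method not allowed")
        return ("EAP-Request", self.cert)

    def authenticate(self, username, password):
        acct = USER_DB.get(username)
        # Phase 5: verify the credentials against the account database.
        if acct is None or not hmac.compare_digest(acct["password"].encode(), password.encode()):
            return ("Access-Reject", "invalid credentials")
        if not acct["dial_in"]:  # Phase 6a: dial-in properties
            return ("Access-Reject", "dial-in denied")
        # Phase 6b: the single policy matches; Phase 7: Access-Accept with keying material.
        return ("Access-Accept", {"session_key": secrets.token_bytes(32),
                                  "vlan": REMOTE_ACCESS_POLICY["vlan"]})


class AccessPoint:
    """Authenticator: one virtual port per associated MAC (Phase 2)."""

    def __init__(self, mac, ias):
        self.mac, self.ias, self.ports = mac, ias, {}

    def associate(self, client_mac):
        self.ports[client_mac] = {"authorized": False, "key": None}

    def uncontrolled_port(self, client_mac, eap_msg):
        """Phase 3: EAP messages are relayed to the RADIUS server."""
        if client_mac not in self.ports:
            return ("Dropped", "not associated")
        if eap_msg[0] == "negotiate":
            return self.ias.negotiate(eap_msg[1])
        result, detail = self.ias.authenticate(eap_msg[1], eap_msg[2])
        if result == "Access-Accept":  # Phase 8: install the key, open the controlled port
            port = self.ports[client_mac]
            port["authorized"] = True
            port["key"] = derive_link_key(detail["session_key"], client_mac, self.mac)
        return (result, detail)

    def controlled_port(self, client_mac, frame):
        """Phases 9-11: data frames (DHCP etc.) pass only after authorization."""
        port = self.ports.get(client_mac)
        if port is None or not port["authorized"]:
            return ("Dropped", "controlled port closed")
        return ("Forwarded", frame)


class Client:
    """Supplicant: Phases 1-2, then EAP over the uncontrolled port."""

    def __init__(self, mac, username, password):
        self.mac, self.username, self.password = mac, username, password

    def connect(self, ap, eap_method="PEAP-MS-CHAPv2"):
        ap.associate(self.mac)  # Phases 1-2 (probe/scan not modelled)
        result, detail = ap.uncontrolled_port(self.mac, ("negotiate", eap_method))
        if result != "EAP-Request":
            return (result, detail)
        # Phase 5, client side: validate the server certificate chain before
        # any password-based credential leaves the client.
        if detail["issuer"] not in TRUSTED_ROOT_CAS:
            return ("Aborted", "server certificate not trusted")
        return ap.uncontrolled_port(self.mac, ("authenticate", self.username, self.password))


def run_scenarios():
    """Success path plus the failure modes the slides describe; returns a dict of outcomes."""
    genuine = IasServer({"subject": "ias.corp.example", "issuer": "Corp Root CA"})
    untrusted = IasServer({"subject": "ias.corp.example", "issuer": "Unknown CA"})
    ap = AccessPoint("00:11:22:33:44:55", genuine)
    alice = Client("aa:bb:cc:00:00:01", "alice", "s3cret")
    ap.associate(alice.mac)
    out = {"dhcp_before_auth": ap.controlled_port(alice.mac, "DHCP Discover")[0]}
    out["alice"] = alice.connect(ap)[0]
    out["dhcp_after_auth"] = ap.controlled_port(alice.mac, "DHCP Discover")[0]
    out["wrong_password"] = Client("aa:bb:cc:00:00:02", "alice", "wrong").connect(ap)[0]
    out["dial_in_denied"] = Client("aa:bb:cc:00:00:03", "bob", "pw").connect(ap)[0]
    out["bad_eap"] = Client("aa:bb:cc:00:00:04", "alice", "s3cret").connect(ap, "EAP-MD5")[0]
    out["untrusted_server"] = alice.connect(AccessPoint("66:77:88:99:aa:bb", untrusted))[0]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

Running the module prints one line per scenario. The two checks worth noticing for a defender are the order of operations in `Client.connect`, which mirrors the slide's requirement that the client validate the IAS certificate chain before sending password-based credentials, and `AccessPoint.controlled_port`, which is what keeps the DHCP request of Phase 9 off the network until Access-Accept has been processed in Phase 8.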
  • 18. (no text on this slide)