802.1x Authentication

Zhao Xiaoqi
This section provides an overview of the components and the processes involved in
establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks.

THE AUTHENTICATION PROCESS - WIRELESS
Volvo IT
Association with the Wireless AP and Link-Layer Authentication
When a wireless network adapter is turned on, it begins to scan across the wireless
frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active
process in which the wireless adapter sends Probe-Request frames on all channels of the
ISM frequency range and listens for the Probe-Response frames sent by wireless APs and
other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a
network, based on the configured preferences.
This choice is made automatically by using the SSID of a known or preferred wireless
network and the wireless AP with the best signal strength (the highest signal-to-noise ratio).
Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless
AP. This process is known as association.
The wireless client’s configuration settings determine whether the wireless client prefers to
connect with infrastructure or ad-hoc mode networks. By default, a wireless client running
Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless
networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too
low, if the error rate is too high, or if instructed by the operating system, the wireless client
scans for other wireless APs to determine whether a different wireless AP can provide a
stronger signal to the same wireless network. If so, the wireless client negotiates a
connection with that wireless AP. This process is known as roaming.

802.1x Authentication Phases - Wireless

1. Scanning
2. Association
3. Access Request
4. EAP
5. Authentication
6. Authorization
7. Access-Accept
8. 802.1X Controlled Port
9. DHCP Address Request
10. Group Policy Applied
11. Network Access




Phase 1: Scanning


   The client scans for an AP using a Probe Request.




Phase 2: Association


   The client associates with the AP:
    – The AP registers the client’s MAC address and assigns a
      unique virtual port that is mapped to that MAC address.
    – The client registers the MAC address of the AP as the only
      device with which it is permitted to associate (until such time as
      it disassociates and then reassociates with another AP or
      wireless device).




Phase 3: Access Request


   Using its 802.1X uncontrolled port, the AP forwards a RADIUS
   Access-Request message to the RADIUS (IAS) server.

    Note
    TCP/IP frames generated by the wireless client can only be
    sent to the network through the controlled port.
    The client cannot send frames using the controlled port until it
    is authenticated and authorized.




Phase 4: EAP
  If the server running IAS does not reject the Access-Request, the
  EAP authentication method is negotiated between the client and
  IAS.
  After the negotiation is complete, the AP forwards messages
  between the client and the server running IAS.
   Note
   There are many EAP authentication types.
   Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in
   Windows Server 2003, Windows XP, and Windows Vista.

   Note
   When PEAP is used, a TLS session is first created between the access
   client and the server running IAS; authentication then occurs through
   the secure TLS session.

Phase 5: Authentication
After the EAP authentication method is agreed upon between the client and IAS, the server
running IAS sends its server certificate chain to the client computer as proof of identity.
The client computer uses the IAS server certificate to authenticate the server running IAS.
Successful PEAP-MS-CHAPv2 authentication requires that the client trusts the server
running IAS after validating the IAS server certificate chain.
For the client to trust the server running IAS, the root CA certificate of the CA that issued the
server certificate must be installed in the Trusted Root Certification Authorities certificate store
on the client computer.


After the client authenticates the server, the client sends password-based user credentials
to the server running IAS, which verifies the client credentials against the user accounts
database in Active Directory.
  – If the credentials are not valid, IAS sends an Access-Reject message to the AP in
    response to the connection request.
  – If the credentials are valid, the server running IAS proceeds to the Authorization phase.


Phase 6: Authorization


   The server running IAS performs authorization, as follows:
    a. IAS checks the dial-in properties of the user or computer account
       in Active Directory.
    b. IAS then attempts to find a remote access policy that
       matches the connection request.
       If a matching remote access policy is found, IAS authorizes
       the connection request based on that policy.




Phase 7: Access-Accept


   If the authorization is successful, IAS sends the AP an Access-Accept
   message.
   If authorization is not successful, IAS sends an Access-Reject
   message.
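The two RADIUS messages of Phase 3 and Phase 7, as an added example that is not part of the original slides: the AP's Access-Request carrying the EAP identity, and the server's Access-Accept, with the Response Authenticator (RFC 2865) and Message-Authenticator (RFC 3579) that let the AP confirm the reply came from the IAS server holding the shared secret, and was not altered, before it opens the controlled port. The shared secret, user name and EAP payloads are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attributes used in an EAP-over-RADIUS exchange (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; Length counts the 2-byte header."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)

def decode_attrs(body):
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs

def _assemble(code, identifier, authenticator, attr_bytes):
    return HEADER.pack(code, identifier, HEADER.size + len(attr_bytes), authenticator) + attr_bytes

def _message_authenticator(code, identifier, key_auth, attr_bytes, secret):
    """RFC 3579 Message-Authenticator: HMAC-MD5(secret) over the packet with the MA value
    zeroed; key_auth is the Request Authenticator for the request and for any reply to it."""
    return hmac.new(secret, _assemble(code, identifier, key_auth, attr_bytes), hashlib.md5).digest()

def _sign_attrs(code, identifier, key_auth, attrs, secret):
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 _message_authenticator(code, identifier, key_auth, encode_attrs(attrs), secret))
    return encode_attrs(attrs)

def _message_authenticator_ok(code, identifier, key_auth, body, secret):
    attrs = decode_attrs(body)
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False  # mandatory, exactly once, whenever EAP-Message is carried
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.compare_digest(_message_authenticator(code, identifier, key_auth, zeroed, secret), found[0])

def build_access_request(identifier, secret, attrs, request_authenticator=None):
    """Phase 3: the AP's Access-Request. The AP keeps the random Request Authenticator
    so it can bind the Phase 7 reply to this exact request."""
    req_auth = request_authenticator or os.urandom(16)
    body = _sign_attrs(ACCESS_REQUEST, identifier, req_auth, attrs, secret)
    return _assemble(ACCESS_REQUEST, identifier, req_auth, body), req_auth

def verify_access_request(packet, secret):
    """Server side: the identifier if the Message-Authenticator is valid, else None."""
    if len(packet) < HEADER.size:
        return None
    code, identifier, length, req_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    ok = _message_authenticator_ok(code, identifier, req_auth, packet[HEADER.size:], secret)
    return identifier if ok else None

def build_response(code, request_authenticator, identifier, secret, attrs):
    """Phase 7: Access-Accept/Reject/Challenge. Response Authenticator (RFC 2865) =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), computed after the MA is in."""
    body = _sign_attrs(code, identifier, request_authenticator, attrs, secret)
    resp_auth = hashlib.md5(_assemble(code, identifier, request_authenticator, body) + secret).digest()
    return _assemble(code, identifier, resp_auth, body)

def verify_response(packet, request_authenticator, identifier, secret):
    """AP side, before the controlled port is opened: identifier, Response Authenticator and
    Message-Authenticator must all check out. Returns the code (e.g. ACCESS_ACCEPT) or None."""
    if len(packet) < HEADER.size:
        return None
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    if ident != identifier or length != len(packet):
        return None
    body = packet[HEADER.size:]
    expected = hashlib.md5(_assemble(code, ident, request_authenticator, body) + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return code if _message_authenticator_ok(code, ident, request_authenticator, body, secret) else None

def demo():
    # Constructed exchange: EAP Response/Identity for "alice" goes out, EAP-Success comes back.
    secret = b"constructed-shared-secret"             # constructed sample value
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP Code=Response, Id=1, Len=10, Type=Identity
    eap_success = bytes([3, 2, 0, 4])                  # EAP Code=Success, Id=2, Len=4
    request, req_auth = build_access_request(7, secret, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (ATTR_EAP_MESSAGE, eap_identity)])
    accept = build_response(ACCESS_ACCEPT, req_auth, 7, secret, [(ATTR_EAP_MESSAGE, eap_success)])
    return verify_response(accept, req_auth, 7, secret)  # ACCESS_ACCEPT (2)
```

An AP that skips these checks would open the controlled port on any UDP datagram with the right identifier, so the shared secret and the per-request authenticator are what make Phase 7 trustworthy.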




Phase 8: 802.1X Controlled Port


   As part of authentication, 802.1X dynamically generates session
   keys from which it further derives encryption keys to secure the
   wireless connection.
   The encryption keys are configured on both the wireless AP and
   the client; all subsequent data traffic is protected.
   The wireless AP enables the controlled port;
   traffic from the wireless client is allowed to traverse the port.




Phase 9: DHCP Address Request


   The client sends a DHCP address request through the 802.1X
   controlled port to the network.
   If a DHCP server responds, the client obtains an IP address.




Phase 10: Group Policy Applied
   If configured, updated Group Policy is applied on the client during
   domain logon operation;
   this includes the Wireless Network (IEEE802.11) Policies
   Group Policy extension.
  Note
  For computers already configured with Wireless Network (IEEE 802.11) Policies, Group
  Policy is applied when the computer is started and whenever an updated policy is
  downloaded.
  If Group Policy is updated on the server while the computer is turned off, the last known
  policy (which might be stale) is immediately applied when the computer is started.
  If the 802.1X settings on the computer enable IAS to authorize the computer for network
  access, updated policies are downloaded and applied when the computer connects to
  the network, prior to user authentication.
  If 802.1X settings on the computer cannot enable IAS to authorize the computer for
  network access at startup, then application of updated policies occurs immediately after
  user authentication.

Phase 11: Network Access


   The client is able to access network resources, contingent upon
   any applied restrictions.





More Related Content

What's hot

Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateway
 
RUCKUS Unleashed & SmartZone
RUCKUS Unleashed & SmartZoneRUCKUS Unleashed & SmartZone
RUCKUS Unleashed & SmartZoneCarla Nadin
 
Packet radio protocol
Packet radio protocolPacket radio protocol
Packet radio protocolPriya Kaushal
 
Carrier-sense multiple access with collision avoidance CSMA/CA
Carrier-sense multiple access with collision avoidance CSMA/CACarrier-sense multiple access with collision avoidance CSMA/CA
Carrier-sense multiple access with collision avoidance CSMA/CASoumen Santra
 
Issues In Adhoc Wireless Network
Issues In Adhoc Wireless NetworkIssues In Adhoc Wireless Network
Issues In Adhoc Wireless NetworkDushhyant Kumar
 
VMware Cloud on AWS -- A Technical Deep Dive PPT
VMware Cloud on AWS -- A Technical Deep Dive PPTVMware Cloud on AWS -- A Technical Deep Dive PPT
VMware Cloud on AWS -- A Technical Deep Dive PPTAmazon Web Services
 
Selective repeat protocol
Selective repeat protocolSelective repeat protocol
Selective repeat protocolManusha Dilan
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)Respa Peter
 

What's hot (20)

Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs  in Aruba 8.x EMEA Airheads - Configuring different APIs  in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
 
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI NavigationEMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
 
Campus Network Design version 8
Campus Network Design version 8Campus Network Design version 8
Campus Network Design version 8
 
RUCKUS Unleashed & SmartZone
RUCKUS Unleashed & SmartZoneRUCKUS Unleashed & SmartZone
RUCKUS Unleashed & SmartZone
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming Devices
 
Packet radio protocol
Packet radio protocolPacket radio protocol
Packet radio protocol
 
Carrier-sense multiple access with collision avoidance CSMA/CA
Carrier-sense multiple access with collision avoidance CSMA/CACarrier-sense multiple access with collision avoidance CSMA/CA
Carrier-sense multiple access with collision avoidance CSMA/CA
 
101 CCNA LABS.pdf
101 CCNA LABS.pdf101 CCNA LABS.pdf
101 CCNA LABS.pdf
 
Vlan
VlanVlan
Vlan
 
Acmp study guide_d[1]
Acmp study guide_d[1]Acmp study guide_d[1]
Acmp study guide_d[1]
 
Issues In Adhoc Wireless Network
Issues In Adhoc Wireless NetworkIssues In Adhoc Wireless Network
Issues In Adhoc Wireless Network
 
VMware Cloud on AWS -- A Technical Deep Dive PPT
VMware Cloud on AWS -- A Technical Deep Dive PPTVMware Cloud on AWS -- A Technical Deep Dive PPT
VMware Cloud on AWS -- A Technical Deep Dive PPT
 
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deploymentsEMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
 
Apple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass GuestApple Captive Network Assistant Bypass with ClearPass Guest
Apple Captive Network Assistant Bypass with ClearPass Guest
 
Selective repeat protocol
Selective repeat protocolSelective repeat protocol
Selective repeat protocol
 
Airheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.xAirheads Tech Talks: Advanced Clustering in AOS 8.x
Airheads Tech Talks: Advanced Clustering in AOS 8.x
 
Open shortest path first (ospf)
Open shortest path first (ospf)Open shortest path first (ospf)
Open shortest path first (ospf)
 
Chap24
Chap24Chap24
Chap24
 

Viewers also liked

IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationAxis Communications
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 
Ieee 802.1 redes lan
Ieee 802.1 redes lanIeee 802.1 redes lan
Ieee 802.1 redes lanomegaleonx45
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication StandardDan Miller
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and UpdateCisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld
 

Viewers also liked (20)

802.1x
802.1x802.1x
802.1x
 
Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
IEEE 802.1x
IEEE 802.1xIEEE 802.1x
IEEE 802.1x
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ Implementation
 
802.1x
802.1x802.1x
802.1x
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 
Ieee 802.1 redes lan
Ieee 802.1 redes lanIeee 802.1 redes lan
Ieee 802.1 redes lan
 
padrão ieee 802.2
padrão ieee 802.2padrão ieee 802.2
padrão ieee 802.2
 
802.1x Authentication Standard
802.1x Authentication Standard802.1x Authentication Standard
802.1x Authentication Standard
 
Arquitetura IEEE 802
Arquitetura IEEE 802Arquitetura IEEE 802
Arquitetura IEEE 802
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep DiveVMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
VMworld 2015: vSphere Distributed Switch 6 –Technical Deep Dive
 
VMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's BackboneVMworld 2015: Networking Virtual SAN's Backbone
VMworld 2015: Networking Virtual SAN's Backbone
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SAN
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts Panel
 
SKYPE AS OVERLAY NETWORK
SKYPE AS OVERLAY NETWORKSKYPE AS OVERLAY NETWORK
SKYPE AS OVERLAY NETWORK
 

Similar to 802.1x authentication

Service Provider Wi-Fi Networks: Scaling Signaling Transactions (White Paper)
Service Provider Wi-Fi Networks:  Scaling Signaling Transactions (White Paper)Service Provider Wi-Fi Networks:  Scaling Signaling Transactions (White Paper)
Service Provider Wi-Fi Networks: Scaling Signaling Transactions (White Paper)Cisco Service Provider Mobility
 
Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 
Wi fi security dedicated architectures
Wi fi security dedicated architecturesWi fi security dedicated architectures
Wi fi security dedicated architecturesparipec
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfdjameleddine2015
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfAllen Kuo
 
Handlink ISS-6000 Presentation
Handlink ISS-6000 PresentationHandlink ISS-6000 Presentation
Handlink ISS-6000 PresentationITWare
 
10 steps for troubleshooting wi fi
10 steps for troubleshooting wi fi10 steps for troubleshooting wi fi
10 steps for troubleshooting wi fiTaylorStepanski
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShareyayao
 
802 11 3
802 11 3802 11 3
802 11 3rphelps
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Netgear Italia
 
Ch11 Hacking Wireless Networks it-slideshares.blogspot.com
Ch11 Hacking Wireless Networks it-slideshares.blogspot.comCh11 Hacking Wireless Networks it-slideshares.blogspot.com
Ch11 Hacking Wireless Networks it-slideshares.blogspot.comphanleson
 
wireless local area networks (http://4knet.ir)
wireless local area networks (http://4knet.ir)wireless local area networks (http://4knet.ir)
wireless local area networks (http://4knet.ir)Azad Kaki
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guideWilson Ospina
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 

Similar to 802.1x authentication (20)

Service Provider Wi-Fi Networks: Scaling Signaling Transactions (White Paper)
Service Provider Wi-Fi Networks:  Scaling Signaling Transactions (White Paper)Service Provider Wi-Fi Networks:  Scaling Signaling Transactions (White Paper)
Service Provider Wi-Fi Networks: Scaling Signaling Transactions (White Paper)
 
Remote access service
Remote access serviceRemote access service
Remote access service
 
Wi fi security dedicated architectures
Wi fi security dedicated architecturesWi fi security dedicated architectures
Wi fi security dedicated architectures
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdf
 
Wireless lan security(10.8)
Wireless lan security(10.8)Wireless lan security(10.8)
Wireless lan security(10.8)
 
Handlink ISS-6000 Presentation
Handlink ISS-6000 PresentationHandlink ISS-6000 Presentation
Handlink ISS-6000 Presentation
 
Sw8021x
Sw8021xSw8021x
Sw8021x
 
10 steps for troubleshooting wi fi
10 steps for troubleshooting wi fi10 steps for troubleshooting wi fi
10 steps for troubleshooting wi fi
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
802 11 3
802 11 3802 11 3
802 11 3
 
Introduction to WAP
Introduction to WAPIntroduction to WAP
Introduction to WAP
 
Wi Fi Technology
Wi Fi TechnologyWi Fi Technology
Wi Fi Technology
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
 
Wireless Networks
Wireless NetworksWireless Networks
Wireless Networks
 
Ch11 Hacking Wireless Networks it-slideshares.blogspot.com
Ch11 Hacking Wireless Networks it-slideshares.blogspot.comCh11 Hacking Wireless Networks it-slideshares.blogspot.com
Ch11 Hacking Wireless Networks it-slideshares.blogspot.com
 
Lec 6.pptx
Lec 6.pptxLec 6.pptx
Lec 6.pptx
 
wireless local area networks (http://4knet.ir)
wireless local area networks (http://4knet.ir)wireless local area networks (http://4knet.ir)
wireless local area networks (http://4knet.ir)
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

802.1x authentication

  • 1. 802.1x Authentication Zhao Xiaoqi
  • 2. This section provides an overview of the components and the processes involved in establishing 802.11 wireless connections to 802.1X authenticating infrastructure networks. THE AUTHENTICATION PROCESS - WIRELESS Volvo IT
  • 3. Association with the Wireless AP and Link-Layer Authentication
    When a wireless network adapter is turned on, it begins to scan across the wireless frequencies (spectrum) for wireless APs and other wireless clients. Scanning is an active process in which the wireless adapter sends Probe-Request frames on all channels of the ISM frequency range and listens for the Probe-Response frames sent by wireless APs and other wireless clients. After scanning, Windows instructs the wireless adapter to connect to a network, based on the configured preferences.
    This choice is made automatically by using the SSID of a known or preferred wireless network and the wireless AP with the best signal strength (the highest signal-to-noise ratio). Next, the wireless client negotiates the use of a logical wireless port with the chosen wireless AP. This process is known as association.
    The wireless client's configuration settings determine whether the wireless client prefers to connect with infrastructure or ad-hoc mode networks. By default, a wireless client running Windows Vista, Windows XP, or Windows Server 2003 prefers infrastructure mode wireless networks over ad-hoc mode wireless networks. If the signal strength of the wireless AP is too low, if the error rate is too high, or if instructed by the operating system, the wireless client scans for other wireless APs to determine whether a different wireless AP can provide a stronger signal to the same wireless network. If so, the wireless client negotiates a connection with that wireless AP. This process is known as roaming.
  • 4. 802.1x Authentication Phases - Wireless
    1. Scanning
    2. Association
    3. Access Request
    4. EAP
    5. Authentication
    6. Authorization
    7. Access-Accept
    8. 802.1X Controlled Port
    9. DHCP Address Request
    10. Group Policy Applied
    11. Network Access
  • 5. Phase 1: Scanning The client scans for an AP using a Probe Request.
  • 6. Phase 2: Association The client associates with the AP: – The AP registers the client's MAC address and assigns a unique virtual port that is mapped to that MAC address. – The client registers the MAC address of the AP as the only device with which it is permitted to associate (until such time as it disassociates and then reassociates with another AP or wireless device).
  • 7. Phase 3: Access Request The AP accepts the client's 802.1X (EAPOL) frames on its uncontrolled port and forwards the client's authentication data to the RADIUS (IAS) server in a RADIUS Access-Request message. Note: TCP/IP frames generated by the wireless client can only reach the network through the controlled port, and the client cannot send frames through the controlled port until it has been authenticated and authorized.
  • 9. Phase 4: EAP If the server running IAS does not reject the Access-Request, the EAP authentication method is negotiated between the client and IAS. After the negotiation is complete, the AP forwards messages between the client and the server running IAS. Note: There are many EAP authentication types. Both EAP-TLS and PEAP-MS-CHAPv2 are supported natively in Windows Server 2003, Windows XP, and Windows Vista. Note: When PEAP is used, a TLS session is first created between the access client and the server running IAS; authentication then occurs inside the protected TLS session.
  • 10. Phase 5: Authentication After the EAP authentication method is agreed upon between the client and IAS, the server running IAS sends its server certificate chain to the client computer as proof of identity. The client computer uses the IAS server certificate to authenticate the server running IAS. Successful PEAP-MS-CHAPv2 authentication requires that the client trusts the server running IAS after validating the IAS server certificate chain. For the client to trust the server running IAS, the root CA certificate at the top of the chain that issued the server certificate must be installed in the Trusted Root Certification Authorities certificate store on the client computer. After the client has authenticated the server, the client authenticates the user with MS-CHAPv2 (a password-based challenge/response) inside the TLS session, and the server running IAS verifies the response against the user account in Active Directory. – If the credentials are not valid, IAS sends an Access-Reject message to the AP in response to the connection request. – If the credentials are valid, the server running IAS proceeds to the Authorization phase.
  • 11. Phase 6: Authorization The server running IAS performs authorization, as follows: a. IAS checks the user or computer account's dial-in properties in Active Directory. b. IAS then attempts to find a remote access policy that matches the connection request. If a matching remote access policy is found, IAS authorizes the connection request based on that policy.
  • 12. Phase 7: Access-Accept If the authorization is successful, IAS sends the AP an Access-Accept message. If authorization is not successful, IAS sends an Access-Reject message.
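The AP-to-IAS leg of phases 3 through 7, as an added example that is not part of the original slides: a small Python model (standard library only) of EAP packets carried in RADIUS EAP-Message attributes, the Message-Authenticator and Response Authenticator checks that each side performs before acting on a packet, the Legacy Nak by which the client steers the method choice (here from the server's PEAP proposal to EAP-TLS), and the AP opening its controlled port only for an Access-Accept it has verified against the shared secret. The shared secret, user identity, EAP identifiers and packet contents are constructed; the TLS handshake and credential check of phases 5 and 6 are represented by a comment, not implemented.

```python
import hashlib
import hmac
import os
import struct

# Constructed RADIUS shared secret, assumed to be configured on both the AP and the IAS server.
SHARED_SECRET = b"constructed-shared-secret"
# EAP (RFC 3748) codes and method types; RADIUS (RFC 2865, RFC 3579) codes and attribute types.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_TLS, EAP_TYPE_PEAP = 1, 3, 13, 25
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value

def parse_attrs(raw):
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed RADIUS attribute")
        out.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out

def eap_attrs(eap):
    """EAP-Message holds at most 253 bytes, so a long EAP packet spans several attributes."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))

def message_authenticator(head, authenticator, attrs, secret=SHARED_SECRET):
    """RFC 3579 3.2: HMAC-MD5 over the packet with Message-Authenticator zeroed; in a
    response the Request Authenticator of the matching Access-Request fills the field."""
    return hmac.new(secret, head + authenticator + attrs, hashlib.md5).digest()

def access_request(ident, req_auth, username, eap):
    """AP -> IAS: relay one EAP packet from the supplicant (phase 3)."""
    attrs = attr(ATTR_USER_NAME, username) + eap_attrs(eap) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs[:-16] + message_authenticator(head, req_auth, attrs)

def radius_response(code, request, eap, secret=SHARED_SECRET):
    """IAS -> AP: Access-Challenge or Access-Accept answering `request` (phases 4 to 7).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = eap_attrs(eap) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    attrs = attrs[:-16] + message_authenticator(head, req_auth, attrs, secret)
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def check_message_authenticator(pkt, hmac_authenticator):
    """Receiver side: a packet carrying EAP-Message without a valid Message-Authenticator is dropped."""
    found, zeroed = None, b""
    for t, v in parse_attrs(pkt[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            found, v = v, bytes(16)
        zeroed += attr(t, v)
    if found is None or len(found) != 16:
        return False
    return hmac.compare_digest(found, message_authenticator(pkt[:4], hmac_authenticator, zeroed))

def check_response(resp, request):
    """AP side: only a response bound to our request by the shared secret may change port state."""
    if len(resp) < 20 or resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(resp[4:20], expected) and check_message_authenticator(resp, request[4:20])

def eap_from_radius(pkt):
    return b"".join(v for t, v in parse_attrs(pkt[20:]) if t == ATTR_EAP_MESSAGE)

def run_exchange(username=b"EXAMPLE\\user1", rogue_secret=None):
    """Walk phases 3 to 7 and the port decision of phase 8. With rogue_secret set, the final
    Access-Accept comes from a party without the shared secret; the port must stay closed."""
    state = {"identity": None, "negotiated_type": None, "port_authorized": False, "radius_id": 0}

    def relay(eap):  # AP wraps the supplicant's EAP packet; IAS validates before parsing it
        state["radius_id"] = (state["radius_id"] + 1) & 0xFF
        req = access_request(state["radius_id"], os.urandom(16), username, eap)
        if not check_message_authenticator(req, req[4:20]):
            raise RuntimeError("IAS: dropping Access-Request with bad Message-Authenticator")
        return req

    # Phase 3: EAP-Response/Identity arrives on the AP's uncontrolled port and is relayed.
    req = relay(eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, username))
    _, _, t, data = parse_eap(eap_from_radius(req))
    state["identity"] = data if t == EAP_TYPE_IDENTITY else None
    # Phase 4: IAS proposes PEAP (Start flag 0x20); the client is configured for EAP-TLS
    # and answers with a Legacy Nak naming type 13, which IAS then honours.
    chal = radius_response(ACCESS_CHALLENGE, req, eap_packet(EAP_REQUEST, 2, EAP_TYPE_PEAP, b"\x20"))
    if not check_response(chal, req):
        raise RuntimeError("AP: dropping Access-Challenge not bound to our request")
    _, ident, offered, _ = parse_eap(eap_from_radius(chal))
    req = relay(eap_packet(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes([EAP_TYPE_TLS])))
    _, _, t, wanted = parse_eap(eap_from_radius(req))
    state["negotiated_type"] = wanted[0] if t == EAP_TYPE_NAK and wanted else offered
    # Phases 5 and 6 (TLS handshake, credential check, policy match) run over further
    # Challenge/Request rounds and are elided here; phase 7 is Access-Accept + EAP-Success.
    accept = radius_response(ACCESS_ACCEPT, req, eap_packet(EAP_SUCCESS, ident + 1),
                             secret=rogue_secret or SHARED_SECRET)
    # Phase 8: the controlled port is authorised only for an Access-Accept the AP has verified.
    state["port_authorized"] = accept[0] == ACCESS_ACCEPT and check_response(accept, req)
    return state

if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(rogue_secret=b"not-the-shared-secret"))
```

The second call in the usage shows the check that matters in practice: an Access-Accept whose Response Authenticator and Message-Authenticator were not computed with the AP's shared secret is ignored, so a forged or replayed acceptance does not open the controlled port.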
  • 14. Phase 8: 802.1X Controlled Port As part of authentication, the EAP exchange produces per-session keying material on the client and on the server running IAS; IAS passes it to the AP together with the Access-Accept, and the client and AP derive from it the encryption keys that secure the wireless connection. Once these keys are in place on both the wireless AP and the client, all subsequent data traffic is protected. The wireless AP then authorizes the controlled port, and traffic from the wireless client is allowed to traverse it.
  • 15. Phase 9: DHCP Address Request The client sends a DHCP address request through the 802.1X controlled port to the network. If a DHCP server responds, the client obtains an IP address.
  • 16. Phase 10: Group Policy Applied If configured, updated Group Policy is applied on the client during the domain logon operation; this includes the Wireless Network (IEEE 802.11) Policies Group Policy extension. Note: For computers already configured with Wireless Network (IEEE 802.11) Policies, Group Policy is applied when the computer is started and whenever an updated policy is downloaded. If Group Policy is updated on the server while the computer is turned off, the last known policy (which might be stale) is applied immediately when the computer is started. If the 802.1X settings on the computer allow IAS to authorize the computer itself for network access, updated policies are downloaded and applied when the computer connects to the network, before user authentication. If the 802.1X settings on the computer do not allow IAS to authorize the computer for network access at startup, updated policies are applied immediately after user authentication.
  • 17. Phase 11: Network Access The client is able to access network resources, contingent upon any applied restrictions.