Implementing 802.1x Authentication

This is the presentation of my 802.1x Authentication seminar at New Horizons of Sofia, at 22.10.2008.

  • My name is Deniz Kaya and today I will be speaking about the 802.1x authentication standard, how to configure it on Cisco Catalyst Switches and also the 802.1x authentication client in Microsoft Windows. In the year 2000, IEEE created the 802.1x specification. This was done to further protect wired and wireless networks. First of all, I want to lay the groundwork of what 802.1x authentication really is, and how it enhances network security. We'll talk briefly about the specifics of the protocol, and we'll also get into implementation and EAP methods (Extensible Authentication Protocol methods). And then we'll talk about the kind of configuration and the type of scenarios that you'll be using 802.1x in.
  • Implementing 802.1x Authentication

    1. 802.1X Authentication. Deniz Kaya, Microsoft, Cisco, Ironport Trainer; CCSI, CCNP, MCT, MCSE, ICSI, ICSP, CPTS
    2. … While the Assets Needing to be Protected are Expanding
       One physical network must accommodate multiple logical networks (user groups), each with its own rules.
       (Diagram labels: Service Provider/Internet, Teleworker, City Hall, VPN Head-End, Cable Provider, 831, Library, Partner/Vendor, Airport)
    3. IDENTITY: So, you said MAC Address?
       • Windows 2000 and XP allow MAC addresses to be changed easily
       • A MAC address is not an authentication mechanism…
    4. Determining “who” gets access and “what” they can do
       • Equivalent to placing a security guard at each switch port
       • Only authorized users can get network access
       • Unauthorized users can be placed into “Guest” VLANs
       • Prevents unauthorized APs
       (Diagram labels: Campus Network; User Identity Based Network Access; User Based Policies Applied (BW, QoS etc.); Authorized Users/Devices; Unauthorized Users/Devices)
    5. What Exactly Is 802.1x?
       • Standard set by the IEEE 802.1 working group.
       • Describes a standard link layer protocol used for transporting higher-level authentication protocols.
       • Works between the Supplicant and the Authenticator.
       • Maintains backend communication to an Authentication Server.
    6. Some IEEE Terminology (normal people terms = IEEE terms)
       • AAA/RADIUS Server = Authentication Server
       • Network Access Device = Authenticator
       • Client = Supplicant
    7. What Does it Do?
       • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
       • The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information.
       (Diagram: 802.1x Header | EAP Payload)
    8. What is RADIUS?
       • RADIUS – the Remote Authentication Dial In User Service
       • A protocol used to communicate between a network device and an authentication server or database.
       • Allows the communication of login and authentication information, e.g. username/password, OTP, etc.
       • Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).
       (Diagram: UDP Header | RADIUS Header | EAP Payload)
    9. 802.1x – enhancing LAN security: Topology (diagram)
    10. Wired Access Control Model
       • RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
       • RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
       (Diagram: client and switch talk 802.1x; switch speaks to the auth server using RADIUS; the actual authentication conversation is between client and auth server using EAP; the switch is just a middleman, but is aware of what’s going on)
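The encapsulation slides 8 and 10 describe (EAP carried inside RADIUS EAP-Message attributes, with the switch as relay), as an added Python example that is not from the presentation. It builds the Access-Request a switch would send after the supplicant's EAP-Response/Identity, and shows the server-side check RFC 3579 requires before the EAP content is trusted: an Access-Request carrying EAP-Message must also carry a valid Message-Authenticator. The shared secret, username and identifier values are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 3579
ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_response_identity(identifier, identity):
    """EAP Code 2 (Response), Type 1 (Identity): the supplicant's reply to the
    switch's Identity-Request, the first EAP payload the switch relays."""
    body = bytes([1]) + identity
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def attr(atype, value):
    """One RADIUS attribute: Type, Length (includes these two bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, ident, authenticator, username, eap):
    """Access-Request as the switch builds it: EAP split into EAP-Message
    attributes (max 253 bytes each), Message-Authenticator = HMAC-MD5 over
    the whole packet, keyed with the RADIUS shared secret."""
    attrs = attr(USER_NAME, username)
    for i in range(0, len(eap), 253):
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def check_access_request(secret, pkt):
    """Server side: reassemble the EAP payload, but only after the
    Message-Authenticator verifies (its own 16 bytes zeroed during the HMAC).
    Returns the EAP payload, or None when the attribute is missing or wrong."""
    mac_off, eap, pos = None, b"", 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        elif atype == MESSAGE_AUTHENTICATOR:
            mac_off = pos + 2
        pos += alen
    if mac_off is None:
        return None
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]) else None
```

A real server also validates the Request Authenticator and packet length fields; the example keeps only the check that binds the EAP payload to the shared secret.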
    11. Identity Based Network Services
       • Set port to enable
       • set port vlan 10
       (Diagram: 802.1x capable client ↔ 802.1x capable access devices (6500 Series, 4000 Series, 3550/2950 Series, Access Points) ↔ AAA RADIUS server (802.1x Authentication Server) ↔ Active Directory (login and Certificate Services). VLAN 10 = Engineering VLAN. IEEE 802.1x + VLANs + VVID + ACL + QoS. Flow: Login Request → Login Info → Verify Login and Check with Policy DB → Login Good! Apply Policies → switch applies policies and enables port; Login + Certificate → Login Verified.)
    12. 802.1x client implementation in Windows
       • Wired interfaces – enabled by default
       • Wireless interfaces – integrated with the wireless configuration client
         ◦ Enabled by default if privacy is enabled
         ◦ Dynamic keys usage enforcement
       • User and computer authentication enabled by default
    13. 802.1x in Microsoft Windows: Machine and user authentication
       (Diagram, state flow: Startup → Machine credentials available (use machine credentials) → Machine authentication success / failure → User logon → User credentials available (use user credentials) → User authentication success / failure → User logoff)
    14. Windows Machine Authentication
       (Diagram, boot sequence: Power Up → Load NDIS drivers → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs → Present GINA (Ctrl-Alt-Del) → Login; annotation: 802.1x Authenticate as Computer)
       • What is Machine Authentication?
         ◦ The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.
       • What is it used for?
         ◦ Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows Domain Controllers in order to pull down machine group policies.
       • Why do we care?
         ◦ Pre-802.1x this worked under the assumption that network connectivity was a given. Post-802.1x, blocking network access prior to 802.1x authentication breaks the machine-based group policy model – UNLESS the machine can authenticate using its own identity in 802.1x.
    15. 802.1x in Microsoft Windows: 802.1x authentication configuration page
       • Same for wired and wireless
       • Provides control over computer and guest authentication
       • EAP method setting
    16. What is EAP?
       • EAP – the Extensible Authentication Protocol
       • A flexible protocol used to carry arbitrary authentication information.
    17. EAP layering (diagram)
       • Method layer: EAP TLS, GSS_API Kerberos, PEAP, MS-CHAPv2, TLS, IKE, MD5
       • EAP layer: EAP
       • Media layer: PPP, 802.3, 802.5, 802.11, Other…
    18. 802.1x authentication client: EAP methods available in Windows
       • EAP-TLS (Transport Layer Security) – default setting for the 802.1x client in Windows
       • PEAP (Protected EAP) allows inner methods
         ◦ TLS (certificate based)
         ◦ Microsoft Challenge Handshake Authentication Protocol v2 (MSCHAPv2) (password based)
       • EAP-MD5 – available for wired networks only
         ◦ Doesn’t provide an encrypted session between supplicant and authenticator
         ◦ Transfers password hashes in the clear
    19. 802.1x authentication client: EAP methods – wired and wireless networks (configuration screenshots)
    20. EAP with MD5
       (Diagram: Authenticator and Peer each hold the cleartext password. Exchange: identity-request → identity-response (username) → MD5-challenge-request (random challenge) → MD5-challenge-response, R = MD5(password, challenge) → success or failure. The authenticator checks that MD5(password, challenge) equals the response.)
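The MD5-Challenge exchange drawn on this slide, written out as an added Python example that is not from the presentation. The response value is the slide's R = MD5(password, challenge) with the EAP Identifier prefixed, as RFC 1994 and RFC 3748 specify; both ends must hold the cleartext password and nothing in the exchange yields a session key, which is why slide 18 limits EAP-MD5 to wired networks. The passwords and the fixed challenge used in the checks are constructed values.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge type from RFC 3748; digest per RFC 1994 (CHAP)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4


def eap_packet(code, identifier, type_data=b""):
    """EAP header (Code, Identifier, Length) followed by Type and Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def md5_challenge_request(identifier, challenge=None):
    """Authenticator -> peer: Type 4, Value-Size, Value. The challenge must be
    fresh and unpredictable, otherwise a captured response can be replayed."""
    challenge = os.urandom(16) if challenge is None else challenge
    return eap_packet(REQUEST, identifier, bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)


def md5_digest(identifier, password, challenge):
    """R = MD5(Identifier || password || challenge): both ends need the cleartext
    password, and no session key is derived, so the link stays unprotected."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_response(request, password):
    """Peer -> authenticator: parse the request and answer with the 16-byte digest."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != REQUEST or request[4] != TYPE_MD5_CHALLENGE or length != len(request):
        raise ValueError("not an EAP MD5-Challenge request")
    challenge = request[6:6 + request[5]]
    digest = md5_digest(identifier, password, challenge)
    return eap_packet(RESPONSE, identifier, bytes([TYPE_MD5_CHALLENGE, 16]) + digest)


def verify_md5_response(response, identifier, challenge, password):
    """Authentication server side: check Code, Identifier, Type and Value-Size,
    then compare digests in constant time; returns the Success or Failure packet."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    ok = (code == RESPONSE and rid == identifier and length == len(response) == 22
          and response[4] == TYPE_MD5_CHALLENGE and response[5] == 16
          and hmac.compare_digest(response[6:22], md5_digest(identifier, password, challenge)))
    return eap_packet(SUCCESS if ok else FAILURE, identifier)


def run_exchange(peer_password, server_password, identifier=42):
    """Whole method layer as in the slide's diagram: request, response, decision.
    Returns the EAP Code the peer receives (3 = Success, 4 = Failure)."""
    challenge = os.urandom(16)
    request = md5_challenge_request(identifier, challenge)
    response = md5_challenge_response(request, peer_password)
    return verify_md5_response(response, identifier, challenge, server_password)[0]
```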
    21. 802.1x with EAP-TLS: Local store certificates
       • Uses both user and computer certificates
       • Certificates deployed through auto-enrollment, Web enrollment, certificate import, or manual request using the Certificates snap-in
       • Local computer store is always available
       • The user store (for the current user) is only available after a successful user logon
    22. 802.1x with EAP-TLS: Configuration page
       • Mutual authentication enabled by default
       • Simple certificate selection
    23. 802.1x with EAP-TLS: Smart card certificates
       • User must enter a PIN to access the certificate on the smart card.
         ◦ PIN input is not required again on subsequent re-authentication tries – like session time-out or roaming on wireless networks.
         ◦ When roaming out of range and back in range, the user will be re-prompted for the PIN.
       • Managing user certificates stored on local hard drives can be difficult, and some users may move among computers.
    24. 802.1x with PEAP-MSCHAPv2: What to consider
       • Password-based authentication – not all networks have a PKI deployment.
       • Single sign-on (SSO).
       • Enables both machine and user authentication.
       • Windows logon credentials can be used automatically (default setting), or credentials can be provided by the user.
    25. 802.1x with PEAP-MSCHAPv2: Configuration page
       • By default, the fast reconnect feature is disabled.
    26. Campus Identity – Supplicants
       • Possible end-points:
         ◦ Windows XP – Yes
         ◦ Windows 2000 – Yes (SP3 + KB)
         ◦ Linux – Yes
         ◦ HP-UX – Yes
         ◦ Solaris – Yes
         ◦ HP Printers – Yes
         ◦ Windows 98 – Limited
         ◦ Windows NT4 – Limited
         ◦ Apple – Yes
         ◦ IP Phones – Yes
         ◦ WLAN APs – Yes
         ◦ …
       (Diagram icons: Windows, HP Jet Direct, Solaris, 7920, Apple, IP Phones, WLAN APs, Pocket PC)
    27. 802.1x Port based network access control
       • Falls under 802.1, NOT 802.11
       • This is a NETWORK standard, not a wireless standard
       • Is PART of the 802.11i draft
       • Provides network authentication, NOT encryption
    28. Know before you start!
       • 802.1x implementation requires knowledge from several different domains
         ◦ Switch or AP compliance and configuration
         ◦ Certificate Services (the hidden part of the ICEBERG) if you intend to use EAP-TLS
         ◦ RADIUS server, especially when you have a multi-domain directory infrastructure
         ◦ Smart-card services, if you intend to use them instead of user certificates
         ◦ Various client deployment scenarios
    29. Demo – Wired Client Authentication: 802.1x with PEAP-MSCHAPv2
       • Cisco Switch Configuration
       • Active Directory Configuration
       • Installation of IAS (RADIUS)
       • Installation of Certificate Services
       • XP Client Configuration
    30. New Horizons' Partners