802.1x Port Based Authentication

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "802.1x Port Based Authentication"

Transcription

1 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be

2 Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation Firewalls Virtualization Security MCT, CISSP, ISO LI/LA, ISO RM,.

3 Agenda Understanding 802.1x 802.1x EAP Authentication Methods PKI Requirements Understanding Network Policy Server Role Understanding VLANs Understanding 802.1x Authentication Switch Configuration Relax, It s Demo Time Things to think about What we not cover: IP Phone (Voice), PXE

4 Understanding 802.1x

5 What is 802.1x? Framework designed to provide port-based network access Layer-2 security to permit or deny access based on identity of the client Identity is based on who we are and is based on: MAC address Certificate Username/password

6 Why is 802.1x important? Authenticate devices connected to switch ports When authentication fails: No or limited network access When authentication succeeds: Access is granted Access can be restricted by using (downloadable) access lists

7 802.1x Benefits Visibility: Clients are authenticated Identity can be used for security audits and forensics Security: Strongest authentication methods should be used Transparancy: No involvement of end-user

8 802.1x Components Supplicant Authenticator Authentication Server

9 802.1x EAP Authentication Methods

10 802.1x EAP Methods Method EAP-TTLS EAP-TLS EAP-MSCHAPv2 PEAP-EAP-TLS PEAP-MS-CHAPv2 Identification Any authentication Certificate Password TLS + Certificate TLS + Password EAP-MD5 EAP-LEAP EAP-SIM

11 EAP-TLS Authentication No user identity protection Active Directory Domain Services Active Directory Certificate Services Network Policy Server (RADIUS server) 802.1x capable devices Client (Windows XP/Vista/7/8)

12 EAP-TLS Authentication Certificate based authentication for users or computers Provides mutual authentication No dependency on the password of the user Protected by public key cryptography Network Policy Server must have a certificate Wired client must have a certificate

13 EAP-TLS Authentication

14 EAP-TTLS Authentication Extends TLS by creating a secure tunnel Encapsulation EAP in TLS Can be used as proxy Client does not need a certificate Only server authentication Protection against eavesdropping and mitm Windows Server 2012 and Windows 8

15 EAP-MSCHAPv2 Authentication Password based authentication for users or computers User or computer account must be member of the domain Easier to deploy Provides mutual authentication Network Policy Server must have a certificate Wired or wireless clients does not need a certificate

16 EAP-MSCHAPv2 Authentication

17 EAP-MSCHAPv2 Authentication

18 PEAP Used TLS to enhance security by protecting authentication traffic (EAP-MSCHAPv2 or EAP-TLS) between the wired client and the RADIUS server Does not specify the authentication method Wired client authenticates the RADIUS server Protection against packet injection between wired client and RADIUS

19 PEAP Fast reconnect (no re-authentication when the client moves between wireless access points) Not supported with EAP-MD5 Does not support guest authentication (blank username and password) Support for smart cards

20 PEAP-EAP-MSCHAPv2

21 Configure Wired Clients Wired AutoConfig Service Configure 802.1x Manually Configure 802.1x via Group Policy

22 Configure Wired Clients

23 Types of Authentication

24 Types of Authentication User Authentication Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials Computer Authentication Authentication is always performed by using only the computer credentials Guest Authentication Allows connection to the network that are regulated by the restrictions and permissions that are set for the guest account

25 PKI Requirements

26 Requirements for PKI Server running Active Directory Certificate Services NPS must have a certificate If using EAP-TLS for computers: Computer certificate for every client If using EAP-TLS for users: User certificate for every user account Certificate can be stored on workstation or smartcard Root Certificate must be installed on NPS servers and workstations

27 Requirements for PKI Certificates must be issued by an enterprise CA Certificate must be linked to private key CRL or OCSP must be accessible All certificates in the chain must be trusted Configure auto enrollment

28 Understanding Network Policy Server

29 Installing the NPS Server Role Dedicated server or domain controller Server Manager Network Policy Server Role Register Server in Active Directory

30 NPS Server Certificate Commercial Certification Authority You need to buy a certificate for each server Automatically trusted Single purpose certificate Active Directory Certificate Services Need knowledge of PKI Automatic enrollment Single or multi purpose certificate

31 NPS Server Certificate OpenSSL Free Single or multi purpose certificate Root CA must be placed under Trusted Root Authorities Self-signed Free No trust

32 Configure the NPS Server Add each switch as RADIUS client Choose the correct Vendor Specify a strong shared secret Configure Connection Request Policy Configure Network Policies

33 Configure NPS Server Logging Log File (ias log file format) SQL Database Event Viewer

34 Configure Connection Request Policy on NPS Make sure that the request comes from the switch NAS IPv4 Address Ethernet NAS Port Type

35 Configure Network Policies on NPS Configure a strong authentication method Make sure that only authorized users have access by using security groups in the condition

36 NPS Proxy

37 NPS Proxy Network access servers are configured as RADIUS clients on the RADIUS proxy Provide authentication for users which are not member of the domain Process large number of connection requests Outsourced services

38 Load Balancing with NPS Proxy When (PEAP)-EAP-TLS is used due to extra load Configure network access servers to send connection request to multiple NPS servers Use NPS as NPS proxy to load balance connection requests Priority: Specify order of importance of NPS proxy server (lower is higher priority) Weight: How many connection requests can be send

39 Understanding Virtual LANs

40 Use of Virtual LANs Reduce size of the broadcast domain on the network Layer 2 Access port carry only one VLAN Trunk port supports multiple VLANs Route traffic between VLANs using a layer-3 device

41 Dynamic VLAN Assignment Feature to place the wired client into a specific VLAN Use Network Policy Server to create Network Policy, assign VLAN ID RADIUS attributes [64 ] Tunnel-Type = VLAN [65] Tunnel-Medium-Type = IEEE-802 [81] Tunnel-Private-Group-Id=VLAN ID

42 Dynamic VLAN Assignment When no VLAN is supplied or 802.1x authentication is disabled, the switch add the wired client into the default VLAN When incorrect VLAN information is supplied by the RADIUS server and 802.1x authentication is enabled, switch port is placed into unauthorized state Important: Be sure that VLAN 1 is not the default VLAN. If authentication fails, the wired client can still access the network Shutdown switch ports when not in use

43 Dynamic VLAN Assignment When VLAN information is correctly supplied by the RADIUS server, the switch port is placed in that VLAN If multi-host mode is enabled on the switch port, all hosts are placed in the same VLAN as the first authenticated host When re-authentication fails, the switch assigns the switch port to guest or restricted VLAN

44 Guest-VLAN Allows unauthenticated wired clients access to a specific VLAN When to use: Client Operating System is not supported No 802.1x client software exist on the wired on wireless client

45 Restricted-VLAN Allows wired clients who are failing authentication to access a specific VLAN Clients are 802.1x compliant When to use: When the authentication process fails Certificate on the wired client computer has expired Invalid password Limit access to Internet or CA by using ACLs

46 802.1x Dynamic ACL Assignment Access Control Lists provides a way to control access to network resources Downloadable ACL [ 5000] Cisco-AV-Pair = ip:inacl#201=deny tcp any host eq www RADIUS attributes ACLs must exists on the switch [11 ] Filter-Id = #ACL(.in or.out)

47 Understanding 802.1x Authentication

48 802.1x Authentication Process

49 802.1x Message Exchange

50 802.1x MAC Authentication Bypass MAC-Address used for authentication Active Directory Database can be used Create username/password equal to MAC Address Can be used as faillback method When to use: Printers

51 802.1x Authentication with Port Security 802.1x used to authenticates the switch port Port security is used to manage network access Can be limited to one or more MAC addresses When client is authenticated: MAC address is added to port security list

52 802.1x Authentication and NAP Integration between 802.1x and Network Access Protection First authentication, next healt state

53 Switch Configuration

54 802.1x Port State Port authorization state is controlled by using the following command: dot1x port-control <interface> Force-authorized Disable 802.1x. The port sends normal traffic without 802.1x based authentication of the client Force-unauthorized No connection is possible and ignoring authentication attempts Auto Allow EAPOL packets and enables 802.1x authentication

55 802.1x Timers Periodic Re-Authentication Specify re-authentication of the client Quiet Period The switch remains idle for a certain time and tries again when the switch cannot authenticate the client Switch-to-Client Retransmission Time If the switch does not receive an answer at boot time from the client Switch sends EAP-Request/identity frame Client sends EAP-Response/identity frame

56 802.1x Switch Configuration Cisco Catalyst ports PoE

57 Relax, it s demo time

58 802.1x Authentication Demo

59 802.1x Authentication Demo 802.1x Authentication using EAP-TLS 802.1x Authentication using PEAP-EAP-TLS 802.1x Authentication using PEAP-EAP-TLS + VLAN x Authentication using PEAP-EAP-TLS + dynamic ACL (2 methods)

60 Things to think about

61 When it goes wrong Certificate enrollment Certificate renewal/expiration Password based authentication User and Machine authentication RADIUS server not available Non 802.1x capable endpoints

62

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 2960 switch. IEEE 802.1x authentication prevents

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Network Security 1. Module 7 Configure Trust and Identity at Layer 2 Network Security 1 Module 7 Configure Trust and Identity at Layer 2 1 Learning Objectives 7.1 Identity-Based Networking Services (IBNS) 7.2 Configuring 802.1x Port-Based Authentication 2 Module 7 Configure

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 39 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,

More information

With 802.1X port-based authentication, the devices in the network have specific roles.

With 802.1X port-based authentication, the devices in the network have specific roles. This chapter contains the following sections: Information About 802.1X, page 1 Licensing Requirements for 802.1X, page 8 Prerequisites for 802.1X, page 8 802.1X Guidelines and Limitations, page 9 Default

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 37 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

ISE Primer.

ISE Primer. ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides

More information

802.1X: Background, Theory & Implementation

802.1X: Background, Theory & Implementation Customized for NCET Conference 2007 802.1X: Background, Theory & Implementation March 16, 2007 Presented by: Jennifer Jabbusch, CISSP, HP MASE, CAD Mike McPherson, HP ProCurve Neal Hamilton, HP ProCurve

More information

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16 Table of Contents ABOUT 802.1X... 3 YEALINK PHONES COMPATIBLE WITH 802.1X... 3 CONFIGURING 802.1X SETTINGS... 4 Configuring 802.1X using Configuration Files... 4 Configuring 802.1X via Web User Interface...

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files...

About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files... About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files...5 Configuring 802.1X via web user interface...8 Configuring

More information

The table below lists the protocols supported by Yealink SIP IP phones with different versions.

The table below lists the protocols supported by Yealink SIP IP phones with different versions. Table of Contents About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X Using Configuration Files... 6 Configuring 802.1X via Web User Interface...

More information

Configuring 802.1X Settings on the WAP351

Configuring 802.1X Settings on the WAP351 Article ID: 5078 Configuring 802.1X Settings on the WAP351 Objective IEEE 802.1X authentication allows the WAP device to gain access to a secured wired network. You can configure the WAP device as an 802.1X

More information

Policy User Interface Reference

Policy User Interface Reference Authentication, page 1 Authorization Policy Settings, page 4 Endpoint Profiling Policies Settings, page 5 Dictionaries, page 9 Conditions, page 11 Results, page 22 Authentication This section describes

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication

More information

ilight/gigapop eduroam Discussion Campus Network Engineering

ilight/gigapop eduroam Discussion Campus Network Engineering ilight/gigapop eduroam Discussion Campus Network Engineering By: James W. Dickerson Jr. May 10, 2017 What is eduroam?» eduroam (education roaming) is an international roaming service for users in research,

More information

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY 802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

Network Access Flows APPENDIXB

Network Access Flows APPENDIXB APPENDIXB This appendix describes the authentication flows in Cisco Identity Services Engine (ISE) by using RADIUS-based Extensible Authentication Protocol (EAP) and non-eap protocols. Authentication verifies

More information

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers

More information

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions MERUNETWORKS.COM February 2013 1. OVERVIEW... 3 2. AUTHENTICATION AND ACCOUNTING... 4 3. 802.1X, CAPTIVE PORTAL AND MAC-FILTERING...

More information

Configure RADIUS DTLS on Identity Services Engine

Configure RADIUS DTLS on Identity Services Engine Configure RADIUS DTLS on Identity Services Engine Contents Introduction Prerequisites Requirements Components Used Configure Configurations 1. Add network device on ISE and enable DTLS protocol. 2. Configure

More information

Cisco Virtual Office: Easy VPN Deployment Guide

Cisco Virtual Office: Easy VPN Deployment Guide Cisco Virtual Office: Easy VPN Deployment Guide This guide provides detailed design and implementation information for deployment of Easy VPN in client mode with the Cisco Virtual Office. Please refer

More information

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD. V100R002C10 Permission Control Technical White Paper Issue 01 Date 2016-04-15 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form

More information

Wireless LAN Security. Gabriel Clothier

Wireless LAN Security. Gabriel Clothier Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group

More information

Port-based authentication with IEEE Standard 802.1x. William J. Meador

Port-based authentication with IEEE Standard 802.1x. William J. Meador Port-based authentication 1 Running head: PORT-BASED AUTHENTICATION Port-based authentication with IEEE Standard 802.1x William J. Meador Port-based authentication 2 Port based authentication Preface You

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 300-208 Exam Questions & Answers Number: 300-208 Passing Score: 800 Time Limit: 120 min File Version: 38.4 http://www.gratisexam.com/ Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access

More information

FiberstoreOS. Security Configuration Guide

FiberstoreOS. Security Configuration Guide FiberstoreOS Security Configuration Guide Contents 1 Configuring Port Security...6 1.1 Overview...6 1.2 Topology... 7 1.3 Configurations...7 1.4 Validation... 8 2 Configuring Vlan Security... 9 2.1 Overview...9

More information

FiberstoreOS. Security Configuration Guide

FiberstoreOS. Security Configuration Guide FiberstoreOS Security Configuration Guide Contents 1 Configuring Port Security...1 1.1 Overview...1 1.2 Topology... 2 1.3 Configurations...2 1.4 Validation... 3 2 Configuring Vlan Security... 4 2.1 Overview...4

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

Layer 2 authentication on VoIP phones (802.1x)

Layer 2 authentication on VoIP phones (802.1x) White Paper www.siemens.com/open Layer 2 authentication on VoIP phones (802.1x) IP Telephony offers users the ability to log-on anywhere in the world. Although this offers mobile workers great advantages,

More information

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1 Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,

More information

Troubleshooting Cisco ISE

Troubleshooting Cisco ISE APPENDIXD This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine

More information

Juniper Exam JN0-314 Junos Pulse Access Control, Specialist (JNCIS-AC) Version: 7.0 [ Total Questions: 222 ]

Juniper Exam JN0-314 Junos Pulse Access Control, Specialist (JNCIS-AC) Version: 7.0 [ Total Questions: 222 ] s@lm@n Juniper Exam JN0-314 Junos Pulse Access Control, Specialist (JNCIS-AC) Version: 7.0 [ Total Questions: 222 ] Topic 1, Volume A Question No : 1 - (Topic 1) A customer wants to create a custom Junos

More information

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author: Cross-organisational roaming on wireless LANs based on the 802.1X framework Author: Klaas Wierenga SURFnet bv P.O. Box 19035 3501 DA Utrecht The Netherlands e-mail: Klaas.Wierenga@SURFnet.nl Keywords:

More information

The following chart provides the breakdown of exam as to the weight of each section of the exam.

The following chart provides the breakdown of exam as to the weight of each section of the exam. Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those

More information

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS) Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS) HOME SUPPORT PRODUCT SUPPORT WIRELESS CISCO 4400 SERIES WIRELESS LAN

More information

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch 802.1x Port-Based Network Access Control (PNAC) authentication on EX Series switches provides

More information

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards First Published: May 17, 2005 Last Updated: July 28, 2010 This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port

More information

Authentication and Authorization Policies

Authentication and Authorization Policies Chapter 13 Authentication and Authorization Policies The previous chapter focused on the levels of authorization you should provide for users and devices based on your logical Security Policy. You will

More information

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port Cisco HWIC-D-9ESW EtherSwitch high-speed WAN interface

More information

Cisco IP Phone Security

Cisco IP Phone Security Overview, page 1 Security Enhancements for Your Phone Network, page 2 View the Current Security Features on the Phone, page 2 View Security Profiles, page 3 Supported Security Features, page 3 Overview

More information

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Application Notes for Avaya Aura Telephony Infrastructure in a Converged VoIP and Data Network using HP Networking Switches configured with 802.1X Authentication

More information

802.1x Radius Setup Guide Working AirLive AP with Win X Radius Server

802.1x Radius Setup Guide Working AirLive AP with Win X Radius Server OvisLink 8000VPN VPN Guide 802.1x Radius Setup Guide Working AirLive AP with Win2003 802.1X Radius Server Table of Content Secured Enterprise Wireless Environment Configuration Guide... 3 WHAT IS THIS

More information

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide The Cisco Structured Wireless-Aware Network (SWAN) provides the framework to integrate and extend wired and wireless networks to deliver

More information

Introduction to 802.1X Operations for Cisco Security

Introduction to 802.1X Operations for Cisco Security Introduction to 802.1X Operations for Cisco Security Number: 650-472 Passing Score: 800 Time Limit: 120 min File Version: 5.0 http://www.gratisexam.com/ Cisco 650-472 Introduction to 802.1X Operations

More information

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC) Troubleshooting Web Authentication on a Wireless LAN Controller (WLC) Document ID: 108501 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Web Authentication

More information

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server Document ID: 112175 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Windows

More information

Web and MAC Authentication

Web and MAC Authentication 3 Web and MAC Authentication Contents Overview..................................................... 3-2 Client Options.............................................. 3-3 General Features............................................

More information

Configuration Security

Configuration Security NN47200-501 Document status: Standard Document version: 0401 Document date: 12 November 2008 All Rights Reserved While the information in this document is believed to be accurate and reliable, except as

More information

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN Requirements Ethernet LAN switches are vulnerable to attacks that involve spoofing (forging) of source IP

More information

Wired Dot1x Version 1.05 Configuration Guide

Wired Dot1x Version 1.05 Configuration Guide Wired Dot1x Version 1.05 Configuration Guide Document ID: 64068 Introduction Prerequisites Requirements Components Used Conventions Microsoft Certificate Services Installation Install the Microsoft Certificate

More information

Securing Your Wireless LAN

Securing Your Wireless LAN Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP

More information

Access Security Guide for YA/YB.16.01

Access Security Guide for YA/YB.16.01 HPE ArubaOS-Switch Access Security Guide for YA/YB.16.01 Abstract This switch software guide is intended for network administrators and support personnel, and applies to the switch models listed on this

More information

Technical White Paper for Huawei 802.1X

Technical White Paper for Huawei 802.1X Technical White Paper for Huawei 802.1X Huawei Technologies Co., Ltd. October 2004 Table of Contents 1 Overview...1 2 Basic Operating Mechanism of 802.1X...1 2.1 System Architecture...1 2.1.1 Port PAE...2

More information

HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples

HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples Part Number: 5200-1385 Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document

More information

Configuration Guide. For 802.1X VLAN Assignment and MAB. T2600G-28TS _v2_ or Above T2600G-52TS_v2_ or Above

Configuration Guide. For 802.1X VLAN Assignment and MAB. T2600G-28TS _v2_ or Above T2600G-52TS_v2_ or Above Configuration Guide For 802.1X VLAN Assignment and MAB T2600G-28TS _v2_170323 or Above T2600G-52TS_v2_1703023 or Above T2600G-28MPS_v2_170928 or Above 1910012315 REV1.0.0 December 2017 CONTENTS 1 Overview...

More information

WHITE PAPER: 802.1X PORT AUTHENTICATION WITH MICROSOFT S ACTIVE DIRECTORY

WHITE PAPER: 802.1X PORT AUTHENTICATION WITH MICROSOFT S ACTIVE DIRECTORY Written By: Philip Kwan March 2003 March 2003 2003 Foundry Networks, Inc. Summary Microsoft s Active Directory service is one of the most popular authentication directories in use today. This white paper

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users Learning Objectives Explain why authentication is a critical aspect of network security Explain

More information

Rhodes University Wireless Network

Rhodes University Wireless Network Rhodes University Wireless Network Like many organisations, Rhodes aims to secure its wireless network against unauthorised use. This document explains how this is achieved. Network Overview The University

More information

Configuring the Client Adapter through the Windows XP Operating System

Configuring the Client Adapter through the Windows XP Operating System APPENDIX E Configuring the Client Adapter through the Windows XP Operating System This appendix explains how to configure and use the client adapter with Windows XP. The following topics are covered in

More information

Identity-Based Networking Services: IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide

Identity-Based Networking Services: IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide Identity-Based Networking Services: IP Telephony In IEEE 802.1X-Enabled Networks Deployment and Configuration Guide 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public

More information

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS - 802.1x Tim Rowley CCIE#25960, CCSI#33858, CISSP What is it? Components Basic Operation Basic Configuration Advanced Features and Configuration Verification

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard

More information

whitepaper How to Use 802.1X on HP Jetdirect Print Servers May 2008 Table of Contents:

whitepaper How to Use 802.1X on HP Jetdirect Print Servers May 2008 Table of Contents: How to Use 802.1X on HP Jetdirect Print Servers whitepaper May 2008 Table of Contents: Introduction... 2 What is 802.1X?... 6 Public Key Infrastructure and Public Key Certificate Basics... 7 What Equipment

More information

Configuring Local EAP

Configuring Local EAP Information About Local EAP, page 1 Restrictions on Local EAP, page 2 (GUI), page 3 (CLI), page 6 Information About Local EAP Local EAP is an authentication method that allows users and wireless clients

More information

Security Setup CHAPTER

Security Setup CHAPTER CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 3 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 8 Information About FlexConnect Groups To organize and manage your FlexConnect access points,

More information

Deliverable DJ Inter-NREN roaming technical specification document

Deliverable DJ Inter-NREN roaming technical specification document 22.06.06 Deliverable DJ5.1.4: Inter-NREN roaming technical specification document Deliverable DJ5.1.4 Contractual Date: 31/01/06 Actual Date: 22/06/06 Contract Number: 511082 Instrument type: Integrated

More information

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

802.1X: Deployment Experiences and Obstacles to Widespread Adoption 802.1X: Deployment Experiences and Obstacles to Widespread Adoption Terry Simons University of Utah; open1x.org Terry.Simons@utah.edu Jon Snyder Portland State University jon@pdx.edu 802.1X Adoption Ratified

More information

Securing a Wireless LAN

Securing a Wireless LAN Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access

More information

Radius, LDAP, Radius used in Authenticating Users

Radius, LDAP, Radius used in Authenticating Users CSCD 303 Lecture 5 Fall 2017 Kerberos Radius, LDAP, Radius used in Authenticating Users Introduction to Centralized Authentication Kerberos is for authentication only and provides Single Sign-on (SSO)

More information

New Windows build with WLAN access

New Windows build with WLAN access New Windows build with WLAN access SecRep 24 17-18 May 2016 Ahmed Benallegue/Hassan El Ghouizy/Priyan Ariyansinghe ECMWF network_services@ecmwf.int ECMWF May 19, 2016 Introduction Drivers for the new WLAN

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Changing the Administrator Password in Web

More information

What Is Wireless Setup

What Is Wireless Setup What Is Wireless Setup Wireless Setup provides an easy way to set up wireless flows for 802.1x, guest, and BYOD. It also provides workflows to configure and customize each portal for guest and BYOD, where

More information

Contents. Introduction

Contents. Introduction Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance

More information

Securing Wireless LANs with Certificate Services

Securing Wireless LANs with Certificate Services 1 Securing Wireless LANs with Certificate Services PHILIP HUYNH University of Colorado at Colorado Springs Abstract Wireless Local Access Network (WLAN) is used popularly in almost everywhere from the

More information

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007 Agenda: Securing Wireless Networks Building a Secure Wireless Network Joel M Snyder Senior Partner Opus One jms@opus1.com Using encryption and authentication Handling unauthenticated users Managing RF

More information

Cisco TrustSec How-To Guide: Global Switch Configuration

Cisco TrustSec How-To Guide: Global Switch Configuration Cisco TrustSec How-To Guide: Global Switch Configuration For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents...

More information

Junos Pulse Access Control Service

Junos Pulse Access Control Service Junos Pulse Access Control Service RADIUS Server Management Guide Release 4.4 Published: 2013-02-15 Part Number: Juniper Networks, Inc. 1194 rth Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Configuring the VPN Client

Configuring the VPN Client Configuring the VPN Client This chapter explains how to configure the VPN Client. To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses

More information

802.1x. ACSAC 2002 Las Vegas

802.1x. ACSAC 2002 Las Vegas 802.1x ACSAC 2002 Las Vegas Jeff.Hayes@alcatel.com 802.1 Projects The IEEE 802.1 Working Group is chartered to concern itself with and develop standards and recommended practices in the following areas:

More information

LAB: Configuring LEAP. Learning Objectives

LAB: Configuring LEAP. Learning Objectives LAB: Configuring LEAP Learning Objectives Configure Cisco ACS Radius server Configure a WLAN to use the 802.1X security protocol and LEAP Authenticate with an access point using 802.1X security and LEAP

More information

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3 Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configuration Declare RADIUS Server on WLC Create

More information

Network Virtualization Access Control Design Guide

Network Virtualization Access Control Design Guide Network Virtualization Access Control Design Guide This document provides design guidance for enterprises that want to provide Internet and limited corporate access for their guests and partners. Several

More information

ArubaOS-Switch Access Security Guide for YA/YB.16.04

ArubaOS-Switch Access Security Guide for YA/YB.16.04 ArubaOS-Switch Access Security Guide for YA/YB.16.04 Part Number: 5200-3106a Published: September 2017 Edition: 2 Copyright 2017 Hewlett Packard Enterprise Development LP Notices The information contained

More information

HIGH DENSITY ACCESS POINTS

HIGH DENSITY ACCESS POINTS Xirrus High Density Access Points are the only Wi-Fi solutions of their kind featuring the ultimate in scalable performance and flexible upgradability to economically serve today s requirements and grow

More information

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product.

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product. CWNP EXAM - PW0-204 Certified Wireless Security Professional (CWSP) Buy Full Product http://www.examskey.com/pw0-204.html Examskey CWNP PW0-204 exam demo product is here for you to test the quality of

More information

CWA URL Redirect support on C891FW

CWA URL Redirect support on C891FW Introduction, page 1 Prerequisites for, page 2 Configuring, page 3 HTTP Proxy Configuration, page 8 Configuration Examples for, page 8 Important Notes, page 14 Additional References for, page 14 Feature

More information

Securing Wireless LAN Controllers (WLCs)

Securing Wireless LAN Controllers (WLCs) Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management

More information

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configure Guest Flow with ISE 2.0 and Aruba WLC Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Guide to Configuring eduroam Using the Aruba Wireless Controller and ClearPass RADIUS

Guide to Configuring eduroam Using the Aruba Wireless Controller and ClearPass RADIUS Guide to Configuring eduroam Using the Aruba Wireless Controller and ClearPass RADIUS Best Practice Document Produced by the UNINETT-led Campus Networking working group Authors: Tom Myren (UNINETT), John-Egil

More information

Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy

Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy Getting the Most out of your BYOD Investment A Deep Dive of ISE BYOD Policy Kevin Redmon System Test Engineer Agenda Introduction RADIUS the Backbone of BYOD Testing the Waters Current BYOD Solution The

More information

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco TrustSec How-To Guide: Central Web Authentication Cisco TrustSec How-To Guide: Central Web Authentication For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 1

More information

etoken Integration Guide etoken and ISA Server 2006

etoken Integration Guide etoken and ISA Server 2006 etoken Integration Guide etoken and ISA Server 2006 March 2007 Contact Information Support If you have any questions regarding this package, its documentation and content or how to obtain a valid software

More information