CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Similar documents
Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication

IEEE 802.1X RADIUS Accounting

IEEE 802.1X Multiple Authentication

Layer 2 authentication on VoIP phones (802.1x)

Network Edge Authentication Topology

IEEE 802.1X VLAN Assignment

Operation Manual 802.1x. Table of Contents

Table of Contents X Configuration 1-1

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

With 802.1X port-based authentication, the devices in the network have specific roles.

With 802.1X port-based authentication, the devices in the network have specific roles.

802.1x Port Based Authentication

Table of Contents X Configuration 1-1

Configuring 802.1X Port-Based Authentication

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Chapter 4 Configuring 802.1X Port Security

Configuring 802.1X. Finding Feature Information. Information About 802.1X

Configuring 802.1X Settings on the WAP351

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Configuring IEEE 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication

Configuring Port-Based and Client-Based Access Control (802.1X)

802.1X: Background, Theory & Implementation

Application Note. Using RADIUS with G6 Devices

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Securing Wireless LANs with Certificate Services

Configuring MAC Authentication Bypass

Configuring 802.1X Port-Based Authentication

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Brocade FastIron Flexible Authentication

Authentication and Security: IEEE 802.1x and protocols EAP based

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Exam Questions CWSP-205

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY

802.1x Configuration. Page 1 of 11

Configuring IEEE 802.1x Port-Based Authentication

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Authentication and Security: IEEE 802.1x and protocols EAP based

BYOD: BRING YOUR OWN DEVICE.

Controlled/uncontrolled port and port authorization status

Abstract. Avaya Solution & Interoperability Test Lab

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief

IEEE 802.1X with ACL Assignments

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Efficient Port-based Network Access Control for IP DSLAMs in Ethernet-based Fixed Access Networks

IEEE 802.1X Open Authentication

Cisco TrustSec How-To Guide: Phased Deployment Overview

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

REMOTE AUTHENTICATION DIAL IN USER SERVICE

Securing Wireless Networks by By Joe Klemencic Mon. Apr

802.1x. ACSAC 2002 Las Vegas

Table of Contents 1 AAA Overview AAA Configuration 2-1

Configuring Client Profiling

Cisco TrustSec How-To Guide: Monitor Mode

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

CCNA Exploration Network Fundamentals

Cisco Exam Questions & Answers

Simplifying your 802.1X deployment

CHAPTER. Introduction. Last revised on: February 13, 2008

Network Virtualization Access Control Design Guide

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Configuring Authentication Types

Cisco Unified Wireless Network Solution Overview

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

WHITE PAPER: 802.1X PORT AUTHENTICATION WITH MICROSOFT S ACTIVE DIRECTORY

Abstract. Avaya Solution & Interoperability Test Lab

Cisco Exam Questions & Answers

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Secure Mobility. Klaus Lenssen Senior Business Development Manager Security

Nortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision:

Operation Manual Security. Table of Contents

Per-User ACL Support for 802.1X/MAB/Webauth Users

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Vendor: Cisco. Exam Code: Exam Name: Cisco Sales Expert. Version: Demo

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring the Client Adapter through Windows CE.NET

Information Technology Policy Board Members. SUBJECT: Update to County WAN/LAN Wireless Standards

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

802.1X: Port-Based Authentication Standard for Network Access

Configuration Security

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

Configuring Web-Based Authentication

User Directories and Campus Network Authentication - A Wireless Case Study

Encryption Vision & Strategy

Provide One Year Free Update!

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

MS Switch Access Policies (802.1X) Host Modes

Cisco WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch

Cisco IOS Firewall Authentication Proxy

Transcription:

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X This is part of my experience I implemented in the Organization while I was doing my summer interns as the Part of my Curriculum. This Entirely is a very much workable solution but need some prerequisites like the understanding of some security protocols like RADIUS, 802.1x and the basic understanding of Linux Operating System. CHALLENGE Having information-rich business environment, the network is the base of our daily operation and the foundation for our strategic direction. Companies depend on an efficient network to enable critical business application, communication and collaboration. The network must be highly secure, reliable and available to the external and the internal users. Making full use of business opportunities and overcoming technical challenges begin with maintaining high performance, high availability and high quality-of service levels in your network. To grow your business and deliver next generation services, you need to evolve your network; migrate to new IP services; and converge data, voice, and video all while efficiency scaling and deploying diverse and complex technologies. Coping up with all this above stated challenges need the person to be equipped with all kind of the IT Infrastructure available in the IT market today. But again there is nothing like the Free Lunch ; means every thing bring with it the Security Breach with itself. The Need for the Enterprise Network can be enlisted as below: 1. The Infrastructure should be usable by the different users at the same time should give the Users the Ease for the Usability and the Flexibility to use by providing them the Feel at home with the Desktop Environment. 2. The Authentication mechanism should be properly in place with the authentication done on the Central place to provide the Exact Security needed to the User Information to the Users password and login name database 3. The Password traveling on the Network should be properly encrypted on the network. 4. The User should be given the proper privilege depending upon the user credentials presented to him in the Login and the privilege should be dynamic irrespective of the Machine used by him for login and the Work Purpose 5. There should be central Administrative and Monitoring position available to him for easy maintenance of the User profile and the privileges authorized to him depending upon the login credentials provided by him in the First place. 6. The Network Infrastructure should reflect the Exact Business Domain and the Operational Hierarchy of the Organization with proper policies in place reflecting the same. 1

SOLUTION The Solution comes in Place with leveraging some very basic technologies available ; the only need lies in exploring the same. I here propose some workable and easy to implement solution that is very much workable and already tried out and tested by me in the real ti me environment. 802.1x INTRODUCTION The following are a list of terms and technologies used within 802.1x: Supplicant (Client) is the network access device requesting LAN services. Authenticator is the network access point that has 802.1x authentication enabled. This includes LAN switch ports and Wireless Access Points (WAP). Authentication Server is the server that performs the authentication, allowing or denying access to the network based on username / password. The 802.1x standard specifies that Remote Authentication Dial-In User Service (RADIUS) is the required Authentication Server that supports the following RFC s: RFC 2284 PPP Extensible Authentication Protocol (EAP) RFC 2865 Remote Authentication Dial In User Service (RADIUS) RFC 2869 RADIUS Extensions EAP is the protocol that is used between the client and the authenticator. The 802.1x standard specifies encapsulation methods for transmitting EAP messages so they can be carried over different media typed. These include, but are not limited to: EAP Over LAN (EAPOL) EAP Over Wireless (EAPOW) Port Access Entry (PAE) is the 802.1x logical component of the client and authenticator that exchange EAP messages. 2

UNDERSTANDING 802.1X Introduction The IEEE 802.1x is a standardized method for securing network access from the network devices. Traditionally, network security has predominantly been the domain of network Servers and clients, based on login authentication to specific resources. If a network user wanted access to network server resources (file and print), then a login challenge needed to be successfully completed. In the case of an all Microsoft domain based network, then the login request is presented to the user when they started up their PC. The PC login username / password would be authenticated against a domain controller, and if successful then the user would be granted access to file & print services specified by the network administrator. This kind of client / server authentication is often used for other network services including email, intranet and other specialized applications Although client / server authentication is a proven method for securing network resources, it does not provide a total network security mechanism that will deter unauthorized access. To counter this, many network equipment vendors have implemented other networkbased administrative solutions, including VLANs, Access Control Lists (ACLs) and Media Access Control (MAC) locks. All of which are an effective mechanism for securing network access, but can be administrator intensive depending on what the security criteria is. Each control provides a unique advantage, but are often unique to each vendor. By complimenting the existing network security methods with 802.1x, administrators can be confident that their network perimeter (edge access) is completely secure, as well as having the confidence with interoperability amongst multiple vendors by deploying an IEEE based standard for security. Since 802.1x is only a perimeter security technology, network administrators should continue to deploy existing security policies to control network traffic: 802.1x will deny unauthorized network access, but it will not control network traffic from authorized users. This may be a concern for network administrators that want to secure specific network areas with the use of existing methods including VLANs, ACL s or MAC filtering where it is required. 802.1x Authentication Process Once 802.1x authentication is enabled (both in the client and authenticator), a successful authentication must be completed before ANY traffic is allowed to transit the network from the client, including critical traffic like DHCP requests regardless of whether link is established between the client and authenticator (switch port). 3

Before Authentication To ensure that no unauthorized traffic is transmitted, before successful authentication, the authenticator s PAE is set to uncontrolled. That means that the only messages that will be accepted from the client is EAP requests which will be forwarded to the Authentication server see figure 1 Authentication Process Once activated (powered on and connected to the switch), the 802.1x client will transmit the appropriate EAP message to the authenticator (switch port). The switch port with 802.1x authentication enabled is set to an uncontrolled state, accepting only EAP messages (all other traffic will be discarded). Upon receipt of the clients EAP message, the switch will forward the request to the authentication (RADIUS) server without changing its contents. Although the EAP contents are not changed, the encapsulation must be translated from the originating EAP message to a RADIUS request, therefore the only supported RADIUS servers are ones that support EAP (see RFC Compliance). 4

Upon receipt of the RADIUS message, the authentication server will grant or deny access to the network. An RADIUS response will then be transmitted back to the switch, which will determine whether the port remains in an uncontrolled state (access denied), or changes to a controlled state (access granted). If the authentication fails, the authenticator (switch port) will remain in an uncontrolled state, and in some cases the port will be disabled (depends on vendor implementation). Although the client is the device that requires authentication, either the client or switch can initiate the process. This is determined by timers which are set in both the client and the switch. 5

AUTHENTICATION FLOWCHART 6

SUMMARY: By implementing IEEE 802.1x, administrators can protect the network from unauthorized user access, minimizing potential security breaches including Denial of Service (DoS) attacks within their network infrastructure. Although implementing 802.1x provides enhanced network edge security, it is important for network administrators to plan and deploy this technology based on their requirements, taking into consideration devices like VoIP phones and Wireless Access Points. It is important to note that 802.1x technology is complimentary with existing security technologies, and is not a replacement. Since 802.1x can be considered to be a perimeter security measure, there will still be the need for network security techniques like VLANs and ACLs. 7

REFRENCES: IEEE RFC 3580 CISCO CATALYST SWITCH SOFWARE CONFIGURATION GUIDE, Cisco IOS Release 12.2(37) SE May 2007 www.freeradius.org www.ietf.org 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback