IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Similar documents
Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Radius, LDAP, Radius, Kerberos used in Authenticating Users

TopGlobal MB8000 Hotspots Solution

Standard For IIUM Wireless Networking

Configuring RADIUS Servers

Virtual Private Networks (VPNs)

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

RADIUS Tunnel Attribute Extensions

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual Security. Table of Contents

Radius, LDAP, Radius used in Authenticating Users

RADIUS - QUICK GUIDE AAA AND NAS?

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

User Databases. ACS Internal Database CHAPTER

Configuring L2TP over IPsec

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model

This primer covers the following major topics: 1. Getting Familiar with ACS. 2. ACS Databases and Additional Server Interaction

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Mobile WiMAX Security

Controlled/uncontrolled port and port authorization status

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Layer 2 authentication on VoIP phones (802.1x)

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Configuring IEEE 802.1x Port-Based Authentication

Virtual Private Networks.

IEEE 802.1X RADIUS Accounting

Authentication and Security: IEEE 802.1x and protocols EAP based

Configuring IEEE 802.1x Port-Based Authentication

DHCP Overview. Information About DHCP. DHCP Overview

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Table of Contents 1 AAA Overview AAA Configuration 2-1

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

Wireless LAN Security. Gabriel Clothier

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

RADIUS Logical Line ID

Chapter 8. User Authentication

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Configuring Authentication, Authorization, and Accounting

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

User Guide IP Connect CSD

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon

Release README August 2005

Wireless LAN Controller Web Authentication Configuration Example

A device that bridges the wireless link on one side to the wired network on the other.

Network Access Flows APPENDIXB

aaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M.

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

Configuring RADIUS and TACACS+ Servers

Configuring RADIUS Clients

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Table of Contents 1 AAA Overview AAA Configuration 2-1

BW1330. High Performance Hotspot Access Point. Browan Communications. 6 August 2007 Version 1.0

Configuring the Client Adapter through the Windows XP Operating System

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood

DHCP Server RADIUS Proxy

bintec R230a R230aw ADSL router with SIP proxy and IPSec

Copyright 2011 Nomadix, Inc. All Rights Reserved Agoura Road Suite 102 Agoura Hills CA USA White Paper

Firewall Authentication Proxy for FTP and Telnet Sessions

BW1330. High Performance Hotspot Access Point

Cisco Wireless LAN Controller Module

Overview. RADIUS Protocol CHAPTER

TSIN02 - Internetworking

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

Configuring a Basic Wireless LAN Connection

Cisco How Virtual Private Networks Work

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

RADIUS Commands. Cisco IOS Security Command Reference SR

Numerics INDEX. 2.4-GHz WMIC, contrasted with 4.9-GHz WMIC g 3-6, x authentication 4-13

Monitoring Radius Servers

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

FAQ on Cisco Aironet Wireless Security

Network Controller 3500 Quick Start Guide

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

REMOTE AUTHENTICATION DIAL IN USER SERVICE

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

ilight/gigapop eduroam Discussion Campus Network Engineering

MCSA Guide to Networking with Windows Server 2016, Exam

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

UIP1869V User Interface Guide

Operation Manual Security. Table of Contents

Chapter 4 Configuring 802.1X Port Security

Authentication and Security: IEEE 802.1x and protocols EAP based

Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

802.1x Configuration. FSOS 802.1X Configuration

Xceedium Xio Framework: Securing Remote Out-of-band Access

Cisco 5921 Embedded Services Router

Configuring Basic AAA on an Access Server

Colubris Networks Configuration Guide

Application Note. Using RADIUS with G6 Devices

IP Mobility vs. Session Mobility

Configuring Management Access

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Transcription:

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT Hüseyin ÇOTUK Information Technologies hcotuk@etu.edu.tr Ahmet ÖMERCİOĞLU Information Technologies omercioglu@etu.edu.tr Nurettin ERGİNÖZ Master Student nerginoz@etu.edu.tr ABSTRACT Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. Originally developed for dial-up remote access, RADIUS is now supported by Virtual Private Network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. This report provides an overview of RADIUS and the Extensible Authentication Protocol (EAP) and discusses how to minimize or resolve various security issues of the RADIUS protocol using implementation and deployment best practices. Keywords: radius, IEEE 802.1x, EAP, authenticator, NAS, authorization, authentication, PEAP, accounting 1. INTRODUCTION Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become ``wired'', an increasing number of people need to understand the basics of security in a networked world. Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. Originally developed for dial-up remote access, RADIUS is now supported by Virtual Private Network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. This report provides an overview of RADIUS and the Extensible Authentication Protocol (EAP) and discusses how to minimize or resolve various security issues of the RADIUS protocol using implementation and deployment best practices. 2. PROBLEM DEFINITION It's very important to understand that in security, one simply cannot say what's the best system? There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network, power supply, locked in a safe, and thrown at the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either: the Internet is a bad neighborhood now, and it isn't long before some bonehead will tell the computer to do something like self-destruct, after which, it isn't terribly useful to you. Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly. ``Unauthorized access'' is a very high-level term that can refer to a number of different sorts of attacks. The goal of these attacks is to access some resource that your machine should not provide the attacker. For example, a host might be a web server, and should provide anyone with requested web pages. However, that host should not provide command shell access without being sure that the person making such a request is someone who should get it, such as a local administrator. 3. IEEE 802.1x NETWORK AUTHENTICATION Security and flexibility are often seen as mutually exclusive requirements in a network, yet both are equally important. Security is crucial on any network. Flexibility, in particular the ability to roam, is increasingly fundamental. Therefore, Ethernet networks need a device authentication method that is highly secure but not tied to a port s physical location. In addition, the appropriate network access for users needs to be determined from their authentication credentials. 802.1x user authentication solves these multiple requirements. What is more, it is relatively uncomplicated and has very little impact on network performance. It is also a protocol that is mediumindependent equally effective on wireless and wired connections. 802.1x user authentication is rapidly

becoming an expected component of any Ethernet infrastructure. The IEEE 802.1x standard manages port-based network access. It authenticates devices attached to a LAN port by initiating a connection and requesting login details. Access is prevented if authentication fails. As well as being valuable for authenticating and controlling user traffic to a protected network, 802.1x is effective for dynamically varying encryption keys. 802.1x attaches the Extensible Authentication Protocol (EAP) to both wired and wireless LAN media, and supports multiple authentication methods, such as token cards, one-time passwords, certificates, and public key authentication. 802.1x was designed to accommodate the following requirements: Network Control Right at the Port Level: The best place to control network access is where the user attaches - at the port. It is also logical to apply packet and protocol filtering at the port. By controlling a user s network attachment point, the network environment can be customized to meet that user s needs and access agreements. Authentication, Authorization and Accounting: If an organization already uses Authentication, Authorization, and Accounting (AAA) technology to control users network access, (either through a firewall or dial-in remote access), 802.1x can use these AAA servers to provide AAA functions to new 802.1x clients. Public Network Security: Network owners that extend their networks into public arenas (for example, universities) must control user access. Before the advent of 802.1x, a user could plug into a live 802 port and gain full access to a network. This problem became even greater as the use of wireless LANs grew, because any user within physical range of a wireless access point could attempt to access the network. Distribution of Dynamic Encryption Keys: Wired Equivalent Privacy (WEP) was designed to provide the security level equivalent to that of a wired network. WEP uses symmetric encryption keys to provide security between wireless devices, but this is limited by the complications of allocating and managing the encryption keys. 802.1x counters this by providing a method for the allocation of WEP keys to access points. 4. RADIUS PROTOCOL RADIUS is an authentication, authorization and accounting client-server protocol. The client is a Network Access Server which desires to authenticate its links. The server is a server which has access to a user database with authentication information. It has been developed by Livingston Enterprises around 1989 and further improved by Merit (University of Michigan). The following RFC's have been accepted at the IETF in 1997: Remote Access Dialin User Service (RADIUS) [RFC2138] RADIUS Accounting [RFC2139] The protocol is supported and used by many terminal server vendors such as Cisco, Ascend, Livingston and others. It is a client/server protocol where a client (Network Access Servers) sends a request, which is responded by the server (RADIUS server). The protocol is based on the UDP transport protocol. The main reason to use this protocol instead of the more reliable TCP transport protocol is that when a RADIUS server fails, TCP takes to much time to determine this and switch to a secondary server. With UDP you can build your own retransmission scheme which can detect a failure of a RADIUS server at an earlier stage. Some ISPs (commonly modem, DSL, or wireless 802.11 services) require you to enter a username and password in order to connect to the Internet. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device over the Point-to-Point Protocol (PPP), then to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. If accepted, the server will then authorize access to the ISP system and select an IP address, L2TP parameters, etc. The RADIUS server will also be notified if and when the session starts and stops, so that the user can be billed accordingly; or the data can be used for statistical purposes. Additionally RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to RADIUS server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance. RADIUS is currently the de-facto standard for remote authentication. It is very prevalent in both new and legacy systems. 5. IMPLEMENTATION In order to compile radius with the specified requirements,./configure command is given with the following parameters.

To configure network devices with 802.1x and radius support, following settings must be done.

Wireless access points are configured as follows: Client side settings are done as follows: 5. RESULTS The implemented system supports advanced authentication, authorization and accounting features. When a user wants to connect to a network, switch takes its request and relays this request to the radius server. Radius server asks for an identity for the user. If the user successfully introduces himself to the system, he can get access to the network. While he is getting access to the network, in the server side radius specifies the user s access rights and logs the accounting information about the user. When user logs out from the network, a logout request is sent to server and server can estimate the duration of the session. Furthermore, according to user profile radius server sets user s IP address and VLAN settings. So, user can always get the same IP address and VLAN settings regardless of the connection location. It provides mobility for the system users. Wherever he connects to the network, access rights do not change. With the help of using the same user database, users can login into the system with a unique username and a password. Either it is the easiest way for users to remember and keep these information or it is quite useful for the system administrators. In order to change user information or add a user to the system can be executed by only one step. Older systems generally cannot deal with a large number of users with distinct authentication information. This requires more storage than many embedded systems possess. This system requires less system resources. In the further stages of the project, TACACS+ protocols shall be considered. TACACS+ encrypts all of the packets and it uses TCP protocol. Radius

encrypts only the important attributes of the packet like password and it uses UDP protocol. But nowadays, it is not standardized for all authentication requirements. TACACS+ is developed by Cisco and other vendors do not support this protocol yet. Cisco is still working on the TACACS+ to supply RFC requirements. [26] http://www.cisco.com/univercd/cc/td/doc/produc t/software/ios122/122newft/122limit/122x/122xb /122xb_2/fteaprad.htm [27] http://www.belgeler.org/howto/p8021x-howtointro.html After the TACACS+ is supported by all vendors and required specifications are achieved, this protocol can be adapted to current project. REFERENCES [1] RFC 2865 Remote Authentication Dial In User Service (RADIUS) [2] RFC 2866 RADIUS Accounting [3] RFC 2618 RADIUS Authentication Client MIB [4] RFC 2619 RADIUS Authentication Server MIB [5] RFC 2620 RADIUS Accounting Client MIB [6] RFC 2621 RADIUS Accounting Server MIB [7] RFC 3579 RADIUS Support for EAP [8] RFC 3580 IEEE 802.1X RADIUS Usage Guidelines [9] RFC 4014 RADIUS Attributes Suboption for the DHCP Relay Agent Information Option [10] RFC 2548 Microsoft Vendor-specific RADIUS Attributes [11] RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS [12] RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support [13] RFC 2868 RADIUS Attributes for Tunnel Protocol Support [14] RFC 2869 RADIUS Extensions [15] RFC 2882 Network Access Servers Requirements [16] RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) [17] RFC 4590 RADIUS Extension for Digest Authentication [18] Paranoid Penguin - Securing WLANs with WPA and FreeRADIUS, Part I [19] Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II [20] Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part III [21] http://www.ietf.org/iesg/implementations/radiu s-implementation.txt [22] http://www.stat.ufl.edu/system/man/portmaster/r ADIUS/guide/2server.html [23] http://www.portmasters.com/tech/docs/radius/intr oducing.html [24] http://www.csee.umbc.edu/help/oracle8/network. 815/a67766/03_radiu.htm [25] http://www.portmasters.com/tech/technotes/500/5 10008.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback