Layer 2 authentication on VoIP phones (802.1x)


White Paper
www.siemens.com/open

Layer 2 authentication on VoIP phones (802.1x)

IP Telephony offers users the ability to log on anywhere in the world. Although this offers mobile workers great advantages, it presents new challenges for system administrators, who need to ensure that they only allow authorized users into their enterprise network. The 802.1x standard provides an authentication process verifying that only permitted devices are allowed onto the network. In addition to supporting security, 802.1x also reduces costs by simplifying adds / moves / changes and allows employees to change locations more easily. This paper discusses the reasons customers ask for 802.1x, the technical principles of 802.1x, and the methods for deploying 802.1x certificates on end devices.

A white paper issued by: Siemens Enterprise Communications
Siemens Enterprise Communications GmbH & Co. KG 2007, All rights reserved

Content
Layer 2 authentication on VoIP phones (802.1x)
  Introduction
  The protocol: how it works
  802.1x in a one-wire-to-the-desk scenario
  Deployment
  Status

Layer 2 authentication on VoIP phones (802.1x)

Introduction

802.1x blocks unauthorized physical user access to the network.

What is 802.1x?
802.1x is an IEEE standard for port-based access control that enhances the security of local area networks by allowing a user to be authenticated by a central authority. The authentication takes place at layer 2 of the OSI model and uses one of the following methods: digital certificates, user/password, One Time Password (OTP) or MAC address.

What are the advantages of 802.1x?
Using 802.1x, access to the network is restricted to authorized entities. Together with a management system, it is possible to restrict access to particular resources and/or tag access to the network with QoS levels. It is also possible to have billing information for every connection.

How can 802.1x improve profitability?
- enhanced network security (reduced risk of unauthorized usage of network resources, intrusion attempts, network attacks)
- simplified administration through central user management
- increased user mobility (project teams etc.)

The protocol: how it works

A VoIP phone acts as an 802.1x supplicant.

The authentication mechanism EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is based on a device-specific certificate. This device-specific certificate is checked against the one in the user database. The following diagram shows the different components of an 802.1x infrastructure. The 802.1x supplicant is typically an IP end device such as a laptop, PC or VoIP phone. The 802.1x authenticator function is provided by an Ethernet switch in a LAN environment or by a wireless access point in a WLAN environment. The authentication server is a RADIUS server.

[Figure: Components of the 802.1x architecture]

Using the authentication mechanism EAP-TLS, the following sequence is executed (the port of the Ethernet switch is configured for EAP-TLS as well):

1. The IP telephone (supplicant) is connected, but the switch port is only opened for EAPOL packets.
   Remark: The phone sends an EAPOL-Start to the LAN switch to signal "there is a new device". This message is not necessary if a "layer up" event is created when the LAN cable is plugged into the port of the LAN switch.
2. The LAN switch (authenticator) sends an EAP (Extensible Authentication Protocol) request to the IP telephone requesting an authentication method, e.g. EAP-TLS. In the case of EAP-TLS, the RADIUS server sends its certificate to the phone.
3. The IP telephone checks the received RADIUS server certificate against the certificates stored in the phone's trusted store and answers the request by sending its own certificate to the LAN switch using EAP-TLS.
   Remark: All communication between (1) and (3) is routed via the data VLAN.
4. The LAN switch forwards this information to a RADIUS server (authentication server), and the RADIUS server verifies the information against the user database (DB).
5. If the verification is successful, the LAN switch is informed and the switch port is opened for normal traffic according to its pre-configured privileges (VLAN, DiffServ/ToS, etc.). From now on, the voice VLAN is typically used. The VLAN ID is provided either by the DHCP server or via the administration (DLS or locally on the phone).
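The five-step EAP-TLS sequence above, as an added example that is not part of the Siemens white paper. It encodes and decodes the EAPOL header (IEEE 802.1X, EtherType 0x888E) and the EAP header (RFC 3748, Type 13 for EAP-TLS), and then walks the steps with the switch port's "EAPOL only until authorized" rule made explicit. The TLS handshake is replaced by an exchange of certificate identifiers so that the port-state logic stays visible; the Phone and EapMsg classes, run_eap_tls, port_forwards, the certificate identifier strings, the authenticator MAC and the user database are all constructed for this example. It also shows the behaviour the Deployment section of the paper describes, where a phone that has no certificate installed yet ignores the EAP-TLS request.

```python
# Added example: minimal EAPOL/EAP codec and the EAP-TLS sequence from the paper.
# The TLS handshake is abstracted to certificate identifiers (constructed values).
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 802.1X PAE group MAC address
EAPOL_EAP_PACKET, EAPOL_START = 0, 1              # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
TLS_FLAG_START = 0x20                              # S bit of the EAP-TLS flags octet
AUTHENTICATOR_MAC = b"\x00" * 6                    # constructed switch MAC


@dataclass
class EapMsg:
    code: int
    ident: int
    type: Optional[int] = None   # only Request/Response carry a Type octet
    data: bytes = b""


def encode_eap(m: EapMsg) -> bytes:
    body = b"" if m.type is None else bytes([m.type]) + m.data
    return struct.pack("!BBH", m.code, m.ident, 4 + len(body)) + body


def decode_eap(buf: bytes) -> EapMsg:
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP length field inconsistent with payload")
    body = buf[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("EAP Request/Response without a Type octet")
        return EapMsg(code, ident, body[0], body[1:])
    return EapMsg(code, ident)


def encode_eapol(src_mac: bytes, ptype: int, body: bytes = b"") -> bytes:
    hdr = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return hdr + struct.pack("!BBH", 2, ptype, len(body)) + body   # EAPOL version 2


def decode_eapol(frame: bytes):
    """Returns (source MAC, EAPOL packet type, EAPOL body)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return frame[6:12], ptype, frame[18:18 + length]


def port_forwards(authorized: bool, frame: bytes) -> bool:
    """Step 1: an unauthorized port passes only EAPOL frames."""
    return authorized or struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


@dataclass
class Phone:
    mac: bytes
    cert_id: Optional[bytes]     # None until the DLS has installed a certificate
    trust_store: set             # server certificate ids the phone accepts


def run_eap_tls(phone: Phone, server_cert_id: bytes, user_db: set):
    """Returns (port_authorized, trace). user_db stands in for the RADIUS
    server's user database of known device certificates (constructed)."""
    trace, authorized = [], False
    start = encode_eapol(phone.mac, EAPOL_START)                      # step 1
    trace.append("EAPOL-Start" if port_forwards(authorized, start) else "dropped")
    # step 2: authenticator offers EAP-TLS; the server certificate rides in TLS data
    req = EapMsg(EAP_REQUEST, 1, EAP_TYPE_TLS, bytes([TLS_FLAG_START]) + server_cert_id)
    _src, _ptype, body = decode_eapol(encode_eapol(AUTHENTICATOR_MAC, EAPOL_EAP_PACKET, encode_eap(req)))
    req = decode_eap(body)
    trace.append("EAP-Request/EAP-TLS(Start)")
    if phone.cert_id is None:        # no credentials yet: phone ignores EAP-TLS
        trace.append("phone ignores EAP-TLS (no certificate installed)")
        return False, trace
    if req.data[1:] not in phone.trust_store:                         # step 3
        trace.append("server certificate not in phone trust store")
        return False, trace
    resp = EapMsg(EAP_RESPONSE, req.ident, EAP_TYPE_TLS, b"\x00" + phone.cert_id)
    trace.append("EAP-Response/EAP-TLS(client certificate)")
    ok = decode_eap(encode_eap(resp)).data[1:] in user_db            # step 4
    trace.append("EAP-Success" if ok else "EAP-Failure")              # step 5
    authorized = ok
    return authorized, trace
```

The trace returned by run_eap_tls is the list of messages a packet capture on the data VLAN would show for the exchange; the authorized flag is the controlled-port state the switch ends up in.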

802.1x in a one-wire-to-the-desk scenario

Also in a one-wire-to-the-desk scenario, the VoIP phone acts as a supplicant.

In typical VoIP scenarios today, PCs are plugged into the VoIP phone, eliminating the need for a second Ethernet cable from the cabinet switch to the same desk. An internal Ethernet switch in the VoIP phone relays all frames that are destined for the PC. Special care has to be taken when using 802.1x in such a single-wire-to-the-desk scenario. With standard 802.1x port-based authentication, the LAN port is opened for both the telephone and the PC if only one of them is authenticated. This would create a security hole, since the PC port of an authenticated VoIP phone is unprotected. The LAN switch features MultiDomain Authentication (Cisco's terminology) or MultiUser Authentication (Enterasys terminology) instead provide independent device-based authentication of the different devices that are connected (via a VoIP phone) to the same LAN port. In this way, the LAN switch is able to authenticate the VoIP phone and the PC separately, and both can be placed in separate VLANs.

Remark: For detailed descriptions of the supported authentication options, please refer to the documentation provided by the LAN switch vendor.

Deployment

Deploying 802.1x devices in an 802.1x-secured network has its challenges: at the time of deployment, the device does not yet have the credentials on board that are necessary to connect to the network, and downloading them involves communication via the LAN switch. So how can the phones get access to their 802.1x certificates, private keys and CA certificate? One possibility is to download the certificates onto the end devices in an off-line, separate network. Another possibility is to allow access to a default VLAN throughout the whole 802.1x-secured network, but only allow the device to contact the servers needed to download the certificates.

Deployment via a Default VLAN

First communication via the default VLAN to get the certificate, second communication in an authenticated way.

To prepare the deployment, the company-specific certificates are made available within the Deployment Server (DLS) for all Siemens hard phones via an Import File.

1. The initial phase (i.e. the quarantine phase) is handled over the Default VLAN (in the Enterasys case), or in the data VLAN with limited access, i.e. only to the DHCP server and the DLS. In this phase, the 802.1x device-specific certificate together with all other configuration data is downloaded onto the IP phone.
   Note: Until certificates have been installed for 802.1x, the phone ignores all EAP-TLS requests, on the assumption that the switch will put a device that does not support 802.1x on the Default VLAN (otherwise the challenge would fail at this point and the port would be closed). Once the certificates have been installed, the phone takes part in the EAP-TLS exchange.
2. After having received the credentials, all further communication is authenticated by the next LAN switch.
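The two authorization behaviours contrasted in the one-wire-to-the-desk section (port-based authentication versus per-device MultiDomain/MultiUser authentication) and the quarantine phase of the default-VLAN deployment just described, as one added example that is not part of the Siemens white paper. It models a switch port's forwarding decision for frames from the phone and from the PC behind it; the SwitchPort class, the mode names, the VLAN IDs, the MAC strings and the set of services reachable from the default VLAN are constructed for this example and do not reflect any vendor's configuration syntax.

```python
# Added example: forwarding model of an 802.1x switch port with a phone and a PC
# on one wire. All names, VLAN IDs and MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional

VOICE_VLAN, DATA_VLAN, DEFAULT_VLAN = 10, 20, 99   # constructed VLAN IDs
QUARANTINE_SERVICES = {"dhcp", "dls"}              # reachable from the default VLAN only
PHONE_MAC, PC_MAC = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"


@dataclass
class SwitchPort:
    mode: str                                        # "port-based" or "multi-domain"
    sessions: dict = field(default_factory=dict)     # MAC -> VLAN granted on EAP-Success
    quarantined: set = field(default_factory=set)    # MACs that never answered EAP
    log: list = field(default_factory=list)          # what an operator would see in syslog

    def eap_success(self, mac: str, vlan: int) -> bool:
        """RADIUS accepted the device and assigned a VLAN."""
        if self.mode == "multi-domain":
            # one device per domain: a second MAC claiming an occupied domain is a violation
            if vlan in self.sessions.values() and self.sessions.get(mac) != vlan:
                self.log.append(f"violation: {mac} claims occupied VLAN {vlan}")
                return False
        self.sessions[mac] = vlan
        self.log.append(f"authorized: {mac} on VLAN {vlan}")
        return True

    def eap_timeout(self, mac: str) -> None:
        """Device did not answer EAP (e.g. a phone with no certificate yet):
        the switch places it on the default VLAN."""
        self.quarantined.add(mac)

    def forward(self, src_mac: str, service: str) -> Optional[int]:
        """VLAN a frame from src_mac to the named service is forwarded on, or None."""
        if self.mode == "port-based":
            # one authenticated device opens the whole port for every MAC behind it
            granted = set(self.sessions.values())
            in_quarantine = bool(self.quarantined)
        else:
            # multi-domain: each MAC is judged on its own session
            granted = {self.sessions[src_mac]} if src_mac in self.sessions else set()
            in_quarantine = src_mac in self.quarantined
        if granted:
            return min(granted)
        if in_quarantine and service in QUARANTINE_SERVICES:
            return DEFAULT_VLAN
        self.log.append(f"dropped: {src_mac} -> {service}")
        return None


def one_wire_scenario(mode: str) -> dict:
    """Phone authenticates with EAP-TLS; the PC plugged into the phone never does."""
    port = SwitchPort(mode)
    port.eap_success(PHONE_MAC, VOICE_VLAN)
    port.eap_timeout(PC_MAC)
    return {
        "phone_sip": port.forward(PHONE_MAC, "sip"),
        "pc_fileserver": port.forward(PC_MAC, "fileserver"),
        "log": list(port.log),
    }


def quarantine_scenario() -> dict:
    """Phase 1: a new phone without certificate reaches only DHCP/DLS on the default
    VLAN. Phase 2: after the DLS installed the certificate it authenticates."""
    port = SwitchPort("multi-domain")
    port.eap_timeout(PHONE_MAC)
    before = {"dls": port.forward(PHONE_MAC, "dls"),
              "sip": port.forward(PHONE_MAC, "sip")}
    port.eap_success(PHONE_MAC, VOICE_VLAN)
    after = {"sip": port.forward(PHONE_MAC, "sip")}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for mode in ("port-based", "multi-domain"):
        print(mode, one_wire_scenario(mode))
    print("quarantine", quarantine_scenario())
```

In port-based mode the PC's frames ride on the voice VLAN as soon as the phone has authenticated, which is the hole the paper describes; in multi-domain mode they are dropped and logged until the PC completes its own authentication, and a second device claiming an occupied domain shows up as a violation in the log.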

[Figure: Deployment via a Default VLAN - RADIUS server, DLS and WBM; steps 1, 1a and 2 over 802.1x (EAP-TLS)]

Deployment via an off-line Network

Preparation for Step 1: Company-specific certificates (i.e. the phone-specific certificate and the CA certificate) are made available via an Import File within the Deployment Server (DLS) for all Siemens hard phones to be authenticated.

Step 1: The 802.1x certificates are distributed to all Siemens hard phones within an off-line network (without 802.1x enabled) with a separate DLS and DHCP server. Off-line, the DLS has the 802.1x certificates preconfigured in its database.

Preparation for Step 2: Configure the layer-2 switches so that, without the company-specific certificates, no communication at all is allowed, i.e. no port is opened in such a case.

Step 2: All phones are plugged in at their destination locations. As the phones are now preconfigured with the correct company-specific certificates, access to the "real-life" DHCP server and DLS is granted. All other configuration data is distributed via the DLS.

Status

The standard can be found at: http://standards.ieee.org/getieee802/portfolio.html. Additionally, you can find information about 802.1x at http://en.wikipedia.org/wiki/802.1x and on the Siemens Enterprise Communications wiki site http://wiki.siemensenterprise.com, including an 802.1x admin guide describing how to configure 802.1x within the VoIP environment: http://wiki.siemensenterprise.com/images/e/ed/admin_manual_802.1x_optipoint_410-420_family.pdf

802.1x is currently available on optipoint 410, 420 and on the optipoint WL2. 802.1x is planned on OpenStage for the second half of 2007.

Remark: For the opticlient 130 (S), 802.1x is not relevant, because 802.1x is based on layer 2 and is handled by the PC itself.

802.1x deployments have been tested with the Enterasys Matrix N Series; Nortel BayStack 5520; HP ProCurve Switch 3500yl; Huawei S3026C and Netgear FSM726S Managed Stackable Switch (no multi-user authentication); and Cisco's Catalyst 3560.

Abbreviations
DHCP  Dynamic Host Configuration Protocol
DLS   Deployment Server
EAP   Extensible Authentication Protocol
IP    Internet Protocol
LAN   Local Area Network
LDAP  Lightweight Directory Access Protocol
MAC   Media Access Control
PKI   Public Key Infrastructure
TLS   Transport Layer Security
VLAN  Virtual Local Area Network
WLAN  Wireless Local Area Network

www.siemens.com/open All rights reserved. All trademarks used are owned by Siemens Enterprise Communications or their respective owners. Siemens Enterprise Communications GmbH & Co. KG The information provided in this whitepaper contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of the contract. Availability and technical specifications are subject to change without notice. Printed in Germany. Siemens Enterprise Communications GmbH & Co. KG Hofmannstraße 51 D-81359 München