Network Security 1. Module 7 Configure Trust and Identity at Layer 2


Learning Objectives
- 7.1 Identity-Based Networking Services (IBNS)
- 7.2 Configuring 802.1x Port-Based Authentication

7.1 Identity-Based Networking Services (IBNS)

Identity Based Network Services: Unified Control of User Identity for the Enterprise
(Diagram: Cisco Secure ACS with an OTP server and hard and soft tokens; Cisco VPN Concentrators, IOS routers and PIX Security Appliances; firewall and router facing the Internet, remote offices and VPN clients.)

802.1x Roles
- Supplicant
- Authenticator
- Authentication Server

802.1x Authenticator and Supplicant
(Diagram: home office PC, Internet, perimeter router, Cisco Secure ACS.)
- The perimeter router acts as the authenticator.
- The remote user's PC acts as the supplicant.

802.1x Components (diagram)

How 802.1x Works
(Diagram: End User (client) --802.1x-- Catalyst 2950 (switch) --RADIUS-- Authentication Server (RADIUS).)
- The actual authentication conversation occurs between the client and the Authentication Server using EAP.
- The authenticator is aware of this activity, but it is just a middleman.

How 802.1x Works (Continued)
Between the End User (client) and the Catalyst 2950 (switch) the exchange runs over 802.1x (EAPOL); between the switch and the Authentication Server it runs over RADIUS:
1. Client -> Switch: EAPOL-Start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity; Switch -> Server: RADIUS Access-Request
4. Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP Request/OTP
5. Client -> Switch: EAP Response/OTP; Switch -> Server: RADIUS Access-Request
6. Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP Success; Port Authorized
7. Client -> Switch: EAPOL-Logoff; Port Unauthorized
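The exchange above, modelled in code as an added example (not part of the original module): the supplicant and the RADIUS server hold the EAP conversation, while the switch only relays EAP between EAPOL and RADIUS and flips its controlled port on the final Access-Accept or Access-Reject. The message names follow the slide; the classes, the RADIUS State handling and the constructed user database and OTP are assumptions.

```python
"""Model of the 802.1x exchange: supplicant and RADIUS server authenticate
each other's claims; the switch is a middleman that never inspects the EAP body.

Added example, not from the original module. Message names follow the slide;
the classes, the State token and the constructed OTP are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed user database: identity -> expected one-time password.
USERS = {"alice": "otp-482911"}


@dataclass
class Msg:
    proto: str                      # "EAPOL", "EAP" or "RADIUS"
    kind: str                       # e.g. "Request/Identity", "Access-Challenge"
    payload: object = None          # EAP body (str) or an inner EAP Msg
    state: Optional[str] = None     # RADIUS State attribute, echoed by the switch


class Supplicant:
    """End user PC: answers Identity and OTP requests, knows nothing of RADIUS."""
    def __init__(self, identity: str, otp: str):
        self.identity, self.otp = identity, otp

    def handle(self, eap: Msg) -> Optional[Msg]:
        if eap.kind == "Request/Identity":
            return Msg("EAP", "Response/Identity", self.identity)
        if eap.kind == "Request/OTP":
            return Msg("EAP", "Response/OTP", self.otp)
        return None                  # Success/Failure need no reply


class RadiusServer:
    """Authentication server: the only party that sees and checks credentials."""
    def __init__(self, users: dict):
        self.users = users
        self.sessions = {}           # State token -> identity being authenticated

    def handle(self, req: Msg) -> Msg:
        eap = req.payload            # the EAP-Message carried in the Access-Request
        if eap.kind == "Response/Identity":
            token = f"state-{len(self.sessions) + 1}"
            self.sessions[token] = eap.payload
            return Msg("RADIUS", "Access-Challenge", Msg("EAP", "Request/OTP"), token)
        if eap.kind == "Response/OTP":
            identity = self.sessions.pop(req.state, None)
            if identity is not None and self.users.get(identity) == eap.payload:
                return Msg("RADIUS", "Access-Accept", Msg("EAP", "Success"))
        return Msg("RADIUS", "Access-Reject", Msg("EAP", "Failure"))


class Authenticator:
    """Catalyst switch: controlled port starts unauthorized and relays EAP."""
    def __init__(self, server: RadiusServer):
        self.server = server
        self.port = "unauthorized"
        self.trace = []              # (direction, message kind) in wire order

    def authenticate(self, supplicant: Supplicant) -> str:
        self.trace.append(("client->switch", "EAPOL-Start"))
        eap_out, state = Msg("EAP", "Request/Identity"), None
        while True:
            self.trace.append(("switch->client", f"EAP {eap_out.kind}"))
            eap_in = supplicant.handle(eap_out)
            self.trace.append(("client->switch", f"EAP {eap_in.kind}"))
            # The switch does not interpret the EAP body; it wraps it in RADIUS.
            self.trace.append(("switch->server", "RADIUS Access-Request"))
            reply = self.server.handle(Msg("RADIUS", "Access-Request", eap_in, state))
            self.trace.append(("server->switch", f"RADIUS {reply.kind}"))
            if reply.kind == "Access-Challenge":
                eap_out, state = reply.payload, reply.state
                continue
            # Accept or Reject: pass the final EAP result on and set the port.
            self.trace.append(("switch->client", f"EAP {reply.payload.kind}"))
            self.port = "authorized" if reply.kind == "Access-Accept" else "unauthorized"
            return self.port

    def logoff(self) -> str:
        self.trace.append(("client->switch", "EAPOL-Logoff"))
        self.port = "unauthorized"
        return self.port


def run_session(identity: str, otp: str) -> tuple:
    """Run one complete session; return (port state after auth, trace)."""
    switch = Authenticator(RadiusServer(USERS))
    state = switch.authenticate(Supplicant(identity, otp))
    return state, switch.trace


if __name__ == "__main__":
    for direction, kind in run_session("alice", "otp-482911")[1]:
        print(f"{direction:15} {kind}")
```

A wrong OTP ends in Access-Reject and EAP Failure with the port still unauthorized, and an EAPOL-Logoff returns an authorized port to unauthorized, which is the behaviour the two last steps of the slide describe.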

EAP Characteristics
- EAP, the Extensible Authentication Protocol, is an extension of PPP that provides additional authentication features.
- A flexible protocol used to carry arbitrary authentication information.
- Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+.
- Specified in RFC 2284.
- Supports multiple authentication types:
  - EAP-MD5: plain password hash (CHAP over EAP)
  - EAP-TLS (based on X.509 certificates)
  - LEAP (EAP-Cisco Wireless)
  - PEAP (Protected EAP)

EAP Selection
Cisco Secure ACS supports the following varieties of EAP:
- EAP-MD5: an EAP protocol that does not support mutual authentication.
- EAP-TLS: EAP incorporating Transport Layer Security (TLS).
- LEAP: an EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
- PEAP: Protected EAP, which is implemented with the EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
- EAP-FAST: EAP Flexible Authentication via Secured Tunnel (EAP-FAST), a faster means of encrypting EAP authentication; supports EAP-GTC authentication.

Cisco LEAP (Lightweight Extensible Authentication Protocol)
(Diagram: Client, Access Point, ACS Server.)
- Derives a per-user, per-session key.
- Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption.
- Uses mutual authentication: both the user and the AP need to be authenticated.

EAP-TLS (Extensible Authentication Protocol Transport Layer Security)
(Diagram: Client, Access Point, Switch, ACS Server.)
- RFC 2716; uses the TLS handshake (RFC 2246) for authentication.
- Requires PKI (X.509) certificates rather than username/password.
- Mutual authentication; requires client and server certificates.
- Certificate management is complex and costly.

PEAP (Protected Extensible Authentication Protocol)
(Diagram: Client, Access Point, Switch, ACS Server; TLS tunnel between the client and the ACS server.)
- Internet-Draft by Cisco, Microsoft and RSA.
- Enhancement of EAP-TLS; requires a server certificate only.
- Mutual authentication: username/password challenge over the TLS channel.
- Available for use with Microsoft and Cisco products.

How Does Basic Port Based Network Access Work?
(Diagram: 802.1x-capable Ethernet LAN access devices; Catalyst 6500, 4500/4000 and 3550/2950 Series switches and access points; Cisco Secure ACS AAA RADIUS server. 802.1x runs between host and switch, RADIUS between switch and ACS.)
1. Host device attempts to connect to the switch.
2. Switch requests the ID.
3. Host sends ID/password or certificate.
4. Switch forwards the credentials to the ACS server.
5. Authentication successful.
6. Switch applies policies and enables the port.
7. Client now has secure access.
- The actual authentication conversation is between the client and the Auth Server using EAP.
- The switch detects the 802.1x-compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.

ACS Deployment in a Small LAN
(Diagram: client, Catalyst 2950/3500 switch, Cisco Secure ACS, router, firewall, Internet.)

ACS Deployment in a Global Network
(Diagram: clients in Region 1, Region 2 and Region 3 behind Switch 1, Switch 2 and Switch 3; ACS1, ACS2 and ACS3; a firewall between regions.)

Cisco Secure ACS RADIUS Response
(Diagram: End User --802.1x-- Cisco Catalyst Switch --RADIUS-- Cisco Secure ACS.)
After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.
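What the switch must check before it acts on that accept packet, as an added example (not the module's or Cisco's code): under RFC 2865 the Response Authenticator of an Access-Accept is MD5 over Code, Identifier, Length, the Request Authenticator of the matching Access-Request, the attributes and the shared secret, so an accept that was not built with the secret configured on the switch (the slide's radius-server key, rad123) or that does not match the outstanding request is discarded rather than authorizing the port. The packet contents below are constructed, and the helper names are assumptions.

```python
"""Switch-side validation of a RADIUS Access-Accept (RFC 2865 section 3).

Added example, not part of the original module; packet contents are
constructed here and the helper names are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE = 1, 79       # RADIUS attribute types
EAP_SUCCESS = b"\x03\x05\x00\x04"   # EAP Code 3 (Success), id 5, length 4 (constructed)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def make_access_request(ident: int, attrs: bytes) -> tuple:
    """Switch builds the request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def make_access_accept(ident, request_auth, attrs, secret) -> bytes:
    """Server answers; only a holder of the secret can compute this authenticator."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the authenticator over the received packet; constant-time compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def accept_is_trusted(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The port may be authorized only for a verified Access-Accept."""
    return verify_response(packet, request_auth, secret) and packet[0] == ACCESS_ACCEPT


def demo(secret: bytes = b"rad123") -> dict:
    """Genuine accept passes; wrong secret or a non-matching request does not."""
    identity = attr(USER_NAME, b"alice") + attr(EAP_MESSAGE, b"\x02\x05\x00\x0aalice")
    _, req_auth = make_access_request(7, identity)
    accept_attrs = attr(EAP_MESSAGE, EAP_SUCCESS)
    genuine = make_access_accept(7, req_auth, accept_attrs, secret)
    wrong_key = make_access_accept(7, req_auth, accept_attrs, b"not-the-key")
    stale = make_access_accept(7, os.urandom(16), accept_attrs, secret)
    return {
        "genuine": accept_is_trusted(genuine, req_auth, secret),
        "wrong_secret": accept_is_trusted(wrong_key, req_auth, secret),
        "unmatched_request": accept_is_trusted(stale, req_auth, secret),
    }
```

For packets carrying EAP-Message, RFC 3579 additionally requires a Message-Authenticator attribute (HMAC-MD5 under the same secret), which a switch checks as well; this block covers only the Response Authenticator from RFC 2865.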

7.2 Configuring 802.1x Port-Based Authentication

802.1x Port-Based Authentication Configuration
- Enable 802.1x Authentication (required)
- Configure the Switch-to-RADIUS-Server Communication (required)
- Enable Periodic Re-Authentication (optional)
- Manually Re-Authenticating a Client Connected to a Port (optional)
- Changing the Quiet Period (optional)
- Changing the Switch-to-Client Retransmission Time (optional)
- Setting the Switch-to-Client Frame-Retransmission Number (optional)
- Enabling Multiple Hosts (optional)
- Resetting the 802.1x Configuration to the Default Values (optional)

Enabling 802.1x Authentication
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# aaa new-model
    Enable AAA.
  Switch(config)# aaa authentication dot1x default group radius
    Create an 802.1x authentication method list.
  Switch(config)# interface fastethernet0/12
    Enter interface configuration mode.
  Switch(config-if)# dot1x port-control auto
    Enable 802.1x authentication on the interface.
  Switch(config-if)# end
    Return to privileged EXEC mode.

Configuring Switch-to-RADIUS Communication
  Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
    Configure the RADIUS server parameters (address, authentication port and shared key) on the switch.

Enabling Periodic Re-Authentication
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# dot1x re-authentication
    Enable periodic re-authentication of the client, which is disabled by default.
  Switch(config)# dot1x timeout re-authperiod seconds
    Set the number of seconds between re-authentication attempts.

Manually Re-Authenticating a Client Connected to a Port
  Switch# dot1x re-authenticate interface fastethernet0/12
    Start re-authentication of the client (privileged EXEC command).

Enabling Multiple Hosts
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# interface fastethernet0/12
    Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
  Switch(config-if)# dot1x multiple-hosts
    Allow multiple hosts (clients) on an 802.1x-authorized port.

Resetting the 802.1x Configuration to the Default Values
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# dot1x default
    Reset the configurable 802.1x parameters to the default values.

Displaying 802.1x Statistics
  Switch# show dot1x statistics
    Display 802.1x statistics.
  Switch# show dot1x statistics interface interface-id
    Display 802.1x statistics for a specific interface.

Displaying 802.1x Status
  Switch# show dot1x
    Display 802.1x administrative and operational status.
  Switch# show dot1x interface interface-id
    Display 802.1x administrative and operational status for a specific interface.
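The configuration steps above, turned into a check a practitioner can run over a saved running-config, as an added example (not the module's or Cisco's code): it confirms the required global commands (aaa new-model, the dot1x method list, a radius-server host with a shared key), flags access ports that lack dot1x port-control auto, notes when periodic re-authentication has been left at its disabled default, and calls out multiple-hosts ports, where one authenticated client opens the port for every other device behind it. The sample config is constructed (192.0.2.10 is a documentation address), and the audit rules and helper names are assumptions drawn from the commands on the slides.

```python
"""Audit a Catalyst running-config for the 802.1x elements the module configures.

Added example, not from the original module. The sample config is constructed;
the audit rules are assumptions based on the commands shown on the slides."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface FastEthernet0/12
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/13
 switchport mode access
!
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto
 dot1x multiple-hosts
!
interface GigabitEthernet0/1
 switchport mode trunk
!
radius-server host 192.0.2.10 auth-port 1812 key rad123
"""


def split_config(config: str) -> tuple:
    """Return (non-indented global lines, {interface name: [indented lines]})."""
    globals_, stanzas, current = [], {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        globals_.append(line.strip())
    return globals_, stanzas


def audit(config: str) -> list:
    """List findings; an empty list means every step on the slides is present."""
    globals_, stanzas = split_config(config)
    findings = []
    for required in ("aaa new-model", "aaa authentication dot1x default group radius"):
        if required not in globals_:
            findings.append(f"global: missing '{required}'")
    if not any(re.match(r"radius-server host \S+.*\bkey \S+", g) for g in globals_):
        findings.append("global: no radius-server host with a shared key")
    if "dot1x re-authentication" not in globals_:
        findings.append("global: periodic re-authentication left at its default (disabled)")
    for name, lines in stanzas.items():
        if "switchport mode access" not in lines:
            continue                 # trunk/uplink ports are outside port-based auth
        if "dot1x port-control auto" not in lines:
            findings.append(f"{name}: access port without 'dot1x port-control auto'")
        elif "dot1x multiple-hosts" in lines:
            findings.append(f"{name}: multiple-hosts lets any host share one authorized port")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config from a switch; on the constructed sample it reports FastEthernet0/13 as an unprotected access port, FastEthernet0/14 as a multiple-hosts port, and the missing dot1x re-authentication, while leaving the trunk on GigabitEthernet0/1 alone.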