Network Security 1
Module 7: Configure Trust and Identity at Layer 2

Learning Objectives
- 7.1 Identity-Based Networking Services (IBNS)
- 7.2 Configuring 802.1x Port-Based Authentication

Module 7: Configure Trust and Identity at Layer 2
7.1 Identity-Based Networking Services (IBNS)
Identity Based Network Services
Unified Control of User Identity for the Enterprise
(Diagram: Cisco VPN Concentrators, IOS Routers and PIX Security Appliances; Cisco Secure ACS; OTP Server; Hard and Soft Tokens; Firewall; Router; Internet; Remote Offices; VPN Clients)

802.1x Roles
- Supplicant
- Authenticator
- Authentication Server
802.1x Authenticator and Supplicant
(Diagram: Home Office, Internet, Cisco Secure ACS)
- The perimeter router acts as the authenticator.
- The remote user's PC acts as the supplicant.

802.1x Components
(Diagram)
How 802.1x Works
(Diagram: End User (client) <-- 802.1x --> Catalyst 2950 (switch) <-- RADIUS --> Authentication Server (RADIUS))
- The actual authentication conversation occurs between the client and the authentication server using EAP.
- The authenticator is aware of this activity, but it is just a middleman.

How 802.1x Works (Continued)
(Message sequence between the End User (client), the Catalyst 2950 (switch) and the Authentication Server (RADIUS))
1. Client -> Switch: EAPOL-Start
2. Switch -> Client: EAP Request/Identity
3. Client -> Switch: EAP Response/Identity
   Switch -> Server: RADIUS Access-Request
4. Server -> Switch: RADIUS Access-Challenge
   Switch -> Client: EAP Request/OTP
5. Client -> Switch: EAP Response/OTP
   Switch -> Server: RADIUS Access-Request
6. Server -> Switch: RADIUS Access-Accept
   Switch -> Client: EAP Success
   Port Authorized
7. Client -> Switch: EAPOL-Logoff
   Port Unauthorized
EAP Characteristics
- EAP: the Extensible Authentication Protocol
- Extension of PPP to provide additional authentication features
- A flexible protocol used to carry arbitrary authentication information
- Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+
- Specified in RFC 2284
- Supports multiple authentication types:
  - EAP-MD5: plain password hash (CHAP over EAP)
  - EAP-TLS (based on X.509 certificates)
  - LEAP (EAP-Cisco Wireless)
  - PEAP (Protected EAP)

EAP Selection
Cisco Secure ACS supports the following varieties of EAP:
- EAP-MD5: an EAP protocol that does not support mutual authentication.
- EAP-TLS: EAP incorporating Transport Layer Security (TLS).
- LEAP: an EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
- PEAP: Protected EAP, which is implemented with the EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
- EAP-FAST: EAP Flexible Authentication via Secured Tunnel, a faster means of encrypting EAP authentication; supports EAP-GTC authentication.
Cisco LEAP: Lightweight Extensible Authentication Protocol
(Diagram: Client, Access Point, ACS Server)
- Derives a per-user, per-session key
- Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
- Uses mutual authentication: both the user and the AP need to be authenticated

EAP-TLS: Extensible Authentication Protocol Transport Layer Security
(Diagram: Client, Access Point, Switch, ACS Server)
- RFC 2716
- Used for TLS handshake authentication (RFC 2246)
- Requires PKI (X.509) certificates rather than username/password
- Mutual authentication
- Requires client and server certificates
- Certificate management is complex and costly

PEAP: Protected Extensible Authentication Protocol
(Diagram: Client, Access Point, Switch, ACS Server, with a TLS tunnel between the client and the ACS server)
- Internet-Draft by Cisco, Microsoft and RSA
- Enhancement of EAP-TLS
- Requires a server certificate only
- Mutual authentication: username/password challenge over the TLS channel
- Available for use with Microsoft and Cisco products
How Does Basic Port Based Network Access Work?
(Diagram: 802.1x-capable Ethernet LAN access devices, namely 4500/4000 Series, 3550/2950 Series and 6500 Series switches and Access Points, with a Cisco Secure ACS AAA RADIUS server; 802.1x runs between the host and the switch, RADIUS between the switch and the ACS server)
1. Host device attempts to connect to the switch.
2. Switch requests the ID.
3. Host sends ID/password or certificate.
4. Switch forwards the credentials to the ACS server.
5. Authentication successful.
6. Switch applies policies and enables the port.
7. Client now has secure access.
- The actual authentication conversation is between the client and the authentication server using EAP.
- The switch detects the 802.1x-compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.

ACS Deployment in a Small LAN
(Diagram: Client, Catalyst 2950/3500 Switch, Router, Firewall, Internet, Cisco Secure ACS)

ACS Deployment in a Global Network
(Diagram: Client, Firewall, Region 1 with Switch 1, Region 2 with Switch 2, Region 3 with Switch 3, and ACS1, ACS2, ACS3)
Cisco Secure ACS RADIUS Response
(Diagram: End User <-- 802.1x --> Cisco Catalyst Switch <-- RADIUS --> Cisco Secure ACS)
After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS Access-Accept packet, granting that user access to the network.

Module 7: Configure Trust and Identity at Layer 2
7.2 Configuring 802.1x Port-Based Authentication

802.1x Port-Based Authentication Configuration
- Enable 802.1x Authentication (required)
- Configure the Switch-to-RADIUS-Server Communication (required)
- Enable Periodic Re-Authentication (optional)
- Manually Re-Authenticating a Client Connected to a Port (optional)
- Resetting the 802.1x Configuration to the Default Values (optional)

802.1x Port-Based Authentication Configuration (Cont.)
- Changing the Quiet Period (optional)
- Changing the Switch-to-Client Retransmission Time (optional)
- Setting the Switch-to-Client Frame-Retransmission Number (optional)
- Enabling Multiple Hosts (optional)
- Resetting the 802.1x Configuration to the Default Values (optional)
Enabling 802.1x Authentication
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# aaa new-model
    Enable AAA.
  Switch(config)# aaa authentication dot1x default group radius
    Create an 802.1x authentication method list.

Enabling 802.1x Authentication (Cont.)
  Switch(config)# interface fastethernet0/12
    Enter interface configuration mode.
  Switch(config-if)# dot1x port-control auto
    Enable 802.1x authentication on the interface.
  Switch(config-if)# end
    Return to privileged EXEC mode.
Configuring Switch-to-RADIUS Communication
  Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
    Configure the RADIUS server parameters on the switch: the server address, the UDP authentication port, and the shared secret that must match the one configured on the RADIUS server.
Enabling Periodic Re-Authentication
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# dot1x re-authentication
    Enable periodic re-authentication of the client, which is disabled by default.
  Switch(config)# dot1x timeout re-authperiod seconds
    Set the number of seconds between re-authentication attempts.
Manually Re-Authenticating a Client Connected to a Port
  Switch# dot1x re-authenticate interface fastethernet0/12
    Starts re-authentication of the client on the port (a privileged EXEC command, not a configuration command).
Enabling Multiple Hosts
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# interface fastethernet0/12
    Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
  Switch(config-if)# dot1x multiple-hosts
    Allow multiple hosts (clients) on an 802.1x-authorized port.

Resetting the 802.1x Configuration to the Default Values
  Switch# configure terminal
    Enter global configuration mode.
  Switch(config)# dot1x default
    Reset the configurable 802.1x parameters to the default values.
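The tasks above are shown one at a time; the following is an added example (not one of the course slides and not Cisco documentation) that strings the required and optional steps together into one switch configuration, in the order they are applied. It assumes Catalyst 2950-class IOS syntax as used in the module; the RADIUS server 172.120.39.46, the shared secret rad123 and the port FastEthernet0/12 are the module's sample values, and the quiet-period, tx-period and max-req commands are the ones assumed to correspond to the optional tasks listed earlier (they are not spelled out on the slides).

```cisco
! Added example, not from the course slides: a consolidated 802.1x
! switch configuration covering the module's required and optional tasks.
! Assumed: Catalyst 2950-class IOS syntax; 172.120.39.46 / rad123 /
! FastEthernet0/12 are the module's sample values; the quiet-period,
! tx-period and max-req commands are assumed to be global commands on
! this IOS release.
Switch# configure terminal
! Required: turn on AAA and send 802.1x authentication to the RADIUS group
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
! Required: define the authentication server; the key is the RADIUS shared
! secret and must match the one configured on Cisco Secure ACS
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
! Optional: re-authenticate every 3600 seconds so a port does not stay
! authorized indefinitely after a user's account is disabled
Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 3600
! Optional: wait 60 seconds after a failed attempt before trying again
! (quiet period), retransmit EAP-Request/Identity every 30 seconds, and
! restart authentication after 2 unanswered retransmissions
Switch(config)# dot1x timeout quiet-period 60
Switch(config)# dot1x timeout tx-period 30
Switch(config)# dot1x max-req 2
! Required: put the access port under 802.1x control; "auto" means the port
! starts unauthorized and only forwards traffic after EAP Success
Switch(config)# interface fastethernet0/12
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
! Force the client on the port to re-authenticate now (privileged EXEC)
Switch# dot1x re-authenticate interface fastethernet0/12
! Verify the port's administrative and operational 802.1x status
Switch# show dot1x interface fastethernet0/12
```

Two points worth noting when adapting this. `dot1x multiple-hosts` is deliberately left off the port: once one supplicant authenticates, that command authorizes the port for every MAC address behind it, so it belongs only on ports with a hub or unmanaged device attached. On later Catalyst IOS releases 802.1x must also be enabled globally with `dot1x system-auth-control`, and the re-authentication and timer commands are entered under the interface rather than globally; check the release's command reference before pasting this in.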
Displaying 802.1x Statistics
  Switch# show dot1x statistics
    Display 802.1x statistics.
  Switch# show dot1x statistics interface interface-id
    Display 802.1x statistics for a specific interface.

Displaying 802.1x Status
  Switch# show dot1x
    Display 802.1x administrative and operational status.
  Switch# show dot1x interface interface-id
    Display 802.1x administrative and operational status for a specific interface.