Authentication and Security: IEEE 802.1x and protocols EAP based

Similar documents
Authentication and Security: IEEE 802.1x and protocols EAP based

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Wireless LAN Security. Gabriel Clothier

Chapter 4 Configuring 802.1X Port Security

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

FAQ on Cisco Aironet Wireless Security

Security in IEEE Networks

The following chart provides the breakdown of exam as to the weight of each section of the exam.

802.1x Configuration. FSOS 802.1X Configuration

Table of Contents X Configuration 1-1

Controlled/uncontrolled port and port authorization status

802.1x Port Based Authentication

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Standard For IIUM Wireless Networking

Configuring Authentication Types

Exam Questions CWSP-205

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

802.1X: Background, Theory & Implementation

802.1x. ACSAC 2002 Las Vegas

Designing AirPort Extreme n Networks

N_Max Wireless USB Adapter

Securing a Wireless LAN

Configuring a VAP on the WAP351, WAP131, and WAP371

Implementing X Security Solutions for Wired and Wireless Networks

Operation Manual 802.1x. Table of Contents

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Chapter 10 Security Protocols of the Data Link Layer

COPYRIGHTED MATERIAL. Contents

With 802.1X port-based authentication, the devices in the network have specific roles.

Securing Your Wireless LAN

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Table of Contents X Configuration 1-1

Configuring Port-Based and Client-Based Access Control (802.1X)

TopGlobal MB8000 Hotspots Solution

TABLE OF CONTENTS CHAPTER TITLE PAGE

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring FlexConnect Groups

Unified Services Routers

Web and MAC Authentication

Network Security. Chapter 10 Security Protocols of the Data Link Layer

Configure Network Access Manager

Configuring a Wireless LAN Connection

802.1x Configuration. Page 1 of 11

Network Security. Chapter 11 Security Protocols of the Data Link Layer. Scope of Link Layer Security Protocols

Wireless-N Business Notebook Adapter

Configuring WLANsWireless Device Access

Ju-A A Lee and Jae-Hyun Kim

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Configuring Local EAP

Configuring Hybrid REAP

Rapid spanning tree protocol

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

IEEE 802.1X workshop. Networkshop 34, 4 April Josh Howlett, JRS Technical Support, University of Bristol. Copyright JNT Association

Wireless technology Principles of Security

Configuring IEEE 802.1x Port-Based Authentication

Configuring FlexConnect Groups

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities

Appendix E Wireless Networking Basics

Port-based authentication with IEEE Standard 802.1x. William J. Meador

Cisco Exactexams Questions & Answers

ENHANCING PUBLIC WIFI SECURITY

Designing AirPort Networks

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Cisco Exam Questions & Answers

Operation Manual Security. Table of Contents

A Secure Wireless LAN Access Technique for Home Network

Qian Yang 802.1X AUTHENTICATION AND AUTHORIZATION IN WIRED NETWORK

Network. NEC Portable Projector NP905/NP901W WPA Setting Guide. Security WPA. Supported Authentication Method WPA-PSK WPA-EAP WPA2-PSK WPA2-EAP

Chapter 24 Wireless Network Security

New Windows build with WLAN access

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Network Access Flows APPENDIXB

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

TestsDumps. Latest Test Dumps for IT Exam Certification

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

With 802.1X port-based authentication, the devices in the network have specific roles.

Configuring a WLAN for Static WEP

Configuring the Client Adapter through the Windows XP Operating System

Configuring 802.1X. Finding Feature Information. Information About 802.1X

b/g/n 1T1R Wireless USB Adapter. User s Manual

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

Designing AirPort Networks

Data Link Protocols. TCP/IP Suite and OSI Reference Model

Protected EAP (PEAP) Application Note

Configuring the Client Adapter

Configuring IEEE 802.1x Port-Based Authentication

Connecting Devices to the PSD-BYOD Network

A Comparison of Data-Link and Network Layer Security for IEEE Networks

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

ClearPass QuickConnect 2.0

Network Working Group

Configuring the Client Adapter through Windows CE.NET

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Configuring IEEE 802.1x Port-Based Authentication

Configuring the WMIC for the First Time

Transcription:

Authentication and Security: IEEE 802.1x and protocols EAP based Pietro Nicoletti piero[at]studioreti.it 802-1-X-2008-Eng - 1 P. Nicoletti: see note pag. 2

Copyright note These slides are protected by copyright and international treaties. The title and the copyrights concerning the slides (inclusive, but non only, every image, photograph, animation, video, audio, music and text) are the author s (see Page 1) property. The slides can be copied and used by research institutes, schools and universities affiliated to the Ministry of Public Instruction and the Ministry of University and Scientific Research and Technology, for institutional purpose, not for profit. In this case there is not requested any authorization. Any other complete or partial use or reproduction (inclusive, but not only, reproduction on discs, networks and printers) is forbidden without written authorization of the author in advance. The information contained in these slides are believed correct at the moment of publication. They are supplied only for didactic purpose and not to be used for installation-projects, products, networks etc. However, there might be changes without notice. The authors are not responsible for the content of the slides. In any case there can not be declared conformity with the information contained in these slides. In any case this note of copyright may never be removed and must be written also in case of partial use. 802-1-X-2008-Eng - 2 P. Nicoletti: see note pag. 2

Radius R.A.D.I.U.S.:Remote Authentication Dial-In User Service protocol is used to exchange authentication message from Authenticator and Server The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user RADIUS protocol has been used in the past by Internet Service Providers to authenticate users connected via Dial-Up line to the Access Server 802-1-X-2008-Eng - 3 P. Nicoletti: see note pag. 2

IEEE 802.1x Define a Port Base Network Access Control functions Use physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics (Dial-Up), and of preventing access to that port in cases where the authentication and authorization process fails Can be implemented on Switch and Wireless Access Point 802-1-X-2008-Eng - 4 P. Nicoletti: see note pag. 2

802.1x main elements Authenticator: is an entity at one end of a point-to-point LAN segment that requires to authenticate the entity attached to the other end of that link Authentication Server: is an entity that provides an Authentication Service to an Authenticator. This service determines, from the credentials provided by the Supplicant, whether the Supplicant is authorized to access the services provided by the Authenticator 802-1-X-2008-Eng - 5 P. Nicoletti: see note pag. 2

802.1x main elements Supplicant: is an entity at one end of a point-to-point LAN segment that is being authenticated by an Authenticator attached to the other end of that link (example a Switch) can also an entity that want to be associated and authenticated in a Wireless LAN environment through Access Point Port Access Entity (PAE): Is a entity protocol associated to the authenticator, the supplicant or both 802-1-X-2008-Eng - 6 P. Nicoletti: see note pag. 2

802.1x function and protocols used to authenticate supplicant May 2008 Protocol used for communication between Autenticator and Authenticator Server: EAP (Extensible Authentication Protocol) over RADIUS protocol RADIUS is a Layer 7 protocol (application layer) Protocol used for communication between Supplicant and Authenticator EAPOL that means EAP Over LAN Is a Layer 2 Protocol because the supplicant may not have an IP address until is authenticated and has been received the IP address by DHCP Server 802-1-X-2008-Eng - 7 P. Nicoletti: see note pag. 2

Authentication elements 802-1-X-2008-Eng - 8 P. Nicoletti: see note pag. 2

802.1x Authentication Model 802.1x Functions PC (Supplicant) EAPOL (layer 2) Access Point or Switch (Authenticator) EAP over RADIUS (layer 7) RADIUS Authentication Server Communications for Authentication 802-1-X-2008-Eng - 9 P. Nicoletti: see note pag. 2

Use of Controlled & Uncontrolled Port Uncontrolled Port is the entity used for service packets exchange her necessary to establishing the authorization or the access prohibition 802-1-X-2008-Eng - 10 P. Nicoletti: see note pag. 2

Authorized & Unauthorized port 802-1-X-2008-Eng - 11 P. Nicoletti: see note pag. 2

Access based on Authentication & Address MAC 802-1-X-2008-Eng - 12 P. Nicoletti: see note pag. 2

EAP protocol PPP Extensible Authentication Protocol (EAP) defined in RFC 2284 Protocol code EAP = c227 Support multiple authentication mechanisms without needing to pre-negotiate a specific mechanism during the LCP phase PPP was originally only supporting authentications based up PAP (Authentication Protocol password), protocol code c023 CHAP (Authentication Protocol handshake Challenge), c223 protocol code 802-1-X-2008-Eng - 13 P. Nicoletti: see note pag. 2

EAP frame 1 Request 2 Response 3 Success 4 Failure 802-1-X-2008-Eng - 14 P. Nicoletti: see note pag. 2

EAPOL frame EAPOL frames are transmitted to the multicast address 01-80-C2-00-00-03 The EAPOL fame on Ethernet v 2.0: the code protocol inserted in the Type field is 88-8E PREAM. SFD DSAP SSAP TYPE 88-8E DATA FCS Ottetti 7 1 6 6 2 da 46 a 1500 4 802-1-X-2008-Eng - 15 P. Nicoletti: see note pag. 2

EAPOL over Ethernet V 2.0 frame PREAM. SFD DSAP SSAP TYPE 88-8E DATA FCS Bytes 7 1 6 6 2 da 46 a 1500 4 Protocol Vers. 01 H Packet Type 1 byte Packet body length 2 byte Packet body 00H EAP-Packet 01H EAPOL-Start 02H EAPOL-Logoff 03H EAPOL-Key 04H EAPOL-Encapsulated-ASF-Alert. 802-1-X-2008-Eng - 16 P. Nicoletti: see note pag. 2

EAPOL over 802.x frames LLC Header Protocol DSAP SSAP CONTROL Identifier INFORMATION 0AA 0AA 03 000000 88-8E OUI Protocol Type Protocol Vers. 01 H Packet Type 1 byte Packet body length 2 byte Packet body 00H EAP-Packet 01H EAPOL-Start 02H EAPOL-Logoff 03H EAPOL-Key 04H EAPOL-Encapsulated-ASF-Alert. 802-1-X-2008-Eng - 17 P. Nicoletti: see note pag. 2

EAP & EAPOL over wireless networks 802-1-X-2008-Eng - 18 P. Nicoletti: see note pag. 2

EAP Authentication method Microsoft Cisco Authentication Layer TLS EAP SIM TTLS PEAP EAP-FAST LEAP EAP Layers EAP EAPOL MAC Layer 802.3 802.11 802-1-X-2008-Eng - 19 P. Nicoletti: see note pag. 2

LEAP (Lightweight Extensible Authentication Protocol) EAP-Cisco Wireless Authentication protocol based on username e password sent via MS-CHAP without the digital certificates Easy and fast to configure because don t need the certificates management Limits: Need interface drivers that support LEAP Supported only in wireless NIC 802-1-X-2008-Eng - 20 P. Nicoletti: see note pag. 2

EAP-TLS Mutual Authentication (client and server) Based on Digital Certificates for Server and Client The server have the CA (Certification Authority) and the Server Certificate The Client have the CA (Certification Authority) and the Client Certificate Is necessary to generate the CA Certificate, The Server Certificate and the Clients Certificates (one ore more) The data sent during authentication process are exchanged in a secure encrypted tunnel 802-1-X-2008-Eng - 21 P. Nicoletti: see note pag. 2

EAP-TTLS Similar EAP-TLS Only CA and Server Certificate are necessary The client authentication is based on: CA Certificate and specific client Authentication based on: Username/Password CHAP, MSCHAPv2, MD5 802-1-X-2008-Eng - 22 P. Nicoletti: see note pag. 2

Protected Extensible Authentication Protocol (PEAP) May 2008 Based on EAP-TTLS Authentication Method: Phase 1: establish a secure tunnel through EAP-TTLS authentication Phase 2: realize the supplicant authentication based on EAP protocol plus other specific information of PEAP Only CA and Server Certificate are necessary The client is authenticated via: CA Certificate and Username/Password MSCHAPv2 802-1-X-2008-Eng - 23 P. Nicoletti: see note pag. 2

WPA (WiFi Protected Access) WPA is a standard-based security solution from the WiFi Alliance that addresses the vulnerabilities in native WLANs WPA provides enhanced data protection and access control for WLAN systems. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLAN networks in both enterprise and small office, home office (SOHO) environments. Use Pre Shared Key (WPA-PSK) for Authentication e Data Encryption WPA-PSK may be in Hexadecimal format or ASCI format (also known as Pass Phrase) 802-1-X-2008-Eng - 24 P. Nicoletti: see note pag. 2

WPA2 / 802.11i WPA 2 is the next generation of Wi-Fi security. WPA 2 is the Wi-Fi Alliance interoperable implementation of the ratified IEEE 802.11i standard WPA 2 implements the National Institute of Standards and Technology (NIST)-recommended Advanced Encryption Standard (AES) encryption algorithm with the use of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. 802-1-X-2008-Eng - 25 P. Nicoletti: see note pag. 2

WPA2 / 802.11i: Server Radius or PSK Normally WPA2 use RADIUS Server for Authentication and Encryption Key Generation Can even work with Pre Shared Key (PSK) witch can long up to 256 bits (64 Hexadecimal digit) Same PSK used on AP and Clients pass-phrase can be use instead of hexadecimal number sequence the standard suggest to use a pass-phrase with minimum 20 characters for security 802-1-X-2008-Eng - 26 P. Nicoletti: see note pag. 2

Authentication Systems Compare 802-1-X-2008-Eng - 27 P. Nicoletti: see note pag. 2

Dynamic VLAN Assignment & 802.1 x Extensions 802-1-X-2008-Eng - 28 P. Nicoletti: see note pag. 2

Dynamic VLAN Assignment An extention of the 802.1x standard specifications: The new version of 802.1x 2004 define a new type VLAN assignment authentication based RFC 2868 of 2000 and above all RFC 3580 of 2003 define some new RADIUS protocol attributes (AV = Attribute Value) Through this new function the assignation of VLAN can be done: Per Port Per Protocol Authentication based 802-1-X-2008-Eng - 29 P. Nicoletti: see note pag. 2

Advantages of Dynamic VLAN Assignment based on authentication Simplifies the network operators' work They do not need change the configuration of VLAN on the ports following the users witch are moving The user's VLAN depends on his credentials The users' ports are set up for the dynamic assignment based on the authentication The user wherever moves in the network keep the credentials for his VLAN Easy to manages VLAN Guest for the guests in switched and wireless networks 802-1-X-2008-Eng - 30 P. Nicoletti: see note pag. 2

Advantages of Dynamic VLAN Assignment based on authentication Increases the security on the business SwitcheLAN Not authenticated user is put on quarantine VLAN Every user connected to the network is identified (certificates, username, password) by his credentials Switch applies policies and enables port. Set port VLAN to 100 - DMZ User has access to DMZ or Quarantine network. Login Request Login Request Login Request Authentication timeout. Retries expired. Client is not 802.1x capable. Put them in the quarantine zone! 802-1-X-2008-Eng - 31 P. Nicoletti: see note pag. 2

RADIUS protocol and new attributes New RADIUS attributes: Tunnel-Type=VLAN (13) Tunnel-Medium-Type=802 (6) Tunnel-Private-Group-ID=VLANID (xxxx) 802-1-X-2008-Eng - 32 P. Nicoletti: see note pag. 2

RADIUS Protocol:Tunnel type 1 Point-to-Point Tunneling Protocol (PPTP) [1] 2 Layer Two Forwarding (L2F) [2] 3 Layer Two Tunneling Protocol (L2TP) [3] 4 Ascend Tunnel Management Protocol (ATMP) [4] 5 Virtual Tunneling Protocol (VTP) 6 IP Authentication Header in the Tunnel-mode (AH) [5] 7 IP-in-IP Encapsulation (IP-IP) [6] 8 Minimal IP-in-IP Encapsulation (MIN-IP-IP) [7] 9 IP Encapsulating Security Payload in the Tunnel-mode (ESP) [8] 10 Generic Route Encapsulation (GRE) [9] 11 Bay Dial Virtual Services (DVS) 12 IP-in-IP Tunneling [10] 13 Virtual LANs (VLAN) 802-1-X-2008-Eng - 33 P. Nicoletti: see note pag. 2

RADIUS Protocol:Tunnel-Medium type 1 IPv4 (IP version 4) 2 IPv6 (IP version 6) 3 NSAP 4 HDLC (8-bit multidrop) 5 BBN 1822 6 802 (includes all 802 media plus Ethernet "canonical format") 7 E.163 (POTS) 8 E.164 (SMDS, Frame Relay, ATM) 9 F.69 (Telex) 10 X.121 (X.25, Frame Relay) 11 IPX 12 Appletalk 13 Decnet IV 14 Banyan Vines 15 E.164 with NSAP format subaddress 802-1-X-2008-Eng - 34 P. Nicoletti: see note pag. 2

Dynamic VLAN assignment configuration On the Switch: Specify VLAN Assignment authentication based Specify a parking VLAN for non-authorized users On RADIUS Server config file add the following parameters Tunnel-Type=13 Tunnel-Medium-Type=6 Tunnel-Private-Group-ID=xxxx 802-1-X-2008-Eng - 35 P. Nicoletti: see note pag. 2

Configuration example on HP switch aaa authentication port-access eap-radius radius-server host 10.200.150.5 key test12345 aaa port-access authenticator 4 (port 4 of the switch) aaa port-access authenticator 4 unauth-vid 100 Parking VLAN is: VLAN 100 802-1-X-2008-Eng - 36 P. Nicoletti: see note pag. 2

FreeRadiusconfiguration example File /etc/raddb/user Users: off, connect, stealth Part of User Local Data Base off Auth-Type := Local, User-Password == "invisibile" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 2 connect Auth-Type := EAP Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1 stealth Auth-Type := EAP Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 2 802-1-X-2008-Eng - 37 P. Nicoletti: see note pag. 2

VLAN and Users VLAN and Users in the previous example: off = VLAN 2 (authentication based on MD5 or PEAP Username/Password) connect = VLAN 1 authentication based on EAP-TLS Stealth = VLAN 2 authentication based on EAP-TLS Users not authenticated are in Parking VLAN 100 802-1-X-2008-Eng - 38 P. Nicoletti: see note pag. 2

Dynamic VLAN assignment limits If a hub or a VLAN-Unaware switch is connected to a switch port with dynamic VLAN enabled and if user authenticates himself, the switch port is opened and also other users can connect in network through that authenticated port HUB 802-1-X-2008-Eng - 39 P. Nicoletti: see note pag. 2

Port Security to prevent intrusion On new switch, as for instance the recent ones of Cisco and HP, it is possible to configure the switch to accept a single MAC address for port. Is possible to define the MAC address enabled to the access. The can accept only the first MAC address seen on the port (typically that of PC which authenticates himself) Example on HP Switch Configure port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) This command also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. ProCurve(config)# port-security a1 learn-mode static action send-disable 802-1-X-2008-Eng - 40 P. Nicoletti: see note pag. 2

How to increase the security To increase the security on port the switch can periodically repeat the user's authentication Example on HP switch aaa port-access authenticator 4 reauth-period 30 Switch repeat the authentication on port 4 every 30 secondi 802-1-X-2008-Eng - 41 P. Nicoletti: see note pag. 2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback