Source: askoik.kapsi.fi/koulu/NetSec1/NS1_v20_Module07-new.pdf

Network Security 1

Module 7 – Configure Trust and Identity at Layer 2


Learning Objectives

7.1 Identity-Based Networking Services (IBNS)

7.2 Configuring 802.1x Port-Based Authentication

7.1 Identity-Based Networking Services (IBNS)

Identity Based Network Services

Figure: Cisco Secure ACS provides unified control of user identity for the enterprise. It authenticates users for Cisco VPN Concentrators, IOS Routers and PIX Security Appliances (router, firewall, VPN clients and remote offices reached across the Internet), backed by hard and soft tokens and an OTP server.

802.1x Roles

• Supplicant: the device that asks for access to the port (in the example, the remote user's PC in the home office).
• Authenticator: the network device that owns the port and relays the exchange (in the example, the perimeter router; on the LAN, the access switch).
• Authentication Server: the RADIUS server that verifies the credentials (Cisco Secure ACS).

802.1x Components

Figure: home-office PC (supplicant) – Internet – perimeter router (authenticator) – Cisco Secure ACS (authentication server).

How 802.1x Works

Figure: End User (client) –802.1x– Catalyst 2950 (switch) –RADIUS– Authentication Server (RADIUS).

The actual authentication conversation occurs between the client and the Authentication Server using EAP. The authenticator sees the exchange and relays it, but it is just a middleman: EAP arrives from the client encapsulated in EAPOL and leaves toward the server encapsulated in RADIUS.

How 802.1x Works (Continued)

Message flow between the End User (client), the Catalyst 2950 (switch) and the Authentication Server (RADIUS):

1. Client → Switch: EAPOL-Start
2. Switch → Client: EAP-Request/Identity
3. Client → Switch: EAP-Response/Identity; Switch → Server: RADIUS Access-Request (carrying the identity)
4. Server → Switch: RADIUS Access-Challenge; Switch → Client: EAP-Request/OTP
5. Client → Switch: EAP-Response/OTP; Switch → Server: RADIUS Access-Request
6. Server → Switch: RADIUS Access-Accept; Switch → Client: EAP-Success; the port becomes Authorized
7. Client → Switch: EAPOL-Logoff; the port returns to Unauthorized

EAP Characteristics

• EAP is the Extensible Authentication Protocol, originally an extension of PPP that adds further authentication methods.
• A flexible protocol used to carry arbitrary authentication information.
• Typically rides on top of another protocol such as 802.1x (EAPOL) or RADIUS. EAP can also be used with TACACS+.
• Specified in RFC 2284 (since obsoleted by RFC 3748).
• Supports multiple authentication types:
  – EAP-MD5: plain password hash (CHAP over EAP)
  – EAP-TLS (based on X.509 certificates)
  – LEAP (EAP-Cisco Wireless)
  – PEAP (Protected EAP)

EAP Selection

Cisco Secure ACS supports the following varieties of EAP:

• EAP-MD5 – An EAP method that does not support mutual authentication and derives no session keys. The response is an unsalted MD5 hash of the password over a challenge sent in the clear, so a captured exchange can be attacked offline by dictionary guessing; it is unsuitable for wireless.
• EAP-TLS – EAP incorporating Transport Layer Security (TLS).
• LEAP – An EAP method used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
• PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 as the inner methods.
• EAP-FAST – EAP Flexible Authentication via Secure Tunneling. Like PEAP it runs the inner method inside a TLS tunnel, but the tunnel is established with a Protected Access Credential (PAC) rather than a server certificate, which is what makes it faster; it supports EAP-GTC (and EAP-MSCHAPv2) authentication inside the tunnel.
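The message flow of the two "How 802.1x Works" slides and the EAP-MD5 entry above, worked through in code. This is an added example and not part of the course slides or of any Cisco software: it substitutes EAP-MD5 (EAP type 4) for the EAP-OTP method drawn in the slide so that the credential check itself is visible, builds frames with the IEEE 802.1X (EAPOL) and RFC 3748 (EAP) header layouts, and only marks in comments where the switch re-encapsulates EAP into RADIUS. The identity "alice", the password, the server database, the fixed challenge and the wordlist are constructed test data. The second function shows why the EAP Selection slide calls EAP-MD5 out as weak: a passive capture of the exchange is enough to guess the password offline.

```python
"""Worked 802.1X exchange with EAP-MD5 (RFC 3748 section 5.4), then the offline
dictionary attack that the method's lack of mutual authentication and key
derivation makes possible.  Added example, not part of the course slides; the
identity, password, challenge and wordlist are constructed test data."""
import hashlib
import hmac
import os
import struct

EAPOL_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2         # IEEE 802.1X packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eapol_frame(eapol_type, body=b""):
    """EAPOL header: Protocol Version(1) Packet Type(1) Body Length(2)."""
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body


def eap_pack(code, ident, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1) + data if any."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    """Return (code, identifier, type or None, type data) from an EAP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length <= 4:                       # Success and Failure carry no Type field
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]


def md5_response(ident, secret, challenge):
    """CHAP-style response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(identity, password, server_db, challenge=None):
    """Run the slide's message flow with EAP-MD5 in place of EAP-OTP.

    The switch (authenticator) only relays EAP between EAPOL on the access link
    and RADIUS towards the server, then flips the port state on Success/Failure.
    Returns (port_authorized, capture); capture is what a passive listener on
    the access link records: the EAPOL frames plus the parsed challenge/response.
    """
    challenge = challenge or os.urandom(16)
    wire = [eapol_frame(EAPOL_START)]                                 # client -> switch
    wire.append(eapol_frame(EAPOL_PACKET, eap_pack(EAP_REQUEST, 1, TYPE_IDENTITY)))
    wire.append(eapol_frame(EAPOL_PACKET,
                            eap_pack(EAP_RESPONSE, 1, TYPE_IDENTITY, identity.encode())))
    claimed = eap_unpack(wire[-1][4:])[3]                 # relayed in RADIUS Access-Request
    # server answers (RADIUS Access-Challenge) with Value-Size(1) || Value || Name
    wire.append(eapol_frame(EAPOL_PACKET, eap_pack(EAP_REQUEST, 2, TYPE_MD5_CHALLENGE,
                                                   bytes([len(challenge)]) + challenge + b"acs")))
    _, ident, _, data = eap_unpack(wire[-1][4:])
    chal = data[1:1 + data[0]]
    digest = md5_response(ident, password, chal)                      # supplicant side
    wire.append(eapol_frame(EAPOL_PACKET, eap_pack(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE,
                                                   bytes([len(digest)]) + digest + claimed)))
    # server side: recompute from its own copy of the secret and compare
    _, rid, _, rdata = eap_unpack(wire[-1][4:])
    given = rdata[1:1 + rdata[0]]
    user = claimed.decode()
    expected = md5_response(rid, server_db.get(user, b""), challenge)
    ok = user in server_db and hmac.compare_digest(given, expected)
    wire.append(eapol_frame(EAPOL_PACKET, eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, rid)))
    port_authorized = eap_unpack(wire[-1][4:])[0] == EAP_SUCCESS      # Access-Accept/Reject
    capture = {"identity": user, "id": rid, "challenge": chal, "response": given, "frames": wire}
    return port_authorized, capture


def crack_eap_md5(capture, wordlist):
    """Offline guessing against a captured exchange.  The challenge is public, the
    response is an unsalted MD5 of the secret and nothing authenticates the
    server, so every candidate can be tested without touching the network."""
    for word in wordlist:
        if md5_response(capture["id"], word, capture["challenge"]) == capture["response"]:
            return word
    return None


if __name__ == "__main__":
    server_db = {"alice": b"Winter2024"}                              # constructed test data
    authorized, capture = run_exchange("alice", b"Winter2024", server_db)
    print("port authorized:", authorized, "after", len(capture["frames"]), "EAPOL frames")
    print("recovered from capture:", crack_eap_md5(capture, [b"password", b"Winter2024"]))
```

The switch never sees the password in either direction, which is the point of the slide's "middleman" remark, yet anyone on the same segment who records the six EAPOL frames can run `crack_eap_md5` against them. The tunnelled methods later in the module (PEAP, EAP-FAST) exist precisely to wrap this kind of inner exchange in TLS so the capture is useless.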

Cisco LEAP

Lightweight Extensible Authentication Protocol

Figure: Client – Access Point – ACS Server.

• Derives a per-user, per-session key
• Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption: the derived key replaces the static WEP key
• Uses mutual authentication: both the user and the AP need to be authenticated

Caveat: LEAP's MS-CHAP-style challenge/response can be captured and attacked offline by dictionary guessing, so it depends on strong passwords; EAP-FAST and PEAP were introduced as its replacements.

EAP-TLS

Extensible Authentication Protocol – Transport Layer Security

Figure: Client – Access Point / Switch – ACS Server.

• RFC 2716
• Authenticates with the TLS handshake (RFC 2246)
• Requires PKI (X.509) certificates rather than username/password
• Mutual authentication
• Requires both client and server certificates
• Certificate management is complex and costly

PEAP

Protected Extensible Authentication Protocol

Figure: Client – Access Point / Switch – TLS tunnel – ACS Server.

• Internet-Draft by Cisco, Microsoft and RSA
• Enhancement of EAP-TLS
• Requires a server certificate only
• Mutual authentication: the client validates the server's certificate, the server validates the user's password
• Username/password challenge carried inside the TLS channel
• Available for use with Microsoft and Cisco products

Caveat: the protection depends on the supplicant actually validating the server certificate; a client configured to skip that check will hand its credentials to any rogue authentication server that presents a certificate.

How Does Basic Port Based Network Access Work?

Figure: Client –802.1x– 802.1x-capable Ethernet LAN access device (Catalyst 6500, 4500/4000 or 3550/2950 series switch, or an access point) –RADIUS– Cisco Secure ACS AAA RADIUS server.

1. The host device attempts to connect to the switch.
2. The switch requests an ID.
3. The client sends its ID and password, or its certificate.
4. The switch forwards the credentials to the ACS server.
5. Authentication is successful.
6. The switch applies the designated policies and enables the port.
7. The client now has secure access.

The actual authentication conversation is between the client and the authentication server using EAP. The switch detects the 802.1x-capable client, forces authentication and acts as a middleman during the exchange; upon successful authentication it sets the port to forwarding and applies the designated policies.

ACS Deployment in a Small LAN

Figure: Client – Catalyst 2950/3500 switch – router – firewall – Internet, with Cisco Secure ACS attached to the LAN behind the firewall.

ACS Deployment in a Global Network

Figure: Region 1 (Switch 1, ACS1), Region 2 (Switch 2, ACS2) and Region 3 (Switch 3, ACS3). Each region has its own ACS so that its switches authenticate against a local server; a firewall separates the regions.

Cisco Secure ACS RADIUS Response

Figure: End User –802.1x– Cisco Catalyst Switch –RADIUS– Cisco Secure ACS.

After a user successfully completes the EAP authentication process, Cisco Secure ACS responds to the switch with a RADIUS Access-Accept packet granting that user access to the network.

7.2 Configuring 802.1x Port-Based Authentication

802.1x Port-Based Authentication Configuration

• Enable 802.1x Authentication (required)
• Configure the Switch-to-RADIUS-Server Communication (required)
• Enable Periodic Re-Authentication (optional)
• Manually Re-Authenticating a Client Connected to a Port (optional)
• Changing the Quiet Period (optional)
• Changing the Switch-to-Client Retransmission Time (optional)
• Setting the Switch-to-Client Frame-Retransmission Number (optional)
• Enabling Multiple Hosts (optional)
• Resetting the 802.1x Configuration to the Default Values (optional)

Enabling 802.1x Authentication

Switch# configure terminal
• Enter global configuration mode
Switch(config)# aaa new-model
• Enable AAA
Switch(config)# aaa authentication dot1x default group radius
• Create an 802.1x authentication method list
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode
Switch(config-if)# dot1x port-control auto
• Enable 802.1x authentication on the interface. The default, force-authorized, leaves the port open with no authentication; force-unauthorized keeps it closed; only auto actually runs 802.1x.
Switch(config-if)# end
• Return to privileged EXEC mode

Configuring Switch-to-RADIUS Communication

Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
• Configure the RADIUS server parameters on the switch: the server address, the authentication UDP port (1812 is the IANA-assigned port; older Cisco software defaults to 1645) and the shared secret. The secret is what authenticates the switch to ACS and hides the User-Password attribute in transit, so use a long random value unique to each switch rather than a short word like rad123, and configure the same value for this switch's address on the ACS.

Enabling Periodic Re-Authentication

Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x re-authentication
• Enable periodic re-authentication of the client, which is disabled by default.
Switch(config)# dot1x timeout re-authperiod seconds
• Set the number of seconds between re-authentication attempts (3600 if not changed).

Manually Re-Authenticating a Client Connected to a Port

Switch# dot1x re-authenticate interface fastethernet0/12
• Starts re-authentication of the client on that port. This is a privileged EXEC command rather than a configuration command, so it is entered at the Switch# prompt.

Enabling Multiple Hosts

Switch# configure terminal
• Enter global configuration mode
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached (for example through a hub).
Switch(config-if)# dot1x multiple-hosts
• Allow multiple hosts (clients) on an 802.1x-authorized port. Only the first host authenticates; once the port is authorized, traffic from every other MAC address on it is forwarded without authentication, and if that host logs off or fails re-authentication the port returns to unauthorized for all of them. Leave this disabled on ports where that level of trust is not acceptable.

Resetting the 802.1x Configuration to the Default Values

Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x default
• Reset the configurable 802.1x parameters to the default values.

Displaying 802.1x Statistics

Switch# show dot1x statistics
• Display 802.1x statistics
Switch# show dot1x statistics interface interface-id
• Display 802.1x statistics for a specific interface.

Displaying 802.1x Status

Switch# show dot1x
• Display 802.1x administrative and operational status.
Switch# show dot1x interface interface-id
• Display 802.1x administrative and operational status for a specific interface.
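The steps of section 7.2 assembled into one complete configuration session. This is an added example and not part of the course slides: it reuses the interface, server address and RADIUS port from the slides; the shared secret and the re-authentication period are placeholders to replace with your own values; and the command syntax is the Catalyst 2950/3550 "dot1x" form taught in this module (later IOS releases rename several of these commands, so check "dot1x ?" on your platform).

```text
! Added example: the module's steps as one configuration session.
! 172.120.39.46, auth-port 1812 and fastethernet0/12 come from the slides;
! <shared-secret> is a placeholder for a long random value unique to this switch.
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key <shared-secret>
Switch(config)# dot1x re-authentication
Switch(config)# dot1x timeout re-authperiod 3600
Switch(config)# interface fastethernet0/12
Switch(config-if)# dot1x port-control auto
! dot1x multiple-hosts is deliberately omitted: it lets every MAC address
! behind the first authenticated client through on this port.
Switch(config-if)# end
Switch# show dot1x interface fastethernet0/12
Switch# show dot1x statistics interface fastethernet0/12
Switch# dot1x re-authenticate interface fastethernet0/12
Switch# copy running-config startup-config
```

After the "end", the show commands are the check that the port is in auto mode and has reached the Authorized state; the manual re-authentication then exercises the whole switch-to-ACS path once more before the configuration is saved.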