8/3/2019 802.1x Port and MAC Base Function
1/17
1
Agenda
802.1x mechanism
802.1x solution & Non-802.1x solution
D-Link 802.1X Based Security Solution: Port-Based 802.1x and MAC-based 802.1x; Port-Based 802.1x with Guest VLAN function
D-Link Non-802.1X Based Security Solution: MAC-Based Access Control (MAC); MAC-Based Access Control (MAC) with Guest VLAN
WEB-Based Access Control (WAC)
802.1X & Non-802.1X

802.1X Authentication Mechanism
The 802.1X authentication mechanism consists of three components:
Authentication Server (RADIUS Server): The Authentication Server validates the identity of the client and notifies the switch.
Authenticator (Switch): The Authenticator requests identity information from the client, verifies that information with the Authentication Server, and relays a response to the client.
Client: Requests access to the LAN and switch services and responds to the requests from the switch. The Workstation must be running 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).

Disadvantage of 802.1X
Even though 802.1X is a secure authentication method, the availability of an 802.1X supplicant agent on every client and of a RADIUS server is always the challenge for deployment. It is not only costly but also resource-consuming to set up and maintain.
Non-802.1x Authentication Mechanism
On the contrary, the Non-802.1X method makes authentication deployment easier and more user-friendly. It can compensate for what 802.1X technology lacks and facilitate deployment. This clientless mechanism is not only flexible but also provides the required security.

The benefits:
Reduce the difficulty of deployment (no client software issues to care about)
Save maintenance cost (the RADIUS server becomes optional)
Increase user-friendliness (e.g. the MAC function, which means users do not key in a username and password during authentication)

Emerging solutions for Non-802.1X authentication are in demand. They mostly need no extra client software and are easy to deploy and maintain.
Therefore D-Link develops comprehensive solutions for either 802.1X or Non-802.1X environments to increase productivity without compromising the security of the network.
D-Link 802.1X Based Security Solution
802.1x mechanism: 802.1x Port-Based and 802.1x MAC-Based
Implementing Port-Based 802.1x with Guest VLAN
What is 802.1x Authentication?
o Authenticate User Identity
The 802.1X protocol is the popular LAN authentication protocol ratified by the IEEE. It enables user authentication in both wireless and wired environments. The 802.1X service is already included in the Microsoft Windows XP & Vista operating systems.

D-Link's Implementation
Port-based 802.1x: users have to be authenticated before accessing the network, and switches will unlock the port only after users pass authentication.
MAC-based 802.1x: the D-Link switch can perform authentication per MAC address. This means each switch port can authenticate the access rights of multiple PCs.

[Diagram: an 802.1x Auth Request (Username: Crowley, Password: ***********) goes from the client through the switch to the RADIUS Server, which holds the user table:
Username   Password
Crowley    mygoca-ah
Anderson   busy2
Shinglin   4wireless]
IEEE 802.1x Definition
Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each Client connected to a switch port before making available any services offered by the switch or the LAN.

[Diagram: several 802.1x Clients and an unauthorized device connect to the Switch (Authenticator), which connects to the RADIUS Server (Authentication Server) and to the Internet]
The three different roles in IEEE 802.1x:

Client: NIC Card (Ethernet 802.3, Wireless PC Card, etc.)
Authenticator: Network Port (Access Point, Ethernet Switch, etc.)
Authentication Server: AAA Server (any EAP Server, mostly RADIUS)

Client <-> Authenticator: EAP over LAN / EAP over Wireless (802.3 or 802.11)
Authenticator <-> Authentication Server: encapsulated EAP messages, typically on RADIUS

Before Authentication: only EAPOL packets pass through the port.
After Authentication: normal packets pass through the port.
Before a Client is authenticated, 802.1x access control allows only EAPOL traffic to pass through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
* RADIUS Server provides Authentication, Authorization, Accounting (AAA) service
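To make the "only EAPOL passes before authentication" rule concrete, here is an added example (not from the D-Link slides) of how an authenticator port would recognise and decode an EAPOL frame: it checks the EAPOL EtherType 0x888E, decodes the EAPOL packet type (EAP-Packet, EAPOL-Start, EAPOL-Logoff) and, for EAP packets, the EAP code and type, and flags the 01-80-C2-00-00-03 PAE group destination that lies in the IEEE reserved range a non-802.1x-aware bridge must not forward (the pass-through note in the MAC-based example below). The sample frames and the 00-11-22-33-44-55 source address are constructed for this example.

```python
"""Decode raw IEEE 802.1X EAPOL frames as an authenticator port sees them.

Added example, not D-Link code. Sample frames are constructed below.
"""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")     # 01-80-C2-00-00-00 .. -0F

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 5: "OTP"}


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def is_reserved_bridge_mac(dst):
    """True for 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F: link-local, never bridged."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def parse_eapol(frame):
    """Return a dict describing the frame, or None if it is not a valid EAPOL frame."""
    if len(frame) < 18:                       # 14-byte Ethernet + 4-byte EAPOL header
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        return None                           # normal traffic, subject to port state
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        return None                           # truncated frame
    info = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "to_pae_group": dst == PAE_GROUP_MAC,
            "reserved_dst": is_reserved_bridge_mac(dst)}
    if ptype == 0 and body_len >= 4:          # EAP-Packet: Code, Identifier, Length
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:   # Request/Response carry a Type byte
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            info["eap_data"] = body[5:eap_len]
    return info


def build_eapol(src, ptype, body=b""):
    """Construct a sample EAPOL frame (version 1) to the PAE group address."""
    return PAE_GROUP_MAC + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def build_eap_response_identity(src, ident, identity):
    """EAP Response/Identity (code 2, type 1) inside an EAP-Packet EAPOL frame."""
    payload = identity.encode()
    eap = struct.pack("!BBHB", 2, ident, 5 + len(payload), 1) + payload
    return build_eapol(src, 0, eap)


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")       # constructed supplicant MAC
    for frame in (build_eapol(src, 1), build_eap_response_identity(src, 7, "James"),
                  build_eapol(src, 2)):
        print(parse_eapol(frame))
```

A frame whose EtherType is not 0x888E returns None and is then subject to the port's authorized/unauthorized state; only EAPOL frames are handed to the authenticator's PAE regardless of that state.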
802.1x Device Role
Device Roles: Client
Client: The device (Workstation) that requests access to the LAN and switch services and responds to the user identity/challenge from the switch and RADIUS server.
The Workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system.

[Diagram: Workstation (Client) -- Identity/challenge -- Switch (Authenticator) -- RADIUS Server (Authentication Server)]
802.1x Device Role (Cont)
Device Roles: Authentication Server
Authentication Server: The Authentication Server validates the identity of the clients and notifies the switch whether or not the client is authorized to access the LAN. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
* Remote Authentication Dial-In User Service (RADIUS)

[Diagram: Workstation (Client) -- Switch (Authenticator) -- Request/challenge -- RADIUS Server (Authentication Server)]
802.1x Device Role (Cont)
Device Roles: Authenticator
Authenticator: The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server, requesting identity information from the Client, verifying that information with the Authentication Server, and relaying a request/response (identity & challenge) between the Client and Authentication Server.

[Diagram: Workstation (Client) -- Identity/challenge -- Switch (Authenticator) -- Request/challenge -- RADIUS Server (Authentication Server)]
802.1X Authentication process
Workstation (Client) -- Switch (Authenticator) -- RADIUS Server (Authentication Server)

Port Unauthorized
1. Client -> Switch: EAPOL-Start
   Switch -> Client: EAP-Request/Identity
2. Client -> Switch: EAP-Response/Identity
   Switch -> Server: RADIUS Access-Request
3. Server -> Switch: RADIUS Access-Challenge
   Switch -> Client: EAP-Request/OTP
4. Client -> Switch: EAP-Response/OTP
   Switch -> Server: RADIUS Access-Request
5. Server -> Switch: RADIUS Access-Accept
   Switch -> Client: EAP-Success
Port Authorized

Client -> Switch: EAPOL-Logoff
Switch -> Server: RADIUS Account-Stop
Server -> Switch: RADIUS Ack
Port Unauthorized

* OTP (One-Time-Password)
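The switch-to-server half of steps 2 and 4 above is the authenticator wrapping the client's EAP response in a RADIUS Access-Request. As an added example (not from the D-Link slides, and not a description of the DES-3828 firmware), the following builds such a packet and shows the check the RADIUS server applies before trusting it. Attribute numbers follow RFC 2865 and RFC 3579: User-Name (1), NAS-Port (5), Calling-Station-Id (31), EAP-Message (79) and Message-Authenticator (80), the last being an HMAC-MD5 over the packet keyed with the shared secret. The secret 123456 is the key from the slide's configuration; the identity James, the port number and the client MAC are constructed sample values.

```python
"""Build and verify a RADIUS Access-Request carrying an EAP-Message.

Added example, not D-Link code. Values below are constructed or taken from
the slide's "config radius add ... key 123456" line.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_PORT, ATTR_CALLING_STATION_ID = 1, 5, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; value is at most 253 bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, identity, eap_payload, nas_port, calling_mac,
                         ident=0, authenticator=None):
    """Return the Access-Request bytes.  Message-Authenticator is HMAC-MD5 over
    the whole packet with its own 16-byte value zeroed, keyed with the secret."""
    authenticator = authenticator or os.urandom(16)   # 16-byte Request Authenticator
    attrs = attr(ATTR_USER_NAME, identity.encode())
    attrs += attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    attrs += attr(ATTR_CALLING_STATION_ID, calling_mac.encode())
    for i in range(0, len(eap_payload), 253):          # long EAP messages are split
        attrs += attr(ATTR_EAP_MESSAGE, eap_payload[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield pos, atype, pkt[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(secret, pkt):
    """Server-side check: a request with EAP-Message but no valid
    Message-Authenticator must be silently discarded (RFC 3579)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        found = [(o, v) for o, t, v in parse_attrs(pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    offset, value = found[0]
    start = offset + 2
    zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def eap_from_request(pkt):
    """Reassemble the EAP message the server hands to its EAP method."""
    return b"".join(v for _, t, v in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"123456"
    eap_response_identity = bytes([2, 7, 0, 10, 1]) + b"James"   # EAP code 2, id 7, type 1
    pkt = build_access_request(secret, "James", eap_response_identity, 1, "00-11-22-33-44-55")
    print(len(pkt), "bytes; verifies:", verify_message_authenticator(secret, pkt))
```

The shared secret is the only thing binding the switch's Access-Request to the server, which is why the slide's note to keep the uplink port out of the authenticator set matters: the RADIUS exchange rides on that port, not on an authenticated client port.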
802.1X Authentication process
[Diagram: the same five-step exchange with addresses. Workstation (Client) IP: 192.168.0.100; Switch (Authenticator) IP: 192.168.0.1; RADIUS Server (Authentication Server) IP: 192.168.0.10. Arrows are labelled Client to Switch, Switch to Server, Server to Switch and Switch to Client for steps 1 to 5.]
* OTP (One-Time-Password)
Port Based 802.1x Example:
All of the clients connected to the L2 HUB can pass through the switch (DES-3828) once a client (Kobe) is authenticated.

[Diagram: James, Gary and Ryan (each an 802.1x client, WinXP built-in) connect to an L2 Switch/HUB, which connects to port 1 of the DES-3828 (Port Based 802.1x enabled on ports 1-12; addresses 192.168.0.100 and 192.168.0.10 shown). The DES-3828 connects to a Win2003 Server running the RADIUS Server service and to the Internet. Login: Username: James, Password: 123. RADIUS user table: User James, Password 123. Result: Username/Password Confirmed !!!]
Port Based 802.1x Command Example:

DES-3828 Configuration
reset
enable 802.1x
config 802.1x capability ports 1-24 authenticator
config radius add 1 192.168.0.10 key 123456 default

1. Enable 802.1x State by device
2. Configure client connected ports. (Note: the uplink port shouldn't enable authenticator.)
3. Configure RADIUS Server settings

Client PCs configuration: run 802.1x software.
RADIUS Server configuration: Windows NT/Windows 2000/2003 Server RADIUS Server service or a third-party RADIUS server program
MAC Based 802.1x Example:
Each client needs to provide the correct username/password to pass authentication so that it can access the network.
NOTICE: The L2 switch or hub should support 802.1x pass-through. Otherwise the 802.1x packet (dest MAC = 0180c2000003, inside the IEEE reserved range 0180c2000001~0F) will be dropped by that switch and therefore cannot reach the DES-3828.
The DES-3828 is only capable of learning up to 16 MAC addresses per port.

[Diagram: James, Gary and Ryan (each an 802.1x client, WinXP built-in) connect to an L2 Switch/HUB, which connects to the DES-3828 (MAC Based 802.1x enabled on ports 1-12; addresses 192.168.0.100 and 192.168.0.10 shown). The DES-3828 connects to a Win2003 Server running the RADIUS Server service and to the Internet. Login: Username: James, Password: 123. RADIUS user table: User James, Password 123. Result: Username/Password Confirmed !!!]
MAC Based 802.1x Example:

DES-3828 Configuration
reset
enable 802.1x
config 802.1x auth_mode mac_based
config 802.1x capability ports 1-24 authenticator
config radius add 1 192.168.0.10 key 123456 default

1. Enable 802.1x State by device, and change to mac_based mode
2. Configure client connected ports. (Note: the uplink port shouldn't enable authenticator.)
3. Configure RADIUS Server settings

Client PCs configuration: run 802.1x software.
RADIUS Server configuration: Windows NT/Windows 2000/2003 Server RADIUS Server service or a third-party RADIUS server program
802.1x Port Based vs MAC Based

Port-based 802.1x
Once a port is authorized by a client, the other users connecting to the same port through a hub or switch can pass through the switch.

MAC-based 802.1x
1. Once a port is authorized by a client, only this client can pass through the switch.
2. The switch not only checks the username/password but also checks whether the max. MAC allowed has been reached. If reached, the new MAC is denied.
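The difference between the two modes comes down to what the switch ties the "authorized" state to: the whole port, or one source MAC on that port. The following added example (a simulation written for this page, not D-Link firmware or code) models both modes for a hub-connected port: before authentication only EAPOL passes, in port-based mode an EAP-Success opens the port for every host behind the hub, and in MAC-based mode it opens the port only for the authenticated MAC, with the 16-MAC-per-port limit quoted on the MAC-based slide enforced by denying the next MAC. Host names and MACs are constructed sample data.

```python
"""Port-based versus MAC-based 802.1x forwarding decision on one switch port.

Added example, not D-Link code; host names and MACs below are constructed.
"""
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800
MAX_MAC_PER_PORT = 16          # per-port learning limit quoted for the DES-3828


@dataclass
class Port:
    mode: str                                  # "port_based" or "mac_based"
    authorized_port: bool = False              # port-based state
    authorized_macs: set = field(default_factory=set)   # MAC-based state


class Authenticator:
    def __init__(self, ports):
        self.ports = ports                     # port number -> Port

    def eap_success(self, port_no, mac):
        """Apply a RADIUS Access-Accept for the supplicant at (port, mac).
        Returns True if it is now authorized, False if the MAC cap denies it."""
        p = self.ports[port_no]
        if p.mode == "port_based":
            p.authorized_port = True           # whole port opens, hub peers included
            return True
        if mac in p.authorized_macs:
            return True
        if len(p.authorized_macs) >= MAX_MAC_PER_PORT:
            return False                       # max MAC allowed reached: deny new MAC
        p.authorized_macs.add(mac)
        return True

    def eapol_logoff(self, port_no, mac):
        """EAPOL-Logoff returns the port (or just that MAC) to unauthorized."""
        p = self.ports[port_no]
        if p.mode == "port_based":
            p.authorized_port = False
        else:
            p.authorized_macs.discard(mac)

    def forward(self, port_no, src_mac, ethertype):
        """Would the switch forward this frame received on port_no?"""
        if ethertype == EAPOL_ETHERTYPE:
            return True                        # EAPOL always reaches the authenticator
        p = self.ports[port_no]
        if p.mode == "port_based":
            return p.authorized_port
        return src_mac in p.authorized_macs


def before_auth(mode):
    """Unauthorized port: (EAPOL forwarded?, IPv4 forwarded?)"""
    sw = Authenticator({1: Port(mode)})
    return sw.forward(1, "JAMES", EAPOL_ETHERTYPE), sw.forward(1, "JAMES", IPV4_ETHERTYPE)


def hub_scenario(mode):
    """James authenticates; Gary on the same hub does not. Return (james_ok, gary_ok)."""
    sw = Authenticator({1: Port(mode)})
    sw.eap_success(1, "JAMES")
    return sw.forward(1, "JAMES", IPV4_ETHERTYPE), sw.forward(1, "GARY", IPV4_ETHERTYPE)


def cap_scenario():
    """17 hosts authenticate on one MAC-based port: (accepted, denied)."""
    sw = Authenticator({1: Port("mac_based")})
    results = [sw.eap_success(1, f"HOST{i:02d}") for i in range(MAX_MAC_PER_PORT + 1)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    for mode in ("port_based", "mac_based"):
        print(mode, "before auth:", before_auth(mode), "after James:", hub_scenario(mode))
    print("mac_based cap (accepted, denied):", cap_scenario())
```

The hub scenario is the slide's point in code: in port-based mode Gary rides on James's authentication, in MAC-based mode he does not. The cap scenario shows the second check on the final slide, a valid password alone is not enough once the port has learned its maximum number of MACs.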