802.1x Port and MAC Base Function


8/3/2019 802.1x Port and MAC Base Function

Agenda

802.1x mechanism

802.1x solution & Non-802.1x solution

D-Link 802.1X Based Security Solution
    Port-Based 802.1x and MAC-based 802.1x
    Port-Based 802.1x with Guest VLAN function

D-Link Non-802.1X Based Security Solution
    MAC-Based Access Control (MAC)
    MAC-Based Access Control (MAC) with Guest VLAN
    WEB-Based Access Control (WAC)

802.1X & Non-802.1X

802.1X Authentication Mechanism

The 802.1X authentication mechanism consists of three components:

Authentication Server (RADIUS Server): the Authentication Server validates the identity of the client and notifies the switch.

Authenticator (Switch): the Authenticator requests identity information from the client, verifies that information with the Authentication Server, and relays a response to the client.

Client: requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).

Disadvantage of 802.1X

Even though 802.1X is a secure authentication method, the 802.1X supplicant agent and the RADIUS server are always the challenge for deployment. It is not only costly but also resource-consuming to set up and maintain.

802.1X & Non-802.1X

Non-802.1x Authentication Mechanism

On the contrary, the Non-802.1X method makes authentication deployment easier and more user-friendly. It can compensate for what 802.1X technology lacks and facilitate deployment. This clientless mechanism is not only flexible but also provides the required security.

The benefits:

    Reduce the difficulty of deployment (no client software issues to care about)
    Save maintenance cost (the RADIUS server becomes optional)
    Increase user-friendliness (e.g. the MAC function, which lets users authenticate without keying in a username and password)

Emerging Non-802.1X authentication solutions are in demand. They mostly need no extra client software and are easy to deploy and maintain.

Therefore D-Link develops comprehensive solutions for either 802.1X or Non-802.1X environments to increase productivity without compromising the security of the network.

D-Link 802.1X Based Security Solution

802.1x mechanism
802.1x Port-Based and 802.1x MAC-Based
Implementing Port-Based 802.1x with Guest VLAN

What is 802.1x Authentication?

o Authenticate User Identity

The 802.1X protocol is the popular LAN authentication protocol ratified by the IEEE. It enables user authentication in both wireless and wired environments. The 802.1X service is already included in the Microsoft Windows XP and Vista operating systems.

802.1x

Port-based 802.1x: users have to be authenticated before accessing the network, and switches will unlock the port only after users pass authentication.

D-Link's Implementation

MAC-based 802.1x: a D-Link switch can perform authentication per MAC address. It means each switch port can authenticate the access rights of multiple PCs.

Figure: the client sends an 802.1x auth request (Username: Crowley, Password: ***********) to the switch, which checks it against the RADIUS server's user table:

    Username    Password
    --------    ---------
    Crowley     mygoca-ah
    Anderson    busy2
    Shinglin    4wireless

IEEE 802.1x Definition

Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each Client connected to a switch port before making available any services offered by the switch or the LAN.

Figure: several 802.1x Clients and an unauthorized device connect to the Switch (Authenticator); the switch consults the RADIUS Server (Authentication Server) before a client is given access to the LAN and the Internet.

The three different roles in IEEE 802.1x:

    Client: the NIC card (Ethernet 802.3, wireless PC card, etc.)
    Authenticator: the network port (access point, Ethernet switch, etc.)
    Authentication Server: an AAA server* (any EAP server, mostly RADIUS)

    Client <-> Authenticator: EAP over LAN / EAP over Wireless (802.3 or 802.11)
    Authenticator <-> Authentication Server: encapsulated EAP messages, typically on RADIUS

Before a Client is authenticated, 802.1x access control allows only EAPOL traffic to pass through the port to which the client is connected (before authentication: EAPOL packets only). After authentication is successful, normal traffic can pass through the port (after authentication: normal packets).

* RADIUS Server provides Authentication, Authorization, Accounting (AAA) service

802.1x Device Role

Device Roles: Client

Client: the device (workstation) that requests access to the LAN and switch services and responds to the identity/challenge requests from the switch and RADIUS server.

The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system.

Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) -- RADIUS Server (Authentication Server)

802.1x Device Role (Cont)

Device Roles: Authentication Server

Authentication Server: the Authentication Server validates the identity of the clients and notifies the switch whether or not the client is authorized to access the LAN. RADIUS* operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

* Remote Authentication Dial-In User Service (RADIUS)

Figure: Workstation (Client) -- Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)

802.1x Device Role (Cont)

Device Roles: Authenticator

Authenticator: the Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server, requesting identity information from the Client, verifying that information with the Authentication Server, and relaying requests/responses (identity & challenge) between the Client and the Authentication Server.

Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)

802.1X Authentication process

Workstation (Client) -- Switch (Authenticator) -- RADIUS Server (Authentication Server)

Port Unauthorized

    Client -> Switch:  EAPOL-Start
    Switch -> Client:  EAP-Request/Identity
    Client -> Switch:  EAP-Response/Identity
    Switch -> Server:  RADIUS Access-Request
    Server -> Switch:  RADIUS Access-Challenge
    Switch -> Client:  EAP-Request/OTP*
    Client -> Switch:  EAP-Response/OTP
    Switch -> Server:  RADIUS Access-Request
    Server -> Switch:  RADIUS Access-Accept
    Switch -> Client:  EAP-Success

Port Authorized

    Client -> Switch:  EAPOL-Logoff
    Switch -> Server:  RADIUS Account-Stop
    Server -> Switch:  RADIUS Ack

Port Unauthorized

The diagram numbers these phases 1 to 5.

* OTP (One-Time-Password)

802.1X Authentication process

Figure: the same exchange between Workstation (Client, IP 192.168.0.100), Switch (Authenticator, IP 192.168.0.1) and RADIUS Server (Authentication Server, IP 192.168.0.10); the arrows are numbered 1 to 5 and labelled by direction: Client to Switch, Switch to Client, Switch to Server, Server to Switch.

* OTP (One-Time-Password)

Port Based 802.1x Example:

Figure: the DES-3828 has Port Based 802.1x enabled on ports 1-12 and its uplink goes to the Internet. Port 1 connects to an L2 Switch/HUB with the clients James, Gary and Ryan (802.1x client: WinXP built-in; a client PC at 192.168.0.100). A Win2003 Server (192.168.0.10) runs the RADIUS Server service with the user table:

    User     Password
    James    123

James logs in with Username: James, Password: 123, and the RADIUS server replies "Username/Password Confirmed !!!".

All of the clients connected to the L2 HUB can pass through the switch (DES-3828) once a client (Kobe) is authenticated.

Port Based 802.1x Command Example:

DES3828 Configuration

    reset
    enable 802.1x
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

1. Enable 802.1x state by device.
2. Configure client-connected ports. (Note: the uplink port shouldn't enable authenticator.)
3. Configure RADIUS server setting.

Client PCs configuration: run 802.1x software.

RADIUS Server configuration: Windows NT/Windows 2000/2003 Server RADIUS Server Service or a third-party RADIUS server program.

MAC Based 802.1x Example:

Figure: the DES-3828 has MAC Based 802.1x enabled on ports 1-12 and its uplink goes to the Internet. One port connects to an L2 Switch/HUB with the clients James, Gary and Ryan (802.1x client: WinXP built-in; a client PC at 192.168.0.100). A Win2003 Server (192.168.0.10) runs the RADIUS Server service with the user table:

    User     Password
    James    123

James logs in with Username: James, Password: 123, and the RADIUS server replies "Username/Password Confirmed !!!".

Each client needs to provide a correct username/password to pass the authentication so that it can access the network.

NOTICE: The L2 switch or hub should support 802.1x pass-through. Otherwise, the 802.1x packet (destination MAC = 01-80-C2-00-00-03, inside the IEEE reserved range 01-80-C2-00-00-01 ~ 0F) will be dropped by that switch and therefore cannot reach the DES-3828.

The DES-3828 is only capable of learning up to 16 MAC addresses per port.

MAC Based 802.1x Example:

DES3828 Configuration

    reset
    enable 802.1x
    config 802.1x auth_mode mac_based
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

1. Enable 802.1x state by device, and change to mac_based mode.
2. Configure client-connected ports. (Note: the uplink port shouldn't enable authenticator.)
3. Configure RADIUS server setting.

Client PCs configuration: run 802.1x software.

RADIUS Server configuration: Windows NT/Windows 2000/2003 Server RADIUS Server Service or a third-party RADIUS server program.

802.1x Port Based vs MAC Based

Port-based 802.1x
Once a port is authorized by a client, the other users connecting to the same port through a hub or switch can pass through the switch.

MAC-based 802.1x
1. Once a port is authorized by a client, only this client can pass through the switch.
2. The switch not only checks the username/password but also checks whether the max. MAC allowed is reached or not. If reached, it denies the new MAC.
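An added example, not D-Link's code, that models in Python the forwarding rules compared above together with the EAPOL-only rule from the roles slide and the reserved-MAC notice from the MAC-based example. The mode names, the in-memory user table standing in for the RADIUS lookup, and the MAC addresses are assumptions.

```python
# Added example (not D-Link's own code): toy authenticator port applying the slides' rules.
# The RADIUS user table and MAC addresses below are constructed sample data.
EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic allowed before authentication
MAX_MACS_PER_PORT = 16     # DES-3828 per-port learning limit stated on the MAC-based slide

def is_reserved_bridge_mac(dst_mac):
    """01-80-C2-00-00-00..0F: a switch without 802.1x pass-through drops these,
    so EAPOL (..03) from a client behind it never reaches the authenticator."""
    octets = bytes.fromhex(dst_mac.replace("-", "").replace(":", ""))
    return octets[:5] == b"\x01\x80\xc2\x00\x00" and octets[5] <= 0x0F

class AuthenticatorPort:
    def __init__(self, mode, radius_users, max_macs=MAX_MACS_PER_PORT):
        assert mode in ("port_based", "mac_based")
        self.mode, self.radius_users, self.max_macs = mode, radius_users, max_macs
        self.authorized = False        # port-based: one flag for the whole port
        self.authorized_macs = set()   # mac-based: per-client state

    def authenticate(self, mac, username, password):
        """Outcome of the EAP exchange: 'accept', 'reject' or 'max_mac_reached'."""
        if self.radius_users.get(username) != password:
            return "reject"            # RADIUS Access-Reject
        if self.mode == "port_based":
            self.authorized = True     # EAP-Success opens the port for all MACs behind it
            return "accept"
        if mac not in self.authorized_macs and len(self.authorized_macs) >= self.max_macs:
            return "max_mac_reached"   # comparison slide: deny a new MAC once the cap is hit
        self.authorized_macs.add(mac)
        return "accept"

    def forwards(self, src_mac, ethertype):
        """Would a frame from src_mac pass through this port right now?"""
        if ethertype == EAPOL_ETHERTYPE:
            return True                # EAPOL always passes so clients can authenticate
        if self.mode == "port_based":
            return self.authorized
        return src_mac in self.authorized_macs

    def logoff(self, mac):
        """EAPOL-Logoff: port-based returns the whole port to unauthorized."""
        if self.mode == "port_based":
            self.authorized = False
        else:
            self.authorized_macs.discard(mac)

def hub_scenario(mode):
    """James authenticates through a hub; does Gary, who never authenticated, get through?"""
    port = AuthenticatorPort(mode, {"James": "123"})     # user table from the example slides
    port.authenticate("00-11-22-33-44-01", "James", "123")
    return port.forwards("00-11-22-33-44-02", 0x0800)   # Gary sending an IPv4 frame
```

Running hub_scenario("port_based") returns True while hub_scenario("mac_based") returns False, which is exactly the difference the comparison slide describes.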