802.

1X AUTHENTICATION

Hermawan - 20118081

CNSL - LAB

831 Teleworker Cable Provider

VPN Head-End

Partner/Vendor

Service Provider/ Internet

City Hall

Airport
Library

One physical network, must accommodate multiple logical networks (user groups) each with own rules.
CNSL - LAB

IDENTITY: SO, YOU SAID MAC ADDRESS ?

Win 2K & XP allow easy change for MAC addresses MAC address is not an authentication mechanism

CNSL - LAB

DETERMINING WHO GETS ACCESS AND WHAT THEY CAN DO

Campus Network
User Identity Based Network Access User Based Policies Applied (BW, QoS etc)

Unauthorized Users/Devices

Authorized Users/Devices

Equivalent to placing a Security Guard at each Switch Port Only Authorized users can get Network Access Unauthorized users can be placed into Guest VLANs Prevents unauthorized APs
CNSL - LAB

WHAT EXACTLY IS 802.1X?

Standard set by the IEEE 802.1 working group. Describes a standard link layer protocol used for transporting higher-level authentication protocols. Works between the Supplicant and the Authenticator.

Maintains backend communication to an Authentication Server.

CNSL - LAB

SOME IEEE TERMINOLOGY

IEEE Terms
Supplicant Authenticator

Normal People Terms

Client Network Access Device

Authentication Server

AAA/RADIUS Server

CNSL - LAB

WHAT DOES IT DO?

Transport authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information.

802.1x Header

EAP Payload

CNSL - LAB

WHAT IS RADIUS?
RADIUS The Remote Authentication Dial In User Service A protocol used to communicate between a network device and an authentication server or database. Allows the communication of login and authentication information. i.e.. Username/Password, OTP, etc. Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).
UDP Header RADIUS Header
CNSL - LAB

EAP Payload

802.1X ENHANCING LAN SECURITY

TOPOLOGY

CNSL - LAB

WIRED ACCESS CONTROL MODEL

Client and Switch Talk 802.1x

Switch Speaks to Auth Server Using RADIUS

Actual Authentication Conversation Is between Client and Auth Server Using EAP; the Switch Is Just a Middleman, but Is Aware of Whats Going on

RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)

RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
CNSL - LAB

IDENTITY BASED NETWORK SERVICES

Switch applies policies and enables port.

Set port to enable set port vlan 10

802.1x Capable Client

Login Request

VLAN 10

Login Info Engineering VLAN

IEEE802.1x + VLANS + VVID + ACL + QoS

Verify Login and Check with Policy DB

Login Good! Apply Policies

4000 Series 3550/2950 Series

Login + Certificate Login Verified

6500 Series Access Points

802.1x Capable Access Devices

AAA Radius Server 802.1x Authentication Server

CNSL - LAB

Active Directory
Login and Certificate Services

802.1X CLIENT IMPLEMENTATION IN WINDOWS

Wired interfaces enabled by default Wireless interfaces integrated with the wireless configuration client Enabled by default if privacy is enabled Dynamic keys usage enforcement User and computer authentication enabled by default

CNSL - LAB

802.1X IN MICROSOFT WINDOWS

MACHINE AND USER AUTHENTICATION
Startup Machine
Machine credentials available (use machine credentials)
Machine authentication success Machine authentication failure

User logon
User credentials available (use user credentials) User authentication success
CNSL - LAB

User authentication failure

User logoff

WINDOWS MACHINE AUTHENTICATION

Power Up Load NDIS drivers 802.1x Authenticate as Computer DHCP Setup Secure Channel to DC Update GPOs Apply Computer GPOs Present GINA (Ctrl-Alt-Del) Login

What is Machine Authentication?

The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.

What is it used for?

Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows Domain Controllers in order to pull down machine group policies.

Why do we care?
Pre-802.1x this worked under the assumption that network connectivity was a given. Post-802.1x the blocking of network access prior to 802.1x authentication breaks the machine based group policy model UNLESS the machine can authenticate using its own identity in 802.1x .
CNSL - LAB

802.1X IN MICROSOFT WINDOWS

802.1X AUTHENTICATION CONFIGURATION PAGE

Same for wired and wireless Provides control over computer and guest authentication EAP method setting

CNSL - LAB

WHAT IS EAP?
EAP The Extensible Authentication Protocol A flexible protocol used to carry arbitrary authentication information.

CNSL - LAB

EAP
PEAP
MS-CHAPv2 TLS

TLS

MD5

IKE

GSS_API
Kerberos

method layer

EAP

EAP layer

PPP

802.3

802.5

802.11

Other

media layer

CNSL - LAB

802.1X AUTHENTICATION CLIENT

EAP METHODS AVAILABLE IN WINDOWS

EAP-TLS (Transport Level Security) default setting for 802.1x client in Windows
PEAP (Protected EAP) allows inner methods
TLS (certificate based)
Microsoft Challenge Handshake Authentication Protocol v2 (MSCHAPv2) (password based)

EAP-MD5 available for wired networks only

Doesnt provide encrypted session between supplicant and authenticator Transfers password hashes in clear
CNSL - LAB

802.1X AUTHENTICATION CLIENT

EAP METHODS WIRED AND WIRELESS NETWORKS

CNSL - LAB

EAP WITH MD5

Peer Authenticator

cleartext password
cleartext password

Random challenge

R = MD5(password,challenge)

Check that MD5(password,challenge) equals the response

CNSL - LAB

802.1X WITH EAP-TLS

LOCAL STORE CERTIFICATES
Uses both user and computer certificates Certificates deployed through auto-enrollment, Web enrollment, certificate import, or manual request using the Certificates snap-in Local computer store is always available

The user store (for a current user) is only available after a successful user logon

CNSL - LAB

802.1X WITH EAP-TLS

CONFIGURATION PAGE

Mutual authentication enabled by default Simple certificate selection

CNSL - LAB

802.1X WITH EAP-TLS

SMART CARD CERTIFICATES

User must enter PIN to access the certificate on the smart card.
PIN input is not required again on subsequent reauthentication tries like session time-out or roaming on wireless networks. When roaming out of range and back in range, user will be re-prompted for PIN.

Managing user certificates stored on local hard drives can be difficult, and some users may move among computers.
CNSL - LAB

802.1X WITH PEAP-MSCHAPV2

WHAT TO CONSIDER
Password-based authentication not all networks have a PKI deployment. Single sign-on (SSO). Enables both machine and user authentication. Windows logon credentials can be automatically used (default setting), or credentials can be provided by user.

CNSL - LAB

802.1X WITH PEAP-MSCHAPV2

CONFIGURATION PAGE

By default, fast reconnect feature is disabled.

CNSL - LAB

CAMPUS IDENTITY - SUPPLICANTS

Possible End-Points :
Windows HP Jet Direct

Solaris

7920

Apple

Windows XP Yes Windows 2000 Yes (SP3 + KB) Linux Yes HP-UX Yes Solaris - Yes HP Printers Yes Windows 98 Limited Windows NT4 Limited Apple yes IP Phones yes WLAN APs yes .

IP Phones

WLAN APs

Pocket PC
CNSL - LAB

802.1X
PORT BASED NETWORK ACCESS CONTROL
Falls under 802.1 NOT 802.11 This is a NETWORK standard, not a wireless standard Is PART of the 802.11i draft Provides Network Authentication, NOT encryption

CNSL - LAB

KNOW BEFORE YOU START !

802.1x Implementation requires various knowledge from different domains Switch or AP Compliance and configuration Certificate Services (Hidden part of the ICEBERG) if you intend to you EAP-TLS Radius Server, especially when you have a multi-domain-directory infrastructure

Smart-card services, if you intend to use them instead of user certificates

Various Client Deployment Scenarios

CNSL - LAB

DEMO WIRED CLIENT AUTHENTICATION 802.1X WITH PEAP-MSCHAPV2

Cisco Switch Configuration Active Directory Configuration Installation of IAS (Radius) Installation of Certificate Services XP Client Configuration

CNSL - LAB

NEW HORIZONS' PARTNERS

CNSL - LAB