CNIT 221 Security 1 ver.2
Module 7
City College of San Francisco
Spring 2007
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 7 – Configure Trust and Identity at Layer 2
Learning Objectives
• 7.1 Identity-Based Networking Services (IBNS)
• 7.2 Configuring 802.1x Port-Based Authentication
Module 7 – Configure Trust and Identity at Layer 2
7.1 Identity-Based Networking Services (IBNS)
Cisco Identity Based Networking Services (IBNS)
• Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources.
• Cisco IBNS is an IEEE 802.1x-based technology that authenticates users based on personal identity verification.
• IEEE 802.1x is a Layer 2 protocol designed to provide port-based network access.
Identity Based Network Services
Unified Control of User Identity for the Enterprise
[Diagram: Cisco VPN Concentrators, IOS Routers, PIX Security Appliances; Cisco Secure ACS; hard and soft tokens; OTP server; Internet; firewall; VPN clients; router; remote offices.]
802.1x
• 802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access.
• The 802.1x framework defines three roles in the authentication process:
  1. Supplicant = endpoint that needs network access
  2. Authenticator = switch or access point
  3. Authentication Server = RADIUS, TACACS+, LDAP
• The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.
802.1x Roles
[Diagram: Supplicant – Authenticator – Authentication Server.]
Microsoft Windows XP includes 802.1x supplicant support.
802.1x Authenticator and Supplicant
[Diagram: Cisco Secure ACS behind a perimeter router; a home office reaches it across the Internet.]
The perimeter router acts as the authenticator.
The remote user's PC acts as the supplicant.
How 802.1x Works
[Diagram: End User (client) – 802.1x – Catalyst 2950 (switch) – RADIUS – Authentication Server (RADIUS).]
The actual authentication conversation occurs between the client and the Authentication Server using EAP.
The authenticator is aware of this activity, but it is just a middleman.
How 802.1x Works (Continued)
Message flow between the End User (client), the Catalyst 2950 (switch) and the Authentication Server (RADIUS); the port starts out Unauthorized:
1. Client → Switch: EAPOL-Start
2. Switch → Client: EAP-Request/Identity
3. Client → Switch: EAP-Response/Identity; Switch → Server: RADIUS Access-Request
4. Server → Switch: RADIUS Access-Challenge; Switch → Client: EAP-Request/OTP
5. Client → Switch: EAP-Response/OTP; Switch → Server: RADIUS Access-Request
6. Server → Switch: RADIUS Access-Accept; Switch → Client: EAP-Success; Port Authorized
7. Client → Switch: EAPOL-Logoff; Port Unauthorized
802.1x and EAP
• Prior to the client authentication, the port will only allow 802.1x protocol, CDP, and STP traffic.
• EAP is the transport protocol used by 802.1x to authenticate supplicants against an authentication server such as RADIUS.
  – RFC 3748 updated EAP to support IEEE 802
• On LAN media, the supplicant and authenticator use the EAP over LANs (EAPOL) encapsulation.
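As an added illustration (not part of the course slides) of the EAPOL encapsulation and the pre-authentication traffic rule on this slide, the Python below decodes constructed EAPOL frames and applies the "only 802.1x, CDP and STP" gate. The MAC addresses and frames are made up; the EtherType and group addresses are the standard IEEE and Cisco values.

```python
import struct

# Well-known IEEE 802.1X / 802.1D / Cisco values (standard constants, not from the slides)
EAPOL_ETHERTYPE = 0x888E                          # EtherType carrying EAPOL
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
STP_MAC = bytes.fromhex("0180c2000000")           # bridge group address used by STP BPDUs
CDP_MAC = bytes.fromhex("01000ccccccc")           # Cisco CDP multicast address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def allowed_on_unauthorized_port(frame: bytes) -> bool:
    """Port gate before authentication: only 802.1x (EAPOL), CDP and STP frames may pass."""
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # CDP and STP are LLC/SNAP frames with no EtherType, so they are matched on destination MAC
    return ethertype == EAPOL_ETHERTYPE or dst in (STP_MAC, CDP_MAC)

def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for an EAP-Packet, the EAP header it carries."""
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    info = {"src": frame[6:12].hex(":"), "version": version,
            "type": EAPOL_TYPES.get(pkt_type, "unknown")}
    if pkt_type == 0 and len(body) >= 4:          # EAP header: Code, Identifier, Length
        code, ident, length = struct.unpack("!BBH", body[:4])
        info.update(eap_code=EAP_CODES.get(code, "unknown"), eap_id=ident)
        if code in (1, 2) and length > 4:         # Request/Response also carry a Type byte
            info["eap_type"] = body[4]            # 1 = Identity, 4 = MD5-Challenge
    return info

def eapol_frame(dst: bytes, src: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Build a constructed EAPOL frame (protocol version 1) for the samples below."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, pkt_type, len(body)) + body

# Constructed sample frames; the supplicant and switch MAC addresses are made up
SUPPLICANT, SWITCH = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
START = eapol_frame(PAE_GROUP_MAC, SUPPLICANT, 1)                   # EAPOL-Start
IDENTITY_REQ = eapol_frame(SUPPLICANT, SWITCH, 0,
                           struct.pack("!BBHB", 1, 1, 5, 1))        # EAP-Request/Identity, id 1
LOGOFF = eapol_frame(PAE_GROUP_MAC, SUPPLICANT, 2)                  # EAPOL-Logoff
IP_FRAME = bytes.fromhex("ffffffffffff") + SUPPLICANT + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    for frame in (START, IDENTITY_REQ, LOGOFF, IP_FRAME):
        print("passes unauthorized port:", allowed_on_unauthorized_port(frame))
    for frame in (START, IDENTITY_REQ, LOGOFF):
        print(parse_eapol(frame))
```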
EAP Characteristics
• EAP – The Extensible Authentication Protocol
• Extension of PPP to provide additional authentication features
• A flexible protocol used to carry arbitrary authentication information.
• Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+.
• Specified in RFC 2284
• Supports multiple authentication types:
  – EAP-MD5: Plain Password Hash (CHAP over EAP)
  – EAP-TLS (based on X.509 certificates)
  – LEAP (EAP-Cisco Wireless)
  – PEAP (Protected EAP)
EAP Selection
• Cisco Secure ACS supports the following varieties of EAP:
  – EAP-MD5 – An EAP protocol that does not support mutual authentication.
  – EAP-TLS – EAP incorporating Transport Layer Security (TLS).
  – LEAP – An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
  – PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
  – EAP-FAST – EAP Flexible Authentication via Secured Tunnel, a faster means of encrypting EAP authentication; supports EAP-GTC authentication.
Cisco LEAP
Lightweight Extensible Authentication Protocol
[Diagram: Client – Access Point – ACS Server.]
• Derives per-user, per-session key
• Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
• Uses mutual authentication – both user and AP need to be authenticated
Mutual Authentication
• Cisco LEAP as well as other secure EAP variations support mutual authentication.
• The authentication server sends a challenge to the client and the client responds to the challenge with a hash of a secret password known by the client and the network.
  – Password is never sent over the wire
• When the client is authenticated, the same process is repeated in reverse order so the client can authenticate the server.
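An added worked example (not from the slides) of the hash-based challenge/response described here, using EAP-MD5 (CHAP over EAP, RFC 1994 and RFC 3748), the one-way variant named on the EAP Characteristics slide: the verifier sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the verifier recomputes the value from its own copy of the secret. The names "acs" and "alice" and the secret values are constructed; LEAP's own hash is not EAP-MD5, so the swapped-roles pass only illustrates the mutual pattern.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes, RFC 3748
EAP_TYPE_MD5_CHALLENGE = 4                                         # EAP method type for EAP-MD5

def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value (RFC 1994): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def eap_packet(code: int, identifier: int, type_data: bytes = b"") -> bytes:
    """EAP header: Code, Identifier, Length (header included), followed by Type and Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def md5_challenge_request(identifier: int, challenge: bytes, name: bytes) -> bytes:
    """Verifier -> peer: EAP-Request/MD5-Challenge carries Type 4, Value-Size, Value, Name."""
    return eap_packet(EAP_REQUEST, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name)

def md5_challenge_response(request: bytes, secret: bytes, name: bytes) -> bytes:
    """Peer -> verifier: answer with the hash of secret and challenge; the secret stays local."""
    code, identifier, _ = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge = request[6:6 + request[5]]
    digest = chap_hash(identifier, secret, challenge)
    return eap_packet(EAP_RESPONSE, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name)

def verify_response(response: bytes, identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Verifier: recompute the hash with its own copy of the secret; reply EAP-Success or EAP-Failure."""
    code, resp_id, _ = struct.unpack("!BBH", response[:4])
    ok = (code == EAP_RESPONSE and resp_id == identifier and len(response) >= 22
          and response[4] == EAP_TYPE_MD5_CHALLENGE and response[5] == 16
          and hmac.compare_digest(response[6:22], chap_hash(identifier, secret, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)

def run_exchange(peer_secret: bytes, verifier_secret: bytes, identifier: int = 7) -> int:
    """One challenge/response pass; returns the EAP code sent back (3 success, 4 failure).
    Running it again with the roles swapped is the 'reverse order' step of mutual authentication."""
    challenge = os.urandom(16)                 # a fresh random challenge defeats replay of old answers
    request = md5_challenge_request(identifier, challenge, b"acs")
    response = md5_challenge_response(request, peer_secret, b"alice")
    return verify_response(response, identifier, challenge, verifier_secret)[0]
```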
EAP-TLS
EAP – Transport Layer Security
[Diagram: Client – Access Point / Switch – ACS Server; server cert and cert request.]
• RFC 2716 – Developed by Microsoft
• Used for TLS Handshake Authentication (RFC 2246)
• Requires PKI (X.509) Certificates rather than username/password
• Mutual authentication
• Requires client and server certificates
• Certificate Management is complex and costly
PEAP
Protected Extensible Authentication Protocol
[Diagram: Client – Access Point / Switch – ACS Server; TLS Tunnel.]
• Internet-Draft by Cisco, Microsoft & RSA
• Enhancement of EAP-TLS
• Requires server certificate only
• Mutual authentication
• Username/password challenge over TLS Channel
• Available for use with Microsoft and Cisco products
How Does Basic Port Based Network Access Work?
[Diagram: Cisco Secure ACS (AAA RADIUS server); 802.1x-capable Ethernet LAN access devices: Catalyst 6500, 4500/4000 and 3550/2950 series switches and access points; 802.1x between host and switch, RADIUS between switch and ACS.]
1. Host device attempts to connect to the switch.
2. Switch requests ID.
3. Host sends ID/password or certificate.
4. Switch forwards credentials to ACS server.
5. Authentication successful.
6. Switch applies policies and enables port.
7. Client now has secure access.
The actual authentication conversation is between the client and the Auth Server using EAP.
The switch detects the 802.1x compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.
ACS Deployment in a Small LAN
[Diagram: Client, Catalyst 2950/3500 Switch, Cisco Secure ACS, Router, Firewall, Internet.]
Cisco Secure ACS RADIUS Response
[Diagram: End User – 802.1x – Cisco Catalyst Switch – RADIUS – Cisco Secure ACS.]
After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.
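Added example (not the slides' material) of the switch's middleman role and of the reply this slide describes: the switch wraps the supplicant's EAP packet unchanged in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes (RFC 2865 / RFC 3579), and the ACS answers with an Access-Accept carrying EAP-Success whose Response Authenticator the switch verifies under the shared key before it authorizes the port. Usernames, identifiers and secrets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                           # RADIUS codes, RFC 2865
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80    # attribute types, RFC 2865 / 3579

def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (value + 2), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS header: Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def with_message_authenticator(code: int, ident: int, auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Fill the zeroed Message-Authenticator (kept as last attribute) with HMAC-MD5 over the packet."""
    return attrs[:-16] + hmac.new(secret, packet(code, ident, auth, attrs), hashlib.md5).digest()

def access_request(ident: int, user: bytes, eap_msg: bytes, secret: bytes) -> bytes:
    """Switch -> ACS: the supplicant's EAP packet is relayed unchanged inside EAP-Message (79)."""
    req_auth = os.urandom(16)                                  # Request Authenticator is random
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap_msg) + attr(ATTR_MSG_AUTH, bytes(16))
    return packet(ACCESS_REQUEST, ident, req_auth,
                  with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))

def access_accept(request: bytes, eap_success: bytes, secret: bytes) -> bytes:
    """ACS -> switch: EAP-Success inside EAP-Message; the reply's Message-Authenticator is keyed over the
    Request Authenticator, then Response Authenticator = MD5(Code, Id, Length, RequestAuth, attrs, secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = attr(ATTR_EAP_MESSAGE, eap_success) + attr(ATTR_MSG_AUTH, bytes(16))
    attrs = with_message_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    resp_auth = hashlib.md5(packet(ACCESS_ACCEPT, ident, req_auth, attrs) + secret).digest()
    return packet(ACCESS_ACCEPT, ident, resp_auth, attrs)

def switch_accepts(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Switch side: authorize the port only if the reply carries the pending request's Identifier
    and its Response Authenticator verifies under the shared secret (the 'key' on radius-server host)."""
    if len(reply) < 20 or reply[0] != ACCESS_ACCEPT or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo(switch_secret: bytes, acs_secret: bytes) -> bool:
    """Constructed round trip: EAP-Response/Identity 'alice' goes up, EAP-Success (EAP id 7) comes back."""
    eap_identity = b"\x02\x07\x00\x0a\x01alice"                # Code 2, Id 7, Length 10, Type 1 Identity
    req = access_request(1, b"alice", eap_identity, switch_secret)
    return switch_accepts(req, access_accept(req, b"\x03\x07\x00\x04", acs_secret), switch_secret)
```

A reply that fails the check is discarded rather than acted on, which is what makes a mismatched or guessed shared secret show up as an authentication that never completes instead of as an open port.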
Module 7 – Configure Trust and Identity at Layer 2
7.2 Configuring 802.1x Port-Based Authentication
802.1x Port-Based Authentication Configuration
– Enable 802.1x Authentication (required)
– Configure the Switch-to-RADIUS-Server Communication (required)
– Enable Periodic Re-Authentication (optional)
– Manually Re-Authenticating a Client Connected to a Port (optional)
– Changing the Switch-to-Client Retransmission Time (optional)
– Setting the Switch-to-Client Frame-Retransmission Number (optional)
– Enabling Multiple Hosts (optional)
– Resetting the 802.1x Configuration to the Default Values (optional)
Enabling 802.1x Authentication
Switch# configure terminal
• Enter global configuration mode
Switch(config)# aaa new-model
• Enable AAA
Switch(config)# aaa authentication dot1x default group radius
• Create an 802.1x authentication method list
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode
Switch(config-if)# dot1x port-control auto
• Enable 802.1x authentication on the interface
Switch(config-if)# end
• Return to privileged EXEC mode
Configuring Switch-to-RADIUS Communication
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
• Configure the RADIUS server parameters on the switch (server address, authentication port, and the shared key that must match the key configured on the ACS).
Enabling Periodic Re-Authentication
Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x re-authentication
• Enable periodic re-authentication of the client, which is disabled by default.
Switch(config)# dot1x timeout re-authperiod seconds
• Set the number of seconds between re-authentication attempts.
Manually Re-Authenticating a Client
Connected to a Port
Switch# dot1x re-authenticate interface fastethernet0/12
• Starts re-authentication of the client (a privileged EXEC command, not a configuration command).
Enabling Multiple Hosts
Switch# configure terminal
• Enter global configuration mode
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Switch(config-if)# dot1x multiple-hosts
• Allow multiple hosts (clients) on an 802.1x-authorized port.
Resetting the 802.1x Configuration to the
Default Values
Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x default
• Reset the configurable 802.1x parameters to the default values.
Displaying 802.1x Statistics
Switch# show dot1x statistics
• Display 802.1x statistics.
Switch# show dot1x statistics interface interface-id
• Display 802.1x statistics for a specific interface.
Displaying 802.1x Status
Switch# show dot1x
• Display 802.1x administrative and operational status.
Switch# show dot1x interface interface-id
• Display 802.1x administrative and operational status for a specific interface.