802.1x Best Practices
Ing. Peter Feciľak, Peter.Fecilak@tuke.sk, 29.04.2008, KPI, FEI, TUKE
Content of the presentation
• Basic terminology
  – 802.1x
  – RADIUS server
  – Dynamic VLAN membership
• Why implement 802.1x?
• Problems in 802.1x implementation
• Discussion...
What is 802.1x?
• IEEE standard for port-based Network Access Control
• Provides port-based authentication
• Supported in wired/wireless environment
802.1x terminology
RADIUS authentication server
• Provides authentication and other AAA services for end devices through a number of authentication mechanisms
• Each authentication mechanism has its own level of security (EAP/MD5, EAP/LEAP, EAP/PEAP)
• Can be linked to an external user/computer database – Active Directory / LDAP / MySQL
RADIUS authentication server
• Supports delegation (proxying) of requests (e.g. eduroam)
• Runs on different platforms
  MS Windows: Cisco Secure Access Control Server
  Linux: FreeRADIUS / older versions of Cisco Secure ACS
Authenticator – access layer
• Provides port-based authentication and dynamic VLAN membership via the RADIUS server (EAP and RADIUS protocols)
• Three types of VLANs:
  – Dynamic VLAN assigned by RADIUS
  – AUTH-FAIL VLAN
  – GUEST VLAN
• Catalyst switches support periodic re-authentication (see the Steve Riley vulnerability from 2005)
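The dynamic VLAN membership mentioned above is carried in the RADIUS Access-Accept as three tunnel attributes (RFC 2868 / RFC 3580): Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID holding the VLAN. The following is an added example, not code from the presentation or from any RADIUS or switch vendor: it encodes that triplet, parses an attribute list back, and applies the checks an authenticator should make before moving a port (matching tag, correct tunnel type and medium, numeric VLAN id in range). The tag value 1 and the numeric-only VLAN id are assumptions for the example; RFC 3580 also allows a VLAN name in the group id, which this code deliberately rejects.

```python
"""Encode and validate RADIUS dynamic-VLAN attributes (constructed example)."""
import struct

# Attribute types and expected values from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_attr(attr_type, value):
    """Build one RADIUS AVP: type (1 byte), length (1 byte), value (n bytes)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag, number):
    """Tagged integer value: 1 tag byte followed by a 3-byte big-endian number."""
    return bytes([tag]) + number.to_bytes(3, "big")


def vlan_assignment(vlan_id, tag=1):
    """The three attributes a RADIUS server returns to place a port into vlan_id.
    tag=1 is an assumption; any value 0x01..0x1F groups the three together."""
    return (encode_attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + encode_attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attrs(data):
    """Split an attribute list into (type, value) pairs; reject malformed lengths."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def split_tag(value):
    """Return (tag, payload). A first byte above 0x1F is data, not a tag (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data):
    """Return the VLAN id an authenticator may apply, or None when the attributes
    are missing or inconsistent. A switch that skipped these checks would act on
    any Tunnel-Private-Group-ID string regardless of the tunnel type it belongs to."""
    by_tag = {}
    for atype, value in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = split_tag(value)
            by_tag.setdefault(tag, {})[atype] = payload
    for group in by_tag.values():
        if (len(group) == 3
                and int.from_bytes(group[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_IEEE802):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    accept = vlan_assignment(100)
    print(accept.hex(), "->", vlan_from_accept(accept))
```

The tag handling matters in practice: some servers send the three attributes untagged, and the group id may start with a digit (0x30 and above), which the RFC says must then be read as data rather than as a tag; `split_tag` covers both forms.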
802.1x Supplicant
• Software on the end device that performs EAP authentication against the authenticator
• Possible types of authentication:
  – Computer (domain account)
  – User (domain account, OTP…)
  – Computer with user account
802.1x Supplicant
• Supported on Windows and Linux alike
• Linux authentication tools:
  – Xsupplicant (wired)
  – wpa_supplicant (wireless)
  – Open1X
802.1x Linux Supplicant
fecilak@travelko:~$ cat /etc/xsupplicant/xsupplicant.conf
default_interface = eth0
default {
  type = wired
  allow_types = eap-peap
  identity = "pfecilak"
  eap-peap {
    inner_id = "pfecilak"
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes
    eap-mschapv2 {
      username = "pfecilak"
      password = "Moje1Tajne2Heslo3!#"
    }
  }
}
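The configuration above sets `root_cert = NONE`, so the supplicant never checks which RADIUS server terminates the PEAP tunnel, and the inner MSCHAPv2 password sits in the file in clear. As an added example (not part of the presentation or of the Xsupplicant project), the parser below reads this brace-structured format into nested dictionaries and reports those two findings for every `eap-peap` block. The sample configuration is constructed here in the slide's layout with the password replaced by a placeholder; treating a missing `root_cert` the same as `NONE` is a conservative assumption of this example.

```python
"""Parse xsupplicant.conf-style text and flag weak EAP-PEAP settings (constructed example)."""
import re

# Constructed sample in the layout shown on the slide; password is a placeholder.
SAMPLE_CONF = """
default_interface = eth0
default {
  type = wired
  allow_types = eap-peap
  identity = "pfecilak"
  eap-peap {
    inner_id = "pfecilak"
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    allow_types = all
    session_resume = yes
    eap-mschapv2 {
      username = "pfecilak"
      password = "placeholder-not-a-real-password"
    }
  }
}
"""

# Tokens: quoted string, braces, '=', or a bare word (paths such as /dev/urandom included).
_TOKEN = re.compile(r'"[^"]*"|\{|\}|=|[^\s{}=]+')


def parse_conf(text):
    """Return nested dicts: `key = value` pairs and `name { ... }` blocks."""
    tokens = _TOKEN.findall(text)
    root = {}
    stack = [root]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":
            block = {}
            stack[-1][tok] = block
            stack.append(block)
            i += 2
        elif i + 2 < len(tokens) and tokens[i + 1] == "=":
            stack[-1][tok] = tokens[i + 2].strip('"')
            i += 3
        else:
            raise ValueError("unexpected token %r" % tok)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def peap_findings(conf):
    """List weaknesses in every eap-peap block: server certificate not validated
    (root_cert = NONE, or absent, assumed equivalent here) and an inner
    eap-mschapv2 password stored in clear text."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if not isinstance(value, dict):
                continue
            if key == "eap-peap":
                if value.get("root_cert", "NONE").upper() == "NONE":
                    findings.append(path + key + ": root_cert = NONE, RADIUS server certificate is not validated")
                if "password" in value.get("eap-mschapv2", {}):
                    findings.append(path + key + "/eap-mschapv2: password stored in clear text in the config file")
            walk(value, path + key + "/")

    walk(conf, "")
    return findings


if __name__ == "__main__":
    for finding in peap_findings(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Pointing `root_cert` at the CA that issued the RADIUS server's certificate removes the first finding; the second is inherent to storing a static password for the inner method and is the reason the later slides prefer computer (machine) accounts.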
802.1x Windows Supplicant
• Native 802.1x supplicant in:
  – MS Windows XP
  – MS Windows Vista
  – MS Windows 2000 (latest SP)
• External supplicants:
  – Cisco Secure Services Agent
802.1x Windows Supplicant
802.1x Windows Supplicant
User-authentication GUI agent (screenshot)
Why implement 802.1x?
• Provide port-based control over access to network resources (physical access to ports is hard to control)
• Identify regular network users and give them easy access to network resources; isolate non-regular users from the internal infrastructure.
Why implement 802.1x?
• Apply different security levels to specified communities of users.
• Provide mobility via RADIUS and dynamic VLAN membership
Number of security levels
• Identify user/computer roles and grant them access to network resources as defined by their security level.
Problems in 802.1x implementation
• Devices that do not support 802.1x connected to the access layer cause problems (e.g. hubs, unmanageable switches)
• Computers connected through IP phones that do not support 802.1x have problems with authentication
• Periodic re-authentication can cause problems in a large domain
Problems in 802.1x implementation
• Computer authentication combined with user-to-VLAN mapping can cause problems during the IP settings renewal process
• The Authentication tab is not shown in the local area connection configuration (it needs the Wireless Zero Configuration service)
Best practices
• When 802.1x is used mainly in an MS Windows domain, use Cisco Secure ACS and computer domain accounts
• Do not use dynamic VLAN membership with user-to-VLAN mapping; computer authentication with the domain account is better
Best practices
• Scale the number of RADIUS servers according to whether re-authentication is enabled and the number of end clients that will use 802.1x authentication
• I recommend one server per 100 computers when re-authentication every 5 minutes is used
Best practices
Classification into profiles providing different security levels:
• User Network – for regular users, granting access to network resources
• Visitors Network – for guest access from the internal infrastructure, granting only Internet access
• Guest/Auth-fail VLAN – fully isolated network; no network resources can be accessed.
Discussion/Questions and Answers
Redundant topologies
Redundant topologies
Problem
Solution – redundant gateways
Subnet 192.168.1.0/24 with two gateways, 192.168.1.2 and 192.168.1.1 (diagram)
Solution – HSRP
Subnet 192.168.1.0/24: GW-1-1 (192.168.1.2) and GW-1-2 (192.168.1.1) form one virtual router with the address 192.168.1.3; one gateway is Master and the other Slave, and when the Master fails the Slave takes over 192.168.1.3 (diagram)
First Hop Redundancy Protocols
• HSRP
• VRRP
• GLBP
Example - HSRP
Host: IP 192.168.1.100, netmask 255.255.255.0, gateway 192.168.1.3 (the HSRP virtual address shared by GW-1-1 at 192.168.1.2 and GW-1-2 at 192.168.1.1)
GW-1-1(config)# interface FastEthernet 0/0
GW-1-1(config-if)# ip address 192.168.1.2 255.255.255.0
GW-1-1(config-if)# standby 1 priority 80
GW-1-1(config-if)# standby 1 preempt
GW-1-1(config-if)# standby 1 ip 192.168.1.3
GW-1-1(config-if)# no shutdown
GW-1-2(config)# interface FastEthernet 0/0
GW-1-2(config-if)# ip address 192.168.1.1 255.255.255.0
GW-1-2(config-if)# standby 1 priority 150
GW-1-2(config-if)# standby 1 preempt
GW-1-2(config-if)# standby 1 ip 192.168.1.3
GW-1-2(config-if)# no shutdown
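With these two configurations GW-1-2 (priority 150) becomes the HSRP active router (the slide's "Master") for 192.168.1.3 and GW-1-1 (priority 80) stands by; because both set `preempt`, GW-1-2 takes the address back as soon as it returns after a failure. The following added example (not a Cisco tool and not from the presentation) parses the interface lines above into the group settings and runs the election for a failure-and-return sequence, so the effect of `priority` and `preempt` can be checked before the configuration is applied. The IOS defaults used (priority 100, no preempt, highest interface IP as tie-breaker) are HSRP behaviour; the event list is constructed for the example.

```python
"""Derive HSRP roles from the slide's gateway configs and simulate failover (constructed example)."""
import ipaddress
import re

# The two interface configurations from the slide, as text to be parsed.
GW_CONFIGS = {
    "GW-1-1": """
interface FastEthernet 0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 priority 80
 standby 1 preempt
 standby 1 ip 192.168.1.3
 no shutdown
""",
    "GW-1-2": """
interface FastEthernet 0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 priority 150
 standby 1 preempt
 standby 1 ip 192.168.1.3
 no shutdown
""",
}


def parse_standby(config):
    """Extract interface IP and HSRP settings; unset values keep IOS defaults."""
    settings = {"priority": 100, "preempt": False, "vip": None, "ip": None}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip address (\S+) \S+$", line)
        if m:
            settings["ip"] = m.group(1)
        m = re.match(r"standby \d+ priority (\d+)$", line)
        if m:
            settings["priority"] = int(m.group(1))
        if re.match(r"standby \d+ preempt$", line):
            settings["preempt"] = True
        m = re.match(r"standby \d+ ip (\S+)$", line)
        if m:
            settings["vip"] = m.group(1)
    return settings


def slide_routers():
    """Parsed settings for both gateways on the slide."""
    return {name: parse_standby(cfg) for name, cfg in GW_CONFIGS.items()}


def elect(routers, alive, current_active=None):
    """Return the router holding the virtual IP among those in `alive`.
    Highest priority wins, then highest interface IP. A higher-priority
    router that comes back only displaces the current active router if
    it has `standby preempt` configured."""
    candidates = [n for n in alive if n in routers]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda n: (routers[n]["priority"], ipaddress.ip_address(routers[n]["ip"])))
    if current_active in candidates and current_active != best and not routers[best]["preempt"]:
        return current_active
    return best


def failover_timeline(routers, events):
    """Apply ('down'|'up', name) events in order; record who is active after each."""
    alive = set(routers)
    active = elect(routers, alive)
    timeline = [("start", active)]
    for state, name in events:
        if state == "down":
            alive.discard(name)
        else:
            alive.add(name)
        active = elect(routers, alive, active)
        timeline.append((name + " " + state, active))
    return timeline


if __name__ == "__main__":
    for step, active in failover_timeline(slide_routers(), [("down", "GW-1-2"), ("up", "GW-1-2")]):
        print(step, "->", active, "owns 192.168.1.3")
```

Removing `standby 1 preempt` from GW-1-2 in the dictionary and re-running the timeline shows the other common design: GW-1-1 keeps the virtual address after GW-1-2 returns, which avoids a second gateway switch during an outage at the cost of running on the lower-priority router.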