802.1X Authentication
Deniz Kaya, Microsoft, Cisco, Ironport Trainer (CCSI, CCNP, MCT, MCSE, ICSI, ICSP, CPTS)

Upload: dkaya

Post on 08-Jun-2015


DESCRIPTION

This is the presentation from my 802.1x Authentication seminar at New Horizons of Sofia, on 22.10.2008.

TRANSCRIPT

Page 1: Implementing 802.1x Authentication

802.1X Authentication

Deniz Kaya, Microsoft, Cisco, Ironport Trainer
CCSI, CCNP, MCT, MCSE, ICSI, ICSP, CPTS

Page 2: Implementing 802.1x Authentication

…While the Assets Needing to be Protected are Expanding

[Diagram: one enterprise network reaching Service Provider/Internet, Teleworker (831), City Hall, VPN Head-End, Cable Provider, Airport, Library, Partner/Vendor]

One physical network must accommodate multiple logical networks (user groups), each with its own rules.

Page 3: Implementing 802.1x Authentication

IDENTITY: So, you said MAC Address?

Win 2K & XP allow easy change of MAC addresses

A MAC address is an identifier, not an authentication mechanism: it is sent in the clear and trivially spoofed, so MAC-based port security proves nothing about who is on the port…

Page 4: Implementing 802.1x Authentication

Determining “who” gets access and “what” they can do

[Diagram: user identity based network access to the Campus Network; user based policies applied (BW, QoS etc.); authorized users/devices are admitted, unauthorized users/devices are kept out]

• Equivalent to placing a security guard at each switch port

• Only authorized users can get network access

• Unauthorized users can be placed into “Guest” VLANs

• Prevents unauthorized APs

Page 5: Implementing 802.1x Authentication

What Exactly Is 802.1x?

• Standard set by the IEEE 802.1 working group.

• Describes a standard link layer protocol (EAP over LAN, EAPOL) used for transporting higher-level authentication protocols.

• Works between the Supplicant and the Authenticator.

• Maintains backend communication to an Authentication Server (the authenticator relays the same EAP conversation over RADIUS).

Page 6: Implementing 802.1x Authentication

Some IEEE Terminology

IEEE Terms             Normal People Terms
Supplicant             Client
Authenticator          Network Access Device (switch or access point)
Authentication Server  AAA/RADIUS Server

Page 7: Implementing 802.1x Authentication

What Does it Do?

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.

• The authenticator (switch) becomes the middleman: it relays the EAP packets it receives inside 802.1x (EAPOL) frames to an authentication server, using RADIUS to carry the EAP information.

[Frame layout: 802.1x Header | EAP Payload]

Page 8: Implementing 802.1x Authentication

What is RADIUS?

• RADIUS – The Remote Authentication Dial In User Service

• A protocol used to communicate between a network device and an authentication server or database.

• Allows the communication of login and authentication information, e.g. username/password, OTP, etc.

• Allows the communication of arbitrary attribute-value pairs using “Vendor Specific Attributes” (VSAs).

[Packet layout: UDP Header | RADIUS Header | EAP Payload]
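The following is an added example for slides 5, 7 and 8, not code from the presentation: it carries one EAP Response/Identity from the supplicant across the two hops the slides describe, first inside an EAPOL frame to the switch, then inside RADIUS EAP-Message attributes to the authentication server. The check a practitioner wants is the Message-Authenticator (HMAC-MD5 keyed with the shared secret), which RFC 3579 makes mandatory on any RADIUS packet that carries EAP-Message, so that a forged or tampered Access-Request is dropped. MAC addresses, identity and shared secret are constructed for the demo.

```python
"""Added example, not code from the slides: the path an EAP Response/Identity
takes from supplicant to authentication server.

  supplicant  --EAPOL frame (EtherType 0x888E)-->  authenticator (switch)
  authenticator --RADIUS Access-Request (UDP/1812)--> authentication server

The switch strips the Ethernet/EAPOL headers, copies the EAP packet unchanged
into EAP-Message attributes (type 79) and seals the request with a
Message-Authenticator (type 80, HMAC-MD5 keyed with the RADIUS shared secret),
which RFC 3579 requires on every RADIUS packet that carries EAP-Message.
MAC addresses, identity and secret below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0          # EAPOL packet type that carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X destination MAC


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(body)) + body


def eapol_frame(src_mac: bytes, eap_packet: bytes) -> bytes:
    """Supplicant side: Ethernet header + EAPOL header (version 1) + EAP."""
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap_packet)) + eap_packet
    return PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def unwrap_eapol(frame: bytes) -> bytes:
    """Authenticator side: validate the 802.1X header and return the EAP packet."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL packet type %d carries no EAP" % ptype)
    eap = frame[18:18 + length]
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length does not match EAPOL body length")
    return eap


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes header) Value."""
    return bytes([atype, 2 + len(value)]) + value


def radius_access_request(secret: bytes, request_authenticator: bytes,
                          eap_packet: bytes, identity: bytes, nas_port: int,
                          ident: int = 0) -> bytes:
    """Authenticator side: relay the EAP packet to the RADIUS server."""
    attrs = _attr(ATTR_USER_NAME, identity)
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap_packet), 253):  # one value holds at most 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while hashing
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # replace the zeroed placeholder (last attribute)


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server side: recompute HMAC-MD5 over the packet with the attribute zeroed."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False  # malformed attribute: discard
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # RFC 3579: EAP-Message without Message-Authenticator is discarded


def relay_identity(identity: bytes, secret: bytes, src_mac: bytes, nas_port: int) -> bytes:
    """Walk the whole path once and return the Access-Request the server sees."""
    frame = eapol_frame(src_mac, eap_response_identity(identity))
    eap = unwrap_eapol(frame)
    return radius_access_request(secret, os.urandom(16), eap, identity, nas_port)


if __name__ == "__main__":
    req = relay_identity(b"deniz@example.com", b"demo-shared-secret",
                         bytes.fromhex("001122334455"), nas_port=3)
    print(len(req), verify_message_authenticator(b"demo-shared-secret", req))
```

The EAP packet is never modified by the switch; only the outer header changes. Note that the Message-Authenticator protects the RADIUS hop only: the EAPOL hop between client and switch has no integrity protection of its own, which is why the EAP method itself (slides 18 onwards) has to provide mutual authentication.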

Page 9: Implementing 802.1x Authentication

802.1x – enhancing LAN security: Topology

[Diagram: a laptop holding a domain user/machine certificate talks to an 802.11/802.1X access point. The EAP connection runs over the uncontrolled port; the DHCP exchange and file peers are reachable only through the controlled port once the port is authorized. Behind the access point sit RADIUS (IAS) with its server certificate, the Domain Controller, and the Certificate Authority, which supplies client certificates and Certificate Revocation Lists (CRL).]

Page 10: Implementing 802.1x Authentication

Wired Access Control Model

Client and switch talk 802.1x; the switch speaks to the auth server using RADIUS.

The actual authentication conversation is between the client and the auth server using EAP; the switch is just a middleman, but is aware of what's going on.

• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)

• RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.

Page 11: Implementing 802.1x Authentication

Identity Based Network Services

[Diagram: an 802.1x capable client (IEEE 802.1x + VLANs + VVID + ACL + QoS) connects to 802.1x capable access devices (6500 Series, 4000 Series, 3550/2950 Series switches, access points); the AAA RADIUS server (802.1x authentication server) checks logins against Active Directory (login and certificate services).]

• Login Request (switch to client)

• Login + Certificate / Login Info (client to switch, relayed to the AAA RADIUS server)

• Verify login and check with policy DB (RADIUS server against Active Directory)

• Login verified. Login good! Apply policies (RADIUS server back to switch)

• Switch applies policies and enables port: set port enable, set port vlan 10 → VLAN 10 (Engineering VLAN)
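The following is an added example for the “Login Good! Apply Policies” step of slides 10 and 11, not code from the presentation: it shows the switch turning the AV pairs in a RADIUS Access-Accept into a port decision (“set port vlan 10”). The VLAN is carried the way RFC 3580 specifies, in the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, and the switch verifies the Response Authenticator before acting, so a forged Access-Accept injected on the RADIUS path cannot open the port. The replies, request authenticator and shared secret are constructed for the demo.

```python
"""Added example, not code from the slides: what the switch does with the
RADIUS reply in the "Login Good! Apply Policies" step. RFC 3580 carries a VLAN
assignment in three tagged attributes of the Access-Accept:
  Tunnel-Type (64) = 13 (VLAN), Tunnel-Medium-Type (65) = 6 (IEEE-802),
  Tunnel-Private-Group-ID (81) = the VLAN id as a string.
Before acting on any of it the switch checks the Response Authenticator,
MD5(Code|ID|Length|RequestAuth|Attributes|Secret), so a forged Access-Accept
from someone on the RADIUS path cannot open the port. Replies and secret are
constructed for the demo.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Server side: Access-Accept/Reject carrying a valid Response Authenticator."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Authenticator side: the reply must match the request we sent and our secret."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attributes(pkt: bytes):
    """Yield (type, value) pairs; refuse malformed lengths instead of looping."""
    end = struct.unpack("!H", pkt[2:4])[0]
    if end < 20 or end > len(pkt):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def _tagged_int(value: bytes) -> int:
    """Integer tunnel attribute: tag(1) + 3-byte value, or a plain 4-byte integer
    when the first byte is > 0x1F (RFC 2868 section 3.1)."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    return int.from_bytes(value[1:] if value[0] <= 0x1F else value, "big")


def _tagged_str(value: bytes) -> str:
    """String tunnel attribute with an optional leading tag byte."""
    return (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")


def port_policy(pkt: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Authenticator side: decide the port state from an authenticated reply."""
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: drop the reply")
    if pkt[0] == ACCESS_REJECT:
        return {"port": "unauthorized"}  # or the configured Guest VLAN
    if pkt[0] != ACCESS_ACCEPT:
        raise ValueError("unexpected RADIUS code %d" % pkt[0])
    attrs = dict(parse_attributes(pkt))
    policy = {"port": "authorized"}
    if ATTR_TUNNEL_PRIVATE_GROUP_ID in attrs:
        # honour the group id only when type and medium say it is an 802 VLAN
        if (_tagged_int(attrs.get(ATTR_TUNNEL_TYPE, b"\0\0\0\0")) == TUNNEL_TYPE_VLAN
                and _tagged_int(attrs.get(ATTR_TUNNEL_MEDIUM_TYPE, b"\0\0\0\0")) == TUNNEL_MEDIUM_IEEE_802):
            vlan = int(_tagged_str(attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]))
            if not 1 <= vlan <= 4094:
                raise ValueError("VLAN id %d out of range" % vlan)
            policy["vlan"] = vlan
    return policy


def engineering_accept(request_auth: bytes, secret: bytes) -> bytes:
    """Constructed Access-Accept placing the user in VLAN 10 (Engineering)."""
    return build_reply(ACCESS_ACCEPT, 7, request_auth, secret, [
        (ATTR_TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"10"),
    ])


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"demo-shared-secret"
    print(port_policy(engineering_accept(req_auth, secret), req_auth, secret))
```

An Access-Accept without tunnel attributes simply authorizes the port in its configured VLAN; a Reject leaves it unauthorized (or in the Guest VLAN of slide 4). Some switches also accept a VLAN name rather than a number in Tunnel-Private-Group-ID; this example deliberately accepts only a numeric id in range.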

Page 12: Implementing 802.1x Authentication

802.1x client implementation in Windows

• Wired interfaces – enabled by default

• Wireless interfaces – integrated with the wireless configuration client
– Enabled by default if privacy is enabled
– Dynamic keys usage enforcement

• User and computer authentication enabled by default

Page 13: Implementing 802.1x Authentication

802.1x in Microsoft Windows: Machine and user authentication

[State diagram]

• Startup → Machine: machine credentials available (use machine credentials) → machine authentication success or machine authentication failure

• User logon: user credentials available (use user credentials) → user authentication success or user authentication failure

• User logoff

Page 14: Implementing 802.1x Authentication

Windows Machine Authentication

[Boot sequence: Power Up → Load NDIS drivers → 802.1x Authenticate as Computer → DHCP → Setup Secure Channel to DC → Update GPOs → Apply Computer GPOs → Present GINA (Ctrl-Alt-Del) → Login]

• What is Machine Authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.

• What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate to and communicate with Windows Domain Controllers in order to pull down machine group policies.

• Why do we care? Pre-802.1x this worked under the assumption that network connectivity was a given. Post-802.1x, blocking network access prior to 802.1x authentication breaks the machine-based group policy model, UNLESS the machine can authenticate using its own identity in 802.1x.

Page 15: Implementing 802.1x Authentication

802.1x in Microsoft Windows802.1x authentication configuration page

• Same for wired and wireless

• Provides control over computer and guest authentication

• EAP method setting

Page 16: Implementing 802.1x Authentication

What is EAP?

• EAP – The Extensible Authentication Protocol

• A flexible protocol used to carry arbitrary authentication information.

Page 17: Implementing 802.1x Authentication

EAP

[Layer diagram of the EAP stack]

• Method layer: TLS, GSS_API, Kerberos, PEAP (tunnelling MS-CHAPv2 or TLS), IKE, MD5

• EAP layer: EAP

• Media layer: PPP, 802.3, 802.5, 802.11, Other…

Page 18: Implementing 802.1x Authentication

802.1x authentication client: EAP methods available in Windows

• EAP-TLS (Transport Layer Security) – default setting for the 802.1x client in Windows

• PEAP (Protected EAP) allows inner methods
– TLS (certificate based)
– Microsoft Challenge Handshake Authentication Protocol v2 (MSCHAPv2) (password based)

• EAP-MD5 – available for wired networks only
– Provides no encrypted session between supplicant and authenticator and derives no keying material, so it cannot supply dynamic keys for wireless
– The challenge/response digest crosses the wire in the clear and can be attacked offline with a dictionary; the RADIUS server must hold cleartext passwords

Page 19: Implementing 802.1x Authentication

802.1x authentication clientEAP methods – wired and wireless networks

Page 20: Implementing 802.1x Authentication

EAP with MD5

[Sequence diagram between Authenticator and Peer]

• Authenticator → Peer: identity-request

• Peer → Authenticator: identity-response (username)

• Authenticator → Peer: MD5-challenge-request carrying a random challenge

• Peer → Authenticator: MD5-challenge-response, R = MD5(password, challenge), computed from the peer's cleartext password

• Authenticator checks that MD5(password, challenge) equals the response, using its own copy of the cleartext password

• Authenticator → Peer: success or failure
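The following is an added example for this slide and for the EAP-MD5 caveats of slide 18, not code from the presentation: it carries the exchange through with the digest actually computed (RFC 3748 section 5.4 reuses CHAP, so R is MD5 over the EAP Identifier, the password and the challenge, which the slide abbreviates as MD5(password, challenge)), and then shows the two consequences a practitioner cares about: the server needs the cleartext password, and anyone who sees one challenge/response pair, or who sends the challenge from a rogue authenticator, can test password guesses offline. Password, challenge and word list are constructed for the demo.

```python
"""Added example, not code from the slides: the EAP-MD5 exchange with the
digest actually computed, plus the two checks a practitioner wants.
EAP-MD5 (RFC 3748 section 5.4) reuses CHAP (RFC 1994), so the response is
MD5(Identifier || password || challenge). Both ends need the cleartext
password, the 16-byte digest crosses the wire in the clear, and nothing
authenticates the side that sent the challenge. Password, challenge and
word list below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_request(eap_id: int, challenge: bytes, name: bytes = b"") -> bytes:
    """Authenticator -> Peer: Code Id Length Type=4 Value-Size Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


def parse_md5_challenge(pkt: bytes):
    """Return (id, value) from an EAP-MD5 request (challenge) or response (digest)."""
    _code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = pkt[5]
    return eap_id, pkt[6:6 + size]


def md5_response_value(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Peer side: R = MD5(id || password || challenge), the slide's MD5(password, challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def md5_challenge_response(eap_id: int, password: bytes, challenge: bytes,
                           name: bytes = b"") -> bytes:
    """Peer -> Authenticator: the 16-byte digest travels in the clear."""
    digest = md5_response_value(eap_id, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def server_check(stored_password: bytes, challenge: bytes, response_pkt: bytes) -> bool:
    """Authentication server side: needs the cleartext password to recompute R."""
    eap_id, received = parse_md5_challenge(response_pkt)
    expected = md5_response_value(eap_id, stored_password, challenge)
    return hmac.compare_digest(expected, received)


def offline_dictionary_attack(request_pkt: bytes, response_pkt: bytes, wordlist):
    """Attacker who sniffed one request/response pair, or who issued the request
    from a rogue authenticator: test guesses with no further network traffic."""
    _, challenge = parse_md5_challenge(request_pkt)
    eap_id, received = parse_md5_challenge(response_pkt)
    for guess in wordlist:
        if md5_response_value(eap_id, guess, challenge) == received:
            return guess
    return None


def run_exchange(password: bytes, eap_id: int = 5, challenge: bytes = None):
    """Full exchange; returns (request packet, response packet, server verdict)."""
    challenge = challenge or os.urandom(16)  # constructed challenge if given
    req = md5_challenge_request(eap_id, challenge)
    resp = md5_challenge_response(eap_id, password, challenge)
    return req, resp, server_check(password, challenge, resp)


if __name__ == "__main__":
    req, resp, ok = run_exchange(b"Winter2008")
    print(ok, offline_dictionary_attack(req, resp, [b"password", b"Winter2008"]))
```

The same structure (fixed digest, no server authentication, no derived keys) is why slide 18 limits EAP-MD5 to wired ports and why the later slides move to EAP-TLS or PEAP, where the challenge/response is wrapped in a server-authenticated TLS tunnel.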

Page 21: Implementing 802.1x Authentication

802.1x with EAP-TLSLocal store certificates

• Uses both user and computer certificates

• Certificates deployed through auto-enrollment, Web enrollment, certificate import, or manual request using the Certificates snap-in

• Local computer store is always available

• The user store (for a current user) is only available after a successful user logon

Page 22: Implementing 802.1x Authentication

802.1x with EAP-TLSConfiguration page

• Mutual authentication enabled by default

• Simple certificate selection

Page 23: Implementing 802.1x Authentication

802.1x with EAP-TLSSmart card certificates

• User must enter PIN to access the certificate on the smart card.
– PIN input is not required again on subsequent re-authentication tries, like session time-out or roaming on wireless networks.
– When roaming out of range and back in range, the user will be re-prompted for the PIN.

• Managing user certificates stored on local hard drives can be difficult, and some users may move among computers.

Page 24: Implementing 802.1x Authentication

802.1x with PEAP-MSCHAPv2What to consider

• Password-based authentication – not all networks have a PKI deployment.

• Single sign-on (SSO).

• Enables both machine and user authentication.

• Windows logon credentials can be automatically used (default setting), or credentials can be provided by user.

Page 25: Implementing 802.1x Authentication

802.1x with PEAP-MSCHAPv2Configuration page

• By default, fast reconnect feature is disabled.

Page 26: Implementing 802.1x Authentication

Campus Identity - Supplicants

• Possible end-points:
– Windows XP – Yes
– Windows 2000 – Yes (SP3 + KB)
– Linux – Yes
– HP-UX – Yes
– Solaris – Yes
– HP Printers – Yes
– Windows 98 – Limited
– Windows NT4 – Limited
– Apple – Yes
– IP Phones – Yes
– WLAN APs – Yes
– …

[Logos: Windows, HP JetDirect, Solaris, 7920, Apple, IP Phones, WLAN APs, Pocket PC]

Page 27: Implementing 802.1x Authentication

802.1xPort based network access control

• Falls under 802.1, NOT 802.11

• This is a NETWORK standard, not a wireless standard

• Is part of 802.11i (ratified in 2004), which relies on it for authentication and key distribution

• Provides network authentication, NOT encryption

Page 28: Implementing 802.1x Authentication

Know before you start !

• 802.1x implementation requires knowledge from various domains:
– Switch or AP compliance and configuration
– Certificate Services (the hidden part of the ICEBERG) if you intend to use EAP-TLS
– RADIUS server, especially when you have a multi-domain directory infrastructure
– Smart-card services, if you intend to use them instead of user certificates
– Various client deployment scenarios

Page 29: Implementing 802.1x Authentication

Demo – Wired Client Authentication 802.1x with PEAP-MSCHAPv2

• Cisco Switch Configuration

• Active Directory Configuration

• Installation of IAS (Radius)

• Installation of Certificate Services

• XP Client Configuration

Page 30: Implementing 802.1x Authentication

New Horizons' Partners