Network Security 1 – Module 7 – Configure Trust and Identity at Layer 2

Transcript of askoik.kapsi.fi/koulu/NetSec1/NS1_v20_Module07-new.pdf (30 slides)

Page 1: Network Security 1

Module 7 – Configure Trust and Identity at Layer 2

Page 2: Learning Objectives

7.1 Identity-Based Networking Services (IBNS)

7.2 Configuring 802.1x Port-Based Authentication

Page 3: Module 7 – Configure Trust and Identity at Layer 2

7.1 Identity-Based Networking Services (IBNS)

Page 4: Identity Based Network Services

Diagram labels only: Unified Control of User Identity for the Enterprise; Cisco Secure ACS with an OTP Server and Hard and Soft Tokens; Cisco VPN Concentrators, IOS Routers, PIX Security Appliances; Router, Firewall, Internet, VPN Clients, Remote Offices.

Page 5: 802.1x Roles

• Supplicant
• Authenticator
• Authentication Server

Page 6: 802.1x Authenticator and Supplicant

Diagram: Home Office – Internet – perimeter router – Cisco Secure ACS.

• The perimeter router acts as the authenticator.
• The remote user’s PC acts as the supplicant.

Page 7: 802.1x Components

Page 8: How 802.1x Works

Diagram: End User (client) – 802.1x – Catalyst 2950 (switch) – RADIUS – Authentication Server (RADIUS).

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just a middleman.

Page 9: How 802.1x Works (Continued)

Message flow between the End User (client), the Catalyst 2950 (switch) and the Authentication Server (RADIUS). In the client column "->" is client to switch and "<-" switch to client; in the server column "->" is switch to server and "<-" server to switch.

  Client <-> Switch (EAPOL / EAP)          Switch <-> Server (RADIUS)
  -------------------------------          --------------------------
  EAPOL-Start                 ->
  EAP-Request/Identity        <-
  EAP-Response/Identity       ->           RADIUS Access-Request      ->
  EAP-Request/OTP             <-           RADIUS Access-Challenge    <-
  EAP-Response/OTP            ->           RADIUS Access-Request      ->
  EAP-Success                 <-           RADIUS Access-Accept       <-
  Port Authorized
  EAPOL-Logoff                ->
  Port Unauthorized

Page 10: EAP Characteristics

• EAP – The Extensible Authentication Protocol
• Extension of PPP to provide additional authentication features
• A flexible protocol used to carry arbitrary authentication information
• Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+
• Specified in RFC 2284
• Supports multiple authentication types:
  - EAP-MD5: Plain Password Hash (CHAP over EAP)
  - EAP-TLS (based on X.509 certificates)
  - LEAP (EAP-Cisco Wireless)
  - PEAP (Protected EAP)
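As an added example (not from the course deck or Cisco), the relay step of the slide 9 flow and the "rides on top of 802.1x or RADIUS" point above, modelled in Python: the supplicant's EAP-Response/Identity is built inside an EAPOL frame, the switch lifts the EAP packet out unchanged and forwards it in a RADIUS Access-Request whose Message-Authenticator is an HMAC keyed with the switch-to-server shared secret, and the server verifies it. The identity, EAP identifier, Request Authenticator and secret used in the test are constructed sample values.

```python
"""Slide 9 relay, modelled: the switch lifts the EAP packet out of the client's
EAPOL frame unchanged and forwards it in a RADIUS Access-Request. Constructed example."""
import hashlib, hmac, struct

EAPOL_EAP_PACKET = 0                      # EAPOL packet type 0: carries EAP
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1    # EAP code / EAP method type
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def eapol_identity_response(eap_id: int, identity: bytes) -> bytes:
    """Supplicant -> switch: EAPOL (version 1) body carrying EAP-Response/Identity."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity),
                      EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

def eap_from_eapol(frame: bytes) -> bytes:
    """Switch: strip the 4-byte EAPOL header; the EAP inside is not interpreted."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet (EAPOL-Start/Logoff carry no EAP)")
    return frame[4:4 + length]

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def radius_access_request(eap: bytes, identity: bytes, secret: bytes,
                          req_auth: bytes, ident: int = 1) -> bytes:
    """Switch -> server: EAP-Message (RFC 3579) plus Message-Authenticator, an
    HMAC-MD5 over the whole packet keyed with the 'key' from radius-server host."""
    attrs = (_attr(ATTR_USER_NAME, identity) + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed for the MAC
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server: recompute the HMAC with the Message-Authenticator value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                      # malformed attribute length: reject
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                          # RFC 3579: attribute is mandatory
```

The EAP bytes the server receives are identical to the ones the client sent; only the outer encapsulation changes, which is why the authenticator can stay a middleman.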

Page 11: EAP Selection

• Cisco Secure ACS supports the following varieties of EAP:
  - EAP-MD5 – An EAP protocol that does not support mutual authentication.
  - EAP-TLS – EAP incorporating Transport Layer Security (TLS).
  - LEAP – An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
  - PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
  - EAP-FAST – EAP Flexible Authentication via Secured Tunnel (EAP-FAST), a faster means of encrypting EAP authentication; supports EAP-GTC authentication.

Page 12: Cisco LEAP

Lightweight Extensible Authentication Protocol

Diagram: Client – Access Point – ACS Server

• Derives per-user, per-session key
• Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
• Uses mutual authentication – both user and AP need to be authenticated

Page 13: EAP-TLS

Extensible Authentication Protocol – Transport Layer Security

Diagram: Client – Access Point / Switch – ACS Server

• RFC 2716
• Used for TLS Handshake Authentication (RFC 2246)
• Requires PKI (X.509) Certificates rather than username/password
• Mutual authentication
• Requires client and server certificates
• Certificate Management is complex and costly

Page 14: PEAP

Protected Extensible Authentication Protocol

Diagram: Client – Access Point / Switch – TLS Tunnel – ACS Server

• Internet-Draft by Cisco, Microsoft & RSA
• Enhancement of EAP-TLS
• Requires server certificate only
• Mutual authentication
• Username/password challenge over TLS Channel
• Available for use with Microsoft and Cisco products

Page 15: How Does Basic Port Based Network Access Work?

Diagram: 802.1x between the client and the 802.1x Capable Ethernet LAN Access Devices (6500 Series, 4500/4000 Series, 3550/2950 Series, Access Points); RADIUS between the access device and the Cisco Secure ACS AAA RADIUS Server.

1. Host device attempts to connect to the switch
2. Switch requests ID
3. Client sends ID/password or certificate
4. Switch forwards credentials to the ACS server
5. Authentication successful
6. Switch applies policies and enables the port
7. Client now has secure access

The actual authentication conversation is between the client and the authentication server using EAP.

The switch detects the 802.1x-compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.

Page 16: ACS Deployment in a Small LAN

Diagram: Client – Catalyst 2950/3500 Switch – Router – Firewall – Internet, with the Cisco Secure ACS on the same LAN.

Page 17: ACS Deployment in a Global Network

Diagram labels only: Region 1 (Client, Switch 1, ACS1); Region 2 (Switch 2, ACS2); Region 3 (Switch 3, ACS3); Firewall.

Page 18: Cisco Secure ACS RADIUS Response

Diagram: End User – 802.1x – Cisco Catalyst Switch – RADIUS – Cisco Secure ACS

After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.

Page 19: Module 7 – Configure Trust and Identity at Layer 2

7.2 Configuring 802.1x Port-Based Authentication

Page 20: 802.1x Port-Based Authentication Configuration

Enable 802.1x Authentication (required)

Configure the Switch-to-RADIUS-Server Communication (required)

Enable Periodic Re-Authentication (optional)

Manually Re-Authenticating a Client Connected to a Port (optional)

Resetting the 802.1x Configuration to the Default Values (optional)

Page 21: 802.1x Port-Based Authentication Configuration (Cont.)

Changing the Quiet Period (optional)

Changing the Switch-to-Client Retransmission Time (optional)

Setting the Switch-to-Client Frame-Retransmission Number (optional)

Enabling Multiple Hosts (optional)

Resetting the 802.1x Configuration to the Default Values (optional)

Page 22: Enabling 802.1x Authentication

Switch# configure terminal
• Enter global configuration mode.

Switch(config)# aaa new-model
• Enable AAA.

Switch(config)# aaa authentication dot1x default group radius
• Create an 802.1x authentication method list.

Page 23: Enabling 802.1x Authentication (Cont.)

Switch(config)# interface fastethernet0/12
• Enter interface configuration mode.

Switch(config-if)# dot1x port-control auto
• Enable 802.1x authentication on the interface.

Switch(config-if)# end
• Return to privileged EXEC mode.

Page 24: Configuring Switch-to-RADIUS Communication

Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
• Configure the RADIUS server parameters on the switch: server address, authentication port and the shared key the switch uses to authenticate its RADIUS exchange with the server.

Page 25: Enabling Periodic Re-Authentication

Switch# configure terminal
• Enter global configuration mode.

Switch(config)# dot1x re-authentication
• Enable periodic re-authentication of the client, which is disabled by default.

Switch(config)# dot1x timeout re-authperiod seconds
• Set the number of seconds between re-authentication attempts.

Page 26: Manually Re-Authenticating a Client Connected to a Port

Switch# dot1x re-authenticate interface fastethernet0/12
• Starts re-authentication of the client. This is a privileged EXEC command, not a configuration command.

Page 27: Enabling Multiple Hosts

Switch# configure terminal
• Enter global configuration mode.

Switch(config)# interface fastethernet0/12
• Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.

Switch(config-if)# dot1x multiple-hosts
• Allow multiple hosts (clients) on an 802.1x-authorized port.

Page 28: Resetting the 802.1x Configuration to the Default Values

Switch# configure terminal
• Enter global configuration mode.

Switch(config)# dot1x default
• Reset the configurable 802.1x parameters to the default values.
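An added example, not part of the deck and not Cisco tooling: a small Python audit that reads a running-config made of the commands from slides 22 through 28 and reports what a reviewer would flag, namely a missing aaa new-model or dot1x method list, no radius-server host with a shared key, dot1x re-authentication left at its disabled default, ports without dot1x port-control auto, and ports where dot1x multiple-hosts authorizes every attached host once a single client authenticates. The sample config is constructed; the parser only understands the flat "interface" plus indented sub-command layout shown.

```python
"""Audit a Catalyst running-config for the 802.1x settings from slides 22-28.
Constructed example, not Cisco tooling; the sample config is made up."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 172.120.39.46 auth-port 1812 key rad123
dot1x timeout re-authperiod 3600
interface FastEthernet0/12
 dot1x port-control auto
interface FastEthernet0/13
 dot1x port-control auto
 dot1x multiple-hosts
interface FastEthernet0/14
 switchport mode access
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None            # any other top-level line ends the block
    return ifaces

def audit_dot1x(config: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    top = {l.rstrip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd in ("aaa new-model", "aaa authentication dot1x default group radius"):
        if cmd not in top:
            findings.append(f"missing global command: {cmd}")
    if not any(re.match(r"radius-server host \S+ .*\bkey \S+", c) for c in top):
        findings.append("no radius-server host with a shared key configured")
    if "dot1x re-authentication" not in top:
        findings.append("dot1x re-authentication absent: periodic re-auth is off by default")
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            findings.append(f"{name}: port-control is not 'auto', 802.1x not enforced")
        if "dot1x multiple-hosts" in cmds:
            findings.append(f"{name}: multiple-hosts authorizes every attached host "
                            "once one client authenticates")
    return findings
```

Note that the sample sets a re-authperiod timer without enabling dot1x re-authentication, so the timer has no effect; the audit reports exactly that.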

Page 29: Displaying 802.1x Statistics

Switch# show dot1x statistics
• Display 802.1x statistics.

Switch# show dot1x statistics interface interface-id
• Display 802.1x statistics for a specific interface.

Page 30: Displaying 802.1x Status

Switch# show dot1x
• Display 802.1x administrative and operational status.

Switch# show dot1x interface interface-id
• Display 802.1x administrative and operational status for a specific interface.