1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

Presentation transcript:

Slide 1: CNIT 221 Security 1 ver.2, Module 7 – City College of San Francisco, Spring 2007

Slide 2: Network Security 1 – Module 7: Configure Trust and Identity at Layer 2

Slide 3: Learning Objectives
7.1 Identity-Based Networking Services (IBNS)
7.2 Configuring 802.1x Port-Based Authentication

Slide 4: Module 7 – Configure Trust and Identity at Layer 2 – 7.1 Identity-Based Networking Services (IBNS)

Slide 5: Cisco Identity Based Networking Services (IBNS)
Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. Cisco IBNS is an IEEE 802.1x-based technology that authenticates users based on personal identity verification. IEEE 802.1x is a Layer 2 protocol designed to provide port-based network access.

Slide 6: Identity Based Network Services – Unified Control of User Identity for the Enterprise
(diagram labels: Cisco VPN Concentrators, IOS Routers, PIX Security Appliances; Router; Internet; Cisco Secure ACS; Firewall; VPN Clients; Hard and Soft Tokens; Remote Offices; OTP Server)

Slide 7: 802.1x
802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access. The 802.1x framework defines three roles in the authentication process:
1. Supplicant = endpoint that needs network access
2. Authenticator = switch or access point
3. Authentication Server = RADIUS, TACACS+, LDAP
The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.

Slide 8: 802.1x Roles
(diagram: Authentication Server – Authenticator – Supplicant)
Microsoft Windows XP includes 802.1x supplicant support.

Slide 9: 802.1x Authenticator and Supplicant
(diagram: Home Office – Internet – Cisco Secure ACS)
The perimeter router acts as the authenticator. The remote user's PC acts as the supplicant.

Slide 10: How 802.1x Works
(diagram: End User (client) –802.1x– Catalyst 2950 (switch) –RADIUS– Authentication Server (RADIUS))
The actual authentication conversation occurs between the client and the Authentication Server using EAP. The authenticator is aware of this activity, but it is just a middleman.

Slide 11: How 802.1x Works (Continued)
Message flow between the End User (client), the Catalyst 2950 (switch) and the Authentication Server (RADIUS):
– EAPOL-Start (client to switch)
– EAP-Request/Identity (switch to client)
– EAP-Response/Identity (client to switch), relayed to the server as RADIUS Access-Request
– RADIUS Access-Challenge (server to switch), relayed to the client as EAP-Request/OTP
– EAP-Response/OTP (client to switch), relayed to the server as RADIUS Access-Request
– RADIUS Access-Accept (server to switch), relayed to the client as EAP-Success: Port Authorized
– EAPOL-Logoff (client to switch): Port Unauthorized

Slide 12: 802.1x and EAP
Prior to the client authentication, the port will only allow 802.1x protocol, CDP, and STP traffic.
EAP is the transport protocol used by 802.1x to authenticate supplicants against an authentication server such as RADIUS.
– RFC 3748 updated EAP to support IEEE 802.
On LAN media, the supplicant and authenticator use the EAP over LANs (EAPOL) encapsulation.
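The roles on slides 10 to 12, modelled as an added example that is not from the original slides or from Cisco: a stand-in RADIUS server, an authenticator port that only relays EAP and forwards nothing but 802.1x, CDP and STP until it is authorized, and a replay of the slide 11 message sequence including EAPOL-Logoff. The EtherType 0x888E is the real EAPOL value; the user name, the OTP value and the "proto" tag used to mark CDP/STP frames are constructed simplifications.

```python
ETHERTYPE_EAPOL = 0x888E   # real EtherType of EAP over LAN
ETHERTYPE_IPV4 = 0x0800

class RadiusServer:
    """Stand-in authentication server (slide 10) holding one-time passwords."""
    def __init__(self, otp_db):
        self.otp_db = otp_db
        self.pending = set()      # identities that were challenged for an OTP

    def access_request(self, eap):
        """Return (RADIUS code, EAP message the switch relays to the client)."""
        kind, value = eap
        if kind == "Response/Identity":
            self.pending.add(value)
            return "Access-Challenge", ("Request/OTP", value)
        identity, otp = value
        if kind == "Response/OTP" and identity in self.pending:
            self.pending.discard(identity)
            if self.otp_db.get(identity) == otp:
                return "Access-Accept", ("Success", identity)
        return "Access-Reject", ("Failure", identity)

class AuthenticatorPort:
    """Switch port: a middleman that never checks credentials itself."""
    def __init__(self, radius):
        self.radius = radius
        self.authorized = False
        self.to_client = []       # EAP messages sent back to the supplicant

    def forwards(self, frame):
        """Pre-authentication filter from slide 12: only 802.1x, CDP, STP."""
        return (self.authorized or frame.get("ethertype") == ETHERTYPE_EAPOL
                or frame.get("proto") in ("CDP", "STP"))

    def receive_eapol(self, eapol):
        if eapol[0] == "Start":
            self.to_client.append(("Request/Identity", None))
        elif eapol[0] == "Logoff":
            self.authorized = False      # slide 11: Logoff -> Port Unauthorized
        elif eapol[0] == "EAP":
            code, reply = self.radius.access_request(eapol[1])
            self.to_client.append(reply)
            self.authorized = code == "Access-Accept"

def run_exchange(identity="alice", otp="482913"):
    """Replay the slide 11 sequence; returns a port-state trace and EAP replies."""
    port = AuthenticatorPort(RadiusServer({"alice": "482913"}))   # constructed OTP
    trace = [port.forwards({"ethertype": ETHERTYPE_IPV4})]        # IP blocked before auth
    port.receive_eapol(("Start",))
    port.receive_eapol(("EAP", ("Response/Identity", identity)))
    port.receive_eapol(("EAP", ("Response/OTP", (identity, otp))))
    trace += [port.authorized, port.forwards({"ethertype": ETHERTYPE_IPV4})]
    port.receive_eapol(("Logoff",))
    trace.append(port.authorized)
    return trace, port.to_client
```

`run_exchange()` returns the trace `[False, True, True, False]`: IP blocked before authentication, port authorized after Access-Accept, and unauthorized again after EAPOL-Logoff.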

Slide 13: EAP Characteristics
EAP – The Extensible Authentication Protocol
– Extension of PPP to provide additional authentication features
– A flexible protocol used to carry arbitrary authentication information
– Typically rides on top of another protocol such as 802.1x or RADIUS; EAP can also be used with TACACS+
– Specified in RFC 2284
– Supports multiple authentication types:
  EAP-MD5: plain password hash (CHAP over EAP)
  EAP-TLS (based on X.509 certificates)
  LEAP (EAP-Cisco Wireless)
  PEAP (Protected EAP)

Slide 14: EAP Selection
Cisco Secure ACS supports the following varieties of EAP:
– EAP-MD5 – An EAP protocol that does not support mutual authentication.
– EAP-TLS – EAP incorporating Transport Layer Security (TLS).
– LEAP – An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
– PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
– EAP-FAST – EAP Flexible Authentication via Secured Tunnel, a faster means of encrypting EAP authentication; supports EAP-GTC authentication.

Slide 15: Cisco LEAP
Lightweight Extensible Authentication Protocol
– Derives per-user, per-session keys
– Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
– Uses mutual authentication: both the user and the AP need to be authenticated
(diagram: Client – Access Point – ACS Server)

Slide 16: Mutual Authentication
Cisco LEAP as well as other secure EAP variations support mutual authentication. The authentication server sends a challenge to the client, and the client responds to the challenge with a hash of a secret password known by the client and the network.
– The password is never sent over the wire.
When the client is authenticated, the same process is repeated in reverse order so the client can authenticate the server.
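The challenge/response on slide 16, as an added example that is not part of the original slides: both directions of the exchange are run, a peer that does not hold the password is rejected in the reverse direction, and every message that crossed the "wire" is checked for the raw password. HMAC-SHA256 stands in for the keyed hash for illustration; it is not LEAP's actual MS-CHAP derivation. Party names and the password are constructed.

```python
import hashlib
import hmac
import secrets

def keyed_response(secret, responder, challenge):
    """Hash the challenge under the shared secret. Binding the responder's name
    in means a challenge reflected back yields a different, useless answer."""
    return hmac.new(secret, responder.encode() + challenge, hashlib.sha256).digest()

class Party:
    """Either side of the exchange; client and server hold the same secret."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def challenge(self, wire):
        nonce = secrets.token_bytes(16)           # fresh per attempt, so no replay
        wire.append((self.name, "challenge", nonce))
        return nonce

    def answer(self, nonce, wire):
        resp = keyed_response(self.secret, self.name, nonce)
        wire.append((self.name, "response", resp))
        return resp

    def verify(self, peer, nonce, resp):
        return hmac.compare_digest(keyed_response(self.secret, peer, nonce), resp)

def mutual_authenticate(client, server, wire):
    """Slide 16: server authenticates client, then the exchange runs in reverse."""
    c1 = server.challenge(wire)
    if not server.verify(client.name, c1, client.answer(c1, wire)):
        return False
    c2 = client.challenge(wire)
    return client.verify(server.name, c2, server.answer(c2, wire))

def secret_on_wire(wire, secret):
    """Defender check: no transmitted message may contain the raw password."""
    return any(secret in payload for _, _, payload in wire)

def demo():
    secret = b"correct horse battery staple"      # constructed sample password
    wire = []
    client, acs = Party("client", secret), Party("acs", secret)
    ok = mutual_authenticate(client, acs, wire)
    # A rogue AP that does not know the password fails the reverse direction.
    rogue = Party("rogue-ap", b"guess")
    c = client.challenge(wire)
    rogue_ok = client.verify(rogue.name, c, rogue.answer(c, wire))
    return ok, rogue_ok, secret_on_wire(wire, secret)
```

`demo()` returns `(True, False, False)`: the legitimate pair authenticates in both directions, the rogue server is rejected by the client, and the password itself never appears in any transmitted message.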

Slide 17: EAP-TLS
EAP – Transport Layer Security
– RFC 2716 – developed by Microsoft
– Used for TLS Handshake Authentication (RFC 2246)
– Requires PKI (X.509) certificates rather than username/password
– Mutual authentication; requires client and server certificates
– Certificate management is complex and costly
(diagram: Client – Access Point – Switch – ACS Server; server cert, cert request)

Slide 18: PEAP
Protected Extensible Authentication Protocol
– Internet-Draft by Cisco, Microsoft & RSA
– Enhancement of EAP-TLS
– Requires a server certificate only
– Mutual authentication: username/password challenge over a TLS channel
– Available for use with Microsoft and Cisco products
(diagram: Client – Access Point – Switch – ACS Server, with a TLS tunnel)

Slide 19: How Does Basic Port Based Network Access Work?
The switch detects the 802.1x compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.
Diagram steps:
1. Host device attempts to connect to the switch.
2. Switch: Request ID.
3. Client: Send ID/Password or Certificate.
4. Switch: Forward credentials to ACS Server (802.1x toward the client, RADIUS toward the Cisco Secure ACS AAA RADIUS Server).
5. Authentication successful; the access device applies policies and enables the port.
6. Client now has secure access.
The actual authentication conversation is between the client and the Auth Server using EAP.
(diagram labels: 802.1x Capable Ethernet LAN Access Devices – … Series Access Points, 4500/4000 Series, 3550/2950 Series)

Slide 20: ACS Deployment in a Small LAN
(diagram: Client – Catalyst 2950/3500 Switch – Cisco Secure ACS; Router – Firewall – Internet)

Slide 21: Cisco Secure ACS RADIUS Response
After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.
(diagram: End User –802.1x– Cisco Catalyst Switch –RADIUS– Cisco Secure ACS)

Slide 22: Module 7 – Configure Trust and Identity at Layer 2 – 7.2 Configuring 802.1x Port-Based Authentication

Slide 23: 802.1x Port-Based Authentication Configuration
– Enable 802.1x Authentication (required)
– Configure the Switch-to-RADIUS-Server Communication (required)
– Enable Periodic Re-Authentication (optional)
– Manually Re-Authenticating a Client Connected to a Port (optional)

Slide 24: 802.1x Port-Based Authentication Configuration (Cont.)
– Changing the Switch-to-Client Retransmission Time (optional)
– Setting the Switch-to-Client Frame-Retransmission Number (optional)
– Enabling Multiple Hosts (optional)
– Resetting the 802.1x Configuration to the Default Values (optional)

Slide 25: Enabling 802.1x Authentication
Switch# configure terminal – Enter global configuration mode.
Switch(config)# aaa new-model – Enable AAA.
Switch(config)# aaa authentication dot1x default group radius – Create an 802.1x authentication method list.

Slide 26: Enabling 802.1x Authentication (Cont.)
Switch(config)# interface fastethernet0/12 – Enter interface configuration mode.
Switch(config-if)# dot1x port-control auto – Enable 802.1x authentication on the interface.
Switch(config-if)# end – Return to privileged EXEC mode.

Slide 27: Configuring Switch-to-RADIUS Communication
Switch(config)# radius-server host 172.l auth-port 1812 key rad123 – Configure the RADIUS server parameters on the switch.

Slide 28: Enabling Periodic Re-Authentication
Switch# configure terminal – Enter global configuration mode.
Switch(config)# dot1x re-authentication – Enable periodic re-authentication of the client, which is disabled by default.
Switch(config)# dot1x timeout re-authperiod seconds – Set the number of seconds between re-authentication attempts.

Slide 29: Manually Re-Authenticating a Client Connected to a Port
Switch(config)# dot1x re-authenticate interface fastethernet0/12 – Start re-authentication of the client.

Slide 30: Enabling Multiple Hosts
Switch# configure terminal – Enter global configuration mode.
Switch(config)# interface fastethernet0/12 – Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Switch(config-if)# dot1x multiple-hosts – Allow multiple hosts (clients) on an 802.1x-authorized port.

Slide 31: Resetting the 802.1x Configuration to the Default Values
Switch# configure terminal – Enter global configuration mode.
Switch(config)# dot1x default – Reset the configurable 802.1x parameters to the default values.

Slide 32: Displaying 802.1x Statistics
Switch# show dot1x statistics – Display 802.1x statistics.
Switch# show dot1x statistics interface interface-id – Display 802.1x statistics for a specific interface.

Slide 33: Displaying 802.1x Status
Switch# show dot1x – Display 802.1x administrative and operational status.
Switch# show dot1x interface interface-id – Display 802.1x administrative and operational status for a specific interface.
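An added configuration check for the procedure on slides 25 to 33 (not Cisco's tooling): it parses running-config text, reports which required global commands from slides 25 and 27 are missing, which access ports lack dot1x port-control auto, and which optional settings (re-authentication left off, multiple-hosts enabled) a reviewer should look at. The sample config, the 192.0.2.10 server address and the RADIUS key are constructed placeholders.

```python
REQUIRED_GLOBAL = (   # required steps from slides 25 and 27
    "aaa new-model",
    "aaa authentication dot1x default group radius",
)

def parse_config(text):
    """Split IOS running-config text into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit_dot1x(text, access_ports):
    """Findings for the required steps and for optional settings worth reviewing."""
    global_lines, interfaces = parse_config(text)
    findings = [f"missing global: {g}" for g in REQUIRED_GLOBAL if g not in global_lines]
    if not any(g.startswith("radius-server host ") for g in global_lines):
        findings.append("missing global: radius-server host")
    if "dot1x re-authentication" not in global_lines:
        findings.append("note: periodic re-authentication is off (the default)")
    for port in access_ports:
        cmds = interfaces.get(port, [])
        if "dot1x port-control auto" not in cmds:
            findings.append(f"{port}: dot1x port-control auto missing, port is not authenticated")
        if "dot1x multiple-hosts" in cmds:
            findings.append(f"{port}: multiple-hosts set, one authenticated client opens the port for all")
    return findings

# Constructed sample running-config; the server address and RADIUS key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 key PLACEHOLDER-KEY
!
interface FastEthernet0/12
 dot1x port-control auto
!
interface FastEthernet0/13
 dot1x multiple-hosts
!
"""

def demo():
    return audit_dot1x(SAMPLE_CONFIG, ["FastEthernet0/12", "FastEthernet0/13"])
```

`demo()` reports three findings for the sample: re-authentication is off, and FastEthernet0/13 has no port-control auto but does have multiple-hosts enabled.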
