Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

Published byMae Hunter Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College."— Presentation transcript:

1 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College of San Francisco Spring 2007

2 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 7 – Configure Trust and Identity at Layer 2

3 3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 7.1 Identity-Based Networking Services (IBNS) 7.2 Configuring 802.1x Port-Based Authentication

4 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 7 – Configure Trust and Identity at Layer 2 7.1 Identity-Based Networking Services (IBNS)

5 5 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Identity Based Networking Services (IBNS) Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. Cisco IBNS is an IEEE 802.1x-based technology that authenticates users based on personal identity verification. IEEE 802.1x is a Layer 2 protocol designed to provide port-based network access.

6 6 © 2005 Cisco Systems, Inc. All rights reserved. Identity Based Network Services Unified Control of User Identity for the Enterprise Cisco VPN Concentrators, IOS Routers, PIX Security Appliances Router Internet Cisco Secure ACS Firewall VPN Clients Hard and Soft Tokens Remote Offices OTP Server

7 7 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x 802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access. The 802.1x framework defines three roles in the authentication process: 1.Supplicant = endpoint that needs network access 2.Authenticator = switch or access point 3.Authentication Server = RADIUS, TACACS+, LDAP The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.

8 8 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Roles Authentication Server Authenticator Supplicant Microsoft Windows XP includes 802.1x supplicant support

9 9 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Authenticator and Supplicant The perimeter router acts as the authenticator Internet Cisco Secure ACS Home Office The remote user’s PC acts as the supplicant

10 10 © 2005 Cisco Systems, Inc. All rights reserved. How 802.1x Works Authentication Server (RADIUS) Catalyst 2950 (switch) End User (client) 802.1x RADIUS Actual authentication conversation occurs between the client and Authentication Server using EAP. The authenticator is aware of this activity, but it is just a middleman.

11 11 © 2005 Cisco Systems, Inc. All rights reserved. How 802.1x Works (Continued) Authentication Server (RADIUS) Catalyst 2950 (switch) End User (client) EAPOL - Start EAP – Request Identity EAP – Response/Identity RADIUS Access - Request EAP – Request/OTP RADIUS Access - Challenge EAP – Response/OTP RADIUS Access - Request RADIUS Access - AcceptEAP – Success Port Authorized EAPOL – Logoff Port Unauthorized

12 12 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x and EAP Prior to the client authentication, the port will only allow 802.1x protocol, CDP, and STP traffic. EAP is the transport protocol used by 802.1x to authenticate supplicants against an authentication server such as RADIUS. –RFC 3748 updated EAP to support IEEE 802 On LAN media, the supplicant and authenticator use the EAP over LANs (EAPOL) encapsulation.

13 13 © 2005 Cisco Systems, Inc. All rights reserved. EAP Characteristics EAP – The Extensible Authentication Protocol Extension of PPP to provide additional authentication features A flexible protocol used to carry arbitrary authentication information. Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+ Specified in RFC 2284 Support multiple authentication types : EAP-MD5: Plain Password Hash (CHAP over EAP) EAP-TLS (based on X.509 certificates) LEAP (EAP-Cisco Wireless) PEAP (Protected EAP)

14 14 © 2005 Cisco Systems, Inc. All rights reserved. EAP Selection Cisco Secure ACS supports the following varieties of EAP: EAP-MD5 – An EAP protocol that does not support mutual authentication. EAP-TLS – EAP incorporating Transport Layer Security (TLS). LEAP—An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication. PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols. EAP-FAST – EAP Flexible Authentication via Secured Tunnel (EAP- FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication.

15 15 © 2005 Cisco Systems, Inc. All rights reserved. Cisco LEAP Lightweight Extensible Authentication Protocol Derives per-user, per-session key Enhancement to IEEE802.11b Wired Equivalent Privacy (WEP) encryption Uses mutual authentication – both user and AP needs to be authenticated Access Point Client ACS Server

16 16 © 2005 Cisco Systems, Inc. All rights reserved. Mutual Authentication Cisco LEAP as well as other secure EAP variations support mutual authentication. The authentication server sends a challenge to the client and the client responds to the challenge with a hash of a secret password known by the client and the network. –Password is never sent over the wire When the client is authenticated, the same process is repeated in reverse order so the client can authenticate the server.

17 17 © 2005 Cisco Systems, Inc. All rights reserved. EAP-TLS EAP – Transport Layer Security RFC 2716 – Developed by Microsoft Used for TLS Handshake Authentication (RFC2246) Requires PKI (X.509) Certificates rather than username/password Mutual authentication Requires client and server certificates Certificate Management is complex and costly Access Point Client Switch ACS Server Server cert, cert request

18 18 © 2005 Cisco Systems, Inc. All rights reserved. PEAP Protected Extensible Authentication Protocol Internet-Draft by Cisco, Microsoft & RSA Enhancement of EAP-TLS Requires server certificate only Mutual authentication username/password challenge over TLS Channel Available for use with Microsoft and Cisco products Access Point Client Switch TLS Tunnel ACS Server

19 19 © 2005 Cisco Systems, Inc. All rights reserved. How Does Basic Port Based Network Access Work? The switch detects the 802.1x compatible client, forces authentication, then acts as a middleman during the authentication, Upon successful authentication the switch sets the port to forwarding, and applies the designated policies. Switch Request ID Send ID/Password or Certificate Switch Forward credentials to ACS Server Authentication Successful Client now has secure access 802.1x RADIUS Cisco Secure ACS AAA Radius Server 802.1x Capable Ethernet LAN Access Devices 1 2 34 5 6 7 applies policies and enables port. Host device attempts to connects to Switch Actual authentication conversation is between client and Auth Server using EAP. 6500 SeriesAccess Points 4500/4000 Series 3550/2950 Series

20 20 © 2005 Cisco Systems, Inc. All rights reserved. ACS Deployment in a Small LAN Cisco Secure ACS Client Catalyst 2950/3500 Switch Firewall Router Internet

21 21 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS RADIUS Response After a user successfully completes the EAP authentication process the Cisco Secure ACS responds to the switch with a RADIUS authentication- accept packet granting that user access to the network. Cisco Secure ACS Cisco Catalyst Switch End User 802.1x RADIUS

22 22 © 2005 Cisco Systems, Inc. All rights reserved. Module 7 – Configure Trust and Identity at Layer 2 7.2 Configuring 802.1x Port-Based Authentication

23 23 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Port-Based Authentication Configuration –Enable 802.1x Authentication (required) –Configure the Switch-to-RADIUS-Server Communication (required) –Enable Periodic Re-Authentication (optional) –Manually Re-Authenticating a Client Connected to a Port (optional)

24 24 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Port-Based Authentication Configuration (Cont.) –Changing the Switch-to-Client Retransmission Time (optional) –Setting the Switch-to-Client Frame-Retransmission Number (optional) –Enabling Multiple Hosts (optional) –Resetting the 802.1x Configuration to the Default Values (optional)

25 25 © 2005 Cisco Systems, Inc. All rights reserved. Enabling 802.1x Authentication configure terminal Switch# Enter global configuration mode aaa new-model Switch(config)# Enable AAA aaa authentication dot1x default group radius Switch(config)# Create an 802.1x authentication method list

26 26 © 2005 Cisco Systems, Inc. All rights reserved. Enabling 802.1x Authentication (Cont.) interface fastethernet0/12 Switch(config)# Enter interface configuration mode dot1x port-control auto Switch(config-if)# Enable 802.1x authentication on the interface end Switch(config-if)# Return to privileged EXEC mode

27 27 © 2005 Cisco Systems, Inc. All rights reserved. Configuring Switch-to-RADIUS Communication radius-server host 172.l20.39.46 auth-port 1812 key rad123 Switch(config)# Configure the RADIUS server parameters on the switch.

28 28 © 2005 Cisco Systems, Inc. All rights reserved. Enabling Periodic Re-Authentication configure terminal Switch# Enter global configuration mode dot1x re-authentication Switch(config)# Enable periodic re-authentication of the client, which is disabled by default. dot1x timeout re-authperiod seconds Switch(config)# Set the number of seconds between re-authentication attempts.

29 29 © 2005 Cisco Systems, Inc. All rights reserved. Manually Re-Authenticating a Client Connected to a Port dot1x re-authenticate interface fastethernet0/12 Switch(config)# Starts re-authentication of the client.

30 30 © 2005 Cisco Systems, Inc. All rights reserved. Enabling Multiple Hosts configure terminal Switch# Enter global configuration mode interface fastethernet0/12 Switch(config)# Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached. dot1x multiple-hosts Switch(config-if)# Allow multiple hosts (clients) on an 802.1x-authorized port.

31 31 © 2005 Cisco Systems, Inc. All rights reserved. Resetting the 802.1x Configuration to the Default Values configure terminal Switch# Enter global configuration mode dot1x default Switch(config)# Reset the configurable 802.1x parameters to the default values.

32 32 © 2005 Cisco Systems, Inc. All rights reserved. Displaying 802.1x Statistics show dot1x statistics Switch# Display 802.1x statistics show dot1x statistics interface interface-id Switch# Display 802.1x statistics for a specific interface.

33 33 © 2005 Cisco Systems, Inc. All rights reserved. Displaying 802.1x Status show dot1x Switch# Display 802.1x administrative and operational status. show dot1x interface interface-id Switch# Display 802.1x administrative and operational status for a specific interface.

34 34 © 2005 Cisco Systems, Inc. All rights reserved. 34 © 2005, Cisco Systems, Inc. All rights reserved.

Download ppt "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College."

Similar presentations

Authentication.

Authentication.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—2-1 Ethernet LANs Operating Cisco IOS Software.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—2-1 Ethernet LANs Operating Cisco IOS Software.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
KIRAN CHAMARTHI NETWORK SECURITY

KIRAN CHAMARTHI NETWORK SECURITY
802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.

802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.
Remote Networking Architectures

Remote Networking Architectures
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

Similar presentations

Ads by Google