Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer.

Published byAngelica Houston Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer."— Presentation transcript:

1 1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer Cisco Systems

2 222 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Port-Based Network Authentication Have the client (a user or a device) request a service—in this case access to the network Verify the client’s claim of identity—authentication Reference the configured policies for the requesting client Grant or deny the services as per the policy— authorization

3 333 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS A Closer Look… Login Req. Actual Authentication Conversation Is between Client and Auth Server Using EAP; the Switch Is Just a Middleman, but Is Aware of What’s Going on Send CredentialsForward Credentials to ACS Server Authentication SuccessfulAccept 802.1x RADIUS Policy Instructions

4 444 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Agenda Protocols and Mechanisms behind 802.1x Identity-Based Policy Enforcement Understanding Microsoft Environments

5 555 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS IEEE 802.1x? Standard set by the IEEE 802.1 working group— ratified in December of 2001 Designed to address and provide port-based access control using authentication Describes a standard link layer protocol used for transporting higher-level authentication protocols Actual enforcement is via MAC-based filtering and port state monitoring

6 666 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Some IEEE Terminology IEEE Terms Normal People Terms SupplicantClient AuthenticatorNetwork Access Device Authentication ServerAAA/RADIUS Server

7 777 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Current Prevalent Authentication Methods EAP-MD5: Uses MD5-based Challenge-Response for authentication EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication EAP-MSCHAPv2: Uses username/password MSCHAPv2 Challenge Response authentication LEAP: Uses username/password authentication PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel—much like web-based SSL EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel EAP-GTC: Generic token and OTP authentication

8 888 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Agenda Protocols and Mechanisms behind 802.1x Identity-Based Policy Enforcement Understanding Microsoft Environments

9 999 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS IBNS Features and Benefits Enhanced Port Based Access Control Greater flexibility and mobility for a stratified user community Enhanced User Productivity Added support for converged VoIP networks Centralized Management with AAA server Wireless Mobility with 802.1X and EAP Authentication Types Catalyst Switch Portfolio Basic 802.1X Support 802.1X with VLANs 802.1X with Port Security 802.1X with VVID 802.1X Guest VLANs 802.1X with ACLs

10 10 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Dynamic VLAN Assignment Dynamic VLAN assignment based on identity Allows VLAN assignment, by group, or individual, at the time of authentication VLANs assigned by name—allows for more flexible VLAN management Allows VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.)

11 11 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Dynamic VLAN Mechanism RADIUS AV-Pairs used to send back VLAN configuration information to authenticator. AV-Pair usage for VLANs is IEEE specified in the 802.1x standard. AV-Pairs used – all are IETF standard: [64] Tunnel-Type – “VLAN” (13) [65] Tunnel-Medium-Type – “802” (6) [81] Tunnel-Private-Group-ID -

12 12 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS ACS Configuration Group Policy Configuration – VLAN Assignment

13 13 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Guest Access Guest clients do NOT have an 802.1x supplicant. This type of guest access is provided by the switch. If client does not respond to 802.1x auth requests before timeout, guest access will be applied. Default timeout is 30 seconds with 3 retries. Total timeout period is 90 secs by default. Login Request User has access to DMZ or “Quarantine” network. Switch applies policies and enables port. Login Request Authentication timeout. Retries expired. Client is not 802.1x capable. Put them in the quarantine zone! Set port VLAN to 100 - DMZ

14 14 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS IEEE 802.1x with Voice VLAN 123456789101112 Problem – How to connect a PC (dot1x client) through an IP Phone (non-dot1x client) to a dot1x enabled switch port? Answer – Switch identifies IP Phone (as a Cisco phone) and bypasses dot1x authentication – BUT – still forces authentication for downstream device Radius Server Dot1x ClientNon Dot1x Client Dot1x port

15 15 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Example Configuration—ACL download

16 16 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS What is just around the corner … QoS Parameters The user will have their port assigned a particular QoS policy based on their login. Initially it will be one of several ‘templates’. Port Naming The port name in the switch’s CLI will be rewritten with the username used during login. This allows for simplified administration and accounting of LANs. Accounting The NAS Port info will be sent to the RADIUS server to tie a user to a physical location; A start / stop update will be used to determine user movement.

17 17 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Agenda Protocols and Mechanisms behind 802.1x Identity-Based Policy Enforcement Understanding Microsoft Environments

18 18 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Windows Boot Cycle Overview Power UpLoad NDIS drivers DHCPSetup Secure Channel to DC Update GPOsApply Computer GPOs Present GINA (Ctrl-Alt-Del) Login Inherent Assumption of Network Connectivity

19 19 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Windows Machine Authentication Power Up Load NDIS drivers DHCP Setup Secure Channel to DC Update GPOs Apply Computer GPOs Present GINA (Ctrl-Alt-Del) Login 802.1x Authenticate as Computer

20 20 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Microsoft and Machine Authentication What is Machine Authentication? The ability of a Windows workstation to authenticate under it’s own identity, independent of the requirement for an interactive user session What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows Domain Controllers in order to pull down machine group policies Why do we care? Pre-802.1x this worked under the assumption that network connectivity was a given; post-802.1x the blocking of network access prior to 802.1x authentication breaks the machine-based group policy model—UNLESS the machine can authenticate using its own identity in 802.1x

21 21 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Different Modes of Authentication in Microsoft Environments Controlled by registry keys Authentication by machine only No need for user authentication if machine authentication is successful Authentication by user only No machine authentication taking place at all—be careful, this breaks group and system policies Authentication by user and machine Uses authentication of both user and machine; switches contexts when going from one to the other

22 22 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Microsoft Issues with DHCP DHCP is a parallel event, independent of 802.1x authentication With wired interfaces a successful 802.1x authentication DOES NOT force an DHCP address discovery (no media-connect signal) This produces a problem if not properly planned DHCP starts once interface comes up If 802.1x authentication takes too long, DHCP may time out… Host may also be put into a different VLAN upon 802.1X authentication

23 23 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS DHCP Timeout Problem Power Up Load NDIS Drivers DHCP Setup Secure Channel to DC Present GINA (Ctrl-Alt-Del) Login DHCP—Timeout at 62 Sec. 802.1x Auth—Variable Timeout

24 24 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Microsoft Fixes Operation Login Req. At this point, DHCP proceeds normally. Send Credentials Forward Credentials to ACS Server Auth Successful (EAP-Success) Accept 802.1x RADIUS/DHCP VLAN Assignment Authentication Server Authenticator Supplicant ICMP echo (x3) for default gw from “old IP” as soon as EAP-Success frame is rcvd DHCP-Request (D=255.255.255.255) (after pings have gone unanswered) DHCP-NAK (wrong subnet) DHCP-Discover (D=255.255.255.255)

25 25 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Conclusion Situation gets better and better on the supplicant side Authorization part of AAA gives IBN great extensibility 802.1X being deployed more & more on switches Also present on Cisco IOS routers combined with IPsec VPN access

26 26 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS 26 © 2002, Cisco Systems, Inc. All rights reserved. Questions?

27 27 © 2003 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS 27 © 2003, Cisco Systems, Inc. All rights reserved.

Download ppt "1 © 2004 Cisco Systems, Inc. All rights reserved. Emarin Terena IBNS Identity Based Networking Terena Rhodes, June 04 Eric Marin EMEA Consulting Engineer."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Network Security.

Network Security.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.
1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.

1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.

Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.
802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.

802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.

EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.

1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.

Similar presentations

Ads by Google