Implementing 802.1X
Rich Cropp, Penn State University, rac@psu.edu
Kevin Miller, Duke University, kevin.miller@duke.edu
Fall 2006 Internet2 Member Meeting, December 6, 2006
Agenda
- What is 802.1X?
- Why use 802.1X?
- Why not use 802.1X?
- Authentication
- Infrastructure
- Deployment
- Management
- Questions?
What is 802.1X?
- IEEE Standard for Port-Based Network Access Control
- Provides an authentication framework for LAN access
- Uses the Extensible Authentication Protocol (EAP)
- One of the components of 802.11i
802.1X
[Figure, slides 4 to 7: the 802.1X components drawn as a diagram: Laptop, Access Point, RADIUS Server, Internet. Only the labels survived extraction.]
Why use 802.1X?
- Strong authentication
  - User-based or machine-based
- Enable scalable over-the-air encryption
- Assign network profile by AuthN
  - VLAN, ACL, QoS
- Contain SSID spoofing (wireless)
Why not use 802.1X?
- Common alternatives: Web, VPN, MAC
- Long dependency chain
  - Client: supplicant, EAP, encryption (hardware)
  - Network: AP/switch support
  - Middleware: RADIUS, authentication server
Authentication
- Choosing an EAP type
  - X.509 certificates: EAP-TLS
  - Plaintext password (LDAP, Kerberos, OTP): EAP-TTLS:PAP
  - Windows hashed password: PEAP:MSCHAPv2, EAP-TTLS:MSCHAPv2
- UserID format
  - userid vs userid@realm
Authentication
- Guest login: 802.1X or other?
- AuthZ
  - Allow/deny
  - Access profile (ACL, VLAN, ...)
- Credentials
  - Common
  - Dedicated
  - Merge of several sources
Infrastructure
- RADIUS server
  - Open Solution's Radiator
  - Funk Steelbelted RADIUS
  - Cisco ACS
  - Microsoft IAS
  - FreeRADIUS
- Multiple/redundant RADIUS servers
- RADIUS transaction rate
- Certificate for RADIUS server
  - Purchase?
  - Self-signed?
- Logging, query tools
Infrastructure
- AP / switch support for 802.1X
- Wired 802.1X migration support
  - MAC based
  - Default VLAN
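To make the roles from the diagram slides concrete, and to show what "assign network profile by AuthN" (a VLAN), "userid vs userid@realm" and a wired-migration "default VLAN" look like at the protocol level, here is an added Python model. It is not code from the presentation or from either university. The inner EAP method is stood in for by a plain password comparison (a hypothetical stand-in, not a real EAP method, and no EAP-TLS/PEAP/TTLS framing is modelled); the RADIUS attribute numbers Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-Id (81) and their VLAN (13) and IEEE-802 (6) values are the real ones from RFC 2868 and RFC 3580; realm names, users, passwords, MACs and VLAN ids are constructed.

```python
"""Simplified model of the three 802.1X roles: supplicant (laptop),
authenticator (access point or switch) and authentication server (RADIUS).
Added example, not from the presentation.  The inner EAP method is replaced
by a plain password comparison (hypothetical stand-in); the RADIUS tunnel
attribute numbers and values are the real ones from RFC 2868 / RFC 3580."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# RADIUS attributes an Access-Accept carries to assign a VLAN (RFC 3580 3.31)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


@dataclass
class RadiusServer:
    """AuthN + AuthZ.  Credentials are keyed by realm so 'userid@realm' is
    routed to the right store; a bare userid uses the default realm."""
    realms: dict            # realm -> {userid: (password, vlan)}  (constructed)
    default_realm: str

    def handle_access_request(self, identity: str, password: str) -> dict:
        userid, _, realm = identity.partition("@")
        store = self.realms.get(realm or self.default_realm)
        if store is None or userid not in store:
            return {"code": "Access-Reject"}
        expected, vlan = store[userid]
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return {"code": "Access-Reject"}
        # The AuthZ decision rides in the Access-Accept as a network profile
        return {"code": "Access-Accept", "attrs": {
            TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
            TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
            TUNNEL_PRIVATE_GROUP_ID: str(vlan)}}


@dataclass
class Port:
    """State of one controlled port (one per client MAC)."""
    authorized: bool = False
    vlan: Optional[int] = None
    log: list = field(default_factory=list)


class Authenticator:
    """Access point or switch.  Relays EAP to RADIUS without ever checking
    the credential itself and opens the port only on Access-Accept."""

    def __init__(self, radius: RadiusServer, default_vlan: Optional[int] = None):
        self.radius = radius
        # Wired-migration fallback ('Default VLAN'): unauthenticated clients
        # land in this VLAN instead of being blocked.  None means block.
        self.default_vlan = default_vlan
        self.ports: dict = {}

    def port(self, mac: str) -> Port:
        return self.ports.setdefault(mac, Port())

    def forward(self, mac: str, frame_type: str):
        """VLAN a client frame is bridged onto, or None to drop it.  EAPOL is
        always taken on the uncontrolled port so authentication can start."""
        if frame_type == "EAPOL":
            return "uncontrolled"
        p = self.port(mac)
        return p.vlan if p.authorized else self.default_vlan

    def eapol_authenticate(self, mac: str, identity: str, password: str) -> Port:
        p = self.port(mac)
        p.log.append("EAP-Request/Identity -> supplicant")
        p.log.append(f"EAP-Response/Identity [{identity}] -> RADIUS Access-Request")
        reply = self.radius.handle_access_request(identity, password)
        p.log.append(f"RADIUS {reply['code']}")
        if reply["code"] != "Access-Accept":
            p.authorized, p.vlan = False, None
            return p
        attrs = reply["attrs"]
        # Honour the VLAN only when the tunnel attributes describe an 802 VLAN
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            p.vlan = int(attrs[TUNNEL_PRIVATE_GROUP_ID])
        p.authorized = True
        return p


def demo() -> dict:
    """Constructed scenario.  Returns, per client MAC, the VLAN a data frame
    reached before authentication, the final port state and the VLAN after."""
    radius = RadiusServer(
        realms={"example.edu": {"alice": ("correct-horse", 20)},
                "partner.example.org": {"bob": ("battery-staple", 30)}},
        default_realm="example.edu")
    ap = Authenticator(radius)                    # wireless: nothing without auth
    sw = Authenticator(radius, default_vlan=99)   # wired migration: guest VLAN 99
    results = {}
    for auth, mac, ident, pw in [
            (ap, "00:11:22:33:44:01", "alice", "correct-horse"),
            (ap, "00:11:22:33:44:02", "bob@partner.example.org", "wrong"),
            (ap, "00:11:22:33:44:03", "carol@nowhere.example", "x"),
            (sw, "00:11:22:33:44:04", "bob@partner.example.org", "battery-staple"),
            (sw, "00:11:22:33:44:05", "alice", "wrong")]:
        before = auth.forward(mac, "IP")
        p = auth.eapol_authenticate(mac, ident, pw)
        results[mac] = (before, p.authorized, auth.forward(mac, "IP"))
    return results


if __name__ == "__main__":
    for mac, r in demo().items():
        print(mac, r)
```

Two things the model makes visible that the bullets only name: the authenticator never verifies anything itself, it only relays EAP and acts on the RADIUS result, so the dependency chain on the "Why not" slide (client, network, middleware) is inherent; and the wired "default VLAN" fallback means a client that fails authentication still reaches a network (VLAN 99 here), which is the trade-off a migration plan has to make explicit.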
Deployment
- SSID name
- Broadcast SSID
- Multiple SSIDs
  - Open (current, guest, provisioning)
  - 802.1X
  - Client behavior
- Encryption: DynWEP, WPA, WPA2
  - Overloading SSID
- What about devices that don't support 802.1X?
- Client configuration
- Which supplicant?
Supplicants and Supported EAP Types
[Table: rows are supplicants, columns are EAP types (outer method, with inner method where one applies). The support marks in the cells did not survive extraction; only the headers are recoverable.]
- EAP types (columns): EAP-TLS, EAP-FAST, LEAP, MD5, PEAP (EAP-TLS), EAP-TTLS (PAP), EAP-TTLS (MSCHAPv2), EAP-TTLS (MSCHAP), EAP-TTLS (CHAP), PEAP (MSCHAPv2)
- Supplicants (rows): WinXP/2000/Vista native, MacOS 10.4 native, wpa_supplicant, Odyssey, Aegis, SecureW2
Management
- How quickly can you make changes on the wireless or wired network infrastructure?
- How do you encourage use of 802.1X in "dual mode" configurations?
- Can you disconnect authenticated users in your network hardware/software?
- Can you effectively troubleshoot a user connection problem?
IT Participation
- IT management / oversight
- Security officer
- Security ops
- Wireless network ops
- RADIUS server ops
- Authentication, authorization service ops
- Customer support
- Customer communications
Checklist
- Network equipment (AP/switch) supports 802.1X (wireless: WPA)
- EAP type decision
- RADIUS setup to AuthN, AuthZ
- Client-side experience known, documented, tested
- Tools to query logs for troubleshooting & security ops
- Process (tool?) to implement large-scale network changes
- Communications plan to keep users apprised of changes
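The "logging, query tools" and "RADIUS transaction rate" items on the Infrastructure slide, the troubleshooting question on the Management slide and the "tools to query logs" checklist item are the kind of need a small script covers. The following added Python example (not from the presentation) parses constructed log lines whose format is modelled loosely on FreeRADIUS radius.log "Auth:" entries; that format is an assumption, so adjust LINE_RE to whatever the deployed server actually writes. It reports successes and failures, the peak authentications per second, failures by user and by access point, failure reason classes (a wrong password looks different from a client refusing the RADIUS server's certificate, which is the self-signed versus purchased question from the Infrastructure slide) and any client MAC that failed against several different usernames, which security ops would want flagged.

```python
"""Triage of RADIUS authentication log lines: transaction rate, failures by
user and by access point, failure classes, and devices failing against many
accounts.  Added example, not from the presentation.  The log format is
constructed to resemble FreeRADIUS radius.log 'Auth:' lines (an assumption;
adjust LINE_RE for the server actually deployed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: three successes, six failures, one non-auth line.
SAMPLE_LOG = """\
Wed Dec 06 10:15:02 2006 : Auth: Login OK: [alice] (from client ap-lib-01 port 0 cli 00-11-22-AA-BB-01 via TLS tunnel)
Wed Dec 06 10:15:02 2006 : Auth: Login OK: [bob@example.edu] (from client ap-lib-01 port 0 cli 00-11-22-AA-BB-02 via TLS tunnel)
Wed Dec 06 10:15:02 2006 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client ap-lib-02 port 0 cli 00-11-22-AA-BB-03 via TLS tunnel)
Wed Dec 06 10:15:03 2006 : Info: Ready to process requests.
Wed Dec 06 10:15:03 2006 : Auth: Login incorrect (eap_tls: client rejected server certificate): [dave] (from client ap-dorm-07 port 0 cli 00-11-22-AA-BB-04)
Wed Dec 06 10:15:04 2006 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [erin] (from client ap-lib-02 port 0 cli 00-11-22-AA-BB-09 via TLS tunnel)
Wed Dec 06 10:15:04 2006 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [frank] (from client ap-lib-02 port 0 cli 00-11-22-AA-BB-09 via TLS tunnel)
Wed Dec 06 10:15:05 2006 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [grace] (from client ap-lib-02 port 0 cli 00-11-22-AA-BB-09 via TLS tunnel)
Wed Dec 06 10:15:05 2006 : Auth: Login OK: [carol] (from client ap-lib-02 port 0 cli 00-11-22-AA-BB-03 via TLS tunnel)
Wed Dec 06 10:15:06 2006 : Auth: Login incorrect (eap_tls: client rejected server certificate): [dave] (from client ap-dorm-07 port 0 cli 00-11-22-AA-BB-04)
"""

# One 'Auth:' line: timestamp, result, optional reason, user, NAS (the AP
# or switch as a RADIUS client) and the calling-station MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f-]{17})")


def parse(text: str) -> list:
    """Return one dict per authentication line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
        d["ok"] = d.pop("result") == "OK"
        d["reason"] = d["reason"] or ""
        events.append(d)
    return events


def summarize(events: list, min_users_per_mac: int = 3) -> dict:
    """Operational view of the parsed events, for troubleshooting and for
    spotting one device cycling through several accounts."""
    failures = [e for e in events if not e["ok"]]
    per_second = Counter(e["ts"] for e in events)      # transaction rate
    users_per_mac = defaultdict(set)
    for e in failures:
        users_per_mac[e["mac"]].add(e["user"])
    return {
        "ok": sum(1 for e in events if e["ok"]),
        "failed": len(failures),
        "peak_auths_per_second": max(per_second.values(), default=0),
        "failures_by_user": Counter(e["user"] for e in failures),
        "failures_by_nas": Counter(e["nas"] for e in failures),
        # reason class = text before the first colon (module that failed)
        "failure_reasons": Counter(e["reason"].split(":")[0] for e in failures),
        "macs_failing_many_users": sorted(
            m for m, users in users_per_mac.items()
            if len(users) >= min_users_per_mac),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real radius.log the same way: read the file, parse, summarize. Failures grouped by NAS point at an access point or switch problem; grouped by reason class they separate credential problems from certificate-trust problems on the client side; the peak-per-second figure is the number to compare with the RADIUS transaction rate the servers were sized for.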
Questions?