802.1X Configuration .


Slide 1

802.1X Configuration
TERENA 802.1X workshop, the Netherlands, Amsterdam, March 30th
Paul Dekkers

Slide 2

Overview

Slide 3

EAP

Slide 4

What makes EAP flexible

Slide 5

Man-in-the-Middle attack
That's why we need a good EAP mechanism!

Slide 6

RADIUS proxy-ing

Slide 7

RADIUS Client-Server model
Authenticator is a RADIUS client
Authentication-server is the RADIUS server
RADIUS server can be a client too

Slide 8

RADIUS – what's in the packet
UDP, ports 1645/1646 or 1812/1813 – mind the firewall!
Attributes, like User-Name, User-Password, EAP-Message
Shared Secret
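An added example (not from the slides) that builds and parses the Access-Request described on this slide: an RFC 2865 header, a User-Name attribute and a User-Password attribute hidden with the shared secret. The hiding is only MD5(secret + authenticator) XOR password, which is why the shared secret and a proper EAP tunnel (TTLS/PEAP) matter; the user name and secret below are constructed test values (the secret is the one from the Radiator client example later on).

```python
import hashlib
import os
import struct

# RFC 2865 code and attribute types named on the slide
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous cipher block), the Request Authenticator seeding block 1."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(user: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Header (code, id, length, 16-byte authenticator) followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)  # must be random per request
    attrs = b""
    for typ, val in ((ATTR_USER_NAME, user.encode()),
                     (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val  # length covers type+len bytes
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes, secret: bytes):
    """Return (code, identifier, {attr_type: value}); User-Password is revealed."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos + 2 <= min(length, len(data)):
        typ, alen = data[pos], data[pos + 1]
        if alen < 2:  # malformed attribute; stop rather than loop forever
            break
        val = data[pos + 2:pos + alen]
        attrs[typ] = reveal_password(val, secret, authenticator) if typ == ATTR_USER_PASSWORD else val
        pos += alen
    return code, ident, attrs
```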

Slide 9

RADIUS and REALMS
Use well-chosen realms: preferably like an email address, user@institution.ccTLD
Important with PROXY-ing

Slide 10

Guest Access

Slide 11

Traffic separation without 1x

Slide 12

Traffic separation with 1x
(diagram labels: Supplicant; Authenticator (AP or switch); RADIUS server University X; RADIUS server SURFnet office; User DB; User DB; Guest Paul.Dekkers@surfnet.nl; Internet; Guest VLAN; Employee VLAN; Central RADIUS proxy server; Students VLAN)

Slide 13

Traffic separation with 1x

Slide 14

Hands-on setup

Slide 15

Configuration: Radiator
Linear
Global configuration:
    AuthPort 1812
    AcctPort 1813
    LogDir /var/log/radius
    DbDir /etc/radiator
Clients
Handlers

Slide 16

Configuration: Radiator, RADIUS Clients
    <Client 192.168.1.2>
        Secret 6.6obaFkm&RNs666
        Identifier AP1
        IdenticalClients 192.168.1.3, 192.168.1.4
    </Client>

Slide 17

Configuration: Radiator
    <Handler Realm=surfnet.nl>
        <AuthBy FILE>
            Filename clients
        </AuthBy>
    </Handler>

Slide 18

Configuration: Radiator
    <Handler Realm=surfnet.nl>
        <AuthBy FILE>
            Filename clients
            EAPType TTLS, PEAP, MSCHAP-V2
            EAPTLS_CAFile root-ca.pem
            EAPTLS_CertificateFile server.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile private.pem
            EAPTLS_PrivateKeyPassword secret
            EAPTLS_MaxFragmentSize 1024
            AutoMPPEKeys
        </AuthBy>
    </Handler>

Slide 19

Configuration: Radiator
    <Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
        # Accept, and log
    </Handler>
    <Handler Realm=surfnet.nl, TunnelledByTTLS=1>
        # PAP
    </Handler>
    <Handler Realm=surfnet.nl, TunnelledByPEAP=1>
        # EAP-MSCHAPv2
    </Handler>
    <Handler Realm=surfnet.nl>
        # EAP-TTLS and EAP-PEAP
    </Handler>

Slide 20

Configuration: Radiator, Identifiers and Catch-all
    <AuthBy RADIUS>
        Identifier SURFNET-PROXY
        Host radius-proxy.surfnet.nl
        Secret Sdfg8WeR98r09d8fg
        AuthPort 1812
        AcctPort 1813
    </AuthBy>
    <Handler>
        AuthBy SURFNET-PROXY
    </Handler>

Slide 21

RADIUS proxy loop
Good configuration is more complex: it often needs precautions against proxy loops

Slide 22

Configuration: Access-Point

Slide 23

Cisco AP - RADIUS
    AP1(config)# aaa new-model
    aaa group server radius rad_eap
    server 192.87.116.63 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa accounting network acct_methods start-stop group rad_acct
    radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X

Slide 24

Cisco AP - Wireless Interface
    AP1(config)# interface dot11Radio 0
    AP1(config-if)# encryption mode ciphers wep40
    AP1(config-if)# broadcast-key change 1800
    AP1(config-if)# no ssid tsunami
    AP1(config-if)# ssid SURFnet
    AP1(config-if-ssid)# authentication open eap eap_methods
    AP1(config-if-ssid)# guest-mode
    AP1(config-if-ssid)# ^Z

Slide 25

Cisco switch – enable RADIUS
    Switch# configure terminal
    Switch(config)# aaa new-model
    Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key <secret>

Slide 26

Cisco switch – enable 802.1x
    Switch(config)# aaa authentication dot1x default group radius
    Switch(config)# dot1x system-auth-control
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# spanning-tree portfast
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)# dot1x port-control auto
    Switch(config-if)# end
    Switch(config-if)# dot1x guest-vlan 60

Slide 27

Windows and wired 802.1x

Slide 28

Extra in hands-on
Configuration of VLANs: can you enable "roaming" with another group?
Can you create an SSID for users without 802.1x?
