802.1X Configuration - PowerPoint PPT Presentation


802.1X Configuration. Terena 802.1X workshop, the Netherlands, Amsterdam, March 30th. Paul Dekkers. Overview. EAP. What makes EAP flexible. Man-in-the-Middle attack. That’s why we need a good EAP mechanism! RADIUS proxy-ing. RADIUS. Client-Server model


PowerPoint Slideshow about '802.1X Configuration' - libitha


Presentation Transcript

802.1X Configuration

Terena 802.1X workshop

the Netherlands, Amsterdam, March 30th

Paul Dekkers

Man-in-the-Middle attack

That’s why we need a good EAP mechanism!

RADIUS
  • Client-Server model
    • Authenticator is a RADIUS client
    • Authentication-server is the RADIUS server
    • RADIUS server can be a client as well
RADIUS – what’s in the packet
  • UDP, ports 1645/1646 or 1812/1813. Mind the firewall!
  • Attributes, like User-Name, User-Password, EAP-Message
  • Shared Secret
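The slide lists what a RADIUS packet carries; this added example (not from the presentation) shows how a RADIUS client builds an Access-Request with User-Name and a User-Password hidden with the shared secret, and how it checks the Response Authenticator on the reply, which is the only thing that ties a reply to a server holding the secret. Attribute numbers and the MD5 constructions are from RFC 2865; the secret and user name are constructed.

```python
# Added example, not from the slides: a RADIUS client builds an Access-Request
# (User-Name, User-Password, shared secret, RFC 2865) and verifies the reply's
# Response Authenticator; reveal_password is the server side. No network I/O.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute type numbers


def attr(atype, value):
    """Type-Length-Value encoding of one attribute (length counts the 2 header bytes)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password):
    """Return (packet, request_authenticator); the authenticator is a fresh 16-byte nonce."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def reply_is_authentic(reply, ident, request_auth, secret):
    """Client check: drop replies whose ID, Length or Response Authenticator do not match the request."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return reply[4:20] == hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
```

A reply built with a different secret, a different ID, or a changed Code fails the check, which is why the shared secret must be unique per client and the firewall must only pass UDP 1812/1813 (or 1645/1646) between authenticator and server.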
RADIUS and REALMS
  • Use well-chosen realms: preferably like an e-mail address, user@institution.ccTLD
    • Important with PROXY-ing
Traffic separation with 1x

[Figure: Supplicant → Authenticator (AP or switch) → RADIUS server, University X (User DB) → Central RADIUS proxy server → RADIUS server, SURFnet office (User DB). Guest Paul.Dekkers@surfnet.nl; VLANs: Guest, Employee, Students; Internet.]

Configuration: Radiator
  • Linear
  • Global configuration
    AuthPort 1812
    AcctPort 1813
    LogDir /var/log/radius
    DbDir /etc/radiator
  • Clients
  • Handlers

Configuration: Radiator

RADIUS Clients

<Client 192.168.1.2>
    Secret 6.6obaFkm&RNs666
    Identifier AP1
    IdenticalClients 192.168.1.3, 192.168.1.4
</Client>

Configuration: Radiator

<Handler Realm=surfnet.nl>
    <AuthBy FILE>
        Filename users
    </AuthBy>
</Handler>

Configuration: Radiator

<Handler Realm=surfnet.nl>
    <AuthBy FILE>
        Filename users
        EAPType TTLS, PEAP, MSCHAP-V2
        EAPTLS_CAFile root-ca.pem
        EAPTLS_CertificateFile server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile private.pem
        EAPTLS_PrivateKeyPassword secret
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
    </AuthBy>
</Handler>

Configuration: Radiator

<Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
    # Accept, and log
</Handler>

<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
    # PAP
</Handler>

<Handler Realm=surfnet.nl, TunnelledByPEAP=1>
    # EAP-MSCHAPv2
</Handler>

<Handler Realm=surfnet.nl>
    # EAP-TTLS and EAP-PEAP
</Handler>

Configuration: Radiator, Identifiers and Catch-all

<AuthBy RADIUS>
    Identifier SURFNET-PROXY
    Host radius-proxy.surfnet.nl
    Secret Sdfg8WeR98r09d8fg
    AuthPort 1812
    AcctPort 1813
</AuthBy>

<Handler>
    AuthBy SURFNET-PROXY
</Handler>

RADIUS proxy-loop
  • A good configuration is more complex, and configurations often lack protection against proxy-loops
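The realm slide, the ordered Handler slides, the catch-all proxy and the proxy-loop warning all describe one routing decision. This added example (not from the presentation or from Radiator) models it: first-match Handler selection in the order the slides use, and the checks a proxy should make before forwarding so that a catch-all cannot bounce a request back and forth. Handler names, host names, the hop limit and the use of the proxy_state list as a stand-in for Proxy-State are constructed.

```python
# Added example, not from the slides or from Radiator: a model of first-match
# Handler selection and of the loop checks a RADIUS proxy should make.
from dataclasses import dataclass, field

HOP_LIMIT = 4  # constructed value; size it to the real depth of the proxy chain


@dataclass
class Request:
    user_name: str
    request_type: str = "Access-Request"
    tunnelled_by: str = ""  # "TTLS" or "PEAP" for the inner request, "" for the outer one
    proxy_state: list = field(default_factory=list)  # names of proxies already traversed

    @property
    def realm(self):
        """Realm is what follows the last '@' (user@institution.ccTLD); '' if absent."""
        return self.user_name.rpartition("@")[2].lower() if "@" in self.user_name else ""


# Same order as the slides: specific handlers first, the catch-all proxy last.
HANDLERS = [
    ("surfnet-accounting", {"realm": "surfnet.nl", "request_type": "Accounting-Request"}),
    ("surfnet-ttls-pap", {"realm": "surfnet.nl", "tunnelled_by": "TTLS"}),
    ("surfnet-peap-mschapv2", {"realm": "surfnet.nl", "tunnelled_by": "PEAP"}),
    ("surfnet-eap-outer", {"realm": "surfnet.nl"}),
    ("SURFNET-PROXY", {}),
]


def handler_for(req, handlers=HANDLERS):
    """First handler whose every condition matches wins; None if nothing matches."""
    for name, conditions in handlers:
        if all(getattr(req, key) == value for key, value in conditions.items()):
            return name
    return None


def proxy_decision(req, my_name, routes):
    """Where a proxy forwards req, or why it refuses; routes maps realm -> next server."""
    if my_name in req.proxy_state:
        return "reject: loop, this proxy has already forwarded the request"
    if len(req.proxy_state) >= HOP_LIMIT:
        return "reject: hop limit exceeded"
    if not req.realm:
        return "reject: no realm, cannot route"
    next_hop = routes.get(req.realm, routes.get("*"))
    if next_hop is None or next_hop == my_name:
        return "reject: no route for realm " + req.realm
    req.proxy_state.append(my_name)  # leave our mark, like a Proxy-State attribute
    return "forward to " + next_hop
```

The test scenario shows the loop the slide warns about: an institution server with a default route to the central proxy, and a central proxy that is given a default route back to the institution; only the loop and hop-limit checks stop the unknown realm from circulating.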
Cisco AP - RADIUS

AP1(config)#aaa new-model
aaa group server radius rad_eap
server 192.87.116.63 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X

Cisco AP - Wireless Interface

AP1(config)#interface dot11Radio 0
AP1(config-if)#encryption mode ciphers wep40
AP1(config-if)#broadcast-key change 1800
AP1(config-if)#no ssid tsunami
AP1(config-if)#ssid SURFnet
AP1(config-if-ssid)#authentication open eap eap_methods
AP1(config-if-ssid)#guest-mode
AP1(config-if-ssid)#^Z

Cisco switch – enable RADIUS

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key <secret>

Cisco switch – enable 802.1x

Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# spanning-tree portfast
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x guest-vlan 60
Switch(config-if)# end

Extra in hands-on
  • Configuration of VLANs:
    • Can you enable “roaming” with another group?
    • Can you create an SSID for users without 802.1x?