1 / 26

IEEE 802.1X

IEEE 802.1X. Port Based Network Access Control. Definition. “Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices.”

otto
Download Presentation

IEEE 802.1X

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IEEE 802.1X Port Based Network Access Control

  2. Definition • “Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices.” • “IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutualauthentication between the clients of ports attached to the same LAN and secure communication between the ports.”

  3. Definition • “Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices.” • “IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutualauthentication between the clients of ports attached to the same LAN and secure communication between the ports.” • Layer 2 Access to the medium. • Access control applied to ports. • Authentication. • Secure communication.

  4. Basic Topology • There are three elements: • The Supplicantwhich in this example is a wireless 802.11 Client A. • The Authenticator which in this case is a wireless 802.11 access point WAP. • The Authentication Server.

  5. Extensible Authentication Protocol EAP • The IEEE 802.1X standard specifies the use of EAP, the Extensible Authentication Protocol (RFC 3748) to support authentication using a centrally administered Authentication Server. • The implementation of EAP was initially defined for PPP protocols; however, our main focus is in the use in LAN networks. • Consequently, the standard also defines EAP encapsulation over LANs (EAPoL) to convey the necessary exchanges between the supplicant and the authenticator.

  6. EAPoL Format • Nothing more than an EAP message encapsulated by an Ethernet Frame. • That’s all . Destination Source Type 888EH EAP Message Version Type Length Value

  7. Association Phase All traffic • Client A, the supplicant, associates with the Wireless Access Point WAP. • This is equivalent to connecting a cable to a LAN switch port. In such case, there are electrical signals, but nothing more significant is going on. • All traffic is blocked at the WAP Authenticator.

  8. Jargon EAP • In the initial stage of authentication, only EAP messages are accepted. • The technical jargon for this is Open Uncontrolled Virtual Port. • Any other traffic is blocked and ignored at the authenticator. • The technical jargon for this is Closed Controlled Virtual Port. • In reality, the ports do not even exist, this is just technical babble. • It is simply that the Authenticator listens to authentication messages and ignores/blocks anything else, that’s all. Other traffic

  9. EAP Transactions EAPoL-Start Other traffic • The supplicant sends a EAP message start encapsulated inside a WLAN frame (EAPoL). • The message is an EAPoL-start.

  10. EAP Transactions EAP-request-id Other traffic • The WLAN Authenticator reply with an EAP-request-identity. • The supplicant client responds with the username in clear-text EAP-response-id

  11. EAP Transactions EAP-response-id Other traffic RADIUS or TACACS+ • The Authenticator sends now a RADIUS or TACACS+ message. • Let’s assume that we are just using RADIUS for simplicity of the explanation.

  12. EAP Transactions EAP Other traffic RADIUS or TACACS+ • EAP messages do not continue unchanged toward the authentication server. • The authenticator talks another protocol, like RADIUS or TACACS+ to the Authentication Server. • So, in one hand, the authenticator talks EAP and in the other RADIUS or TACACS+. • WAP is a proxy or translator or intermediary.

  13. EAP Transactions EAP-response-id Other traffic RADIUS –access-request • The EAP response with the username, triggers a RADIUS message access request. • RADIUS Authentication Server receives the message and checks the policies and user database to find a match. • RADIUS server prepares a reply message.

  14. EAP Transactions Other traffic • RADIUS server prepares a reply message. • Radius server replies with an Access Challenge. • The WAP authenticator translates the RADIUS message to an EAP message which is sent to the supplicant. RADIUS –access-challenge

  15. EAP Transactions Other traffic • The WAP authenticator translates the RADIUS message to an EAP message which is sent to the supplicant as an EAP challenge-request. • The Supplicant receives the message and it prepares an answer. EAP challenge RADIUS –access-challenge

  16. EAP Transactions EAP challenge • The Supplicant receives the message and it prepares an answer. • It hashes a password with a well known algorithm. telecomS144 RADIUS –access-challenge MD5 AX1Z05FE2CD48

  17. EAP Transactions • The Supplicant receives the message and it prepares an answer. • It hashes a password with a well known algorithm. • It answers the challenge with a EAP-Challenge-Response. telecomS144 Challenge Response MD5 AX1Z05FE2CD48

  18. EAP Transactions RADIUS-Access-Request • The authenticator sends a RADIUS message Access-Request that contains the HASH to the Radius Server. • The Radius Server runs an stored password thru the same algorithm to find if the result matches the HASH received. telecomS144 Challenge Response MD5 AX1Z05FE2CD48

  19. EAP Transactions RADIUS-Access-Request • The authenticator sends a RADIUS message Access-Request that contains the HASH to the Radius Server. • The Radius Server runs an stored password thru the same algorithm to find if the result matches the received HASH. telecomS144 telecomS144 Challenge Response MD5 MD5 AX1Z05FE2CD48 AX1Z05FE2CD48

  20. EAP Transactions RADIUS –access-accept EAP success • The supplicant receives the approval of authentication. • The final part of the authentication process is the creation of a dynamic encryption key. • IEEE 802.11i describes this process which is called Robust Security Network (RSN) with two new protocols, the 4-Way Handshake and the Group Key Handshake

  21. Radius TACACS+ IEEE 802.1X

  22. IEEE 802.1x • IEEE 802.1X is the IEEE standard for Port based Network Access Control . • It provides an authentication mechanism to devices attaching to LAN or WLAN infrastructure. • IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol over Ethernet type networks. • 802.1X authentication involves three parties: • A supplicant (which is a CLIENT) • An authenticator (an access point) • An authentication server (a RADIUS server)

  23. IEEE 802.1x • The authenticator (access point) acts like a security guard to a protected network. • The supplicant (CLIENT) is not allowed access through the authenticator (access point) to the protected side of the network until the supplicant’s identity has been validated and authorized.

  24. IEEE 802.1x • The supplicant presents credentials, (user name / password or a digital certificate), to the authenticator. • The authenticator forwards the credentials to the authentication server for verification. • If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

  25. Cisco Support • Cisco implementation of RADIUS is compatible with Microsoft PEAP-MS-CHAP-v2 and PEAP-GTC. • Cisco proprietary product ACS includes Radius and TACACS+ implementation. • TACACS+ is Cisco only.

  26. RADIUS/TACACS+ • RADIUS is a distributed client/server system that secures networks against unauthorized access. • RADIUS clients run on Cisco routers and relays authentication requests to a central RADIUS server that contains all user authentication and network service access information.

More Related