![Page 1: Network Security 1askoik.kapsi.fi/koulu/NetSec1/NS1_v20_Module07-new.pdfCisco Secure ACS RADIUS Response Cisco Secure ACS End User Cisco Catalyst Switch 802.1x RADIUS After a user](https://reader030.vdocuments.mx/reader030/viewer/2022011923/605718184069e0393356ca57/html5/thumbnails/1.jpg)
1
Network Security 1
Module 7 – Configure Trust and Identity at Layer 2
Learning Objectives
7.1 Identity-Based Networking Services (IBNS)
7.2 Configuring 802.1x Port-Based Authentication
Module 7 – Configure Trust and Identity at Layer 2
7.1 Identity-Based Networking Services (IBNS)
Identity Based Network Services
Diagram: "Unified Control of User Identity for the Enterprise". Cisco Secure ACS, backed by an OTP server and hard and soft tokens, provides the user identity for Cisco VPN Concentrators, IOS Routers and PIX Security Appliances; the topology shows a router and a firewall at the Internet edge serving VPN clients and remote offices.
802.1x Roles
Diagram: the three 802.1x roles are the Supplicant, the Authenticator and the Authentication Server.
802.1x Authenticator and Supplicant
Diagram: a Home Office PC reaches Cisco Secure ACS across the Internet through the perimeter router.
The perimeter router acts as the authenticator; the remote user's PC acts as the supplicant.
802.1x Components
How 802.1x Works
Diagram: End User (client) <-802.1x-> Catalyst 2950 (switch) <-RADIUS-> Authentication Server (RADIUS).
The actual authentication conversation occurs between the client and the Authentication Server using EAP. The authenticator is aware of this activity, but it is just a middleman.
How 802.1x Works (Continued)
Diagram: message sequence between End User (client), Catalyst 2950 (switch) and Authentication Server (RADIUS).
1. Client -> Switch: EAPOL-Start
2. Switch -> Client: EAP-Request/Identity
3. Client -> Switch: EAP-Response/Identity; Switch -> Server: RADIUS Access-Request
4. Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP-Request/OTP
5. Client -> Switch: EAP-Response/OTP; Switch -> Server: RADIUS Access-Request
6. Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP-Success
7. Port Authorized
8. Client -> Switch: EAPOL-Logoff
9. Port Unauthorized
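The sequence above, simulated as an added example that is not part of the course material: a supplicant, an authenticator (the switch port) and a RADIUS/EAP server exchange the slide's message types, the authenticator relays EAP without inspecting the credential and owns the port state, and EAPOL-Logoff returns the port to unauthorized. The message names are taken from the slide; the user table, the "OTP" string and the dict-based payloads are constructed for illustration, and no real OTP algorithm or RADIUS wire encoding is used.

```python
"""Simulated 802.1x exchange: supplicant <-EAPOL-> authenticator <-RADIUS-> server.

Constructed example: message kinds follow the slide, payloads are plain dicts,
and the "OTP" is a constructed secret, not a real one-time-password scheme.
"""
from dataclasses import dataclass, field


@dataclass
class Msg:
    kind: str                      # e.g. "EAPOL-Start", "EAP-Request/OTP", "RADIUS Access-Accept"
    body: dict = field(default_factory=dict)


class AuthServer:
    """RADIUS/EAP server: the only party that ever checks the credential."""

    def __init__(self, users):
        self.users = users         # identity -> expected OTP (constructed sample data)
        self.pending = {}          # identities that have been challenged and not yet answered

    def access_request(self, eap):
        """Handle the EAP payload the authenticator forwarded inside a RADIUS Access-Request."""
        if eap.kind == "EAP-Response/Identity":
            self.pending[eap.body["identity"]] = True
            challenge = Msg("EAP-Request/OTP", {"identity": eap.body["identity"]})
            return Msg("RADIUS Access-Challenge", {"eap": challenge})
        if eap.kind == "EAP-Response/OTP":
            ident = eap.body["identity"]
            ok = self.pending.pop(ident, False) and self.users.get(ident) == eap.body["otp"]
            if ok:
                return Msg("RADIUS Access-Accept", {"eap": Msg("EAP-Success")})
        return Msg("RADIUS Access-Reject", {"eap": Msg("EAP-Failure")})


class Authenticator:
    """The switch port: relays EAP, owns the port state, never sees whether the OTP is right."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.log = []              # message kinds seen, in order, for inspection

    def eapol(self, msg):
        self.log.append(msg.kind)
        if msg.kind == "EAPOL-Start":
            return Msg("EAP-Request/Identity")
        if msg.kind == "EAPOL-Logoff":
            self.port_authorized = False      # port goes back to unauthorized
            return None
        if msg.kind.startswith("EAP-Response"):
            reply = self.server.access_request(msg)
            self.log.append(reply.kind)
            if reply.kind == "RADIUS Access-Accept":
                self.port_authorized = True   # only an Accept opens the port
            elif reply.kind == "RADIUS Access-Reject":
                self.port_authorized = False
            return reply.body["eap"]          # unwrap the EAP message for the client
        return Msg("EAP-Failure")


def run_session(identity, otp, users=None):
    """Drive one supplicant session; returns (authorized before logoff, after logoff, log)."""
    users = users if users is not None else {"alice": "otp-482913"}   # constructed user table
    auth = Authenticator(AuthServer(users))
    eap = auth.eapol(Msg("EAPOL-Start"))
    assert eap.kind == "EAP-Request/Identity"
    eap = auth.eapol(Msg("EAP-Response/Identity", {"identity": identity}))
    if eap.kind == "EAP-Request/OTP":
        eap = auth.eapol(Msg("EAP-Response/OTP", {"identity": identity, "otp": otp}))
    before_logoff = auth.port_authorized
    auth.eapol(Msg("EAPOL-Logoff"))
    return before_logoff, auth.port_authorized, auth.log


if __name__ == "__main__":
    print(run_session("alice", "otp-482913"))
    print(run_session("alice", "guess"))
```

The authenticator's log is the view a switch has of the exchange: it sees EAP message types and RADIUS result codes, never the credential, which is why the slide calls it a middleman and why the server, not the switch, is where the credential check has to be trusted.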
EAP Characteristics
• EAP – The Extensible Authentication Protocol
• Extension of PPP to provide additional authentication features
• A flexible protocol used to carry arbitrary authentication information.
• Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+
• Specified in RFC 2284
• Supports multiple authentication types:
  EAP-MD5: Plain Password Hash (CHAP over EAP)
  EAP-TLS (based on X.509 certificates)
  LEAP (EAP-Cisco Wireless)
  PEAP (Protected EAP)
EAP Selection
• Cisco Secure ACS supports the following varieties of EAP:
• EAP-MD5 – An EAP protocol that does not support mutual authentication.
• EAP-TLS – EAP incorporating Transport Layer Security (TLS).
• LEAP – An EAP protocol used by Cisco Aironet wireless equipment. LEAP supports mutual authentication.
• PEAP – Protected EAP, which is implemented with EAP-Generic Token Card (GTC) and EAP-MSCHAPv2 protocols.
• EAP-FAST – EAP Flexible Authentication via Secured Tunnel (EAP-FAST), a faster means of encrypting EAP authentication, supports EAP-GTC authentication.
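As an added example, not from the slides, of what "CHAP over EAP" means for the EAP-MD5 method listed on the two slides above: the code encodes and parses the RFC 3748 MD5-Challenge packet (Code, Identifier, Length, Type 4, Value-Size, Value, Name) and computes the RFC 1994 CHAP value MD5(Identifier || password || challenge). The sample identity, password and the server name are constructed. It also shows, in code, why the method offers no mutual authentication: the server must hold the cleartext password, and the supplicant answers whichever challenge it receives without any way to check who sent it.

```python
"""EAP-MD5 (MD5-Challenge) packet handling and verification, RFC 3748 section 5.4.

Constructed example: the user table and the server name are sample values.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_MD5_CHALLENGE = 4


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value reused by EAP-MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode Code, Identifier, Length, Type, Value-Size, Value, Name."""
    type_data = bytes([len(value)]) + value + name
    length = 5 + len(type_data)                     # 4-byte EAP header + 1-byte Type + data
    return struct.pack("!BBHB", code, identifier, length, TYPE_MD5_CHALLENGE) + type_data


def parse_md5_challenge(pkt: bytes):
    """Decode a packet, rejecting bad Length, wrong Type or a Value-Size that overruns the buffer."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP packet")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed MD5-Challenge packet")
    value_size = pkt[5]
    if 6 + value_size > len(pkt):
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, pkt[6:6 + value_size], pkt[6 + value_size:]


class Md5Server:
    """Authentication-server side. Verification needs the cleartext password, a property of EAP-MD5."""

    def __init__(self, users: dict):
        self.users = users            # identity -> cleartext password
        self.outstanding = {}         # identifier -> challenge issued under that identifier

    def request(self, identifier: int) -> bytes:
        challenge = os.urandom(16)    # fresh per request, so an old response does not verify again
        self.outstanding[identifier] = challenge
        return build_md5_challenge(EAP_REQUEST, identifier, challenge, b"acs-server")

    def verify(self, response_pkt: bytes) -> bool:
        code, identifier, value, name = parse_md5_challenge(response_pkt)
        challenge = self.outstanding.pop(identifier, None)
        password = self.users.get(name)
        if code != EAP_RESPONSE or challenge is None or password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, value)


def supplicant_answer(request_pkt: bytes, identity: bytes, password: bytes) -> bytes:
    """Client side: answers the challenge it is given; nothing here authenticates the server."""
    _code, identifier, challenge, _name = parse_md5_challenge(request_pkt)
    value = md5_challenge_response(identifier, password, challenge)
    return build_md5_challenge(EAP_RESPONSE, identifier, value, identity)


def demo():
    """Returns (valid response accepted, replayed response accepted, wrong password accepted)."""
    server = Md5Server({b"alice": b"constructed-password"})     # constructed credential
    req = server.request(identifier=7)
    resp = supplicant_answer(req, b"alice", b"constructed-password")
    good = server.verify(resp)
    server.request(identifier=8)                                 # new challenge under identifier 8
    old_value = parse_md5_challenge(resp)[2]
    replay = server.verify(build_md5_challenge(EAP_RESPONSE, 8, old_value, b"alice"))
    wrong = server.verify(supplicant_answer(server.request(9), b"alice", b"wrong"))
    return good, replay, wrong


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The fresh challenge is what stops a captured response from being reused, but nothing in the exchange is encrypted and the supplicant cannot tell a legitimate server from any other sender, which is why the slide lists EAP-MD5 as lacking mutual authentication while the TLS-based methods that follow carry the exchange inside an authenticated tunnel.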
Cisco LEAP
Lightweight Extensible Authentication Protocol
Diagram: Client, Access Point and ACS Server.
• Derives per-user, per-session key
• Enhancement to IEEE 802.11b Wired Equivalent Privacy (WEP) encryption
• Uses mutual authentication – both user and AP need to be authenticated
EAP-TLS
Extensible Authentication Protocol – Transport Layer Security
Diagram: Client, Access Point, Switch and ACS Server.
• RFC 2716
• Used for TLS Handshake Authentication (RFC 2246)
• Requires PKI (X.509) Certificates rather than username/password
• Mutual authentication
• Requires client and server certificates
• Certificate Management is complex and costly
PEAP
Protected Extensible Authentication Protocol
Diagram: Client, Access Point, Switch and ACS Server, with a TLS Tunnel from the client to the ACS Server.
• Internet-Draft by Cisco, Microsoft & RSA
• Enhancement of EAP-TLS
• Requires server certificate only
• Mutual authentication
• username/password challenge over TLS Channel
• Available for use with Microsoft and Cisco products
How Does Basic Port Based Network Access Work?
Diagram: a client attached to 802.1x-capable Ethernet LAN access devices (Catalyst 6500 Series, 4500/4000 Series, 3550/2950 Series and Access Points), which speak RADIUS to Cisco Secure ACS (AAA RADIUS server). Steps shown:
1. Host device attempts to connect to the switch.
2. Switch requests ID.
3. Client sends ID/password or certificate.
4. Switch forwards credentials to the ACS server.
5. Authentication successful.
6. ACS applies policies and enables the port.
7. Client now has secure access.
The actual authentication conversation is between the client and the Auth Server using EAP.
The switch detects the 802.1x-compatible client, forces authentication, then acts as a middleman during the authentication. Upon successful authentication the switch sets the port to forwarding and applies the designated policies.
ACS Deployment in a Small LAN
Diagram: a client attached to a Catalyst 2950/3500 switch, with Cisco Secure ACS on the same LAN; a router and a firewall connect the LAN to the Internet.
ACS Deployment in a Global Network
Diagram: three regions, each with its own ACS server and switch (Region 1: ACS1 and Switch 1, Region 2: ACS2 and Switch 2, Region 3: ACS3 and Switch 3), connected through a firewall, with a client on Switch 1.
Cisco Secure ACS RADIUS Response
Diagram: End User <-802.1x-> Cisco Catalyst Switch <-RADIUS-> Cisco Secure ACS.
After a user successfully completes the EAP authentication process, the Cisco Secure ACS responds to the switch with a RADIUS authentication-accept packet granting that user access to the network.
Module 7 – Configure Trust and Identity at Layer 2
7.2 Configuring 802.1x Port-Based Authentication
802.1x Port-Based Authentication Configuration
Enable 802.1x Authentication (required)
Configure the Switch-to-RADIUS-Server Communication (required)
Enable Periodic Re-Authentication (optional)
Manually Re-Authenticating a Client Connected to a Port (optional)
Resetting the 802.1x Configuration to the Default Values (optional)
802.1x Port-Based Authentication Configuration (Cont.)
Changing the Quiet Period (optional)
Changing the Switch-to-Client Retransmission Time (optional)
Setting the Switch-to-Client Frame-Retransmission Number (optional)
Enabling Multiple Hosts (optional)
Resetting the 802.1x Configuration to the Default Values (optional)
Enabling 802.1x Authentication
Switch# configure terminal
• Enter global configuration mode
Switch(config)# aaa new-model
• Enable AAA
Switch(config)# aaa authentication dot1x default group radius
• Create an 802.1x authentication method list
Enabling 802.1x Authentication (Cont.)
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode
Switch(config-if)# dot1x port-control auto
• Enable 802.1x authentication on the interface
Switch(config-if)# end
• Return to privileged EXEC mode
Configuring Switch-to-RADIUS Communication
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 key rad123
• Configure the RADIUS server parameters on the switch: the server address, the authentication UDP port and the shared secret the switch uses to authenticate its RADIUS exchanges with the server.
Enabling Periodic Re-Authentication
Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x re-authentication
• Enable periodic re-authentication of the client, which is disabled by default.
Switch(config)# dot1x timeout re-authperiod seconds
• Set the number of seconds between re-authentication attempts.
Manually Re-Authenticating a Client Connected to a Port
Switch(config)# dot1x re-authenticate interface fastethernet0/12
• Starts re-authentication of the client.
Enabling Multiple Hosts
Switch# configure terminal
• Enter global configuration mode
Switch(config)# interface fastethernet0/12
• Enter interface configuration mode, and specify the interface to which multiple hosts are indirectly attached.
Switch(config-if)# dot1x multiple-hosts
• Allow multiple hosts (clients) on an 802.1x-authorized port.
Resetting the 802.1x Configuration to the Default Values
Switch# configure terminal
• Enter global configuration mode
Switch(config)# dot1x default
• Reset the configurable 802.1x parameters to the default values.
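As an added example that is not part of the course material, a small audit of a running-config excerpt against the configuration steps on the slides above: it checks for the required global commands (aaa new-model, the dot1x method list, a radius-server host with a key), reports access ports that lack dot1x port-control auto, notes ports with dot1x multiple-hosts, and notes when dot1x re-authentication is absent (the slides state it is disabled by default). The configuration text is a constructed sample, and the finding strings and the return structure are this example's own.

```python
"""Audit an IOS running-config excerpt for the 802.1x settings described on the slides.

Constructed example: SAMPLE_CONFIG is a made-up excerpt, not a capture from a real switch.
"""
import re

# Global commands the slides mark as required
REQUIRED_GLOBAL = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa authentication dot1x default group radius":
        re.compile(r"^aaa authentication dot1x default group radius\b"),
    "radius-server host <ip> ... key <secret>":
        re.compile(r"^radius-server host \S+(?: auth-port \d+)?(?: acct-port \d+)? key \S+"),
}
# Only physical access ports are audited for port control
ACCESS_PORT = re.compile(r"^interface (?:FastEthernet|GigabitEthernet)\S+$", re.IGNORECASE)


def parse_interfaces(lines):
    """Group indented lines under their 'interface ...' header."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # any other top-level line ends the interface block
    return blocks


def audit_dot1x_config(config_text):
    """Return {'ok': bool, 'findings': [...], 'ports': {name: {...}}} for the excerpt."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip() and not l.startswith("!")]
    global_lines = [l for l in lines if not l.startswith(" ")]
    findings = []
    for label, pattern in REQUIRED_GLOBAL.items():
        if not any(pattern.match(l) for l in global_lines):
            findings.append(f"missing required global command: {label}")
    if "dot1x re-authentication" not in global_lines:
        findings.append("note: periodic re-authentication not enabled (disabled by default)")
    ports = {}
    for name, body in parse_interfaces(lines).items():
        if not ACCESS_PORT.match("interface " + name):
            continue
        ports[name] = {"port_control_auto": "dot1x port-control auto" in body,
                       "multiple_hosts": "dot1x multiple-hosts" in body}
        if not ports[name]["port_control_auto"]:
            findings.append(f"{name}: no 'dot1x port-control auto', port is not authenticated")
        if ports[name]["multiple_hosts"]:
            findings.append(f"{name}: multiple-hosts enabled, other hosts on the port share "
                            "the authorization once the port is authorized")
    ok = not any(f.startswith("missing") or "not authenticated" in f for f in findings)
    return {"ok": ok, "findings": findings, "ports": ports}


# Constructed sample excerpt using the commands from the slides
SAMPLE_CONFIG = """\
! constructed running-config excerpt
aaa new-model
aaa authentication dot1x default group radius
radius-server host 172.120.39.46 auth-port 1812 key rad123
!
interface FastEthernet0/12
 dot1x port-control auto
!
interface FastEthernet0/13
 dot1x port-control auto
 dot1x multiple-hosts
!
interface FastEthernet0/14
 description uplink-without-port-control
"""

if __name__ == "__main__":
    for finding in audit_dot1x_config(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run it against `show running-config` output saved to a file; the "missing" findings are the ones that leave the whole switch without working 802.1x, while the per-port findings show which ports are outside the authentication scheme or share one authorization among several hosts.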
Displaying 802.1x Statistics
Switch# show dot1x statistics
• Display 802.1x statistics
Switch# show dot1x statistics interface interface-id
• Display 802.1x statistics for a specific interface.
Displaying 802.1x Status
Switch# show dot1x
• Display 802.1x administrative and operational status.
Switch# show dot1x interface interface-id
• Display 802.1x administrative and operational status for a specific interface.