Implementing 802.1x Authentication
802.1X Authentication
Deniz Kaya, Microsoft, Cisco and Ironport trainer (CCSI, CCNP, MCT, MCSE, ICSI, ICSP, CPTS)
… While the Assets Needing to be Protected are Expanding
One physical network must accommodate multiple logical networks (user groups), each with its own rules.
(Diagram nodes: Service Provider/Internet, Teleworker, City Hall, VPN Head-End, Cable Provider, 831, Library, Partner/Vendor, Airport)
IDENTITY: So, you said MAC Address?
• Windows 2000 and XP make it easy for a user to change the adapter's MAC address.
• A MAC address is an identifier the client itself asserts; it is not an authentication mechanism.
Determining "who" gets access and "what" they can do
• User-identity-based network access: the equivalent of placing a security guard at each switch port of the campus network.
• User-based policies applied (bandwidth, QoS, etc.).
• Only authorized users and devices get network access.
• Unauthorized users and devices can be placed into a "Guest" VLAN.
• Prevents unauthorized access points from being plugged into the LAN.
What Exactly Is 802.1x?
• A standard set by the IEEE 802.1 working group.
• Describes a standard link-layer protocol (EAP over LAN, EAPOL) used for transporting higher-level authentication protocols.
• Runs between the Supplicant and the Authenticator.
• The authenticator maintains a back-end connection to an Authentication Server.
Some IEEE Terminology (normal people terms → IEEE terms)
• AAA/RADIUS server → Authentication Server
• Network access device (switch, access point) → Authenticator
• Client → Supplicant
What Does it Do?
• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) is the middleman: it takes the EAP it receives in 802.1x (EAPOL) frames and relays it to the authentication server, using RADIUS to carry the EAP information.
Frame on the LAN side: [802.1x header][EAP payload]
What is RADIUS?
• RADIUS: the Remote Authentication Dial In User Service.
• A protocol used between a network device and an authentication server or database.
• Carries login and authentication information, e.g. username/password, one-time passwords (OTP), etc.
• Carries arbitrary attribute-value pairs, including "Vendor Specific Attributes" (VSAs) for vendor extensions.
Packet on the server side: [UDP header][RADIUS header][EAP payload, carried in EAP-Message attributes]
802.1x – enhancing LAN security: topology (diagram slide)
Wired Access Control Model
• RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server).
• RADIUS is also used to carry policy instructions back to the authenticator in the form of attribute-value (AV) pairs.
• Client and switch talk 802.1x; the switch speaks to the authentication server using RADIUS.
• The actual authentication conversation is between the client and the authentication server, using EAP; the switch is just a middleman, but it is aware of what is going on (it sees the final EAP Success/Failure and the returned attributes).
• Only the RADIUS shared secret protects the switch-to-server leg, so use a strong, per-device secret and keep that path on a trusted management network.
Identity Based Network Services
IEEE 802.1x + VLANs + VVID + ACL + QoS. Components: 802.1x-capable client; 802.1x-capable access devices (Catalyst 6500, 4000 and 3550/2950 series switches, access points); AAA RADIUS server (802.1x authentication server); Active Directory login and Certificate Services.
1. Login request (client → switch).
2. Login info: login + certificate (switch → RADIUS server).
3. Verify login and check with the policy database (RADIUS server ↔ Active Directory).
4. Login verified, "Login good!", apply policies (RADIUS server → switch).
5. Switch applies the policies and enables the port: set port to enable, set port vlan 10 (VLAN 10, the Engineering VLAN).
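The two slides above describe RADIUS as the transport for EAP between switch and server, and as the carrier of policy (the VLAN assignment) back to the switch. The following Python is an added example, not code from the original presentation or from any Cisco or Microsoft product, that builds those packets byte by byte: an Access-Request with the EAP payload in EAP-Message attributes and the Message-Authenticator that RFC 3579 makes mandatory, and an Access-Accept carrying the RFC 3580 VLAN attributes. The shared secret, the identity and the VLAN number are assumed values. It also shows the two checks each side should perform before trusting a packet: the server verifies the Message-Authenticator (a one-bit change in User-Name fails), and the switch verifies the Response Authenticator against the request it sent.

```python
"""Added example, not taken from the original slides: how the authenticator
(switch) wraps the supplicant's EAP packet in a RADIUS Access-Request, and how
the server's Access-Accept carries policy (here a VLAN) back as attribute-value
pairs. Layouts follow RFC 2865, RFC 3579 and RFC 3580. Secret, identity and
VLAN are made up for the example."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE = 1, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
SHARED_SECRET = b"assumed-switch-to-radius-secret"  # constructed for this example

def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("a RADIUS attribute value is at most 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_message_attrs(eap: bytes) -> bytes:
    """RFC 3579: a long EAP packet is split over consecutive EAP-Message
    attributes of up to 253 bytes; the receiver concatenates them in order."""
    return b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))

def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, refusing malformed lengths instead of looping forever."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out

def build_access_request(identity: bytes, eap: bytes, secret: bytes, pkt_id: int = 1) -> bytes:
    """Authenticator side. RFC 3579 requires Message-Authenticator (HMAC-MD5 over the
    whole packet with that attribute zeroed) on any packet carrying EAP-Message."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_PORT_TYPE, struct.pack("!I", 15))  # 15 = Ethernet
             + eap_message_attrs(eap))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs) + 18)
    zeroed = header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed and compare."""
    attrs = parse_attrs(pkt[20:])
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])

def extract_eap(pkt: bytes) -> bytes:
    """Server side: reassemble the EAP packet from the EAP-Message attributes."""
    return b"".join(v for t, v in parse_attrs(pkt[20:]) if t == EAP_MESSAGE)

def build_access_accept(request: bytes, vlan_id: str, secret: bytes) -> bytes:
    """Server side: Access-Accept assigning a VLAN (RFC 3580). Response Authenticator
    = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    tag = b"\x01"  # Tunnel-* attributes start with a 1-byte tag that groups them
    attrs = (attr(TUNNEL_TYPE, tag + b"\x00\x00\x0d")          # 13 = VLAN
             + attr(TUNNEL_MEDIUM_TYPE, tag + b"\x00\x00\x06")  # 6 = IEEE 802
             + attr(TUNNEL_PRIVATE_GROUP_ID, tag + vlan_id.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def vlan_from_accept(accept: bytes, request: bytes, secret: bytes) -> Optional[str]:
    """Authenticator side: check the Response Authenticator against the request it
    answers before acting on any policy in the packet; return the VLAN or None."""
    header, resp_auth, attrs = accept[:4], accept[4:20], accept[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    for t, v in parse_attrs(attrs):
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            return (v[1:] if v[0] <= 0x1F else v).decode()  # drop the tag byte if present
    return None

def demo() -> dict:
    """One round trip: constructed EAP-Response/Identity in, VLAN 10 out."""
    identity = b"alice@example.test"
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # Code=Response, Type=Identity
    req = build_access_request(identity, eap, SHARED_SECRET)
    tampered = req[:22] + bytes([req[22] ^ 0x01]) + req[23:]  # flip one bit inside User-Name
    accept = build_access_accept(req, "10", SHARED_SECRET)
    return {
        "ma_ok": verify_message_authenticator(req, SHARED_SECRET),
        "ma_tampered": verify_message_authenticator(tampered, SHARED_SECRET),
        "eap_round_trip": extract_eap(req) == eap,
        "vlan": vlan_from_accept(accept, req, SHARED_SECRET),
        "vlan_wrong_secret": vlan_from_accept(accept, req, b"wrong-secret"),
    }
```

Run `demo()` to see all five checks; the two authenticators are the only integrity protection RADIUS has, and both are keyed by the shared secret, which is why the slide's "switch is aware of what's going on" also means the switch must be trusted and the secret kept strong.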
802.1x client implementation in Windows
• Wired interfaces: enabled by default.
• Wireless interfaces: integrated with the wireless configuration client; enabled by default if privacy (encryption) is enabled; enforces the use of dynamic keys.
• User and computer authentication enabled by default.
802.1x in Microsoft Windows: machine and user authentication (state flow)
• Startup → machine credentials available (use machine credentials) → machine authentication success or failure.
• User logon → user credentials available (use user credentials) → user authentication success or failure.
• User logoff → back to the machine state.
Windows Machine Authentication
Boot sequence: Power up → Load NDIS drivers → [802.1x: authenticate as the computer] → DHCP → Set up secure channel to DC → Update GPOs → Apply computer GPOs → Present GINA (Ctrl-Alt-Del) → Login
What is machine authentication? The ability of a Windows workstation to authenticate under its own identity, independent of any interactive user session.
What is it used for? Machine authentication is used at boot time by Windows to authenticate to and communicate with domain controllers in order to pull down machine group policies.
Why do we care? Before 802.1x this worked under the assumption that network connectivity was a given. With 802.1x, blocking network access before authentication breaks the machine-based group policy model, UNLESS the machine can authenticate with its own identity in 802.1x.
802.1x in Microsoft Windows: 802.1x authentication configuration page
• Same for wired and wireless.
• Provides control over computer and guest authentication.
• EAP method setting.
What is EAP?
EAP, the Extensible Authentication Protocol (RFC 3748): a flexible framework used to carry arbitrary authentication methods.
EAP layering
Method layer: TLS | GSS_API (Kerberos) | PEAP (inner methods: MS-CHAPv2, TLS) | IKE | MD5
EAP layer:    EAP
Media layer:  PPP | 802.3 | 802.5 | 802.11 | other…
802.1x authentication client: EAP methods available in Windows
• EAP-TLS (Transport Layer Security): the default setting for the 802.1x client in Windows; certificate based.
• PEAP (Protected EAP): a TLS tunnel that allows inner methods: TLS (certificate based) or Microsoft Challenge Handshake Authentication Protocol v2 (MSCHAPv2, password based).
• EAP-MD5: available for wired networks only, because it derives no keying material and so cannot protect the session between supplicant and authenticator. The response (an MD5 hash over the password and the challenge) travels in the clear and can be dictionary-attacked offline, and the server is never authenticated to the client.
802.1x authentication client: EAP methods, wired and wireless networks (screenshot slide)
EAP with MD5
Peer (holds cleartext password)                          Authenticator (holds cleartext password)
                                  <-- identity-request
identity-response (username) -->
                                  <-- MD5-challenge-request (random challenge)
MD5-challenge-response, R = MD5(ID || password || challenge) -->
                                                         checks that MD5(ID || password || challenge) equals R
                                  <-- success or failure
(ID is the one-byte EAP Identifier of the request; the slide's "MD5(password, challenge)" abbreviates this.)
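The exchange above, as an added example that is not from the original slides: both sides of EAP-MD5 encoded as real EAP packets, followed by the eavesdropper's view, which is why the earlier slide restricts EAP-MD5 to wired ports and why it is a poor choice even there. Username, password and the wordlist are constructed for the example; the response formula follows RFC 3748 section 5.4 (the CHAP algorithm of RFC 1994) with the Identifier byte included.

```python
"""Added example, not part of the original slides: the EAP-MD5-Challenge exchange
as real EAP packets (RFC 3748 section 5.4, same algorithm as CHAP, RFC 1994),
followed by what an eavesdropper can do with it. Username, password and
wordlist are constructed for the example."""
import hashlib
import hmac
import os
import struct
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

def eap_packet(code: int, ident: int, payload: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Length covers the whole packet."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Response-Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def authenticator_challenge(ident: int, challenge: bytes, name: bytes = b"switch") -> bytes:
    """EAP-Request/MD5-Challenge: Type(4) Value-Size(1) Value Name."""
    return eap_packet(EAP_REQUEST, ident,
                      bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name)

def peer_response(request: bytes, password: bytes, username: bytes) -> bytes:
    """Peer (supplicant) side: pull the challenge out of the request and answer it."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or length != len(request) or request[4] != TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP-Request/MD5-Challenge")
    challenge = request[6:6 + request[5]]
    value = md5_response(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident,
                      bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + username)

def authenticator_verify(response: bytes, challenge: bytes, password_db: dict) -> bytes:
    """Authentication-server side. It needs the CLEARTEXT password (or one it can
    reverse) to recompute the hash: the slide's 'cleartext password' on both ends."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or length != len(response) or response[4] != TYPE_MD5_CHALLENGE:
        return eap_packet(EAP_FAILURE, ident)
    vsize = response[5]
    value, name = response[6:6 + vsize], response[6 + vsize:length]
    password = password_db.get(name)
    if password is None or not hmac.compare_digest(value, md5_response(ident, password, challenge)):
        return eap_packet(EAP_FAILURE, ident)
    return eap_packet(EAP_SUCCESS, ident)

def offline_dictionary_attack(request: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """Eavesdropper: Identifier, challenge and response are all on the wire in the
    clear, nothing is salted or rate-limited, so the password is guessed offline."""
    ident, challenge = request[1], request[6:6 + request[5]]
    observed = response[6:6 + response[5]]
    for candidate in wordlist:
        if md5_response(ident, candidate, challenge) == observed:
            return candidate
    return None

def run_exchange(password: bytes = b"winter2024",
                 wordlist=(b"password", b"letmein", b"winter2024")) -> dict:
    """Run the whole slide: identity exchange, MD5 challenge, verdict, then the attack."""
    user, ident, challenge = b"alice", 7, os.urandom(16)
    identity_resp = eap_packet(EAP_RESPONSE, ident - 1, bytes([TYPE_IDENTITY]) + user)  # also cleartext
    req = authenticator_challenge(ident, challenge)
    resp = peer_response(req, password, user)
    verdict = authenticator_verify(resp, challenge, {user: password})
    wrong = authenticator_verify(peer_response(req, b"not-it", user), challenge, {user: password})
    return {
        "identity_on_wire": identity_resp[5:],
        "success": verdict[0] == EAP_SUCCESS,
        "wrong_password_fails": wrong[0] == EAP_FAILURE,
        "cracked": offline_dictionary_attack(req, resp, wordlist),
    }
```

Call `run_exchange()` to see a successful authentication and the same password recovered from the captured request/response pair. Note also that the server side needs the cleartext password to recompute the hash, so a directory that stores only one-way password hashes cannot back EAP-MD5 at all.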
802.1x with EAP-TLS: local store certificates
• Uses both user and computer certificates.
• Certificates deployed through auto-enrollment, Web enrollment, certificate import, or a manual request using the Certificates snap-in.
• The local computer store is always available.
• The user store (for the current user) is only available after a successful user logon, which is why machine authentication relies on the computer certificate.
802.1x with EAP-TLS: configuration page
• Mutual authentication enabled by default (the client validates the server certificate as well).
• Simple certificate selection.
802.1x with EAP-TLS: smart card certificates
• The user must enter a PIN to access the certificate on the smart card.
• The PIN is not requested again on subsequent re-authentications, such as a session time-out or roaming between wireless access points.
• When the user roams out of range and back in range, the PIN is requested again.
• Managing user certificates stored on local hard drives can be difficult, and some users move among computers; smart cards address both problems.
802.1x with PEAP-MSCHAPv2: what to consider
• Password-based authentication; not all networks have a PKI deployment (only the RADIUS server needs a certificate).
• Single sign-on (SSO): enables both machine and user authentication.
• Windows logon credentials can be used automatically (the default setting), or credentials can be provided by the user.
• The password proof is only as safe as the TLS tunnel around it: the client must validate the server certificate (issuing CA and server name), otherwise a rogue access point or switch fronting a rogue RADIUS server can collect MSCHAPv2 challenge/responses.
802.1x with PEAP-MSCHAPv2: configuration page
• By default, the fast reconnect feature (TLS session resumption) is disabled.
Campus Identity: Supplicants
Possible end-points:
• Windows XP: yes
• Windows 2000: yes (SP3 + KB)
• Linux: yes
• HP-UX: yes
• Solaris: yes
• HP printers: yes
• Windows 98: limited
• Windows NT4: limited
• Apple: yes
• IP phones: yes
• WLAN APs: yes
• …
(Pictured: Windows, HP JetDirect, Solaris, 7920, Apple, IP phones, WLAN APs, Pocket PC)
802.1x: Port-based network access control
• Falls under 802.1, NOT 802.11.
• This is a NETWORK standard, not a wireless standard.
• Incorporated by reference in 802.11i (still a draft when these slides were written) as its authentication framework.
• Provides network authentication, NOT encryption (the EAP method may derive keys, but encrypting the link is left to the medium, e.g. 802.11i).
Know before you start!
An 802.1x implementation requires knowledge from several domains:
• Switch or AP compliance and configuration.
• Certificate Services (the hidden part of the ICEBERG), if you intend to use EAP-TLS.
• RADIUS server, especially when you have a multi-domain directory infrastructure.
• Smart-card services, if you intend to use them instead of user certificates.
• Various client deployment scenarios.
Demo: Wired Client Authentication, 802.1x with PEAP-MSCHAPv2
• Cisco switch configuration
• Active Directory configuration
• Installation of IAS (RADIUS)
• Installation of Certificate Services
• XP client configuration
New Horizons' Partners

Editor's Notes

• #2: My name is Deniz Kaya and today I will be speaking about the 802.1x authentication standard, how to configure it on Cisco Catalyst switches, and also the 802.1x authentication client in Microsoft Windows. In the year 2000, IEEE created the 802.1x specification. This was done to further protect wired and wireless networks. First of all, I want to lay the groundwork of what 802.1x authentication really is, and how it enhances network security. We'll talk briefly about the specifics of the protocol, and we'll also get into implementation and EAP methods (Extensible Authentication Protocol methods). And then we'll talk about the kind of configuration and the type of scenarios that you'll be using 802.1x in.