802.1X Authentication
Deniz Kaya
Microsoft, Cisco, Ironport Trainer
CCSI, CCNP, MCT, MCSE, ICSI, ICSP
…While the Assets Needing to be
Protected are Expanding
831
Teleworker
Partner/Vendor
Cable
Provider
VPN
Head-End
Service Provider/
Internet
City Hall
Airport
Library
One physical network, must
accommodate multiple logical
networks (user groups) each
with own rules.
IDENTITY:
So, you said MAC Address ?
Win 2K & XP allow easy
change for MAC
addresses
MAC address is not an
authentication
mechanism…
Determining “who” gets access and
“what” they can do
Campus Network
User Identity Based
Network Access
Unauthorized
Users/Devices
•
•
•
•
User Based Policies Applied
(BW, QoS etc)
Authorized
Users/Devices
Equivalent to placing a Security Guard at each Switch Port
Only Authorized users can get Network Access
Unauthorized users can be placed into “Guest” VLANs
Prevents unauthorized APs
What Exactly Is 802.1x?
• Standard set by the IEEE 802.1 working
group.
• Describes a standard link layer protocol
used for transporting higher-level
authentication protocols.
• Works between the Supplicant and the
Authenticator.
• Maintains backend communication to an
Authentication Server.
Some IEEE Terminology
IEEE Terms
Normal People
Terms
Supplicant
Client
Authenticator
Network Access Device
Authentication Server
AAA/RADIUS Server
What Does it Do?
• Transport authentication information in the form of
Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) becomes the middleman for
relaying EAP received in 802.1x packets to an
authentication server by using RADIUS to carry the
EAP information.
802.1x Header
EAP Payload
What is RADIUS?
• RADIUS – The Remote Authentication Dial In
User Service
• A protocol used to communicate between a
network device and an authentication server or
database.
• Allows the communication of login and
authentication information. i.e..
Username/Password, OTP, etc.
• Allows the communication of arbitrary value
pairs using “Vendor Specific Attributes” (VSAs).
UDP Header RADIUS Header
EAP Payload
802.1x – enhancing LAN security
Topology
Wired Access Control Model
Client and Switch Talk 802.1x
Switch Speaks to Auth Server Using RADIUS
Actual Authentication Conversation Is between Client and Auth Server Using EAP;
the Switch Is Just a Middleman, but Is Aware of What’s Going on
• RADIUS acts as the transport for EAP, from the
authenticator (switch) to the authentication server (RADIUS
server)
•RADIUS is also used to carry policy instructions back to
the authenticator in the form of AV pairs.
Identity Based Network Services
Switch applies policies and
enables port.
• Set port to enable
• set port vlan 10
802.1x Capable Client
IEEE802.1x
+ VLANS
+ VVID
+ ACL
+ QoS
Login Request
VLAN 10
Login InfoVLAN
Engineering
Login Good!
Apply Policies
Verify Login and
Check with Policy DB
4000 Series
3550/2950 Series
Login + Certificate
Login Verified
6500 Series
Access Points
802.1x Capable Access Devices
AAA Radius Server
802.1x Authentication Server
Active Directory
Login and Certificate Services
802.1x client implementation in
Windows
• Wired interfaces – enabled by default
• Wireless interfaces – integrated with the
wireless configuration client
– Enabled by default if privacy is enabled
– Dynamic keys usage enforcement
• User and computer authentication
enabled by default
802.1x in Microsoft Windows
Machine and user authentication
Startup
Machine
Machine credentials available
(use machine credentials)
Machine authentication success
Machine authentication failure
User logon
User credentials available
(use user credentials)
User authentication success
User authentication failure
User logoff
Windows Machine Authentication
Power
Up
Load
NDIS
drivers
802.1x
Authenticate
as Computer
DHCP
Setup Secure
Channel to DC
Update GPOs
Apply
Computer
GPOs
Present GINA
(Ctrl-Alt-Del)
Login
• What is Machine Authentication?
The ability of a Windows workstation to authenticate under it’s own identity,
independent of the requirement for an interactive user session.
• What is it used for?
Machine authentication is used at boot time by Windows OSes to
authenticate and communicate with Windows Domain Controllers in order to
pull down machine group policies.
• Why do we care?
Pre-802.1x this worked under the assumption that network connectivity was
a given. Post-802.1x the blocking of network access prior to 802.1x
authentication breaks the machine based group policy model – UNLESS the
machine can authenticate using its own identity in 802.1x .
802.1x in Microsoft Windows
802.1x authentication configuration page
• Same for wired and
wireless
• Provides control
over computer and
guest authentication
• EAP method setting
What is EAP?
• EAP – The Extensible Authentication
Protocol
• A flexible protocol used to carry arbitrary
authentication information.
EAP
TLS
MD5
PEAP
MS-CHAPv2
TLS
IKE
GSS_API
Kerberos
EAP
layer
EAP
PPP
802.3
802.5
method
layer
802.11
Other…
media
layer
802.1x authentication client
EAP methods available in Windows
• EAP-TLS (Transport Level Security) – default
setting for 802.1x client in Windows
• PEAP (Protected EAP) allows inner methods
– TLS (certificate based)
– Microsoft Challenge Handshake Authentication
Protocol v2 (MSCHAPv2) (password based)
• EAP-MD5 – available for wired networks only
– Doesn’t provide encrypted session between
supplicant and authenticator
– Transfers password hashes in clear
802.1x authentication client
EAP methods – wired and wireless networks
EAP with MD5
Peer
Authenticator
cleartext password
cleartext password
Random challenge
R = MD5(password,challenge)
Check that
MD5(password,challenge)
equals the response
802.1x with EAP-TLS
Local store certificates
• Uses both user and computer certificates
• Certificates deployed through autoenrollment, Web enrollment, certificate
import, or manual request using the
Certificates snap-in
• Local computer store is always available
• The user store (for a current user) is only
available after a successful user logon
802.1x with EAP-TLS
Configuration page
• Mutual authentication
enabled by default
• Simple certificate
selection
802.1x with EAP-TLS
Smart card certificates
• User must enter PIN to access the certificate
on the smart card.
– PIN input is not required again on subsequent reauthentication tries – like session time-out or
roaming on wireless networks.
– When roaming out of range and back in range, user
will be re-prompted for PIN.
• Managing user certificates stored on local hard
drives can be difficult, and some users may
move among computers.
802.1x with PEAP-MSCHAPv2
What to consider
• Password-based authentication – not all
networks have a PKI deployment.
• Single sign-on (SSO).
• Enables both machine and user
authentication.
• Windows logon credentials can be
automatically used (default setting), or
credentials can be provided by user.
802.1x with PEAP-MSCHAPv2
Configuration page
• By default, fast
reconnect feature
is disabled.
Campus Identity - Supplicants
• Possible End-Points :
Windows
Solaris
IP Phones
HP Jet Direct
7920
WLAN APs
Apple
Pocket PC
Windows XP – Yes
Windows 2000 – Yes (SP3 + KB)
Linux – Yes
HP-UX – Yes
Solaris - Yes
HP Printers – Yes
Windows 98 – Limited
Windows NT4 – Limited
Apple – yes
IP Phones – yes
WLAN APs – yes
….
802.1x
Port based network access control
• Falls under 802.1 NOT 802.11
• This is a NETWORK standard, not a
wireless standard
• Is PART of the 802.11i draft
• Provides Network Authentication, NOT
encryption
Know before you start !
• 802.1x Implementation requires various
knowledge from different domains
– Switch or AP Compliance and configuration
– Certificate Services (Hidden part of the
ICEBERG) if you intend to you EAP-TLS
– Radius Server, especially when you have a
multi-domain-directory infrastructure
– Smart-card services, if you intend to use
them instead of user certificates
– Various Client Deployment Scenarios
Demo – Wired Client Authentication
802.1x with PEAP-MSCHAPv2
•
•
•
•
•
Cisco Switch Configuration
Active Directory Configuration
Installation of IAS (Radius)
Installation of Certificate Services
XP Client Configuration
New Horizons' Partners