802.1X Configuration

802.1X Configuration
Terena 802.1X workshop
the Netherlands, Amsterdam, March 30th
Paul Dekkers
Overview
2
EAP
3
What makes EAP flexible
4
Man-in-the-Middle attack
That’s why we need a good EAP mechanism!
5
RADIUS proxy-ing
6
RADIUS
• Client-Server model
– Authenticator is a RADIUS client
– Authentication-server is the RADIUS server
– RADIUS server can be a client as well
7
RADIUS – what’s in the packet
• UDP, ports 1645/1646 or 1812/1813
Mind the firewall!
• Attributes, like User-Name, User-Password, EAP-Message
• Shared Secret
8
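As an added illustration of what this slide lists in the packet (example code written for this page, not from the workshop and not Radiator's code): the Type/Length/Value attribute encoding, the User-Password hiding of RFC 2865 that is keyed by the shared secret and the Request Authenticator, and the Response Authenticator check a RADIUS client (the authenticator) uses to tell a genuine Access-Accept from a forged one. The secret, user name, password and user database are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones used here).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed demo secret; real deployments use a long random secret per client.
DEMO_SECRET = b"example-shared-secret"


def attribute(attr_type, value):
    """Encode one attribute as Type / Length / Value (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(body):
    """Walk the attribute list into (type, value) pairs, refusing bad lengths."""
    pos, out = 0, []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute length at offset %d" % pos)
        out.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return out


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: NUL-pad to 16-octet blocks, XOR with an MD5 chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block  # next key is chained on this ciphertext block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: invert hide_password and strip the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    """Code / Identifier / Length / Authenticator(16) / Attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def access_request(username, password, secret, identifier):
    """Authenticator (RADIUS client) side: fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [attribute(ATTR_USER_NAME, username),
             attribute(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, identifier, req_auth, attrs), req_auth


def response_authenticator(code, identifier, body, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def access_response(code, identifier, req_auth, secret, attributes=()):
    """Server side: the reply's authenticator binds it to one request and one secret."""
    body = b"".join(attributes)
    auth = response_authenticator(code, identifier, body, req_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(packet, req_auth, secret):
    """Client side: accept only a reply computed with our secret over our Request Authenticator."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(packet, secret, user_db):
    """Minimal server: recover the password, compare it, answer Accept or Reject."""
    code, identifier, _ = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:]))
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return access_response(ACCESS_REJECT, identifier, req_auth, secret)
    given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(user_db.get(attrs[ATTR_USER_NAME], b""), given)
    return access_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, req_auth, secret)
```

The shared secret is the only thing that authenticates both directions: a reply with a wrong secret, a changed Identifier or a different Request Authenticator fails `verify_response`, and a request with a wrong secret decodes to a wrong password. This MD5-based protection is also why RADIUS between authenticator and server belongs on a trusted network or inside a tunnel, and why the user's own credentials are better carried in an EAP method that wraps them in TLS (TTLS or PEAP, as configured later in this deck) than in a plain User-Password attribute.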
RADIUS and REALMS
• Use well-chosen realms: preferably like an e-mail address, user@institution.ccTLD
Important with PROXY-ing
9
Guest Access
10
Traffic separation without 1x
11
Traffic separation with 1x
[Diagram: Supplicant → Authenticator (AP or switch) → RADIUS server at University X → Central RADIUS proxy server → RADIUS server at the SURFnet office; each RADIUS server has its own User DB. Local users are placed in the Employee VLAN or the Students VLAN, the visiting user Paul.Dekkers@surfnet.nl in the Guest VLAN; all VLANs lead to the Internet.]
12
Traffic separation with 1x
13
Hands-on setup
14
Configuration: Radiator
Linear
Global configuration
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /etc/radiator
Clients
Handlers
15
Configuration: Radiator
RADIUS Clients
<Client 192.168.1.2>
Secret 6.6obaFkm&RNs666
Identifier AP1
IdenticalClients 192.168.1.3, 192.168.1.4
</Client>
16
Configuration: Radiator
<Handler Realm=surfnet.nl>
<AuthBy FILE>
Filename users
</AuthBy>
</Handler>
17
Configuration: Radiator
<Handler Realm=surfnet.nl>
<AuthBy FILE>
Filename users
EAPType TTLS, PEAP, MSCHAP-V2
EAPTLS_CAFile root-ca.pem
EAPTLS_CertificateFile server.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile private.pem
EAPTLS_PrivateKeyPassword secret
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
</AuthBy>
</Handler>
18
Configuration: Radiator
<Handler Realm=surfnet.nl, Request-Type=Accounting-Request>
# Accept, and log
</Handler>
<Handler Realm=surfnet.nl, TunnelledByTTLS=1>
# PAP
</Handler>
<Handler Realm=surfnet.nl, TunnelledByPEAP=1>
# EAP-MSCHAPv2
</Handler>
<Handler Realm=surfnet.nl>
# EAP-TTLS and EAP-PEAP
</Handler>
19
Configuration: Radiator, Identifiers and Catch-all
<AuthBy RADIUS>
Identifier SURFNET-PROXY
Host radius-proxy.surfnet.nl
Secret Sdfg8WeR98r09d8fg
AuthPort 1812
AcctPort 1813
</AuthBy>
<Handler>
AuthBy SURFNET-PROXY
</Handler>
20
RADIUS proxy-loop
• A good configuration is more complex, and often lacks prevention of proxy loops
21
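The realm slide, the four `<Handler Realm=surfnet.nl ...>` blocks, the `<Handler>` catch-all that proxies to SURFNET-PROXY, and the proxy-loop warning all come down to one routing decision per request. The following is an added model of that decision (example code written for this page; it is not Radiator and not the workshop's code). It mirrors Radiator's documented first-match rule, in which the first Handler whose check items all match handles the request, so a catch-all placed first swallows everything. The loop guard, which rejects a request that already carries this server's own identifier in its per-hop state or has crossed more than a fixed number of proxies, is an illustrative design in the spirit of the Proxy-State attribute, not Radiator's mechanism; `MY_ID`, `MAX_HOPS` and the handler names are constructed.

```python
from dataclasses import dataclass, field

MY_ID = "radius.surfnet.nl"   # constructed identifier this proxy stamps on forwarded requests
MAX_HOPS = 4                   # constructed policy: more proxies than this means something is wrong


def split_realm(user_name):
    """Split 'user@institution.ccTLD' into (user, realm); no '@' gives realm None."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower()


def classify(user_name, request_type="Access-Request", **tunnel_flags):
    """Build the check-item view of a request: Realm, Request-Type and any EAP tunnel flags."""
    _, realm = split_realm(user_name)
    attrs = {"Request-Type": request_type, **tunnel_flags}
    if realm is not None:
        attrs["Realm"] = realm
    return attrs


@dataclass
class Request:
    attrs: dict                                       # check items seen by the Handlers
    proxy_state: list = field(default_factory=list)   # one entry per proxy hop so far


# Same order as the deck: most specific first, the realm-less catch-all last.
HANDLERS = [
    ({"Realm": "surfnet.nl", "Request-Type": "Accounting-Request"}, "accept-and-log"),
    ({"Realm": "surfnet.nl", "TunnelledByTTLS": 1}, "pap-inner"),
    ({"Realm": "surfnet.nl", "TunnelledByPEAP": 1}, "mschapv2-inner"),
    ({"Realm": "surfnet.nl"}, "eap-outer"),
    ({}, "SURFNET-PROXY"),
]


def matches(check_items, attrs):
    """A Handler matches when every one of its check items equals the request's value."""
    return all(attrs.get(key) == value for key, value in check_items.items())


def select_handler(handlers, attrs):
    """First-match semantics: the first Handler whose check items all match wins."""
    for check_items, name in handlers:
        if matches(check_items, attrs):
            return name
    return None


def route(request, handlers, my_id=MY_ID, max_hops=MAX_HOPS):
    """Pick a Handler; apply the loop guard to anything that would be proxied."""
    name = select_handler(handlers, request.attrs)
    if name is None:
        return "Reject", "no matching handler"
    if name == "SURFNET-PROXY":
        if my_id in request.proxy_state:
            return "Reject", "proxy loop: request already passed through " + my_id
        if len(request.proxy_state) >= max_hops:
            return "Reject", "too many proxy hops"
        request.proxy_state.append(my_id)   # stamp our hop before forwarding
        return "Proxy", name
    return "Local", name
```

Two things to check in a real configuration follow from this model: a user without a realm (plain `paul` instead of `paul@surfnet.nl`) never matches a `Realm=` Handler and falls through to the catch-all, so it gets proxied instead of authenticated locally; and the catch-all must be the last Handler, because moving it first sends every local user to the proxy as well.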
Configuration: Access-Point
22
Cisco AP - RADIUS
AP1(config)#aaa new-model
AP1(config)#aaa group server radius rad_eap
AP1(config-sg-radius)#server 192.87.116.63 auth-port 1812 acct-port 1813
AP1(config-sg-radius)#exit
AP1(config)#aaa group server radius rad_acct
AP1(config-sg-radius)#server 192.87.116.63 auth-port 1812 acct-port 1813
AP1(config-sg-radius)#exit
AP1(config)#aaa authentication login eap_methods group rad_eap
AP1(config)#aaa accounting network acct_methods start-stop group rad_acct
AP1(config)#radius-server host 192.87.116.63 auth-port 1812 acct-port 1813 key X
23
Cisco AP - Wireless Interface
AP1(config)#interface dot11Radio 0
AP1(config-if)#encryption mode ciphers wep40
AP1(config-if)#broadcast-key change 1800
AP1(config-if)#no ssid tsunami
AP1(config-if)#ssid SURFnet
AP1(config-if-ssid)#authentication open eap eap_methods
AP1(config-if-ssid)#guest-mode
AP1(config-if-ssid)#^Z
24
Cisco switch – enable RADIUS
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.168.100.1x auth-port 1812 key <secret>
25
Cisco switch – enable 802.1x
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# spanning-tree portfast
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x guest-vlan 60
Switch(config-if)# end
26
Windows and wired 802.1x
27
Extra in hands-on
• Configuration of VLANs:
– Can you enable “roaming” with another group?
– Can you create an SSID for users without 802.1x?
28