Œ Authentication: The user or machine sends a Network Access

advertisement
FONTANNAUD Olivier
MARC Antoine
FI2A G2 P2
27/03/08
English Projectr
802.1X
1/7
Companies today have to protect their information. They need to install a very safe
network and prevent strangers to steal sensitive data. That's why the 802.1x protocol
has been created. It has been designed to protect physically the access a network.
I - Standard presentation
802.1X is a standard created by the IEEE organization (Institute of electrical and
electronics engineers) in June 2001. The purpose of 802.1X is to identify a user who
wants to access a network by the help of an authentication server.
It works with three entities:
1) The supplicant : It's the client asking to access the network
2) The authenticator: It's the network equipment which the client connects to. It will
ask the server if the client has right to access the network or not.
3) The authentication server: It’s the server possessing the list of users and decide if
the client will be authorized to access the network or not.
3 Steps of connections when you're using 802.1X
2/7
The
supplicant try to connect on a port waiting for an 802.1X authentication. At
this time the port is on not controlled mode.
The supplicant enter his access information (login and password), and the switch
communicate with the authentication server with the EAP protocol.
If the authentication successful the port change state to controlled mode and the
supplicant can access to network resources.
II- Protocol presentation
1) EAP
Communication between the supplicant and the authenticator is assured by the EAPOL
protocol (Extensible Authentication Protocol Over Lan). It was created to transport
authentication information and use different methods.
Here are the different methods:
 EAP-TLS (Transport Layer Security):
This method is based on digital certificates. The server and the client authenticate
themselves mutually while coding the exchanged data during this phase. A public and a
private key are used to create a secure tunnel between the client and the server. With
this protocol the client doesn’t have to type a password because the certificate allows the
authentication.
 EAP-MD5 Challenge:
3/7
With this method the user will be identified with his login and password. But these data
are coded on the network. The challenge/answer method is used. The server sends a
challenge to the client, then the client send his password related to that challenge. With
this password the server compare the result with the password in his database. If the
password are the same the access is authorized else the access is refused.
 Protected EAP (PEAP):
With the PEAP only the authentication server has a digital certificate. It transmits it to the
client who will be able to authenticate it. Then a secure TLS tunnel is created is
established between the client and the server. The client is authenticated with any EAP
method but he will benefit of secure transmission by the help of the TLS tunnel.
 EAP-TTLS (Tunneled Transport Layer Security):
This method combines all the advantages of authentication with the login / password
couple, the coded data with the tunnel and the server authentication with a certificate.
2) Radius
Communication between the authenticator (network equipment) and the authentication
server is assured by the EAP over RADIUS protocol (Remote Authentication Dial-In User
Service).
Radius protocol makes the link between identification data and user database by assuring
the transport of normalized authentication data. The authentication operation is initiated
by a client of the RADIUS service who can be a wireless access point, a firewall, a switch,
another server. The server uses an external base if necessary to treat with this operation:
SQL database, LDAP directory, users account.
4/7
RADIUS servers use the AAA concept:
Authentication: The user or machine sends a Network Access Server) a request for
access to a particular network resource.
Authorization:
The RADIUS server checks that the information is correct using
authentication schemes like EAP.
Accounting:
When network access is granted to the user by the authenticator, an
Accounting Start request is sent by the authenticator to the RADIUS server to signal the
start of the user's network access.
II- 802.1X implementation
Here, you can see Martin, Mario and Marion trying to access the network. Thanks to
802.1X they will be able to access to the network resources like the printer, web server,
etc.
Martin is an administrator; he can access all the resources on the network. When he is
authenticated by the authentication server (EAP mechanism) he is assigned to the
“admin” virtual network.
Marion and Mario are just employees, they can’t access to the entire network. As an
example Mario is a student, he can’t access to the printer but Marion is a teacher she
will be able to print documents.
5/7
802.1X allows:
Forces all users to authenticate before network port is opened
Work well with a wide variety of devices (PDA, laptop, etc.)
Various authorizations can be configured (time to access resources, limited access)
Dynamic virtual network (vLAN) attribution
Limitations:
 Limited authorization at layer 2 only (by vLAN)
 Does not have the ability to control network traffic from authorized users
 Doesn’t give many information about the client connection, just when it starts, stop
and how much it’s used
As a conclusion, we can say that 802.1X will be probably used a lot in the future because
it’s very flexible. This protocol will be very useful for the technologic evolution centered
on the wireless because a computer is not assigned to a vLAN by the port but by the
authentication mechanism. But 802.1X has its limits; maybe a more advanced standard
with authorizations at layer 3 will be created someday?
BIBLIOGRAPHY
6/7
http://wapiti.enic.fr/Commun/ens/peda/options/ST/RIO/pub/exposes/expos
esrio2005/sert-deprey/vlan.htm
http://fr.wikipedia.org/wiki/Protocole_AAA
http://2003.jres.org/actes/paper.111.pdf
http://fr.wikipedia.org/wiki/Radius_%28informatique%29
http://fr.wikipedia.org/wiki/IEEE_802.1
http://www.netcraftsmen.net/welcher/papers/dot1x.html
7/7
Download