802.1x_Port_and_MAC_base_function

Networking and Communications

Oct 26, 2013

Page 1


Agenda

802.1x mechanism
  802.1x solution & Non-802.1x solution

D-Link 802.1X Based Security Solution
  Port-Based 802.1x and MAC-based 802.1x
  Port-Based 802.1x with Guest VLAN function

D-Link Non-802.1X Based Security Solution
  MAC-Based Access Control (MAC)
  MAC-Based Access Control (MAC) with Guest VLAN
  WEB-Based Access Control (WAC)

Page 2

802.1X & Non-802.1X

802.1X Authentication Mechanism

The 802.1X authentication mechanism consists of three components:

Authentication Server (RADIUS Server)
The Authentication Server validates the identity of the client and notifies the switch of the result.

Authenticator (Switch)
The Authenticator requests identity information from the client, verifies that information with the Authentication Server, and relays the response to the client.

Client
The client requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client (supplicant) software (e.g. Windows XP has a built-in 802.1X supplicant).

Disadvantage of 802.1X

Even though 802.1X is a secure authentication method, the need to put an 802.1X supplicant on every client and to operate a RADIUS server is the main obstacle to deployment. It is not only costly but also resource-consuming to set up and maintain.

Page 3


Non-802.1x Authentication Mechanism

By contrast, the Non-802.1X methods make authentication easier to deploy and more user-friendly. They compensate for what 802.1X lacks and simplify the rollout. This clientless mechanism is flexible and still enforces access control, with the caveat that a MAC address identifies a device rather than a user and can be copied by another host, so it gives weaker assurance than an 802.1X credential.

The benefits

Easier deployment (no client software to worry about)

Lower maintenance cost (the RADIUS server becomes optional)

Better user experience (e.g. the MAC function, which lets users skip keying in a username and password during authentication)

Emerging Non-802.1X authentication solutions are in demand. They mostly need no extra client software and are easy to deploy and maintain.

Therefore D-Link develops comprehensive solutions for both 802.1X and Non-802.1X environments to increase productivity without compromising the security of the network.

802.1X & Non-802.1X

Page 4

D-Link 802.1X Based Security Solution

802.1x mechanism

802.1x Port-Based and 802.1x MAC-Based

Implementing Port-Based 802.1x with Guest VLAN

Page 5

What is 802.1x Authentication?

o Authenticate User Identity

The 802.1X protocol is the popular LAN authentication protocol ratified by the IEEE. It enables user authentication in both wireless and wired environments. The 802.1X service is already included in the Microsoft Windows XP and Vista operating systems.

Port-based 802.1x:
Users have to be authenticated before accessing the network, and the switch will unlock the port only after a user passes authentication.

D-Link's Implementation

MAC-based 802.1x:
A D-Link switch can perform authentication per MAC address. This means each switch port can authenticate the access rights of multiple PCs.

Diagram: an 802.1x Auth Request from the client (Username: Crowley, Password: ***********) is checked by the switch against the user table on the Radius Server:

Username   Password
--------   --------
Crowley    mygoca-ah
Anderson   busy2
Shinglin   4wireless

Page 6

IEEE 802.1x Definition

Defines a Client/Server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each Client connected to a switch port before making available any services offered by the switch or the LAN.

Diagram: several 802.1x Clients and one Unauthorized device connect to the Switch (Authenticator); the Switch talks to the Radius Server (Authentication Server) and provides the uplink to the Internet.

Page 7

The three different roles in IEEE 802.1x:

"Client" (NIC Card): Ethernet 802.3, Wireless PC Card, etc.
"Authenticator" (Network Port): Access Point, Ethernet Switch, etc.
"Authentication Server" (AAA Server): any EAP server, mostly RADIUS

Client <-- EAP Over LAN / EAP Over Wireless (802.3 or 802.11) --> Authenticator <-- encapsulated EAP messages, typically on RADIUS --> Authentication Server

Before Authentication: only EAPOL packets pass the port.
After Authentication: normal packets pass the port.

Before a Client is authenticated, 802.1x access control allows only EAPOL traffic to pass through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

* RADIUS Server provides Authentication, Authorization, Accounting (AAA) service

Page 8
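The rule on this slide (only EAPOL before authorization, everything else after) is easiest to see in the frames themselves. The following is an added example, not part of the D-Link deck: it builds and parses the Ethernet/EAPOL/EAP headers that the supplicant and authenticator exchange on an unauthorized port, and shows the ethertype check that is the whole of the pre-authentication filter. Constants are the IEEE 802.1X values; the MAC addresses, the username and the IPv4 frame are constructed for the example.

```python
# Added example, not from the D-Link deck: EAPOL/EAP framing on an
# unauthorized port and the filter the authenticator applies to it.
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1                               # 802.1X-2001 framing

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header Code(1) Identifier(1) Length(2), then Type(1) and Type-Data
    for Request/Response; Success/Failure carry no type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src, eapol_type, body=b"", dst=PAE_GROUP_MAC):
    """Ethernet header followed by the EAPOL header Version(1) Type(1) Length(2)."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body)


def is_eapol(frame):
    """The only thing the uncontrolled port accepts before authorization."""
    return len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_eapol(frame):
    """Decode Ethernet+EAPOL(+EAP), rejecting truncated or inconsistent lengths."""
    if not is_eapol(frame):
        raise ValueError("not an EAPOL frame")
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    parsed = {"src": frame[6:12], "eapol_type": etype, "eap": None}
    if etype == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > length:
            raise ValueError("bad EAP length")
        parsed["eap"] = {"code": code, "id": ident,
                         "type": body[4] if elen > 4 else None,
                         "data": body[5:elen]}
    return parsed


def identity_exchange(username, client_mac=bytes.fromhex("001122334455"),
                      switch_mac=bytes.fromhex("00aabbccddee")):
    """The first three messages of the deck's flow: EAPOL-Start,
    EAP-Request/Identity, EAP-Response/Identity. Returns the identity the
    authenticator would copy into the RADIUS User-Name attribute."""
    start = eapol_frame(client_mac, EAPOL_START)
    assert parse_eapol(start)["eapol_type"] == EAPOL_START
    # Authenticator answers to the supplicant's own MAC with an Identity request.
    request = eapol_frame(switch_mac, EAPOL_EAP_PACKET,
                          eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), dst=client_mac)
    req = parse_eapol(request)["eap"]
    # Supplicant echoes the Identifier and supplies its identity.
    response = eapol_frame(client_mac, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY,
                                      username.encode()))
    resp = parse_eapol(response)["eap"]
    if (resp["code"] != EAP_RESPONSE or resp["id"] != req["id"]
            or resp["type"] != EAP_TYPE_IDENTITY):
        raise ValueError("unexpected EAP response")
    return resp["data"].decode()


# Constructed IPv4 frame (ethertype 0x0800) from the same client: an
# unauthorized port drops it, whatever it contains.
IPV4_FRAME = bytes.fromhex("ffffffffffff001122334455" "0800") + bytes(46)

if __name__ == "__main__":
    print("identity:", identity_exchange("James"))
    print("IPv4 frame allowed before auth:", is_eapol(IPV4_FRAME))
```

The filter is deliberately dumb: it keys on the ethertype alone, which is why the port stays closed to everything, including DHCP and ARP, until EAP-Success arrives. The length checks in `parse_eapol` matter on a real authenticator because these frames come from unauthenticated hosts by definition.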



802.1x Device Role

Device Roles: Client

Client:
The device (workstation) that requests access to the LAN and switch services, and responds to the identity/challenge requests from the switch and the RADIUS server.

The workstation must be running 802.1x-compliant client software, such as the supplicant built into the Microsoft Windows XP operating system.

Diagram: Workstation (Client) <-- Identity/challenge --> Switch (Authenticator) <--> RADIUS Server (Authentication Server)

Page 9



802.1x Device Role (Cont)

Device Roles: Authentication Server

Authentication Server:
The Authentication Server validates the identity of the clients and notifies the switch whether or not the client is authorized to access the LAN. RADIUS operates in a client/server model in which authentication information is exchanged between the RADIUS server and one or more RADIUS clients (here, the switch), protected by a shared secret configured on both sides.

* Remote Authentication Dial-In User Service (RADIUS)

Diagram: Workstation (Client) <--> Switch (Authenticator) <-- Request/challenge --> RADIUS Server (Authentication Server)

Page 10



802.1x Device Role (Cont)

Device Roles: Authenticator

Authenticator:
The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server: it requests identity information from the Client, verifies that information with the Authentication Server, and relays the request/response (identity and challenge) between the Client and the Authentication Server.

Diagram: Workstation (Client) <-- Identity/challenge --> Switch (Authenticator) <-- Request/challenge --> RADIUS Server (Authentication Server)

Page 11

802.1X Authentication process

Workstation (Client)  |  Switch (Authenticator)  |  RADIUS Server (Authentication Server)

Port Unauthorized
  Client -> Switch:  EAPOL-Start
  Switch -> Client:  EAP-Request/Identity
  Client -> Switch:  EAP-Response/Identity
  Switch -> Server:  RADIUS Access-Request
  Server -> Switch:  RADIUS Access-Challenge
  Switch -> Client:  EAP-Request/OTP
  Client -> Switch:  EAP-Response/OTP
  Switch -> Server:  RADIUS Access-Request
  Server -> Switch:  RADIUS Access-Accept
  Switch -> Client:  EAP-Success
Port Authorized
  Client -> Switch:  EAPOL-Logoff
  Switch -> Server:  RADIUS Account-Stop
  Server -> Switch:  RADIUS Ack
Port Unauthorized

* OTP (One-Time-Password)

Page 12

802.1X Authentication process (with addresses)

The same exchange, annotated with the example addresses used in the rest of this deck:

Workstation (Client)                    IP: 192.168.0.100
Switch (Authenticator)                  IP: 192.168.0.1
RADIUS Server (Authentication Server)   IP: 192.168.0.10

Arrow legend: Client to Switch, Switch to Server, Server to Switch, Switch to Client

* OTP (One-Time-Password)

Page 13
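The switch-to-server leg of the flow above is plain RADIUS. The following is an added example, not code from the D-Link deck or from any D-Link product: it shows how the authenticator (the RADIUS client) wraps the client's EAP-Response/Identity in an Access-Request, how the server seals its Access-Accept, and how each side checks the other using the shared secret (the `key` in the switch's RADIUS configuration). Packet layouts follow RFC 2865 and RFC 3579; the secret, identifier, addresses and username are constructed for the example.

```python
# Added example, not from the D-Link deck: the RADIUS Access-Request /
# Access-Accept pair that carries EAP between authenticator and server.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
A_USER_NAME, A_NAS_IP, A_NAS_PORT, A_EAP_MESSAGE, A_MSG_AUTH = 1, 4, 5, 79, 80

SECRET = b"123456"  # constructed; same value as the deck's `key 123456`
# EAP-Response/Identity "James": Code 2, Id 1, Length 10, Type 1 (constructed)
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 10) + b"\x01James"


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value, value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(secret, ident, username, eap, nas_ip, nas_port, req_auth=None):
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes.
    The EAP packet is split into 253-byte EAP-Message attributes and the whole
    packet is sealed with Message-Authenticator = HMAC-MD5(secret, packet with
    that attribute's value zeroed), as RFC 3579 requires when EAP is carried."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = (attr(A_USER_NAME, username.encode())
             + attr(A_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
             + attr(A_NAS_PORT, struct.pack("!I", nas_port)))
    for i in range(0, len(eap), 253):
        attrs += attr(A_EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(A_MSG_AUTH, bytes(16))  # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def attributes(pkt):
    """Walk the attribute list: [(type, offset, value)]; raises on bad lengths."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, pos, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute the HMAC with the attribute value zeroed.
    A missing or malformed Message-Authenticator fails too."""
    try:
        found = [(pos, v) for t, pos, v in attributes(pkt) if t == A_MSG_AUTH]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    pos, value = found[0]
    zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def eap_from_request(pkt):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, _, v in attributes(pkt) if t == A_EAP_MESSAGE)


def build_access_accept(secret, request, attrs=b""):
    """Response-Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Switch-side check: the Response-Authenticator must chain to the
    Request-Authenticator we sent; an Accept forged without the secret fails."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(SECRET, 7, "James", EAP_RESPONSE_IDENTITY, "192.168.0.1", 1)
    print("request verifies:", verify_message_authenticator(SECRET, req))
    print("accept verifies:", verify_response(SECRET, req, build_access_accept(SECRET, req)))
```

Two things worth noticing against the slide: the Request-Authenticator is random per request, so a captured Access-Accept cannot be replayed against a later request, and a real Access-Accept that ends an EAP conversation also carries an EAP-Message (EAP-Success) and its own Message-Authenticator, which the simplified `build_access_accept` above leaves out. Everything hangs on the shared secret; a short one like `123456` is only acceptable in a lab.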

Port Based 802.1x Example:

Topology: clients James, Gary and Ryan (each an 802.1x client using the WinXP built-in supplicant) share an L2 Switch/HUB that connects to port 1 of the DES-3828. The DES-3828 has Port-Based 802.1x enabled on ports 1-12, uplinks to the Internet, and uses a Win2003 Server running the RADIUS Server service at 192.168.0.10. James's workstation is 192.168.0.100.

RADIUS user table:

User    Password
James   123

Flow: James sends Username: James / Password: 123; the RADIUS server replies Username/Password Confirmed.

All of the clients connected to the L2 HUB can pass through the switch (DES-3828) once one client (Kobe) is authenticated.

(see Page 18)

Page 14



Port Based 802.1x Command Example:

DES3828 Configuration

1. Enable the 802.1x state on the device.
2. Configure the client-connected ports.
   (Note: the uplink port shouldn't be enabled as authenticator. No supplicant sits behind an uplink, so an authenticator-enabled uplink would stay unauthorized and block all traffic through it. The diagram shows ports 1-12; use the port list that actually faces clients.)
3. Configure the Radius Server setting.

    reset
    enable 802.1x
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

Client PCs configuration
Run 802.1x software.

RADIUS Server configuration
Radius: Windows NT/Windows 2000/2003 Server Radius Server Service or a third-party RADIUS server program

Page 15

MAC Based 802.1x Example:

Topology: clients James, Gary, Ryan, . . . (each an 802.1x client using the WinXP built-in supplicant) share an L2 Switch/HUB connected to the DES-3828. The DES-3828 has MAC-Based 802.1x enabled on ports 1-12, uplinks to the Internet, and uses a Win2003 Server running the RADIUS Server service at 192.168.0.10. James's workstation is 192.168.0.100.

RADIUS user table:

User    Password
James   123

Flow: James sends Username: James / Password: 123; the RADIUS server replies Username/Password Confirmed.

Each client needs to provide a correct username/password to pass authentication before it can access the network.

The DES-3828 is only capable of learning up to 16 MAC addresses per port.

NOTICE:
The L2 switch or hub should support 802.1x pass-through. Otherwise the 802.1x packet (destination MAC 01-80-C2-00-00-03, inside the IEEE reserved range 01-80-C2-00-00-01 to 01-80-C2-00-00-0F, which standard bridges do not forward) will be dropped by that switch and cannot reach the DES-3828.

(see Page 18)

Page 16



MAC Based 802.1x Example:

DES3828 Configuration

1. Enable the 802.1x state on the device, and change to mac_based mode.
2. Configure the client-connected ports.
   (Note: the uplink port shouldn't be enabled as authenticator.)
3. Configure the Radius Server setting.

    reset
    enable 802.1x
    config 802.1x auth_mode mac_based
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

Client PCs configuration
Run 802.1x software.

RADIUS Server configuration
Radius: Windows NT/Windows 2000/2003 Server Radius Server Service or a third-party RADIUS server program

Page 17


802.1x Port Based vs MAC Based

Port-based 802.1x (Page 14)
Once a port is authorized by one client, the other users connecting to the same port through a hub or switch can pass through the switch as well, without authenticating.

MAC-based 802.1x (Page 16)
1. Once a port is authorized by a client, only that client (its MAC address) can pass through the switch.
2. The switch not only checks the username/password but also checks whether the maximum number of MAC addresses allowed on the port has been reached. If it has, the new MAC is denied.

Page 18
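The two behaviours compared on this slide come down to one forwarding decision per frame. The following is an added example, not code from the D-Link deck or the DES-3828 firmware: a small model of a port in each mode, run through the hub scenario from the example slides (James authenticates, Gary fails, Ryan never tries) and through the per-port MAC limit. The names and MAC addresses are constructed; the 16-MAC figure is the one the deck quotes for the DES-3828.

```python
# Added example, not from the D-Link deck: port-based vs MAC-based
# authorization modelled as the decision the controlled port makes.
from dataclasses import dataclass, field

PORT_BASED, MAC_BASED = "port_based", "mac_based"  # the two auth_mode values
MAX_MACS_PER_PORT = 16                             # DES-3828 limit from the deck


@dataclass
class Port:
    mode: str
    max_macs: int = MAX_MACS_PER_PORT
    authorized: set = field(default_factory=set)   # MACs that passed 802.1X
    learned: set = field(default_factory=set)      # MACs counted against the limit

    def authenticate(self, mac, credentials_ok):
        """Outcome of an 802.1X exchange from `mac`: 'accept', 'reject' or 'mac-limit'."""
        if not credentials_ok:
            return "reject"
        if (self.mode == MAC_BASED and mac not in self.learned
                and len(self.learned) >= self.max_macs):
            return "mac-limit"        # slide: if the max is reached, deny the new MAC
        self.learned.add(mac)
        self.authorized.add(mac)
        return "accept"

    def logoff(self, mac):
        """EAPOL-Logoff from `mac`."""
        if self.mode == PORT_BASED:
            self.authorized.clear()   # the port goes unauthorized for everyone behind it
        else:
            self.authorized.discard(mac)
            self.learned.discard(mac)

    def forwards(self, src_mac):
        """Does a normal (non-EAPOL) frame from src_mac pass the controlled port?"""
        if self.mode == PORT_BASED:
            return bool(self.authorized)   # one authorized client opens the port for all
        return src_mac in self.authorized  # only the authenticated MAC itself


def hub_scenario(mode):
    """James authenticates; Gary fails; Ryan never tries. Returns who gets
    through after James's login and again after his EAPOL-Logoff."""
    port = Port(mode)
    hosts = {"James": "00:11:22:33:44:01", "Gary": "00:11:22:33:44:02",
             "Ryan": "00:11:22:33:44:03"}
    port.authenticate(hosts["James"], credentials_ok=True)
    port.authenticate(hosts["Gary"], credentials_ok=False)   # wrong password
    after_auth = {name: port.forwards(mac) for name, mac in hosts.items()}
    port.logoff(hosts["James"])
    after_logoff = {name: port.forwards(mac) for name, mac in hosts.items()}
    return after_auth, after_logoff


def mac_limit_scenario():
    """Seventeen valid users behind one MAC-based port: the 17th is refused
    even though its credentials are correct."""
    port = Port(MAC_BASED)
    return [port.authenticate(f"00:11:22:33:55:{i:02x}", True) for i in range(17)]


if __name__ == "__main__":
    for mode in (PORT_BASED, MAC_BASED):
        print(mode, hub_scenario(mode))
    print(mac_limit_scenario()[-2:])
```

Port-based mode is the one to avoid wherever a hub or an unmanaged switch sits behind the port: the model shows Ryan, who never authenticated, riding on James's session, and everyone losing access the moment James logs off. MAC-based mode fixes both, but note that `forwards` keys on the source MAC alone; a host that copies an authorized station's address is not distinguishable from it by this check, which is the limitation the Non-802.1X slide already hinted at.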