H c Bin, bien.ho@truongtan.edu.vn, 0985 196 884. Certifications: CCIE Written, CCNP, CCNA, MCSA, MCITP-EA, Security+, CEH.
RADIUS Implementation (diagram): Worcester site (10 NASs) and Boston site (10,000 users, 10 NASs), both served by 1 AAA server.
http://www.truongtan.edu.vn
What Is RADIUS?
A client/server protocol that enables remote access servers to communicate with a central server to authenticate and authorize users before they access that system. It is a standardized method of information exchange between RADIUS client and RADIUS server; simply put, a mechanism for delivering information.
Diagram: User -> RADIUS Client -> RADIUS Server, exchanging RADIUS Request/Response packets.
RADIUS Clients
PPP servers, VPN gateways, firewalls, wireless LAN access points.
Steel-Belted Radius
Central hub for distributed services: Authentication, Authorization, Accounting.
Server Groups (diagram): a RADIUS server group (RADIUS_1, RADIUS_2) and a TACACS+ server group (TACACS+_1, TACACS+_2), reached from a workstation.
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.
Example of Authentication
!
username myuser password secure_password
!
aaa new-model
! PPP sessions try RADIUS first, then TACACS+, then the local database
aaa authentication ppp default group radius group tacacs+ local
! console/vty logins on the "admin" list use the local database only
aaa authentication login admin local
!
radius-server host 10.0.1.12 key cisco
tacacs-server host 10.0.1.14 key cisco
!
line vty 0 4
 login authentication admin
Authorization
Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
Example of Authorization
aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
! network authorization (for example PPP) asks RADIUS, falling back to local
aaa authorization network myauth group radius local
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
!
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
Example of Accounting
aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
! send an accounting record at session start and at session stop
aaa accounting network myacct start-stop group radius
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ! list names must match the aaa authorization/accounting lists defined above
 ppp authorization myauth
 ppp accounting myacct
RADIUS
Authentication/Authorization: UDP ports 1645 and 1812
Accounting: UDP ports 1646 and 1813
Transport: UDP
Encrypts only passwords (up to 16 bytes); the rest of the packet is sent in the clear
AAA combined as one service
Industry standard
! TACACS+ equivalent of the RADIUS configuration
aaa new-model
aaa authentication login default group tacacs+
aaa authorization network default group tacacs+
aaa accounting network myacct start-stop group tacacs+
tacacs-server host 10.0.1.12
tacacs-server host 10.0.1.14
! global key for all TACACS+ servers, or a per-host key as on the last line
tacacs-server key cisco123
tacacs-server host 10.0.1.12 key cisco123
Network Configuration
Authentication flow (diagram):
1. The user opens a PPP/SLIP connection to the RADIUS client.
2. The RADIUS client sends an Access-Request packet (username/password) to the RADIUS server.
3. The RADIUS server performs validation/authentication.
4. The RADIUS server answers ACCEPT/REJECT.
5. The RADIUS client applies the result to the user's connection.
Accounting flow (diagram):
2. The RADIUS client sends ACCT Start/Stop packets.
3. The RADIUS server receives the RADIUS packets.
4. The server writes the records to the accounting database (SQL INSERT statement) or to an .ACT file.
What happens:
1. User logs on and gets service (ACCT Start).
2. User plays on the Internet (time accrues).
3. User disconnects.
4. RADIUS client generates and sends ACCT Stop with billing data.
Shared-secret encryption (diagram): Plaintext -> Encryption (shared secret / session key) -> Ciphertext -> Decryption -> Plaintext, shown for User 1.
Topology (diagram): PSTN and Internet connected through a router.
Web Interface
Software
Microsoft Windows 2000 Server, with SP4 installed
Windows 2000 Advanced Server, with the following conditions: with SP4 installed; without Microsoft Windows 2000 Cluster Service installed; without other features specific to Microsoft Windows 2000 Advanced Server enabled
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Access decision (diagram): valid credentials -> corporate network and corporate resources; invalid or no credentials -> no access.
Cisco IBNS
Unified Control of User Identity for the Enterprise
Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls
One-time password flow (diagram): VPN clients with hard and soft tokens; (1) login, (2) OTP server validation, (3) response.
802.1X roles (diagram): Supplicant <-EAPOL-> Authenticator <-RADIUS-> Authentication Server.
The controlled port is open only when the device connected to the port has been authorized by 802.1X.
The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic and CDP traffic only.
Diagram: controlled port (data traffic, opened on authorization) and uncontrolled port (EAPOL).
Diagram: EAPOL between supplicant and authenticator, RADIUS between authenticator and authentication server.
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.
802.1X sequence (diagram): EAPOL-Start; EAP Request/Identity; EAP Response/Identity; EAP authentication exchange (EAP-method dependent; the authenticator relays it to the AAA server, which returns Auth Success/Reject); EAP Success or EAP Failure; Port Authorized, policies applied; EAPOL-Logoff; Port Unauthorized.
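The controlled/uncontrolled port rule and the EAPOL sequence above, as an added Python model (not from the slides): the port forwards EAPOL and CDP at all times and other traffic only after EAP Success, and is closed again on EAP Failure, EAPOL-Logoff or link loss. The 'Supplicant Timeout' event, the guest VLAN number and the RADIUS-assigned VLAN 20 are constructed assumptions used to illustrate the optional guest VLAN and VLAN-assignment features mentioned later in the configuration steps.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E     # real IEEE 802.1X EAPOL Ethertype
ETHERTYPE_IPV4 = 0x0800
GUEST_VLAN = 999             # constructed value for the switch's guest VLAN

@dataclass
class Dot1xPort:
    """Authenticator-side view of one access port."""
    authorized: bool = False
    vlan: Optional[int] = None
    history: List[Tuple[str, bool, Optional[int]]] = field(default_factory=list)

    def on_event(self, event: str, assigned_vlan: Optional[int] = None) -> None:
        """Drive port state from the EAP/EAPOL events in the slide's sequence.
        EAP Success authorizes the port (optionally into a RADIUS-assigned VLAN);
        EAP Failure, EAPOL-Logoff and link loss return it to unauthorized;
        'Supplicant Timeout' (constructed) models the guest-VLAN fallback for
        hosts that never answer EAP Request/Identity."""
        if event == "EAP Success":
            self.authorized, self.vlan = True, assigned_vlan
        elif event == "Supplicant Timeout":
            self.authorized, self.vlan = True, GUEST_VLAN
        elif event in ("EAP Failure", "EAPOL-Logoff", "Link Down"):
            self.authorized, self.vlan = False, None
        self.history.append((event, self.authorized, self.vlan))

    def forwards(self, ethertype: int, is_cdp: bool = False) -> bool:
        """Uncontrolled port: EAPOL (and, on Cisco switches, CDP) always passes.
        Controlled port: everything else passes only while authorized."""
        return ethertype == ETHERTYPE_EAPOL or is_cdp or self.authorized

def replay(events: List[str], ethertype: int = ETHERTYPE_IPV4):
    """Return, per event, whether a data frame of the given Ethertype would be
    forwarded, plus the final port. VLAN 20 is a constructed RADIUS assignment."""
    port, passed = Dot1xPort(), []
    for ev in events:
        port.on_event(ev, 20 if ev == "EAP Success" else None)
        passed.append(port.forwards(ethertype))
    return passed, port
```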
What Is EAP?
EAP, the Extensible Authentication Protocol, is a flexible transport protocol used to carry arbitrary authentication information; it is not the authentication method itself. It typically runs directly over data-link layers such as PPP or IEEE 802 media. Originally specified in RFC 2284, obsoleted by RFC 3748. Supports multiple authentication types.
Cryptographic-based
EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
Other
EAP-GTC: generic token and OTP authentication
EAP Methods
EAP-MD5, EAP-TLS, PEAP with EAP-MS-CHAPv2
EAP-TLS exchange (diagram; EAPOL between supplicant and authenticator, RADIUS between authenticator and server): EAPOL-Start; EAP Request/Identity; EAP Response/Identity; EAP Request/TLS Start; EAP Response/TLS Client Hello; EAP Response/TLS Server Hello, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done; EAP Response/TLS Client Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, TLS Finished; EAP Request/TLS Change Cipher Spec, TLS Finished; EAP Response; EAP Success; protected tunnel established.
PEAP exchange (diagram): EAP Response/TLS Server Hello, Server Certificate, Server Key Exchange, Server Hello Done; EAP Response/Certificate Verify, Change Cipher Spec; EAP Request/TLS Change Cipher Spec; [Identity Request]; Identity Response; EAP-MS-CHAPv2 Challenge; EAP-MS-CHAPv2 Response; EAP Success. Phase 2 is protected: the inner identity and EAP-MS-CHAPv2 exchange are carried inside the TLS tunnel.
Diagram: port unauthorized.
Enable AAA:
switch(config)# aaa new-model
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.
Enable IEEE 802.1X authentication globally on the switch:
switch(config)# dot1x system-auth-control
(Optional) Enable the optional guest VLAN behavior globally on the switch.
View the IEEE 802.1X status for all ports or a specific port:
switch# show dot1x
Q&A