1. Page 1
Introduction – 802.1x Port-Based Authentication
Supplicant: IEEE 802.1X Client
· Microsoft native and Cisco Secure Services Client (SSC)
- Windows 2000 and later support 802.1x
Authenticator: Access Device
· Cisco Catalyst Switches and Access Points
- Cisco 2960 (IOS version 12.2(52)SE)
Back-End Database
· AD, LDAP
To prevent unauthorized devices from accessing the network
3. Page 3
Introduction – IEEE 802.1X Protocols
Extensible Authentication Protocol (EAP)
A flexible transport protocol used to encapsulate and carry authentication information
4. Page 4
Introduction – Default Security with 802.1x
[Diagram: an unknown user sends DHCP, TFTP, KRB5 and HTTP traffic through the switch port unchallenged]
No authentication required
No access control
Hard to identify users
5. Page 5
Introduction – Default Security with 802.1x
[Diagram: before authentication, the unknown user's DHCP, TFTP, KRB5 and HTTP traffic is blocked at the port; only EAPOL reaches the switch]
Before Authentication
Strict access control
Still hard to identify users
Only EAPOL, CDP and STP traffic pass before authentication
6. Page 6
Introduction – Default Security with 802.1x
[Diagram: the user authenticates with ID yichun / Pwd yichun; DHCP, TFTP, KRB5 and HTTP traffic is then allowed through the port]
After Authentication
User or device is known
Identity-based access control
Single MAC per port (except for IP phones and VMware)
7. Page 7
Introduction – Default Security with 802.1x
[Diagram: an unknown user sends DHCP and TFTP traffic but never answers the switch's EAPOL request ("No response")]
Clients that do not support 802.1x cannot send EAPOL
Only Windows 2000 and later support 802.1x
No access without EAPOL
8. Page 8
Introduction – IEEE 802.1X Decision-making
[Flowchart]
Start
Is the client IEEE 802.1x capable?
- Yes: the switch gets an EAPOL message, and the EAPOL message exchange begins.
  Start IEEE 802.1x port-based authentication
  - Client identity is valid: assign the port to a VLAN. Done.
  - Client identity is invalid: assign the port to a restricted VLAN. Done.
  - All authentication servers are down: use inaccessible authentication bypass (critical authentication) to assign the critical port to a VLAN. Done.
- No: the IEEE 802.1x authentication process times out. (1)
  Is MAC authentication bypass enabled?
  - Yes: use MAC authentication bypass
    - Client MAC address identity is valid: assign the port to a VLAN. Done.
    - Client MAC address identity is invalid: assign the port to a restricted VLAN. Done.
    - All authentication servers are down: use inaccessible authentication bypass (critical authentication) to assign the critical port to a VLAN. Done.
  - No: no access without EAPOL (see page 7); the slide draws no further step.
1 = This occurs if the switch does not detect EAPOL packets from the client.
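The decision flow on this slide, modelled as an added Python example (it is not code from the deck, from Cisco or from the author). The condition names, the PortEvent fields and the sample events are assumptions made for illustration; the function follows the slide's branches and checks server reachability before the identity result, since no identity can be evaluated while all authentication servers are down.

```python
"""Added illustration of the port-assignment decision drawn on this slide.
Not code from the original deck or from Cisco: the flowchart is modelled
as a pure function so that each branch can be exercised and traced.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Outcome(Enum):
    ACCESS_VLAN = "Assign the port to a VLAN"
    RESTRICTED_VLAN = "Assign the port to a restricted VLAN"
    CRITICAL_VLAN = ("Use inaccessible authentication bypass (critical authentication) "
                     "to assign the critical port to a VLAN")
    NO_ACCESS = "No access: no EAPOL seen and MAC authentication bypass is disabled"


@dataclass(frozen=True)
class PortEvent:
    """Conditions the switch observes on one access port (assumed field names)."""
    eapol_seen: bool              # client answered with EAPOL, i.e. it is 802.1x capable
    mab_enabled: bool             # MAC authentication bypass configured on the port
    servers_down: bool            # every authentication server is unreachable
    identity_valid: bool = False  # 802.1x credentials accepted by the back end
    mac_known: bool = False       # MAC address found in the back-end database (MAB)


def walk(ev: PortEvent) -> Tuple[Outcome, List[str]]:
    """Follow the flowchart for one event; return the outcome and the nodes visited."""
    steps = ["Start", "Is the client IEEE 802.1x capable?"]
    if ev.eapol_seen:
        steps += ["Yes: the switch gets an EAPOL message, and the EAPOL message exchange begins",
                  "Start IEEE 802.1x port-based authentication"]
        if ev.servers_down:                      # identity cannot be checked at all
            steps.append("All authentication servers are down")
            outcome = Outcome.CRITICAL_VLAN
        elif ev.identity_valid:
            steps.append("Client identity is valid")
            outcome = Outcome.ACCESS_VLAN
        else:
            steps.append("Client identity is invalid")
            outcome = Outcome.RESTRICTED_VLAN
    else:
        # Footnote 1: the 802.1x process times out when no EAPOL packets are detected.
        steps += ["No: IEEE 802.1x authentication process times out",
                  "Is MAC authentication bypass enabled?"]
        if not ev.mab_enabled:
            steps.append("No")
            outcome = Outcome.NO_ACCESS
        else:
            steps += ["Yes", "Use MAC authentication bypass"]
            if ev.servers_down:
                steps.append("All authentication servers are down")
                outcome = Outcome.CRITICAL_VLAN
            elif ev.mac_known:
                steps.append("Client MAC address identity is valid")
                outcome = Outcome.ACCESS_VLAN
            else:
                steps.append("Client MAC address identity is invalid")
                outcome = Outcome.RESTRICTED_VLAN
    steps += [outcome.value, "Done"]
    return outcome, steps


def decide(ev: PortEvent) -> Outcome:
    """Outcome only, for callers that do not need the trace."""
    return walk(ev)[0]


def count_outcomes(events: Iterable[PortEvent]) -> Dict[Outcome, int]:
    """Operator's view: how many ports land in each state, e.g. to notice a burst
    of restricted-VLAN assignments or an unexpected server-down fallback."""
    counts = {o: 0 for o in Outcome}
    for ev in events:
        counts[decide(ev)] += 1
    return counts


# Constructed sample events (not taken from the deck): one per flowchart path.
SAMPLE_EVENTS = [
    PortEvent(eapol_seen=True, mab_enabled=True, servers_down=False, identity_valid=True),
    PortEvent(eapol_seen=True, mab_enabled=True, servers_down=False, identity_valid=False),
    PortEvent(eapol_seen=True, mab_enabled=True, servers_down=True, identity_valid=True),
    PortEvent(eapol_seen=False, mab_enabled=True, servers_down=False, mac_known=True),
    PortEvent(eapol_seen=False, mab_enabled=True, servers_down=False, mac_known=False),
    PortEvent(eapol_seen=False, mab_enabled=True, servers_down=True, mac_known=False),
    PortEvent(eapol_seen=False, mab_enabled=False, servers_down=False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        _, steps = walk(ev)
        print(" -> ".join(steps))
    print(count_outcomes(SAMPLE_EVENTS))
```

Running the block prints one trace per sample event, which makes it easy to see that a device that never sends EAPOL reaches the access VLAN only through MAB, and that a server outage sends both 802.1x and MAB clients to the critical VLAN rather than the restricted one.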
9. Page 9
Introduction – MAC Authentication Bypass (MAB)
Devices with a known MAC address are granted access to the internet
Clients need no changes to implement authentication
10. Page 10
[Network diagram: the plant core switch (Cisco Catalyst 6509) connects by trunks to the server-room Cisco Catalyst 3560 switch and to the end-user Cisco Catalyst 2960 switches, which serve end-user PCs/notebooks. RADIUS server & Active Directory: 10.36.3.200 and 10.36.3.201.]
MAC authentication starts when a client connects to the 2960:
- Authentication FAIL (invalid MAC): unknown users are assigned to VLAN 362 (10.36.232.16~10.36.235.254, e.g. 10.36.232.16); access is denied.
- Authentication success: valid users are assigned to a user-specific VLAN; this user is assigned to VLAN 390 (10.39.X.X).
11. Page 11
System Environment
Environment and Equipment
– Microsoft Windows Server 2003 R2
– Cisco Catalyst 2960 series
• IOS Version: 12.2(52)SE
*12.2(40) and later support MAC-Auth-Bypass
Software
– Internet Authentication Service (IAS)
– Active Directory
– DNS Server
Editor's Notes
#1: IAS Server
- 10.36.3.200
- 10.36.3.201
- 10.62.1.200