Gary Freeman
Table of Contents
1 Executive Summary (page 3)
1.1 Overview (page 3)
1.2 Purpose (page 3)
1.3 Scope of this report (page 3)
1.4 The benefits of existing open switch port access (page 4)
1.5 The drawback of existing open switch port access (page 4)
1.6 Existing threats to corporate network (page 4)
1.7 Acronyms and abbreviations (page 5)
2 Technology Summary (page 6)
2.1 The 802.1x solution (page 6)
2.2 Pros and cons of methods for securing LAN access (page 6)
2.3 802.1x device roles (page 7)
2.4 Benefits of deploying 802.1x (page 7)
2.5 Diagram: port authentication with 802.1x (page 8)
2.6 How port authentication with 802.1x works (page 8)
2.7 PEAP overview (page 9)
2.8 MS-CHAP v2 overview (page 9)
2.9 PEAP with MS-CHAP v2 operation (page 10)
2.10 PEAP support in Windows (page 10)
3 Feasibility Study (page 11)
3.1 Functional objective (page 11)
3.2 Assumptions and constraints (page 11)
3.3 Materials and methods (page 12)
4 Recommendations and Conclusion (page 18)
4.1 Recommendation summary (page 18)
4.2 Pilot implementation best practices (page 18)
4.3 Resource roles and responsibilities (page 18)
4.4 Operational requirements (page 19)
4.5 Production configuration requirements (page 20)
4.6 Production impact: pilot (page 21)
4.7 Future considerations for 802.1x (page 21)
4.8 References (page 22)
1 Executive Summary
1.1 Overview
COMPANY-IT Network Services has worked diligently to provide ongoing support and availability to the numerous workgroups within the Company Group of Companies. This is achieved by replacing hubs with Cisco switches in areas with a large end-user population, providing DHCP, DNS and WINS services to the majority of LAN users nationally, and ensuring that all workgroup switch ports remain open so that Field Services can connect to the corporate LAN with ease. However, security has been a challenge for LAN segments: rogue equipment can be connected to the network, and because such equipment can itself be infected and roam with its users, it is impossible to track and thwarts efforts to contain viruses and other attacks. The latest open standard protocol for port-based authentication, 802.1x, provides a roadmap for implementing improved switch port security. Not surprisingly, an authentication server, long a cornerstone of remote access security, plays a pivotal role in securing 802.1x port authentication.
1.2 Purpose
The purpose of this document is to:
- Outline the specific issues with COMPANY-owned switch port access and describe how 802.1x addresses them
- Describe the role of an authentication server and 802.1x security methods in securing user access to the corporate network
- Propose in detail the necessary equipment, versions of code, and the required roles and responsibilities to support an 802.1x environment
- Define other purposes for 802.1x in the COMPANY-IT Network environment
including the Cisco ACS RADIUS server to enforce the policies on the switch and for the user. Also, although there will be some mention of tests which involved both Cisco switches and Avaya 802.11b/g access points, this recommendation will address Cisco switches specifically.
2 Technology Summary
2.1 The 802.1x Solution:
IEEE 802.1x is an open-standards-based protocol for authenticating network clients (or ports) on a user-ID or device-ID basis. This process is called port-level authentication. Authentication is performed with RADIUS and involves three distinct roles: the Supplicant, the Authenticator, and the Authentication Server (RADIUS). IEEE 802.1X provides automated user identification, centralized authentication, key management, and provisioning of LAN connectivity. It even provides support for roaming access for LAN, wireless and VPN users. Cisco's marketing term for the combined technologies that authenticate users' equipment with IEEE 802.1x through Cisco LAN switches or WLAN equipment is Identity-Based Network Services (IBNS). In the open-standards community 802.1x is fondly referred to as AUTH-X.
Virtual LANs
802.1x
Rate limiting. Pro: the technology lets users throttle bandwidth to an Ethernet switch port. It can be used to limit certain types of traffic, such as peer-to-peer traffic or denial-of-service attack patterns, to levels that don't affect network performance. Con: mostly a proprietary technology that's supported on more expensive LAN gear.
Unauthorized users are placed into guest VLANs that can alert administrators of their presence.
server passes this on to the Active Directory and the Active Directory does not have a policy for that SID, then the host can initiate authentication by sending an EAPOL-Start frame, which prompts the switch to request the host's identity after the user has logged in locally. More information on Cisco's implementation of 802.1x on Catalyst 6500 series switches can be found at http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019f00a.html#25114
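The first frames of that sequence, as an added example that is not from the original report: the supplicant's EAPOL-Start, the switch's EAP-Request/Identity, and the supplicant's EAP-Response/Identity, built and decoded according to the IEEE 802.1X-2001 and RFC 3748 layouts. The MAC addresses and the identity string are constructed sample values.

```python
"""EAPOL/EAP frames for the start of 802.1x port authentication (added example)."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
EAPOL_VERSION = 1                               # protocol version in 802.1X-2001
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying one EAPOL PDU, addressed to the PAE group address."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body

def eapol_start(supplicant_mac: bytes) -> bytes:
    """Supplicant -> switch: EAPOL-Start, an empty-body frame asking the port to begin EAP."""
    return eapol_frame(supplicant_mac, EAPOL_START)

def eap_request_identity(switch_mac: bytes, identifier: int) -> bytes:
    """Switch -> supplicant: EAP-Request/Identity (code 1, type 1), the reply to EAPOL-Start."""
    eap = struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)
    return eapol_frame(switch_mac, EAPOL_EAP_PACKET, eap)

def eap_response_identity(supplicant_mac: bytes, identifier: int, identity: str) -> bytes:
    """Supplicant -> switch: EAP-Response/Identity carrying the user or device ID (same identifier)."""
    data = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return eapol_frame(supplicant_mac, EAPOL_EAP_PACKET, eap)

def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame; rejects anything that is not well-formed 802.1X."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    dst, src = frame[:6].hex(), frame[6:12].hex()
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    out = {"dst": dst, "src": src, "version": version, "type": ptype}
    # Only the Identity exchange is decoded here; later EAP methods (PEAP) carry a TLS tunnel.
    if ptype == EAPOL_EAP_PACKET and length >= 5 and body[4] == EAP_TYPE_IDENTITY:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        out.update(code=code, id=ident, identity=body[5:eap_len].decode())
    return out
```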
passwords until the correct one is determined. Using the combination of PEAP with MS-CHAP v2, the MS-CHAP v2 exchange is protected with the strong security of the TLS channel.
3 Feasibility Study
3.1 Functional Objective
The objective of the study is to demonstrate the effectiveness of 802.1x Port Authentication and Company Corporate Company Desktop with the following criteria:
- Assess ease of deployment
- Develop project specifications
- Evaluate 802.1x performance
- Determine dependencies
Open a web browser and ensure that the client can connect to the certificate authority website (optional)
3.3.6.6 Force re-authentication on the client and ensure it is transparent and doesn't require manual intervention from the client.
3.3.10
3.3.11
CONS
- MS IAS RADIUS doesn't appear to have the Cisco device listed properly for EAP frame type, and there don't appear to be too many options for Cisco EAP frames (had to specify an Async Modem)
- Wasn't able to test advanced Cisco features such as dynamic VLANs, Guest VLAN quarantines or ARP traffic inspection, due to documentation from Cisco that was geared toward their authentication server
- Not able to validate the RADIUS server certificate because the PKI wasn't a trusted source
NOTE: Cisco Catalyst 2924, 5000, and 5500 do not fully support 802.1x, and there are known bugs in what implementation support there is for the Catalyst 5000, documented in this field notice: http://www.cisco.com/en/US/products/products_security_advisory09186a00800b138d.shtml
Cisco Identity-Based Network Services (IBNS) implies that all of the components used to implement the Dot1x policies are Cisco products, including the RADIUS server.
default. This option would really benefit an EAP re-authentication on wireless networks as the data needs to be encrypted.
- 802.1x DHCP authentication
- 802.1x Quarantine VLAN for guests
- 802.1x Guest VLAN for access to the Internet
- 802.1x Wireless Networking Security
4.8 References
PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access: http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx
Configuring 802.1x Authentication on Catalyst 6500 Series Switches: http://www.cisco.com/en/US/products/hw/switches/ps708/25114
IEEE 802.1x Standards Publication: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
Microsoft Windows 2003: Internet Authentication Service: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
Enterprise Deployment of Secure Wired Networks Using Microsoft Windows: http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-993947c397ffd3dd&DisplayLang=en
Network Access Quarantine Control in Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
The Advantages of Protected Extensible Authentication Protocol (PEAP): http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication: http://download.microsoft.com/download/9/f/d/9fd73f17-2fdf-4409-b2d231437c7f29f3/WLANCertEnroll.doc
PACKET: "Hardened" Cisco AAA appliance joins identity-based networking: http://www.ieng.com/en/US/about/ac123/ac114/ac173/ac224/about_cisco_packet_technology0900aecd800b19a3.html
Cisco: Identity Based Networking Services Solution FAQ: http://www.stratacom.com/en/US/products/hw/switches/ps708/products_qanda_item09186a008012dc81.shtml