
Presented By

Ayush Kumar 153/11

Yagargala Niranjan Roll No.

NATIONAL INSTITUTE OF TECHNOLOGY


JAMSHEDPUR, INDIA 831014

IEEE 802.1X is an IEEE standard for port-based network access control. It is part of the 802.1 group of networking protocols and provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 media (EAPOL). 802.1X authentication involves three parties:

The supplicant is a client device (for example a laptop) that wishes to attach to the LAN or WLAN; the term supplicant is also used for the software running on the client that provides credentials to the authenticator.

The authenticator is a network device, such as an Ethernet switch or a wireless access point.

The authentication server is typically a host running software that supports the RADIUS and EAP protocols.



802.1X port-based access control has the effect of creating two distinct points of access to the authenticator's attachment to the LAN. One point of access, the uncontrolled port, allows the exchange of frames between the system and other systems on the LAN regardless of authorization state; it is used to exchange the authentication (EAP) messages. The other point of access, the controlled port, allows the exchange of frames only if the port is authorized. When a host connects to a LAN port on an 802.1X switch, the switch port determines the authenticity of the host, according to the protocol specified by 802.1X, before the services offered by the switch are made available. On that port, only EAPOL frames are exchanged until authentication is complete.
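The two-port model described above, as an added example that is not part of the original slides: a minimal model of an authenticator port in Python. It parses EAPOL frames (EtherType 0x888E) and the EAP packets inside them, answers an EAPOL-Start with an EAP-Request/Identity, and opens the controlled port only after the authentication server accepts the supplicant. The MAC addresses, the accepted identity and the RADIUS decision (a membership check instead of a real RADIUS exchange and inner EAP method) are assumptions constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination MAC
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# Constructed sample values (not from the slides): switch and client MACs, and the
# identities the simulated authentication server accepts.
AUTHENTICATOR_MAC = bytes.fromhex("001122334455")
SUPPLICANT_MAC = bytes.fromhex("66778899aabb")
RADIUS_ALLOWED = {"alice@example.org"}


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def eapol(ptype, body=b""):
    """EAPOL PDU: protocol version 2, packet type, body length, body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def parse_eapol(payload):
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if length > len(payload) - 4:
        raise ValueError("EAPOL body truncated")
    return version, ptype, payload[4:4 + length]


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type + data for Request/Response."""
    body = bytes([eap_type]) + data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(body):
    """Return (code, identifier, type, data); type is None for Success/Failure."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, body[4], body[5:length]
    return code, ident, None, b""


class AuthenticatorPort:
    """Switch-port PAE. The uncontrolled port accepts only EAPOL; the controlled
    port stays closed until the authentication server accepts the supplicant."""

    def __init__(self, mac):
        self.mac = mac
        self.authorized = False
        self.next_id = 1

    def receive(self, frame):
        """Handle one ingress frame; return (verdict, reply frame or None)."""
        dst, src, etype, payload = parse_ethernet(frame)
        if etype != ETHERTYPE_EAPOL:
            return ("forward" if self.authorized else "drop"), None
        _, ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            self.authorized = False
            request = eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            return "eapol", ethernet(src, self.mac, ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET, request))
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return "eapol", None
        code, ident, eap_type, data = parse_eap(body)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and ident == self.next_id:
            # A real authenticator relays this to RADIUS (EAP-Message attributes) and
            # continues with an inner EAP method; the server decision is simulated here.
            accepted = data.decode("utf-8", "replace") in RADIUS_ALLOWED
            self.authorized = accepted
            self.next_id += 1
            result = eap(EAP_SUCCESS if accepted else EAP_FAILURE, ident)
            return "eapol", ethernet(src, self.mac, ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET, result))
        return "eapol", None


def run_exchange(identity):
    """Drive a supplicant through the port; report the verdict for an IPv4 frame
    before and after the EAP exchange, and the EAP result code."""
    port = AuthenticatorPort(AUTHENTICATOR_MAC)
    data = ethernet(AUTHENTICATOR_MAC, SUPPLICANT_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    before, _ = port.receive(data)
    _, request = port.receive(ethernet(PAE_GROUP_ADDR, SUPPLICANT_MAC, ETHERTYPE_EAPOL, eapol(EAPOL_START)))
    ident = parse_eap(parse_eapol(parse_ethernet(request)[3])[2])[1]
    response = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    _, result = port.receive(ethernet(PAE_GROUP_ADDR, SUPPLICANT_MAC, ETHERTYPE_EAPOL,
                                      eapol(EAPOL_EAP_PACKET, response)))
    code = parse_eap(parse_eapol(parse_ethernet(result)[3])[2])[0]
    after, _ = port.receive(data)
    return {"before": before, "result": "success" if code == EAP_SUCCESS else "failure", "after": after}


if __name__ == "__main__":
    print(run_exchange("alice@example.org"))    # {'before': 'drop', 'result': 'success', 'after': 'forward'}
    print(run_exchange("mallory@example.org"))  # {'before': 'drop', 'result': 'failure', 'after': 'drop'}
```

The IPv4 frame is dropped before the exchange and forwarded after EAP-Success, which is the whole effect of the controlled port; note that after authorization the model checks nothing about later frames beyond the port state, which is the property the bypass discussion later in the slides relies on.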

The 802.1X specification includes two main features aimed specifically at supporting the use of port access control in 802.11 LANs.

Logical ports: the ability to use the MAC address of the station and of the access point as the destination address.

Key management: the ability of an access point to distribute or obtain global key information to/from attached stations by means of EAPOL-Key messages.

In an 802.11 LAN environment, stations are not physically connected to the network. In addition, multiple connecting stations share the network access medium (the RF air space). A special case of shared media access exists in IEEE 802.11 wireless LANs, in which a station must form an association with an access point in order to make use of the LAN. The protocol that establishes the association allows the station and the access point to learn each other's MAC addresses. This effectively creates a logical port that the station can use to communicate with the access point, and it allows the supplicant to associate with the access point before dynamically derived encryption keys are applicable.

A station must first associate with a given access point. Once the station is associated with the access point, it can exchange EAP messages with the authentication server to authorize the port. Before the logical port has been authorized it can only exchange EAP messages.

DHCP stands for Dynamic Host Configuration Protocol. It automatically assigns an IP address to each computer attached to the router. A static IP address can become a security risk, because the address is always the same; static IPs are also easier for data-mining companies to track. Dynamic IP addressing carries less of this risk, because the computer is assigned a new IP address each time the customer logs on. It is also cost-effective.

One area where IPv6 still lacks feature parity with IPv4 is user authentication and source-IP spoofing prevention in large-scale carrier Ethernet networks. In IPv4, DHCP is used to address the individual end users; access-layer switches use DHCP snooping and record the source host name in the DHCP request sent by the client, and DHCP servers log the IP address assigned to each customer. DHCPv6 snooping is not widely supported. SOLUTION: DHCPv6 requests sent by IPv6 hosts or CPE devices are encapsulated in DHCPv6 relay envelopes every time the request is relayed. GETTING CREATIVE: use a VLAN per customer, and monitor ND messages.

DHCP provides fundamental services in many IP networks. Its primary purpose is to allow IP configuration information to be passed to hosts on demand. This allows unconfigured hosts to be attached to a network and to obtain a valid IP address and other basic configuration information.

The services provided by DHCP are critical, as its settings supply the IP address and DNS server address and define how hosts communicate over the network. DHCP runs over UDP, and because the client side of the conversation has no IP address yet, there is nothing to authenticate the exchange with; DHCP is an inherently insecure protocol.

DHCP attacks

Presence of unauthorised (rogue) DHCP servers on the network. A port usually has no way of knowing that it is being attacked. The simplest attack is a denial of service: it prevents clients from obtaining their configuration from the legitimate DHCP server.

An attacker may also use a rogue DHCP server to gain further access to the network, for example by setting an incorrect DNS server on the network so that clients' name lookups are redirected.

The first technique is token-based, with servers and clients exchanging a password token (the configuration token of RFC 3118). Delayed authentication uses a shared secret key and sends only a keyed hash (HMAC-MD5) of the message together with a replay-detection value, never the key itself. Prevent MAC address spoofing. Use active detection techniques to identify rogue DHCP servers. Block DHCP at the firewall separating your network from untrusted networks.
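The rogue-server problem and the "active detection" countermeasure above, as an added example that is not part of the original slides: a Python detector that parses captured DHCP OFFER messages (RFC 2131 header, RFC 2132 options) and flags any OFFER whose Server Identifier (option 54) is not an authorised server, or which hands out a default gateway (option 3) or DNS server (option 6) outside the expected set. The authorised-server list, the expected gateway and DNS addresses, and the two sample OFFERs are constructed assumptions, not data from the slides.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2

# Constructed policy (not from the slides): the one legitimate DHCP server on this
# segment and the router/DNS addresses it is expected to hand out.
AUTHORISED_SERVERS = {"10.0.0.1"}
EXPECTED_ROUTERS = {"10.0.0.1"}
EXPECTED_DNS = {"10.0.0.53"}


def parse_options(data):
    """Parse the RFC 2132 options area into {code: value}; PAD is skipped, END stops."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Return the RFC 2131 header fields needed for detection plus the options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!4B", packet[:4])
    return {
        "op": op,
        "xid": struct.unpack("!I", packet[4:8])[0],
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "chaddr": packet[28:28 + hlen].hex(":"),
        "options": parse_options(packet[240:]),
    }


def ip_set(value):
    """Decode a list-of-IPv4 option value (router, DNS) into a set of strings."""
    return {str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value) - 3, 4)}


def check_offer(packet):
    """Return findings for a DHCPOFFER; an empty list means it looks legitimate."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    findings = []
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    if server not in AUTHORISED_SERVERS:
        findings.append(f"rogue DHCP server {server} offered {msg['yiaddr']} to {msg['chaddr']}")
    bad_routers = ip_set(opts.get(OPT_ROUTER, b"")) - EXPECTED_ROUTERS
    if bad_routers:
        findings.append(f"unexpected default gateway {sorted(bad_routers)}")
    bad_dns = ip_set(opts.get(OPT_DNS, b"")) - EXPECTED_DNS
    if bad_dns:
        findings.append(f"unexpected DNS server {sorted(bad_dns)}")
    return findings


def build_offer(xid, client_mac, yiaddr, server_id, router, dns):
    """Construct a DHCPOFFER (BOOTP op=2, Ethernet hardware address) for the example."""
    def ip(s):
        return ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!4B", 2, 1, 6, 0) + struct.pack("!I", xid) + b"\x00" * 8   # secs, flags, ciaddr
    hdr += ip(yiaddr) + ip(server_id) + b"\x00" * 4                                  # yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10                # chaddr (16 bytes)
    hdr += b"\x00" * 192                                                             # sname (64) + file (128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4]) + ip(server_id)
    opts += bytes([OPT_ROUTER, 4]) + ip(router) + bytes([OPT_DNS, 4]) + ip(dns) + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


# Constructed captures: one OFFER from the real server, one from a rogue server that
# also points clients at itself for routing and DNS (the interception case).
LEGIT_OFFER = build_offer(0x1234, "aa:bb:cc:dd:ee:01", "10.0.0.50", "10.0.0.1", "10.0.0.1", "10.0.0.53")
ROGUE_OFFER = build_offer(0x1234, "aa:bb:cc:dd:ee:01", "10.0.0.99", "10.0.0.66", "10.0.0.66", "10.0.0.66")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt) or "ok")
```

In practice the same check is run on OFFERs taken from a port mirror or from a probe that periodically sends its own DISCOVER (the active detection the slide refers to); any OFFER answered by an address outside AUTHORISED_SERVERS is the signal.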

The Port Access Entity (PAE) refers to the processes executing the authentication protocols and algorithms associated with a port.

Before authentication: the authenticator's PAE is in the unauthorized state, so only the uncontrolled port is usable.

After authentication: if the result is true, the state changes to authorized and other network services are allowed to flow through the controlled port.

If authentication fails, the port may be disabled or remain in the unauthorized state. Cisco's implementation uses the terms unauthorized and authorized for these states; the setup described here uses 8550 switches and RADIUS servers with clients. 802.1X is not supported on trunk ports, dynamic ports or dynamic-access ports.

Switch# configure terminal : enter global configuration mode.
Switch(config)# aaa new-model : enable AAA.
Switch(config)# aaa authentication dot1x default group radius : create the 802.1X authentication method list; use the default keyword followed by the methods to be used (here the RADIUS server group).

Switch(config)# interface fastethernet 0/1 : specify the interface to be enabled for 802.1X authentication.
Switch(config-if)# dot1x port-control auto : enable 802.1X on the interface; the possible values are auto, force-authorized and force-unauthorized.
Switch(config-if)# end : return to privileged EXEC mode.
Switch# show dot1x : verify your entries.
Switch# copy running-config startup-config : save your entries in the startup configuration.

In this step the switch is configured with the RADIUS server's host name or IP address, the RADIUS server UDP ports and, optionally, the encryption key. This is required so that the switch can forward the authentication messages from the client to the RADIUS server.

Switch(config)# interface fastethernet 0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts : allow multiple hosts on the port (once one host authenticates, the others attached to the port gain access too).

From the Start menu, select Control Panel.

Select Network and Internet Connections, then select Network Connections.

Right-click Local Area Connection and then click Properties.

On the Authentication tab, enable IEEE 802.1X authentication and select the authentication method (EAP type).

NAC (Network Access Control) is a system which decides which systems are allowed to connect to the network.

It keeps attached computers as free as possible from viruses and spyware. If your computer fails the security checks, it is quarantined.

Automatic authentication allows the device to authenticate without requiring the user to log in manually every time it connects to the wireless network.

XpressConnect is an automatic configuration tool for configuring client devices for 802.1X. It eliminates common configuration mistakes.

When we look at multiple-device authentication on a single port with 802.1X, we have a good solution if we use 802.1X to authenticate each device individually. Phones that are not 802.1X-capable are handled with MAC-auth instead.

VoIP

Because it is outside the scope of 802.1X, switch vendors allow 802.1X to be mixed with MAC-auth, but each does so with its own implementation. MAC-auth authenticates a device by its MAC address. Web-auth, MACsec and 802.1X-REV (the 2010 revision of 802.1X) have also come into use in recent years.

Multiple-device authentication can be tricky to secure, but it is possible with the current 802.1X version.

This figure shows the combination of the supplicant (for example a staff laptop), the authenticator device (the switch), and the back end, which is under the control of the RADIUS server; the server checks that the client's credentials match the credentials in its database.

This figure shows an infected laptop being prevented from attaching itself to other ports on the network. It also shows the use of NAC alongside 802.1X, which places the infected laptop in a quarantine VLAN. This system was implemented in the JANET community.

This figure shows the organisational LAN connected to an ex-switch. 802.1X identifies the point at which attackers would access the network and so prevents them from using it. It also provides guest access; this can be done securely by providing dedicated sockets, such as DMZ sockets.

It can be bypassed. Pwnie Express released a product that anyone can buy and that uses the existing infrastructure to bypass 802.1X without having to authenticate at all. 802.1X does not authenticate every packet, so if you can sit in the middle and capture an authenticated source MAC address, you are in. The Pwnie Express device captures all EAPOL authentication packets and creates a transparent bridge between the switch and the PC. 802.1X CAN ALSO BE HACKED.
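Why "does not authenticate every packet" matters, as an added example that is not part of the original slides or of any Pwnie Express product: a Python comparison of an authorized 802.1X port, which can only check the source MAC of later frames, against a port that requires a per-frame integrity tag bound to a session key, which is the idea behind MACsec (IEEE 802.1AE) mentioned earlier. The tag here is an HMAC-SHA256 stand-in for the MACsec AES-GCM ICV, a simplification assumed for the example; the MACs, the session key and the payloads are constructed.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the slides): the authenticated host's MAC, the
# attacker's own MAC, the upstream MAC, and a session key standing in for the
# key material a real EAP method would export after the exchange.
LEGIT_MAC = bytes.fromhex("66778899aabb")
ATTACKER_MAC = bytes.fromhex("deadbeef0001")
GATEWAY_MAC = bytes.fromhex("001122334455")
SESSION_KEY = hashlib.sha256(b"constructed session key from the EAP exchange").digest()


def authorized_port_accepts(authorized_mac, frame_src):
    """An authorized 802.1X port has nothing but the source MAC to go on: any
    frame carrying the authenticated host's address is forwarded."""
    return frame_src == authorized_mac


def frame_tag(key, src, dst, pn, payload):
    """Per-frame integrity tag over addresses, packet number and payload.
    Simplified stand-in for the MACsec ICV (MACsec uses AES-GCM, not HMAC)."""
    msg = src + dst + struct.pack("!I", pn) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class SecuredPort:
    """Port that verifies a tag on every frame and rejects replayed packet numbers."""

    def __init__(self, key):
        self.key = key
        self.highest_pn = 0

    def receive(self, src, dst, pn, payload, tag):
        if not hmac.compare_digest(frame_tag(self.key, src, dst, pn, payload), tag):
            return "drop: bad tag"
        if pn <= self.highest_pn:
            return "drop: replay"
        self.highest_pn = pn
        return "forward"


def demo():
    """Compare both models against a bridged attacker who learned LEGIT_MAC from
    captured EAPOL frames and now injects traffic behind the authenticated host."""
    results = {}
    injected = b"attacker traffic"
    # 1. Plain 802.1X after authorization: a spoofed source MAC is all it takes.
    results["plain_spoofed"] = authorized_port_accepts(LEGIT_MAC, LEGIT_MAC)
    results["plain_own_mac"] = authorized_port_accepts(LEGIT_MAC, ATTACKER_MAC)
    # 2. Per-frame integrity: the legitimate host can tag frames, the attacker cannot.
    port = SecuredPort(SESSION_KEY)
    legit_payload = b"host traffic"
    tag = frame_tag(SESSION_KEY, LEGIT_MAC, GATEWAY_MAC, 1, legit_payload)
    results["secured_legit"] = port.receive(LEGIT_MAC, GATEWAY_MAC, 1, legit_payload, tag)
    # Spoofing the MAC does not help without the session key.
    guess = frame_tag(b"wrong key", LEGIT_MAC, GATEWAY_MAC, 2, injected)
    results["secured_spoofed"] = port.receive(LEGIT_MAC, GATEWAY_MAC, 2, injected, guess)
    # Replaying a captured, validly tagged frame is caught by the packet number.
    results["secured_replay"] = port.receive(LEGIT_MAC, GATEWAY_MAC, 1, legit_payload, tag)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first two results are the bridge attack in miniature: the plain port cannot tell injected frames from the host's own once the source MAC matches. The secured port needs the session key for every frame, so capturing EAPOL and cloning the MAC is no longer sufficient.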