
Agenda

o 802.1X mechanism
o 802.1X solution & Non-802.1X solution
o D-Link 802.1X Based Security Solution
    - Port-Based 802.1X and MAC-Based 802.1X
    - Port-Based 802.1X with Guest VLAN function
o D-Link Non-802.1X Based Security Solution
    - MAC-Based Access Control (MAC)
    - MAC-Based Access Control (MAC) with Guest VLAN
    - WEB-Based Access Control (WAC)

802.1X & Non-802.1X

802.1X Authentication Mechanism

The 802.1X authentication mechanism consists of three components:

o Authentication Server (RADIUS Server): validates the identity of the client and notifies the switch of the result.
o Authenticator (Switch): requests identity information from the client, verifies that information with the Authentication Server, and relays the response back to the client.
o Client: requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).

Disadvantage of 802.1X: although 802.1X is a secure authentication method, the need for an 802.1X supplicant on every client and for a RADIUS server remains the main obstacle to deployment. It is not only costly but also resource-consuming to set up and maintain.

802.1X & Non-802.1X

Non-802.1X Authentication Mechanism

By contrast, the non-802.1X methods make authentication easier to deploy and more user-friendly. They compensate for what 802.1X lacks and simplify rollout. This clientless mechanism is flexible and still provides access control, with the caveat that a MAC address can be spoofed, so MAC-based control is weaker than a credential-based 802.1X exchange. The benefits:

o Easier deployment (no client software to worry about)
o Lower maintenance cost (a RADIUS server becomes optional)
o Better user experience (e.g. the MAC-based function, which authenticates a station without the user keying in a username and password)

Non-802.1X authentication solutions are increasingly in demand: they need no extra client software and are easy to deploy and maintain. D-Link therefore develops solutions for both 802.1X and non-802.1X environments, to increase productivity without compromising the security of the network.

D-Link 802.1X Based Security Solution


o 802.1X mechanism
o 802.1X Port-Based and 802.1X MAC-Based
o Implementing Port-Based 802.1X with Guest VLAN

What is 802.1X Authentication?

802.1X
o Authenticate user identity
The 802.1X protocol is a widely used LAN authentication standard ratified by the IEEE. It enables user authentication in both wireless and wired environments. An 802.1X supplicant is already included in the Microsoft Windows XP and Vista operating systems.

D-Link's Implementation
Port-based 802.1X: users have to be authenticated before accessing the network, and the switch unlocks the port only after a user passes authentication.

MAC-based 802.1X: the D-Link switch can perform authentication per MAC address, so each switch port can authenticate the access rights of multiple PCs.

Figure: the switch forwards the 802.1X authentication request (Username: Crowley, Password: ***********) to the RADIUS server, which holds the user table:

Username    Password
Crowley     mygoca-ah
Anderson    busy2
Shinglin    4wireless

IEEE 802.1X Definition

Defines a client/server-based access control and authentication protocol that prevents unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each client connected to a switch port before any services offered by the switch or the LAN are made available to it.
Figure: topology with the RADIUS server (Authentication Server) and the Internet behind the switch (Authenticator); several 802.1X clients and one unauthorized device are attached to the access ports.

Figure: 802.1X roles and where the protocols run.

o Client: NIC card (Ethernet 802.3, wireless PC card, etc.)
o Authenticator: network port (access point, Ethernet switch, etc.)
o Authentication Server: AAA server; any EAP server, mostly RADIUS

Client <-> Authenticator: EAP over LAN / EAP over Wireless (802.3 or 802.11). Before authentication only EAPOL packets are accepted; after authentication normal packets flow.
Authenticator <-> Authentication Server: encapsulated EAP messages, typically carried in RADIUS.

The three roles in IEEE 802.1X: Client, Authenticator, Authentication Server.

Before a client is authenticated, 802.1X access control allows only EAPOL traffic to pass through the port to which the client is connected. After authentication succeeds, normal traffic can pass through the port.
* The RADIUS server provides Authentication, Authorization and Accounting (AAA) service.

802.1X Device Role

Device Roles: Client

Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <-> RADIUS Server (Authentication Server)

Client:
The device (workstation) that requests access to the LAN and switch services, and responds to the identity/challenge requests relayed from the switch and the RADIUS server.
The workstation must be running 802.1X-compliant client software, such as the supplicant built into the Microsoft Windows XP operating system.

802.1X Device Role (Cont.)

Device Roles: Authentication Server

Figure: Workstation (Client) <-> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)

Authentication Server:
The Authentication Server validates the identity of the clients and notifies the switch whether or not each client is authorized to access the LAN. RADIUS operates in a client/server model in which authentication information is exchanged between the RADIUS server and one or more RADIUS clients (here the switch is the RADIUS client), protected by a shared secret.
* Remote Authentication Dial-In User Service (RADIUS)

802.1X Device Role (Cont.)

Device Roles: Authenticator

Figure: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)

Authenticator:
The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server: it requests identity information from the Client, verifies that information with the Authentication Server, and relays the request/response (identity and challenge) messages between the Client and the Authentication Server.

802.1X Authentication Process

Workstation (Client)            Switch (Authenticator)            RADIUS Server (Authentication Server)

1.  EAPOL-Start                  -->
2.  <-- EAP-Request/Identity
    EAP-Response/Identity        -->   RADIUS Access-Request          -->
3.  <-- EAP-Request/OTP                <-- RADIUS Access-Challenge
4.  EAP-Response/OTP             -->   RADIUS Access-Request          -->
5.  <-- EAP-Success                    <-- RADIUS Access-Accept
    Port Authorized
    ...
    EAPOL-Logoff                 -->   RADIUS Accounting-Stop         -->
    Port Unauthorized                  <-- RADIUS Ack (Accounting-Response)

* OTP (One-Time Password)

802.1X Authentication Process (as captured on each link)

Workstation (Client) IP: 192.168.0.100
Switch (Authenticator) IP: 192.168.0.1
RADIUS Server (Authentication Server) IP: 192.168.0.10

Figure: the same exchange seen from the two sides. Client side (client to switch / switch to client): EAPOL frames for steps 1, 2, 3, 5. RADIUS server side (switch to server / server to switch): RADIUS packets for steps 2, 3, 4, 5.

* OTP (One-Time Password)

Port-Based 802.1X Example:

Figure: DES-3828 with port-based 802.1X enabled on ports 1-12 and an uplink to the Internet. A Win2003 server at 192.168.0.10 runs the RADIUS server service with user James, password 123. Port 1 connects to an L2 switch/hub behind which sit James (192.168.0.100), Gary and Ryan, each with the Windows XP built-in 802.1X client. James authenticates (Username: James, Password: 123) and the RADIUS server confirms the credentials.

All of the clients connected to the L2 hub can pass through the switch (DES-3828) once a single client (James in the figure) is authenticated, because port-based mode authorizes the whole port, not the individual station.

Port-Based 802.1X Command Example:

DES-3828 configuration:
    reset
    enable 802.1x
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

Client PCs configuration: run the 802.1X supplicant software.
RADIUS server configuration: Windows NT/2000/2003 Server RADIUS service or a third-party RADIUS server program.

1. Enable the 802.1X state on the device.
2. Configure the client-connected ports as authenticators. (Note: the uplink port should not be enabled as an authenticator. The command above covers ports 1-24, so exclude the uplink port from the range in a real deployment.)
3. Configure the RADIUS server setting (server address and shared key). The key must match the one configured on the RADIUS server; it protects the switch-to-server exchange.
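The `config radius add 1 192.168.0.10 key 123456 default` line above is the only secret shared between the switch and the RADIUS server. The following is an added example (not D-Link's or any RADIUS vendor's code) showing what that key does in an Access-Request per RFC 2865 and RFC 3579: the User-Password attribute is XOR-masked with MD5(secret | Request Authenticator), and the Message-Authenticator attribute is an HMAC-MD5 over the packet, so a server with a different key rejects the request. The shared key 123456, the server address and the NAS address 192.168.0.1 are taken from the slides; the Request Authenticator value, the user James/123 and the user table are constructed for the example.

```python
"""Minimal RADIUS Access-Request builder/parser (RFC 2865, RFC 3579).

Added example, not D-Link code. Shared secret 123456 and the addresses
come from the slide's 'config radius add' line; the Request Authenticator
and user credentials below are constructed test data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a multiple of 16, then XOR each 16-byte chunk
    with MD5(secret + previous ciphertext chunk), seeded with the Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    strong encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; trailing padding nulls are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = cipher[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, mask)), chunk
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(2 + len(value))(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, nas_port, request_auth=None):
    """What the switch (RADIUS client / NAS) sends after EAP-Response/Identity."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 3579 3.2: HMAC-MD5(secret, packet with the MA value zeroed); the
    # MA attribute was placed last, so its value is the final 16 bytes.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attributes(pkt: bytes) -> dict:
    attrs, off = {}, 20
    while off < len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[off + 2:off + length]
        off += length
    return attrs


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the MA value zeroed."""
    off = 20
    while off < len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += length
    return False


def server_check(pkt: bytes, secret: bytes, userdb: dict) -> str:
    """RADIUS server decision: verify the HMAC, recover the password, compare
    against the user table (the 'User James Password 123' on the slide)."""
    if not verify_message_authenticator(pkt, secret):
        return "Access-Reject"   # RFC 3579: silently discard; shown as a reject here
    attrs = parse_attributes(pkt)
    request_auth = pkt[4:20]
    password = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    return "Access-Accept" if userdb.get(attrs[ATTR_USER_NAME]) == password else "Access-Reject"
```

The point for the switch operator: with a mismatched key the server cannot recover the password and the HMAC fails, so authentication fails closed; a weak key such as 123456 lets anyone who captures the exchange brute-force the MD5 mask offline, so use a long random key in production.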

MAC-Based 802.1X Example:

Figure: DES-3828 with MAC-based 802.1X enabled on ports 1-12 and an uplink to the Internet. A Win2003 server at 192.168.0.10 runs the RADIUS server service with user James, password 123. An L2 switch/hub on the access port connects James (192.168.0.100), Gary, Ryan, ... each with the Windows XP built-in 802.1X client. James authenticates (Username: James, Password: 123) and the RADIUS server confirms the credentials.

The DES-3828 is only capable of learning up to 16 MAC addresses per port.

Each client needs to provide a correct username/password to pass authentication before it can access the network.

NOTICE: The intermediate L2 switch or hub must support 802.1X pass-through. Otherwise the EAPOL frames (destination MAC 01-80-C2-00-00-03, inside the IEEE 802.1D reserved range 01-80-C2-00-00-00 to 01-80-C2-00-00-0F, which standard bridges do not forward) are consumed by that switch and never reach the DES-3828. This applies equally to the port-based topology above, which uses the same hub.
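Two statements on these slides are easy to check in code: the earlier rule that an unauthorized port passes only EAPOL traffic, and the notice above about the reserved destination MAC that a non-pass-through bridge will not forward. The following is an added example (not D-Link's or any supplicant's code): it builds the EAPOL-Start and EAP-Response/Identity frames from the process diagram, parses them back, classifies the destination address against the 802.1D reserved range, and applies the authenticator's pre-authorization filter. The EtherType 0x888E, the PAE group address and the reserved range are from IEEE 802.1X/802.1D; the station MAC 00-11-22-33-44-55 and the sample IPv4 frame are constructed.

```python
"""EAPOL framing and the authenticator's pre-authorization port filter.

Added example, not D-Link code. Constants are from IEEE 802.1X (EtherType
0x888E, PAE group address 01-80-C2-00-00-03) and IEEE 802.1D (reserved
group addresses 01-80-C2-00-00-00..0F, not forwarded by bridges). The
frames and MAC addresses built here are constructed test data.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
RESERVED_PREFIX = bytes.fromhex("0180c20000")      # last octet 0x00-0x0F

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def is_bridge_reserved(dst: bytes) -> bool:
    """True for 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F. A standard bridge
    (the slide's 'L2 switch/hub') consumes such frames instead of forwarding
    them unless it implements 802.1X pass-through."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def eapol_frame(src: bytes, packet_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Ethernet II frame carrying an EAPOL PDU:
    dst(6) src(6) EtherType(2) | version(1) type(1) body-length(2) body."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, packet_type, len(body)) + body)


def eapol_start(src: bytes) -> bytes:
    """Step 1 of the process slide: supplicant asks the authenticator to begin."""
    return eapol_frame(src, EAPOL_START)


def eap_response_identity(src: bytes, eap_id: int, identity: bytes) -> bytes:
    """Step 2: EAP packet code(1) id(1) length(2) type(1) data, in EAPOL type 0."""
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(identity),
                      EAP_TYPE_IDENTITY) + identity
    return eapol_frame(src, EAPOL_EAP_PACKET, eap)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EAPOL, the EAPOL/EAP headers."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "ethertype": ethertype, "eapol": None}
    if ethertype == ETHERTYPE_EAPOL:
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if len(body) != length:
            raise ValueError("EAPOL body length exceeds frame")
        entry = {"version": version, "type": ptype, "body": body}
        if ptype == EAPOL_EAP_PACKET and length >= 5:
            code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
            entry["eap"] = {"code": code, "id": eap_id, "type": eap_type,
                            "data": body[5:eap_len]}
        info["eapol"] = entry
    return info


def port_filter(frame: bytes, port_authorized: bool) -> str:
    """Authenticator decision: the uncontrolled port always accepts EAPOL;
    the controlled port forwards everything else only once authorized."""
    if parse_frame(frame)["ethertype"] == ETHERTYPE_EAPOL:
        return "accept-eapol"
    return "forward" if port_authorized else "drop"
```

Running `is_bridge_reserved` on the destination of the frames built here returns True, which is exactly why the hub in the figure has to pass 802.1X through: the frames are addressed to the nearest bridge, not to the DES-3828.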

MAC-Based 802.1X Command Example:

DES-3828 configuration:
    reset
    enable 802.1x
    config 802.1x auth_mode mac_based
    config 802.1x capability ports 1-24 authenticator
    config radius add 1 192.168.0.10 key 123456 default

Client PCs configuration: run the 802.1X supplicant software.
RADIUS server configuration: Windows NT/2000/2003 Server RADIUS service or a third-party RADIUS server program.

1. Enable the 802.1X state on the device and change the mode to mac_based.
2. Configure the client-connected ports as authenticators. (Note: the uplink port should not be enabled as an authenticator.)
3. Configure the RADIUS server setting.

802.1X Port-Based vs MAC-Based

Port-based 802.1X
o Once a port is authorized by one client, the other users connecting to the same port through a hub or switch can pass through the switch as well.

MAC-based 802.1X
1. Once a port is authorized by a client, only that client's MAC address can pass through the switch.
2. The switch not only checks the username/password but also checks whether the maximum number of MAC addresses allowed on the port has been reached. If it has, the new MAC is denied.
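The comparison above is the security decision in this deck: in port-based mode one successful login opens the port for every station behind a hub, while MAC-based mode authorizes stations individually and caps them per port. The following is an added example (not D-Link firmware logic) that models both modes on a shared port so the piggybacking difference and the per-port MAC limit can be exercised. The 16-address limit is the DES-3828 figure from the slide; the user table (James/123) and the station MACs are constructed.

```python
"""Port-based vs MAC-based 802.1X authorization on a shared port.

Added example, not D-Link code. Models the slide's comparison: a hub on one
switch port with several stations. MAX_MACS_PER_PORT is the DES-3828
figure from the slide; users and MAC addresses are constructed.
"""
from dataclasses import dataclass, field

MAX_MACS_PER_PORT = 16


@dataclass
class Port:
    mode: str                                           # "port_based" or "mac_based"
    port_authorized: bool = False                       # port-based: whole port opens
    authorized_macs: set = field(default_factory=set)   # mac-based: per station

    def authenticate(self, mac: bytes, user: str, password: str, userdb: dict) -> str:
        """Outcome of an 802.1X exchange from station `mac` on this port."""
        if (self.mode == "mac_based" and mac not in self.authorized_macs
                and len(self.authorized_macs) >= MAX_MACS_PER_PORT):
            return "deny-max-mac"          # slide item 2: deny new MAC once the limit is hit
        if userdb.get(user) != password:
            return "reject"                # RADIUS Access-Reject, port state unchanged
        if self.mode == "port_based":
            self.port_authorized = True    # one success opens the port for everybody
        else:
            self.authorized_macs.add(mac)  # only this station is let through
        return "accept"

    def forward(self, mac: bytes) -> bool:
        """Would a normal (non-EAPOL) frame from `mac` be forwarded?"""
        if self.mode == "port_based":
            return self.port_authorized
        return mac in self.authorized_macs

    def logoff(self, mac: bytes) -> None:
        """EAPOL-Logoff: port-based closes the port for everyone at once."""
        if self.mode == "port_based":
            self.port_authorized = False
        else:
            self.authorized_macs.discard(mac)


def piggyback_demo(mode: str) -> dict:
    """James authenticates; Gary never does. Does Gary's traffic get through?"""
    userdb = {"James": "123"}                         # constructed RADIUS user table
    james = bytes.fromhex("001122000001")
    gary = bytes.fromhex("001122000002")
    port = Port(mode)
    result = port.authenticate(james, "James", "123", userdb)
    return {"james": result, "james_fwd": port.forward(james), "gary_fwd": port.forward(gary)}


def mac_limit_demo() -> list:
    """Seventeen valid logins from distinct MACs on one mac_based port."""
    userdb = {"James": "123"}
    port = Port("mac_based")
    return [port.authenticate(bytes([0, 0x11, 0x22, 0, 0, i]), "James", "123", userdb)
            for i in range(MAX_MACS_PER_PORT + 1)]
```

`piggyback_demo("port_based")` shows Gary forwarded without ever authenticating; `piggyback_demo("mac_based")` shows him blocked. The MAC limit matters because a flooding host behind the hub can otherwise exhaust the port's table and lock out legitimate stations.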
