21 August 2009

802.1x

PPP is a data link protocol commonly used to establish a direct connection between two networking nodes.
PPP can provide connection authentication, transmission encryption (for privacy), and compression.

PPP alone -> username/password authentication (PAP, CHAP)
PPP + EAP -> any type of authentication (EAP-MD5, PEAP, ...)
PPP + EAP + RAS -> works the same way over a remote access server
PPP + EAP + RAS + AAA -> the RADIUS protocol takes care of the authentication
EAPOL + RAS + AAA -> 802.1x


L2TP and Microsoft’s secure RAS made PPP popular.
EAP is a universal authentication framework.
EAPOL is a standard for passing EAP over LAN.


802.1x is an IEEE standard for Port-Based Network Access Control.
802.1x works at Layer 2 to authenticate and authorize devices on LAN switch ports and wireless APs.
It won't work with multiple PCs connecting to one switch port via a hub, because access is granted per port.

-> The user/client that wants to be authenticated is called a supplicant.
-> The actual server doing the authentication, typically a RADIUS server, is called the authentication server.
-> And the device in between, such as a wireless access point, is called the authenticator.



Benefits of IEEE 802.1X
1. Leverages existing standards EAP and RADIUS
2. Authentication based on Network Access Identifier and credentials
3. Centralized authentication, authorization, and accounting
4. Scalable through EAP types
5. Supports password authentication and One-Time Passwords (OTP)

Configure FreeRADIUS:
/etc/raddb/clients.conf -> client localhost { secret = testing }
/etc/raddb/users -> user1 User-Password := "pass1"
/sbin/radiusd -X (run the server in the foreground with debug output)
/bin/radtest user1 pass1 localhost 0 testing (arguments: user, password, server, NAS port, shared secret)
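As an added example (not from the original post), the RADIUS Access-Request that the radtest line above sends, built per RFC 2865 in Python. It shows that User-Password is only XOR-masked with an MD5 stream keyed by the shared secret (here "testing"), so the secret, not the encoding, is what protects credentials between the NAS and the server; the response authenticator check at the end is how the NAS rejects replies forged without that secret. The fixed Request Authenticator is a constructed value for reproducibility.

```python
import hashlib
import struct

ACCESS_REQUEST = 1  # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5  # attribute types

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), seeded with the 16-byte Request Authenticator. Only the secret keys this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password: what the server (or anyone holding the secret) does."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, req_auth, user, password, nas_port, secret):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = (attr(ATTR_USER_NAME, user.encode())
            + attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret.encode(), req_auth))
            + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def response_authenticator(code, ident, attributes, req_auth, secret):
    """RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). The NAS checks this
    on Access-Accept/Reject, so a reply forged without the secret is discarded."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(hdr + req_auth + attributes + secret).digest()

if __name__ == "__main__":
    # Constructed fixed authenticator for a reproducible dump; a real client draws 16 random bytes.
    req_auth = bytes(range(16))
    print(build_access_request(1, req_auth, "user1", "pass1", 0, "testing").hex())
```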


Configure Switch (Nortel ERS 4550):
vlan members remove 1 1-11
vlan members add 16 1-11
vlan ports 12 tagging enable

radius-server host 192.168.10.254
radius-server key "testing"
radius-server port 1812

eapol enable
## EAPOL Administrative Status -> ENABLE
## EAPOL Administrative Status for ports -> Auto


Configure PC:
Enable the following Windows services:
-> Extensible Authentication Protocol Service
-> Wired AutoConfig / Wireless Zero Configuration

Local Area Connection properties -> Authentication -> Enable IEEE 802.1x authentication
Local Area Connection properties -> Authentication -> network auth method -> Protected EAP
Local Area Connection properties -> Authentication -> settings -> Authentication method -> EAP-MSCHAP v2


