Agenda
- 802.1x mechanism
- 802.1x solution & Non-802.1x solution
- D-Link 802.1X Based Security Solution
  - Port-Based 802.1x and MAC-based 802.1x
  - Port-Based 802.1x with Guest VLAN function
- D-Link Non-802.1X Based Security Solution
  - MAC-Based Access Control (MAC)
  - MAC-Based Access Control (MAC) with Guest VLAN
  - WEB-Based Access Control (WAC)
802.1X & Non-802.1X
802.1X Authentication Mechanism
The 802.1X authentication mechanism consists of three components:
- Authentication Server (RADIUS Server): validates the identity of the client and notifies the switch.
- Authenticator (Switch): requests identity information from the client, verifies that information with the Authentication Server, and relays the response to the client.
- Client: requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software (e.g. Windows XP has an embedded 802.1X supplicant).
Disadvantage of 802.1X
Even though 802.1X is a secure authentication method, the availability of an 802.1X supplicant agent on every client and of a RADIUS server remains the main challenge for deployment. It is not only costly but also resource-consuming to set up and maintain.
802.1X & Non-802.1X
Non-802.1x Authentication Mechanism
By contrast, the Non-802.1X method makes authentication easier to deploy and more user-friendly. It compensates for what 802.1X technology lacks and facilitates deployment. This clientless mechanism is not only flexible but also provides the required security. The benefits:
- Reduced deployment difficulty (no client software to worry about)
- Lower maintenance cost (the RADIUS server becomes optional)
- Better user experience (e.g. the MAC function, which does not require users to key in a username and password during authentication)
Emerging Non-802.1X authentication solutions are in demand. They mostly need no extra client software and are easy to deploy and maintain. Therefore D-Link develops comprehensive solutions for both 802.1X and Non-802.1X environments to increase productivity without compromising the security of the network.
D-Link 802.1X Based Security Solution
802.1x mechanism
802.1x Port-Based and 802.1x MAC-Based
Implementing Port-Based 802.1x with Guest VLAN
What is 802.1x Authentication?
802.1x
o Authenticate User Identity
The 802.1X protocol is the popular LAN authentication protocol ratified by the IEEE. It enables user authentication in both wireless and wired environments. The 802.1X service is already included in the Microsoft Windows XP and Vista operating systems.
D-Link's Implementation
Port-based 802.1x: users have to be authenticated before accessing the network, and the switch unlocks the port only after the user passes authentication.
MAC-based 802.1x: a D-Link switch can perform authentication per MAC address. This means each switch port can authenticate the access rights of multiple PCs.
Figure: 802.1x authentication request example. The RADIUS server holds a user table (Username / Password): Crowley / mygoca-ah, Anderson / busy2, Shinglin / 4wireless. The client sends an 802.1x Auth Request with Username: Crowley, Password: ***********.
IEEE 802.1x Definition
Defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The Authentication Server authenticates each Client connected to a switch port before making available any services offered by the switch or the LAN.
Figure: Internet -- RADIUS Server (Authentication Server) -- Switch (Authenticator) -- 802.1x Clients, with one unauthorized device among the clients.
Figure: the three roles. Client: NIC card (Ethernet 802.3, wireless PC card, etc.). Authenticator: network port (access point, Ethernet switch, etc.). Authentication Server: AAA server (any EAP server, mostly RADIUS). Before authentication only EAP over LAN / EAP over Wireless (802.3 or 802.11) passes between client and authenticator; after authentication normal packets pass. Between authenticator and authentication server the EAP messages are encapsulated, typically in RADIUS.
The three different roles in IEEE 802.1x: Client, Authenticator, Authentication Server.
Before a Client is authenticated, 802.1x access control allows only EAPOL traffic to pass through the port to which the client is connected. After authentication succeeds, normal traffic can pass through the port. * The RADIUS Server provides Authentication, Authorization, Accounting (AAA) service.
802.1x Device Role
Device Roles: Client
Figure: identity/challenge exchange between the Workstation (Client), the Switch (Authenticator) and the RADIUS Server (Authentication Server).
Client:
The device (workstation) that requests access to the LAN and switch services, and responds to the identity/challenge requests from the switch and the RADIUS server.
The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system.
802.1x Device Role (Cont)
Device Roles: Authentication Server
Figure: request/challenge exchange between the Workstation (Client), the Switch (Authenticator) and the RADIUS Server (Authentication Server).
Authentication Server:
The Authentication Server validates the identity of the clients and notifies the switch whether or not the client is authorized to access the LAN. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
* Remote Authentication Dial-In User Service (RADIUS)
802.1x Device Role (Cont)
Device Roles: Authenticator
Figure: identity/challenge between Workstation (Client) and Switch (Authenticator); request/challenge between Switch (Authenticator) and RADIUS Server (Authentication Server).
Authenticator:
The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server, requesting identity information from the Client, verifying that information with the Authentication Server, and relaying a request/response (identity & challenge) between the Client and Authentication Server.
802.1X Authentication process
Figure: message sequence between Workstation (Client), Switch (Authenticator) and RADIUS Server (Authentication Server). The port starts in the Unauthorized state.
- Client -> Switch: EAPOL-Start
- Switch -> Client: EAP-Request/Identity
- Client -> Switch: EAP-Response/Identity
- Switch -> Server: RADIUS Access-Request
- Server -> Switch: RADIUS Access-Challenge
- Switch -> Client: EAP-Request/OTP
- Client -> Switch: EAP-Response/OTP
- Switch -> Server: RADIUS Access-Request
- Server -> Switch: RADIUS Access-Accept
- Switch -> Client: EAP-Success; Port Authorized
- Client -> Switch: EAPOL-Logoff; Port Unauthorized
- Switch -> Server: RADIUS Account-Stop
- Server -> Switch: RADIUS Ack
* OTP (One-Time-Password)
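The sequence above, as an added example written for this page (it is not D-Link code and does not model a real switch): a toy supplicant, authenticator port and RADIUS server exchange the same messages, and the port state only becomes Authorized after RADIUS Access-Accept and returns to Unauthorized on EAPOL-Logoff. The user table, the challenge derivation and the HMAC-based one-time password are constructed stand-ins; a real deployment uses an EAP method such as EAP-MD5, PEAP or EAP-TLS.

```python
"""Toy model of the 802.1X exchange (added example, not D-Link code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hashlib
import hmac

# Constructed RADIUS user table (username -> password), for this example only.
USER_DB = {"Crowley": "mygoca-ah", "Anderson": "busy2", "Shinglin": "4wireless"}


def otp_response(secret: str, challenge: bytes) -> str:
    """Constructed one-time-password function: HMAC of the server challenge."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()


class RadiusServer:
    """Authentication server: answers Access-Request with Challenge/Accept/Reject."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # username -> outstanding challenge

    def access_request(self, identity: str, otp: Optional[str] = None) -> Tuple[str, Optional[bytes]]:
        if identity not in self.users:
            return ("Access-Reject", None)
        if otp is None:
            # Constructed challenge; a real server uses a fresh random value.
            challenge = hashlib.sha256(identity.encode()).digest()[:8]
            self.pending[identity] = challenge
            return ("Access-Challenge", challenge)
        expected = otp_response(self.users[identity], self.pending.pop(identity, b""))
        if hmac.compare_digest(expected, otp):
            return ("Access-Accept", None)
        return ("Access-Reject", None)


@dataclass
class AuthenticatorPort:
    """Switch port acting as 802.1X authenticator."""
    server: RadiusServer
    state: str = "Unauthorized"
    log: list = field(default_factory=list)

    def forward_allowed(self, is_eapol: bool) -> bool:
        """Before authentication only EAPOL frames pass; afterwards everything does."""
        return is_eapol or self.state == "Authorized"

    def eapol_start(self, identity: str, secret: str) -> str:
        """Run the exchange for a supplicant that answers the OTP with `secret`."""
        self.log += ["EAPOL-Start", "EAP-Request/Identity", f"EAP-Response/Identity {identity}"]
        code, challenge = self.server.access_request(identity)
        self.log.append(f"RADIUS {code}")
        if code != "Access-Challenge":
            self.log.append("EAP-Failure")
            return self.state
        self.log.append("EAP-Request/OTP")
        otp = otp_response(secret, challenge)  # computed on the supplicant side
        self.log.append("EAP-Response/OTP")
        code, _ = self.server.access_request(identity, otp)
        self.log.append(f"RADIUS {code}")
        if code == "Access-Accept":
            self.log.append("EAP-Success")
            self.state = "Authorized"
        else:
            self.log.append("EAP-Failure")
            self.state = "Unauthorized"
        return self.state

    def eapol_logoff(self) -> str:
        """EAPOL-Logoff closes the port again and ends the accounting session."""
        self.log += ["EAPOL-Logoff", "RADIUS Account-Stop", "RADIUS Ack"]
        self.state = "Unauthorized"
        return self.state


def run_demo() -> Tuple[str, str, str]:
    """Good credentials, bad credentials, then logoff of the good session."""
    srv = RadiusServer(USER_DB)
    good = AuthenticatorPort(srv)
    good_state = good.eapol_start("Crowley", "mygoca-ah")
    bad = AuthenticatorPort(srv)
    bad_state = bad.eapol_start("Crowley", "wrong-password")
    return good_state, bad_state, good.eapol_logoff()


if __name__ == "__main__":
    print(run_demo())
```

The `log` list of a port records the message names in the order of the figure, which is handy for comparing against a packet capture of a real exchange.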
802.1X Authentication process
Figure: the same exchange shown as packet captures. Workstation (Client) IP: 192.168.0.100; Switch (Authenticator) IP: 192.168.0.1; RADIUS Server (Authentication Server) IP: 192.168.0.10. Captures are grouped into Client to Switch, Switch to Client, Switch to Server and Server to Switch.
* OTP (One-Time-Password)
Port Based 802.1x Example:
Figure: DES-3828 with Port Based 802.1x enabled on ports 1-12, uplinked to the Internet. An L2 switch/hub hangs off port 1 with clients James (192.168.0.100), Gary and Ryan, each running the WinXP built-in 802.1x client. A Win2003 Server at 192.168.0.10 runs the RADIUS Server service with user James, password 123. James sends Username: James, Password: 123 and the server replies "Username/Password Confirmed !!!".
All of the clients connected to the L2 hub can pass through the switch (DES-3828) once a single client (Kobe) is authenticated.
Port Based 802.1x Command Example:
DES3828 Configuration
reset
enable 802.1x
config 802.1x capability ports 1-24 authenticator
config radius add 1 192.168.0.10 key 123456 default
Client PCs configuration: run the 802.1x client software.
RADIUS Server configuration: Windows NT / Windows 2000 / 2003 Server RADIUS Server Service, or a third-party RADIUS server program.
1. Enable the 802.1x state on the device.
2. Configure the client-connected ports. (Note: the uplink port should not be configured as an authenticator.)
3. Configure the RADIUS server settings.
MAC Based 802.1x Example:
Figure: DES-3828 with MAC Based 802.1x enabled on ports 1-12, uplinked to the Internet. An L2 switch/hub connects clients James (192.168.0.100), Gary, Ryan and others, each running the WinXP built-in 802.1x client. A Win2003 Server at 192.168.0.10 runs the RADIUS Server service with user James, password 123. James sends Username: James, Password: 123 and the server replies "Username/Password Confirmed !!!".
The DES-3828 is only capable of learning up to 16 MAC addresses per port.
Each client needs to provide a correct username/password to pass authentication before it can access the network.
NOTICE: The L2 switch or hub should support 802.1x pass-through. Otherwise the 802.1x packet (destination MAC 01-80-C2-00-00-03, inside the IEEE reserved range 01-80-C2-00-00-01 ~ 01-80-C2-00-00-0F) will be dropped by that switch and therefore cannot reach the DES-3828.
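To make the NOTICE concrete, here is an added example (not D-Link code) that parses an Ethernet frame, recognises EAPOL by its EtherType 0x888E, and checks whether the destination is in the IEEE 802.1D reserved group-address block 01-80-C2-00-00-00 through 0F, which a plain bridge must not forward. The EAPOL-Start frame and client MAC used as input are constructed for the example; the same check can be applied to frames captured on the hub uplink to confirm whether 802.1x traffic is reaching the authenticator.

```python
"""Classify Ethernet frames as EAPOL and flag those a plain bridge would drop
(added example, not D-Link code)."""
import struct

ETHERTYPE_EAPOL = 0x888E
RESERVED_PREFIX = bytes.fromhex("0180c20000")      # 01-80-C2-00-00-xx
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into destination, source, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def is_reserved_group_addr(mac: bytes) -> bool:
    """True for 01-80-C2-00-00-00 through 01-80-C2-00-00-0F (802.1D reserved)."""
    return mac[:5] == RESERVED_PREFIX and mac[5] <= 0x0F


def classify(frame: bytes) -> dict:
    """Report whether the frame is EAPOL, its EAPOL type, and bridge behaviour."""
    eth = parse_ethernet(frame)
    info = {
        "eapol": eth["ethertype"] == ETHERTYPE_EAPOL,
        "reserved_dst": is_reserved_group_addr(eth["dst"]),
        "eapol_type": None,
    }
    if info["eapol"] and len(eth["payload"]) >= 4:
        _version, ptype, _length = struct.unpack("!BBH", eth["payload"][:4])
        info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    # A bridge without 802.1x pass-through discards frames sent to the reserved
    # block, so the authenticator never sees them.
    info["dropped_by_plain_bridge"] = info["reserved_dst"]
    return info


def build_eapol_start(src_mac: bytes) -> bytes:
    """Constructed EAPOL-Start frame: Ethernet header + EAPOL v1, type 1, length 0."""
    header = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", 1, 1, 0)


SAMPLE_CLIENT_MAC = bytes.fromhex("001122334455")  # constructed client address

if __name__ == "__main__":
    print(classify(build_eapol_start(SAMPLE_CLIENT_MAC)))
```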
MAC Based 802.1x Command Example:
DES3828 Configuration
reset
enable 802.1x
config 802.1x auth_mode mac_based
config 802.1x capability ports 1-24 authenticator
config radius add 1 192.168.0.10 key 123456 default
Client PCs configuration: run the 802.1x client software.
RADIUS Server configuration: Windows NT / Windows 2000 / 2003 Server RADIUS Server Service, or a third-party RADIUS server program.
1. Enable the 802.1x state on the device and change to mac_based mode.
2. Configure the client-connected ports. (Note: the uplink port should not be configured as an authenticator.)
3. Configure the RADIUS server settings.
802.1x Port Based vs MAC Based
Port-based 802.1x
Once a port is authorized by one client, the other users connecting to the same port through a hub or switch can also pass through the switch.
MAC-based 802.1x
1. Once a port is authorized by a client, only that client can pass through the switch.
2. The switch not only checks the username/password but also checks whether the maximum number of allowed MAC addresses has been reached. If it has, the new MAC is denied.
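The comparison above, and the earlier rule that only EAPOL passes before authentication, as an added example (not D-Link code): a small model of a port in each mode. In port-based mode one successful authentication opens the port for every station behind the hub; in MAC-based mode each MAC must authenticate, and a new MAC is refused once the per-port maximum (16 on the DES-3828, as stated above) is reached. The station MAC addresses and credential results are constructed.

```python
"""Forwarding decision of a port under port-based vs MAC-based 802.1x
(added example, not D-Link code)."""

MAX_MAC_PER_PORT = 16  # DES-3828 limit quoted in the slides


class Port8021x:
    def __init__(self, mode: str, max_macs: int = MAX_MAC_PER_PORT):
        if mode not in ("port_based", "mac_based"):
            raise ValueError("mode must be port_based or mac_based")
        self.mode = mode
        self.max_macs = max_macs
        self.authorized_macs = set()
        self.port_authorized = False

    def authenticate(self, mac: str, credentials_ok: bool) -> str:
        """Outcome of an authentication attempt arriving from `mac`."""
        if not credentials_ok:
            return "denied: bad credentials"
        if self.mode == "port_based":
            self.port_authorized = True          # whole port opens
            return "port authorized"
        # MAC-based: credentials are good, now enforce the per-port MAC limit
        if mac not in self.authorized_macs and len(self.authorized_macs) >= self.max_macs:
            return "denied: max MAC reached"
        self.authorized_macs.add(mac)
        return "mac authorized"

    def forward(self, src_mac: str, is_eapol: bool) -> bool:
        """EAPOL always passes (it is needed to authenticate); data only after auth."""
        if is_eapol:
            return True
        if self.mode == "port_based":
            return self.port_authorized
        return src_mac in self.authorized_macs


def compare_modes() -> dict:
    """Hub scenario from the slides: James authenticates, Gary and Ryan do not."""
    macs = {  # constructed addresses
        "James": "00:11:22:33:44:01",
        "Gary": "00:11:22:33:44:02",
        "Ryan": "00:11:22:33:44:03",
    }
    result = {}
    for mode in ("port_based", "mac_based"):
        port = Port8021x(mode)
        port.authenticate(macs["James"], credentials_ok=True)
        result[mode] = {name: port.forward(mac, is_eapol=False) for name, mac in macs.items()}
    return result


if __name__ == "__main__":
    print(compare_modes())
```

The output of `compare_modes()` shows the security difference in one line each: port-based lets Gary and Ryan through on James's authentication, MAC-based does not.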