Friday, February 1, 2013

Chapter 8 - 802.1x

802.1X is Layer 2 (the key is to remember this is Layer 2)

802.1x
This is an IEEE standard for layer 2 access control and authentication.
It defines a method of associating users with rights using filter or VLAN assignment.

Time to memorize.
Memorize the Supplicant / Authenticator / Authentication server. You can use that for the CCDA or CISSP.

802.1x is based on EAP, the Extensible Authentication Protocol, which is a framework.
The EAP method is the actual authentication mechanism used.

The Supplicant
will have some software installed on it: 802.1x Junos Pulse, OAC, or a third-party supplicant.
It cannot send any layer 3 traffic until the 802.1x authorization has been completed.
The negotiation of 802.1x is done using EAP messages.

The Authenticator blocks all traffic until it has finished negotiating the supplicant's access.
The request it receives is EAP over LAN (EAPOL).
It extracts the identity of the user and the credentials and sends them to the RADIUS
or authenticating server using a standard format.

The Authenticating server will evaluate the credentials and can also return additional information,
like which VLAN to put the user on or other instructions.


What is EAP?
It is an enhancement to PPP.


In layman's terms:
You arrive at the gate.
You say Hello    (EAP Start)
The guard says show me ID   (EAP Request Identity)
You give him ID  (EAP Response)
The guard calls the Security Room and asks if he can come in. (RADIUS request)
The Security Room says to the guard: ask him a challenge (RADIUS Access-Challenge)
The security guard relays that to you.
You respond.
The guard relays your response to the Security Room.
They say, let him in and give him this ID (optional)
The guard says success and gives you an ID  (VLAN)
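The same gate conversation as an added Python toy model (not part of the original post or of any Juniper product): the supplicant can push no layer 3 traffic until EAP-Success, the authenticator only relays, and the server decides and hands back the VLAN. The user table and the HMAC-based challenge are constructed stand-ins for a real EAP method.

```python
# Added example (not from the original post): a toy model of the exchange above.
# Supplicant <-> Authenticator speak EAPOL; Authenticator <-> server speak RADIUS.
# The user table and the challenge scheme (HMAC-SHA256 of a server nonce keyed
# with the password, standing in for a real EAP method) are constructed.
import hmac, hashlib, os

USERS = {"alice": {"password": "s3cret", "vlan": "20"}}  # constructed user database

class AuthServer:
    """Security Room / RADIUS: evaluates credentials, may return a VLAN."""
    def __init__(self):
        self.pending = {}                      # identity -> outstanding nonce
    def handle(self, msg):
        user = USERS.get(msg["identity"])
        if msg["type"] == "Access-Request":    # guard asked: can he come in?
            self.pending[msg["identity"]] = nonce = os.urandom(16)
            return {"type": "Access-Challenge", "nonce": nonce}
        nonce = self.pending.pop(msg["identity"], None)
        if user and nonce is not None:
            expected = hmac.new(user["password"].encode(), nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, msg["response"]):
                return {"type": "Access-Accept", "vlan": user["vlan"]}
        return {"type": "Access-Reject"}

class Authenticator:
    """The guard / switch port: drops everything but EAPOL until Access-Accept."""
    def __init__(self, server):
        self.server, self.authorized, self.vlan = server, False, None
    def forward(self, layer3_frame):
        return self.authorized                 # False: frame dropped, port unauthorized
    def eapol(self, identity, eap):
        reply = self.server.handle(dict(eap, identity=identity))  # relay to RADIUS
        if reply["type"] == "Access-Challenge":
            return {"type": "EAP-Request", "nonce": reply["nonce"]}
        if reply["type"] == "Access-Accept":
            self.authorized, self.vlan = True, reply["vlan"]
            return {"type": "EAP-Success", "vlan": self.vlan}
        return {"type": "EAP-Failure"}

def supplicant_login(port, identity, password):
    """Walk through the gate: identity, challenge, response. Returns (authorized, vlan)."""
    challenge = port.eapol(identity, {"type": "Access-Request"})   # EAP Start / identity
    resp = hmac.new(password.encode(), challenge["nonce"], hashlib.sha256).digest()
    port.eapol(identity, {"type": "Challenge-Response", "response": resp})
    return port.authorized, port.vlan
```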


Supported EAP methods.
EAP-TTLS stands for Tunneled Transport Layer Security.
This is the default for OAC.
It has two phases.
In the first, the authenticating server presents an X.509 certificate to the supplicant.
This creates a secure tunnel.
In the second, the supplicant presents its credentials inside that tunnel.

EAP-JUAC is Juniper's method
and allows the OAC software to take advantage of the full set of features, like Host Enforcer.
EAP-JUAC is the default INNER protocol.

Junos Pulse can support using NAP for 802.1x.

Third party
EAP-TLS enables non-Juniper supplicants to authenticate using PKI.

EAP-SoH is a Statement of Health; this works with Windows.
To use EAP-SoH you must use EAP-PEAP as the outer protocol (OAC/Pulse).

EAP-GTC  for tokens
PAP  plaintext passwords.

CHAP, Microsoft CHAP, EAP-MD5, EAP-MS-CHAPv2


Ok, the above mentioned an Inner Join   and an Outer Join.
Inner Authentication
Outer Authentication.
(I am thinking Access joins, sorry)

Example 1:
Assign the users a VLAN based on their LDAP group membership.
Pulse will push VLAN 20 to the switch (Authenticator), which will assign it to the client.

Example 2:
When you daisy chain a PC to a phone to a switch, each item will need a different VLAN.
1. The switches must support dual VLAN assignment; this is usually done with CDP/LLDP.
2. Either use the phone's 802.1x,
3. or use the phone's MAC by using a MAC database as the authentication realm.


RADIUS elements in 802.1x
The Juniper RADIUS is based on their older product called "Steel-Belted Radius".
It is a license you can put on the MAG to enable RADIUS on it, or you can use an external RADIUS
server.
The RADIUS server will receive the EAP messages from the supplicants.
It will perform authentication.
It will send out additional attributes (like the VLAN, enforcer settings).
The 802.1x switch or AP will apply those settings to the supplicant session.

RADIUS servers include
Clients - these are the 802.1x Authenticators who apply on behalf of supplicants.
Vendors - list of client manufacturers, like Juniper 802.1x switches or Cisco 802.1x.
Dictionary - the list of available attributes that we talked about.

(VSA: vendor-specific attributes)

Users - list of usernames and passwords. The server can also query an external server for those, like AD/LDAP.
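An added example (not from the original post) of how the attributes a RADIUS server hands back are laid out on the wire: the standard VLAN assignment uses the RFC 2868 tunnel attributes, and anything vendor-specific rides inside attribute 26 and needs a dictionary entry to decode. The vendor id 99999 and the VSA type used here are constructed placeholders.

```python
# Added example (not from the original post): wire layout of the extra attributes a
# RADIUS server returns in Access-Accept. VLAN assignment uses the RFC 2868 tunnel
# attributes (a tag byte, then the value); vendor extensions ride inside attribute 26
# (Vendor-Specific) and need a dictionary to interpret. The vendor id 99999 and the
# VSA type used here are constructed placeholders, not any real vendor's values.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID}
VLAN, IEEE_802 = 13, 6                       # Tunnel-Type and Tunnel-Medium-Type values

def avp(code, value):
    """One attribute: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", code, len(value) + 2) + value

def vlan_attrs(vlan, tag=0):
    """The three attributes that tell an authenticator which VLAN to apply."""
    t = struct.pack("!B", tag)
    return (avp(TUNNEL_TYPE, t + struct.pack("!I", VLAN)[1:])        # 3-byte integer after tag
            + avp(TUNNEL_MEDIUM, t + struct.pack("!I", IEEE_802)[1:])
            + avp(TUNNEL_GROUP_ID, t + vlan.encode()))

def vsa(vendor_id, vtype, value):
    """Vendor-Specific: vendor id (4 bytes) then vendor type, vendor length, value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)

def parse_attrs(data):
    """Decode an attribute list into {code: value}; malformed lengths raise ValueError."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        value = data[i + 2:i + length]
        if code in TAGGED:                    # tag byte first, then the real value
            tag, body = value[0], value[1:]
            out[code] = (tag, body.decode()) if code == TUNNEL_GROUP_ID else (tag, int.from_bytes(body, "big"))
        elif code == VENDOR_SPECIFIC:         # needs a dictionary: key by (vendor id, vendor type)
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            out.setdefault(code, {})[(vendor_id, vtype)] = value[6:4 + vlen]
        else:
            out[code] = value
        i += length
    return out
```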



RADIUS Proxy allows the MAG to use an external Authenticating Server (RADIUS).
The MAG will "proxy" the request to it and then update the Authenticator.
The data from the MAG to the AAA server in the "inner tunnel" is cleartext.
The Junos MAG will add the attributes based on the ROLE.

MAC Authentication for client-less devices.
The first problem with MAC authentication is user spoofing.
You can set up separate VLANs for the devices so they cannot cross into the corporate LAN.
You can also set up packet filters so they can only run specific protocols.
You must have a database with all the MACs required.
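A small check a defender can run over MAC-authentication logs to catch the spoofing problem noted above, added here as an example and not part of the original post: a MAC that should only exist once (a printer, a phone) showing up on two ports at the same time, or on a port other than where it was enrolled, is worth an alert. The log format, the MAC database and the sample lines are all constructed.

```python
# Added example (not from the original post): spot likely MAC spoofing in
# MAC-authentication logs. The log format, MAC database and sample lines below
# are constructed for illustration.
import re
from collections import defaultdict

# constructed MAC database: mac -> (description, port it was enrolled on)
MAC_DB = {
    "00:11:22:33:44:55": ("printer-3rd-floor", "ge-0/0/10"),
    "00:11:22:33:44:66": ("lobby-phone", "ge-0/0/2"),
}

LOG_RE = re.compile(r"^(?P<ts>\d+) mac-auth (?P<result>ACCEPT|REJECT) "
                    r"mac=(?P<mac>[0-9a-f:]{17}) port=(?P<port>\S+)$")

# constructed sample: lines 2 and 3 show the printer's MAC accepted on two ports
# within one minute; line 4 is an unenrolled MAC being rejected as expected
SAMPLE_LOG = """\
1000 mac-auth ACCEPT mac=00:11:22:33:44:66 port=ge-0/0/2
1010 mac-auth ACCEPT mac=00:11:22:33:44:55 port=ge-0/0/10
1040 mac-auth ACCEPT mac=00:11:22:33:44:55 port=ge-0/0/17
1050 mac-auth REJECT mac=de:ad:be:ef:00:01 port=ge-0/0/20
"""

def find_mac_anomalies(log, window=60):
    """Return (mac, reason) pairs for accepted MAC logins that look spoofed."""
    alerts, last_seen = [], defaultdict(dict)      # mac -> {port: last accept time}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "ACCEPT":
            continue                               # rejects are the system working
        mac, port, ts = m["mac"], m["port"], int(m["ts"])
        desc, home_port = MAC_DB.get(mac, ("unknown", None))
        if home_port and port != home_port:        # known device, wrong port
            alerts.append((mac, "%s accepted on %s, enrolled on %s" % (desc, port, home_port)))
        # same MAC recently accepted elsewhere: two "devices" claiming one address
        others = [p for p, t in last_seen[mac].items() if p != port and ts - t <= window]
        if others:
            alerts.append((mac, "%s active on %s and %s within %ds" % (desc, port, others[0], window)))
        last_seen[mac][port] = ts
    return alerts
```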

Great Bay Beacon Endpoint Profiler is a product that can analyze the endpoints.
It identifies them and can tell if they can run 802.1x or need MAC authentication.
It can mine data from those devices for the monitoring part.
It helps facilitate mobility of those devices.
Beacon can help with compliance in strict security settings.

On the switch, the RADIUS server and the access profile that points at it (secret and address are placeholders):
set access radius-server x.x.x.x secret <shared-secret>
set access profile ac1 authentication-order radius
set access profile ac1 radius authentication-server x.x.x.x

The RADIUS server here is the MAG.


The 802.1x authenticator on the switch, using that profile:
set protocols dot1x authenticator authentication-profile-name ac1
set protocols dot1x authenticator interface ge-0/0/2 supplicant single
set protocols dot1x authenticator interface ge-0/0/2 reauthentication 3600
set protocols dot1x authenticator interface ge-0/0/2 guest-vlan remediation
set protocols dot1x authenticator interface ge-0/0/2 server-reject-vlan remediation


guest-vlan is for unauthenticated clients (no supplicant answered).
server-reject-vlan is for failed authentication.

RADIUS dictionary: creates values that specific manufacturers can use.

802.1x: TTLS / PEAP for clients.
802.1x: MD5 / TLS for phones.


Junos Pulse
Outer: EAP-TTLS
Inner: EAP-JUAC
