Date post: 16-Nov-2014
how to configure ms2003 IAS, for radius auth ?
Page 1: 802.1x

1

Page 2: 802.1x

2

ers4500 802.1x application on MS2003

Version 3

Alp IŞIK

Netas NTS Engineer

[email protected]

Page 3: 802.1x

3

Topology 1 (diagram)

supplicant -- authenticator -- RADIUS server -- network

Addresses shown in the diagram: 192.168.49.10, 192.168.49.150, 192.168.49.52 (the RADIUS server, matching the radius-server host in the switch configuration later in the deck); MAC address 00:1b:24:b5:da:b3.

Page 4: 802.1x

4

Authentication types that the ERS supports

1) EAP

2) NEAP (non-EAP)

Page 5: 802.1x

5

EAP Authentication concept 1/2

• 802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. Port refers to a single point of attachment to the LAN infrastructure. The supplicant is often software on a client device, such as a laptop; the authenticator is a network device, such as an ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

Page 6: 802.1x

6

EAP Authentication concept 2/2

• The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.

Page 7: 802.1x

7

NEAP Authentication concept

• NEAP was developed because EAP is not usable for every user or every user device, while authentication is still necessary.

• NEAP authenticates the user by MAC address, IP address and/or the port number of the authenticator. It can use only the MAC address, only the IP address, or a combination of the above.

Page 8: 802.1x

8

802.1X Conversation

Parties: PC_Client (EAP Client/Supplicant), Ethernet Switch (RADIUS Client), RADIUS Server (Authentication Server).

Client to switch communication: EAP over Ethernet (EAPoL). Switch to RADIUS server communication: Auth Requests & Return Attributes.

Port-Start (access to the network blocked)

1. EAPoL-Start (client to switch)

2. EAP-Request/Identity (switch to client)

3. EAP-Response/Identity (client to switch), forwarded as Radius-Access-Request (switch to server)

4. Radius-Access-Challenge (server to switch), delivered as EAP-Request (Credentials) (switch to client)

5. EAP-Response (Credentials) (client to switch), forwarded as Radius-Access-Request (switch to server)

6. Radius-Access-Accept (server to switch), delivered as EAP-Success (switch to client)

Access Allowed
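The conversation above, played out as an added Python example (not part of the original deck and not the ERS or IAS software): three small roles for the supplicant, the switch and the RADIUS server, using the EAP-MD5 method the deck later selects in IAS. The user name, password and in-memory user table are constructed for the demo, and the "state" token stands in for the RADIUS State attribute that the switch echoes back so the server can match the MD5 response to its challenge.

```python
import hashlib
import hmac
import os

# Constructed directory entry (not from the deck): the account IAS would look up.
# EAP-MD5 needs the cleartext password on the server side, which is why the deck
# ticks "store password using reversible encryption" on the AD account.
USER_DB = {"alp isik": "demo-password"}


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 s.5.4, reusing CHAP from RFC 1994):
    MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Supplicant:
    """PC_Client: answers the EAP requests the switch relays over EAPoL."""

    def __init__(self, identity: str, password: str):
        self.identity = identity
        self.password = password

    def handle(self, req: dict) -> dict:
        if req["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "id": req["id"], "identity": self.identity}
        if req["type"] == "EAP-Request/MD5-Challenge":
            value = md5_challenge_response(req["id"], self.password, req["challenge"])
            return {"type": "EAP-Response/MD5-Challenge", "id": req["id"], "value": value}
        raise ValueError(f"unexpected request {req['type']}")


class AuthServer:
    """RADIUS server: each EAP message arrives inside an Access-Request. Pending
    challenges are keyed by a State token the switch must echo back, because the
    MD5 response itself carries no identity."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.pending = {}  # state -> (identity, eap id, challenge)

    def handle(self, access_request: dict) -> dict:
        eap = access_request["eap"]
        if eap["type"] == "EAP-Response/Identity":
            state, challenge = os.urandom(8).hex(), os.urandom(16)
            eap_id = (eap["id"] + 1) & 0xFF
            self.pending[state] = (eap["identity"], eap_id, challenge)
            return {"code": "Access-Challenge", "state": state,
                    "eap": {"type": "EAP-Request/MD5-Challenge", "id": eap_id, "challenge": challenge}}
        if eap["type"] == "EAP-Response/MD5-Challenge":
            session = self.pending.pop(access_request.get("state"), None)
            ok = False
            if session is not None:
                identity, eap_id, challenge = session
                password = self.user_db.get(identity)
                # Unknown users are challenged too (no enumeration) but can never match.
                ok = (password is not None and eap["id"] == eap_id and hmac.compare_digest(
                    eap["value"], md5_challenge_response(eap_id, password, challenge)))
            return {"code": "Access-Accept" if ok else "Access-Reject",
                    "eap": {"type": "EAP-Success" if ok else "EAP-Failure", "id": eap["id"]}}
        return {"code": "Access-Reject", "eap": {"type": "EAP-Failure", "id": eap["id"]}}


def authenticate(supplicant: Supplicant, server: AuthServer):
    """The switch (authenticator): relays EAP both ways and keeps the port blocked
    until it sees Access-Accept. Returns (port_authorized, transcript)."""
    transcript = ["EAPoL-Start"]
    state = None
    request = {"type": "EAP-Request/Identity", "id": 1}
    while True:
        transcript.append(request["type"])          # switch -> client
        response = supplicant.handle(request)
        transcript.append(response["type"])         # client -> switch
        transcript.append("Radius-Access-Request")  # switch -> server (EAP-Message)
        reply = server.handle({"eap": response, "state": state})
        transcript.append("Radius-" + reply["code"])
        state = reply.get("state")
        request = reply["eap"]
        if reply["code"] != "Access-Challenge":
            transcript.append(request["type"])      # EAP-Success / EAP-Failure to client
            return reply["code"] == "Access-Accept", transcript


if __name__ == "__main__":
    authorized, steps = authenticate(Supplicant("alp isik", "demo-password"), AuthServer(USER_DB))
    print("port authorized:", authorized)
    print("\n".join(steps))
```

The transcript produced by `authenticate` is exactly the message sequence on the slide; a wrong password or an unknown user ends in Radius-Access-Reject and EAP-Failure with the port still blocked.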

Page 9: 802.1x

9

802.1X Ethernet packet

Ethernet header:

• Dest. MAC (6 bytes): 0180C2000003 (0180C200000F in the beta release)

• Source MAC (6 bytes)

• Type (2 bytes): 888E (8180 in the beta release)

EAPOL header:

• Protocol Version (1 byte): 01

• Packet Type (1 byte): 00 EAP-Packet, 01 EAPOL-Start (no packet body field), 02 EAPOL-Logoff (no packet body field), 03 EAPOL-Key, 04 EAPOL-Encapsulated-ASF-Alert

• Packet Body Length (2 bytes)

• Packet Body (n bytes)

EAP-Packet body field: Code (1 byte), Identifier (1 byte), Length (2 bytes), Data (n bytes). Codes: 1 Request, 2 Response, 3 Success, 4 Failure.

EAPOL-Key packet body field: Descriptor Type (1 byte), Key Length (2 bytes), Replay Counter (8 bytes), Key IV (16 bytes), Key Index (1 byte), Key Signature (16 bytes), Key (n bytes).
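An added example (not code from the deck): a Python parser for the layout above, from the Ethernet header through the EAPOL header to the EAP header, with the length checks a receiver needs so that a short or inconsistent frame is rejected instead of read past its end. The sample frames are constructed here; the source MAC is the one on the topology slide.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"      # destination used for EAPOL on a wire
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eap(body: bytes) -> dict:
    """EAP packet: Code(1) Identifier(1) Length(2) Data(n); for Request/Response
    the data starts with a one-byte Type."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} body bytes")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type, data = body[4], body[5:length]
        eap["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            eap["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == 4:
            # MD5-Challenge data: Value-Size(1) Value(Value-Size) Name(rest)
            if not data or len(data) < 1 + data[0]:
                raise ValueError("MD5-Challenge value truncated")
            eap["value"] = data[1:1 + data[0]]
            eap["name"] = data[1 + data[0]:]
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Ethernet + EAPOL: Dst(6) Src(6) Type(2)=888E | Version(1) PacketType(1)
    BodyLength(2) Body(n)."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not EAPOL")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    if ptype in (1, 2) and body_len != 0:
        raise ValueError(f"{EAPOL_TYPES[ptype]} must not carry a body")
    dst = frame[:6].hex(":")
    rec = {"dst": dst, "src": frame[6:12].hex(":"), "version": version,
           "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "body_len": body_len,
           "to_pae_group": dst == PAE_GROUP_ADDRESS}
    if ptype == 0:
        rec["eap"] = parse_eap(body)
    return rec


def eapol(ptype: int, body: bytes = b"", src="00:1b:24:b5:da:b3", dst=PAE_GROUP_ADDRESS) -> bytes:
    """Build a demo frame (default source MAC taken from the deck's topology slide)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


# Constructed sample frames mirroring the start of the conversation slide.
SAMPLE_FRAMES = {
    "start": eapol(1),                                                # EAPOL-Start, no body
    "identity_request": eapol(0, struct.pack("!BBHB", 1, 1, 5, 1)),   # EAP Request/Identity
    "identity_response": eapol(0, struct.pack("!BBHB", 2, 1, 13, 1) + b"alp isik"),
    "truncated": eapol(0, struct.pack("!BBHB", 1, 2, 5, 1))[:-1],      # body shorter than length
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        try:
            print(name, parse_eapol_frame(frame))
        except ValueError as exc:
            print(name, "rejected:", exc)
```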

Page 10: 802.1x

10

For EAP, MS 2003 server configuration

• The 2003 server should have Active Directory and the IAS server installed.

• In Active Directory, the users and groups need to be created (as figure 1).

• In IAS, the RADIUS client will be created (as figures 2-4).

• In IAS, the access policy needs to be created (as figures 5-12).

• Return to Active Directory and configure the user as figure 13-

Page 11: 802.1x

11

At the Active Directory, part 1

• A group (eapsunum1) is created; all EAP users (alp isik) are configured as members of “eapsunum1” and of the “RAS and IAS Servers” group. Better still, make the ‘eapsunum1’ group itself a member of the “RAS and IAS Servers” group.

Page 12: 802.1x

12

Figure 1

Page 13: 802.1x

13

At the IAS server

• For the RADIUS client, the shared secret needs to be the same as on the authenticator (ers4500).

• After the RADIUS client is created it can be checked as in figure 4.
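Why the shared secret must match on both ends, as an added Python example (not the deck's own material): the switch accepts a RADIUS Access-Accept only after recomputing the Response Authenticator with its own copy of the secret, so a secret that differs from the one entered in IAS makes every reply fail that check even though the user's credentials were fine. The secret "Nortel" is the one in the switch configuration later in the deck; the packet identifier and attribute contents are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, including this header) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code: int, ident: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side (RFC 2865 s.3): Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Switch side: recompute the Response Authenticator with the switch's own copy
    of the shared secret. A wrong secret, a modified attribute list, or a reply not
    tied to our Request Authenticator all fail here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo(server_secret: bytes, switch_secret: bytes) -> bool:
    """One Access-Accept round trip with the given secrets; True if the switch accepts it."""
    request_auth = os.urandom(16)          # chosen by the switch for its Access-Request
    attrs = attribute(18, b"Welcome")      # Reply-Message, constructed for the demo
    accept = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, server_secret)
    return verify_response(accept, request_auth, switch_secret)


if __name__ == "__main__":
    print("matching secrets :", demo(b"Nortel", b"Nortel"))
    print("mismatched secret:", demo(b"Nortel", b"nortel"))
```

Note that the check covers the whole attribute list, so a RADIUS-assigned VLAN (used by the ERS features later in the deck) is only honoured when the reply authenticates under the shared secret.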

Page 14: 802.1x

14

Figure 2

Page 15: 802.1x

15

Figure 3

Page 16: 802.1x

16

Figure 4

Page 17: 802.1x

17

At the IAS access policy 1/2

• For the access method we have chosen Ethernet.

• For the authentication method we have chosen MD5; any other method could be chosen (figure 8).

• On the created access policy, right-click and choose Properties (figure 9).

• By default some policy conditions will be present; delete the unnecessary ones and implement those that match your criteria (in the example, figure 10, we have implemented a NAS IP address condition, the NAS being the authenticator switch, matching the ers4500's IP address) and check that Grant remote access permission is selected.

Page 18: 802.1x

18

At the IAS access policy 2/2

• On the Advanced tab (figure 11) we did not want to send anything to the user/switch, to keep the sample simple, so we removed the attributes.

• On the Authentication tab (figure 12) we have chosen nothing except the EAP method (MD5).

Page 19: 802.1x

19 Figure 5

Page 20: 802.1x

20 Figure 6

Page 21: 802.1x

21

Figure 7

Page 22: 802.1x

22 Figure 8

Page 23: 802.1x

23 Figure 9

Page 24: 802.1x

24 Figure 10

Page 25: 802.1x

25 Figure 11

Page 26: 802.1x

26 Figure 12

Page 27: 802.1x

27

At the Active Directory, part 2

• We have returned to Active Directory to configure the user properties.

• On the Account tab we chose "Password never expires" and "Store password using reversible encryption".

• On the Member Of tab we added the user to eapsunum1 and RAS & IAS Servers.

• On the Dial-in tab we allowed the access.

Page 28: 802.1x

28 Figure 13

Page 29: 802.1x

29 Figure 14

Page 30: 802.1x

30 Figure 15

Page 31: 802.1x

31

For EAP (authenticator) switch config (ers4500)

• In topology 1, port 3 is used for the EAP client (supplicant) connection.

• The config is attached to the document; double-click to open “eap port3.log”.

>enable
#config terminal
#radius-server host 192.168.49.52 port 1812 key Nortel
#interface fastEthernet 3
#eapol status auto
#exit
#eapol enable

(attachment: eap port3.log)

Page 32: 802.1x

32

At the supplicant / user

• First you need to enable authentication from the Local Area Connection properties. By default there is no Authentication tab: from the PC click Start, Run, type services.msc, and start Wired AutoConfig. The Authentication tab will then appear; there, tick 802.1x and choose your authentication method, MD5 or another.

• Over the Local Area Connection a box will appear as in figure 16.

• After clicking on it and entering the user name and password (which were created in Active Directory) and the logon domain (the Active Directory domain name), access will be provided (figure 17).

Page 33: 802.1x

33 Figure 16

Page 34: 802.1x

34 Figure 17

Page 35: 802.1x

35

Successful wireshark output server side

Page 36: 802.1x

36

Successful wireshark output user side

Page 37: 802.1x

37

In the MS 2003 Event Viewer it is seen as IAS information

Page 38: 802.1x

38

For NEAP, MS 2003 server config

• On the 2003 server the Active Directory user account differs from the EAP one; it is for the MAC attribute only (figure 18). The user logon name needs to be the same as the MAC address of the supplicant.

• In the IAS remote access policy, edit the profile and choose PAP as the authentication method, as in figure 19.

• By default the 2003 server has password policies; to be able to give the MAC address as the password you need to remove the password policies.
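An added Python example (not from the deck) of what a NEAP Access-Request carries once PAP is selected: the MAC address becomes both User-Name and User-Password, and User-Password is hidden with the RFC 2865 scheme keyed by the shared secret and the Request Authenticator. The exact MAC string format (12 lowercase hex digits, no separators) is an assumption about the switch's mac-addr password format; the MAC is the one on the topology slide and the secret is the one from the switch configuration.

```python
import hashlib
import os
import re


def neap_mac_credential(mac: str) -> str:
    """Normalise a MAC into the string used for both User-Name and password.
    Assumption (not stated in the deck): 12 lowercase hex digits without separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad with NULs to a multiple of 16, then for each block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the inverse operation, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def neap_pap_attributes(mac: str, secret: bytes, request_authenticator: bytes) -> dict:
    """The two attributes the switch puts into the NEAP Access-Request when the
    password format is the MAC address (non-eap-pwd-fmt mac-addr)."""
    cred = neap_mac_credential(mac)
    return {"User-Name": cred,
            "User-Password": hide_user_password(cred.encode(), secret, request_authenticator)}


if __name__ == "__main__":
    ra = os.urandom(16)                                  # Request Authenticator from the switch
    attrs = neap_pap_attributes("00:1b:24:b5:da:b3", b"Nortel", ra)
    print(attrs["User-Name"], attrs["User-Password"].hex())
    print(reveal_user_password(attrs["User-Password"], b"Nortel", ra))
```

The hiding only protects the value between switch and server; the plaintext the server recovers is a 12-character hex string, which is what the deck's password-policy changes (minimum length, complexity) make acceptable to Active Directory.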

Page 39: 802.1x

39

How to remove password policy at 2003 Server 1/2

• Select Domain Security Policy from Administrative Tools.

• Click on Security Settings > Account Policies > Password Policy.

• Right-click on Minimum password length in the right pane.

• Click Properties from the context menu.

• Enter a new minimum password length. Entering a Zero (0) will remove the password requirement.

Page 40: 802.1x

40

How to remove password policy at 2003 Server 2/2

• Double-click on Passwords must meet complexity requirements in the right pane.

• Select the Disabled option.

• Click Start > Run... and type cmd.

• Type gpupdate /force at the command prompt.

Page 41: 802.1x

41 Figure 18

Page 42: 802.1x

42 Figure 19

Page 43: 802.1x

43

For NEAP at the authenticator switch ers4500 1/3

• In topology 1, port 10 is used for the NEAP supplicant.

• For the switch configuration you may use the attached neapport10.log (double-click to open).

Page 44: 802.1x

44

For neap at the authenticator switch ers4500 2/3

>enable
#config terminal
#radius-server host 192.168.49.52 port 1812 key Nortel
#interface fastEthernet 3
#eapol status auto
#exit
#eapol enable
#interface fastEthernet 10
#eapol status auto
#eapol multihost allow-non-eap-enable
#eapol multihost non-eap-mac-max 10
#eapol multihost radius-non-eap-enable
#eapol multihost enable
#exit

Page 45: 802.1x

45

For neap at the authenticator switch ers4500 3/3

#eapol multihost allow-non-eap-enable
#eapol multihost radius-non-eap-enable
#no eapol multihost non-eap-pwd-fmt
#eapol multihost non-eap-pwd-fmt mac-addr
#eapol enable

Page 46: 802.1x

46

For NEAP at the user/supplicant

• Nothing needs to be done at the user: as soon as the port is connected, if the MAC/IP/port matches the server configuration the user will get traffic.

Page 47: 802.1x

47

Successful neap event view

Page 48: 802.1x

48

On the switch the NEAP supplicant can be checked as below

Page 49: 802.1x

49

Page 50: 802.1x

50

*Please note that a device is only put into the Guest VLAN provided that another user has not already passed EAP authentication.

Page 51: 802.1x

51

ERS4500 implementations / features 1/11

RADIUS password fallback

• With the RADIUS password fallback feature, the user can log on to the switch or stack by using the local password if the RADIUS server is unavailable or unreachable for authentication.

Page 52: 802.1x

52

ERS4500 implementations / features 2/11

• EAPOL dynamic VLAN assignment

If EAPOL-based security is enabled on an authorized port, the EAPOL feature dynamically changes the port VLAN configuration and assigns a new VLAN. The new VLAN configuration values apply according to previously stored parameters in the Authentication server.

The following VLAN configuration values are affected:

• port membership

• PVID

• port priority

Page 53: 802.1x

53

ERS4500 implementations / features 3/11

• Single Host with Single Authentication (SHSA)

• Multiple Host with Multiple Authentication (MHMA)

• Multiple Host with Single Authentication (MHSA)

Page 54: 802.1x

54

ERS4500 implementations / features 4/11

• Single Host with Single Authentication and Guest VLAN

• With EAPOL SHSA (Single Host with Single Authentication, the simplest EAPOL port operating mode), you can connect only one client on each port that is configured for EAPOL-based security. If you attempt to add additional clients to a port, that port state changes to Unauthorized.

• You can configure a guest VLAN for non-authenticated users to access the port. Any active VLAN can be a guest VLAN.

The following rules apply for SHSA:

• When the port is EAP enabled

— If Guest VLAN is enabled, the port is placed on a Guest VLAN.

PVID of the port = Guest VLAN ID

Page 55: 802.1x

55

ERS4500 implementations / features 5/11

• Guest VLAN

When an authentication failure occurs, a port is placed back in the Guest VLAN.

ATTENTION

An EAP-enabled port is not moved to the guest VLAN if the guest VLAN and the original VLAN are associated with different STGs. In that case the EAP port does not forward traffic in either the guest VLAN or the original VLAN; if EAP authentication succeeds, packets are transmitted properly in the original VLAN.

Page 56: 802.1x

56

ERS4500 implementations / features 6/11

• After the switch accesses the RADIUS server and authentication succeeds, the ports move to the Guest VLAN, or to configured VLANs, and age to allow the authentication of all incoming MAC addresses on the port. If there is at least one authenticated MAC address on the port, it blocks all other unauthenticated MAC addresses on the port.

Page 57: 802.1x

57

ERS4500 implementations / features 7/11

802.1X or non-EAP with Fail Open VLAN

802.1X or non-EAP with Fail Open VLAN provides network connectivity when the switch cannot connect to the RADIUS server. Every three minutes, the switch verifies whether the RADIUS servers are reachable. If the switch cannot connect to the primary and secondary RADIUS servers, then after a specified number of attempts to restore connectivity, the switch declares the RADIUS servers unreachable.

All authenticated devices move into the configured Fail Open VLAN when the switch declares the RADIUS servers unreachable. This prevents the clients from being disconnected when the reauthentication timer expires and provides the devices some form of network connectivity.

Page 58: 802.1x

58

ERS4500 implementations / features 8/11

MHMA (Multiple Host with Multiple Authentication)

• Each user must complete EAP authentication before the port allows traffic from the corresponding MAC address. Only traffic from the authorized hosts is allowed on that port.

Transmitting EAPOL packets

• Only unicast packets are sent to a specific port so that the packets reach the correct destination.

• After the first successful authentication, only EAPOL packets and data from the authenticated MAC addresses are allowed on a particular port.

Page 59: 802.1x

59

ERS4500 implementations / features 9/11

• A port remains on the Guest VLAN when no authenticated hosts exist on it. Until the first authenticated host, both EAP and non-EAP clients are allowed on the port.

• RADIUS VLAN assignment is enabled for ports in MHMA mode. Upon successful RADIUS authentication, the port gets a VLAN value in a RADIUS attribute with EAP success. The port is added and the PVID is set to the first such VLAN value from the RADIUS server.

• Reauthenticate Now, when enabled, causes all sessions on the port to reauthenticate.

Page 60: 802.1x

60

ERS4500 implementations / features 10/11

802.1X or non-EAP Last Assigned RADIUS VLAN

The 802.1X or non-EAP Last Assigned RADIUS VLAN functionality allows you to configure the switch such that the last received RADIUS VLAN assignment is always honoured on a port. In the previous release, if you enable the use-radius-assigned-vlan option, then only the first valid RADIUS-assigned VLAN (by EAP or non-EAP authentication) on that port is honoured. The subsequent RADIUS VLAN assignments are ignored for any user on that port. The last RADIUS-assigned VLAN (either EAP or non-EAP) determines the VLAN membership and PVID, replacing any previous RADIUS-assigned VLAN values for that port.

Page 61: 802.1x

61

ERS4500 implementations / features 11/11

ATTENTION

If a PC client is assigned to a VLAN based on a previous RADIUS Assigned VLAN, when the client goes into sleep or hibernation mode it reverts to either the default port-based VLAN or Guest VLAN configured for that port. So, the WoL Magic Packet must be sent to the default VLAN or Guest VLAN.

Page 62: 802.1x

62

For EAP/NEAP with guest VLAN

• We need to enable DHCP on MS 2003 to give IP addresses to the users in the authenticated VLAN (figure 20).

• We need to configure DHCP relay on the ers4500.

• This lets an authenticated user get an IP address from DHCP, while a non-authenticated user uses the guest VLAN.

Page 63: 802.1x

63 Figure 20

Page 64: 802.1x

64

ERS 4500 DHCP relay commands

ip dhcp-relay
ip dhcp-relay fwd-path <next hop ip> <server ip> enable
ip dhcp-relay fwd-path <next hop ip> <server ip> mode bootp-dhcp

Page 65: 802.1x

65

• Double-click the package to see the EAP-RADIUS resources.

(attachment: Package)

Page 66: 802.1x

66

• Thanks

