radius
TRANSCRIPT
Topic : RADIUS
Hồ Đắc Biên, 0985 196 884, [email protected]
CCNP Written, CCNA, MCSA, MCITP-EA, Security+, CEH
Pre-RADIUS Infrastructure
Figure: three sites (Boston, Worcester, Springfield), 10,000 users and 10 NAS devices, each NAS holding and managing its own user data: 100,000 management tasks.
Multiple locations + multiple devices = management nightmare
http://www.truongtan.edu.vn
RADIUS Implementation
Figure: the same three sites and 10 NAS devices, all pointing at a single RADIUS (AAA) server.
Location: no longer an issue
10,000 users become 10,000 centrally managed objects
Updates: made centrally, in one place
What Is RADIUS?
• Client/server protocol that lets a remote access server (the RADIUS client, or NAS) talk to a central server to authenticate and authorize users who want access to that system
• Standardized method of information exchange between RADIUS client and server (authentication and authorization in RFC 2865, accounting in RFC 2866)
• Simply put, a mechanism for delivering information
Figure: User <- PPP or SLIP negotiation -> RADIUS Client (NAS) <- RADIUS request/response -> RADIUS Server
RADIUS Clients
•PPP Servers
•VPN
•Firewalls
•Wireless LAN Access Points
Steel-Belted Radius
Central hub for distributed services: authentication, authorization, accounting
Server Groups
Figure: a workstation's access request is served through named server groups on the NAS, RADIUS_1 and RADIUS_2 in one group and TACACS+_1 and TACACS+_2 in another; a method list names the group, and the NAS consults the servers in a group in the order configured.
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.
Example of Authentication
!
! Local account, used only when no AAA server can be reached. "password" stores the string in
! reversible form; on IOS releases that support it, "username myuser secret ..." stores a hash instead.
username myuser password secure_password
!
aaa new-model
! PPP users: ask RADIUS first, then TACACS+, then the local database. IOS moves to the next method
! only when the current one returns an error (for example, no server answers), not when it rejects the user.
aaa authentication ppp default group radius group tacacs+ local
! Administrative logins on the vty lines use the local database only
aaa authentication login admin local
!
! "cisco" is the shared secret for the lab; production secrets should be long and random
radius-server host 10.0.1.12 key cisco
tacacs-server host 10.0.1.14 key cisco
!
line vty 0 4
 login authentication admin
Authorization
Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
Example of Authorization
aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
! Network authorization (per-user PPP attributes such as addresses and access lists) comes from
! RADIUS, with the local database as fallback when no server answers
aaa authorization network myauth group radius local
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
!
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
Example of Accounting
aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
! Send an Accounting-Request Start when the PPP session comes up and a Stop (with session time,
! packet and byte counters) when it ends. Accounting has no local fallback: if RADIUS is down, records are lost.
aaa accounting network myacct start-stop group radius
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ! the list names here must match the lists defined above (the slide still referenced "scoobee", a list that is never defined)
 ppp authorization myauth
 ppp accounting myacct
TACACS+ and RADIUS Comparison

Feature               TACACS+                                   RADIUS
Port used             TCP 49                                    UDP 1645 (legacy) and 1812 for authentication/authorization;
                                                                UDP 1646 (legacy) and 1813 for accounting
Transport protocol    TCP                                       UDP
Encryption            Entire packet body encrypted              Only the User-Password attribute is hidden (MD5-based,
                      (header in the clear)                     in 16-byte blocks, up to 128 bytes); the username and all
                                                                other attributes travel in the clear
AAA architecture      Separate control of each AAA service      Authentication and authorization combined in one exchange;
                                                                accounting is a separate exchange
Standard/proprietary  Cisco proprietary                         Industry standard (RFC 2865 authentication, RFC 2866 accounting)
Configuring AAA Services to Work with an AAA Server
Figure: one NAS and two AAA servers, Cisco SecureACS1 at 10.0.1.12 and Cisco SecureACS2 at 10.0.1.14.
router(config)# aaa new-model
router(config)# aaa authentication login default group tacacs+ enable
router(config)# aaa authorization network default group tacacs+ enable
router(config)# aaa accounting network myacct start-stop group radius
router(config)# tacacs-server host 10.0.1.12
router(config)# tacacs-server host 10.0.1.14
router(config)# tacacs-server key cisco123
OR, with the key given per server:
router(config)# tacacs-server host 10.0.1.12 key cisco123
Note: the "enable" method is the fallback used when no TACACS+ server answers, and the accounting list points at group radius, so a radius-server host (and key) must be configured as well for accounting records to be delivered.
Network ConfigurationNetwork Configuration
RADIUS Messages – Authentication Request
Figure, steps 1-3:
1. User: logs on to a service (Internet, network) over the PPP/SLIP connection to the NAS
2. RADIUS Client: sends an Access-Request packet (username and hidden password) to the server
3. RADIUS Server: validates / authenticates the user
RADIUS Messages – Authentication Response
Figure, steps 4-6:
4. RADIUS Server: returns an Access-Accept, Access-Reject or Access-Challenge packet
5. RADIUS Client: acts on the response packet, granting or refusing the connection
6. User: connection accepted or rejected
RADIUS Messages – Accounting
Figure: User -> RADIUS Client -> RADIUS packets (ACCT Start/Stop) -> RADIUS Server -> accounting database (SQL INSERT statement) or .ACT file
What happens:
1. User logs on and gets service (the RADIUS client sends ACCT Start)
2. User uses the Internet (session time accrues)
3. User disconnects
4. RADIUS Client generates and sends ACCT Stop with the billing data (session time, packets, bytes)
RADIUS Basics: Shared Secret Keys
Figure: for each user session, plaintext -> encryption -> ciphertext -> decryption -> plaintext, with both ends deriving the per-request "session key" from the same shared secret.
The shared secret is configured on both the NAS and the RADIUS server (radius-server key on IOS) and never travels on the wire. In RADIUS the per-request key is MD5(shared secret || Request Authenticator): it hides the User-Password attribute in the Access-Request, and the same secret goes into the Response Authenticator so the NAS can check that a reply really came from its server and was not altered.
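The three message slides above (authentication request, response and accounting) and the shared-secret figure describe one exchange. The following is an added example, not code from the slides or from any vendor, that implements both sides of it in Python: the NAS builds an Access-Request with the User-Password hidden under the shared secret, the server recovers the password and answers Accept or Reject with a Response Authenticator, the NAS verifies the reply, and an Accounting-Request Start is built and checked with its zero-seeded authenticator. The shared secret "cisco" and the user myuser/secure_password come from the demo configs on the earlier slides; the Identifier values, the session ID and the wrong password are constructed. The UDP transport and the Message-Authenticator attribute (RFC 3579) are left out.

```python
"""Added example (not from the slides): minimal RADIUS codec, RFC 2865 authentication and RFC 2866 accounting."""
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 1, 2, 40, 44, 1

def encode_attrs(attrs):
    """(type, value) pairs -> TLVs; the Length octet covers type + length + value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _md5_xor(blocks, secret, request_auth, chain_on_input):
    """RFC 2865 5.2: b1 = MD5(S+RA), b_n = MD5(S+c_(n-1)), c_n = p_n XOR b_n; revealing chains on its input."""
    out, prev = b"", request_auth
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        x = bytes(p ^ q for p, q in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (chunk if chain_on_input else x)
    return out

def hide_password(password, secret, request_auth):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return _md5_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)

def reveal_password(hidden, secret, request_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    return _md5_xor(hidden, secret, request_auth, True).rstrip(b"\x00")  # strip the NUL padding

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])  # octets past Length are padding

def keyed_authenticator(code, ident, seed, attrs, secret):
    """MD5(Code+ID+Length+seed+Attributes+Secret); seed = Request Authenticator for replies, 16 zero octets for Accounting-Request."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + seed + body + secret).digest()

def make_access_request(ident, username, password, secret):
    ra = os.urandom(16)  # NAS side: fresh random Request Authenticator, password hidden under it
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def handle_access_request(pkt, secret, user_db):
    code, ident, ra, attrs = parse_packet(pkt)  # server side: recover the password, compare, answer
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a, ok = dict(attrs), False
    if a.get(USER_NAME) in user_db and USER_PASSWORD in a:
        ok = hmac.compare_digest(user_db[a[USER_NAME]], reveal_password(a[USER_PASSWORD], secret, ra))
    resp = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(resp, ident, keyed_authenticator(resp, ident, ra, [], secret), [])

def verify_response(pkt, ident, request_auth, secret):
    code, rid, auth, attrs = parse_packet(pkt)  # NAS side: Identifier and Response Authenticator must both match
    expected = keyed_authenticator(code, rid, request_auth, attrs, secret)
    return rid == ident and hmac.compare_digest(auth, expected), code

def make_accounting_request(ident, username, status, session_id, secret):
    attrs = [(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    ra = keyed_authenticator(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, secret)
    return build_packet(ACCOUNTING_REQUEST, ident, ra, attrs)

def verify_accounting_request(pkt, secret):
    code, ident, auth, attrs = parse_packet(pkt)
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, keyed_authenticator(code, ident, b"\x00" * 16, attrs, secret))

def demo():
    """Constructed walk-through: good login, bad login, then an Accounting Start."""
    secret, users = b"cisco", {b"myuser": b"secure_password"}  # the slides' demo key and user, not for production
    req, ra = make_access_request(7, b"myuser", b"secure_password", secret)
    ok1, code1 = verify_response(handle_access_request(req, secret, users), 7, ra, secret)
    bad, bra = make_access_request(8, b"myuser", b"wrong", secret)
    ok2, code2 = verify_response(handle_access_request(bad, secret, users), 8, bra, secret)
    start = make_accounting_request(9, b"myuser", ACCT_START, b"0000001A", secret)
    return code1, code2, ok1 and ok2, verify_accounting_request(start, secret)
```

demo() returns (ACCESS_ACCEPT, ACCESS_REJECT, True, True). Two points worth noticing: a reply whose Identifier does not match the outstanding request, or whose body has been altered by one bit, fails verify_response, which is the whole protection the shared secret gives the NAS; and the password hiding is an MD5 keystream, not modern encryption, so anyone who captures the Access-Request and knows the secret recovers the password, and a captured request/reply pair lets an attacker brute-force a weak secret offline. That is why the comparison slide's "encrypts only passwords" is a real limitation and why RADIUS traffic should stay on a trusted network or inside a tunnel.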
Cisco Secure ACS for Windows
Figure: Cisco Secure ACS (the AAA server) behind a switch, with internal clients, an Internet router, a NAS on the PSTN for dial-up remote clients, VPN remote clients arriving over the Internet, an external user database server and an external policy server. The NADs (network access devices) are the AAA clients.
PSTN = public switched telephone network
Web InterfaceWeb Interface
Hardware and Software Requirements
Hardware
• Pentium 4 processor, 1.8 GHz or faster
• 1 GB of RAM
• At least 1 GB of free disk space
• Minimum graphics resolution of 256 colors at 800x600 pixels
• CD-ROM drive
• 100Base-T or faster connection
Software
• Microsoft Windows 2000 Server, with SP4 installed
• Windows 2000 Advanced Server, with the following conditions:
  – With SP4 installed
  – Without Microsoft Windows 2000 Cluster Service installed
  – Without other features specific to Microsoft Windows 2000 Advanced Server enabled
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Standard Edition
Demo : Router Authentication
Trust and Identity
Implementing Cisco IBNS
Concepts of Cisco IBNS in Action
Figure: identity-based authentication at the network edge. A user (wired or wireless) presenting valid credentials is an authorized user and reaches the corporate network and its resources; a user with invalid or no credentials is unauthorized, treated as external, and gets no access.
Cisco IBNS
Unified control of user identity for the enterprise
Figure: Cisco Secure ACS at the center, backed by an OTP server with hard and soft tokens, serving Cisco VPN concentrators, Cisco IOS routers and Cisco PIX firewalls; VPN clients and remote offices reach it over the Internet through a router and firewall.
Cisco IBNS Port-Based Access Control
Figure: End user (client) - Cisco Catalyst 2950 series switch - authentication server (Cisco Secure ACS / RADIUS)
1. Client sends EAPOL-Start
2. Switch sends login request
3. Client sends login response
4. Switch checks with the policy database
5. Policy database confirms the identity and grants access
6. Policy database informs the switch
7. Switch enables the port
IEEE 802.1x
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure connection: EAPOL frames carry no confidentiality or integrity protection of their own, so the link between supplicant and authenticator is assumed to be trusted
• Actual enforcement is via MAC-based filtering and port-state monitoring
802.1x Components
Figure: Supplicant <- EAPOL -> Authenticator <- RADIUS -> Authentication Server
802.1x Operation
For each 802.1x switch port, the switch creates two virtual access points at each port.
The controlled port is open only when the device connected to the port has been authorized by 802.1x.
The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only.
How 802.1x Works
Figure: End user (client) <- EAPOL -> Cisco Catalyst 2950 series switch (NAD) <- RADIUS -> Authentication server (Cisco Secure ACS)
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.
How 802.1x Works (Cont.)
Figure: End user (client) - Cisco Catalyst 2950 (switch) - Authentication server (Cisco Secure ACS)
Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Switch: EAP Response/Identity, relayed to the AAA server inside RADIUS
Client <-> AAA server: EAP authentication exchange (method dependent), relayed by the switch
AAA server -> Switch: Auth Success/Reject, with policies
Switch -> Client: EAP Success / EAP Failure; on success the port is authorized
Client -> Switch: EAPOL-Logoff; the port returns to unauthorized
What Is EAP?
• EAP, the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
• Typically runs directly over data-link layers such as PPP or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple "authentication" types (methods)
Current Prevalent Authentication Methods
Challenge-response-based
• EAP-MD5: uses MD5-based challenge-response for authentication
• LEAP: Cisco-proprietary username/password authentication
• EAP-MS-CHAPv2: uses username/password MS-CHAPv2 challenge-response authentication
Cryptographic-based
• EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication
Other
• EAP-GTC: generic token and OTP authentication
EAP Methods
• EAP-MD5
• EAP-TLS
• PEAP with EAP-MS-CHAPv2
EAP-MD5
Figure: Client <- EAPOL -> Switch <- RADIUS -> Authentication server
Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Server: EAP Response/Identity (relayed by the switch)
Server -> Client: EAP Request/Challenge (MD5 challenge)
Client -> Server: EAP Response/Challenge (MD5 of identifier, password and challenge)
Server -> Client: EAP Success
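The generic 802.1x conversation above and the EAP-MD5 flow, as an added example that is not code from the slides: EAP framing per RFC 3748 with the MD5-Challenge method (type 4, CHAP arithmetic from RFC 1994), a supplicant and an authenticator run as two state machines over an in-memory link, and the offline dictionary attack that the "assumes a secure connection" bullet is warning about. The switch and AAA server are collapsed into one Authenticator object because the switch only relays EAP; the user bob/Winter2008 and the wordlist are constructed, and the EAPOL and RADIUS transports are out of scope.

```python
"""Added example (not from the slides): EAP framing (RFC 3748) with the MD5-Challenge method, as supplicant and authenticator state machines."""
import hashlib
import hmac
import os
import struct
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4

def eap_pack(code, ident, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success and Failure carry no Type."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length")
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if not body:
        raise ValueError("Request/Response without a Type octet")
    return code, ident, body[0], body[1:]

def md5_challenge_value(ident, password, challenge):
    """CHAP arithmetic (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def pack_md5_data(value, name=b""):
    return bytes([len(value)]) + value + name  # Value-Size, Value, Name

def unpack_md5_data(data):
    if not data or data[0] != 16 or len(data) < 17:
        raise ValueError("bad MD5-Challenge Value-Size")
    return data[1:17], data[17:]

class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def handle(self, pkt):
        code, ident, type_, data = eap_unpack(pkt)
        if code != EAP_REQUEST:
            return None  # Success or Failure ends the conversation
        if type_ == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if type_ == TYPE_MD5_CHALLENGE:
            challenge, _ = unpack_md5_data(data)
            value = md5_challenge_value(ident, self.password, challenge)
            return eap_pack(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, pack_md5_data(value, self.identity))
        return eap_pack(EAP_RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))  # only method we speak

class Authenticator:
    """Switch and AAA server collapsed into one party; a real switch only relays EAP inside RADIUS."""
    def __init__(self, user_db):
        self.user_db, self.ident, self.peer, self.challenge = user_db, 0, None, None
    def start(self):
        return eap_pack(EAP_REQUEST, self.ident, TYPE_IDENTITY)
    def handle(self, pkt):
        code, ident, type_, data = eap_unpack(pkt)
        if code != EAP_RESPONSE or ident != self.ident:  # Identifier must match the outstanding Request
            return eap_pack(EAP_FAILURE, ident)
        if type_ == TYPE_IDENTITY:
            self.peer, self.challenge = data, os.urandom(16)
            self.ident = (self.ident + 1) & 0xFF
            return eap_pack(EAP_REQUEST, self.ident, TYPE_MD5_CHALLENGE, pack_md5_data(self.challenge))
        if type_ == TYPE_MD5_CHALLENGE and self.challenge is not None:
            value, _ = unpack_md5_data(data)
            pw = self.user_db.get(self.peer)
            good = pw is not None and hmac.compare_digest(value, md5_challenge_value(ident, pw, self.challenge))
            self.challenge = None  # one answer per challenge: a replayed Response fails
            return eap_pack(EAP_SUCCESS if good else EAP_FAILURE, ident)
        return eap_pack(EAP_FAILURE, ident)

def run_conversation(supplicant, authenticator, max_rounds=8):
    """Shuttle packets until Success/Failure; returns (final code, full transcript)."""
    transcript, pkt = [], authenticator.start()
    for _ in range(max_rounds):
        transcript.append(pkt)
        reply = supplicant.handle(pkt)
        if reply is None:
            return eap_unpack(pkt)[0], transcript
        transcript.append(reply)
        pkt = authenticator.handle(reply)
    raise RuntimeError("EAP conversation did not converge")

def crack_md5_challenge(transcript, wordlist):
    """Offline dictionary attack on a sniffed exchange: EAPOL is cleartext on the wire, so Identifier,
    challenge and response are all visible and MD5 is cheap. This is what 'assumes a secure connection' means."""
    ident = challenge = value = None
    for pkt in transcript:
        code, pid, type_, data = eap_unpack(pkt)
        if type_ == TYPE_MD5_CHALLENGE and code == EAP_REQUEST:
            ident, (challenge, _) = pid, unpack_md5_data(data)
        elif type_ == TYPE_MD5_CHALLENGE and code == EAP_RESPONSE and pid == ident:
            value, _ = unpack_md5_data(data)
    if challenge is None or value is None:
        return None
    return next((w for w in wordlist if md5_challenge_value(ident, w, challenge) == value), None)
```

run_conversation(Supplicant(b"bob", b"Winter2008"), Authenticator({b"bob": b"Winter2008"})) ends in EAP_SUCCESS after five packets (Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge, Success); a wrong password or unknown identity ends in EAP_FAILURE, and a replayed Response is refused because the challenge has been consumed. Feeding the same five-packet transcript to crack_md5_challenge with a wordlist containing the password recovers it, which is why the later slides move the password exchange inside a TLS tunnel (PEAP) or replace it with certificates (EAP-TLS).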
EAP-TLS
Figure: Client <- EAPOL -> Switch <- RADIUS -> Authentication server
Client -> Switch: EAPOL-Start
Server -> Client: EAP Request/Identity
Client -> Server: EAP Response/Identity
Server -> Client: EAP Request/TLS Start
Client -> Server: EAP Response/TLS Client Hello
Server -> Client: EAP Request/TLS Server Hello, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done
Client -> Server: EAP Response/TLS Client Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, TLS Finished
Server -> Client: EAP Request/TLS Change Cipher Spec, TLS Finished
Client -> Server: EAP Response (empty, acknowledging the server's Finished)
Server -> Client: EAP Success; protected tunnel established, both sides authenticated by certificate
PEAP with MS-CHAPv2
Figure: Client <- EAPOL -> Switch <- RADIUS -> Authentication server
Phase 1 (TLS tunnel, server authenticated by its certificate):
Client -> Switch: EAPOL-Start
Server -> Client: EAP Request/Identity
Client -> Server: EAP Response/Identity (outer identity, may be anonymous)
Server -> Client: EAP Request/TLS Start
Client -> Server: EAP Response/TLS Client Hello
Server -> Client: EAP Request/TLS Server Hello, Server Certificate, Server Key Exchange, Server Hello Done
Client -> Server: EAP Response/TLS Client Key Exchange, Change Cipher Spec, TLS Finished (a client certificate, and with it Certificate Verify, is optional in PEAP and usually absent)
Server -> Client: EAP Request/TLS Change Cipher Spec, TLS Finished [Identity Request carried inside the tunnel]
Phase 2 (protected, inside the TLS tunnel):
Client -> Server: Identity response
Server -> Client: EAP-MS-CHAPv2 Challenge
Client -> Server: EAP-MS-CHAPv2 Response
Server -> Client: EAP Success
802.1x and Port Security
Figure: A = attacker, B = legitimate user, both connected through a hub to one switch port; the switch runs 802.1x (Cisco Secure ACS/RADIUS) together with port security and identity. Switch: "I do not know A, I do know B." Result: port unauthorized. Only the authenticated MAC (B) is allowed on the port; when the unknown MAC (A) appears on the same port, the switch treats it as a violation and the port goes unauthorized.
Configuring 802.1x in Cisco IOS
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure interface and enable 802.1x.
6. Verify 802.1x operation.
Enable AAA
switch(config)# aaa new-model
  Enable AAA
switch(config)# aaa authentication dot1x {default | list-name} group radius
  Create an IEEE 802.1X authentication method list
switch(config)# aaa authorization network default group radius
  (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment
Configure RADIUS Communications
switch(config)# radius-server host {hostname | ip-address}
  Specify the IP address of the RADIUS server
switch(config)# radius-server key string
  Specify the authentication and encryption key (the shared secret; it must match the key configured for this switch on the RADIUS server)
switch(config)# radius-server vsa send [accounting | authentication]
  (Optional) Enable the switch to recognize and use vendor-specific attributes (VSAs)
Enable 802.1x Globally
switch(config)# dot1x system-auth-control
  Enable IEEE 802.1x authentication globally on the switch
switch(config)# dot1x guest-vlan supplicant
  (Optional) Enable the optional guest VLAN behavior globally on the switch
Configure Interface and Enable 802.1x
switch(config-if)# switchport mode access (or no switchport for a routed port)
  Configure the port as a static access port (802.1x is not supported on trunk or dynamic ports)
switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
  Enable IEEE 802.1x authentication on the port: auto is the normal setting; force-authorized allows traffic without authentication, force-unauthorized blocks the port
switch(config-if)# dot1x host-mode multi-host
  (Optional) Allow multiple clients on an IEEE 802.1x-authorized port; once one host authenticates, all hosts on that port pass, which weakens the protection shown on the port-security slide
Verify 802.1x Operation
switch# show dot1x
  View the operational status of IEEE 802.1x
switch# show dot1x [all | interface interface-id]
  View the IEEE 802.1x status for all ports or a specific port
Demo : 802.1X Authentication
Q & A
Email: [email protected]
Forum: http://ttgtc.com/forum/