about dot1x from cisco myanmar fb group


Upload: aung-kyaw-thu

Post on 02-May-2017


Yan Linn Aung asked a question.

Hi guys, do you know about dot1x authentication? http://www.shanekillen.com/2012/06/how-does-8021x-work-in-cisco.html

Zaw Min Htann I've done it in a lab before. I tried it with an AAA server .. it was a small portable one, not sure if it was "ekon", I don't remember exactly .. As far as I know, its concept is for security. It's just using a user account created in AAA for port access .. I think it's like adding a username and password on top of binding to the MAC .. I think there are about three kinds of situations. Once you've logged in, it doesn't ask you to log in again, but I have tested that another PC can clone that MAC and get in..

Zaw Min Htann One thing I've come across: I've read that it is used on NUS's Student Campus Network .. The things that students living in the dorms need to know include items about dot1x ..

http://www.nus.edu.sg/comcen/gethelp/dot1x/index.html...

Kyaw Wai Yan Tun Stretch from packetlife explains this very well. You might want to check out http://packetlife.net/.../aug/06/simple-wired-8021x-lab/

Zay Yar Phyoe Dot1x is usually used to control network access at the switch port level. There are a few ways you can use it: username/password, computer name, certificate. The basic concept is: when a device connects to a switch, the switch sends the device a challenge using the EAP protocol; when it receives a reply from the device, it forwards it to the RADIUS server for authentication. The server verifies the credentials and replies with an Access-Accept together with other attributes such as VLAN ID, access list, etc. There are a lot of applications that you can use dot1x for. In Cisco, the RADIUS server will be either ACS or ISE.

Zay Yar Phyoe Dot1x implementations are usually very policy driven. How they deploy it differs from one company to another.

Here is the flow chart of the dot1x that we deployed on one project. This is just one scenario.

The dot1x authentication process of the wired network is as follows.

1. Client connects to the switch port.

2. Switch checks the dot1x capability of the device.

3. Switch requests the identity of the client if the device is dot1x capable. The device is assigned to the Guest VLAN if dot1x is not supported.

4. The machine replies with a response packet containing a machine identity and the switch forwards the packet to the RADIUS server.

5. If the authentication succeeded, the RADIUS server sends an accept packet to the switch together with the VLAN name and the machine is assigned to the dummy network.

6. The user then logs in with username/password credentials and the machine reinitiates the dot1x authentication process. The switch forwards the packet containing the user identity to the RADIUS server.

7. If the authentication succeeded, the RADIUS server sends an accept packet to the switch together with the VLAN name and the machine is assigned to the dummy network. If the authentication failed, the RADIUS server sends a fail response to the switch.

8. If the authentication was successful, the switch places the port into the authorized state and assigns it to the respective VLAN. If the authentication failed, the switch repeats the process 2 more times before it finally puts the client into the guest VLAN.

After successful authentication, the port will be in the forwarding state for 60 minutes and when that expires, the switch will block the port. However, the switch asks the client to provide the credentials again for re-authentication before it blocks the port so that the current session is not affected.


Note: Client devices need to be configured to use the Windows login credentials for dot1x login to enjoy a seamless network connection.

Phyo Htet Aung Bro Zay Yar Phyoe, is it possible to integrate Microsoft AD as the RADIUS server rather than ACS? Can we prefer local AAA over an external RADIUS server in case of RADIUS server failure, or when the client is a wireless AP?

Zay Yar Phyoe Yes, it is possible.. But it depends on how well you can configure Microsoft AD as a RADIUS server. You can definitely use it as a basic authentication server. But it will be difficult to implement most of the dot1x functions as there is not enough documentation for that. I have never tried it before. On the second question, you can configure the switch to use the critical VLAN feature if reachability to the external RADIUS server is lost. If we're talking about dot1x, I don't think we can use a switch as both authenticator and authentication server.
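The eight-step flow above (guest VLAN on no response, two retries on failure, RADIUS-assigned VLAN, 60-minute re-authentication) and the critical VLAN answer, written out as an added Cisco IOS 15.x port configuration; this is not from the thread or from the poster's project, and the interface, VLAN numbers, RADIUS server name, address and shared secret are assumed placeholders:

```cisco
! --- Global AAA: 802.1X authentication and RADIUS-pushed VLAN authorization ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Enable 802.1X system-wide (ports stay in their static VLAN without this)
dot1x system-auth-control
!
! RADIUS server (ACS or ISE in the thread). Name, address and key are placeholders.
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! --- Wired access port (interface and VLAN numbers are assumed) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Steps 1-2: port starts unauthorized; only EAPOL is forwarded until the
 ! authenticator receives an Access-Accept from RADIUS
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode single-host
 ! Step 3: client never answers EAP-Request/Identity (not dot1x capable):
 ! resend it twice more (3 requests in total), then authorize guest VLAN 90
 dot1x max-reauth-req 2
 authentication event no-response action authorize vlan 90
 ! Step 8: credentials rejected: retry twice more, then fall into VLAN 90
 ! (IOS calls this the restricted VLAN; the flow above reuses the guest VLAN)
 authentication event fail retry 2 action authorize vlan 90
 ! Critical VLAN (from the answer above): if every RADIUS server is dead,
 ! authorize VLAN 50 instead of blocking, and re-run 802.1X when one returns
 authentication event server dead action authorize vlan 50
 authentication event server alive action reinitialize
 ! Steps 5 and 7: the VLAN name or ID carried in the Access-Accept
 ! (Tunnel-Private-Group-ID) overrides the static access VLAN because
 ! 'aaa authorization network' is enabled above
 ! Re-authenticate every 60 minutes; the existing session keeps forwarding
 ! while the new EAP exchange runs, and the port is blocked only if it fails
 authentication periodic
 authentication timer reauthenticate 3600
 spanning-tree portfast
!
! Verify the resulting state of a connected client
! show authentication sessions interface GigabitEthernet1/0/1
```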

Lin Lin Oo Dot1x is a port-based authentication protocol. The 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. You should use a RADIUS server for authentication of clients. Clients should support 802.1X. http://www.cisco.com/.../configuration/guide/Sw8021x.html (Cisco link)