Port-Based Authentication using 802.1x
Authenticating Users at the LAN Switch Port using 802.1x

802.1x is a new standardized port-based authentication protocol defined by the IEEE “802 task-force” in 2001 (the “x” is part of the name of the standard). It is a method in which a LAN switch queries all new connections as soon as they are made, but prior to any IP connectivity being allowed through the switch. This method of authentication is commonly used to control access to Wireless Access Points, but 802.1x is also supported on “wired” networks. Cisco supports 802.1x on their Catalyst LAN switches as of CatOS 7.1 and Switch IOS 12.1.
Network communication between the switch and client is made possible, prior to any IP connectivity, by the fact that the LAN switch encapsulates the queried credentials from the new computer within a special Ethernet frame, then marks that frame with a special “Ethertype” label, and forwards it to the RADIUS server over the network using normal IP routing. The packets sent between the switch and RADIUS server are encrypted. So 802.1x essentially acts as a special “tunnel” between the newly-connected computer and the RADIUS server, with the tunnel only partially opened for the first phase of network access.
802.1x breaks the authentication process down into 3 distinct elements, and gives each element its own name. Visually, the breakdown looks like this:

The 3 parts of this process are given the following names:
- “Supplicant”: the new computer trying to connect to the network.
- “Authenticator”: the LAN switch that the computer is trying to connect to.
- “Authentication Server”: the RADIUS server located on the network backbone.
The process basically involves the Authenticator (the LAN switch) asking each newly-connected PC for a set of credentials in the form of an “EAP Type”. EAP packets come in several different types, which must be defined on the RADIUS server:
- EAP-TLS
  o TLS stands for “Transport Layer Security”. This uses Certificates to authenticate identity. The certificates must be managed on both the client and server side, with certificates installed on each workstation in order to maintain a PKI infrastructure. This is secure, but can be a challenge to manage as a network scales.
- EAP-TTLS
  o TTLS stands for “Tunneled Transport Layer Security”. It was developed as an extension of EAP-TLS. It also uses Certificates, but they are sent to the RADIUS server through an encrypted channel, or "Tunnel". Unlike EAP-TLS, EAP-TTLS requires only server-side certificates. Since the Certificate is tunneled, there is no need for a certificate on the client-side.
- EAP-LEAP
  o LEAP stands for “Lightweight Extensible Authentication Protocol”. This is Cisco’s proprietary version of EAP, developed for use with their Aironet wireless products. It encrypts packets using dynamically-generated WEP keys, and supports mutual authentication. Although it was originally a proprietary format, Cisco has licensed LEAP to other manufacturers.
- EAP-PEAP
  o PEAP stands for “Protected Extensible Authentication Protocol”. It supports legacy password-based protocols. PEAP tunnels between network-clients and the RADIUS server, like the competing standard TTLS. Also like TTLS, PEAP authenticates clients using only server-side certificates. It was developed by Microsoft, Cisco and RSA Security.
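As an added illustration (not part of the original post), the Python below decodes the Ethernet, EAPOL and EAP headers that the Authenticator inspects on an 802.1x frame, and models the per-port gate that keeps everything except EAPOL off the network until the Authentication Server answers with EAP-Success. The Ethertype 0x888E, the EAPOL group MAC address and the EAP method type numbers come from the IEEE/IANA registries; the sample frames, user name and supplicant MAC address are constructed for the example.

```python
import struct
ETHERTYPE_EAPOL = 0x888E                          # the 802.1X Ethertype in the Ethernet header
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # destination MAC used for EAPOL frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 17: "EAP-LEAP", 21: "EAP-TTLS", 25: "EAP-PEAP"}  # IANA type numbers

def parse_eapol(frame: bytes) -> dict:
    """Decode Ethernet -> EAPOL -> EAP headers; ValueError for non-EAPOL frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (Ethertype 0x{ethertype:04x})")
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": frame[6:12].hex(":"), "eapol_type": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0 and len(body) >= 4:             # EAP-Packet: an EAP header follows
        code, ident, _eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"], info["eap_id"] = EAP_CODES.get(code, "unknown"), ident
        if code in (1, 2) and len(body) >= 5:     # Request/Response name a method type
            info["eap_method"] = EAP_METHODS.get(body[4], f"type-{body[4]}")
    return info

class AuthenticatorPort:
    """Switch-side gate: only EAPOL passes until the server answers EAP-Success."""
    def __init__(self):
        self.authorized = False

    def from_supplicant(self, frame: bytes) -> str:
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            if parse_eapol(frame)["eapol_type"] == "EAPOL-Logoff":
                self.authorized = False           # client left: close the port again
                return "logoff"
            return "relayed-to-radius"            # EAP is tunnelled on to the server
        return "forwarded" if self.authorized else "dropped"

    def from_server(self, eap_body: bytes) -> str:
        self.authorized = eap_body[0] == 3        # only EAP-Success (code 3) opens the port
        return EAP_CODES.get(eap_body[0], "unknown")

def build_eapol(src_mac: bytes, ptype: int = 0, eap_body: bytes = b"") -> bytes:
    # Constructed EAPOL (version 1) frame as a supplicant would send it
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(eap_body)) + eap_body

# Constructed sample traffic: EAP Response/Identity for "alice", then a plain IP frame.
SUPPLICANT_MAC = bytes.fromhex("00112233aabb")
IDENTITY_RESP = struct.pack("!BBHB", 2, 1, 5 + len(b"alice"), 1) + b"alice"
EAPOL_IDENTITY = build_eapol(SUPPLICANT_MAC, 0, IDENTITY_RESP)
IP_FRAME = bytes(6) + SUPPLICANT_MAC + struct.pack("!H", 0x0800) + bytes(46)
```

Feeding `IP_FRAME` to `AuthenticatorPort.from_supplicant()` before and after `from_server(b"\x03\x02\x00\x04")` shows the "dropped" then "forwarded" behaviour described above; an EAPOL-Logoff frame closes the port again.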