High-quality Internet for higher education and research
Network Access and 802.1X
Klaas Wierenga, SURFnet
[email protected], April 3, 2006
Contents
• Network access
• Wireless access
• 802.1X
• Conclusions
Network Access
Access to the campus network
• Connection is either via a trusted or an untrusted network
[Diagram: campus network on one side, the bad outside world on the other, with question marks on the paths a connection can take]
Intermezzo: protecting traffic
• VPNs can be used to protect the data sent to and received from the trusted network
[Diagram: a secured tunnel running from the bad outside world into the campus network]
Access to the trusted network
• How do you protect access to the trusted network?
– Wired
– Wireless
[Diagram: campus network and bad outside world, with a question mark on the access path into the campus network]
Access to wireless LANs
Wireless LANs are unsafe
root@ibook:~# tcpdump -n -i eth1
19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
^C
Requirements
• Identify users uniquely at the edge of the network
– Prevent session hijacking
• Scalable
• Easy to deploy and use
• Open
• Give-away for tomorrow: allow for guest use
Possible solutions
Standard solutions provided by APs:
• Open access: scalable, not secure
• MAC address: not scalable, not secure
• WEP: not scalable, not secure
Alternative solutions:
• Web gateway + RADIUS
• VPN gateway
• 802.1X + RADIUS
Access to the campus WLAN
• Initial connection is either to a trusted or an untrusted network
[Diagram: a client's initial connection landing either on a trusted local network or on a not-trusted local network]
Open network + web gateway
• Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend to verify user credentials
• Guest use easy
• Browser necessary
• Hard to maintain accountability
– Session hijacking
Open network + VPN Gateway
• Open (limited) network; the client must authenticate on a VPN concentrator to get to the rest of the network
• Client software needed
• Proprietary
• Hard to scale
• VPN concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted
• NB: VPNs are the method of choice for protecting data on a WAN
IEEE 802.1X
• True port-based access solution (Layer 2) between client and AP/switch
• Several available authentication mechanisms through the use of EAP (Extensible Authentication Protocol)
• Standardised
• Also encrypts all data, using dynamic keys
• RADIUS back-end:
– Scalable
– Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment (802.1Q)
• Client software necessary (OS built-in or third-party)
• For wireless and wired
Summary
• Standard available security options of APs don't work
• Web-redirect + RADIUS: scalable, not secure
• VPN-based: not scalable, secure
• 802.1X: scalable, secure
802.1X
802.1X/EAP
• Authenticated/Unauthenticated Port
• Supplicant/Authenticator/Authentication Server
• Uses EAP (Extensible Authentication Protocol)
• Allows authentication based on user credentials
[Diagram: Supplicant, Authenticator and Authentication Server; the authenticator's unauthenticated port passes only EAP, while the authenticated port gives access to the intranet]
EAP over LAN (EAPOL)
[Diagram: Supplicant (802.1X client) -> EAPOL -> Authenticator (802.1X switch/AP) -> EAP over RADIUS -> Authentication Server (EAP RADIUS server). The authenticator converts EAPOL to RADIUS and sits in front of the intranet]
Through the protocol stack
[Diagram: Supplicant (laptop, desktop) and Authenticator (access point, switch) exchange EAP carried in EAPOL over Ethernet (802.1X); Authenticator and Auth. Server (RADIUS server) exchange EAP carried in RADIUS (TCP/IP) over Ethernet]
Secure access to the campus LAN with 802.1X
[Diagram (legend: data, signaling): a Supplicant connects to an Authenticator (AP or switch), which consults a RADIUS server (Authentication Server) backed by a user DB; the Internet lies beyond the campus. Depending on the identity presented (shown as [email protected]_a.nl) the port is placed in the Student VLAN, the Guests VLAN or the Employee VLAN]
• 802.1X
• (VLAN assignment)
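The EAPOL and VLAN-assignment diagrams above describe what the authenticator does between supplicant and RADIUS server. The following is an added example, not code from the slides or from SURFnet, that models those two steps in Python: unwrapping EAP from an EAPOL frame, re-wrapping it in RADIUS EAP-Message attributes, and reading the VLAN out of an Access-Accept. Attribute numbers are the standard RADIUS ones (RFC 2868, RFC 3579); the identity and packets are constructed.

```python
import struct  # added example, not the slides' code: models the authenticator's EAPOL<->RADIUS relay and VLAN assignment
EAPOL_EAP_PACKET = 0                                      # EAPOL packet type that carries EAP
EAP_MESSAGE, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 79, 64, 65, 81  # RADIUS attribute types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6            # RFC 2868 values meaning "put the port in a VLAN"

def eapol_to_eap(frame: bytes) -> bytes:
    """Strip the 4-byte EAPOL header (version, type, length) and return the EAP packet inside."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet (EAPOL-Start/Logoff carry no EAP)")
    eap = frame[4:4 + body_len]
    _code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length field disagrees with the EAPOL body length")
    return eap

def radius_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (counting this 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def eap_to_radius_attrs(eap: bytes) -> bytes:
    """Carry the EAP packet in EAP-Message attributes of at most 253 bytes each (RFC 3579)."""
    return b"".join(radius_attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))

def parse_attrs(blob: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs

def vlan_from_accept(attrs: list):
    """VLAN id from Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID, or None if the trio is absent or inconsistent."""
    found = {}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP) and val:
            found[atype] = val[1:] if val[0] <= 0x1F else val  # drop the RFC 2868 tag byte
    ttype = int.from_bytes(found.get(TUNNEL_TYPE, b""), "big")
    medium = int.from_bytes(found.get(TUNNEL_MEDIUM, b""), "big")
    if (ttype, medium) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802) or TUNNEL_PRIV_GROUP not in found:
        return None  # port stays in the switch's default VLAN
    return int(found[TUNNEL_PRIV_GROUP].decode("ascii"))

# Constructed sample: the supplicant's EAP Response/Identity (code 2, id 1, type 1) wrapped in EAPOL v1.
IDENTITY = b"alice@example.org"                           # constructed identity, not a real user
EAP_RESPONSE_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
EAPOL_FRAME = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(EAP_RESPONSE_IDENTITY)) + EAP_RESPONSE_IDENTITY
```

The tag-byte handling matters in practice: some RADIUS servers send Tunnel-Private-Group-ID with a leading tag and some without, and an authenticator that mishandles it puts the user in the wrong VLAN or none at all.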
Conclusions
Summary
• There is a difference between providing access to campus resources over the Internet and providing network access
• Access via the Internet: VPN
• Network access: 802.1X
• Tomorrow: how 802.1X can be leveraged for guest access