Module 9: Planning Network Access
Overview
Introducing Network Access
Selecting Network Access Connection Methods
Selecting a Remote Access Policy Strategy
Selecting a Network Access Authentication Method
Planning a Network Access Strategy
Lesson: Introducing Network Access
Network Access Requirements
Network Access Connections
Network Access Authentication Protocols
Connection Security Best Practices
Security Hosts
Network Access Requirements
Connectivity
Protocol support
Authentication
Encryption
Network Access Server
IAS Server
DHCP Server
Domain Controller
Dial-Up Client
Wireless Access Point
Wireless LAN Client
VPN Client
LAN Client
Network Access Connections
Network Access Server
IAS Server
DHCP Server
Domain Controller
Dial-Up Client
Wireless Access Point
VPN Client
LAN
Wireless Clients
Network Access Authentication Protocols
Protocol: Description
EAP: EAP is a Point-to-Point Protocol (PPP)–based authentication mechanism that was adapted for use on point-to-point LAN segments.
PEAP: PEAP is an EAP type that addresses a security issue in EAP by first creating a secure channel that is both encrypted and integrity-protected with TLS.
IEEE 802.1x: IEEE 802.1x uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port.
Kerberos: Kerberos authentication provides single sign-on to resources within a domain and to resources residing in trusted domains.
Connection Security Best Practices
Configure Ethernet network adapters
Smart card
Protected EAP
MD5-Challenge
Support public key interactive logon
Use IPSec
Use a RADIUS infrastructure
Security Hosts
Compare security hosts
Security host that performs authentication checks during a connection request
Security host that is called during the authentication process of the connection
Use an interactive logon model
Lesson: Selecting Network Access Connection Methods
LAN Solution Considerations
VPN Solution Considerations
Dial-Up Solution Considerations
Multimedia: Planning for VPN and Dial-Up Clients
Wireless Solution Considerations
RADIUS Authentication Infrastructure
Guidelines for Selecting Network Access Connection Methods
LAN Solution Considerations
Administrator
User
Web Server
Domain Controller
LAN
VPN Solution Considerations
VPN Tunnel
Tunneling Protocols
Tunneled Data
VPN Client
VPN Server
Address and Name Server Allocation
DHCP Server
Domain Controller
Authentication
PPP Connection
Transit Network
Dial-Up Solution Considerations
Dial-Up Client
Address and Name Server Allocation
DHCP Server
Domain Controller
Authentication
Remote Access Server
WAN Options: Telephone, ISDN, or X.25
LAN and Remote Access Protocols
Multimedia: Planning for VPN and Dial-Up Clients
The objective of this presentation is to explain how to plan for VPN and dial-up clients
You will learn how to:
Plan a server running Routing and Remote Access to provide dial-up or VPN services
Select a Routing and Remote Access configuration for dial-up or VPN services
Choose between a dial-up and a VPN solution
Wireless Solution Considerations
DHCP Server
IAS Server
Domain Controller
Wireless Client (Station)
Wireless Access Point
Address and Name Server Allocation
Authentication
Ports
RADIUS Authentication Infrastructure
Internet
RADIUS Server (IAS)
RADIUS Client (RRAS)
Client
Domain Controller
1. Dials in to a local RADIUS client to gain network connectivity
2. Forwards requests to a RADIUS server
3. Authenticates requests and stores accounting information
4. Communicates to the RADIUS client to grant or deny access
Guidelines for Selecting Network Access Connection Methods
Select network access connection methods for your enterprise
Determine client requirements
Determine infrastructure requirements
Practice: Selecting Network Access Connection Methods
In this practice, you will select network access connection methods based on the provided scenario
Lesson: Selecting a Remote Access Policy Strategy
Remote Access Policies
Remote Access Policy Conditions
User Account Dial-in Properties
User Profile Options
Guidelines for Selecting a Remote Access Policy Strategy
Remote Access Policies
A remote access policy:
Is stored locally, not in Active Directory
Consists of: conditions, user permissions, and a profile
Remote Access Policy Conditions
IP Addresses
Authentication Type
NAS-Port Type
Time of Day
Attributes
Caller IDs
User Groups
User Account Dial-in Properties
Dial-In Properties
Callback Options
Apply Static Routes
Remote Access Permission
Verify Caller ID
Assign a Static IP Address
User Profile Options
Component: Defines the…
Authentication: Authentication protocols that are to be used
Encryption: Level of MPPE encryption that is to be accepted
Dial-in constraints: Constraints that you would like to apply in the policy
IP: IP address that is assigned to the client, and what IP filters will be applied to the connection
Multilink: Allowable multilink connections where multiple ports can be combined for a connection
Advanced: Additional connection attributes (whether RADIUS or vendor-specific) that can be sent to the network access server to which the client is connecting
Guidelines for Selecting a Remote Access Policy Strategy
Identify the remote access permissions that will be used
Identify the remote access conditions that will be used
Identify the remote access profile that will be used
Practice: Determining a Remote Access Policy Strategy
In this practice, you will plan a remote access strategy by using the provided scenario to define the required remote access options
Lesson: Selecting a Network Access Authentication Method
Server Authentication Models and Methods
IAS as an Authentication Server
Guidelines for Selecting IAS as an Authentication Provider
Server Authentication Models and Methods
Windows Authentication
RADIUS
Wireless
Dial-Up
VPN
802.1x
EAP
802.11
Open system
Shared key
IAS as an Authentication Server
Central Office
IAS
Windows Server 2003 Domain Controller
Partner Network
RRAS
ISP
RRAS
Internet
= RADIUS Client and Server Connection
Centralized remote access policies
Authentication provider
Guidelines for Selecting IAS as an Authentication Provider
Determine if you have a heterogeneous environment to support
Determine if you have multiple access servers
Determine if you have third-party Internet access providers
Determine your authentication needs
Practice: Selecting Centralized Authentication for Network Access Using IAS
In this practice, you will select a centralized authentication for network access by using IAS
Lesson: Planning a Network Access Strategy
Network Access Connection Strategy
Security-Based Authentication Methods
Remote Access Policy Strategies
Guidelines for Planning a Network Access Strategy
Network Access Connection Strategy
Selecting a network access connection strategy includes:
Evaluating enterprise requirements
Creating a comprehensive network access plan
Security-Based Authentication Methods
Security-based authentication requirements
Secure network access
Strong authentication and encryption
Remote Access Policy Strategies
To determine a strategy:
Determine connection request conditions that need policies
Define policies to reflect requirements
Guidelines for Planning a Network Access Strategy
Identify who will access the network and how they will access it
Identify who will be allowed access to network resources
Identify how the approved users will access the network
Integrate your authentication strategy across all of the remote access methods
Lab A: Planning Network Access
Exercise 1: Planning for the LAN and Wireless Environment
Exercise 2: Planning for the WAN Environment
Course Evaluation