Johan Loos
Johan at accessdenied.be
Who?
Understanding 802.1x
802.1x EAP Authentication Methods
PKI Requirements
Understanding Network Policy Server Role
Understanding VLANs
Understanding 802.1x Authentication
Switch Configuration
Relax, It's Demo Time
Things to think about
Visibility:
Clients are authenticated
Identity can be used for security audits and forensics
Security:
Strongest authentication methods should be used
Transparency:
No involvement of end-user
Supplicant
Authenticator
Authentication Server
EAP-MD5
EAP-LEAP
EAP-SIM
User Authentication
Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials
Computer Authentication
Authentication is always performed by using only the computer credentials
Guest Authentication
Allows connections to the network that are regulated by the restrictions and permissions set for the guest account
OpenSSL
Free
Single- or multi-purpose certificate
Root CA must be placed under Trusted Root Authorities
Self-signed
Free
No trust
Periodic Re-Authentication
Specify re-authentication of the client
Quiet Period
When the switch cannot authenticate the client, it remains idle for a set time and then tries again
Switch-to-Client Retransmission Time
If the switch does not receive an answer at boot time from the client
Switch sends EAP-Request/identity frame
Client sends EAP-Response/identity frame
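The EAP-Request/Identity and EAP-Response/Identity frames named above, built and parsed byte by byte using the EAP (RFC 3748) and EAPOL header layouts. This is an added example, not part of the original slides; the identity string, the identifier value and all function names are constructed for illustration.

```python
import struct

EAPOL_EAP_PACKET = 0              # EAPOL packet type that carries an EAP message
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def build_eapol_identity(code, identifier, identity=b"", version=2):
    """EAPOL payload (what follows the Ethernet header) with an EAP Identity message."""
    eap_len = 5 + len(identity)   # code + id + length(2) + type + data
    eap = struct.pack("!BBHB", code, identifier, eap_len, EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_eapol(frame):
    """Parse an EAPOL payload; raise ValueError on truncated or inconsistent lengths."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    if ptype != EAPOL_EAP_PACKET:
        return {"version": version, "eapol_type": ptype}
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length field inconsistent with EAPOL body")
    msg = {"version": version, "eapol_type": ptype,
           "code": CODE_NAMES.get(code, code), "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("Request/Response without a Type octet")
        msg["type"] = body[4]
        msg["data"] = body[5:eap_len]
    return msg

def response_matches(request, response):
    """In the Identity exchange the Response carries the Request's Identifier and Type."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and request["id"] == response["id"] and request["type"] == response["type"])

# Constructed sample exchange: the switch asks, the client answers with its identity.
REQ = build_eapol_identity(EAP_REQUEST, 7)
RESP = build_eapol_identity(EAP_RESPONSE, 7, b"host/pc01.example.test")

if __name__ == "__main__":
    for frame in (REQ, RESP):
        print(frame.hex(), parse_eapol(frame))
    print("matched:", response_matches(parse_eapol(REQ), parse_eapol(RESP)))
```

The identity in the Response travels in clear text before any EAP method starts, which is why it shows up in switch and RADIUS logs and can be used for the audit and forensics purposes listed earlier.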
Certificate enrollment
Certificate renewal/expiration
Password based authentication
User and Machine authentication
RADIUS server not available
Non 802.1x capable endpoints