SECS02L02 - Implementing Cisco IBNS
[Figure: identity-based network access. A user presenting valid credentials is admitted to corporate network resources; a user with invalid or no credentials (an unauthorized external user) gets no access. Entry points shown: wireless user, VPN, Internet clients, router, firewall, remote offices.]
[Figure: IEEE 802.1X port-based authentication. Roles: supplicant (client), authenticator (switch), authentication server. EAPOL runs between supplicant and authenticator; RADIUS runs between authenticator and authentication server. Sequence as numbered on the slide: (1) EAPOL-Start from the supplicant, (2) login request, (3) login response, (4) check with the policy database, (5) policy database confirms the identity and grants access, (7) switch enables the port.]
Each 802.1X-enabled switch port has a controlled port and an uncontrolled port. The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic only; the slide annotation reads "EAPOL and CDP traffic only". The controlled port stays closed until authentication succeeds.
The actual authentication conversation occurs between the client and the
authentication server using EAP. The authenticator is aware of this activity,
but it is just an intermediary.
[Figure: EAP exchange as seen by the authenticator. Supplicant to authenticator over EAPOL: EAPOL-Start; EAP Request/Identity; EAP Response/Identity; EAP method-dependent authentication exchange, relayed to the AAA server over RADIUS; port authorized and policies applied; EAPOL-Logoff; port unauthorized.]
© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—2-9
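The exchange above, encoded and decoded at the byte level, as an added example (not course material). It builds the EAPOL and EAP headers as IEEE 802.1X-2004 and RFC 3748 define them, then walks a constructed exchange from the authenticator's seat, which relays the EAP conversation without interpreting the method and changes the controlled port's state only on EAPOL-Start/Logoff and on the EAP-Success or EAP-Failure that mirrors the RADIUS result. The Ethernet header (EtherType 0x888E) is omitted, the identity string is made up, and the method-specific EAP-TLS/PEAP/EAP-FAST round trips are left out of the sample. Note that EAP Response/Identity crosses the wire in the clear, which is why tunnelled methods such as PEAP and EAP-FAST carry the real username inside the TLS tunnel and let the supplicant send an anonymous outer identity.

```python
import struct

EAPOL_VERSION = 2                                  # IEEE 802.1X-2004
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(ptype, body=b""):
    """EAPOL PDU: version(1) type(1) length(2) body. Ethernet header omitted."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet (RFC 3748): code(1) id(1) length(2) [type(1) data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Decode an EAPOL PDU, refusing length fields that overrun the frame."""
    if len(frame) < 4:
        raise ValueError("short EAPOL PDU")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if 4 + length > len(frame):
        raise ValueError("EAPOL length exceeds frame")
    return {"version": version, "type": ptype, "body": frame[4:4 + length]}


def parse_eap(body):
    """Decode the EAP packet carried in an EAPOL EAP-Packet PDU."""
    if len(body) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    pkt = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP request/response without a type")
        pkt["type"], pkt["data"] = body[4], body[5:length]
    return pkt


def authenticator_trace(frames):
    """Walk the exchange from the authenticator's seat. It relays the EAP
    conversation without interpreting the method; only EAPOL-Start/Logoff
    and the final EAP-Success/Failure (which mirror the RADIUS Access-Accept
    or Access-Reject it received) change the controlled port's state."""
    state, identity, trace = "unauthorized", None, []
    for sender, frame in frames:
        pdu = parse_eapol(frame)
        if pdu["type"] in (EAPOL_START, EAPOL_LOGOFF):
            state = "unauthorized"
        elif pdu["type"] == EAPOL_EAP_PACKET:
            pkt = parse_eap(pdu["body"])
            if pkt["code"] == EAP_RESPONSE and pkt.get("type") == EAP_TYPE_IDENTITY:
                identity = pkt["data"].decode("utf-8")   # travels in the clear
            elif pkt["code"] == EAP_SUCCESS:
                state = "authorized"
            elif pkt["code"] == EAP_FAILURE:
                state = "unauthorized"
        trace.append((sender, pdu["type"], state))
    return identity, state, trace


# Constructed sample exchange (not a capture). The method-specific
# EAP-TLS/PEAP/EAP-FAST round trips between the identity exchange and
# EAP-Success are omitted.
SAMPLE_EXCHANGE = [
    ("supplicant", eapol(EAPOL_START)),
    ("authenticator", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))),
    ("supplicant", eapol(EAPOL_EAP_PACKET,
                         eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bob@corp.example"))),
    ("authenticator", eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, 2))),
    ("supplicant", eapol(EAPOL_LOGOFF)),
]

if __name__ == "__main__":
    ident, final, steps = authenticator_trace(SAMPLE_EXCHANGE)
    for sender, ptype, state in steps:
        print(f"{sender:14s} EAPOL type {ptype}  port {state}")
    print("identity seen on the wire:", ident, "| final state:", final)
```

Running the script prints the port moving to authorized on the EAP-Success frame and back to unauthorized on EAPOL-Logoff; the parser rejects PDUs whose length field claims more bytes than the frame carries, which is the first check to put in front of any EAPOL decoder that will see attacker-controlled frames.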
What Is EAP?
EAP-MD5
EAP-TLS
PEAP with EAP-MS-CHAPv2
EAP-FAST
[Figure: EAP-TLS exchange (EAPOL between supplicant and authenticator, RADIUS between authenticator and server). EAPOL-Start; EAP Request/Identity; EAP Response/Identity; EAP Request/TLS Start; EAP Response/TLS Client Hello; EAP Request/TLS Server Hello, Server Certificate, Server Key Exchange, Server Hello Done; the rest of the handshake is cut off in the extracted slide.]
[Figure: Port Security and Identity. A = attacker and B = legitimate user share a hub on one switch port. Cisco Secure ACS/RADIUS: "I do not know A; I do know B." Port unauthorized.]
[Figure: Identity with VLAN Assignment. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." Port unauthorized.]
[Figure: Identity with Guest VLAN. A = attacker, not IEEE 802.1X-compliant (no supplicant); B = legitimate user. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." A's port is put into the guest VLAN, which reaches a remediation server.]
[Figure: Identity with Protected VLAN. A = attacker, IEEE 802.1X-compliant but fails authentication; B = legitimate user. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." A's port is put into the protected (restricted) VLAN, which reaches a remediation server.]
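The four port outcomes in the scenarios above (known user with and without a RADIUS-assigned VLAN, host with no supplicant, supplicant that fails), worked as an added example rather than anything from the course. A dictionary stands in for Cisco Secure ACS/RADIUS, the VLAN returned for "B" plays the role of the Tunnel-Private-Group-ID attribute, and the failure threshold mirrors the default of three attempts before a port is moved to the restricted VLAN; the identities, VLAN numbers and MAC labels are all constructed. The `allowed_macs` helper models the hub scenario: in multi-host mode, one authenticated user opens the port for every MAC behind it, attacker included.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy database standing in for Cisco Secure ACS/RADIUS:
# identity -> VLAN returned in Tunnel-Private-Group-ID (None = no VLAN override).
POLICY_DB = {"B": 10, "C": None}


@dataclass
class PortConfig:
    access_vlan: int                      # VLAN used when RADIUS assigns none
    guest_vlan: Optional[int] = None      # dot1x guest-vlan <id>
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan <id>
    auth_fail_max_attempts: int = 3       # dot1x auth-fail max-attempts (default 3)


def radius_lookup(identity, credentials_ok):
    """Access-Accept with optional VLAN, or Access-Reject."""
    if identity in POLICY_DB and credentials_ok:
        return "accept", POLICY_DB[identity]
    return "reject", None


def authorize_port(cfg, identity=None, credentials_ok=False,
                   supplicant=True, failures=0) -> Tuple[str, Optional[int], str]:
    """Decide the controlled port's state and VLAN for one client.

    supplicant=False models a host that never answers EAP Request/Identity
    (the switch gives up after its retries); failures is the count of
    earlier Access-Rejects for this client on this port.
    """
    if not supplicant:
        if cfg.guest_vlan is not None:
            return "authorized", cfg.guest_vlan, "guest VLAN (no supplicant)"
        return "unauthorized", None, "no supplicant, no guest VLAN"
    result, vlan = radius_lookup(identity, credentials_ok)
    if result == "accept":
        return "authorized", vlan if vlan is not None else cfg.access_vlan, "Access-Accept"
    failures += 1
    if cfg.auth_fail_vlan is not None and failures >= cfg.auth_fail_max_attempts:
        return "authorized", cfg.auth_fail_vlan, f"restricted VLAN after {failures} failures"
    return "unauthorized", None, "Access-Reject"


def allowed_macs(host_mode, authenticated_mac, macs_on_port):
    """Which MACs pass the controlled port once one host has authenticated.
    single-host: only that MAC (a second MAC is a security violation).
    multi-host: every MAC behind the port, including an attacker on the hub."""
    if authenticated_mac not in macs_on_port:
        return set()
    if host_mode == "single-host":
        return {authenticated_mac}
    if host_mode == "multi-host":
        return set(macs_on_port)
    raise ValueError(f"unknown host mode {host_mode}")


if __name__ == "__main__":
    port = PortConfig(access_vlan=20, guest_vlan=50, auth_fail_vlan=60)
    print("B, valid creds    :", authorize_port(port, "B", True))
    print("C, valid, no VLAN :", authorize_port(port, "C", True))
    print("A, no supplicant  :", authorize_port(port, supplicant=False))
    print("A, 1st failure    :", authorize_port(port, "A", False))
    print("A, 3rd failure    :", authorize_port(port, "A", False, failures=2))
    print("hub, single-host  :", allowed_macs("single-host", "mac-B", {"mac-A", "mac-B"}))
    print("hub, multi-host   :", allowed_macs("multi-host", "mac-B", {"mac-A", "mac-B"}))
```

The point the model makes explicit: a host that simply never runs a supplicant is "authorized" into the guest VLAN, and a supplicant that keeps failing is "authorized" into the restricted VLAN. Both VLANs therefore have to be treated as untrusted and limited to remediation resources, since an attacker reaches them with no credentials at all.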
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure the interface and enable 802.1x on it.
6. Verify 802.1x operation.
switch(config)#
aaa authentication dot1x {default | list-name} group radius
Create an IEEE 802.1X authentication method list (AAA must already be enabled on the switch with aaa new-model)
switch(config)#
aaa authorization network default group radius
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment; required if the RADIUS server is to push per-user VLANs
switch(config)#
radius-server host {hostname | ip-address}
Specify the hostname or IP address of the RADIUS server
switch(config)#
radius-server key string
Specify the shared secret used to authenticate and encrypt RADIUS traffic between the switch and the server; it must match the key configured on the server
switch(config)#
radius-server vsa send [accounting | authentication]
(Optional) Enable the switch to recognize and use vendor-specific attributes (VSAs)
switch(config)#
dot1x system-auth-control
Enable IEEE 802.1X authentication globally on the switch; without it, the interface-level dot1x commands have no effect
switch(config)#
dot1x guest-vlan supplicant
(Optional) Enable the optional guest VLAN behavior globally, so that a port can still be placed in the guest VLAN after EAPOL packets have been seen on it
switch(config-if)#
dot1x port-control {force-authorized | force-unauthorized | auto}
Enable IEEE 802.1X on the interface. auto starts the port unauthorized and authorizes it only after a successful authentication; force-authorized (the default) permits all traffic without authentication; force-unauthorized blocks all traffic
switch(config-if)#
dot1x host-mode multi-host
(Optional) Allow multiple hosts on the port. Once one host authenticates, every MAC address on the port is permitted, so an unauthenticated host behind a shared hub rides on the authenticated user's session; the default single-host mode permits only the authenticated host
switch(config-if)#
dot1x guest-vlan vlan-id
(Optional) Specify an active VLAN as the IEEE 802.1X guest VLAN for clients that have no supplicant
switch(config-if)#
dot1x auth-fail vlan vlan-id
(Optional) Specify an active VLAN as the IEEE 802.1X restricted VLAN for clients that fail authentication
switch#
show dot1x [all | interface interface-id]
View the IEEE 802.1X status for all ports or a specific port
switch#
show aaa servers
View the status and operational information for all configured AAA servers