Published by: pedrinimmo on Nov 24, 2010



Implementation of the IEEE 802.1x Security Standard

Subject: Information Security. Professor: Carlos Orozco Corona


Luis Enrique Villasenor Aguilar A01062500, Luis Alberto Ramirez Garcia A01062572,

Pedro Mendez Montejano A01063026, Patrick Michael Murphy Rios A01083610

Due Date: May 3rd, 2010


Introduction

What is 802.1x?

Functionality of the protocol

Constructing the solution

Configuring the DNS server

Configuring the Domain Controller

Configuring the DHCP server

Configuring the IAS server

Configuring the Certification Authority

Adding users and computers to the domain

Adding groups to the domain

Configuring RADIUS client in the server

Creating the Certificate in the CA

Configuring Remote Access Policies for the RADIUS client

Configuring the Authenticator device (switch)

Configuring the supplicants (clients)

Conclusion



Introduction

Security has become a critical issue for communications both inside a company and in the external environment that surrounds it. Every day hundreds or maybe thousands of operations are carried out by the employees, and these operations need to comply with certain standards to ensure that they are secure and that the information they handle travels safely through the network in which the transactions are completed.

Managing this security concern can become a problem if there is no knowledge of the available technologies and the services they provide when they are used well. During this final project we (the whole team) found out what the IEEE 802.1x standard can do to simplify the administration of connections to a company network, and how it secures those connections by validating beforehand that a device has been accepted onto it.

First we had to research the elements needed to implement the standard as a solution to the problem presented at the beginning of the semester. Once the research was finished we started to implement every element as a part of the whole scheme. We ran into several problems that we had to solve, but as time passed we came to understand many details regarding the installation of the infrastructure components.

This document first presents a short overview of the 802.1x standard as a framework for understanding the purpose of implementing it as the final project. Then we present a step-by-step description of the installation of every component of the solution.

By the end of this document we expect the reader to have a general idea of what it takes to build the scenario that secures a network using this standard, and perhaps to be able to try implementing it on their own.


What is 802.1x?

802.1x is an IEEE standard for port-based network access control. It provides an authentication mechanism for devices wishing to connect to a network, whether a LAN or a WLAN. In its basic form it works with the Extensible Authentication Protocol (EAP).

The infrastructure in which this standard works is composed of three entities: a supplicant, an authenticator and an authentication server. Each of the three has well-defined functions, and when they are put together toward the final goal, a correctly configured device will be able to access the network; otherwise the connection will be rejected.

The supplicant is the device that wants to connect to the network; we can see it as the client, for example a laptop. The term "supplicant" is sometimes also used for the software inside the client that is responsible for presenting the credentials to the authenticator.

The authenticator is a network device, an Ethernet switch or an access point, and is responsible for relaying the credentials given by the supplicant to the authentication server so that authentication can proceed. Finally, the authentication server is the equipment running software that supports RADIUS and EAP. We will describe what RADIUS is later in this document.

In this scenario, the authenticator blocks the client from accessing the network until the client has proved it is who it claims to be, and only if its access is permitted. To be authenticated the client must provide credentials, such as a user name with its password or a certificate, to the authenticator, which then passes them on to the authentication server. If the authentication server validates these credentials the client is granted access to the secure side of the network; if not, it will not be able to connect.


Functionality of the protocol

The authentication process carried out by the different devices is as follows:

-Initialization: When a new supplicant is detected requesting access to the network, the switch port to which the client is connected changes its status to unauthorized; it then allows only 802.1x traffic through and drops every other kind of packet.

-Initiation: Once the process starts, the authenticator sends EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address and, when it receives the frames, responds with an EAP-Response Identity frame containing an identifier for the supplicant (a user ID, for example). The authenticator encapsulates this information in a RADIUS Access-Request packet and sends it to the authentication server.

-Negotiation: The authentication server replies to the authenticator with a RADIUS Access-Challenge packet containing an EAP Request that specifies the EAP method to be used to complete the procedure. The authenticator encapsulates the EAP Request and transmits it to the supplicant. At this point the client can respond with the method it is willing to perform, or start the EAP method requested by the server.

-Authentication: If the authentication server and the supplicant agree on an EAP method, EAP Requests and EAP Responses are exchanged between them through the authenticator until the authentication server responds with an EAP-Success or an EAP-Failure message. If the authentication succeeds the authenticator sets the port to the authorized state and normal traffic is allowed; if not, the port remains unauthorized. When the supplicant logs off it sends a log-off message to the authenticator, which sets the port back to the unauthorized state to wait for the next connection. The server's final verdict travels in a RADIUS Access-Accept or a RADIUS Access-Reject packet.
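To make the four steps above concrete, here is an added example (not part of the report) that models the exchange in Python: a supplicant, one authenticator port with its authorized/unauthorized state, and a stand-in authentication server that answers the relayed Identity with Access-Accept only for members of a constructed permitted group. It stops after the Identity round, standing in for the EAP method that would normally follow, so the port state machine stays visible; the frame layouts follow IEEE 802.1X and RFC 3748.

```python
# EAP codes and the Identity method type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# EAPOL packet types (IEEE 802.1X): 0 = EAP-Packet, 1 = EAPOL-Start, 2 = EAPOL-Logoff
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# Special Layer 2 group address the supplicant listens on for EAP-Request Identity
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"


def eapol_frame(eapol_type, body=b""):
    """EAPOL header: protocol version (1), packet type (1), body length (2)."""
    return bytes([1, eapol_type]) + len(body).to_bytes(2, "big") + body


def parse_eapol(frame):
    """Return (packet type, body) of an EAPOL frame."""
    body_len = int.from_bytes(frame[2:4], "big")
    return frame[1], frame[4:4 + body_len]


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code (1), identifier (1), length (2), optional type + type data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap(pkt):
    """Return (code, identifier, type or None, type data) of an EAP packet."""
    length = int.from_bytes(pkt[2:4], "big")
    body = pkt[4:length]
    return pkt[0], pkt[1], (body[0] if body else None), body[1:]


class AuthenticationServer:
    """Stand-in for the IAS/RADIUS server: it answers the relayed Identity with
    Access-Accept (EAP-Success) only for members of the permitted group."""

    def __init__(self, group_members):
        self.group_members = set(group_members)  # constructed, e.g. an 8021xUsers group

    def handle_access_request(self, ident, identity):
        if identity in self.group_members:
            return "Access-Accept", eap_packet(EAP_SUCCESS, ident)
        return "Access-Reject", eap_packet(EAP_FAILURE, ident)


class Supplicant:
    """Client side: answers EAP-Request Identity with its identifier."""

    def __init__(self, identity):
        self.identity = identity

    def handle(self, frame):
        eapol_type, pkt = parse_eapol(frame)
        if eapol_type != EAPOL_EAP or not pkt:
            return None
        code, ident, eap_type, _ = parse_eap(pkt)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
            return eapol_frame(EAPOL_EAP, resp)
        return None  # EAP-Success / EAP-Failure need no reply


class AuthenticatorPort:
    """One switch port: starts unauthorized, forwards only EAPOL until the server
    accepts the supplicant, and closes again on EAPOL-Logoff."""

    def __init__(self, server):
        self.server = server
        self.state = "unauthorized"
        self.next_id = 1

    def handle(self, frame):
        """Process one frame from the supplicant; return the frames to send back."""
        eapol_type, pkt = parse_eapol(frame)
        if eapol_type == EAPOL_LOGOFF:
            self.state = "unauthorized"
            return []
        if eapol_type == EAPOL_START:  # initiation: ask who is there
            req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            self.next_id += 1
            return [eapol_frame(EAPOL_EAP, req)]
        if eapol_type != EAPOL_EAP or not pkt:
            return []  # anything else is dropped while unauthorized
        code, ident, eap_type, data = parse_eap(pkt)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            # relay to the server (a real switch wraps this in a RADIUS Access-Request)
            verdict, reply = self.server.handle_access_request(ident, data.decode())
            self.state = "authorized" if verdict == "Access-Accept" else "unauthorized"
            return [eapol_frame(EAPOL_EAP, reply)]
        return []


def run_session(port, supplicant):
    """Drive one exchange from EAPOL-Start to the server's verdict; return port state."""
    outgoing = port.handle(eapol_frame(EAPOL_START))
    while outgoing:
        reply = supplicant.handle(outgoing.pop(0))
        if reply is not None:
            outgoing.extend(port.handle(reply))
    return port.state
```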



Constructing the solution

Now that we understand how the standard works we can proceed to implement the solution with all the elements needed to reach the level of security the protocol is meant to provide. First we enumerate the parts that compose our solution:

-DNS server with Active Directory

-DHCP server

-IAS server

-Domain Controller

-Switch functioning as the RADIUS client for the server

-Configuration for the RADIUS client in the server

-Certificate Authority in the server

-Switch configured to pass 802.1x authentication traffic

-Client configured to authenticate when connecting to the network and to obtain remote access to the server.

The equipment used to support this whole infrastructure is presented in the following list:

-Dell PowerEdge 800 server holding the DNS server, the IAS server, the DHCP server and the domain controller.

-Cisco Catalyst 2950 switch as the authenticator for the project

-Clients running in virtual machines with Windows XP and Windows Server, and physical machines with Windows 7, as the supplicants.

Now we describe how each of these components was implemented by the members of the team.


Configuring the DNS server

The first component we are going to install is the DNS server. To do this we open the menu and select the "Manage your server" option:


Figure 1. "Manage your server" Window

Once there we select the option "Add or remove a role" in order to add the new DNS server role and configure it on this equipment:



Figure 2. Selecting the DNS server as a new role

A notice saying that the DNS server installation wizard is about to begin will appear, so we answer yes. When the wizard starts it asks you to insert the installation CD to copy some files that were not used during the installation of the OS, and once you do that it will probably ask you to change the server's IP address to a static one instead of a dynamically assigned one.



Figure 3. Assigning a static IP to the server

By default the DNS server address will take the value of the IP we assign to the server, because the DNS service is going to run on the same equipment. When the wizard finishes we can check that the installation is complete by going to the Administrative Tools window, where the DNS console should appear as an installed component.

Configuring the Domain Controller

Next we create the Active Directory with the Domain Controller on our server; these elements are the ones that will let us manage the users and computers allowed to access the network, because they hold the lists of admitted equipment and users. To start, we open the "Manage your server" menu, select "Add new role" as in the first part, and choose the Active Directory option:


Figure 4. Selecting Domain Controller to be installed in the server

Again, a notice will list the components to be installed, and we accept. The wizard to create the Active Directory appears and we click "Next".

Figure 5. Starting the Active Directory creation wizard


We select the first option, "Domain controller for a new domain":


Figure 6. Selecting domain type


Figure 7. Specifying the kind of domain to create


We select the option "Domain in a new forest" because at this moment we have not created a domain of any kind, so there is no other choice; if other domains already existed we could add this controller to one of them, but that is not our case. We have to specify the full name of the domain in the format name.com or name.org, for example. Once we name the domain, validating it as the identifier of the new domain can take a moment, so you have to be patient.



Figure 8. Naming the new domain

After this we type the NetBIOS domain name; as a recommendation, the best choice is to use the first part of your domain name so you can easily identify it.



Figure 9. NetBIOS domain name

We leave the default location for the database of the domain; if we were going to manipulate or use this information heavily we could change the location, but as this is not the case we leave it there. After all of these steps are finished a window with the summary of the process is displayed and reports a problem with the installation. This is really common because it is like the question "which came first, the chicken or the egg?", applied here to "which came first, the DNS server or the Active Directory?". I know it might sound silly, but even books published by Microsoft say this.

You have to select the option "Install and configure DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server". Then you select the default permissions, which control compatibility among the machines that will form part of the domain:




Figure 10. Selecting permissions for machines in the domain

Finally we have to write the restore mode password, so that when the server is restarted in restore mode we can log in with it:


Figure 11. Restore mode password


A new summary describing the whole configuration is displayed; when we accept it the domain configuration starts. This might take a while, so you have to be patient:

Figure 12. Configuring the Domain

When the wait is over you receive a new message saying the domain was successfully installed.


Figure 13. Finishing the Active Directory creation wizard

The new configuration needs to be applied to the server so we have to restart the equipment.

Configuring the DHCP server

Now we need to configure a DHCP server, which will hand out IP addresses to the clients that have been authenticated and accepted onto the network. To do this we enter the "Manage your server" menu and then "Add or remove a role".

As with the first two components, this displays the window where we select the DHCP server role; we click on it and then "Next", and a summary of what is going to be installed is displayed. The wizard starts and asks for a name and a description for the new scope we are going to give this server:



Figure 14. Name and description for the DHCP server

Then the wizard continues and asks for the range of IP addresses the server is going to distribute to its clients:



Figure 15. Range of IP addresses for the DHCP server


When we click "Next" a window asks for the range of IP addresses you do not want to distribute; in this case we have no exclusions, so we click "Next". After this a window appears in which you select the lease duration, the amount of time a client may keep and use an IP address:

Figure 16. Selecting the valid time for an IP to be used

After this is done, the wizard asks you for the name of the domain and the IP address of the DNS server you will be using with this DHCP server.


Figure 17. Integrating the DHCP with the DNS and the domain controller

If you use a WINS server you can also integrate it with DHCP, but in our scenario we do not use WINS, so we skip that part. Finally you activate the scope immediately, and the DHCP server creation wizard is finished.

Configuring the IAS server

To configure the Internet Authentication Service on the server we go to Control Panel, Add or Remove Components and Add or Remove Windows Components. Once there we select Networking Services, but before clicking "OK" we need to open "Details", so we click on that button and select the Internet Authentication Service to install it. Now we can click "OK" and the installation wizard begins. In this case it happens really fast and you do not configure anything; you just have to wait.

If you want to check that it was installed correctly, go to "Administrative Tools" and select "Internet Authentication Service". You will see the console where later you will configure some things:



Figure 18. Internet Authentication Service Window

Configuring the Certification Authority

To configure the Certification Authority (CA) on the server, go to Control Panel, Add or Remove Components and Add or Remove Windows Components. Once there select Certificate Services and begin the installation. A warning appears saying that after you create the CA you will not be able to change the name of the CA or of the Active Directory, because a binding is made between them and changing either name would corrupt that association on the equipment, so be careful with what you are about to do:


Figure 19. Warning to prevent changes in the names of the CA or the AD

When the wizard starts we have to select the kind of CA we want to create; in our case it is an "Enterprise root CA", the most trusted and capable kind of CA we can install:

Figure 20. Selecting the type of CA to be installed


We assign a name to the CA and then we click "Next":


Figure 21. Naming the CA

After this the wizard asks for the location where the certificates will be stored; again I recommend leaving the default configuration to prevent malfunctions later in the process, especially if you are not experienced in changing these settings.

When the process is finished you can go to the Start menu, Administrative Tools, Certification Authority, and there you will find the CA you have just created.

Adding users and computers to the domain

In order for clients to have access to the network we need to validate them in the domain, so we need to create accounts for them as users and also for their computers. To do this we go to the Start menu, Administrative Tools and select Active Directory Users and Computers. Once there we can create the accounts we want to add to the domain.


Figure 22. Active Directory Users and Computers window

To create a new user we right-click on the Users container and select New User. Here we provide the user account data, first the name and then the logon user name that will be used by the client we are adding to the domain.

Figure 23. Adding a user to the domain


We specify the password for that account, its properties and click "Next":

Figure 24. Password selection and its properties

A summary with all the details is displayed and the user is created. Creating an account for a computer is much the same procedure: we right-click on the Computers container and select New Computer:

The information here needs to be more precise because it is going to link the equipment to the domain. We need to write the computer name of the client exactly as it is specified on the client's computer, so I recommend locating it first before adding it to the domain.


Figure 25. New computer to the domain window

In our case we are adding a computer named "VAI01", so we write exactly that name and no other. We click "Next" and the computer is added.

Adding groups to the domain

This part is very simple, but we still describe what has to be done. A group is a list of objects that share some common policies or permissions, which give them the ability to act in a certain way. In our scenario the group we create will be the one whose users and computers are allowed to authenticate and get access to the network.

We go to the Active Directory tree and enter the Users folder. There we right-click and select New Group.


Figure 26. New group window

Once we finish creating the group we can add users to it by going to the Members tab and selecting Add, after which the window for the new members opens:

Figure 27. New Users window


The same action is performed if we want to add the computer to the group of members permitted on the domain.

Figure 28. User and Computer added to the domain

Configuring RADIUS client in the server

Earlier in this document we presented the concept of RADIUS and said that we would define it later; the moment has come. First of all, the letters stand for Remote Authentication Dial In User Service. It is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA). This protocol manages whether a device is granted access to a network or rejected, based on its response to the challenge posed by the authentication server.

To create the new RADIUS client that will be managed by the server, we go to the Internet Authentication Service console, right-click on RADIUS Clients and select New RADIUS Client:





Figure 29. Configuring the IP for the RADIUS client

In this case the RADIUS client will be registered on our server to handle the incoming requests made by a client connected to the switch, so we have to enter the IP address of the server where we installed the IAS service.

Then we have to select the type of device we are going to use; in our case it is a Cisco switch, model 2950, so the relationship is established with a Cisco device. We also type the shared secret the two devices use to communicate with each other:





Figure 30. Selecting the device specification

Then we finish the creation of this new RADIUS client on the server.
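The shared secret entered in this dialog is what lets the IAS server check that an Access-Request really came from the registered switch. The following added example (not from the report) builds in Python the Access-Request an authenticator sends when it relays the supplicant's EAP-Response Identity, computes the Message-Authenticator attribute (HMAC-MD5 over the packet keyed with the shared secret, RFC 3579) and verifies it on the server side, rejecting a packet signed with a different secret or altered in transit. Attribute numbers come from RFC 2865/3579; the user name, NAS-IP-Address and the secret are constructed values.

```python
import hashlib
import hmac
import os

# RADIUS code and attribute types used here (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15  # the "Ethernet" value a remote access policy condition can match


def attribute(attr_type, value):
    """One RADIUS attribute: type (1), length (1, header included), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(blob):
    """Split the attribute area of a packet into (type, value) pairs."""
    attrs = []
    while blob:
        attr_type, length = blob[0], blob[1]
        attrs.append((attr_type, blob[2:length]))
        blob = blob[length:]
    return attrs


def build_access_request(secret, identifier, authenticator, username, nas_ip, eap_response):
    """Access-Request relaying an EAP-Response; the Message-Authenticator is the
    HMAC-MD5 of the whole packet computed with its own value zeroed (RFC 3579 3.2)."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET.to_bytes(4, "big"))
             + attribute(ATTR_EAP_MESSAGE, eap_response))
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the attribute zeroed and compare in
    constant time. A wrong shared secret, any tampering, or a missing attribute
    (which EAP over RADIUS requires) makes the check fail."""
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or length < 20:
        return False
    offset = 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False


def demo():
    """Sign with the constructed secret, then check with the right and a wrong secret."""
    secret = b"CISCO"  # constructed value, same as the secret the switch section uses
    request_authenticator = os.urandom(16)
    eap_response = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP-Response/Identity "alice"
    pkt = build_access_request(secret, 1, request_authenticator, "alice", "192.0.2.10", eap_response)
    return verify_message_authenticator(secret, pkt), verify_message_authenticator(b"WRONG", pkt)
```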

Creating the Certificate in the CA

If we look at our scenario as a small number of machines trying to get access to a network, it might seem viable to request a certificate manually for each of them. But in a bigger scenario (for example a company with hundreds or thousands of employees, each with a computer connected to the network) the idea of manually requesting and issuing certificates for each client no longer looks attractive, so why not create a certificate that is automatically issued to every computer accepted into the domain?

This is possible and actually really useful because it eases the work of the network administrator. We explain how the certificate can be issued automatically to each of the users in a domain.

We go to the Start menu, select Run and type mmc. Then we go to File and select Add/Remove Snap-in. We click Add and select Certificate Templates:


Figure 31. Adding a new Certificate template

After adding the snap-in we go to the left pane, where all the templates are displayed once we click on Certificate Templates, and select the User template:


Figure 32. Selecting the template we will use as a certificate


In the Action menu we select Duplicate Template to create a new certificate template with the characteristics we will need later when configuring the standard:


Figure 33. Configuring our certificate's name

When we write the name we have to check that the option "Publish certificate in Active Directory" is selected, because this lets us auto-enroll the users permitted on the network. Then we go to the Security tab and select the Read, Enroll and Autoenroll permissions for the certificate:



Figure 34. Configuring the certificate's security options

Once we finish this we go to the Certification Authority console: Start menu, Administrative Tools, Certification Authority. Expand the CA folders and select the Certificate Templates folder to add the template we have just created.

We open the Action menu and click the New option to select the certificate template we created in the previous steps:




Figure 35. Adding the certificate template

Then we go to the Active Directory Users and Computers console (Start menu, Administrative Tools, Active Directory Users and Computers), right-click on the name of the domain, click Properties and then the Group Policy tab to change the default policy created for this domain.


Figure 36. Changing the default policy for the domain

We need to reach the Public Key Policies, which are found along the following route: Computer Configuration, Windows Settings, Security Settings, Public Key Policies. Once there we can configure the Autoenrollment Settings, so we open that option and select "Enroll certificates automatically" together with the two options under it, which cover renewing the certificates and updating the certificates and the templates they use.



Figure 37. Configuring autoenrollment for the domain users

Configuring Remote Access Policies for the RADIUS client

After all the work we have done you are probably asking yourself "when are we going to implement the authentication?" The answer is: right now. You are ready to configure RADIUS on the server to authenticate using PEAP. To do this go to the IAS console and right-click on Remote Access Policies to create the new policy; when you click New Remote Access Policy a wizard starts:


Figure 38. Creating the remote access policy for the RADIUS authentication

We have to write a name and select that this is going to be a custom policy, so we can configure it as we need:


Figure 39. Naming the new policy


When we click "Next" we are asked for the conditions to be declared in this policy, so we select that the policy is based on the domain group we created earlier in this process, named 8021xUsers:

Figure 40. Adding the group to the policy

In the ideal scenario we would also declare that connections have to be made over Ethernet, but a problem with the switch configuration does not let us do that: at this moment the connection is made over Fast Ethernet, so if we select the Ethernet condition the policy will not work for our scheme.

Then we have to specify that a connection matching these conditions is granted access to the network; we could also deny it, but for our purpose a match means it is a permitted computer, so it may enter the network.

Once we have created the conditions we need to specify the protocols used to authenticate the client. We go to the Authentication tab, select the first two protocols, and also click EAP Methods to specify that PEAP will be used for this authentication:


Figure 41. Selecting the corresponding protocols

When you finish configuring the policy the wizard shows a summary of the rules you created and the configuration is complete.

Figure 42. Finishing the policy configuration wizard


Configuring the Authenticator device (switch)

To configure the switch you need to connect its console port to a PC or to whatever equipment you will configure it from. In this case we used an ordinary laptop.

First you log in to the switch with the corresponding user name and password. When you get the command prompt, the first thing you should do is rename the switch to a name you are familiar with; this is done with the following command:

set sys name="Authenticator Switch 8021x"

Then you need to define the IP address of the VLAN the switch will use to handle the requests:

enable ip

add ip int=vlan ip= mask=

After this you need to define a RADIUS server and its shared secret; the server should be the one you configured earlier in this process and the secret should be the one you entered when selecting the vendor of the device:

add radius server= secret="CISCO"

Finally you have to enable the authentication service on each port of the switch, or at least on the ones you want to use; this is done with the following commands:

enable portauth

enable portauth port=<port number> type=authenticator

You repeat this for every port; once this task is complete the switch should be able to function as an authenticator for your infrastructure. Note that the command syntax shown above (set system name, add ip interface, add radius server, enable portauth) belongs to the Allied Telesis AlliedWare command set; a Cisco Catalyst 2950 running IOS reaches the same configuration with different commands (radius-server host with its key, and dot1x port-control auto on each interface), so check the command reference of the switch you actually use.


Configuring the supplicants (clients)

When configuring the client, the first thing you should know is that it has to be declared a member of the domain; once you are sure of that you can proceed with the configuration.

The client should be connected to the switch through a non-authenticated port. Why? Because the first time it connects it has to receive the certificates it will use to negotiate the connection on later occasions. The IP address should not be a problem because we have installed a DHCP server, which will provide one for the client.

When it gets an IP address we can proceed to join it to the domain: we go to the Start menu, right-click My Computer and choose Properties. There we go to the Change option, select the Domain field, write the name of the domain and click "OK".

A window pops up asking for the credentials needed to join the domain; we enter them and click "OK". We have to restart the equipment, and when it comes back up it will be joined to the corresponding domain.

That was just the first part; once the client has network access we can configure the authentication options so that it can negotiate its credentials with the authenticator and the server.

We go to the Start menu, Control Panel, Network and Internet Connections, Internet Connections, and select the Authentication tab to specify the algorithms to be used. The options that must be selected are "Enable IEEE 802.1x authentication for this network" with the EAP type set to "PEAP". We save this configuration, and it should be enough to satisfy the requirements declared in the policy defined earlier.



Conclusion

Developing this project gave us an idea of the importance of having a secure infrastructure in a company. We now know for sure that it does not require too much configuration. After you practice a lot you realize that it is very simple, and it can be achieved easily if you are aware of the conditions in which you want to implement this framework.

With this project we found that companies can make their communications more secure, and this is very valuable because it gives a certain reputation to the enterprise that implements the solution: the company projects the image of an entity that cares about the information it manages, and society will count this as a plus for the services the company offers.

We certainly ran into a lot of details when configuring the server and the switch, but in the end we learned from all of it, and that learning is very important to us.

As for the technical part, we can say that this is now a secure way to communicate over a network, but a few years from now the security it provides will be broken and people will need to find new methods or stronger algorithms to secure their communications.

802.1x has proved to be a very powerful standard for security within a network, not just in wired networks but also in wireless ones, so it would be interesting to move this scenario to a wireless setting. We have probably just found something to do during the summer.

