The document discusses 802.1X port-based authentication and describes the components involved, including the supplicant, authenticator, authentication server, and certificate authority. It provides details on installing and configuring the authentication server software FreeRADIUS and Radiator, and installing the certificate authority on Windows Server 2003. It also outlines how a user can obtain a certificate from the local certificate authority or a public certificate authority through their browser.
5. EAP
• Extensible Authentication Protocol (EAP)
EAP defines how authentication messages are exchanged between the supplicant, the authenticator and the authentication server.
The EAP standard itself does not define the security protocols or mechanisms used for the authentication process.
EAP carries a number of authentication methods that provide security during the authentication process, for example MD5, MSCHAPv2, TTLS, etc.
EAP does not require the IP protocol to communicate, because it runs directly over the link layer.
RFC 2284 (Point-to-Point Extensible Authentication Protocol)
[ Scott.Shu ] - 5 of 75.
6. Authentication Message Exchange
Supplicant <-> Authenticator            Authenticator <-> AS
EAP-Request/Identity (to supplicant)
EAP-Response/Identity                   Radius Access-Request
EAP-Request/MD5 Challenge               Radius Access-Challenge
EAP-Request/Identity                    Radius Access-Request
EAP Success                             Radius Access-Accept
Port Authorized
EAP Logoff
Port Unauthorized
7. Authentication Message Exchange (wireless)
Supplicant <-> Authenticator            Authenticator <-> AS
Association Request
Association Response
EAPOL Start
EAP-Request/Identity (to supplicant)
EAP-Response/Identity                   Radius Access-Request
EAP-Request/MD5 Challenge               Radius Access-Challenge
EAP-Request/Identity                    Radius Access-Request
EAP Success                             Radius Access-Accept
Port Authorized
EAP Logoff
Port Unauthorized
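The exchange of slides 6 and 7 as a small simulation, added here as an illustration and not code from the slides: the authenticator relays EAP between the supplicant and a RADIUS-style server, the server's Access-Challenge carries the MD5 challenge, and the port only becomes Authorized on Access-Accept. Per RFC 3748 the supplicant answers the challenge with EAP-Response/MD5-Challenge, computed as MD5(Identifier || secret || challenge); the user database and passwords are constructed for the demo.

```python
import hashlib, hmac, os

# Constructed demo user database; the slides do not show one.
USERS = {"alice": b"s3cret"}

class Supplicant:
    """Answers the EAP-Requests relayed by the authenticator (slides 6 and 7)."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def handle(self, eap):
        if eap["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        if eap["type"] == "Request/MD5-Challenge":
            # RFC 3748 MD5-Challenge (CHAP style): MD5(Identifier || secret || challenge)
            digest = hashlib.md5(bytes([eap["id"]]) + self.password + eap["challenge"]).digest()
            return {"type": "Response/MD5-Challenge", "id": eap["id"],
                    "identity": self.identity, "digest": digest}
        raise ValueError("unexpected EAP message: %s" % eap["type"])

class AuthenticationServer:
    """RADIUS side: each EAP-Response arrives inside an Access-Request."""
    def __init__(self):
        self.pending = {}  # identity -> (EAP identifier, challenge)
    def access_request(self, eap):
        if eap["type"] == "Response/Identity":
            eap_id, challenge = 2, os.urandom(16)
            self.pending[eap["identity"]] = (eap_id, challenge)
            return "Access-Challenge", {"type": "Request/MD5-Challenge",
                                        "id": eap_id, "challenge": challenge}
        eap_id, challenge = self.pending.pop(eap.get("identity"), (None, None))
        password = USERS.get(eap.get("identity"))
        if eap["type"] != "Response/MD5-Challenge" or password is None or eap_id != eap.get("id"):
            return "Access-Reject", {"type": "Failure"}
        expected = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
        if hmac.compare_digest(expected, eap["digest"]):
            return "Access-Accept", {"type": "Success"}
        return "Access-Reject", {"type": "Failure"}

class Authenticator:
    """Access point: relays EAP between EAPOL and RADIUS and owns the port state."""
    def __init__(self, server):
        self.server, self.port = server, "Unauthorized"
    def authenticate(self, supplicant):
        eap = {"type": "Request/Identity"}  # first message after association / EAPOL-Start
        while True:
            radius, eap = self.server.access_request(supplicant.handle(eap))
            if radius != "Access-Challenge":  # Access-Accept or Access-Reject ends the exchange
                self.port = "Authorized" if radius == "Access-Accept" else "Unauthorized"
                return self.port
    def logoff(self):  # EAPOL-Logoff returns the port to Unauthorized
        self.port = "Unauthorized"
        return self.port
```

EAP-MD5 provides neither mutual authentication nor keying material, which is why the certificate-based methods in the CA section are the ones paired with the WPA/WPA2 policy on slide 15.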
15. Authenticator
• Access Point (AP)
– Radius Server (Primary, Secondary)
(1) Radius Server's IP Address
(2) Authentication Port Number: 1812 (UDP) or 1645 (UDP / Windows System)
(3) Accounting Port Number: 1813 (UDP) or 1646 (UDP / Windows System)
(4) Shared Secret
– Security Policy: WPA / WPA2
Configuring and setting up 802.1X on the AP may differ between vendors.
17. Authentication Server (AS)
• FreeRadius
• Radiator
• Microsoft Windows Server 2003
Internet Authentication Service (IAS)
• Cisco ACS
18. FreeRadius
• Installing FreeRADIUS from source
[ ]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.0.2.tar.gz
[ ]# tar zxvf freeradius-server-2.0.2.tar.gz
[ ]# cd freeradius-server-2.0.2
[ ]# ./configure
[ ]# make
[ ]# make install
(The tarball unpacks into a directory named after the version, so that is the directory to enter before ./configure.)
Or install FreeRADIUS directly from the RPM package.
19. FreeRadius (cont.)
• Configuring FreeRADIUS
1. The configuration files can be found under /usr/local/etc/raddb/
2. Open the main configuration file radiusd.conf.
3. Change the clients.conf file to specify which clients (NAS devices such as the AP) and networks it serves, and the shared secret for each.
4. Open the EAP configuration file eap.conf.
5. The user information is stored in the plain text file users.
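To make steps 3 and 5 concrete, here is an added example (not from the slides) that parses constructed FreeRADIUS 2.x style clients.conf and users fragments and answers the two questions the server asks before an Access-Request from the AP on slide 15 gets anywhere: is the sending NAS a configured client with the matching shared secret, and does the user entry match. The AP network, shared secret and user passwords are placeholders.

```python
import hmac
import ipaddress
import re

# Constructed FreeRADIUS 2.x fragments (not the slides' actual files); the AP
# network, shared secret and user passwords are placeholders.
CLIENTS_CONF = """
client lab-ap {
    ipaddr    = 10.7.15.0
    netmask   = 24
    secret    = testing123-change-me
    shortname = lab-ap
}
"""
USERS_FILE = """
alice   Cleartext-Password := "s3cret"
        Reply-Message = "Hello, alice"
bob     Cleartext-Password := "hunter2"
"""

def parse_clients(text):
    """clients.conf: which NAS devices (APs) may send requests, and with which secret."""
    clients = []
    for block in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(re.findall(r"(\w+)\s*=\s*(\S+)", block.group(2)))
        net = ipaddress.ip_network("%s/%s" % (attrs["ipaddr"], attrs.get("netmask", "32")), strict=False)
        clients.append((block.group(1), net, attrs["secret"]))
    return clients

def parse_users(text):
    """users file: one entry per line; indented continuation lines carry reply attributes."""
    users = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', line)
        if m:
            users[m.group(1)] = m.group(2)
    return users

def check_client(clients, src_ip, secret):
    """Name of the client entry that accepts this NAS, or None (unknown NAS or wrong secret)."""
    for name, net, expected in clients:
        if ipaddress.ip_address(src_ip) in net:
            return name if hmac.compare_digest(expected, secret) else None
    return None

def check_user(users, name, password):
    """Credential check driven by the plain-text users file (Cleartext-Password)."""
    return name in users and hmac.compare_digest(users[name], password)
```

Because the users file stores passwords in clear text, its file permissions matter as much as the shared secret in clients.conf.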
23. Certificate Authority (CA)
• Who needs a Certificate?
EAP Method   Supplicant                Authentication Server
EAP-TLS      Certificate is required   Certificate is required
EAP-TTLS     Certificate is optional   Certificate is required
PEAP         Certificate is optional   Certificate is required
EAP-FAST
LEAP
24. • Installing
– Install the IIS Service
– Install the CA Service
• Configuring
• For User (Client side)
– Obtain a certificate from the CA by MMC
– Obtain a certificate from the CA by Internet browser (Easy Way)
– Obtain a certificate from a Public Certificate Authority by Internet browser
25. Install the IIS Service
• Click Start > Control Panel > Add or Remove Programs.
• Click Add/Remove Windows Components.
26. • Click on Application Server and press the Details button.
27. • Click to select IIS and click OK.
28. • Total disk space required: 15.1 MB.
• Click Next.
29. • After the wizard completes the installation, click Finish.
30. Install the CA Service
• Click Start > Control Panel > Add or Remove Programs.
• Click Add/Remove Windows Components.
• Select Certificate Services.
31. • You will get a warning about domain membership and computer renaming constraints; click Yes.
32. • On the CA Type page, click Stand-alone root CA, and then click Next.
33. • On this page, in the Common name for this CA box, type the name of the server, and then click Next.
34. • If the private key already exists, you are asked "Do you want to overwrite this key with a new one?"; just click Yes.
• You will not get this prompt on a first-time installation.
35. • On this page, accept the default settings, and then just click Next.
36. • You will get a prompt to stop IIS; click Yes.
37. • On this page, accept the default settings, and then just click Next.
38. • Enable Active Server Pages (ASPs) by clicking Yes.
39. • After the installation process is completed, click Finish.
54. Obtain a DC from the CA by Internet browser
• Open an Internet browser such as IE or Firefox.
• Type the following URL in the address bar: http://10.7.15.165/certsrv
where 10.7.15.165 is the CA server IP address.
• In this page, click Request a certificate.
55. • Click Web Browser Certificate.
56. • To complete your certificate, type the requested information.
57. • You will get a prompt to confirm your request; just click Yes.
58. • Wait…
• After the CA administrator issues your certificate … next slide …
59. • Open an Internet browser such as IE or Firefox.
• Type the following URL in the address bar again: http://10.7.15.165/certsrv
where 10.7.15.165 is the CA server IP address.
• In this page, click Download a CA certificate, certificate chain, or CRL.
60. • In this page, click Download CA Certificate.
61. • Click Save or Open “certnew.cer”.
62. • Open the certificate.
• Install this CA certificate: click Install certificate…
68. • Open the certificate again.
• Now it's an effective certificate.
69. Obtain a DC from a Public Certificate Authority
• Open an Internet browser such as IE or Firefox.
• Type the following URL in the address bar: http://archimedes.csisoftware.net/
• In this page, click Request a certificate.
70. • Click Web Browser Certificate.
71. • To complete your certificate, type the requested information.
72. • You will get a prompt to confirm your request; just click Yes.
75. Testbed
Role                               OS                                  Programs
Supplicant (Notebook)              Windows XP Prof. SP3                Odyssey Client
Authentication Server (Radius 1)   Windows XP                          Radiator 4.0
Authentication Server (Radius 2)   Linux                               FreeRadius
Certificate Authority              Windows Server 2003 Enterprise SP1
Access Point