Identify-Based Networking Systems Configuration Guide

pdf
Số trang Identify-Based Networking Systems Configuration Guide 116 Cỡ tệp Identify-Based Networking Systems Configuration Guide 3 MB Lượt tải Identify-Based Networking Systems Configuration Guide 0 Lượt đọc Identify-Based Networking Systems Configuration Guide 0
Đánh giá Identify-Based Networking Systems Configuration Guide
4.6 ( 8 lượt)
Nhấn vào bên dưới để tải tài liệu
Đang xem trước 10 trên tổng 116 trang, để tải xuống xem đầy đủ hãy nhấn vào bên trên
Chủ đề liên quan

Nội dung

Identify-Based Networking Systems Configuration Guide Version 1.0 December 2005 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0403R) Identify-Based Networking Systems Configuration Guide © 2005 Cisco Systems, Inc. All rights reserved. C O N T E N T S CHAPTER 1 Introduction to Identity-Based Networking Systems Overview 1-1 1-1 What is IEEE 802.1X? 1-2 Key Components of IEEE 802.1X 1-3 Supplicant 1-3 Authenticator 1-3 Authentication Server 1-3 EAP Methods 1-3 EAP-MD5 1-4 EAP-TLS 1-4 PEAP with EAP-MSCHAPv2 EAP-FAST 1-7 1-6 Cisco Systems Product and Software Support 1-8 Cisco Catalyst Series Switches 1-8 Cisco Systems Routers 1-9 Cisco Systems Wireless LAN Access Points and Controllers Cisco Secure Access Control Server 1-10 CHAPTER 2 Authenticators 1-10 2-1 Cisco IOS 2-1 RADIUS Configuration for Cisco IOS 2-1 Global IEEE 802.1X Configuration for Cisco IOS 2-2 Interface IEEE 802.1X Configuration for Cisco IOS 2-2 Verify IEEE 802.1X Operation for Cisco IOS 2-2 Basic Configuration Example for Cisco IOS 2-3 show dot1x interface Example for Cisco IOS 2-3 Cisco Catalyst OS 2-4 RADIUS Configuration for Cisco Catalyst OS 2-4 Global IEEE 802.1X Configuration for Cisco Catalyst OS 2-4 Port IEEE 802.1X Configuration for Cisco Catalyst OS 2-4 Verify IEEE 802.1X Operation for Cisco Catalyst OS 2-5 Basic Configuration Example for Cisco Catalyst OS 2-5 show port dot1x [mod/port] Example for Cisco Catalyst OS 2-5 Cisco Aironet Wireless LAN Access Points Running Cisco IOS 2-6 Identify-Based Networking Systems Configuration Guide Version 1.0 December 2005 iii Contents RADIUS Configuration for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-6 Global Configuration for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-6 Interface Configuration for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-7 Verify IEEE 802.1X Operation for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-7 Basic Configuration Example for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-7 show dot11 associations Example for Cisco Aironet Wireless LAN APs Running Cisco IOS 2-8 CHAPTER 3 Deploying EAP—MD5 3-1 Authentication Server Configuration 3-1 Create a User in the ACS Database 3-1 Configure the User in the ACS Database 3-2 Configure a AAA Server 3-3 Configure a AAA Client 3-4 Summary of Network Configuration 3-5 Global Authentication Setup for EAP-MD5 3-6 Client Configuration 3-7 Open the Meetinghouse AEGIS client 3-7 Create the Machine Authentication Profile 3-8 Configure the Machine Authentication Profile 3-9 Create the User Authentication Profile 3-9 Configure the User Authentication Profile 3-10 Create a Network Profile 3-11 Configure the Port Settings 3-12 Configure the Network Profile 3-13 Apply the Network Profile 3-14 Verify Client Authentication 3-15 CHAPTER 4 Deploying EAP—TLS 4-1 Authentication Server Configuration 4-1 Create an Unknown User Policy 4-1 Configure an Unknown User Policy 4-2 Select an External User Database 4-3 Choose to Configure the Windows Database 4-4 Configure the Windows Database 4-5 Configure a AAA Server 4-7 Configure a AAA Client 4-8 Verify the Network Configuration 4-8 Global Authentication Setup for EAP-TLS 4-8 Client Configuration 4-9 Identify-Based Networking Systems Configuration Guide iv Version 1.0 December 2005 Contents Open the Funk Odyssey Client 4-9 Configure Machine Account Parameters for Connection Settings 4-10 Create a Machine Profile 4-11 Configure Authentication Information for the Machine Profile 4-12 Configure the Authentication Method for the Machine Profile 4-14 Create a User Profile 4-15 Configure the Authentication Information for the User Profile 4-16 Configure the Authentication Method for the User Profile 4-18 Add a Trusted Server 4-19 Configure a Trusted Server Entry 4-20 Select the Trusted Root Certification Authority 4-21 Save the Trusted Server Entry 4-21 Verify the Trusted Servers 4-22 Apply an Adapter to the User Profile 4-23 Add the Adapter to the User Profile 4-23 Verify the Network Connection for the User Profile 4-24 CHAPTER 5 Deploying PEAP with EAP-MSCHAPv2 5-1 Authentication Server Configuration 5-1 Create an External User Database 5-1 Configure an External User Database 5-1 Select an External User Database 5-1 Choose to Configure the Windows Database Configure the Windows Database 5-2 Configure a AAA Server 5-3 Configure a AAA Client 5-3 Verify the Network Configuration 5-3 Global Authentication Setup 5-3 5-2 Client Configuration 5-4 Enable IEEE 802.1X for the Local Area Connection Configure the PEAP Properties 5-6 Configure the EAP-MSCHAPv2 Properties 5-7 CHAPTER 6 Deploying EAP-FAST 5-4 6-1 Authentication Server Configuration 6-1 Create an External User Database 6-1 Configure an External User Database 6-1 Select an External User Database 6-1 Choose to Configure the Windows Database 6-2 Identify-Based Networking Systems Configuration Guide Version 1.0 December 2005 v Contents Configure the Windows Database 6-2 Configure a AAA Server 6-2 Configure a AAA Client 6-2 Verify the Network Configuration 6-2 Global Authentication Setup 6-2 Client Configuration 6-4 Create a Profile for EAP-FAST 6-5 Edit the Profile Configuration 6-5 Configure the System Parameters of the Profile 6-6 Configure the Network Security for the Profile 6-7 Configure the EAP-FAST Settings for the Profile 6-8 APPENDIX A Optional Cisco IOS & Cisco Catalyst OS Configuration Commands A-1 Cisco IOS A-1 RADIUS Configuration for Cisco IOS A-1 Global IEEE 802.1X Configuration for Cisco IOS A-2 Interface IEEE 802.1X Configuration for Cisco IOS A-2 Cisco Catalyst OS A-3 Global IEEE 802.1X Configuration for Cisco Catalyst OS A-3 Port IEEE 802.1X Configuration for Cisco Catalyst OS A-4 Cisco Aironet Wireless LAN Access Points Running Cisco IOS A-4 RADIUS Configuration for Cisco Aironet Wireless LAN Access Points Running Cisco IOS A-5 Interface Configuration for Cisco Aironet Wireless LAN Access Points Running Cisco IOS A-5 APPENDIX B Installing an X.509v3 PKI Certificate on the Client Access the Certificate Authority Request a Certificate B-1 B-2 Complete the Certificate Request Install the Certificate B-3 B-4 Certificate Installation Complete Verify Certificate Installation APPENDIX C B-1 B-5 B-6 Installing an X.509v3 PKI Certificate on the CS ACS Select ACS Certificate Setup C-1 C-1 Select Generate Certificate Signing Request Submit a Certificate Signing Request C-3 Copy the Certificate Signing Request C-4 Access the Certificate Authority C-2 C-5 Identify-Based Networking Systems Configuration Guide vi Version 1.0 December 2005 Contents Request an Advanced Certificate Submit a Certificate Request C-6 C-7 Complete the Certificate Request C-7 Download the Certificate onto ACS Install the Certificate onto ACS C-9 Verify ACS Certificate Installation APPENDIX D References C-8 C-10 D-1 Cisco Product Documentation Partner Product Documentation Industry Standards D-1 D-1 D-2 Identify-Based Networking Systems Configuration Guide Version 1.0 December 2005 vii Contents Identify-Based Networking Systems Configuration Guide viii Version 1.0 December 2005 C H A P T E R 1 Introduction to Identity-Based Networking Systems Overview The need for complete network security has never been greater nor as well understood. Malicious users threaten to steal, manipulate, and impede information. Numerous solutions address perimeter defense, but the greatest threat of information theft and unauthorized access remains within the internal network boundaries. One point of concern is the relative ease of physical and logical access to a corporate network. Both physical and logical access has been extended to enable a greater level of mobility, providing several benefits to business operations and overall productivity. However this greater level of mobility, combined with very limited security solutions, has also increased the overall risk of network exposure. This document outlines a framework and system based on technology standards that allow the network administrator to implement true identity-based network access control, down to the user and individual access-port at the network edge. The system provides user and/or device identification using strong authentication technologies known to be secure and reliable. The identity of the users and/or devices can be further leveraged by mapping them to policies that grant or deny network access, set network parameters, and work with other security features to enforce items such as posture assessments. This configuration guide focuses on the basic deployment of an identity-based networking system using IEEE 802.1X. The Identity-Based Networking System from Cisco Systems provides the network with these services and capabilities: • User and/or device authentication • Map the identity of a network entity to a defined set of policies configured by management • Grant or deny network access, at the port level, based on configured authorization policies • Enforce additional policies, such as resource access, when access is granted These capabilities are introduced when a Cisco end-to-end system is implemented with the Cisco Catalyst family of switches, wireless LAN access points and controllers, and the CiscoSecure Access Control Server (ACS). Additional components of the system include an IEEE 802.1X compliant client operating system, such as Windows XP, and an optional X.509 Public Key Infrastructure (PKI) certificate architecture. Cisco IP phones also interoperate with an identity-based networking system based on IEEE 802.1X when deployed on a Cisco end-to-end infrastructure. In compliance with the IEEE 802.1X standard, Cisco Catalyst switches can perform basic port-based network access control. Once IEEE 802.1X compliant client software is configured on the end device, the Cisco Catalyst switches running IEEE 802.1X features authenticate the requesting user or system in conjunction with a back-end CiscoSecure ACS server. Identify-Based Networking Systems Configuration Guide Version 1.0 December 2005 1-1 Chapter 1 Introduction to Identity-Based Networking Systems What is IEEE 802.1X? The high level message exchange in Figure 1-1 illustrates how port-based access control works within an identity-based system. First a client, such as a laptop, connects to an IEEE 802.1X-enabled network and sends a start message to the LAN switch. Once the start message is received, the LAN switch sends a login request to the client and the client replies with a login response. The switch forwards the response to the policy database, which authenticates the user. After the user identity is confirmed, the policy database authorizes network access for the user and informs the LAN switch. The LAN switch then enables the port connected to the client. Figure 1-1 Port-Based Access Control User or device credentials and reference information are processed by the CiscoSecure ACS. The CiscoSecure ACS is able to reference user or device policy profile information either: • Internally using the integrated user database • Externally using database sources such as Microsoft Active Directory, LDAP, Novell NDS, or Oracle databases This enables the integration of the system into exiting user management structures and schemes, thereby simplifying overall deployment. What is IEEE 802.1X? The development of protocols, such as IEEE 802.1X, combined with the ability of network devices and components to communicate using existing protocols, provides network managers with the flexibility to manage network access control and policies. The association of the identity of a network-connected entity to a corresponding set of control policies has never before been as secure and as flexible. Proper design and deployment offer the network manager increased security and control of access to network segments and resources. IEEE 802.1X is a protocol standard that provides an encapsulation definition for the transport of the Extensible Authentication Protocol (EAP) at the media-access control layer over any Point-to-Point Protocol (PPP) or IEEE 802 media. IEEE 802.1X enables the implementation of port-based network access control to a network device. IEEE 802.1X transports EAP messages between a supplicant and an authenticator. The authenticator then typically relays the EAP information to an authentication server via the RADIUS protocol. IEEE 802.1X not only provides the capability to permit or deny network connectivity based on user or machine identity, but also works in conjunction with higher layer protocols to enforce network policy. Identify-Based Networking Systems Configuration Guide 1-2 Version 1.0 December 2005
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.