Allied Telesis Solutions
LAN Client Authentication
[Network diagram: Tested Solution, LAN Client Authentication. Elements shown: Public/Private Zone (x600, client devices), Private Zone (8000GS, client devices), x900 stack, Windows 2008 server, Enterprise CA server, AR770, Internet. Legend: 10/100 Link, 1 Gigabit Link, Link aggregation.]
Introduction
The key to strong LAN security, and seamless mobility within an Enterprise network, is to identify and authenticate the user at their point of connection to the network.
Authentication is necessary to safeguard valuable network resources from intruders. Identification is necessary in order to give users a
consistent level of network access regardless of their physical location within the network.
Moreover, identification and authentication are integral to the client health-check process that is a core component of a NAC solution.
This solution will explain how to:
■ Configure Allied Telesis switches to ensure that ALL devices connecting to the network can be authenticated and identified.
■ Configure Microsoft Windows 2008 Server as the authentication server within the network.
■ Use the highly secure certificate-based method of user authentication.
Allied Telesis
Page 1
www.alliedtelesis.com
Contents
■ Introduction (see page 3)
■ Network scenario (see page 3)
■ Switch Configurations (see page 4)
■ Setting up the Windows 2008 Server (see page 10)
    Configuring IP interface(s) (see page 10)
    Installing Active Directory (see page 11)
    Adding users and groups to Active Directory (see page 15)
    Installing Network Policy Server (see page 19)
    Registering NPS with Active Directory (see page 20)
    Obtaining a server certificate for the server that is running NPS (see page 21)
    Setting up a Connection Request Policy (see page 24)
    Setting up Network Policies (see page 26)
■ Setting up Client PCs to perform 802.1x authentication (see page 36)
    Joining the PCs to the domain (see page 36)
    Configuring the PC as an 802.1x supplicant (see page 38)
    Performing 802.1x authentication (see page 39)
■ 802.1x Authentications with Certificates (see page 41)
    Configuring Policies on the Network Policy Server to use certificates (see page 41)
    Setting up the client PC to perform Certificate Authentication (see page 43)
    Obtain user certificates (see page 43)
    Download the Certificate Authority server’s Root certificate (see page 45)
    Set up the NIC card to perform authentication by certificate (see page 49)
■ Verifying the authentication from the Switch command-line (see page 52)
    Multiple supplicants on the same x600 port, assigned to different VLANs (see page 52)
■ Setting up MAC-based authentication (see page 54)
    Configuring the Network Policy server to Proxy MAC-based RADIUS requests to the VCStack RADIUS server (see page 55)
    Creating MAC address entries in the Active Directory User database (see page 60)
■ Appendix 1 – Setting up a DHCP server (see page 61)
    Setting up the x900 VCStack as a DHCP server (see page 61)
    Setting up the Windows 2008 server as the DHCP server (see page 63)
■ Appendix 2 – Setting up the Windows 2008 Network Policy Server to authenticate Management access to the switches (see page 67)
Network scenario
The solution is based upon the network illustrated on page 1. There are two zones within the network:
■ A fully private zone in which only registered users (i.e., users registered in the Active Directory hosted on the Windows Server) may connect.
■ A private/public zone in which registered users, unknown guests, and trusted (but unregistered) users from other branches of the same company may connect.
Solution description
The guiding principles in the design of this network are resiliency and security.
The core of the network is an x900 Virtual Chassis Stack. Aggregated Gigabit links radiate from this stack to the access switches and the servers.
In the Private Zone, the access switches are AT-8000GS switches. These Layer 2 switches are configured for 802.1x and MAC-based authentication on all their edge-facing ports. The only devices that are connected to these ports are registered client PCs (configured for 802.1x authentication), printers and scanners. The printers and scanners do not include 802.1x clients, so the ports to which they are connected fall back to MAC-based authentication.
The switch in the Public/Private Zone is an x600 Layer 3 switch. The edge-facing ports on this switch are configured for triple authentication, so all of these ports are capable of performing 802.1x, MAC-based and Web-based authentication. Registered users will be authenticated by 802.1x, and any printers or scanners installed in that zone are MAC authenticated.
The trusted visitors who are visiting from another office, and who are not registered in the local central user database, will be given a special username/password that they can use with Web-auth to obtain Internet access and some intranet access. Their user accounts will be created on the local RADIUS server in the x600. These user accounts will be associated with the group otheroffices, so those users will be dynamically allocated to VLAN40 once they have been authenticated.
The external guests will be given a different username/password for a user account in the local RADIUS server that is associated with the group externalvisitors, so these users will be dynamically allocated to VLAN50 once they have been authenticated.
The x600 switch will use Layer 3 to switch data to the core. This places a Layer 3 boundary between the Public/Private zone and the core, which
makes it easier to control what traffic may leave the Public/Private Zone. It does mean that a set of IP subnets need to be provisioned specifically
for the Public/Private zone, but that is a simple matter to configure on the DHCP server.
Switch Configurations
x600
This is the switch in the Private/Public Zone. Its edge ports are configured for triple authentication. Therefore, 802.1x, MAC-based, and Web-based
authentication are enabled on those ports.
The switch uses three different RADIUS servers.
The Network Policy Server within the Windows 2008 server at 192.168.2.254 is the RADIUS server for 802.1x requests.
So that the authentication of visitors from other offices is entirely self-contained within the Private/Public Zone, the x600 uses its own internal
RADIUS database for the authentication of Web-based authentication requests. This way, a specific username/password can be created for each
such visitor as they arrive, and entered into the RADIUS database of the x600, without any changes having to be made to the central Network
Policy Server. These entries can be removed from the x600 RADIUS database again when the visitor departs.
MAC-based authentication requests are forwarded to yet another RADIUS server. This is because the default strong password requirements of Microsoft Active Directory will not accept users whose username and password are a MAC address (as MAC authentication requires). So the MAC-based authentication requests are passed to a RADIUS server hosted in the virtual chassis stack at the core of the network.
The switch is also configured with a DHCP service specifically for the Guest VLAN. This is because the visiting users will initially be placed into the
Guest VLAN when they first connect, as they will fail authentication. The DHCP service on the switch will allocate IP addresses to users in the
Guest VLAN. Those PCs can then use that IP address as their source address for their Web authentication session. To perform Web authentication,
those users will need to browse to 192.168.160.10 (the switch’s IP address in the Guest VLAN) or to any address outside the 192.168.160.0/24
subnet. Their Web browser will then be presented with a login page, into which they can enter the username/password they have been given for
accessing the network.
Once successfully authenticated (by entering the correct username/password into this login page), they will be re-allocated to their appropriate
VLAN - which is VLAN40 for visitors from other offices, and VLAN50 for external guests. Once they are re-allocated to this VLAN, they need an IP
address that belongs to the subnet for that VLAN. This is where the brief lease-time on the DHCP leases provided by the switch comes in.
Because the PC’s link to the switch does not go down at the completion of the authentication, the PC will not necessarily attempt to renew its
DHCP lease at that moment. By defining a very brief lease time on the DHCP lease that is allocated to the PC while it is in the Guest VLAN, we
ensure that the PC will have to renew its lease within 30 seconds of the completion of the authentication. As the PC has been put into a new
VLAN when the authentication is completed, its first DHCP renewal after the authentication will provide it with a lease for an IP address in the
subnet used on that new VLAN. Note that all the VLANs except the Guest VLAN have been configured to relay DHCP requests to another DHCP
server.
hostname Triple-Auth

The Network Policy Server in the Windows 2008 server is used for validation of 802.1x authentication requests:

radius-server host 192.168.2.254 key MS-IAS
aaa group server radius NPS
 server 192.168.2.254
aaa authentication dot1x default group NPS

A separate RADIUS server, which accepts MAC users that have a MAC address as both username and password, is used for validation of MAC-based authentication requests:

radius-server host 192.168.2.252 key MAC-AUTH
aaa group server radius MAC-Auth
 server 192.168.2.252
aaa authentication auth-mac default group MAC-Auth

The validation of Web-based authentication requests is performed within the switch’s own RADIUS server:

radius-server host 127.0.0.1 key awplus-local-radius-server
aaa group server radius Internal
 server 127.0.0.1
aaa authentication auth-Web default group Internal

Management sessions on the switch will be authenticated by RADIUS, using the Windows 2008 Network Policy Server. If the server is unavailable, then the switch will fall back to using the local user database to authenticate the request:

aaa authentication login default group NPS local
crypto pki trustpoint local
crypto pki enroll local

Set up the Local RADIUS server. The only NAS configured for the server is 127.0.0.1, so it will only accept internally-generated requests. It is configured with a username/password set up for visitors from other offices, who will be dynamically allocated to VLAN 40, and for external visitors, who will be dynamically allocated to VLAN 50:

radius-server local
 server enable
 nas 127.0.0.1 key awplus-local-radius-server
 group otheroffices
  vlan 40
 group externalvisitors
  vlan 50
 user InternalVisitor password ikiG4JcsKEwFlhL
  group otheroffices
 user ExternalVisitor password ikiG4JcsKEwFlhL
  group externalvisitors

The switch is configured with one static VLAN (VLAN 2) that is used for communication with the rest of the network. The other 5 VLANs are used for dynamic allocation to users:

vlan database
 vlan 2 name uplink
 vlan 10 name Accounting
 vlan 20 name Engineering
 vlan 30 name Marketing
 vlan 40 name OtherOffices
 vlan 50 name ExternalGuests
 vlan 60 name GuestsVLAN

The first 22 ports on the switch are available for users to connect to. They are all configured with triple authentication with dynamic VLAN assignment and VLAN 60 as the guest VLAN. The ports are configured to support multiple supplicants on a single port, in case a hub or EAP-forwarding Layer 2 switch is attached to one of the ports, to enable multiple users to share that port:

interface port1.0.1-1.0.22
 auth-mac enable
 auth-Web enable
 dot1x port-control auto
 auth host-mode multi-supplicant
 auth guest-vlan 60
 auth dynamic-vlan-creation type multi
 spanning-tree portfast
 spanning-tree portfast bpdu-guard enable

Ports 23 and 24 are configured as a link aggregation group to connect the switch to the virtual chassis stack in the core:

interface port1.0.23-1.0.24
 switchport access vlan 2
 static-channel-group 1

Set up a DHCP server on the switch that is used specifically for the Web-Auth users to have an IP address for a brief time whilst they authenticate via HTTP. The lease time is set to 30 seconds, so the DHCP lease will be renewed very quickly after the authentication has been completed:

ip dhcp pool Temporary
 network 192.168.160.0 255.255.255.0
 range 192.168.160.20 192.168.160.40
 default-router 192.168.160.10
 lease 0 0 0 30
 subnet-mask 255.255.255.0
service dhcp-server

IP addresses are configured on all the VLANs. All the client VLANs are configured to relay DHCP requests to the DHCP server in the network core:

interface vlan2
 ip address 192.168.2.10/24
interface vlan10
 ip address 192.168.110.10/24
 ip dhcp-relay server-address 192.168.2.254
interface vlan20
 ip address 192.168.120.10/24
 ip dhcp-relay server-address 192.168.2.254
interface vlan30
 ip address 192.168.130.10/24
 ip dhcp-relay server-address 192.168.2.254
interface vlan40
 ip address 192.168.140.10/24
 ip dhcp-relay server-address 192.168.2.254
interface vlan50
 ip address 192.168.150.10/24
 ip dhcp-relay server-address 192.168.2.254
interface vlan60
 ip address 192.168.160.10/24
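As an added check (not part of the Allied Telesis guide), the following Python script audits an excerpt of the x600 configuration above for two properties the design depends on: each AAA authentication method (dot1x, auth-mac, auth-web) resolves through its server group to a configured radius-server host, and the edge-port range carries all three methods, the guest VLAN and BPDU guard. The excerpt is constructed from this page with lowercase auth-web keywords; the audit function and its check list are assumptions, not AlliedWare Plus features.

```python
import re

# Constructed excerpt of the x600 configuration on this page, trimmed to the lines the
# audit inspects (assumption: a real run would feed it the output of 'show running-config').
X600_CONFIG = """\
radius-server host 192.168.2.254 key MS-IAS
aaa group server radius NPS
 server 192.168.2.254
aaa authentication dot1x default group NPS
radius-server host 192.168.2.252 key MAC-AUTH
aaa group server radius MAC-Auth
 server 192.168.2.252
aaa authentication auth-mac default group MAC-Auth
radius-server host 127.0.0.1 key awplus-local-radius-server
aaa group server radius Internal
 server 127.0.0.1
aaa authentication auth-web default group Internal
interface port1.0.1-1.0.22
 auth-mac enable
 auth-web enable
 dot1x port-control auto
 auth guest-vlan 60
 spanning-tree portfast bpdu-guard enable
"""
# Commands every edge-port range must carry for triple authentication to hold.
EDGE_REQUIRED = ("auth-mac enable", "auth-web enable", "dot1x port-control auto",
                 "auth guest-vlan", "spanning-tree portfast bpdu-guard enable")

def audit(config):
    """Return a list of findings; an empty list means the config matches the design."""
    findings = []
    hosts = set(re.findall(r"^radius-server host (\S+)", config, re.M))
    # A server group is the top-level command plus its indented ' server' sub-lines.
    groups = {g: set(re.findall(r"^ server (\S+)", body, re.M)) for g, body in
              re.findall(r"^aaa group server radius (\S+)\n((?: .*\n)*)", config, re.M)}
    methods = dict(re.findall(r"^aaa authentication (\S+) default group (\S+)", config, re.M))
    # 1. Each authentication method must resolve, via its group, to defined RADIUS hosts;
    #    otherwise requests for that method cannot be authenticated at all.
    for method, grp in methods.items():
        for srv in groups.get(grp, ["<undefined group>"]):
            if srv not in hosts:
                findings.append(f"{method}: group {grp} server {srv} is not a configured host")
    # 2. Every edge-port range keeps all three methods, the guest VLAN and BPDU guard.
    for port, body in re.findall(r"^interface (port\S+)\n((?: .*\n)*)", config, re.M):
        for req in EDGE_REQUIRED:
            if not re.search(r"^ " + re.escape(req), body, re.M):
                findings.append(f"{port}: missing '{req}'")
    return findings
```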