IronShield White Paper: 802.1X Port Authentication with Microsoft's Active Directory
Step 7: Create a Remote Access Policy to govern access.
• From the IAS management screen, right-click on Remote Access Policies and select New Remote
Access Policy.
• Enter a Policy Friendly Name to describe the policy.
• Select the Attribute Type to regulate access with. The one that makes the most sense for Foundry
802.1X Port Authentication is Day-and-Time-Restriction.
• Set the days and times that users are allowed to authenticate. This example allowed all days and times.
Figure 7. Access Policy With Day-And-Time Restriction
• Once all of the conditions have been added (our example only uses the Day-And-Time-Restriction
condition), click on the “Next” button to proceed.
• On the Add Remote Access Policy – Permission screen, select “Grant remote access permission” and
click on the “Next” button to proceed.
• On the Add Remote Access Policy – User Profile screen, click on the “Edit Profile…” button.
Figure 8. Granting Permission
March 2003 ©2003 Foundry Networks, Inc. Version 1.0.0 All Rights Reserved.
• On the Edit Dial-In Profile screen, select the “Authentication” tab and check the “Extensible
Authentication Protocol” option.
• From the “… EAP type” drop-down box, select the “MD5-Challenge” option to support the Foundry
devices. Uncheck all other authentication types listed under the drop-down box.
• On the Edit Dial-In Profile screen, select the “Encryption” tab and check the “Strongest” encryption
option. This step is not required for EAP-MD5, but is performed as a safeguard to prevent weaker
encryption options from being used in the future.
• On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address”
to support DHCP.
• Click on the “OK” button and then the “Finish” button to complete the Policy.
Figure 9. Setting EAP Type
Figure 10. Setting Encryption Level
Step 8: Turn on Remote Access Logging.
• From the IAS management screen, select the Remote Access Logging option. On the right pane,
right-click the Local File and select Properties.
• Under the “Settings” tab, select the desired logging features.
• Under the “Local File” tab, make sure the Log File Format is set to IAS Format and set how long
log entries are kept.
Figure 11. Setting Up Logging Features
Figure 12. Setting Log Format & Size
Step 9: Configure passwords to be stored in a reversibly encrypted format to support EAP-MD5. This step is
required because of the way EAP-MD5 handles passwords: the server must be able to recover the cleartext
password to verify the MD5 challenge response.
• From the “Active Directory Users and Computers” menu option, right-click the name of your Active
Directory domain and select Properties.
• From the Properties screen, select the “Group Policy” tab. Highlight the “Default Domain Policy” and
click on the “Edit” button.
• Under the “Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy”
tree, set the “Store password using reversible encryption…” to Enable.
Figure 13. Enabling Password Reversible Encryption for MD5 Support
Step 10: Create the Active Directory User Accounts that will be used by each user to authenticate to the
network. One user account will need to be created for each person authenticating to Active Directory. For
installations that have existing Active Directory User Accounts, perform the configurations outlined in Step 11 for
each existing user account.
Step 11: Enable “Dial-In” access and “Password Reversible Encryption” for user accounts.
• After the account is created, double-click on the user account to display the user account Properties.
• Under the “Dial-In” tab, click on the “Allow Access” radio button for Remote Access Permission.
• Under the “Account” tab, check the “Store password using reversible encryption” option.
NOTE: If your Active Directory is already populated with existing user accounts, you must reset their
passwords after completing Step 11 to activate the reversibly encrypted password format configured in Step 9
and Step 11. This can be done by having each user change the password on their Active Directory user
account, or by the system administrator resetting it. For new accounts created in Step 10, the passwords will
already be stored with reversible encryption because of the configuration changes made in Step 9.
Figure 14. Granting Dial-in Access
Figure 15. Setting Password Reversible Encryption
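The check below is an added example, not part of Foundry's white paper: it audits an exported list of user objects against Steps 9 and 11, using the userAccountControl bit that the “Store password using reversible encryption” checkbox sets and the msNPAllowDialin attribute behind the “Dial-In” tab. The account names, dates and the policy-change date are constructed sample data.

```python
from datetime import datetime

# userAccountControl bit that the Step 11 "Store password using reversible
# encryption" checkbox sets (ENCRYPTED_TEXT_PWD_ALLOWED in Microsoft's docs).
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
NORMAL_ACCOUNT = 0x0200

# Constructed sample of an LDAP export of user objects (hypothetical names;
# pwdLastSet simplified to an ISO date for readability).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "msNPAllowDialin": True, "pwdLastSet": "2003-03-20",
     "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED},
    {"sAMAccountName": "bob", "msNPAllowDialin": True, "pwdLastSet": "2002-11-02",
     "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED},
    {"sAMAccountName": "carol", "msNPAllowDialin": True, "pwdLastSet": "2003-03-18",
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_backup", "msNPAllowDialin": False, "pwdLastSet": "2003-03-19",
     "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED},
]

def audit_eap_md5_accounts(accounts, policy_enabled_on):
    """Sort accounts into four lists of sAMAccountNames:

    ready       - reversible storage set and password changed after the policy
    needs_reset - reversible storage set, but the password predates the policy,
                  so no reversibly encrypted copy exists yet and EAP-MD5 will fail
    not_flagged - dial-in allowed but reversible storage never enabled (Step 11 missed)
    excess      - reversible storage set on an account that is not allowed to dial in
                  (a needless exposure of a recoverable password)
    """
    cutoff = datetime.strptime(policy_enabled_on, "%Y-%m-%d")
    result = {"ready": [], "needs_reset": [], "not_flagged": [], "excess": []}
    for acct in accounts:
        reversible = bool(acct["userAccountControl"] & ENCRYPTED_TEXT_PWD_ALLOWED)
        dialin = acct.get("msNPAllowDialin", False)
        last_set = datetime.strptime(acct["pwdLastSet"], "%Y-%m-%d")
        name = acct["sAMAccountName"]
        if reversible and not dialin:
            result["excess"].append(name)
        elif reversible and last_set >= cutoff:
            result["ready"].append(name)
        elif reversible:
            result["needs_reset"].append(name)
        elif dialin:
            result["not_flagged"].append(name)
    return result
```

Accounts in the needs_reset list are exactly the existing users the NOTE above refers to; the excess list shows where the reversible-storage flag can be removed again once an account no longer needs EAP-MD5.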
Configuring 802.1X Port Authentication
Foundry devices will support up to eight RADIUS servers and will authenticate against them in the order they
were added to the device’s configuration. To configure a Foundry device to support 802.1X Port Authentication,
the following procedures are required:
• Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s)
(RADIUS, IAS, etc.).
• Configure the Foundry device to act as the Authenticator.
• Configure the Foundry device’s interaction with the Client device (optional step).
Step 1: Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more
RADIUS, IAS, or other authentication servers.
Syntax: [no] aaa authentication dot1x default <method-list>
BigIron(config)# aaa authentication dot1x default radius
Configure the device to use one or multiple RADIUS, IAS, or other authentication servers. Set the authentication
and accounting port numbers to match the RADIUS server’s settings and specify the secret key to authenticate
to the RADIUS server. The secret key string must be identical to the secret key string used on the authentication
server.
Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number> default key
<string> dot1x]
BigIron(config)# radius-server host 192.168.100.100 auth-port 1812 acct-port 1813
default key mysecretpassword dot1x
BigIron(config)# radius-server host 192.168.101.150 auth-port 1812 acct-port 1813
default key mysecretpassword dot1x
Step 2: Enable the 802.1X authentication feature on the Foundry device and enable the necessary ports for
802.1X Port Authentication. This enables the Foundry device to act as an 802.1X Authenticator.
Syntax: [no] dot1x-enable
BigIron(config)# dot1x-enable
To configure 802.1X for individual ports, use the “enable” command with the port number. A range can
also be specified to speed up the configuration. Be careful not to add any uplink ports or ports for
critical servers that do not require 802.1X Port Authentication – access to these hosts may be lost.
BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
BigIron(config-dot1x)# write memory
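As an added example (not Foundry's own tooling), the script below checks a saved configuration in the form of Steps 1 and 2 before it is written to the device: it expands the “enable Ethernet a/b to a/c” ranges and refuses any port on a hypothetical list of uplink and server ports, and it confirms the RADIUS method and server entries are present and within the eight-server limit. The configuration text and the protected-port list are constructed sample input.

```python
import re

# Constructed sample in the form of the Step 1 and Step 2 commands above,
# as it would appear in the saved configuration (no CLI prompts).
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius
radius-server host 192.168.100.100 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
radius-server host 192.168.101.150 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
dot1x-enable
 enable Ethernet 2/1 to 2/24
 enable Ethernet 4/1 to 4/10
 enable Ethernet 4/17 to 4/24
"""
# Hypothetical uplink and server ports that must never be placed under 802.1X.
PROTECTED_PORTS = {"1/1", "4/11", "4/12"}

ENABLE_RE = re.compile(r"^\s*enable\s+Ethernet\s+(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+))?\s*$", re.I)
RADIUS_RE = re.compile(r"^radius-server host \S+ auth-port \d+ acct-port \d+ default key \S+ dot1x$")

def dot1x_ports(config):
    """Expand every 'enable Ethernet a/b [to a/c]' line into a set of 'slot/port' strings."""
    ports = set()
    for line in config.splitlines():
        m = ENABLE_RE.match(line)
        if not m:
            continue
        slot, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(4)) if m.group(4) else first
        if m.group(3) and int(m.group(3)) != slot:
            raise ValueError(f"port range crosses slots: {line.strip()}")
        ports.update(f"{slot}/{p}" for p in range(first, last + 1))
    return ports

def check_config(config, protected):
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    overlap = sorted(dot1x_ports(config) & set(protected))
    if overlap:
        findings.append(f"802.1X enabled on protected ports: {', '.join(overlap)}")
    lines = config.splitlines()
    servers = [ln for ln in lines if RADIUS_RE.match(ln)]
    if not servers:
        findings.append("no 'radius-server host ... dot1x' entry")
    elif len(servers) > 8:
        findings.append(f"{len(servers)} RADIUS servers configured; the device limit is eight")
    if "aaa authentication dot1x default radius" not in lines:
        findings.append("802.1X authentication method is not set to radius")
    return findings
```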