IronShield White Paper: 802.1X Port Authentication with Microsoft Active Directory
10480-8021xportAuth
Step 7:  Create a Remote Access Policy to govern access.

•  From the IAS management screen, right-click on Remote Access Policies and select New Remote Access Policy.
•  Enter a Policy Friendly Name to describe the policy.
•  Select the Attribute Type to regulate access with.  The one that makes the most sense for Foundry 802.1X Port Authentication is Day-and-Time-Restriction.
•  Set the days and times that users are allowed to authenticate.  This example allowed all days and times.

Figure 7.  Access Policy With Day-And-Time Restriction

•  Once all of the conditions have been added (our example only uses the Day-And-Time-Restriction condition), click on the “Next” button to proceed.
•  On the Add Remote Access Policy – Permission screen, select “Grant remote access permission” and click on the “Next” button to proceed.
•  On the Add Remote Access Policy – User Profile screen, click on the “Edit Profile…” button.

Figure 8.  Granting Permission



March 2003   ©2003 Foundry Networks, Inc.   Version 1.0.0   All Rights Reserved.   Page 9

 

 



 



•  On the Edit Dial-In Profile screen, select the “Authentication” tab and check the “Extensible Authentication Protocol” option.
•  From the “… EAP type” drop-down box, select the “MD5-Challenge” option to support the Foundry devices.  Uncheck all other authentication types listed under the drop-down box.
•  On the Edit Dial-In Profile screen, select the “Encryption” tab and check the “Strongest” encryption option.  This step is not required for EAP-MD5, but is performed as a safeguard so that weaker encryption options cannot be used in the future.
•  On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address” to support DHCP.
•  Click on the “OK” button and then the “Finish” button to complete the Policy.

Figure 9.  Setting EAP Type

Figure 10.  Setting Encryption Level

 

 



 

Step 8:  Turn on Remote Access Logging.

•  From the IAS management screen, select the Remote Access Logging option.  On the right pane, right-click the Local File and select Properties.
•  Under the “Settings” tab, select the desired logging features.
•  Under the “Local File” tab, make sure the Log File Format is set to IAS Format and set the duration to keep the log entries for.
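Added example, not part of the Foundry white paper: a small Python parser for IAS-format log records of the kind Step 8 turns on, used to tally authentication outcomes per user so that repeated rejections on the 802.1X ports can be reviewed. The record layout (six fixed fields followed by attribute id/value pairs), the attribute ids 4130 (SAM-Account-Name), 4136 (Packet-Type) and 4142 (Reason-Code), and the packet-type values are assumptions about the IAS format made for this example; the log lines themselves are constructed samples.

```python
import csv
from collections import Counter

# Assumed IAS-format layout: six fixed fields, then RADIUS attribute id/value pairs.
FIXED_FIELDS = ("nas_ip", "user_name", "record_date", "record_time",
                "service_name", "computer_name")

# Attribute ids assumed for this example: 4130 = SAM-Account-Name,
# 4136 = Packet-Type, 4142 = Reason-Code.
ATTR_SAM_ACCOUNT_NAME = "4130"
ATTR_PACKET_TYPE = "4136"
ATTR_REASON_CODE = "4142"
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample records (not a real IAS log): alice succeeds, bob is rejected twice.
SAMPLE_LOG = """\
192.168.100.1,alice,03/14/2003,09:12:01,IAS,IASSERVER,4130,CORP\\alice,4136,1
192.168.100.1,alice,03/14/2003,09:12:01,IAS,IASSERVER,4130,CORP\\alice,4136,2
192.168.100.1,bob,03/14/2003,09:12:05,IAS,IASSERVER,4130,CORP\\bob,4136,1
192.168.100.1,bob,03/14/2003,09:12:05,IAS,IASSERVER,4130,CORP\\bob,4136,3,4142,16
192.168.100.1,bob,03/14/2003,09:12:09,IAS,IASSERVER,4130,CORP\\bob,4136,3,4142,16
"""


def parse_ias_line(line):
    """Split one IAS-format record into the fixed fields plus an attrs dict."""
    fields = next(csv.reader([line]))
    extra = len(fields) - len(FIXED_FIELDS)
    if extra < 0 or extra % 2:
        raise ValueError("malformed IAS record: %r" % line)
    record = dict(zip(FIXED_FIELDS, fields))
    rest = fields[len(FIXED_FIELDS):]
    record["attrs"] = {rest[i]: rest[i + 1] for i in range(0, len(rest), 2)}
    return record


def summarize(log_text):
    """Count (user, packet-type) outcomes and Access-Rejects per NAS address."""
    outcomes = Counter()
    rejects_by_nas = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        ptype = PACKET_TYPES.get(rec["attrs"].get(ATTR_PACKET_TYPE), "unknown")
        user = rec["attrs"].get(ATTR_SAM_ACCOUNT_NAME, rec["user_name"])
        outcomes[(user, ptype)] += 1
        if ptype == "Access-Reject":
            rejects_by_nas[rec["nas_ip"]] += 1
    return outcomes, rejects_by_nas


def users_over_reject_threshold(log_text, threshold=2):
    """Users whose Access-Reject count reaches the threshold: a simple review trigger."""
    outcomes, _ = summarize(log_text)
    return sorted(user for (user, ptype), n in outcomes.items()
                  if ptype == "Access-Reject" and n >= threshold)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG)[0].items()):
        print(key, n)
    print("review:", users_over_reject_threshold(SAMPLE_LOG))
```

The per-NAS reject count is there because the NAS-IP-Address field identifies the Foundry switch that relayed the request, so a burst of rejects from one switch points at a particular set of ports rather than at one account.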

Figure 11.  Setting Up Logging Features

Figure 12.  Setting Log Format & Size

 

 

Step 9:  Configure passwords to be stored in reversible encrypted format to support EAP-MD5.  This step is required due to the way passwords are handled using EAP-MD5.

•  From the “Active Directory Users and Computers” menu option, right-click the name of your Active Directory domain and select Properties.
•  From the Properties screen, select the “Group Policy” tab.  Highlight the “Default Domain Policy” and click on the “Edit” button.
•  Under the “Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy” tree, set “Store password using reversible encryption…” to Enabled.

Figure 13.  Enabling Password Reversible Encryption for MD5 Support


Step 10:  Create the Active Directory User Accounts that will be used by each user to authenticate to the network.  One user account will need to be created for each person authenticating to Active Directory.  For installations that have existing Active Directory User Accounts, perform the configurations outlined in Step 11 for each existing user account.

 

 

Step 11:  Enable “Dial-In” access and “Password Reversible Encryption” for user accounts.

•  After the account is created, double-click on the user account to display the user account Properties.
•  Under the “Dial-In” tab, click on the “Allow Access” radio button for Remote Access Permission.
•  Under the “Account” tab, check the “Store password using reversible encryption” option.

 

 

 



NOTE:  If your Active Directory is already populated with existing user accounts, you must reset the passwords after completing Step 11 to activate the Reversible Encrypted Password Format configured in Step 9 and Step 11.  This can be accomplished by having each user change the password for their Active Directory user account or by the system administrator.  For new accounts created in Step 10, the passwords will have the reversible encryption feature set due to the configuration changes made in Step 9.

Figure 14.  Granting Dial-in Access

Figure 15.  Setting Password Reversible Encryption
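Steps 9 and 11 need reversible encryption because the MD5-Challenge method has the authentication server recompute MD5(Identifier || password || Challenge) and compare it with the supplicant's answer, which requires the password bytes themselves rather than a one-way hash; a password that was reset before the policy took effect is still stored hash-only, which is why the NOTE above calls for a reset. The Python model of that exchange below is an added example, not code from the white paper or from Foundry or Microsoft; the credential store, user name and password are constructed, and the server side stands in for what IAS does with the password recovered from Active Directory.

```python
import hashlib
import hmac
import os

# Constructed credential store (not from the white paper). With "Store password using
# reversible encryption" enabled, IAS can obtain the clear-text password from the domain;
# this dict models that recovered clear text on the server side.
USER_PASSWORDS = {"alice": "Wint3r-Hydrangea"}


def md5_challenge_response(identifier, password, challenge):
    """MD5-Challenge response value: MD5(Identifier || password || Challenge),
    the CHAP computation that EAP-MD5 reuses (RFC 3748 section 5.4, RFC 1994)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode("utf-8") + challenge).digest()


def supplicant_respond(identifier, typed_password, challenge):
    """Client side: answer the challenge with the password the user typed."""
    return md5_challenge_response(identifier, typed_password, challenge)


def server_verify(username, identifier, challenge, response):
    """Authentication-server side: recompute the expected value from the stored
    clear-text password and compare in constant time. A server holding only a
    one-way hash of the password could not perform this recomputation."""
    stored = USER_PASSWORDS.get(username)
    if stored is None:
        return False
    expected = md5_challenge_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(username, typed_password, challenge=None, identifier=1):
    """Full exchange: the server issues a fresh random challenge, the supplicant
    responds, the server verifies. Returns True on Access-Accept, False on reject."""
    challenge = os.urandom(16) if challenge is None else challenge
    response = supplicant_respond(identifier, typed_password, challenge)
    return server_verify(username, identifier, challenge, response)


if __name__ == "__main__":
    print("alice, correct password:", run_exchange("alice", "Wint3r-Hydrangea"))
    print("alice, wrong password:  ", run_exchange("alice", "guess"))
    print("unknown user:           ", run_exchange("mallory", "Wint3r-Hydrangea"))
```

The challenge must be freshly random for every exchange; the Identifier byte is also mixed in, so a response to one challenge cannot be replayed against another. Nothing in this method derives session keys or authenticates the server to the client, which is consistent with the white paper treating the “Strongest” encryption setting in Step 7 as a safeguard rather than a requirement for EAP-MD5.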

 

 



 

 

 




Configuring 802.1X Port Authentication

Foundry devices will support up to eight RADIUS servers and will authenticate against them in the order they were added to the device’s configuration.  To configure a Foundry device to support 802.1X Port Authentication, the following procedures are required:

•  Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s) (RADIUS, IAS, etc.).
•  Configure the Foundry device to act as the Authenticator.
•  Configure the Foundry device’s interaction with the Client device (optional step).

 

 



Step 1:  Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more RADIUS, IAS, or other authentication servers.

Syntax: [no] aaa authentication dot1x default

BigIron(config)# aaa authentication dot1x default radius



 

 

Configure the device to use one or multiple RADIUS, IAS, or other authentication servers.  Set the authentication and accounting port numbers to match the RADIUS server’s settings and specify the secret key to authenticate to the RADIUS server.  The secret key string must be identical to the secret key string used on the authentication server.

Syntax: radius-server host | [auth-port acct-port default key dot1x]

BigIron(config)# radius-server host 192.168.100.100 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
BigIron(config)# radius-server host 192.168.101.150 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x

 

 

 



Step 2:  Enable the 802.1X authentication feature on the Foundry device and enable the necessary ports for 802.1X Port Authentication.  This enables the Foundry device to act as an 802.1X Authenticator.

Syntax: [no] dot1x-enable

BigIron(config)# dot1x-enable

To configure 802.1X for individual ports, you can use the “enable” command with the port number.  A range can also be specified to help make the configuration work faster.  Be careful not to add any uplink ports or ports for critical servers that do not require 802.1X Port Authentication – access may be lost to these hosts.

BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
BigIron(config-dot1x)# write memory
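Added example, not from the white paper or Foundry: a Python pre-check for the warning in Step 2. It expands the “enable Ethernet” ranges from the page’s own example configuration into individual slot/port names and reports any that overlap a set of ports that must stay open (uplinks, critical servers). The line pattern is taken from the commands above; the protected port set is a constructed assumption, and 4/11 to 4/16 are chosen because the page’s ranges skip them.

```python
import re

# Line shape taken from the white paper's Step 2 example:
# "enable Ethernet <slot>/<port> [to <slot>/<port>]".
ENABLE_RE = re.compile(
    r"^\s*enable\s+ethernet\s+(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+))?\s*$", re.IGNORECASE)


def expand_enable_line(line):
    """Return the list of slot/port strings that one 'enable Ethernet' line covers."""
    m = ENABLE_RE.match(line)
    if not m:
        raise ValueError("not an enable line: %r" % line)
    slot, first, slot2, last = m.groups()
    if slot2 is None:
        return ["%s/%s" % (slot, first)]
    if slot2 != slot:
        raise ValueError("range spans slots: %r" % line)
    first, last = int(first), int(last)
    if last < first:
        raise ValueError("descending range: %r" % line)
    return ["%s/%d" % (slot, p) for p in range(first, last + 1)]


def dot1x_ports(config_lines):
    """All ports that would have 802.1X enabled by the given config-dot1x lines;
    lines that are not 'enable Ethernet' commands (e.g. 'write memory') are skipped."""
    ports = []
    for line in config_lines:
        if ENABLE_RE.match(line):
            ports.extend(expand_enable_line(line))
    return ports


def _port_key(port):
    return tuple(int(x) for x in port.split("/"))


def conflicting_ports(config_lines, protected_ports):
    """Ports that are both 802.1X-enabled and in the set that must stay open."""
    return sorted(set(dot1x_ports(config_lines)) & set(protected_ports), key=_port_key)


# The page's own Step 2 ranges; the protected set (uplinks, server ports) is a
# constructed assumption for this example.
PAGE_CONFIG = [
    "enable Ethernet 2/1 to 2/24",
    "enable Ethernet 3/1 to 3/24",
    "enable Ethernet 4/1 to 4/10",
    "enable Ethernet 4/17 to 4/24",
    "write memory",
]
PROTECTED_PORTS = {"1/1", "4/11", "4/16"}

if __name__ == "__main__":
    print("conflicts with page config:", conflicting_ports(PAGE_CONFIG, PROTECTED_PORTS))
    widened = PAGE_CONFIG + ["enable Ethernet 4/1 to 4/24"]
    print("conflicts if 4/1 to 4/24 is added:", conflicting_ports(widened, PROTECTED_PORTS))
```

Run against a candidate configuration before issuing “write memory”: an empty result means none of the protected ports would be placed behind 802.1X, while any port listed is one whose host could lose connectivity as the page warns.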

 
