Implementing 802.1X Security Solutions for Wired a

文件名称: Implementing 802.1X Security Solutions for Wired and Wireless Networks.pdf

所属分类: 其它

开发工具:

文件大小: 6mb

下载次数: 0

上传时间: 2019-08-14

提供者: drji*****

下载 (6mb)

不能下载？报告错误

详细说明： Configuring Wireless Access Points 159 IP Address 159 SSID 160 Radio Settings 161 Transmit Power 161 RF Channel 163 Data Rates 164 Preamble 165 Beacon Period 165 Fragmentation 165 Authenticator Management 167 Authenticator Administrative Interface 167 Terminal Connection 167 Web Browser Interface 168 SNMP 169 Administrator Access C ontrol 169 Authenticator MIB 169 Chapter 8 Configuring Authentication Servers 171 Authentication Server Recap 171 Choosing RADIUS Servers 172 Commercial RADIUS Servers 172 Open-Source RADIUS Servers 173 Outsourcing RADIUS Functionality 173 Installing RADIUS Software 174 Review Release Notes 174 Establish a Server 175 System Requirements 175 Physical Location 175 Verify Network Connections 176 Configure Administrator Account Access 176 Security Tips 182 Install the Software 183 Common RADIUS Configuration Parameters 184 Accessing RADIUS Configuration 184 Configuring RADIUS Clients and Users 186 Configuring RADIUS Clients 186 Configuring RADIUS Users 187 Configuring User Profiles 188 Authentication Methods 188 Native User Authentication 188 Pass-Through Authentication 189 Proxy RADIUS Authentication 189 Concurrent Connections 189 Shared Secret 190 Replication 191 xvi Contents 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xvi Chapter 9 Troubleshooting 193 Troubleshooting Approaches 193 Gather Information 194 Find the Root Problem (and Fix It) 195 Test Tools 195 Viewing System Configuration 195 Viewing System Statistics 196 Debugging Processes 197 Viewing Wireless Communications 197 Signal Tester 197 Spectrum Analyzer 199 Packet Analyzer 199 Network Connectivity Issues 200 Network Interface Problems 200 Faulty Client Cards 201 Wireless Coverage Holes 202 RF Interference 203 Infrastructure Problems 203 Supplicant Issues 204 Missing Supplicant 204 Missing Supplicant Behavior 205 Peripheral Devices 206 Hubs 207 Bad Credentials 209 Bad Credentials Behavior 210 Incorrect EAP-Method 211 Authenticator Issues 212 No 802.1X Support 212 802.1X Not Enabled 212 RADIUS Server Address Incorrect 212 EAP-Method Not Supported 213 Authentication Server Issues 213 Missing Authentication Server 213 Missing Authentication Server Behavior 213 Verifying the Authentication Server 215 Guest Access Issues 215 Local Visitor Problems 215 Visitor with No Supplicant 216 Visitor with Active Supplicant 216 Visitor with Active Supplicant Behavior 217 Remote Visitor Problems 219 Appendix RFC 3748: Extensible Authentication Protocol (EAP) 221 Extensible Authentication Protocol (EAP) 221 Abstract 222 Table of Contents 222 Contents xvii 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xvii 1. Introduction 224 1.1. Specification of Requirements 224 1.2. Terminology 224 1.3. Applicability 226 2. Extensible Authentication Protocol (EAP) 227 2.1. Support for Sequences 229 2.2. EAP Multiplexing Model 229 2.3. Pass-Through Behavior 231 2.4. Peer-to-Peer Operation 232 3. Lower Layer Behavior 234 3.1. Lower Layer Requirements 234 3.2. EAP Usage Within PPP 236 3.2.1. PPP Configuration Option Format 237 3.3. EAP Usage Within IEEE 802 237 3.4. Lower Layer Indications 237 4. EAP Packet Format 238 4.1. Request and Response 239 4.2. Success and Failure 241 4.3. Retransmission Behavior 243 5. Initial EAP Request/Response Types 244 5.1. Identity 245 5.2. Notification 247 5.3. Nak 248 5.3.1. Legacy Nak 248 5.3.2. Expanded Nak 250 5.4. MD5-Challenge 252 5.5. One-Time Password (OTP) 253 5.6. Generic Token Card (GTC) 254 5.7. Expanded Types 255 5.8. Experimental 257 6. IANA Considerations 257 6.1. Packet Codes 258 6.2. Method Types 258 7. Security Considerations 258 7.1. Threat Model 258 7.2. Security Claims 259 7.2.1. Security Claims Terminology for EAP Methods 261 7.3. Identity Protection 262 7.4. Man-in-the-Middle Attacks 263 7.5. Packet Modification Attacks 263 7.6. Dictionary Attacks 264 7.7. Connection to an Untrusted Network 265 7.8. Negotiation Attacks 265 7.9. Implementation Idiosyncrasies 265 7.10. Key Derivation 266 xviii Contents 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xviii 7.11. Weak Ciphersuites 268 7.12. Link Layer 268 7.13. Separation of Authenticator and Backend Authentication Server 269 7.14. Cleartext Passwords 270 7.15. Channel Binding 270 7.16. Protected Result Indications 271 8. Acknowledgements 273 9. References 273 9.1. Normative References 273 9.2. Informative References 274 Appendix A. Changes from RFC 2284 276 Authors’ Addresses 278 Full Copyright Statement 279 Intellectual Property 280 Acknowledgement 280 Glossary 281 Index 315 Introduction xxi Part I Concepts 1 Chapter 1 Network Architecture Concepts 3 Computer Network Defined 3 Network Components 4 Client Devices 5 Servers 5 Network Hardware 7 Switches and Hubs 7 Routers 8 Access Points 9 Network Interface Cards 10 Media 12 Metallic Wire 12 Optical Fiber 13 Air 14 Network Types 14 Personal Area Networks 14 Local Area Networks 16 Metropolitan Area Networks 18 Optical Fiber Infrastructure 18 Wi-Fi Mesh 18 WiMAX 19 Wide Area Networks 20 Logical Network Architecture 20 IEEE 802 Standards 22 Contents xi 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xi Wireless Impairments 23 Roaming Delays 23 Coverage Holes 25 RF Interference 28 Addressing 29 IEEE 802.11 Multicasting 30 Setting the DTIM Interval 30 Chapter 2 Port-Based Authentication Concepts 33 802.1X Port-Based Authentication Terminology 33 Authentication Benefits 36 Primary Components 38 Supplicant 39 Authenticator 39 Authentication Server 39 A Simple Analogy: Getting the Protocols Straight 40 Port-Based Authentication Operation 42 A Simple Analogy—Understanding the Overall System 42 Supplicant to Authentication Server: EAP-Methods 44 Supplicant to Authenticator: 802.1X / EAPOL 45 Authenticator to Authentication Server: RADIUS 49 A Historical Perspective 51 Part II Standards and Protocols 53 Chapter 3 EAPOL Protocol 55 EAPOL Recap 55 EAPOL Encapsulation 56 EAPOL Packet Structure 57 Version Field 57 Type Field 58 Length Field 58 Packet Body Field 59 EAPOL Packet Types 59 EAP-Packet 59 EAPOL-Start 59 EAPOL-Logoff 60 EAPOL-Key 60 Descriptor Type Field 61 Descriptor Body Field for RC4 61 EAPOL-Encapsulated-ASF-Alert 62 EAP Packet Structure 63 EAP Code Field 63 EAP Identifier Field 63 EAP Length Field 64 EAP Data Field 64 xii Contents 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xii EAP Packet Types 64 EAP-Request 65 EAP-Response 65 EAP Request/Response Types 65 EAP-Success 66 EAP-Failure 67 802.3 Frame Structure 67 802.11 Frame Structure 69 Chapter 4 RADIUS Protocols 71 RADIUS Recap 71 RADIUS Packet Structure 72 Code Field 73 Identifier Field 73 Length Field 74 Authenticator Field 74 Request Authenticator 75 Response Authenticator 75 Attributes Field 76 RADIUS Packet Types 76 RADIUS Access-Request 76 RADIUS Access-Challenge 77 RADIUS Access-Accept 77 RADIUS Access-Reject 78 RADIUS Accounting-Request 78 RADIUS Accounting-Response 79 RADIUS Attributes 79 RADIUS Attributes Format 79 Type Field 80 Length Field 82 Value Field 82 EAP-Message Attribute 82 Message-Authenticator Attribute 83 Password-Retry Attribute 84 User-Name Attribute 85 User-Password Attribute 85 NAS-IP-Address Attribute 86 NAS-Port Attribute 86 Service-Type Attribute 87 Vendor-Specific Attribute 88 Vendor-ID Field 89 String Field 89 Session-Timeout Attribute 89 Idle-Timeout Attribute 89 Termination-Action Attribute 90 Contents xiii 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xiii Authentication Server Selection Considerations 90 Attributes 91 EAP-Methods 91 Chapter 5 EAP-Methods Protocol 93 EAP-Methods Recap 93 EAP-Method Encapsulation 94 EAP-Method Packet Structure 95 EAP-Method Type Field 95 EAP-Method Data Field 96 Original EAP-Method Types 98 Identity 99 Notification 100 Legacy NAK 101 Expanded NAK 103 MD5-Challenge 105 Value-Size Field 106 Value Field 106 Name Field 106 One-Time Password 106 Generic Token Card 107 Expanded Types 107 Vendor-ID Field 108 Vendor-Type Field 108 Experimental 108 Additional EAP-Method Types 109 EAP-TLS 109 EAP-TTLS 111 PEAP 112 LEAP 112 EAP-FAST 113 EAP-SIM 113 Wi-Fi Alliance Certification 113 EAP-Method Selection Considerations 114 Security Policies 114 Existing Security Infrastructure 114 Client Devices 114 Part III Implementation 117 Chapter 6 Configuring Supplicants 119 Supplicant Recap 119 Choosing Supplicants 120 Windows Authentication Client 121 SecureW2 121 Juniper Odyssey Access Client 121 xiv Contents 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xiv wpa_supplicant 122 Open1X 123 Common Supplicant Configuration Parameters 123 802.1X Activation 123 Configuring Windows XP 802.1X Wi-Fi Clients 123 Configuring Windows XP 802.1X Ethernet Clients 127 Configuring Client Radios 129 Configuration Update Approaches 129 Distributed Update Approach 129 Centralized Update Approach 130 Client Radio Settings 130 IP Address 131 Wireless Network Connection Properties 134 Transmit Power 134 Data Rate 135 Wireless Modes 136 Ad Hoc Channel 138 Power Management 139 Protection Mechanisms 140 Chapter 7 Configuring Authenticators 143 Authenticator Recap 143 Choosing Authenticators 145 802.1X Support 145 Authentication Server Support 146 Miscellaneous Features 148 Common Authenticator Configuration Parameters 148 802.1X Activation 149 RADIUS Server Identification 149 Local Authentication Server Configuration 150 Enable the Local Authentication Server 150 Identify Authorized Access Points 151 Identify Authorized Users 151 Guest VLAN Configuration 152 Port Activation 153 Forced-Unauthorized 153 Forced-Authorized 154 Auto 154 VLAN Identification 156 Multiple MAC Address Support 156 Retry Number 157 Retry Timeout Value 157 Quiet Period Value 158 Re-authentication Activation 158 Re-authentication Period Value 158 Contents xv 68608ftoc.qxd:Layout 1 2/18/08 9:55 PM Page xv

(系统自动生成,下载前可以参看下载内容)