
INSTITUTO TECNOLÓGICO Y DE ESTUDIOS SUPERIORES DE MONTERREY, CAMPUS MORELIA

Implementation of the IEEE 802.1x Security Standard

Subject: Information Security

Professor: Carlos Orozco Corona

Students:
Luis Enrique Villaseñor Aguilar A01062500
Luis Alberto Ramírez García A01062572
Pedro Méndez Montejano A01063026
Patrick Michael Murphy Ríos A01083610

Due Date: May 3rd, 2010


INDEX

Introduction

What is 802.1x?

Functionality of the protocol

Constructing the solution

Configuring the DNS server

Configuring the Domain Controller

Configuring the DHCP server

Configuring IAS server

Configuring the Certification Authority

Adding users and computers to the domain

Adding groups to the domain

Configuring RADIUS client in the server

Creating the Certificate in the CA

Configuring Remote Access Policies for the RADIUS client

Configuring the Authenticator device (switch)

Configuring the supplicants (clients)

Conclusion

INTRODUCTION
Security has become a very important issue in the communications that take place
inside a company and in the external environment that surrounds it. Every day hundreds
or maybe thousands of operations are carried out by the employees who work for it, and
these operations need to comply with certain standards to ensure they are secure
and that the information they handle travels safely through the network in which
these transactions are completed.

Managing this security concept can become a problem if there is no knowledge
about the new technologies and the services they can provide when they are well
used. During the execution of this final project we (the whole team) figured out
what the IEEE 802.1x standard can do to facilitate the administration of connections
to a company network, and how it makes those connections secure by validating
that a device has been accepted beforehand.

First we had to research the elements needed to implement the standard as a
solution to the problem presented at the beginning of the semester. Once the
research was finished we started to implement every element as a part of the
whole scheme. We encountered several problems that we had to solve, but as time
passed we came to understand a good number of details regarding the installation
of the components of the infrastructure.

This document first presents a short overview of the 802.1x standard, as a
framework for understanding the purpose of implementing it as the final project.
Then we give a step-by-step description of the installation of every component of
the solution.

By the end of this document we expect the reader to have a general idea of what
it takes to build the scenario that secures a network with this standard, and
perhaps to be capable of trying to implement it on their own.

What is 802.1x?

802.1x is an IEEE standard for port-based network access control. It provides an
authentication mechanism for devices wishing to connect to a network, meaning a
LAN or a WLAN. In its basic form it works with the Extensible Authentication
Protocol (EAP).

The infrastructure in which this standard operates is composed of three entities: a
supplicant, an authenticator and an authentication server. Each of these three
components has well-defined functions, and when they are put together to reach
the final goal, a device will be able to access the network only if they are correctly
configured; otherwise the equipment will reject the connection.

The supplicant is the device that wants to connect to the network; we can see it as
the client, and it can be a laptop, for example. On some occasions the term “supplicant”
is also used to refer to the software inside the client that holds the configuration
and is responsible for giving the credentials to the authenticator.

The authenticator is a network device, an Ethernet switch or an access point, and is
responsible for relaying the credentials given by the supplicant to the
authentication server so the authentication can proceed. Finally, the authentication
server is the equipment running software that supports RADIUS and EAP. We
will describe what RADIUS is later in this document.

In this scenario the authenticator keeps the client from accessing the network until it is
identified as who it claims to be, and only if its access is permitted. For this
authentication the client provides certain credentials, such as a user name with its
corresponding password, or certificates, to the authenticator, which then passes them
to the authentication server. If the authentication server validates these credentials
the client is granted access to the secure side of the network; if not, it will not
be able to connect.

Functionality of the protocol

The authentication process carried out by the different devices is as follows:

-Initialization: When a new supplicant is detected requesting access to the network,
the switch port the client is connected to changes its status to unauthorized; it then
only allows 802.1x traffic through and drops every other kind of packet.

-Initiation: Once the process starts, the authenticator sends EAP-Request Identity
frames to a special Layer 2 address on the local network segment. The supplicant
listens on this address, and when it receives the frames it responds with an
EAP-Response Identity frame containing an identifier for the supplicant (a user ID,
for example). The authenticator encapsulates this information in a RADIUS
Access-Request packet and sends it to the authentication server.

-Negotiation: The authentication server replies to the authenticator with a RADIUS
Access-Challenge packet containing an EAP Request that specifies the EAP method
to be used to complete the procedure. The authenticator encapsulates the EAP
Request and transmits it to the supplicant. At this point the client can either answer
with the method it is willing to perform or start the EAP method requested by the
server.

-Authentication: If the authentication server and the supplicant agree on an EAP
method, EAP Requests and EAP Responses are exchanged between them through the
authenticator until the authentication server responds with an EAP-Success or an
EAP-Failure message. If the authentication is successful the authenticator sets the
port to the authorized state and normal traffic is allowed; if not, the port remains
unauthorized. When the supplicant logs off it sends a log-off message to the
authenticator, which sets the port back to the unauthorized state, waiting for the
next connection. The message the server sends to close the process is a RADIUS
Access-Accept packet or a RADIUS Access-Reject packet.
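The four phases above as a runnable model, added here as an example and not taken from the report: it builds real EAPOL and EAP frames (IEEE 802.1X and RFC 3748 wire format) and a simplified authenticator port that drops every non-EAPOL frame until the authentication server answers Access-Accept. The AuthenticatorPort class and the run_session helper are this example's own assumptions; the RADIUS leg is represented only by the server's verdict.

```python
import struct

ETHERTYPE_EAPOL = 0x888E          # the only traffic an unauthorized port lets through
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"  # the special Layer 2 address the supplicant listens on

# EAPOL packet types (IEEE 802.1X) and EAP codes / types (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(pkt_type, body=b""):
    """EAPOL header: Version(1)=1, Type(1), Body-Length(2), then the body."""
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body


def parse_eapol(frame):
    _version, pkt_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    return pkt_type, body


def parse_eap(body):
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length != len(body):
        raise ValueError("bad EAP length")
    eap_type = body[4] if length > 4 else None
    return code, ident, eap_type, body[5:length]


class AuthenticatorPort:
    """One switch port (hypothetical model): unauthorized until EAP-Success."""

    def __init__(self):
        self.authorized = False
        self.identity = None
        self.next_id = 1

    def receive(self, ethertype, frame):
        """Initialization rule: only EAPOL passes while the port is unauthorized."""
        if ethertype != ETHERTYPE_EAPOL:
            return "forward" if self.authorized else "drop"
        pkt_type, body = parse_eapol(frame)
        if pkt_type == EAPOL_START:          # Initiation: ask the supplicant who it is
            eap = build_eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            self.next_id += 1
            return ("eapol", build_eapol(EAPOL_EAP_PACKET, eap))
        if pkt_type == EAPOL_LOGOFF:         # log-off: back to the unauthorized state
            self.authorized, self.identity = False, None
            return "unauthorized"
        if pkt_type == EAPOL_EAP_PACKET:
            code, _ident, eap_type, data = parse_eap(body)
            if code == EAP_RESPONSE:
                if eap_type == EAP_TYPE_IDENTITY:
                    self.identity = data.decode("utf-8", "replace")
                # every EAP-Response is relayed to the server inside a RADIUS Access-Request
                return ("radius-access-request", self.identity, body)
        return "drop"

    def server_result(self, radius_code):
        """Authentication: Access-Accept opens the port, anything else keeps it closed."""
        self.authorized = radius_code == "Access-Accept"
        code = EAP_SUCCESS if self.authorized else EAP_FAILURE
        return ("eapol", build_eapol(EAPOL_EAP_PACKET, build_eap(code, self.next_id)))


def run_session(identity, server_decision):
    """Walk one supplicant through the four phases; returns the observed events."""
    port = AuthenticatorPort()
    ip_frame = b"\x45" + b"\x00" * 19        # constructed stand-in for an IPv4 packet
    events = [port.receive(ETHERTYPE_IPV4, ip_frame)]             # Initialization: dropped
    _, frame = port.receive(ETHERTYPE_EAPOL, build_eapol(EAPOL_START))
    _, ident, _, _ = parse_eap(parse_eapol(frame)[1])
    events.append(("eap-request-identity", ident))
    resp = build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    events.append(port.receive(ETHERTYPE_EAPOL, build_eapol(EAPOL_EAP_PACKET, resp))[:2])
    _, frame = port.server_result(server_decision)    # Negotiation omitted: verdict only
    code = parse_eap(parse_eapol(frame)[1])[0]
    events.append("eap-success" if code == EAP_SUCCESS else "eap-failure")
    events.append(port.receive(ETHERTYPE_IPV4, ip_frame))         # forwarded only if authorized
    events.append(port.receive(ETHERTYPE_EAPOL, build_eapol(EAPOL_LOGOFF)))
    events.append(port.receive(ETHERTYPE_IPV4, ip_frame))         # dropped again after log-off
    return events


if __name__ == "__main__":
    print(run_session("alice", "Access-Accept"))
```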

CONSTRUCTING THE SOLUTION

Now that we understand how the standard works we can proceed to implement the
solution with all the elements needed to reach the level of security the protocol is
meant to provide. First we enumerate the parts that compose our solution:

-DNS server with Active Directory

-DHCP server

-IAS server

-Domain Controller

-Switch functioning as the RADIUS client for the server

-Configuration for the RADIUS client in the server

-Certificate Authority in the server

-Switch configured to pass 802.1x authentication traffic

-Client configured to use authentication to connect to the network and providing
remote access to the server

In general, the equipment used to support this whole infrastructure is presented in
the following list:

-Dell PowerEdge 800 server holding the DNS server, the IAS server, the DHCP
server and the domain controller.

-Cisco Catalyst 2950 switch as the authenticator for the project.

-Clients mounted on virtual machines with Windows XP and Windows Server, and
physical machines with Windows 7, as the supplicants.

Now we describe how each of these components was implemented by the members
of the team.

Configuring the DNS server

The first component we are going to install is the DNS server. To do this we
open the menu and select the “Manage your server” option:

Figure 1. “Manage your server” Window

Once there we are going to select the option “Add or remove role” in order to add
the new DNS server and configure it on this equipment:

Figure 2. Selecting the DNS server as a new role

A message announcing that the wizard for the installation of the DNS server is about
to begin will appear, so we accept. When the wizard starts it will ask you to insert
the installation CD to copy some files that were not used during the installation of
the OS, and once you do that it will probably ask you to change the server's IP
address to a static one instead of a dynamically assigned one.

Figure 3. Assigning a static IP to the server

By default the DNS server IP address takes the value of the IP we are assigning
to the server, because the DNS is going to be configured on the same equipment.
When the wizard finishes we can check whether the installation is complete by going
to the Administrative Tools window, where we can see whether the DNS appears as an
installed component.

Configuring the Domain Controller

Next we are going to create the Active Directory with the Domain Controller in our
server; these elements are the ones that will allow us to manage the users
and computers able to access the network, because they control the lists of
admitted equipment and users. To start creating this part we open the “Manage
your server” menu; once there, as in the first part, we select “Add new role” and
then the Active Directory option:

Figure 4. Selecting Domain Controller to be installed in the server

Again, a notice will list the components that are going to be installed, and we
accept. The wizard to create the Active Directory appears and we click “Next”.

Figure 5. Starting the Active Directory creation wizard

We are going to select the first option that says “Domain controller for a new
domain”:

Figure 6. Selecting domain type

Figure 7. Specifying kind of domain to new creation

We select the option “Domain in a new forest” because at this moment we haven't
created a domain of any kind, so there is no other option; if we had created other
domains we could add this controller to one of them, but that is not the case. We
have to specify the full name for the domain in the following format: name.com or
name.org, for example. Once we have named the domain it can take a moment to
validate this name as the identifier of the new domain, so you have to be patient.

Figure 8. Naming the new domain

After this we type the NetBIOS domain name; as a recommendation, the best thing
is to name it after the first part of your domain so you can easily identify it.

Figure 9. NetBIOS domain name

We leave the default options for the location where the database of the domain
will be created; if we were going to manipulate or use this information heavily we
could change the location, but as this is not the case we leave them there. After
all of these steps are finished a window with the summary of the process is
displayed, and it will say that there is a problem with the installation. This is
really common, because it is like the question “what came first: the egg or the
hen?”, applied here to “what came first: the DNS server or the Active Directory?”.
I know it might sound stupid, but even books published by Microsoft say this.

You have to select the option “Install and configure DNS server on this computer,
and set this computer to use this DNS server as its preferred DNS server”. Then
you select the compatibility permissions for the machines that will form part of
the domain:

Figure 10. Selecting permissions for machines in the domain

Finally we have to enter the restore mode password, so that when the server
restarts we can log in with this new password:

Figure 11. Restore mode password

A new summary describing the whole configuration is displayed, and when we
accept it the domain configuration will start; this might take a while, so you have
to be patient:

Figure 12. Configuring the Domain

When the wait is over you will receive a new message saying the domain was
successfully installed.

Figure 13. Finishing the Active Directory creation wizard

The new configuration needs to be applied to the server so we have to restart the
equipment.

Configuring the DHCP server

Now we need to configure a DHCP server, which will perform the task of giving
IPs to the clients that have been authenticated and accepted into the network. To
do this we enter the “Manage your server” menu and then “Add or remove a role”.

As with the first two components we installed, this displays the window where we
select the DHCP server role; we click on it and then “Next”, and a summary of what
is going to be installed is displayed. The wizard starts and asks for a name and a
description for the new scope we are going to give this server:

Figure 14. Name and description for the DHCP server

Then the wizard continues and asks for the range of IPs the server is going to
distribute among its clients:

Figure 15. Range of IPs for the DHCP server

When we click “Next” a window appears asking for the range of IPs you don't want
to distribute; in this case we are not going to have exceptions, so we click “Next”.
After this a window appears in which you can select the amount of time a client
will be able to hold an IP and use it:

Figure 16. Selecting the valid time for an IP to be used

After this is done, the wizard asks you to specify the name of the domain and the
IP of the DNS server you will be using with this DHCP server.

Figure 17. Integrating the DHCP with the DNS and the domain controller

If you are using a WINS server you can also integrate it with the DHCP, but in our
scenario we are not going to use a WINS server, so we skip that part. Finally you
activate this scope from the moment you finish, and the DHCP server creation
wizard is complete.

Configuring IAS server

To configure the Internet Authentication Service in the server we go to Control
Panel, Add or remove components and Add or Remove Windows Components.
Once there we select Networking Services, but before clicking “Ok” we need to
view the “Details”, so we click on that button and select the IAS service so it can
be installed. Now we can click “Ok” and the installation wizard will begin. In this
case it is going to happen really fast and you don't configure anything; you just
have to wait.

If you want to check that it was done correctly, go to “Administrative tools” and
select “Internet Authentication Service”. You will see the window where you will
later configure some things:

Figure 18. Internet Authentication Service Window

Configuring the Certification Authority

To configure the Certification Authority (CA) in the server, you need to go to
Control Panel, Add or remove components and Add or Remove Windows
Components. Once there you select Certificate Services and begin the installation.
A warning will appear saying that after you create the CA you will not be able to
change the names of the CA or the Active Directory, because a binding between
them is made, and if you change the name of either of them you will corrupt the
association that exists in the equipment, so you have to be careful with what you
are going to do:

Figure 19. Warning to prevent changes in the names of the CA or the AD

When the wizard starts we have to select the kind of CA we want to create; in
our case it will be of the type “Enterprise root CA”, which is the most trusted and
powerful kind of CA we can install:

Figure 20. Selecting the type of CA to be installed

We assign a name for the CA and then we click “Next”:

Figure 21. Naming the CA

After this the wizard asks for the location where the certificates will be stored;
again, I recommend leaving the default configuration in order to prevent
malfunctions later in the process, especially if you are not an expert at changing
configurations and creating new settings.

When the process is finished you can go to the Start menu, Administrative tools,
Certification Authority and there you will find the CA you’ve just created.

Adding users and computers to the domain

In order for clients to have access to the network we need to validate them in the
domain, so we need to create accounts for them as users and also for their
computers. To do this we go to the Start menu, Administrative tools, and select
Active Directory Users and Computers. Once there we can create the profiles we
want to add to the domain.

Figure 22. Active Directory Users and Computers window

To create a new user we right-click on the Users container and select New User.
Here we provide the user account data: first the name and then the login user
name that will be used by the client we are adding to the domain.

Figure 23. Adding a user to the domain

We specify the password for that account, its properties and click “Next”:

Figure 24. Password selection and its properties

A summary with all the details is displayed and the user is created. Creating an
account for a computer is pretty much the same procedure: we right-click on the
Computers container and select New Computer.

The information here needs to be more precise because it is going to link the
equipment to the domain. We need to write the computer name of the client exactly
as it is specified on the client's computer, so I recommend that you look it up
first on the machine you are adding to the domain.

Figure 25. New computer to the domain window

In our case we are adding a computer named “VAIO1”, so we write exactly that
name and no other. We click “Next” and the computer is added.

Adding groups to the domain

This part is very simple, but we are still going to describe what has to be done. A
group is a list of objects that share some common policies or permissions, which
give them the power or capacity to act in a certain way. In our scenario the group
we create will be the one whose users and computers are allowed to authenticate
to get access to the network.

We go to the Active Directory tree and enter the Users folder. There we
right-click and select New Group.

Figure 26. New group window

Once we finish creating this group we can add users to it by going to the
Members tab and selecting Add, after which the window for the new users opens:

Figure 27. New Users window

The same action is performed if we want to add the computer to the group of
members permitted in the domain.

Figure 28. User and Computer added to the domain

Configuring RADIUS client in the server

Earlier in this document we presented the concept of RADIUS and said we would
define it later; well, the moment has come and it is time to describe what RADIUS
means. First of all, the letters stand for Remote Authentication Dial In User
Service. It is a networking protocol that provides centralized Authentication,
Authorization and Accounting (AAA). This protocol manages whether a device is
granted access to a network or rejected, based on its response to the challenge
posed by the authentication server.

To create the new RADIUS client that will be managed by the server we go to
the Internet Authentication Service console, right-click on RADIUS Clients and
select New RADIUS Client:

Figure 29. Configuring the IP for the RADIUS client

In this case the RADIUS client will be in our server to manage the incoming traffic
regarding requests made by a client connected to the switch, so we have to enter
the IP of the server where we installed the IAS service.

Then we have to select the type of device we are going to use; in our case it will
be a Cisco switch, model 2950, so the relation has to be established with a Cisco
device. We also type the shared secret the devices use to communicate with each
other:

Figure 30. Selecting the device specification

And then we finish the creation of this new RADIUS client in the server.
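RADIUS as described above, in an added example that is not part of the original report: the authenticator (the RADIUS client) wraps the supplicant's EAP-Response in an Access-Request, and the Access-Accept it gets back is only trusted if its Response Authenticator verifies under the shared secret (RFC 2865), so a secret typed differently on the two sides fails closed. The secret "CISCO" and the addresses 192.168.1.1 and 192.168.1.99 are the report's values; the helper names and the sample user are this example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80   # RFC 3579 (EAP over RADIUS)


def attr(atype, value):
    """RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, secret, user_name, eap_response, nas_ip, request_auth=None):
    """Authenticator side: Access-Request carrying the EAP-Response in EAP-Message.
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user_name.encode())
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_response)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac        # Message-Authenticator is the last attribute in pkt


def request_message_authenticator_ok(pkt, secret):
    """Server side: recompute the HMAC with the secret configured for this client."""
    zeroed = pkt[:-16] + bytes(16)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[-16:])


def build_response(code, request_pkt, secret, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 section 3)."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request_pkt, secret):
    """Client side: accept a verdict only if the Identifier matches the outstanding
    request and the Response Authenticator verifies. Returns the RADIUS code or None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request_pkt[1]:
        return None
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_pkt[4:20] + attrs + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def exchange(client_secret, server_secret, server_grants=True):
    """One round trip between the switch (192.168.1.99) and the IAS server (192.168.1.1).
    Returns the verdict the client trusts, or None when the secrets do not agree."""
    eap_identity_response = bytes([2, 1, 0, 10, 1]) + b"alice"   # constructed EAP-Response/Identity
    request = build_access_request(ident=42, secret=client_secret, user_name="alice",
                                   eap_response=eap_identity_response, nas_ip="192.168.1.99",
                                   request_auth=bytes(range(16)))  # fixed only for reproducibility
    if not request_message_authenticator_ok(request, server_secret):
        return None           # a server discards requests it cannot authenticate
    code = ACCESS_ACCEPT if server_grants else ACCESS_REJECT
    response = build_response(code, request, server_secret)
    return verify_response(response, request, client_secret)


if __name__ == "__main__":
    print(exchange(b"CISCO", b"CISCO"))   # 2 (Access-Accept)
    print(exchange(b"CISCO", b"cisco"))   # None: secrets differ
```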

Creating the Certificate in the CA

If we see our scenario as a small number of devices trying to get access to a
network, it might seem viable to request certificates manually for each of them.
But when we talk about a bigger scenario (for example a company with hundreds
or thousands of employees, each with a computer connected to the network), the
idea of manually requesting and handing out certificates to each client no longer
looks so attractive, so why not create a certificate that is automatically given to
all of the computers accepted into the domain?

This last idea is possible, and it is actually really useful because it facilitates the
work of the network administrator. We are going to explain how the certificate can
be given automatically to each of the users in the domain.

We go to the Start menu, select Run and type mmc. Then we go to File and
select Add/Remove Snap-in. We click Add and then select Certificate Templates:
Figure 31. Adding a new Certificate template

After we have added the Certificate Templates snap-in we go to the left pane,
where all the templates are displayed once we click on Certificate Templates, and
select the User template:

Figure 32. Selecting the template we will use as a certificate

In the Action menu we select Duplicate template to create a new certificate
template with the characteristics we will need later in the configuration of the
standard:

Figure 33. Configuring our certificate’s name

When we write the name we have to check that the option “Publish certificate in
Active Directory” is selected, because this gives us the possibility of auto-enrolling
the users permitted on the network. Then we go to the Security tab and select the
Read, Enroll and Autoenroll permissions for the certificate:

Figure 34. Configuring the certificate’s security options

Once we finish with this we go to the Certification Authority console: Start menu,
Administrative tools, Certification Authority. We expand the CA folders and select
the Certificate Templates folder in order to add the template we have just created.

We select the Action menu and then we click on the New option to select the
certificate we created in the last steps:

Figure 35. Adding the certificate template

Then we go to the Active Directory Users and Computers console (Start menu,
Administrative tools, Active Directory Users and Computers), right-click on the
name of the domain, click Properties and then the Group Policy tab to change the
default policy created for this domain.

Figure 36. Changing the default policy for the domain

We need to display the public key policies, which are reached through the following
path: Computer Configuration, Windows Settings, Security Settings, Public Key
Policies. Once we get to this point we are able to configure the autoenrollment
settings, so we click on that option and select “Enroll certificates automatically” as
well as its two sub-options regarding the renewal of certificates and the updating
of certificates and of the templates used.

Figure 37. Configuring autoenrollment for the domain users

Configuring Remote Access Policies for the RADIUS client

After all the steps we have carried out you are probably asking yourself “when are
we going to implement the authentication?”; the answer is: right now. You are
ready to configure RADIUS in the server to authenticate using PEAP. To do this
you go to the IAS console, right-click on Remote Access Policies to create the new
policy, and when you click New Policy a wizard starts:

Figure 38. Creating the remote access policy for the RADIUS authentication

We have to write a name and select that this is going to be a custom policy so we
can configure it as we need:

Figure 39. Naming the new policy

When we click “Next” we are asked for the conditions to be declared in this policy,
so we select that the policy is going to be based on the domain group we created
earlier in this process, named 8021xUsers:

Figure 40. Adding the group to the policy

In the ideal scenario we should also declare that the connections have to be made
over Ethernet, but a problem with the configuration of the switch does not let us do
that: at this moment the connection is made over Fast Ethernet, so if we select
that condition the policy will not work for our scheme.

Then we have to specify that a connection matching these conditions will be
granted access to the network. We could also specify that it has to be denied, but
for our purpose a match means that it is a permitted computer, so it can enter
the network.

Once we have created the conditions we need to specify the protocols that will be
used to authenticate the client. We go to the Authentication tab, select the first
two protocols, and also click on EAP Methods to specify that PEAP will be used for
this authentication:

Figure 41. Selecting the corresponding protocols

When you finish configuring the policy the wizard shows you a summary of the
rules you created, and the configuration is complete.

Figure 42. Finishing the policy configuration wizard

Configuring the Authenticator device (switch)

To configure the switch you need to connect its console port to a PC, or to
whatever equipment you are going to configure the switch from. In this case we
used an ordinary laptop.

The first thing to do is to log in to the switch with the corresponding user name
and password. When you get the command prompt, the first thing you should do is
rename the switch to a name you are familiar with; this is done with the following
command:

set sys name="Authenticator Switch 8021x"

Then you need to define the IP address for the VLAN the switch will use to manage
the requests:

enable ip

add ip int=vlan ip=192.168.1.99 mask=255.255.255.0

After this you need to define a RADIUS server and its shared secret; the server
should be the one you configured earlier in this process, and the secret should be
the one you specified when selecting the vendor of the device:

add radius server=192.168.1.1 secret="CISCO"

Finally you have to enable the authentication service on each port of the switch, or
at least on the ones you want to use; this is done with the following commands:

enable portauth

enable portauth port=<port number> type=authenticator

You perform this action for every port, and when you complete this task the switch
should be able to function as an authenticator for your infrastructure.

Configuring the supplicants (clients)

When configuring the client the first thing you should know is that it has to be
declared as a member of the domain and once you are sure this has been done
you can proceed with the configuration.

The client should be connected to the switch through a port that does not require
authentication. Why? Because the first time it connects it has to receive the
certificates it will use to negotiate the connection on the following occasions. The
IP should not be a problem, because we have installed a DHCP server and it will
provide an IP for the client.

When it gets an IP we can proceed to enroll it in the domain. To do this we go to
the Start menu, right-click on My PC and select Properties. Once there we go to the
Change option, select the Domain area, write the name of the domain and click “Ok”.

A window should pop up and ask for the credentials to get access to the domain,
we write the credentials and then click “Ok”. We have to restart the equipment and
when it turns on again it will be enrolled in the corresponding domain.

This was just the first part; once the client has access to the network we can
configure the authentication options so that it is capable of negotiating the
credentials with the authenticator and the server.

We go to the Start menu, Control Panel, Network and Internet Connections, Internet
Connections, and then select the Authentication tab to specify the algorithms to be
used. The options that have to be selected are “Enable IEEE 802.1x authentication
for this network”, with the EAP type set to “PEAP”. We save this configuration, and
it should be enough to meet the requirements declared in the policy stated before.

CONCLUSION

Developing this project gave us an idea of the importance of having a secure
infrastructure in a company. Now we know for sure that it is something that does
not require too much configuration. After you practice a lot you realize that it is
very simple, and it can be achieved easily if you are aware of the conditions in
which you want to implement this framework.

With this project we found that companies can make their communications more
secure, and this is something very valuable because it gives a certain reputation to
the enterprise that implements the solution; we say this because the company will
be seen as an entity that cares about the information it manages, and society will
count this as a plus for the services the company offers.

We certainly ran into a lot of details when configuring the server and the switch,
but in the end we learned from all of that, and that learning is something very
important to us.

As for the technical part, we can say that this is now a secure way of connecting
to a network, but a few years from now the security it provides will be broken, and
people will need to find new methods or stronger algorithms to secure their
communications.

802.1x has proved to be a very powerful standard for security within a network,
not just in wired networks but also in wireless ones, so it would be interesting to
transport this scenario to a wireless one. We have probably just found something
to do during the summer.
