
.

- ,


9.1

, , .


,

IP.
? ,
. ,
. , :

:
:
o ()
o ()

:
, ( , )

: ,

:
Chapter 9 - 1

.- ,

?
. :

(eavesdrop):

(insert)

IP
(spoof)

hijacking:

denial of service:
( ,
), .

,
( ),

.
OSI. 9.1
OSI.
.
Figure 9.1: security mechanisms placed on the OSI layers (firewalls, virus scanning; IPSec (VPN); 802.1X, WPA, WEP)


),

( 6) .
-- (hop-by-hop)
MAC ,
--.
a ( ).


, IP

.
,
.

9.2

. IP
:

Web (Web )

( )



( ,
).

9.3

, ()

(Authentication, Authorization, Accounting)

AAA , :
, () . ,
:
,
, ,

.

: (Remote Dial-In Remote Access Service) RADIUS ),
TACACS+ (Terminal Access Controller Access Control System plus),
DIAMETER.

9.3.1 TACACS+
TACACS+ (Terminal Access Controller Access Control System plus)
TACACS, . TACACS UDP
a , TACACS+ TCP
TACACS ( XTACACS
TACACS , Cisco)
,
,
. ,


, IPSec
(, ) .
TACACS+
. TACACS+
,
, ,
, ,

.

9.3.2 RADIUS
RADIUS (Remote Dial-In Remote Access Service) dial-up
. / ,
RADIUS RADIUS .
RADIUS AP (Access Point)
RADIUS .
RADIUS
. , (Network Access
Server NAS) (,
), RADIUS

RADIUS . RADIUS
, , challenge response (
RADIUS ).

AAA RADIUS , RADIUS


,
( ). RADIUS
/-


RADIUS
.
RADIUS UDP .
UDP
RADIUS . RADIUS
, ,
RADIUS (
).
TCP . ,
UDP RADIUS
. ,
RADIUS
( TCP).
IP ( , )
RADIUS AAA ,
AAA.

9.3.3 DIAMETER
DIAMETER RADIUS .
peer-to-peer ( )
, / ,
RADIUS .

DIAMETER .
DIAMETER
, RADIUS
. DIAMETER RADIUS

( : IPv6 , Mobile IP, .).
DIAMETER RADIUS
RADIUS ,



. DIAMETER ,
RADIUS
/ peer-to-peer .
DIAMETER , ,
RADIUS .

9.4

RADIUS
RADIUS AAA

RFC 2865 RFC 2866


RFC 2869. :

/ (NAS)
RADIUS .
RADIUS ,
. RADIUS
,

RADIUS

RADIUS (RADIUS proxy) RADIUS


( ,
ISP).

RADIUS
,
.
RADIUS
RADIUS
.

RADIUS
:
-

PAP (Cleartext Password Authentication Protocol)

CHAP (Challenge Handshake Authentication Protocol)



Challenge Response

EAP (Extensible Authentication Protocol)

RADIUS

.
RADIUS UDP .
UDP TCP TACACS+
RADIUS ,
RFC 2865 .
RADIUS RADIUS
.(
).
TCP, . TCP .
, (
) UDP

UDP

multithreading RADIUS (
). RADIUS
UDP . RADIUS UDP
1812
1813 . RADIUS
1645 1646 (
). RADIUS
9.1. , RADIUS
Access Request ( ) RADIUS
Access-Accept Access-Reject .

Figure 9.1: RADIUS message exchange between the Network Access Server (RADIUS client) and the RADIUS server: Access-Request, Access-Challenge, Challenge Reply, Access-Accept / Access-Reject, Accounting-Request, Accounting-Reply

Figure 9.2: RADIUS packet format
RADIUS 9.2
1 ,
.
9.2.
1
. RADIUS
, UDP
.
,
( 20 4096).


16
.
Request Authenticator (
) Access-Request,
Access-Accept, Access-Reject Access-Challenge
Response Authenticator ( ).
Message Digest Algorithm (MD5),

RADIUS RADIUS .

Code | Message
---- | ----------------
     | Access-Request
     | Access-Accept
     | Access-Reject
     | Accounting-Request
     | Accounting-Response
11   | Access-Challenge
12   | Status-Server
13   | Status-Client
255  | Reserved

Table 9.2: RADIUS message codes

,
. RFC 2865 60

.

.


9.4.1 RADIUS
RADIUS Access-Request
,

. .
User-Password

.

Access-Request .
Access-Accept .
Access-Reject .
Access-Accept Access-Reject
Access-Request
.

9.4.2 RADIUS
RADIUS
RADIUS , ,
.
.
.
,

.
.
Access-Accept
,
.


Access-Reject
.

9.4.3 RADIUS
RADIUS
RADIUS . RADIUS


. RADIUS RADIUS
- . (NAS),
RADIUS .
: ,
. (RADIUS)

.
RADIUS
Accounting Start
(. NAS
NAS). . RADIUS
(.
1-4096 ).
Accounting Stop
,
. RADIUS AccessResponse RADIUS
. RADIUS RADIUS UDP
. UDP 1646,
1813
.
RADIUS ,
.


9.4.4 RADIUS
RADIUS
.

FreeRadius open source RADIUS Linux

IAS (Internet Authentication Services) Microsoft RADIUS

Cisco Secure RADIUS Cisco

RADIUS open source


, ,
. RFC 2865 2866 RADIUS. FreeRadius
open source RADIUS .
RADIUS
, FreeRadius ,
.

9.5

802.1X EAP
IP 802.1X

EAP. 802.1X IP ( ,
),
. 802.1X
, ,
:

, EAP- Transport Layer Security


[EAP-TLS]

, EAP- One Time


Password [EAP-OTP], EAP Message Digest 5 [EAP-MD5]


-, AP Subscriber
Identification Module [EAP-SIM].

, EAP Tunnelled TLS Authentication Protocol


[EAP-TTLS] .

EAP , Cisco LEAP [Lightweight EAP]

802.1X EAP,
( RFC 2284) (.
Ethernet) .
IEEE 802.1X
, , , IEEE
802.1X .
, (
: WEP, 3DES AES).
TLS.

9.5.1 802.1X
IEEE 802.1X ,
9.3.
. ,
dial-up .
(PAE Port Authentication Entities)
.
, .
,
RADIUS . 802.1X ..
,
.
DHCP
.


Figure 9.3: 802.1X architecture: Port Authentication Entities (PAE) on both ends, EAP over LAN (EAPOL) / EAP over Wireless (EAPOW) on the client side, EAP over RADIUS towards the server

Figure 9.4: 802.1X message exchange between the 802.11 client, the access point and the RADIUS server:
1: 802.11 Association Request
2: 802.11 Association Reply
3: EAPOW-Start
4: EAP Request/Identity
5: EAP-Reply/Identity (client to AP) / RADIUS-Access-Request (AP to RADIUS server)
6: EAP-Request (AP to client) / RADIUS-Access-Challenge (RADIUS server to AP)
7: EAP-Reply/Credentials (client to AP) / RADIUS-Access-Request (AP to RADIUS server)
8: EAP-Success (AP to client) / RADIUS-Access-Accept (RADIUS server to AP)
9: EAPOW Key (WEP)

, .
EAP

.
, EAP
LAN (EAPOL) EAP WLAN (EAPOW),
RADIUS EAP RADIUS. ,

802.1X, EAP
IP ( : , ).
EAP (, RADIUS)

.
AP firewall
. RADIUS
RADIUS , .
RADIUS
,
. EAPOW-Key
. 802.1X , EAP
. IP
802.1X
. IP
(, ,
). 802.1X.

EAP ( EAP-MD5). NAS

EAP

.
802.1X AAA , RADIUS
.

9.5.2 EAP Extensible Authentication Protocol


802.1X EAP . P


(PPP Point-to-Point-Protocol). EAP


peer-to-peer
. ,
PPP 802.11 ( 4). EAP
, RADIUS
. RADIUS
.

EAP

: EAP-MD5, EAP-TLS, EAP-TTLS, LEAP, PEAP, EAP-FAST EAP-SIM. EAP ,


. .

Figure 9.5: 802.1X/EAP protocol stack: EAP methods (MD5, TLS, TTLS, LEAP, PEAP, FAST, SIM) over EAP, over 802.1X, over PPP or 802.11
EAP MD5
EAP-MD5

Challenge Handshake Authentication Protocol (CHAP),


EAP 802.1X .
EAP
.
.
EAP TLS
EAP-TLS (TLS-Transport Layer Security) e
. TLS
. SSL Secure Socket Layer ( ),
(,
). EAP TLS Windows XP, Windows
2000 Windows 2003 .

. EAP-TLS
.
EAP TLS
EAP-TLS EAP-TLS TLS
. EAP-TLS
RADIUS .
,

TLS . TTLS
: PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card EAP.

, EAP-TTLS
Protected EAP (PEAP).
LEAP
Cisco
EAP , LEAP Light EAP. LEAP
, Cisco .

EAP 802.1X . LEAP MS-CHAPv1 ,
,
.
.
PEAP
Protected EAP (PEAP)
( )
EAP . ( EAPTTLS) TLS
. PEAP TTLS, IP
. EAP
PPP, 802.1X.
,

. :
, ,
,
. EAP
PEAP. PEAP EAP TLS.
EAP PEAP
. PEAP ()
. PEAP e Cisco,
Cisco Microsoft.
PEAP v2

PEAP. PEAPv2,
MS-CHAPv2, .
EAP-FAST
EAP-FAST
EAP-TLS . PEAP
TLS.
EAP-FAST
,
. EAP-FAST
MS-CHAPv2 PEAPv2. EAP-FAST
IETF Cisco,

Cisco IP .
EAP-SIM
EAP-SIM EAP

GSM

Subscriber Identity Module (SIM) . SIM GSM


.
GSM/GPRS .


9.5.3

EAP

802.1X/EAP

EAP
.

.
P-MD5 ,
,
.
EAP-TLS
, RADIUS ,
RADIUS . EAP-TLS
CA Certification Authority
. .
TTLS PEAP, PEAP
,
Cisco Microsoft.
, LEAP,

(Cisco),
. IP ,

. .
EAP-FAST LEAP
, ( IETF),
LEAP,
PEAPv2 IETF.


Figure 9.7: 802.1X with PEAP protocol stack: PEAP / EAP / EAPOW over 802.1X on 802.11 (WPA; WEP) or 802.3, Fast Ethernet, T1; RADIUS over UDP over IP


IP
802.1X/EAP PEAP (
). 802.1X PEAP
9.7.
