Network security-port access authentication based on MAC addresses

Source: Internet
Author: User

I previously put together an article on access authentication based on the 802.1x protocol, a common way of securing network access. Its drawback is that the client must run a supplicant (authentication software) before it can be authenticated, so a customer who does not want that trouble and would rather have the service provider handle everything needs another approach. This article introduces a more user-friendly method: access authentication based on the user's MAC address. The principle is that the user's MAC address serves as both the user name and the password. When the user's host sends a frame into the network, the network device takes the source MAC address from it, treats it as the user name and password, and performs the corresponding authentication. The authentication can be performed by the network device itself, or the task can be handed over to an AAA server. Both methods are implemented below; the overall setup is fairly simple, so it is described in detail here.

Network Device local authentication experiment topology:

Experimental equipment: one Huawei S2000 switch and two PCs

Step 1: Set the IP addresses of the two PCs

PC1 -- 192.168.102.100

PC2 -- 192.168.102.200

Before access authentication is configured, test whether PC1 can ping PC2.

Step 2: Configure the access authentication mechanism on the switch, but do not add the local trusted accounts yet, so the two hosts cannot communicate.

Switch configuration:

[Sw] mac-authentication // enable MAC authentication globally, in system view

[Sw] int eth 1/0/1 // enter interface 1

[Sw-Ethernet1/0/1] mac-authentication // enable MAC authentication on interface 1

[Sw] int eth 1/0/2 // enter interface 2

[Sw-Ethernet1/0/2] mac-authentication // enable MAC authentication on interface 2

Test the connectivity of the two machines again by pinging PC2 from PC1.

Step 3: Add two valid local login accounts and passwords (the MAC addresses of the two PCs) to the switch so that the two PCs can pass authentication.

MAC address of PC1: 000C29F4C65A

MAC address of PC2: 3CE5A6CE1891

[Sw] local-user 000C29F4C65A // add local account 1

[Sw-luser-000c29f4c65a] password simple 000c29f4c65a // the plaintext password must be in lowercase

[Sw-luser-000c29f4c65a] service-type lan-access // set the service type to LAN access

[Sw] local-user 3CE5A6CE1891 // add local account 2

[Sw-luser-3ce5a6ce1891] password simple 3ce5a6ce1891 // the plaintext password must be in lowercase

[Sw-luser-3ce5a6ce1891] service-type lan-access // set the service type to LAN access

Test the connectivity of the two PCs again.

This completes the local authentication experiment, but this method only suits small enterprises. For a communications operator it is impossible to store account information on the network devices themselves, so AAA authentication is used to do that work instead. Two kinds of authentication server are covered here: Microsoft IAS and Cisco ACS (which is quite powerful).

The following is the topology to be implemented:

Experimental equipment: one Huawei S2000 switch, two PCs, and one RADIUS server (built on Windows Server 2003)

IP address planning:

PC1--192.168.102.100

PC2--192.168.102.200

SW VLAN-interface 1 -- 192.168.102.253

RADIUS server -- 192.168.102.254

MAC address of PC1: 3CE5A6583E7E

MAC address of PC2: 3CE5A6CE1891

Step 1: Configure the switch

[Sw] mac-authentication // enable MAC authentication globally, in system view

[Sw] int eth 1/0/1 // enter interface 1

[Sw-Ethernet1/0/1] mac-authentication // enable MAC authentication on interface 1

[Sw] int eth 1/0/2 // enter interface 2

[Sw-Ethernet1/0/2] mac-authentication // enable MAC authentication on interface 2

[Sw] int vlan 1 // enter VLAN interface view

[Sw-Vlan-interface1] ip address 192.168.102.253 255.255.255.0 // set the IP address the switch uses to reach the RADIUS server

[Sw] radius scheme radius // create a RADIUS scheme named radius

[Sw-radius] primary authentication 192.168.102.254 // set the primary authentication server address

[Sw-radius] key authentication 123456 // set the shared key for authentication; it must match the key entered on the RADIUS server

[Sw-radius] accounting optional // accounting is optional

[Sw-radius] server-type standard // set the server type to standard RADIUS

Authenticated users are grouped into domains: the host PCs belong to a domain, and the switch comes with a default domain named system, which can be used directly.

[Sw] domain system // enter the domain view

[Sw-isp-system] radius-scheme radius // bind the domain to the RADIUS scheme created above

[Sw-isp-system] accounting optional // accounting is optional

[Sw-isp-system] access-limit enable 10 // limit the number of users authenticated at the same time; adjust as needed
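To make concrete what the switch hands to the AAA server once the scheme above is in place, and the "MAC address as user name and password" principle from the introduction, here is an added Python example that is not part of the original article and not vendor code: it builds the RADIUS Access-Request the switch (the NAS) would send for PC1, hides the password with the shared key 123456 as RFC 2865 specifies, and shows the server-side check that the MAC is a known account. The attribute numbers are the standard RADIUS ones; the NAS IP, MAC addresses and key are the article's values, and the sample packet is constructed here.

```python
import hashlib, os, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4

def password_xor(data, secret, authenticator, hide):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, authenticator):       # NAS side
    padded = password + b"\x00" * (-len(password) % 16)    # null-pad to a multiple of 16
    return password_xor(padded, secret, authenticator, hide=True)

def reveal_password(hidden, secret, authenticator):        # server side; garbage if secret differs
    return password_xor(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value   # Type, Length, Value

def build_access_request(mac, secret, nas_ip, ident=1, authenticator=None):
    # what the switch (NAS) sends: user name and password are both the MAC address
    authenticator = authenticator or os.urandom(16)
    cred = mac.lower().encode()          # password is the lowercase MAC, as on the switch
    attrs = (attribute(USER_NAME, cred)
             + attribute(USER_PASSWORD, hide_password(cred, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(body):
    attrs, i = {}, 0
    while i + 2 <= len(body) and body[i + 1] >= 2:   # length < 2 is malformed: stop
        kind, length = body[i], body[i + 1]
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs

def server_decision(packet, secret, allowed_macs):
    # server side: accept only a known MAC whose password equals its user name
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(USER_NAME, b"").lower()
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    return user.decode(errors="replace") in allowed_macs and password == user
```

A mismatched key on either side makes reveal_password return garbage, so the server rejects the request; this is the failure to look for first when authentication works locally but not via RADIUS.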

Step 2: Set up and configure the RADIUS server. Two options are covered: IAS and ACS.

The setup and configuration of IAS is shown first.

Follow the steps below to open the component installer.

Check "Internet Authentication Service".

Click Next to install.

Open Internet Authentication Service after installation.

After opening it, create a new RADIUS client. Note that the RADIUS client here is the network device, the switch.

Enter the information for the RADIUS client and click Next.

Select the client vendor (the default is fine) and enter the pre-shared key 123456.

Click Finish.

The RADIUS client now appears as shown.

Also note that the "Remote Access Policy" must be modified. If you are unsure, leave only one policy. The result is as follows:


Add the user accounts and passwords: right-click My Computer, choose Manage, and open Local Users and Groups.

Go to the "Users" subitem, right-click and select "New User".

Create the PC1 user.

Create the PC2 user.

Modify both users to allow remote access.

Test: ping PC2 from PC1.

Ping PC1 from PC2.

Next we implement ACS.

Before installing ACS it is best to uninstall IAS to avoid a listening-port conflict. ACS also depends on the Java virtual machine, so a JDK must be installed. JDK 7 and ACS 4.0 are used here; the JDK installation is not elaborated on, simply double-click the installer and click Next through it.

Install ACS.

Adding the other user is done the same way.

Then enable the log access audit function.

Test: ping PC2 from PC1.

Ping PC1 from PC2.

View the ACS log audit.

All the work is now complete. Readers can extend this, for example by implementing authentication across different network segments (everything here is on the same segment, which an enterprise would not do). The above is only a basic learning guide; I hope it helps.
