Configuration and application of a RADIUS authentication server (802.1x)
Author: Jiangnan, School of Information Technology, Beijing Normal University Zhuhai branch
Environment: Windows Server 2003 RADIUS server + Cisco Catalyst 2950 switch + Windows XP/2003 clients
IEEE 802.1x protocol
IEEE 802.1x is a port-based network access control protocol. Its authentication architecture splits each access port into a logical "controlled port" and "uncontrolled port", which separates authentication traffic from service traffic and keeps forwarding efficient. The IEEE 802 LAN standards dominate local area networking, but a traditional IEEE 802 LAN provides no access authentication: anyone who can plug into an access device such as a hub or switch can reach the resources of every other device on the LAN. That is a security risk, and it makes the users connected to the LAN hard to manage. IEEE 802.1x authenticates and controls access devices (mainly computers) at the physical access layer of the LAN. If the device connected to a switch port passes authentication, the user can reach resources on the LAN and external networks such as the Internet; if it fails, the user can reach neither, which is equivalent to being physically disconnected.
IEEE 802.1x carries the authentication exchange with the existing Extensible Authentication Protocol (EAP), which the IETF originally defined as an extension of PPP, and it is also the authentication framework used for IEEE 802.11 wireless LANs. Although 802.1x defines port-based network access control, in practice it applies only to a point-to-point connection between an access device and an access port. The port can be a physical port or a logical port. There are two typical deployments: one in which a physical Ethernet switch port connects exactly one computer, and one in which clients join through a wireless LAN (WLAN). The former is based on physical ports, the latter on logical ports. Almost all Ethernet switches now support IEEE 802.1x.
RADIUS server
A RADIUS (Remote Authentication Dial In User Service) server provides three basic functions: authentication, authorization and accounting, collectively known as AAA. Accounting is also called "auditing" or "billing".
RADIUS works in client/server (C/S) mode. The Network Access Server (NAS), here the switch, is the RADIUS client: it forwards the user's authentication information to the configured RADIUS server and acts on the response. The RADIUS server receives connection requests, verifies the user's identity, and returns the information the client needs to serve the user; it can also act as a proxy client toward other RADIUS servers or other types of authentication server. Client and server share a secret that is never sent on the wire. It is used to compute the Response Authenticator, an MD5 digest that lets the client verify that a reply really came from the server for the request it sent, and to hide the user password in Access-Request packets. Only the password attribute is hidden; the rest of the packet, including the user name, travels in clear text, so RADIUS traffic should be kept on a trusted management network and the shared secret must be long and random.
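The following script, added here as an illustration and not part of the original article, implements the RFC 2865 exchange just described: the NAS (the switch's role) builds an Access-Request with a hidden User-Password, the RADIUS server (the role IAS plays in this lab) recovers the password, decides, and signs its reply with a Response Authenticator, and the NAS refuses any reply whose authenticator does not verify. The shared secret, NAS address and user database are constructed assumptions, and nothing is sent on the network. Note that real 802.1x deployments carry EAP inside EAP-Message attributes (RFC 3579) rather than a PAP-style hidden password; the password hiding shown here is what the text above refers to.

```python
"""RFC 2865 Access-Request / Access-Accept exchange between a NAS and a RADIUS
server, built with hashlib only.  Example code added to the article; the secret,
addresses and accounts below are assumptions and no packets leave the host."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3              # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18
HEADER = struct.Struct("!BBH")                                       # Code, Identifier, Length


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same construction."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, counts the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def packet(code, ident, authenticator, attrs_bytes):
    return HEADER.pack(code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    header = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_access_request(ident, username, password, nas_ip, nas_port, secret, request_auth=None):
    """What the switch sends for a user on a given port; returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)     # fresh random Request Authenticator
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, clients, users):
    """RADIUS server: find the NAS's secret, recover the password, decide, sign the reply.
    clients maps NAS IP -> secret, users maps name -> password (both assumed).  A real
    server keys the client lookup on the UDP source address; here NAS-IP-Address stands in."""
    try:
        if len(request) < 20:
            return None
        code, ident, length = HEADER.unpack(request[:4])
        if code != ACCESS_REQUEST or not 20 <= length <= len(request):
            return None
        request_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
        nas = attrs.get(NAS_IP_ADDRESS, b"")
        secret = clients.get(socket.inet_ntoa(nas)) if len(nas) == 4 else None
        if secret is None or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return None                                # RFC 2865: silently discard
        password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    except ValueError:
        return None
    stored = users.get(attrs[USER_NAME].decode("utf-8", "replace"))
    ok = stored is not None and hmac.compare_digest(password, stored.encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Authentication failed")])
    return packet(code, ident, response_authenticator(code, ident, reply, request_auth, secret), reply)


def nas_verify_response(response, request_auth, ident, secret):
    """Switch side: accept the reply only if its Response Authenticator checks out."""
    if response is None or len(response) < 20:
        return None
    code, rid, length = HEADER.unpack(response[:4])
    if rid != ident or length != len(response):
        return None
    expected = response_authenticator(code, rid, response[20:], request_auth, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None                                    # forged, corrupted, or wrong shared secret
    return code


# Constructed demo data (assumptions): the switch's address, its shared secret, one account.
SECRET = b"Cisco2950-lab-secret"
CLIENTS = {"172.16.2.1": SECRET}
USERS = {"student1": "Passw0rd!"}


def authenticate(username, password, nas_secret=SECRET):
    """Run the full exchange offline and return the reply code as seen by the NAS."""
    request, request_auth = nas_access_request(7, username, password, "172.16.2.1", 3, nas_secret)
    reply = server_handle(request, CLIENTS, USERS)
    return nas_verify_response(reply, request_auth, 7, nas_secret)


if __name__ == "__main__":
    print(authenticate("student1", "Passw0rd!"))           # 2 = Access-Accept
    print(authenticate("student1", "wrong"))               # 3 = Access-Reject
    print(authenticate("student1", "Passw0rd!", b"typo"))  # None: mismatched secret, reply rejected
```

The third call shows what a mistyped shared secret looks like in practice: the server cannot recover the password and rejects, and the switch cannot verify the Response Authenticator either, so the reply is dropped rather than trusted. The same symptom appears on the 2950 when the `radius-server key` on the switch and the client entry in IAS disagree.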
Composition of IEEE 802.1x Authentication System
A complete IEEE 802.1x-based authentication system consists of three roles: the supplicant (the authenticated client), the authenticator, and the authentication server.
The supplicant is the role played by the end user's device, generally a personal computer. It requests access to network services and answers the authenticator's request packets. The supplicant must run software that conforms to the IEEE 802.1x client standard; the most common example is the IEEE 802.1x client built into Windows XP, and several network equipment vendors ship their own 802.1x client software.
The authenticator is generally an access device such as a switch. Based on the supplicant's current authentication state, it decides whether the port is connected to the network. In IEEE 802.1x each access port is modelled as two logical ports: a controlled port and an uncontrolled port. The uncontrolled port is always open but passes only the EAPOL authentication frames, so the supplicant can talk to the authenticator before it is authenticated; the controlled port carries ordinary traffic and is opened only once authentication succeeds. Users attached through the controlled port therefore reach network resources only after authentication. Switch ports on which 802.1x is not enabled behave like permanently open ports: devices on them, including the authentication server itself, reach the network without authentication, which is how the switch keeps communicating with the RADIUS server.
The authentication server is usually a RADIUS server. It works with the authenticator during the authentication process to provide the authentication service, and it stores user names, passwords, and the corresponding authorization information. One authentication server can serve many authenticators, so users are managed centrally. It also receives and records the accounting data sent by the authenticator. Microsoft Windows Server 2003 ships with a RADIUS server component, Internet Authentication Service (IAS).
Lab Topology
Install the RADIUS server
If the computer running Windows Server 2003 is a stand-alone server (neither promoted to a domain controller nor joined to a domain), user accounts are managed in the local SAM database; if it is a domain controller, they are managed in the Active Directory database. Whether accounts come from the SAM or from Active Directory (the latter being preferable for security and stability), the RADIUS server provides the same authentication function. To keep the experiment simple, we use a stand-alone Windows Server 2003 server as the example. Its IP address is 172.16.2.254.
In Control Panel, double-click Add or Remove Programs and click Add/Remove Windows Components in the dialog that opens.
In the Windows Components Wizard, select the Networking Services component and click Details.
Select the Internet Authentication Service subcomponent, click OK, and then click Next to install it.
Open the Internet Authentication Service console from Administrative Tools in Control Panel.