
Documentation

IEEE 802.1x
Configuration Management
Administration Manual
A31003-J4200-M100-6-76A9

Communication for the open minded

Siemens Enterprise Communications


www.siemens.com/open

Copyright Siemens Enterprise Communications GmbH & Co. KG
Siemens Enterprise Communications GmbH & Co. KG is a trademark licensee of Siemens AG
Hofmannstr. 51, 81359 München, Germany
Reference No.: A31003-J4200-M100-6-76A9


The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Subject to availability. Right of modification reserved. The trademarks used are owned by Siemens Enterprise Communications GmbH & Co. KG or their respective owners.

Contents

1 802.1X Authentication for IP Telephones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 What is 802.1x? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.2 Why is 802.1x important? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.3 Who needs 802.1x? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 IEEE 802.1x Authentication of Telephones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Setting up and Using IEEE 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.1 Connection overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.2 IEEE 802.1X Security How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3.2.1 Overview EAP-TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3.3 Necessary environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3.4 Secondary documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Install the authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2.1 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2.1.1 Linux Solution under SuSE Linux 9.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2.1.2 Microsoft Solution with Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1.3 Cisco Solution with CISCO Secure Access Control Server (ACS) . . . . . . . . . . . . . . 3
2.1.4 Certificate Administration in DLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Flow chart to the introduction of IEEE 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Installation under SuSE Linux 9.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1 Download and install OpenSSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1.1 Download OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1.2 Install OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2 Download and Install FreeRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2.1 Download FreeRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2.2 Install FreeRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.3 Obtaining or creating Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.4 Configure Server for TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.5 Certificate extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.5.1 Sample CA Certificate in TXT format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4 Installing under Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.1 Installing the Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.4.2 Installing the Internet Information Services (IIS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4.3 Installing the Certificate Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4.3.1 Selecting the Certification Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.4.3.2 Setting up the CA (Certificate Authority). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4.4 Installing the Internet Authentication Service (IAS) . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.4.5 Creating a User Account in the Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.4.5.1 Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.4.5.2 Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.4.5.3 Creating a Group in the Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
22 January 2010
IEEE 802.1x Configuration Management, Administration Manual

2.4.6 Internet Authentication Service (IAS) - Access Rights . . . . . . . . . . . . . . . . . . . . . . 48


2.4.6.1 Setting up the Authenticator as DNS Host . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.4.6.2 Creating a RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.4.6.3 Creating a RADIUS Client and Verifying the IP Address (Switch) . . . . . . . . . 53
2.4.6.4 Setting the Password for the RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.4.6.5 EAP Configuration in the IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.4.6.6 Selecting the EAP Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.4.7 Installing Certificates under Windows XP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2.4.7.1 Installing the Root Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2.4.7.2 Validating the Root Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.4.7.3 Export the Certificate from the Certificate Store . . . . . . . . . . . . . . . . . . . . . . . 70
2.4.7.4 Installing a User Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.4.7.5 Validating the User Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.4.7.6 Export the User Certificate from the Certificate Store . . . . . . . . . . . . . . . . . . . 78
2.5 CISCO Secure Access Control Server (ACS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.5.1 Generating Certificate Chains with OPEN SSL Windows . . . . . . . . . . . . . . . . . . . 81
2.5.1.1 Creating a Key Pair for CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
2.5.1.2 Creating Certificates for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.5.1.3 Creating Certificates for Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.5.1.4 Overview of Files Generated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
2.5.2 Installing ACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.5.3 Configuring ACS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
2.5.3.1 Generating Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.5.3.2 Setting the Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.5.3.3 Creating AAA Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.5.3.4 Creating a User Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
2.5.3.5 Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
2.6 Administrating Certificates in the DLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
2.6.1 Plug&Play Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
3 Plug and Play with IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
3.2 Test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.3 DHCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.4 Configuring Plug & Play in DLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.4.1 Plug&Play Creating profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.5 DHCP Address Pool (Scope) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.6 Example for Cisco Catalyst 3560 Configuration (Port used fa0/12) . . . . . . . . . . . . . . 5
3.6.1 Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.6.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.6.2.1 Cisco configuration (Port used fa0/12) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.7 Example for a freeradius configuration (user file) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.8 Plug and Play function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.8.1 Plug and Play function with VLAN sent from DLS . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.8.2 Phones and PC interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.8.2.1 Example: Phone has certificate, the PC has no certificate . . . . . . . . . . . . . . . . 12
3.9 Switch Configuration Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.9.1 Switch Example 1: "Cisco Configuration" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.9.2 Switch Example 2: "Enterasys Matrix N1 Platinum Configuration" . . . . . . . . . . . . . 15
3.9.3 Switch Example 3: "ProCurve Configuration" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


1 802.1X Authentication for IP Telephones

1.1 Introduction

1.1.1 What is 802.1x?

802.1x is used to authenticate an Entity (e.g. a PC or a telephone) within the network.
Authentication takes place on Layer 2 (OSI) and is based on the MAC address of the Entity.
An Entity can be a server, PC, laptop, printer, or an IP telephone.

1.1.2 Why is 802.1x important?

It controls access to the network.
Access can be controlled and restricted to certain resources by using a management system.
Access by unauthorized devices or persons is made more difficult.

1.1.3 Who needs 802.1x?

All enterprises that want to prevent unauthorized devices from accessing the company network.
Economic aspects have to be taken into consideration:
- ease of mobility within the network;
- flexible office;
- project teams that only cooperate for certain periods of time;
- guest accounts in the network, e.g. business partners;
as well as administrative aspects:
- assignment of network resources;
- business management applications (e.g. SAP);
- rules-based administration of groups.

1.2 IEEE 802.1x Authentication of Telephones

802.1x authentication is done using digital certificates and EAP-TLS via a RADIUS server.

Initial State / Preparation / Deployment

- The switch only allows access to the telephone management tool (DLS).
- The telephone only "sees" the DLS (the DLS takes care of the IP address) and is not registered at any proxy.
- The telephone is not logged on to the customer network.
- The DLS server downloads the certificates generated in the CA (trust center) onto the telephone (user certificate and server certificate).

802.1x Authentication Procedure

[Figure: Entity (Supplicant) --EAPOL-- Switch (Authenticator) --RADIUS-- RADIUS Server (Authentication Server)]

- The 802.1x authentication is triggered by a reboot of the telephone.
- The network switch sends an 802.1x request to the port to which the telephone and PC (if available) are connected.
- The telephone and/or PC respond to this request.
- Mutual authentication is performed by exchanging certificates (user certificate and RADIUS certificate); in the case of the phone and the RADIUS server, both certificates are available.
- The Entity may only send one 802.1x request for network access; all other data packets from this Entity are discarded (EAP protocol).
- The Layer 2 switch forwards the request to the RADIUS server.
- The RADIUS server (IAS from Microsoft or FreeRADIUS under Linux) compares the certificates using a database connected via e.g. Active Directory.
- If the certificate comparison is positive, the RADIUS server sends a success message to the Layer 2 switch.
- The Layer 2 switch releases the switch port to which the authenticated devices are connected.

With this the first-time authentication is completed.

Periodic re-authentications can be configured via the switch.

Procedure for a complete authentication using EAPOL

[Figure: message sequence between Entity, Switch (Authenticator) and RADIUS Server: 2. EAPoL Start; 3. EAP Request/Identity; 4. EAP Response/Identity, forwarded as RADIUS Access Request; 5. RADIUS Access Challenge, forwarded as EAP Request; 6. EAP Response, forwarded as RADIUS Access Request; 7. RADIUS Access Accept, forwarded as EAP Success, network access permitted; 8. the PC is disconnected, a proxy EAP logoff is carried out via the IP telephone, network access blocked]

1. The port to the user system is in unauthorized status, i.e. network access is refused.
2. The Entity begins the exchange with an EAPoL start message.
3. The "normal" EAP exchange begins when the authenticator sends an EAP request/identity packet.
4. The Entity then responds with an EAP response/identity, which is forwarded by the authenticator as a RADIUS access request.
5. The RADIUS server responds with a RADIUS access challenge packet, which the authenticator transmits to the user system using a suitable protocol with all necessary data.
6. The user system then sends the data entered by the user back to the authenticator as an EAP response. The authenticator packs and forwards the result data in the data field of a RADIUS access request.
7. The RADIUS server approves access with a RADIUS access accept, after which the authenticator sends an EAP success to the Entity and sets the port to authorized status. The Entity is authorized to use the network and can access it.
8. If, for example, the PC is disconnected from the Entity (the IP telephone), the telephone sends a proxy EAPoL logoff on the PC's behalf to the authenticator, which in turn resets the port for the PC to unauthorized so that an unknown device cannot be connected.

Note: The user system does not necessarily have to send an EAPoL start message. The authenticator can also send an EAP request/identity to update the authentication data.

1.3 Setting up and Using IEEE 802.1x

1.3.1 Connection overview

802.1X was first introduced for wireless devices to secure access and data via an access point to a local area network (LAN). The same standard is used to secure access of wired devices via an access switch to a LAN.
An IP phone, for example an OP410/420, uses the EAPOL protocol with EAP-TLS, which is a certificate-based authentication method.
This certificate-based authentication (EAP-TLS) is much more secure than the other methods and also matches the requirements of a device like a phone or a PC.

[Figure: IEEE 802.1x - Security for IP network connectivity]

1.3.2 IEEE 802.1X Security - How It Works

[Figure: IP phone (supplicant) - LAN switch (authenticator) - RADIUS server with asset DB (e.g. Meta Directory), DLS and PKI]

1. The IP phone (supplicant) is connected to the LAN and is blocked on the switch port.
2. The LAN switch (authenticator) sends an EAP request to the IP phone.
3. The IP phone responds via EAP-TLS with its device certificate.
4. The LAN switch forwards this to the RADIUS server (authentication server), which searches for the device in the asset database.
5. Based on the rights of the "user", the corresponding port on the LAN switch is configured (VLAN, ToS, etc.) and the IP phone is released from its quarantine.

Important:
The LAN switch must support "multi-domain" authentication on the switch port.

IEEE 802.1x is not designed for "Multi-User Authentication". (The port access control procedure assumes that the ports that serve it offer a point-to-point connection between the Supplicant and an individual Authenticator.)


802.1X without multi-user authentication

There are two alternatives available if 802.1X does not support Multi-User Authentication:

1. Single Host Authentication
   Only a single device is allowed to access the LAN, and only if it is authenticated.

2. Multi Host Authentication
   One device is authenticated and then opens the port for all other devices.

Only the variant with "Single-Host-Authentication" is really secure.
A further disadvantage of the "Multi Host Authentication" variant is that the port is closed if the authenticated device is removed and re-authentication is active.

1.3.2.1 Overview EAP-TLS

The figure below shows the data flow between the IEEE 802.1x components during an EAP-TLS-based authentication (IP Phone, Access Switch, RADIUS Server):

1. IP Phone -> Access Switch: EAPOL-Start
2. Access Switch -> IP Phone: EAP-Request/Identity
3. IP Phone -> Access Switch: EAP-Response/Identity = optiClient
4. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/Identity = optiClient
5. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS
6. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS Start, S bit set)
7. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
8. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
9. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)
10. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)
11. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)
12. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)
13. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
14. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
15. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS
16. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS
17. RADIUS Server -> Access Switch: RADIUS Access-Accept/EAP-Message/EAP-Success (other attributes)
18. Access Switch -> IP Phone: EAP-Success
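As an added illustration of the EAPOL exchange in section 1.2 and the EAP-Message relay shown in this figure (example code written for this edition, not code from the manual or from any Siemens product), the following Python builds the EAPOL-Start, Identity and EAP-TLS Start packets, wraps an EAP response into a RADIUS Access-Request the way the access switch does, and performs the Message-Authenticator check the RADIUS server applies before trusting the relay. The shared secret, RADIUS identifier and request authenticator are constructed sample values.

```python
"""EAPOL/EAP framing and the RADIUS EAP-Message relay (IEEE 802.1X, RFC 3748,
EAP-TLS flags per RFC 2716, RADIUS/EAP per RFC 3579). Sample values are constructed."""
import hashlib
import hmac
import struct

# EAPOL packet types (IEEE 802.1X); EAP codes and types (RFC 3748, RFC 2716)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
TLS_FLAG_START = 0x20  # the "S bit" in the EAP-TLS flags byte
# RADIUS code and attribute types (RFC 2865, RFC 3579)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP header code(1) id(1) length(2), then type(1) and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(packet_type, body=b""):
    """EAPOL header: protocol version(1) packet type(1) body length(2)."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


def parse_eapol(frame):
    """Decode an EAPOL frame; for EAP-Packet frames the EAP header is decoded too."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "eapol_type": ptype, "eap": None}
    if ptype != EAPOL_EAP_PACKET:
        return info  # EAPOL-Start and EAPOL-Logoff carry no body
    body = frame[4:4 + length]
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    eap = {"code": code, "id": ident, "raw": body[:eap_len]}
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len > 4:
        eap["type"] = body[4]
        eap["data"] = body[5:eap_len]
        if eap["type"] == EAP_TYPE_TLS and eap["data"]:
            # EAP-TLS Start is an EAP-Request whose flags byte has the S bit set
            eap["tls_start"] = bool(eap["data"][0] & TLS_FLAG_START)
    info["eap"] = eap
    return info


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(identifier, request_authenticator, eap, secret, user_name):
    """Authenticator side: relay one EAP packet to the RADIUS server.
    The EAP packet goes into EAP-Message attributes (at most 253 bytes each).
    RFC 3579 requires Message-Authenticator on EAP-carrying packets: HMAC-MD5 keyed
    with the shared secret over the packet with the attribute value zeroed."""
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    for off in range(0, len(eap), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier,
                         20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def radius_attributes(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield off, attr_type, packet[off + 2:off + attr_len]
        off += attr_len


def verify_message_authenticator(packet, secret):
    """RADIUS server side: accept the relay only if Message-Authenticator checks out."""
    for off, attr_type, value in radius_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP-Message without Message-Authenticator must be rejected


def extract_eap(packet):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for _, t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)


def relay_identity_exchange(secret=b"constructed-shared-secret"):
    """Steps 2 to 5 of the manual's EAPOL procedure with constructed sample data."""
    start = eapol_frame(EAPOL_START)  # 2. EAPoL Start from the phone
    eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))  # 3.
    resp = eapol_frame(EAPOL_EAP_PACKET,  # 4. EAP Response/Identity
                       eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"optiClient"))
    eap = parse_eapol(resp)["eap"]
    # 4. the switch relays it as a RADIUS Access-Request (constructed request authenticator)
    access_req = radius_access_request(7, b"\x11" * 16, eap["raw"], secret, eap["data"])
    mac_ok = verify_message_authenticator(access_req, secret)
    identity = parse_eapol(eapol_frame(EAPOL_EAP_PACKET, extract_eap(access_req)))["eap"]["data"]
    # 5. the server answers with EAP-TLS Start (S bit set), relayed to the phone as EAP-Request
    tls_start = eapol_frame(EAPOL_EAP_PACKET,
                            eap_packet(EAP_REQUEST, 2, EAP_TYPE_TLS, bytes([TLS_FLAG_START])))
    return {"start_type": parse_eapol(start)["eapol_type"], "mac_ok": mac_ok,
            "identity": identity, "tls_start": parse_eapol(tls_start)["eap"]["tls_start"]}
```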

1.3.3 Necessary environment

IP phones:
- All versions of optiPoint HFA with firmware V5 R4.2.0 or later
- All versions of optiPoint SIP V6 with firmware V6 R2.67.0 or later
- All versions of optiPoint SIP V7 with firmware V7 R0.9.0 or later
The following versions apply if EAPOL-Logoff with 802.1x is not activated or there are no certificates on the phone:
- All versions of optiPoint HFA with firmware V5 R4.6.0 or later
- All versions of optiPoint V7 with firmware V7 R1.3.0 or later
- OpenStage 20, 40 and OpenStage 60/80 AB Software Release V1 R3.2.15 (FP 4.3) and V0 R7.10,138 (FP 4.4)

Access switch which supports 802.1X:
- Cisco Catalyst 3560
- ProCurve Switch 3500yl (HP)
- Enterasys Matrix N1 Platinum
- Nortel
- Huawei
- among others

RADIUS server which supports EAP-TLS:
- IAS
- Cisco Radius
- Cisco ACS
- FreeRadius
- among others

Public Key Infrastructure (PKI) including a Certificate Services CA which can create and distribute certificates to the RADIUS and Deployment Server (DLS).

1.3.4 Secondary documentation

The following table lists some references you may find useful. The IEEE standard is fairly readable. The RFCs are also fairly clearly written.
- IEEE 802.1x standard document
- EAP standard, RFC 2284
- EAP TLS, RFC 2716
- One-Time Password, RFC 1938
- EAP: IETF draft search page
- RADIUS, RFC 2865
- RADIUS Accounting, RFC 2866
- RADIUS Tunneling Attributes support, RFC 2867
- RADIUS Tunneling Attributes support, RFC 2868
- RADIUS Extensions, RFC 2869
- RADIUS Support for EAP, RFC 3579

2 Install the authentication server

The following components are needed to introduce IEEE 802.1x:
- RADIUS server as authentication server (including a supplicant, such as a PC and telephone)
- Authenticator (switch) with IEEE 802.1x implementation

2.1 Installation Overview

The RADIUS server can be installed as a Linux or Windows Server 2003 solution. For the Microsoft solution, a computer with a Windows Server 2003 Enterprise version is used with the necessary administration tools.
You can also use the flow chart in section 2.2, Flow chart to the introduction of IEEE 802.1x, to branch to the descriptions of the individual installation steps.

2.1.1 Linux Solution under SuSE Linux 9.0

Perform the following steps:
- Download OpenSSL on page 6
- Install OpenSSL on page 7
- Download FreeRADIUS on page 7
- Install FreeRADIUS on page 7
- Obtaining or creating Certificates on page 9
- Configure Server for TLS on page 12

2.1.2 Microsoft Solution with Windows Server 2003

- Installing the Active Directory on page 17
- Installing the Internet Information Services (IIS) on page 26
- Installing the Certificate Services on page 28
- Selecting the Certification Type on page 29
- Setting up the CA (Certificate Authority) on page 30
- Installing the Internet Authentication Service (IAS) on page 35
- Creating a User Account in the Active Directory on page 38
- Creating Users on page 39
- Creating a Group on page 44
- Internet Authentication Service (IAS) - Access Rights on page 48
- Setting up the Authenticator as DNS Host on page 49
- Creating a RADIUS Client on page 52
- Creating a RADIUS Client and Verifying the IP Address (Switch) on page 53
- Setting the Password for the RADIUS Client on page 54
- EAP Configuration in the IAS on page 56
- Selecting the EAP Type on page 61
- Installing Certificates under Windows XP on page 66
- Installing the Root Certificate on page 67
- Validating the Root Certificate on page 70
- Export the Certificate from the Certificate Store on page 70
- Installing a User Certificate on page 71
- Validating the User Certificate on page 77
- Export the User Certificate from the Certificate Store on page 78

2.1.3 Cisco Solution with CISCO Secure Access Control Server (ACS)

- Generating Certificate Chains with OPEN SSL Windows on page 81
- Installing ACS on page 84
- Configuring ACS on page 89
- Generating Certificates on page 90
- Setting the Authentication Methods on page 99
- Creating AAA Clients on page 101
- Creating a User Group on page 103
- Creating Users on page 108

2.1.4 Certificate Administration in DLS

- Plug&Play Template on page 110

2.2 Flow chart to the introduction of IEEE 802.1x


[Flow chart, reconstructed from the figure text: introduction of IEEE 802.1x with EAP]

Does the customer already have certificates?
- Yes: Certificate handover by the client.
- No: choose the RADIUS solution to set up (IAS, CISCO ACS or FreeRADIUS).

Configure IAS?
- Is Active Directory already available? If No: Install Active Directory.
- Install Internet Information Services (IIS).
- Install certification services.
- Install Internet Authentication Service (IAS).
- Create a user account in the Active Directory.
- Configure IAS access rights for the Authenticator (Switch).
- Configure certificates under Windows XP and export the certificates.

Configure CISCO ACS?
- Install OpenSSL for Windows and generate the certificate chain.
- Install the Cisco ACS configuration program and configure Cisco ACS.

Configure FreeRADIUS?
- Install OpenSSL for Linux.
- Install FreeRADIUS for Linux.
- Configure and export certificates; configure the FreeRADIUS server for Linux.

Configure other RADIUS?
- Yes: Install another RADIUS.
- No: All necessary certificates are available: server certificate, client certificate.
  Import the certificates to DLS.
  Plug and Play with certificate; reboot the telephone.
End

[Flow chart, reconstructed from the figure text: putting a telephone into operation with IEEE 802.1x]

Is the telephone certified?
- No: Can the telephone connect to DLS?
  - No: Ask the network administrator for guest VLAN access.
  - Yes: Plug and Play with certificate; reboot the telephone.
- Yes: VLAN-ID received?

Was EAP successful?
- No: Port is closed; network problem; no connection to RADIUS; certificates not valid. End.
- Yes: Was SIP registration successful?
  - No: SIP trace and fault repair. End.
  - Yes: End.

2.3 Installation under SuSE Linux 9.0

FreeRADIUS/WinXP Authentication Setup

This post describes how to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients (Supplicants). The server is configured for a home (or test) network.
Three papers have been written about TLS authentication with a FreeRADIUS server:
1. www.missl.cs.umd.edu/wireless/eaptls
2. www.freeradius.org/doc/EAPTLS.pdf
3. www.denobula.com
These papers provide an excellent background, but are somewhat out of date. Where appropriate, I will simply refer to these documents rather than repeating the information. I recommend that you follow the steps I give below rather than the steps in these documents.
In the steps below, I give examples from the FreeRADIUS server that I installed yesterday in my Red Hat 9 computer. If you follow this example, please make the needed changes to the names of the files. I installed the FreeRADIUS and OpenSSL files in special local directories. This ensures that there is no interaction between the base Linux files and the new files. It also allows you to easily remove all of the newly installed files.

Note: One word of caution: Be prepared for unforeseen events when using trial versions of FreeRADIUS and OpenSSL or if they come from "beta" software versions. Do not be surprised if you encounter problems.

2.3.1 Download and install OpenSSL

2.3.1.1 Download OpenSSL

You first have to download the latest stable released version of OpenSSL (OpenSSL-0.9.7).
Save the software in a home directory. You can download the current version from the following
FTP directory:
ftp://ftp.openssl.org/snapshot/

2.3.1.2 Install OpenSSL

Execute the following steps:

mkdir -p /usr/src/802/openssl
cd /usr/src/802/openssl
cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \
openssl-0.9.7-stable-SNAP-20040202.tar.gz
gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz
tar xvf openssl-0.9.7-stable-SNAP-20040202.tar
cd openssl-0.9.7-stable-SNAP-20040202
./config shared --prefix=/usr/local/openssl
make
make install

When you perform the config, make, and make-install here and in the FreeRADIUS install described below, I recommend that you log the information. For example, instead of using the
simple "make" command, use:

make > mymake.log 2>&1

If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for
errors.
This completes the work with OpenSSL, except for building the required certificates.

2.3.2 Download and Install FreeRADIUS

2.3.2.1 Download FreeRADIUS

The first step is to download the latest snapshot version of FreeRADIUS from
http://www.freeradius.org/

2.3.2.2 Install FreeRADIUS

First possibility

# cd /usr/local/src
# wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz
# tar zxfv freeradius-1.0.0.tar.gz
# cd freeradius-1.0.0

1. Configure, make and install:


# ./configure
# make
# make install

2. You can pass options to configure. Use ./configure --help or read the README file for
more information.
When you perform the configure, make, and make install here, as in the OpenSSL install
above, I recommend that you log the information. For example, instead of using the simple
"make" command, use:
make > mymake.log 2>&1
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log)
for errors.
The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files
are found under /usr/local/etc/raddb.
If something went wrong, check the INSTALL and README included with the source. The
RADIUS FAQ also contains valuable information.

Second possibility

Download the snapshot from ftp.freeradius.org/pub/radius/CVS-snapshots and use the following nine steps:

mkdir -p /usr/src/802/radius
cd /usr/src/802/radius
cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \
freeradius-snapshot-20040203.tar.gz
gunzip freeradius-snapshot-20040203.tar.gz
tar xvf freeradius-snapshot-20040203.tar
cd freeradius-snapshot-20040203
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
make install

That completes the work with FreeRADIUS, except for

- building certificates
- making the changes to the FreeRADIUS configuration files
- moving the server certificates to their final location
- building a wrapper for radiusd (RADIUS server).

2.3.3 Obtaining or creating Certificates


OpenSSL must be installed to use either EAP-TLS, EAP-TTLS, or PEAP!

When using EAP-TLS, both the Authentication Server and all the Supplicants (clients)
need certificates [RFC 2459].
Using EAP-TTLS or PEAP, only the Authentication Server requires certificates; Supplicant
certificates are optional.
You get certificates from the Certificate Authority (CA). If there is no local CA available,
OpenSSL may be used to generate self-signed certificates.
Included with the FreeRADIUS source are some helper scripts to generate self-signed certificates. The scripts are located under the scripts/ folder included with the FreeRADIUS source:

- CA.all is a shell script that generates certificates based on some questions it asks.
- CA.certs generates certificates non-interactively based on pre-defined information at the start of the script.

The scripts use a Perl script called CA.pl, included with OpenSSL. The path to this
Perl script in CA.all and CA.certs may need to be changed to make it work.
More information on how to generate your own certificates can be found in the SSL
certificates HOWTO.

Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the
configuration information in openssl.cnf.

1. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at:
/usr/local/openssl/ssl
A portion of the information from my openssl.cnf is given below. (The company information
does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password.
When CA.all executes, it uses this information three times. The first pass through this
information produces the root certificates. If you set up your configuration as shown below,
you will be able to accept all of the settings in the first pass. The second pass through this
information produces the client certificates. You only need to change the commonName
to the client name. In this case, the commonName was changed to jbibe. The third pass
through this information produces the server certificates. You only need to change the
commonName to the server name. In this case, the commonName was changed to micron.
Example
...
# req_extensions = v3_req
# The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tennessee
localityName = Locality Name (eg, city)
localityName_default = Brentwood
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Helava
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = Engineering
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = HAI
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = ohb@cmcast.net
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
challengePassword_default = whatever
unstructuredName = An optional company name

2. CA.all -- Update the CA.all script for your requirements. The file is located at:
/usr/src/802/radius/freeradius-snapshot-20040203/scripts

If you use the default password "whatever", you only need to verify that the path in the
script points to the installed openssl information. No changes should be necessary, but
there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed:
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca

When CA.all executes, it produces nine certificates:

- root.pem, root.p12, root.der
- cert-clt.pem, cert-clt.p12, cert-clt.der
- cert-srv.pem, cert-srv.p12, cert-srv.der

For TLS and PEAP, the server needs root.pem and cert-srv.pem.
For TLS, the Windows XP client needs root.der and cert-clt.p12.
For PEAP, the Windows XP client needs root.der.


2.3.4 Configure Server for TLS

There are only a few changes and additions needed for TLS authentication. The clients.conf, users and radiusd.conf are located at:
/usr/local/radius/etc/raddb
1. clients.conf -- This file contains the basic configuration for the Access Point. Look for
the following line then uncomment and modify as appropriate:
#client 192.168.0.0/24 {
client 192.168.1.0/24 {
secret = AP_Shared_Secret
shortname = WLAN
}

2. users -- This file contains the basic user information. Look for the following line and then
add the user name:
#"John Doe" Auth-Type := Local, User-Password == "hello"
#
jbibe

Note that for TLS, you should not include an Auth-Type or a password. The server
is able to determine the correct Auth-Type, and a password is not needed because
the client uses a client certificate for authentication.

3. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:
eap {
default_eap_type = md5
Change md5 to tls.
Move down to the following line, and then uncomment and modify the information, as
shown below:

Note that the server certificates, dh file and random file are placed in a new directory 1x on the system. Modify the path as needed for your server.


#tls {
tls {
private_key_password = whatever
private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
CA_file = /usr/local/radius/etc/1x/root.pem
dh_file = /usr/local/radius/etc/1x/dh
random_file = /usr/local/radius/etc/1x/random
fragment_size = 1024
include_length = yes
}
No other changes are needed in radiusd.conf for TLS.

4. Server Certificates, DH File, and Random File -- A new directory 1x was added in the
radius etc directory, and then the server certificates (root.pem and cert-srv.pem) were copied into the directory. Finally, the following trick was used to produce dh and random:
date > dh
date > random
If you prefer, use your keyboard to enter some random characters in these files. Or even
better, use the OpenSSL tools to produce the random information for these files.

5. Run-Radius -- The only server addition remaining is a wrapper for radiusd. A new file runradius was added in the /usr/local/radius/sbin directory.

----- Wrapper Script ------------------------------------
#!/bin/sh -x
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
/usr/local/radius/sbin/radiusd "$@"
---------------------------------------------------------
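Before starting radiusd it is worth checking that the tls stanza from step 3 actually points at usable material, because the `date > dh` / `date > random` trick from step 4 produces files that are neither DH parameters nor random bytes, and the "whatever" password comes straight from the sample openssl.cnf. The checker below is an added example written for this page; it is not part of the manual and not FreeRADIUS code. It parses the stanza exactly as printed above, then inspects the referenced files. The PEM bodies it writes for the demo are constructed stand-ins (not real keys or certificates), and the replacement password `CHANGE-ME-placeholder` is an assumed value.

```python
"""Sanity-check a FreeRADIUS 1.x `tls { ... }` stanza before starting radiusd.
Added example (not from the manual, not FreeRADIUS code).  It parses the stanza from
step 3 and inspects the files it names: the manual's `date > dh` / `date > random` trick
leaves neither DH parameters nor random data, and "whatever" is the sample password."""
import os
import re
import tempfile

# Copied from step 3 above; "{d}" is replaced by the demo directory at run time.
STANZA = """
tls {
    private_key_password = whatever
    private_key_file = {d}/cert-srv.pem
    certificate_file = {d}/cert-srv.pem
    CA_file = {d}/root.pem
    dh_file = {d}/dh
    random_file = {d}/random
    fragment_size = 1024
    include_length = yes
}
"""
SETTING_RE = re.compile(r"^(\w+)\s*=\s*(\S+)$")
PEM_LABEL_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def parse_tls_stanza(text):
    """Return the key = value pairs of the first `tls { ... }` block as a dict."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and indentation
        if not inside:
            inside = re.match(r"^tls\s*\{", line) is not None
            continue
        if line.startswith("}"):
            break
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def pem_labels(path):
    """PEM labels present in a file, e.g. {'RSA PRIVATE KEY', 'CERTIFICATE'}; empty if unreadable."""
    try:
        with open(path, "rb") as f:
            return {m.decode() for m in PEM_LABEL_RE.findall(f.read())}
    except OSError:
        return set()

def check_tls_stanza(settings, min_random_bytes=64):
    """Return a list of findings; an empty list means the stanza looks usable."""
    findings = []
    if settings.get("private_key_password") == "whatever":
        findings.append("private_key_password is the sample openssl.cnf default; change it")
    if not any("PRIVATE KEY" in l for l in pem_labels(settings.get("private_key_file", ""))):
        findings.append("private_key_file contains no PEM private key")
    for key in ("certificate_file", "CA_file"):
        if "CERTIFICATE" not in pem_labels(settings.get(key, "")):
            findings.append("%s contains no PEM certificate" % key)
    if "DH PARAMETERS" not in pem_labels(settings.get("dh_file", "")):
        findings.append("dh_file is not openssl dhparam output (a `date > dh` file looks like this)")
    try:
        with open(settings.get("random_file", ""), "rb") as f:
            data = f.read()
    except OSError:
        data = b""
    if len(data) < min_random_bytes:
        findings.append("random_file holds only %d bytes" % len(data))
    elif all(32 <= b < 127 or b in b"\r\n\t" for b in data):   # `date` output is plain text
        findings.append("random_file is plain text, not random bytes")
    size = settings.get("fragment_size", "")
    if not (size.isdigit() and int(size) > 0):
        findings.append("fragment_size must be a positive integer")
    return findings

def write_demo_files(d, proper):
    """Create the files the stanza names.  All contents are constructed stand-ins (the PEM
    bodies are not real keys or certificates); proper=False mimics the `date >` trick."""
    cert = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"
    dh = b"-----BEGIN DH PARAMETERS-----\nMIIB...constructed...\n-----END DH PARAMETERS-----\n"
    date_line = b"Tue Feb  3 10:15:42 CET 2004\n"
    files = {"cert-srv.pem": key + cert,      # one file for key and certificate, as in step 3
             "root.pem": cert,
             "dh": dh if proper else date_line,
             "random": os.urandom(1024) if proper else date_line}
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)

def run_demo():
    """Check the manual's setup and a corrected one; return (weak_findings, fixed_findings)."""
    results = []
    for proper in (False, True):
        with tempfile.TemporaryDirectory() as d:
            write_demo_files(d, proper)
            settings = parse_tls_stanza(STANZA.replace("{d}", d))
            if proper:
                settings["private_key_password"] = "CHANGE-ME-placeholder"  # assumed new value
            results.append(check_tls_stanza(settings))
    return results[0], results[1]
```

Calling `run_demo()` returns three findings for the setup as printed in the manual (default password, dh file, random file) and none once dh and random hold real `openssl dhparam` and `openssl rand` output and the password has been changed. On a live server, feed the real radiusd.conf text to `parse_tls_stanza` instead of `STANZA`.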


2.3.5 Certificate extension

The PEM format uses the header and footer lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

It will also handle files containing:

-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----

Trusted certificates have the lines:

-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----

The conversion to UTF8 format used with the name options assumes that T61Strings use the
ISO8859-1 character set. This is wrong but Netscape and MSIE do this as do many certificates.
So although this is incorrect it is more likely to display the majority of certificates correctly.
The -fingerprint option takes the digest of the DER encoded certificate. This is commonly
called a "fingerprint". Because of the nature of message digests the fingerprint of a certificate
is unique to that certificate and two certificates with the same fingerprint can be considered to
be the same.
The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
The -email option searches the subject name and the subject alternative name extension. Only
unique email addresses will be printed out: it will not print the same address more than once.
-inform DER|PEM|NET
This specifies the input format. Normally the command will expect an X509 certificate, but this
can change if other options such as -req are present. The DER format is the DER encoding of
the certificate and PEM is the base64 encoding of the DER encoding with header and footer
lines added. The NET option is an obscure Netscape server format that is now obsolete.
For further information please refer to sections 7.1.2 and 7.1.3 of RFC 2459.
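The relationship the section describes (PEM is base64 of the DER bytes between header and footer lines; a fingerprint is a digest over the DER bytes) is shown in working form below. This is an added example, not code from the manual or from OpenSSL. It accepts all three header forms listed above, rejects a block whose END label does not match its BEGIN label, and digests the DER the way `openssl x509 -fingerprint` does. `SAMPLE_DER` is a constructed byte string standing in for a DER certificate; nothing here decodes ASN.1, so the round trip works on any bytes.

```python
"""PEM framing, DER and certificate fingerprints as described in the section above.
Added example, not from the manual or OpenSSL.  It accepts the three header forms the text
lists, strips the base64 framing back to DER, and digests the DER bytes the way
`openssl x509 -fingerprint` does.  SAMPLE_DER is a constructed stand-in, not a real
certificate; nothing here interprets its ASN.1 content."""
import base64
import hashlib
import re

# A block is only accepted when its END label matches its BEGIN label (back-reference \1).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (CERTIFICATE|X509 CERTIFICATE|TRUSTED CERTIFICATE)-----\s*(.*?)-----END \1-----",
    re.DOTALL)

def pem_to_der(pem_text):
    """Return one DER byte string per certificate block in pem_text.  Text outside the
    markers (e.g. an `openssl x509 -text` dump placed before the PEM body) is ignored."""
    ders = []
    for _label, body in PEM_BLOCK_RE.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def der_to_pem(der, label="CERTIFICATE", width=64):
    """Wrap DER bytes in PEM framing: base64 in 64-column lines between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def fingerprint(der, algorithm="sha1"):
    """Digest of the DER encoding as colon-separated upper-case hex, as OpenSSL prints it.
    The text above notes MSIE used SHA1 and Netscape MD5; current tooling shows SHA-256."""
    return ":".join("%02X" % b for b in hashlib.new(algorithm, der).digest())

# Constructed stand-in for a DER certificate: a SEQUENCE header followed by filler bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

def demo():
    """Round-trip SAMPLE_DER through all three labels; return {label: (round_trip_ok, sha1)}."""
    results = {}
    for label in ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"):
        pem = "text before the block is ignored\n" + der_to_pem(SAMPLE_DER, label)
        (der,) = pem_to_der(pem)
        results[label] = (der == SAMPLE_DER, fingerprint(der))
    return results
```

Because the digest is taken over the DER bytes, the fingerprint is identical whichever of the three PEM labels wraps the certificate, which `demo()` confirms; the same function applied to `root.pem` from CA.all gives the value to compare against what the Windows XP client displays for root.der.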

2.3.5.1 Sample CA Certificate in TXT format

Example:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=Surrey, O=Best CA Ltd,
OU=Class 1 Public Primary Certification Authority,
CN=Best CA Ltd
Validity
Not Before: Feb 5 19:50:16 2000 GMT
Not After : Feb 4 19:50:16 2001 GMT
Subject: C=GB, ST=Surrey, O=Best CA Ltd,
OU=Class 1 Public Primary Certification Authority,
CN=Best CA Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:dd:3c:f6:9a:be:d2:66:20:0c:7d:0c:ae:bc:18:
cc:f4:e8:89:8d:16:b3:5c:16:75:06:33:f9:08:4f:
d6:9b:f4:6b:e7:4d:0f:44:af:8b:87:dc:79:78:93:
e8:e4:20:19:df:f0:0d:04:4d:2c:4c:ad:19:b0:31:
8c:6a:4d:a6:d6:0e:e8:ae:e2:37:75:8d:d5:1e:a2:
31:15:3c:f4:4d:ad:5d:f8:d0:23:c2:72:de:e2:73:
9b:ef:f7:84:25:b0:cf:92:4d:39:4a:18:41:ac:91:
81:28:ac:5b:f2:7d:74:e2:8f:f9:a7:c1:c0:b1:93:
dd:cd:b1:4c:23:23:63:27:30:4c:da:8e:72:e4:0d:
77:c2:22:e2:b4:43:bb:9d:ca:36:59:fc:98:91:0c:
da:c4:2c:34:03:0c:e5:91:51:e2:23:20:ae:68:5e:
30:8f:9e:f5:a5:2c:e4:bf:ab:2f:fb:82:03:31:b4:
ff:5e:90:a8:f0:be:b0:4d:aa:f3:af:2c:27:42:c8:
7e:7a:d2:c3:e8:5b:53:8d:86:db:ae:f6:7c:45:03:
35:b6:52:9d:a0:c1:e0:da:ac:6b:68:05:7e:f8:73:
41:62:63:56:b3:47:6e:11:d8:d4:6c:92:be:65:aa:
f2:a5:72:3d:4e:d9:d2:e2:8d:42:92:3e:cf:39:f9:
63:89
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3C:BA:B3:02:44:B6:18:30:75:0A:53:90:24:22:9F:4D:24:72:70:E5
X509v3 Authority Key Identifier:
keyid:3C:BA:B3:02:44:B6:18:30:75:0A:53:90:24:22:9F:4D:24:72:70:E5
DirName:/C=GB/ST=Some-State/O=Best CA Ltd/OU=Class 1 Public Primary Certification Authority/CN=Best CA Ltd
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
b5:b9:80:5c:b1:29:dc:c0:03:db:28:c8:a3:08:30:ac:41:ea:
fb:ef:60:b6:b9:ca:57:c5:05:04:fc:2d:29:59:69:ba:80:39:
30:77:90:f4:0d:23:03:25:1a:95:ff:07:a8:67:8c:02:e8:1e:
f7:7f:96:06:3e:7e:90:99:b2:e1:19:81:da:5c:97:92:0f:a2:
ab:5d:ca:0e:c0:b7:52:68:69:89:62:c9:4b:29:90:77:64:80:
c4:a7:4c:18:4c:68:60:b5:e6:fa:24:58:93:b6:72:ef:5c:9b:
a0:3a:c7:f6:c5:da:d8:7c:f0:a2:20:1e:e0:04:c0:15:ec:6c:
dd:73:85:6c:a5:2e:a5:8e:b0:21:6e:28:9a:c1:d0:62:42:54:
26:b0:17:85:cf:d2:64:17:89:c3:99:94:cf:0d:bd:e5:f0:1a:
06:37:ea:8c:6b:9e:98:22:df:2e:9d:ad:a0:63:89:76:3b:ff:
e8:9f:cf:2b:e4:85:89:96:6d:4b:d2:80:3c:7b:87:d1:db:2a:
c1:1d:71:7a:d1:fe:36:59:a7:6c:19:e1:4a:93:23:6b:c0:68:
bf:ee:f4:0c:7d:77:46:b1:1a:d7:34:64:46:9d:7f:af:58:36:
77:ff:35:88:d2:3a:03:b4:29:0d:9e:a1:29:56:78:60:fe:00:
15:98:7a:17
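The text dump above contains the fields a reviewer checks before putting a CA certificate into root.pem or onto the clients: signature digest (here md5WithRSAEncryption), key size, the CA:TRUE basic constraint, whether issuer and subject coincide (a self-signed root), and the validity window. The parser below is an added example, not part of the manual; `SAMPLE_TEXT` is an abridged copy of the page's sample (modulus and signature bytes omitted, indented as openssl prints it), and the thresholds in `WEAK_DIGESTS` and `MIN_RSA_BITS` are this example's assumed policy.

```python
"""Pull the reviewer-relevant fields out of `openssl x509 -text` output and flag weak ones.
Added example, not part of the manual.  SAMPLE_TEXT is an abridged copy of the page's
sample above (modulus and signature bytes left out, indented as openssl prints it).  The
policy thresholds (digest list, key size) are this example's assumptions."""
import re
from datetime import datetime, timezone

SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Surrey, O=Best CA Ltd, OU=Class 1 Public Primary Certification Authority, CN=Best CA Ltd
        Validity
            Not Before: Feb  5 19:50:16 2000 GMT
            Not After : Feb  4 19:50:16 2001 GMT
        Subject: C=GB, ST=Surrey, O=Best CA Ltd, OU=Class 1 Public Primary Certification Authority, CN=Best CA Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
"""

FIELD_RES = {
    "signature_algorithm": re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M),
    "issuer": re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M),
    "subject": re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M),
    "not_before": re.compile(r"^\s*Not Before\s*:\s*(.+?)\s*$", re.M),
    "not_after": re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M),
    "key_bits": re.compile(r"Public Key:\s*\((\d+) bit\)"),
}
WEAK_DIGESTS = ("md2", "md5", "sha1")   # assumed policy: no longer acceptable for signatures
MIN_RSA_BITS = 2048                     # assumed policy

def parse_x509_text(text):
    """Extract the fields above from `openssl x509 -text` output into a dict."""
    info = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(text)
        info[name] = m.group(1) if m else None
    info["key_bits"] = int(info["key_bits"]) if info["key_bits"] else None
    for name in ("not_before", "not_after"):
        if info[name]:
            stamp = " ".join(info[name].split())          # collapse "Feb  5" to "Feb 5"
            info[name] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    info["is_ca"] = re.search(r"Basic Constraints:[^\n]*\n\s*CA:TRUE", text) is not None
    info["self_signed"] = info["issuer"] is not None and info["issuer"] == info["subject"]
    return info

def review(info, now):
    """Findings a defender raises before trusting the certificate, judged as of `now`."""
    findings = []
    alg = (info["signature_algorithm"] or "").lower()
    if alg.startswith(WEAK_DIGESTS):
        findings.append("signature uses a weak digest: %s" % info["signature_algorithm"])
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append("RSA key is only %d bits" % info["key_bits"])
    if info["not_before"] and info["not_before"] > now:
        findings.append("certificate is not yet valid")
    if info["not_after"] and info["not_after"] < now:
        findings.append("certificate expired on %s" % info["not_after"].date())
    return findings

def demo():
    """Review the sample as of mid-2000 (inside its validity) and as of 22 Jan 2010."""
    info = parse_x509_text(SAMPLE_TEXT)
    inside = review(info, datetime(2000, 6, 1, tzinfo=timezone.utc))
    later = review(info, datetime(2010, 1, 22, tzinfo=timezone.utc))
    return info, inside, later
```

For the page's sample, `demo()` reports the MD5 signature in both cases and, as of 2010, the expiry as well; the 2048-bit key and the self-signed CA flag parse cleanly. Run the same parser over `openssl x509 -in root.pem -noout -text` output for certificates produced by CA.all.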


2.4 Installing under Windows Server 2003

This document describes how to install a completely new server. If you are using an existing
server, the dialog boxes can differ from those described here.

2.4.1 Installing the Active Directory

The Active Directory is an essential part of the Windows security model and holds the majority
of the security information, e.g.:

- authentication information about users (user accounts);
- information about trust levels between the individual Windows domains;
- security policies.

This feature in particular prevents unauthorized access to the system. Trust levels between the
domains determine how resources may be accessed across domain boundaries. Security policies (e.g. limitation of the number of logon attempts, requests to change user passwords periodically) are system directives according to which resources are made available. The availability of the Active Directory is assured by the cooperation of all domain controllers set up in a
Windows domain.
For more information about use and properties of the Active Directory please refer to detailed
documentation available through relevant sources (e.g. search in Google).
The sample installation in the following section comprises all necessary steps. The Active Directory can be installed using the default options:
Start | Run... | Open: dcpromo.exe


Attention: Do not lose your password.


2.4.2 Installing the Internet Information Services (IIS)

Internet Information Services provide the Web server, mail server and news server for the Windows Server operating system (in this case Windows Server 2003). IIS must be installed before
you install the certification service (see Page 28).
Select Control Panel, Add or Remove Programs, and Add/Remove Windows Components. Highlight Application Server and click on Details....

Make sure that Internet Information Services (IIS) is highlighted, click OK and then Next.
Keep the Windows Server 2003 CD handy so you can insert it into the drive when prompted.


The Internet Information Services are installed. Click Finish in the next dialog to complete the installation.


2.4.3 Installing the Certificate Services


The Internet Information Services (IIS) (see Page 26) have to be installed before you
can install the Certificate Services.

If the Certificate Services (Certificate Authority or CA) were not installed during the server
installation, you have to install them using Windows Setup. Select Add or Remove Programs and
Add/Remove Windows Components, go to Certificate Services and Details... and install
the Certificate Services CA.

Confirm the message and click Next.

2.4.3.1 Selecting the Certification Type

During installation, a distinction is made between two basic types of certificate authorities:

- CA of the organization
  - Enterprise root CA
  - Enterprise subordinate CA
- Stand-alone certificate authority
  - Stand-alone root CA
  - Stand-alone subordinate CA

Select Enterprise root CA. This is the most trustworthy CA. It should be installed before any
other CA in the network and requires the Active Directory. You have to mark Use custom settings to generate the key pair and CA certificate. Click Next.

2.4.3.2 Setting up the CA (Certificate Authority)

Certificates are issued by certificate authorities. If a user requests a certificate, the certificate
authority verifies the user specifications based on fixed guidelines. If the verification is successful, the certificate authority generates a key pair and signs it with its own private key.

Enter the name of the CA and click Next.


Enter the path names or accept the presets for the locations where the certificate database and
database log are to be stored. Additionally you can store the configuration information in a
shared folder. Click Next.


Setup is executing the configuration changes you requested. The IIS have to be stopped
temporarily. Confirm the request by clicking Yes.


Confirm the request to enable "Active Server Pages" by clicking Yes.


Click Finish. The installation of the certification services is completed.


2.4.4 Installing the Internet Authentication Service (IAS)

The Internet Authentication Service is a RADIUS server. IAS supports a wide range of authentication protocols. The following protocols, for instance, are supported:

- Authentication protocols within PPP, such as
  - PAP (Password Authentication Protocol),
  - CHAP (Challenge Handshake Authentication Protocol),
  - MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), and
  - EAP (Extensible Authentication Protocol)
- EAP (Extensible Authentication Protocol): an infrastructure that permits the addition of arbitrary authentication methods, such as
  - smart cards,
  - certificates,
  - single-use passwords, and
  - token cards.

If MS IAS is used as the RADIUS server, user authentication can be performed based on

- a SAM or
- a central user database (such as the Active Directory Service, ADS).

Select Add or Remove Programs and Add/Remove Windows Components, go to Networking Services and install the "Internet Authentication Service (IAS)". Highlight Networking
Services and click on Details....

Make sure that "Internet Authentication Service (IAS)" is highlighted, click OK and then
Next.


The installation of the "Internet Authentication Service (IAS)" is completed.



2.4.5 Creating a User Account in the Active Directory

This user is responsible for requesting certificates in XP.


Select Administrative Tools and then Active Directory Users and Computers.

2.4.5.1 Creating Users

Right-click on Users and select New to create a new user.


Enter all necessary user data. The certificates contain the name in the field "full name" and not
the "User logon name".


Enter a new password and confirm it. The password must comply with the password policies
as otherwise the request to create a new user is rejected. The following options should be
checked:

User cannot change password

Password never expires

The password will be used for login during the creation of the certificate. Confirm by clicking
Next. Confirm the next dialog by clicking Finish to create the new user.

Be sure to make note of your password.


Select the new user from the list to specify the Properties.


Select the Dial-in tab and highlight Allow access. Confirm by clicking OK.

2.4.5.2 Creating a Group

A group can be assigned several users who then have the same group properties.

Right-click on New and select Group. The following dialog is displayed:

2.4.5.3 Creating a Group in the Active Directory

Enter a group name and confirm by clicking OK.


Right-click on the new group and select Properties. Select the Members tab and click on
Add.... Enter the object name to be used. Test the name including the domain for validity by
clicking on Check Names. Confirm by clicking OK.


The new user was added to the group.


2.4.6 Internet Authentication Service (IAS) - Access Rights

The Authenticator (Switch) has to be entered in the IAS. Before you can assign access
rights, you must enter the Authenticator in the DNS. The DNS does not necessarily need to
be on the same server.

Select DNS from the Administrative Tools menu.

2.4.6.1 Setting up the Authenticator as DNS Host

Right-click on the Trust domain and select New Host (A).... The following dialog is displayed:


Enter the name and IP address of the Authenticator (ENTERASYS, Switch). Click on Add
Host. The creation of the new host is confirmed. Click OK and then Done.


The host marked (example) was created in the domain Trust.

2.4.6.2 Creating a RADIUS Client

The Authenticator has to be set up as a new RADIUS client. Select Start, Administrative
Tools and then Internet Authentication Service.

Right-click on RADIUS Clients and select New RADIUS Client.

2.4.6.3 Creating a RADIUS Client and Verifying the IP Address (Switch)

Enter the name of the RADIUS client and use the Resolve button in the Verify... dialog to
check whether the IP address exists for the name specified. Click on Next.

2.4.6.4 Setting the Password for the RADIUS Client

The client vendor should be RADIUS Standard. The password (the RADIUS shared secret) must be identical to the password configured on the Authenticator (CISCO or ENTERASYS).


The Authenticator is set up as a RADIUS Client.

2.4.6.5 EAP Configuration in the IAS

Select Start, Administrative Tools, and then Internet Authentication Service.

Right-click on Remote Access Policies and select New to create a new Remote Access Policy.


The Remote Access Policy Wizard is displayed. Click on Next.

Enter a new Policy Name and confirm by clicking on Next.



Select the Ethernet option and confirm by clicking on Next.


Click Add... in the User or Group Access dialog. The Select Groups dialog is displayed. Enter the group name and click on Check Names. If the name is valid, it is underlined and shows
the link to the group in the Active Directory (see Section 2.4.5.3). Click OK and then Next. The
following dialog is displayed:


Select the Group option and confirm the selected group by clicking on Next.

2.4.6.6 Selecting the EAP Type

Select Smart Card or other certificate and confirm by clicking on Next.

Complete the procedure by clicking on Finish.



Double-click on the new access group. The following dialog is displayed:


The policy condition NAS-Port-Type matches "Ethernet" AND is selected. Click on Edit Profile.... The following
dialog is displayed:


Select the Authentication tab and click on EAP Methods. The following dialog is displayed:

Smart Card or other certificate is selected. Click on Edit.... The following dialog is displayed:


Select the certificate issued before (it has to match the certificate used for the certification) and confirm all dialogs by
clicking on OK.


2.4.7

Installing Certificates under Windows XP

Connect to the Certification Authority Service, e.g. http://server/certsrv or http://192.168.3.6/certsrv.
Remark: do not log on via http://localhost/certsrv, because you would then be logged on with your Windows credentials.

Enter, for example, the user name and password you created on Page 38.

2.4.7.1

Installing the Root Certificate

Select Download a CA certificate, certificate chain or CRL (last line).


Click on the line Install this CA certificate chain (CA = Certificate Authority).

Confirm the message by clicking on Yes.

Confirm the message by clicking on Save.

Confirm the security warning by clicking on Yes.

The system confirms the installation.

2.4.7.2

Validating the Root Certificate

Select Control Panel and then Internet Options. Select the Content tab and click on the Certificates... button. Select the Trusted Root Certification Authorities tab.

The certificate chain added before is displayed in the list of stored certificates.
2.4.7.3

Export the Certificate from the Certificate Store

To continue using the certificate, it is exported via the certificate export wizard and saved as a
file. You will need the saved server certificate later, when it is imported into the phones. The name under DLS for this certificate is RADIUS Server CA Certificate 1(2). At present, the second RADIUS Server CA certificate cannot be entered in the OpenStage telephone.

2.4.7.4

Installing a User Certificate

Click on Home or, if you are not yet or no longer logged on as an authorized user, call the Certification Authority Service and log on (see Page 67). The following dialog is displayed:

Click on Request a Certificate.


Click on User Certificate.

Click on More Options.


Leave the settings unchanged and click on use the Advanced Certificate Request form.


Select User as Certificate Template. Check the option Mark keys as exportable. Next, click
on Submit. The request is generated.


Confirm the message dialog by clicking on Yes.

Click on Install this certificate.

Confirm the message by clicking on Yes.

2.4.7.5

Validating the User Certificate

Check whether the certificate is stored correctly. Select Control Panel and then Internet Options. Select the Content tab and click on the Certificates... button. Select the My Certificates tab.

2.4.7.6

Export the User Certificate from the Certificate Store

Using the Certificate Export Wizard the certificate can be exported and saved as a file for later
use. Click on the Export... button. The Wizard starts:

Click on Next.

Select Yes, export the private key and click on Next.


Personal Information Exchange - PKCS#12 (.PFX) has to be selected. Click Next.

Enter a password and confirm it. This password is required again when the certificate is imported into DLS, so make a note of it.


Enter a file name without extension.

The path of the file filename.pfx is shown in the File Name line. Click on Finish. The
name under DLS for this certificate is Phone Certificate.


2.5

CISCO Secure Access Control Server (ACS)

ACS is CISCO's RADIUS server and features a graphical user interface for configuration and
administration.

2.5.1

Generating Certificate Chains with OPEN SSL Windows

Before you can configure certificates, you must generate them, for instance, using OPEN SSL
Windows. To do this, download the latest version of OpenSSL Light for Windows from the Internet (e.g., http://www.slproweb.com/products/Win32OpenSSL.html) and install it.
2.5.1.1

Creating a Key Pair for CA

First generate a key pair for the certificate authority (CA). For this, create a root certificate key (ca.key) and then create the root certificate (ca.crt).

The size of the key is specified as 2048 bits in this example.

Switch to the directory C:\OpenSSL\bin\ and start the program openssl.exe. A command
prompt window opens:

All further inputs are made in this window. Note that all inputs are case-sensitive.
Creating the root certificate key
Enter the following command:
genrsa -aes256 -out ca.key 2048
Enter and confirm a password when prompted for the "pass phrase". Be sure to make a note of
this password, as you will need it later. The root certificate key ca.key is created.
Creating the root certificate
Enter the following command:
req -new -x509 -days 3650 -key ca.key -out ca.crt -set_serial 1
Enter the password you already used and answer the subsequent questions. You can also
leave a field blank, in which case the default value shown in brackets is used. If you are sure you want a
field to remain empty, enter a single period (".").
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Siemens
Organizational Unit Name (eg, section) []:lab13
Common Name (eg, YOUR name) []:CA
Email Address []:lab13@siemens.com
The root certificate ca.crt is created.
2.5.1.2

Creating Certificates for the Server

Now create the server certificate request and the server certificate key. Create a CRL (Certificate Revocation List) to prevent the deployment of duplicate certificates: create the file index.txt with an editor and enter the content 01. This file is passed to the x509 command with -CAserial below; it holds the next serial number to be issued and is incremented by OpenSSL after every signing, so no two certificates get the same serial number.
Enter the following command to create a certificate request and key for the server:
req -new -newkey rsa:1024 -out servercert.csr -nodes -keyout servercert.key -days 3650
Answer the relevant questions with reasonable values. Assign a "challenge password" and an optional company name, such as siemens-sen. Two files are created with the names servercert.csr and servercert.key.
Enter the following command to create the server certificate:
x509 -req -in servercert.csr -out servercert.crt -CA ca.crt -CAkey ca.key -CAserial index.txt -days 3650
Enter the password already created (the pass phrase of ca.key). The server certificate servercert.crt is created.

2.5.1.3

Creating Certificates for Clients

You can now create the pairs for the clients. To do this, start by generating the certificate request and the certificate key, and finally generate the certificate.
Client certificate request and key
Enter the following command:
req -new -newkey rsa:1024 -out phonecert.csr -nodes -keyout phonecert.key -days 3650
Answer the relevant questions with reasonable values. Assign a "challenge password" and an optional company name, such as siemens-sen. Two files are created with the names
phonecert.csr and phonecert.key.
Client certificate
Enter the following command:
x509 -req -in phonecert.csr -out phonecert.crt -CA ca.crt -CAkey ca.key -CAserial index.txt -days 3650
Enter the password already created (the pass phrase of ca.key). The client certificate phonecert.crt is created.
If you want to password-protect the key on the client side, leave out the -nodes parameter
in the first call.
2.5.1.4

Overview of Files Generated

ca.key          root certificate key
ca.crt          root certificate
servercert.csr  RADIUS server certificate request
servercert.key  RADIUS server certificate key
servercert.crt  RADIUS server certificate
phonecert.csr   RADIUS client certificate request
phonecert.key   RADIUS client certificate key
phonecert.crt   RADIUS client certificate


2.5.2

Installing ACS

Make sure you are running an up-to-date version of the program. A later version than the one
described here (version 4.2) may differ in terms of layout and sequence. You can obtain the
program CD directly from CISCO or you can download it from the vendor's Web site. If the setup program does not start automatically, run it from the CD or the relevant storage location.
The first mask appears:

Ensure that the requirements listed are met. Do not click Next until all conditions are marked
as complete.
We recommend Cisco Switch IOS 12.2 (40) or later as the version for the requirement "Any
Cisco IOS AAA clients are running Cisco IOS release 11.1 or later".


- Check the ACS Internal Database only: the internal database is used for the following sample description.
- Also check the Windows User Database: "Active Directory" must be installed for this option.

Leave the first option marked and click Next.


You can define the display options now or later. We recommend marking all options straight
away. Click Explain if you want to see an explanation of the options. Click Next.

Leave the suggested settings and click Next.


Enter an access password for the internal database. Click Next.

Leave the options marked and click Next.


Complete installation with Finish. The Radius server is now available as a service on Windows
Server 2003.


2.5.3

Configuring ACS

You must add the IP address 127.0.0.1 to the list of trustworthy sites before you can open ACS
in Microsoft Internet Explorer.

Java must be installed for problem-free program operation.


The actions to be performed are described in the following sections:
1. Generating Certificate Chains with OPEN SSL Windows on page 81
2. Generating Certificates on page 90
3. Setting the Authentication Methods on page 99
4. Creating AAA Clients on page 101
5. Creating a User Group on page 103
6. Creating Users on page 108
7. Configuring a Switch

2.5.3.1

Generating Certificates

Open ACS via the Start menu. The home page opens in the browser:

Click System Configuration. The System Configuration window opens with the following selection:


Click ACS Certificate Setup. The ACS Certificate Setup selection window appears:


Click Install ACS Certificate. The following mask appears:


Activate "Read certificate from file", enter the path of the "ServerCert.csr" file in the "Certificate file" field and the path of the "ServerCert.key" file in the "Private key file" field. Enter
the password you entered during generation (see page 82). Complete your inputs with Submit.


The server certificate has already been installed. You do not have to perform a restart yet. Click
Cancel.


Enter the CA certificate (see page 82) in the field and confirm with Submit.


Ignore the restart prompt and click Cancel.

Select the certificate authority you trust in the "Certificate Trust List". This is "GVS Test CA" in
the test scenario. Click Submit followed by Cancel. Then click System Configuration in the
main column on the left. The following window appears:

Leave the settings and click Restart followed by Cancel.

2.5.3.2

Setting the Authentication Methods

Switch back to the System Configuration main menu.

Click "Global Authentication Setup". The following mask appears:


Apply the settings shown for EAP-TLS and click Submit + Restart.

2.5.3.3

Creating AAA Clients

Click Network Configuration in the main column on the left. The following window appears:

Click Add Entry for AAA clients. The following mask appears:


The "AAA Client Hostname" is "Lab13" here, for instance. Enter all of the client addresses in
the "AAA Client IP Address" field. Enter the password shared by the Radius server and switch
in the "Shared Secret" field. Select "RADIUS (Cisco IOS/PIX 6.0)" in the "Authenticate Using"
list. Click Submit + Apply.

2.5.3.4

Creating a User Group

Click Group Setup in the main column on the left. The following window appears:

Select "Group 1", for instance, in the list. Click Edit Settings. The following mask appears:


Click Submit. The following mask appears:


Activate "[009\001] cisco-av-pair" and enter "device-traffic-class=voice" in the field so that the
telephone reaches the voice VLAN. Click Submit. The following mask appears:


Activate "[006] Service-Type" and select "Call Check" in the list. Activate "[012] Framed-MTU"
and enter 1500. Click Submit + Restart. The following mask appears:


Rename the group "Siemens IP Phones", for instance, to give it a unique name. Complete your
input with Submit.

2.5.3.5

Creating Users

Click User Setup in the main column on the left. It contains the following window:

Enter the name of the user here, for example, PhoneCert. It must match the common name
(CN) of the client certificate. This name was specified when you generated the client certificate (see page 83). Click Add/Edit to go to the next mask.


Enter PhoneCert in the fields "Real Name" and "Description". Select "ACS Internal Database"
in the list for "Password Authentication". Use the common name (CN) "PhoneCert" also for the
password. Select the "Siemens IP Phones" group you already created in the list under "Group
to which the user is assigned". Complete your input with Submit.

2.6

Administrating Certificates in the DLS

In the DLS, certificates for the following server/client configurations can be administrated:
- Server: DLS, Client: IP Phone
- Server: RADIUS Server, Client: IP Phone

Note: Certificates can only be administrated via the DLS, not via WBM or directly on the
telephone.
Please ensure that all end devices are provided with the current time via an NTP server
before the certificates are deployed.
For further information please refer to the Administrator Manual
"HiPath Deployment Service".

2.6.1

Plug&Play Template

To preconfigure certificates via Plug&Play, these need to be saved in a template in DLS which
in turn needs to be part of a profile.
To import certificates in DLS, proceed as follows:
1. Make the phone certificate available from the user certificate for DLS (see Export the User Certificate from the Certificate Store on page 78 or Obtaining or creating Certificates on page 9).
2. Make the server certificate available from the root certificate for DLS (see Export the Certificate from the Certificate Store on page 70 or Obtaining or creating Certificates on page 9).
3. Import the phone certificate from the user certificate.
4. Import the server certificate from the root certificate.
5. If a second certificate is required to enable the swap out of certificates: import the server certificate once again from the root certificate.
6. Then save it in a new or existing "template".

Note: For more information on how to create the templates, refer to the chapters "Importing
Phone and RADIUS Certificates (Certificate for IEEE 802.1x)" and "Editing Templates (Generating and Managing Templates)" in the "HiPath Deployment Service"
Administration Manual.

Plug and Play with IEEE 802.1X

3.1

Overview

A 4-phase configuration is needed to set up the plug & play feature that downloads parameters
and certificates. This section describes the 4 phases.
The creation of certificates and the RADIUS installation was described in previous sections of
this documentation.
The 4 phases are:
- Configure Plug & Play in DLS
- DHCP Configuration
- Switch Configuration (Cisco)
- Freeradius Configuration (user file)


3.2

Test environment

First of all, here is some information about the DATA network of the test environment.
The test is done between two Catalyst 3560 switches (referred to as Lab 12 and Lab 11).
The XP client, i.e. the telephone (supplicant), and the "Authentication Server" (RADIUS) are
connected to the first switch (referred to as "Authenticator" in the following sections).
The second switch is the router (interconnection VLAN routing connects the address ranges);
the DLS and the DHCP server are connected to this switch. The connection between the two
switches is tunneled (IEEE 802.1X-transparent).

[Figure: Switch (Authenticator) with VLAN 12 and VLAN 212; Router with VLAN interconnection, Guest VLAN 212 allowed; ACL: 212 -> DLS -> DHCP]

3.3

DHCP Configuration

In the case of a new telephone right out of the box, the only parameter known is the MAC address.
The presetting for DHCP is "on".
As the telephone does not have a certificate, and the switch is configured with an IEEE 802.1X
guest VLAN, the telephone is assigned to the Guest VLAN 212 (address range 212) after the EAP check.
During switch monitoring (after a timeout) you can see that the port is assigned to VLAN 212.


3.4

Configuring Plug & Play in DLS

3.4.1

Plug&Play Creating profiles

Once you have opened the Deployment Service in a browser, proceed as follows:
1. Go to Profile Management > Device Profile.
2. Either search for an existing device profile using the search function or create a new one.
3. On the "Templates" tab, add the previously created template of the IEEE 802.1x mask (see page 110) to the selected profile.
4. If the current profile should be the default profile, ensure that the "Default Profile" button is activated.
5. The configuration data in a profile is assigned to certain terminals via virtual devices. From the DLS's point of view, these are complete devices which will later be assigned a physical device; all the configuration parameters of the virtual device are then applied to the physical device.
For the different ways to create virtual devices and to change the assignment between virtual and physical devices, please refer to the "Workpoint Autoconfiguration (Plug & Play)"
chapter in the DLS administration manual.


3.5

DHCP Address Pool (Scope)

If the start address is sent following the DHCP request, the gateway address is set to
10.12.212.254 (gateway presetting for VLAN 212). Using this address, the DHCP address scope
10.23.212.0 is available.
The following display shows the DHCP address pool, which makes it possible to provide an IP
address (in this case 10.23.212.1) and the "DLS IP address" so that DLS can be run.


3.6

Example for Cisco Catalyst 3560 Configuration (Port used: fa0/12)

3.6.1

Restrictions

- Tests with other RADIUS servers, such as IAS or the CISCO RADIUS server, have not been performed. If a test with the IAS RADIUS server is necessary, it will be planned.
- ACL lists from FreeRADIUS are out of scope.
- Only one PC behind the phone is possible.
- If the phone has the voice VLAN and the switch did not receive the cisco-av-pair string device-traffic-class=voice, the Cisco switch goes into a violation state and the port goes out of order (as described).
- The Plug and Play function can work in two different modes:
  - The voice VLAN is transmitted via DHCP: MAB and EAP-TLS must be filled with Cisco-AVPair = "device-traffic-class=voice". Not recommended.
  - The voice VLAN is transmitted via DLS: MAB without Cisco-AVPair, EAP-TLS with Cisco-AVPair = "device-traffic-class=voice".
- The FreeRADIUS trace and debug output was recorded for the Plug and Play (not recommended scenario).


3.6.2

Configuration

3.6.2.1

Cisco configuration (Port used: fa0/12)

version 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Switch
!
logging buffered 65535 debugging
enable secret 5 $1$ffD2$IsDN7o4qaMWo9nTctonq61
!
username cisco password 7 01100F175804
! 802.1X authentication and network authorization (VLAN / av-pair) come from the RADIUS group
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
clock timezone utc 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name GVS.LAB
ip dhcp excluded-address 10.23.12.254
ip dhcp excluded-address 10.23.12.1 10.23.12.100
!
!
! enables 802.1X globally; per-port behaviour is set on the interfaces below
dot1x system-auth-control
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name GVSLAB
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode access
 duplex half
 spanning-tree portfast
!
.
!
! phone port: data VLAN 112, voice VLAN 12, EAP-TLS with MAB fallback,
! multi-domain = one phone plus one PC behind it
interface FastEthernet0/12
 switchport access vlan 112
 switchport mode access
 switchport voice vlan 12
 dot1x mac-auth-bypass eap
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout quiet-period 20
 dot1x timeout tx-period 10
 spanning-tree portfast
!
.
.
!
!
interface FastEthernet0/23
 switchport access vlan 12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/24
 description --- Trunk zu GVSLAB_r01 int fa0/14 --
 switchport trunk pruning vlan none
!
!
interface Vlan1
 ip address 10.23.9.2 255.255.255.0
!
ip default-gateway 10.23.9.254
ip classless
ip http server
!
!
ip access-list extended DLSServerOnly
!
! RADIUS server (FreeRADIUS / ACS); the key is the "Shared Secret" entered on the server
radius-server host 10.23.12.99 auth-port 1812 acct-port 1813 key 7 1213091D515A5E577E7E
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
 password 7 030954090F03285857
line vty 0 4
 password 7 030954090F03285857
line vty 5 15
 exec-timeout 30 0
 password 7 030954090F03285857
!
!
monitor session 1 source interface Fa0/12 , Fa0/19
monitor session 1 destination interface Fa0/23 encapsulation replicate ingress untagged vlan 112
ntp clock-period 36028550
ntp server 10.23.9.254
end


3.7

Example for a freeradius configuration (user file)

# Items on an entry's first line (==, :=) are check items that must match the Access-Request;
# the indented lines are reply items returned in the Access-Accept.
admin           Auth-Type := local, User-Password == "clipublic"
                Service-Type = Login-User,
                Login-Service = Telnet,
                Login-TCP-Port = 23,
                filter-id = "Enterasys:version=1:mgmt=su:policy=test"
################################################################
# Phone1 with CN= PhoneCert1 coming from certificate
PhoneCert1      Service-Type == Framed-User
                Cisco-AVPair = "device-traffic-class=voice"
################################################################
# Phone2 with CN= PhoneCert2 coming from certificate
PhoneCert2      Service-Type == Framed-User
                Cisco-AVPair = "device-traffic-class=voice"
################################################################
# PC1 with CN= PcCert1 coming from certificate
PcCert1         Service-Type == Framed-User
################################################################
# PC2 with CN= PcCert2 coming from certificate
PcCert2         Service-Type == Framed-User
################################################################
# Phone1 without certificate, for P&P via DLS
# (MAB: the switch sends the MAC address as user name and password, Service-Type Call-Check)
0001e3261dfb    User-Password == "0001e3261dfb", Service-Type == call-check
                framed-MTU = 1500
#               cisco-avpair += "ip:inacl#1=permit ip any 10.23.11.140 0.0.0.0 ",
#               cisco-avpair += "ip:inacl#2=permit ip any 10.23.12.99 0.0.0.0 "
################################################################
# Phone2 without certificate, for P&P via DLS
0001e32621f1    User-Password == "0001e32621f1", Service-Type == call-check
                framed-MTU = 1500
#               cisco-avpair += "ip:inacl#1=permit ip any 10.23.11.140 0.0.0.0 ",
#               cisco-avpair += "ip:inacl#2=permit ip any 10.23.12.99 0.0.0.0 "
#################################################################
# Pc 1 without certificate, no authentication
003005ad48f4    User-Password == "003005ad48f4", Service-Type == call-check
                framed-MTU = 1500
#################################################################
# Pc 2 without certificate, no authentication
000476118a14    User-Password == "000476118a14", Service-Type == call-check
                framed-MTU = 1500
#################################################################
siemens         Auth-Type := local, User-Password == "siemens"
                Service-Type = Login-User,
                Login-Service = Telnet,
                Login-TCP-Port = 23,
                Nas-Identifier = Quidway

3.8 Plug and Play function

3.8.1 Plug and Play function with VLAN sent from DLS

The phone begins without certificate (factory reset).

The phone is booting.
The phone sends <<DHCP discover>> in an untagged frame.
In the Cisco switch, the Data VLAN is in blocking state and the Voice VLAN in learning state.
The Cisco switch sends an EAP <<request identity>> to the phone.
The phone does not answer (no certificates).
On no answer -> dot1x timeout in the Cisco switch.
On dot1x timeout, the Cisco switch sends an Access-Request to the RADIUS server (MAB function; MAB = MAC Authentication Bypass).
RADIUS returns <<Access accept>> (because the PAP entry for the phone is added in the USER list -> see the user list in the FreeRADIUS configuration (user file)).
The Cisco switch adds a TCAM entry for the phone into the DATA VLAN.
DATA VLAN IS OPEN
The phone continues to send <<DHCP discover>>. This DHCP message is now sent on the DATA VLAN to the DHCP scope for DATA (DHCP server).
The phone receives an IP address from the DATA VLAN scope (STILL NO VOICE VLAN).
The phone reaches the DLS (Plug and Play active).
The phone receives from the DLS the CERTIFICATES, the VOICE VLAN and other items.
The phone reboots with certificates in the VOICE VLAN.
The Voice VLAN is in learning state in the Cisco switch.
The Cisco switch sends an EAP <<request identity>> to the phone.
Because the certificates are now in the phone, the phone returns a <<response identity>> (tagged frame) to the switch, with the CN from the certificate as user name.
On this message, RADIUS returns Access accept (because EAP-TLS is configured in FreeRADIUS and the CN from the certificate is added in the USER list). Now the certificate negotiation begins. For this user the cisco-av-pair=device-traffic-class=voice is added, and this STRING is returned to the Cisco switch. With this STRING, the Cisco switch removes the TCAM entry for the DATA VLAN and adds the phone's TCAM entry for the VOICE VLAN.
VOICE VLAN IS OPEN
The phone continues to send <<DHCP discover>>. This DHCP message is now sent through the VOICE VLAN (tagged frame). The phone receives from the DHCP VOICE VLAN scope all the items for SIP REGISTERING.
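The two-stage flow above (MAB first, EAP-TLS once the phone has its certificate) can be checked against the FreeRADIUS users file from the previous section. The following is an added example, not code from this manual or from FreeRADIUS: it parses entries written in the users-file style shown on this page and derives the switch-side outcome for a supplicant. The Access-Request models are simplified assumptions (MAB carries the MAC as User-Name and User-Password with Service-Type Call-Check; EAP-TLS carries the certificate CN as User-Name with Service-Type Framed-User), and the users-file text is constructed from the page's own sample entries.

```python
"""Added example (not the manual's or FreeRADIUS's own code): a small parser for
the 'users' file style shown in this chapter plus a function that derives the
switch-side outcome of the plug-and-play flow (MAB -> DATA VLAN with the inacl
lines, EAP-TLS identity -> VOICE VLAN via device-traffic-class=voice)."""
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the entries of the page's users file.
USERS_FILE = """\
# Phone1 with CN=PhoneCert1 coming from certificate
PhoneCert1
        Service-Type == Framed-User
        Cisco-AVPair = "device-traffic-class=voice"
# PC1 with CN=PcCert1 coming from certificate
PcCert1
        Service-Type == Framed-User
# Phone1 without certificate: MAB entry used during plug and play
0001e3261dfb User-Password == "0001e3261dfb"
        Service-Type == call-check,
        framed-MTU = 1500,
        cisco-avpair += "ip:inacl#1=permit ip any 10.23.11.140 0.0.0.0 ",
        cisco-avpair += "ip:inacl#2=permit ip any 10.23.12.99 0.0.0.0 "
"""

# attribute, operator, value (quotes and trailing comma optional)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(\+=|==|:=|=)\s*"?(.*?)"?\s*,?\s*$')


@dataclass
class Entry:
    name: str
    checks: dict = field(default_factory=dict)    # check items: must match the request
    replies: list = field(default_factory=list)   # (attribute, value) reply items


def parse_users(text):
    """A line starting in column 0 opens an entry (name plus optional check items);
    indented lines hold further items. '==' is always a check item, anything else
    on an indented line is a reply item, which is how the sample file is written."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        first_line = not raw[0].isspace()
        if first_line:
            name, _, rest = raw.strip().partition(" ")
            current = Entry(name)
            entries.append(current)
            items = [i for i in rest.split(",") if i.strip()]
        else:
            items = [raw]
        for item in items:
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError(f"cannot parse item: {item!r}")
            attr, op, value = m.group(1).lower(), m.group(2), m.group(3).strip()
            if op == "==" or first_line:
                current.checks[attr] = value
            else:
                current.replies.append((attr, value))
    return entries


def mab_request(mac):
    """Assumed model of the MAB Access-Request: the switch sends the MAC address
    as both User-Name and User-Password, with Service-Type Call-Check."""
    return {"user-name": mac, "user-password": mac, "service-type": "Call-Check"}


def eap_tls_request(cn):
    """Assumed model of the EAP-TLS request: the identity is the certificate CN."""
    return {"user-name": cn, "service-type": "Framed-User"}


def match_entry(entries, request):
    """First entry whose name is the User-Name and whose check items all match."""
    for e in entries:
        if e.name != request.get("user-name"):
            continue
        if all(request.get(a, "").lower() == v.lower() for a, v in e.checks.items()):
            return e
    return None


def authorize(entries, request):
    """Derive what the switch does with the reply, as described in 3.8.1."""
    entry = match_entry(entries, request)
    if entry is None:
        return {"result": "Access-Reject"}
    avpairs = [v for a, v in entry.replies if a == "cisco-avpair"]
    acls = [v.split("=", 1)[1] for v in avpairs if v.startswith("ip:inacl#")]
    voice = "device-traffic-class=voice" in avpairs
    return {"result": "Access-Accept",
            "domain": "VOICE" if voice else "DATA",   # VOICE only with the AV pair
            "acl": acls}                                # inacl lines for the DATA phase


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for req in (mab_request("0001e3261dfb"), eap_tls_request("PhoneCert1"),
                eap_tls_request("PcCert1"), mab_request("00aabbccddee")):
        print(req["user-name"], authorize(users, req))
```

The MAB entry opens only the DATA VLAN and carries the inacl lines that confine the unauthenticated phone to the DLS and the second listed host; the same MAC with a certificate later matches its CN entry instead and is moved to the VOICE VLAN. Note that a MAB request for a certificate identity is rejected by the Service-Type check item, so the two entry kinds cannot be mixed up.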

3.8.2 Phones and PC interoperability

3.8.2.1 Example: the phone has a certificate, the PC has no certificate

Switch#show dot1x interface fastEthernet 0/12 det

Dot1x Info for FastEthernet0/12
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
ReAuthentication          = Disabled
QuietPeriod               = 20
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)

Dot1x Authenticator Client List

Domain                    = DATA
Supplicant                = 0004.7611.8a14
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Vlan Policy               = N/A

Domain                    = VOICE
Supplicant                = 0001.e326.1dfb
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
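The client list above is the end state an administrator wants to see after plug and play: the phone in the VOICE domain authorized by Dot1x (certificate), the PC in the DATA domain authorized by MAB. The following added example, not code from the manual or from Cisco, parses this output into per-domain records and reports deviations from that end state, such as a phone still sitting in MAB or no supplicant in the VOICE domain. The output text is constructed to match the page's sample (the MAC addresses are the page's own); the expected-state table is an assumption for this page's setup.

```python
"""Added example (not from the manual or Cisco IOS): parse the client list of
'show dot1x interface ... detail' and check the per-domain end state of the
plug-and-play flow (VOICE authorized by Dot1x, DATA authorized by MAB)."""
import re

# Constructed sample in the format of the page's switch output.
SHOW_DOT1X = """\
Dot1x Info for FastEthernet0/12
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = MULTI_DOMAIN
Mac-Auth-Bypass           = Enabled (EAP)

Dot1x Authenticator Client List

Domain                    = DATA
Supplicant                = 0004.7611.8a14
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = MAB
Authorized By             = Authentication Server
Vlan Policy               = N/A

Domain                    = VOICE
Supplicant                = 0001.e326.1dfb
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
"""

# "Key words   = value" lines; keys may contain spaces and hyphens
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*=\s*(.*?)\s*$")

# Assumed expected end state for this page's setup: phone via certificate,
# PC without certificate via MAC authentication bypass.
EXPECTED = {"VOICE": "Dot1x", "DATA": "MAB"}


def parse_show_dot1x(text):
    """Return (port_info, clients): port_info holds the port-level settings,
    clients one dict per 'Domain = ...' block of the client list."""
    port_info, clients, current = {}, [], None
    in_clients = False
    for line in text.splitlines():
        if line.startswith("Dot1x Authenticator Client List"):
            in_clients = True
            continue
        m = KV_RE.match(line)
        if not m:
            continue                      # banner, blank and separator lines
        key, value = m.group(1), m.group(2)
        if not in_clients:
            port_info[key] = value
        elif key == "Domain":             # a new supplicant record starts here
            current = {"Domain": value}
            clients.append(current)
        elif current is not None:
            current[key] = value
    return port_info, clients


def check_end_state(clients, expected=EXPECTED):
    """Return a list of findings; an empty list means the port matches the
    expected end state. Flags unauthorized domains, a domain authorized by a
    different method than expected, and expected domains with no supplicant."""
    findings, seen = [], set()
    for c in clients:
        dom = c.get("Domain")
        seen.add(dom)
        if c.get("Port Status") != "AUTHORIZED":
            findings.append(f"{dom}: port status {c.get('Port Status')}")
        want, got = expected.get(dom), c.get("Authentication Method")
        if want and got != want:
            findings.append(f"{dom}: authorized by {got}, expected {want}")
    for dom in expected:
        if dom not in seen:
            findings.append(f"{dom}: no supplicant in this domain")
    return findings


if __name__ == "__main__":
    info, clients = parse_show_dot1x(SHOW_DOT1X)
    print(info["HostMode"], [c["Domain"] for c in clients])
    print(check_end_state(clients) or "port in expected end state")
```

During the first phase of plug and play the same check returns "VOICE: no supplicant in this domain", which is the normal intermediate state; if it persists after the phone has rebooted with its certificate, the EAP-TLS step (CN entry in the users file, certificate chain) is the place to look.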

3.9 Switch Configuration Samples

3.9.1 Switch - Example 1: "Cisco Configuration"

GVSLAB_s02#show dot1x interface fastEthernet 0/12

Supplicant MAC <Not Applicable>
AuthSM State          = CONNECTING
BendSM State          = IDLE
Posture               = N/A
ReAuthPeriod          = 15 Seconds (Locally Configured)
ReAuthAction          = Reauthenticate
TimeToNextReauth      = N/A
PortStatus            = UNAUTHORIZED
MaxReq                = 2
MaxAuthReq            = 2
HostMode              = Multi
PortControl           = Auto
ControlDirection      = Both
QuietPeriod           = 60 Seconds
Re-authentication     = Enabled
ReAuthPeriod          = 15 Seconds
ServerTimeout         = 30 Seconds
SuppTimeout           = 30 Seconds
TxPeriod              = 30 Seconds
Guest-Vlan            = 212
AuthFail-Vlan         = 0
AuthFail-Max-Attempts = 3
Critical Port         = Disabled

GVSLAB_s02#show dot1x interface fastEthernet 0/12

Supplicant MAC <Not Applicable>
AuthSM State          = AUTHENTICATED(GUEST_VLAN)
BendSM State          = IDLE
Posture               = N/A
ReAuthPeriod          = 15 Seconds (Locally Configured)
ReAuthAction          = Reauthenticate
TimeToNextReauth      = N/A
PortStatus            = AUTHORIZED(GUEST-VLAN)
MaxReq                = 2
MaxAuthReq            = 2
HostMode              = Multi(GUEST VLAN)
This output shows the configuration of the port on switch GVSLAB_s02 to which the phone (supplicant) is connected, before and after the port is authorized into the guest VLAN.

!
interface FastEthernet0/12
switchport access vlan 112
switchport mode access
switchport voice vlan 12
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout reauth-period 15
dot1x guest-vlan 212
dot1x reauthentication
spanning-tree portfast
At this point the guest VLAN (address range 212) must be given access rights to the DHCP and DLS servers.
The VLAN interconnection is created in the router. An ACL is generated that grants the guest VLAN access only to the DLS (10.23.11.140) and to DHCP (bootps and bootpc).
With the setting dot1x host-mode multi-host, once an 802.1X client has authenticated successfully on the first VLAN, further clients are admitted on the "voice VLAN" without restriction.
/1/

If you set dot1x host-mode single-host, only one 802.1X client is permitted on the first VLAN; other devices are blocked.

If you set dot1x host-mode multi-domain, the telephone and the PC must authenticate individually.
Ensure that port-control is set to "auto".
GVSLAB_r01#show run
Building configuration...
!
interface Vlan212
ip address 10.23.212.254 255.255.255.0
ip access-group PermitDLSServerOnly in
ip helper-address 10.23.11.140
!
ip access-list extended PermitDLSServerOnly
permit ip 10.23.212.0 0.0.0.255 host 10.23.11.140
permit ip 10.23.212.0 0.0.0.255 host 10.23.12.1
permit udp any any range bootps bootpc
!
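The router ACL above is what keeps an unauthenticated device in the guest VLAN from reaching anything but the DLS, the second listed host and DHCP. The following added example, not code from the manual or from Cisco IOS, is a small evaluator for extended ACL lines of this form: it parses the page's own ACL text and decides sample packets the way the router does (first matching rule wins, implicit deny at the end), so the intended restriction can be verified before the guest VLAN is enabled. The packets are constructed; the port-name table covers only the two names the ACL uses, which is an assumption of this example.

```python
"""Added example (not from the manual or Cisco IOS): evaluate extended ACL
lines of the form used for the guest VLAN against sample packets. Wildcard
masks are inverted netmasks: a 0 bit in the mask must match, a 1 bit is free."""
import ipaddress

# Assumed: only the two port names the page's ACL uses are resolved here.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# The page's own ACL text.
ACL = """\
ip access-list extended PermitDLSServerOnly
 permit ip 10.23.212.0 0.0.0.255 host 10.23.11.140
 permit ip 10.23.212.0 0.0.0.255 host 10.23.12.1
 permit udp any any range bootps bootpc
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _portnum(s):
    return PORT_NAMES.get(s) or int(s)


def _addr(tokens):
    """Consume one address specifier: 'any', 'host A' or 'A WILDCARD'.
    Returns ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _port(tokens):
    """Consume an optional port match ('eq P' or 'range P Q'); None matches any port."""
    if tokens and tokens[0] == "eq":
        p = _portnum(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_portnum(tokens[1]), _portnum(tokens[2])), tokens[3:]
    return None, tokens


def parse_acl(text):
    """Return a list of (action, protocol, src, sport, dst, dport) rules."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                      # header and comment lines
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t)
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _match_addr(spec, ip):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF             # bits the wildcard requires to match
    return (_ip(ip) & keep) == (base & keep)


def _match_port(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching rule decides; a packet matching no rule hits the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto):   # 'ip' rules cover every protocol
            continue
        if (_match_addr(rsrc, src) and _match_port(rsport, sport)
                and _match_addr(rdst, dst) and _match_port(rdport, dport)):
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL)
    # Constructed packets from a guest-VLAN device.
    print("to DLS      :", evaluate(rules, "tcp", "10.23.212.10", "10.23.11.140", dport=443))
    print("DHCP discover:", evaluate(rules, "udp", "0.0.0.0", "255.255.255.255", 68, 67))
    print("other host  :", evaluate(rules, "tcp", "10.23.212.10", "10.23.11.141", dport=22))
```

The DHCP rule is deliberately "any any" because a DHCP discover is sent from 0.0.0.0 to the broadcast address before the device has an address; everything else from the guest range is dropped by the implicit deny, which is the property the check confirms.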

3.9.2 Switch Example 2: "Enterasys Matrix N1 Platinum Configuration"

MATRIX N1 PLATINUM
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 USA
Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2007
Chassis Serial Number: 06125174630P
Chassis Firmware Revision: 05.42.06
Matrix N1 Platinum(su)->show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
# ***** NON-DEFAULT CONFIGURATION *****
# ip
set ip address 10.23.9.96 mask 255.255.255.0
set ip route default 10.23.9.254
# arp
# authentication
# banner
# cdp
# cep
# ciscodp
# cli
# console
# cos port-config
# cos port-resource
# cos reference
# cos settings
# cos state
# dot1x
set dot1x enable
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.1
set dot1x auth-config reauthperiod 120 fe.1.7
set dot1x auth-config reauthperiod 120 fe.1.8
set dot1x auth-config reauthperiod 120 fe.1.11
set dot1x auth-config reauthperiod 120 fe.1.12
set dot1x auth-config reauthenabled true fe.1.7-8,11-12 ***** Ports Guest *******
# flowlimit
# forcelinkdown
# garp
# gvrp
# history

# igmp
# inlinepower
# lacp
set lacp disable
# length
# license
# line-editor
# linkflap
# lldp
# logging
set logging application RtrAcl level 8
set logging application CLI level 8
set logging application SNMP level 8
set logging application Webview level 8
set logging application System level 8
set logging application RtrFe level 8
set logging application Trace level 8
set logging application RtrLSNat level 8
set logging application FlowLimt level 8
set logging application UPN level 8
set logging application AAA level 8
set logging application Router level 8
set logging application AddrNtfy level 8
# logout
# mac
# macauthentication
set macauthentication enable
set macauthentication password demo
set macauthentication port enable fe.1.11-12
set macauthentication quietperiod 30 fe.1.11-12
set macauthentication reauthperiod 120 fe.1.11-12
set macauthentication reauthentication enable fe.1.11-12
# maclock
# mgmt-auth-notify
# movedaddrtrap
# mtu
# multiauth
set multiauth mode multi
set multiauth precedence dot1x mac pwa cep
set multiauth port mode auth-reqd fe.1.12
************ Authentication is always required ***********
# netflow
# newaddrtrap
# nodealias
# physical

# policy
set policy profile 1 name "allow access voice" pvid-status enable pvid 12 (Voice VLAN)
set policy profile 2 name "allow access data" pvid-status enable pvid 112 (DATA VLAN)
set policy profile 3 name "allow access guest" pvid-status enable pvid 212 (GUEST VLAN)
set policy rule admin-profile port fe.1.7 mask 16 port-string fe.1.7 admin-pid 3
set policy rule admin-profile port fe.1.8 mask 16 port-string fe.1.8 admin-pid 3
set policy rule admin-profile port fe.1.11 mask 16 port-string fe.1.11 admin-pid 3
set policy rule admin-profile port fe.1.12 mask 16 port-string fe.1.12 admin-pid 3
***** Port 7,8, 11 and 12 should use Profile 3, i.e. go to the guest VLAN. ****
set policy autoclear enable
set policy autoclear profile enable
set policy maptable response both
!
# port
set port mirroring create fe.1.11 fe.1.2 both
set port mirroring create fe.1.12 fe.1.2 both
set port mirroring disable fe.1.12 fe.1.2
set port vlan fe.1.2 12
set port vlan fe.1.7 12
set port vlan fe.1.8 12
set port vlan fe.1.11 12
set port vlan fe.1.12 12 ******* assign these ports to VLAN 12 = VOICE VLAN *******
# prompt
# pwa
set pwa enable
set pwa enhancedmode enable
set pwa gueststatus authnone
set pwa protocol chap
set pwa portcontrol enable fe.1.12
# rad
# radius
set radius enable
set radius server 1 10.23.12.99 1812 :dcf48ed62c5bfb984158d7648a9cfed2f325fbb7:
# rmon alarm
# rmon capture
# rmon channel
# rmon event
# rmon filter
# rmon history
# rmon host
# rmon matrix
# rmon stats
# rmon topN
# router
# smon

# snmp
set snmp access groupRW security-model v1 exact read All write All notify All
set snmp access groupRW security-model v2c exact read All write All notify All
set snmp community public
set snmp group groupRW user public security-model v1
set snmp group groupRW user public security-model v2c
set snmp view viewname All subtree 1
set snmp view viewname All subtree 0.0
# sntp
# spantree
# ssh
# summertime
# system
set system login enterasys read-only disable password :c8f6b8ae63473088dcf9c7e800a245d445b50d62:
set system login mobility read-only disable password :29c6bff7ed3e5e334a43253c136cb9a8c5a40cb9:
# tacacs
# telnet
# timezone
# vlan
set vlan create 12,112,212 *********** Create VLAN *************
set vlan name 12 VOICE
set vlan name 112 DATA
set vlan name 212 GEST *********************************************
clear vlan egress 1 fe.1.2,7-9,11-12
set vlan egress 1 lag.0.1-48;host.0.1;fe.1.1,3-6,10,13-48 untagged
set vlan egress 12 fe.1.1,11-12 tagged ******* assign port 12 to tagged VLAN 12 *********
set vlan egress 12 fe.1.2,7-9,13 untagged
set vlan egress 112 fe.1.1 tagged
set vlan egress 112 fe.1.7-9,11-13 untagged ****** assign port 12 to untagged VLAN 112 **
set vlan egress 212 fe.1.1 tagged
set vlan egress 212 fe.1.11-12 untagged ****** assign port 12 to untagged VLAN 212 *******
set vlan dynamicegress 12,112,212 enable
******** fe 1.1 is the connection to the router ****************
# vlanauthorization
# webview
# width
end

3.9.3 Switch Example 3: "ProCurve Configuration"

running configuration:
; J8164A Configuration Editor; Created on release #H.10.50
hostname "ProCurve Switch 2626-PWR"
vlan 1
name "DEFAULT_VLAN"          (guest VLAN for unauthorized access)
untagged 25-26
ip address 192.168.1.20 255.255.255.0
no untagged 1-24
exit
vlan 202
name "voiceVlanSN2"          (voice VLAN for phones)
ip address 192.168.6.2 255.255.255.0
tagged 1-26
exit
vlan 2                       (data VLAN for PCs)
name "Testust1"
untagged 1-24
ip address 192.168.2.2 255.255.255.0
tagged 25
exit
aaa authentication port-access eap-radius          (configures the 802.1x authentication method: eap-radius)
radius-server host 192.168.1.2
radius-server key global_key_string
aaa port-access authenticator 14,17-18,20          (ports 14, 17, 18 and 20 are made available for 802.1x authentication)
aaa port-access authenticator 14 reauth-period 3600   (authentication is re-checked after 1 hour)
aaa port-access authenticator 14 unauth-vid 1      (clients on port 14 that cannot be authenticated only get access to the guest VLAN, with access to the DLS for the certificate download)
aaa port-access authenticator 14 client-limit 3    (number of permitted authenticated devices; on our 2626-PWR with FW H.10.50, 3 must be entered here if 2 devices (phone and PC) are to be granted access)
aaa port-access authenticator 17 reauth-period 3600   (no guest VLAN is configured on port 17, as a PC is connected behind the phone)
aaa port-access authenticator 17 client-limit 3
aaa port-access authenticator 18 reauth-period 3600
aaa port-access authenticator 18 unauth-vid 1
aaa port-access authenticator 18 client-limit 3
aaa port-access authenticator 20 reauth-period 3600
aaa port-access authenticator 20 unauth-vid 1
aaa port-access authenticator 20 client-limit 3
aaa port-access authenticator active               (activates 802.1x authentication)

Index

A
Access Rights 48
Active Directory 17
Group 45
User 38
Allow access 43

C
CA certificate 67
Certificate
download, create 9
Formats 14
Sample 15
Certificate Authority 9, 30
certificate chain 67, 68
Certificate Export 70
Certificate Services 9, 28
Certification Authority Service 66
Certification Type 29

D
DNS Host 49

E
EAP Configuration 56
EAP Methods 64
EAP Type 61
Enterprise root CA 29

F
flow chart 4
FreeRADIUS
installation 7

I
IAS 35
IEEE 10
IIS 26
Internet Authentication Service 36
Internet Information Services 26

L
Linux 9.0 1, 6

O
OpenSSL
Installation 6

R
RADIUS Client 52, 53
Remote Access Policy 57
Request a Certificate 71
Root Certificate 67, 70

S
Server for TLS 12

T
TLS
Server 12

U
User Certificate 71, 72, 77

Glossary

ACL
Abbreviation of Access List. This is a list of restrictions for the guest VLAN.
Authenticator
An "Authenticator" in the context of IEEE 802.1X is a Network Access Server acting as a bouncer in a RAS solution. Clients (called "supplicants") apply for access, and the authenticator decides whether to grant or deny access after consulting a central authentication server using the RADIUS protocol.
Auto-Enrollment
Available since Windows Server 2003. Introduces the capability to automatically request and distribute certificates if this is necessary according to the policies.
CA
see Certificate Authority
Certificate Authority
A Certificate Authority (in short: CA) is an organization which issues digital certificates. In IT, a digital certificate is basically the equivalent of a passport and is used to verify that a public key belongs to an individual or an organization. This assignment is certified by the CA by signing the certificate with its own signature.
Certificates comprise "keys" and additional information required for authentication as well as for encryption/decryption of sensitive or confidential data sent through the internet or other networks. Additional information may be expiry dates, references to certificate revocation lists, etc., and is included in the certificate by the CA.
The basic task of a CA is to issue and verify these digital certificates. The CA is responsible for providing, assigning and checking the integrity of the certificates. Therefore it is an important part of the public key infrastructure.
A Certificate Authority may be a specific company (e.g. GlobalSign / Cybertrust, VeriSign) or an institution within a company that has installed its own special server (e.g. the Microsoft Certificate Server). Public organizations or federal agencies may also act as CAs (e.g. the Federal Network Agency in Germany).

EAP
EAP (Extensible Authentication Protocol) facilitates using a wider variety of authentication protocols and thus makes unauthorized access even more difficult.
EAPOL
The Extensible Authentication Protocol Over LAN (EAPOL, defined in IEEE 802.1X) is a transport protocol for EAP, encapsulating EAP packets. With EAPOL, EAP can also be used in heterogeneous WAN environments.
EAP-TLS
EAP-TLS is a variant of EAP that processes EAP communication via a secure TLS connection. It can also be used for generating WEP keys and thus protect a WLAN.
EAP-TTLS
EAP-TTLS is a variant of EAP-TLS. In addition to enabling authentication via certificates (as does EAP-TLS), EAP-TTLS also allows the use of other EAP methods such as MD5 Challenge and One-Time Password.
Entity
In information technology an entity (synonym: information object) is a uniquely defined object to which information is assigned. The objects can be tangible (e.g. Mount Kilimanjaro) or intangible (e.g. department RK12 of a company Demo-AG).
Each entity (the individual object) is assigned to an entity type - in the examples above "mountain" and "department". Entities are concrete occurrences of an entity type. Sometimes the proper term "entity type" is misused for "entity" (the individual occurrence of an entity type); however, in most cases it is clear from the context whether the term refers to the individual object or the object type.
Individual entities of the same entity type are grouped into entity sets. The entities within an entity set differ from each other by their properties (attribute values).
Each entity of a certain entity type can be differentiated from other entities of the same entity type by a unique value of an attribute (e.g. the vehicle identification number for a specific car or the ISBN number for a specific book).
An entity may be in a relationship with other entities as well as with itself.
For more information about the Entity Relationship Model please refer to detailed documentation available through relevant sources (e.g. search in Google).
Entity types are e.g.

Customer, identified by the attribute "Customer Number"

Bank account, identified by the attribute "Account Number"

Book, identified by the attribute "Inventory Number" (e.g. in a library)

Book, identified by the attribute "ISBN" (in case of a publishing house)

IIS
HTTP server provided by Microsoft
PING
Abbreviation for "Packet Internet Groper".
In this case an Echo Request packet is sent to the target address. If the target supports the protocol and if it is available, it returns an Echo Reply.
Public Key Infrastructure (PKI)
Provides an arrangement for using public keys and is a combination of software, encryption technologies and services. A PKI should provide the following functions:

Certification Authorities (see Certificate Authority) that can issue and revoke certificates;

Certificate Publishers where certificates are stored and can be looked up;

Tools for management of keys and certificates;

Programs and applications that can use public keys.

RADIUS
RADIUS is a protocol used for authentication in distributed RAS solutions. It facilitates the exchange of authentication, authorization and configuration data between a central authentication server and the decentralized Network Access Servers (NAS), which work as clients of the RADIUS server. If a user works remotely and connects to the NAS, the NAS requests username, password, NAS-ID and Port-ID. It then verifies the information (and, if necessary, the requirements for the session and the service ports) using the RADIUS database. Thus, for each user the use of higher IP protocols can be allowed or denied individually, and all of this can be managed centrally.
Supplicant
In the context of IEEE 802.1X, a "supplicant" is a client requesting access to a network at an Authenticator.

Wrapper
In general a program acting as the interface between the calling and the "wrapped" program
code. Wrappers can be used e.g. for compatibility reasons if the wrapped code uses a different
programming language; for security reasons, i.e. to restrict or expand access; or for emulation
purposes. A program initially written for DirectX can thus be modified to e.g. use OpenGL for
graphics.

Abbreviations

This list comprises the abbreviations used in this manual.

Abbreviation   Definition
CA             Certificate Authority
DHCP           Dynamic Host Configuration Protocol
DLS            Deployment and Licensing Service
DNS            Domain name server
EAP            Extensible Authentication Protocol
EAPOL          Extensible Authentication Protocol Over LAN
FTP            File Transfer Protocol
IAS            Internet Authentication Service
IETF           Internet Engineering Task Force; Internet standards body
IIS            Internet Information Server
IP             Internet Protocol
PEAP           Protected Extensible Authentication Protocol
PKI            Public Key Infrastructure
RFC            Request For Comments; an IETF protocol specification
TAP            Techniker ArbeitsPlatz (in most cases an engineer's notebook, equipped with special software and hardware)
TLS            Transport Layer Security
TTLS           Tunneled Transport Layer Security
VID            Virtual LAN ID (0-4095)
VLAN           Virtual LAN
