Tuesday, January 5, 2021

802.1x - Design Understanding

Hey Everyone,

I may be walking the line between sysadmin/network subs but this seems to be an allowed topic here.

I'm designing an 802.1x implementation and am trying to wrap my head around everything. I'm hoping I can recite this back and y'all can nail me to the wall if my understanding is wrong. My intention is to make this process easily repeatable.

My Goal

Set up wired/wireless 802.1x (EAP-TTLS/PAP, so a RADIUS 'server side' cert only, with the clear-text password wrapped up in TLS) between Windows 10 supplicants and FreeRADIUS 3.x, with Active Directory group membership for authorization and using bind-as instead of Kerberos to handle authentication (to avoid using Samba).

First off, I realize EAP-TLS with client certs would be more secure but I am unable to bear the administrative overhead at this time.

Assuming the above can work securely, I understand the process as follows:

  • Supplicant initiates an EAP-TTLS/PAP connection to the Authenticator (the access point/switch) over EAPOL.
  • Authenticator forwards the connection to the RADIUS server after stripping off EAPOL.
  • RADIUS server responds in the existing flow back to the workstation with its TLS certificate bundle.
  • Supplicant verifies the RADIUS server certificate is trusted and continues EAP over TLS.
  • RADIUS server decrypts TLS (removes the EAP-TTLS encapsulation) and processes the PAP (plain-text) password.
  • RADIUS server binds to Active Directory over TLS (a separate certificate) using LDAPS with a service account to gather the user's group membership info.
  • RADIUS server verifies the user's group membership against local policy and continues to authentication.
  • RADIUS server rebinds using the user's credentials (PAP, so clear text) over LDAPS (secure) to Active Directory.
  • Bind is successful, so RADIUS knows authentication has succeeded.
  • RADIUS tells the Authenticator Access-Accept.
  • Network device/Authenticator enables the port/allows the association to continue.
  • Workstation gets an IP address and is on the network.

If anyone can shed some words of wisdom or "hey stop now because..." or maybe even a "yeah that should work well enough", I would much appreciate it. Thanks
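The bind-as-user flow described above, as an added FreeRADIUS 3.x configuration example (not from the original post, and not a complete server config): the ldap module gets a service account for the user lookup and group query, the inner-tunnel authorize section checks AD group membership before any bind as the user is attempted, and the authenticate section binds as the user with the PAP password that arrived inside the TTLS tunnel. The hostname, DNs, group name, service-account name and CA file path are assumed placeholder values.

```conf
# --- mods-available/ldap (excerpt) ---
# Assumed values: dc1.example.com, the DC=example,DC=com base, the svc-radius
# account and the CA file path are placeholders, not taken from the post.
ldap {
    # LDAPS on 636 rather than StartTLS; the DC certificate is verified
    # against the CA bundle in the tls section, so no bind password
    # (service account or user) leaves the RADIUS host unencrypted.
    server = 'ldaps://dc1.example.com'

    # Service account used only for the user lookup and the group query.
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=com'
    password = 'CHANGE-ME'   # placeholder; keep this file readable by the radius user only

    base_dn = 'DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        # AD logons are usually sAMAccountName; Stripped-User-Name covers the
        # DOMAIN\user or user@realm forms the realm module strips.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        # AD publishes membership on the user object as memberOf, so the
        # LDAP-Group check below needs no second search.
        membership_attribute = 'memberOf'
    }

    tls {
        start_tls = no
        ca_file = /etc/freeradius/certs/ad-root-ca.pem
        # Refuse the connection if the DC certificate does not verify.
        require_cert = 'demand'
    }
}

# --- sites-available/inner-tunnel (excerpt) ---
# This virtual server sees the PAP request after the EAP-TTLS tunnel has
# been decrypted, so User-Password is the clear-text password here.
authorize {
    # Look the user up with the service account; caches the user DN.
    ldap

    # Authorization: reject before any bind as the user is attempted.
    if (!(LDAP-Group == "CN=Network Users,OU=Groups,DC=example,DC=com")) {
        reject
    }

    # Only hand off to the bind-as-user check when a password arrived.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }
}

authenticate {
    # Authentication: the ldap module rebinds as the cached user DN with
    # User-Password; a successful bind is the Access-Accept decision.
    Auth-Type LDAP {
        ldap
    }
}
```

The group check sits after the `ldap` call in authorize because the LDAP-Group comparison needs the user DN that call cached; a lookup failure therefore also ends in reject rather than in a bind attempt. Run the server with `radiusd -X` while testing to see the lookup, the group comparison and the user bind logged in order. The whole design still depends on step 4 of the list above: the Windows 10 supplicant profile must validate the server certificate against the issuing CA and the expected server name, because nothing on the RADIUS side can stop a client that skips that check from handing its PAP password to any server that presents a certificate.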
