
802.1X AUTHENTICATION VIA RADIUS SERVER

CÔNG TY CỔ PHẦN TIN HỌC LẠC VIỆT (Lac Viet Computing Corporation)

802.1x Authentication via RADIUS Server


APPROVED VERSIONS

Change history
Date         Author               Version   Description of change
12/07/2010   L Hng Thin Phc       1.0       Document created

Approval
Reviewer     Version   Role                     Date
Trn Dng      1.0       IS department manager

Reference audience
Name                    Role
Nguyn Ngc Phng Trc     Deputy IS department manager
V nh Nam                IS staff
Mai Phm Trung Cm        IS staff
Hunh c Minh             IS staff


TABLE OF CONTENTS
1 OVERVIEW
  1.1 Introduction
  1.2 Benefits
  1.3 Purpose
  1.4 Scope
2 REQUIREMENTS
  2.1 System
    2.1.1 Technical
    2.1.2 Functional
  2.2 Users
3 MAIN COMPONENTS OF 802.1X AUTHENTICATION
  3.1 Supplicant
  3.2 Authenticator
  3.3 Authentication Server
4 PLAN
  4.1 VLAN planning
  4.2 Deployment sequence
  4.3 Policy setup
5 DEPLOYMENT
  5.1 Configuring RADIUS authentication on the DC server
    5.1.1 Preparation steps for the Dot1x deployment
    5.1.2 VLAN configuration
    5.1.3 DHCP allocation
  5.2 Authenticator
  5.3 User computer
    5.3.1 Windows Vista
    5.3.2 Windows XP


1 OVERVIEW

1.1 Introduction
Port-based network access control provides authentication and authorization for a device that connects to a LAN port using IEEE 802 physical-layer connectivity. It operates on point-to-point links and blocks access at the physical (port) level when authentication fails or the device is not authorized. The two common 802.1X authentication scenarios are:
- User authentication on a wired network
- User authentication on a wireless network

1.2 Benefits
Deploying 802.1X authentication brings the company's information system the following benefits:
- Blocks access to the system from computers that IS has not approved.
- Raises the security of the system and reduces the risk of data loss.
- Supports a secure deployment of the wireless network.


- Reduces administrative work when departments are reorganized or staff move between workplaces (the VLAN follows the account, not the wall port).

1.3 Purpose
Help the company's information system operate effectively.

1.4 Scope
802.1X authentication is deployed across the entire company network.

2 REQUIREMENTS

2.1 System
2.1.1 Technical
The system must meet the following requirements:
- Switches that support the 802.1X protocol.
- A domain-based management model with a RADIUS server installed.
- IP address and VLAN allocation per department.
2.1.2 Functional
Provide an authentication method for secure access to the company's information system.

2.2 Users
Successful deployment of the authentication method requires cooperation from users. IS and the users therefore need to do the following:
- IS instructs users on how to authenticate when logging in.
- After being instructed, users follow the authentication steps to access the system.

3 MAIN COMPONENTS OF 802.1X AUTHENTICATION
3.1 Supplicant
The device that needs to authenticate in order to access the Dot1x network; it supplies its username and password to the Authenticator. The client uses the Extensible Authentication Protocol (EAP).
3.2 Authenticator
The device (here the switch) that supports 802.1X port-based authentication and controls access to the network. When a supplicant wants to authenticate, the Authenticator receives its EAP exchange (carrying the account name and password) and relays it to the Authentication Server. If the credentials are accepted, the device lets the Supplicant onto the network; otherwise the port stays blocked. The device also provides functions such as dynamic VLAN assignment and DHCP relay.


3.3 Authentication Server
The authentication server validates the username/password received from the Authenticator and returns the configuration options for the dynamic VLAN; in this deployment the same DC server also provides DHCP.

[Figure: 802.1x authentication sequence]

4 PLAN

4.1 VLAN planning

No.    Function                              Nodes   VLAN     Address                          Note
I      SYSTEM (172.16.0.0 - 172.16.9.0)                                                       existing subnet
1      Server                                                 172.16.0.0/24
2      Network devices                               1        172.16.1.0/24
3      Reserve                                                172.16.2.0 - 172.16.4.0/24
II     USERS
II.1   Centers (172.16.10.0 - 172.16.19.0)
1.1    DCS                                           5        172.16.5.10/24
1.2    ERP + QA                                      6        172.16.6.10/24
1.3    HPS                                           7        172.16.7.10/24
1.4    BPC                                           8        172.16.8.10/24
1.5    SBC                                           9        172.16.9.10/24
1.6    SSC                                           10       172.16.10.10/24
1.7    CIS                                           11       172.16.11.10/25
1.8    Reserve                                       12-14    172.16.12.0 - 172.16.14.0/24     for new centers
II.2   Departments (172.16.20.0)
2.1    IS                                            15       172.16.15.10/27
2.2    VPI                                           16       172.16.16.10/27
2.3    HRD                                           17       172.16.17.10/27


2.4    KTC                                           18       172.16.18.10/27
2.5    Marketing                                     19       172.16.19.10/27
2.6    PD                                            20       172.16.20.10/27

(The address ranges in the group headings do not match the rows beneath them; the per-row VLAN and address values are the ones used in the rest of this document.)

4.2 Deployment sequence

Dot1x is rolled out across the company in the following order:

No.   Center / Department   Time (days)   Note
1     IS department         3             Deploy and test first
2     VPI, HRD              2
3     KTC                   2
4     Marketing, PD         2
5     CIS                   2
6     HPS                   2             Deploy carefully: the centers affect
7     BPC                   2             many people across the company
8     SSC                   2
9     SBC                   2
10    ERP + QA              3
11    DCS                   3

The rollout is considered successful when the centers can reach system resources and have full network connectivity with each other.

4.3 Policy setup
Once Dot1x is deployed, a user who wants to reach network resources must log in with a domain account and is assigned a VLAN and a DHCP lease dynamically. The next phase is to define the policies for resource exchange between the users of a center and the company's servers, for Internet connectivity, and for access between centers and departments.
Note: building the access policies between centers, departments and system resources requires the participation and agreement of the centers.

No.   Center / Department   Allowed to access   Not allowed to access   Note
1
2
3


5 DEPLOYMENT
Preparing for the Dot1x deployment requires the following steps:
Mandatory steps: system preparation
- Configure RADIUS authentication and dynamic DHCP allocation on the DC server.
- Configure the switch for port authentication, VLAN assignment and DHCP relay.
- Configure the user computers to authenticate against the RADIUS server through the switch.
Optional steps: user rollout
- Deploy center by center following the order in section 4.2.
- After Dot1x has been deployed company-wide, apply the access policies.

5.1 Configuring RADIUS authentication on the DC server

5.1.1 Preparation steps for the Dot1x deployment
a. Install the RADIUS and DHCP server
Install RADIUS as follows:
B1. Open Add or Remove Programs -> Add/Remove Windows Components.
B2. Select the Networking Services component and check the sub-components shown in the figure below (Internet Authentication Service is the Windows RADIUS server; the DHCP server is installed from the same list).


b. Configure the RADIUS server
Configure RADIUS with the following steps:
B1. In Administrative Tools, open Internet Authentication Service.

B2. Right-click Internet Authentication Service (Local) and choose Register Server in Active Directory. This lets IAS read account information from AD when it authenticates users.


B3. To set the connection parameters, right-click Internet Authentication Service (Local) and choose Properties. On the Ports tab, set the UDP ports as shown below. They must match the ports configured on the switch in section 5.2 (the sample there uses 1645 for authentication and 1646 for accounting).

B4. Right-click RADIUS Clients and choose New RADIUS Client. Enter a friendly name and the IP address of the Authenticator (the switch), then click Next.


B5. Select RADIUS Standard under Client-Vendor and enter the shared secret that authenticates the Authenticator when it connects to the RADIUS server. The same value goes into the `key` of the radius-server host line in section 5.2. The sample there uses `hello`; in production use a long random secret, because it is the only thing that protects the RADIUS exchange between switch and server, and IAS will silently discard requests whose Message-Authenticator does not match it.


This completes the connection setup to the Authenticator.
c. Create the Dot1x user group
Create the users as you would any domain user, then add the following two settings so that the user can authenticate:
B1. On the Account tab, under Account options, select Store password using reversible encryption. This setting only takes effect at the user's next password change, and it is needed only because the policy in step d selects MD5-Challenge, which requires the clear-text password on the server. It keeps the password recoverable in AD, so enable it for the Dot1x accounts only; PEAP with EAP-MSCHAP v2 (what the clients in section 5.3 are configured for) does not need it.

B2. On the Dial-in tab, check Allow access under Remote Access Permission (Dial-in or VPN).


d. Set up the user group policy
B1. Right-click Remote Access Policies -> New Remote Access Policy. Click Next on the wizard's welcome screen.
B2. Enter the name of the policy and click Next.


B3. The next screen offers four access methods; for authentication on the LAN, select Ethernet.


B4. The policy can be applied to two kinds of object, both created in AD by the administrator:
- User: applies to an individual user.
- Group: applies the policy to a group of users.


B5. For the authentication method, select MD5-Challenge.
Caveat: the EAP type offered here must match what the supplicants in section 5.3 are configured for. They use Protected EAP (PEAP) with EAP-MSCHAP v2, so Protected EAP (PEAP) must also be added to the policy's EAP types (which requires a server certificate on the IAS machine), otherwise IAS rejects those clients. MD5-Challenge itself sends the challenge and the MD5 response in the clear, authenticates only the client, derives no keys, and is the reason the reversible-encryption setting in step c is required.
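An added example, not part of the original document, of what the MD5-Challenge choice means on the wire. EAP-MD5 is CHAP (RFC 1994) carried in EAP (RFC 3748 section 5.4): the supplicant answers MD5(Identifier || password || Challenge) and the server needs the clear-text password to check it, which is why step c turns on reversible password storage. Nothing in the exchange is encrypted and the server never proves its identity, so one captured request/response pair can be tested against a wordlist offline with the same computation IAS performs. The identifier, user name, password and wordlist below are constructed for illustration; the code uses only the Python standard library.

```python
# Added example: EAP-MD5 (MD5-Challenge) request/response and why it is weak.
# Everything here (identifier 0x2A, user01, the password and the wordlist) is
# constructed for illustration and is not from the original document.
import hashlib
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def md5_response(identifier, password, challenge):
    """The CHAP/EAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_packet(code, identifier, value, name=b""):
    """EAP packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_md5_packet(pkt):
    """Return (code, identifier, value, name); reject anything that is not MD5-Challenge."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = pkt[5]
    if 6 + size > length:
        raise ValueError("value-size exceeds packet")
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]


def supplicant_answer(request, password, name):
    """Client side: read the challenge and answer it with the password."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    return md5_packet(EAP_RESPONSE, identifier, md5_response(identifier, password, challenge), name)


def server_verify(stored_password, request, response):
    """IAS side: the same computation, using the password it recovers from AD."""
    _, rid, challenge, _ = parse_md5_packet(request)
    code, identifier, value, _ = parse_md5_packet(response)
    return (code == EAP_RESPONSE and identifier == rid
            and value == md5_response(identifier, stored_password, challenge))


def offline_guess(request, response, candidates):
    """Anyone who captured both frames on the segment can run the server's
    computation once per wordlist entry; no further traffic to IAS is needed.
    Returns the matching candidate or None."""
    _, identifier, challenge, _ = parse_md5_packet(request)
    _, _, value, _ = parse_md5_packet(response)
    for candidate in candidates:
        if md5_response(identifier, candidate, challenge) == value:
            return candidate
    return None


def demo():
    """One legitimate exchange with a constructed weak password, then the offline check."""
    password = b"Summer2010"                      # constructed; deliberately in the wordlist
    request = md5_packet(EAP_REQUEST, 0x2A, os.urandom(16))
    response = supplicant_answer(request, password, b"user01")
    if not server_verify(password, request, response):
        raise RuntimeError("a legitimate exchange must verify")
    wordlist = [b"password", b"Welcome1", b"Lacviet2010", b"Summer2010"]
    return offline_guess(request, response, wordlist)


if __name__ == "__main__":
    print(demo())   # b'Summer2010'
```

PEAP wraps the inner EAP-MSCHAP v2 exchange in a TLS tunnel to the server, which removes the passive capture shown here, provided the client validates the server certificate (see the caveat in section 5.3).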

B6. Finish.

5.1.2 VLAN configuration
To assign a dynamic VLAN to a user group when it authenticates with Dot1x, do the following:
B1. After creating the policy for the user group, right-click that policy.


B2. Choose Edit Profile as shown below.


B3. On the Advanced tab, click Add.

B4. A dynamic VLAN needs the following three attributes (RFC 2868 tunnel attributes, which the switch only applies when AAA network authorization is enabled, see section 5.2):
- Tunnel-Medium-Type: the transport medium of the tunnel (802 for IEEE 802 networks).
- Tunnel-Type: the kind of tunnel (VLAN).
- Tunnel-Pvt-Group-ID: the VLAN ID for the tunnel.
In the Add Attribute dialog, add the dynamic VLAN attributes starting with Tunnel-Medium-Type.


Click Add in the Multivalued Attribute Information window, then pick the value 802 in the Enumerable Attribute Information dialog.


B5. As in step 4, add Tunnel-Type and select the value Virtual LANs (VLAN), as shown below.

B6. Add Tunnel-Pvt-Group-ID with the VLAN ID as its string value (for example 15 for the IS department, following the plan in section 4.1).


B7. The completed dynamic VLAN assignment looks like the figure below.
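As an added example (not part of the original document and not vendor code), here is the RADIUS side of the exchange shown in the sequence figure, written against RFC 2865, 2868 and 3579 with the Python standard library only. The switch sends an Access-Request carrying the supplicant's EAP frame and a Message-Authenticator keyed with the shared secret from step B5 of 5.1.1; IAS answers with an Access-Accept carrying the three Tunnel-* attributes configured above; the switch verifies the Response Authenticator before trusting the VLAN. The secret `hello` and the server 172.16.1.2 come from the sample switch configuration in 5.2; the switch address 172.16.1.1, the user name, VLAN 15 (the IS department in 4.1) and attribute tag 1 are assumptions made for the example.

```python
# Added example: RADIUS Access-Request / Access-Accept with dynamic-VLAN attributes.
# Assumed values: secret b"hello" and server 172.16.1.2 from the sample switch
# config, NAS address 172.16.1.1, user01, VLAN 15, tag 1. Standard library only.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # what IAS sends for "Virtual LANs (VLAN)" and "802"


def attr(t, value):
    """One attribute in type, length, value form (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, len(value) + 2) + value


def tagged_int(t, tag, value):
    """Tagged integer (RFC 2868): one tag byte, then a 3-byte big-endian integer."""
    return attr(t, bytes([tag]) + struct.pack("!I", value)[1:])


def parse_attrs(pkt):
    """Return [(type, value, offset_of_value)] for every attribute after the 20-byte header."""
    out, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        length = pkt[pos + 1]
        out.append((pkt[pos], pkt[pos + 2:pos + length], pos + 2))
        pos += length
    return out


def access_request(ident, secret, user, eap_payload, nas_ip):
    """Switch -> IAS. EAP-Message carries the supplicant's EAP frame; Message-Authenticator
    is HMAC-MD5(secret) over the packet with its own value zeroed (RFC 3579 section 3.2)."""
    req_auth = os.urandom(16)
    body = (attr(USER_NAME, user.encode())
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(EAP_MESSAGE, eap_payload)
            + attr(MESSAGE_AUTHENTICATOR, bytes(16)))          # placeholder, kept last
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, req_auth


def verify_message_authenticator(pkt, secret):
    """IAS side: recompute the HMAC with the attribute value zeroed; absent means reject."""
    for t, value, off in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def access_accept(ident, req_auth, secret, vlan_id, tag=1):
    """IAS -> switch with the three attributes from step B4, all under one tag.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def nas_vlan_from_response(resp, req_auth, secret):
    """Switch side: verify the Response Authenticator, then pick the VLAN whose Tunnel-Type,
    Tunnel-Medium-Type and Tunnel-Private-Group-ID share one tag. None if the packet is
    forged (wrong secret), is not an Accept, or carries no usable VLAN triple."""
    head, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(head + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth) or head[0] != ACCESS_ACCEPT:
        return None
    seen = {}
    for t, value, _ in parse_attrs(resp):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[(t, value[0])] = int.from_bytes(value[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # the tag byte is only present when it is 0x00..0x1F (RFC 2868 section 3.6)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            seen[(t, tag)] = text.decode()
    for tag in range(32):
        if (seen.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_802
                and (TUNNEL_PRIVATE_GROUP_ID, tag) in seen):
            return int(seen[(TUNNEL_PRIVATE_GROUP_ID, tag)])
    return None


def demo(secret=b"hello", vlan=15):
    """One full exchange for a constructed user. Returns (VLAN the switch assigns,
    result when the same reply is checked with the wrong secret, i.e. None)."""
    identity = b"LACVIET\\user01"                                   # constructed identity
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity   # EAP-Response/Identity
    req, req_auth = access_request(7, secret, "user01", eap, "172.16.1.1")
    if not verify_message_authenticator(req, secret):
        raise RuntimeError("IAS would discard this request")
    resp = access_accept(7, req_auth, secret, vlan)
    return nas_vlan_from_response(resp, req_auth, secret), nas_vlan_from_response(resp, req_auth, b"wrong")


if __name__ == "__main__":
    print(demo())   # (15, None)
```

Two points the code makes explicit: the Response Authenticator is the only thing that ties the Accept (and the VLAN in it) to the shared secret, so a weak secret such as `hello` is what stands between the switch and a forged VLAN assignment; and the three Tunnel-* attributes must carry the same tag, which is why the IAS steps above add all three to the same profile.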

5.1.3 DHCP allocation
Create an IP scope for each VLAN on the DHCP server.


[Figure: sample IP address scope]

DHCP relay configuration on the Authenticator
Sample configuration that lets clients in each VLAN reach the DHCP server (172.16.1.2, the DC server). The VLAN numbers and subnets in this sample are illustrative and do not follow the plan in section 4.1; in production use the plan's VLAN IDs and matching scopes.

    interface Vlan1
     ip address 172.16.1.1 255.255.255.0
     ip helper-address 172.16.1.2
    !
    interface Vlan10
     ip address 172.16.2.1 255.255.255.128
     ip helper-address 172.16.1.2
    !
    interface Vlan20
     ip address 172.16.2.129 255.255.255.128
     ip helper-address 172.16.1.2
    !
    interface Vlan30
     ip address 172.16.3.1 255.255.255.0
     ip helper-address 172.16.1.2

5.2 Authenticator
This document uses a Cisco Catalyst 3560G as the example device.
Dot1x configuration

    ! Enable AAA and point 802.1X authentication and network authorization at the
    ! RADIUS server group. Network authorization is what lets the switch apply the
    ! Tunnel-* VLAN attributes returned by IAS (section 5.1.2).
    aaa new-model
    aaa group server radius Dot1xRadius
     server 172.16.1.2 auth-port 1645 acct-port 1646
    aaa authentication dot1x default group Dot1xRadius
    aaa authorization network default group Dot1xRadius


    ip routing
    dot1x system-auth-control
    ! Authentication parameters for the access port
    interface GigabitEthernet0/5
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x timeout quiet-period 2
     dot1x max-req 5
     spanning-tree portfast
    ! RADIUS server, UDP ports and pre-shared key used between the Authenticator and
    ! the RADIUS server. "hello" is a placeholder; the key must equal the shared secret
    ! entered in IAS (5.1.1 step B5) and the ports must match the IAS Ports tab (step B3).
    radius-server host 172.16.1.2 auth-port 1645 acct-port 1646 key hello
    radius-server source-ports 1645-1646

Access policy between VLANs
Sample configuration:

    ! Group the nodes
    ip access-list extended VLAN30ACL
     permit ip 172.16.3.0 0.0.0.255 any
    ip access-list extended VLANALL
     permit ip any any
    ! Policy on the node groups: drop traffic sourced from VLAN 30's subnet, forward
    ! everything else. The second entry is required because a VLAN access map ends
    ! with an implicit drop.
    vlan access-map PVLAN30 10
     match ip address VLAN30ACL
     action drop
    vlan access-map PVLAN30 20
     match ip address VLANALL
     action forward
    ! Apply the policy to VLAN 10
    vlan filter PVLAN30 vlan-list 10

5.3 User computer
Before configuring authentication on Windows XP SP3, if the Authentication tab is missing from the Local Area Connection properties, start the Wired AutoConfig service.


5.3.1 Windows Vista
Configure Dot1x authentication on Windows Vista as follows:
B1. On the Authentication tab, check Enable IEEE 802.1X authentication for this network and choose the EAP type Protected EAP (PEAP).

B2. In the Protected EAP Properties window:
- Uncheck Validate server certificate. Caveat: with this unchecked the supplicant builds the PEAP tunnel with any server that presents a certificate and runs the MSCHAP v2 exchange inside it, so a rogue RADIUS server on the segment can collect the users' credentials. On a production network leave it checked and select the CA that issued the IAS server certificate; the same applies to the Windows XP steps in 5.3.2.



- Under Authentication method, choose Secured password (EAP-MSCHAP v2).
- Check Enable fast reconnect.

B3. In EAP MSCHAPv2 Properties, check Automatically use my Windows logon name and password (and domain if any).


5.3.2 Windows XP
Configure Dot1x authentication on Windows XP as follows:
B1. Network Connections -> Local Area Connection -> Properties.
B2. In the Local Area Connection properties, open the Authentication tab.
B3. On the Authentication tab, select:
- Enable IEEE 802.1x authentication for this network.
- EAP type: Protected EAP (PEAP).
- Authenticate as computer when computer information is available.


B4. Click Properties to configure PEAP.
B5. In the Protected EAP Properties window:
- Uncheck Validate server certificate (see the caveat on this setting in 5.3.1).
- Under Select Authentication Method, choose Secured password (EAP-MSCHAP v2) and click Configure.
- In the EAP MSCHAPv2 Properties window, uncheck Automatically use my Windows logon name and password (and domain if any); the user is then prompted for the domain account credentials.
