diff --git a/acronyms.tex b/acronyms.tex
index d5c4835..1f201e7 100644
--- a/acronyms.tex
+++ b/acronyms.tex
@@ -7,9 +7,11 @@
 %\newacronym{}{}{}
 %\newacronym{}{}{}
 %\newacronym{}{}{}
+\newacronym{ap}{AP}{Access Point}
 \newacronym{arp}{ARP}{Address Resolution Protocol}
 \newacronym{bgp}{BGP}{Border Gateway Protocol}
 \newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit}
+\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
 \newacronym{cli}{CLI}{Command Line Interface}
 \newacronym{cst}{CST}{Common Spanning Tree}
 \newacronym{cwdm}{CWDM}{}
@@ -17,7 +19,10 @@
 \newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
 \newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
 \newacronym{dns}{DNS}{Domain Name System}
+\newacronym{dst}{DST}{Destination}
 \newacronym{dwdm}{DWDM}{}
+\newacronym{eap}{EAP}{Extensible Authentication Protocol}
+\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network}
 \newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
 \newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
 \newacronym{ftp}{FTP}{File Transfer Protocol}
@@ -40,6 +45,7 @@
 \newacronym{mkc}{MKC}{Mikkel Krĝll}
 \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
 \newacronym{mst}{MST}{Multiple Spanning Tree}
+\newacronym{ntp}{NTP}{Network Time Protocol}
 \newacronym{osi}{OSI}{Open Systems Interconnection}
 \newacronym{ospf}{OSPF}{Open Shortest Path First}
 \newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3}
@@ -51,12 +57,16 @@
 \newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus}
 \newacronym{rfc}{RFC}{Request For Comments}
 \newacronym{rip}{RIP}{Routing Information Protocol}
-\newacronym{rspt}{RSTP}{Rapid Spanning Tree}
-\newacronym{rpvst+}{RPVST}{Rapid Per Vlan Spanning Tree}
+\newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
+\newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree}
+\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus}
 \newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
+\newacronym{sla}{SLA}{Service Level Agreement}
 \newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol}
 \newacronym{snmp}{SNMP}{Simple Network Management Protocol}
+\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
 \newacronym{sp}{SP}{Service Provider}
+\newacronym{src}{SRC}{Source}
 \newacronym{ssh}{SSH}{Secure Shell}
 \newacronym{stp}{STP}{Spanning Tree Protocol}
 \newacronym{tcn}{TCN}{Topology Change Notification}
@@ -65,6 +75,7 @@
 \newacronym{toc}{TOC}{Table Of Contents}
 \newacronym{udld}{UDLD}{Unidirectional Link Detection}
 \newacronym{udp}{UDP}{User Datagram Protocol}
+\newacronym{utc}{UTC}{Coordinated Universal Time}
 \newacronym{vlan}{VLAN}{Virtual Local Area Network}
 \newacronym{vpn}{VPN}{Virtual Private Network}
 \newacronym{vtp}{VTP}{Virtual Trunking Protocol}
diff --git a/chapter/networkmgmt.tex b/chapter/networkmgmt.tex
index 0d8e3c0..3cf5203 100644
--- a/chapter/networkmgmt.tex
+++ b/chapter/networkmgmt.tex
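Review bot: `\newacronym{sntp}{SNTP}{Secure Network Time Protocol}` expands the acronym incorrectly — SNTP is the Simple Network Time Protocol (RFC 4330), a reduced NTP client profile with no authentication or integrity protection of its own — so calling it "Secure" would lead readers to assume it defends against time-spoofing of log timestamps or certificate validity checks; change it to `\newacronym{sntp}{SNTP}{Simple Network Time Protocol}`. If the chapter needs an authenticated time source, NTP symmetric-key authentication or NTS (RFC 8915) are the terms to define instead. The new `rpvst` and `rpvst+` entries differ only by the plus sign; if the chapters use just one of them, keeping a single entry (Cisco's own name is Rapid PVST+) avoids two glossary entries for the same protocol. Outside this change but visible in context, DHCP expands to Dynamic Host Configuration Protocol and SMTP's `Simpe` is a typo.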
@@ -129,4 +129,38 @@ tacacs-server unkn0wn!unicAst
 \item user access control by way of governing policies.
 \end{itemize}
 
-\fig{8021x/8021x}{8021x}{ID Management}
\ No newline at end of file
+\fig{8021x/8021x}{8021x}{ID Management}
+
+Based upon the user connecting to the network. They can be given access to
+\begin{itemize}
+ \item the resources their group/identity have been assigned or
+ \item put into a guest \gls{vlan} if nothing is assigned to them or
+ \item simply block the client/user altogether.
+\end{itemize}
+
+Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
+
+\begin{itemize}
+ \item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
+ \item The \textbf{authentication server}
+\end{itemize}
+
+\fig{8021X/portauth}{portauth}{802.1X Port Auth}
+
+802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
+
+\clearpage
+
+\subsection*{Enable with Cisco config}
+
+\begin{txt}
+aaa new-model
+radius server host radiusserver.example.com key .unkown!unicAst.
+aaa group server radius RADIUS-SERVER-DK
+ server radiusserver.example.com
+aaa authetication dot1x default group RADIUS-SERVER-DK
+dot1x system-auth-control
+interface GigabitEthernet 0/4
+ switchport mode access ! Port must be an access port prior
+ dot1x port-control auto ! to enable dot1x on the port
+\end{txt}
diff --git a/img/8021X/portauth.png b/img/8021X/portauth.png
new file mode 100644
index 0000000..2c8bca8
Binary files /dev/null and b/img/8021X/portauth.png differ
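Review bot: The prose before `\clearpage` says 802.1X is enabled on the switch port by `aaa authentication dot1x`, but that is the global AAA method list (the listing itself uses it as `aaa authentication dot1x default group RADIUS-SERVER-DK`); the per-port enable is `dot1x port-control auto`, so the sentence should end `... enabled on the switch port(s) by \cliline{dot1x port-control auto}` to agree with the config block. In the listing, `aaa authetication dot1x` is misspelled and would be rejected as typed, and `radius server host ... key ...` together with `server radiusserver.example.com` looks like a mix of the legacy `radius-server host` form and the newer named `radius server NAME` / `address ipv4` / `key` form — worth checking against the IOS release the chapter targets. The `\textbf{authentication server}` bullet is empty; a one-liner such as `the RADIUS server that validates the EAP exchange and returns accept/reject, optionally with VLAN or ACL attributes` would complete the pair, and `by radius` should read `by RADIUS`. Because this section documents an access control, it should also warn that RADIUS protects the switch-to-server leg only with an MD5-based authenticator derived from the shared secret, so a long random key and an isolated management network (or RadSec where supported) are advisable rather than a guessable one as shown. The `\fig{8021x/8021x}` path is lowercase while the new image is added under `img/8021X/`, which will break on a case-sensitive filesystem unless both directories exist; the section containing this text begins before the hunk.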