Merge branch 'feature/802.1x' into develop
This commit is contained in:
parent
5c29ce5e9c
commit
d362c3f440
15
acronyms.tex
15
acronyms.tex
|
@ -7,9 +7,11 @@
|
||||||
%\newacronym{}{}{}
|
%\newacronym{}{}{}
|
||||||
%\newacronym{}{}{}
|
%\newacronym{}{}{}
|
||||||
%\newacronym{}{}{}
|
%\newacronym{}{}{}
|
||||||
|
\newacronym{ap}{AP}{Access Point}
|
||||||
\newacronym{arp}{ARP}{Address Resolution Protocol}
|
\newacronym{arp}{ARP}{Address Resolution Protocol}
|
||||||
\newacronym{bgp}{BGP}{Border Gateway Protocol}
|
\newacronym{bgp}{BGP}{Border Gateway Protocol}
|
||||||
\newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit}
|
\newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit}
|
||||||
|
\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
|
||||||
\newacronym{cli}{CLI}{Command Line Interface}
|
\newacronym{cli}{CLI}{Command Line Interface}
|
||||||
\newacronym{cst}{CST}{Common Spanning Tree}
|
\newacronym{cst}{CST}{Common Spanning Tree}
|
||||||
\newacronym{cwdm}{CWDM}{}
|
\newacronym{cwdm}{CWDM}{}
|
||||||
|
@ -17,7 +19,10 @@
|
||||||
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
|
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
|
||||||
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
|
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
|
||||||
\newacronym{dns}{DNS}{Domain Name System}
|
\newacronym{dns}{DNS}{Domain Name System}
|
||||||
|
\newacronym{dst}{DST}{Destination}
|
||||||
\newacronym{dwdm}{DWDM}{}
|
\newacronym{dwdm}{DWDM}{}
|
||||||
|
\newacronym{eap}{EAP}{Extensible Authentication Protocol}
|
||||||
|
\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network}
|
||||||
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
|
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
|
||||||
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
|
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
|
||||||
\newacronym{ftp}{FTP}{File Transfer Protocol}
|
\newacronym{ftp}{FTP}{File Transfer Protocol}
|
||||||
|
@ -40,6 +45,7 @@
|
||||||
\newacronym{mkc}{MKC}{Mikkel Krøll}
|
\newacronym{mkc}{MKC}{Mikkel Krøll}
|
||||||
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
|
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
|
||||||
\newacronym{mst}{MST}{Multiple Spanning Tree}
|
\newacronym{mst}{MST}{Multiple Spanning Tree}
|
||||||
|
\newacronym{ntp}{NTP}{Network Time Protocol}
|
||||||
\newacronym{osi}{OSI}{Open Systems Interconnection}
|
\newacronym{osi}{OSI}{Open Systems Interconnection}
|
||||||
\newacronym{ospf}{OSPF}{Open Shortest Path First}
|
\newacronym{ospf}{OSPF}{Open Shortest Path First}
|
||||||
\newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3}
|
\newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3}
|
||||||
|
@ -51,12 +57,16 @@
|
||||||
\newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus}
|
\newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus}
|
||||||
\newacronym{rfc}{RFC}{Request For Comments}
|
\newacronym{rfc}{RFC}{Request For Comments}
|
||||||
\newacronym{rip}{RIP}{Routing Information Protocol}
|
\newacronym{rip}{RIP}{Routing Information Protocol}
|
||||||
\newacronym{rspt}{RSTP}{Rapid Spanning Tree}
|
\newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
|
||||||
\newacronym{rpvst+}{RPVST}{Rapid Per Vlan Spanning Tree}
|
\newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree}
|
||||||
|
\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus}
|
||||||
\newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
|
\newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
|
||||||
|
\newacronym{sla}{SLA}{Service Level Agreement}
|
||||||
\newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol}
|
\newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol}
|
||||||
\newacronym{snmp}{SNMP}{Simple Network Management Protocol}
|
\newacronym{snmp}{SNMP}{Simple Network Management Protocol}
|
||||||
|
\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
|
||||||
\newacronym{sp}{SP}{Service Provider}
|
\newacronym{sp}{SP}{Service Provider}
|
||||||
|
\newacronym{src}{SRC}{Source}
|
||||||
\newacronym{ssh}{SSH}{Secure Shell}
|
\newacronym{ssh}{SSH}{Secure Shell}
|
||||||
\newacronym{stp}{STP}{Spanning Tree Protocol}
|
\newacronym{stp}{STP}{Spanning Tree Protocol}
|
||||||
\newacronym{tcn}{TCN}{Topology Change Notification}
|
\newacronym{tcn}{TCN}{Topology Change Notification}
|
||||||
|
@ -65,6 +75,7 @@
|
||||||
\newacronym{toc}{TOC}{Table Of Contents}
|
\newacronym{toc}{TOC}{Table Of Contents}
|
||||||
\newacronym{udld}{UDLD}{Unidirectional Link Detection}
|
\newacronym{udld}{UDLD}{Unidirectional Link Detection}
|
||||||
\newacronym{udp}{UDP}{User Datagram Protocol}
|
\newacronym{udp}{UDP}{User Datagram Protocol}
|
||||||
|
\newacronym{utc}{UTC}{Coordinated Universal Time}
|
||||||
\newacronym{vlan}{VLAN}{Virtual Local Area Network}
|
\newacronym{vlan}{VLAN}{Virtual Local Area Network}
|
||||||
\newacronym{vpn}{VPN}{Virtual Private Network}
|
\newacronym{vpn}{VPN}{Virtual Private Network}
|
||||||
\newacronym{vtp}{VTP}{Virtual Trunking Protocol}
|
\newacronym{vtp}{VTP}{Virtual Trunking Protocol}
|
||||||
|
|
|
@ -129,4 +129,38 @@ tacacs-server unkn0wn!unicAst
|
||||||
\item user access control by way of governing policies.
|
\item user access control by way of governing policies.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\fig{8021x/8021x}{8021x}{ID Management}
|
\fig{8021x/8021x}{8021x}{ID Management}
|
||||||
|
|
||||||
|
Based upon the user connecting to the network. They can be given access to
|
||||||
|
\begin{itemize}
|
||||||
|
\item the resources their group/identity have been assigned or
|
||||||
|
\item put into a guest \gls{vlan} if nothing is assigned to them or
|
||||||
|
\item simply block the client/user altogether.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
|
||||||
|
\item The \textbf{authentication server}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
|
||||||
|
|
||||||
|
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
|
||||||
|
|
||||||
|
\clearpage
|
||||||
|
|
||||||
|
\subsection*{Enable with Cisco config}
|
||||||
|
|
||||||
|
\begin{txt}
|
||||||
|
aaa new-model
|
||||||
|
radius server host radiusserver.example.com key .unkown!unicAst.
|
||||||
|
aaa group server radius RADIUS-SERVER-DK
|
||||||
|
server radiusserver.example.com
|
||||||
|
aaa authetication dot1x default group RADIUS-SERVER-DK
|
||||||
|
dot1x system-auth-control
|
||||||
|
interface GigabitEthernet 0/4
|
||||||
|
switchport mode access ! Port must be an access port prior
|
||||||
|
dot1x port-control auto ! to enable dot1x on the port
|
||||||
|
\end{txt}
|
||||||
|
|
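Review bot: The sentence `802.1X can be enabled ... by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}` contradicts the listing beneath it: `aaa authentication dot1x default group RADIUS-SERVER-DK` is a global AAA method list, and the per-port enable is the `dot1x port-control auto` line in the interface stanza, so the prose should name `\cliline{dot1x port-control auto}` as the per-port step. The listing also misspells the keyword in `aaa authetication dot1x default group RADIUS-SERVER-DK`, which IOS will reject at paste time, and it never adds `aaa authorization network default group RADIUS-SERVER-DK`, without which the switch ignores the RADIUS VLAN attributes that the preceding bullets on group and guest VLAN placement depend on. The `radius server host radiusserver.example.com key ...` line appears to mix the legacy `radius-server host <addr> key <secret>` form with the newer `radius server <name>` block syntax, so it is worth re-checking against the IOS release used in the lab. The shared secret `.unkown!unicAst.` is printed in full and looks like a variant of the `tacacs-server` key visible in the hunk header; since anyone holding the RADIUS secret can forge Access-Accept and VLAN assignments for every port using this method list, a one-line caveat that lab secrets must be unique per service and never published would be appropriate, and the `\item The \textbf{authentication server}` bullet is left empty while the supplicant role is not described at all.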
BIN
img/8021X/portauth.png
Normal file
BIN
img/8021X/portauth.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 211 KiB |