{"id":496,"date":"2020-04-06T20:37:02","date_gmt":"2020-04-06T18:37:02","guid":{"rendered":"http:\/\/tech.sosthe.sk\/?page_id=496"},"modified":"2020-04-06T20:37:02","modified_gmt":"2020-04-06T18:37:02","slug":"11-ieee-802-1x-autentizacia-k-portu-ms-ias","status":"publish","type":"page","link":"http:\/\/tech.sosthe.sk\/index.php\/ccna\/cisco-ios\/11-ieee-802-1x-autentizacia-k-portu-ms-ias\/","title":{"rendered":"11. IEEE 802.1x, autentiz\u00e1cia k portu, MS IAS"},"content":{"rendered":"

Autentiz\u00e1cie pr\u00edstupu k portu<\/span><\/em><\/strong>\u00a0pomocou protokolu IEEE 802.1x je z\u00e1klad dnes popul\u00e1rnych technol\u00f3gi\u00ed zvan\u00fdch<\/span>\u00a0Network Access Control<\/span><\/em><\/strong>\u00a0(NAC),<\/span>\u00a0Network Admission Control<\/span><\/em><\/strong>\u00a0(NAC) alebo<\/span>\u00a0Network Access Protection<\/span><\/strong><\/em>\u00a0(NAP), ktor\u00e9 riadi pr\u00edstup zariadenia \/ u\u017e\u00edvate\u013eov k sieti.\u00a0V\u00fdhoda je, \u017ee pr\u00edstup kontrolujeme na okraji, teda priamo na porte (access switch), do ktor\u00e9ho je u\u017e\u00edvate\u013e pripojen\u00fd.\u00a0Princ\u00edp spo\u010d\u00edva v tom, \u017ee port na switchi je zablokovan\u00fd (nepovo\u013euje \u017eiadnu komunik\u00e1ciu) do tej doby, ne\u017e sa pripojen\u00e9 zariadenie \u00faspe\u0161ne autentizuje.\u00a0Pri tejto met\u00f3de je mo\u017en\u00e9 vyu\u017ei\u0165 aj rady \u010fal\u0161\u00edch vlastnost\u00ed, napr\u00edklad dynamick\u00e9 zara\u010fovan\u00ed do VLAN \u010di zaradenie portu do Hostovsk\u00fd VLANy, pokia\u013e ned\u00f4jde k autentifik\u00e1ciu.<\/span><\/p>\n

Protokol IEEE 802.1x<\/span><\/h3>\n

O vlastn\u00fdm protokolu\u00a0<\/span>802.1x<\/span><\/strong>\u00a0sa zmienim iba stru\u010dne.\u00a0Ide o \u0161tandard pre kontrolu pr\u00edstupu do siete zalo\u017een\u00fa na porte (\u00a0<\/span>Port-based Network Access Control<\/span><\/em>\u00a0).\u00a0Je zalo\u017een\u00fd na\u00a0<\/span>Extensible Authentication Protocol<\/span><\/em><\/strong>\u00a0(EAP) RFC 3748. Pou\u017e\u00edva sa na nov\u0161\u00edch switchoch vy\u0161\u0161ej triedy (v\u00e4\u010d\u0161ina dne\u0161n\u00fdch Cisco switchov) alebo pre bezdr\u00f4tov\u00e9 siete (pr\u00edstupov\u00e9 body AP).\u00a0V dr\u00f4tov\u00fdch sie\u0165ach sa jedn\u00e1 o fyzick\u00fa bezpe\u010dnos\u0165 na linkov\u00e9 vrstve (2. vrstva ISO \/ OSI).<\/span><\/p>\n

Ak je port v\u00a0\u00a0<\/span>neautorizovanom stave<\/span><\/em><\/strong>\u00a0(unauthorized), tak neprij\u00edma od\u00a0<\/span>klienta<\/span><\/em><\/strong>\u00a0(ozna\u010duje sa ako\u00a0<\/span>supplicant<\/span><\/em><\/strong>\u00a0) \u017eiadnu komunik\u00e1ciu mimo 802.1x prev\u00e1dzky (presnej\u0161ie, na porte je povolen\u00e9\u00a0<\/span>Extensible Authentication Protocol over LAN – EAPOL<\/span><\/em>\u00a0, CDP, Spanning Tree Protocol).\u00a0Nasleduje f\u00e1za autentiz\u00e1cie, ktor\u00fa\u00a0<\/span>authenticator<\/span><\/em><\/strong>\u00a0(v\u00e4\u010d\u0161inou switch) odovzd\u00e1va\u00a0<\/span>autentiza\u010dn\u00edmu servera<\/span><\/em><\/strong>\u00a0(v\u00e4\u010d\u0161inou RADIUS).\u00a0Pokia\u013e d\u00f4jde k \u00faspe\u0161nej autentiz\u00e1ciu, tak sa port prepne do\u00a0<\/span>autorizovan\u00e9ho stavu<\/span><\/em><\/strong>\u00a0(authorized), kedy je norm\u00e1lne funk\u010dn\u00fd.\u00a0Klient sa m\u00f4\u017ee odhl\u00e1si\u0165, potom sa port op\u00e4\u0165 prepne do neautorizovan\u00e9ho stavu.\u00a0Zaka\u017ed\u00fdm, ke\u010f sa stav linky zmen\u00ed z\u00a0\u00a0<\/span>down<\/span><\/em>\u00a0na\u00a0<\/span>up<\/span><\/em>, Tak port za\u010d\u00edna v neautorizovanom stave.<\/span><\/p>\n

\"\"<\/p>\n

Konfigur\u00e1cia v Cisco IOSu<\/span><\/h3>\n

Na Cisco switchoch sa sprev\u00e1dzkovanie tejto met\u00f3dy vykon\u00e1 v dvoch krokoch.\u00a0Najprv vyu\u017eijeme komponent\u00a0<\/span>authentication, authorization, and accounting<\/span><\/em><\/strong>\u00a0(AAA), ktor\u00e1 zais\u0165uje vlastn\u00fa autentiz\u00e1ciu (plus \u010fal\u0161ie funkcie) zariadenia \/ pou\u017e\u00edvate\u013ea.\u00a0Druh\u00fd krok spo\u010d\u00edva v konfigur\u00e1cii\u00a0<\/span>protokolu 802.1x<\/span><\/strong><\/em>\u00a0(dot1x) pre switch a jednotliv\u00e9 porty.<\/span><\/p>\n

Pomocou AAA zvol\u00edme autentiza\u010dn\u00fd met\u00f3du.\u00a0Najpou\u017e\u00edvanej\u0161ie je vyu\u017eitie extern\u00e9ho RADIUS servera.\u00a0V\u00fdhodou je odtienenie autentiza\u010dn\u00e9 met\u00f3dy od switche.<\/span><\/p>\n

Na tomto mieste uv\u00e1dzam iba z\u00e1kladn\u00fa konfigur\u00e1ciu, ktor\u00e1 je dostato\u010dn\u00e1 pre autentiz\u00e1ciu na porte.\u00a0Rad \u010fal\u0161\u00edch mo\u017enost\u00ed a funkci\u00ed bude v bud\u00facom \u010dl\u00e1nku.<\/span><\/p>\n

Nastavenie AAA cez Radius<\/span><\/h4>\n
SWITCH (config) # aaa new-model                  <\/strong>\/\/ zapnutie AAA access control model  \r\nNastavenie RADIUS servera \r\nSWITCH (config) # radius-server host 10.0.0.10 <\/strong>  \/\/ adresa alebo meno servera \r\nSWITCH (config) # radius-server key 12345 <\/strong>       \/\/ shared secret  \r\nNastavenie AAA met\u00f3dy pre 802.1x na predt\u00fdm definovan\u00fd RADIUS \r\nSWITCH (config) # aaa authentication dot1x default group radius<\/strong><\/span><\/pre>\n
Nastavenie 802.1x<\/span><\/h4>\n
SWITCH (config) # dot1x system-auth-control    <\/strong>  \/\/ zapne 802.1x glob\u00e1lne pre switch (ale funguje len na nastaven\u00fdch portoch) \r\nSWITCH (config-if) # dot1x port-control auto <\/strong>    \/\/ zapne 802.1x pre port, kde ho chceme pou\u017ei\u0165 \r\nSWITCH # show dot1x all <\/strong>                        \/\/ zobraz\u00ed info<\/span><\/pre>\n
Pozn .:<\/span><\/em><\/strong>\u00a0Defaultn\u00e1 hodnota pre<\/span>\u00a0port-control<\/span><\/strong>\u00a0je<\/span>\u00a0force-authorized<\/span><\/strong>\u00a0, teda port je v\u017edy autorizovan\u00fd a 802.1x sa nepou\u017e\u00edva.<\/span><\/p>\n
Konfigur\u00e1cia MS IAS (RADIUS) servera<\/span><\/h3>\n
Ak sa rozhodneme pre pou\u017eitie\u00a0<\/span>RADIUS<\/span><\/strong>\u00a0(Remote Authentication Dial-in User Service) servera, tak m\u00e1me k dispoz\u00edcii rad rie\u0161en\u00ed.\u00a0Jednou z mo\u017enost\u00ed je pou\u017eitie\u00a0<\/span>Internet Authentication Service<\/span><\/em><\/strong>\u00a0(IAS) od Microsoftu, \u010do je komponent Windows Servera 2003. IAS pon\u00faka slu\u017eby pre\u00a0<\/span>autentiz\u00e1ciu, autoriz\u00e1ciu, \u00fa\u010dtovanie a audit<\/span><\/em>\u00a0(\u00a0<\/span>authentication, authorization, accounting and auditing)<\/span><\/em>\u00a0.<\/span><\/p>\n
Pre praktick\u00e9 situ\u00e1cie sa odpor\u00fa\u010da in\u0161talova\u0165 IAS na dom\u00e9nov\u00fd radi\u010d, najlep\u0161ie z\u00e1rove\u0148 Global Catalog.\u00a0Tie\u017e sa odpor\u00fa\u010da ma\u0165 dva IAS servery pre pr\u00edpad v\u00fdpadku jedn\u00e9ho z nich.\u00a0Na RADIUS servera m\u00f4\u017eeme nakonfigurova\u0165, ak\u00fa autentiza\u010dn\u00fd datab\u00e1ze m\u00e1 pou\u017ei\u0165, v na\u0161om pr\u00edpade sa pou\u017e\u00edva LDAP pre pripojenie k Active Directory.\u00a0RADIUS protokol nikdy neposiela u\u017e\u00edvate\u013esk\u00e9 heslo v \u010distom texte.<\/span><\/p>\n
Krok 1 – sprev\u00e1dzkovanie IASu<\/span><\/h4>\n
    \n
  • najprv cez\u00a0<\/span>Add\u00a0<\/span><\/em><\/strong>or Remove Programs<\/span><\/em><\/strong>\u00a0prid\u00e1me komponent do syst\u00e9mu, nach\u00e1dza sa pod\u00a0<\/span>Networking Services<\/span><\/em><\/strong><\/li>\n
  • spust\u00edme management pre IAS (MMC konzoly) cez\u00a0<\/span>Administrative Tools<\/span><\/em><\/li>\n
  • aby mohol IAS pristupova\u0165 k z\u00e1znamom v AD, tak ho mus\u00edme zaregistrova\u0165 v AD – klikneme prav\u00fdm tla\u010didlom na Rootove polo\u017eku\u00a0<\/span>Internet Authentication Service (local)<\/span><\/em><\/strong>\u00a0a zvol\u00edme\u00a0<\/span>Register Server in Active Directory<\/span><\/em><\/strong><\/li>\n
  • \u010falej slu\u017ebu na\u0161tartujeme (\u0160tart Service na Rootove polo\u017eke)<\/span><\/li>\n<\/ul>\n
    Pozn .:<\/span><\/em><\/strong>\u00a0V nastaven\u00ed IAS servera m\u00f4\u017eeme nastavi\u0165 porty, na ktor\u00fdch komunikuje.\u00a0\u0160tandardne sa pou\u017e\u00edvaj\u00fa UDP porty 1812 alebo 1645 pre autentiz\u00e1ciu a 1813 alebo 1646 pre accounting.<\/span><\/p>\n
    Krok 2 – vytvorenie klienta<\/span><\/h4>\n
    Tu definujeme zariadenie (klienta), ktor\u00fd bude m\u00f4c\u0165 k serveru pristupova\u0165.\u00a0Nejedn\u00e1 sa teda priamo o klienta, ale o Authenticator (napr\u00edklad switch), ktor\u00fd bude komunikova\u0165 s RADIUS serverom.<\/span><\/p>\n
      \n
    • pod zlo\u017ekou\u00a0<\/span>RADIUS\u00a0<\/span><\/em><\/strong>Clients<\/span><\/em><\/strong>\u00a0vytvor\u00edme nov\u00e9ho klienta, \u010do je switch, kde chceme pou\u017ei\u0165 802.1x<\/span><\/li>\n
    • zad\u00e1me IP adresu \u010di meno, v Enterprise verzii m\u00f4\u017eeme \u0161pecifikova\u0165 aj rozsah pomocou CIDR not\u00e1cie<\/span><\/li>\n
    • ako\u00a0<\/span>Client-vendor<\/span><\/em><\/strong>\u00a0nastav\u00edme Cisco (inokedy sa v\u00e4\u010d\u0161inou pou\u017e\u00edva RADIUS Standard, ale nie pre Cisco)<\/span><\/li>\n
    • zad\u00e1me\u00a0<\/span>Shared secret<\/span><\/em><\/strong>\u00a0, \u010do je alfanumerick\u00fd re\u0165azec, ktor\u00fd sl\u00fa\u017ei na overenie pr\u00edstupu klienta<\/span><\/li>\n<\/ul>\n
      \"\"<\/p>\n
      Krok 3 – vytvorenie politiky pre vzdialen\u00fd pr\u00edstup<\/span><\/h4>\n
      V tre\u0165om kroku mus\u00edme vytvori\u0165\u00a0<\/span>Remote Access Policy<\/span><\/em><\/strong>\u00a0, kde sa okrem in\u00e9ho ur\u010duj\u00fa autentiza\u010dn\u00fd met\u00f3dy.\u00a0T\u00fdchto polit\u00edk m\u00f4\u017ee by\u0165 viac a pod\u013ea zadan\u00fdch podmienok (policy conditions), ktor\u00e9 m\u00f4\u017eu by\u0165 ve\u013emi pestr\u00e9, sa ur\u010duje, ktor\u00e1 z nich sa pou\u017eije.<\/span><\/p>\n
      \"\"<\/p>\n
        \n
      • vytvor\u00edme nov\u00fa politiku (prav\u00fdm tla\u010didlom na\u00a0<\/span>Remote Access Policies<\/span><\/em>\u00a0a\u00a0<\/span>New Remote Access Policy<\/span><\/em>\u00a0)<\/span><\/li>\n
      • zvol\u00edme\u00a0<\/span>custom policy<\/span><\/em><\/strong>\u00a0a zad\u00e1me meno (tu Cisco switche)<\/span><\/li>\n
      • ako\u00a0<\/span>podmienky politiky<\/span><\/em><\/strong>\u00a0(teda na \u010do sa bude politika aplikova\u0165) m\u00f4\u017eeme vybra\u0165 potrebn\u00e9\u00a0<\/span>Client-Friendly-Name<\/span><\/em>\u00a0a hodnotu\u00a0<\/span>Cisco *<\/span><\/em>\u00a0a\u00a0<\/span>NAS-Port-Type<\/span><\/em>\u00a0a\u00a0<\/span>Ethernet<\/span><\/em><\/li>\n<\/ul>\n
        Pozn .:<\/span><\/em><\/strong>\u00a0\u010eal\u0161ou mo\u017enou podmienkou je obmedzenie pr\u00edstupu u\u017e\u00edvate\u013eov.\u00a0Ak vytv\u00e1rame politiku pomocou sprievodcu, tak n\u00e1m pon\u00faka dve mo\u017enosti.\u00a0Riadenie pr\u00edstupu pomocou nastavenia u u\u017e\u00edvate\u013esk\u00e9ho konta v AD (User).\u00a0Alebo individu\u00e1lne riadenie pomocou skup\u00edn (Group).\u00a0Podmienka pre skupinu sa vol\u00e1<\/span>\u00a0Windows-Groups<\/span><\/em>\u00a0a hodnotu m\u00f4\u017eeme treba nastavi\u0165 na<\/span>\u00a0„domena \\ Domain Computers; domena \\ Domain Users“<\/span><\/em>\u00a0.\u00a0R\u00f4znym nastaven\u00edm m\u00f4\u017eeme obmedzi\u0165 autentiz\u00e1ciu napr\u00edklad pomocou konta po\u010d\u00edta\u010da.<\/span><\/p>\n
          \n
        • v \u010fal\u0161om kroku nastavujeme, \u010di politika\u00a0<\/span>povo\u013euje<\/span><\/em><\/strong>\u00a0(grant) alebo\u00a0<\/span>zakazuje<\/span><\/em><\/strong>\u00a0(deny)\u00a0<\/span>pr\u00edstup<\/span><\/em><\/strong>\u00a0.\u00a0Toto nastavenie je v\u0161ak prep\u00edsan\u00e9 nastaven\u00edm u u\u017e\u00edvate\u013esk\u00e9ho \u00fa\u010dtu v AD na z\u00e1lo\u017eke\u00a0<\/span>Dial-in<\/span><\/em>\u00a0, polo\u017eka\u00a0<\/span>Remote Access Permission<\/span><\/em><\/li>\n
        • presko\u010d\u00edme nastavenie profilu a dokon\u010d\u00edme politiku<\/span><\/li>\n<\/ul>\n
          T\u00fdm sme vytvorili politiku a nastavili parametre, pod\u013ea ktor\u00fdch sa bude vybera\u0165 na ak\u00e9 \u017eiadosti sa m\u00e1 uplatni\u0165.\u00a0Teraz mus\u00edme definova\u0165\u00a0<\/span>autentiza\u010dn\u00fd parametre<\/span><\/em><\/strong>\u00a0.<\/span><\/p>\n
            \n
          • dvojklikom otvor\u00edme na\u0161u politiku a dostaneme sa do vlastnost\u00ed<\/span><\/li>\n
          • na prvej str\u00e1nke vid\u00edme podmienky, pod\u013ea ktor\u00fdch sa politika vyhodnocuje<\/span><\/li>\n<\/ul>\n
              \n
            • \"\"\n
              Pozn .:<\/span><\/em><\/strong>\u00a0Mo\u017enost\u00ed pre nastavenie je cel\u00e1 rada.\u00a0Z\u00e1lo\u017eka<\/span>\u00a0Dial-in Constrains<\/span><\/em><\/strong>\u00a0, m\u00f4\u017eeme nastavi\u0165, ako dlho m\u00f4\u017ee by\u0165 pou\u017e\u00edvate\u013e pripojen\u00fd alebo v ktor\u00fa dobu sa m\u00f4\u017ee pripoji\u0165.\u00a0Z\u00e1lo\u017eka<\/span>\u00a0Advanced<\/span><\/em><\/strong>\u00a0, m\u00f4\u017eeme definova\u0165 ve\u013ek\u00fa radu atrib\u00fatov (vr\u00e1tane Vendor-Specific atrib\u00fatov), ktor\u00e9 bud\u00fa vr\u00e1ten\u00e9 zariadenie, ktor\u00e9 sa p\u00fdta (switch).\u00a0Z\u00e1lo\u017eka<\/span>\u00a0Encryption<\/span><\/em><\/strong>\u00a0, m\u00f4\u017eeme definova\u0165, ak\u00e9 \u0161ifrovacie met\u00f3dy s\u00fa akceptovan\u00e9, tu je dobr\u00e9 nastavi\u0165 najsilnej\u0161\u00ed \u0161ifrovanie (pokia\u013e je to mo\u017en\u00e9).<\/span><\/p>\n
              \"\"<\/li>\n
            • Kliknut\u00edm na tla\u010didlo Edit Profile,<\/em><\/strong>\u00a0sa dostaneme do nastavenia podrobnost\u00ed.\u00a0N\u00e1s zauj\u00edma hlavne z\u00e1lo\u017eka\u00a0Authentication<\/em><\/strong>\u00a0.<\/li>\n<\/ul>\n
              Na z\u00e1lo\u017eke\u00a0<\/span>Authentication<\/span><\/em><\/strong>\u00a0m\u00f4\u017eeme voli\u0165 jednu z radu autentiza\u010dn\u00fdch met\u00f3d pod\u013ea potreby a podpory na klientoch.\u00a0Pre n\u00e1\u0161 pr\u00edpad v\u0161ak tu nenastav\u00edte ni\u010d a klikneme na tla\u010didlo\u00a0<\/span>EAP Methods<\/span><\/em><\/strong>\u00a0.\u00a0Medzi\u00a0<\/span>EAP<\/span><\/strong>\u00a0met\u00f3dami m\u00f4\u017eeme vybra\u0165\u00a0<\/span>PEAP<\/span><\/em><\/strong>\u00a0alebo ak pou\u017e\u00edvame \u010dipovej karty a \/ alebo certifik\u00e1ty, tak\u00a0<\/span>Smart Card or other certificate<\/span><\/em><\/strong>\u00a0.\u00a0\u010eal\u0161ie vlastnosti sa n\u00e1sledne nastavuj\u00fa pre vybran\u00fa EAP met\u00f3du pomocou tla\u010didla\u00a0<\/span>Edit<\/span><\/em>.<\/span><\/p>\n
              \"\"<\/p>\n
              Export a import nastaven\u00ed pre IAS<\/span><\/h4>\n
              Ak m\u00e1me dva IAS servery, ktor\u00e9 maj\u00fa ma\u0165 t\u00fa ist\u00fa konfigur\u00e1ciu (z d\u00f4vodu z\u00e1lohy), tak m\u00f4\u017eeme pou\u017ei\u0165 export a import konfigur\u00e1cie.\u00a0Pou\u017eijeme pre to skriptovac\u00ed utilitu pre pr\u00edkazov\u00fd riadok\u00a0<\/span>netsh<\/code>(Network Shell).<\/span><\/p>\n
              Pre z\u00e1lohu konfigur\u00e1cie m\u00f4\u017eeme pou\u017ei\u0165 nasleduj\u00faci pr\u00edkaz, ktor\u00fd ju ulo\u017e\u00ed do s\u00faboru\u00a0<\/span>iasconfig.txt<\/span><\/em><\/p>\n
              netsh<\/strong> aaaa show config> iasconfig.txt<\/span><\/pre>\n
              Pre obnovu konfigur\u00e1cie posl\u00fa\u017ei pr\u00edkaz<\/span><\/p>\n
              netsh<\/strong> exec iasconfig.txt<\/span><\/pre>\n
              Konfigur\u00e1cia klienta Windows XP<\/span><\/h3>\n
              Windows XP<\/span><\/strong><\/em>\u00a0,<\/span>\u00a0Windows Vista<\/span><\/strong><\/em>\u00a0a<\/span>\u00a0Windows 2000 SP4<\/span><\/strong><\/em>\u00a0obsahuj\u00fa podporu pre protokol<\/span>\u00a0IEEE 802.1x<\/span><\/strong>\u00a0.\u00a0Zapnutie a konfigur\u00e1cia sa vykon\u00e1va pre jednotliv\u00e9 sie\u0165ov\u00e9 spojenie.\u00a0<\/span>Control Panel – Network Connections<\/span><\/em>\u00a0– prav\u00e9 tla\u010didlo na spojenie –<\/span>\u00a0Properties<\/span><\/em>\u00a0– z\u00e1lo\u017eka<\/span>\u00a0Authentication<\/span><\/em><\/strong>\u00a0.\u00a0Vo Windows Vista nie je podpora 802.1x \u0161tandardne zapnut\u00e1 a pre jej vyu\u017eitie je potrebn\u00e9 na\u0161tartova\u0165 slu\u017ebu<\/span>\u00a0Wired AutoConfig<\/span><\/strong><\/em>\u00a0.<\/span><\/p>\n
              Pozn .:<\/span><\/em><\/strong>\u00a0Stretol som sa probl\u00e9mom, \u017ee z\u00e1lo\u017eka<\/span>\u00a0Authentication<\/span><\/em><\/strong>\u00a0ch\u00fdbala.\u00a0Bolo to na po\u010d\u00edta\u010di, kde bola tie\u017e bezdr\u00f4tov\u00e1 sie\u0165ov\u00e1 karta a t\u00e1 bola riadenia ovl\u00e1da\u010dom v\u00fdrobcu.\u00a0Vo chv\u00edli, ke\u010f som nastavil riadenia pomocou Windows, sa na v\u0161etk\u00fdch sie\u0165ov\u00fdch kart\u00e1ch objavila z\u00e1lo\u017eka<\/span>\u00a0Authentication<\/span><\/em><\/strong>\u00a0(a v\u0161etko fungovalo)<\/span>\u00a0.<\/span><\/em><\/strong><\/p>\n
              \"\"<\/p>\n
              Nastavenie je jednoduch\u00e9 a samozrejme mus\u00ed zodpoveda\u0165 tomu, \u010do sme nastavili na RADIUS servera.<\/span><\/p>\n
                \n
              • prv\u00e1 polo\u017eka “\u00a0<\/span>Enable IEEE 802.1x authentication for this network<\/span><\/em><\/strong>\u00a0“ povo\u013euje alebo zakazuje vyu\u017eitie\u00a0<\/span>protokolu 802.1x<\/span><\/em><\/li>\n
              • pod\u00a0<\/span>EAP type<\/span><\/em><\/strong>\u00a0vyber\u00e1me autentiza\u010dn\u00e9 met\u00f3du (napr. PEAP \u010di Smart Card or other certificate)<\/span><\/li>\n
              • tla\u010didlom\u00a0<\/span>Properties<\/span><\/em><\/strong>\u00a0sa dostaneme do nastavenia podrobnost\u00ed danej autentiza\u010dn\u00e9 met\u00f3dy<\/span><\/li>\n
              • podtr\u017en\u00edkom “\u00a0<\/span>Authenticate as computer when computer information is available<\/span><\/em><\/strong>\u00a0“ povo\u013eujeme, \u010di sa m\u00f4\u017ee pok\u00fasi\u0165 o autentiz\u00e1ciu po\u010d\u00edta\u010d, ke\u010f nie je prihl\u00e1sen\u00fd pou\u017e\u00edvate\u013e<\/span><\/li>\n
              • Posledn\u00fd zatr\u017e\u00edtko “\u00a0<\/span>Authenticate as guest when user or computer information is unavailable<\/span><\/em><\/strong>\u00a0“ povo\u013euje po\u010d\u00edta\u010du, aby sa pok\u00fasil o prihl\u00e1senie pomocou \u00fa\u010dtu Guest, ke\u010f sa nem\u00f4\u017ee autentizova\u0165 pomocou konta pou\u017e\u00edvate\u013ea ani po\u010d\u00edta\u010da<\/span><\/li>\n<\/ul>\n
                Pozn .:<\/span><\/strong><\/em>\u00a0Mo\u017enos\u0165 autentizova\u0165 po\u010d\u00edta\u010d n\u00e1m dovol\u00ed vykona\u0165 autentiz\u00e1ciu vo chv\u00edli, ke\u010f je dostupn\u00e9 sie\u0165ov\u00e9 pripojenie.\u00a0To znamen\u00e1 sk\u00f4r, ne\u017e sa bude autentizova\u0165 u\u017e\u00edvate\u013e a sk\u00f4r ne\u017e sa za\u010dn\u00fa sp\u00fa\u0161\u0165a\u0165<\/span>\u00a0group policy<\/span><\/em>\u00a0a<\/span>\u00a0login skripty<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
                Autentiz\u00e1cie pr\u00edstupu k portu\u00a0pomocou protokolu IEEE 802.1x je z\u00e1klad dnes popul\u00e1rnych technol\u00f3gi\u00ed zvan\u00fdch\u00a0Network Access Control\u00a0(NAC),\u00a0Network Admission Control\u00a0(NAC) alebo\u00a0Network Access Protection\u00a0(NAP), ktor\u00e9 riadi pr\u00edstup zariadenia \/…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":431,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/496"}],"collection":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/comments?post=496"}],"version-history":[{"count":1,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/496\/revisions"}],"predecessor-version":[{"id":504,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/496\/revisions\/504"}],"up":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/431"}],"wp:attachment":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/media?parent=496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}