200 likes | 289 Views
Wireless Security and Accounting with 802.1X. Introduction. Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and network security. Background.
E N D
Introduction • Background • Why 802.1X? • What is 802.1X? • Implementing 802.1X at UTD • The future of 802.1X and network security
Background • Student housing apartments comprise the largest apartment complex in D/FW Metroplex – 1200 units, 67 buildings • Peak usage of almost 1000 simultaneous users • Student housing security provided by SSID cloaking, WEP, and Bluesocket gateway doing web authentication • Campus security provided by WEP, SSID cloaking, and MAC address registration
The Criteria • Client availability and ease of use • Scalable and robust • Ease of integration with existing security and identity systems • Low cost • And, of course, the best security possible
802.1X Meets the Challenge • Client availability and ease of use • Most OSes now come with 802.1X clients, more added frequently • No more requirement for SSID cloaking and MAC registration • Scalable and robust • As scalable as your APs, no extra density calculations • Ease of integration with existing security and identity systems • Most RADIUS implementations integrate with LDAP and SQL • Low cost • Only required purchase of two servers and a commercial certificate • Provides exceptional accounting information
The Best Overall Security • Authenticates users in a variety of methods • Robust, dynamically keyed encryption • Pushes the security perimeter to the absolute entry point of the network by securing connections at the AP • Protects authenticated clients from unauthenticated clients • Mutual authentication • Mitigates connection hijacking
What is 802.1X? • Port Access Authentication • Originally designed for authenticating ports on wired LANs • Port traffic, except for 802.1X, blocked until successful authentication • Three Components • Supplicant (client) • Authenticator (switch, AP, other NAS, preferably RADIUS capable) • Authentication Server (sometimes part of Authenticator, otherwise RADIUS server) • Utilizes the Extensible Authentication Protocol (EAP) • As such, it is sometimes known as EAPoL (EAP over LAN) • RADIUS server must be EAP capable
802.1X Meets Wireless • Associations (wireless clients) become virtual “ports” • Frequent reauthentications reset key information and insure no session hijacking has occured • EAPoL Key frame used to provide dynamic encryption • Now used as the basis for enterprise authentication in WPA and WPA2 (802.11i)
EAP Demystified • Originally designed for PPP authentication • Authentication framework • Authenticators only need to recognize a few well defined messages • Request/Response • Success/Failure • EAP subtypes allow for new types of authentication to be added without requiring upgrades to the Authenticators • Only Supplicants and Authentication Servers need to implement details of new EAP types
EAP Types • EAP-MD5 • Does NOT provide for dynamic encryption • User authenticated by password • Network NOT authenticated to user (no mutual authentication) • EAP-TLS • Provides for dynamic encryption • User and network mutually authenticated using certificates • EAP-TTLS and PEAP • Provides for dynamic encryption • Network authenticated using certificate • Client authentication tunneled inside of EAP-TLS
UTD Chooses PEAP • Specifically PEAP-MSCHAPv2 • Native to Windows XP and above (available from Microsoft for Windows 2000 in SP4) • Also implemented in most other supplicants (Open1X, MacOS X 10.3, etc) • Allows clients to authenticate with familiar username and password • Does not require helpdesk intervention to set up connection
Hardware Details • 802.1X Capable Access Points • UTD currently uses Proxim APs • Almost any enterprise-class AP • Two RADIUS Servers • Provides for failover • Not required to be beefy • RADIUS is a lightweight service, even with TLS sessions and frequent reauthentications • Low-end Dell PowerEdge servers
Software Details • Fedora Core OS • MySQL • Provides policy enforcement and accounting backend for RADIUS • Holds special case users that do not exist in LDAP tree • FreeRADIUS • Ties in with LDAP and SQL to form authentication, authorization, and accounting (AAA) framework for wireless LAN
PEAP Certificate • Certificate required for network authentication • Certificate must contain the TLS Web Server Authentication Extended Key Usage Attribute • Required by Microsoft supplicant • OID .1.3.6.1.5.5.7.3.1 • Exists in commercial web server SSL certificates • Commercial certificate obtained from VeriSign • No need for “roll-your-own” CA • Help desk not required to load CA certificate on user machines
MSCHAPv2 • Password hashes in LDAP tree incompatible with MSCHAPv2 • New ntPassword attribute added to LDAP schema to hold NTLMv2 hashed password • Attribute ONLY accessible to RADIUS LDAP profile • Web account management system updated to populate ntPassword attribute when password change occurs
Rollout Timeline • Six months before rollout • Web account management system updated to load NT hashed password • RADIUS servers configured and tested • Two weeks before rollout • Notification posted to students of change • Web pages with instructions for setting up 802.1X in various OSes provided • Printed versions of instructions provided at help desk and apartment complex leasing office • Rollout • Campus router interface created for wireless LAN (previously handled by Bluesocket gateway) • DHCP updated - new address space, unknown clients allowed • APs reconfigured to require 802.1X authentication
Recent Additions • Homegrown FreeRADIUS module for blocking virus infected machines • Blocks machines based on RADIUS Calling-Station-Id attribute (MAC Address) • Fed automatically from IDS • Blocking at “perimeter” extremely useful here • Windows Domain Machine Authentication • Domain member machines must be able to authenticate as a machine for domain user credentials to be processed • FreeRADIUS proxies Windows machine authentications to a Microsoft IAS RADIUS server • FreeRADIUS still controls connection policy
Where do we go from here? • Rollout to our main campus • Use of accounting data for detailed usage reports • More policy management using dynamically assigned VLANs • Authenticated guest access using temporary credentials • 802.1X for public wired switchports? • VoFi phones on the near horizon
Federated Wireless Network Authentication • I2 SALSA-NetAuth Group • Working to enable institutional members to authenticate to networks (wireless/wired) at other institutions using their home credentials. • Enable roaming between HiEd, K-12, government, industry • Employs 802.1X and RADIUS peering • Biweekly Conference Calls • Thursday 11am-12pm: Feb 24, Mar 10 • 866-411-0013, 0184827 • salsa-fwna @ internet2 list • “subscribe salsa-fwna” to sympa @ internet2
Resources • UTD 802.1X Client Setup Instructions • http://www.utdallas.edu/ir/cats/network/wlan/8021x/ • EAP Capable RADIUS Servers • FreeRADIUS http://www.freeradius.org/ • Microsoft IAS http://www.microsoft.com/ias/ • Steel Belted RADIUS http://www.funk.com/ • Radiator http://www.open.com.au/radiator/ • Federated Wireless NetAuth (FWNA) Internet2 Group • http://security.internet2.edu/fwna/