Network Authentication with PKI
EDUCAUSE/Dartmouth PKI Summit, July 27, 2005
Jim Jokl, University of Virginia
Background: UVa Wireless LAN Project
• Deploy campus-wide Wireless LAN (WLAN)
  • Initial focus on student areas
  • Later emphasis on faculty/staff areas
• Support multiple applications
  • Focus on standard applications: email, web, login, file transfer, etc.
  • Don't focus on applications such as video
• Provide security
  • Wireless really is different in this regard
UVa WLAN Summary
• Access Point summary as of July 2005
  • 796 access points in database with approximately 704 operational
  • ~250 older Cisco 352 802.11b (11 Mbps @ 2.4 GHz) units
  • Remainder are modern Cisco 1100/1200 series access points
    • 802.11 G/B (11-45 Mbps @ 2.4 GHz)
    • 802.11 A (45 Mbps @ 5 GHz)
    • Still need to install A/G radios in some of the 1200s
• Wireless security system
  • Would have liked strong authentication and encryption for all WLAN access, however …
Initial Wireless Security System
• MAC address validation
  • Users register the hardware address of their wireless adapter
  • Provisions for anyone affiliated with the university to register cards for guests
  • Supports "random" devices
• Secured wireless via Cisco LEAP
  • Password-based authentication
  • Dynamic symmetric cipher keys
  • Had expected this technology to be widely implemented by vendors
EAP-based Authentication Process (diagram: users → access points → UVa network → Radius servers)
Authentication Transition
• Combination of LEAP and MAC registration was OK for a couple of years
• However:
  • LEAP never became mainstream and generally required a Cisco wireless card and software installation
  • We had anticipated native LEAP support with Windows XP
  • Final straw was a reported security vulnerability with the LEAP protocol
Wireless LAN Access Control: EAP method comparison (source: wi-fiplanet.com)

|                           | EAP-MD5 | LEAP | EAP-TLS | EAP-TTLS | PEAP |
|---------------------------|---------|------|---------|----------|------|
| Server Authentication     | None | Password Hash | Public Key | Public Key | Public Key |
| Supplicant Authentication | Password Hash | Password Hash | Public Key | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or Public Key |
| Dynamic Key Delivery      | No | Yes | Yes | Yes | Yes |
| Security Risks            | Identity exposed, Dictionary attack, MitM attack, Session hijacking | Identity exposed, Dictionary attack | Identity exposed | MitM attack | MitM attack |
Background: UVa Standard Assurance CA (PKI-Lite)
• On-line Web CA
  • Uses existing account information to validate user request
  • Computing ID, password, and some database info checked
• Certificate and chain automatically installed or PKCS-12
• ~20k active certificates now
UVa EAP-TLS Wireless Authentication
• User verifies the Radius server's identity using PKI
• The Radius server verifies the user's identity using PKI
• An LDAP-based authorization step happens
• Association is allowed and dynamic session crypto keys are exchanged
(diagram: User ↔ Access Point ↔ Radius Server ↔ LDAP AuthZ)
OS Support for EAP-TLS
• Operating System Support
  • Windows XP, Windows 2000 SP-4*
  • MacOS (10.3.3)
  • 3rd party software available
• Very easy to use
  • No account management, passwords, etc.
  • Login to your workstation and secure wireless just works
• AuthZ step will make it easier to keep hacked machines off of the WLAN
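The four-step flow on the UVa EAP-TLS slide above, together with the point that the AuthZ step keeps hacked machines off the WLAN, played out in Go's crypto/tls as an added example. This is not code from the UVa deployment (which used Cisco access points, a Radius server and LDAP); it models the same trust decisions with a constructed campus CA, a RADIUS server certificate and user certificates over a loopback TCP connection. The client's RootCAs is step 1, the server's RequireAndVerifyClientCert is step 2, a VerifyPeerCertificate hook standing in for the LDAP lookup is step 3, and a constructed "ACCEPT" message stands in for the accept that precedes session key delivery in step 4. The directory map, the names radius.example.test, jdoe and quarantined-host, and the ACCEPT token are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the LDAP authorization data: a hacked machine is kept off by flipping its entry.
var wlanDirectory = map[string]bool{"jdoe": true, "quarantined-host": false}

// Issue returns a certificate for cn signed by parent (self-signed if parent is nil).
func Issue(cn string, isCA bool, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, any(key)
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // what a client matches ServerName against
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Authenticate runs the slide's four steps (marked inline) over loopback TCP; nil means the association is allowed.
func Authenticate(ca, server, client tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // step 2: server verifies the user's certificate
		ClientCAs:    pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if cn := chains[0][0].Subject.CommonName; !wlanDirectory[cn] { // step 3: AuthZ on the verified leaf
				return fmt.Errorf("authz: %q is not permitted on the WLAN", cn)
			}
			return nil
		},
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool, // step 1: user verifies the RADIUS server's certificate
		ServerName:   server.Leaf.Subject.CommonName,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		s, err := ln.Accept()
		if err == nil {
			_, err = s.Write([]byte("ACCEPT")) // step 4; Write runs the server-side handshake first
			s.Close()
		}
		serverDone <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // client-side handshake
	if err != nil {
		return err
	}
	buf := make([]byte, 16)
	n, err := c.Read(buf) // under TLS 1.3 the server's verdict on the user surfaces here, not in Dial
	c.Close()
	if srvErr := <-serverDone; srvErr != nil || err != nil || string(buf[:n]) != "ACCEPT" {
		return fmt.Errorf("association refused: server=%v client=%v", srvErr, err)
	}
	return nil
}

func main() {
	ca, _ := Issue("Campus Test CA", true, nil)
	radius, _ := Issue("radius.example.test", false, &ca)
	user, _ := Issue("quarantined-host", false, &ca)
	fmt.Println(Authenticate(ca, radius, user)) // refused by step 3 even though the certificate verifies
}
```

Authenticate returns nil for jdoe and an error for quarantined-host even though that certificate chains to the campus CA; that is the authorization step doing what the slide says, with no certificate revocation needed. A certificate from a different CA fails at step 2 and a server presenting a certificate from a different CA fails at step 1. Because a TLS 1.3 client finishes its handshake before the server has examined the client certificate, the server's rejection reaches the client as an alert on the first Read rather than as a Dial error, which is why the code reads a reply before declaring success.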
EAP-TLS and the Microsoft Clients
• Microsoft field in certificate for AuthN
  • Subject Alt Name / Other Name / Principal Name
  • OID 1.3.6.1.4.1.311.20.2.3
  • If not present, uses CN
    • Uniqueness issues for many CAs
  • Easy to add to certificate profile
• Impact on the PKI-Lite certificate profiles
  • Agreed to add this extension to EE cert profile
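An added example, not code from the page or from UVa's CA, showing the certificate field this slide describes: it builds the subjectAltName otherName that carries a User Principal Name under OID 1.3.6.1.4.1.311.20.2.3, reads it back the way an authentication server would from a parsed certificate's extension list, and applies the precedence stated on the slide (UPN when present, otherwise CN). The UTF8String-inside-[0] encoding of the value is the Microsoft otherName format; the sample UPN jdoe@virginia.edu and the CN "Jane Doe" are constructed for the example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// The two OIDs involved: the Microsoft User Principal Name otherName named on
// the slide, and the standard subjectAltName extension that carries it.
var (
	oidMicrosoftUPN   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
// Value stays raw so the [0] wrapper can be checked and unwrapped by hand.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// UPNExtension builds a subjectAltName holding one UPN otherName, the way a
// CA profile adds it; the UPN value is a UTF8String inside the [0] wrapper.
func UPNExtension(upn string) (pkix.Extension, error) {
	utf8, err := asn1.MarshalWithParams(upn, "utf8")
	if err != nil {
		return pkix.Extension{}, err
	}
	on := otherName{
		TypeID: oidMicrosoftUPN,
		Value:  asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8},
	}
	// GeneralName's otherName choice is [0] IMPLICIT, so the SEQUENCE tag itself becomes [0].
	gn, err := asn1.MarshalWithParams(on, "tag:0")
	if err != nil {
		return pkix.Extension{}, err
	}
	san, err := asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}) // GeneralNames ::= SEQUENCE OF GeneralName
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidSubjectAltName, Value: san}, nil
}

// MicrosoftUPN walks a certificate's extensions (x509.Certificate.Extensions
// in Go) and returns the UPN when a UPN otherName is present.
func MicrosoftUPN(exts []pkix.Extension) (string, bool) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", false
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, iPAddress and the other choices
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				continue
			}
			if !on.TypeID.Equal(oidMicrosoftUPN) || on.Value.Class != asn1.ClassContextSpecific || on.Value.Tag != 0 {
				continue // some other otherName type
			}
			var upn string
			if _, err := asn1.Unmarshal(on.Value.Bytes, &upn); err == nil {
				return upn, true
			}
		}
	}
	return "", false
}

// EAPIdentity applies the precedence the slide describes: the UPN otherName
// when present, otherwise the subject CN. The second result says which field
// supplied the name; logging it shows when a login relied on the CN, which is
// where the uniqueness problem the slide mentions lives.
func EAPIdentity(subjectCN string, exts []pkix.Extension) (id, source string, err error) {
	if upn, ok := MicrosoftUPN(exts); ok {
		return upn, "upn", nil
	}
	if subjectCN != "" {
		return subjectCN, "cn", nil
	}
	return "", "", errors.New("certificate carries neither a UPN otherName nor a CN")
}

func main() {
	ext, err := UPNExtension("jdoe@virginia.edu") // constructed sample UPN
	if err != nil {
		panic(err)
	}
	fmt.Println(EAPIdentity("Jane Doe", []pkix.Extension{ext})) // jdoe@virginia.edu upn <nil>
	fmt.Println(EAPIdentity("Jane Doe", nil))                   // Jane Doe cn <nil>
}
```

With a real certificate, pass cert.Subject.CommonName and cert.Extensions from x509.ParseCertificate. Go's parser ignores otherName entries in the SAN rather than rejecting them, so the UPN survives in Extensions and this walk is the only way to get at it. Keeping the "upn"/"cn" source in authentication logs is a cheap way to see how many users still carry certificates without the attribute, the situation the transition slide later describes.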
Summary: Supported wireless "accounts" at UVa
• EAP-TLS: our main wireless network
  • Leverage PKI for user authentication on WinXP and MacOS 10.3
  • Dynamic session encryption keys
• MAC Address restricted network
  • Provides access control and limited authentication
  • Especially useful for devices with limited functionality
  • Now integrated with our main NetReg MAC address registration system
• Guest
  • MAC Access control and identification of UVa sponsor
UVa WLAN Authentication Transition
• Transitioned to new authentication summer 2004
  • Added an EAP-TLS VLAN, removed LEAP
  • EAP-TLS is the authentication used on the broadcast SSID
• Main EAP-TLS issues encountered
  • Old drivers for users' wireless cards
  • A few users still had certificates without the Microsoft attribute
  • Macintosh a little harder since no Safari integration for certificate download and installation
• Retained a legacy MAC registration-only VLAN
  • For special devices that don't support EAP-TLS
  • Non-broadcast SSID
• Transition completed by end of summer
  • Few hard problems encountered
• Will add EAP-TLS VLAN for access to UVa "More Secure" network once more AuthZ work is completed
Background: University of Virginia PKI
• Project Goal
  • Enable PKI support in a wide range of applications
• Deploy two campus CAs to support two types of PKI-enabled applications
  • Standard Assurance CA
    • For better security on common applications
    • Improve ease of use on some applications
    • Identity proofing marginally stronger than used with simple passwords
  • High Assurance CA
    • For new applications requiring high security
    • Uses hardware tokens only: 2-factor authentication
    • Strong identity validation before certificate is issued
UVaAnywhere VPN Service
• Our first PKI application
• Certificate AuthN
• Encrypted path to UVa network edge
• On-campus IP address
• Cisco 3000 concentrators
• Adding LDAP AuthZ
• IPSec and Cisco VPN client is only supported mechanism
(diagram: Internet connections → UVaAnywhere concentrators → UVaNet)
UVaAnywhere-Lite
• Just added new SSL VPN service
  • For web applications only
  • Uses existing Cisco 3000 concentrators
• PKI for authentication
• Uses LDAP for authorization
• Web VPN provides convenient pop-up box for navigation
  • Customized with library and department pages that point to their web resources
Remote Access to the More Secure Network: Certificate AuthN and LDAP AuthZ
(diagram labels: "Less Secure" Network (Level 1), "More Secure" Network (Level 2), VPN, Firewall, LDAP AuthZ, SMTP Relay, LPR Relay)
Hospital Net VPN: PKI 2-factor Authentication with LDAP Authorization
(diagram labels: Main Campus Network, VPN Concentrators, Firewall (IN/OUT), Oracle ERP, servers S1, S2, S3 … Sn, LDAP AuthZ Servers)
Oracle Special Services (ERP): 2-factor Cert AuthN and LDAP AuthZ
(diagram labels: OSS User, Normal User, Main UVa Network, VPN Concentrators, Firewalls (IN/OUT), servers S1, S2, S3, S4 … Sn, LDAP AuthZ Servers)
Some References
• UVa Wireless LAN site: http://www.itc.virginia.edu/wireless/
• UVa PKI Site: http://www.itc.virginia.edu/desktop/pki/
• UVa VPN Sites: http://www.itc.virginia.edu/desktop/vpn and http://www.itc.virginia.edu/vpn/webvpn
• HEPKI-TAG PKI-Lite: http://middleware.internet2.edu/hepki-tag/