360 likes | 1.39k Views
802.1X in Windows Tom Rixom Alfa & Ariss Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows (WZC) Configuration examples Questions? 802.1X/EAP Port Based Network Access Control Authenticated/Unauthenticated Port
E N D
802.1X in Windows Tom Rixom Alfa & Ariss
Overview • 802.1X/EAP • 802.1X in Windows • Tunneled Authentication • Certificates in Windows • WIFI Client in Windows (WZC) • Configuration examples • Questions?
802.1X/EAP • Port Based Network Access Control • Authenticated/Unauthenticated Port • Supplicant/Authenticator/Authentication Server • Uses EAP (Extensible Authentication Protocol) • Allows authentication based on user credentials
802.1X Client • 802.1X Protocol Driver (EAPOL Driver) • Handles all EAPOL communication • Extracts EAP messages from EAPOL which can be read by applications • Inserts EAP messages into EAPOL that applications wish to send • 802.1X Client Application • Uses Driver to send and receive EAP messages • Handles EAP messages accordingly
802.1X Client in Windows • Implements 802.1X Driver (NDIS) and Application • Uses Microsoft EAP API to handle the EAP communication • Controls user interaction (Balloon) • User/Computer context
EAP in Windows • Microsoft EAP API • An EAP Module is “Microsoft DLL” that implements Microsoft EAP API • 802.1X Client calls modules using EAP API to handle authentication • Other example is the Microsoft VPN Client
EAP Modules • EAP-MD5 (Built-in) • Username/password • EAP-TLS (Built-in) • Client/server certificates (PKI) • EAP-MSCHAPV2 (Built-in) • Username/password (Windows credentials) • Protected EAP (PEAP) (Built-in) • Server certificate • Tunneled EAP Authentication • EAP-MD5,EAP-MSCHAPV2, EAP-… • EAP-TTLS • Server certificate • Tunneled Diameter Authentication • Diameter (PAP/CHAP/…), EAP
Tunneled Authentication (TTLS/PEAP) • Uses TLS tunnel to protect data • The TLS tunnel is established using the Server certificate automatically authenticating the server and preventing man-in-the-middle attacks • Allows use of dynamic session keys for line encryption
PEAP? • PEAP • Version 1, 2 • Supported by Cisco, Apple OS X Panther • http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt • Microsoft PEAP (Windows XP SP1) • Version 0 • No headers • Implemented by Microsoft PEAP module • http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt
Certificates in Windows • PEAP (Built-in) and SecureW2 use the windows certificate trust • Certificate (Chain) of Authentication server must be installed on local computer • Certificate stores: • User • Each user has own user store in which the user can install certificates and build certificate trusts • Certificates visible only to the store owner (User) • System • Only Administrators and system applications can install certificates in system store • Certificates can be used by all applications and users
WIFI Client in WindowsWireless Zero Config (WZC) • Generic interface for configuring wireless connections • Compatibility • Wireless Ethernet Driver must be compatible with WZC to enable 802.1X • Windows XP • WPA • Windows Mobile Pocket PC 2003 • Windows 2000 requires 3rd Party WIFI Client
802.1X WIFI Scenario • The WIFI Client associates with the Access Point (SSID) • The Access Point requires 802.1X and sets the Clients “port” to the “Unauthenticated” state. • The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client • The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication • After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel) • The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point • The Access Point sets the Clients “port” to the “Authenticated state” allowing the client to communicate with the Intranet • The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL key message • The Access Point sends the EAPOL key to the Client • The Client decodes the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key • WIFI Client takes over to setup rest of the connection (DHCP)
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1 • Connection properties
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1 • Connection properties
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2 • Wireless Networks
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2 • Wireless Networks
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3 • Wireless Networks properties
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3 • Wireless Networks properties
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4 • Wireless Networks properties (Authentication)
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4 • Wireless Networks properties (Authentication)
Configuration example #1EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 5 • SecureW2 properties
Configuration example #2PEAP (Wired, Windows 2K) Step 1 • Start Wireless Configuration service
Configuration example #2PEAP (Wired, Windows 2K) Step 1 • Start Wireless Configuration service
Configuration example #2PEAP (Wired, Windows 2K) Step 2 • Connection properties
Configuration example #2PEAP (Wired, Windows 2K) Step 2 • Connection properties
Configuration example #2PEAP (Wired, Windows 2K) Step 3 • Authentication properties
Configuration example #2PEAP (Wired, Windows 2K) Step 3 • Authentication properties
Configuration example #2PEAP (Wired, Windows 2K) Step 4 • PEAP properties
Configuration example #2PEAP (Wired, Windows 2K) Step 4 • Configure 3rd Party WIFI Client • Some client support dynamic WEP keys • Other clients not supporting dynamic WEP keys can be tricked: “Fake WEP Key”
Questions? • …