
 Wi-Fi Authentication Service Pilot - GP23817 Summary  

Summary: For this limited pilot, we want to pilot using 802.1x on the Wi-Fi environment. We want to enable 802.1x for intranet access for corporate assets such as laptops with mydesktop installed.


Presentation Transcript


  1. Wi-Fi Authentication Service Pilot - GP23817 Summary

  For this limited pilot, we want to pilot using 802.1x on the Wi-Fi environment.
  • We want to enable 802.1x for intranet access for corporate assets such as laptops with mydesktop installed.
  • We want to enable 802.1x for internet only access for devices such as iPads owned by employees.
  • We want to enable 802.1x for guest internet access sponsored by an employee.
  The 802.1x supplicant for intranet access will be GIT managed AnyConnect.
  • Detail on the timeline and user base:
  1. We will build the pilot configuration in a lab - this configuration should end up being 95% correct.
  2. After reporting back to STR with the configuration, we will pilot it into production on a single floor, 401ip2 - this floor is mainly GIT personnel. There will be some detail in the configuration to work out. We will also work out any ISE-OIM integration during this phase. Expected user base - 30.
  3. Once we get a solid configuration, we will again come back to STR to roll out the configuration to 13 remote pilot sites. This will make the solution available for 1000 users.
  We will end the entire pilot program December 1st, 2013. At this point we will have all the detail worked out and be able to present to STR a go/no go for production rollout.

  Quick Index
  2 – Wi-Fi Business Case – Reviewed Prior
  3 – Current State
  4 – Pilot Design
  5 – Authentication Stack
  6 – EAP Protocol Flow
  7 – PEAP Ladder Diagram
  8–26 – Backup Slides

  2. Wi-Fi Refresh and Redesign – Business Case

  Summary – Improve performance, coverage, security and usability while reducing costs

  Risks – If we don't do this
  • No vendor support for end of life equipment
  • Half of current install base will fail Dec-2013
  • Maintain dependence on wired infrastructure
  • No reduction in hardware costs/maintenance of other infrastructure
  • Poor performance for real time data such as voice and video
  • Limited BYOD adoption in current state

  Benefits – Going with a redesign
  • New technology provides reliable and secure transport for Voice, Video and Data
  • Tenfold increase in bandwidth plus provides end to end QoS
  • Increase WLAN coverage by 50-75%
  • Enables Wi-Fi to be the primary connectivity method for Oracle offices
  • Reduces fixed office infrastructure and cost for New, Existing and M&A upgrades by up to 34% ($8M down to $5.2M example office build)
  • Meets or exceeds current security and risk profile for the service: User accountability, encryption in RF space
  • Include new authentication methods – Improved usability for all devices (laptops, bring your own device)
  • Compliance – eliminates anonymous authentication accounts – assists regulatory compliance in many countries
  • Enables increased mobility

  Risks – If we do this
  • Potential increase in all traffic (LAN/WAN)
  • Require robust authentication system
  • Increased dependence on Wi-Fi

  Costs
  • Entire system refresh and redesign - $7M global (8 quarters)
  • Offloading traffic from VPN and proxy offset some costs
  • Only replacing EOL equipment - $2.5M

  3. Current State

  Infrastructure
  • 802.11a/g based APs – limited bandwidth, interference prone
  • WAN bandwidth ranges 2-45Mb. Traffic hops through multiple intermediate sites
  • ASA VPN clusters at central sites, supporting both remote access and Wi-Fi, affect performance

  Traffic Flows
  • Traffic is switched centrally and backhauled to the VPN concentrator - this causes significant inefficiency, long latency, and bottlenecks at WLCs and VPN concentrators
  • QoS and traffic policies are limited due to encrypted traffic.

  Authentication
  • VPN concentrator authenticates against ACS 4.2, which is EoL
  • Cisco VPN client for Intranet access
  • Guest access is a shared access code, without an employee sponsor. Access is limited to the Internet. Limited audit trail is available

  Diagram labels: AP, Intranet VPN, Internet Access "clear-guest", Intranet Access "clear", Wireless LAN Controller, Access Points, Internet

  4. Pilot Design

  Use Cases
  • Employee direct access to intranet - no VPN
  • Employee access to internet – authenticated to each employee
  • Guest access to internet – sponsored by an employee

  Security Features
  • 802.1x, protected EAP, backed by Oracle Identity Manager
  • All over the air traffic is now encrypted
  • DTLS protects from "man in the middle"
  • Guest users individually sponsored
  • Real time visibility of currently connected users and approximate location

  Diagram labels: AP, AP, OIM, ISE, Wireless LAN Controller, Internet, Intranet

  5. Authentication Protocol Stack Diagram

  6. EAP — Protocol Flow

  Diagram labels: ISE (AAA-Server, Authentication Server), Access Point / Wireless Controller (Authenticator), Client (Supplicant), CAPWAP

  7. PEAP Authentication Ladder Diagram

  Example of EAP-MSCHAPv2, tunneled inside TLS, tunneled inside EAP-PEAP.
  Source: http://revolutionwifi.blogspot.com/2012/07/is-wpa2-security-broken-due-to-defcon.html

  8. Backup Slides

  9. 802.1X for 802.11 Client

  Extensible Authentication Protocol – Extensible and interoperable – Supports:
  • Different authentication methods or types
  • New encryption algorithms, including AES as a replacement for RC4

  Key Benefits:
  • Mutual authentication between client and authentication (RADIUS) server
  • Encryption keys derived after authentication
  • Centralized policy control, where session timeout triggers re-authentication and new key

  Diagram labels: Client, AP / WLC, RADIUS, RADIUS Server, User Database

  10. EAP and 802.1X Terminology

  Diagram layers: EAP Authentication types / EAP / EAP Transport
  • Supplicant: Client
  • Authenticator: Access Point / Wireless Controller, Switch, Router, Access Server, VPN Concentrator
  • Backend Authentication Server: AAA-Server, ISE, EAP-Server

  11. EAP Authentication Types

  • Tunnel-based - Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2.
  • This provides security for the inner EAP type, which may be vulnerable by itself.
  • PEAP-TLS is also available with TLS as the inner method, but client support is limited to Windows.
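The tunneled-versus-bare distinction made on slides 7 and 11 is visible in the outer EAP header of every 802.1X exchange: with PEAP the authenticator and any sniffer only ever see EAP type 25 plus a TLS record, while the inner EAP-MSCHAPv2 stays inside the tunnel. The parser below is an added example, not code from this presentation or from Cisco's products. It decodes the RFC 3748 header (Code, Identifier, Length, Type), maps the IANA method type numbers to the names used on these slides, and reports whether the method carries its credentials inside a TLS tunnel. The sample packets are constructed for the demo, and the PEAP Start-flag decoding assumes the EAP-TLS-style flags byte (L/M/S bits plus a version field).

```python
"""Parse the outer EAP packet and classify the method (added example).

Header layout (Code, Identifier, Length, Type) is RFC 3748; method type
numbers are from the IANA EAP registry. Sample packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA-registered EAP method types for the methods named on the slides.
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Legacy Nak", 4: "EAP-MD5",
    6: "EAP-GTC", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS",
    25: "EAP-PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}
TUNNELED = {21, 25, 43}        # carry an inner method inside TLS
CERT_BASED = {13}              # EAP-TLS: certificates, no inner method
PASSWORD_BASED = {4, 6, 17, 26}  # weak when used bare; fine as PEAP inner method


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    length: int
    method_type: Optional[int]  # None for Success / Failure
    type_data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError on anything malformed."""
    if len(buf) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(buf):
        raise ValueError(f"Length {length} inconsistent with {len(buf)}-byte buffer")
    if code in (3, 4):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, ident, length, buf[4], bytes(buf[5:length]))


def classify(pkt: EapPacket) -> str:
    """What the outer method tells a defender about credential exposure."""
    if pkt.method_type is None:
        return EAP_CODES[pkt.code].lower()
    t = pkt.method_type
    name = EAP_TYPES.get(t, f"type {t}")
    if t in TUNNELED:
        # Inner method is inside the TLS record: only ciphertext is on the air.
        return f"{name}: tunneled, inner method protected by TLS"
    if t in CERT_BASED:
        return f"{name}: certificate-based mutual authentication"
    if t in PASSWORD_BASED:
        return f"{name}: password method exposed without a tunnel (weak on its own)"
    return f"{name}: control message"


def peap_flags(pkt: EapPacket) -> Dict[str, object]:
    """Decode the PEAP/EAP-TLS flags byte: L=0x80, M=0x40, S=0x20, version=low 3 bits."""
    if pkt.method_type not in TUNNELED | CERT_BASED or not pkt.type_data:
        raise ValueError("no TLS-style flags byte in this packet")
    f = pkt.type_data[0]
    return {"length_included": bool(f & 0x80), "more_fragments": bool(f & 0x40),
            "start": bool(f & 0x20), "version": f & 0x07}


# Constructed sample frames: Identity round trip, PEAP Start, a bare
# EAP-MSCHAPv2 Challenge (what slide 11 warns against), and EAP-Success.
SAMPLE_PACKETS = {
    "identity_request": bytes.fromhex("0101000501"),
    "identity_response": bytes.fromhex("0201000a01") + b"alice",
    "peap_start": bytes.fromhex("010200061920"),
    "bare_mschapv2": bytes.fromhex("010300061a01"),
    "success": bytes.fromhex("03030004"),
}


def audit(packets: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each captured packet by name."""
    return {name: classify(parse_eap(raw)) for name, raw in packets.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PACKETS).items():
        print(f"{name:18} {verdict}")
```

Run against a real EAPOL capture, the same classification over the EAP-Response/Identity and the first method Request is enough to confirm that clients are actually negotiating PEAP rather than falling back to a bare inner method.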

  12. EAP Methods Comparison

  * Commonly just fast session reconnect
  ** PACs can be provisioned anonymously for minimal complexity.

  13. Choosing an EAP Method

  • Most clients such as Windows, Mac OSX, Apple iOS devices support EAP-TLS, PEAP (MS-CHAPv2).
  • Additional supplicants can add more EAP types (Cisco AnyConnect).
  • Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
  • ISE 1.1.1 will support supplicant/certificate provisioning via SCEP

  14. AnyConnect Network Access Manager

  Licensed without charge for use with Cisco wireless access points, wireless LAN controllers, switches, and RADIUS servers

  15. AnyConnect Specs

  General: 802.1X – Authentication Security; 802.1AE (MACsec) – Link Encryption
  Operating Systems: Windows XP – 32-bit; Windows Vista – 32-bit & 64-bit; Windows 7 – 32-bit & 64-bit; Windows Server 2003 – 32-bit
  FIPS 140-2: Windows XP – 32-bit (requires separate FIPS drivers)
  EAP Types:
  • Non Tunneled EAP Methods: EAP-TLS, EAP-MD5, EAP-MSCHAPv2, EAP-GTC, LEAP (WiFi only)
  • Tunneled EAP Methods: EAP-PEAP (EAP-MSCHAPv2, EAP-TLS, EAP-GTC), EAP-FAST (EAP-GTC, EAP-TLS, EAP-MSCHAPv2)*, EAP-TTLS (EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, MSCHAP, MSCHAPv2)

  16. AnyConnect Specs (continued)

  Encryptions: Open, Static WEP, Dynamic WEP, WPA Enterprise, WPA2 Enterprise, WPA Personal, WPA2 Personal
  Credential Policies: Never Remember, Remember Until Logout, Remember Forever, Single Sign-On
  Media: 802.3 (Ethernet), 802.11 (Wireless LAN)
  Session Resumption: PMK-ID Caching and Opportunistic Key Caching (Windows XP only); TLS Session Resumption (TLS, PEAP, TTLS, FAST); FAST Stateless Session Resumption
  Credential Types: Certificates, Username / Password, Tokens, Smartcards

  17. AnyConnect Profile Editor Certificate Trust Authority

  18. AnyConnect Profile Editor User Authentication

  19. Wireless Logical Diagram Proposed

  20. Simple View – Intranet Access

  21. Simple View – Internet Access

  22. Cisco Recommendation EAP Types

  • Non Tunneled EAP Methods: EAP-TLS, EAP-MD5, EAP-MSCHAPv2, EAP-GTC, LEAP (WiFi only)
  • Tunneled EAP Methods: EAP-PEAP (EAP-MSCHAPv2, EAP-TLS, EAP-GTC), EAP-FAST (EAP-GTC, EAP-TLS, EAP-MSCHAPv2)*, EAP-TTLS (EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, MSCHAP, MSCHAPv2)*
  * Cisco recommended methods
