  1. Strive for excellence and learning | Honesty, openness & friendliness | Accountability | Respectful and responsive | Personal development
     DeakinSecure & Friends: Wireless@Deakin
     David Rhodes, John Stevens, Dec. 2006
     Graphics from: http://www.networkmagazineindia.com/200305/cover1.shtml

  2. Wireless @ Deakin
     • Circa 2000: WEP
       • Insecure and easy to hack
     • Circa 2001: Open + PPTP VPN
       • MS-CHAPv2, RC4 (MPPE)
       • Single (central) point of failure
       • Traffic traverses WAN for local services (except for Waterfront)

  3. Wireless @ Deakin
     • 2006
     • New topology
       • Wireless Domain Services, /27 subnets
       • Wireless Management Platform
     • New security model
       • (P)EAP & LDAP (Active Directory)
     • Management
       • Dynamic radio control (WMS)
       • Tracking

  4. Wireless @ Deakin

  5. Wireless @ Deakin - VLANs

     f-d1-its-65k-00#show int vlan980
     Vlan980 is up, line protocol is up
       Hardware is EtherSVI, address is 0013.6095.1740 (bia 0013.6095.1740)
       Description: Waterfront Wireless Management 0
       Internet address is 128.184.155.29/27

     f-d2-its-sw-04#Show run int FastEthernet3/0/19
     interface FastEthernet3/0/19
      description AP f-d2-167-ap-00
      switchport trunk encapsulation dot1q
      switchport trunk native vlan 980
      switchport mode trunk

     f-d2-167-ap-00#Show run int FastEthernet0.155
     interface FastEthernet0.155
      encapsulation dot1Q 980 native

     f-d2-167-ap-00#Show run int bvi1
     interface BVI1
      ip address 128.184.155.4 255.255.255.224

  6. Wireless @ Deakin - DNS

     ; 128.184.22.domain - PTR records for 128.184.22 subnet
     ; Wireless Management Subnets /27
     ; 1st in the /27 is the primary wds
     ; 2nd in the /27 is the secondary wds
     ;
     $INCLUDE primary/Rev/128.184.16.SOA
     $INCLUDE primary/Standard/NS-entries
     ;
     1   IN PTR g-eng-sc723-ap-00.net.deakin.edu.au.
     2   IN PTR g-union-uc37-ap-00.net.deakin.edu.au.
     … cut …
     25  IN PTR g-res-he1009-ap-00.net.deakin.edu.au.
     ;
     ; 2nd /27 set
     ;
     33  IN PTR g-sci-ka4527-ap-00.net.deakin.edu.au.
     34  IN PTR g-union-ua10-ap-00.net.deakin.edu.au.
     … cut …
     38  IN PTR g-union-uc47-ap-00.net.deakin.edu.au.

  7. Wireless @ Deakin
     • Wireless building blocks – WDS
       • Wireless Domain Services (primary and secondary) allows for fast authentication and caching of credentials from RADIUS
       • Local access points authenticate back to WDS
       • Access points communicate via multicast to WDS
       • Campus based to reduce WAN traffic

  8. Wireless @ Deakin - wlccp
     • Use of two RADIUS servers for authentication per campus
     • Second RADIUS server remotely located
     • Wireless Domain Server caches successful authentication to speed up association

     All access points:
       wlccp ap username XXXX password 7 YYYYY

     WDS access points:
       aaa group server radius Infrastructure
        server 128.184.136.87 auth-port 1645 acct-port 1646
        server 139.132.1.76 auth-port 1645 acct-port 1646
       !
       wlccp authentication-server infrastructure method_Infrastructure
       wlccp wds priority 250 interface BVI1
       wlccp wnm ip address 128.184.136.41

  9. Wireless @ Deakin - show

     Registrations:
     f-d1-d3-120-ap-00>show wlccp wds ap
     HOSTNAME            MAC-ADDR        IP-ADDR         STATE
     f-d3-256-ap-00      0011.2120.0c0d  128.184.155.9   REGISTERED
     f-d2-167-ap-00      0014.a862.d94d  128.184.155.4   REGISTERED
     .. cut ..
     f-d3-102-ap-00      0011.211f.eb89  128.184.155.13  REGISTERED
     f-d1-cafe-ap-00     0011.2120.0cf6  128.184.155.2   REGISTERED
     f-d2-208-ap-00      0013.1905.e65e  128.184.155.8   REGISTERED
     f-d1-d3-120-ap-00>

     f-d1-d3-120-ap-00>show wlccp wnm status
     WNM IP Address : 128.184.136.41
     Status : SECURITY KEYS SETUP

     Client AP:
     f-d2-systems-ap-00#show wlccp ap
     WDS = 000f.349b.a62c, 128.184.155.1
     state = wlccp_ap_st_registered
     IN Authenticator = 128.184.155.1
     MN Authenticator = 128.184.155.1

  10. Wireless @ Deakin - Radios

     f-d1-d3-120-ap-00>show wlccp wds aggregator statistics
     RM Aggregator Statistics:
       Maximum Size of the Requests Received: 1518
       Requests Received Count: 2829
       .. Cut ..
       RM Reports Received Count: 152251
       Aggregate RM Reports Sent Count: 152058
       General Event Reports Received Count: 0
       Oversize AP-RM Reports Drop Count: 0

     f-d1-d3-120-ap-00#show wlccp wds statistics
     WDS Statistics for last 1w4d:
       Current AP count: 16
       Current MN count: 17
       AAA Auth Attempt count: 12516
       AAA Auth Success count: 1679
       AAA Auth Failure count: 9653
       MAC Spoofing Block count: 24
       Roaming without AAA Auth count: 5217
       Roaming with full AAA Auth count: 543
       Fast Secured Roaming count: 0
       MSC Failure count: 0
       KSC Failure count: 0
       MIC Failure count: 0
       RN Mismatch count: 0
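The WDS counters on slide 10 are the kind of thing worth polling and reviewing rather than reading once on a console: the ratio of AAA failures to attempts, the MAC spoofing block count, and the key/MIC failure counters all tell a wireless or SOC team something different. The script below is an added example (not part of the presentation, nor a Cisco or Deakin tool); it parses the slide's own `show wlccp wds statistics` output and returns findings. The 50% failure-ratio threshold is an assumption chosen for illustration, and a high failure count on a WDS is often clients retrying rather than anything hostile, so treat it as a triage prompt, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the "show wlccp wds statistics" output from slide 10, one counter per line
# (the missing space in "count:543" is kept exactly as the slide shows it).
SLIDE10_STATS = """\
WDS Statistics for last 1w4d:
Current AP count: 16
Current MN count: 17
AAA Auth Attempt count: 12516
AAA Auth Success count: 1679
AAA Auth Failure count: 9653
MAC Spoofing Block count: 24
Roaming without AAA Auth count: 5217
Roaming with full AAA Auth count:543
Fast Secured Roaming count: 0
MSC Failure count: 0
KSC Failure count: 0
MIC Failure count: 0
RN Mismatch count: 0
"""

# Counters that stay at zero on a healthy WDS; any increment deserves a look.
INTEGRITY_COUNTERS = (
    "MSC Failure count",
    "KSC Failure count",
    "MIC Failure count",
    "RN Mismatch count",
)


def parse_wds_statistics(text: str) -> Dict[str, int]:
    """Turn 'Name count: N' lines into a dict; tolerates 'count:543' with no space."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?count)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def auth_failure_ratio(stats: Dict[str, int]) -> float:
    """Share of AAA attempts that failed; 0.0 when there were no attempts."""
    attempts = stats.get("AAA Auth Attempt count", 0)
    if attempts == 0:
        return 0.0
    return stats.get("AAA Auth Failure count", 0) / attempts


def review_wds_statistics(stats: Dict[str, int],
                          max_failure_ratio: float = 0.5) -> List[Tuple[str, int]]:
    """Return (finding, value) pairs a wireless or SOC team would want to triage."""
    findings: List[Tuple[str, int]] = []
    if auth_failure_ratio(stats) > max_failure_ratio:
        findings.append(("high-aaa-failure-ratio", stats["AAA Auth Failure count"]))
    spoof_blocks = stats.get("MAC Spoofing Block count", 0)
    if spoof_blocks > 0:
        findings.append(("mac-spoofing-blocked", spoof_blocks))
    for name in INTEGRITY_COUNTERS:
        if stats.get(name, 0) > 0:
            findings.append((name, stats[name]))
    return findings


if __name__ == "__main__":
    parsed = parse_wds_statistics(SLIDE10_STATS)
    print(f"AAA failure ratio: {auth_failure_ratio(parsed):.1%}")
    for finding, value in review_wds_statistics(parsed):
        print(f"{finding}: {value}")
```

On the slide's numbers the script reports a failure ratio of about 77% (9653 of 12516 attempts) and 24 MAC spoofing blocks, with all integrity counters at zero.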

  11. Wireless @ Deakin
     • Wireless building blocks - Encryption
       • PEAP/TTLS
       • Authenticated outer tunnel via Thawte-signed server certificate for password exchange.
       • AES encryption for data exchange to the wireless point.
       • Using MS-CHAPv2.
       • Not using client certificates, but instead either:
         • Deakin username / password (AD\username or username@deakin.edu.au)
         • or Deakin AD machine credentials

  12. Wireless @ Deakin - encrypt

     dot11 ssid DeakiNet
      vlan 154
      authentication open
      guest-mode
      mbssid guest-mode
      dtim-period 75
     !
     dot11 ssid DeakinSecure
      vlan 990
      authentication open eap eap_methods
      authentication key-management wpa
      mbssid guest-mode
      dtim-period 75
     !
     dot11 ssid eduroam
      vlan 991
      authentication open eap eap_methods
      authentication key-management wpa
      mbssid guest-mode
      dtim-period 75
     !
     interface Dot11Radio0
      no ip address
      no ip route-cache
      encryption mode ciphers wep40
      encryption vlan 990 mode ciphers aes-ccm tkip
      encryption vlan 991 mode ciphers aes-ccm tkip
      broadcast-key change 10000 capability-change
      broadcast-key vlan 990 change 1800
      broadcast-key vlan 991 change 1800
      ssid DeakiNet
      ssid DeakinSecure
      ssid eduroam
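Slide 12 shows the three SSIDs with very different security postures on the same radio: DeakiNet is open with no key management on VLAN 154, while DeakinSecure and eduroam use EAP with WPA key management and allow both aes-ccm and tkip on their VLANs. The following is an added example (not from the presentation or from Cisco) of a small configuration audit that parses exactly this kind of IOS excerpt and flags the weak spots. It assumes, as a simplification of IOS behaviour, that a VLAN without its own `encryption vlan N` line inherits the radio's VLAN-less `encryption mode ciphers` statement; the weak-cipher list reflects current guidance, whereas keeping TKIP alongside AES for legacy clients was normal practice in 2006.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the dot11 configuration shown on slide 12, one IOS statement per line.
SLIDE12_CONFIG = """\
dot11 ssid DeakiNet
 vlan 154
 authentication open
 guest-mode
 mbssid guest-mode
 dtim-period 75
!
dot11 ssid DeakinSecure
 vlan 990
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
 dtim-period 75
!
dot11 ssid eduroam
 vlan 991
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
 dtim-period 75
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers wep40
 encryption vlan 990 mode ciphers aes-ccm tkip
 encryption vlan 991 mode ciphers aes-ccm tkip
 broadcast-key change 10000 capability-change
 broadcast-key vlan 990 change 1800
 broadcast-key vlan 991 change 1800
 ssid DeakiNet
 ssid DeakinSecure
 ssid eduroam
"""

# Cipher suites that no longer give confidentiality or integrity guarantees.
WEAK_CIPHERS = {"wep40", "wep128", "tkip"}


def parse_dot11_config(text: str) -> Tuple[Dict[str, dict], Dict[Optional[int], List[str]], List[str]]:
    """Return (ssid definitions, ciphers per VLAN, SSIDs bound to the radio).

    Key None in the cipher map holds the radio's VLAN-less 'encryption mode ciphers' line.
    """
    ssids: Dict[str, dict] = {}
    vlan_ciphers: Dict[Optional[int], List[str]] = {}
    radio_ssids: List[str] = []
    block: Optional[Tuple[str, str]] = None  # ("ssid", name) or ("radio", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        if line.startswith("dot11 ssid "):
            name = line.split()[2]
            ssids[name] = {"vlan": None, "auth": [], "key_mgmt": None}
            block = ("ssid", name)
            continue
        if line.startswith("interface "):
            block = ("radio", line.split()[1])
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ssid":
            entry = ssids[name]
            if line.startswith("vlan "):
                entry["vlan"] = int(line.split()[1])
            elif line.startswith("authentication key-management "):
                entry["key_mgmt"] = line.split()[2]
            elif line.startswith("authentication "):
                entry["auth"].append(line.split(None, 1)[1])
        else:
            m = re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line)
            if m:
                vlan = int(m.group(1)) if m.group(1) else None
                vlan_ciphers[vlan] = m.group(2).split()
            elif line.startswith("ssid "):
                radio_ssids.append(line.split()[1])
    return ssids, vlan_ciphers, radio_ssids


def audit_dot11_config(text: str) -> List[Tuple[str, str]]:
    """Flag SSIDs that are open or that allow a weak cipher on their VLAN."""
    ssids, vlan_ciphers, radio_ssids = parse_dot11_config(text)
    findings: List[Tuple[str, str]] = []
    for name in radio_ssids:
        ssid = ssids.get(name)
        if ssid is None:
            findings.append((name, "ssid-bound-but-not-defined"))
            continue
        uses_eap = any("eap" in method.split() for method in ssid["auth"])
        if not uses_eap and ssid["key_mgmt"] is None:
            findings.append((name, "open-no-key-management"))
        # Assumption: a VLAN with no 'encryption vlan N' line inherits the radio's
        # VLAN-less cipher statement (wep40 in the slide 12 excerpt).
        ciphers = vlan_ciphers.get(ssid["vlan"], vlan_ciphers.get(None, []))
        if ssid["key_mgmt"] is not None and not ciphers:
            findings.append((name, "key-management-without-cipher"))
        for cipher in ciphers:
            if cipher in WEAK_CIPHERS:
                findings.append((name, f"weak-cipher-{cipher}"))
    return findings


if __name__ == "__main__":
    for ssid_name, issue in audit_dot11_config(SLIDE12_CONFIG):
        print(f"{ssid_name}: {issue}")
```

Run against the slide's configuration it reports DeakiNet as open with wep40 as its only cipher, and DeakinSecure and eduroam for permitting tkip next to aes-ccm.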

  13. Wireless @ Deakin
     • Wireless building blocks - Authentication: Cisco AAA
       • TACACS+ to local console server for device management
       • RADIUS to local RADIUS server (Radiator on Comms server) for user access
       • Campus based with redundancy to nearest campus (so service can continue in case of data-centre failure)
       • Also allows both user and machine authentication
       • Two usernames exist in the Radiator password (users) file:
         • anonymous - for outer tunnel authentication
         • wdsclients - to allow the APs to authenticate with their local WDS APs.

  14. Wireless @ Deakin
     • Wireless building blocks – RADIUS
       • Radiator RADIUS Server
         • Installed on all comms hosts.
         • Midas and Funke providing RADIUS services to MDSs, PDUs, modems and VPN via SQL lookups on UMS (P or B).
         • Wireless authentication via Samba's ntlm_auth (patched on RHEL4 for machine auth) against Active Directory – local AD Domain Controller first.

  15. Wireless @ Deakin
     • Wireless building blocks – RADIUS
       • Radiator RADIUS Server
         • Config file in /etc/radiator/radius.cfg. It is made out (generated) from src: make HOST=host configure or make configure_all writes the file and restarts Radiator, which is necessary for changes to take effect.
         • Static passwords in /etc/radiator/users (made out from src)
         • Certificate in /etc/radiator/certificates (made out from src)

  16. Wireless @ Deakin
     • Wireless building blocks – RADIUS
       • Radiator RADIUS Server
         • Startup script MUST have ORACLE_HOME set. Current script in src.
         • Log files in /var/log/radius, named yyyymmdd.log, e.g. 20061212.log

  17. Wireless @ Deakin

  18. Wireless @ Deakin
     • Network Management
       • Standard templates for WDS domains
       • Max of 25 users per wireless point (concurrent)
       • Max of 25 access points per /27 subnet
       • Wireless surveys for provisioning
       • http://alkaid.net.deakin.edu.au:1741/
       • Rogue access point detection
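Slide 6 encodes the management-subnet convention in the reverse zone (first usable address in each /27 is the primary WDS, second is the secondary), and slide 18 caps each /27 at 25 access points. Both rules can be checked from the zone file itself. Below is an added example (not from the presentation) that groups PTR records by /27 and reports the WDS hosts and AP count per subnet; the zone sample is constructed in the style of slide 6 because the slide's own listing is cut, and the parent network 128.184.22.0/24 is taken from the zone's header comment.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample in the style of slide 6's reverse zone (the slide's own listing is cut).
# Offsets are host numbers within 128.184.22.0/24, which the zone comments describe as
# carved into /27 wireless management subnets.
SAMPLE_PTR_ZONE = """\
; 1st in the /27 is the primary wds, 2nd in the /27 is the secondary wds
1  IN PTR g-eng-sc723-ap-00.net.deakin.edu.au.
2  IN PTR g-union-uc37-ap-00.net.deakin.edu.au.
25 IN PTR g-res-he1009-ap-00.net.deakin.edu.au.
;
33 IN PTR g-sci-ka4527-ap-00.net.deakin.edu.au.
34 IN PTR g-union-ua10-ap-00.net.deakin.edu.au.
38 IN PTR g-union-uc47-ap-00.net.deakin.edu.au.
"""

PTR_LINE = re.compile(r"^\s*(\d+)\s+IN\s+PTR\s+(\S+)\s*$", re.IGNORECASE)


def summarise_wireless_subnets(zone_text: str, parent: str = "128.184.22.0/24",
                               new_prefix: int = 27, max_aps: int = 25) -> Dict[str, dict]:
    """Group PTR records by /27 and report WDS hosts and AP counts per subnet.

    Comment lines and $INCLUDE directives are ignored; only 'offset IN PTR name.' records count.
    """
    network = ipaddress.ip_network(parent)
    summary: Dict[str, dict] = {
        str(subnet): {"primary_wds": None, "secondary_wds": None, "ap_count": 0, "over_limit": False}
        for subnet in network.subnets(new_prefix=new_prefix)
    }
    for line in zone_text.splitlines():
        m = PTR_LINE.match(line)
        if not m:
            continue
        offset, host = int(m.group(1)), m.group(2).rstrip(".")
        addr = network.network_address + offset
        if addr not in network:
            raise ValueError(f"PTR offset {offset} lies outside {network}")
        subnet = ipaddress.ip_network(f"{addr}/{new_prefix}", strict=False)
        position = int(addr) - int(subnet.network_address)  # 1 = primary WDS, 2 = secondary
        entry = summary[str(subnet)]
        entry["ap_count"] += 1
        if position == 1:
            entry["primary_wds"] = host
        elif position == 2:
            entry["secondary_wds"] = host
    for entry in summary.values():
        entry["over_limit"] = entry["ap_count"] > max_aps
    return summary


if __name__ == "__main__":
    for subnet, info in summarise_wireless_subnets(SAMPLE_PTR_ZONE).items():
        if info["ap_count"]:
            print(subnet, info)
```

The same function raises on an offset outside the parent /24 and marks `over_limit` on any /27 whose record count exceeds the slide 18 maximum, so it doubles as a pre-commit check for the zone.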

  19. Wireless @ Deakin

  20. Wireless @ Deakin

  21. Wireless @ Deakin
     • Eduroam
       • Roaming between universities and beyond
       • RADIUS federation – national servers, with universities/organisations being federated with the national body.
       • Local Eduroam service provides wireless access with limited Internet services.

  22. Wireless @ Deakin
     • Eduroam (cont'd)
       • Local RADIUS server passes credentials via national/international Eduroam servers to the home organisation's RADIUS for authentication.
       • Uses home server certificates for outer tunnel creation.
       • No passwords are passed in plain text (unless the home organisation uses it, which is common) or capable of being logged by the visited organisation.
       • Credentials passed using standard RADIUS shared key encryption
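The routing decision behind slides 21 and 22 is made on the outer identity alone: the visited site's RADIUS server sees only `anonymous@realm` (the `anonymous` user from slide 13's Radiator users file), answers locally when the realm is its own, and otherwise forwards the request towards the national proxy, while the real username and password stay inside the TLS tunnel that terminates at the home organisation. The following is an added example (not from the presentation or from Radiator) of that realm-based routing plus the check the home server should make that the inner identity matches the realm the request was routed on. The proxy hostname is a hypothetical placeholder; the page names none.

```python
from typing import Dict, Optional, Tuple

# Realms this server answers for itself; slide 13/22 say Deakin users authenticate locally.
LOCAL_REALMS = {"deakin.edu.au"}
# Hypothetical placeholder: the page names no national proxy host.
NATIONAL_PROXY = "eduroam-national-proxy.example.invalid"
# The outer-tunnel user that the Radiator users file on slide 13 accepts.
OUTER_USER = "anonymous"


def split_realm(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when absent or empty."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower() or None


def route_outer_identity(outer_identity: str) -> Dict[str, Optional[str]]:
    """Decide what the visited site's RADIUS server does with the (cleartext) outer identity."""
    _, realm = split_realm(outer_identity)
    if realm is None:
        # Federation routing needs a realm; there is nowhere to send an unrealmed request.
        return {"decision": "reject", "target": None, "reason": "no realm in outer identity"}
    if realm in LOCAL_REALMS:
        return {"decision": "local", "target": "local-peap-handler", "reason": "home realm"}
    return {"decision": "proxy", "target": NATIONAL_PROXY,
            "reason": f"realm {realm} belongs to another federation member"}


def check_inner_identity(outer_identity: str, inner_identity: str) -> bool:
    """Home-server check: the tunnelled identity must belong to the realm used for routing."""
    _, outer_realm = split_realm(outer_identity)
    _, inner_realm = split_realm(inner_identity)
    return outer_realm is not None and inner_realm == outer_realm


def visited_site_view(outer_identity: str) -> str:
    """What ends up in the visited organisation's RADIUS log: the outer identity only."""
    user, realm = split_realm(outer_identity)
    return f"{OUTER_USER}@{realm}" if user == OUTER_USER and realm else outer_identity


if __name__ == "__main__":
    for ident in ("anonymous@deakin.edu.au", "anonymous@otheruni.edu.au", "anonymous"):
        print(ident, "->", route_outer_identity(ident))
    print(check_inner_identity("anonymous@deakin.edu.au", "jsmith@deakin.edu.au"))
```

The inner-identity check matters at the home end: without it a request routed on one realm could carry credentials for another, which defeats the point of realm-based federation routing.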

  23. Wireless @ Deakin

  24. Wireless @ Deakin - Client

  25. Wireless @ Deakin - Web
