
802.1x

802.1x deployment meeting 11 April 2005. 802.1x. Agenda. Welcome and Introductions (5 mins) JFH – the 802.1x protocol (20 mins) Andy Cattell – the Odyssey client (20 mins) General discussion (to lunchtime). Introduction to 802.1x.


Presentation Transcript


  1. 802.1x deployment meeting 11 April 2005 802.1x

  2. Agenda
     • Welcome and Introductions (5 mins)
     • JFH – the 802.1x protocol (20 mins)
     • Andy Cattell – the Odyssey client (20 mins)
     • General discussion (to lunchtime)

  3. Introduction to 802.1x
     Slides pinched from Tom Rixom (Alfa-Ariss) without permission, and edited and extended by Josh Howlett (UOB)

  4. Overview
     • EAP
     • 802.1X
     • Tunnelled Authentication
     • WIFI Client in Windows
     • Configuration example
     • UOB deployment considerations
     • Questions?

  5. EAP
     • Extensible Authentication Protocol.
     • Originally defined for PPP links (i.e. dial-up), to replace PAP and CHAP.
     • It is not an authentication protocol in itself!
     • It provides mechanisms for:
       • allowing peers to negotiate which authentication protocol (or 'method' or 'type') they are going to use
       • transporting the agreed authentication protocol
       • indicating success or failure of the authentication protocol
     • EAP itself is very simple – the authentication protocols it carries vary from simple to complex!

  6. EAP Types
     • EAP-MD5 (Built-in Windows)
       • Username and challenge
     • EAP-TLS (Built-in Windows)
       • Client/server certificates (PKI)
     • EAP-MSCHAPV2 (Built-in Windows)
       • Windows credentials
     • EAP-OTP
       • One time passwords
     • EAP-GTC
       • Generic Token Cards
     • Lots more!

  7. EAP
     • Bindings (layer diagram): EAP method (e.g. EAP-MD5); EAP; transport protocol (e.g. PPP over serial)

  8. 802.1x
     • Defines “Port Based Network Access Control”
     • Authenticated switch-port or wireless access point
     • Uses EAP for authentication
     • Jargon: 'Supplicant' = laptop/PC/printer/etc; 'Authenticator' = switch/AP; 'Authentication Server' = RADIUS server.
     • Enables authentication and VLAN allocation based on user credentials

  9. EAP over LAN & RADIUS
     • 802.1x requires EAP transported over two protocols
       • EAP over LAN (EAPOL): between supplicant and authenticator (within Ethernet frames)
       • EAP over RADIUS: between authenticator and authentication server (within UDP/IP packets)

  10. EAP over LAN and RADIUS
      • Bindings (layer diagram): EAP method; EAP; (W)LAN; RADIUS; UDP/IP
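
Slides 9 and 10 as code, added here as an illustration and not part of the original presentation: the authenticator takes the EAP packet out of an EAPOL frame and re-wraps it in a RADIUS Access-Request, using EAP-Message attributes plus the Message-Authenticator that RFC 3579 requires. The function names, the sample frame, the identity and the shared secret are constructed for this example.

```python
import hashlib, hmac, os, struct

def parse_eapol(frame: bytes) -> dict:
    """Authenticator's view: pull the EAP packet out of an EAPOL Ethernet frame."""
    if len(frame) < 22 or frame[12:14] != b"\x88\x8e":      # EtherType for EAPOL
        raise ValueError("not an EAPOL frame carrying EAP")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    code, ident, eap_len = struct.unpack("!BBH", frame[18:22])
    if ptype != 0 or not 4 <= eap_len <= body_len or 18 + eap_len > len(frame):
        raise ValueError("not a well-formed EAP-Packet")
    eap = frame[18:18 + eap_len]                             # ignores Ethernet padding
    has_type = code in (1, 2) and eap_len > 4                # Request/Response carry a Type
    return {"version": version, "code": code, "id": ident, "eap": eap,
            "type": eap[4] if has_type else None,
            "data": eap[5:] if has_type else b""}

def build_access_request(eap: bytes, user: bytes, secret: bytes, pkt_id: int = 1) -> bytes:
    """Wrap the EAP packet, unchanged, in a RADIUS Access-Request (code 1)."""
    attrs = bytes([1, 2 + len(user)]) + user                 # User-Name (1)
    for i in range(0, len(eap), 253):                        # EAP-Message (79), 253 octets max
        chunk = eap[i:i + 253]
        attrs += bytes([79, 2 + len(chunk)]) + chunk
    attrs += bytes([80, 18]) + bytes(16)                     # Message-Authenticator (80), zeroed
    head = struct.pack("!BBH", 1, pkt_id, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

def radius_attrs(pkt: bytes):
    """Yield (type, offset, value) for each attribute after the 20-octet header."""
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:
        yield pkt[pos], pos, pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 with the field zeroed; reject if absent."""
    for atype, pos, value in radius_attrs(pkt):
        if atype == 80 and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            good = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(good, value)
    return False

# Constructed sample: EAP-Response/Identity sent to the PAE group address.
IDENTITY = b"alice@example.org"
EAP = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
FRAME = (bytes.fromhex("0180c2000003" "020000000001" "888e")
         + struct.pack("!BBH", 1, 0, len(EAP)) + EAP)
```

Parsing `FRAME` returns the identity string as plain bytes, since neither the EAPOL hop nor the RADIUS hop encrypts it; the shared secret only authenticates the RADIUS packet.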

  11. Tunnelled Authentication
      • EAPOL messages are not encrypted.
      • Not acceptable in broadcast wireless environments!
      • Development of secure 'tunnelled' EAP methods.
      • These establish a secure TLS tunnel, bound to EAP, between the supplicant and the authentication server.
      • Credentials are transported securely through the tunnel; this is the 'inner authentication'.

  12. Tunnelled Authentication
      • Uses TLS tunnel to protect data
      • The client MAY use the server's root CA certificate OR a user certificate to authenticate the server. This is not mandatory, but use of certificates allows authentication of the auth server.
      • Tunnelled methods also generate session keys for encryption of the link between client and switch/AP.

  13. EAPOL Key

  14. Tunnelled authentication
      • Bindings (layer diagram): EAPOL keys; inner authentication; tunnelled EAP method; EAP; EAPOL keys; (W)LAN; RADIUS; UDP/IP

  15. Tunnelled methods
      • PEAP
        • Protected EAP
        • An inner EAP exchange is transported within the TLS tunnel.
        • Advocated by Microsoft and Cisco.
      • TTLS
        • Tunnelled Transport Layer Security
        • An inner DIAMETER exchange is tunnelled within the TLS tunnel.
        • Advocated by Funk.
      • Both quite similar, TTLS perhaps better designed.

  16. Tunnelled methods
      • Bindings (layer diagram): EAPOL keys; EAP-MSCHAP, EAP-XXX over EAP inside PEAP; PAP, CHAP, MSCHAP, etc. over Diameter inside TTLS; EAP; EAPOL keys; (W)LAN; RADIUS; UDP/IP

  17. Security model
      • Diagram labels: CA root certificate; CA server certificate; inner authentication; password; tunnelled EAP method; RADIUS; LDAP, NTLM, SQL, etc.; EAP; (W)LAN; RADIUS; UDP/IP; IP; keys; shared secret
      • Roles shown: Supplicant; Authenticator; EAP server; Authn server (the EAP server and authn server can be distinct servers, or one)

  18. 802.11 Ciphers
      • Ciphers encrypt data “on the wire” between the supplicant and the access point.
      • A key is a big random number known only by supplicant and authenticator.
      • Keys may be:
        • Shared: pre-configured on authenticator and supplicant
        • Dynamic: sent by the authentication server to supplicant and authenticator
      • Client and WAP must use the same cipher; if not, 802.1x authentication may succeed, but forwarded data will be garbled.

  19. 802.11 Ciphers
      • WEP
        • The much maligned 802.11b cipher sub-system
        • Uses RC4, a common stream cipher
        • Employs either 64 or 128 bit keys
      • Problems
        • Required shared keys originally → management & security issues
        • Shared keys also prone to dictionary attack
        • WEP is fundamentally broken: the key can be recovered if sufficient data is collected (part of the encrypted frame is predictable)

  20. 802.11 Ciphers
      • Fixing WEP
        • 802.11i was intended by IEEE to replace WEP, but was taking too long for the “WiFi alliance” (a vendor association)
        • Wifi Alliance implement a subset of 802.11i called “WPA” (May 2003)
          • 802.1x EAPOL dynamic key distribution
          • TKIP: automatic re-keying
          • Broadcast key rotation
        • Adding to confusion, some vendors have selected other subsets.
        • 802.11i finally ratified in June 2004; “WPA2” is the Wifi Alliance’s implementation.
          • Many improvements; notably the replacement of RC4 with AES

  21. 802.1X WIFI Scenario
      • The WIFI Client (or 'supplicant' in 802.1x jargon) associates with the Access Point.
      • The Access Point requires 802.1X and sets the Client's “port” to the “Unauthenticated” state.
      • The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client.
      • The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication.
      • After successful authentication the EAP RADIUS Server and Client generate the link encryption keys (based on the TLS tunnel).
      • The RADIUS Server sends the keys (with the Access Accept) to the Access Point.
      • The Access Point sets the Client's “port” to the “Authenticated” state, allowing the client to communicate with the Intranet.
      • The Access Point then uses the keys to encode a WEP key in an EAPOL key message.
      • The Access Point sends the EAPOL key to the Client.
      • The Client decodes the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key.
      • WIFI Client takes over to set up the rest of the connection (DHCP, etc).
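
The last three key-handling steps of slide 21, as an added example that is not from the original slides: the access point wraps a WEP key in an EAPOL-Key frame (the 802.1X-2001 RC4 key descriptor) and the client checks the signature and replay counter before decrypting it. Function names and all key values are constructed; `encr_key` and `sign_key` stand for the two MPPE keys both ends derived from the TLS tunnel.

```python
import hashlib, hmac, os, struct

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR, the cipher used by the RC4 key descriptor."""
    s, j = list(range(256)), 0
    for i in range(256):                                     # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_eapol_key(wep_key, encr_key, sign_key, replay, index=0x80):
    """Access point: encrypt the WEP key, then sign the whole EAPOL frame."""
    iv = os.urandom(16)                                      # fresh Key IV per message
    body = (struct.pack("!BHQ", 1, len(wep_key), replay) + iv
            + bytes([index]) + bytes(16) + rc4(iv + encr_key, wep_key))
    frame = struct.pack("!BBH", 1, 3, len(body)) + body      # EAPOL type 3 = Key
    sig = hmac.new(sign_key, frame, hashlib.md5).digest()    # signature field zeroed
    return frame[:32] + sig + frame[48:]

def open_eapol_key(frame, encr_key, sign_key, last_replay):
    """Client: verify signature and replay counter, then decrypt the WEP key."""
    if len(frame) < 48 or frame[1] != 3 or frame[4] != 1:
        raise ValueError("not an RC4 EAPOL-Key frame")
    key_len, replay = struct.unpack("!HQ", frame[5:15])
    zeroed = frame[:32] + bytes(16) + frame[48:]
    good = hmac.new(sign_key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(good, frame[32:48]):
        raise ValueError("bad key signature")
    if replay <= last_replay:
        raise ValueError("replayed EAPOL-Key")
    return rc4(frame[15:31] + encr_key, frame[48:48 + key_len])

# Constructed values: a 104-bit WEP key and two 32-byte session keys.
WEP_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
ENCR_KEY = bytes(range(32))
SIGN_KEY = bytes(range(32, 64))
```

Because the per-message IV is prepended to the session key, the same WEP key encrypts differently in every frame, and a frame altered or replayed on the air is rejected before any key is installed.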

  22. Configuration example: PEAP (Wired, Windows 2K), Step 1
      • Start Wireless Configuration service

  23. Configuration example: PEAP (Wired, Windows 2K), Step 1
      • Start Wireless Configuration service

  24. Configuration example: PEAP (Wired, Windows 2K), Step 2
      • Connection properties

  25. Configuration example: PEAP (Wired, Windows 2K), Step 2
      • Connection properties

  26. Configuration example: PEAP (Wired, Windows 2K), Step 3
      • Authentication properties

  27. Configuration example: PEAP (Wired, Windows 2K), Step 3
      • Authentication properties

  28. Configuration example: PEAP (Wired, Windows 2K), Step 4
      • PEAP properties

  29. 802.1x deployment
      • Network
        • Mainly Cisco Aironet 1200
        • Multiple broadcast SSIDs
        • Run 802.1x in parallel to existing service?
        • Switches: many may not support 802.1x!
        • WAP/Switch configuration very simple
      • DHCP
        • VLAN allocation issues

  30. 802.1x deployment
      • Authentication server
      • Currently use MS IAS 2000
      • Probably inadequate
      • EAP support requires some software updates
      • Policy implementation is weak
      • Does PEAP, but not TTLS
      • Use FreeRADIUS to terminate EAP, with NTLM authentication to domain controllers?

  31. 802.1x deployment
      • EAP type
        • One of PEAP/TTLS or both?
        • If only one, which?
      • Some considerations
        • Only PEAP with MS-CHAP is built into Windows natively
        • TTLS perhaps the better protocol; it would allow PAP inner authentication
        • SecureW2 open source (ex-commercial) TTLS client for Windows
        • MacOS X Panther and Linux support both TTLS and PEAP

  32. Questions?
