Doc.: IEEE 802.11-01/251 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Secure Roaming IEEE 802.11 TgF Bernard Aboba Tim Moore Microsoft.


Slide 1: Secure Roaming, IEEE 802.11 TgF. Bernard Aboba and Tim Moore, Microsoft.

Slide 2: Goals
- Describe the security context transfer model
- Describe the implications for TgF

Slide 3: A Model for Security Context Transfer

Model for security context establishment
- The AP receives the result (Accept/Reject) plus authorizations from the backend authentication server and implements the requested service
- The AP issues accounting records identified by Session-Id and Multi-Session-Id

Requirement for security context transfer
- Achieve the same result as if the new AP had run the authentication against the backend authentication server itself

Assumptions
- The backend authentication server would send the same result and authorizations to the new AP as it sent to the old AP
- If so, forwarding the result and authorizations from the old AP to the new AP satisfies the requirement

When the assumptions are invalidated
- When the backend authentication server does conditional evaluation based on NAS-IP-Address, NAS-Port-Type, NAS-Identifier, Vendor-Id or User-Name; the result is typically vendor-specific, link-type-specific or domain-specific attributes
- When access points differ substantially in the services they support: the context of a service the new AP does not support cannot be transferred

Slide 4: Defining Security Context
- Context is the definition of the service to be provided to the user
- How do we define services today?
  - IETF standards: RADIUS, COPS, LDAP
  - Standards in development: DIAMETER
- Model for security context transfer
  - Transport the Accept message from the old AP to the new AP
  - No need to transfer a Reject message: just say no!
  - The new AP processes the transferred context as though it were receiving a message from the backend authentication server
  - Multiple definitions of security context can be supported, one for each backend authentication protocol

Slide 5: Implications of the Context Transfer Model
- Context blob types
  - A security context blob sub-type is needed for each supported backend authentication protocol
- Security
  - Context blobs can contain security information (keys)
  - Either the individual sub-elements or the entire context transfer message must be encrypted
  - RADIUS guidelines: AVPs are encrypted with the RADIUS shared secret; if there is no shared secret and IPsec ESP with a non-null transform is used, a null shared secret is assumed
- Mandatory vs. non-mandatory security context blobs
  - Multiple security context blobs can be included in one context transfer
  - If a context blob type (protocol) is not supported by the new AP, it is ignored
  - Context transfer can (partially) succeed if only one blob is supported and accepted by the new AP; blobs that are understood but cannot be accepted may need to be acquired from a backend server
- Mandatory vs. non-mandatory elements and sub-elements
  - If a context blob type is supported but describes a service that is unavailable on the new AP, context transfer fails: the assumptions underlying context transfer are invalidated, and the new AP authenticates the station to the backend authentication server

Slide 6: Proposal for a Security Context Blob Element

TgF element format:
  Element Identifier (2 octets) | Length | Information

Security sub-element (carried in the Information field of the TgF element):
  OUI (3 octets) | Type (1 octet) | Information

- Element identifier for security: TBD
- OUI = 0 for standardized sub-elements, otherwise vendor-specific
- Type = TBD for RADIUS and for DIAMETER (assigned by TGi)
- Elements and Types that are not understood may be ignored
- If a Type is supported, the mandatory AVPs within it must be understood
- The Information field encodes RADIUS/DIAMETER AVPs (including vendor-specific ones)
- AVPs of one or both protocols can be encoded if necessary (there can be more than one security element)
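The element layout of slide 6 and the acceptance rules of slides 3 to 5 (ignore unknown elements and Types, require the mandatory AVPs of a supported Type, fall back to backend authentication when a supported blob describes a service the new AP cannot provide) combined into one runnable encoder and new-AP decision routine. This is an added example, not code from the submission. Because the proposal leaves them TBD, the security Element Identifier (0x00FF), the RADIUS and DIAMETER Type numbers (1 and 2), a 2-octet Length field, the set of mandatory AVPs and the mapping from AVPs to AP services are assumptions of this example; the sample Access-Accept AVPs are constructed.

```python
"""Added example: TgF security context element (slide 6) plus the new-AP
acceptance rules of slides 3 to 5. Placeholders marked "assumed" are TBD in
the proposal. AVPs use the RFC 2865 Type/Length/Value layout; attribute
numbers are from RFC 2865 and RFC 2868.
"""
import struct

SECURITY_ELEMENT_ID = 0x00FF          # assumed placeholder: TBD on the slide
TYPE_RADIUS, TYPE_DIAMETER = 1, 2     # assumed placeholders: TBD, assigned by TGi

USER_NAME, SERVICE_TYPE, FILTER_ID, SESSION_TIMEOUT = 1, 6, 11, 27
ACCT_AUTHENTIC, ACCT_MULTI_SESSION_ID = 45, 50
TUNNEL_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 81
TUNNEL_TYPE_VLAN = 13

# Assumed: AVPs the new AP must understand, and AVPs that describe a service
# the new AP must actually be able to provide (slide 5).
MANDATORY_RADIUS_AVPS = frozenset({USER_NAME, SERVICE_TYPE})
SERVICE_AVPS = {FILTER_ID: "packet-filter", TUNNEL_TYPE: "vlan"}


def encode_avps(avps):
    """RFC 2865 TLV: Type (1 octet), Length (1 octet, header included), Value."""
    out = bytearray()
    for attr, value in avps:
        if len(value) > 253:
            raise ValueError("AVP value too long")
        out += bytes([attr, len(value) + 2]) + value
    return bytes(out)


def decode_avps(data):
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("malformed AVP")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP")
        avps.append((data[i], data[i + 2:i + length]))
        i += length
    return avps


def security_subelement(oui, sub_type, avps):
    """OUI (3 octets) | Type (1 octet) | Information (AVPs)."""
    return oui.to_bytes(3, "big") + bytes([sub_type]) + encode_avps(avps)


def tgf_element(element_id, information):
    """Element Identifier (2 octets) | Length (2 octets, assumed) | Information."""
    return struct.pack("!HH", element_id, len(information)) + information


def parse_tgf_elements(blob):
    i = 0
    while i + 4 <= len(blob):
        element_id, length = struct.unpack_from("!HH", blob, i)
        if i + 4 + length > len(blob):
            raise ValueError("truncated TgF element")
        yield element_id, blob[i + 4:i + 4 + length]
        i += 4 + length
    if i != len(blob):
        raise ValueError("trailing bytes after last element")


def process_context_transfer(blob, ap_services, supported=frozenset({TYPE_RADIUS})):
    """New-AP side. Returns ("accepted", avps); ("reauthenticate", reason) when
    a supported blob cannot be applied here, so the new AP must go to the
    backend server; or ("none", None) when nothing in the blob was understood."""
    for element_id, info in parse_tgf_elements(blob):
        if element_id != SECURITY_ELEMENT_ID or len(info) < 4:
            continue                       # unknown element: ignore
        oui, sub_type = int.from_bytes(info[:3], "big"), info[3]
        if oui != 0 or sub_type not in supported:
            continue                       # vendor-specific or unsupported protocol: ignore
        avps = decode_avps(info[4:])
        present = {attr for attr, _ in avps}
        if not MANDATORY_RADIUS_AVPS <= present:
            return "reauthenticate", "mandatory AVPs missing"
        for attr, service in SERVICE_AVPS.items():
            if attr in present and service not in ap_services:
                return "reauthenticate", f"{service} not available on this AP"
        return "accepted", avps
    return "none", None


# Constructed sample: the Access-Accept context an old AP would forward
SAMPLE_AVPS = [
    (USER_NAME, b"alice@example.net"),
    (SERVICE_TYPE, (2).to_bytes(4, "big")),                        # Framed
    (SESSION_TIMEOUT, (3600).to_bytes(4, "big")),
    (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),  # Tag 0, VLAN
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"42"),                    # Tag 0, VLAN 42
    (ACCT_AUTHENTIC, (1).to_bytes(4, "big")),                      # RADIUS
    (ACCT_MULTI_SESSION_ID, b"sess-0001"),
]


def sample_context_block():
    """One vendor-specific sub-element (made-up OUI and Type, to be ignored)
    followed by the standardized RADIUS sub-element."""
    vendor = security_subelement(0x001122, 7, [(26, b"\x00" * 6)])
    radius = security_subelement(0, TYPE_RADIUS, SAMPLE_AVPS)
    return (tgf_element(SECURITY_ELEMENT_ID, vendor)
            + tgf_element(SECURITY_ELEMENT_ID, radius))
```

An AP that supports VLANs accepts the sample block; one that does not gets a "reauthenticate" verdict for the same bytes, which is the slide 5 case of a supported blob describing an unavailable service. An AP that only understands the assumed DIAMETER Type sees no usable element and likewise falls back to the backend server.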

Slide 7: Contents of the RADIUS Sub-element
- RADIUS usage in IEEE 802.1X
  - An appendix of the IEEE 802.1X standard includes (non-normative) guidelines for RADIUS usage
  - It defines which RADIUS AVPs make sense for use with IEEE 802.1X
- RADIUS context
  - No need to transfer the entire message, just the AVPs; the message type is assumed to be Accept
  - Relevant AVPs are those allowable with 802.1X and included in Access-Accept, plus two accounting AVPs: Acct-Authentic and Acct-Multi-Session-Id
- Issues
  - Are the Message-Authenticator and EAP-Message attributes transferred? The AP will send EAP Success regardless of what is in EAP-Message, and IEEE TgF already supports integrity protection; however, including all attributes may make processing simpler
  - How are encrypted attributes transferred? The 802.1X encrypted attributes are WEP keys and Tunnel-Password (layer 3 only). Process them as if they came from the backend authentication server. RADIUS: encrypt with the shared secret, or if IPsec ESP is available, use a null shared secret
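How an encrypted attribute survives the transfer, using Tunnel-Password (RFC 2868 section 3.5) as the slide's example: the old AP holds it encrypted under the backend shared secret and the Request Authenticator of its own Access-Request, and for the move it decrypts and re-encrypts under the inter-AP shared secret so the new AP can process it as if it came from the backend server. This is an added example, not code from the submission. The 16-octet value that takes the Request Authenticator's place between APs (a nonce assumed to travel in the move message), the secrets and the password are assumptions; with IPsec ESP in use, the null shared secret b"" is passed instead, as the slide suggests.

```python
"""Added example: RFC 2868 Tunnel-Password encryption as used in RADIUS, and
the old AP re-wrapping the attribute for an inter-AP context transfer.
The inter-AP nonce standing in for the Request Authenticator is an assumption.
"""
import hashlib
import os

TUNNEL_PASSWORD = 69


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def new_salt():
    """Two octets; RFC 2868 requires the most significant bit to be set."""
    s = os.urandom(2)
    return bytes([s[0] | 0x80, s[1]])


def tunnel_password_encrypt(secret, authenticator, password, salt, tag=0):
    """Returns the attribute value: Tag (1) | Salt (2) | String.
    P = Data-Length | password, zero-padded to a multiple of 16 octets;
    b(1) = MD5(S + R + A), c(1) = p(1) xor b(1); b(i) = MD5(S + c(i-1))."""
    if len(authenticator) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("need a 16-octet authenticator and a salt with its MSB set")
    if len(password) > 239:
        raise ValueError("password too long for one attribute")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, b = bytearray(), _md5(secret, authenticator, salt)
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = _md5(secret, c)          # next keystream block chains on ciphertext
    return bytes([tag]) + salt + bytes(out)


def tunnel_password_decrypt(secret, authenticator, value):
    """Inverse of the above; returns (tag, password). Tunnel-Password carries
    no integrity check of its own: a wrong secret or authenticator is only
    sometimes caught by the Data-Length check, so the surrounding message
    (RADIUS authenticators, or TgF integrity protection) must cover it."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("malformed Tunnel-Password")
    tag, salt, string = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise ValueError("Salt MSB not set")
    out, b = bytearray(), _md5(secret, authenticator, salt)
    for i in range(0, len(string), 16):
        c = string[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, b))
        b = _md5(secret, c)
    if out[0] > len(out) - 1:
        raise ValueError("bad Data-Length: wrong secret or authenticator?")
    return tag, bytes(out[1:1 + out[0]])


def reencrypt_for_transfer(avps, backend_secret, request_authenticator,
                           ap_secret, transfer_nonce):
    """Old-AP side: copy the Accept AVPs into the context blob, re-wrapping
    Tunnel-Password under the inter-AP secret (b"" when IPsec ESP protects
    the transfer). transfer_nonce must be fresh per transfer: reusing it with
    the same secret and salt would repeat the first keystream block."""
    out = []
    for attr, value in avps:
        if attr == TUNNEL_PASSWORD:
            tag, pw = tunnel_password_decrypt(backend_secret, request_authenticator, value)
            value = tunnel_password_encrypt(ap_secret, transfer_nonce, pw, new_salt(), tag)
        out.append((attr, value))
    return out
```

The same construction (MD5 keystream chained on ciphertext, keyed by secret and authenticator) is what RFC 2548 uses for the MS-MPPE key attributes that carry WEP keys, so the re-wrapping step applies to those attributes as well.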

Slide 8: Reassociate and Disassociate Security
- Currently, reassociate and disassociate messages are not secured, which enables denial of service attacks
- Proposal
  - Enable passing of information elements in TgF move-request and move-confirm messages
  - Add an authenticator to reassociate and disassociate messages
  - On reassociate, the new AP validates the authenticator via a move-request to the old AP; if the authenticator is invalid, the old AP ignores the move-request
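The authenticator proposed on slide 8 and the old AP's check of it when a new AP forwards it in a move-request, as an added example that is not code from the submission. The slide names neither an algorithm nor the fields covered; this example assumes HMAC-SHA256 over (message type, STA MAC, target BSSID, replay counter) keyed with a per-station key that the STA and its current AP share after the 802.1X exchange, plus a strictly increasing counter per station. Addresses, key and context are constructed.

```python
"""Added example: authenticator for reassociate/disassociate (slide 8).
Algorithm, covered fields and per-station key are assumptions; the slide
only proposes that an authenticator exists and that the old AP validates it.
"""
import hashlib
import hmac
import struct

REASSOCIATE, DISASSOCIATE = 1, 2


def authenticator(key, msg_type, sta_mac, target_bssid, counter):
    """Binding the target BSSID stops a captured reassociate from being
    replayed toward a different AP; the counter stops replay toward the same one."""
    body = struct.pack("!B6s6sI", msg_type, sta_mac, target_bssid, counter)
    return hmac.new(key, body, hashlib.sha256).digest()


class StationRecord:
    def __init__(self, key, context):
        self.key = key
        self.context = context
        self.last_counter = 0


class AccessPoint:
    def __init__(self, bssid):
        self.bssid = bssid
        self.stations = {}

    def register(self, sta_mac, key, context):
        """Called once 802.1X has established the per-station key."""
        self.stations[sta_mac] = StationRecord(key, context)

    def _verify(self, sta_mac, msg_type, target_bssid, counter, auth):
        rec = self.stations.get(sta_mac)
        if rec is None or counter <= rec.last_counter:
            return None                                  # unknown STA or replay
        expected = authenticator(rec.key, msg_type, sta_mac, target_bssid, counter)
        if not hmac.compare_digest(expected, auth):
            return None                                  # forged: ignore
        rec.last_counter = counter
        return rec

    def handle_move_request(self, sta_mac, new_bssid, counter, auth):
        """Old AP. The new AP forwards the STA's reassociate fields; the old AP
        hands over the security context, or returns None so the move-request
        is ignored and the STA keeps its association here."""
        rec = self._verify(sta_mac, REASSOCIATE, new_bssid, counter, auth)
        if rec is None:
            return None
        del self.stations[sta_mac]
        return rec.context

    def handle_disassociate(self, sta_mac, counter, auth):
        """Current AP. A disassociate without a valid authenticator is dropped."""
        rec = self._verify(sta_mac, DISASSOCIATE, self.bssid, counter, auth)
        if rec is None:
            return False
        del self.stations[sta_mac]
        return True


# Constructed addresses and key for a stand-alone run
STA = bytes.fromhex("020000000001")
OLD_BSSID, NEW_BSSID, OTHER_BSSID = (bytes.fromhex(h) for h in
                                     ("020000000a01", "020000000a02", "020000000a03"))
KEY = bytes(range(32))


def demo():
    """Forged, redirected and replayed move-requests are ignored; the genuine one moves the context."""
    old_ap = AccessPoint(OLD_BSSID)
    old_ap.register(STA, KEY, {"vlan": 42})
    forged = old_ap.handle_move_request(STA, NEW_BSSID, 1, bytes(32))
    good = authenticator(KEY, REASSOCIATE, STA, NEW_BSSID, 1)
    redirected = old_ap.handle_move_request(STA, OTHER_BSSID, 1, good)
    moved = old_ap.handle_move_request(STA, NEW_BSSID, 1, good)
    replayed = old_ap.handle_move_request(STA, NEW_BSSID, 1, good)
    return forged, redirected, moved, replayed
```

Without the authenticator, anyone who can send a reassociate or disassociate frame with the station's MAC address tears down its session; with it, the old AP's check in the move-request path turns both into no-ops, and the counter check rejects a replay of a captured frame.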

Slide 9: Appendix. AVPs for use in the RADIUS Context Transfer Blob

Slide 10: Attribute Table

Key: 802.1X = allowed for use with IEEE 802.1X; Context = transferred between access points during roaming if available; L3 = implemented only on switches/access points with Layer 3 capabilities. An attribute marked only in the 802.1X column is allowed with 802.1X but is not transferred.

  802.1X | Context | #  | Attribute
  X      | X       | 1  | User-Name
         |         | 2  | User-Password
         |         | 3  | CHAP-Password
  X      |         | 4  | NAS-IP-Address
  X      |         | 5  | NAS-Port
  X      | X       | 6  | Service-Type
         |         | 7  | Framed-Protocol
         |         | 8  | Framed-IP-Address
         |         | 9  | Framed-IP-Netmask
  L3     | X       | 10 | Framed-Routing

Slide 11: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
  X      | X       | 11 | Filter-Id
  X      | X       | 12 | Framed-MTU
         |         | 13 | Framed-Compression
         |         | 14 | Login-IP-Host
         |         | 15 | Login-Service
         |         | 16 | Login-TCP-Port
  X      | X       | 18 | Reply-Message
         |         | 19 | Callback-Number
         |         | 20 | Callback-Id

Slide 12: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
  L3     | X       | 22 | Framed-Route
  L3     | X       | 23 | Framed-IPX-Network
  X      | X       | 24 | State
  X      | X       | 25 | Class
  X      | X       | 26 | Vendor-Specific
  X      | X       | 27 | Session-Timeout
  X      | X       | 28 | Idle-Timeout
  X      | X       | 29 | Termination-Action
  X      |         | 30 | Called-Station-Id
  X      |         | 31 | Calling-Station-Id
  X      |         | 32 | NAS-Identifier

Slide 13: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
  X      |         | 33 | Proxy-State
         |         | 34 | Login-LAT-Service
         |         | 35 | Login-LAT-Node
         |         | 36 | Login-LAT-Group
  L3     | X       | 37 | Framed-AppleTalk-Link
  L3     | X       | 38 | Framed-AppleTalk-Network
  L3     | X       | 39 | Framed-AppleTalk-Zone
  X      |         | 40 | Acct-Status-Type
  X      |         | 41 | Acct-Delay-Time
  X      |         | 42 | Acct-Input-Octets
  X      |         | 43 | Acct-Output-Octets

Slide 14: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
  X      |         | 44 | Acct-Session-Id
  X      | X       | 45 | Acct-Authentic
  X      |         | 46 | Acct-Session-Time
  X      |         | 47 | Acct-Input-Packets
  X      |         | 48 | Acct-Output-Packets
  X      |         | 49 | Acct-Terminate-Cause
  X      | X       | 50 | Acct-Multi-Session-Id
         |         | 51 | Acct-Link-Count
  X      |         | 52 | Acct-Input-Gigawords
  X      |         | 53 | Acct-Output-Gigawords
  X      |         | 55 | Event-Timestamp

Slide 15: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
         |         | 60 | CHAP-Challenge
  X      | X       | 61 | NAS-Port-Type
         |         | 62 | Port-Limit
         |         | 63 | Login-LAT-Port
  X      | X       | 64 | Tunnel-Type
  X      | X       | 65 | Tunnel-Medium-Type
  L3     | X       | 66 | Tunnel-Client-Endpoint
  L3     | X       | 67 | Tunnel-Server-Endpoint
  L3     | X       | 68 | Acct-Tunnel-Connection
  L3     | X       | 69 | Tunnel-Password
         |         | 70 | ARAP-Password
         |         | 71 | ARAP-Features

Slide 16: Attribute Table (cont'd)

  802.1X | Context | #  | Attribute
         |         | 72 | ARAP-Zone-Access
         |         | 73 | ARAP-Security
         |         | 74 | ARAP-Security-Data
         |         | 75 | Password-Retry
         |         | 76 | Prompt
  X      |         | 77 | Connect-Info
  X      |         | 78 | Configuration-Token
  X      |         | 79 | EAP-Message
  X      |         | 80 | Message-Authenticator
  X      | X       | 81 | Tunnel-Private-Group-ID
  L3     | X       | 82 | Tunnel-Assignment-ID
  X      | X       | 83 | Tunnel-Preference

Slide 17: Attribute Table (cont'd)

  802.1X | Context | #   | Attribute
         |         | 84  | ARAP-Challenge-Response
  X      |         | 85  | Acct-Interim-Interval
  X      |         | 86  | Acct-Tunnel-Packets-Lost
  X      |         | 87  | NAS-Port-Id
         |         | 88  | Framed-Pool
  L3     | X       | 90  | Tunnel-Client-Auth-ID
  L3     | X       | 91  | Tunnel-Server-Auth-ID
  X      |         | TBD | NAS-IPv6-Address
         |         | TBD | Framed-Interface-Id
  L3     | X       | TBD | Framed-IPv6-Prefix
         |         | TBD | Login-IPv6-Host
  L3     | X       | TBD | Framed-IPv6-Route