Www.swan.ac.uk/lis. Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan.

Slides:

Advertisements

Similar presentations

RadSec – A better RADIUS protocol

Advertisements

Web Visualization Technology Horner APG Ver 1.0.

Meraki Mobile Device Management

Ellucian Mobile: Don’t text and drive, kids!

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Swansea: When eduroam doesn't fit By Gareth Ayres Gregynog Colloquium Conf 2011.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

On the Feasibility of Large-Scale Infections of iOS Devices

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 MSE MSAP Functional Specifications Presenter Name: Patrick Nicholson.

SSL From Your Smartphone Support for Android Smartphones /

APACHE SERVER By Innovationframes.com »

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -

Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.

CONNECTION SETTINGS FOR USE WITH THE MOTION COMPUTING MODEL-F5 TABLET COMPUTER AKA: SIMON October 8, 2011 (And other useful information.)

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Presentation By Deepak Katta

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Cosc 5/4730 Sign, convert, and install Android files on Blackberry Playbook.

Basic Network Training. Cable/DSL Modem The modem is the first link in the chain It is usually provided by the ISP and often has a coax cable connector.

Your storage on the ground; Your files in the cloud.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Troubleshooting Your Network Networking for Home and Small Businesses.

Configuring Routing and Remote Access(RRAS) and Wireless Networking

Supporting BYOD Dennis Cromwell Supporting BYOD  CISCO Study – 15B devices capable of connecting to a network by 2015  The Consumerization.

Home Control Protocol for Smart Devices Hojin Park WG!-N1505.

CIS 375—Web App Dev II Microsoft’s.NET. 2 Introduction to.NET Steve Ballmer (January 2000): Steve Ballmer "Delivering an Internet-based platform of Next.

Eduroam Louis Twomey HEAnet Library Services Day 20 th November 2014.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

draft-kwatsen-netconf-zerotouch-01

Honeypot and Intrusion Detection System

Troubleshooting Windows Vista Security Chapter 4.

Michal Procházka, Jan Oppolzer CESNET.

Secure Credential Manager Claes Nilsson - Sony Ericsson

ISmart for iDevices Apple iPad/iPhone/iPod By Tamara Ottum, MxCC Librarian Updated by Sandra Couture, MxCC Ed Tech Specialist.

Wireless Authentication & 802.1X By Gareth Ayres.

Downloading and Installing Autodesk Inventor Professional 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

District 211 Technology iPad Setup Instructions. Turn power on & Start Setup Hold down the power button to turn on your iPad. The power button is located.

Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.

IPSOS / Vodafone / Novartis Kenya 17 December 2014.

Automated Certificate Management ACME + Let’s Encrypt Richard

Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS First look at the Mobile Framework Ivan Deloose,

Wireless and Mobile Security

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.

VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.

Networks ∙ Services ∙ People Tomasz Wolniewicz TNC15, Porto Supporting user privacy, security and ease of use in eduroam June 2015 PSNC &

SENSE Secure Enterprise Networks – Simple & Easy Stefan Winter.

Deploying Eduroam at Swansea University By Gareth Ayres RSC Wales Technical Conf 2011.

BYOD Technical workshop Simon Bright - E2BN Philip Pearce – E2BN.

Remote Access Using a Netgear DG834 Router 1http://

Website Update and Use of Official accounts Dr.Lasantha Ranwala ( MBBS,MSc-Biomedical Informatics) Medical Officer - Health Informatics RDHS Office.

Maryknoll Wireless Network Access Steps for Windows 7 As of Aug 20, 2012.

Crowd-Sourcing Wi-Fi Coverage Data to build Self- Mapping Radio Maps TNC2013 Gareth Ayres (Speaker) Jason Jones 2013.

Windows Vista Configuration MCTS : Internet Explorer 7.0.

OneDrive for Home. Office 365 and OneDrive: Services available to staff for home use.

Short Customer Presentation September The Company  Storgrid delivers a secure software platform for creating secure file sync and sharing solutions.

Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,

1 E-Site - FTP Services Setup / install guide. 2 About FTP services can run on any desired port(s) Runs as a windows service Works for all sites installed.

/Reimage-Repair-Tool/ /u/6/b/ /channel/UCo47kkB-idAA-IMJSp0p7tQ /alexwaston14/reimage-system-repair/

Wireless Updates and Solutions: Eduroam, XpressConnect, and NDSU Limited Richard Frovarp Senior Software Engineer Enterprise Computing & Infrastructure.

How to root Android Phone and Tablet for free and safe.

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

ETS Inside Product Launch

eduroam Managed IdP - Roadmap

JRA3-T4 eduroam development - plan Stefan Winter Task Leader JRA3-T4

How to have an Espresso Espresso User Guide.

Setting Up Chatter on Mobile devices

DHCP, DNS, Client Connection, Assignment 1 1.3

Presentation transcript:

Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan Winter, RESTENA TNC 2015

About the Authors Gareth Ayres (me) Wireless Network Officer, Swansea University PhD Student (part-time) Author of SU1X, eduroamCAT Android App Stefan Winter RESTENA SENSE R&D Lead

Introduction – Key Terms I know I don’t need this slide here, but just in case… eduroam – (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. Wi-Fi – Wireless LAN based on any standard Supplicant– Software on a device that authenticates to a 802.1x network EAP - Extensible Authentication Protocol – Framework for auth

The Onboarding Problem 802.1X networks very successfull eduroam is a great example of this Requirements on connected devices: 1.Supplicant Configuration 2.Certificate(s) 3.Credentials (private key or user/pass)

The Onboarding Problem If fully configured, then devices are secure. BUT can connect without a fully configured supplicant! 1.Supplicant Configuration –Server Name checks not mandatory 2.Certificate(s) –CA Cert not mandatory MITM attacks possible without these settings

The Onboarding Problem Managed devices typically OK, as provisioned correctly. BYOD not so good: 1.Burden on users to fully configure supplicant 2.Complicated for users 3.Some devices don’t even make it possible via GUI

The Onboarding Problem Supplicant configuration tools fixing this: 1.CAT (Configuration Assistant Tool) FREE 2.CloudPath XpressConnect $$$ 3.SecureW2 $$$ 4.Apple MobileConfig files FREE 5.SU1X Free

eduroamCAT for Android eduroam CAT: Configuration Assistance Tool Users can download customised configuration tools Contains IdP’s setting, certificates etc Problem: Android Play Store Delivery model Custom apps can not run on Android by default Forced to use Play Store, but don’t want thousands of similar apps One eduroam CAT app needed, that can be customised for each IdP

App Delivery Model Solution Solution: EAPConfig files Standard way of passing EAP configuration details around XML format can be detected by the app, which digests it. IETF Internet Draft, proposed by SENSE EAP-Config Contains: –IdP information –Authentication Methods (Certificates etc) –Helpdesk / Support Information

Example EAPConfig = bouncer.swan.ac.uk radauth.swan.ac.uk radauth2.swan.ac.uk

Example EAPConfig 26

Example EAPConfig Swansea University Swansea You must agree to abide by the University Computer Regulations and…

Configuration Discovery Problem Creative Commons Licence 1.User needs internet access. 2.Need App for that 3.Need internet to get App 4.App needs EAPConfig 5.Need internet to get EAPConfig What comes first, the chicken (internet) or the egg (secure access)

Solution: SCAD SCAD : Supplicant Configuration Automatic Discovery 1.Assuming user has the app installed: A.Make repositories like play accessible from setup networks? B.Assume limited use of 3G/4G acceptable to get App

Solution: SCAD SCAD : Supplicant Configuration Automatic Discovery Three potential automatic discovery techniques: 1.DNS Lookup 2.Realm Lookup 3.Location Awareness

SCAD: DNS Lookup DNS Lookup Method 1.Assumption: Connected to setup network of home site 2.Local Domain Name discoverable? (Android argh) 3.Prepend SCAD to DOMAIN: scad.swansea.ac.uk\scad.eap-config

SCAD: Realm Lookup Ream Lookup Method: 1.Ask users to enter username (e.g 2.Take realm part 3.Prepend scad and perform lookup: scad.swansea.ac.uk/scad.eap-config

SCAD: Location Awareness Location Awareness Method: 1.Most BYOD devices are location aware 2.Tablets / Phones (Android) know location 3.GeoIP a possibility too (HTML5) 4.Requires a known DB of EAPConfigs to search 5.cat.eduroam.org is a great example of this

Android example with eduroamCAT Location Awareness discovery code started and in SVN But don’t want to implement too much until certain good idea? Maybe available as alpha for people to try soon? Using CAT API works well.

SCAD Security Considerations Security Considerations: 1.Malicious fake EAPConfig discovery 1.Connect users to fake networks? 2.Should be spotted by checking EAPConfig before installing it 3.Signing EAPConfig files like MobileConfigs 4.No credentials in EAP-Config? 2.Accidental discovery of wrong EAPConfig 1.Branding can help users avoid this

Future Work SCAD needed? Worth defining better? Other OS support for SCAD? Other apps? SU1X soon… Apple has MobileCOnfig which is good Because iOS does not allow WIFI API But SCAD maybe to discover MobileConfig?

End Questions? Gareth Ayres Stefan Winter