– Chapter 5 (B) – Using IEEE 802.1x

Chapter 5 (B) – Using IEEE 802.1x

Purpose:
- port authentication
- access control

An IEEE standard: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
Used in both wired and wireless networks.
Example: used in 802.11i as the new security mechanism of IEEE 802.11 (aka WLAN), replacing the original, insecure WEP.
See http://sce.uhcl.edu/yang/research/WLAN%20security.doc for further discussion.

Network Security

IEEE 802.1x Standard

Primary goal: to allow controlled access to the LAN environment
- Authentication of Layer 2 devices
- Before a device is allowed to connect to the physical or logical port of a switch or a wireless access point, it first needs to be authenticated and authorized.

Example uses: Ethernet, Token Ring, 802.11 WLAN
Additional resource: http://www.networkdictionary.com/protocols/8021x.php

802.1x Entities

- Supplicant: requests to connect to a LAN
- Authenticator: responsible for initiating the authentication process; acts as a relay between the authentication server and the supplicant (EAPOL toward the supplicant, typically RADIUS toward the server)
- Authentication server: responsible for doing the actual authentication & authorization

802.1x entities (figure)

Port access entity (PAE)

From section 6.2 of the IEEE 802.1x standard (http://standards.ieee.org/getieee802/download/802.1X-2001.pdf):

The Port Access Entity (PAE) operates the algorithms and protocols associated with the authentication mechanisms for a given Port of the System.

In the Supplicant role, the PAE is responsible for responding to requests from an Authenticator for information that will establish its credentials. The PAE that performs the Supplicant role in an authentication exchange is known as the Supplicant PAE.

In the Authenticator role, the PAE is responsible for communication with the Supplicant, and for submitting the information received from the Supplicant to a suitable Authentication Server in order for the credentials to be checked and for the consequent authorization state to be determined. The PAE that performs the Authenticator role in an authentication exchange is known as the Authenticator PAE. The Authenticator PAE controls the authorized/unauthorized state of its controlled Port (see 6.3) depending on the outcome of the authentication process.

Controlled and uncontrolled access

The operation of Port-based access control has the effect of creating two distinct points of access to the Authenticator System's point of attachment to the LAN. The uncontrolled and controlled Ports are considered to be part of the same point of attachment to the LAN; any frame received on the physical Port is made available at both the controlled and uncontrolled Ports, subject to the authorization state associated with the controlled Port.

In other words: the uncontrolled Port is used by the PAE to exchange EAPOL frames regardless of the authorization state, while the controlled Port passes ordinary LAN traffic only when it is in the Authorized state.
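The following is an added example for this slide (it is not code from the slides or from the IEEE standard). It models one physical Port of an Authenticator System as the pair of logical Ports described above: the uncontrolled Port, which always delivers EAPOL frames to the PAE, and the controlled Port, which forwards everything else only while the Port is Authorized. The MAC addresses, EtherTypes of the sample frames and the payload strings are constructed for the example.

```python
"""Controlled vs. uncontrolled Port on an Authenticator (IEEE 802.1X-2001, Sec. 6.3).

Added example; not code from the slides or the standard. Sample MACs and
payloads are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List

EAPOL_ETHERTYPE = 0x888E  # PAE EtherType used for EAPOL on Ethernet


class PortStatus(Enum):
    UNAUTHORIZED = "Unauthorized"
    AUTHORIZED = "Authorized"


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes = b""


@dataclass
class AuthenticatorPort:
    """One physical Port = uncontrolled Port + controlled Port."""
    status: PortStatus = PortStatus.UNAUTHORIZED
    uncontrolled_rx: List[Frame] = field(default_factory=list)
    controlled_rx: List[Frame] = field(default_factory=list)
    dropped: List[Frame] = field(default_factory=list)

    def on_auth_result(self, success: bool) -> PortStatus:
        """Verdict from the Authentication Server, relayed by the Authenticator PAE."""
        self.status = PortStatus.AUTHORIZED if success else PortStatus.UNAUTHORIZED
        return self.status

    def on_logoff(self) -> PortStatus:
        """EAPOL-Logoff from the Supplicant returns the controlled Port to Unauthorized."""
        self.status = PortStatus.UNAUTHORIZED
        return self.status

    def receive(self, frame: Frame) -> str:
        """Deliver a frame received on the physical Port; return where it went."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            # PAE protocol traffic always reaches the PAE via the uncontrolled Port.
            self.uncontrolled_rx.append(frame)
            return "uncontrolled"
        if self.status is PortStatus.AUTHORIZED:
            # Ordinary LAN traffic passes the controlled Port only once Authorized.
            self.controlled_rx.append(frame)
            return "controlled"
        # Unauthorized: the controlled Port is closed, so the frame is discarded.
        self.dropped.append(frame)
        return "dropped"


def demo() -> List[str]:
    """Walk a Supplicant through connect -> authenticate -> use the LAN -> log off.

    The model is port-based: once the Port is Authorized, any frame arriving on
    that physical Port is forwarded, whichever station sent it. A hub behind
    the port would therefore let a second station ride the authorized Port.
    """
    port = AuthenticatorPort()
    ipv4, supplicant = 0x0800, "00:11:22:33:44:55"
    outcomes = []
    outcomes.append(port.receive(Frame(supplicant, ipv4, b"DHCP Discover")))       # dropped
    outcomes.append(port.receive(Frame(supplicant, EAPOL_ETHERTYPE, b"EAPOL-Start")))  # uncontrolled
    port.on_auth_result(success=True)        # EAP Success relayed from the server
    outcomes.append(port.receive(Frame(supplicant, ipv4, b"DHCP Discover")))       # controlled
    outcomes.append(port.receive(Frame("66:77:88:99:aa:bb", ipv4, b"other host")))  # controlled too
    port.on_logoff()                         # EAPOL-Logoff
    outcomes.append(port.receive(Frame(supplicant, ipv4, b"ping")))                # dropped
    return outcomes


if __name__ == "__main__":
    for step, where in enumerate(demo(), 1):
        print(step, where)
```

Run it and the five frames land, in order, on dropped, uncontrolled, controlled, controlled, dropped. The fourth outcome is the point of the exercise: 802.1X-2001 authorizes a port, not a station, which is one reason 802.11i layers per-station keying on top of it.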

Supplicant – Authenticator – Authentication Server (figure)

802.1x communications

EAP
- Originally developed for PPP
- Allows two entities to exchange authentication data via various authentication mechanisms: one-time password, MD5-hashed username and password, etc.
- RFC 2284 PPP Extensible Authentication Protocol (EAP), L. Blunk, J. Vollbrecht, March 1998 (obsoleted)
- RFC 3748 Extensible Authentication Protocol (EAP), B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz (Ed.), June 2004 (current edition)
- RFC 3579 RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP), B. Aboba, P. Calhoun, September 2003

EAP packet format (figure reproduced from RFC 3748, June 2004, page 21; ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt)

Fields: Code (1 octet), Identifier (1 octet), Length (2 octets, covering the whole packet), Data (for Request and Response: a Type octet followed by Type-Data).

EAP

4 types of EAP packets (Code field):
- Request (1)
- Response (2)
- Success (3)
- Failure (4)

Subtypes of Request/Response messages (Type field):
- Identity: authenticator ("send your identity info") → supplicant
- Notification: authenticator ("notification/warning, etc.") → supplicant
- Nak: supplicant ("unacceptable! This is my desired authentication mechanism") → authenticator; valid only in a Response
- MD5-Challenge: authenticator (challenge) → supplicant, then supplicant (response) → authenticator

EAP

Subtypes of Request/Response messages (cont.):
- One-Time Password (OTP): the Request carries an OTP challenge as defined in RFC 2289 and the Response carries the one-time password. Each use consumes one value of a finite, decrementing sequence, so the system must be re-initialized before the sequence number reaches 0.
- EAP-TLS: allows a supplicant and an authentication server to use digital certificates to authenticate each other; a mutual authentication method.
  RFC 2716 PPP EAP TLS Authentication Protocol, B. Aboba, D. Simon, October 1999 (since obsoleted by RFC 5216, March 2008)

Using EAP in IEEE 802.1x (figure: message sequence)

Question: Is this protocol secure? Is a 'replay attack' possible?

Note: plain EAP offers no per-packet integrity or replay protection of its own; in particular the Success and Failure packets are not protected (RFC 3748), so the answer depends on the EAP method in use and on what is layered on top of it (e.g., the key handshake in 802.11i).
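To make the MD5-Challenge subtype from the previous slides and the question above concrete, here is an added example (not code from the slides) of a complete Identity / MD5-Challenge run between Supplicant, Authenticator and Authentication Server. It follows RFC 3748 Sec. 5.4, which defines the Response Value as in RFC 1994 (CHAP): MD5(Identifier || shared secret || Challenge). The Authenticator originates only the Identity Request and relays everything else (in a real deployment over RADIUS, RFC 3579). The user name, the secret, the server name string and the candidate word list are constructed for the example.

```python
"""EAP MD5-Challenge (Type 4) run, replay check, and offline dictionary guess.

Added example; not code from the slides. Names, secrets and word list are
constructed. Response Value per RFC 3748 Sec. 5.4 / RFC 1994:
    Value = MD5(Identifier || shared secret || Challenge)
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # Code field
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4                         # Type field


@dataclass
class EapMsg:
    code: int
    identifier: int
    eap_type: Optional[int] = None
    type_data: bytes = b""   # MD5-Challenge: Value-Size(1) || Value || Name


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def split_value(type_data: bytes) -> Tuple[bytes, bytes]:
    """Type-Data -> (Value, Name) using the leading Value-Size octet."""
    size = type_data[0]
    return type_data[1:1 + size], type_data[1 + size:]


class Supplicant:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name.encode(), secret

    def on_request(self, req: EapMsg) -> EapMsg:
        if req.eap_type == TYPE_IDENTITY:
            return EapMsg(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.name)
        if req.eap_type == TYPE_MD5_CHALLENGE:
            challenge, _server_name = split_value(req.type_data)
            value = md5_challenge_value(req.identifier, self.secret, challenge)
            return EapMsg(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE,
                          bytes([len(value)]) + value + self.name)
        raise ValueError("unsupported EAP Type")


class AuthServer:
    def __init__(self, users: Dict[str, bytes]):
        self.users = users                                  # name -> shared secret
        self.pending: Dict[int, Tuple[str, bytes]] = {}     # identifier -> (name, challenge)

    def on_identity(self, resp: EapMsg) -> EapMsg:
        name = resp.type_data.decode()
        challenge = os.urandom(16)     # fresh per run: this is what defeats a replayed Response
        ident = (resp.identifier + 1) & 0xFF
        self.pending[ident] = (name, challenge)
        return EapMsg(EAP_REQUEST, ident, TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge + b"auth-server")

    def on_md5_response(self, resp: EapMsg) -> EapMsg:
        name, challenge = self.pending.pop(resp.identifier, (None, None))
        if name is None or name not in self.users:
            return EapMsg(EAP_FAILURE, resp.identifier)
        value, _ = split_value(resp.type_data)
        expected = md5_challenge_value(resp.identifier, self.users[name], challenge)
        ok = hmac.compare_digest(value, expected)
        return EapMsg(EAP_SUCCESS if ok else EAP_FAILURE, resp.identifier)


def run_exchange(sup: Supplicant, srv: AuthServer,
                 replayed: Optional[EapMsg] = None) -> Tuple[EapMsg, EapMsg, EapMsg]:
    """Authenticator role. Returns (final verdict, challenge Request, Response used)."""
    id_resp = sup.on_request(EapMsg(EAP_REQUEST, 0, TYPE_IDENTITY))  # "send your identity"
    chal = srv.on_identity(id_resp)                                  # relayed to the supplicant
    resp = replayed if replayed is not None else sup.on_request(chal)
    return srv.on_md5_response(resp), chal, resp


def dictionary_attack(identifier: int, challenge: bytes, value: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess of the secret from one sniffed challenge/response pair.
    RFC 3748 Sec. 5.4 lists MD5-Challenge as not resistant to dictionary attack."""
    for word in candidates:
        if md5_challenge_value(identifier, word, challenge) == value:
            return word
    return None


if __name__ == "__main__":
    sup, srv = Supplicant("alice", b"correct horse"), AuthServer({"alice": b"correct horse"})
    verdict, chal, resp = run_exchange(sup, srv)
    print("first run:", verdict.code == EAP_SUCCESS)                       # True
    print("replayed response:", run_exchange(sup, srv, resp)[0].code)      # 4 (Failure)
    c, _ = split_value(chal.type_data)
    v, _ = split_value(resp.type_data)
    print("guessed secret:", dictionary_attack(resp.identifier, c, v, [b"password", b"correct horse"]))
```

Two things to take from the run. A recorded Response fails when replayed, because the server issued a new random Challenge; that answers the narrow replay question for the challenge itself. But the captured challenge/response pair is enough for an offline dictionary guess of the secret, and nothing in the method authenticates the server to the supplicant or protects the Success packet, which is why RFC 3748 lists MD5-Challenge with no mutual authentication, no integrity protection and no replay protection for the conversation as a whole.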

More EAP Scenarios in 802.1x (figure)

More EAP Scenarios in 802.1x (figure, cont.)

EAPOL

EAP over LANs: allows EAP packets to be encapsulated in regular LAN frames (e.g., Ethernet, Token Ring). On Ethernet the frames carry the PAE EtherType 88-8E.
Source: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

EAPOL Packet Type in IEEE 802.3

a) EAP-Packet. A value of 0000 0000 indicates that the frame carries an EAP packet.
b) EAPOL-Start. A value of 0000 0001 indicates that the frame is an EAPOL-Start frame.
c) EAPOL-Logoff. A value of 0000 0010 indicates that the frame is an explicit EAPOL-Logoff request frame.
d) EAPOL-Key. A value of 0000 0011 indicates that the frame is an EAPOL-Key frame.
e) EAPOL-Encapsulated-ASF-Alert. A value of 0000 0100 indicates that the frame carries an EAPOL-Encapsulated-ASF-Alert.

All other possible values of this field shall not be used, as they are reserved for use in potential future extensions to this protocol.
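An added example (not code from the slides or the standard) that decodes the EAPOL header described on this slide and, for Packet Type 0, the EAP packet inside it as laid out on the EAP packet-format slide. It rejects the reserved Packet Type values and any Length field that overruns the frame, which is the check a receiver needs before trusting either header. The six frames are constructed by hand, field by field, not captured from a network; the MAC addresses and the user name "alice" are made up.

```python
"""Decode EAPOL (IEEE 802.1X-2001, Sec. 7.5) and the EAP packet it carries (RFC 3748, Sec. 4).

Added example; not code from the slides or the standard. Sample frames are
constructed by hand below.
"""
import struct
from typing import Any, Dict

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time Password", 6: "Generic Token Card", 13: "EAP-TLS",
             254: "Expanded Types", 255: "Experimental"}


def parse_eap(pkt: bytes) -> Dict[str, Any]:
    """EAP header: Code(1) Identifier(1) Length(2); Request/Response add Type(1) + Type-Data."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    out: Dict[str, Any] = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
                           "identifier": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type octet")
        eap_type = pkt[4]
        out["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        out["type_data"] = pkt[5:length]
    elif length != 4:
        raise ValueError("Success/Failure carry no data (Length must be 4)")
    return out


def parse_eapol(body: bytes) -> Dict[str, Any]:
    """EAPOL: Protocol Version(1) Packet Type(1) Packet Body Length(2) Packet Body."""
    if len(body) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", body[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError("reserved EAPOL Packet Type %d" % ptype)   # "shall not be used"
    if length > len(body) - 4:
        raise ValueError("EAPOL Packet Body Length exceeds frame")
    out: Dict[str, Any] = {"version": version, "type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0:
        out["eap"] = parse_eap(body[4:4 + length])
    else:
        out["body"] = body[4:4 + length]   # EAPOL-Key etc.; not decoded here
    return out


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Ethernet II frame -> EAPOL -> EAP; anything not on the PAE EtherType is rejected."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("EtherType 0x%04x is not EAPOL" % ethertype)
    mac = lambda b: ":".join("%02x" % x for x in b)
    return {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "eapol": parse_eapol(frame[14:])}


# --- constructed sample frames, written out field by field in hex ---
PAE_GROUP = "0180c2000003"      # group address a Supplicant sends EAPOL to
SUPPLICANT = "001122334455"
AUTHENTICATOR = "aabbccddeeff"
FRAMES = {
    # EAPOL-Start: version 1, Packet Type 1, Body Length 0
    "start":     bytes.fromhex(PAE_GROUP + SUPPLICANT + "888e" + "01010000"),
    # EAP Request/Identity: EAPOL type 0, len 5; EAP Code 1, Id 1, Length 5, Type 1
    "id-req":    bytes.fromhex(SUPPLICANT + AUTHENTICATOR + "888e" + "01000005" + "0101000501"),
    # EAP Response/Identity "alice": EAP Length 4 + 1 + 5 = 10
    "id-resp":   bytes.fromhex(PAE_GROUP + SUPPLICANT + "888e" + "0100000a" + "0201000a01" + b"alice".hex()),
    # EAP Success: Code 3, Id 5, Length 4
    "success":   bytes.fromhex(SUPPLICANT + AUTHENTICATOR + "888e" + "01000004" + "03050004"),
    # Reserved EAPOL Packet Type 7: must be rejected
    "reserved":  bytes.fromhex(SUPPLICANT + AUTHENTICATOR + "888e" + "01070000"),
    # Body Length claims 10 octets but only 5 follow: must be rejected
    "truncated": bytes.fromhex(PAE_GROUP + SUPPLICANT + "888e" + "0100000a" + "0201000a01"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        try:
            print(name, parse_frame(frame))
        except ValueError as err:
            print(name, "REJECTED:", err)
```

The decoder deliberately checks the two Length fields against the bytes actually present: the EAPOL Packet Body Length and the EAP Length both come from the wire, and a receiver that trusts them blindly will read past the end of the frame.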

EAPOL-Key frame (figure)

Overall 802.1x Architecture (figure)

Summary

Next: NAT and security