Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Copyright Statement Copyright Robert J. Brentrup This work is the intellectual property of the author. Permission is granted for this material to.
1 Network Authentication with PKI EDUCAUSE/Dartmouth PKI Summit July 27, 2005 Jim Jokl University of Virginia.
Wireless and Switch Security NETS David Mitchell.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Network Access and 802.1X Klaas Wierenga SURFnet
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
802.1x EAP Authentication Protocols
Protected Extensible Authentication Protocol
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—8-1 Security Olga Torstensson Halmstad University.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Company LOGO WIRELESS DEPLOYMENT A successful solution to Campuswide role-based secure Wi-Fi deployment Andrea Di Fabio – Information Security Officer.
Wireless LANs A Case Study of Baylor University’s Wireless Network Copyright Bob Hartland 2002 This work is the intellectual property of the author. Permission.
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University.
802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.
Fermilab VPN Service What is a VPN ?.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.
What about 802.1X? An overview of possibilities for safe access to fixed and wireless networks Amsterdam, October Erik Dobbelsteijn.
Windows 2003 and 802.1x Secure Wireless Deployments.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
Configuring Routing and Remote Access(RRAS) and Wireless Networking
Chapter 20: Getting from the Office to the Road: VPNs BAI617.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
Mobile and Wireless Communication Security By Jason Gratto.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
WIRELESS LAN SECURITY Using
Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011 Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Implementing Network Access Protection
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
1 Week 6 – NPS and RADIUS Install and Configure a Network Policy Server Configure RADIUS Clients and Servers NPS Authentication Methods Monitor and Troubleshoot.
Module 8: Designing Network Access Solutions. Module Overview Securing and Controlling Network Access Designing Remote Access Services Designing RADIUS.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Module 11: Remote Access Fundamentals
Module 8: Configuring Network Access Protection
Csci388 Wireless and Mobile Security – Access Control: 802
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 6: Implement Wireless Scalability.
802.1X in SURFnet 22 May 2003.
Configuring Network Access Protection
Security for (Wireless) LANs 802.1X workshop 30 & 31 March 2004 Amsterdam.
Workshop roaming services: eduroam / govroam
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
LM/NTLMv1 Retirement Hosted by LSP Services.
Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Introduction to Networking Technologies Wireless Security.
Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
Port Based Network Access Control
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
Implementing Network-Edge Security with 802.1x
Module 9: Configuring Network Access
Implementing Network Access Protection
Presentation transcript:

Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. 1

2 Background Student housing apartments comprise one of the largest apartment complexes in the D/FW Metroplex – approximately 1200 units, 67 buildings Peak usage of around 1000 simultaneous users Student housing security provided by SSID cloaking, WEP, and Bluesocket gateway doing web authentication Campus security provided by WEP, SSID cloaking, and MAC address registration

3 The Criteria Client availability and ease of use Scalable and robust Ease of integration with existing security and identity systems Low cost And, of course, the best security possible

X Meets the Challenge Client availability and ease of use –Most OSes now come with 802.1X clients, more added frequently –No more requirement for SSID cloaking and MAC registration Scalable and robust –As scalable as your APs, no extra density calculations Ease of integration with existing security and identity systems –Most RADIUS implementations integrate with LDAP and SQL Low cost –Only required purchase of two servers and a commercial certificate Provides exceptional accounting information

5 The Best Overall Security Authenticates users in a variety of methods (EAP types) Robust, dynamically keyed encryption Pushes the security perimeter to the absolute entry point of the network by securing connections at the AP –Protects authenticated clients from unauthenticated clients –Mutual authentication –Mitigates connection hijacking

6 What is 802.1X? Port Access Authentication –Originally designed for authenticating ports on wired LANs –Port traffic, except for 802.1X, blocked until successful authentication Three Components –Supplicant (client) –Authenticator (switch, AP, other NAS, preferably RADIUS capable) –Authentication Server (sometimes part of Authenticator, otherwise RADIUS server) Utilizes the Extensible Authentication Protocol (EAP) –As such, it is sometimes known as EAPoL (EAP over LAN) –RADIUS server must be EAP capable

X Meets Wireless Associations (wireless clients) become virtual “ports” Frequent reauthentications reset key information and insure no session hijacking has occurred EAPoL Key frame used to provide dynamic encryption Now used as the basis for enterprise authentication in WPA and WPA2 (802.11i)

8 EAP Demystified Originally designed for PPP authentication Authentication framework –Authenticators only need to recognize a few well defined messages Request/Response Success/Failure –EAP subtypes allow for new types of authentication to be added without requiring upgrades to the Authenticators –Only Supplicants and Authentication Servers need to implement details of new EAP types

9 EAP Types EAP-MD5 –Does NOT provide for dynamic encryption –User authenticated by password –Network NOT authenticated to user (no mutual authentication) EAP-TLS –Provides for dynamic encryption –User and network mutually authenticated using certificates EAP-TTLS and PEAP –Provides for dynamic encryption –Network authenticated using certificate –Client authentication tunneled inside of EAP-TLS

10 UTD Chooses PEAP Specifically PEAP-MSCHAPv2 Native to Windows XP and above (available from Microsoft for Windows 2000 in SP4) Also implemented in most other supplicants (Open1X, MacOS X 10.3, etc) Allows clients to authenticate with familiar username and password Does not absolutely require helpdesk intervention to set up connection

11 Hardware Details 802.1X Capable Access Points –UTD currently uses Proxim APs –Almost any enterprise-class AP Two RADIUS Servers –Provides for failover –Not required to be beefy RADIUS is a lightweight service, even with TLS sessions and frequent reauthentications Low-end Dell PowerEdge servers

12 Software Details Fedora Core OS MySQL –Provides policy enforcement and accounting backend for RADIUS –Holds special case users that do not exist in LDAP tree FreeRADIUS –Ties in with LDAP and SQL to form authentication, authorization, and accounting (AAA) framework for wireless LAN

13 PEAP Certificate Certificate required for network authentication Certificate must contain the TLS Web Server Authentication Extended Key Usage Attribute –Required by Microsoft supplicant –OID –Exists in commercial web server SSL certificates Commercial certificate obtained from VeriSign –No need for “roll-your-own” CA –Help desk not required to load CA certificate on user machines

14 MSCHAPv2 Password hashes in LDAP tree incompatible with MSCHAPv2 New ntPassword attribute added to LDAP schema to hold NTLMv2 hashed password –Attribute ONLY accessible to RADIUS LDAP profile –Web account management system updated to populate ntPassword attribute when password change occurs

15 Rollout Timeline Six months before rollout –Web account management system updated to load NT hashed password –RADIUS servers configured and tested Two weeks before rollout –Notification posted to students of change –Web pages with instructions for setting up 802.1X in various OSes provided –Printed versions of instructions provided at help desk and apartment complex leasing office Rollout –Campus router interface created for wireless LAN (previously handled by Bluesocket gateway) –DHCP updated - new address space, unknown clients allowed –APs reconfigured to require 802.1X authentication

16 Recent Additions Homegrown FreeRADIUS module for blocking virus infected machines –Blocks machines based on RADIUS Calling-Station-Id attribute (MAC Address) –Fed automatically from IDS –Blocking at “perimeter” extremely useful here Windows Domain Machine Authentication –Domain member machines must be able to authenticate as a machine for domain user credentials to be processed –FreeRADIUS proxies Windows machine authentications to a Microsoft IAS RADIUS server –FreeRADIUS still controls connection policy

17 Where do we go from here? Rollout to our main campus Use of accounting data for detailed usage reports More policy management using dynamically assigned VLANs Authenticated guest access using temporary credentials 802.1X for public wired switch ports VoFi phones on the near horizon Federated Wireless Network Authentication -

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.