802.1X in Windows. Tom Rixom, Alfa & Ariss. Overview: 802.1X/EAP, 802.1X in Windows, Tunneled Authentication, Certificates in Windows, WIFI Client in Windows.

Presentation transcript:

802.1X in Windows Tom Rixom Alfa & Ariss

Overview
802.1X/EAP
802.1X in Windows
Tunneled Authentication
Certificates in Windows
WIFI Client in Windows (WZC)
Configuration examples
Questions?

802.1X/EAP
Port Based Network Access Control
Authenticated/Unauthenticated Port
Supplicant/Authenticator/Authentication Server
Uses EAP (Extensible Authentication Protocol)
Allows authentication based on user credentials

EAP over LAN (EAPOL)

802.1X Client
802.1X Protocol Driver (EAPOL Driver)
– Handles all EAPOL communication
– Extracts EAP messages from EAPOL so that applications can read them
– Inserts the EAP messages that applications wish to send into EAPOL
802.1X Client Application
– Uses the driver to send and receive EAP messages
– Handles EAP messages accordingly

802.1X Client in Windows
Implements the 802.1X driver (NDIS) and application
Uses the Microsoft EAP API to handle the EAP communication
Controls user interaction (balloon)
User/Computer context

EAP in Windows
Microsoft EAP API
An EAP module is a “Microsoft DLL” that implements the Microsoft EAP API
The 802.1X client calls modules through the EAP API to handle authentication
Another example is the Microsoft VPN client

EAP Modules
EAP-MD5 (built-in)
– Username/password
EAP-TLS (built-in)
– Client/server certificates (PKI)
EAP-MSCHAPV2 (built-in)
– Username/password (Windows credentials)
Protected EAP (PEAP) (built-in)
– Server certificate
– Tunneled EAP authentication
– EAP-MD5, EAP-MSCHAPV2, EAP-…
EAP-TTLS
– Server certificate
– Tunneled Diameter authentication
– Diameter (PAP/CHAP/…), EAP

Tunneled Authentication (TTLS/PEAP)
Uses a TLS tunnel to protect data
– The TLS tunnel is established using the server certificate, authenticating the server and preventing man-in-the-middle attacks (provided the client validates that certificate against its trust store)
Allows use of dynamic session keys for line encryption

PEAP?
PEAP
– Version 1, 2
– Supported by Cisco, Apple OS X Panther
– eap-07.txt
Microsoft PEAP (Windows XP SP1)
– Version 0
– No headers
– Implemented by the Microsoft PEAP module
– 00.txt

Certificates in Windows
PEAP (built-in) and SecureW2 use the Windows certificate trust
The certificate (chain) of the authentication server must be installed on the local computer
Certificate stores:
– User: each user has their own user store in which they can install certificates and build certificate trusts; certificates are visible only to the store owner (user)
– System: only administrators and system applications can install certificates in the system store; certificates can be used by all applications and users

WIFI Client in Windows
Wireless Zero Config (WZC)
Generic interface for configuring wireless connections
Compatibility
– The wireless Ethernet driver must be compatible with WZC to enable 802.1X
Windows XP
– WPA
Windows Mobile Pocket PC 2003
Windows 2000 requires a 3rd-party WIFI client

EAPOL Key

802.1X WIFI Scenario
The WIFI client associates with the Access Point (SSID)
The Access Point requires 802.1X and sets the client's “port” to the “Unauthenticated” state
The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the client
The 802.1X client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication
After successful authentication the EAP RADIUS server and the client generate the MPPE keys (based on the TLS tunnel)
The RADIUS server sends the MPPE keys (with the Access-Accept) to the Access Point
The Access Point sets the client's “port” to the “Authenticated” state, allowing the client to communicate with the intranet
The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL-Key message
The Access Point sends the EAPOL-Key to the client
The client decodes the WEP key in the EAPOL-Key message using the MPPE keys it generated and sets the WEP key
The WIFI client takes over to set up the rest of the connection (DHCP)
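The EAPOL/EAP layering from the 802.1X Client slide, the built-in EAP-MD5 username/password module from the EAP Modules slide, and the port state changes of the scenario above, as one added Python example that is not code from the presentation, from Windows or from SecureW2. It collapses the Access Point and RADIUS server into a single Authenticator object, uses EAP-MD5 because it is the one built-in method that fits in a few lines, and the usernames, passwords and the "radius" server name it carries are constructed; the MPPE/EAPOL-Key step is left out.

```python
# Added illustration, not code from the presentation, Windows or SecureW2: EAPOL/EAP
# framing, a minimal EAP-MD5 supplicant module and the authenticator's controlled-port
# state machine. AP and RADIUS server are collapsed into one object; credentials are constructed.
import hashlib, hmac, os, struct
from dataclasses import dataclass
from typing import Optional

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3  # IEEE 802.1X packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4     # RFC 3748 codes
EAP_IDENTITY, EAP_MD5 = 1, 4                                         # RFC 3748 method types

@dataclass
class Eap:
    code: int
    identifier: int
    method: Optional[int] = None  # Success/Failure carry no Type byte
    data: bytes = b""

    def pack(self) -> bytes:
        body = b"" if self.method is None else bytes([self.method]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

def parse_eap(body: bytes) -> Eap:
    # Decode the EAP packet the EAPOL driver extracted for the client application
    code, ident, length = struct.unpack("!BBH", body[:4])  # struct.error if too short
    if not 4 <= length <= len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return Eap(code, ident)
    if length < 5:
        raise ValueError("Request/Response without Type byte")
    return Eap(code, ident, body[4], body[5:length])

def eapol(ptype: int, body: bytes = b"") -> bytes:
    # Wrap an EAP packet (or nothing, for Start/Logoff) in an EAPOL version-1 header
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def parse_eapol(pkt: bytes):
    _version, ptype, length = struct.unpack("!BBH", pkt[:4])
    if len(pkt) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return ptype, pkt[4:4 + length]

def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 (RFC 3748 section 5.4) reuses CHAP: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Supplicant:
    """802.1X client application: hands each EAP Request to the matching EAP module."""
    def __init__(self, username: str, password: str):
        self.username, self.password = username.encode(), password.encode()

    def respond(self, req: Eap) -> Eap:
        if req.method == EAP_IDENTITY:
            return Eap(EAP_RESPONSE, req.identifier, EAP_IDENTITY, self.username)
        if req.method == EAP_MD5:  # the built-in username/password module
            digest = md5_response(req.identifier, self.password, req.data[1:1 + req.data[0]])
            return Eap(EAP_RESPONSE, req.identifier, EAP_MD5, bytes([16]) + digest + self.username)
        raise ValueError(f"no EAP module installed for type {req.method}")

class Authenticator:
    """Access Point plus (collapsed) RADIUS server; owns the controlled port's state."""
    def __init__(self, users: dict):
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.port, self.ident, self.peer, self.challenge = "Unauthenticated", 0, None, b""

    def _request(self, method: int, data: bytes = b"") -> bytes:
        self.ident += 1  # identifier of the Request now outstanding
        return eapol(EAPOL_EAP_PACKET, Eap(EAP_REQUEST, self.ident, method, data).pack())

    def on_eapol(self, pkt: bytes) -> Optional[bytes]:
        ptype, body = parse_eapol(pkt)
        if ptype == EAPOL_LOGOFF:
            self.port = "Unauthenticated"
            return None
        if ptype == EAPOL_START:  # port is Unauthenticated: ask who is there
            return self._request(EAP_IDENTITY)
        resp = parse_eap(body) if ptype == EAPOL_EAP_PACKET else None
        if resp is None or resp.code != EAP_RESPONSE or resp.identifier != self.ident:
            return None  # EAPOL-Key, stale or out-of-sequence Response: nothing to do here
        if resp.method == EAP_IDENTITY:
            self.peer, self.challenge = resp.data, os.urandom(16)
            return self._request(EAP_MD5, bytes([16]) + self.challenge + b"radius")
        if resp.method == EAP_MD5 and self.peer in self.users:
            expected = md5_response(resp.identifier, self.users[self.peer], self.challenge)
            if hmac.compare_digest(resp.data[1:1 + resp.data[0]], expected):
                self.port = "Authenticated"  # only now may traffic reach the intranet
                return eapol(EAPOL_EAP_PACKET, Eap(EAP_SUCCESS, resp.identifier).pack())
        self.port = "Unauthenticated"
        return eapol(EAPOL_EAP_PACKET, Eap(EAP_FAILURE, resp.identifier).pack())

def run_8021x(supplicant: Supplicant, ap: Authenticator) -> list:
    """Drive one exchange from EAPOL-Start to Success/Failure; returns the EAP codes received."""
    codes, pkt = [], ap.on_eapol(eapol(EAPOL_START))
    while pkt is not None:
        msg = parse_eap(parse_eapol(pkt)[1])
        codes.append(msg.code)
        if msg.code in (EAP_SUCCESS, EAP_FAILURE):
            break
        pkt = ap.on_eapol(eapol(EAPOL_EAP_PACKET, supplicant.respond(msg).pack()))
    return codes
```

Calling `run_8021x(Supplicant("tom", "s3cret"), Authenticator({"tom": "s3cret"}))` returns `[1, 1, 3]` (Request/Identity, Request/MD5-Challenge, Success) and leaves `ap.port` at "Authenticated"; a wrong password or unknown user ends in Failure with the port back at "Unauthenticated", and an EAPOL-Logoff drops the port again. EAP-MD5 authenticates only the client and produces no keying material, which is why the slides run it inside a PEAP or TTLS tunnel and why the MPPE-key step of the scenario needs a TLS-based method.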

Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1 Connection properties

Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2 Wireless Networks

Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3 Wireless Networks properties

Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4 Wireless Networks properties (Authentication)

Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 5 SecureW2 properties

Configuration example #2 PEAP (Wired, Windows 2K) Step 1 Start Wireless Configuration service

Configuration example #2 PEAP (Wired, Windows 2K) Step 2 Connection properties

Configuration example #2 PEAP (Wired, Windows 2K) Step 3 Authentication properties

Configuration example #2 PEAP (Wired, Windows 2K) Step 4 PEAP properties

Configuration example #2 PEAP (Wired, Windows 2K) Step 4 Configure 3rd-party WIFI client
– Some clients support dynamic WEP keys
– Other clients that do not support dynamic WEP keys can be tricked: “Fake WEP Key”

Questions? …