CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -


CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade Wenche Backman-Kamila

Agenda
Supplicants in general
  – Windows7 (manual & automatic config)
  – Network manager and wpa_supplicant
  – Mac
  – WindowsXP
Monitoring
  – Fixed part
  – Wireless part

SUPPLICANTS

Why supplicants?
eduroam based on 802.1x
  – 802.1x requires supplicants
LOTS of different supplicants out there
  – all OSes have their own
  – iPhone, Android, Nokia etc. have their own
  – All differ but basic features are the same
The bright side: Configure only ONCE
  – In web authentication credentials repeated

Supplicant details
Basic features
  – Define EAP-method
      Supported methods depend on supplicant
  – Define certificate and server name
      If self-signed certificate, no server name required
  – Define encryption: WPA2-AES, WPA-TKIP
  – Define user name and password
      User name
      Anonymous identity might be supported

Supplicant best practices
About certificates in PEAP and TTLS
  – If self-signed certificate
      Distribute it securely to your users
  – If public CA
      Ensure that the CA and the server name have been defined in the supplicant
  – If you use TLS you don’t have to worry about these recommendations
Anonymous identity

Supplicants and supported EAP methods
EAP methods (table columns): PEAP-MSCHAPv2 | TTLS-MSCHAPv2 | TTLS-PAP | TLS
Windows XP/Vista/7: x x
Network manager & wpa_supplicant: x x x x
Mac: x x x x

Windows7 manually 1/3

Windows7 manually 2/3

Windows7 manually 3/3

Windows7 – automatically 1/2
Installer creates XML file
  – XML file used to configure settings
User only inputs credentials
  – requires admin rights
Installer created with NSIS
Win7 and Vista

Windows7 – automatically 2/2

Network manager/ wpa_supplicant

Mac supplicant 1/3

Mac supplicant 2/3

Mac supplicant 3/3

WinXP
Configuration video available at eduroam_supplicants/setting_up_eduroam_supplicants.html

MONITORING

Monitoring

Monitoring methods for authentication
Radius authentication
  radtest
    – standard command
  Input
    – Credentials
    – Server name and shared secret
  does not require a radius server for monitoring purposes
  doesn’t test EAP auth
EAP authentication
  eapol_test
    – included in wpa_supplicant
  Additional input compared to radtest
    – Supported EAP methods (outer and inner)
    – Certificate
  Requires a radius server to carry out testing
  Imitates supplicant auth

More on eapol_test
http://deployingradius.com/scripts/eapol_test
eapol_test -c peap-mschapv2.conf -a <RADIUS server IP> -s <shared secret> -M 22:44:66:00:00:00 -A <client IP>
check_eapauth
rad_eap_test (

Monitoring authentication at campus
Create username and password for monitoring purposes
Monitoring server
  – radtest
  – and/or eapol_test
And additionally
  – ping latency, packet loss and opening of SSH connections

Monitoring at federation level
Monitoring hierarchy
  – With credentials from each organisation
  – Results on web
  – Based on eapol_test
  – E.g. Checks every 10th minute if OK
  – If problems every 3rd minute
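
An added example, not from the original slides: an eapol_test probe that follows the check schedule above (10 minutes when OK, 3 minutes on problems) and applies the certificate advice from the supplicant best-practices slide, so the monitor validates the RADIUS server's CA and name like a correctly configured supplicant. The realm example.org, the address 192.0.2.10, the CA path and the variables RUN_MONITOR, MONITOR_PASSWORD and RADIUS_SECRET are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; realm, addresses, paths and variable names are constructed.
OK_INTERVAL=600    # "every 10th minute if OK"
FAIL_INTERVAL=180  # "if problems every 3rd minute"

# Write a PEAP-MSCHAPv2 network block for eapol_test. ca_cert plus
# domain_suffix_match make the probe check the RADIUS server certificate and
# name, as a correctly configured supplicant would.
write_conf() (  # usage: write_conf FILE USER@REALM PASSWORD CA_FILE SERVER_NAME
    umask 077   # the file holds the monitoring password
    cat > "$1" <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@${2#*@}"
    identity="$2"
    password="$3"
    ca_cert="$4"
    domain_suffix_match="$5"
}
EOF
)

# Run one authentication; print OK or FAIL.
probe() {  # usage: probe CONF SERVER_IP SHARED_SECRET
    out=$(eapol_test -c "$1" -a "$2" -s "$3" -t 10 2>&1) && rc=0 || rc=$?
    # eapol_test exits 0 and prints SUCCESS as its last line when auth passes
    if [ "$rc" -eq 0 ] && [ "$(printf '%s\n' "$out" | tail -n 1)" = SUCCESS ]; then
        echo OK; return 0
    fi
    echo FAIL; return 1
}

# Delay before the next check, chosen from the last result.
next_interval() {  # usage: next_interval OK|FAIL
    if [ "$1" = OK ]; then echo "$OK_INTERVAL"; else echo "$FAIL_INTERVAL"; fi
}

if [ "${RUN_MONITOR:-0}" = 1 ]; then   # guard so the file can be sourced
    conf=$(mktemp); trap 'rm -f "$conf"' EXIT
    write_conf "$conf" "monitor@example.org" "$MONITOR_PASSWORD" \
        /etc/ssl/certs/example-ca.pem radius.example.org
    while :; do
        status=$(probe "$conf" 192.0.2.10 "$RADIUS_SECRET") || true
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) eduroam-auth $status"
        sleep "$(next_interval "$status")"
    done
fi
```

The shared secret is passed to eapol_test on the command line, so run the probe on a dedicated monitoring host and give the monitoring account no access beyond authentication.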

Monitoring the air interface
Commercial products can be divided into three groups:
  – Products based on data from access points to the controllers
  – Products based on site survey
  – Solutions covering both the fixed LAN network and the air interface

Access point and controller data
Cisco’s WCS
  – Control and monitor several controllers
  – Air interface data
      Signal strength and noise levels
      Channel allocation
      Transmit power
AirWave’s Wireless Management Suite
  – multivendor environments

Site survey for monitoring purposes
Lots of alternatives
  – Motorola’s AirDefense Mobile and SiteScanner
  – Airmagnet’s WiFi and VoFi Analyzers
  – WildPackets’s OmniPeek
  – Wireshark
  – Wi-Spy

Both LAN and air interface
Active measures
  – Attach
  – Authentication
  – DHCP-server
  – HTTP and FTP upload and download
  – VoIP-test with MOS
Passive measures
  – Signal strength and SNR
7signal’s Sapphire

Monitoring at campuses in Finland
Access points are monitored
  – All known APs connected to controller
  – APs correctly configured
  – Radios on
  – Users per AP
Means for AP monitoring
  – SSH script
  – perl
  – Airwave

References and contact info
Main reference
  – WLAN infrastructure BPD
Other references
  – Monitoring and ensuring WLAN performance