RADIUS Client Kickstart

Presentation on theme: "RADIUS Client Kickstart"— Presentation transcript:

1 RADIUS Client Kickstart
September 2002
Robert Moskowitz, ICSALabs
John Vollbrecht, Interlink Networks

2 Houston, we have a problem
IEEE 802.1X RADIUS Usage Guidelines:
“IEEE Std 802.1X-2001 enables authenticated access to IEEE 802 media, including Ethernet, Token Ring, and IEEE wireless LANs. Although RADIUS support is optional within IEEE Std 802.1X-2001, it is expected that most IEEE Std 802.1X-2001 Authenticators will function as RADIUS clients.”
RFC 2865 Sec 3:
“A RADIUS server MUST use the source IP address of the RADIUS UDP packet to decide which shared secret to use, so that RADIUS requests can be proxied.”

3 Stated Simply
When an AP that supports 802.1x authentication is connected to the net, it must be configured with:
- the IP address or DNS name of its RADIUS server;
- a shared secret with the RADIUS Server, which is typically hand configured.
Finally, the AP must be registered with the DNS server, or assigned a permanent IP address. This name or address must also be configured in the RADIUS Server.

4 What is wrong with this picture?
Setting up the RADIUS Client shared secret:
“The secret (password shared between the client and the RADIUS server) SHOULD be at least as large and unguessable as a well-chosen password. It is preferred that the secret be at least 16 octets. This is to ensure a sufficiently large range for the secret to provide protection against exhaustive search attacks. The secret MUST NOT be empty (length 0) since this would allow packets to be trivially forged.”
This is done manually on the RADIUS Client and Server.

5 More Wrongness
- The IP address of the AP MUST be fixed:
  - No DHCP, or use MAC controlled DHCP (same IP address always assigned to a given MAC)
  - Or AP’s DNS name available (DYNDNS required?)
- No mechanism to easily rekey MANY RADIUS Clients
- Only the single AP with built-in RADIUS will NOT be challenged

6 How to fix this
- Kickstart a Master Secret between the AP and RADIUS Server using a ‘guarded (e.g. SKIP)’ Diffie-Hellman exchange.
  - RFC 2786 is the model: Diffie-Hellman USM Key -- SNMPv3 Key ‘ignition’
  - Secret is bound to AP’s name, i.e. BSSID
- AP Boot Registration
  - Master Secret used to establish a Boot secret bound to the AP’s IP address
  - This is the RADIUS Client Shared Secret
  - This can also ‘plumb’ the RADIUS keys

7 How to fix this
- Master Secret Change using Diffie-Hellman for Perfect Forward Secrecy
  - See RFC Key Changes
- A Key Change forces a Boot Registration

8 Benefits
- No User configuration on APs
- No user interface on APs
- Manageability of RADIUS Client secrets
- Support for DHCP address assignment for APs

9 General Approach Proposal
- Kickstart design using Diffie-Hellman over SNMPv2
  - Controlled by MIBs (e.g. only possible in factory state)
- AP Boot Registration using keywrapping over RADIUS without RADIUS authentication
- Secret Change using Diffie-Hellman with old Diffie-Hellman (like SKIP PFS) over SNMPv2
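The three phases on slides 6, 7 and 9 (Kickstart, Boot Registration, Key Change) as an added Python model; this is an illustration written for this transcript, not code from the proposal or its authors. It assumes HMAC-SHA256 for binding the Diffie-Hellman output to the BSSID and then to the AP's IP address (the slides name no derivation), RFC 2409 group 2 in place of the SNMP transport, and the RFC 2865 Response Authenticator as the check that the resulting per-address shared secret actually works on the RADIUS path.

```python
import hashlib, hmac, secrets, struct

# RFC 2409 group 2 (1024-bit MODP prime, generator 2), used only to keep the example self-contained.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1          # fresh exponent per exchange: this is what gives PFS
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(128, "big")

def master_secret(dh_secret, bssid):
    # Phase 1 (Kickstart): master secret bound to the AP's name, its BSSID. HMAC binding is an assumption.
    return hmac.new(dh_secret, b"kickstart|" + bssid, hashlib.sha256).digest()

def boot_secret(master, ap_ip):
    # Phase 2 (Boot Registration): per-address secret that serves as the RADIUS client shared secret.
    return hmac.new(master, b"boot|" + ap_ip.encode(), hashlib.sha256).digest()

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 sec 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

class RadiusServer:
    """Master secrets per BSSID; RADIUS shared secrets keyed by client source IP (RFC 2865 sec 3)."""
    def __init__(self):
        self.masters, self.secrets = {}, {}
    def kickstart(self, bssid, ap_pub):           # server half of the DH exchange, returns its public value
        priv, pub = dh_keypair()
        self.masters[bssid] = master_secret(dh_shared(priv, ap_pub), bssid)
        return pub
    def boot_register(self, bssid, src_ip):      # rerun whenever the AP's address changes (DHCP)
        self.secrets[src_ip] = boot_secret(self.masters[bssid], src_ip)
    def reply(self, src_ip, ident, request_auth, attrs=b""):
        secret = self.secrets.get(src_ip)
        if secret is None:
            return None                          # no secret for this source address: silently discard
        return response_authenticator(2, ident, attrs, request_auth, secret)   # Access-Accept

def ap_kickstart(server, bssid):                 # AP half of phase 1: returns the AP's copy of the master secret
    priv, pub = dh_keypair()
    return master_secret(dh_shared(priv, server.kickstart(bssid, pub)), bssid)

def ap_verifies(secret, ident, request_auth, resp_auth, attrs=b""):
    # AP checks the Response Authenticator with its boot secret, in constant time
    return resp_auth is not None and hmac.compare_digest(
        response_authenticator(2, ident, attrs, request_auth, secret), resp_auth)
```

A key change (slide 7) is simply another `ap_kickstart` with fresh exponents, after which the AP must run `boot_register` again, which is exactly the forced Boot Registration the slide describes.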

10 Where will work get done
- IETF Individual(s) submission -- No RADIUS workgroup
- Looking for community of interest
- Referenced by 802.1x Annex D
