Download presentation
1
Network Access and 802.1X Klaas Wierenga SURFnet
Ljubljana, April 3, 2006
2
Contents Network access Wireless access 802.1X Conclusions
3
Network Access
4
Access to the campus network
Bad outside world Campus network ? ? Connection is either via a trusted or an untrusted network
5
Intermezzo: protecting traffic
Secured tunnel Bad outside world Campus network VPN’s can be used to protect the data sent to and received from the trusted network
6
Access to the trusted network
Bad outside world Campus network ? How do you protect access to the trusted network? Wired Wireless
7
Access to wireless LAN’s
8
Wireless LANs are unsafe
tcpdump -n -i eth1 19:52: > : icmp: echo request 19:52: > : icmp: echo reply 19:52: > : icmp: echo request 19:52: > : icmp: echo reply 19:52: > : icmp: echo request 19:52: > : icmp: echo reply ^C
9
Requirements Identify users uniquely at the edge of the network
Prevent session hijacking Scalable Easy to deploy and use Open Give away for tomorrow: allow for guest use
10
Possible solutions Standard solutions provided by AP’s:
Open access: scalable, not secure MAC-addres: not scalable, not secure WEP: not scalable, not secure Alternative solutions: Web-gateway+RADIUS VPN-gateway 802.1X+RADIUS
11
Access to the campus WLAN
Not trusted local network Trusted local network Initial connection is either to a trusted or an untrusted network
12
Open network + web gateway
Open (limited) network, gateway between (W)LAN and de rest of the network intercepts all traffic (session intercept) Can use a RADIUS backend to verify user credentials Guest use easy Browser necessary Hard to maintain accountability Session hijacking
13
Open network + VPN Gateway
Open (limited) network, client must authenticate on a VPN-concentrator to get to rest of the network Client software needed Proprietary Hard to scale VPN-concentrators are expensive Guest use hard (sometimes VPN in VPN) All traffic encrypted NB: VPN’s are the method of choice for protecting data on a WAN
14
IEEE 802.1X True port based access solution (Layer 2) between client and AP/switch Several available authentication-mechanisms through the use of EAP (Extensible Authentication Protocol) Standardised Also encrypts all data, using dynamic keys RADIUS back-end: Scalable Re-use existing trust relationships Easy integration with dynamic VLAN assignment (802.1Q) Client software necessary (OS-built in or third-party) For wireless and wired
15
Summary Standard available security options of AP’s don’t work
Web-redirect+RADIUS: scalable, not secure VPN-based: not scalable, secure 802.1X: scalable, secure
16
802.1X
17
802.1X/EAP Authenticated/Unauthenticated Port
Supplicant/Authenticator/Authentication Server Uses EAP (Extensible Authentication Protocol) Allows authentication based on user credentials
18
EAP over LAN (EAPOL)
19
Through the protocol stack
Supplicant (laptop, desktop) Authenticator (AccessPoint, Switch) Auth. Server (RADIUS server) EAP 802.1X EAPOL RADIUS (TCP/IP) Ethernet Ethernet
20
Secure access to the campus LAN with 802.1X
Supplicant Authenticator (AP or switch) RADIUS server (Authentication Server) User DB Internet Employee VLAN Guests VLAN Student VLAN 802.1X (VLAN assignment) signaling data
21
Conclusions
22
Summary There is a difference between providing access to campus resources over the Internet and providing network access Access via the Internet: VPN Network access: 802.1X Tomorrow: How 802.1X can be leveraged for guest access
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.