Presentation is loading. Please wait.

Presentation is loading. Please wait.

12-July-2006IETF 66, Montreal1 Implementation Experience with a New Wireless EAP Method David Mitton RSA Security, Inc.

Published byClaud Short Modified over 9 years ago

Similar presentations

Presentation on theme: "12-July-2006IETF 66, Montreal1 Implementation Experience with a New Wireless EAP Method David Mitton RSA Security, Inc."— Presentation transcript:

1 12-July-2006IETF 66, Montreal1 Implementation Experience with a New Wireless EAP Method David Mitton RSA Security, Inc.

2 12-July-2006IETF 66, Montreal2 New EAP Method 32, SecurID Token Authentication Uses Protected-OTP EAP Framework draft-nystrom-eap-potp-04.txt EAP Method 32 - profile of POTP for RSA SecurID Applications: –Dial PPP –VPN (PPTP) –Wired 802.1x –802.11i Wireless 802.1x

3 12-July-2006IETF 66, Montreal3 Problems with Wireless Deployment Development and testing on single vendor access point worked flawlessly When deployed to the field, began getting problem reports Three different vendors; three different types of problems

4 12-July-2006IETF 66, Montreal4 Typical Components Diagram

5 12-July-2006IETF 66, Montreal5 Typical Message Flow

6 12-July-2006IETF 66, Montreal6 Case 1: Response Not Accepted EAP 32 Request message is forwarded from AP to STA, but AP returns EAP Failure upon receiving response. AP decides to block EAP based on method value.

7 12-July-2006IETF 66, Montreal7 Case 2: Fumbled Forwarding EAP32 Request passes from RADIUS to EAPOL but not the Response Method dependencies in the code that packs and unpacks EAP messages from RADIUS messages Causes the AP to retransmit Request every 30 seconds. STA responds each time, but Response is lost Session-Timeout value (120) ignored by AP

8 12-July-2006IETF 66, Montreal8 Case 3: Session Interference Re-sync condition causes a long authentication, AP decides to send new Identity Request to STA in midst of exchange. (2.5 seconds after previous exchange) AP has bad policy on length of authentication process. Not tied to message exchange. Did not honor Session-Timeout attribute in Access-Challenge.

9 12-July-2006IETF 66, Montreal9 Bad Assumptions Method type #s should all be passed, or be management configurable Avoid method dependent processing for EAP forwarding – why? Session timeout should: –use Session-Timeout attribute, –sensitive to message ID change, and message to message timing, not overall elapsed time

10 12-July-2006IETF 66, Montreal10 Suggested Testing Requirements Allow all method values Retransmission of individual messages should be manageable (Session-Timeout) Timeout of authentication session should be tied to session inactivity not arbitrary or inaccessible numbers Anything that returns keys should work (e.g. meets RFC 3748)

11 12-July-2006IETF 66, Montreal11 How do we get Open and Interoperable EAP products? Products that only support a short list of protocols are preventing new security! Who is responsible? –Vendors? –Wi-Fi Alliance? –IEEE 802.11? What can we do here?

Download ppt "12-July-2006IETF 66, Montreal1 Implementation Experience with a New Wireless EAP Method David Mitton RSA Security, Inc."

Similar presentations

Authentication.

Authentication.
1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.

1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Service Bus Service Bus Access Control.

Service Bus Service Bus Access Control.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
WLAN Security Examining EAP and 802.1x. 802.1x works at Layer 2 to authentication and authorize devices on wireless access points.

WLAN Security Examining EAP and 802.1x x works at Layer 2 to authentication and authorize devices on wireless access points.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
By Alvin Tse.  FCC – Federal Communications Commission   IETF – Internet Engineering Task Force   IEEE –

By Alvin Tse.  FCC – Federal Communications Commission   IETF – Internet Engineering Task Force   IEEE –
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Similar presentations

Ads by Google