Wireless Security and Accounting with 802.1x by 3u8736Qa


Wireless Security and Accounting with 802.1X


• Background

• Why 802.1X?

• What is 802.1X?

• Implementing 802.1X at UTD

• The future of 802.1X and network security

• Student housing apartments comprise the largest apartment
  complex in D/FW Metroplex – 1200 units, 67 buildings

• Peak usage of almost 1000 simultaneous users

• Student housing security provided by SSID cloaking, WEP,
  and Bluesocket gateway doing web authentication

• Campus security provided by WEP, SSID cloaking, and
  MAC address registration

The Criteria

• Client availability and ease of use

• Scalable and robust

• Ease of integration with existing security and identity

• Low cost

• And, of course, the best security possible

802.1X Meets the Challenge

• Client availability and ease of use
    – Most OSes now come with 802.1X clients, more added frequently
    – No more requirement for SSID cloaking and MAC registration

• Scalable and robust
    – As scalable as your APs, no extra density calculations

• Ease of integration with existing security and identity systems
    – Most RADIUS implementations integrate with LDAP and SQL

• Low cost
    – Only required purchase of two servers and a commercial certificate

• Provides exceptional accounting information

The Best Overall Security

• Authenticates users in a variety of methods

• Robust, dynamically keyed encryption

• Pushes the security perimeter to the absolute entry point of
  the network by securing connections at the AP

   – Protects authenticated clients from unauthenticated clients

   – Mutual authentication

   – Mitigates connection hijacking

What is 802.1X?

• Port Access Authentication
   – Originally designed for authenticating ports on wired LANs
   – Port traffic, except for 802.1X, blocked until successful authentication

• Three Components
   – Supplicant (client)
   – Authenticator (switch, AP, other NAS, preferably RADIUS capable)
   – Authentication Server (sometimes part of Authenticator, otherwise
     RADIUS server)

• Utilizes the Extensible Authentication Protocol (EAP)
   – EAP frames are carried on the LAN as EAPoL (EAP over LAN), so 802.1X is
     sometimes referred to as EAPoL
   – RADIUS server must be EAP capable (EAP packets travel between Authenticator
     and Authentication Server inside the RADIUS EAP-Message attribute)

802.1X Meets Wireless

• Associations (wireless clients) become virtual “ports”

• Frequent reauthentications reset key information and ensure
  no session hijacking has occurred

• EAPoL Key frame used to provide dynamic encryption

• Now used as the basis for enterprise authentication in WPA
  and WPA2 (802.11i)

EAP Demystified

• Originally designed for PPP authentication

• Authentication framework

   – Authenticators only need to recognize a few well defined messages
      • Request/Response
      • Success/Failure

   – EAP subtypes allow for new types of authentication to be added
     without requiring upgrades to the Authenticators

   – Only Supplicants and Authentication Servers need to implement
     details of new EAP types
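The two slides above make one protocol point: the Authenticator only acts on the EAP Code (Request, Response, Success, Failure) and relays the EAP Type and its data untouched between Supplicant and Authentication Server. The following is an added example (not UTD's or any vendor's code) of that relay, with EAPoL and EAP header handling and a constructed Start / Identity / PEAP / Success exchange. The identity string and the single PEAP byte are made up for the example; the 802.1X and RFC 3748 header layouts and code values are the real ones.

```python
"""Authenticator-side EAP relay for 802.1X (added example, not UTD's or any
vendor's code).  The authenticator acts on the EAP Code only: Responses from
the supplicant go to the authentication server, Requests from the server go
to the supplicant, Success/Failure open or close the port.  It never
interprets the EAP Type, which is why a new method such as PEAP needs no
changes on the APs.  All frames below are constructed for the example."""
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # 802.1X packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25


def build_eapol(packet_type, body=b""):
    """EAPOL header: version(1) type(1) body-length(2), network byte order."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP header: code(1) id(1) length(2), then type(1)+data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eapol(frame):
    """Return (packet_type, body), rejecting frames whose length field lies."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length mismatch")
    return ptype, body


def parse_eap(packet):
    """Return {code, id, type, data}; type is None for Success/Failure."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field inconsistent")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        return {"code": code, "id": ident, "type": packet[4], "data": packet[5:length]}
    return {"code": code, "id": ident, "type": None, "data": b""}


class Authenticator:
    """One controlled port: everything but EAPOL is dropped while unauthorized."""

    def __init__(self):
        self.port_state = "unauthorized"
        self.current_id = 0

    def from_supplicant(self, frame):
        """Frame from the client.  Returns (action, payload)."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            self.current_id = (self.current_id + 1) & 0xFF
            req = build_eap(EAP_REQUEST, self.current_id, EAP_TYPE_IDENTITY)
            return "to_supplicant", build_eapol(EAPOL_EAP_PACKET, req)
        if ptype == EAPOL_LOGOFF:
            self.port_state = "unauthorized"
            return "port_closed", b""
        if ptype == EAPOL_EAP_PACKET:
            eap = parse_eap(body)
            if eap["code"] != EAP_RESPONSE:
                raise ValueError("supplicant may only send EAP Responses")
            # The Type is opaque here; the packet goes into RADIUS EAP-Message as-is.
            return "to_auth_server", body
        raise ValueError("unexpected EAPOL type %d" % ptype)

    def from_auth_server(self, packet):
        """EAP packet unwrapped from the RADIUS EAP-Message attribute."""
        eap = parse_eap(packet)
        if eap["code"] == EAP_SUCCESS:
            self.port_state = "authorized"      # arrived in an Access-Accept
        elif eap["code"] == EAP_FAILURE:
            self.port_state = "unauthorized"
        elif eap["code"] != EAP_REQUEST:
            raise ValueError("server may only send Requests, Success or Failure")
        self.current_id = eap["id"]
        return "to_supplicant", build_eapol(EAPOL_EAP_PACKET, packet)


def run_exchange(identity=b"alice@example.edu"):
    """Constructed exchange: Start, Identity, one PEAP request, Success.
    Returns (list of authenticator actions, final port state)."""
    auth = Authenticator()
    actions = []
    action, frame = auth.from_supplicant(build_eapol(EAPOL_START))
    actions.append(action)
    req = parse_eap(parse_eapol(frame)[1])
    resp = build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, identity)
    actions.append(auth.from_supplicant(build_eapol(EAPOL_EAP_PACKET, resp))[0])
    # Server opens PEAP (Type 25); the authenticator relays it without parsing the type.
    next_id = (req["id"] + 1) & 0xFF
    peap_start = build_eap(EAP_REQUEST, next_id, EAP_TYPE_PEAP, b"\x20")
    actions.append(auth.from_auth_server(peap_start)[0])
    actions.append(auth.from_auth_server(build_eap(EAP_SUCCESS, next_id))[0])
    return actions, auth.port_state
```

The length checks in the two parsers are the part worth copying: an AP or RADIUS server that trusts the EAP Length field without comparing it to the bytes actually received is the classic source of EAP parser bugs, and the relay role gives the authenticator no other reason to look inside the packet.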

EAP Types

   – Does NOT provide for dynamic encryption
   – User authenticated by password
   – Network NOT authenticated to user (no mutual authentication)

• EAP-TLS
   – Provides for dynamic encryption
   – User and network mutually authenticated using certificates

• PEAP
   – Provides for dynamic encryption
   – Network authenticated using certificate
   – Client authentication tunneled inside of EAP-TLS

UTD Chooses PEAP

• Specifically PEAP-MSCHAPv2

• Native to Windows XP and above (available from Microsoft
  for Windows 2000 in SP4)

• Also implemented in most other supplicants (Open1X,
  MacOS X 10.3, etc)

• Allows clients to authenticate with familiar username and

• Does not require helpdesk intervention to set up connection

Hardware Details

• 802.1X Capable Access Points
   – UTD currently uses Proxim APs
   – Almost any enterprise-class AP

• Two RADIUS Servers
   – Provides for failover
   – Not required to be beefy
      • RADIUS is a lightweight service, even with TLS sessions and frequent
      • Low-end Dell PowerEdge servers

Software Details

• Fedora Core OS

• SQL database
  – Provides policy enforcement and accounting backend for RADIUS
  – Holds special case users that do not exist in LDAP tree

• FreeRADIUS
  – Ties in with LDAP and SQL to form authentication, authorization, and
    accounting (AAA) framework for wireless LAN

PEAP Certificate

• Certificate required for network authentication

• Certificate must contain the TLS Web Server Authentication
  Extended Key Usage Attribute
   – Required by Microsoft supplicant
   – OID .
   – Exists in commercial web server SSL certificates

• Commercial certificate obtained from VeriSign
   – No need for “roll-your-own” CA
   – Help desk not required to load CA certificate on user machines

• Password hashes in LDAP tree incompatible with

• New ntPassword attribute added to LDAP schema to hold the NT
  hashed password (MD4 over the UTF-16 password, the value MS-CHAPv2
  verifies against; this hash is password-equivalent for MS-CHAPv2)

   – Attribute ONLY accessible to RADIUS LDAP profile

   – Web account management system updated to populate ntPassword
     attribute when password change occurs
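The slide's reason for the extra attribute is that MS-CHAPv2 does not work from a salted SHA-1 userPassword: the RADIUS server needs the NT hash itself. As an added example (not UTD's account-management code), the block below computes that hash and produces the LDIF modify record a password-change hook would apply. MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 builds; the DN, the attribute name ntPassword (taken from the slide) and the sample password are assumptions for illustration.

```python
"""NT hash generation for an ntPassword LDAP attribute (added example, not
UTD's code).  MS-CHAPv2 needs MD4 over the UTF-16LE password, so a salted
SHA-1 userPassword cannot be reused and the NT hash must be stored at
password-change time.  Because the NT hash is password-equivalent for
MS-CHAPv2, the attribute must be readable only by the RADIUS server's
LDAP identity.  MD4 is implemented here in pure Python (RFC 1320)."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                       # round 1: F(x,y,z) = (x&y)|(~x&z)
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                       # round 2: G = majority
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4              # word order 0,4,8,12,1,5,9,13,...
        a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):                       # round 3: H = x ^ y ^ z
        h = b ^ c ^ d
        a = _rotl((a + h + X[order[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data):
    """RFC 1320 MD4 digest of `data` (bytes) as 16 raw bytes."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as 32 uppercase hex chars: MD4 over UTF-16LE, no NUL terminator."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ntpassword_ldif(dn, password):
    """LDIF modify record to apply alongside the normal userPassword change.
    Attribute name ntPassword follows the slide; the DN is the caller's."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: ntPassword",
        "ntPassword: " + nt_hash(password),
        "",
    ])


if __name__ == "__main__":
    # Constructed DN and password for illustration only.
    print(ntpassword_ldif("uid=alice,ou=people,dc=example,dc=edu", "password"))
```

Two operational notes follow from the code: the UTF-16LE encoding means a password changed through a tool that stores only the SSHA form leaves ntPassword stale, so every password-change path (not only the web form) has to call this hook; and because nt_hash() is an unsalted, unkeyed digest, the LDAP ACL restricting the attribute to the RADIUS profile is what stands between a directory read and pass-the-hash against the wireless network.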

Rollout Timeline

• Six months before rollout
   – Web account management system updated to load NT hashed
   – RADIUS servers configured and tested
• Two weeks before rollout
   – Notification posted to students of change
   – Web pages with instructions for setting up 802.1X in various OSes
   – Printed versions of instructions provided at help desk and apartment
     complex leasing office
• Rollout
   – Campus router interface created for wireless LAN (previously
     handled by Bluesocket gateway)
   – DHCP updated - new address space, unknown clients allowed
   – APs reconfigured to require 802.1X authentication

Recent Additions

• Homegrown FreeRADIUS module for blocking virus infected
   – Blocks machines based on RADIUS Calling-Station-Id attribute
     (MAC Address)
   – Fed automatically from IDS
   – Blocking at “perimeter” extremely useful here

• Windows Domain Machine Authentication
   – Domain member machines must be able to authenticate as a
     machine for domain user credentials to be processed
   – FreeRADIUS proxies Windows machine authentications to a
     Microsoft IAS RADIUS server
   – FreeRADIUS still controls connection policy
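The IDS-fed block on Calling-Station-Id above is simple in outline but has one practical trap: access points format the MAC in that attribute inconsistently (dashes, colons, dotted Cisco style, mixed case), so a naive string compare silently fails to block. The following added example (not UTD's FreeRADIUS module) shows a stand-alone policy check with MAC normalisation on both the IDS feed and the request; the request dictionaries and feed lines are constructed, and the rcode strings only borrow FreeRADIUS's naming, this is not an rlm_* module hook.

```python
"""MAC blocklist check for RADIUS Access-Requests (added example, not UTD's
FreeRADIUS module).  Calling-Station-Id carries the client MAC, but different
APs write it as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 in
either case, so every value is normalised before comparison.  IDS feed lines
and request attributes below are constructed for the example."""
import re

_SEPARATORS = re.compile(r"[:.\-\s]")
_MAC12 = re.compile(r"[0-9a-fA-F]{12}")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex chars, or None if it is not a MAC."""
    stripped = _SEPARATORS.sub("", value or "")
    if not _MAC12.fullmatch(stripped):
        return None
    return stripped.lower()


class Blocklist:
    """MAC -> reason map, loaded from the IDS and consulted per request."""

    def __init__(self):
        self._entries = {}

    def load_ids_feed(self, lines):
        """Feed format assumed here: '<mac> <free-text reason>' per line.
        Malformed lines are skipped; returns the number of entries added."""
        added = 0
        for line in lines:
            parts = line.split(None, 1)
            if not parts:
                continue
            mac = normalize_mac(parts[0])
            if mac is None:
                continue
            self._entries[mac] = parts[1].strip() if len(parts) > 1 else "blocked"
            added += 1
        return added

    def release(self, value):
        """Remove a cleaned machine; True if it was present."""
        return self._entries.pop(normalize_mac(value), None) is not None

    def authorize(self, request):
        """Decide on an Access-Request given as an attribute dict.
        Returns (rcode, reply attributes); rcode is 'ok' or 'reject'."""
        mac = normalize_mac(request.get("Calling-Station-Id"))
        if mac is None:
            # Fail closed: with no usable MAC the block cannot be enforced.
            return "reject", {"Reply-Message": "Calling-Station-Id missing or malformed"}
        reason = self._entries.get(mac)
        if reason is not None:
            return "reject", {"Reply-Message": "Host quarantined: " + reason}
        return "ok", {}


if __name__ == "__main__":
    bl = Blocklist()
    # Constructed IDS feed: one dashed, one Cisco-style, one junk line.
    bl.load_ids_feed(["00-11-22-33-44-55 worm traffic to tcp/445",
                      "0011.2233.4466 port scanning",
                      "not a mac at all"])
    print(bl.authorize({"User-Name": "alice", "Calling-Station-Id": "00:11:22:33:44:55"}))
    print(bl.authorize({"User-Name": "bob", "Calling-Station-Id": "00:11:22:33:44:77"}))
```

Rejecting on a missing or malformed Calling-Station-Id is a deliberate choice: every 802.11 AP sends it, so its absence means a misconfigured NAS or a forged request, and a check that returns "ok" in that case can be bypassed by exactly the hosts it is meant to stop. The block is keyed on the MAC the IDS saw, so it must be released when the machine is cleaned (release()), otherwise the RADIUS reject outlives the infection.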

Where do we go from here?

• Rollout to our main campus

• Use of accounting data for detailed usage reports

• More policy management using dynamically assigned

• Authenticated guest access using temporary credentials

• 802.1X for public wired switchports?

• VoFi phones on the near horizon

Federated Wireless Network

• I2 SALSA-NetAuth Group
• Working to enable institutional members to authenticate to
  networks (wireless/wired) at other institutions using their
  home credentials.
• Enable roaming between higher education, K-12, government, and industry
• Employs 802.1X and RADIUS peering

• Biweekly Conference Calls
   – Thursday 11am-12pm: Feb 24, Mar 10
   – 866-411-0013, 0184827
• salsa-fwna @ internet2 list
   – “subscribe salsa-fwna” to sympa @ internet2

• UTD 802.1X Client Setup Instructions
   – http://www.utdallas.edu/ir/cats/network/wlan/8021x/

• EAP Capable RADIUS Servers
   –   FreeRADIUS http://www.freeradius.org/
   –   Microsoft IAS http://www.microsoft.com/ias/
   –   Steel Belted RADIUS http://www.funk.com/
   –   Radiator http://www.open.com.au/radiator/

• Federated Wireless NetAuth (FWNA) Internet2 Group
   – http://security.internet2.edu/fwna/
