Wireless Security and Accounting with 802.1X
Dec 31, 2015
Introduction
• Background
• Why 802.1X?
• What is 802.1X?
• Implementing 802.1X at UTD
• The future of 802.1X and network security
Background
• Student housing apartments comprise the largest apartment complex in the D/FW Metroplex: 1200 units, 67 buildings
• Peak usage of almost 1000 simultaneous users
• Student housing security provided by SSID cloaking, WEP, and a Bluesocket gateway doing web authentication
• Campus security provided by WEP, SSID cloaking, and MAC address registration
The Criteria
• Client availability and ease of use
• Scalable and robust
• Ease of integration with existing security and identity systems
• Low cost
• And, of course, the best security possible
802.1X Meets the Challenge
• Client availability and ease of use
– Most OSes now come with 802.1X clients, more added frequently
– No more requirement for SSID cloaking and MAC registration
• Scalable and robust
– As scalable as your APs, no extra density calculations
• Ease of integration with existing security and identity systems
– Most RADIUS implementations integrate with LDAP and SQL
• Low cost
– Only required purchase of two servers and a commercial certificate
• Provides exceptional accounting information
The Best Overall Security
• Authenticates users with a variety of methods
• Robust, dynamically keyed encryption
• Pushes the security perimeter to the very entry point of the network by securing connections at the AP
– Protects authenticated clients from unauthenticated clients
– Mutual authentication
– Mitigates connection hijacking
What is 802.1X?
• Port Access Authentication
– Originally designed for authenticating ports on wired LANs
– Port traffic, except for 802.1X, blocked until successful authentication
• Three Components
– Supplicant (client)
– Authenticator (switch, AP, other NAS, preferably RADIUS capable)
– Authentication Server (sometimes part of the Authenticator, otherwise a RADIUS server)
• Utilizes the Extensible Authentication Protocol (EAP)
– As such, it is sometimes known as EAPoL (EAP over LAN)
– RADIUS server must be EAP capable
802.1X Meets Wireless
• Associations (wireless clients) become virtual “ports”
• Frequent reauthentications reset key material and ensure no session hijacking has occurred
• EAPoL-Key frames deliver the dynamic encryption keys
• Now used as the basis for enterprise authentication in WPA and WPA2 (802.11i)
EAP Demystified
• Originally designed for PPP authentication
• Authentication framework
– Authenticators only need to recognize a few well defined messages
• Request/Response
• Success/Failure
– EAP subtypes allow new types of authentication to be added without requiring upgrades to the Authenticators
– Only Supplicants and Authentication Servers need to implement the details of new EAP types
EAP Types
• EAP-MD5
– Does NOT provide for dynamic encryption
– User authenticated by password
– Network NOT authenticated to user (no mutual authentication)
• EAP-TLS
– Provides for dynamic encryption
– User and network mutually authenticated using certificates
• EAP-TTLS and PEAP
– Provide for dynamic encryption
– Network authenticated using a certificate
– Client authentication tunneled inside the TLS session that the server certificate establishes
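The "few well defined messages" point above is easiest to see in a decoder. The following Python is an added example for this page, not code from UTD or from any supplicant or RADIUS product: it parses EAPoL frames and the EAP packets inside them using the code and type numbers from the RFCs (EAP codes 1-4; types 1 Identity, 4 MD5-Challenge, 13 EAP-TLS, 21 EAP-TTLS, 25 PEAP), and shows that an authenticator decides what to do from the EAPoL type and EAP code alone, never from the EAP type. The sample frames are constructed by hand for the example (Ethernet header already stripped).

```python
import struct

# Constructed sample EAPoL frames (payload after EtherType 0x888E), not captures.
EAPOL_START = bytes.fromhex("01010000")                      # v1, EAPOL-Start, no body
EAP_RESP_IDENTITY = bytes.fromhex("0100000a" "0201000a" "01") + b"alice"  # Response/Identity
EAP_REQ_PEAP = bytes.fromhex("01000006" "01020006" "19" "20")  # Request, type 25 PEAP, S flag
EAP_SUCCESS = bytes.fromhex("01000004" "03010004")           # Success: no type, no data

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPoL header and, for EAP-Packet frames, the EAP header."""
    if len(frame) < 4:
        raise ValueError("short EAPoL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPoL body")
    out = {"eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:
        return out                      # Start/Logoff/Key carry no EAP packet
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    out.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
    if code in (1, 2):                  # only Request/Response carry a type and data
        if eap_len < 5:
            raise ValueError("Request/Response without type")
        out["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        out["data"] = body[5:eap_len]   # opaque to the authenticator
    return out


def authenticator_action(parsed: dict) -> str:
    """What a pass-through authenticator (AP/switch) does with a frame from
    either side. Note that the EAP type never enters the decision."""
    kind = parsed["eapol_type"]
    if kind == "EAPOL-Start":
        return "send EAP-Request/Identity to supplicant"
    if kind == "EAPOL-Logoff":
        return "unauthorize port"
    if kind == "EAPOL-Key":
        return "install keys"
    return {"Request": "relay to supplicant",
            "Response": "relay to RADIUS server",
            "Success": "authorize port",
            "Failure": "keep port blocked"}.get(parsed.get("eap_code"), "drop")


if __name__ == "__main__":
    for frame in (EAPOL_START, EAP_RESP_IDENTITY, EAP_REQ_PEAP, EAP_SUCCESS):
        p = parse_eapol(frame)
        print(p, "->", authenticator_action(p))
```

Because the per-type payload is handed through untouched, a new EAP method only needs the supplicant and the RADIUS server to change, which is exactly why the APs did not need replacing when UTD moved from web authentication to PEAP.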
UTD Chooses PEAP
• Specifically PEAP-MSCHAPv2
• Native to Windows XP and above (available from Microsoft for Windows 2000 in SP4)
• Also implemented in most other supplicants (Open1X, Mac OS X 10.3, etc.)
• Allows clients to authenticate with their familiar username and password
• Does not require help desk intervention to set up the connection
Hardware Details
• 802.1X Capable Access Points
– UTD currently uses Proxim APs
– Almost any enterprise-class AP
• Two RADIUS Servers
– Provides for failover
– Not required to be beefy
• RADIUS is a lightweight service, even with TLS sessions and frequent reauthentications
• Low-end Dell PowerEdge servers
Software Details
• Fedora Core (OS)
• MySQL
– Provides policy enforcement and accounting backend for RADIUS
– Holds special case users that do not exist in the LDAP tree
• FreeRADIUS
– Ties in with LDAP and SQL to form the authentication, authorization, and accounting (AAA) framework for the wireless LAN
PEAP Certificate
• Certificate required for network authentication
• Certificate must contain the TLS Web Server Authentication Extended Key Usage attribute
– Required by the Microsoft supplicant
– OID 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
– Present in commercial web server SSL certificates
• Commercial certificate obtained from VeriSign
– No need for a “roll-your-own” CA
– Help desk not required to load a CA certificate on user machines
MSCHAPv2
• Password hashes in the LDAP tree incompatible with MSCHAPv2 (it needs the NT hash, or the cleartext password, to compute its challenge response)
• New ntPassword attribute added to the LDAP schema to hold the NT hashed password (MD4 over the UTF-16LE password)
– Attribute ONLY accessible to the RADIUS LDAP profile
– Web account management system updated to populate the ntPassword attribute when a password change occurs
Rollout Timeline
• Six months before rollout
– Web account management system updated to load NT hashed password
– RADIUS servers configured and tested
• Two weeks before rollout
– Notification posted to students of change
– Web pages with instructions for setting up 802.1X in various OSes provided
– Printed versions of instructions provided at help desk and apartment complex leasing office
• Rollout
– Campus router interface created for wireless LAN (previously handled by Bluesocket gateway)
– DHCP updated: new address space, unknown clients allowed
– APs reconfigured to require 802.1X authentication
Recent Additions
• Homegrown FreeRADIUS module for blocking virus infected machines
– Blocks machines based on the RADIUS Calling-Station-Id attribute (MAC address)
– Fed automatically from IDS
– Blocking at the “perimeter” extremely useful here
• Windows Domain Machine Authentication
– Domain member machines must be able to authenticate as a machine for domain user credentials to be processed
– FreeRADIUS proxies Windows machine authentications to a Microsoft IAS RADIUS server
– FreeRADIUS still controls connection policy
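The one detail that trips up Calling-Station-Id blocking in practice is notation: each AP vendor formats the MAC differently (colons, dashes, Cisco dotted quads, or bare hex, in either case), and an IDS feed uses yet another, so a naive string compare silently misses. The following Python is an added example, not UTD's FreeRADIUS module: it canonicalizes the attribute, checks it against an IDS-fed blocklist, and returns the policy decision a RADIUS authorize step would act on. The blocklist entries and request attributes are constructed for the example.

```python
import re

# Constructed IDS feed: infected MACs in whatever notation the IDS emitted them.
IDS_BLOCKLIST = {"00:11:22:33:44:55", "0011.2233.AABB"}

# Accepted MAC notations, lowercase: aa:bb:cc:dd:ee:ff / aa-bb-..., aabb.ccdd.eeff, aabbccddeeff
_MAC_FORMS = (r"[0-9a-f]{2}([:-])([0-9a-f]{2}\1){4}[0-9a-f]{2}",
              r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}",
              r"[0-9a-f]{12}")


def normalize_mac(value: str):
    """Canonical 12 lowercase hex digits, or None when the value is not a MAC
    (a dial-in NAS puts a phone number in Calling-Station-Id, for instance)."""
    v = value.strip().lower()
    if any(re.fullmatch(p, v) for p in _MAC_FORMS):
        return re.sub(r"[^0-9a-f]", "", v)
    return None


def authorize(request: dict, blocklist=IDS_BLOCKLIST) -> tuple:
    """Policy step run before credential checking. Returns ("reject", reason) or
    ("continue", None); fails closed when the attribute is missing or malformed."""
    blocked = {normalize_mac(m) for m in blocklist} - {None}
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return ("reject", "Calling-Station-Id missing or not a MAC")
    if mac in blocked:
        return ("reject", f"{mac} quarantined by IDS")
    return ("continue", None)


if __name__ == "__main__":
    # Constructed Access-Request attribute sets, as three different APs might send them.
    for req in ({"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"},
                {"User-Name": "bob", "Calling-Station-Id": "0011.2233.aabb"},
                {"User-Name": "carol", "Calling-Station-Id": "00:11:22:33:44:56"},
                {"User-Name": "dave"}):
        print(req.get("User-Name"), authorize(req))
```

Two caveats a practitioner would add: the MAC is asserted by the client and is trivially changed, so this is containment of an infected machine, not authentication; and a rejection only takes effect at the machine's next (re)authentication, which is one more reason the frequent reauthentication interval mentioned earlier matters. Immediate eviction needs the AP to honour RADIUS Disconnect-Request messages.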
Where do we go from here?
• Rollout to our main campus
• Use of accounting data for detailed usage reports
• More policy management using dynamically assigned VLANs
• Authenticated guest access using temporary credentials
• 802.1X for public wired switchports?
• VoFi phones on the near horizon
Federated Wireless Network Authentication
• I2 SALSA-NetAuth Group
• Working to enable institutional members to authenticate to networks (wireless/wired) at other institutions using their home credentials
• Enable roaming between HiEd, K-12, government, industry
• Employs 802.1X and RADIUS peering
• Biweekly Conference Calls
– Thursday 11am-12pm: Feb 24, Mar 10
– 866-411-0013, 0184827
• salsa-fwna @ internet2 list
– “subscribe salsa-fwna” to sympa @ internet2
Resources
• UTD 802.1X Client Setup Instructions
– http://www.utdallas.edu/ir/cats/network/wlan/8021x/
• EAP Capable RADIUS Servers
– FreeRADIUS http://www.freeradius.org/
– Microsoft IAS http://www.microsoft.com/ias/
– Steel Belted RADIUS http://www.funk.com/
– Radiator http://www.open.com.au/radiator/
• Federated Wireless NetAuth (FWNA) Internet2 Group
– http://security.internet2.edu/fwna/