
Page 1: PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005

PKI Network Authentication Dartmouth Applications

Robert Brentrup

Educause/Dartmouth PKI Summit

July 27, 2005

Page 2

Next Phase Applications

• Hardware Key Storage (USB Tokens)

• Application and OS Sign-on with Tokens

• Document Signatures

– Acrobat, Office, XML (NIH)

• Secure Mail and List Server

• Wireless Network Authentication

• Grids

Page 3

Network Auth Technologies

• Wireless and Wired

– 802.1x/EAP

– TLS and TTLS

– or LEAP, PEAP, MS-CHAP etc.

• WEP, WPA - 802.1x

• VPN

– IPSEC standard, using Cisco proprietary

– Cisco password authentication is vulnerable; use client certificates to be secure

Page 4

VPN Objectives

• Secure network connections for distant offices and travellers

– some from home use too, local IP address

• Secure some legacy applications with closed subnets

– server firewall rejects connections not from Private subnet addresses

– Use PKI “High Assurance” certificate (token if possible) to authenticate

– Assign IP address from protected space after Radius Authentication/Authorization

Page 5

VPN Implementation

• Cisco 3000 VPN concentrators

– 3000 can only look at OU in DN, so added OU=PrivateGroupVPN to certs

• ACL check implemented by Radius server

• Members of ACL maintained with “AuthAdmin” application

• Configure protected subnets on concentrator

• Two redundant Radius servers for reliability

– running FreeRadius 0.9.2

Page 6

AuthAdmin

• Each private VPN subnet intended for members of a specific group

• Existing examples

– Human Resources

– Dean of Students Office

– International Students Office

– Student Health Services

• Individual in the group authorized to maintain group membership, add and delete

• Group membership stored in LDAP directory

– Web interface for group admin
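The per-session decision that slides 5 and 6 describe (OU gate on the client certificate, ACL check against the AuthAdmin-maintained group, then an address from the group's protected subnet), written out as an added example; this is not Dartmouth's Radius configuration, and the group names, member lists and subnets are constructed.

```python
import ipaddress
import re

# Constructed stand-in for the LDAP-stored group membership that AuthAdmin maintains.
GROUP_MEMBERS = {"hr-vpn": {"alice", "bob"}, "health-vpn": {"carol"}}
# Constructed mapping from group to the protected subnet its members are addressed from.
GROUP_SUBNETS = {"hr-vpn": ipaddress.ip_network("10.20.1.0/24"),
                 "health-vpn": ipaddress.ip_network("10.20.2.0/24")}
REQUIRED_OU = "PrivateGroupVPN"   # the OU the deck says was added to the certs

def parse_dn(dn: str) -> dict:
    """Split an RFC 2253-style DN ('CN=alice,OU=PrivateGroupVPN,O=Dartmouth College')
    into attribute -> list of values; attributes such as OU may repeat."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.partition("=")
        attrs.setdefault(name.strip().upper(), []).append(value.strip())
    return attrs

def authorize(subject_dn: str, group: str, leases: set):
    """Decide one VPN session: (accept, assigned_ip). subject_dn is the subject of
    the client certificate presented in the TLS handshake; `leases` tracks the
    protected-space addresses already handed out."""
    attrs = parse_dn(subject_dn)
    if REQUIRED_OU not in attrs.get("OU", []):
        return False, None            # the concentrator's OU-only check
    cn = attrs.get("CN", [None])[0]
    if cn is None or cn not in GROUP_MEMBERS.get(group, set()):
        return False, None            # ACL check against the group kept in AuthAdmin
    for host in GROUP_SUBNETS[group].hosts():
        if host not in leases:        # first free address in the protected subnet
            leases.add(host)
            return True, str(host)
    return False, None                # pool exhausted: reject rather than fall back

if __name__ == "__main__":
    leases = set()
    print(authorize("CN=alice,OU=PrivateGroupVPN,O=Dartmouth College", "hr-vpn", leases))
    print(authorize("CN=carol,O=Dartmouth College", "health-vpn", leases))
```

The OU check alone proves only that the CA issued a VPN-capable certificate; the group ACL is what ties a subnet to its intended office.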

Page 7

AuthAdmin UI

(screen shot)

Page 8

Network Authentication Objectives

• Implement additional protection for campus network services

• Limit outside use of network

• Protect campus users from malicious behavior of others

• Eliminate possible eavesdropping

Page 9

Network Authentication Implementation

• Deploy 802.1x/EAP-TLS on APs and switches

• Traffic is encrypted between user and AP/switch

• Clients are authenticated with PKI certificates

– in our case locally issued

• No passwords are exchanged (no credentials to steal)

Page 10

EAP-TLS Implementation

• Configure Radius

– AP clients, users, EAP-TLS module

– Certificate for Radius server

– Provide Root certificates of trusted CAs to EAP-TLS module

• Dartmouth self-signed certificates automatically accepted

• Tested APs from Cisco and Aruba

Page 11

Client Software

• Supplicants built into Win 2000 SP4, XP SP1-2, MacOS 10.3+

– other supplicants available for these platforms

• Supplicants available for Linux, Win98 and MacOS 9 (some from vendors)

Page 12

Issues

• Windows:

– no password on keys

– no luck with tokens yet

– set advanced options for server certificate validation

– Certificates with UID in DN fail

• Win XP SP1 had some issues with SSID and cert selection, improved in SP2

• Mac Keychain: early versions confused by more than one key with the same "name"

Page 13

Greenpass Objectives

• System developed to support Guest Authorization in an 802.1x EAP-TLS environment

– Also useful for insiders that forgot their token

• User only needs 802.1x capable machine and web browser, no additional software

• Guest Introduces Public Key to Greenpass Authorization System

• Host signs authorization for Guest Access using SPKI certificate delegation features

• Guest then has access to controlled internal network until time limit expires

Page 14

Greenpass Implementation

• Use Router, AP and switch capable of VLANs to create limited use network

• Recently implemented automatic VLAN switching by Radius

• Modifications to FreeRadius needed

• Greenpass servers run on Linux

• Delegation tool is written in Java

• Available as Open Source

– www.dartmouth.edu/~pkilab/greenpass
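The authorization flow of slides 13 and 14 reduced to its core, as an added example that is not Greenpass code: the authority grants a host the right to delegate, the host issues a non-delegable, time-limited grant to the guest's key fingerprint, and the Radius side walks that chain before choosing the VLAN. Real SPKI certificates carry the issuer's public-key signature; here an HMAC keyed by a per-issuer secret stands in for it, and the fingerprints, tags and VLAN names are constructed.

```python
import hashlib
import hmac
import json

def fingerprint(pubkey: bytes) -> str:
    """Key identity shown to the delegator (constructed: truncated SHA-256)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

def issue(issuer_secret: bytes, issuer_fp: str, subject_fp: str,
          propagate: bool, not_after: float) -> dict:
    """Issuer grants 'net-access' to subject_fp until not_after. propagate=True
    lets the subject delegate onward (a host's right); guests get False.
    The HMAC stands in for the issuer's SPKI signature (assumption)."""
    cert = {"issuer": issuer_fp, "subject": subject_fp, "tag": "net-access",
            "propagate": propagate, "not_after": not_after}
    canonical = json.dumps(cert, sort_keys=True).encode()
    cert["sig"] = hmac.new(issuer_secret, canonical, "sha256").hexdigest()
    return cert

def verify_chain(chain: list, root_fp: str, keys: dict, guest_fp: str, now: float):
    """Walk root -> host -> guest. Returns (ok, effective_expiry): every link
    must be issued by the previous subject, an intermediate link must carry
    the propagate right, and validity is the minimum not_after over the chain."""
    expected_issuer, expiry = root_fp, float("inf")
    for i, cert in enumerate(chain):
        key = keys.get(cert["issuer"])
        if key is None or cert["issuer"] != expected_issuer or cert["tag"] != "net-access":
            return False, None
        body = {k: v for k, v in cert.items() if k != "sig"}
        mac = hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, cert["sig"]):
            return False, None
        expiry = min(expiry, cert["not_after"])
        if i < len(chain) - 1 and not cert["propagate"]:
            return False, None          # a non-delegable grant cannot be passed on
        expected_issuer = cert["subject"]
    if expected_issuer != guest_fp or now > expiry:
        return False, None
    return True, expiry

def vlan_for(chain, root_fp, keys, guest_fp, now) -> str:
    """The Radius-side outcome: internal VLAN while the chain is valid,
    otherwise the limited guest VLAN (VLAN names are constructed)."""
    ok, _ = verify_chain(chain, root_fp, keys, guest_fp, now)
    return "internal" if ok else "guest-limited"
```

The guest never installs software or receives a CA-issued certificate; the only thing the delegator signs is the fingerprint the guest introduced, which is why the time limit and the cleared propagate bit matter.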

Page 15

Guest Unauthorized

(screen shot)

Page 16

Guest Introduction

(screen shot)

Page 17

Guest Fingerprint

(screen shot)

Page 18

Authorized Delegator

(screen shot)

Page 19

Select Guest

(screen shot)

Page 20

Guest Lookup

(screen shot)

Page 21

Delegation Tool

(screen shot)

Page 22

Delegation Complete

(screen shot)

Page 23

Guest Authorized

(screen shot)

Page 24

Authorized User

(screen shot)