Wireless Security and Accounting with 802.1X

Uploaded by amarante-kamida, posted 31-Dec-2015

Page 1: Wireless Security and Accounting with 802.1X

Page 2: Introduction

• Background

• Why 802.1X?

• What is 802.1X?

• Implementing 802.1X at UTD

• The future of 802.1X and network security

Page 3: Background

• Student housing apartments comprise the largest apartment complex in D/FW Metroplex – 1200 units, 67 buildings

• Peak usage of almost 1000 simultaneous users

• Student housing security provided by SSID cloaking, WEP, and Bluesocket gateway doing web authentication

• Campus security provided by WEP, SSID cloaking, and MAC address registration

Page 4: The Criteria

• Client availability and ease of use

• Scalable and robust

• Ease of integration with existing security and identity systems

• Low cost

• And, of course, the best security possible

Page 5: 802.1X Meets the Challenge

• Client availability and ease of use

– Most OSes now come with 802.1X clients, more added frequently

– No more requirement for SSID cloaking and MAC registration

• Scalable and robust

– As scalable as your APs, no extra density calculations

• Ease of integration with existing security and identity systems

– Most RADIUS implementations integrate with LDAP and SQL

• Low cost

– Only required purchase of two servers and a commercial certificate

• Provides exceptional accounting information

Page 6: The Best Overall Security

• Authenticates users by a variety of methods

• Robust, dynamically keyed encryption

• Pushes the security perimeter to the absolute entry point of the network by securing connections at the AP

– Protects authenticated clients from unauthenticated clients

– Mutual authentication

– Mitigates connection hijacking

Page 7: What is 802.1X?

• Port Access Authentication

– Originally designed for authenticating ports on wired LANs

– Port traffic, except for 802.1X, blocked until successful authentication

• Three Components

– Supplicant (client)

– Authenticator (switch, AP, other NAS, preferably RADIUS capable)

– Authentication Server (sometimes part of Authenticator, otherwise RADIUS server)

• Utilizes the Extensible Authentication Protocol (EAP)

– As such, it is sometimes known as EAPoL (EAP over LAN)

– RADIUS server must be EAP capable

Page 8: 802.1X Meets Wireless

• Associations (wireless clients) become virtual “ports”

• Frequent reauthentications reset key information and ensure no session hijacking has occurred

• EAPoL Key frame used to provide dynamic encryption

• Now used as the basis for enterprise authentication in WPA and WPA2 (802.11i)

Page 9: EAP Demystified

• Originally designed for PPP authentication

• Authentication framework

– Authenticators only need to recognize a few well-defined messages

• Request/Response

• Success/Failure

– EAP subtypes allow for new types of authentication to be added without requiring upgrades to the Authenticators

– Only Supplicants and Authentication Servers need to implement details of new EAP types
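The three slides above describe the authenticator's whole job: keep the port closed to everything but EAPoL until the authentication server says otherwise, relay EAP Responses toward that server, and act only on EAP Success/Failure. The Go program below is an added example written for this transcript (it is not code from the presentation or from any of the products named on it) that models exactly that controlled-port behaviour. It parses the EAPOL and EAP headers from raw bytes, decides for each frame from the supplicant whether it is dropped, forwarded or relayed, and opens or closes the port on the server's result. The EtherType, packet types and EAP codes are the values from IEEE 802.1X and RFC 3748; the source MAC, the identity "student" and the helper functions EAPPacket/EAPOLFrame are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	EtherTypeEAPOL                                        = 0x888E     // EAPOL (EAP over LAN) EtherType
	EAPOLEAPPacket, EAPOLLogoff                     uint8 = 0, 2       // EAPOL packet types (IEEE 802.1X)
	EAPRequest, EAPResponse, EAPSuccess, EAPFailure uint8 = 1, 2, 3, 4 // EAP codes (RFC 3748)
	Drop, Forward, Relay = "drop", "forward", "relay to authentication server" // authenticator verdicts
)

// ParseEAP validates an EAP packet and returns code, identifier, type (0 for
// Success/Failure, which carry no type) and the type-specific data.
func ParseEAP(b []byte) (code, id, typ uint8, data []byte, err error) {
	if len(b) < 4 {
		return 0, 0, 0, nil, errors.New("short EAP header")
	}
	n := int(binary.BigEndian.Uint16(b[2:4]))
	if n < 4 || n > len(b) {
		return 0, 0, 0, nil, errors.New("EAP length inconsistent with packet")
	}
	code, id, data = b[0], b[1], b[4:n]
	if code == EAPRequest || code == EAPResponse {
		if len(data) == 0 {
			return 0, 0, 0, nil, errors.New("request/response without type")
		}
		typ, data = data[0], data[1:]
	}
	return code, id, typ, data, nil
}

// Port models one 802.1X controlled port: a switchport, or one wireless association.
type Port struct{ Authorized bool }

// HandleFrame: until authorized only EAPOL passes, and EAP responses are relayed.
func (p *Port) HandleFrame(frame []byte) (string, error) {
	if len(frame) < 14 {
		return Drop, errors.New("short Ethernet frame")
	}
	if binary.BigEndian.Uint16(frame[12:14]) != EtherTypeEAPOL {
		if p.Authorized {
			return Forward, nil
		}
		return Drop, nil // data traffic is blocked before authentication
	}
	body := frame[14:] // EAPOL header: version, packet type, body length
	if len(body) < 4 || int(binary.BigEndian.Uint16(body[2:4])) > len(body)-4 {
		return Drop, errors.New("malformed EAPOL header")
	}
	n := binary.BigEndian.Uint16(body[2:4])
	switch body[1] {
	case EAPOLLogoff:
		p.Authorized = false // supplicant leaves; the port closes again
	case EAPOLEAPPacket:
		code, _, _, _, err := ParseEAP(body[4 : 4+n])
		if err != nil || code != EAPResponse { // supplicants only send responses
			return Drop, err
		}
		return Relay, nil
	}
	return Drop, nil // EAPOL-Start (a real authenticator now sends EAP-Request/Identity) and Logoff
}

// OnServerResult applies the EAP packet the RADIUS server returned inside its
// Access-Accept (Success), Access-Reject (Failure) or Access-Challenge (Request).
func (p *Port) OnServerResult(eap []byte) (bool, error) {
	code, _, _, _, err := ParseEAP(eap)
	if err == nil && (code == EAPSuccess || code == EAPFailure) {
		p.Authorized = code == EAPSuccess
	}
	return p.Authorized, err
}

// EAPPacket and EAPOLFrame are constructed helpers that build sample traffic.
func EAPPacket(code, id, typ uint8, data []byte) []byte {
	p := []byte{code, id, 0, 0}
	if code == EAPRequest || code == EAPResponse {
		p = append(p, typ)
	}
	p = append(p, data...)
	binary.BigEndian.PutUint16(p[2:4], uint16(len(p)))
	return p
}

func EAPOLFrame(pktType uint8, payload []byte) []byte {
	f := []byte{0x01, 0x80, 0xC2, 0, 0, 3, 0, 0x11, 0x22, 0x33, 0x44, 0x55} // PAE group dst, sample src
	f = append(f, 0x88, 0x8E, 0x01, pktType, byte(len(payload)>>8), byte(len(payload)))
	return append(f, payload...)
}

func main() {
	var port Port
	fmt.Println(port.HandleFrame(EAPOLFrame(EAPOLEAPPacket, EAPPacket(EAPResponse, 1, 1, []byte("student")))))
	fmt.Println(port.OnServerResult(EAPPacket(EAPSuccess, 1, 0, nil)))
}
```

Two design points carry over to a real authenticator: the length fields in both headers are checked against the buffer before anything is sliced, so a truncated or oversized frame is dropped rather than read past its end, and the port only ever opens on an EAP Success that came from the server side, never on anything the supplicant sends.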

Page 10: EAP Types

• EAP-MD5

– Does NOT provide for dynamic encryption

– User authenticated by password

– Network NOT authenticated to user (no mutual authentication)

• EAP-TLS

– Provides for dynamic encryption

– User and network mutually authenticated using certificates

• EAP-TTLS and PEAP

– Provide for dynamic encryption

– Network authenticated using certificate

– Client authentication tunneled inside of EAP-TLS

Page 11: UTD Chooses PEAP

• Specifically PEAP-MSCHAPv2

• Native to Windows XP and above (available from Microsoft for Windows 2000 in SP4)

• Also implemented in most other supplicants (Open1X, Mac OS X 10.3, etc.)

• Allows clients to authenticate with familiar username and password

• Does not require helpdesk intervention to set up connection

Page 12: Hardware Details

• 802.1X Capable Access Points

– UTD currently uses Proxim APs

– Almost any enterprise-class AP

• Two RADIUS Servers

– Provides for failover

– Not required to be beefy

• RADIUS is a lightweight service, even with TLS sessions and frequent reauthentications

• Low-end Dell PowerEdge servers

Page 13: Software Details

• Fedora Core OS

• MySQL

– Provides policy enforcement and accounting backend for RADIUS

– Holds special case users that do not exist in LDAP tree

• FreeRADIUS

– Ties in with LDAP and SQL to form authentication, authorization, and accounting (AAA) framework for wireless LAN

Page 14: PEAP Certificate

• Certificate required for network authentication

• Certificate must contain the TLS Web Server Authentication Extended Key Usage attribute

– Required by Microsoft supplicant

– OID .1.3.6.1.5.5.7.3.1

– Exists in commercial web server SSL certificates

• Commercial certificate obtained from VeriSign

– No need for “roll-your-own” CA

– Help desk not required to load CA certificate on user machines
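The slide's requirement (the RADIUS server certificate must carry the serverAuth Extended Key Usage, OID 1.3.6.1.5.5.7.3.1) is easy to check before a rollout rather than after supplicants start failing. The Go program below is an added example for this transcript, not code from the presentation: it parses a DER certificate with the standard library and reports whether its EKU extension includes serverAuth, treating a certificate with no EKU extension as not meeting the requirement. SelfSignedCert is a constructed helper that generates throwaway certificates with chosen EKUs so the check can be exercised offline; in practice the input would be the commercial certificate's DER bytes. The common name radius.example.edu is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerAuthOID is the Extended Key Usage the supplicant requires:
// TLS Web Server Authentication, which Go exposes as x509.ExtKeyUsageServerAuth.
const ServerAuthOID = "1.3.6.1.5.5.7.3.1"

// HasServerAuthEKU parses a DER-encoded certificate and reports whether its
// EKU extension includes serverAuth. No EKU extension at all counts as false.
func HasServerAuthEKU(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth {
			return true, nil
		}
	}
	return false, nil
}

// SelfSignedCert builds a throwaway self-signed certificate with the given
// EKUs (constructed test input standing in for the commercial certificate).
func SelfSignedCert(cn string, eku []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	cases := []struct {
		name string
		eku  []x509.ExtKeyUsage
	}{
		{"serverAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"clientAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"no EKU extension", nil},
	}
	fmt.Println("checking for EKU", ServerAuthOID)
	for _, c := range cases {
		der, err := SelfSignedCert("radius.example.edu", c.eku)
		if err != nil {
			panic(err)
		}
		ok, _ := HasServerAuthEKU(der)
		fmt.Printf("%-18s usable for PEAP server authentication: %v\n", c.name, ok)
	}
}
```

The same check applied to the real certificate file (read its DER bytes, or decode PEM with encoding/pem first) tells you before the two-week notice goes out whether the Windows supplicant will accept the server.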

Page 15: MSCHAPv2

• Password hashes in LDAP tree incompatible with MSCHAPv2

• New ntPassword attribute added to LDAP schema to hold NTLMv2 hashed password

– Attribute ONLY accessible to RADIUS LDAP profile

– Web account management system updated to populate ntPassword attribute when password change occurs

Page 16: Rollout Timeline

• Six months before rollout

– Web account management system updated to load NT hashed password

– RADIUS servers configured and tested

• Two weeks before rollout

– Notification posted to students of change

– Web pages with instructions for setting up 802.1X in various OSes provided

– Printed versions of instructions provided at help desk and apartment complex leasing office

• Rollout

– Campus router interface created for wireless LAN (previously handled by Bluesocket gateway)

– DHCP updated – new address space, unknown clients allowed

– APs reconfigured to require 802.1X authentication

Page 17: Recent Additions

• Homegrown FreeRADIUS module for blocking virus-infected machines

– Blocks machines based on RADIUS Calling-Station-Id attribute (MAC address)

– Fed automatically from IDS

– Blocking at “perimeter” extremely useful here

• Windows Domain Machine Authentication

– Domain member machines must be able to authenticate as a machine for domain user credentials to be processed

– FreeRADIUS proxies Windows machine authentications to a Microsoft IAS RADIUS server

– FreeRADIUS still controls connection policy
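The blocking module described on this slide has one practical wrinkle the slide does not spell out: Calling-Station-Id is a free-form string, and access points from different vendors write the MAC address in different shapes (colons, hyphens, Cisco dotted groups, upper or lower case), so a feed entry and a request only match if both are normalized first. The Go program below is an added example written for this transcript, not the UTD module or FreeRADIUS code. It normalizes MACs, loads a blocklist from an IDS-style feed (the feed text and MACs are constructed), and returns the module's decision for an Access-Request; an unparseable Calling-Station-Id is flagged rather than rejected, leaving the regular authentication policy to run.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// NormalizeMAC canonicalizes the MAC formats different NAS vendors put in
// Calling-Station-Id (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff,
// aabbccddeeff) to lower-case colon form so feed entries and requests compare equal.
func NormalizeMAC(s string) (string, error) {
	var hex []byte
	for _, r := range strings.ToLower(strings.TrimSpace(s)) {
		switch {
		case r >= '0' && r <= '9', r >= 'a' && r <= 'f':
			hex = append(hex, byte(r))
		case r == ':' || r == '-' || r == '.':
			// separator, ignored
		default:
			return "", fmt.Errorf("unexpected character %q in MAC %q", r, s)
		}
	}
	if len(hex) != 12 {
		return "", fmt.Errorf("MAC %q does not have 12 hex digits", s)
	}
	parts := make([]string, 6)
	for i := range parts {
		parts[i] = string(hex[2*i : 2*i+2])
	}
	return strings.Join(parts, ":"), nil
}

// Blocklist maps a normalized MAC to the reason it was blocked.
type Blocklist map[string]string

// LoadFeed reads lines of "<mac> <reason>" such as an IDS export. Malformed
// lines are reported to the caller instead of being silently dropped.
func LoadFeed(feed string) (Blocklist, []error) {
	bl := Blocklist{}
	var errs []error
	sc := bufio.NewScanner(strings.NewReader(feed))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.SplitN(line, " ", 2)
		mac, err := NormalizeMAC(fields[0])
		if err != nil {
			errs = append(errs, err)
			continue
		}
		reason := "blocked by IDS feed"
		if len(fields) == 2 {
			reason = strings.TrimSpace(fields[1])
		}
		bl[mac] = reason
	}
	return bl, errs
}

// Decision is the module's contribution to the Access-Request: reject with a
// reason, or fall through to the normal authentication policy (with a note).
type Decision struct {
	Reject bool
	Reason string
}

// Check evaluates the Calling-Station-Id of an Access-Request.
func (bl Blocklist) Check(callingStationID string) Decision {
	mac, err := NormalizeMAC(callingStationID)
	if err != nil {
		return Decision{Reject: false, Reason: "unparseable Calling-Station-Id: " + err.Error()}
	}
	if reason, hit := bl[mac]; hit {
		return Decision{Reject: true, Reason: reason}
	}
	return Decision{}
}

// SampleFeed is constructed sample data, not a real IDS export.
const SampleFeed = `# mac  reason
00-1A-2B-3C-4D-5E  IDS alert: worm propagation
0011.2233.4455     IDS alert: scanning
`

func main() {
	bl, errs := LoadFeed(SampleFeed)
	for _, e := range errs {
		fmt.Println("feed:", e)
	}
	for _, id := range []string{"00:1a:2b:3c:4d:5e", "00-11-22-33-44-55", "00:1a:2b:3c:4d:5f", "not-a-mac"} {
		fmt.Printf("%-20s -> %+v\n", id, bl.Check(id))
	}
}
```

Keeping the decision and its reason separate from the accept/reject itself is what lets the reason land in the RADIUS log and the accounting tables, which is where the "exceptional accounting information" from slide 5 comes from.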

Page 18: Where do we go from here?

• Rollout to our main campus

• Use of accounting data for detailed usage reports

• More policy management using dynamically assigned VLANs

• Authenticated guest access using temporary credentials

• 802.1X for public wired switchports?

• VoFi phones on the near horizon

Page 19: Federated Wireless Network Authentication

• I2 SALSA-NetAuth Group

• Working to enable institutional members to authenticate to networks (wireless/wired) at other institutions using their home credentials.

• Enable roaming between HiEd, K-12, government, industry

• Employs 802.1X and RADIUS peering

• Biweekly Conference Calls

– Thursday 11am-12pm: Feb 24, Mar 10

– 866-411-0013, 0184827

• salsa-fwna @ internet2 list

– “subscribe salsa-fwna” to sympa @ internet2
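Slide 17 (machine authentications proxied to IAS while FreeRADIUS keeps the policy) and slide 19 (home credentials honoured at other institutions via RADIUS peering) are both instances of one decision: looking at the EAP identity and choosing which back end may answer for it. The Go program below is an added example for this transcript, not UTD's configuration or FreeRADIUS code, showing that routing rule with the safe default a federated setup needs: an identity in a realm nobody has agreed to peer with is rejected, not tried against the home directory. The home realm utdallas.edu is taken from the page; ias.example, peer.example and radius.peer.example are placeholder server and realm names, and the identities in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Route says which back end handles the Access-Request for an identity.
type Route struct {
	Backend string // "local-ldap", "proxy:<server>" or "reject"
	User    string // identity as forwarded to that back end
}

// Router holds the realm table. Unknown realms are rejected rather than tried
// locally, so a typo in a federated realm never falls through to the home directory.
type Router struct {
	HomeRealm      string            // realm served by the local LDAP tree
	MachineAuthSrv string            // Microsoft IAS that validates host/ identities
	Peers          map[string]string // federated realm -> RADIUS peer (lower-case keys)
}

// Route classifies an EAP identity (User-Name):
//
//	host/name.domain  -> Windows machine authentication, proxied to IAS
//	user@peer-realm   -> federated peer via RADIUS peering (full NAI forwarded)
//	user@home-realm   -> local LDAP, realm stripped
//	user              -> local LDAP
func (r Router) Route(identity string) (Route, error) {
	id := strings.TrimSpace(identity)
	if id == "" {
		return Route{Backend: "reject"}, errors.New("empty identity")
	}
	if strings.HasPrefix(strings.ToLower(id), "host/") {
		return Route{Backend: "proxy:" + r.MachineAuthSrv, User: id}, nil
	}
	at := strings.LastIndex(id, "@")
	if at < 0 {
		return Route{Backend: "local-ldap", User: id}, nil
	}
	user, realm := id[:at], strings.ToLower(id[at+1:])
	if user == "" || realm == "" {
		return Route{Backend: "reject"}, fmt.Errorf("malformed identity %q", id)
	}
	if realm == strings.ToLower(r.HomeRealm) {
		return Route{Backend: "local-ldap", User: user}, nil
	}
	if peer, ok := r.Peers[realm]; ok {
		return Route{Backend: "proxy:" + peer, User: id}, nil
	}
	return Route{Backend: "reject"}, fmt.Errorf("no peering agreement for realm %q", realm)
}

func main() {
	r := Router{
		HomeRealm:      "utdallas.edu",
		MachineAuthSrv: "ias.example",
		Peers:          map[string]string{"peer.example": "radius.peer.example"},
	}
	for _, id := range []string{"host/lab-pc.example", "jdoe", "JDoe@UTDallas.edu",
		"alice@peer.example", "bob@unknown.example", "@peer.example"} {
		rt, err := r.Route(id)
		fmt.Printf("%-22s -> %-28s %v\n", id, rt.Backend, err)
	}
}
```

The policy step the slide insists on (FreeRADIUS still decides whether the connection is allowed) sits after this routing: the chosen back end only answers whether the credential is valid, and the local server still applies the blocklist, VLAN assignment and accounting to the result.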

Page 20: Resources

• UTD 802.1X Client Setup Instructions

– http://www.utdallas.edu/ir/cats/network/wlan/8021x/

• EAP Capable RADIUS Servers

– FreeRADIUS http://www.freeradius.org/

– Microsoft IAS http://www.microsoft.com/ias/

– Steel Belted RADIUS http://www.funk.com/

– Radiator http://www.open.com.au/radiator/

• Federated Wireless NetAuth (FWNA) Internet2 Group

– http://security.internet2.edu/fwna/