Wireless Security with
802.1X
Copyright 2005 Michael Griego
This work is the intellectual property of the author.
Permission is granted for this material to be shared
for non-commercial, educational purposes, provided
that this copyright statement appears on the reproduced
materials and notice is given that the copying is by
permission of the author. To disseminate otherwise or to
republish requires written permission from the author.
1
Background
• Student housing apartments comprise one of the largest
apartment complexes in the D/FW Metroplex –
approximately 1200 units, 67 buildings
• Peak usage of around 1000 simultaneous users
• Student housing security provided by SSID cloaking, WEP,
and Bluesocket gateway doing web authentication
• Campus security provided by WEP, SSID cloaking, and
MAC address registration
2
The Criteria
• Client availability and ease of use
• Scalable and robust
• Ease of integration with existing security and identity
systems
• Low cost
• And, of course, the best security possible
3
802.1X Meets the Challenge
• Client availability and ease of use
– Most OSes now come with 802.1X clients, more added frequently
– No more requirement for SSID cloaking and MAC registration
• Scalable and robust
– As scalable as your APs, no extra density calculations
• Ease of integration with existing security and identity systems
– Most RADIUS implementations integrate with LDAP and SQL
• Low cost
– Only required purchase of two servers and a commercial certificate
• Provides exceptional accounting information
4
The Best Overall Security
• Authenticates users in a variety of methods (EAP types)
• Robust, dynamically keyed encryption
• Pushes the security perimeter to the absolute entry point of
the network by securing connections at the AP
– Protects authenticated clients from unauthenticated clients
– Mutual authentication
– Mitigates connection hijacking
5
What is 802.1X?
• Port Access Authentication
– Originally designed for authenticating ports on wired LANs
– Port traffic, except for 802.1X, blocked until successful authentication
• Three Components
– Supplicant (client)
– Authenticator (switch, AP, other NAS, preferably RADIUS capable)
– Authentication Server (sometimes part of Authenticator, otherwise
RADIUS server)
• Utilizes the Extensible Authentication Protocol (EAP)
– As such, it is sometimes known as EAPoL (EAP over LAN)
– RADIUS server must be EAP capable
6
802.1X Meets Wireless
• Associations (wireless clients) become virtual “ports”
• Frequent reauthentications reset key information and insure
no session hijacking has occurred
• EAPoL Key frame used to provide dynamic encryption
• Now used as the basis for enterprise authentication in WPA
and WPA2 (802.11i)
7
EAP Demystified
• Originally designed for PPP authentication
• Authentication framework
– Authenticators only need to recognize a few well defined messages
• Request/Response
• Success/Failure
– EAP subtypes allow for new types of authentication to be added
without requiring upgrades to the Authenticators
– Only Supplicants and Authentication Servers need to implement
details of new EAP types
8
EAP Types
• EAP-MD5
– Does NOT provide for dynamic encryption
– User authenticated by password
– Network NOT authenticated to user (no mutual authentication)
• EAP-TLS
– Provides for dynamic encryption
– User and network mutually authenticated using certificates
• EAP-TTLS and PEAP
– Provides for dynamic encryption
– Network authenticated using certificate
– Client authentication tunneled inside of EAP-TLS
9
UTD Chooses PEAP
• Specifically PEAP-MSCHAPv2
• Native to Windows XP and above (available from Microsoft
for Windows 2000 in SP4)
• Also implemented in most other supplicants (Open1X,
MacOS X 10.3, etc)
• Allows clients to authenticate with familiar username and
password
• Does not absolutely require helpdesk intervention to set up
connection
10
Hardware Details
• 802.1X Capable Access Points
– UTD currently uses Proxim APs
– Almost any enterprise-class AP
• Two RADIUS Servers
– Provides for failover
– Not required to be beefy
• RADIUS is a lightweight service, even with TLS sessions and frequent
reauthentications
• Low-end Dell PowerEdge servers
11
Software Details
• Fedora Core OS
• MySQL
– Provides policy enforcement and accounting backend for RADIUS
– Holds special case users that do not exist in LDAP tree
• FreeRADIUS
– Ties in with LDAP and SQL to form authentication, authorization, and
accounting (AAA) framework for wireless LAN
12
PEAP Certificate
• Certificate required for network authentication
• Certificate must contain the TLS Web Server Authentication
Extended Key Usage Attribute
– Required by Microsoft supplicant
– OID .1.3.6.1.5.5.7.3.1
– Exists in commercial web server SSL certificates
• Commercial certificate obtained from VeriSign
– No need for “roll-your-own” CA
– Help desk not required to load CA certificate on user machines
13
MSCHAPv2
• Password hashes in LDAP tree incompatible with
MSCHAPv2
• New ntPassword attribute added to LDAP schema to hold
NTLMv2 hashed password
– Attribute ONLY accessible to RADIUS LDAP profile
– Web account management system updated to populate ntPassword
attribute when password change occurs
14
Rollout Timeline
• Six months before rollout
– Web account management system updated to load NT hashed
password
– RADIUS servers configured and tested
• Two weeks before rollout
– Notification posted to students of change
– Web pages with instructions for setting up 802.1X in various OSes
provided
– Printed versions of instructions provided at help desk and apartment
complex leasing office
• Rollout
– Campus router interface created for wireless LAN (previously
handled by Bluesocket gateway)
– DHCP updated - new address space, unknown clients allowed
– APs reconfigured to require 802.1X authentication
15
Recent Additions
• Homegrown FreeRADIUS module for blocking virus infected
machines
– Blocks machines based on RADIUS Calling-Station-Id attribute
(MAC Address)
– Fed automatically from IDS
– Blocking at “perimeter” extremely useful here
• Windows Domain Machine Authentication
– Domain member machines must be able to authenticate as a
machine for domain user credentials to be processed
– FreeRADIUS proxies Windows machine authentications to a
Microsoft IAS RADIUS server
– FreeRADIUS still controls connection policy
16
Where do we go from here?
• Rollout to our main campus
• Use of accounting data for detailed usage reports
• More policy management using dynamically assigned VLANs
• Authenticated guest access using temporary credentials
• 802.1X for public wired switch ports
• VoFi phones on the near horizon
• Federated Wireless Network Authentication http://security.internet2.edu/fwna/
17