18 - Understanding Wireless Client Authentication Flashcards

1
Q

What are the wireless authentication methods?

A
• WPA2 authentication modes
o Enterprise mode – 802.1X
- Individual authentication (each user or device has its own credential)
- Authenticates managed devices and known users
- Corporate use
o Personal mode – pre-shared key (PSK)
- One shared passphrase for everyone on the SSID
- Often authenticates the device, not the user
- SOHO use
• Web authentication
o Web auth
- 802.1X-incapable devices
- 802.1X backup authentication
- Guest user access
2
Q

___ authentication uses symmetric encryption: the same algorithm and key that are used to encrypt the credentials are used, in reverse, to decrypt them. With ___, a common passphrase is configured on both sides (the client and the AP/WLC). Symmetric-key schemes are relatively simple; however, they are not recommended for strong user authentication, because every user shares the same secret and, once an attacker has captured a 4-way handshake, guesses at the shared key can be tested offline (a dictionary or brute-force attack) without ever talking to the network again.

A

PSK

3
Q

One issue with PSK authentication is that if the passphrase is saved on the wireless client, the process does not authenticate the person who makes the connection but rather the __. For this reason, storing personal passwords on laptop or desktop computers is considered dangerous: whoever holds the device, or extracts the stored profile from it, inherits the network access. Unless authentication requires the user to enter credentials, the __, not the user, is being authenticated.

A

device
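
The two cards above, as an added worked example that is not part of the original flashcards: the station and the AP derive the same PMK from the shared passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, as IEEE 802.11i specifies), then the same PTK from the MACs and nonces that cross the air in the clear during the 4-way handshake. Because nothing secret besides the passphrase goes into that derivation, a sniffer who captured message 2 can test passphrase guesses offline. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the demo, and the "captured" message 2 is built by the script itself with the EAPOL-Key frame reduced to the fields the MIC covers in this simplified model.

```python
"""WPA2-Personal key derivation and the offline attack it allows (cards 2 and 3).
Added example, not from the flashcards. Both sides derive the same PMK from the
passphrase and SSID, then the same PTK from values sent in the clear during the
4-way handshake, so a sniffed handshake lets an attacker test guesses offline.
The SSID, MACs, nonces, wordlist and the "captured" message 2 are all
constructed here; the EAPOL-Key frame is reduced to the fields the MIC needs."""
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (384 bits for CCMP) from the PMK plus both MACs and both nonces, sorted."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)   # KCK = first 16 bytes

def eapol_key_mic(kck, frame_with_zeroed_mic):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def build_msg2(pmk, aa, spa, anonce, snonce):
    """What the station sends in message 2: replay counter || SNonce || MIC (simplified)."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    zeroed = struct.pack("!Q", 1) + snonce + b"\x00" * 16      # MIC field zeroed while computing
    return zeroed[:40] + eapol_key_mic(kck, zeroed)

def crack_psk(capture, wordlist):
    """Offline dictionary attack: recompute message 2's MIC for each guess and compare."""
    frame = capture["msg2"]
    snonce, mic, zeroed = frame[8:40], frame[40:56], frame[:40] + b"\x00" * 16
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, zeroed), mic):
            return guess
    return None

def demo(wordlist=None):
    """Station and AP share one passphrase (card 3: the device holds it); a sniffer cracks it."""
    ssid, passphrase = "CorpGuest", "summer2019"                                  # constructed
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")        # AP / station MACs
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    pmk = pmk_from_passphrase(passphrase, ssid)                                   # same on both sides
    capture = {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
               "msg2": build_msg2(pmk, aa, spa, anonce, snonce)}
    words = wordlist if wordlist is not None else ["password", "letmein", "summer2018", "summer2019"]
    return crack_psk(capture, words)
```

The expensive step per guess is the 4096-iteration PBKDF2, which is why the attack is slow per word but still fully offline and parallel; tools such as aircrack-ng and hashcat do exactly this against real captures. The defence is a long random passphrase (or moving to 802.1X), not hiding the SSID, since the SSID is only the salt.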

4
Q

An 802.11-compliant WLAN client uses __ authentication by default. __ authentication uses no keys: the client sends an authentication request and the AP simply accepts it. __ authentication operates at Layer 1/Layer 2 and offers no end-to-end security.

A

open

5
Q

With open authentication, the client device has only shown that it is an 802.11-capable device. There is no encryption, per-packet authentication, or message integrity check. Additional security measures should be layered on top, such as ___.

A

802.1x

6
Q

The 802.1X protocol defines port-based network access control. It defines three roles:

A
  • Supplicant – the machine that wants to access the network
  • Authenticator – the point of access (a switch port, AP, or WLC). The authenticator is the point of entrance to the network and enforces the port state
  • Authentication server – a server (typically RADIUS) somewhere in the network that keeps the list of conditions by which access is granted or refused
7
Q

The __ connects to the authenticator. At this point the port on the authenticator is up from a physical standpoint, but the 802.1X process has not yet authorised it, so no frames from the __ are passed through that port to the switching fabric; only 802.1X (EAPOL) frames are accepted. To be allowed to send and receive traffic, the __ must present a form of authentication, starting with an identity (an EAP Identity response). If the __ does not send an identity, the port remains unauthorised.

A

supplicant

8
Q

___ is the service framework needed to support large-scale, public-key-based technologies. ___ provides a scalable and manageable way to implement strong encryption and authentication by using digital certificates.

A

Public key infrastructure (PKI)

9
Q

How is PKI used? What is the process?

A
  • Certificate authorities (CAs) issue digital certificates to users (clients) and servers; the certificates are used to validate user and server identities
  • Clients request a user certificate from the CA and use it to authenticate to the server through 802.1X (EAP-TLS; EAP-FAST can also use certificates)
  • Servers request a server certificate from the CA; the client uses it to validate the authenticity of the server before sending any credentials. A server can also use a self-signed certificate, in which case it acts as its own CA and clients must be provisioned to trust that certificate explicitly
  • Cisco WLCs that act as the authentication server (local EAP) use preinstalled server certificates or can request a server certificate from a CA
10
Q

How does Asymmetric Encryption work?

A
  • With asymmetric encryption, each party generates two keys
  • A public key and a private key
  • The keys are produced together by a mathematical algorithm, so they work only as a pair
  • What is encrypted with one key can be decrypted only by the other, and vice versa
  • The public key can be handed out freely; the private key never leaves its owner
11
Q

With __ alone, the identity of the sender is not protected. When a user sends his encrypted credentials to the server, the server receives them, decrypts them with its private key, reads the sender's name, and assumes that the credentials belong to that user. However, this cannot be guaranteed, because the public key that belongs to the server can be given to anyone: anybody can encrypt a message to the server and put any name inside it.

A

asymmetric encryption

12
Q

To enhance security, a process known as __ a message is used. This validates the sender: the sender hashes the message and encrypts that hash with their own private key. If the server can decrypt the value with the sender's public key and it matches the server's own hash of the message, the server knows that the message was produced by the holder of the matching private key and was not altered in transit.

A

digital signing

13
Q

__ proves to the server that the public key it holds for a sender is actually that sender's public key. Someone else could create a key pair, label the public half as belonging to someone else, and send it to the server. If the server answers a message signed with that key, the attacker will be able to read the answer, and the server will have accepted the attacker's signatures as the victim's.

A

Nothing

14
Q

An authority known as a ___ takes the public key that belongs to the sender, adds fields that contain the sender's name and the validity period, and appends a signature: a hash of all of those fields, encrypted with the private key that belongs to the authority. A public key that a trusted third-party __ has signed in this manner, together with those fields, is called a __.

A

Certificate Authority (CA), CA, certificate

15
Q

In an enterprise environment, a __ is a server that can be implemented in various forms. Because a public __ is well known, its root certificate (public key) is preinstalled in the trust store of most operating systems; the root certificate of a private, enterprise-internal __ must instead be distributed to the clients by the organisation.

A

CA

16
Q

Having installed certificates signed by the same CA, the sender and the server are now ready to authenticate each other as follows:

A
  • The sender and server exchange certificates. The CA is no longer involved (it does not need to be reachable)
  • Each party verifies the digital signature on the other's certificate by hashing the plaintext portion of the certificate, decrypting the digital signature with the CA's public key, and comparing the two results. If they match, the certificate is verified as having been signed by the trusted third party, and the CA's assertion that the sender is the sender and the server is the server is accepted
  • Each party should also check that the certificate is within its validity period and has not been revoked, and that the peer can prove possession of the matching private key (otherwise anyone who copied the certificate could present it)
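
The signing, forged-key and certificate-verification cards above (cards 10 to 16), as an added worked example that is not part of the original flashcards. It is deliberately a toy: textbook RSA with small random primes from Python's non-cryptographic `random` module, no padding, and a "certificate" that is just a few fields plus a CA signature; real deployments use X.509 certificates, PSS or PKCS#1 padding and 2048-bit or larger keys through a proper library. The subject names, validity date and message are constructed test data.

```python
"""Toy public-key signing and a toy CA (cards 10 to 16). Added example, not
from the flashcards: textbook RSA with ~128-bit primes from a non-cryptographic
RNG, no padding, and a certificate that is just a few fields plus a CA signature.
Real systems use X.509, PSS/PKCS#1 padding and 2048-bit+ keys via a library."""
import hashlib
import random
from typing import NamedTuple

PRIME_BITS, HASH_BYTES = 128, 16      # 256-bit modulus; a 128-bit hash always fits below it

def is_probable_prime(n, rounds=24):
    """Miller-Rabin (probabilistic); fine for a toy."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

class KeyPair(NamedTuple):
    n: int   # modulus, public
    e: int   # public exponent
    d: int   # private exponent: never leaves its owner

def generate_keypair():
    """Card 10: two keys built together by one algorithm, so they only work as a pair."""
    e = 65537
    while True:
        p, q = random_prime(PRIME_BITS), random_prime(PRIME_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return KeyPair(p * q, e, pow(e, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BYTES], "big")

def sign(message, key):
    """Card 12: hash the message, then 'encrypt' the hash with the signer's PRIVATE key."""
    return pow(digest(message), key.d, key.n)

def verify(message, signature, n, e):
    """'Decrypt' the signature with the signer's PUBLIC key; compare with a fresh hash."""
    return pow(signature, e, n) == digest(message)

def cert_plaintext(subject, n, e, valid_until):
    """The plaintext portion of a certificate (card 14): name, validity, public key."""
    return f"subject={subject};n={n};e={e};valid_until={valid_until}".encode()

def ca_issue(ca, subject, subject_n, subject_e, valid_until):
    """Card 14: the CA appends a signature made with ITS private key over those fields."""
    body = cert_plaintext(subject, subject_n, subject_e, valid_until)
    return {"subject": subject, "n": subject_n, "e": subject_e,
            "valid_until": valid_until, "ca_signature": sign(body, ca)}

def cert_verify(cert, ca_n, ca_e):
    """Card 16: hash the plaintext, decrypt the signature with the CA public key, compare."""
    body = cert_plaintext(cert["subject"], cert["n"], cert["e"], cert["valid_until"])
    return verify(body, cert["ca_signature"], ca_n, ca_e)

def demo():
    """Honest cert and signature verify; a swapped-in key (card 13) and a tampered message fail."""
    ca, alice, mallory = generate_keypair(), generate_keypair(), generate_keypair()
    cert = ca_issue(ca, "alice", alice.n, alice.e, "2030-01-01")     # constructed subject
    msg = b"alice's credentials"                                       # constructed message
    sig = sign(msg, alice)
    forged = dict(cert, n=mallory.n, e=mallory.e)      # Mallory labels her own key as Alice's
    return {"cert_ok": cert_verify(cert, ca.n, ca.e),
            "forged_cert_rejected": not cert_verify(forged, ca.n, ca.e),
            "msg_ok": verify(msg, sig, cert["n"], cert["e"]),
            "tampered_msg_rejected": not verify(msg + b"!", sig, cert["n"], cert["e"])}
```

Note that the CA only appears in `ca_issue`; `cert_verify` needs nothing but the CA's public key, which is why card 16 can say the CA is no longer involved once both sides hold their certificates. The forged certificate fails because Mallory cannot produce a CA signature over her own key without the CA's private key.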
17
Q

__ is a general authentication framework that supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public-key authentication, and smart cards.

A

EAP

18
Q

__ does not specify which type of authentication to use; it simply defines the authentication steps and headers. __ separates the authentication method itself from the authentication process (the transport of the exchange). As such, you can use __ with almost any type of authentication, and several layers of consecutive authentications can occur within the same __ framework (for example an outer TLS tunnel carrying an inner password method).

A

EAP

19
Q

EAP defines four message types (codes):

A
  • Request (code 1)
  • Response (code 2)
  • Success (code 3)
  • Failure (code 4)
20
Q

There are roughly 40 EAP types; some of the most common are:

A
  • EAP-TLS
  • PEAP
  • EAP-FAST
  • EAP-SIM, for GSM
  • EAP-AKA, for UMTS
21
Q

In wireless networks, all EAP protocols rely on:

A
  • 802.1X to block data access to the network until authentication succeeds
  • EAP to carry the authentication exchange between the client (the user or device) and the authentication server

22
Q

The EAP type configured on the client must match an EAP type enabled on the ___.

A

auth server

23
Q

802.1X and EAP address authentication but not __. 802.1X and EAP can be used with or without __. For 802.1X/EAP authentication, all EAP packets must be relayed between the client and the authentication server; the content of the EAP messages is of no importance to the controller and AP, which simply relay them. The authenticator only needs the final Success/Failure verdict (and, when __ is used, the keying material the authentication server hands it at the end).

A

encryption

24
Q

EAP does not necessarily imply __. EAP is a separate protocol that defines the headers and the steps of the authentication exchange. EAP can be used to prove an identity even when no port is being blocked by __ (it originated in PPP, for instance). Both protocols have specific roles but work well in combination.

A

802.1X
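
The 802.1X roles, the unauthorised port, the four EAP codes and the "authenticator just relays" point (cards 6, 7, 17 to 19, 23 and 24), as an added worked simulation that is not part of the original flashcards. It builds real EAP (RFC 3748) and EAPOL (IEEE 802.1X) headers and runs the Identity step followed by EAP-MD5-Challenge, chosen only because it fits in a few lines: it derives no keys and is not acceptable on a real WLAN (RFC 4017), where EAP-TLS, PEAP or EAP-FAST run instead. The user store, identities and secrets are constructed test data, and the in-memory "port" stands in for a switch port or WLC.

```python
"""Toy 802.1X/EAP session: supplicant, authenticator (port) and auth server.
Added example, not from the flashcards. EAP-MD5-Challenge follows Identity only
because it is short: it derives no keys and is NOT acceptable on a real WLAN
(RFC 4017). User names and secrets below are constructed test data."""
import hashlib
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 2, 0, 1            # IEEE 802.1X-2004

def eap_pack(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Returns (code, identifier, type-or-None, type-data); Success/Failure carry no type."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or not EAP_REQUEST <= code <= EAP_FAILURE:
        raise ValueError("malformed EAP packet")
    return (code, ident, pkt[4], pkt[5:]) if code <= EAP_RESPONSE else (code, ident, None, b"")

def eapol_pack(ptype, body=b""):
    """EAPOL frame: Version(1) Packet-Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eapol_unpack(frame):
    return frame[1], frame[4:4 + struct.unpack("!H", frame[2:4])[0]]

def md5_response(ident, secret, challenge):
    """RFC 3748 s5.4 / RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthServer:
    """Keeps the conditions for granting access (card 6). Speaks only EAP."""
    def __init__(self, users):
        self.users, self.ident, self.peer, self.challenge = users, 0, None, b""
    def _request(self, eap_type, data=b""):
        self.ident = (self.ident + 1) % 256
        return eap_pack(EAP_REQUEST, self.ident, eap_type, data)
    def start(self):
        return self._request(EAP_TYPE_IDENTITY)
    def handle(self, eap):
        code, ident, etype, data = eap_unpack(eap)
        if code != EAP_RESPONSE or ident != self.ident:
            return eap_pack(EAP_FAILURE, ident)
        if etype == EAP_TYPE_IDENTITY:             # challenge unknown users too: no enumeration
            self.peer, self.challenge = data.decode("utf-8", "replace"), os.urandom(16)
            return self._request(EAP_TYPE_MD5, bytes([16]) + self.challenge)
        if etype == EAP_TYPE_MD5 and self.peer in self.users:
            expected = md5_response(ident, self.users[self.peer], self.challenge)
            if data and data[1:1 + data[0]] == expected:
                return eap_pack(EAP_SUCCESS, ident)
        return eap_pack(EAP_FAILURE, ident)

class Supplicant:
    """The machine that wants access. identity=None models a client that never sends an ID."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
    def handle(self, eap):
        code, ident, etype, data = eap_unpack(eap)
        if code != EAP_REQUEST or self.identity is None:
            return None                            # Success/Failure need no answer
        if etype == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if etype == EAP_TYPE_MD5:
            value = md5_response(ident, self.secret, data[1:1 + data[0]])
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(value)]) + value)
        return None                                # unsupported method (real clients send a Nak)

class Authenticator:
    """Switch/AP/WLC port: relays EAP to the server without inspecting the method (card 23)."""
    def __init__(self, server):
        self.server, self.authorized = server, False
    def receive(self, frame):
        """Take one EAPOL frame from the supplicant; return the EAPOL frame to send back."""
        ptype, body = eapol_unpack(frame)
        if ptype == EAPOL_START:
            return eapol_pack(EAPOL_EAP_PACKET, self.server.start())
        reply = self.server.handle(body)           # opaque relay (over RADIUS in real life)
        if reply[0] in (EAP_SUCCESS, EAP_FAILURE): # only the verdict matters to the port
            self.authorized = reply[0] == EAP_SUCCESS
        return eapol_pack(EAPOL_EAP_PACKET, reply)
    def forward_data(self, _frame):
        return self.authorized                     # non-EAPOL traffic passes only when authorized

def run_8021x(supplicant, port, max_rounds=8):
    """Drive one session; returns True if the port ends up authorized."""
    frame = port.receive(eapol_pack(EAPOL_START))
    for _ in range(max_rounds):
        response = supplicant.handle(eapol_unpack(frame)[1])
        if response is None:
            break
        frame = port.receive(eapol_pack(EAPOL_EAP_PACKET, response))
    return port.authorized

def scenario(identity, secret):
    """One session against a constructed user store; dict values evaluate left to right."""
    port = Authenticator(AuthServer({"alice": b"correct horse"}))   # constructed test data
    return {"data_before": port.forward_data(b"DHCP Discover"),
            "authorized": run_8021x(Supplicant(identity, secret), port),
            "data_after": port.forward_data(b"DHCP Discover")}
```

Running `scenario("alice", b"correct horse")` shows the port dropping data before the exchange and passing it after EAP-Success; a wrong secret, an unknown identity, or `scenario(None, b"")` (a client that never answers the Identity request, as in card 7) all leave the port unauthorised. Note that the authenticator code never looks at the EAP type or the challenge, only at the Success/Failure code of what the server returns.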

25
Q

The auth server functionality in the EAP process can be provided by the following:

A

• Locally by the Cisco WLC (referred to as local EAP)
o Local EAP can use either the WLC's local user database or an LDAP database to authenticate users
o It can also serve as a backup when the RADIUS servers are unreachable
• Globally by a RADIUS server
o Cisco ISE
o A Microsoft server configured for RADIUS (Network Policy Server)
o Any other RADIUS-compliant server

26
Q

Name the EAP authentication type:
o Very secure (mutual certificate-based authentication)
o Requires a client certificate to be installed on each Wi-Fi workstation
o Requires a PKI, with the extra administrative expertise that implies

A

EAP-TLS

27
Q

Name the EAP authentication type:
o Secure and only requires server-side certificates; the user's credentials travel inside a TLS tunnel to the server
o More manageable PKI, or no internal PKI at all (a server certificate from a public CA), but clients must validate the server certificate or a rogue AP can terminate the tunnel and collect credentials

A

PEAP

28
Q

Name the EAP authentication type:
o A secure solution for enterprises that cannot enforce a strong password policy and do not want to deploy certificates for authentication (the tunnel is built from a Protected Access Credential, PAC, instead)

A

EAP-FAST

29
Q

Name the EAP authentication type:
o Addresses the certificate issue by tunnelling the inner authentication inside TLS
o Eliminates the need for a certificate on the client (only the server needs one)

A

EAP-TTLS

30
Q

Name the EAP authentication type:
o Longest history
o Previously Cisco proprietary; Cisco has licensed __ to other vendors
o A strong password policy should be enforced, because its MS-CHAP exchange is exposed to offline dictionary attacks
o Not a recommended form of EAP in the enterprise

A

LEAP

31
Q

__ is a process that allows users, typically guests, to authenticate to the network through a web portal, via a web browser. The client first associates (usually to an open SSID) and is held in a restricted state that allows only the portal traffic until the login succeeds.

A

Web Auth

32
Q

What are the three basic areas that must be defined for web authentication?

A

• Where guest path isolation is defined in the network
o Local WLC
o Auto-anchor (guest traffic tunnelled to an anchor WLC, typically in the DMZ)

• Where web portal pages are provisioned
o Local pages on the WLC
o Remote pages on an external web server

• Where users are defined
o Local guest user accounts on the WLC
o Centralised guest accounts on a RADIUS authentication server