7. WLAN Authentication & Roaming Flashcards
What are the three parties in 802.1X - Network Layer Access Control?
- Supplicant - the client device (or the software on it)
- Authenticator - a network device (Ethernet switch or WAP)
- Authentication server - a host running software that supports the RADIUS and EAP protocols
What are the stages of authentication in 802.1X - Network Layer Access Control?
- Initialisation
- Initiation
- Negotiation
- Authentication
802.1x - Network Layer Access Control
Initialisation
New supplicant detected
The port on the switch (authenticator) is set to the ‘unauthorised’ state, where only 802.1X traffic is allowed
Other traffic (IP, TCP, UDP) is dropped
802.1x - Network Layer Access Control
Initiation
The authenticator periodically transmits EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address and, when it receives an EAP-Request Identity frame, responds with an EAP-Response Identity frame containing the user ID. The authenticator encapsulates the identity response in a RADIUS Access-Request packet and forwards it to the authentication server. The supplicant can also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator…
EAP
Extensible Authentication Protocol
An authentication framework; it only defines message formats
EAP over LANs (EAPOL) carries it from the host to the AP
EAP over RADIUS carries it from the AP to the authentication server
802.1x - Network Layer Access Control
Negotiation
The authentication server sends a reply to the authenticator containing an EAP Request that specifies the EAP method (the type of EAP-based authentication it wants the supplicant to perform).
The authenticator encapsulates the EAP Request in an EAPOL frame and sends it to the supplicant, which can either start using the requested EAP method or send a NAK (Negative Acknowledgement) and respond with the EAP method it is willing to perform.
802.1x - Network Layer Access Control
Authentication
Once the authentication server and supplicant agree on an EAP method, requests and responses are sent between them, translated by the authenticator, until the server responds with an EAP Success or EAP Failure. If successful, the authenticator sets the port to the authorised state and normal traffic is allowed. When the supplicant logs off, the authenticator sets the port back to the unauthorised state.
802.1x - Network Layer Access Control
Advantages
- Prevents local abuse within the hotspot (controls access at Layer 2)
- No IP address is used/consumed until the device authenticates
- Supports periodic re-authentication
- Provides encryption of traffic (WPA2 Enterprise mode)
- Credentials can be cached
- Supports IPv6 access control, as it operates at Layer 2
802.1x - Network Layer Access Control
Disadvantages
- Requires special supplicant software
- The RADIUS server must support EAP
- A more complex solution for users to deploy, understand and troubleshoot (but once configured properly, it is simple to use)
WPA2 - the Wi-Fi standard based on IEEE 802.11i
Specifies security mechanisms for wireless networks
Deprecates the broken WEP, replacing it with Wi-Fi Protected Access, also known as the Robust Security Network (RSN)
Uses the Advanced Encryption Standard (AES) block cipher
WEP
Wired Equivalent Privacy
WPA
Wi-Fi Protected Access
2002
Minimum 802.11i support required
Temporal Key Integrity Protocol (TKIP) encryption
WPA ‘personal’
Uses a pre-shared key
- strong if the passphrase is strong
- possible traffic injection vulnerability due to a TKIP flaw
WPA2
Has all the mandatory 802.11i support
- includes the Advanced Encryption Standard (AES), which is recommended in place of TKIP
WPA/WPA2 ‘Enterprise’
Used with 802.1X port based authentication
Home network vs campus network
Home network:
Avoid WEP
Prefer WPA2 PSK, using AES if available
Can use a shared key, as there is no need to distinguish between users
Campus network:
Can’t use a shared key for the whole campus - need per-user authentication
Also need to allow users to roam between different universities (e.g. to attend conferences) and get WLAN access using their home credentials
Users should not have to be given a username/password on a piece of paper
IEEE 802.11
IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication in the 2.4, 3.6, 5 and 60 GHz frequency bands.
IEEE 802.11i
A revision of 802.11 that specifies more advanced security standards, developed to replace WEP
Implemented in the Wi-Fi Protected Access standards WPA and WPA2
RADIUS
Remote Authentication Dial-In User Service
- for exchanging user authentication requests and responses between devices, e.g. a wireless access point and an authentication server
- Access-Request
- Access-Reject or Access-Accept
Originally used for dial-up, now used in other scenarios
Can work within a single realm, or can refer a RADIUS Access-Request to another RADIUS server
Realms and referrals
A RADIUS realm is usually defined by a domain name
Users are identified by their local identifier within a realm, e.g. ord1c08
A RADIUS server may pass a client request to a server in another RADIUS realm
May use ‘shared secret’ encryption between servers
Authentication / Authorisation
Authorisation is granted based on specific user attributes
- attributes may be stored in the authentication server’s directory (Active Directory or LDAP)
- users may also be blocked from access for various reasons
Different access can be granted based on user attributes
RADIUS supports options in the Access-Accept response (e.g. which VLAN (IP subnet) to place a device in)
Can place staff and students in different IP subnets with different firewall or QoS policies
Can place a device in a quarantine network
Web redirection
Forces an HTTP client on the network to see a special web page for authentication before it is allowed access to the network
Used at commercial hotspots
The user device gets local IP access (an address via DHCP) first
Web redirection operation
- User runs a web client
- The network access controller (usually the gateway connecting the WLAN to the external network) detects an HTTP request
- The controller redirects the user’s browser to an authentication page
- Credentials are passed by RADIUS to the authentication back end / server
- If successful, the access controller opens external network access (based on the site’s policy) for the user
Web redirect advantages
May authenticate using different methods
- username/password
- scratch card
- SMS, etc.
Only requires a web browser on the client (easy for users)
Commercial and free/open source systems are readily available (the Uni uses Bluesocket)
Web redirect disadvantages
The web challenge server could be spoofed
The device may still be able to connect to the local WLAN even if it can’t get outside of it
- local hosts are vulnerable to an attacker
- e.g. relying on DHCP responses not being spoofed
May have to re-enter credentials each time
As yet no commercial products support IPv6
Web-redirect or 802.1X
Both can work for a single campus
When balancing the best security with the best potential to support roaming, 802.1X wins:
- Secures access to Layer 2
- Part of WPA2 Enterprise model
- Supports IPv6 implicitly
- Avoids unnecessary IPv4 address consumption
- Can readily cache credentials if desired
- Can integrate with RADIUS for referrals to other realms
Roaming infrastructure with RADIUS
Janet (the UK NREN - National Research and Education Network) worked with European NRENs on a design for scalable roaming
Rather than NREN-to-NREN pairing, which means exchanging shared secrets individually between every pair of Organisational RADIUS Proxies (ORPs) and does not scale, they proposed:
National RADIUS Proxy (NRP)
NRP
National RADIUS Proxy
Each site refers non-local RADIUS requests to the NRP
- every campus site only peers with the NRP, not with every other ORP
- the NRP forwards RADIUS traffic between sites
Thus the JRS (Janet Roaming Service) was established; it mandates the use of 802.1X (and not web-redirect)
eduroam
A federation formed through the RADIUS infrastructure; NREN roaming extended to European, Australian, Canadian and US networks