Authentication and Security: IEEE 802.1x and protocols EAP based

Similar documents
Authentication and Security: IEEE 802.1x and protocols EAP based

Wireless LAN Security. Gabriel Clothier

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Exam Questions CWSP-205

FAQ on Cisco Aironet Wireless Security

N_Max Wireless USB Adapter

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Configuring a VAP on the WAP351, WAP131, and WAP371

Configuring the Client Adapter through the Windows XP Operating System

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Wireless-N Business Notebook Adapter

CUA-854 Wireless-G Long Range USB Adapter with Antenna. User s Guide

802.1x. ACSAC 2002 Las Vegas

Securing Your Wireless LAN

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Security in IEEE Networks

Designing AirPort Extreme n Networks

Configuring the Client Adapter through Windows CE.NET

802.1x Port Based Authentication

Standard For IIUM Wireless Networking

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

Configuring the Client Adapter through the Windows XP Operating System

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

The following chart provides the breakdown of exam as to the weight of each section of the exam.

b/g/n 1T1R Wireless USB Adapter. User s Manual

Network. NEC Portable Projector NP905/NP901W WPA Setting Guide. Security WPA. Supported Authentication Method WPA-PSK WPA-EAP WPA2-PSK WPA2-EAP

TopGlobal MB8000 Hotspots Solution

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

Connecting Devices to the PSD-BYOD Network

Cisco Exam Questions & Answers

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

COPYRIGHTED MATERIAL. Contents

Securing Wireless LANs with Certificate Services

Appendix E Wireless Networking Basics

Cisco Exactexams Questions & Answers

Seamless Yet Secure -Hotspot Roaming

How to connect to Wi-Fi

ClearPass QuickConnect 2.0

Zebra Mobile Printer, Zebra Setup Utility, Cisco ACS, Cisco Controller PEAP and WPA-PEAP

NCR. Wi-Fi Setup Assistant. User guide

NWD271N. User s Guide. WLAN n USB Adapter. Version /2008 Edition 1

WDT3250 RF Setup Guide

Configuring a Wireless LAN Connection

WLAN Connection Manual SPP-R410. Mobile Printer Rev

Configure Network Access Manager

Software Manual Net Configuration Tool Rev. 4.05

Wireless LAN Profile Setup

Configuring Authentication Types

Designing AirPort Networks

Configuring 802.1X Settings on the WAP351

Configuring FlexConnect Groups

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Access Connections 5.1 for Windows Vista: User Guide

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Package Content IEEE g Wireless LAN USB Adapter... x 1 Product CD-ROM.x 1

Wireless-N. User Guide. USB Network Adapter WUSB300N WIRELESS. Model No.

Configuring the Client Adapter

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Zebra Setup Utility, Zebra Mobile Printer, Microsoft IAS, Cisco Access Point, PEAP and WPA-PEAP

Designing AirPort Networks

Cisco Exam Questions & Answers

AirPort Networks for Windows. For Windows XP and Windows 2000

Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer

IEEE a/b/g Wireless USB 2.0 Adapter. User s Manual Version: 1.2

Securing a Wireless LAN

Zebra Setup Utility, Zebra Mobile Printer, Microsoft NPS, Cisco Access Point, PEAP and WPA-PEAP

Product Brief: SDC-EC25N n ExpressCard Card with Integrated Antenna

Software Manual Net Configuration Tool Rev. 4.03

Cisco Unified IP Phone Installation

Using the Cisco Unified Wireless IP Phone 7921G Web Pages

simplifying... Wireless Access

11g Long Range Wireless Cardbus Adapter. User s Manual Version: 1.3

Connect to eduroam WiFi

ENHANCING PUBLIC WIFI SECURITY

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

TestsDumps. Latest Test Dumps for IT Exam Certification

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

Chapter 24 Wireless Network Security

Chapter 1 Describing Regulatory Compliance

Wireless technology Principles of Security

Protected EAP (PEAP) Application Note

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Configuring Local EAP

Zebra Setup Utility, Zebra Mobile Printer, Microsoft NPS, Cisco Controller, PEAP and WPA-PEAP

Configuring FlexConnect Groups

SE-WL-PCI-03-11G PCI CARD DRIVERS INSTALLATION. Table of Contents

AmbiCom WL11-SD Wireless LAN SD Card. User Manual

11B/G Wireless Mini PCI Adapter WL533MAM User s Manual

Product Brief: SDC-PE15N n PCIe Module with Antenna Connectors

WPA - Setup for the Wireless Printers

Configuring a WLAN for Static WEP

11n Wireless USB Adapter

Internet Access: Wireless WVU.Encrypted Network Connecting a Windows 7 Device

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter with SRX 400. User Guide WIRELESS WMP54GX4. Model No.

Cisco Questions & Answers

Configuring WLANs CHAPTER

Transcription:

Authentication and Security: IEEE 802.1x and protocols EAP based Pietro Nicoletti Piero[at]studioreti.it 802-1-X-EAP-Eng - 1 P. Nicoletti: see note pag. 2

Copyright note These slides are protected by copyright and international treaties. The title and the copyrights concerning the slides (inclusive, but non only, every image, photograph, animation, video, audio, music and text) are the author s (see Page 1) property. The slides can be copied and used by research institutes, schools and universities affiliated to the Ministry of Public Instruction and the Ministry of University and Scientific Research and Technology, for institutional purpose, not for profit. In this case there is not requested any authorization. Any other complete or partial use or reproduction (inclusive, but not only, reproduction on discs, networks and printers) is forbidden without written authorization of the author in advance. The information contained in these slides are believed correct at the moment of publication. They are supplied only for didactic purpose and not to be used for installation-projects, products, networks etc. However, there might be changes without notice. The authors are not responsible for the content of the slides. In any case there can not be declared conformity with the information contained in these slides. In any case this note of copyright may never be removed and must be written also in case of partial use. 802-1-X-EAP-Eng - 2 P. Nicoletti: see note pag. 2

Radius R.A.D.I.U.S.:Remote Authentication Dial-In User Service protocol is used to exchange authentication message from Client and Server The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user RADIUS protocol has been used in the past by Internet Service Providers to authenticate users connected via Dial-Up line to the Access Server 802-1-X-EAP-Eng - 3 P. Nicoletti: see note pag. 2

IEEE 802.1x Define a Port Base Network Access Control functions Use physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics (Dial-Up), and of preventing access to that port in cases where the authentication and authorization process fails Can be implemented on Switch and Wireless Access Point 802-1-X-EAP-Eng - 4 P. Nicoletti: see note pag. 2

802.1x main elements Authenticator: is an entity at one end of a point-to-point LAN segment that requires to authenticate the entity attached to the other end of that link Authentication Server: is an entity that provides an Authentication Service to an Authenticator. This service determines, from the credentials provided by the Supplicant, whether the Supplicant is authorized to access the services provided by the Authenticator 802-1-X-EAP-Eng - 5 P. Nicoletti: see note pag. 2

802.1x main elements Supplicant: is an entity at one end of a point-to-point LAN segment that is being authenticated by an Authenticator attached to the other end of that link can also an entity that want to be associated and authenticated in a Wireless LAN environment through Access Point 802-1-X-EAP-Eng - 6 P. Nicoletti: see note pag. 2

802.1x function and protocols used to authenticate supplicant April 2007 Protocol used for communication between Autenticator and Authenticator Server: EAP (Extensible Authentication Protocol) over RADIUS protocol RADIUS is a Layer 7 protocol (application layer) Protocol used for communication between Supplicant and Authenticator EAPOL that means EAP Over LAN Is a Layer 2 Protocol because the supplicant may not have an IP address until is authenticated and has been received the IP address by DHCP Server 802-1-X-EAP-Eng - 7 P. Nicoletti: see note pag. 2

802.1x Authentication Model PC 802.1x Functions (Supplicant) EAPOL (layer 2) Access Point (Authenticator) EAP over RADIUS (layer 7) RADIUS Authentication Server Communications for Authentication 802-1-X-EAP-Eng - 8 P. Nicoletti: see note pag. 2

EAP Authentication method Microsoft Cisco Authentication Layer TLS EAP SIM TTLS PEAP EAP-FAST LEAP EAP Layers EAP EAPOL MAC Layer 802.3 802.11 802-1-X-EAP-Eng - 9 P. Nicoletti: see note pag. 2

LEAP (Lightweight Extensible Authentication Protocol) EAP-Cisco Wireless Authentication protocol based on username e password sent via MS-CHAP without the digital certificates Easy and fast to configure because don t need the certificates management Limits: Need interface drivers that support LEAP 802-1-X-EAP-Eng - 10 P. Nicoletti: see note pag. 2

EAP-TLS Mutual Authentication (client and server) Based on Digital Certificates for Server and Client The server have the CA (Certification Authority) and the Server Certificate The Client have the CA (Certification Authority) and the Client Certificate Is necessary to generate the CA Certificate, The Server Certificate and the Clients Certificates (one ore more) The data sent during authentication process are exchanged in a secure encrypted tunnel 802-1-X-EAP-Eng - 11 P. Nicoletti: see note pag. 2

EAP-TTLS Similar EAP-TLS Only CA and Server Certificate are necessary The client authentication is based on: CA Certificate and specific client Authentication based on: Username/Password CHAP, MSCHAPv2, MD5 802-1-X-EAP-Eng - 12 P. Nicoletti: see note pag. 2

Protected Extensible Authentication Protocol (PEAP) April 2007 Based on EAP-TTLS Authentication Method: Phase 1: establish a secure tunnel through EAP-TTLS authentication Phase 2: realize the supplicant authentication based on EAP protocol plus other specific information of PEAP Only CA and Server Certificate are necessary The client is authenticated via: CA Certificate and Username/Password MSCHAPv2 802-1-X-EAP-Eng - 13 P. Nicoletti: see note pag. 2

WPA (WiFi Protected Access) WPA is a standard-based security solution from the WiFi Alliance that addresses the vulnerabilities in native WLANs WPA provides enhanced data protection and access control for WLAN systems. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLAN networks in both enterprise and small office, home office (SOHO) environments. Use Pre Shared Key (WPA-PSK) for Authentication e Data Encryption WPA-PSK may be in Hexadecimal format or ASCI format (also known as Pass Phrase) 802-1-X-EAP-Eng - 14 P. Nicoletti: see note pag. 2

WPA2 / 802.11i WPA 2 is the next generation of Wi-Fi security. WPA 2 is the Wi-Fi Alliance interoperable implementation of the ratified IEEE 802.11i standard WPA 2 implements the National Institute of Standards and Technology (NIST)-recommended Advanced Encryption Standard (AES) encryption algorithm with the use of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. 802-1-X-EAP-Eng - 15 P. Nicoletti: see note pag. 2

WPA2 / 802.11i: Server Radius or PSK Normally WPA2 use RADIUS Server for Authentication and Encryption Key Generation Can even work with Pre Shared Key (PSK) witch can long up to 256 bits (64 Hexadecimal digit) Same PSK used on AP and Clients pass-phrase can be use instead of hexadecimal number sequence the standard suggest to use a pass-phrase with minimum 20 characters for security 802-1-X-EAP-Eng - 16 P. Nicoletti: see note pag. 2

Authentication Systems Compare 802-1-X-EAP-Eng - 17 P. Nicoletti: see note pag. 2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback