Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Similar documents
PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

802.1x. ACSAC 2002 Las Vegas

Securing Wireless LANs with Certificate Services

ilight/gigapop eduroam Discussion Campus Network Engineering

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Authentication and Security: IEEE 802.1x and protocols EAP based

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Wireless LAN Security. Gabriel Clothier

Port-based authentication with IEEE Standard 802.1x. William J. Meador

Network Access Flows APPENDIXB

802.1X: Background, Theory & Implementation

Implementing X Security Solutions for Wired and Wireless Networks

education federation CUC 2005, Dubrovnik High-quality Internet for higher education and research

The following chart provides the breakdown of exam as to the weight of each section of the exam.

802.1x Port Based Authentication

Preliminary selection for inter-nren roaming. Version: 1.0

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

IEEE 802.1X workshop. Networkshop 34, 4 April Josh Howlett, JRS Technical Support, University of Bristol. Copyright JNT Association

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Securing Your Wireless LAN

Your wireless network

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer

Chapter 4 Configuring 802.1X Port Security

FAQ on Cisco Aironet Wireless Security

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

TestsDumps. Latest Test Dumps for IT Exam Certification

Exam Questions CWSP-205

What is Eavedropping?

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

Security in IEEE Networks

Radiator. EAP-SIM and EAP- AKA Support

Seamless Yet Secure -Hotspot Roaming

Wireless Integration Overview

Radiator. EAP-SIM and EAP- AKA Support

Mobile WiMAX Security

Standard For IIUM Wireless Networking

Appendix E Wireless Networking Basics

TERENA Technical Report. TF-Mobility. Inter-NREN roaming. Final Report. James Sankar UKERNA Klaas Wierenga - SURFnet

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Configuring 802.1X Settings on the WAP351

TopGlobal MB8000 Hotspots Solution

Protected EAP (PEAP) Application Note

Authentication and Security: IEEE 802.1x and protocols EAP based

New Windows build with WLAN access

COPYRIGHTED MATERIAL. Contents

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Configuring Authentication Types

Cisco Wireless LAN Controller Module

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

ENHANCING PUBLIC WIFI SECURITY

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

WLAN Security. Dr. Siwaruk Siwamogsatham. ThaiCERT, NECTEC

Aruba PEAP-GTC Supplicant Plug-In Guide

MCSA Guide to Networking with Windows Server 2016, Exam

Layered Access Control-Six Defenses That Work. Joel M Snyder Senior Partner Opus One, Inc.

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood

Selection of an EAP Authentication Method for a WLAN

Configuring L2TP over IPsec

Configuring the WMIC for the First Time

Mobility Workshop TERENA, Amsterdam March 06, Meeting report by: Licia FLORIO, TERENA March 12, Participants List

Aerohive Private PSK. solution brief

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP

Deliverable DJ Inter-NREN roaming technical specification document

b/g/n 1T1R Wireless USB Adapter. User s Manual

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Pulse Policy Secure X Network Access Control (NAC) White Paper

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Configuring the Client Adapter through Windows CE.NET

Rhodes University Wireless Network

Exam HP2-Z33 HP Unified Wired-Wireless Networks and BYOD Version: 6.2 [ Total Questions: 65 ]

WL 5011s g Wireless Network Adapter Client Utility User Guide

A Secure Wireless LAN Access Technique for Home Network

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

Wireless LANs Designing, Deploying, Managing and Securing an Enterprise Wireless Network

Ju-A A Lee and Jae-Hyun Kim

Wireless# Guide to Wireless Communications. Objectives

Wireless Domain Services FAQ

Cisco EXAM Implementing Cisco Unified Wireless Networking Essentials (IUWNE) Buy Full Product.

Layer 2 authentication on VoIP phones (802.1x)

802.1x Configuration. FSOS 802.1X Configuration

Interworking Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks ...

Using EAP-TTLS and WPA EAP-TTLS Authentication Security on a Wireless Zebra Tabletop Printer

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Selected Network Security Technologies

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

TABLE OF CONTENTS CHAPTER TITLE PAGE

Wireless technology Principles of Security

Cisco Securing Cisco Wireless Enterprise Networks (WISECURE) Download Full Version :

Information Technology Policy Board Members. SUBJECT: Update to County WAN/LAN Wireless Standards

Configuring the Client Adapter through the Windows XP Operating System

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Wireless Networking (hosted at

P ART 3. Configuring the Infrastructure

Transcription:

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author: Klaas Wierenga SURFnet bv P.O. Box 19035 3501 DA Utrecht The Netherlands e-mail: Klaas.Wierenga@SURFnet.nl Keywords: Mobility, authentication, 802.1X, Wireless LAN Abstract: Introduction Most institutions within the SURFnet constituency are deploying or have concrete plans to deploy wireless LAN (WLAN) services for their students and employees. At the same time there is an increasing awareness of the risks involved in deploying these kinds of services. SURFnet, in turn, has the ambition to provide an infrastructure for crossinstitutional (both nationally and internationally) roaming for wireless networks. This has led to a project at the University of Twente in which a secure solution for access to WLANs has been developed. It builds on the 802.1X standard for port based authentication for wired and wireless networks and allows for guest access to the WLAN. These activities are carried out in conjunction with the nationwide wireless testbed in the Freeband project and within the TERENA Taskforce on mobility. Requirements In order to select the best possible solution the following requirements were formulated: Identify users uniquely at the edge of the network. Session (identity) takeover is impossible Easy to install and use for the end-user Per-institution user subscription management

Low maintenance Easy to use for guests The home institution of a guest performs the authentication Use various authentication-mechanisms Support for common operating systems The solution is vendor independent Guaranteed interworking with the existing RADIUS based infrastructure SURFnet deploys for dial-in and ADSL access Traffic separation (for instance based on VLAN assignment) support Please note that these requirements reflect the fact that the resource to protect is the access to the network, not the data streams that ensue. The latter should be implemented as an end-to-end secure path from the device to the home network, for instance using a secure tunnel at the application layer. For the same reason encryption of the wireless path has not high priority. Various solutions There are a number of solutions for providing a wireless access infrastructure. The following have been investigated prior to selecting 802.1X: open network access, WEPbased, MAC-based, VPN-gateway and web-gateway based. They were dropped for reasons of low security or bad scalability. IEEE 802.1X The IEEE 802.1X standard for port based authentication is a layer 2 solution between client and wireless access point or switch. In the 802.1X framework authentication information is carried using the Extensible Authentication Protocol (EAP, RFC 2284), a protocol tha t enables the use of several authentication methods, currently MD5, TLS, TTLS, MS-CHAPv2, PEAP and SIM-card based. The communication between client and access point is encrypted using dynamic keys and uses a RADIUS backend, thereby making it both secure and scalable. The disadvantage of this solution is the relative novelty and the fact that (currently) client software is necessary on most platforms. Based on the possibility for secure guest access, scalability and the fact that 802.1X is also deployed in a number of wired pilots in the SURFnet constituency this solution was selected to pursue. The pilot The figure below shows the protocol stack of the 802.1X framework. Please note that on top of EAP the desired authentication method needs to be selected. Since username/password is considered to be weak authentication, the choice was between TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security) en PEAP (Protected EAP). At the time of selection PEAP, the protocol proposed by

Cisco and Microsoft, was not yet available. For this reason TLS and TTLS were chosen. Additional tests were done with authentication based on one time passwords sent by SMS, in combination with TTLS. TLS and TTLS both set up a TLS connection between client and access point, TLS using both client and server certificates, TTLS only server certificates. MD5 TLS TTLS PEAP MS-CHAPv2 Mobac- TTLS EAP 802.1X PPP 802.11 At the backend the existing RADIUS infrastructure of SURFnet has been used. The complete infrastructure looks as follows: Supplicant (client) Authenticator (access point) RADIUS server Institution A DB RADIUS server Institution B DB Internet Central RADIUS Proxy server When a user connects to the network he provides his credentials to the authenticator (the access point) that verifies this using the RADIUS backend. If the user is properly authenticated the access point lets the user traffic through. In case of guest use the RADIUS proxying mechanism makes sure that the EAP encapsulated credentials get transported towards the home RADIUS server, whether it is located nationally or internationally, where the user gets authenticated against the user database.

Results Clients In order for the client (supplicant in 802.1X terminology) to use 802.1X based authentication, the client OS needs to support EAP and the required authentication method. For the pilot EAP-TLS and EAP-TTLS were selected. TTLS because it doesn t require a PKI with end-user certificates and TLS for the case where such a PKI does exist. Currently the windows XP operating system supports EAP and TLS. For earlier windows versions EAP support is announced. In the project a TTLS module developed for SURFnet was distributed. Apart from this module there exist commercial clients that include both an EAP and TTLS or TLS stack. In the pilot Funk and Meetinghouse clients have been tested. For Apple systems commercial clients exist and for various Unix flavors there are public domain implementations. Access Points Most modern Access Points support 802.1X authentication or have announced this. In the pilot products from Cisco (350 and 1200) and Orinoco (AP2000) have been tested successfully. RADIUS servers The intermediate RADIUS server must be able to handle EAP messages and the final RADIUS server must also support the requested authentication method. In the pilot Radiator 3.3.1 was used. In cooperation with the creator of Radiator some bugs in the EAP implementation have been resolved.. Other RADIUS servers that support TTLS and TLS include Meetinghouse, FUNK Steel-Belted and FreeRADIUS (the latter just TLS). Switches In the project VLAN assignment at the University of Twente HP switches based on the provided credentials was successfully demonstrated. Usability One of the design criteria was the ease of use for the end-users. The pilot has shown that, once the user has installed the 802.1X client, use of the wireless network is handled seamless and transparent. In fact, it was found that there need to be stronger visual clues as to the nature of the connection, secure or insecure. The installation of the client-software is a bottleneck.the fact that Cisco and Microsoft have announced native PEAP-support promises ease of use for a large percentage of the users and suggests moving from TTLS to PEAP.

Security Security of Wireless LANs is a hot item. The ongoing stories about wardriving, WEPkey cracking and man-in-the-middle attacks have given a lot of system operators cold feet. The pilot shows that as long as a strong EAP capable protocol is used 802.1X provides a framework that gives a sufficient level of security for the intended purpose, i.e. access control to the network. For data integrity or privacy issues a number of wireless security extensions (WPA, TKIP, 802.11i etc.) have been proposed, that also build on the 802.1X framework. Conclusion The piloted solution is both scalable and seamless. With the proper EAP authentication protocol the solution is also secure for the intended purpose. SURFnet will require use of 802.1X authentication in the nation-wide wireless testbed that will be established in the Freeband project, thus stimulating the use of this technology instead of less secure (webbased) or less scalable (VPN) solutions. Apart from providing institutions a sufficiently secure and easy to deploy solution the large added benefit of this solution is the ease in deploying a nationally and even internationally solution for inter-institutional roaming. Acknowledgements: This abstract is based on information provided by the participants in the project: Sander Smit of the University of Twente, Tom Rixom of Alfa&Ariss and Erik Dobbelsteijn of SURFnet Innovation Management. Vitae: Klaas Wierenga has worked for 7 years at SURFnet. In his capacity as Innovation Manager he is responsible for a number of projects in the wireless and mobility area. He participates in the TERENA taskforce on mobility. References: More information about the project, including links to external sources of information can be found at the SURFnet 802.1X page: http://www.surfnet.nl/innovatie/wlan/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback