Implementing 802.1X Security Solutions for Wired and Wireless Networks


Implementing 802.1X Security Solutions for Wired and Wireless Networks
Jim Geier
Wiley Publishing, Inc.

Contents

Introduction  xxi

Part I  Concepts  1

Chapter 1  Network Architecture Concepts  3
  Computer Network Defined  3
  Network Components  4
    Client Devices  5
    Servers  5
    Network Hardware  7
      Switches and Hubs  7
      Routers  8
      Access Points  9
      Network Interface Cards  10
    Media  12
      Metallic Wire  12
      Optical Fiber  13
      Air  14
  Network Types  14
    Personal Area Networks  14
    Local Area Networks  16
    Metropolitan Area Networks  18
      Optical Fiber Infrastructure  18
      Wi-Fi Mesh  18
      WiMAX  19
    Wide Area Networks  20
  Logical Network Architecture  20
  IEEE 802 Standards  22
  Wireless Impairments  23
    Roaming Delays  23
    Coverage Holes  25
    RF Interference  28
  Addressing  29
  IEEE 802.11 Multicasting  30
    Setting the DTIM Interval  30

Chapter 2  Port-Based Authentication Concepts  33
  802.1X Port-Based Authentication Terminology  33
  Authentication Benefits  36
  Primary Components  38
    Supplicant  39
    Authenticator  39
    Authentication Server  39
    A Simple Analogy: Getting the Protocols Straight  40
  Port-Based Authentication Operation  42
    A Simple Analogy: Understanding the Overall System  42
    Supplicant to Authentication Server: EAP-Methods  44
    Supplicant to Authenticator: 802.1X / EAPOL  45
    Authenticator to Authentication Server: RADIUS  49
  A Historical Perspective  51

Part II  Standards and Protocols  53

Chapter 3  EAPOL Protocol  55
  EAPOL Recap  55
  EAPOL Encapsulation  56
  EAPOL Packet Structure  57
    Version Field  57
    Type Field  58
    Length Field  58
    Packet Body Field  59
  EAPOL Packet Types  59
    EAP-Packet  59
    EAPOL-Start  59
    EAPOL-Logoff  60
    EAPOL-Key  60
      Descriptor Type Field  61
      Descriptor Body Field for RC4  61
    EAPOL-Encapsulated-ASF-Alert  62
  EAP Packet Structure  63
    EAP Code Field  63
    EAP Identifier Field  63
    EAP Length Field  64
    EAP Data Field  64
  EAP Packet Types  64
    EAP-Request  65
    EAP-Response  65
    EAP Request/Response Types  65
    EAP-Success  66
    EAP-Failure  67
  802.3 Frame Structure  67
  802.11 Frame Structure  69

Chapter 4  RADIUS Protocols  71
  RADIUS Recap  71
  RADIUS Packet Structure  72
    Code Field  73
    Identifier Field  73
    Length Field  74
    Authenticator Field  74
      Request Authenticator  75
      Response Authenticator  75
    Attributes Field  76
  RADIUS Packet Types  76
    RADIUS Access-Request  76
    RADIUS Access-Challenge  77
    RADIUS Access-Accept  77
    RADIUS Access-Reject  78
    RADIUS Accounting-Request  78
    RADIUS Accounting-Response  79
  RADIUS Attributes  79
    RADIUS Attributes Format  79
      Type Field  80
      Length Field  82
      Value Field  82
    EAP-Message Attribute  82
    Message-Authenticator Attribute  83
    Password-Retry Attribute  84
    User-Name Attribute  85
    User-Password Attribute  85
    NAS-IP-Address Attribute  86
    NAS-Port Attribute  86
    Service-Type Attribute  87
    Vendor-Specific Attribute  88
      Vendor-ID Field  89
      String Field  89
    Session-Timeout Attribute  89
    Idle-Timeout Attribute  89
    Termination-Action Attribute  90
  Authentication Server Selection Considerations  90
    Attributes  91
    EAP-Methods  91

Chapter 5  EAP-Methods Protocol  93
  EAP-Methods Recap  93
  EAP-Method Encapsulation  94
  EAP-Method Packet Structure  95
    EAP-Method Type Field  95
    EAP-Method Data Field  96
  Original EAP-Method Types  98
    Identity  99
    Notification  100
    Legacy NAK  101
    Expanded NAK  103
    MD5-Challenge  105
      Value-Size Field  106
      Value Field  106
      Name Field  106
    One-Time Password  106
    Generic Token Card  107
    Expanded Types  107
      Vendor-ID Field  108
      Vendor-Type Field  108
    Experimental  108
  Additional EAP-Method Types  109
    EAP-TLS  109
    EAP-TTLS  111
    PEAP  112
    LEAP  112
    EAP-FAST  113
    EAP-SIM  113
  Wi-Fi Alliance Certification  113
  EAP-Method Selection Considerations  114
    Security Policies  114
    Existing Security Infrastructure  114
    Client Devices  114

Part III  Implementation  117

Chapter 6  Configuring Supplicants  119
  Supplicant Recap  119
  Choosing Supplicants  120
    Windows Authentication Client  121
    SecureW2  121
    Juniper Odyssey Access Client  121
    wpa_supplicant  122
    Open1X  123
  Common Supplicant Configuration Parameters  123
    802.1X Activation  123
  Configuring Windows XP 802.1X Wi-Fi Clients  123
  Configuring Windows XP 802.1X Ethernet Clients  127
  Configuring Client Radios  129
    Configuration Update Approaches  129
      Distributed Update Approach  129
      Centralized Update Approach  130
    Client Radio Settings  130
      IP Address  131
      Wireless Network Connection Properties  134
      Transmit Power  134
      Data Rate  135
      Wireless Modes  136
      Ad Hoc Channel  138
      Power Management  139
      Protection Mechanisms  140

Chapter 7  Configuring Authenticators  143
  Authenticator Recap  143
  Choosing Authenticators  145
    802.1X Support  145
    Authentication Server Support  146
    Miscellaneous Features  148
  Common Authenticator Configuration Parameters  148
    802.1X Activation  149
    RADIUS Server Identification  149
    Local Authentication Server Configuration  150
      Enable the Local Authentication Server  150
      Identify Authorized Access Points  151
      Identify Authorized Users  151
    Guest VLAN Configuration  152
    Port Activation  153
      Forced-Unauthorized  153
      Forced-Authorized  154
      Auto  154
    VLAN Identification  156
    Multiple MAC Address Support  156
    Retry Number  157
    Retry Timeout Value  157
    Quiet Period Value  158
    Re-authentication Activation  158
    Re-authentication Period Value  158
  Configuring Wireless Access Points  159
    IP Address  159
    SSID  160
    Radio Settings  161
      Transmit Power  161
      RF Channel  163
      Data Rates  164
      Preamble  165
      Beacon Period  165
      Fragmentation  165
  Authenticator Management  167
    Authenticator Administrative Interface  167
      Terminal Connection  167
      Web Browser Interface  168
      SNMP  169
    Administrator Access Control  169
    Authenticator MIB  169

Chapter 8  Configuring Authentication Servers  171
  Authentication Server Recap  171
  Choosing RADIUS Servers  172
    Commercial RADIUS Servers  172
    Open-Source RADIUS Servers  173
    Outsourcing RADIUS Functionality  173
  Installing RADIUS Software  174
    Review Release Notes  174
    Establish a Server  175
      System Requirements  175
      Physical Location  175
      Verify Network Connections  176
      Configure Administrator Account Access  176
      Security Tips  182
    Install the Software  183
  Common RADIUS Configuration Parameters  184
    Accessing RADIUS Configuration  184
    Configuring RADIUS Clients and Users  186
      Configuring RADIUS Clients  186
      Configuring RADIUS Users  187
      Configuring User Profiles  188
    Authentication Methods  188
      Native User Authentication  188
      Pass-Through Authentication  189
      Proxy RADIUS Authentication  189
    Concurrent Connections  189
    Shared Secret  190
    Replication  191

Chapter 9  Troubleshooting  193
  Troubleshooting Approaches  193
    Gather Information  194
    Find the Root Problem (and Fix It)  195
  Test Tools  195
    Viewing System Configuration  195
    Viewing System Statistics  196
    Debugging Processes  197
    Viewing Wireless Communications  197
      Signal Tester  197
      Spectrum Analyzer  199
      Packet Analyzer  199
  Network Connectivity Issues  200
    Network Interface Problems  200
      Faulty Client Cards  201
      Wireless Coverage Holes  202
      RF Interference  203
    Infrastructure Problems  203
  Supplicant Issues  204
    Missing Supplicant  204
      Missing Supplicant Behavior  205
      Peripheral Devices  206
      Hubs  207
    Bad Credentials  209
      Bad Credentials Behavior  210
    Incorrect EAP-Method  211
  Authenticator Issues  212
    No 802.1X Support  212
    802.1X Not Enabled  212
    RADIUS Server Address Incorrect  212
    EAP-Method Not Supported  213
  Authentication Server Issues  213
    Missing Authentication Server  213
      Missing Authentication Server Behavior  213
      Verifying the Authentication Server  215
  Guest Access Issues  215
    Local Visitor Problems  215
      Visitor with No Supplicant  216
      Visitor with Active Supplicant  216
        Visitor with Active Supplicant Behavior  217
    Remote Visitor Problems  219

Appendix  RFC 3748: Extensible Authentication Protocol (EAP)  221
  Extensible Authentication Protocol (EAP)  221
  Abstract  222
  Table of Contents  222
  1. Introduction  224
    1.1. Specification of Requirements  224
    1.2. Terminology  224
    1.3. Applicability  226
  2. Extensible Authentication Protocol (EAP)  227
    2.1. Support for Sequences  229
    2.2. EAP Multiplexing Model  229
    2.3. Pass-Through Behavior  231
    2.4. Peer-to-Peer Operation  232
  3. Lower Layer Behavior  234
    3.1. Lower Layer Requirements  234
    3.2. EAP Usage Within PPP  236
      3.2.1. PPP Configuration Option Format  237
    3.3. EAP Usage Within IEEE 802  237
    3.4. Lower Layer Indications  237
  4. EAP Packet Format  238
    4.1. Request and Response  239
    4.2. Success and Failure  241
    4.3. Retransmission Behavior  243
  5. Initial EAP Request/Response Types  244
    5.1. Identity  245
    5.2. Notification  247
    5.3. Nak  248
      5.3.1. Legacy Nak  248
      5.3.2. Expanded Nak  250
    5.4. MD5-Challenge  252
    5.5. One-Time Password (OTP)  253
    5.6. Generic Token Card (GTC)  254
    5.7. Expanded Types  255
    5.8. Experimental  257
  6. IANA Considerations  257
    6.1. Packet Codes  258
    6.2. Method Types  258
  7. Security Considerations  258
    7.1. Threat Model  258
    7.2. Security Claims  259
      7.2.1. Security Claims Terminology for EAP Methods  261
    7.3. Identity Protection  262
    7.4. Man-in-the-Middle Attacks  263
    7.5. Packet Modification Attacks  263
    7.6. Dictionary Attacks  264
    7.7. Connection to an Untrusted Network  265
    7.8. Negotiation Attacks  265
    7.9. Implementation Idiosyncrasies  265
    7.10. Key Derivation  266
    7.11. Weak Ciphersuites  268
    7.12. Link Layer  268
    7.13. Separation of Authenticator and Backend Authentication Server  269
    7.14. Cleartext Passwords  270
    7.15. Channel Binding  270
    7.16. Protected Result Indications  271
  8. Acknowledgements  273
  9. References  273
    9.1. Normative References  273
    9.2. Informative References  274
  Appendix A. Changes from RFC 2284  276
  Authors' Addresses  278
  Full Copyright Statement  279
  Intellectual Property  280
  Acknowledgement  280

Glossary  281

Index