Implementing 802.1X Security Solutions for Wired and Wireless Networks
Jim Geier
Wiley Publishing, Inc.
Contents

Introduction  xxi

Part I  Concepts  1

Chapter 1  Network Architecture Concepts  3
  Computer Network Defined  3
  Network Components  4
    Client Devices  5
    Servers  5
    Network Hardware  7
      Switches and Hubs  7
      Routers  8
      Access Points  9
      Network Interface Cards  10
    Media  12
      Metallic Wire  12
      Optical Fiber  13
      Air  14
  Network Types  14
    Personal Area Networks  14
    Local Area Networks  16
    Metropolitan Area Networks  18
      Optical Fiber Infrastructure  18
      Wi-Fi Mesh  18
      WiMAX  19
    Wide Area Networks  20
  Logical Network Architecture  20
  IEEE 802 Standards  22
  Wireless Impairments  23
    Roaming Delays  23
    Coverage Holes  25
    RF Interference  28
  Addressing  29
  IEEE 802.11 Multicasting  30
    Setting the DTIM Interval  30

Chapter 2  Port-Based Authentication Concepts  33
  802.1X Port-Based Authentication Terminology  33
  Authentication Benefits  36
  Primary Components  38
    Supplicant  39
    Authenticator  39
    Authentication Server  39
    A Simple Analogy: Getting the Protocols Straight  40
  Port-Based Authentication Operation  42
    A Simple Analogy: Understanding the Overall System  42
    Supplicant to Authentication Server: EAP-Methods  44
    Supplicant to Authenticator: 802.1X / EAPOL  45
    Authenticator to Authentication Server: RADIUS  49
  A Historical Perspective  51

Part II  Standards and Protocols  53

Chapter 3  EAPOL Protocol  55
  EAPOL Recap  55
  EAPOL Encapsulation  56
  EAPOL Packet Structure  57
    Version Field  57
    Type Field  58
    Length Field  58
    Packet Body Field  59
  EAPOL Packet Types  59
    EAP-Packet  59
    EAPOL-Start  59
    EAPOL-Logoff  60
    EAPOL-Key  60
      Descriptor Type Field  61
      Descriptor Body Field for RC4  61
    EAPOL-Encapsulated-ASF-Alert  62
  EAP Packet Structure  63
    EAP Code Field  63
    EAP Identifier Field  63
    EAP Length Field  64
    EAP Data Field  64
  EAP Packet Types  64
    EAP-Request  65
    EAP-Response  65
      EAP Request/Response Types  65
    EAP-Success  66
    EAP-Failure  67
  802.3 Frame Structure  67
  802.11 Frame Structure  69

Chapter 4  RADIUS Protocols  71
  RADIUS Recap  71
  RADIUS Packet Structure  72
    Code Field  73
    Identifier Field  73
    Length Field  74
    Authenticator Field  74
      Request Authenticator  75
      Response Authenticator  75
    Attributes Field  76
  RADIUS Packet Types  76
    RADIUS Access-Request  76
    RADIUS Access-Challenge  77
    RADIUS Access-Accept  77
    RADIUS Access-Reject  78
    RADIUS Accounting-Request  78
    RADIUS Accounting-Response  79
  RADIUS Attributes  79
    RADIUS Attributes Format  79
      Type Field  80
      Length Field  82
      Value Field  82
    EAP-Message Attribute  82
    Message-Authenticator Attribute  83
    Password-Retry Attribute  84
    User-Name Attribute  85
    User-Password Attribute  85
    NAS-IP-Address Attribute  86
    NAS-Port Attribute  86
    Service-Type Attribute  87
    Vendor-Specific Attribute  88
      Vendor-ID Field  89
      String Field  89
    Session-Timeout Attribute  89
    Idle-Timeout Attribute  89
    Termination-Action Attribute  90
  Authentication Server Selection Considerations  90
    Attributes  91
    EAP-Methods  91

Chapter 5  EAP-Methods Protocol  93
  EAP-Methods Recap  93
  EAP-Method Encapsulation  94
  EAP-Method Packet Structure  95
    EAP-Method Type Field  95
    EAP-Method Data Field  96
  Original EAP-Method Types  98
    Identity  99
    Notification  100
    Legacy NAK  101
    Expanded NAK  103
    MD5-Challenge  105
      Value-Size Field  106
      Value Field  106
      Name Field  106
    One-Time Password  106
    Generic Token Card  107
    Expanded Types  107
      Vendor-ID Field  108
      Vendor-Type Field  108
    Experimental  108
  Additional EAP-Method Types  109
    EAP-TLS  109
    EAP-TTLS  111
    PEAP  112
    LEAP  112
    EAP-FAST  113
    EAP-SIM  113
    Wi-Fi Alliance Certification  113
  EAP-Method Selection Considerations  114
    Security Policies  114
    Existing Security Infrastructure  114
    Client Devices  114

Part III  Implementation  117

Chapter 6  Configuring Supplicants  119
  Supplicant Recap  119
  Choosing Supplicants  120
    Windows Authentication Client  121
    SecureW2  121
    Juniper Odyssey Access Client  121
    wpa_supplicant  122
    Open1X  123
  Common Supplicant Configuration Parameters  123
    802.1X Activation  123
  Configuring Windows XP 802.1X Wi-Fi Clients  123
  Configuring Windows XP 802.1X Ethernet Clients  127
  Configuring Client Radios  129
    Configuration Update Approaches  129
      Distributed Update Approach  129
      Centralized Update Approach  130
    Client Radio Settings  130
      IP Address  131
      Wireless Network Connection Properties  134
      Transmit Power  134
      Data Rate  135
      Wireless Modes  136
      Ad Hoc Channel  138
      Power Management  139
      Protection Mechanisms  140

Chapter 7  Configuring Authenticators  143
  Authenticator Recap  143
  Choosing Authenticators  145
    802.1X Support  145
    Authentication Server Support  146
    Miscellaneous Features  148
  Common Authenticator Configuration Parameters  148
    802.1X Activation  149
    RADIUS Server Identification  149
    Local Authentication Server Configuration  150
      Enable the Local Authentication Server  150
      Identify Authorized Access Points  151
      Identify Authorized Users  151
    Guest VLAN Configuration  152
    Port Activation  153
      Forced-Unauthorized  153
      Forced-Authorized  154
      Auto  154
    VLAN Identification  156
    Multiple MAC Address Support  156
    Retry Number  157
    Retry Timeout Value  157
    Quiet Period Value  158
    Re-authentication Activation  158
    Re-authentication Period Value  158
  Configuring Wireless Access Points  159
    IP Address  159
    SSID  160
    Radio Settings  161
      Transmit Power  161
      RF Channel  163
      Data Rates  164
      Preamble  165
      Beacon Period  165
      Fragmentation  165
  Authenticator Management  167
    Authenticator Administrative Interface  167
      Terminal Connection  167
      Web Browser Interface  168
      SNMP  169
    Administrator Access Control  169
    Authenticator MIB  169

Chapter 8  Configuring Authentication Servers  171
  Authentication Server Recap  171
  Choosing RADIUS Servers  172
    Commercial RADIUS Servers  172
    Open-Source RADIUS Servers  173
    Outsourcing RADIUS Functionality  173
  Installing RADIUS Software  174
    Review Release Notes  174
    Establish a Server  175
      System Requirements  175
      Physical Location  175
      Verify Network Connections  176
      Configure Administrator Account Access  176
      Security Tips  182
    Install the Software  183
  Common RADIUS Configuration Parameters  184
    Accessing RADIUS Configuration  184
    Configuring RADIUS Clients and Users  186
      Configuring RADIUS Clients  186
      Configuring RADIUS Users  187
    Configuring User Profiles  188
    Authentication Methods  188
      Native User Authentication  188
      Pass-Through Authentication  189
      Proxy RADIUS Authentication  189
    Concurrent Connections  189
    Shared Secret  190
    Replication  191
Chapter 9  Troubleshooting  193
  Troubleshooting Approaches  193
    Gather Information  194
    Find the Root Problem (and Fix It)  195
  Test Tools  195
    Viewing System Configuration  195
    Viewing System Statistics  196
    Debugging Processes  197
    Viewing Wireless Communications  197
      Signal Tester  197
      Spectrum Analyzer  199
      Packet Analyzer  199
  Network Connectivity Issues  200
    Network Interface Problems  200
      Faulty Client Cards  201
    Wireless Coverage Holes  202
    RF Interference  203
    Infrastructure Problems  203
  Supplicant Issues  204
    Missing Supplicant  204
      Missing Supplicant Behavior  205
      Peripheral Devices  206
      Hubs  207
    Bad Credentials  209
      Bad Credentials Behavior  210
    Incorrect EAP-Method  211
  Authenticator Issues  212
    No 802.1X Support  212
    802.1X Not Enabled  212
    RADIUS Server Address Incorrect  212
    EAP-Method Not Supported  213
  Authentication Server Issues  213
    Missing Authentication Server  213
      Missing Authentication Server Behavior  213
    Verifying the Authentication Server  215
  Guest Access Issues  215
    Local Visitor Problems  215
      Visitor with No Supplicant  216
      Visitor with Active Supplicant  216
        Visitor with Active Supplicant Behavior  217
    Remote Visitor Problems  219

Appendix  RFC 3748: Extensible Authentication Protocol (EAP)  221
  Extensible Authentication Protocol (EAP)  221
  Abstract  222
  Table of Contents  222
  1. Introduction  224
    1.1. Specification of Requirements  224
    1.2. Terminology  224
    1.3. Applicability  226
  2. Extensible Authentication Protocol (EAP)  227
    2.1. Support for Sequences  229
    2.2. EAP Multiplexing Model  229
    2.3. Pass-Through Behavior  231
    2.4. Peer-to-Peer Operation  232
  3. Lower Layer Behavior  234
    3.1. Lower Layer Requirements  234
    3.2. EAP Usage Within PPP  236
      3.2.1. PPP Configuration Option Format  237
    3.3. EAP Usage Within IEEE 802  237
    3.4. Lower Layer Indications  237
  4. EAP Packet Format  238
    4.1. Request and Response  239
    4.2. Success and Failure  241
    4.3. Retransmission Behavior  243
  5. Initial EAP Request/Response Types  244
    5.1. Identity  245
    5.2. Notification  247
    5.3. Nak  248
      5.3.1. Legacy Nak  248
      5.3.2. Expanded Nak  250
    5.4. MD5-Challenge  252
    5.5. One-Time Password (OTP)  253
    5.6. Generic Token Card (GTC)  254
    5.7. Expanded Types  255
    5.8. Experimental  257
  6. IANA Considerations  257
    6.1. Packet Codes  258
    6.2. Method Types  258
  7. Security Considerations  258
    7.1. Threat Model  258
    7.2. Security Claims  259
      7.2.1. Security Claims Terminology for EAP Methods  261
    7.3. Identity Protection  262
    7.4. Man-in-the-Middle Attacks  263
    7.5. Packet Modification Attacks  263
    7.6. Dictionary Attacks  264
    7.7. Connection to an Untrusted Network  265
    7.8. Negotiation Attacks  265
    7.9. Implementation Idiosyncrasies  265
    7.10. Key Derivation  266
    7.11. Weak Ciphersuites  268
    7.12. Link Layer  268
    7.13. Separation of Authenticator and Backend Authentication Server  269
    7.14. Cleartext Passwords  270
    7.15. Channel Binding  270
    7.16. Protected Result Indications  271
  8. Acknowledgements  273
  9. References  273
    9.1. Normative References  273
    9.2. Informative References  274
  Appendix A. Changes from RFC 2284  276
  Authors' Addresses  278
  Full Copyright Statement  279
  Intellectual Property  280
  Acknowledgement  280

Glossary  281

Index