DOCSLIB.ORG

Migrating Your LAN to IEEE 802.1X

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Migrating Your LAN to IEEE 802.1X Migrating Your LAN to IEEE 802.1X Gaweł Mikołajczyk [email protected] Consulting Systems Engineer, Emerging Markets East CCIE #24987, CISSP-ISSAP Session Objectives At the end of the session, you should understand: • How 802.1X works • The benefits of deploying 802.1X • How to configure and deploy 802.1X using Cisco switches, ACS 5.1 and various supplicants. • How to integrate existing technologies such as IP telephony, guest access, PXE, etc • The value and application of deployment scenarios • How to make this work when you get back to your lab You should also: • Provide us with feedback! Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 Identity and Authentication Overview Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Why Identity Is Important Who are you? 1 802.1X (or supplementary method) Keep the authenticates the user Outsiders Out Where can you go? Keep the 2 Based on authentication, user is Insiders placed in correct VLAN Honest What service level to you receive? Personalize 3 The user can be given per-user the Network services (ACLs today, more to come) What are you doing? Increase 4 The user‘s identity and location can Network be used for tracking and accounting Visibility Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 IEEE 802.1X: The Foundation of Identity EAP over LAN RADIUS R A (EAPoL) D I U S Supplicant Authenticator (802.1X Client) (e.g. Switch, Authentication Access Point) Server IEEE 802.1 working group standard Provides port-based access control using authentication Enforcement via MAC- Defines encapsulation for based filtering and port- Extensible Authentication state monitoring Protocol (EAP) over IEEE 802 media— ―EAPoL‖ Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Default Port State without 802.1X No Authentication Required No visibility No Access Control ? ? USER Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6 Default Security with 802.1X Before Authentication No visibility (yet) Strict Access Control One Physical Port ->Two Virtual ports Uncontrolled port (EAPoL only) Controlled port (everything else) ? ? interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator USER ALL traffic except EAPoL is dropped Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7 Default Security with 802.1X After Authentication User/Device is Known Identity-based Access Control • Single MAC per port Looks the same as without 802.1X interface fastEthernet 3/48 authentication port-control auto dot1x pae authenticator ? Having read your mind Sally, Authenticated User: Sally that is true, unless you apply Authenticated Machine: XP-ssales-45 an authorization, access is wide open. We can restrict access via dynamic VLAN assignment or downloadable ACLs Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 8 Identity and Authentication 802.1X, EAP, and RADIUS Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 A Closer Look at 802.1X Supplicant Authentication Server Authenticator SSC Layer 2 Point-to-Point Layer 3 Link EAPoL Start Port Unauthorized EAP ID-Request EAP ID-Response RADIUS Access-Request [AVP: EAP-Response: Alice] RADIUS Access-Challenge EAP-Request:PEAP [AVP: EAP-Request PEAP] Multiple Challenge- EAP-Response: PEAP Request RADIUS Access-Request Exchanges [AVP: EAP-Response: PEAP] Possible RADIUS Access-Accept [AVP: EAP Success] EAP Success [AVP: VLAN 10, dACL-nnn] Port Authorized EAPoL Logoff Port Unauthorized Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 10 What Does EAP Do? . Establishes and manages connection . Allows authentication by encapsulating various types of authentication exchanges • Actual authentication exchanges are called EAP Methods . Provides a flexible link layer security framework • Can run over any link layer (PPP, 802, etc.) . Defined by RFC 3748 EAP Payload EAP Payload R RADIUS A D 802.1X Header UDP I U Ethernet Header IP Header S Supplicant Authenticator Authentication Server Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 11 EAP Authentication Methods • MD5: uses MD5 based challenge-response for authentication Challenge- • LEAP: username/password authentication response-based • EAP-MSCHAPv2: username/password MSCHAPv2 challenge- response authentication Cryptographic- • EAP-TLS: x.509 v3 PKI certificates and the TLS mechanism for based authentication • PEAP: encapsulates other EAP types in an encrypted tunnel Tunneling • EAP-TTLS: encapsulates other EAP types in an encrypted tunnel methods • EAP-FAST: designed to not require client certificates • EAP-GTC: generic token and OTP authentication Other • EAP-SIM : SIM-based authentication Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 12 Tunneling Methods . Some EAP methods setup an encrypted tunnel and pass credentials through the tunnel . Anonymous outer identity - Provides the ability to completely obfuscate the user‘s credentials SSC / ACS – Yes Windows Native / IAS - No . Some EAP methods require an EAP method inside the tunnel (PEAP and FAST) . Some EAP methods do not require an EAP method inside the tunnel (TTLS) – used with legacy RADIUS Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13 EAP Protocols: Feature Support EAP-TLS PEAP EAP-FAST Single Sign-on Yes Yes Yes Login Scripts (Active Directory) Yes Yes Yes Password Expiration (AD) N/A Yes Yes SSC, XP, Win7 SSC, XP, Win7 SSC, Win7 and Client and OS Availability and Others and Others Others MS DB Support Yes Yes Yes LDAP DB Support Yes Yes Yes OTP Support No Yes Yes Off-line Dictionary Attacks No No No Server Certificates Required Yes Yes No Client Certificates Required Yes No No Computing Impact High Medium Low Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 14 Factors that Drive EAP Method Use as many methods as needed depending on devices Enterprise • Certificate Authority deployment may drive EAP type • Two factor authentication may require EAP-TLS security policy • Security vs. Convenience Trade-offs • Windows supports EAP-TLS, PEAP w/EAP- MSCHAPv2, PEAP w/EAP-TLS Client support • 3rd party supplicants support a large variety of EAP types, but not all Authentication • RADIUS servers support a large variety of EAP types, server support but not all • PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in Identity store MSCHAPv2 format • Not every identity store supports all the EAP types Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15 Identity & Authentication: Who (or What) Authenticates? Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Problem Statement . Who should the network authenticate ? A user using a device A device Both the user and the device . Device boot process and network connectivity assumption Boot without using network resource - Standalone Boot from the network – Xterm, NetPC, PXE Boot and use network resources – networked Network File System Managed devices : Connection to LDAP, Active Directory Device health check : Patch level checker, Central AV system Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 17 Example: Network Assumption Microsoft Windows Certificate Auto Enrollment Kernel Loading Time Synchronization Windows HAL Loading Dynamic DNS Update Device Driver Loading GINA Power On Kerberos Auth Inherent Assumption of (User Account) Network Connectivity Obtain Network Address Earliest Network (Static, DHCP) Connectivity with Determine Site and DC User Auth Only (DNS, LDAP) User GPOs Loading (Async) Establish Secure GPO based Logon Channel to AD Script Execution (SMB) (LDAP, SMB) Kerberos Authentication GPO based Startup (Machine Account) Script Execution Computer GPOs Loading (Async) Components that depend on Components broken with network connectivity 802.1X user authentication only Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 18 802.1X Device and User authentication . User authentication ONLY Possible when no dependency of the device used regarding network resources Can run user script to access network resources post login. Be careful, this can breaks Microsoft group and system policies . Device authentication ONLY Mandatory as soon as exist dependency of Network resources Authorization is link to the device; not the user using the device . Device and User Authorization is highly flexible Advanced features needed on supplicants Synchronization needed with others applications & process on the client PC : DHCP, DNS, NFS, etc.. Switches contexts when going from one to the other Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 19 MICROSOFT Windows Example User and Device Authentication User Authentication Setup Load Apply Windows 802.1X Power Secure Update Present NDIS DHCP Computer Domain User Up Channel GPOs GINA Drivers GPOs Auth to DC Auth * No Connectivity to Domain Controller Until User Logs In Machine Authentication Setup Load 802.1X Apply Windows Power Secure Update Present NDIS Machine DHCP ComputerCompute Domain Up Channel GPOs GINA drivers Auth rGPOs GPOs Auth to DC * 802.1X Early in Boot Process User + Machine Authentication Setup Load 802.1X Apply Power Secure Update Present Windows 802.1X NDIS Machine DHCP Computer DHCP Up Channel
Load more

Recommended publications
  • Secure Device Bootstrapping with the Nimble out of Band Authentication Protocol
    Raghavendra Mudugodu Seetarama Secure Device Bootstrapping with the Nimble Out of Band Authentication Protocol School of Electrical Engineering Thesis submitted for examination for the degree of Master of Science in Technology. Espoo 14.05.2017 Thesis supervisor: Prof. Tuomas Aura Thesis advisor: Mohit Sethi, D.Sc. (Tech.) aalto university abstract of the school of electrical engineering master’s thesis Author: Raghavendra Mudugodu Seetarama Title: Secure Device Bootstrapping with the Nimble Out of Band Authentication Protocol Date: 14.05.2017 Language: English Number of pages: 8+63 Department of Computer Science Professorship: Secure Systems Code: S-55 Supervisor: Prof. Tuomas Aura Advisor: Mohit Sethi, D.Sc. (Tech.) The smart personal and business appliances which form the Internet of Things are expected to become ubiquitous and to make our daily life more convenient. Most of these devices are connected though wireless networks to cloud-based online ser- vices. However, such devices may be vulnerable to various attacks which could compromise the users’ security and privacy and even cause physical harm. There- fore, securing the network connection for the devices is of utmost importance. In order to secure the network connections, the devices need to be configured with the necessary keys and other connection parameters. There is not yet any widely adopted generic solution for this secure bootstrapping. One proposed solution is out-of-band (OOB) authentication with a protocol called EAP-NOOB, which is a new method for the EAP and IEEE 802.1X authentication framework. The goal of this thesis is to build a prototype of the EAP-NOOB protocol and deploy the prototype to test it with the real-world scenarios.
    [Show full text]
  • Why Wireless? What Makes Wireless Networks Different a Network by Any Other Name
    802.11® Wireless Networks The Definitive Guide By Matthew Gast ............................................... Publisher: O'Reilly Pub Date: April 2005 ISBN: 0-596-10052-3 Pages: 656 Table of Contents | Index As we all know by now, wireless networks offer many advantages over fixed (or wired) networks. Foremost on that list is mobility, since going wireless frees you from the tether of an Ethernet cable at a desk. But that's just the tip of the cable-free iceberg. Wireless networks are also more flexible, faster and easier for you to use, and more affordable to deploy and maintain. The de facto standard for wireless networking is the 802.11 protocol, which includes Wi-Fi (the wireless standard known as 802.11b) and its faster cousin, 802.11g. With easy-to-install 802.11 network hardware available everywhere you turn, the choice seems simple, and many people dive into wireless computing with less thought and planning than they'd give to a wired network. But it's wise to be familiar with both the capabilities and risks associated with the 802.11 protocols. And 802.11 Wireless Networks: The Definitive Guide, 2nd Edition is the perfect place to start. This updated edition covers everything you'll ever need to know about wireless technology. Designed with the system administrator or serious home user in mind, it's a no-nonsense guide for setting up 802.11 on Windows and Linux. Among the wide range of topics covered are discussions on: deployment considerations network monitoring and performance tuning wireless security issues how to use and select access points network monitoring essentials wireless card configuration security issues unique to wireless networks With wireless technology, the advantages to its users are indeed plentiful.
    [Show full text]
  • Radiator EAP-SIM Support
    June 16, 2016 Radiator EAP-SIM, EAP-AKA Radiator and EAP-AKA’ Support Copyright (C) 2003-2016 Open System Consultants Pty. Ltd. White paper discussing EAP-SIM, EAP-AKA and EAP-AKA’ authentication support for Radiator. For Radiator SIM support version 2.0 1.0 Introduction This document describes the EAP-SIM, EAP-AKA and EAP-AKA’ authentication stan- dard for Wireless LANs, and outlines the support for EAP-SIM, EAP-AKA and EAP- AKA’ authentication available with Radiator, the full source Radius server from Open System Consultants (www.open.com.au/radiator). Note: See the separate Radiator 3GPP AAA Server white paper for more information about using Radiator as a 3GPP AAA Server. Radius is the de-facto standard protocol for authenticating users and for recording accounting information for wireless and wired LANs. See RFCs 2865 and 2866 for more details on the Radius protocol. EAP is the Extensible Authentication Protocol, which can be used to create new types of authentication protocols for Radius. See RFCs 3748 and 2869 for more details on EAP authentication for Radius. These new types of authentication are commonly used in Wireless LAN systems. EAP-SIM is an EAP authentication protocol, designed for use with existing GSM mobile telephone authentication systems and SIMs (Subscriber Identity Modules) for mobile phones. The EAP-SIM standard allows Wireless LAN users to authenticate access to a Wireless LAN network using a mobile phone SIM card. EAP-AKA is an EAP authentication protocol, designed for use with 3GPP authentica- tion system and USIM (Universal Subscriber Identity Modules) cards for mobile phones.
    [Show full text]
  • Understanding WPA Supplicant
    Understanding WPA Supplicant Chaitanya Ganoo 08-03-2009 Introduction • Q: What is WPA Supplicant? • It is the IEEE 802.1X/WPA component in the client stations. • Q: What is wpa_supplicant? • It is an implementation of the WPA Supplicant component from the HostAP project. • Runs on Linux, BSD, MAC OS X and Windows. • In nature, it is a daemon program and acts as the backend component controlling wireless connection (in the client). • Q: What are the alternatives to wpa_supplicant? • XSupplicant from the Open1X project. • Microsoft Windows XP+ and Mac OS X have built-in pre-compiled supplicants. • Aegis (now CSSC- Cisco Secure Services Client) by Cisco. • Odyssey by Juniper networks. • SecureW2 by SecureW2 Introduction The bigger picture: • HostAP project aims to transform linux boxes into clients, Access Points and Authentication Servers supporting IEEE 802.11i • Code written by Jouni Malinen. 1. hostAP Linux driver for Conexant (formerly Intersil) Prism chipsets. 2. wpa_supplicant runs on clients which can typically be laptop computers or embedded systems. 3. Hostapd is a user space daemon for APs and Authentication Servers. Functionality Q: What does wpa_supplicant exactly do? 1. Requests kernel driver to scan neighboring BSSes. 2. Selects a BSS based on its configuration. 3. Request kernel driver to associate with the chosen BSS. 4. If WPA -PSK : Uses PSK as MSK. 5. If WPA-Enterprise: Integrated IEEE 802.1X Supplicant completes EAP authentication with the Authentication server (proxied by the Authenticator) and through this MSK is received form the IEEE 802.1X supplicant. 6. Now wpa_supplicant completes 4–Way Handshake and Group Key Handshake with the authenticator.
    [Show full text]
  • Non-Binary Authentication: Supplicant
    Non-binary Authentication: Supplicant HENGCHONG ZHANG KTH Information and Communication Technology Master of Science Thesis Stockholm, Sweden 2009 COS/CCS 2009-01 Non-binary Authentication: Supplicant Hengchong Zhang [email protected] Supervisor and Examiner: Professor Gerald Q. Maguire Jr. Master of Science Thesis Department of Communication Systems School of Information and Communication Technology Royal Institute of Technology (KTH) Stockholm, Sweden February 24th, 2009 Abstract There are a number of authentication methods for wireless local area networks. The IEEE 802.1x standard is one such method. This standard specifies a port-based access control protocol. There are three entities involved: a supplicant (a device that wishes to have network access and perhaps other services), an Access Point (AP) or other port to which access is to be controlled, and an Authentication Server (AS). The goal of this project was to design, implement, and evaluate a prototype of a non-binary alternative to IEEE 802.1x authentication. This report focuses on the supplicant. Specifically it describes the design, implementation, and evaluation of a supplicant program to test and stress the authenticator, in order to evaluate a non-binary authentication process. Following, a brief introduction is given to the problem that is to be solved, a number of existing IEEE 802.1x supplicants are described and compared. Following this, a number of potential non-binary authentication processes are analyzed. The ability of a supplicant to send and receive packets before and after authentication is also examined. Based upon our implementation and evaluation of a supplicant and an emulation of the non-binary authentication process, we conclude that non-binary authentication is both feasible and valuable.
    [Show full text]
  • The SU1X 802.1X Configuration Deployment Tool
    Published on Jisc community (https://community.jisc.ac.uk) Home > Network and technology service docs > eduroam > Info for sys admins and implementers > The SU1X 802.1X Configuration Deployment Tool The SU1X 802.1X Configuration Deployment Tool The SU1X 802.1X Configuration Deployment Tool Configuring Windows supplicant software is not technically a difficult task, even with the additional complication of including details about an institutional RADIUS server certificate or certificate distribution. However users are generally students and staff who don’t have much knowledge about or interest in wireless networks or login mechanisms. For such users, configuring devices properly for use on 802.1X networks can be difficult. Due to the nature of the many different configuration options, step by step instruction guides, even with screen- shots, can be quite daunting for the average user who does not wish to know about wireless ciphers; username including realm; domain blank; roaming identity; authentication type: EAP TTLS/PAP, EAP TTLS/MSCHAP, PEAP/MSCHAPv2; RADIUS server certificate validation; RADIUS server name. A major step has now been taken towards solving at least this latter problem of wide scale deployment of 802.1X configuration on Windows devices. Janet is pleased to have supported the development of the open source SU1X 802.1X Configuration Deployment Tool developed by Gareth Ayres at Swansea University in association with Loughborough University. The SU1X Tool is now for available for general use by network managers and can be freely downloaded, complete with comprehensive documentation. [1] The zip file contains a package including: two executables su1x-setup.exe and getprofile.exe; readme file; User Guide; Case Study.
    [Show full text]
  • 802.1X Port-Based Authentication HOWTO 1
    802.1X Port-Based Authentication HOWTO 1 802.1X Port-Based Authentication HOWTO Lars Strand 2004-08-18 Revision History Revision 1.0 2004-10-18 Revised by: LKS Initial Release, reviewed by TLDP. Revision 0.2b 2004-10-13 Revised by: LKS Various updates. Thanks to Rick Moen for language Lars Strand 2 review. Revision 0.0 2004-07-23 Revised by: LKS Initial draft. This document describes the software and procedures to set up and use IEEE 802.1X Port-Based Network Access Control using Xsupplicant as Supplicant with FreeRADIUS as a back-end Authentication Server. ----- Table of Contents 1. Introduction 1.1. What is 802.1X? 1.2. What is 802.11i? 1.3. What is EAP? 1.4. EAP authentication methods 1.5. What is RADIUS? 2. Obtaining Certificates 3. Authentication Server: Setting up FreeRADIUS 3.1. Installing FreeRADIUS 3.2. Configuring FreeRADIUS 4. Supplicant: Setting up Xsupplicant 4.1. Installing Xsupplicant Lars Strand 3 4.2. Configuring Xsupplicant 5. Authenticator: Setting up the Authenticator (Access Point) 5.1. Access Point 5.2. Linux Authenticator 6. Testbed 6.1. Testcase 6.2. Running some tests 7. Note about driver support and Xsupplicant 8. FAQ 9. Useful Resources 10. Copyright, acknowledgments and miscellaneous 10.1. Copyright and License 10.2. How this document was produced 10.3. Feedback 10.4. Acknowledgments A. GNU Free Documentation License A.1. PREAMBLE A.2. APPLICABILITY AND DEFINITIONS Lars Strand 4 A.3. VERBATIM COPYING A.4. COPYING IN QUANTITY A.5. MODIFICATIONS A.6. COMBINING DOCUMENTS A.7. COLLECTIONS OF DOCUMENTS A.8.
    [Show full text]
  • 802.1X Port-Based Authentication HOWTO
    802.1X Port−Based Authentication HOWTO Lars Strand <lars strand (at) gnist org> 2004−08−18 Revision History Revision 1.0 2004−10−18 Revised by: LKS Initial Release, reviewed by TLDP. Revision 0.2b 2004−10−13 Revised by: LKS Various updates. Thanks to Rick Moen <rick (at) linuxmafia com> for language review. Revision 0.0 2004−07−23 Revised by: LKS Initial draft. This document describes the software and procedures to set up and use IEEE 802.1X Port−Based Network Access Control using Xsupplicant as Supplicant with FreeRADIUS as a back−end Authentication Server. 802.1X Port−Based Authentication HOWTO Table of Contents 1. Introduction.....................................................................................................................................................1 1.1. What is 802.1X?................................................................................................................................1 1.2. What is 802.11i?...............................................................................................................................3 1.2.1. WEP.........................................................................................................................................3 1.2.2. 802.11i.....................................................................................................................................3 1.2.3. Key Management....................................................................................................................3 1.2.4. TSN (WPA) / RSN (WPA2)...................................................................................................5
    [Show full text]
  • Session Hijacking Attacks in Wireless Local Area Networks
    Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2004-03 Session hijacking attacks in wireless local area networks Onder, Hulusi Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/1641 MONTEREY, CALIFORNIA THESIS SESSION HIJACKING ATTACKS IN WIRELESS LOCAL AREA NETWORKS by Hulusi ONDER March 2004 Thesis Advisor: Geoffrey XIE Second Reader: John GIBSON Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED March 2004 Master’s Thesis 4. TITLE AND SUBTITLE: Session Hijacking attacks in Wireless Local Area 5. FUNDING NUMBERS Networks 6. AUTHOR Hulusi ONDER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING Naval Postgraduate School ORGANIZATION REPORT Monterey, CA 93943-5000 NUMBER 9. SPONSORING /MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING AGENCY REPORT NUMBER 11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S.
    [Show full text]
  • Korisničko Uputstvo Za Instalaciju I Podešavanje Securew2 Programa
    Korisničko uputstvo za instalaciju i podešavanje securew2 programa za pristup eduroam servisu Termin supplicant se koristi u IEEE 802.1X standardu. U širem značenju, ovaj termin predstavlja entitet (korisnik ili uređaj) koji zahteva da bude autentifikovan u datom sistemu. U praksi, supplicant je program koji je instaliran na korisnikovom računaru. Korisniku je potreban supplicant program kako bi na siguran način pristupio datim mrežnim resursima i uz pomoć neophodnih podataka (npr. korisničkog imena i lozinke) izvršio proces autentifikacije. Supplicant program je u većini slučajeva neophodan, jer standardne distribucije operativnih sistema nemaju podršku za korišćenje protokola koji omogućavaju visok stepen zaštite pri komunikaciji. Supplicant programi koji su danas najviše u upotrebi su: SecureW2 (napravljen od strane SecuereW2 organizacije), Aegis (Cisco), Odyssey (Juniper Networks), wpa_supplicant i Xsupplicant. SecureW2 U ovom dokument biće opisan rad sa SecureW2 programom koji trenutno pruža podršku samo za Windows platformu (Windows XP Service Pack 2 (minimum), Windows Vista, Windows 7 i Windows Mobile). SecureW2 EapSuite je projekat koji dodaje EAP (Extensible Authentication Protocol ) metode na Windows platformu. Sigurnost korišćenja EAP metoda sastoji se u stvaranju TLS (Transport Layer Security ) tunela između korisnika i servera koji vrši autentifikaciju. Dati tunel se stvara pre slanja korisnikovih identifikacionih podataka (korisničko ime i lozinka), čime se postiže zaštita poslatih identifikacionih podataka. Takođe je moguće i verifikovati autentifikacioni server na osnovu datih sertifikata. Trenutno, EAP Suite podržava sledeće protokole: EAP-TTLS, EAP-GTC, EAP-PEAP (verzije 0 i 1) i EAP-SIM. Za AMRES korisnike, obezbeđena je verzija Securew2 programa sa određenim predefinisanim parametrima specifičnim za AMRES eduroam servis. Ova verzija programa se može preuzeti na adresi www.eduroam.ac.rs/downloads/SecureW2_AMRES.exe .
    [Show full text]
  • Mobile Ad-Hoc Wireless Access in Academia (MAWAA) Project
    Mobile Ad-Hoc Wireless Access in Academia (MAWAA) Project Towards Seamless Wireless Mobility for UK Academic Networks Project Summary Report 3: Deployment Experience Editor: Dr T J Chown School of Electronics and Computer Science, University of Southampton, Southampton, SO17 1BJ, United Kingdom [email protected] Version 1.0 30 June 2004 The MAWAA project was funded by the Joint Information Systems Committee (JISC) Mobile Ad-Hoc Wireless Access in Academia (MAWAA) Report 3: Deployment Experience Contents 1 INTRODUCTION ...................................................................................................3 1.1 MAWAA PROJECT REPORTS............................................................................... 3 1.2 DEPLOYMENT EXPERIENCE................................................................................. 3 2 CHOICE OF DEPLOYMENT TECHNOLOGY.....................................................4 2.1 ORIGINAL SYSTEM ............................................................................................. 4 2.2 WLAN TECHNOLOGY DISCUSSION ...................................................................... 4 2.2.1 Simplicity...................................................................................................4 2.2.2 Cost...........................................................................................................5 2.2.3 Roaming support ........................................................................................6 2.2.4 IPv6 support...............................................................................................6
    [Show full text]
  • IEEE 802.1X Implementation at Janet-Connected Organisations
    Published on Jisc community (https://community.jisc.ac.uk) Home > Advisory services > Wireless Technology Advisory Service > Guides > IEEE 802.1X implementation at Janet- connected organisations IEEE 802.1X implementation at Janet- connected organisations IEEE 802.1X implementation at Janet-connected organisations 022 (04/08) This document was produced to share knowledge, experience and current developments surrounding campus 802.1X implementation within the JANET community. Readers are assumed to have a basic knowledge of networking concepts and preventive security awareness. A companion technical guide Security Matters is available [1]. Scope and Audience Providing network access within large organisations is at best challenging and at worst near impossible. Users want the ability to be able to start up their operating system and have instantaneous network access. However this is usually in conflict with the organisational need to prevent unauthorised access to the network and also to provide accountability of users actions. An IEEE standard 802.1X [2] see provides a mechanism for network port access control and manages the process of authenticating and authorising attached devices by extending the EAP protocol over the network. Network access ports can take various forms such as: a network socket, switch port, or wireless access point. EAP (Extensible Authentication Protocol) is a powerful tool in the network administrator’s tool box for providing flexible network access through authentication, authorisation and accounting. EAP is an authentication framework which provides multiple methods for authentication (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004 [3]). Through the use of 802.1X and 802.11i, EAP can be used to provide enterprise network access control (NAC) for both wireless and wired networks.
    [Show full text]