2008_WiFi Authentication and Roaming Authentication


Wi-Fi Authentication Demystified
Tutorial

[Crossword grid: numbered squares 1 to 27; clues below]

Across
2. EAP over LAN
6. Conveys data between points
8. Pipe diameter
9. Number of 802.11a non-overlapping channels
11. Receive/send radio signal
13. Extensible Authentication Protocol
15. End of the link that responds
17. Amount of data sent in a given time
18. Manages addressing and protocol information
21. 10^9 Hz
22. Only Wi-Fi Power Play
24. Supersedes WEP for 802.11
26. Contiguous frequencies
27. Opposite of transmitter

Down
1. Highest performing access device
3. Packet requesting information
4. Xirrus language
5. Circuitry to interpret and execute
7. Path for signals
10. Fragment of data
12. Specification implementing TKIP and AES
14. End of link initiating EAP authentication
15. Type of medium in 802.11
16. Number of 802.11b/g non-overlapping channels
19. One million cycles per second
20. Rate at which a repeating event occurs
23. Standard for port-based access control
25. Institute of engineers

Contents
Introduction .......... 3
The History of Authentication .......... 4
Authentication Framework .......... 5
Wireless Infrastructure .......... 7
Roaming and Authentication .......... 9
Recommendations .......... 10
Leading Architecture .......... 11
About Xirrus .......... 11


2008 Xirrus, Inc. All Rights Reserved.

Introduction

Authentication is a critical part of any network security policy. Authentication validates the identity of a user or device, which is an important point, as most people only look at authentication as authenticating the client. When using a mutual authentication scheme, not only is the client authenticated, but so is the network itself. This process allows the first device to authenticate the second and the second device to authenticate the first.

Initial wireless authentication used a wireless encryption method, known as WEP, to provide the authentication. The idea was that if both sides had a common encryption key, it would serve as a way to provide proper authentication. However, WEP was cracked, and as a result it was no longer considered to be sufficient as an authentication or encryption method.

The overall goal of Wi-Fi authentication is to ensure that an authorized device does not connect to unauthorized access devices, such as a rogue AP. Rogue APs are unauthorized devices that have been detected in a network. Rogues can be either benign, such as neighboring APs or newly added devices, or a threat when added to the network for malicious reasons. These rogue APs can create numerous issues for the network, for example:

1. An attack called man-in-the-middle can occur, in which the rogue inserts itself between authorized devices and collects information and credentials from the user and the network.
2. An attack called a replay attack, in which a valid data transmission is maliciously or fraudulently repeated or delayed by the attacker.

These attacks can be designed to steal information or to affect normal operation, such as a denial of service attack.

Typical Wi-Fi Infrastructure

In a typical Wi-Fi infrastructure, stations associate to an Access Point. The Access Point is the Authenticator and interfaces with the Authentication Server to validate the station's identity and then allow access to the network.

[Diagram: Wireless Stations (Supplicant) -> Authenticators (Access Points) -> Ethernet Switch -> Router -> Authentication Server]


For these reasons and more not listed, it helps to hide the user's identity from being exposed to a sniffer or other type of eavesdropper on the network. There are additional benefits to authentication, such as encryption key management, which automatically expires user passwords and forces them to change credentials, like username and password, on a regular basis. Authentication is critical for protecting corporate and personal information; scaling and managing large groups of users at multiple locations normally requires the use of a dynamic authentication process. In addition to just authorizing access to the network, it also provides accounting and auditing information for every connection occurring in the network. All of this is extremely important in proving compliance with regulations such as HIPAA and PCI. Many forms of authentication also allow for extended control over end-user access, such as time-of-day or restricted guest-access policies.

The History of Authentication

Most people are familiar with RADIUS, which stands for Remote Authentication Dial-In User Service and has been around since the days of dial-up network access. The RADIUS server sits on the wired network and completes the process of authentication. The RADIUS service has three components: the authentication server, such as Microsoft's IAS; the RADIUS client, which in the wireless world is the AP or the WLAN switch; and the supplicant. The supplicant is the Wi-Fi client to be authenticated. The supplicant forwards authentication information to the RADIUS client, which in turn forwards this information to the RADIUS server. The server will authorize or deny access to the network. In addition, the RADIUS server may return configuration information to the AP, such as placing the Wi-Fi user in a specific VLAN.

RADIUS

RADIUS (RFC 2138) defines the backend authentication process between the Authenticator and Authentication Server. RADIUS Attributes carry specific authentication, authorization, information and configuration detail for the Access request and response types.

RADIUS packet format:
Code (1 Byte) | Identifier (1 Byte) | Length (2 Bytes) | Authenticator (16 Bytes) | Attribute 1 ... Attribute N

Code values:
Value  Description
0      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
12     Status-Server (experimental)
13     Status-Client (experimental)
255    Reserved

Authenticator Field: contains challenge text and MD5 hashed responses (passwords).

Example Attributes include: User Name (Type Field = 1), Password (Type Field = 2). Items such as which VLAN the user is to be assigned to or what wireless user group policies to use can be defined by the use of Vendor Specific Attributes (VSAs) (Type Field = 26).

Attribute Field format:
Type (1 Byte; values 1 to 63) | Length (1 Byte) | Value (1 or more Bytes)

A RADIUS server can also access things like an Active Directory service or other directory service on the back end of the network to enforce policies. This allows RADIUS to be implemented without having to recreate account information that may already exist in another directory.
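The packet and attribute layouts in the RADIUS sidebar are enough to write a parser, and the Authenticator field is what lets a RADIUS client tell a genuine reply from an injected one. The following Python is an added example, not code from the poster or from Xirrus: it parses the header and the Type/Length/Value attribute list (including the Vendor-Id plus vendor TLV layout of a type 26 VSA), and checks a reply's Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret) as RFC 2865 defines it. The shared secret, the request authenticator, vendor id 99999 and the VLAN value are all constructed for the example; the code values follow the RFC, where Access-Request is code 1 (the poster's table lists it as 0).

```python
import hashlib
import hmac
import struct

# Packet codes as defined in RFC 2138/2865. The RFC assigns code 1 to
# Access-Request; the poster's table lists it as 0.
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    12: "Status-Server", 13: "Status-Client", 255: "Reserved",
}
ATTR_USER_NAME = 1          # Type field = 1, as on the poster
ATTR_VENDOR_SPECIFIC = 26   # Type field = 26 (VSA)
HEADER_LEN = 20             # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_attributes(body):
    """Walk the attribute list: Type (1 byte), Length (1 byte, counting the two
    header bytes too), Value (Length - 2 bytes). Returns [(type, value), ...]
    and refuses any length that would run past the buffer."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, bytes(body[pos + 2:pos + alen])))
        pos += alen
    return attrs


def parse_vsa(value):
    """Vendor-Specific attribute value: Vendor-Id (4 bytes) followed by the
    vendor's own Type/Length/Value triples (the layout RFC 2865 recommends)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def parse_radius(packet):
    """Split a RADIUS packet into its header fields and attribute list."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError(f"declared length {length} inconsistent with {len(packet)} bytes")
    return {
        "code": code, "name": RADIUS_CODES.get(code, "Unknown"), "id": ident,
        "length": length, "authenticator": packet[4:HEADER_LEN],
        "attributes": parse_attributes(packet[HEADER_LEN:length]),
    }


def response_authenticator(response, request_authenticator, secret):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", response[2:4])[0]
    return hashlib.md5(response[:4] + request_authenticator
                       + response[HEADER_LEN:length] + secret).digest()


def verify_response(response, request_authenticator, secret):
    """True when the Authenticator field matches the expected MD5; a reply that
    fails this check did not come from a server holding the shared secret."""
    expected = response_authenticator(response, request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_vsa(vendor_id, vendor_type, value):
    return struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value


def sample_exchange():
    """Constructed Access-Request / Access-Accept pair plus a forged Accept
    whose Authenticator was never computed over the shared secret."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))   # constructed; a real client sends 16 random bytes
    request = build_packet(1, 7, request_auth, [(ATTR_USER_NAME, b"alice")])
    # Hypothetical VSA: vendor id 99999, vendor type 1, naming the VLAN to assign.
    accept_attrs = [(ATTR_VENDOR_SPECIFIC, build_vsa(99999, 1, b"VLAN-guest"))]
    unsigned = build_packet(2, 7, bytes(16), accept_attrs)
    accept = (unsigned[:4] + response_authenticator(unsigned, request_auth, secret)
              + unsigned[HEADER_LEN:])
    return request, accept, unsigned, request_auth, secret


if __name__ == "__main__":
    request, accept, forged, request_auth, secret = sample_exchange()
    for pkt in (request, accept):
        print(parse_radius(pkt)["name"], parse_radius(pkt)["attributes"])
    print("genuine accept verifies:", verify_response(accept, request_auth, secret))
    print("forged accept verifies:", verify_response(forged, request_auth, secret))
```

A RADIUS client that skips the Response Authenticator check will honor any Access-Accept an on-path host hands it, which is why the shared secret needs to be long and unique per client and why the traffic between the AP and the server belongs on a protected management network.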


In 1999, the 802.11 standard was adopted, which contained a couple of methods for basic authentication. One was called open authentication, which was not really authentication at all. Open authentication basically allows Wi-Fi association to all 802.11 compliant devices. A second method was WEP, which stood for Wired Equivalent Privacy. This form of authentication, known as shared key WEP authentication, allowed a shared WEP key to be used for authenticating users to access the network. In May 2001, an IEEE Task Group known as 802.11i began work on new enhanced security standards for 802.11. By August 2001, WEP was cracked, creating a large security breach and adversely impacting the adoption of Wi-Fi in the enterprise. At this point WEP became known as "Weak Encryption Protocol".

Needing improved security and not being able to wait for the developing IEEE standard, the Wi-Fi Alliance announced in October 2002 a new security standard called WPA, which stands for Wi-Fi Protected Access. It was a security enhancement based on the work being done by the IEEE 802.11i Task Group. WPA was quickly put in place to correct the problems with WEP. This was accomplished via the implementation of an authentication framework and stronger encryption modes, and the 802.11i addendum was finally ratified.

Authentication Framework

There were three basic building blocks that led up to 802.11i. First, there was EAP, which stands for Extensible Authentication Protocol. EAP is a framework for authentication, allowing for a number of authentication methods to be used.

EAP/EAPOL Frame Format

EAPOL (EAP Over LAN) is used by 802.1X to encapsulate the EAP protocol. The EAP protocol defines a number of methods for authentication.

EAPOL Packet format:
Destination MAC (6 Bytes) | Source MAC (6 Bytes) | Ethertype (2 Bytes) = 0x888e | Protocol Version (1 Byte) = 1 | Packet Type (1 Byte) | Packet Body Length (2 Bytes) = # of Bytes | Packet Body

EAPOL Packet Type:
Value  Description
0      EAP Packet
1      EAPOL Start
2      EAPOL Logoff
3      EAPOL Key
4      EAPOL Alert

EAP Packet format:
Code (1 Byte) | ID (1 Byte) | Length (2 Bytes) = # of Bytes | Type (1 Byte) | Data

EAP Code:
Value  Description
1      Request
2      Response
3      Success
4      Failure

EAP Type:
Value  Description
1      Identity
2      Notification
3      NAK
4      MD5 Challenge
5      One Time Password
6      Generic Token Card
13     TLS


One of those methods is 802.1x, a port level authentication method originally designed for wired networks. 802.1x, EAP, and the additional encryption modes TKIP and AES were all components of the 802.11i standard.
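Putting the EAPOL and EAP frame formats from the sidebar together, here is an added Python example (not from the poster or from Xirrus) that decodes EAPOL frames and the EAP packets they carry, walks a constructed Start / Request-Identity / Response-Identity / Success exchange, and flags a Response whose Identifier does not match the outstanding Request, which RFC 3748 requires to match. The two MAC addresses and the identity "alice" are made up; the 01:80:c2:00:00:03 destination on the EAPOL-Start is the 802.1X PAE group address.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff",
               3: "EAPOL Key", 4: "EAPOL Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card", 13: "TLS"}


def parse_eap_packet(pkt):
    """EAP header: Code(1) ID(1) Length(2). Request and Response packets add
    Type(1) and type-specific Data; Success and Failure carry no Type."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} bytes")
    eap = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without Type field")
        eap["type"] = pkt[4]
        eap["type_name"] = EAP_TYPES.get(pkt[4], "Unknown")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol_frame(frame):
    """Ethernet II header (dst MAC, src MAC, Ethertype 0x888e) followed by the
    EAPOL header: Protocol Version(1) Packet Type(1) Packet Body Length(2)."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length runs past end of frame")
    parsed = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
              "type": ptype, "type_name": EAPOL_TYPES.get(ptype, "Unknown"), "body": body}
    if ptype == 0:                      # EAP Packet: the body is an EAP packet
        parsed["eap"] = parse_eap_packet(body)
    return parsed


def summarize_exchange(frames):
    """One line per frame. Flags an EAP Response whose Identifier does not
    match the outstanding Request and shows the identity string a supplicant
    sends in the clear."""
    lines, pending_id = [], None
    for raw in frames:
        f = parse_eapol_frame(raw)
        line = f"{f['src']} -> {f['dst']}: {f['type_name']}"
        if "eap" in f:
            eap = f["eap"]
            line += f" / EAP {eap['code_name']}"
            if "type_name" in eap:
                line += f"/{eap['type_name']}"
            if eap["code"] == 1:
                pending_id = eap["id"]
            elif eap["code"] == 2:
                if eap["id"] != pending_id:
                    line += f" [ID mismatch: response {eap['id']} vs request {pending_id}]"
                if eap["type"] == 1:
                    line += f" identity={eap['data'].decode('utf-8', 'replace')!r}"
        lines.append(line)
    return lines


def build_eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(dst, src, ptype, body=b"", version=1):
    return (dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", version, ptype, len(body)) + body)


# Constructed 802.1X exchange between a supplicant (STA) and an authenticator (AP);
# both MAC addresses are made up for the example.
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
SAMPLE_EXCHANGE = [
    build_eapol(PAE_GROUP_ADDRESS, STA, 1),                 # EAPOL-Start
    build_eapol(STA, AP, 0, build_eap(1, 1, 1)),             # EAP-Request/Identity
    build_eapol(AP, STA, 0, build_eap(2, 1, 1, b"alice")),   # EAP-Response/Identity
    build_eapol(STA, AP, 0, build_eap(3, 1)),                # EAP-Success
]

if __name__ == "__main__":
    for line in summarize_exchange(SAMPLE_EXCHANGE):
        print(line)
```

The identity in the EAP-Response/Identity is visible to anyone capturing the LAN segment, which ties back to the earlier point about hiding the user's identity from eavesdroppers; this is why tunneled EAP methods send an anonymous outer identity and carry the real one inside the TLS tunnel.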

802.11i Security

802.11i is the official security standard for 802.11 Wireless LANs as ratified by the IEEE in 2004. Its operation consists of 4 primary phases to establish secure communications. Phase 2 and a portion of Phase 3 are addressed in this poster; Phase 4 and a portion of Phase 3 are addressed in the companion Wi-Fi Encryption poster.

[Diagram: Station, Authenticator and Authentication Server across the four phases]
Phase 1: Security Discovery/Negotiation (Station and Authenticator)
Phase 2: 802.1X Authentication (Station through Authenticator to Authentication Server, carried over RADIUS between Authenticator and Authentication Server)
Phase 3: Key Management (Key Distribution from Authentication Server to Authenticator)
Phase 4: Data Confidentiality and Integrity (Station and Authenticator)

Additionally, mutual authentication and key exchange processes were added to the standard. All these additions allowed the authentication process to scale and also provided for dynamic key creation and updating, providing faster client authentication an