Real-world 802.1X Deployment Challenges


Published on March 19, 2014

Author: AirheadsSocial

Source: slideshare.net

Description

Airheads Conference 2014

Slide 1: Real-world 802.1X Deployment Challenges
Tim Cappalli, March 2014

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf

Slide 2: About Me
• Mobility Engineer, Brandeis University
• Wireless Infrastructure
• AAA / Role-based Access Control – wired, wireless and remote networks
• @tcappy0707

Slide 3
• 6,000 students
• 1,300 full time staff
• Smallest VHR university
• 2,200 access points (mix 11n/11ac)
• 5 mobility controllers
• 320 edge switches, 92 stacks
• AAA: ClearPass Policy Manager
• eduroam

Slide 4: Agenda
• What is EAP?
• Common EAP Flavors
• The Good and The Bad
• Client Support
• Challenges at Brandeis
• Open Discussion – What challenges do you face?

Slide 5: 802.1x

Slide 6: 802.1X IEEE STANDARD

Slide 7: POLL – PEAP? TLS? TTLS? WHAT ARE YOU USING?

Slide 8: What is EAP?
• Extensible Authentication Protocol
– 802.1X defines EAPOL
– Designed for Ethernet, adapted to 802.11
Arran Cudbard-Bell

Slide 9: EAP Transaction (diagram: Client, Authenticator, Authentication Server; EAPOL carries the exchange between client and authenticator, RADIUS between authenticator and authentication server)
• EAPOL Start
• Request Identity
• Response Identity (anonymous)
• Response Identity
• TLS Start
• Certificate
• Client Key exchange
• Cert. verification
• Request credentials
• Response credentials
• Success

Slide 10: EAP FLAVORS

Slide 11: Common EAP Flavors
• PEAP (Protected EAP)
– Uses a digital certificate on the network side
– Password or certificate on the client side
– Most common: PEAPv0/EAP-MSCHAPv2
• EAP-TLS (EAP with Transport Layer Security)
– Uses a certificate on the network side
– Uses a certificate on the client side
• TTLS (Tunneled Transport Layer Security)
– Uses a certificate on the network side
– Password, token, or certificate on the client side
– Tunneled Diameter (CHAP, PAP), EAP

Slide 12: THE GOOD AND THE BAD

Slide 13: EAP-TLS: The Good
• Device or User credential
– Revoke device access instead of user
• Currently the strongest authentication method
• Most widely supported
• Extremely difficult to crack a 2048-bit RSA key

Slide 14: EAP-TLS: The Bad
• Certificate distribution
– Enrollment or onboard process
– Can be an administrative burden without proper tools
• User familiarity
– Most users have no concept of a certificate
– Username and password is the “standard”
• Renewals
– Notifying users to renew before expiration
• Changing certificate chain
– Not just “accept new certificate” for users

Slide 15: PEAP: The Good
• Username / password is familiar to users
• Users can “just get on” w/ valid credentials
• Second most widely supported
• Easy integration with AD (“free” NPS)

Slide 16: PEAP: The Bad
• Device credential on Windows AD-joined devices
• Passwords are weak!
– Users won’t remember a truly secure password
• Password expiration
– How do you handle AD password expiration for non-AD Windows machines?
• Client must be configured correctly
• Not so easy with LDAP & Novell
– Limited PEAPv1/EAP-GTC native client support

Slide 17: EAP-GTC vs EAP-MSCHAPv2 (password storage formats each inner method can authenticate against)
• EAP-GTC
– Cleartext, NT hash, MD5 hash, salted MD5 hash
– SHA1 hash, salted SHA1 hash, UNIX crypt
• EAP-MSCHAPv2
– Cleartext, NT hash, LM hash

Slide 18: Server Certificate
• Make sure CA correspondence goes to more than one person!
• Nightmares for wireless only devices:
– Server certificate expiration
– New chain
– New server name
• Push out new profiles/GPOs ahead of time!

Slide 19: CLIENT SUPPORT

Slide 20: Native Client Support

                        EAP-PEAP   EAP-TLS        EAP-TTLS
Windows 8               YES        YES            YES
Windows 7 / Vista / XP  YES        YES            NO
Mac OS X                YES        YES            YES
Linux                   YES**      YES            YES
iOS                     YES        YES            YES*
Android                 YES**      YES            YES
Chrome OS               YES**      YES            YES**
Windows Phone 8.1       YES        YES (rumored)  UNK
Windows Phone 7/8       YES        NO**           NO
BlackBerry 10           YES        YES            YES
BlackBerry 7            YES        YES            YES

Slide 21: Native Client Support (game consoles)

                      EAP-PEAP   EAP-TLS   EAP-TTLS
XBOX 360              NO         NO        NO
XBOX One              MAYBE      MAYBE     MAYBE
PlayStation 3 & 4     NO         NO        NO
Nintendo Wii / Wii U  NO         NO        NO


Slide 32: MiTM (diagram)
• Legitimate network: SSID HospiNET, RADIUS server radius1.hospital.org with a Verisign-issued certificate
• Impostor: SSID HospiNET, server wireless.hospital.org with a self-signed certificate
• Client setting: VALIDATE SERVER CERT – Disabled
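The MiTM slide above, the anonymous outer identity in the slide 9 transaction, and the server-certificate slide all come down to what the supplicant profile enforces. The Python below is an added example, not code from the deck or from Aruba: it lints constructed wpa_supplicant-style network blocks for the settings that close that gap. The SSID, CA path, username and password are placeholders; the option names (ca_cert, domain_match, anonymous_identity) are wpa_supplicant's own.

```python
import re

# Constructed sample profiles (not from the slides): the first omits every
# server-validation setting, the second pins the CA and the RADIUS server name.
WEAK_PROFILE = """
network={
    ssid="HospiNET"
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="HospiNET"
    eap=PEAP
    anonymous_identity="anonymous@hospital.org"
    identity="jdoe"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/hospital-root-ca.pem"
    domain_match="radius1.hospital.org"
    phase2="auth=MSCHAPV2"
}
"""

def parse_network(text):
    """Return the key/value options of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    opts = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key] = value.strip('"')
    return opts

def lint_profile(text):
    """Return findings for a TLS-based EAP profile; an empty list means the server is pinned."""
    opts = parse_network(text)
    findings = []
    if opts.get("eap") not in ("PEAP", "TTLS", "TLS"):
        return findings
    if "ca_cert" not in opts:
        findings.append("ca_cert missing: any server certificate, including a self-signed one, is accepted")
    if not any(k in opts for k in ("domain_match", "domain_suffix_match", "subject_match")):
        findings.append("no server name match: a valid certificate issued to another host is accepted")
    if opts["eap"] != "TLS" and "anonymous_identity" not in opts:
        findings.append("anonymous_identity missing: the real username is sent in the unprotected outer identity")
    return findings
```

Run `lint_profile` over each profile a help desk hands out; the weak block above trips all three checks, the hardened one none.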


Slide 34: (image) COURTESY: LEE BADMAN, SYRACUSE UNIVERSITY

Slide 35: WHAT’S BRANDEIS DOING?

Slide 36: What’s Brandeis Doing?
• Training support staff
– Explaining the different networks
– Giving access to troubleshooting tools
• Empowering* users
– Making it interactive
– Making it user friendly
• Planning for some type of onboarding
• Exploring EAP-TLS
– Using network and systems group as PoC for access to secure management networks
*attempting


Slide 38: What’s Brandeis Doing? (screenshots dated 3/5/14, 10/3/13, 3/15/13)

Slide 39: Know the audience

Slide 40: When in doubt, run __________
• Ensure support staff understand the value of client configuration tools
• Utilize a configuration utility
– Teaching help desk, “When in doubt, run QuickConnect”
• Utilize driver detection tools
– Intel Driver Update Utility

Slide 41: OPEN DISCUSSION

Slide 42: Good Reads
• Simply put: How does certificate-based authentication work? (Network World, 3/10/14, Aaron Woland)
• Cryptography Decrypted (Amazon)


Slide 44: Thank You #AirheadsConf
