Implementing 802.1X Security Solutions for Wired and Wireless Networks
Jim Geier
Wiley Publishing, Inc.
Contents
Introduction xxi

Part I Concepts 1

Chapter 1 Network Architecture Concepts 3
    Computer Network Defined 3
    Network Components 4
        Client Devices 5
        Servers 5
        Network Hardware 7
            Switches and Hubs 7
            Routers 8
            Access Points 9
            Network Interface Cards 10
        Media 12
            Metallic Wire 12
            Optical Fiber 13
            Air 14
    Network Types 14
        Personal Area Networks 14
        Local Area Networks 16
        Metropolitan Area Networks 18
            Optical Fiber Infrastructure 18
            Wi-Fi Mesh 18
            WiMAX 19
        Wide Area Networks 20
    Logical Network Architecture 20
    IEEE 802 Standards 22
    Wireless Impairments 23
        Roaming Delays 23
        Coverage Holes 25
        RF Interference 28
    Addressing 29
        IEEE 802.11 Multicasting 30
            Setting the DTIM Interval 30

Chapter 2 Port-Based Authentication Concepts 33
    802.1X Port-Based Authentication Terminology 33
    Authentication Benefits 36
    Primary Components 38
        Supplicant 39
        Authenticator 39
        Authentication Server 39
        A Simple Analogy: Getting the Protocols Straight 40
    Port-Based Authentication Operation 42
        A Simple Analogy—Understanding the Overall System 42
        Supplicant to Authentication Server: EAP-Methods 44
        Supplicant to Authenticator: 802.1X / EAPOL 45
        Authenticator to Authentication Server: RADIUS 49
    A Historical Perspective 51
Part II Standards and Protocols 53

Chapter 3 EAPOL Protocol 55
    EAPOL Recap 55
    EAPOL Encapsulation 56
    EAPOL Packet Structure 57
        Version Field 57
        Type Field 58
        Length Field 58
        Packet Body Field 59
    EAPOL Packet Types 59
        EAP-Packet 59
        EAPOL-Start 59
        EAPOL-Logoff 60
        EAPOL-Key 60
            Descriptor Type Field 61
            Descriptor Body Field for RC4 61
        EAPOL-Encapsulated-ASF-Alert 62
    EAP Packet Structure 63
        EAP Code Field 63
        EAP Identifier Field 63
        EAP Length Field 64
        EAP Data Field 64
    EAP Packet Types 64
        EAP-Request 65
        EAP-Response 65
        EAP Request/Response Types 65
        EAP-Success 66
        EAP-Failure 67
    802.3 Frame Structure 67
    802.11 Frame Structure 69

Chapter 4 RADIUS Protocols 71
    RADIUS Recap 71
    RADIUS Packet Structure 72
        Code Field 73
        Identifier Field 73
        Length Field 74
        Authenticator Field 74
            Request Authenticator 75
            Response Authenticator 75
        Attributes Field 76
    RADIUS Packet Types 76
        RADIUS Access-Request 76
        RADIUS Access-Challenge 77
        RADIUS Access-Accept 77
        RADIUS Access-Reject 78
        RADIUS Accounting-Request 78
        RADIUS Accounting-Response 79
    RADIUS Attributes 79
        RADIUS Attributes Format 79
            Type Field 80
            Length Field 82
            Value Field 82
        EAP-Message Attribute 82
        Message-Authenticator Attribute 83
        Password-Retry Attribute 84
        User-Name Attribute 85
        User-Password Attribute 85
        NAS-IP-Address Attribute 86
        NAS-Port Attribute 86
        Service-Type Attribute 87
        Vendor-Specific Attribute 88
            Vendor-ID Field 89
            String Field 89
        Session-Timeout Attribute 89
        Idle-Timeout Attribute 89
        Termination-Action Attribute 90
    Authentication Server Selection Considerations 90
        Attributes 91
        EAP-Methods 91

Chapter 5 EAP-Methods Protocol 93
    EAP-Methods Recap 93
    EAP-Method Encapsulation 94
    EAP-Method Packet Structure 95
        EAP-Method Type Field 95
        EAP-Method Data Field 96
    Original EAP-Method Types 98
        Identity 99
        Notification 100
        Legacy NAK 101
        Expanded NAK 103
        MD5-Challenge 105
            Value-Size Field 106
            Value Field 106
            Name Field 106
        One-Time Password 106
        Generic Token Card 107
        Expanded Types 107
            Vendor-ID Field 108
            Vendor-Type Field 108
        Experimental 108
    Additional EAP-Method Types 109
        EAP-TLS 109
        EAP-TTLS 111
        PEAP 112
        LEAP 112
        EAP-FAST 113
        EAP-SIM 113
    Wi-Fi Alliance Certification 113
    EAP-Method Selection Considerations 114
        Security Policies 114
        Existing Security Infrastructure 114
        Client Devices 114

Part III Implementation 117

Chapter 6 Configuring Supplicants 119
    Supplicant Recap 119
    Choosing Supplicants 120
        Windows Authentication Client 121
        SecureW2 121
        Juniper Odyssey Access Client 121
        wpa_supplicant 122
        Open1X 123
    Common Supplicant Configuration Parameters 123
        802.1X Activation 123
        Configuring Windows XP 802.1X Wi-Fi Clients 123
        Configuring Windows XP 802.1X Ethernet Clients 127
    Configuring Client Radios 129
        Configuration Update Approaches 129
            Distributed Update Approach 129
            Centralized Update Approach 130
        Client Radio Settings 130
            IP Address 131
            Wireless Network Connection Properties 134
            Transmit Power 134
            Data Rate 135
            Wireless Modes 136
            Ad Hoc Channel 138
            Power Management 139
            Protection Mechanisms 140

Chapter 7 Configuring Authenticators 143
    Authenticator Recap 143
    Choosing Authenticators 145
        802.1X Support 145
        Authentication Server Support 146
        Miscellaneous Features 148
    Common Authenticator Configuration Parameters 148
        802.1X Activation 149
        RADIUS Server Identification 149
        Local Authentication Server Configuration 150
            Enable the Local Authentication Server 150
            Identify Authorized Access Points 151
            Identify Authorized Users 151
        Guest VLAN Configuration 152
        Port Activation 153
            Forced-Unauthorized 153
            Forced-Authorized 154
            Auto 154
        VLAN Identification 156
        Multiple MAC Address Support 156
        Retry Number 157
        Retry Timeout Value 157
        Quiet Period Value 158
        Re-authentication Activation 158
        Re-authentication Period Value 158
    Configuring Wireless Access Points 159
        IP Address 159
        SSID 160
        Radio Settings 161
            Transmit Power 161
            RF Channel 163
            Data Rates 164
            Preamble 165
            Beacon Period 165
            Fragmentation 165
    Authenticator Management 167
        Authenticator Administrative Interface 167
            Terminal Connection 167
            Web Browser Interface 168
            SNMP 169
        Administrator Access Control 169
        Authenticator MIB 169

Chapter 8 Configuring Authentication Servers 171
    Authentication Server Recap 171
    Choosing RADIUS Servers 172
        Commercial RADIUS Servers 172
        Open-Source RADIUS Servers 173
        Outsourcing RADIUS Functionality 173
    Installing RADIUS Software 174
        Review Release Notes 174
        Establish a Server 175
            System Requirements 175
            Physical Location 175
            Verify Network Connections 176
            Configure Administrator Account Access 176
            Security Tips 182
        Install the Software 183
    Common RADIUS Configuration Parameters 184
        Accessing RADIUS Configuration 184
        Configuring RADIUS Clients and Users 186
            Configuring RADIUS Clients 186
            Configuring RADIUS Users 187
            Configuring User Profiles 188
        Authentication Methods 188
            Native User Authentication 188
            Pass-Through Authentication 189
            Proxy RADIUS Authentication 189
        Concurrent Connections 189
        Shared Secret 190
        Replication 191
Chapter 9 Troubleshooting 193
    Troubleshooting Approaches 193
        Gather Information 194
        Find the Root Problem (and Fix It) 195
    Test Tools 195
        Viewing System Configuration 195
        Viewing System Statistics 196
        Debugging Processes 197
        Viewing Wireless Communications 197
            Signal Tester 197
            Spectrum Analyzer 199
            Packet Analyzer 199
    Network Connectivity Issues 200
        Network Interface Problems 200
            Faulty Client Cards 201
            Wireless Coverage Holes 202
            RF Interference 203
        Infrastructure Problems 203
    Supplicant Issues 204
        Missing Supplicant 204
            Missing Supplicant Behavior 205
            Peripheral Devices 206
            Hubs 207
        Bad Credentials 209
            Bad Credentials Behavior 210
        Incorrect EAP-Method 211
    Authenticator Issues 212
        No 802.1X Support 212
        802.1X Not Enabled 212
        RADIUS Server Address Incorrect 212
        EAP-Method Not Supported 213
    Authentication Server Issues 213
        Missing Authentication Server 213
            Missing Authentication Server Behavior 213
        Verifying the Authentication Server 215
    Guest Access Issues 215
        Local Visitor Problems 215
            Visitor with No Supplicant 216
            Visitor with Active Supplicant 216
                Visitor with Active Supplicant Behavior 217
        Remote Visitor Problems 219

Appendix RFC 3748: Extensible Authentication Protocol (EAP) 221
    Extensible Authentication Protocol (EAP) 221
        Abstract 222
        Table of Contents 222
        1. Introduction 224
            1.1. Specification of Requirements 224
            1.2. Terminology 224
            1.3. Applicability 226
        2. Extensible Authentication Protocol (EAP) 227
            2.1. Support for Sequences 229
            2.2. EAP Multiplexing Model 229
            2.3. Pass-Through Behavior 231
            2.4. Peer-to-Peer Operation 232
        3. Lower Layer Behavior 234
            3.1. Lower Layer Requirements 234
            3.2. EAP Usage Within PPP 236
                3.2.1. PPP Configuration Option Format 237
            3.3. EAP Usage Within IEEE 802 237
            3.4. Lower Layer Indications 237
        4. EAP Packet Format 238
            4.1. Request and Response 239
            4.2. Success and Failure 241
            4.3. Retransmission Behavior 243
        5. Initial EAP Request/Response Types 244
            5.1. Identity 245
            5.2. Notification 247
            5.3. Nak 248
                5.3.1. Legacy Nak 248
                5.3.2. Expanded Nak 250
            5.4. MD5-Challenge 252
            5.5. One-Time Password (OTP) 253
            5.6. Generic Token Card (GTC) 254
            5.7. Expanded Types 255
            5.8. Experimental 257
        6. IANA Considerations 257
            6.1. Packet Codes 258
            6.2. Method Types 258
        7. Security Considerations 258
            7.1. Threat Model 258
            7.2. Security Claims 259
                7.2.1. Security Claims Terminology for EAP Methods 261
            7.3. Identity Protection 262
            7.4. Man-in-the-Middle Attacks 263
            7.5. Packet Modification Attacks 263
            7.6. Dictionary Attacks 264
            7.7. Connection to an Untrusted Network 265
            7.8. Negotiation Attacks 265
            7.9. Implementation Idiosyncrasies 265
            7.10. Key Derivation 266
            7.11. Weak Ciphersuites 268
            7.12. Link Layer 268
            7.13. Separation of Authenticator and Backend Authentication Server 269
            7.14. Cleartext Passwords 270
            7.15. Channel Binding 270
            7.16. Protected Result Indications 271
        8. Acknowledgements 273
        9. References 273
            9.1. Normative References 273
            9.2. Informative References 274
        Appendix A. Changes from RFC 2284 276
        Authors' Addresses 278
        Full Copyright Statement 279
        Intellectual Property 280
        Acknowledgement 280

Glossary 281

Index