Implementing 802.1X Security Solutions for Wired and Wireless Networks, Jim Geier, Wiley Publishing, Inc.


Implementing 802.1X Security Solutions for Wired and Wireless Networks

Jim Geier

Wiley Publishing, Inc.


Contents

Introduction xxi

Part I Concepts 1

Chapter 1 Network Architecture Concepts 3
  Computer Network Defined 3
  Network Components 4
    Client Devices 5
    Servers 5
    Network Hardware 7
      Switches and Hubs 7
      Routers 8
      Access Points 9
      Network Interface Cards 10
    Media 12
      Metallic Wire 12
      Optical Fiber 13
      Air 14
  Network Types 14
    Personal Area Networks 14
    Local Area Networks 16
    Metropolitan Area Networks 18
      Optical Fiber Infrastructure 18
      Wi-Fi Mesh 18
      WiMAX 19
    Wide Area Networks 20
  Logical Network Architecture 20
  IEEE 802 Standards 22


  Wireless Impairments 23
    Roaming Delays 23
    Coverage Holes 25
    RF Interference 28
  Addressing 29
  IEEE 802.11 Multicasting 30
    Setting the DTIM Interval 30

Chapter 2 Port-Based Authentication Concepts 33
  802.1X Port-Based Authentication Terminology 33
  Authentication Benefits 36
  Primary Components 38
    Supplicant 39
    Authenticator 39
    Authentication Server 39
    A Simple Analogy: Getting the Protocols Straight 40
  Port-Based Authentication Operation 42
    A Simple Analogy—Understanding the Overall System 42
    Supplicant to Authentication Server: EAP-Methods 44
    Supplicant to Authenticator: 802.1X / EAPOL 45
    Authenticator to Authentication Server: RADIUS 49
  A Historical Perspective 51

Part II Standards and Protocols 53

Chapter 3 EAPOL Protocol 55
  EAPOL Recap 55
  EAPOL Encapsulation 56
  EAPOL Packet Structure 57
    Version Field 57
    Type Field 58
    Length Field 58
    Packet Body Field 59
  EAPOL Packet Types 59
    EAP-Packet 59
    EAPOL-Start 59
    EAPOL-Logoff 60
    EAPOL-Key 60
      Descriptor Type Field 61
      Descriptor Body Field for RC4 61
    EAPOL-Encapsulated-ASF-Alert 62
  EAP Packet Structure 63
    EAP Code Field 63
    EAP Identifier Field 63
    EAP Length Field 64
    EAP Data Field 64


  EAP Packet Types 64
    EAP-Request 65
    EAP-Response 65
    EAP Request/Response Types 65
    EAP-Success 66
    EAP-Failure 67
  802.3 Frame Structure 67
  802.11 Frame Structure 69

Chapter 4 RADIUS Protocols 71
  RADIUS Recap 71
  RADIUS Packet Structure 72
    Code Field 73
    Identifier Field 73
    Length Field 74
    Authenticator Field 74
      Request Authenticator 75
      Response Authenticator 75
    Attributes Field 76
  RADIUS Packet Types 76
    RADIUS Access-Request 76
    RADIUS Access-Challenge 77
    RADIUS Access-Accept 77
    RADIUS Access-Reject 78
    RADIUS Accounting-Request 78
    RADIUS Accounting-Response 79
  RADIUS Attributes 79
    RADIUS Attributes Format 79
      Type Field 80
      Length Field 82
      Value Field 82
    EAP-Message Attribute 82
    Message-Authenticator Attribute 83
    Password-Retry Attribute 84
    User-Name Attribute 85
    User-Password Attribute 85
    NAS-IP-Address Attribute 86
    NAS-Port Attribute 86
    Service-Type Attribute 87
    Vendor-Specific Attribute 88
      Vendor-ID Field 89
      String Field 89
    Session-Timeout Attribute 89
    Idle-Timeout Attribute 89
    Termination-Action Attribute 90


  Authentication Server Selection Considerations 90
    Attributes 91
    EAP-Methods 91

Chapter 5 EAP-Methods Protocol 93
  EAP-Methods Recap 93
  EAP-Method Encapsulation 94
  EAP-Method Packet Structure 95
    EAP-Method Type Field 95
    EAP-Method Data Field 96
  Original EAP-Method Types 98
    Identity 99
    Notification 100
    Legacy NAK 101
    Expanded NAK 103
    MD5-Challenge 105
      Value-Size Field 106
      Value Field 106
      Name Field 106
    One-Time Password 106
    Generic Token Card 107
    Expanded Types 107
      Vendor-ID Field 108
      Vendor-Type Field 108
    Experimental 108
  Additional EAP-Method Types 109
    EAP-TLS 109
    EAP-TTLS 111
    PEAP 112
    LEAP 112
    EAP-FAST 113
    EAP-SIM 113
  Wi-Fi Alliance Certification 113
  EAP-Method Selection Considerations 114
    Security Policies 114
    Existing Security Infrastructure 114
    Client Devices 114

Part III Implementation 117

Chapter 6 Configuring Supplicants 119
  Supplicant Recap 119
  Choosing Supplicants 120
    Windows Authentication Client 121
    SecureW2 121
    Juniper Odyssey Access Client 121


    wpa_supplicant 122
    Open1X 123
  Common Supplicant Configuration Parameters 123
    802.1X Activation 123
      Configuring Windows XP 802.1X Wi-Fi Clients 123
      Configuring Windows XP 802.1X Ethernet Clients 127
  Configuring Client Radios 129
    Configuration Update Approaches 129
      Distributed Update Approach 129
      Centralized Update Approach 130
    Client Radio Settings 130
      IP Address 131
      Wireless Network Connection Properties 134
      Transmit Power 134
      Data Rate 135
      Wireless Modes 136
      Ad Hoc Channel 138
      Power Management 139
      Protection Mechanisms 140

Chapter 7 Configuring Authenticators 143
  Authenticator Recap 143
  Choosing Authenticators 145
    802.1X Support 145
    Authentication Server Support 146
    Miscellaneous Features 148
  Common Authenticator Configuration Parameters 148
    802.1X Activation 149
    RADIUS Server Identification 149
    Local Authentication Server Configuration 150
      Enable the Local Authentication Server 150
      Identify Authorized Access Points 151
      Identify Authorized Users 151
    Guest VLAN Configuration 152
    Port Activation 153
      Forced-Unauthorized 153
      Forced-Authorized 154
      Auto 154
    VLAN Identification 156
    Multiple MAC Address Support 156
    Retry Number 157
    Retry Timeout Value 157
    Quiet Period Value 158
    Re-authentication Activation 158
    Re-authentication Period Value 158


  Configuring Wireless Access Points 159
    IP Address 159
    SSID 160
    Radio Settings 161
      Transmit Power 161
      RF Channel 163
      Data Rates 164
      Preamble 165
      Beacon Period 165
      Fragmentation 165
  Authenticator Management 167
    Authenticator Administrative Interface 167
      Terminal Connection 167
      Web Browser Interface 168
      SNMP 169
    Administrator Access Control 169
    Authenticator MIB 169

Chapter 8 Configuring Authentication Servers 171
  Authentication Server Recap 171
  Choosing RADIUS Servers 172
    Commercial RADIUS Servers 172
    Open-Source RADIUS Servers 173
    Outsourcing RADIUS Functionality 173
  Installing RADIUS Software 174
    Review Release Notes 174
    Establish a Server 175
      System Requirements 175
      Physical Location 175
      Verify Network Connections 176
      Configure Administrator Account Access 176
      Security Tips 182
    Install the Software 183
  Common RADIUS Configuration Parameters 184
    Accessing RADIUS Configuration 184
    Configuring RADIUS Clients and Users 186
      Configuring RADIUS Clients 186
      Configuring RADIUS Users 187
      Configuring User Profiles 188
    Authentication Methods 188
      Native User Authentication 188
      Pass-Through Authentication 189
      Proxy RADIUS Authentication 189
    Concurrent Connections 189
    Shared Secret 190
    Replication 191


Chapter 9 Troubleshooting 193
  Troubleshooting Approaches 193
    Gather Information 194
    Find the Root Problem (and Fix It) 195
  Test Tools 195
    Viewing System Configuration 195
    Viewing System Statistics 196
    Debugging Processes 197
    Viewing Wireless Communications 197
      Signal Tester 197
      Spectrum Analyzer 199
      Packet Analyzer 199
  Network Connectivity Issues 200
    Network Interface Problems 200
      Faulty Client Cards 201
      Wireless Coverage Holes 202
      RF Interference 203
    Infrastructure Problems 203
  Supplicant Issues 204
    Missing Supplicant 204
      Missing Supplicant Behavior 205
      Peripheral Devices 206
      Hubs 207
    Bad Credentials 209
      Bad Credentials Behavior 210
    Incorrect EAP-Method 211
  Authenticator Issues 212
    No 802.1X Support 212
    802.1X Not Enabled 212
    RADIUS Server Address Incorrect 212
    EAP-Method Not Supported 213
  Authentication Server Issues 213
    Missing Authentication Server 213
      Missing Authentication Server Behavior 213
      Verifying the Authentication Server 215
  Guest Access Issues 215
    Local Visitor Problems 215
      Visitor with No Supplicant 216
      Visitor with Active Supplicant 216
        Visitor with Active Supplicant Behavior 217
    Remote Visitor Problems 219

Appendix RFC 3748: Extensible Authentication Protocol (EAP) 221
  Extensible Authentication Protocol (EAP) 221
    Abstract 222
    Table of Contents 222


    1. Introduction 224
      1.1. Specification of Requirements 224
      1.2. Terminology 224
      1.3. Applicability 226
    2. Extensible Authentication Protocol (EAP) 227
      2.1. Support for Sequences 229
      2.2. EAP Multiplexing Model 229
      2.3. Pass-Through Behavior 231
      2.4. Peer-to-Peer Operation 232
    3. Lower Layer Behavior 234
      3.1. Lower Layer Requirements 234
      3.2. EAP Usage Within PPP 236
        3.2.1. PPP Configuration Option Format 237
      3.3. EAP Usage Within IEEE 802 237
      3.4. Lower Layer Indications 237
    4. EAP Packet Format 238
      4.1. Request and Response 239
      4.2. Success and Failure 241
      4.3. Retransmission Behavior 243
    5. Initial EAP Request/Response Types 244
      5.1. Identity 245
      5.2. Notification 247
      5.3. Nak 248
        5.3.1. Legacy Nak 248
        5.3.2. Expanded Nak 250
      5.4. MD5-Challenge 252
      5.5. One-Time Password (OTP) 253
      5.6. Generic Token Card (GTC) 254
      5.7. Expanded Types 255
      5.8. Experimental 257
    6. IANA Considerations 257
      6.1. Packet Codes 258
      6.2. Method Types 258
    7. Security Considerations 258
      7.1. Threat Model 258
      7.2. Security Claims 259
        7.2.1. Security Claims Terminology for EAP Methods 261
      7.3. Identity Protection 262
      7.4. Man-in-the-Middle Attacks 263
      7.5. Packet Modification Attacks 263
      7.6. Dictionary Attacks 264
      7.7. Connection to an Untrusted Network 265
      7.8. Negotiation Attacks 265
      7.9. Implementation Idiosyncrasies 265
      7.10. Key Derivation 266


      7.11. Weak Ciphersuites 268
      7.12. Link Layer 268
      7.13. Separation of Authenticator and Backend Authentication Server 269
      7.14. Cleartext Passwords 270
      7.15. Channel Binding 270
      7.16. Protected Result Indications 271
    8. Acknowledgements 273
    9. References 273
      9.1. Normative References 273
      9.2. Informative References 274
    Appendix A. Changes from RFC 2284 276
    Authors' Addresses 278
    Full Copyright Statement 279
    Intellectual Property 280
    Acknowledgement 280

Glossary 281

Index