1 / 89

WLAN Security

WLAN Security. Examining EAP and 802.1x. 802.1x works at Layer 2 to authentication and authorize devices on wireless access points . IEEE 802.1x. It is used for certain closed wireless access points . 802.1x Authentication.

aman
Download Presentation

WLAN Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WLAN Security Examining EAP and 802.1x

  2. 802.1x works at Layer 2 to authentication and authorize devices on wireless access points.

  3. IEEE 802.1x • It is used for certain closedwireless access points.

  4. 802.1x Authentication • A wireless node must be authenticated before it can gain access to other LAN resources

  5. It does assume a point-to-point model. • Then PPP can serve for this point-to-point model.

  6. What is PPP and what does it have to do with wireless security? • Most people are familiar with PPP, the point-to-point protocol. It’s most commonly used for dial-up Internet access. • PPP is also used by some ISPs for DSL and cable modem authentication, in the form of PPPoE (PPP over Ethernet).

  7. What is PPP and what does it have to do with wireless security? • By any measure, PPP is a very successful protocol. • In practice, PPP has gone far beyond its original use as a dial-up access method as it's now used all over the Internet.

  8. What is PPP and what does it have to do with wireless security? • Although PPP has many parts that make it useful in different networking environments, the part that we care about in this demonstration is the authentication piece.

  9. What is PPP and what does it have to do with wireless security? • Before anything at Layer 3 (like IP) is established, PPP goes through an authentication phase at Layer 2. • With dial-up Internet access, that’s the username and password.

  10. What is PPP and what does it have to do with wireless security? • PPP authentication is used to identify the user at the other end of the PPP line before giving them access. • By authenticating at layer 2, you are independent of upperlayer protocol (such as IP).

  11. What is PPP and what does it have to do with wireless security? • And you can make decisions on how to handle layer 3 protocols, such as IP, based on the authentication information. • For example, depending on what authentication information you provide, you might get a particular IP address.

  12. PPP General Frame Format

  13. 802.1x Terminology 802.1x does introduce some terminology that we need to get used to. An authenticator helps authenticate what you connect to it. It does this via the authentication server. The supplicant is what is being authenticated. See the following diagram if that's unclear.

  14. 802.1x Terminology

  15. 802.1x Terminology • The Port Access Entity (PAE) is what executes the algorithms and follows the protocol(s). • Each of the three items above has a PAE, but the PAE software does do different things on each of the three.

  16. How did EAP get into the picture? • As PPP use grew, people quickly found its limitations, both in flexibility and in level of security, in the authentication methods, such as PAP.

  17. How did EAP get into the picture? • Most corporate networks want to do more than simple usernames and passwords for secure access. • So a new authentication protocol, called the Extensible Authentication Protocol (EAP) was designed.

  18. What is EAP

  19. EAP • Extensible Authentication Protocol is a universal authentication framework frequently used in wireless networks and Point-to-Point connections. • It is defined by RFC 3748.

  20. EAP and WPA • WPA and WPA2 standard has officially adopted five EAP types as its official authentication mechanisms.

  21. EAP is a way for a supplicant to authenticate, usually against a back-end RADIUS server. • EAP comes from the dial access world and PPP. 

  22. There is a RFC for how RADIUS should support EAP between authenticator and authentication server, RFC 3579. • EAP was first defined in the IETF RFC 2284.

  23. The EAP TLS variant is defined in RFC 2716. • The following figure shows the EAP format. • Note that when 802.1x is the transport, all this fits into the 802.1x payload field, with EAPOL packet type set to 0 (EAP packet).

  24. The EAPOL frame format

  25. EAP is a way for a supplicant to authenticate, usually against a back-end RADIUS server. • EAP comes from the dial access world and PPP. 

  26. There is an RFC for how RADIUS should support EAP between authenticator and authentication server, RFC 3579.

  27. EAP was first defined in the IETF RFC 2284. • The EAP TLS variant is defined in RFC 2716.

  28. The following figure shows the EAP format. • Note that when 802.1x is the transport, all this fits into the 802.1x payload field, with EAPOL packet type set to 0 (EAP packet).

  29. EAP format • The code field indicates the type of EAPpacket as follows: (1) Request, (2) Response, (3) Success, (4) Failure

  30. The ID is one byte for matching requests and responses. • Length is the byte count including the code, ID, length and data fields.  • The data field format varies depending on the code field.

  31. Types 3 and 4, Success and Failure are easy to describe: they have no data field (0 bytes). • Types 1 and 2 share a format. It boils down to a type code (one byte) then the data for that type. 

  32. Here's what that makes the EAP packet look like:

  33. The original RFC defines several types of EAP authentication. They are:1 Identity2 Notification3 Nak (response only)4 MD5-Challenge5 One-Time Password (OTP) (RFC 1938)6 Generic Token Card 13 TLS (RFC 2716 adds TLS)

  34. The RFC's contain some great diagrams showing the sequence of messages for the above EAP variants.

  35. The IEEE  802.1x standard goes through all this for EAP-OTP in a couple of different scenarios (supplicant initiated exchange, authenticator initiated, etc.).

  36. How did EAP get into the picture? • EAP sits inside PPP’s authentication protocol. • It provides a generalized framework for all sorts of authentication methods.

  37. EAP Message • Exactly one EAP packet is encapsulated in the Information field of a PPPData Link Layer frame and building a PPP EAP Message. • Where the protocol field indicates type hex C227 (PPP EAP).

  38. How did EAP get into the picture? • By pulling EAP out (destacando) into a separate protocol, it then has the option of re-use in other environments - like 802.1X.

  39. How did EAP get into the picture? • EAP is supposed to head off (desviar) proprietary authentication systems and let everything from passwords to challenge-response tokens and PKI certificates work smoothly.

  40. How did EAP get into the picture? • With a standardized EAP, interoperability and compatibility across authentication methods becomes simpler.

  41. How did EAP get into the picture? • Only the client and the authentication server have to be coordinated. • By supporting EAP authentication, a RAS server (in wireless this is the AP) gets out of the business of actively participating in the authentication dialog ...

  42. How did EAP get into the picture? • For example, when you dial a remote access server (RAS) and use EAP as part of your PPP connection, the RAS doesn’t need to know any of the details about your authentication system.

  43. How did EAP get into the picture? • ... ... and just re-packages EAP packets to hand off to a RADIUS server to make the actual authentication decision.

  44. How 802.1x Works

  45. The 802.1x access control works on unaggregated physical ports  at OSI Layer 2. It allows or denies access. • The access control it exerts can govern bidirectional or inbound traffic.

  46. On LAN media, 802.1x needs some way to communicate between the Supplicant and the Authenticator. This happens directly at Layer 2. • The protocol used is EAPOL, which stands for EAP encapsulation over LANs. 

  47. EAP is a separate protocol (or family of  protocols) for authentication. • Let's take a look at the EAPOL frame format. It is shown in the following figure:

  48. the EAPOL frame format

  49. The packet type is as follows: • 0 EAP Packet1 EAPOL Start2 EAPOL Logoff3 EAPOL Key4 EAPOL Encapsulated Alert

  50. The key packet  type is used for  EAP variants that allow an encryption key. • The packet body is then a Key Descriptor, with specified fields. We'll skip the details.

More Related