
802.1X in Windows - PowerPoint PPT Presentation


Presentation Transcript


802.1X in Windows

Tom Rixom

Alfa & Ariss


Overview

  • 802.1X/EAP

  • 802.1X in Windows

  • Tunneled Authentication

  • Certificates in Windows

  • WIFI Client in Windows (WZC)

  • Configuration examples

  • Questions?


802.1X/EAP

  • Port Based Network Access Control

  • Authenticated/Unauthenticated Port

  • Supplicant/Authenticator/Authentication Server

  • Uses EAP (Extensible Authentication Protocol)

  • Allows authentication based on user credentials



802.1X Client

  • 802.1X Protocol Driver (EAPOL Driver)

    • Handles all EAPOL communication

    • Extracts EAP messages from EAPOL which can be read by applications

    • Inserts EAP messages into EAPOL that applications wish to send

  • 802.1X Client Application

    • Uses Driver to send and receive EAP messages

    • Handles EAP messages accordingly


802.1X Client in Windows

  • Implements 802.1X Driver (NDIS) and Application

  • Uses Microsoft EAP API to handle the EAP communication

  • Controls user interaction (Balloon)

  • User/Computer context


EAP in Windows

  • Microsoft EAP API

  • An EAP Module is a “Microsoft DLL” that implements the Microsoft EAP API

  • 802.1X Client calls modules using EAP API to handle authentication

  • Another example is the Microsoft VPN Client


EAP Modules

  • EAP-MD5 (Built-in)

    • Username/password

  • EAP-TLS (Built-in)

    • Client/server certificates (PKI)

  • EAP-MSCHAPV2 (Built-in)

    • Username/password (Windows credentials)

  • Protected EAP (PEAP) (Built-in)

    • Server certificate

    • Tunneled EAP Authentication

    • EAP-MD5, EAP-MSCHAPV2, EAP-…

  • EAP-TTLS

    • Server certificate

    • Tunneled Diameter Authentication

    • Diameter (PAP/CHAP/…), EAP
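
The split described on the 802.1X Client and EAP Modules slides, as an added example (not code from the presentation and not the Microsoft EAP API): the driver side strips or adds the EAPOL header, and the application side reads the EAP header to pick a module. The function names are hypothetical; the numeric values are the standard EAPOL packet types and EAP codes/types, and the sample frame is constructed.

```python
import struct

# Standard EAPOL packet types and EAP codes/method types (not from the slides).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 21: "EAP-TTLS",
               25: "PEAP", 26: "EAP-MSCHAPV2"}


def extract_eap(frame: bytes):
    """Driver side: strip the EAPOL header, return the EAP packet or None."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    if len(frame) - 4 < body_len:
        raise ValueError("EAPOL body shorter than its length field")
    # Bytes past body_len are Ethernet padding and are dropped, not parsed.
    return frame[4:4 + body_len] if ptype == 0 else None


def insert_eap(eap: bytes, version: int = 1) -> bytes:
    """Driver side: wrap an outgoing EAP packet in an EAPOL header."""
    return struct.pack("!BBH", version, 0, len(eap)) + eap


def parse_eap(eap: bytes) -> dict:
    """Application side: decode the EAP header and name the module to call."""
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code not in EAP_CODES or not 4 <= length <= len(eap):
        raise ValueError("bad EAP code or length")
    msg = {"code": EAP_CODES[code], "id": ident, "method": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        msg["method"] = EAP_METHODS.get(eap[4], f"unhandled type {eap[4]}")
        msg["data"] = eap[5:length]
    return msg


# Constructed sample: EAP-Request/Identity (id 1), padded as on Ethernet.
SAMPLE = bytes.fromhex("01000005" "0101000501") + b"\x00" * 37

if __name__ == "__main__":
    print(parse_eap(extract_eap(SAMPLE)))
    print(insert_eap(bytes([2, 1, 0, 10, 1]) + b"alice").hex())
```

Both length fields are checked against the bytes actually received before any slicing, so a frame that claims more data than it carries is rejected instead of being handed to an EAP module.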


Tunneled Authentication (TTLS/PEAP)

  • Uses TLS tunnel to protect data

    • The TLS tunnel is established using the Server certificate, automatically authenticating the server and preventing man-in-the-middle attacks

  • Allows use of dynamic session keys for line encryption


PEAP?

  • PEAP

    • Version 1, 2

    • Supported by Cisco, Apple OS X Panther

    • http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt

  • Microsoft PEAP (Windows XP SP1)

    • Version 0

      • No headers

    • Implemented by Microsoft PEAP module

    • http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt


Certificates in Windows

  • PEAP (Built-in) and SecureW2 use the Windows certificate trust

  • Certificate (Chain) of Authentication server must be installed on local computer

  • Certificate stores:

    • User

      • Each user has own user store in which the user can install certificates and build certificate trusts

      • Certificates visible only to the store owner (User)

    • System

      • Only Administrators and system applications can install certificates in system store

      • Certificates can be used by all applications and users


WIFI Client in Windows: Wireless Zero Config (WZC)

  • Generic interface for configuring wireless connections

  • Compatibility

    • Wireless Ethernet Driver must be compatible with WZC to enable 802.1X

  • Windows XP

    • WPA

  • Windows Mobile Pocket PC 2003

  • Windows 2000 requires 3rd Party WIFI Client



802.1X WIFI Scenario

  • The WIFI Client associates with the Access Point (SSID)

  • The Access Point requires 802.1X and sets the Client's “port” to the “Unauthenticated” state.

  • The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client

  • The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication

  • After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel)

  • The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point

  • The Access Point sets the Client's “port” to the “Authenticated” state, allowing the client to communicate with the Intranet

  • The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL key message

  • The Access Point sends the EAPOL key to the Client

  • The Client decodes the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key

  • The WIFI Client takes over to set up the rest of the connection (DHCP)


Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1

  • Connection properties


Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2

  • Wireless Networks


Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3

  • Wireless Networks properties


Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4

  • Wireless Networks properties (Authentication)


Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 5

  • SecureW2 properties


Configuration example #2: PEAP (Wired, Windows 2K) Step 1

  • Start Wireless Configuration service


Configuration example #2: PEAP (Wired, Windows 2K) Step 2

  • Connection properties


Configuration example #2: PEAP (Wired, Windows 2K) Step 3

  • Authentication properties


Configuration example #2: PEAP (Wired, Windows 2K) Step 4

  • PEAP properties


Configuration example #2: PEAP (Wired, Windows 2K) Step 4

  • Configure 3rd Party WIFI Client

    • Some clients support dynamic WEP keys

    • Other clients not supporting dynamic WEP keys can be tricked: “Fake WEP Key”


