802.1X in Windows - PowerPoint PPT Presentation

Presentation Transcript

  1. 802.1X in Windows Tom Rixom Alfa & Ariss

  2. Overview • 802.1X/EAP • 802.1X in Windows • Tunneled Authentication • Certificates in Windows • WIFI Client in Windows (WZC) • Configuration examples • Questions?

  3. 802.1X/EAP • Port Based Network Access Control • Authenticated/Unauthenticated Port (the standard calls these the authorized and unauthorized states of the controlled port; only EAPOL frames pass through an unauthorized port) • Supplicant/Authenticator/Authentication Server • Uses EAP (Extensible Authentication Protocol): the authentication method runs end-to-end between supplicant and authentication server, the authenticator only relays it • Allows authentication based on user (or computer) credentials

  4. EAP over LAN (EAPOL)

  5. 802.1X Client • 802.1X Protocol Driver (EAPOL Driver) • Handles all EAPOL communication • Extracts EAP messages from EAPOL which can be read by applications • Inserts EAP messages into EAPOL that applications wish to send • 802.1X Client Application • Uses Driver to send and receive EAP messages • Handles EAP messages accordingly
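The driver/application split on this slide, as an added example that is not the presentation's or Alfa & Ariss's code: a supplicant-side parser that pulls the EAP packet out of an EAPOL frame, answers an EAP-Request/Identity, and wraps the reply back into EAPOL. The MAC addresses, the captured frame and the outer identity are constructed for the example, and the function names are the example's own. The padded sample frame shows why the EAPOL length field, not the Ethernet frame length, must bound what is handed to the EAP parser.

```python
"""EAPOL framing as seen by an 802.1X supplicant (added example).
Pulls the EAP packet out of an EAPOL frame and wraps an EAP reply back into EAPOL.
MAC addresses, the captured frame and the identity are constructed, not real."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_VERSION = 1
# EAPOL packet types
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes and the Identity type
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body)


def parse_eapol(frame: bytes) -> dict:
    """Split an Ethernet frame into EAPOL fields.  The EAPOL length field, not the
    frame length, bounds the body: Ethernet pads short frames to 60 bytes, and a
    supplicant trusting the frame length would feed padding to the EAP parser."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    return {"dst": dst, "src": src, "version": version, "type": eapol_type, "body": body}


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header (Code, Identifier, Length) and, for Request/Response,
    the Type byte; the Length field is validated against the actual data."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": identifier, "length": length, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type")
        eap["type"] = packet[4]
        eap["data"] = packet[5:length]
    return eap


def build_eap_response(identifier: int, eap_type: int, data: bytes) -> bytes:
    """EAP-Response carrying the Identifier of the Request it answers."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), eap_type) + data


def eapol_start(src: bytes) -> bytes:
    """EAPOL-Start: the supplicant asks the authenticator to begin."""
    return build_eapol(PAE_GROUP_ADDR, src, EAPOL_START)


def supplicant_handle(frame: bytes, identity: bytes):
    """Slide 5 in code: the driver strips EAPOL, the client answers an
    EAP-Request/Identity, and the reply is wrapped in EAPOL again.  Other EAP
    types would be handed to the EAP module (PEAP, TTLS, ...) instead."""
    eapol = parse_eapol(frame)
    if eapol["type"] != EAPOL_EAP:
        return None                      # EAPOL-Key etc. are handled elsewhere
    eap = parse_eap(eapol["body"])
    if eap["code"] == EAP_REQUEST and eap["type"] == EAP_TYPE_IDENTITY:
        reply = build_eap_response(eap["id"], EAP_TYPE_IDENTITY, identity)
        return build_eapol(eapol["src"], eapol["dst"], EAPOL_EAP, reply)
    return None


# Constructed sample: AP 00:11:22:33:44:55 sends EAP-Request/Identity (id 0x2a)
# to client 66:77:88:99:aa:bb; Ethernet pads the 23-byte frame to 60 bytes.
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
CAPTURED_FRAME = bytes.fromhex("66778899aabb" "001122334455" "888e"
                               "01000005"        # EAPOL v1, type EAP-Packet, length 5
                               "012a000501") + b"\x00" * 37   # EAP Request, id 0x2a, Identity
OUTER_IDENTITY = b"anonymous@example.org"   # constructed outer identity

if __name__ == "__main__":
    print(supplicant_handle(CAPTURED_FRAME, OUTER_IDENTITY).hex())
```

The response keeps the request's Identifier and swaps the addresses; a real supplicant would also drop EAPOL frames whose source is not the authenticator it is associated with, and would pass everything other than Identity to the loaded EAP module.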

  6. 802.1X Client in Windows • Implements 802.1X Driver (NDIS) and Application • Uses Microsoft EAP API to handle the EAP communication • Controls user interaction (Balloon) • User/Computer context

  7. EAP in Windows • Microsoft EAP API • An EAP module is a Windows DLL that implements the Microsoft EAP API • The 802.1X client calls the modules through the EAP API to handle authentication • Another user of the same API is the Microsoft VPN client

  8. EAP Modules • EAP-MD5 (built-in): username/password; provides no server authentication and derives no key material, so it is unusable for wireless • EAP-TLS (built-in): client and server certificates (PKI) • EAP-MSCHAPv2 (built-in): username/password (Windows credentials) • Protected EAP (PEAP) (built-in): server certificate; tunneled EAP authentication (EAP-MD5, EAP-MSCHAPv2, EAP-…) • EAP-TTLS (third party, e.g. SecureW2): server certificate; tunneled Diameter-AVP authentication (PAP/CHAP/…) or EAP

  9. Tunneled Authentication (TTLS/PEAP) • Uses a TLS tunnel to protect the inner authentication data (username/password or inner EAP) • The TLS tunnel is established using the server certificate; this authenticates the server and prevents man-in-the-middle attacks, but only if the client actually validates the certificate (trusted issuing CA and expected server name). A client configured to skip validation will build the tunnel to any rogue authentication server and hand it the inner credentials • The key material derived from the TLS tunnel provides dynamic, per-session keys for link encryption

  10. PEAP? • PEAP version 1, 2 • Supported by Cisco, Apple OS X Panther • http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt • Microsoft PEAP (Windows XP SP1) • Version 0 • No headers: the inner EAP packets are sent without the EAP Code, Identifier and Length fields (only Type and Type-Data); the version is negotiated in the PEAP start packet, so client and server must share one • Implemented by the Microsoft PEAP module • http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt

  11. Certificates in Windows • PEAP (built-in) and SecureW2 use the Windows certificate trust • The certificate chain of the authentication server must be trusted on the local computer: the issuing CA (root and any intermediates) is installed, and the client should additionally be restricted to that CA and the expected server name, otherwise a certificate from any trusted public CA would pass • Certificate stores: • User: each user has an own user store in which the user can install certificates and build certificate trusts; certificates are visible only to the store owner (user) • System (local machine): only administrators and system applications can install certificates in the system store; certificates can be used by all applications and users • For 802.1X the CA certificate belongs in the system store, so that authentication in the computer context also works and users cannot change the trust

  12. WIFI Client in Windows: Wireless Zero Config (WZC) • Generic interface for configuring wireless connections • Compatibility: the wireless Ethernet driver must be WZC-compatible to enable 802.1X • Windows XP • WPA • Windows Mobile Pocket PC 2003 • Windows 2000 requires a 3rd-party WIFI client

  13. EAPOL Key

  14. 802.1X WIFI Scenario • The WIFI client associates with the access point (SSID) • The access point requires 802.1X and sets the client's “port” to the “Unauthenticated” state, so only EAPOL frames get through • The access point starts the exchange by sending an EAP-Request/Identity (carried in an EAPOL-EAP frame) to the client • The 802.1X client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication • After successful authentication the RADIUS server and the client both derive the MPPE keys from the TLS tunnel's key material (the keys themselves never cross the air) • The RADIUS server sends the MPPE keys (MS-MPPE-Send-Key/MS-MPPE-Recv-Key attributes, encrypted under the RADIUS shared secret) with the Access-Accept to the access point • The access point sets the client's “port” to the “Authenticated” state, allowing the client to communicate with the intranet • The access point then uses the MPPE keys to encrypt and sign a WEP key in an EAPOL-Key message • The access point sends the EAPOL-Key to the client • The client verifies the EAPOL-Key signature, decrypts the WEP key with the MPPE keys it derived itself, and installs it; an access point that did not take part in the TLS exchange cannot produce a valid EAPOL-Key • The WIFI client takes over to set up the rest of the connection (DHCP) • The per-session key limits the damage, but does not cure WEP's own weaknesses; this is the pre-WPA design that WPA/802.11i replaced
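The EAPOL-Key step of this scenario, as an added example that is not part of the presentation: the access point encrypts the WEP key with RC4 keyed by the key IV concatenated with the first 32 bytes of the EAP MSK (what the RADIUS server sends as MS-MPPE-Recv-Key) and signs the frame with HMAC-MD5 under the second 32 bytes (MS-MPPE-Send-Key), following the IEEE 802.1X-2001 RC4 key descriptor and the key-usage convention of common implementations such as hostapd; the client rejects replays and verifies the signature before decrypting. The MSK, IV and WEP key are constructed values, and the function names are the example's own.

```python
"""EAPOL-Key (RC4 key descriptor) used to deliver dynamic WEP keys after a
successful 802.1X/EAP authentication.  Added example; MSK, IV and WEP key are
constructed values, not captures."""
import hashlib
import hmac
import struct

EAPOL_VERSION = 1
EAPOL_KEY = 3                  # EAPOL packet type: EAPOL-Key
DESC_RC4 = 1                   # key descriptor type: RC4 (IEEE 802.1X-2001)
# descriptor type, key length, replay counter, key IV, key index, key signature
KEY_DESC_FMT = "!BH8s16sB16s"
KEY_DESC_LEN = struct.calcsize(KEY_DESC_FMT)          # 44 bytes
SIG_OFFSET = 4 + KEY_DESC_LEN - 16                    # signature field within the frame


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), used only because the descriptor mandates it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_msk(msk: bytes):
    """64-byte EAP MSK -> (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) as carried in the
    Access-Accept; used here as (encryption key, signature key)."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 bytes")
    return msk[:32], msk[32:]


def build_eapol_key(wep_key, key_iv, replay_counter, enc_key, sign_key, index=0, unicast=True):
    """Access point side: RC4(IV || enc_key) encrypts the WEP key; HMAC-MD5 with
    sign_key over the whole EAPOL frame (signature field zeroed) authenticates it."""
    if len(key_iv) != 16:
        raise ValueError("key IV must be 16 bytes")
    key_index = (index & 0x03) | (0x80 if unicast else 0x00)   # bit 7 set = unicast key
    encrypted = rc4(key_iv + enc_key, wep_key)
    body = struct.pack(KEY_DESC_FMT, DESC_RC4, len(wep_key), replay_counter.to_bytes(8, "big"),
                       key_iv, key_index, bytes(16)) + encrypted
    frame = struct.pack("!BBH", EAPOL_VERSION, EAPOL_KEY, len(body)) + body
    signature = hmac.new(sign_key, frame, hashlib.md5).digest()
    return frame[:SIG_OFFSET] + signature + frame[SIG_OFFSET + 16:]


def decode_eapol_key(frame, enc_key, sign_key, last_replay_counter=-1):
    """Client side: check lengths, reject replays, verify the signature before
    touching the key, then decrypt.  An absent key field means "use the first
    Key Length bytes of the encryption key material" (unicast shortcut)."""
    if len(frame) < 4 + KEY_DESC_LEN:
        raise ValueError("truncated EAPOL-Key")
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_KEY:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + length]
    if len(body) != length or length < KEY_DESC_LEN:
        raise ValueError("bad EAPOL length")
    desc, key_len, replay, key_iv, key_index, signature = struct.unpack(KEY_DESC_FMT, body[:KEY_DESC_LEN])
    if desc != DESC_RC4:
        raise ValueError("unsupported key descriptor")
    replay_counter = int.from_bytes(replay, "big")
    if replay_counter <= last_replay_counter:
        raise ValueError("replayed EAPOL-Key")
    unsigned = frame[:SIG_OFFSET] + bytes(16) + frame[SIG_OFFSET + 16:4 + length]
    expected = hmac.new(sign_key, unsigned, hashlib.md5).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("EAPOL-Key signature mismatch")
    encrypted = body[KEY_DESC_LEN:]
    if not encrypted:
        wep_key = enc_key[:key_len]
    elif len(encrypted) == key_len:
        wep_key = rc4(key_iv + enc_key, encrypted)
    else:
        raise ValueError("key field length does not match Key Length")
    return {"index": key_index & 0x03, "unicast": bool(key_index & 0x80),
            "replay_counter": replay_counter, "key": wep_key}


# Constructed sample material (NOT real keys): a fake 64-byte MSK, a fake IV and
# a 104-bit WEP key that the access point wants to hand to the client.
SAMPLE_MSK = hashlib.sha512(b"example MSK, constructed").digest()
SAMPLE_IV = hashlib.md5(b"example IV, constructed").digest()
SAMPLE_WEP_KEY = bytes.fromhex("0102030405060708090a0b0c0d")


def demo():
    """Broadcast key index 1, replay counter 1: build on the AP side, decode on the client side."""
    enc_key, sign_key = split_msk(SAMPLE_MSK)
    frame = build_eapol_key(SAMPLE_WEP_KEY, SAMPLE_IV, 1, enc_key, sign_key, index=1, unicast=False)
    return frame, decode_eapol_key(frame, enc_key, sign_key)


if __name__ == "__main__":
    frame, result = demo()
    print(frame.hex())
    print(result)
```

The signature check has to come before the RC4 step, and the replay counter has to be monotonic: without both, anyone on the air could push an arbitrary key or an old key into the client, which is exactly what the MPPE-derived signature key is there to prevent.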

  15. Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless), Step 1 • Connection properties

  17. Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless), Step 2 • Wireless Networks

  19. Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless), Step 3 • Wireless Networks properties

  21. Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless), Step 4 • Wireless Networks properties (Authentication)

  23. Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless), Step 5 • SecureW2 properties

  24. Configuration example #2: PEAP (Wired, Windows 2K), Step 1 • Start the Wireless Configuration service

  26. Configuration example #2: PEAP (Wired, Windows 2K), Step 2 • Connection properties

  28. Configuration example #2: PEAP (Wired, Windows 2K), Step 3 • Authentication properties

  30. Configuration example #2: PEAP (Wired, Windows 2K), Step 4 • PEAP properties

  31. Configuration example #2: PEAP (Wired, Windows 2K), Step 4 • Configure the 3rd-party WIFI client • Some clients support dynamic WEP keys • Clients that do not support dynamic WEP keys can be tricked with a “Fake WEP Key”: a placeholder static key is configured in the client so that it associates, and the real key delivered via EAPOL-Key replaces it

  32. Questions? • …