
802.1X in Windows

Tom Rixom

Alfa & Ariss

Overview
  • 802.1X/EAP
  • 802.1X in Windows
  • Tunneled Authentication
  • Certificates in Windows
  • WIFI Client in Windows (WZC)
  • Configuration examples
  • Questions?
802.1X/EAP
  • Port Based Network Access Control
  • Authenticated/Unauthenticated Port
  • Supplicant/Authenticator/Authentication Server
  • Uses EAP (Extensible Authentication Protocol)
  • Allows authentication based on user credentials
802.1X Client
  • 802.1X Protocol Driver (EAPOL Driver)
    • Handles all EAPOL communication
    • Extracts EAP messages from EAPOL which can be read by applications
    • Inserts EAP messages into EAPOL that applications wish to send
  • 802.1X Client Application
    • Uses Driver to send and receive EAP messages
    • Handles EAP messages accordingly
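
The driver's two jobs listed above (extracting EAP messages from EAPOL and inserting them back) and the application's handling of the result, as an added Python example that is not part of the original slides. The header layouts follow IEEE 802.1X and RFC 3748; the function names and the sample identity are assumptions made for illustration.

```python
import struct

# Constants from IEEE 802.1X (EAPOL packet types) and RFC 3748 / IANA (EAP codes, method types).
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 21: "EAP-TTLS",
               25: "PEAP", 26: "EAP-MSCHAPV2"}


def build_eap(code, ident, method=None, data=b""):
    """Encode an EAP message; Success/Failure carry no method byte."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def insert_eap(eap, version=1):
    """Driver 'send' side: wrap an EAP message in an EAPOL header."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap


def extract_eap(frame):
    """Driver 'receive' side: return the EAP message, or None for EAPOL-Start etc."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]          # slicing by length drops Ethernet padding
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its length field")
    return body if ptype == EAPOL_EAP_PACKET else None


def parse_eap(eap):
    """Application side: decode the EAP header and pick out the method."""
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if not 4 <= length <= len(eap):
        raise ValueError("EAP length field does not match the data received")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "method": None, "data": b""}
    if code in (1, 2) and length >= 5:
        msg["method"] = EAP_METHODS.get(eap[4], eap[4])
        msg["data"] = eap[5:length]
    return msg


if __name__ == "__main__":
    # Constructed sample: the authenticator's EAP-Request/Identity and the client's reply.
    request = insert_eap(build_eap(1, 1, method=1))
    reply = insert_eap(build_eap(2, 1, method=1, data=b"anonymous@example.org"))
    for frame in (request, reply + b"\x00" * 10):
        print(parse_eap(extract_eap(frame)))
```

Both length fields are checked against the bytes actually received, so a frame whose header claims more data than arrived is rejected instead of being read past its end.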
802.1X Client in Windows
  • Implements 802.1X Driver (NDIS) and Application
  • Uses Microsoft EAP API to handle the EAP communication
  • Controls user interaction (Balloon)
  • User/Computer context
EAP in Windows
  • Microsoft EAP API
  • An EAP Module is a “Microsoft DLL” that implements the Microsoft EAP API
  • 802.1X Client calls modules using the EAP API to handle authentication
  • Another example is the Microsoft VPN Client
EAP Modules
  • EAP-MD5 (Built-in)
    • Username/password
  • EAP-TLS (Built-in)
    • Client/server certificates (PKI)
  • EAP-MSCHAPV2 (Built-in)
    • Username/password (Windows credentials)
  • Protected EAP (PEAP) (Built-in)
    • Server certificate
    • Tunneled EAP Authentication
    • EAP-MD5, EAP-MSCHAPV2, EAP-…
  • EAP-TTLS
    • Server certificate
    • Tunneled Diameter Authentication
    • Diameter (PAP/CHAP/…), EAP
Tunneled Authentication (TTLS/PEAP)
  • Uses TLS tunnel to protect data
    • The TLS tunnel is established using the Server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
  • Allows use of dynamic session keys for line encryption
PEAP?
  • PEAP
    • Version 1, 2
    • Supported by Cisco, Apple OS X Panther
    • http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt
  • Microsoft PEAP (Windows XP SP1)
    • Version 0
      • No headers
    • Implemented by Microsoft PEAP module
    • http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt
Certificates in Windows
  • PEAP (Built-in) and SecureW2 use the Windows certificate trust
  • Certificate (Chain) of Authentication server must be installed on local computer
  • Certificate stores:
    • User
      • Each user has own user store in which the user can install certificates and build certificate trusts
      • Certificates visible only to the store owner (User)
    • System
      • Only Administrators and system applications can install certificates in system store
      • Certificates can be used by all applications and users
WIFI Client in Windows: Wireless Zero Config (WZC)
  • Generic interface for configuring wireless connections
  • Compatibility
    • Wireless Ethernet Driver must be compatible with WZC to enable 802.1X
  • Windows XP
    • WPA
  • Windows Mobile Pocket PC 2003
  • Windows 2000 requires 3rd Party WIFI Client
802.1X WIFI Scenario
  • The WIFI Client associates with the Access Point (SSID)
  • The Access Point requires 802.1X and sets the Client's “port” to the “Unauthenticated” state.
  • The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client
  • The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication
  • After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel)
  • The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point
  • The Access Point sets the Client's “port” to the “Authenticated” state, allowing the client to communicate with the Intranet
  • The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL key message
  • The Access Point sends the EAPOL key to the Client
  • The Client decodes the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key
  • WIFI Client takes over to set up the rest of the connection (DHCP)
Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1
  • Connection properties
Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3
  • Wireless Networks properties
Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4
  • Wireless Networks properties (Authentication)
Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 5
  • SecureW2 properties
Configuration example #2: PEAP (Wired, Windows 2K) Step 4
  • Configure 3rd Party WIFI Client
    • Some clients support dynamic WEP keys
    • Other clients not supporting dynamic WEP keys can be tricked: “Fake WEP Key”