Date posted: 22-Dec-2015
802.1X in Windows
Tom Rixom
Alfa & Ariss
Overview
• 802.1X/EAP
• 802.1X in Windows
• Tunneled Authentication
• Certificates in Windows
• WIFI Client in Windows (WZC)
• Configuration examples
• Questions?
802.1X/EAP
• Port Based Network Access Control
• Authenticated/Unauthenticated Port
• Supplicant/Authenticator/Authentication Server
• Uses EAP (Extensible Authentication Protocol)
• Allows authentication based on user credentials
[Figure: 802.1X roles. The Supplicant (802.1X Client) speaks EAP over LAN (EAPOL) to the Authenticator (802.1X Switch/AP); the Authenticator converts EAP between EAPOL and EAP over RADIUS and relays it to the Authentication Server (EAP RADIUS Server). The Supplicant's port starts Unauthenticated (only EAP passes) and becomes Authenticated (Intranet access) once the Authentication Server accepts the Supplicant.]
802.1X Client
• 802.1X Protocol Driver (EAPOL Driver)
– Handles all EAPOL communication
– Extracts EAP messages from EAPOL which can be read by applications
– Inserts EAP messages into EAPOL that applications wish to send
• 802.1X Client Application
– Uses Driver to send and receive EAP messages
– Handles EAP messages accordingly
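The split the slide describes, a driver that strips the EAPOL envelope and an application that interprets the EAP message inside, is easy to see on the wire. The following Python is an added example written for this page, not code from the presentation or from any Microsoft component: it builds and parses EAPOL PDUs (IEEE 802.1X: version, packet type, body length) and the EAP packets they carry (RFC 3748: Code, Identifier, Length, Type), with the length checks a driver needs so that a truncated or inconsistent frame is rejected instead of read past its end. The MAC addresses and the identity string are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
# 802.1X PAE group address used for EAPOL-Start and authenticator requests
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class EAPOLFrame:
    dst: bytes
    src: bytes
    version: int
    packet_type: int
    body: bytes


@dataclass
class EAPPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type byte
    data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Serialise an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol(src: bytes, dst: bytes, packet_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Wrap a body in an EAPOL PDU and an Ethernet header (the driver's job on send)."""
    eth = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> EAPOLFrame:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, packet_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame length")
    # Bytes after body_len are Ethernet padding and are ignored.
    return EAPOLFrame(dst, src, version, packet_type, body)


def parse_eap(body: bytes) -> EAPPacket:
    """Parse the EAP packet inside an EAPOL EAP-Packet body."""
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with body")
    if code in (1, 2):  # Request and Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without Type field")
        return EAPPacket(code, identifier, body[4], body[5:length])
    return EAPPacket(code, identifier, None, body[4:length])


def extract_eap(frame: bytes) -> Optional[EAPPacket]:
    """What the driver hands up to the application: the EAP message, or None for other EAPOL PDUs."""
    eapol = parse_eapol(frame)
    if eapol.packet_type != 0:
        return None
    return parse_eap(eapol.body)


def describe(frame: bytes) -> str:
    """Human-readable name of an EAPOL frame, e.g. 'EAPOL-Start' or 'Response/Identity'."""
    eapol = parse_eapol(frame)
    if eapol.packet_type != 0:
        return EAPOL_TYPES.get(eapol.packet_type, f"type {eapol.packet_type}")
    eap = parse_eap(eapol.body)
    name = EAP_CODES.get(eap.code, str(eap.code))
    if eap.eap_type is not None:
        name += "/" + EAP_TYPES.get(eap.eap_type, f"type {eap.eap_type}")
    return name


def is_malformed(frame: bytes) -> bool:
    """True when the driver would drop the frame instead of passing it up."""
    try:
        extract_eap(frame)
        return False
    except ValueError:
        return True


# Constructed sample exchange (MAC addresses and identity are made up for this example)
CLIENT_MAC = bytes.fromhex("000c29445566")
AP_MAC = bytes.fromhex("00a0c9112233")
EAPOL_START = build_eapol(CLIENT_MAC, PAE_GROUP_ADDR, 1)
REQ_IDENTITY = build_eapol(AP_MAC, CLIENT_MAC, 0, build_eap(1, 1, 1))
RESP_IDENTITY = build_eapol(CLIENT_MAC, AP_MAC, 0, build_eap(2, 1, 1, b"anonymous@example.org"))
EAP_SUCCESS = build_eapol(AP_MAC, CLIENT_MAC, 0, build_eap(3, 9))

if __name__ == "__main__":
    for f in (EAPOL_START, REQ_IDENTITY, RESP_IDENTITY, EAP_SUCCESS):
        print(describe(f))
```

Note that the identity in the Response/Identity is sent in clear text before any tunnel exists; that is why the tunneled methods later in the deck let the outer identity be anonymous.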
[Figure: EAPOL/EAP protocol stack. EAP messages are carried inside EAPOL; the 802.1X Protocol Driver handles the EAPOL layer and the 802.1X Application handles the EAP layer.]
802.1X Client in Windows
• Implements 802.1X Driver (NDIS) and Application
• Uses Microsoft EAP API to handle the EAP communication
• Controls user interaction (Balloon)
• User/Computer context
[Figure: the 802.1X Client receives EAP over LAN (EAPOL) carrying an “EAP-MD5” message and passes it through the Microsoft EAP API to the EAP-MD5 Module.]
EAP in Windows
• Microsoft EAP API
• An EAP Module is a Windows DLL that implements the Microsoft EAP API
• The 802.1X Client calls the modules through the EAP API to handle authentication
• Another example of an EAP API caller is the Microsoft VPN Client
[Figure: EAP modules (EAP-MD5 Module, EAP-TLS Module, PEAP Module, EAP-TTLS Module/SecureW2) are called through the Microsoft EAP API, e.g. RASGetIdentity(…), RASMakeMessage(…).]
EAP Modules
• EAP-MD5 (Built-in)
– Username/password
• EAP-TLS (Built-in)
– Client/server certificates (PKI)
• EAP-MSCHAPV2 (Built-in)
– Username/password (Windows credentials)
• Protected EAP (PEAP) (Built-in)
– Server certificate
– Tunneled EAP Authentication
– EAP-MD5, EAP-MSCHAPV2, EAP-…
• EAP-TTLS
– Server certificate
– Tunneled Diameter Authentication
– Diameter (PAP/CHAP/…), EAP
Tunneled Authentication (TTLS/PEAP)
• Uses TLS tunnel to protect data
– The TLS tunnel is established using the Server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
• Allows use of dynamic session keys for line encryption
[Figure: TLS tunnel between the 802.1X Client and the EAP RADIUS Server. Server authentication sets up the tunnel; user authentication runs inside it, protected by the tunnel.]
PEAP?
• PEAP
– Version 1, 2
– Supported by Cisco, Apple OS X Panther
– http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt
• Microsoft PEAP (Windows XP SP1)
– Version 0
• No headers
– Implemented by Microsoft PEAP module
– http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt
Certificates in Windows
• PEAP (Built-in) and SecureW2 use the Windows certificate trust
• Certificate (Chain) of the Authentication server must be installed on the local computer
• Certificate stores:
– User
• Each user has own user store in which the user can install certificates and build certificate trusts
• Certificates visible only to the store owner (User)
– System
• Only Administrators and system applications can install certificates in the system store
• Certificates can be used by all applications and users
WIFI Client in Windows: Wireless Zero Config (WZC)
• Generic interface for configuring wireless connections
• Compatibility
– Wireless Ethernet Driver must be compatible with WZC to enable 802.1X
• Windows XP
– WPA
• Windows Mobile Pocket PC 2003
• Windows 2000 requires 3rd Party WIFI Client
[Figure: dynamic WEP key delivery over the Wireless Net. The Client (WIFI Client/802.1X Client) and the EAP RADIUS Server both generate the MPPE keys; the RADIUS Server sends the MPPE keys (encoded using the RADIUS shared secret) to the 802.1X AP; the AP generates a WEP key, encodes it using the MPPE keys in an EAPOL-Key message and sends it to the Client; the Client decodes the EAPOL-Key using the MPPE key, retrieves the WEP key and sets it; the AP sets the same WEP key.]
802.1X WIFI Scenario
• The WIFI Client associates with the Access Point (SSID)
• The Access Point requires 802.1X and sets the Client's “port” to the “Unauthenticated” state.
• The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client
• The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication
• After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel)
• The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point
• The Access Point sets the Client's “port” to the “Authenticated” state, allowing the client to communicate with the Intranet
• The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL-Key message
• The Access Point sends the EAPOL-Key to the Client
• The Client decodes the WEP key in the EAPOL-Key message using the MPPE keys it generated and sets the WEP key
• WIFI Client takes over to set up the rest of the connection (DHCP)
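The two steps the scenario leaves abstract, “encode a WEP key in an EAPOL-Key message” on the Access Point and “decode the WEP key using the MPPE keys” on the Client, are shown below in Python as an added example for this page, not code from the presentation or from any vendor. It follows the RC4 key descriptor of IEEE 802.1X-2001: the WEP key is RC4-encrypted under Key IV concatenated with the encryption key (first 256 keystream bytes discarded), and the whole EAPOL frame is signed with HMAC-MD5 under the signature key, with the signature field zeroed. Assumptions: the two 32-byte keys here are constructed stand-ins for the MPPE keys (which of MS-MPPE-Send-Key/MS-MPPE-Recv-Key takes which role is defined in RFC 3580 and not stated on the slide), the WEP key and IV are constructed, and the RADIUS-side transport of the MPPE keys to the AP is not shown.

```python
import hashlib
import hmac
import os
import struct

EAPOL_KEY = 3          # EAPOL packet type for EAPOL-Key
RC4_DESCRIPTOR = 1     # 802.1X-2001 key descriptor type
SIGNATURE_OFFSET = 32  # EAPOL hdr(4) + type(1) + len(2) + replay(8) + IV(16) + index(1)


def rc4_crypt(key: bytes, data: bytes, skip: int = 256) -> bytes:
    """RC4 with the first `skip` keystream bytes discarded, as the RC4 descriptor requires."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for n in range(skip + len(data)):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= skip:
            out.append(data[n - skip] ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_wep_key(sign_key: bytes, encr_key: bytes, wep_key: bytes, key_index: int,
                 replay_counter: int, iv: bytes = None) -> bytes:
    """Access Point side: encode a WEP key in an EAPOL-Key (RC4 descriptor) frame."""
    iv = os.urandom(16) if iv is None else iv
    encrypted = rc4_crypt(iv + encr_key, wep_key)
    body = (struct.pack("!BH", RC4_DESCRIPTOR, len(wep_key))
            + struct.pack("!Q", replay_counter)
            + iv
            + bytes([0x80 | (key_index & 0x7F)])  # bit 7 set = unicast key
            + bytes(16)                            # signature placeholder
            + encrypted)
    frame = struct.pack("!BBH", 1, EAPOL_KEY, len(body)) + body
    sig = hmac.new(sign_key, frame, hashlib.md5).digest()
    return frame[:SIGNATURE_OFFSET] + sig + frame[SIGNATURE_OFFSET + 16:]


def unwrap_wep_key(sign_key: bytes, encr_key: bytes, frame: bytes, last_replay_counter: int = -1):
    """Client side: verify signature and replay counter, then decode the WEP key."""
    if len(frame) < SIGNATURE_OFFSET + 16:
        raise ValueError("EAPOL-Key frame too short")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_KEY or len(frame) < 4 + body_len:
        raise ValueError("not a complete EAPOL-Key frame")
    frame = frame[:4 + body_len]
    descriptor, key_len = struct.unpack("!BH", frame[4:7])
    if descriptor != RC4_DESCRIPTOR:
        raise ValueError(f"unsupported key descriptor {descriptor}")
    (replay_counter,) = struct.unpack("!Q", frame[7:15])
    iv, key_index = frame[15:31], frame[31]
    signature, encrypted = frame[32:48], frame[48:]
    # The signature covers the whole EAPOL frame with the signature field zeroed.
    zeroed = frame[:32] + bytes(16) + frame[48:]
    expected = hmac.new(sign_key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("EAPOL-Key signature check failed")
    if replay_counter <= last_replay_counter:
        raise ValueError("EAPOL-Key replayed")
    if len(encrypted) != key_len:
        raise ValueError("key length mismatch")
    wep_key = rc4_crypt(iv + encr_key, encrypted)
    return key_index & 0x7F, bool(key_index & 0x80), wep_key, replay_counter


def key_accepted(sign_key: bytes, encr_key: bytes, frame: bytes, last_replay_counter: int = -1) -> bool:
    """True if the Client would install the key carried in `frame`."""
    try:
        unwrap_wep_key(sign_key, encr_key, frame, last_replay_counter)
        return True
    except ValueError:
        return False


# Constructed keys for this example; in the real exchange the MPPE keys come from the
# EAP method (TLS tunnel) and the WEP key is chosen by the Access Point.
SIGN_KEY = hashlib.sha256(b"constructed MPPE signature key").digest()
ENCR_KEY = hashlib.sha256(b"constructed MPPE encryption key").digest()
WEP_KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit WEP key

if __name__ == "__main__":
    frame = wrap_wep_key(SIGN_KEY, ENCR_KEY, WEP_KEY, 0, 1)
    print(unwrap_wep_key(SIGN_KEY, ENCR_KEY, frame))
```

The signature and replay checks are what keep the per-session WEP key tied to the authenticated session: a frame from a party that does not hold the MPPE keys, or a replayed frame, is discarded rather than installed. The secrecy of the WEP key therefore depends entirely on the MPPE keys derived inside the TLS tunnel, which is why the server certificate check on the previous slides matters.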
Configuration example #1: EAP-TTLS/SecureW2 (Windows XP, Wireless)
• Step 1: Connection properties
• Step 2: Wireless Networks
• Step 3: Wireless Networks properties
• Step 4: Wireless Networks properties (Authentication)
• Step 5: SecureW2 properties
Configuration example #2: PEAP (Wired, Windows 2K)
• Step 1: Start Wireless Configuration service
• Step 2: Connection properties
• Step 3: Authentication properties
• Step 4: PEAP properties
• Step 4: Configure 3rd Party WIFI Client
– Some clients support dynamic WEP keys
– Other clients not supporting dynamic WEP keys can be tricked: “Fake WEP Key”
Questions?
• …