Real-world 802.1X Deployment Challenges
TRANSCRIPT
![Page 1: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/1.jpg)
Real-world 802.1X Deployment Challenges
Tim Cappalli
March, 2014
![Page 2: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/2.jpg)
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved. #AirheadsConf
About Me
• Mobility Engineer, Brandeis University
• Wireless Infrastructure
• AAA / Role-based Access Control
– wired, wireless and remote networks
@tcappy0707
![Page 3: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/3.jpg)
• 6,000 students
• 1,300 full time staff
• Smallest VHR university
• 2,200 access points (mix 11n/11ac)
• 5 mobility controllers
• 320 edge switches, 92 stacks
• AAA: ClearPass Policy Manager
• eduroam
![Page 4: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/4.jpg)
Agenda
What is EAP?
Common EAP Flavors
The Good and The Bad
Client Support
Challenges at Brandeis
Open Discussion – What challenges do you face?
![Page 5: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/5.jpg)
802.1X
![Page 6: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/6.jpg)
802.1X (IEEE standard)
![Page 7: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/7.jpg)
POLL
PEAP? TLS? TTLS?
WHAT ARE YOU USING?
![Page 8: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/8.jpg)
What is EAP?
• Extensible Authentication Protocol
– 802.1X defines EAPOL
– Designed for Ethernet, adapted to 802.11
Arran Cudbard-Bell
![Page 9: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/9.jpg)
EAP Transaction
• Parties: Client (supplicant), Authenticator (switch or controller), Authentication Server (RADIUS)
– Client to Authenticator: EAPOL
– Authenticator to Authentication Server: RADIUS
• Client: EAPOL Start
• Authenticator: Request Identity
• Client: Response Identity (anonymous); the Authenticator relays Response Identity to the Authentication Server
• Authentication Server: TLS Start
• Authentication Server: Certificate; Client: Client Key exchange
• Client: Cert. verification
• Authentication Server: Request credentials
• Client: Response credentials
• Authentication Server: Success
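As an added example (not from the slides): a decoder for the EAPOL and EAP headers on the client side of the exchange above, run over five frames constructed here to match the slide (EAPOL-Start, Request/Identity, Response/Identity with the outer identity "anonymous", a PEAP TLS Start, and EAP-Success). Layouts follow IEEE 802.1X and RFC 3748. The point it makes concrete: the outer identity, the method type and the Success/Failure code are everything a passive listener sees; the real username and the credentials after TLS Start travel inside the tunnel.

```python
"""Decode EAPOL/EAP frames as exchanged between supplicant and authenticator.

Frame layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP). The frames in
EXCHANGE are constructed sample input, not captured traffic.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}          # methods whose first data byte is a TLS flags byte


def build_eapol(eapol_type, body=b""):
    """EAPOL header: version(1) type(1) length(2), followed by the body."""
    return struct.pack("!BBH", 1, eapol_type, len(body)) + body


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header: code(1) identifier(1) length(2) [type(1) type-data]."""
    if code in (3, 4):                       # Success / Failure carry no type
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with frame")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4):
        return out
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type, data = pkt[4], pkt[5:length]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        # The outer identity is cleartext: this is what a sniffer sees.
        out["identity"] = data.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if eap_type != 13:                   # TTLS and PEAP keep a version in the low 3 bits
            out["version"] = flags & 0x07
        out["tls_bytes"] = len(data) - 1     # TLS record bytes following the flags
    return out


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than header")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    if length > len(frame) - 4:
        raise ValueError("EAPOL length field exceeds frame")
    out = {"version": version, "type": EAPOL_TYPES.get(etype, etype)}
    if etype == 0:
        out["eap"] = parse_eap(frame[4:4 + length])
    return out


# Constructed exchange mirroring the slide (client <-> authenticator leg only).
EXCHANGE = [
    ("client -> authenticator", build_eapol(1)),                                      # EAPOL-Start
    ("authenticator -> client", build_eapol(0, build_eap(1, 1, 1))),                  # Request/Identity
    ("client -> authenticator", build_eapol(0, build_eap(2, 1, 1, b"anonymous"))),    # Response/Identity
    ("authenticator -> client", build_eapol(0, build_eap(1, 2, 25, bytes([0x20])))),  # PEAPv0, S flag = TLS Start
    ("authenticator -> client", build_eapol(0, build_eap(3, 2))),                     # EAP-Success
]


def decode_exchange(exchange=EXCHANGE):
    """Return (direction, decoded-frame) pairs for the whole exchange."""
    return [(direction, parse_eapol(frame)) for direction, frame in exchange]


if __name__ == "__main__":
    for direction, decoded in decode_exchange():
        print(f"{direction:24} {decoded}")
```

The length checks matter in practice: a supplicant or RADIUS front end that trusts the EAP length field without comparing it to the frame length is reading past the buffer.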
![Page 10: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/10.jpg)
EAP FLAVORS
![Page 11: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/11.jpg)
Common EAP Flavors
• PEAP (Protected EAP)
– Uses a digital certificate on the network side
– Password or certificate on the client side
– Most common: PEAPv0/EAP-MSCHAPv2
• EAP-TLS (EAP with Transport Layer Security)
– Uses a certificate on the network side
– Uses a certificate on the client side
• TTLS (Tunneled Transport Layer Security)
– Uses a certificate on the network side
– Password, token, or certificate on the client side
– Inner method tunneled as Diameter-format AVPs (PAP, CHAP, MS-CHAPv2) or as EAP
![Page 12: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/12.jpg)
THE GOOD AND THE BAD
![Page 13: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/13.jpg)
EAP-TLS: The Good
• Device or User credential
– Revoke device access instead of user
• Currently the strongest authentication method
• Most widely supported
• Extremely difficult to crack a 2048-bit RSA key
![Page 14: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/14.jpg)
EAP-TLS: The Bad
• Certificate distribution
– Enrollment or onboard process
– Can be an administrative burden without proper tools
• User familiarity
– Most users have no concept of a certificate
– Username and password is the “standard”
• Renewals
– Notifying users to renew before expiration
• Changing certificate chain
– Not just “accept new certificate” for users
![Page 15: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/15.jpg)
PEAP: The Good
• Username / password is familiar to users
• Users can “just get on” w/ valid credentials
• Second most widely supported
• Easy integration with AD (“free” NPS)
![Page 16: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/16.jpg)
PEAP: The Bad
• Device credential on Windows AD-joined devices
• Passwords are weak!
– Users won’t remember a truly secure password
• Password expiration
– How do you handle AD password expiration for non-AD Windows machines?
• Client must be configured correctly
• Not so easy with LDAP & Novell
– Limited PEAPv1/EAP-GTC native client support
![Page 17: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/17.jpg)
EAP-GTC vs EAP-MSCHAPv2
• Password storage formats each inner method can verify against:
• EAP-GTC
– Cleartext, NT hash, MD5 hash, salted MD5 hash
– SHA1 hash, salted SHA1 hash, UNIX crypt
• EAP-MSCHAPv2
– Cleartext, NT hash, LM hash
![Page 18: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/18.jpg)
Server Certificate
• Make sure CA correspondence goes to more
than one person!
• Nightmares for wireless only devices:
– Server certificate expiration
– New chain
– New server name
• Push out new profiles/GPOs ahead of time!
![Page 19: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/19.jpg)
CLIENT SUPPORT
![Page 20: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/20.jpg)
Native Client Support

| Platform               | EAP-PEAP | EAP-TLS       | EAP-TTLS |
|------------------------|----------|---------------|----------|
| Windows 8              | YES      | YES           | YES      |
| Windows 7 / Vista / XP | YES      | YES           | NO       |
| Mac OS X               | YES      | YES           | YES      |
| Linux                  | YES**    | YES           | YES      |
| iOS                    | YES      | YES           | YES*     |
| Android                | YES**    | YES           | YES      |
| Chrome OS              | YES**    | YES           | YES**    |
| Windows Phone 8.1      | YES      | YES (rumored) | UNK      |
| Windows Phone 7/8      | YES      | NO**          | NO       |
| BlackBerry 10          | YES      | YES           | YES      |
| BlackBerry 7           | YES      | YES           | YES      |
![Page 21: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/21.jpg)
Native Client Support (game consoles)

| Platform             | EAP-PEAP | EAP-TLS | EAP-TTLS |
|----------------------|----------|---------|----------|
| XBOX 360             | NO       | NO      | NO       |
| XBOX One             | MAYBE    | MAYBE   | MAYBE    |
| PlayStation 3 & 4    | NO       | NO      | NO       |
| Nintendo Wii / Wii U | NO       | NO      | NO       |
![Page 22: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/22.jpg)
![Page 23: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/23.jpg)
![Page 24: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/24.jpg)
![Page 25: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/25.jpg)
![Page 26: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/26.jpg)
![Page 27: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/27.jpg)
![Page 28: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/28.jpg)
![Page 29: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/29.jpg)
![Page 30: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/30.jpg)
![Page 31: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/31.jpg)
![Page 32: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/32.jpg)
MiTM
• Legitimate network: SSID HospiNET, RADIUS server radius1.hospital.org, certificate issued by Verisign
• Rogue network: SSID HospiNET, server name wireless.hospital.org, self-signed certificate
• Client profile: VALIDATE SERVER CERT: Disabled
• With validation disabled the client cannot tell the two apart and sends its inner credentials to whichever "HospiNET" answers first
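Added example, not from the deck: a model of the supplicant's server-certificate policy, applied to the slide's two "HospiNET" servers plus a third, assumed case (an attacker who obtains a certificate for a domain they control from the same public CA). The server names and the CA label come from the slide; the certificates are constructed records, not real ones, and only the policy decision is modeled (no chain building or validity-period checks). It shows why pinning the CA alone is not enough: the profile must also constrain the server name, as wpa_supplicant's `domain_suffix_match` or the Windows "Connect to these servers" setting does.

```python
"""Supplicant-side server certificate policy for a PEAP/TTLS profile.

Constructed scenario from the slide: a legitimate RADIUS server with a
Verisign-issued certificate and a rogue AP presenting a self-signed one.
The third server (ROGUE_PUBLIC_CA) is an assumption added here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    subject: str   # name the RADIUS server presents (CN / SAN)
    issuer: str    # CA that signed it; equals subject when self-signed


@dataclass(frozen=True)
class Profile:
    validate_server_cert: bool = True
    trusted_cas: frozenset = frozenset()   # CAs the profile trusts for this SSID
    domain_suffix: str = ""                # expected server domain; "" = not checked


def domain_suffix_match(host, suffix):
    """Label-boundary suffix match (wpa_supplicant domain_suffix_match semantics):
    'radius1.hospital.org' matches 'hospital.org'; 'nothospital.org' does not."""
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def supplicant_accepts(profile, cert):
    """Return (accepted, reason) for a server certificate under a profile."""
    if not profile.validate_server_cert:
        return True, "validation disabled: any server is accepted, rogue included"
    if cert.issuer not in profile.trusted_cas:
        return False, f"issuer {cert.issuer!r} is not a trusted CA for this profile"
    if profile.domain_suffix and not domain_suffix_match(cert.subject, profile.domain_suffix):
        return False, f"server name {cert.subject!r} is outside {profile.domain_suffix!r}"
    return True, "trusted CA and expected server name"


PUBLIC_CA = "Verisign"                                   # per the slide
LEGIT = ServerCert("radius1.hospital.org", PUBLIC_CA)
ROGUE_SELF_SIGNED = ServerCert("wireless.hospital.org", "wireless.hospital.org")
# Assumption: the attacker buys a certificate from the same public CA for a
# domain they own. The CA did nothing wrong; only a name check catches this.
ROGUE_PUBLIC_CA = ServerCert("radius.attacker.example", PUBLIC_CA)

PROFILES = {
    "disabled":    Profile(validate_server_cert=False),
    "ca_only":     Profile(trusted_cas=frozenset({PUBLIC_CA})),
    "ca_and_name": Profile(trusted_cas=frozenset({PUBLIC_CA}), domain_suffix="hospital.org"),
}
SERVERS = (LEGIT, ROGUE_SELF_SIGNED, ROGUE_PUBLIC_CA)


def evaluate(profiles=PROFILES, servers=SERVERS):
    """Map (profile name, server subject) -> accepted?"""
    return {(name, cert.subject): supplicant_accepts(profile, cert)[0]
            for name, profile in profiles.items() for cert in servers}


if __name__ == "__main__":
    for (name, subject), accepted in evaluate().items():
        print(f"{name:12} {subject:26} {'ACCEPT' if accepted else 'reject'}")
```

Only the "ca_and_name" profile rejects both rogues while still accepting radius1.hospital.org; the "disabled" profile on the slide accepts everything, and a CA-only profile still accepts any certificate the same public CA would issue to anyone.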
![Page 33: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/33.jpg)
![Page 34: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/34.jpg)
COURTESY: LEE BADMAN, SYRACUSE UNIVERSITY
![Page 35: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/35.jpg)
WHAT’S BRANDEIS DOING?
![Page 36: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/36.jpg)
What’s Brandeis Doing?
• Training support staff
– Explaining the different networks
– Giving access to troubleshooting tools
• Empowering* users
– Making it interactive
– Making it user friendly
• Planning for some type of onboarding
• Exploring EAP-TLS
– Using network and systems group as PoC for access to
secure management networks
*attempting
![Page 37: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/37.jpg)
![Page 38: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/38.jpg)
What’s Brandeis Doing?
3/15/13, 10/3/13, 3/5/14
![Page 39: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/39.jpg)
Know the audience
![Page 40: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/40.jpg)
When in doubt, run __________
• Ensure support staff understand the value of
client configuration tools
• Utilize a configuration utility
– Teaching help desk, “When in doubt, run QuickConnect”
• Utilize driver detection tools
– Intel Driver Update Utility
![Page 41: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/41.jpg)
OPEN DISCUSSION
![Page 42: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/42.jpg)
Good Reads
• Simply put: How does certificate-based authentication
work? (Network World, 3/10/14, Aaron Woland)
• Cryptography Decrypted (Amazon)
![Page 43: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/43.jpg)
![Page 44: Real-world 802.1X Deployment Challenges](https://reader033.vdocument.in/reader033/viewer/2022042503/55a6018f1a28abdb498b4711/html5/thumbnails/44.jpg)
Thank You
#AirheadsConf