www.swan.ac.uk/lis. wireless authentication & 802.1x by gareth ayres
TRANSCRIPT
www.swan.ac.uk/lis
Wireless Authentication & 802.1X
By Gareth Ayres
Agenda
1.0 Swansea’s Current Wireless System
2.0 Requirements of new 802.1X System
3.0 Overview of new 802.1X Technologies
4.0 Design of New 802.1X Wireless System
5.0 802.1X Downfalls (So far)
6.0 Future Plans
1.0 The Current Wireless System
•Home-made wireless solution comprising:
– 700 Cisco Aironet APs
– 12 Cisco WDS & 1 WLSE
– 10 RoamNodes
– 1 DNAC (Dirty Network Access Controller)
– RADIUS & IAS
1.0 The Current Wireless System
[Diagram: clients in Halls, Student Village and Campus join the Wireless Network; their traffic passes through the RoamNode Servers and the DNAC/PROXY, authenticated against RADIUS, then through the Campus Firewall to the Internet.]
1.1 RoamNodes
•Developed by Bristol University
•250 users per RoamNode
•Works by:
– First establishes a PPPoE connection
– Then creates a PPTP VPN tunnel over it and gets an Internet IP address
1.2 RoamNode Tunnel
[Diagram: PC -> Access Point over 802.11g (192.168.x.x) -> RoamNode over PPPoE (10.x.x.x) -> PPTP tunnel (137.44.190.X) -> Internet. The PPTP tunnel runs inside the PPPoE session.]
1.3 Downfalls of Current System
• Bottleneck Issues
• Load Balancing
• Single point of failure
• Maximum Capacity
• Complicated Logging
• Complicated end user configuration
• Difficult User Management
1.4 Statistics from Current System
[Usage graph: 24 hours (Wednesday 16th May)]
[Usage graph: weekly (8th May – 16th)]
1.4 Statistics from Current System
[Usage graph: yearly (2006-2007)]
2.0 Requirements of New System
• Remove any bottlenecks
• Remove Capacity limits
• Better Logging
• Better Administration facilities
• Easy End User Configuration
• Segregation of Users
• Improved Security
3.0 Overview of 802.1X Technologies
•802.1X – port-based network access control: the AP passes nothing but EAP from a client until the RADIUS server has authenticated it
•EAP – Extensible Authentication Protocol
•EAPOW – EAP over Wireless (EAP frames carried directly over 802.11)
•PEAP - Protected Extensible Authentication Protocol
– Developed by Cisco, Microsoft and RSA
– Credentials + server certificate
– TLS tunnel, authenticated by the server's certificate
– EAP-MSCHAPv2 inside the tunnel carries the user's credentials
3.0 Overview of 802.1X Technologies
•WPA - Wi-Fi Protected Access
– Replaces WEP
– WPA = RC4 stream cipher with TKIP
– WPA2 = 802.11i = AES-based CCMP
The use of all the above technologies and protocols together is widely
referred to as an 802.1X-based wireless system.
4.0 Design of 802.1X Wireless System
The new and old systems will run side by side.
Each system will run on a separate SSID:
•UNIROAM - SSID of the current RoamNode system; broadcast and open (no encryption).
•EDUROAM – SSID of the new 802.1X system; also broadcast, but encrypted with WPA (1 & 2) (JRS).
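The slides describe the EDUROAM side from the network's point of view; the matching client-side setting is what the end user has to get right. Below is an added example, not taken from the original slides, of a wpa_supplicant network block for that SSID: WPA/WPA2 with PEAP and EAP-MSCHAPv2 inside the TLS tunnel, as listed in section 3.0. The identity form, anonymous outer identity, CA file path and server name pattern are assumptions; substitute the values the university publishes.

```conf
# Added example (not from the original slides): wpa_supplicant.conf entry
# for the EDUROAM SSID.  identity/realm, CA path and domain_suffix_match
# are assumptions.
network={
    ssid="EDUROAM"
    key_mgmt=WPA-EAP
    proto=WPA RSN                  # WPA(1) and WPA2, as both are offered
    pairwise=CCMP TKIP             # AES-CCMP preferred, TKIP for WPA(1)
    eap=PEAP
    phase2="auth=MSCHAPV2"         # EAP-MSCHAPv2 inside the TLS tunnel
    anonymous_identity="anonymous@swan.ac.uk"   # assumed: outer identity only
    identity="199641@swan.ac.uk"                # assumed realm form
    password="account-password"                 # placeholder
    ca_cert="/etc/ssl/certs/swansea-radius-ca.pem"   # assumed path
    domain_suffix_match="swan.ac.uk"            # assumed server name
}
```

The last two lines are the client side of the "Check Cert (TLS)" step in the 4.1 diagram. Without `ca_cert` and a server-name check the supplicant will build its TLS tunnel to any RADIUS server that presents a certificate, so a rogue AP broadcasting the same SSID could collect the MSCHAPv2 challenge/response from every client that connects.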
4.0 Design of 802.1X Wireless System
[Diagram: the Wireless Network serves Halls, Student Village and Campus. RoamNode traffic only: RoamNode Servers -> DNAC -> PROXY, authenticated against RADIUS. 802.1x traffic only: RADIUS (802.1X) with SUWNAC (MySQL) -> 802.1X Firewall/Gateway. Shared traffic then passes the Campus Firewall to the Internet.]
4.1 802.1X Tunnel
[Diagram: Supplicant -> AP -> RADIUS (AS) -> SUWNAC (MySQL). The supplicant associates to the AP over 802.11g and runs EAPOW (802.1X) carrying PEAP (TLS tunnel, MSChapV2 inside). RADIUS does a MySQL lookup in SUWNAC, which returns 'ProxyTo', and forwards the request to IAS (Swansea) or IAS (Brynmill). Each IAS presents an X.509 certificate; the supplicant checks the certificate (TLS) and the IAS authenticates the user. The resulting session is protected by 802.11i (WPA2 (AES/TKIP)) out to the Internet.]
Key:
802.11g – Wi-Fi association to Eduroam
EAP – Extensible Authentication Protocol
EAPOW – EAP over Wireless
PEAP – Protected EAP
TLS – Transport Layer Security
MSChapV2 – Microsoft Challenge Handshake Authentication Protocol version 2
IAS – Microsoft Internet Authentication Service
X.509 – ITU public key certificate
4.2 802.1X VLANs
[Diagram: Supplicant -> AP (Eduroam), WPA2 -> DNAC -> 802.1x Firewall/Gateway -> Campus Firewall. Each authenticated user is placed on one of the 802.1X VLANs below.]
802.1X VLANs:
– Banned (661)
– Virus (660)
– Admin (656)
– Guest (657)
– Staff (662, 663)
– Student (654, 664, 665)
– Unreg (659)
4.3 802.1X VLAN allocation
Message sequence between the AP, RADIUS, MySQL (SUWNAC) and IAS for user 199641:
1. AP -> RADIUS: EAP request, Username = 199641
2. RADIUS -> MySQL: SQL lookup; returns ProxyTo = Brynmill
3. RADIUS -> IAS (Brynmill): MSCHAPv2, authenticate 199641 on Active Directory
4. IAS -> RADIUS: user and password OK
5. RADIUS -> MySQL: SQL lookup VLAN for 199641; returns VLAN = 664
6. RADIUS -> MySQL: accounting info (199641, 664, date, AP)
7. RADIUS -> AP: user valid, VLAN = 664
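The sequence above is the decision logic the RADIUS server runs around SUWNAC. The following is an added example, not code from the original slides or from the Swansea system, that models that logic end to end so the steps can be run and checked: ProxyTo lookup, proxied authentication, VLAN lookup, accounting row, and the Access-Accept attributes an AP needs to put the client on that VLAN. Assumptions, not taken from the slides: an in-memory SQLite database stands in for the SUWNAC MySQL store and its table and column names are invented; a dictionary of usernames and passwords stands in for the Active Directory domains behind the two IAS servers (the real system runs EAP-MSCHAPv2 there); usernames with no SUWNAC row are rejected because there is no IAS to proxy to. The 199641 / Brynmill / 664 row is the case on the slide; the other rows are constructed.

```python
"""Added example, not code from the original slides: a model of the
slide-4.3 sequence (SUWNAC lookup -> proxied authentication -> VLAN lookup
-> accounting -> Access-Accept with VLAN attributes).

Assumptions: SQLite in memory stands in for the SUWNAC MySQL store; table and
column names are invented; a dict stands in for the AD domains behind IAS;
unknown usernames are rejected.
"""
import hmac
import sqlite3
from datetime import datetime, timezone

# RADIUS attributes a NAS uses for dynamic VLAN assignment (RFC 2868 / RFC 3580):
# Tunnel-Type(64) = 13 (VLAN), Tunnel-Medium-Type(65) = 6 (IEEE-802),
# Tunnel-Private-Group-ID(81) = VLAN number as a string.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Constructed rows standing in for the SUWNAC users table.
# VLAN numbers follow slide 4.2; 199641 -> Brynmill / 664 is the slide-4.3 case.
SAMPLE_USERS = [
    ("199641", "Brynmill", 664),   # student
    ("staff01", "Swansea", 662),   # staff (constructed)
    ("badguy", "Swansea", 661),    # banned (constructed)
]

# Constructed stand-in for the AD domains behind IAS (Swansea) and IAS (Brynmill).
SAMPLE_DIRECTORIES = {
    "Brynmill": {"199641": "correct horse"},
    "Swansea": {"staff01": "battery staple", "badguy": "hunter2"},
}


def open_suwnac(rows=SAMPLE_USERS):
    """Create the stand-in SUWNAC database with users and accounting tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "proxyto TEXT NOT NULL, vlan INTEGER NOT NULL)")
    db.execute("CREATE TABLE accounting (username TEXT, vlan INTEGER, "
               "ts TEXT, ap TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    db.commit()
    return db


def lookup_proxyto(db, username):
    """Step 2: which IAS should authenticate this user? None if unknown."""
    row = db.execute("SELECT proxyto FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def authenticate(directories, proxyto, username, password):
    """Steps 3-4: stand-in for the proxied MSCHAPv2 check against AD."""
    stored = directories.get(proxyto, {}).get(username)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def lookup_vlan(db, username):
    """Step 5: VLAN the user is to be placed on."""
    row = db.execute("SELECT vlan FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def record_accounting(db, username, vlan, ap, ts=None):
    """Step 6: store the (username, VLAN, date, AP) accounting row."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    db.execute("INSERT INTO accounting VALUES (?, ?, ?, ?)",
               (username, vlan, ts, ap))
    db.commit()


def accounting_rows(db):
    """All accounting rows in insertion order."""
    return db.execute("SELECT username, vlan, ts, ap FROM accounting "
                      "ORDER BY rowid").fetchall()


def vlan_attributes(vlan):
    """Step 7: attributes in the Access-Accept that make the AP tag the client."""
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6,
            TUNNEL_PRIVATE_GROUP_ID: str(vlan)}


def authorise(db, directories, username, password, ap):
    """Run the whole slide-4.3 sequence for one EAP request.

    Returns ("Access-Accept", attributes) or ("Access-Reject", None).
    Banned users are accepted into VLAN 661 rather than rejected, because
    slide 4.2 lists Banned as a VLAN.
    """
    proxyto = lookup_proxyto(db, username)
    if proxyto is None:                      # not in SUWNAC: nowhere to proxy to
        return ("Access-Reject", None)
    if not authenticate(directories, proxyto, username, password):
        return ("Access-Reject", None)
    vlan = lookup_vlan(db, username)
    record_accounting(db, username, vlan, ap)
    return ("Access-Accept", vlan_attributes(vlan))


if __name__ == "__main__":
    suwnac = open_suwnac()
    print(authorise(suwnac, SAMPLE_DIRECTORIES, "199641", "correct horse", "ap-library-1"))
    print(authorise(suwnac, SAMPLE_DIRECTORIES, "199641", "wrong", "ap-library-1"))
    print(accounting_rows(suwnac))
```

Two things worth noticing when running it: a failed password leaves no accounting row, since step 6 only happens after the IAS says the user is OK, and the VLAN lookup is a second query after authentication rather than part of the first, exactly as the slide orders it, so the ProxyTo table and the VLAN table can be maintained independently.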
5.0 802.1X Downfalls
•Supplicant Support
•Hardware Support
•Reactive not Preventative
6.0 Future Plans
•Develop a reactive traffic monitor
•NAC Product Integration (Preventative)
•Possibly integrate into campus wide wired network