
PKI Network Authentication Dartmouth Applications


Presentation Transcript


  1. PKI Network Authentication: Dartmouth Applications
  Robert Brentrup, Educause/Dartmouth PKI Summit, July 27, 2005

  2. Next Phase Applications
  • Hardware Key Storage (USB Tokens)
  • Application and OS Sign-on with Tokens
  • Document Signatures
    • Acrobat, Office, XML (NIH)
  • Secure Mail and List Server
  • Wireless Network Authentication
  • Grids

  3. Network Auth Technologies
  • Wireless and Wired
    • 802.1x/EAP
      • TLS and TTLS
      • or LEAP, PEAP, MS-CHAP etc.
    • WEP, WPA - 802.1x
  • VPN
    • IPSEC standard, using Cisco proprietary
    • Cisco password authentication is vulnerable; use client certificates to be secure

  4. VPN Objectives
  • Secure network connections for distant offices and travellers
    • some from-home use too, local IP address
  • Secure some legacy applications with closed subnets
    • server firewall rejects connections not from private subnet addresses
  • Use PKI "High Assurance" certificate (token if possible) to authenticate
  • Assign IP address from protected space after Radius Authentication/Authorization

  5. VPN Implementation
  • Cisco 3000 VPN concentrators
    • (3000 can only look at OU in DN, so added OU=PrivateGroupVPN to certs)
  • ACL check implemented by Radius server
  • Members of ACL maintained with "AuthAdmin" application
  • Configure protected subnets on concentrator
  • Two redundant Radius servers for reliability
    • running FreeRadius 0.9.2

  6. AuthAdmin
  • Each private VPN subnet intended for members of a specific group
  • Existing examples
    • Human Resources
    • Dean of Students Office
    • International Students Office
    • Student Health Services
  • Individual in the group authorized to maintain group membership, add and delete
  • Group membership stored in LDAP directory
  • Web interface for group admin
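The two-stage VPN authorization on slides 5 and 6 (concentrator checks the OU in the certificate DN, Radius checks group membership against the LDAP-maintained ACL, then an address from the group's protected subnet is assigned) is illustrated below. This is an added example, not Dartmouth's AuthAdmin or Radius code: the group store, subnet ranges and certificate subjects are constructed stand-ins, and the function names are hypothetical.

```python
"""Certificate-based VPN authorization as described on slides 5 and 6 (added example)."""
import ipaddress

# Constructed stand-in for the LDAP group entries maintained through AuthAdmin.
# Keys are group names; values are member identities taken from the certificate CN.
LDAP_GROUPS = {
    "HumanResources": {"Alice Example", "Bob Example"},
    "StudentHealth": {"Carol Example"},
}

# Each private subnet is intended for exactly one group (constructed address space).
PROTECTED_SUBNETS = {
    "HumanResources": ipaddress.ip_network("10.10.1.0/24"),
    "StudentHealth": ipaddress.ip_network("10.10.2.0/24"),
}

# The concentrator can only inspect OU, so every VPN-eligible certificate carries this OU.
REQUIRED_OU = "PrivateGroupVPN"


def parse_dn(dn):
    """Split 'CN=..., OU=..., O=...' into (attribute, value) pairs.

    A list (not a dict) is returned so that repeated attributes such as two OUs survive.
    """
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def authorize_vpn(subject_dn, requested_group, issued=None):
    """Return ('Access-Accept', reply attributes) or ('Access-Reject', reason).

    issued: set of addresses already handed out from the protected pool (constructed state).
    """
    issued = set() if issued is None else issued
    rdns = parse_dn(subject_dn)
    ous = {value for attr, value in rdns if attr == "OU"}
    cns = [value for attr, value in rdns if attr == "CN"]

    # Stage 1, what the concentrator itself can enforce: the marker OU must be present.
    if REQUIRED_OU not in ous:
        return ("Access-Reject", "certificate lacks OU=PrivateGroupVPN")
    if len(cns) != 1:
        return ("Access-Reject", "certificate must carry exactly one CN")
    user = cns[0]

    # Stage 2, the Radius-side ACL: the user must be a member of the group's LDAP entry.
    members = LDAP_GROUPS.get(requested_group)
    if members is None:
        return ("Access-Reject", f"unknown group {requested_group}")
    if user not in members:
        return ("Access-Reject", f"{user} is not a member of {requested_group}")

    # Stage 3: assign the next free address from that group's protected subnet, so the
    # application server's firewall (which only admits private-subnet sources) lets it in.
    subnet = PROTECTED_SUBNETS[requested_group]
    for host in subnet.hosts():
        if str(host) not in issued:
            return ("Access-Accept", {
                "Framed-IP-Address": str(host),
                "Framed-IP-Netmask": str(subnet.netmask),
            })
    return ("Access-Reject", f"protected subnet for {requested_group} is exhausted")


if __name__ == "__main__":
    print(authorize_vpn("CN=Alice Example, OU=PrivateGroupVPN, O=Dartmouth", "HumanResources"))
    print(authorize_vpn("CN=Alice Example, O=Dartmouth", "HumanResources"))
```

The separation matters for the reason given on slide 5: the concentrator's DN check is coarse (any certificate with the marker OU passes it), so the per-group decision has to live in the Radius server, where the ACL can be kept current by the group's own administrator.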

  7. AuthAdmin UI • (screen shot)

  8. Network Authentication Objectives
  • Implement additional protection for campus network services
  • Limit outside use of network
  • Protect campus users from malicious behavior of others
  • Eliminate possible eavesdropping

  9. Network Authentication Implementation
  • Deploy 802.1x/EAP-TLS on APs and switches
  • Traffic is encrypted between user and AP/switch
  • Clients are authenticated with PKI certificates
    • in our case locally issued
  • No passwords are exchanged (no credentials to steal)

  10. EAP-TLS Implementation
  • Configure Radius
    • AP clients, users, EAP-TLS module
  • Certificate for Radius server
  • Provide Root certificates of trusted CAs to EAP-TLS module
    • Dartmouth self-signed certificates automatically accepted
  • Tested APs from Cisco and Aruba

  11. Client Software
  • Supplicants built into Win 2000 SP4, XP SP1-2, MacOS 10.3+
    • other supplicants available for these platforms
  • Supplicants available for Linux, Win98 and MacOS 9 (some from vendors)

  12. Issues
  • Windows:
    • no password on keys
    • no luck with tokens yet
    • set advanced options for server certificate validation
    • certificates with UID in DN fail
    • Win XP SP1 had some issues with SSID and cert selection, improved in SP2
  • Mac KeyChain: early versions confused by more than one key with same "name"

  13. Greenpass Objectives
  • System developed to support Guest Authorization in an 802.1x EAP-TLS environment
  • Also useful for insiders that forgot their token
  • User only needs an 802.1x-capable machine and web browser, no additional software
  • Guest introduces public key to Greenpass Authorization System
  • Host signs authorization for guest access using SPKI certificate delegation features
  • Guest then has access to controlled internal network until time limit expires

  14. Greenpass Implementation
  • Use router, AP and switch capable of VLANs to create limited-use network
  • Recently implemented automatic VLAN switching by Radius
    • Modifications to FreeRadius needed
  • Greenpass servers run on Linux
  • Delegation tool is written in Java
  • Available as Open Source
    • www.dartmouth.edu/~pkilab/greenpass
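The Greenpass flow on slides 13 and 14 (guest introduces a public key, an authorized host signs a time-limited delegation for that key, Radius then switches the port to the internal VLAN or leaves it on the limited guest network) is shown as an added example below. It is not the Greenpass code (which is Java and available at the URL on slide 14): the delegator list, VLAN numbers and key bytes are constructed, and an HMAC tag is used as a stand-in for the SPKI public-key signature so the block runs with the standard library only.

```python
"""Greenpass-style guest delegation check and VLAN reply (added example, not Greenpass itself)."""
import hashlib
import hmac

# Constructed: principals the network already trusts to delegate guest access, keyed by a
# label. The "secret" stands in for the delegator's private key; a real SPKI deployment
# verifies a public-key signature instead of an HMAC.
DELEGATORS = {
    "host-alice": b"constructed-signing-secret-for-alice",
}

GUEST_VLAN = "200"     # constructed: the limited-use network built from VLAN-capable gear
INTERNAL_VLAN = "100"  # constructed: the controlled internal network


def key_fingerprint(public_key_bytes):
    """Fingerprint of the guest's public key, the value shown at the 'Guest Fingerprint' step."""
    return hashlib.sha256(public_key_bytes).hexdigest()[:32]


def _delegation_bytes(issuer, subject_fp, not_after):
    # Canonical byte string covered by the signature; every field the verifier relies on is in it.
    return f"issuer={issuer};subject={subject_fp};not_after={not_after}".encode()


def issue_delegation(issuer, issuer_secret, subject_fp, not_after):
    """What the delegation tool produces: 'subject_fp may use the internal network until not_after'."""
    tag = hmac.new(issuer_secret, _delegation_bytes(issuer, subject_fp, not_after),
                   hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject_fp, "not_after": not_after, "sig": tag}


def verify_delegation(delegation, presented_key, now):
    """Return (ok, reason): issuer must be authorized, key must match, delegation must be
    unexpired, and the signature must cover exactly the fields being trusted."""
    secret = DELEGATORS.get(delegation["issuer"])
    if secret is None:
        return False, "issuer is not an authorized delegator"
    if delegation["subject"] != key_fingerprint(presented_key):
        return False, "delegation is for a different key"
    if now >= delegation["not_after"]:
        return False, "delegation expired"
    expected = hmac.new(secret, _delegation_bytes(delegation["issuer"], delegation["subject"],
                                                  delegation["not_after"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, delegation["sig"]):
        return False, "bad signature"
    return True, "ok"


def radius_vlan_reply(delegation, presented_key, now):
    """Reply attributes for automatic VLAN switching (RFC 3580 tunnel attributes).

    The guest's EAP-TLS certificate is self-signed, so the decision rests entirely on the
    delegation bound to the key that certificate carried, never on the certificate's issuer.
    """
    if delegation is None:
        ok, reason = False, "no delegation presented"
    else:
        ok, reason = verify_delegation(delegation, presented_key, now)
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": INTERNAL_VLAN if ok else GUEST_VLAN,
        "reason": reason,
    }


if __name__ == "__main__":
    guest_key = b"constructed guest public key bytes"
    d = issue_delegation("host-alice", DELEGATORS["host-alice"], key_fingerprint(guest_key), 1_000_000)
    print(radius_vlan_reply(d, guest_key, now=999_000))
    print(radius_vlan_reply(d, guest_key, now=1_000_000))
```

Two details carry the security of the scheme: the delegation is bound to the guest's key fingerprint rather than to a name (so an unrelated key presented over 802.1x gains nothing from it), and the expiry field is inside the signed bytes, so a guest cannot extend the time limit without invalidating the host's signature.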

  15. Guest Unauthorized

  16. Guest Introduction

  17. Guest Fingerprint

  18. Authorized Delegator

  19. Select Guest

  20. Guest Lookup

  21. Delegation Tool

  22. Delegation Complete

  23. Guest Authorized

  24. Authorized User
