1 / 11

802.1X

802.1X. Terry Simons Formerly of The University of Utah. University of Utah Background . 28,000+ student campus EAP-TTLS 802.1X movement was “grass roots” Proof of concept Wireless Whitepaper RADIUS “Mesh” (More of a star topology) “Give to get” mentality

Télécharger la présentation

802.1X

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 802.1X Terry Simons Formerly of The University of Utah

  2. University of Utah Background • 28,000+ student campus • EAP-TTLS • 802.1X movement was “grass roots” • Proof of concept • Wireless Whitepaper • RADIUS “Mesh” (More of a star topology) • “Give to get” mentality • Initial Deployment on May 19, 2003 • Campus Radiator Site License • Initial Campus Meetinghouse Site License • Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003 • Now prefer SecureW2 TTLS WZC Plugin • Chris Hessing is lead developer of Open1x

  3. 802.1X Problem Areas • Certificate Validation • Windows Zero Config/GINA • The Supplicant Debacle • EAP Type Selection • Encryption

  4. Certificate Validation • No real CRL Support • Deployment Difficulty • Mitigated in part by “smart installers” • Mac OS X is too “easy to use” • I am a Mac user. :-} • Man in the Middle Attacks • Public Certificate Authorities • Mac OS X becomes vulnerable

  5. Windows Zero Config/GINA • Users expect it, especially in higher ed. • AEGIS and Funk take over WZC/GINA • Users complain loudly • Helpdesk gets swamped • GINA: “What did you do to my computer?!” • Not so bad with current Meetinghouse releases • Migration to SecureW2 fixed both issues.

  6. The Supplicant Debacle • Vendors bundle OEM’d Supplicants • Which quite often do not work properly • IBM Thinkpad/Intel Centrino TTLS Problems • Usually based on Meetinghouse • Same crunchy WZC problems • Same bad aftertaste • Most setup programs are self-extractable • Use a zip utility to extract only the driver

  7. EAP Type Selection • TLS, TTLS, or PEAP • Provisions for keying material • TLS if an existing PKI is in place • Arguably the “most secure” EAP type • TTLS for “strongly encrypted” backends • U of U uses Kerberos • PEAP for Active Directory shops

  8. Encryption • CCMP is the “best” security currently • Doesn’t work with Mac OS X • TKIP is the next best thing. • Watch out for “mixed mode” problems • TKIP “Unicast” and WEP “Multicast” keys • Specifically a problem with Mac OS X • Apple is aware of the problem. • Dynamic WEP for “Legacy” devices • Or use multiple SSIDs and run parallel security models.

  9. Ending Comments • It’s possible to allow multiple EAP types • Works well in Federated environments • Vendor skepticism is encouraged • Helpdesk Feedback Loop

  10. Q&A

  11. Resources • http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf • http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf • http://www.open1x.org/ • http://www.open.com.au/radiator/ • http://www.securew2.com/

More Related