802.1X
Terry Simons, formerly of The University of Utah
University of Utah Background
• 28,000+ student campus
• EAP-TTLS
• 802.1X movement was “grass roots”
• Proof of concept
• Wireless Whitepaper
• RADIUS “Mesh” (more of a star topology)
• “Give to get” mentality
• Initial deployment on May 19, 2003
• Campus Radiator site license
• Initial campus Meetinghouse site license
• Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003
• Now prefer SecureW2 TTLS WZC plugin
• Chris Hessing is lead developer of Open1x
802.1X Problem Areas
• Certificate validation
• Windows Zero Config/GINA
• The supplicant debacle
• EAP type selection
• Encryption
Certificate Validation
• No real CRL support: supplicants of this generation do not check revocation, so a compromised server certificate stays usable until it expires
• Deployment difficulty: the CA certificate and the expected server name have to reach every client before it connects
• Mitigated in part by “smart installers” that drop in the CA certificate and pre-configure the supplicant
• Mac OS X is too “easy to use”: joining the network is a click or two, and nothing forces the user to check the server certificate
• I am a Mac user. :-}
• Man in the middle attacks: a rogue AP with its own RADIUS server presents a certificate of its choosing; a client that does not check who signed it and which name it carries completes the TLS tunnel and hands over the inner password
• Public certificate authorities: a supplicant that trusts every public CA root accepts any certificate an attacker can buy from one of them
• Mac OS X becomes vulnerable, because its supplicant trusts the public CA roots as a whole rather than the one campus CA
Windows Zero Config/GINA
• Users expect it, especially in higher ed.
• AEGIS (Meetinghouse) and Funk Odyssey take over WZC and the GINA login
• Users complain loudly
• Helpdesk gets swamped
• GINA: “What did you do to my computer?!”
• Not so bad with current Meetinghouse releases
• Migration to SecureW2 (a TTLS plug-in for WZC rather than a replacement supplicant) fixed both issues.
The Supplicant Debacle
• Vendors bundle OEM’d supplicants
• Which quite often do not work properly
• IBM ThinkPad/Intel Centrino TTLS problems
• Usually based on Meetinghouse
• Same crunchy WZC problems
• Same bad aftertaste
• Most setup programs are self-extracting archives
• Use a zip utility to extract only the driver and leave the bundled supplicant out
EAP Type Selection
• TLS, TTLS, or PEAP
• All three run a TLS handshake with the RADIUS server and derive the keying material for the wireless link from it
• TLS if an existing PKI is in place: every client needs its own certificate
• Arguably the “most secure” EAP type, since no password is ever sent
• TTLS for “strongly encrypted” backends: the inner method (PAP) carries the password inside the TLS tunnel, so the RADIUS server can check it against any backend that can verify a password
• U of U uses Kerberos
• PEAP for Active Directory shops: its inner method is MSCHAPv2, which needs the NT password hash that AD holds
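The certificate-validation and EAP-type points above, as a wpa_supplicant configuration. This is an added example and not configuration from the talk, from Open1x or from SecureW2; the SSIDs, CA path, RADIUS server name and credentials are placeholders, and `domain_suffix_match` assumes wpa_supplicant 2.x (older releases have `subject_match` instead).

```conf
# wpa_supplicant.conf: added example, not from the original slides.
# SSIDs, CA-bundle path, server name and credentials are placeholders.

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1

# WEAK: no ca_cert and no server-name check. The supplicant accepts any
# certificate the "RADIUS server" presents, so a rogue AP with a certificate
# from any public CA (or a self-signed one) receives the PAP password.
network={
    ssid="Campus-Example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    password="replace-me"
    phase2="auth=PAP"
    priority=1
    disabled=1          # kept only to show the misconfiguration
}

# HARDENED TTLS/PAP (password checked by RADIUS against a Kerberos backend):
# trust only the campus CA and require the server certificate's name to match.
network={
    ssid="Campus-Example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"  # outer identity stays private
    password="replace-me"
    ca_cert="/etc/ssl/certs/campus-ca.pem"      # this CA only, not the public store
    domain_suffix_match="radius.example.edu"    # server cert name must match
    phase2="auth=PAP"   # cleartext inside TLS, so RADIUS can verify against Kerberos
    priority=10
}

# HARDENED PEAP/MSCHAPv2 (Active Directory backend): same certificate checks.
network={
    ssid="Campus-AD-Example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    anonymous_identity="anonymous"
    password="replace-me"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
    priority=5
}
```

With `ca_cert` and `domain_suffix_match` set, a certificate from another CA or for another name fails the outer TLS handshake before the inner PAP or MSCHAPv2 exchange starts, so the password never leaves the client. Restricting trust to the single campus CA, rather than the operating system's whole public root store, is what closes the “any public CA” hole the Certificate Validation slide describes.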
Encryption
• CCMP (AES) is the “best” security currently
• Doesn’t work with Mac OS X (as of this talk)
• TKIP is the next best thing.
• Watch out for “mixed mode” problems
• TKIP “unicast” and WEP “multicast” keys: a WPA network that still serves WEP clients has to hand out a WEP group key for broadcast and multicast traffic, while unicast traffic uses TKIP
• Specifically a problem with Mac OS X
• Apple is aware of the problem.
• Dynamic WEP for “legacy” devices: 802.1X still delivers per-session, periodically rotated keys, but the cipher is still WEP
• Or use multiple SSIDs and run parallel security models.
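The “multiple SSIDs, parallel security models” option above, as a hostapd configuration with one CCMP-only SSID and one dynamic-WEP SSID on the same radio. This is an added example, not configuration from the talk or the University of Utah deployment; interface names, SSIDs, channel and RADIUS details are placeholders, and the WEP section assumes a hostapd built with WEP support (recent releases need `CONFIG_WEP=y` at build time, and some drivers have dropped WEP entirely).

```conf
# hostapd.conf: added example, not from the original slides.
# Interface names, SSIDs, channel and RADIUS details are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Primary SSID: 802.1X with WPA2/CCMP only. No TKIP and no WEP group key on
# this BSS, so the "TKIP unicast / WEP multicast" mixed-mode case cannot arise.
ssid=Campus-Secure-Example
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-me
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
wpa_group_rekey=600

# Second SSID on the same radio: dynamic WEP for legacy 802.1X-only clients.
# Same RADIUS backend and user database, separate security model.
bss=wlan0_1
ssid=Campus-Legacy-Example
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-me
wep_key_len_broadcast=13
wep_key_len_unicast=13
wep_rekey_period=300
```

The alternative of a single SSID with `wpa=3` and `wpa_pairwise=TKIP CCMP` lets CCMP-capable clients negotiate CCMP for unicast, but the group cipher drops to the weakest pairwise cipher any associated client supports, so every client's broadcast and multicast traffic is protected only by TKIP. Keeping the legacy clients on their own BSS is what keeps the weak cipher away from the clients that do not need it.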
Ending Comments
• It’s possible to allow multiple EAP types
• Works well in federated environments
• Vendor skepticism is encouraged
• Helpdesk feedback loop
Resources
• http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf
• http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf
• http://www.open1x.org/
• http://www.open.com.au/radiator/
• http://www.securew2.com/