Page 1: Iuwne10 S04 L04

© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—4-1

WLAN Security

Describing EAP Authentications

Symmetric Keys

Asymmetric Keys

Digital Signature

Trusted Third Party

Certificates

PKI

John Bartenhagen
Q2Dev: In labels for arrows, "signature" and "verification" (twice) should be capitalized. -EDIT.

EAP-TLS

Client support:
− Windows 2000, XP, Vista and Windows CE (natively supported)
− Linux, Mac AirPort Extreme
− Each client requires a user certificate

Infrastructure requirements:
− EAP-TLS-supported RADIUS server
− RADIUS server requires a server certificate
− Certificate Authority server (PKI infrastructure)

Certificate management:
− Both client and RADIUS server certificates must be managed

EAP-TLS (Cont.)

John Bartenhagen
Q2Dev: In text block at the end of the top arrow ("AP Blocks all Requests..."), both "all" and "until" should be capitalized. In text at bottom right, "used" should be capitalized. -EDIT.

EAP-FAST

Considered in three phases:
− Protected Access Credential (PAC) is generated in phase zero (dynamic PAC provisioning)
  − Unique shared credential used to mutually authenticate client and server
  − Associated with a specific user ID and an Authority ID
  − Removes the need for PKI
− A secure tunnel is established in phase one
− Client is authenticated via the secure tunnel in phase two

PAC Creation

PAC consists of:
− PAC-Key
− PAC-Opaque
− PAC-Info

Server generates a PAC-Key, PAC-Opaque and PAC-Info.

The PAC-Opaque contains:
− PAC-Key
− Client user identity (I-ID)
− Key lifetime

PAC-Opaque is encrypted with the Master-Key.

PAC-Info contains the Authority Identity (A-ID).

John Bartenhagen
Q2Dev: In "Client user identity," the L in client should be lowercase. -EDIT.

PAC Exchange

John Bartenhagen
Q2Dev: In top center text, "it's" should not have an apostrophe. -EDIT.

EAP-FAST Authentication

John Bartenhagen
Q2Dev: In text block at the end of the top arrow ("AP Blocks all Requests..."), both "all" and "until" should be capitalized. In blue text blocks, "Server Side" and "Client Side" should be hyphenated. At bottom right, "WPA or CCKM Key Management used" should be "WPA or Cisco Centralized Key Management Used". -EDIT.

PEAP

Hybrid authentication method:
− Server-side authentication with TLS
− Client-side authentication with EAP authentication types: EAP-GTC, EAP-MSCHAPv2

Clients do not require certificates.

RADIUS server requires a server certificate:
− RADIUS server self-issuing certificate capability
− Purchase a server certificate per server from a public PKI entity
− Set up a simple PKI server to issue server certificates

Allows one-way authentication types to be used:
− One-time passwords
− Proxy to LDAP, Unix, Microsoft NT and Active Directory, Kerberos

PEAP Authentication

John Bartenhagen
Q2Dev: In text block at the end of the top arrow ("AP Blocks all Requests..."), both "all" and "until" should be capitalized. In blue text blocks, "Server Side" and "Client Side" should be hyphenated. In text at bottom right, "used" should be capitalized. -EDIT.

LEAP

− Cisco WLAN security solution
− User authentication via user ID and password
− Single login using Windows NT/2000 Active Directory
− Dynamic WEP keys and mutual authentication
  − Key integrity protocol/message integrity recommended
− Simplified deployment and administration
− Supports multiple operating systems
  − Windows, Mac OS, Windows CE, DOS, and Linux
− Strong password policy recommended

LEAP Authentication

John Bartenhagen
Q2Dev: In top right callout, "Point" should be lowercase. -EDIT.

Summary

Certificates are public keys; they allow both authentication and encryption.

EAP-TLS is an authentication mechanism built upon certificate exchange.

EAP-FAST aims at providing the same level of security without certificates.

PEAP requires a certificate on the server but not on the client. There are many other EAP types, such as Cisco LEAP.
