Introduction
Adam Worthington – Network Consultant
Wireless LAN – Why?
Flexible network access for your users?
Guest internet access?
VoWIP?
Available Wireless LAN Technologies
802.11b
First widely adopted commercially available 802.11 wireless technology
Data rates up to 11 Mbps
Operates in the 2.4 GHz waveband
3 non-overlapping channels
802.11g
Backward compatible with 802.11b
Data rates up to 54Mbps
Operates in the 2.4 GHz waveband
3 non-overlapping channels
802.11a
Least adopted of the three standards in the UK
Data rates up to 54 Mbps
Operates in the cleaner 5 GHz waveband
8 non-overlapping channels
Worst signal propagation
802.11: Emerging Standards
802.11e - Enhancements: QoS, including packet bursting
WLAN Solution: What Should It Provide
A Wireless LAN Solution Should:
Authenticate devices/users
Encrypt data
Ensure data integrity
Allow guest access
Plan and manage RF coverage
Detect ad hoc or rogue users
Identify rogue APs
Protect against and locate the source of DoS and man-in-the-middle attacks
Different Wireless Solution Types
Standalone (FAT) AP
Appliance/VPN Solution
Standalone AP
Cisco, 3Com, Proxim
Good, Flexible Feature Set
Highest Management Overhead
Worst physical security
Requires additional management
Appliance/VPN Solution
Vernier/HP, Cisco
Central security management
Excellent IP layer security
Good physical security
Limited support for Broadcast/Multicast/non-IP
No concept of RF. Channel, power and layer 2 security must be managed on the AP, possibly
Wireless LAN Switch/Controller Solution
Cisco, Trapeze/3Com, Aruba
Central security and RF management
Excellent wireless security
Good physical security
Best RF control, e.g. dynamic power and channel allocation
Support for advanced wireless technologies, e.g. RFID
WLAN Security: Levels of Protection
Authentication
Data Origin Protection
Data Integrity Protection
Confidentiality
802.11i: Security For The Air
IEEE 802.11i (WPA2) defines a new type of wireless network called a robust security network (RSN).
Strong authentication: 802.1x
802.1x Authentication
Supplicant
Authenticator
802.1x and EAP
Originally defined for use with PPP
Truly extensible, does not force users into certain types of
802.1x: Initial Connection
Client
AP
Client scans the air looking for a network
Client joins one of the networks and performs open-system authentication
Client sends association request
Access Point sends client association ID
Start 802.1x authentication (EAP over LAN, Start)
Access Point queries “who are you?”
EAP: Which Type?
EAP-TLS
PEAP/MS-CHAPv2
EAP-TTLS
PEAP Stage 1: TLS Handshake
(Diagram participants: Client, AP, RADIUS Server)
Client: Hi I’m Adam, here’s my Network Access Identity (NAI, includes my username, my random number and a list of cryptographic algorithms I support).
AP forwards RADIUS Access Request with NAI
RADIUS Server: Okay, here’s my random number. I’ve looked at your list and we’ll use 128-bit RC4 encryption and MD5 message integrity checking. I’ll also send you my certificate.
Client: Okay, I’ve checked your certificate and you’re authenticated. Now I’ll generate and send you the pre-master secret encrypted with your public key. With this we can each derive keying material to be used to encrypt this TLS session.
RADIUS Server: Got it. I’ll decrypt the pre-master secret with my private key. I’ll derive the keying material. It’s the same as your keying material. Now we can bidirectionally encrypt and integrity check the session.
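The key-derivation step behind the last two messages above, as an added example that is not from the slides or from any vendor's code: both sides feed the pre-master secret and the two exchanged random numbers into the TLS PRF and arrive at the same master secret and per-direction keys. The PRF shown is the TLS 1.2 one from RFC 5246 (P_SHA256), chosen so the block runs on a stock Python install; the 2005-era deployment the slides describe would have used the TLS 1.0 MD5/SHA-1 PRF, but the derivation structure is the same. The RSA encryption of the pre-master secret under the server's certificate is not modelled (the secret is handed over directly), and the key sizes are those of the slide's negotiated suite, 128-bit RC4 with MD5 integrity. The function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Key sizes for the suite the slide negotiates (128-bit RC4, MD5 integrity):
# a 16-byte MAC key and a 16-byte cipher key per direction, no IV.
MAC_KEY_LEN = 16
ENC_KEY_LEN = 16
KEY_BLOCK_LEN = 2 * (MAC_KEY_LEN + ENC_KEY_LEN)   # 64 bytes


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5): chained HMACs until enough bytes."""
    out = b""
    a = hmac.new(secret, seed, hashlib.sha256).digest()          # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()         # A(i+1)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master_secret: bytes, client_random: bytes,
                server_random: bytes) -> dict:
    """What each party computes once it holds the pre-master secret and both randoms."""
    master_secret = tls12_prf(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    # Key expansion uses the randoms in the opposite order (RFC 5246 section 6.3).
    key_block = tls12_prf(master_secret, b"key expansion",
                          server_random + client_random, KEY_BLOCK_LEN)
    return {
        "master_secret": master_secret,
        "client_write_mac_key": key_block[0:16],
        "server_write_mac_key": key_block[16:32],
        "client_write_key": key_block[32:48],
        "server_write_key": key_block[48:64],
    }


def simulate_stage1() -> dict:
    """Walk the slide's exchange and return what each party ends up holding."""
    # ClientHello carries the client random (real TLS: 4-byte time + 28 random bytes).
    client_random = os.urandom(32)
    # ServerHello carries the server random; the certificate is not modelled here.
    server_random = os.urandom(32)
    # ClientKeyExchange: 48-byte pre-master secret (2-byte version + 46 random bytes).
    # In real TLS it travels RSA-encrypted under the server certificate's public key,
    # after the client has validated that certificate; here it is handed over directly.
    pre_master_secret = b"\x03\x03" + os.urandom(46)
    client_keys = derive_keys(pre_master_secret, client_random, server_random)
    server_keys = derive_keys(pre_master_secret, client_random, server_random)
    # Anyone who only saw the two randoms on the air has to guess the pre-master
    # secret; a guess yields unrelated keying material.
    guessed = derive_keys(b"\x03\x03" + os.urandom(46), client_random, server_random)
    return {"client": client_keys, "server": server_keys, "without_secret": guessed}


if __name__ == "__main__":
    r = simulate_stage1()
    print("client and server keys agree:", r["client"] == r["server"])
    print("keys derivable without the pre-master secret:",
          r["without_secret"] == r["client"])
```

The reversed random order in the key-expansion seed is a detail implementations get wrong when hand-rolling this; both ends must use the same order or they derive different key blocks and the first encrypted record fails its integrity check.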
PEAP Stage 2: MS-CHAPv2 Authentication
(Diagram participants: Client, AP, RADIUS Server)
RADIUS Server: Who are you?
Client: I’ve told you once… I’m Adam.
RADIUS Server: Okay, I’m RADIUS1. We’ll use MS-CHAPv2 for authentication, here’s a challenge for you.
Client: Okay, I’ll use my password and a hash function to create a response to your challenge. I’ve also got a challenge for you.
RADIUS Server: I’m happy with your response to my challenge, here’s a response to your challenge.
Client: I’m happy with your response to my challenge, AP, let’s talk.
RADIUS server sends the access point a RADIUS Accept message including any configured authorisation attributes (VLAN ID etc.)
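The mutual challenge/response flow of stage 2, as an added example that is not from the slides or from any RADIUS product: the server challenges the client, the client answers with a password-derived response and its own challenge, and the server must answer that before the client accepts the AP. The cryptography is deliberately substituted: real MS-CHAPv2 (RFC 2759) builds the NT hash with MD4 and the responses with DES, which a stock Python install cannot run, so this block uses SHA-256 and HMAC-SHA256 in the same places. It therefore reproduces the message flow and the checks each side performs, not a wire-compatible implementation. USER_DB, RadiusServer and supplicant_login are names invented for this example; the credentials are constructed.

```python
import hashlib
import hmac
import os

# Constructed demo credential store. A real MS-CHAPv2 server keeps the NT hash,
# which is password-equivalent, so it is treated here with the same care.
USER_DB = {"adam": "correct-horse-battery"}


def password_key(password: str) -> bytes:
    # Stand-in for the NT password hash (RFC 2759: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # Binds both challenges and the identity together, as RFC 2759's ChallengeHash does.
    return hashlib.sha256(peer_challenge + auth_challenge + username.encode()).digest()


def peer_response(key: bytes, peer_challenge: bytes, auth_challenge: bytes,
                  username: str) -> bytes:
    # The client's proof of the password against the server's challenge.
    msg = b"peer-response" + challenge_hash(peer_challenge, auth_challenge, username)
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticator_response(key: bytes, peer_challenge: bytes, auth_challenge: bytes,
                           username: str, peer_resp: bytes) -> bytes:
    # The server's proof of the password against the client's challenge; it also
    # covers the client's response, so it is tied to this exchange only.
    msg = (b"authenticator-response"
           + challenge_hash(peer_challenge, auth_challenge, username) + peer_resp)
    return hmac.new(key, msg, hashlib.sha256).digest()


class RadiusServer:
    """RADIUS1 in the slide: issues challenges and checks responses."""

    def __init__(self, user_db: dict):
        self.keys = {u: password_key(p) for u, p in user_db.items()}
        self.pending = {}          # outstanding challenge per username

    def challenge(self, username: str) -> bytes:
        c = os.urandom(16)
        self.pending[username] = c
        return c

    def check_response(self, username: str, peer_challenge: bytes, peer_resp: bytes):
        """Return the authenticator response (sent with Access-Accept), or None for Access-Reject."""
        auth_challenge = self.pending.pop(username, None)
        key = self.keys.get(username)
        if auth_challenge is None or key is None:
            return None
        expected = peer_response(key, peer_challenge, auth_challenge, username)
        if not hmac.compare_digest(expected, peer_resp):
            return None
        return authenticator_response(key, peer_challenge, auth_challenge, username, peer_resp)


def supplicant_login(server: RadiusServer, username: str, password: str):
    """Client side of the exchange. Returns (accepted_by_server, server_proved_itself)."""
    key = password_key(password)
    auth_challenge = server.challenge(username)        # "here's a challenge for you"
    peer_challenge = os.urandom(16)                     # "I've also got a challenge for you"
    resp = peer_response(key, peer_challenge, auth_challenge, username)
    auth_resp = server.check_response(username, peer_challenge, resp)
    if auth_resp is None:
        return False, False
    # The client checks the server's answer before it trusts the AP ("let's talk").
    expected = authenticator_response(key, peer_challenge, auth_challenge, username, resp)
    return True, hmac.compare_digest(expected, auth_resp)


if __name__ == "__main__":
    srv = RadiusServer(USER_DB)
    print("correct password:", supplicant_login(srv, "adam", "correct-horse-battery"))
    print("wrong password:", supplicant_login(srv, "adam", "guess"))
```

In PEAP these messages travel inside the stage-1 TLS tunnel, so neither challenge nor response is visible on the air; the second element of the returned pair is what stops a client from completing the exchange with a server that holds the wrong credential.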