20050215-8021x-Simons

Download Report

Transcript 20050215-8021x-Simons 

802.1X
Terry Simons
Formerly of The University of Utah
University of Utah Background
• 28,000+ student campus
• EAP-TTLS
• 802.1X movement was “grass roots”
– Proof of concept
– Wireless Whitepaper
• RADIUS “Mesh” (More of a star topology)
– “Give to get” mentality
• Initial Deployment on May 19, 2003
• Campus Radiator Site License
• Initial Campus Meetinghouse Site License
– Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003
• Now prefer SecureW2 TTLS WZC Plugin
• Chris Hessing is lead developer of Open1x
802.1X Problem Areas
•
•
•
•
•
Certificate Validation
Windows Zero Config/GINA
The Supplicant Debacle
EAP Type Selection
Encryption
Certificate Validation
• No real CRL Support
• Deployment Difficulty
– Mitigated in part by “smart installers”
• Mac OS X is too “easy to use”
– I am a Mac user. :-}
• Man in the Middle Attacks
• Public Certificate Authorities
– Mac OS X becomes vulnerable
Windows Zero Config/GINA
• Users expect it, especially in higher ed.
• AEGIS and Funk take over WZC/GINA
– Users complain loudly
• Helpdesk gets swamped
– GINA: “What did you do to my computer?!”
• Not so bad with current Meetinghouse releases
• Migration to SecureW2 fixed both issues.
The Supplicant Debacle
• Vendors bundle OEM’d Supplicants
– Which quite often do not work properly
• IBM Thinkpad/Intel Centrino TTLS Problems
– Usually based on Meetinghouse
– Same crunchy WZC problems
– Same bad aftertaste
• Most setup programs are self-extractable
– Use a zip utility to extract only the driver
EAP Type Selection
• TLS, TTLS, or PEAP
– Provisions for keying material
• TLS if an existing PKI is in place
– Arguably the “most secure” EAP type
• TTLS for “strongly encrypted” backends
– U of U uses Kerberos
• PEAP for Active Directory shops
Encryption
• CCMP is the “best” security currently
– Doesn’t work with Mac OS X
• TKIP is the next best thing.
– Watch out for “mixed mode” problems
• TKIP “Unicast” and WEP “Multicast” keys
• Specifically a problem with Mac OS X
– Apple is aware of the problem.
• Dynamic WEP for “Legacy” devices
• Or use multiple SSIDs and run parallel security
models.
Ending Comments
• It’s possible to allow multiple EAP types
– Works well in Federated environments
• Vendor skepticism is encouraged
• Helpdesk Feedback Loop
Q&A
Resources
•
•
•
•
•
http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf
http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf
http://www.open1x.org/
http://www.open.com.au/radiator/
http://www.securew2.com/