Here in PPTX - Gareth Ayres . com
Download
Report
Transcript Here in PPTX - Gareth Ayres . com
www.swan.ac.uk/lis
Wireless Authentication & 802.1X
By Gareth Ayres
www.swan.ac.uk/lis
Agenda
1.0 Swansea’s Current Wireless System
2.0 Requirements of new 802.1X System
3.0 Overview of new 801.1X Technologies
4.0 Design of New 802.1X Wireless System
5.0 802.1X Downfall's (So far)
6.0 Future Plans
www.swan.ac.uk/lis
1.0 The Current Wireless System
•Home made Wireless solution comprising of:
– 700 Cisco Aironet AP’s
– 12 Cisco WDS & 1 WLSE
– 10 RoamNodes
– 1 DNAC (Dirty Network Access Controller)
– Radius & IAS
www.swan.ac.uk/lis
1.0 The Current Wireless System
RoamNode Servers
Campus
RADIUS
Student Village
Halls
Wireless Network
DNAC
PROXY
TO THE INTERNET
Campus Firewall
1.1 RoamNodes
•Developed by Bristol University
•250 users per RoamNode
•Works by:
– First establishes a PPPoE connection
– Then creates a PPTP VPN tunnel and gets a internet ip
address
www.swan.ac.uk/lis
1.2 RoamNode Tunnel
RoamNode Tunnel
To Internet
802.11G (192.168.x.x)
PPTP (137.44.190.X)
PPPoE (10.x.x.x)
PC
Access Point
RoamNode
www.swan.ac.uk/lis
1.3 Downfalls of Current System
•
Bottleneck Issues
•
Load Balancing
•
Single point of failure
•
Maximum Capacity
•
Complicated Logging
•
Complicated end user configuration
•
Difficult User Management
www.swan.ac.uk/lis
1.4 Statistics from Current System
24 Hours (Wednesday 16th May)
Weekly (8th May – 16th)
www.swan.ac.uk/lis
1.4 Statistics from Current System
Yearly (2006-2007)
www.swan.ac.uk/lis
2.0 Requirements of New System
• Remove any bottlenecks
• Remove Capacity limits
• Better Logging
• Better Administration facilities
• Easy End User Configuration
• Segregation of Users
• Improved Security
www.swan.ac.uk/lis
3.0 Overview of 802.1X Technolgies
•802.1x
•EAP
•EAPOW
•PEAP - Protected Extensible Authentication Protocol
– Cisco, Microsoft and RSA
– Credentails + Server Cert
– TLS tunnel
– EAP-MSCHAPv2
www.swan.ac.uk/lis
3.0 Overview of 802.1X Technolgies
•WPA - Wi-Fi Protected Access (WPA)
– Replaces WEP technology
– WPA = RC4 Stream cipher and TKIP
– WPA2 = 802.11i = AES based algorithm CCMP
The use of all the above technologies and protocols is widely
referred to as a 802.1X based Wireless System.
www.swan.ac.uk/lis
4.0 Design of 802.1X Wireless System
New and Old system will run together.
Each system will run on a separate SSID:
•UNIROAM - SSID of the current RoamNode system and will
be broadcast and open (no encryption).
•EDUROAM – SSID of the new 802.1x system. It will also be
broadcast but will be encrypted with WPA(1&2).(JRS).
www.swan.ac.uk/lis
4.0 Design of 802.1X Wireless System
RoamNode
Servers
Campus
Student
Village
RADIUS
Wireless Network
Halls
802.1X Firewall/Gateway
RADIUS (802.1X)
DNAC
PROXY
802.1x Traffic Only
SUWNAC (MySQL)
RoamNode Traffic only
Shared Traffic
TO THE
INTERNET
Campus Firewall
4.1 802.1X Tunnel
802.1X Tunnel
To Internet
802.11i (WPA2(AES/TKIP))
MySQL Lookup à
ß’Returns ‘ProxyTo’
802.11g Authentication
Supplicant
AP
PEAP (EAP-TLS,MSChapV2)
802.11g - Wi-Fi Association to Eduroam
EAP – Extensible Authentication Protocol
EAPOW – EAP over Wireless
PEAP – Protected EAP
TLS – Transport Layer Security
MSChapV2 – Microsoft Challenge Handshake version 2
IAS – Microsoft Internet Authentication Service
X.509 – ITU Public Key Certificate
RADIUS (AS)
Check Cert (TLS)
Authenticate User
EAPOW (802.1X)
X.509
Certificate
Check Cert (TLS)
Authenticate User
IAS (Swansea)
IAS (Brynmill)
SUWNAC
(MySQL)
X.509
Certificate
4.2 802.1X VLANs
802.1X VLANS
Banned (661)
1
Virus (660)
DNAC
WPA2
Supplicant
Campus Firewall
AP (Eduroam)
Unreg (659)
Admin (656)
Guest (657)
Staff (662,663)
1
Student (654,664,665)
802.1x Firewall/Gateway
4.3 802.1X VLAN allocation
AP
EAP Request
RADIUS
SQL Lookup Username=199641
MySQL
ProxyTo = Brynmill
MSCHAPv2 Authenticate 199641 on Active Directory
User and Password OK
SQL Lookup VLAN for 199641
VLAN = 664
User Valid, VLAN = 664
Acounting Info (199641,664,date,ap)
IAS
5.0 802.1X Downfalls
•Supplicant Support
•Hardware Support
•Reactive not Preventative
www.swan.ac.uk/lis
6.0 Future Plans
•Develop a reactive traffic monitor
•NAC Product Integration (Preventative)
•Possibly integrate into campus wide wired network
www.swan.ac.uk/lis
Thank You
Gareth Ayres BSc (Hons) MIET
[email protected]
www.swan.ac.uk/lis