
Module 6: Viewing and Editing Configuration: 802.1X Secure Employee WLAN
Copyright 2008 Aruba Networks, Inc. All rights reserved

V1.0 7-08
Module Overview
Security Overview
SSID
MAC Filter
Captive Portal
802.1X
802.1X Employee WLAN profiles



Security Overview
Wireless security standards and protocols fall into 3 categories:
Encryption
Ensures privacy of data transmitted through the air
Can be done at Layer 2 (WEP, TKIP, AES) or Layer 3 (VPN)
Authentication
Ensures that only authorized users with proper credentials are allowed to use the network
Authentication methods include EAP, captive portal, VPN
Access Control
Provides a policy enforcement structure to control the traffic of authorized users, including networks, bandwidth, time of day, and protocols



Authentication Overview
Information Security has 3 goals:
Confidentiality
Integrity
Availability
Authentication assists with confidentiality and integrity
Ensures you are who you say you are
Necessary for both client and network/server



Authentication Methods (continued)
Aruba supports a variety of authentication methods.



Authentication Methods (continued)
Authentication methods are used by the Aruba controller to assign a role to a user
A user's role defines what resources that user can access



Authentication Methods
SSID
MAC
Captive Portal
VPN (will not be discussed in this course)
802.1X
EAP



SSID Authentication
A user can be authenticated simply by associating with a given SSID
A policy is created such that anyone associating with a given SSID is granted certain permissions
Weak encryption offerings (WEP) and high administrative overhead (creating a separate SSID for each user group) make SSID a poor choice



SSID Authentication Configuration



MAC Authentication
A user's MAC address can be used to establish identity
However, MAC addresses can be spoofed by an attacker
Useful for devices that cannot run authentication software (handheld scanners, printers, etc.)



MAC Auth Methods
There are 2 different mechanisms for performing MAC Authentication:
MAC Auth Profile
User Derivation Rules



MAC Auth Profile
Format sent to server:
None: aabbccddeeff
Dash: aa-bb-cc-dd-ee-ff
Colon: aa:bb:cc:dd:ee:ff



Specify Authentication Server



User Derivation Rules



User Derivation Rules (continued)



Internal Database



Captive Portal
Web-based authentication method (SSL)
Enabled by default
Typically found in Public Hotspots, Universities
User associates (open or static WEP), receives IP address
Launches web browser, forced to authentication web page
May authenticate against internal or external server
After successful authentication, Role assigned



802.1X
Standard protocol for authenticating user *prior* to granting access to L2 media
Utilizes EAP (Extensible Authentication Protocol)
Evolved from PPP, used for wired network authentication - unencrypted
Several types of Wireless EAP:
Cisco LEAP
EAP-TLS
PEAP
EAP-TTLS
These sub-types intended for use on untrusted networks such as wireless



802.1X Definitions
Supplicant: client station
Authenticator: Aruba controller
Authentication Server: RADIUS Server



EAP Overview
1. Supplicant communicates with authentication server through the authenticator
2. Authenticator reformats 802.1X to RADIUS and forwards to Authentication Server
3. EAP exchange happens between supplicant and authentication server
4. On success, server delivers EAP Success via RADIUS message
5. Details often hidden from authenticator
6. The Aruba controller is EAP agnostic
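An added illustration of steps 1 to 4 (example code, not from the course material): the supplicant's EAP Response/Identity arrives at the authenticator inside an EAPOL frame, and the authenticator re-packages the EAP payload unchanged into RADIUS EAP-Message attributes, which is why it needs no knowledge of the EAP method in use. Code, type and attribute numbers are the standard values from RFC 3748, IEEE 802.1X and RFC 3579; the RADIUS packet header and Message-Authenticator are left out, and the identity string is a constructed sample.

```python
import struct
# Standard values: EAP codes and Identity type (RFC 3748), EAPOL type 0 = EAP-Packet (802.1X),
# RADIUS attribute 79 = EAP-Message (RFC 3579), which carries at most 253 value bytes each.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAPOL_EAP_PACKET, RADIUS_ATTR_EAP_MESSAGE = 1, 0, 79

def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure have no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    eap_type = pkt[4] if length > 4 else None
    return {"code": code, "id": identifier, "type": eap_type, "data": pkt[5:length]}

def eapol_wrap(eap_pkt, version=1):
    """Supplicant side: EAPOL header Version(1) Type(1) Length(2) in front of the EAP packet."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt

def eapol_unwrap(frame):
    """Authenticator side: drop the EAPOL header, keep the EAP packet byte-for-byte."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet frame")
    return frame[4:4 + length]

def to_radius_eap_message(eap_pkt):
    """Authenticator side: split the EAP packet into EAP-Message TLVs for the Access-Request."""
    attrs = b""
    for i in range(0, len(eap_pkt), 253):
        chunk = eap_pkt[i:i + 253]
        attrs += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return attrs

def from_radius_eap_message(attrs):
    """Server side: concatenate EAP-Message values in order to rebuild the EAP packet."""
    out, i = b"", 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            out += attrs[i + 2:i + alen]
        i += alen
    return out

def relay_identity_response(identity, identifier):
    """Whole pass-through: EAPOL frame from the supplicant -> RADIUS attribute bytes."""
    frame = eapol_wrap(build_eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity))
    return to_radius_eap_message(eapol_unwrap(frame))
```

The outer identity is the anonymous one the sequence diagram shows; the real credentials travel later inside the PEAP tunnel, so the controller never sees them even though it relays every byte.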



EAP Exchange
(Figure: EAP exchange between Client, Aruba Controller and Authentication Server. The controller is used as a pass-through and doesn't have to know the EAP type; the client side is the 802.11 a/b/g secured link, the server side is the trusted network.)


802.1X Process
(Figure: 802.1X access control sequence of events between Client, Authenticator and Authentication Server.)
Request Identity
Response Identity (anonymous)
Response Identity (forwarded to the Authentication Server)
PEAP Start
Certificate
Client Key exchange
Cert. verification
Request credentials
Response credentials
Success


EAP Flavors
LEAP
Cisco proprietary
Dynamic WEP
Has been broken. Not recommended for current deployment

EAP-TLS (EAP with Transport Layer Security)
RFC 2716 - based on SSL
Uses both client and server certificates
Provides for mutual authentication
Supported by Windows 2000, XP, 3rd party clients

EAP-PEAP
Based on TLS
Hides EAP exchange
Requires both server and client authentication
Developed by Microsoft, Cisco and RSA Security
Evolved into MS-PEAP and EAP-GTC



EAP Flavors (continued)
EAP-FAST
Primarily Cisco
Uses a PSK in phase 0 to obtain a PAC file (similar to a certificate, PAC is used as credentials on network)
Subject to man in the middle attacks; poor Windows AD integration

EAP-TTLS
Similar to PEAP, but allows for any EAP authentication protocol
Requires 3rd party client
Developed by Funk Software



Configuring an SSID to Use dot1X
1. Configure the external auth-server or internal-db.
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, key rotation, re-auth, etc.).
4. Create an AAA profile and assign the dot1x profile and dot1x server-groups created in Steps 2 and 3.
5. Create an SSID profile and configure the required opmode to use with dot1x, SSID name and other parameters.
6. Create a Virtual AP profile and assign the AAA and SSID profiles previously created to it.
7. Assign the Virtual AP to an AP Group/AP Name.
(Flowchart: Configure Auth Server -> Create a server group -> Configure dot1x profile -> Configure AAA profile -> Create an SSID profile -> Create and configure Virtual AP profile -> Assign the SSID profile to Virtual AP profile -> Assign VAP to AP-Group/Name)
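The seven steps written out as one ArubaOS CLI session, added here as an illustration and not taken from the course material: the profile names, the RADIUS host address and the shared secret are placeholders, the command syntax is assumed from ArubaOS rather than quoted from the module, and the lines starting with # are annotations rather than CLI input.

```text
# Step 1: external auth-server (placeholder host and secret)
aaa authentication-server radius corp-radius
   host 10.0.0.10
   key REPLACE-WITH-SHARED-SECRET
!
# Step 2: server group holding that server
aaa server-group corp-dot1x-servers
   auth-server corp-radius
!
# Step 3: dot1x profile; termination = EAP offload on the controller, plus re-auth
aaa authentication dot1x corp-dot1x
   termination enable
   reauthentication
!
# Step 4: AAA profile tying the dot1x profile to the server group
aaa profile corp-employee-aaa
   authentication-dot1x corp-dot1x
   dot1x-server-group corp-dot1x-servers
!
# Step 5: SSID profile with a dot1x-capable opmode (WPA2/AES, per the recommendations)
wlan ssid-profile corp-employee-ssid
   essid Employee
   opmode wpa2-aes
!
# Step 6: Virtual AP profile referencing the AAA and SSID profiles
wlan virtual-ap corp-employee-vap
   aaa-profile corp-employee-aaa
   ssid-profile corp-employee-ssid
!
# Step 7: apply the Virtual AP to an AP group
ap-group corp-office
   virtual-ap corp-employee-vap
```

EAP offload (termination) means the controller itself terminates the TLS tunnel, so it needs a server certificate that clients are configured to validate; without that check the man-in-the-middle warning later in the module applies.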



802.1X Configuration
Select Profile and provision 802.1X parameters. Remember to set server group too.



WEP
Wired Equivalent Privacy
Based on RC4 stream cipher
Part of 1997 802.11 specification
WEP was defeated in 2000
Keys made up of 24-bit Initialization Vector (IV) and either a 40-bit or 104-bit key
Usually statically configured on both AP and client
Makes key rotations difficult
Can be dynamically assigned through 802.1X - LEAP

Currently, Static WEP + VPN is a popular model



WEP (continued)
Static WEP vulnerabilities include:
No privacy between users - same keys
Weak IVs lead to linear key discovery
No authentication mechanism
Vulnerable to Man-in-the-Middle/replay attacks

Dynamic WEP an improvement:
Keys generated by authentication server through 802.1X - unique to each user
Keys rotated periodically
Keys still able to be attacked directly, just takes longer
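An added illustration of "no privacy between users - same keys" and of how little a 24-bit IV buys (example code, not from the course material): WEP seeds RC4 with IV || static key, so two frames that repeat an IV under the same key reuse one keystream, and XORing their ciphertexts cancels the keystream without any knowledge of the key; the birthday bound then says how soon random IVs repeat. The CRC-32 ICV is omitted, and the key and frame contents are constructed sample values.

```python
import math
import os

def rc4_keystream(seed, n):
    """Plain RC4 (KSA then PRGA); WEP uses seed = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv, key, plaintext):
    """WEP body = IV (3 bytes, sent in the clear) || plaintext XOR RC4(IV || key).
    key is the static 40-bit (5-byte) or 104-bit (13-byte) key; CRC-32 ICV omitted."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits, key 40 or 104 bits")
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def plaintext_xor_from_iv_reuse(frame_a, frame_b):
    """Two frames with the same IV under the same static key share a keystream, so
    ciphertext XOR equals plaintext XOR. Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

def frames_until_iv_repeat_likely(iv_bits=24, probability=0.5):
    """Birthday bound for random IVs: frames after which a repeat has this probability."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))

def demo():
    """Constructed scenario: one static key shared by all users, an IV chosen twice."""
    key = os.urandom(5)
    iv = b"\x00\x00\x01"
    p1, p2 = b"GET /index.html ", b"POST /login.php "
    leaked = plaintext_xor_from_iv_reuse(wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2))
    return leaked == bytes(a ^ b for a, b in zip(p1, p2))
```

With random IVs a repeat becomes more likely than not after roughly 4,800 frames, which on a busy network is seconds; per-user dynamic keys shrink the set of frames sharing a key but do not change the 24-bit IV, which is why the slide says attacks only take longer.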



WPA/TKIP
WPA (Wi-Fi Protected Access) is an industry-sponsored interim security standard
Subset of 802.11i RSN (Robust Secure Network)
Dramatic improvement over WEP
WPA consists of 2 parts:
802.1X Authentication
TKIP encryption (Temporal Key Integrity Protocol)
TKIP
Provides per-packet key mixing, strong MIC (Message Integrity Check), extended IV, and a re-keying mechanism
Based on RC4 - only requires a software upgrade for most devices
Can use a Pre-Shared Key (PSK) or dynamic keys through 802.1X (recommended)



WPA Disadvantages
Major drawbacks of WPA include:
Backwards-compatibility limits crypto operations
Encryption is still ultimately based on RC4, as is WEP/TKIP
Not FIPS-certified or approved for US government use

WPA designed as an interim solution before 802.11i
Not compatible with pure 802.11i/RSN (Robust Secure Network) environments



802.11i/Wi-Fi Protected Access 2.0
Amendment to the original 802.11 standard
Specifies security mechanisms for wireless networks (Wi-Fi)
Major 802.11i components include:
802.1X for authentication
RSN for keeping track of associations
AES-based CCMP encryption
Four-way authentication handshake



Encryption for 802.1X/802.11i



WLAN Security Recommendations
Use WPA2 wherever possible
Leverage firewall policies to protect networks from unauthorized use (especially legacy WEP networks)
In all-Windows environments: use EAP-PEAP (server 2000/2003 supports RADIUS with the IAS module)
In all-Windows rollouts with existing PKI: TLS is an option for greater security
Migrate to full 802.11i as drivers and equipment allow
Always validate server certificate to prevent man in the middle attacks
Use Aruba EAP Offload for greater scalability in EAP-PEAP and EAP-TLS deployments



Profiles
Profiles are a powerful tool that allow administrators increased flexibility over other configuration methods
All aspects of the configuration have been abstracted into profiles which are then applied to individual APs or (more commonly) to AP Groups



AP Group and Profiles
(Figure: profile hierarchy applied to an AP Group. Top-level groups: Wireless LAN, RF Management, AP, QoS, IDS. Profiles shown: Virtual AP (with its SSID and AAA profiles), a/g Radio Properties, RF Management Optimizations, System Profile, Ethernet Properties, Regulatory, SNMP, VoIP Settings.)
Profiles (cont.)



Apply Profiles to AP Group



Lab 6: Viewing and Editing 802.1X WLAN Configuration


V1.0 - 8-08