18. Understanding Wireless Client Authentication
Does Web Auth require 802.1X credentials?
no
What authentication will 802.11-compliant WLAN clients use by default?
open authentication
In EAP-TLS what is the name of the common value generated by client and server from the exchanged certificates and randomly generated numbers after authentication?
session key or master key
What are the characteristics of local web portal with external authentication operation?
-A guest associates to a local controller, and a local session is created. -The guest receives web login pages from the local WLC. -The guest enters credentials that are forwarded to authentication server (Cisco ISE) for authentication. -The authentication server returns confirmation (assuming credentials are valid). -Guest traffic is routed to the Internet, and the WLC provides path isolation.
In enterprise WLAN, PKI is used how? (CA does what? clients authenticate how? servers authenticate how? WLCs do what?
-Certificate Authorities (CAs) generate digital certificates for users (clients) and servers that are used to validate user and server identities. -Clients request a user certificate from a CA and use the certificate to authenticate to the server using IEEE 802.1X authentication (like using EAP-TLS or EAP-FAST, for example). -Servers request a server certificate from the CA, which is used by the client to validate the authenticity of the server. A server can also use a self-signed certificate in which it acts as its own CA. -Cisco Wireless LAN Controllers (WLCs) that are used as the authentication server use preinstalled server certificates or can request a server certificate from a CA.
Describe EAP-FAST
-EAP-FAST is a secure solution for enterprises that cannot enforce a strong password policy and do not want to deploy certificates for authentication.
Describe EAP-TTLS
-EAP-TTLS addresses the certificate issue by tunneling TLS, and thus eliminating the need for a certificate on the client side. -This approach is often the preferred option. -EAP-TTLS is a proprietary standard, originally developed by Funk Software but now owned by Juniper Networks. -Juniper primarily promotes TTLS and there is a charge for supplicant and authentication server software.
What types of servers can provide EAP server functionality as a global RADIUS server?
-ISE -Microsoft server configured for RADIUS-NPS -any RADIUS compliant server
Describe LEAP
-LEAP has the longest history, and while previously Cisco proprietary, Cisco has licensed LEAP to other vendors. -A strong password policy should be enforced when LEAP is used for authentication to prevent dictionary attacks. -LEAP is not a recommended form of EAP in the enterprise.
What are the three parts of PAC?
-PAC key -PAC-opaque -PAC-info
Describe PEAP
-Protected Extensible Authentication Protocol (PEAP) is secure and requires only server-side certificates. -Therefore, you can use a more manageable PKI or no PKI. -Cisco and Microsoft support PEAP and it is available at no additional cost from Microsoft.
Describe an EAP request. Where is sent to/from? What does the type field indicate? How are responses and requests linked?
-The authenticator sends the request packet to the supplicant. -Each request has a Type field that indicates what is being requested. -A sequence number allows the authenticator and the peer to match an EAP response to each EAP request.
What is the order of EAP-TLS authentication process?
-The client sends its identity, user or machine name -The authentication server sends its certificate, which proves its identity and provides the client with a means of sending back encrypted frames. -The client answers with its own certificate. -The client and server use public and private keys to create an encrypted tunnel to generate a session key to encrypt the data.
Describe an EAP response. Where is sent to/from? What does the type field indicate? How are responses and requests linked?
-The supplicant sends the response packet to the authenticator and uses a sequence number to match the initiating EAP request. -The type of EAP response generally matches the EAP request, unless the response is a NAK.
Describe WPA2 enterprise mode. What authentication? RADIUS environment? Scale?
-Uses IEEE 802.1X and EAP authentication; each user or device is individually authenticated. -Incorporates RADIUS authentication server for authentication and key management. -Used by enterprise-class networks.
Describe WPA2 personal mode. What authentication? RADIUS environment? Scale?
-Uses WPA2-PSK (Pre-Shared Key) authentication; a common key is statically configured on the client and the AP. -Designed for environments where there is no RADIUS authentication server. -Local access control -Provides inadequate security for an Enterprise wireless network; if attackers break the WPA2 PSK, then they can access all device data.
Describe EAP-TLS
-While very secure, EAP-TLS requires client certificates to be installed on each Wi-Fi workstation. -This approach requires a PKI infrastructure with extra administrative expertise and time in addition maintaining the WLAN itself.
Describe a PAC key
-client uses this 32-octet key to establish the Phase 1 EAP-FAST tunnel -this key maps as the TLS premaster secret -the AAA server randomly generates the PAC key
What are keys characteristics of 802.1X keys?
-dynamic -session based -unique to each individual device being authenticated
Describe Web Auth. What kinds of users does it authenticate?
-for 802.1x-incapable devices -for 802.1x-backup authentication -for guest user access
What three basic areas must be defined for web authentication?
-from where the guest path isolation is defined in the network -from where the web portal pages are provisioned -from where users are defined
What does the certificate authority issue?
-issues public and private keys to clients and servers
What does a WLC provide with local web authentication?
-maps SSIDs to a dedicated VLAN -web authentication splash pages -local user guest accounts
What does the anchor WLC provide in Local Web Authentication with Auto-Anchor? (two things)
-provisions web authentication splash pages -maintains local user guest accounts
What three roles does 802.1x define?
-supplicant -authenticator -authentication server
What type of device can an 802.1X authenticator be?
-switch in a wired network -AP or a WLC in a wireless network
what does a WLC with web authentication define about local guest user accounts?
-username/password -SSID that is allowed for the account (associated VLAN) -lifetime of the account
Describe PAC-Opaque
-variable length field -sent during Phase 1 EAP-FAST tunnel creation -can only be interpreted by the AAA server to recover info to validate client identity and authentication
Describe PAC-Info
-variable-length field -provides the A-ID or PAC issuer -can also convey the PAC-key lifetime
What WebAuth option types are available when setting up WebAuth Authentication?
-webauth -authbypass -webconsent
What are the characteristics of auto-anchor operation?
-when a guest associates to a local controller, a local session is created -the per-SSID session is created via tunnel to the auto-anchor WLC -packets from the client are encrypted and sent to the auto-anchor WLC via the tunnel -auto-anchor WLC de-encapsulates the client packets and delivers them to the wired network
What are the steps in a PSK authentication?
1. Client: sends authentication request 2. AP: sends cleartext challenge phrase 3. Client: sends encrypted response 4. AP: (if it could decrypt the client's response) sends authentication to client 5. Client: authenticates, makes association request 6. AP: sends association response 7. Client: now able to send encrypted data over virtual port
What are the steps in the PAC exchange process?
1. When an EAP-FAST session is initiated, the server sends its A-ID in an EAP-FAST start packet to the client. 2. The client uses the A-ID to choose the PAC to use for this session. 3. The client sends the PAC-Opaque field from the appropriate PAC to the server. 4. The server uses the master key to decrypt the PAC-Opaque field and retrieve the PAC key, I-ID, and PAC lifetime. 5. Now the server and the client have the PAC key, which is used as a shared secret to establish a TLS tunnel.
What are the steps in certificate enrollment?
1. client forward certificate request that contains public key and identity info 2. CA admin confirms submission and public key 3. CA admin signs and issues certificate 4.client retrieves certificate or SCEP automatically retrieves it
What are the steps in retrieving a CA certificate?
1. clients request CA certificates that contains the CA public key 2. once client receives CA certificate, verify the certificate with public key 3. client contacts CA admin to verify public key and serial number of certificate
How can the EAP authentication server functionality be provided? (2 ways)
1. locally by a Cisco WLC 2. globally by a RADIUS server
What are the steps to create a PAC?
1.A server A-ID maintains a local key (master key), which only the server knows. 2. When a client identity, sometimes referred to as the I-ID, requests a PAC from the server, the server generates a randomly unique PAC key and PAC-Opaque field for this client. 3. The PAC-Opaque field contains the randomly generated PAC key, along with other information such as the I-ID and key lifetime. 4. The PAC-Opaque field is encrypted with the master key. 5. A PAC-Info field, which contains the A-ID, is also created.
How many keys do users generate in asymmetric encryption?
2 keys; 1 public and 2 private
How many WLCs are required for local web authentication with auto-anchor?
2; the local WLC tunnels client traffic, and the anchor WLC provides path isolation
What authentication framework does EAP-FAST use?
802.1X
What authentication protocol does EAP use?
802.1X
What are the characteristics of the centralized web authentication operation?
A guest associates to a local controller, and a local session is created. The guest is redirected to Cisco ISE. Cisco ISE provides web portal pages and guest authentication. Guest traffic is routed to the Internet.
In open authentication, are passwords and authentication keys shared or specific per device?
All clients use the same password in shared key authentication.
What is auto-anchor mobility?
Auto-Anchor mobility (also called guest tunneling) is a feature of mobility to restrict a WLAN to a single subnet, regardless of a client entry point into the network.
What are the most common types of EAP?
EAP-TLS PEAP EAP-FAST EAP-SIM, for GSM EAP-AKA, for UMTS
What is a drawback of EAP-TLS for wireless client authentication?
Each client (user) must have his or her own certificate that is personally issued and installed on his or her machine. Maintenance of the CA (which is part of a PKI) might be a barrier to EAP-TLS deployment for some customers.
What is EAP-TLS?
Extensible authentication protocol - transport layer security; it is a method of applying digital certificates to both client and server.
What is EAP?
Extinsible Authentication protocol; EAP is a general protocol for authentication that also supports multiple authentication methods. EAP does not specify which type of authentication to use; it simply defines the authentication steps and headers.
T/F: an 802.1X supplicant can send data over the port to the authenticator before sending its ID.
False; if the supplicant that is attached to the network does not send an ID, then the port remains unauthorized. In this state, the port cannot pass any user traffic.
What dilemma does Web Auth solve?
Guest access
Does 802.1X authenticate clients individually or simultaneously?
Individually
What is good practice when creating your WLAN ID?
It is good practice to have this number match the VLAN number
What is an advantage of EAP-FAST?
It provides a way to ensure as much security as EAP-TLS but without the need to manage certificates on the client or server side.
With open authentication, what does the client have to authenticate?
Itself, it authenticates itself as an 802.11-capable device
At what layers does open authentication operate?
L1 and L2
What protocol can devices like printers and cameras that don't support authentication use in order to access the netword?
MAC Authentication Bypass (MAB)
Does open authentication offer end-to-end security?
No
Does open authentication use keys?
No
Is symmetric encoding recommended for strong user authentication?
No because it is not resistant to a key attack
What is the role of PAC in EAP-FAST?
PAC (Protected Access Credential) is associated with a specific client username and a server A-ID, and therefore, removes the need for a PKI and digital certificates.
What does PAC remove the need for? Why?
PAC is associated with a specific client username and a server A-ID, and therefore, removes the need for a PKI and digital certificates.
What are the phases of EAP-FAST?
Phase 0: PAC Creation Phase 1: PAC Exchange Phase 3: Authentication
Describe PKI.
Public Key Infrastructure is a way to implement strong encryption using digital certificates; it manages keys and identity information for the parts of the network that participate in secure communication.
What type of server is usually the 802.1X authentication server?
RADIUS
What are the four EAP message types?
Request Response Success Failure
Define the three 802.1x roles
Supplicant: The machine (typically a PC or wireless client) that wants to access the network. Authenticator: The point of access (a switch, an AP, or a WLC). The authenticator is the point of entrance to the network. Authentication server: A machine, somewhere in the network, that keeps a list of conditions by which access is granted or refused.
What type of security does 802.1X provide?
The 802.1X protocol defines port-based access control.
Describe Phase 1 of EAP-FAST
The AAA server and the end user, or client, use PAC to authenticate each other and establish a secure tunnel. A process similar to TLS is used to verify the identity of the AAA server and to establish a secure tunnel between the client and AAA server. PAC replaces the digital certificate that is used in EAP-TLS and eliminates the need for a PKI to manage the certificates.
Describe Phase 0 of EAP-FAST
The PAC (some unique share credential) needs to be installed on the client. It can be done manually or via a trusted connection where the client is authenticated using another method (for example, certificate-based [TLS] or password-based [MS-CHAP v2]).
Describe Phase 2 of EAP-FAST
The RADIUS server authenticates the user credentials with another EAP, which is protected by the tunnel that is created in Phase 1. The common means of authentication are password and GTCs.
Who sends an EAP success or failure packet?
The authenticator sends success or failure packets to the supplicant when authentication occurs or fails
What is digital signing?
The idea that because only the client's keys can decrypt its own content, if that key can decrypt content it must have come from the client. User encrypts message with their public key, then re-encrypts with the server's public key. The server decrypts with its private key but can't read it. When decrypting with the user's key works, it knows that the content came from that user.
Where does EAP-FAST generate credentials? perform authentication?
The same server on which authentication occurs also generates a unique shared credential that is used to mutually authenticate client and server, called Protected Access Credential (PAC).
What keys do clients and server exchange with eachother?
They will exchange their public keys with eachother
How many WLCs are required for local web portal with external authentication?
This model works with just the local WLC and authentication server, however, an Auto-Anchor WLC can optionally be used for path isolation.
T/F: traffic from the wired network to the client goes through the same tunnel that a guest associates to the auto-anchor WLC?
True; Traffic from the wired network to the client goes through the same tunnel.
Why WEP no longer commonly used?
WEP (wired equivalent privacy) has been deprecated because -hackers can easily obtain the challenge phrase and encrypted response -key management does not scale to enterprise
What is the current implementation of the 802.11i security standard?
WPA2
What does WPA2 enterprise mode dictate about EAP?
WPA2 Enterprise mode dictates that the authentication phase is done using a supported EAP type: EAP-TLS, PEAP, EAP-FAST, EAP-GTC, EAP-SIM, and EAP-AKA. Other EAP types might be allowed but are not officially supported and must be a vendor-specific option.
Are 802.1X keys unique or shared?
While authenticating each other through 802.1X, the client and RADIUS servers derive an individual key, which is unique for this device and this session
Is it recommended to use WPS?
Wi-Fi Protected Setup is not recommended for use because there are many known weaknesses and attacks against it.
What two solutions emerged as a solution to the weaker Wired Equivalent Privacy standard?
Wi-Fi protected Access (WPA) and its successor WPA2
What is a certificate?
a public key that a certificate authority has encrypted with a private key that contains a signed message with a user's identity, validity duration, and hash
What type of key does PSK use?
common, not private per user
With central web authentication where are the tasks of provisioning web login pages and maintaining guest user accounts performed?
done by a central server such as ISE