© 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distribute
SE Meeting – November 16th 2000
Security for Next Generation Wireless LANs
WNBU Technical Marketing
350 Security Update 1/2001 Cisco Company Confidential - Do not distribute
Agenda
• Recap – WEP/SSIDs/authentication
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Deployment of new security feature-set
• Standards update/Pointers
• Questions ?
Agenda
• Recap – WEP/SSIDs/authentication
SSIDs in 802.11
Association
Open Authentication
Shared-key Authentication
WEP/RC4 in 802.11
WEP encrypted frames
Past Security Methods
• SSID (Service Set Identifier)
Commonly used feature in Wireless LANs which provides a rudimentary level of security.
Serves to logically segment the users and Access Points that form part of a Wireless subsystem.
May be advertised or manually pre-configured at the station.
RECAP - SSIDs in 802.11
[Figure: several Access Points, each labelled "SSID for AP", and a station labelled "SSID for Client"]
SSID problem
• 32 ASCII character string
• Under 802.11, any client with a ‘NULL’ string will associate to any AP regardless of SSID setting on AP
• This is NOT a security feature!
RECAP - Association With 802.11
[Figure: Client (user machine) and Access Points attached to a wired Ethernet LAN]
Probe request on 11 channels; may include (broadcast) SSID
Probe response including info not in spec, such as # clients, % load
AP selection based on strength and quality of signal
RECAP - Open Authentication With 802.11
[Figure: Client and AP]
Client → AP: Authentication request (Open Authentication)
AP → Client: Authentication response
Open or Shared needs to be set up identically on both the Access Point and Client
RECAP - WEP/RC4 in 802.11
RECAP – WEP Encrypted Frames

| Field | IV | MSDU | ICV |
|---|---|---|---|
| Octets | 4 | 0-2304 | 4 |
| Encrypted | no | yes | yes |

IV field (4 octets): Initialization Vector (24 bits), Pad (6 bits), Key ID (2 bits)
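The frame body above, built and taken apart in Python as an added example (not code from the slides): RC4 keyed with IV || shared key, a CRC-32 ICV, the 4-octet IV field with the Key ID in its top two bits, and a defender's IV-reuse count over captured frame bodies, which is the weakness the "per-packet IV" column of the comparison slide later addresses. The key, IV and MSDU values are constructed for the demo.

```python
import zlib
from collections import Counter

# Constructed demo values (not from the slides): a 40-bit WEP key and a short MSDU.
DEMO_KEY = bytes.fromhex("0102030405")
DEMO_MSDU = b"hello from the wireless client"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream applied to data; WEP's cipher, written out in full for the demo."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(key: bytes, iv: bytes, key_id: int, msdu: bytes) -> bytes:
    """Build the WEP frame body from the slide: IV (4 octets) | MSDU | ICV (4 octets).

    The 4-octet IV field holds 24 bits of IV, 6 pad bits (zero) and a 2-bit Key ID.
    MSDU and ICV are RC4-encrypted under the per-packet key IV || shared key.
    """
    if len(iv) != 3 or not 0 <= key_id <= 3 or len(msdu) > 2304:
        raise ValueError("bad IV, Key ID or MSDU length")
    icv = zlib.crc32(msdu).to_bytes(4, "little")  # CRC-32 ICV, little-endian on the wire
    iv_field = iv + bytes([key_id << 6])           # pad bits zero, Key ID in the top 2 bits
    return iv_field + rc4(iv + key, msdu + icv)


def wep_decapsulate(key: bytes, body: bytes):
    """Inverse of wep_encapsulate: returns (iv, key_id, msdu), or None if the ICV fails."""
    if len(body) < 8:
        return None
    iv, key_id = body[:3], body[3] >> 6
    plain = rc4(iv + key, body[4:])
    msdu, icv = plain[:-4], plain[-4:]
    if zlib.crc32(msdu).to_bytes(4, "little") != icv:
        return None  # wrong key or damaged payload; note the ICV is an unkeyed CRC-32
    return iv, key_id, msdu


def iv_reuse_report(bodies):
    """Defender's check over captured frame bodies: IVs that were used more than once.

    With a 24-bit IV and a static shared key, every repeated IV means the same RC4
    keystream was reused, which is why a per-packet IV discipline matters.
    """
    counts = Counter(b[:3] for b in bodies if len(b) >= 4)
    return {iv.hex(): n for iv, n in counts.items() if n > 1}
```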
RECAP - Shared-key Authentication With 802.11
Open or Shared needs to be set up identically on both the Access Point and Client
[Figure: Client and AP]
Client → AP: Authentication request (Shared-Key Authentication)
AP → Client: Challenge text packet
Client → AP: Encrypted challenge text packet
AP → Client: Authentication response
Agenda
• Recap – WEP/SSIDs/authentication
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Deployment of new security feature-set
• Standards Update/Pointers
• Questions ?
Deployment issues with 802.11 today
• Lack of integrated User administration
Integration with existing user administration tools required (RADIUS, LDAP-based directories)
Identification via User-Name easier to administer than MAC address identification
Usage accounting and auditing desirable
• Lack of Key management solution
Static keys difficult to manage on clients, access points
Proprietary key management solutions require separate user databases
802.11 Security Issues
• User loses wireless NIC, doesn’t report it
Without user authentication, Intranet now accessible by attackers
Without centralized accounting and auditing, no means to detect unusual activity:
Users who don’t log on for periods of time
Users who transfer too much data, stay on too long
Multiple simultaneous logins
Logins from the “wrong” machine account
With global keys, large scale re-keying required
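The four kinds of unusual activity listed above, as detection logic over RADIUS accounting records; this is an added example, not material from the slides. The records, the NIC inventory and the policy thresholds are constructed; attribute names follow RFC 2139, plus a Timestamp the accounting server is assumed to stamp on receipt.

```python
from datetime import datetime, timedelta

# Constructed RADIUS accounting records (not from the slides). Attribute names follow
# RFC 2139; "Timestamp" is the accounting server's receive time. Values are invented.
RECORDS = [
    {"User-Name": "alice", "Acct-Status-Type": "Start", "Acct-Session-Id": "s1",
     "Calling-Station-Id": "00-40-96-aa-bb-01", "Timestamp": "2001-01-15T08:00:00"},
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Id": "s1",
     "Calling-Station-Id": "00-40-96-aa-bb-01", "Timestamp": "2001-01-15T09:00:00",
     "Acct-Session-Time": 3600, "Acct-Input-Octets": 10_000_000, "Acct-Output-Octets": 2_000_000},
    {"User-Name": "bob", "Acct-Status-Type": "Start", "Acct-Session-Id": "s2",
     "Calling-Station-Id": "00-40-96-aa-bb-02", "Timestamp": "2001-01-15T08:10:00"},
    {"User-Name": "bob", "Acct-Status-Type": "Start", "Acct-Session-Id": "s3",
     "Calling-Station-Id": "00-40-96-cc-dd-99", "Timestamp": "2001-01-15T08:20:00"},
    {"User-Name": "bob", "Acct-Status-Type": "Stop", "Acct-Session-Id": "s3",
     "Calling-Station-Id": "00-40-96-cc-dd-99", "Timestamp": "2001-01-16T08:20:00",
     "Acct-Session-Time": 86400, "Acct-Input-Octets": 900_000_000, "Acct-Output-Octets": 50_000_000},
]

# Constructed NIC inventory: which wireless card (MAC) was issued to which user.
ISSUED_NICS = {"alice": {"00-40-96-aa-bb-01"}, "bob": {"00-40-96-aa-bb-02"}, "carol": {"00-40-96-aa-bb-03"}}


def _ts(rec):
    return datetime.fromisoformat(rec["Timestamp"])


def simultaneous_logins(records):
    """Users with more than one session open at the same instant."""
    open_sessions, flagged = {}, set()
    for rec in sorted(records, key=_ts):
        live = open_sessions.setdefault(rec["User-Name"], set())
        if rec["Acct-Status-Type"] == "Start":
            live.add(rec["Acct-Session-Id"])
            if len(live) > 1:
                flagged.add(rec["User-Name"])
        else:
            live.discard(rec["Acct-Session-Id"])
    return sorted(flagged)


def wrong_machine_logins(records, issued):
    """Session Starts from a NIC other than the one issued to that user (a lost card in new hands)."""
    return sorted({(r["User-Name"], r["Calling-Station-Id"]) for r in records
                   if r["Acct-Status-Type"] == "Start"
                   and r["Calling-Station-Id"] not in issued.get(r["User-Name"], set())})


def excessive_usage(records, max_octets, max_seconds):
    """Stop records whose transfer volume or session length exceeds policy."""
    hits = []
    for r in records:
        if r["Acct-Status-Type"] != "Stop":
            continue
        octets = r["Acct-Input-Octets"] + r["Acct-Output-Octets"]
        if octets > max_octets or r["Acct-Session-Time"] > max_seconds:
            hits.append((r["User-Name"], r["Acct-Session-Id"]))
    return hits


def dormant_users(records, issued, now, max_idle):
    """Users holding an issued NIC who have not logged on within max_idle."""
    last_seen = {}
    for r in records:
        if r["Acct-Status-Type"] == "Start":
            last_seen[r["User-Name"]] = max(last_seen.get(r["User-Name"], _ts(r)), _ts(r))
    return sorted(u for u in issued if u not in last_seen or now - last_seen[u] > max_idle)


def demo_findings():
    """Run all four checks over the constructed records with a sample policy."""
    return {
        "simultaneous": simultaneous_logins(RECORDS),
        "wrong_machine": wrong_machine_logins(RECORDS, ISSUED_NICS),
        "excessive": excessive_usage(RECORDS, max_octets=500_000_000, max_seconds=8 * 3600),
        "dormant": dormant_users(RECORDS, ISSUED_NICS, datetime(2001, 1, 20), timedelta(days=14)),
    }
```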
Comparison: First-generation 802.11 Security Issues

| Vulnerability | First-generation 802.11 (WEP/RC4) | 802.11 w/MIC (per-packet IV, addition of keyed integrity check) | 3DES instead of WEP/RC4 | Kerb + DES |
|---|---|---|---|---|
| Impersonation | Vulnerable | Vulnerable | Vulnerable | Fixed |
| NIC theft | Vulnerable | Vulnerable | Vulnerable | Fixed |
| Brute force attack (40/56 bit key) | Vulnerable | Vulnerable | Fixed | Vulnerable |
| Packet spoofing | Vulnerable | Fixed | Vulnerable | Fixed |
| Rogue Access Points | Vulnerable | Vulnerable | Vulnerable | Fixed |
| Disassociation spoofing | Vulnerable | Fixed | Vulnerable | Fixed |
| Passive monitoring | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
| Global keying issues | Vulnerable | Vulnerable | Vulnerable | Fixed |
| Pre-computed dictionary attack | Implementation | Implementation | Implementation | Vulnerable |
| Offline dictionary attack | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
Agenda
• Recap – WEP/SSIDs/authentication
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Deployment of new security feature-set
• Standards Update/Pointers
• Questions ?
What Is 802.1X ?
• IEEE Standard in progress
• Port Based Network Access Control
General Description: IEEE 802.1X Terminology
[Figure: Supplicant (PAE) ↔ Authenticator (PAE; e.g. Switch, Access Point) ↔ Authentication Server (RADIUS)]
Supplicant to Authenticator: EAP Over LAN (EAPOL) / EAP Over Wireless (EAPOW)
Authenticator to Authentication Server: EAP Over RADIUS
Authenticator ports: Controlled port, Uncontrolled port
Supplicant side: Semi-Public Network / Enterprise Edge; Authentication Server side: Enterprise Network
IEEE 802.1X Conversation
[Figure: Laptop computer ↔ Ethernet ↔ 802.1X Authenticator/Bridge ↔ Radius Server; EAPOL on the laptop side, RADIUS on the server side]
Port connect (access blocked)
Laptop → Authenticator: EAPOL-Start
Authenticator → Laptop: EAP-Request/Identity
Laptop → Authenticator: EAP-Response/Identity
Authenticator → Radius: Radius-Access-Request
Radius → Authenticator: Radius-Access-Challenge
Authenticator → Laptop: EAP-Request
Laptop → Authenticator: EAP-Response (cred)
Authenticator → Radius: Radius-Access-Request
Radius → Authenticator: Radius-Access-Accept
Authenticator → Laptop: EAP-Success
Access allowed
IEEE 802.1X Over 802.11
[Figure: Laptop computer ↔ Wireless ↔ Access Point ↔ Ethernet ↔ Radius Server; EAPOW on the wireless side, RADIUS on the wired side]
Laptop → AP: 802.11 Associate (association complete, access blocked)
Laptop → AP: EAPOL-Start
AP → Laptop: EAP-Request/Identity
Laptop → AP: EAP-Response/Identity
AP → Radius: Radius-Access-Request
Radius → AP: Radius-Access-Challenge
AP → Laptop: EAP-Request
Laptop → AP: EAP-Response (cred)
AP → Radius: Radius-Access-Request
Radius → AP: Radius-Access-Accept
AP → Laptop: EAP-Success
AP → Laptop: EAPOW-Key (WEP)
Access allowed
802.1X Packet exchange
Start
Authenticate
Finish
802.1X Packet Exchange: Start - 1
EAPOL-Start
• Defined in IEEE 802.1X draft
• Purpose: Start the authentication process. EAP supplicant is ready for authenticator.
[Figure: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request]
802.1X Packet Exchange: Start - 2
EAP-Request/Identity
• EAP-Packet defined in 802.1X draft.
• EAP-Request/Identity defined in RFC2284.
• Purpose: Start the authentication process. Authenticator asks for the supplicant’s Identity.
[Figure: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request]
802.1X Packet Exchange: Start - 3
EAP-Response/Identity
• EAP-Packet defined in 802.1X draft.
• EAP-Response/Identity defined in RFC2284.
• Purpose: Supplicant delivers its Identity. AP uses this to send the Radius-Access-Request.
[Figure: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request]
802.1X Packet Exchange: Authenticate
[Figure: EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Challenge, Radius-Access-Request]
Authenticate sequence varies per authentication method
802.1X Packet Exchange: Authenticate
• Draft-ietf-radius-ext-07 describes encapsulating EAP in the RADIUS protocol.
• Transport Level Security (TLS) described in RFC2246
• EAP-TLS described in RFC2716
[Figure: EAP-Request, EAP-Response, Radius-Access-Request, Radius-Access-Challenge, Radius-Access-Request]
802.1X Packet Exchange: Finish - 1
Radius-Access-Accept
• Contains MS-MPPE-Send-Key attribute per RFC2548.
• This WEP session key has already been delivered/derived by the supplicant in the authentication phase. It is delivered here to the AP.
[Figure: EAP-Success, Radius-Access-Accept, EAPOW-Key]
802.1X Packet Exchange: Finish - 2
EAP-Success
• Defined in IEEE 802.1X draft.
• Supplicant could turn WEP on (timing).
[Figure: EAP-Success, Radius-Access-Accept, EAPOW-Key]
802.1X Packet Exchange: Finish - 3
EAPOW-Key
• Defined in IEEE 802.1X draft 5.
• Broadcast WEP key to the supplicant.
EAPOW-Key gets sent without WEP since timing is not certain. The WEP broadcast keys are encrypted with the session key via software.
[Figure: EAP-Success, Radius-Access-Accept, EAPOW-Key]
Supplicant & Authenticator start using the WEP session key.
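The Start, Authenticate and Finish exchange from the 802.1X conversation slides and the packet-exchange slides above, as a runnable simulation added here (not Cisco's code): EAPOL/EAP framing per the 802.1X draft and RFC 2284, an authenticator whose controlled port stays closed until Radius-Access-Accept, and EAPOW-Key delivery of the broadcast WEP key under the session key. The Radius server, user database, keys, the EAP-MD5 method and the session-key derivation are all stand-ins; real EAP-MD5 derives no key, which is why the slides turn to LEAP and EAP-TLS.

```python
import hashlib
import os

# Code points from IEEE 802.1X (EAPOL packet types) and RFC 2284 (EAP codes and types).
EAPOL_EAP, EAPOL_START, EAPOL_KEY = 0, 1, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4

# Constructed backend data (not from the slides): Radius user database and the AP's broadcast WEP key.
USER_DB = {"alice": b"wlan-secret"}
BROADCAST_WEP_KEY = bytes.fromhex("a1b2c3d4e5")

def eapol(ptype, body=b""):
    """EAPOL/EAPOW frame: protocol version 1, packet type, body length, body."""
    return bytes([1, ptype]) + len(body).to_bytes(2, "big") + body

def parse_eapol(frame):
    return frame[1], frame[4:4 + int.from_bytes(frame[2:4], "big")]

def eap(code, ident, etype=None, data=b""):
    """EAP packet (RFC 2284): Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if etype is None else bytes([etype]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def md5_credential(ident, password, challenge):
    """EAP-MD5 response value: MD5(Identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def session_key(password, challenge):
    """Constructed derivation so both ends hold the same 40-bit WEP session key (stand-in for
    the key a real method such as LEAP or EAP-TLS would derive; EAP-MD5 itself derives none)."""
    return hashlib.md5(b"session" + password + challenge).digest()[:5]

class RadiusStandIn:
    """Stand-in for the EAP-capable Radius server behind the AP (challenge, accept or reject)."""
    def __init__(self):
        self.pending = {}

    def access_request(self, identity, eap_pkt):
        ident, etype = eap_pkt[1], eap_pkt[4]
        if etype == TYPE_IDENTITY:                  # first Radius-Access-Request carries the identity
            chal = os.urandom(16)
            self.pending[identity] = chal
            return "Access-Challenge", eap(EAP_REQUEST, ident + 1, TYPE_MD5, bytes([16]) + chal), None
        pw, chal = USER_DB.get(identity), self.pending.pop(identity, None)
        if pw and chal and eap_pkt[6:22] == md5_credential(ident, pw, chal):
            # The slides carry the key to the AP in MS-MPPE-Send-Key; here it is returned directly.
            return "Access-Accept", eap(EAP_SUCCESS, ident), session_key(pw, chal)
        return "Access-Reject", eap(EAP_FAILURE, ident), None

class AccessPoint:
    """802.1X authenticator: the uncontrolled port passes only EAPOL; the controlled port opens on Access-Accept."""
    def __init__(self, radius):
        self.radius, self.identity, self.authorized, self.outbox = radius, None, False, []

    def receive_data(self, payload):
        """Client traffic on the controlled port: dropped until EAP-Success, forwarded afterwards."""
        return payload if self.authorized else None

    def receive_eapol(self, frame):
        """Client traffic on the uncontrolled port (EAPOW)."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            self.outbox.append(eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, TYPE_IDENTITY)))
            return
        if ptype != EAPOL_EAP or body[0] != EAP_RESPONSE:
            return
        if body[4] == TYPE_IDENTITY:
            self.identity = body[5:].decode()
        status, reply, key = self.radius.access_request(self.identity, body)  # Radius-Access-Request
        self.outbox.append(eapol(EAPOL_EAP, reply))  # relay EAP-Request, EAP-Success or EAP-Failure
        if status == "Access-Accept":
            self.authorized = True
            # EAPOW-Key: broadcast WEP key protected with the session key (XOR stands in for "via software").
            self.outbox.append(eapol(EAPOL_KEY, bytes(a ^ b for a, b in zip(BROADCAST_WEP_KEY, key))))

def run_exchange(identity, password):
    """Drive a supplicant through Start, Authenticate and Finish against a fresh AP."""
    ap, key, bcast = AccessPoint(RadiusStandIn()), None, None
    blocked_before = ap.receive_data(b"ip packet") is None
    ap.receive_eapol(eapol(EAPOL_START))
    while ap.outbox:
        ptype, body = parse_eapol(ap.outbox.pop(0))
        if ptype == EAPOL_KEY:
            bcast = bytes(a ^ b for a, b in zip(body, key))
        elif body[0] == EAP_REQUEST and body[4] == TYPE_IDENTITY:
            ap.receive_eapol(eapol(EAPOL_EAP, eap(EAP_RESPONSE, body[1], TYPE_IDENTITY, identity.encode())))
        elif body[0] == EAP_REQUEST and body[4] == TYPE_MD5:
            chal = body[6:6 + body[5]]
            key = session_key(password, chal)
            cred = bytes([16]) + md5_credential(body[1], password, chal)
            ap.receive_eapol(eapol(EAPOL_EAP, eap(EAP_RESPONSE, body[1], TYPE_MD5, cred)))
    return {"port_open": ap.authorized, "broadcast_key": bcast, "blocked_before": blocked_before,
            "forwarded_after": ap.receive_data(b"ip packet") is not None}
```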
Advantages of 802.1X for 802.11
• Open, extensible and standards based.
Enables interoperable user identification, centralized authentication, key management.
Leverages existing standards: EAP (extensible authentication protocol), RADIUS.
Compatible with existing roaming technologies, enabling use in hotels and public places.
• User-based identification.
• Dynamic key management.
• Centralized user administration.
Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting.
RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS.
Advantages of 802.1X for 802.11 - continued
• Extensible authentication support
EAP designed to allow additional authentication methods to be deployed with no changes to the access point or client NIC
RFC 2284 includes support for password authentication (EAP-MD5), One-Time Passwords (OTP)
Windows 2000 supports smartcard authentication (RFC 2716) and Security Dynamics
Agenda
• Recap – WEP/SSIDs/authentication
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Deployment case study with new security features
• Standards Update
• Questions ?
Cisco Security Framework
[Figure: layered stack on the client and on the backend]
Method layer: TLS, LEAP, GSS_API, IKE
EAP layer: EAP APIs
Media layer: NDIS APIs; PPP, 802.3, 802.11; VPN; 802.1X
Backend AAA infrastructure: CS-ACS2000 2.6, Third party EAP-Radius, Kerberos ...
Why LEAP ?
• Cisco Lightweight EAP (LEAP) Authentication type
• No native EAP support currently available on legacy operating systems
• EAP-MD5 does not do mutual authentication
• EAP-TLS (certificates/PKI) too intense for security baseline feature-set
• Quick support on multitude of host systems
• Lightweight implementation reduces support requirements on host systems
• Need support in backend for delivery of session key to access points to speak WEP with client
Cisco LEAP deployment
[Figure: Laptop computer with LEAP supplicant ↔ Wireless ↔ EAP Access Point ↔ Ethernet backbone ↔ LEAP Radius Server]
Client/Supplicant
Network Logon: Win 95/98, Win NT, Win 2K, Win CE, MacOS, Linux
Driver for OS x: LEAP Authentication support, Dynamic WEP key support, Capable of speaking EAP
Authenticator
EAP Authenticator: EAP-LEAP today, EAP-TLS soon, …..
Backend/Radius server
Radius: Cisco Secure ACS 2.6, Authentication database, Can use Windows user database
Radius DLL: LEAP Authentication support, MS-MPPE-Send-key support, EAP extensions for Radius
LEAP Client / Supplicant Support
Integrated Wireless and Microsoft Network Logon
EAP Support in Access Point
LEAP Support in Radius Server -1
Configuring the user database
LEAP Support in Radius Server -2
Configuring the NAS/AP
[Screenshot callouts: same shared secret as that configured for the access point; Radius (Cisco Aironet) for an EAP-supported Access Point]
What Does the Radius Server Perform? Cont.
• Authentication
• Generates dynamic session key
• Sends session key to access point
What Does the AP Perform? Cont.
• On successful authentication:
Send broadcast WEP key to client.
Maintain client’s WEP key.
Start running WEP with client.
Distribute pre-auth.
Future EAP Client Work ?
• Microsoft placing 802.11 EAP native supplicant in Win2K, WinCE
• What about other Microsoft OS’s? Win9x/WinNT (need LEAP)
• What about other OS’s? Linux, MacOS (need LEAP)
Future Backend Work ?
• Support for Kerberos
• Promote EAP authentication types on backend servers
• Integrate with SSGs .. etc
What About Edge Devices Support for 802.1X Authenticator ?
• ELoB Switches.
Catalyst 6k/5k/4k ...
• DSBU Switches.
Catalyst 29xx/35xx ...
Agenda
• Recap – WEP/SSIDs/authentication
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Deployment of new security feature-set
• Standards Update/Pointers
• Questions ?
Standards Update
• 802.1X Current Status
Draft 8 : http://www.manta.ieee.org/groups/802/1/pages/802.1x.html
Scheduled for letter ballot, January 2001
• 802.11 Security
TG e (Task Group E) working on security and QoS extensions to the MAC 802.11 layer
TG-e Security sub-group chair : Dave Halasz (Cisco- Aironet Engineering)
Joint multi-vendor 802.1X for 802.11 proposal accepted as baseline security document.
Pointers
• Whitepaper : Security for Next Generation Wireless LANs v1.1
http://wwwin.cisco.com/cmc/cc/pd/witc/ao340ap/prodlit/wlanw_in.msw
• IEEE 802.1X
http://grouper.ieee.org/groups/802/1/pages/802.1x.html
• RADIUS
http://www.ietf.org/rfc/rfc2138.txt
http://www.ietf.org/rfc/rfc2139.txt
http://www.ietf.org/rfc/rfc2548.txt
http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt
http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt
http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt
http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt
http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt
• EAP
http://www.ietf.org/rfc/rfc2284.txt
http://www.ietf.org/rfc/rfc2716.txt
Agenda
• Recap 1st-generation security for 802.11 WLANs
• Deployment issues with 802.11 today
• 802.1X for 802.11
• Standards Update
• Questions ?