
802.1X

Terry Simons

Formerly of The University of Utah

University of Utah Background

• 28,000+ student campus
• EAP-TTLS
• 802.1X movement was “grass roots”
  – Proof of concept
  – Wireless Whitepaper

• RADIUS “Mesh” (more of a star topology)
  – “Give to get” mentality

• Initial deployment on May 19, 2003
• Campus Radiator site license
• Initial campus Meetinghouse site license
  – Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003
• Now prefer SecureW2 TTLS WZC plugin
• Chris Hessing is lead developer of Open1x

802.1X Problem Areas

• Certificate Validation

• Windows Zero Config/GINA

• The Supplicant Debacle

• EAP Type Selection

• Encryption

Certificate Validation

• No real CRL Support

• Deployment difficulty
  – Mitigated in part by “smart installers”

• Mac OS X is too “easy to use”
  – I am a Mac user. :-}

• Man in the Middle Attacks

• Public certificate authorities
  – Mac OS X becomes vulnerable

Windows Zero Config/GINA

• Users expect it, especially in higher ed.

• AEGIS and Funk take over WZC/GINA
  – Users complain loudly

• Helpdesk gets swamped

  – GINA: “What did you do to my computer?!”
• Not so bad with current Meetinghouse releases

• Migration to SecureW2 fixed both issues.

The Supplicant Debacle

• Vendors bundle OEM’d supplicants
  – Which quite often do not work properly

• IBM Thinkpad/Intel Centrino TTLS Problems

  – Usually based on Meetinghouse
  – Same crunchy WZC problems
  – Same bad aftertaste

• Most setup programs are self-extractable
  – Use a zip utility to extract only the driver

EAP Type Selection

• TLS, TTLS, or PEAP
  – Provisions for keying material

• TLS if an existing PKI is in place
  – Arguably the “most secure” EAP type

• TTLS for “strongly encrypted” backends
  – U of U uses Kerberos

• PEAP for Active Directory shops

Encryption

• CCMP is the “best” security currently
  – Doesn’t work with Mac OS X

• TKIP is the next best thing.
  – Watch out for “mixed mode” problems

• TKIP “unicast” and WEP “multicast” keys
  – Specifically a problem with Mac OS X
  – Apple is aware of the problem.

• Dynamic WEP for “legacy” devices
• Or use multiple SSIDs and run parallel security models.
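The two slides above (certificate validation and encryption) boil down to how the supplicant is configured. The following added example, not from the talk or from any of the supplicants it names, uses wpa_supplicant's configuration syntax as a stand-in; the SSID, realm, CA file path and RADIUS server name are assumed placeholders. The first block is the weak shape that leaves a TTLS client open to a server impersonating the campus RADIUS (the man-in-the-middle and public-CA points on the Certificate Validation slide); the second pins the campus CA and server name and states the cipher preference discussed on the Encryption slide.

```conf
# WEAK (do not deploy): no ca_cert and no subject_match, so the supplicant
# accepts any server certificate, including one issued by a public CA.
# The inner PAP password is then handed to whoever terminates the TLS tunnel.
network={
    ssid="campus-wireless"            # assumed SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"   # assumed realm
    identity="user@example.edu"
    password="CHANGEME"               # placeholder
    phase2="auth=PAP"                 # inner PAP: what a Kerberos-backed RADIUS needs
}

# HARDENED: trust only the campus CA and only the named RADIUS server,
# and prefer CCMP with TKIP as the fallback for mixed-mode deployments.
network={
    ssid="campus-wireless"
    key_mgmt=WPA-EAP
    proto=RSN WPA
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="CHANGEME"
    phase2="auth=PAP"
    ca_cert="/etc/wpa_supplicant/campus-ca.pem"   # assumed path to the campus CA
    subject_match="/CN=radius.example.edu"        # assumed RADIUS server subject
}
```

With the hardened block, a server certificate from any other CA, or from the campus CA but with a different subject, fails the TLS phase before the inner credentials are ever sent.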

Ending Comments

• It’s possible to allow multiple EAP types
  – Works well in federated environments

• Vendor skepticism is encouraged

• Helpdesk Feedback Loop

Q&A

Resources

• http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf
• http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf
• http://www.open1x.org/
• http://www.open.com.au/radiator/
• http://www.securew2.com/