Network Authentication with PKI
EDUCAUSE/Dartmouth PKI Summit, July 27, 2005
Jim Jokl, University of Virginia

Slide 2: Background: UVa Wireless LAN Project
 Deploy a campus-wide Wireless LAN (WLAN)
   - Initial focus on student areas
   - Later emphasis on faculty/staff areas
 Support multiple applications
   - Focus on standard applications: email, web, login, file transfer, etc.
   - Don't focus on applications such as video
 Provide security
   - Wireless really is different in this regard

Slide 3: UVa WLAN Summary
 Access point summary as of July 2005
   - 796 access points in the database, approximately 704 operational
   - ~250 older Cisco 352 802.11b units (11 Mbps @ 2.4 GHz)
   - Remainder are modern Cisco 1100/1200 series access points
     - 802.11g/b (11-54 Mbps @ 2.4 GHz)
     - 802.11a (54 Mbps @ 5 GHz)
     - Still need to install a/g radios in some of the 1200s
 Wireless security system
   - Would have liked strong authentication and encryption for all WLAN access, however ...

Slide 4: Wireless Security
 Have to support "other" devices

Slide 5: Initial Wireless Security System
 MAC address validation
   - Users register the hardware address of their wireless adapter
   - Provisions for anyone affiliated with the university to register cards for guests
   - Supports "random" devices
 Secured wireless via Cisco LEAP
   - Password-based authentication
   - Dynamic symmetric cipher keys (per-session keys rather than a static key shared by every client)
   - Had expected this technology to be widely implemented by vendors

Slide 6: EAP-based Authentication Process
(Diagram: User - Access Point - UVa Network - RADIUS Servers)

Slide 7: Authentication Transition
 The combination of LEAP and MAC registration was OK for a couple of years
 However, LEAP never became mainstream and generally required a Cisco wireless card and a software installation
   - We had anticipated native LEAP support in Windows XP
 The final straw was a reported security vulnerability in the LEAP protocol (LEAP's password-hash-based exchange is exposed to an offline dictionary attack; see the comparison table on the next slide)

Slide 8: Wireless LAN Access Control
Comparison of EAP methods (source: wi-fiplanet.com):

| Property                  | EAP-MD5                                                             | LEAP                                  | EAP-TLS          | EAP-TTLS                         | PEAP                                          |
|---------------------------|---------------------------------------------------------------------|---------------------------------------|------------------|----------------------------------|-----------------------------------------------|
| Server authentication     | None                                                                | Password hash                         | Public key       | Public key                       | Public key                                    |
| Supplicant authentication | Password hash                                                       | Password hash                         | Public key       | CHAP, PAP, MS-CHAP(v2), EAP      | Any EAP (e.g. EAP-MS-CHAPv2) or public key    |
| Dynamic key delivery      | No                                                                  | Yes                                   | Yes              | Yes                              | Yes                                           |
| Security risks            | Identity exposed, dictionary attack, MitM attack, session hijacking | Identity exposed, dictionary attack   | Identity exposed | MitM attack                      | MitM attack                                   |

Two caveats on the risk row: "identity exposed" for EAP-TLS means the client certificate (and so the user's name) travels in the clear during the TLS handshake; the MitM risk for the tunnelled methods (EAP-TTLS, PEAP) arises when the supplicant is configured not to validate the server certificate, which is why the EAP-TLS design on slide 10 has the user verify the RADIUS server first.

Slide 9: Background: UVa Standard Assurance CA (PKI-Lite)
 On-line web CA
 Uses existing account information to validate the user's request
   - Computing ID, password, and some database info are checked
 Certificate and chain automatically installed, or delivered as a PKCS#12 file
 ~20k active certificates now

Slide 10: UVa EAP-TLS Wireless Authentication
 The user verifies the RADIUS server's identity using PKI
 The RADIUS server verifies the user's identity using PKI
 An LDAP-based authorization step happens
 Association is allowed and dynamic session crypto keys are exchanged
(Diagram: User - Access Point - RADIUS Server - LDAP AuthZ)

Slide 11: OS Support for EAP-TLS
 Operating system support
   - Windows XP, Windows 2000 SP4*
   - Mac OS X (10.3.3)
   - 3rd-party software available
 Very easy to use
   - No account management, passwords, etc.
   - Log in to your workstation and secure wireless just works
   - The AuthZ step will make it easier to keep hacked machines off the WLAN

Slide 12: EAP-TLS and the Microsoft Clients
 Microsoft field in the certificate used for AuthN
   - Subject Alt Name / Other Name / Principal Name (the UPN)
   - OID 1.3.6.1.4.1.311.20.2.3
   - If not present, the CN is used
 Uniqueness issues for many CAs
   - Easy to add to the certificate profile
 Impact on the PKI-Lite certificate profiles
   - Agreed to add this extension to the end-entity (EE) certificate profile
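The identity rule on slides 10 and 12 (take the Microsoft UPN from the subjectAltName extension, fall back to the subject CN when it is absent) is easy to get wrong in a certificate profile, because the UPN is not a plain string but an otherName carrying OID 1.3.6.1.4.1.311.20.2.3 with an explicitly tagged UTF8String. The following is an added example, not code from the presentation or from UVa; it uses only the Python standard library, builds a constructed subjectAltName value with a hand-written DER encoder, and parses it back. The UPN OID is the one quoted on the slide; the names, the sample SAN contents and the function names are assumptions made for the example.

```python
"""Added example (not code from the UVa presentation): build and parse the
Microsoft User Principal Name (UPN) otherName that Windows EAP-TLS clients
look for in subjectAltName, and apply the slide's rule: UPN if present,
otherwise the subject CN.  Standard library only; the DER helpers cover just
what the GeneralNames structure needs.  All inputs below are constructed."""

# OID quoted on the slide (Microsoft calls it szOID_NT_PRINCIPAL_NAME).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# --- minimal DER helpers -------------------------------------------------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a single-octet tag plus DER length."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share a byte
    out = bytearray()
    for v in values:
        chunks = [v & 0x7F]                           # base-128, high bit = more
        v >>= 7
        while v:
            chunks.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunks))
    return der_tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    values, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(v)
            v = 0
    first = values[0]
    return ".".join(str(x) for x in [first // 40, first % 40] + values[1:])

def _read_tlv(buf: bytes, pos: int):
    """Read one TLV starting at pos; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- subjectAltName GeneralNames -----------------------------------------

def encode_dns_name(name: str) -> bytes:
    """GeneralName dNSName [2] IMPLICIT IA5String."""
    return der_tlv(0x82, name.encode("ascii"))

def encode_upn_general_name(upn: str) -> bytes:
    """GeneralName otherName [0] { type-id UPN_OID, value [0] EXPLICIT UTF8String }."""
    value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))
    return der_tlv(0xA0, encode_oid(UPN_OID) + value)

def encode_san(general_names) -> bytes:
    """SubjectAltName ::= GeneralNames ::= SEQUENCE OF GeneralName."""
    return der_tlv(0x30, b"".join(general_names))

def upn_from_san(san_der: bytes):
    """Return the UPN from a DER subjectAltName value, or None if absent."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, name, pos = _read_tlv(body, pos)
        if tag != 0xA0:                     # dNSName, rfc822Name, ...: skip
            continue
        oid_tag, oid_body, after_oid = _read_tlv(name, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue                        # some other otherName type
        val_tag, val_body, _ = _read_tlv(name, after_oid)
        if val_tag != 0xA0 or not val_body:
            continue                        # malformed value: ignore, don't trust
        str_tag, str_body, _ = _read_tlv(val_body, 0)
        if str_tag != 0x0C:
            continue
        return str_body.decode("utf-8")
    return None

def eap_identity(subject_cn: str, san_der: bytes = b"") -> str:
    """Identity a Windows EAP-TLS client presents, per the slide's rule."""
    upn = upn_from_san(san_der) if san_der else None
    return upn if upn is not None else subject_cn

if __name__ == "__main__":
    # Constructed sample SAN: one dNSName plus the UPN otherName.
    san = encode_san([encode_dns_name("laptop.example.edu"),
                      encode_upn_general_name("mst3k@example.edu")])
    print(encode_oid(UPN_OID).hex())            # 060a2b060104018237140203
    print(eap_identity("Example User", san))    # mst3k@example.edu
    print(eap_identity("Example User"))         # Example User
```

When the profile is produced with OpenSSL rather than by hand, the same name is written in the request configuration as `subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:mst3k@example.edu`; the "uniqueness issues" on the slide come from the fact that the RADIUS side keys on this string, so the CA must guarantee one UPN per person.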

Slide 13: Summary: Supported wireless "accounts" at UVa
 EAP-TLS: our main wireless network
   - Leverages PKI for user authentication on Windows XP and Mac OS X 10.3
   - Dynamic session encryption keys
 MAC-address-restricted network
   - Provides access control and limited authentication
   - Especially useful for devices with limited functionality
   - Now integrated with our main NetReg MAC address registration system
 Guest MAC
   - Access control and identification of the UVa sponsor

Slide 14: UVa WLAN Authentication Transition
 Transitioned to the new authentication in summer 2004
   - Added an EAP-TLS VLAN, removed LEAP
 EAP-TLS is the authentication used on the broadcast SSID
   - Main EAP-TLS issues encountered:
     - Old drivers for users' wireless cards
     - A few users still had certificates without the Microsoft attribute
     - Macintosh a little harder since there is no Safari integration for certificate download and installation
 Retained a legacy MAC-registration-only VLAN
   - For special devices that don't support EAP-TLS
   - Non-broadcast SSID
 Transition completed by end of summer
   - Few hard problems encountered
 Will add an EAP-TLS VLAN for access to the UVa "More Secure" network once more AuthZ work is completed

Slide 15: Authentication on the UVa WLAN
(Figure)

Slide 16: Background: University of Virginia PKI
 Project goal: enable PKI support in a wide range of applications
 Deploy two campus CAs to support two types of PKI-enabled applications
   - Standard Assurance CA
     - For better security on common applications
     - Improve ease of use on some applications
     - Identity proofing marginally stronger than that used with simple passwords
   - High Assurance CA
     - For new applications requiring high security
     - Uses hardware tokens only: 2-factor authentication
     - Strong identity validation before a certificate is issued

Slide 17: UVaAnywhere VPN Service
 Our first PKI application
 Certificate AuthN
 Encrypted path to the UVa network edge
 On-campus IP address
 Cisco 3000 concentrators
 Adding LDAP AuthZ
 IPsec with the Cisco VPN client is the only supported mechanism
(Diagram: Internet connections - UVaAnywhere concentrators - UVaNet)

Slide 18: UVaAnywhere-Lite
 Just added a new SSL VPN service
   - For web applications only
   - Uses the existing Cisco 3000 concentrators
   - PKI for authentication
   - Uses LDAP for authorization
   - Web VPN provides a convenient pop-up box for navigation
     - Customized with library and department pages that point to their web resources

Slide 19: Remote Access to the More Secure Network
 Certificate AuthN and LDAP AuthZ
(Diagram: "Less Secure" Network (Level 1) and "More Secure" Network (Level 2) separated by a firewall; VPN, SMTP relay, LPR relay and LDAP AuthZ shown at the boundary)

Slide 20: VPN PKI 2-factor Authentication with LDAP Authorization
(Diagram: VPN concentrators, firewall, LDAP AuthZ servers, Oracle ERP servers S1, S2, S3 ... Sn, Hospital Net and Main Campus Network, with IN/OUT paths)

Slide 21: Oracle Special Services (ERP)
 2-factor certificate AuthN and LDAP AuthZ
(Diagram: Main UVa Network, VPN concentrators, firewalls, LDAP AuthZ servers, servers S1, S2, S3, S4 ... Sn; separate IN/OUT paths for a normal user and an OSS user)

Slide 22: Some References
 UVa Wireless LAN site: http://www.itc.virginia.edu/wireless/
 UVa PKI site: http://www.itc.virginia.edu/desktop/pki/
 UVa VPN sites: http://www.itc.virginia.edu/desktop/vpn and http://www.itc.virginia.edu/vpn/webvpn
 HEPKI-TAG PKI-Lite: http://middleware.internet2.edu/hepki-tag/
