Doc.: IEEE 802.11-01/252, Submission, May 2001, Bernard Aboba, Microsoft
Issues with the 802.1X State Machine (IEEE 802.1X Revision PAR), Bernard Aboba, Microsoft

Slide 1: Issues with the 802.1X State Machine, IEEE 802.1X Revision PAR, Bernard Aboba, Microsoft (excerpted from IEEE 802.11-01/252)

Slide 2: Goals
- To describe issues with the IEEE 802.1X state machine and roaming
- To recommend a solution

Slide 3: Roaming Requirements

Enterprise
- User is identified by user-name (NAI), not by IP or MAC address
- Security is not compromised
- Roaming needs to be available for all potential 802.1X authentication methods
- Desirable for the user to be able to keep the same IP address when roaming, if possible
- MUST be able to roam without reauthentication if desired
- MUST be able to roam without dropping traffic in case of reauthentication

Hot Spot
- User is identified by user-name (NAI), not by IP or MAC address
- Security is not compromised
- Roaming should be fast: going back to the home authentication server may cause substantial delays (~ seconds)

Slide 4: Context Transfer & IEEE 802.1X State Machine

Goal
- User context can move to the new AP without reauthentication, if desired
  - May wish to enable delayed reauthentication on roam

Process
- Client reassociates to the new AP
- New AP validates the reassociate and attempts context transfer from the old AP
  - Context transfer succeeds: AP sends EAP-Success to the client
  - Context transfer fails: reassociate is treated as an associate

Requirements
- Successful reassociate has the same result as if the new AP authenticated successfully to the backend authentication server
- Unsuccessful reassociate has the same result as an associate
- Authentication for reassociate, disassociate and beacon messages

Issues
- No 802.1X event or state corresponds to an associate or a successful reassociate!

Slide 5: Additions to Backend Authentication State Machine (Figure 8-12)

Goal
- Successful reassociate has the same result as if the new AP authenticated to the backend authentication server

Successful reassociate is equivalent to:
- Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE
- Transition to the SUCCESS state
  - Causes a canned Success message to be sent

Unsuccessful reassociate is equivalent to an associate:
- Set authAbort=TRUE
- Transition to the INITIALIZE state
  - Authentication starts again

Slide 6: Additions to Authenticator PAE State Machine (Figure 8-8)

Goal
- Successful reassociate has the same result as if the new AP authenticated to the backend authentication server

Unsuccessful reassociate is equivalent to:
- Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogoff=FALSE; reAuthCount=0
- Transition to the CONNECTING state

Successful reassociate with no-reauth == TRUE is equivalent to:
- Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE
- Transition to AUTHENTICATED

Successful reassociate with no-reauth == FALSE is equivalent to:
- Set portMode=Auto; currentId=2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE
- Transition to CONNECTING

Slide 7: Additions to Supplicant PAE State Machine (Figure 8-14)

Goal
- Successful reassociate has the same result as if the supplicant successfully authenticated to the authenticator

Sequence of events for a successful reassociate
- Supplicant in AUTHENTICATED state
- Reassociate request sent by Supplicant
- Success sent by Authenticator
- Supplicant remains in AUTHENTICATED state

Sequence of events for an unsuccessful reassociate
- Supplicant in AUTHENTICATED state
- Reassociate request sent by Supplicant
- EAP-Request/Identity sent by Authenticator
- On EAP-Request/Identity, supplicant transitions to ACQUIRED state
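The three slides above (5, 6 and 7) each list the variable settings and the target state that a reassociate should produce in one 802.1X state machine, and slide 4 says which of the two outcomes (context transfer succeeded or failed) selects them. The following model is an added example, not code from the submission or from any 802.1X implementation: it encodes exactly those settings as Python objects and runs the three machines together through one roam so that the combined result for each case (success with no reauthentication, success with delayed reauthentication, failure) can be read off. The outcome of the context transfer is modelled as a plain boolean, the `serverTimeout` value of 30 seconds is assumed, and the timers of the real state machines are not run.

```python
"""Model of the reassociate additions proposed in IEEE 802.11-01/252.

Added example (not code from the submission): only the variable settings and
state transitions the slides list for the Backend Authentication, Authenticator
PAE and Supplicant PAE state machines are modelled. The context-transfer result
is an assumed boolean and serverTimeout is an assumed 30 seconds.
"""
from dataclasses import dataclass, field


@dataclass
class BackendAuth:
    """Backend Authentication state machine (Figure 8-12), slide 5."""
    state: str = "IDLE"
    server_timeout: int = 30            # assumed value of serverTimeout (seconds)
    variables: dict = field(default_factory=dict)

    def reassociate(self, context_transfer_ok: bool) -> str:
        if context_transfer_ok:
            # Successful reassociate: as if the new AP authenticated to the backend.
            self.variables.update(aSuccess=True, aWhile=self.server_timeout,
                                  reqCount=0, currentId=0, rxResp=False,
                                  aFail=False, authTimeout=False, aReq=False)
            self.state = "SUCCESS"      # the canned Success message is sent here
        else:
            # Unsuccessful reassociate is treated as an associate: abort and restart.
            self.variables.update(authAbort=True)
            self.state = "INITIALIZE"
        return self.state


@dataclass
class AuthenticatorPAE:
    """Authenticator PAE state machine (Figure 8-8), slide 6."""
    state: str = "AUTHENTICATED"
    variables: dict = field(default_factory=dict)

    def reassociate(self, context_transfer_ok: bool, no_reauth: bool) -> str:
        if not context_transfer_ok:
            self.variables.update(portEnabled=True, currentId=1, portMode="Auto",
                                  portStatus="Unauthorized", eapLogoff=False,
                                  reAuthCount=0)
            self.state = "CONNECTING"
        elif no_reauth:
            # Successful reassociate, no-reauth == TRUE: settings as listed on slide 6.
            self.variables.update(portMode="Auto", eapLogoff=False, reAuthCount=1,
                                  currentId=1, portStatus="Unauthorized",
                                  eapStart=False, reAuthenticate=False,
                                  authSuccess=True, authFail=False,
                                  authTimeout=False, portEnabled=True)
            self.state = "AUTHENTICATED"
        else:
            # Successful reassociate, no-reauth == FALSE: port stays Authorized while
            # reAuthenticate=TRUE drives the delayed reauthentication from CONNECTING.
            self.variables.update(portMode="Auto", currentId=2, eapLogoff=False,
                                  reAuthCount=0, portStatus="Authorized",
                                  portEnabled=True, reAuthenticate=True)
            self.state = "CONNECTING"
        return self.state


@dataclass
class SupplicantPAE:
    """Supplicant PAE state machine (Figure 8-14), slide 7."""
    state: str = "AUTHENTICATED"

    def on_authenticator_message(self, msg: str) -> str:
        # After sending its reassociate request the supplicant stays AUTHENTICATED
        # on Success and moves to ACQUIRED on EAP-Request/Identity.
        if msg == "EAP-Success":
            self.state = "AUTHENTICATED"
        elif msg == "EAP-Request/Identity":
            self.state = "ACQUIRED"
        return self.state


def roam(context_transfer_ok: bool, no_reauth: bool) -> dict:
    """Run one reassociate through all three machines (slide 4 process)."""
    backend, authenticator, supplicant = BackendAuth(), AuthenticatorPAE(), SupplicantPAE()
    backend.reassociate(context_transfer_ok)
    authenticator.reassociate(context_transfer_ok, no_reauth)
    # Slide 4: success -> EAP-Success to the client; failure -> treated as an
    # associate, so authentication restarts with EAP-Request/Identity (slide 7).
    msg = "EAP-Success" if context_transfer_ok else "EAP-Request/Identity"
    supplicant.on_authenticator_message(msg)
    return {"message": msg, "backend": backend, "authenticator": authenticator,
            "supplicant": supplicant}


if __name__ == "__main__":
    for ok, no_reauth in ((True, True), (True, False), (False, False)):
        r = roam(ok, no_reauth)
        print(f"transfer_ok={ok} no_reauth={no_reauth}: {r['message']}, "
              f"backend={r['backend'].state}, auth={r['authenticator'].state}, "
              f"supp={r['supplicant'].state}")
```

Running the block prints one line per case; the point to notice is that the failed-transfer case lands every machine where a fresh associate would (INITIALIZE, CONNECTING, ACQUIRED), which is the "unsuccessful reassociate has the same result as an associate" requirement of slide 4 made concrete.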