Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.swan.ac.uk/lis. Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan.

Published byCaitlin Hicks Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.swan.ac.uk/lis. Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan."— Presentation transcript:

1 www.swan.ac.uk/lis

2 Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan Winter, RESTENA TNC 2015

3 www.swan.ac.uk/lis About the Authors Gareth Ayres (me) Wireless Network Officer, Swansea University PhD Student (part-time) Author of SU1X, eduroamCAT Android App Stefan Winter RESTENA SENSE R&D Lead

4 www.swan.ac.uk/lis Introduction – Key Terms I know I don’t need this slide here, but just in case… eduroam – (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. Wi-Fi – Wireless LAN based on any 802.11 standard Supplicant– Software on a device that authenticates to a 802.1x network EAP - Extensible Authentication Protocol – Framework for auth

5 www.swan.ac.uk/lis The Onboarding Problem 802.1X networks very successfull eduroam is a great example of this Requirements on connected devices: 1.Supplicant Configuration 2.Certificate(s) 3.Credentials (private key or user/pass)

6 www.swan.ac.uk/lis The Onboarding Problem If fully configured, then devices are secure. BUT can connect without a fully configured supplicant! 1.Supplicant Configuration –Server Name checks not mandatory 2.Certificate(s) –CA Cert not mandatory MITM attacks possible without these settings

7 www.swan.ac.uk/lis The Onboarding Problem Managed devices typically OK, as provisioned correctly. BYOD not so good: 1.Burden on users to fully configure supplicant 2.Complicated for users 3.Some devices don’t even make it possible via GUI

8 www.swan.ac.uk/lis The Onboarding Problem Supplicant configuration tools fixing this: 1.CAT (Configuration Assistant Tool) FREE 2.CloudPath XpressConnect $$$ 3.SecureW2 $$$ 4.Apple MobileConfig files FREE 5.SU1X Free

9 www.swan.ac.uk/lis eduroamCAT for Android eduroam CAT: Configuration Assistance Tool Users can download customised configuration tools Contains IdP’s setting, certificates etc Problem: Android Play Store Delivery model Custom apps can not run on Android by default Forced to use Play Store, but don’t want thousands of similar apps One eduroam CAT app needed, that can be customised for each IdP

10 www.swan.ac.uk/lis App Delivery Model Solution Solution: EAPConfig files Standard way of passing EAP configuration details around XML format can be detected by the app, which digests it. IETF Internet Draft, proposed by SENSE EAP-Config Contains: –IdP information –Authentication Methods (Certificates etc) –Helpdesk / Support Information

11 www.swan.ac.uk/lis Example EAPConfig 25... = bouncer.swan.ac.uk radauth.swan.ac.uk radauth2.swan.ac.uk

12 www.swan.ac.uk/lis Example EAPConfig anonymous@swansea.ac.uk 26

13 www.swan.ac.uk/lis Example EAPConfig Swansea University Eduroam @ Swansea -3.978525300000001 51.610126 You must agree to abide by the University Computer Regulations and… wirelessSupport@swansea.ac.uk http://swis.swansea.ac.uk 00441792295060

14 www.swan.ac.uk/lis

15

16 Configuration Discovery Problem https://www.flickr.com/photos/the-wanderers-eye/4494147652/in/photostream/https://www.flickr.com/photos/the-wanderers-eye/4494147652/in/photostream/ Creative Commons Licence 1.User needs internet access. 2.Need App for that 3.Need internet to get App 4.App needs EAPConfig 5.Need internet to get EAPConfig What comes first, the chicken (internet) or the egg (secure access)

17 www.swan.ac.uk/lis Solution: SCAD SCAD : Supplicant Configuration Automatic Discovery 1.Assuming user has the app installed: A.Make repositories like play accessible from setup networks? B.Assume limited use of 3G/4G acceptable to get App

18 www.swan.ac.uk/lis Solution: SCAD SCAD : Supplicant Configuration Automatic Discovery Three potential automatic discovery techniques: 1.DNS Lookup 2.Realm Lookup 3.Location Awareness

19 www.swan.ac.uk/lis SCAD: DNS Lookup DNS Lookup Method 1.Assumption: Connected to setup network of home site 2.Local Domain Name discoverable? (Android argh) 3.Prepend SCAD to DOMAIN: scad.swansea.ac.uk\scad.eap-config

20 www.swan.ac.uk/lis SCAD: Realm Lookup Ream Lookup Method: 1.Ask users to enter username (e.g user@swansea.ac.uk) 2.Take realm part 3.Prepend scad and perform lookup: scad.swansea.ac.uk/scad.eap-config

21 www.swan.ac.uk/lis SCAD: Location Awareness Location Awareness Method: 1.Most BYOD devices are location aware 2.Tablets / Phones (Android) know location 3.GeoIP a possibility too (HTML5) 4.Requires a known DB of EAPConfigs to search 5.cat.eduroam.org is a great example of this

22

23 www.swan.ac.uk/lis Android example with eduroamCAT Location Awareness discovery code started and in SVN But don’t want to implement too much until certain good idea? Maybe available as alpha for people to try soon? Using CAT API works well.

24

25 www.swan.ac.uk/lis SCAD Security Considerations Security Considerations: 1.Malicious fake EAPConfig discovery 1.Connect users to fake networks? 2.Should be spotted by checking EAPConfig before installing it 3.Signing EAPConfig files like MobileConfigs 4.No credentials in EAP-Config? 2.Accidental discovery of wrong EAPConfig 1.Branding can help users avoid this

26 www.swan.ac.uk/lis Future Work SCAD needed? Worth defining better? Other OS support for SCAD? Other apps? SU1X soon… Apple has MobileCOnfig which is good Because iOS does not allow WIFI API But SCAD maybe to discover MobileConfig?

27 www.swan.ac.uk/lis End Questions? Gareth Ayres g.j.ayres@swansea.ac.uk Stefan Winter stefan.winter@restena.lu

Download ppt "Www.swan.ac.uk/lis. Easy 802.1X Onboarding with EAPConfig files and Supplicant Configuration Automatic Discovery (SCAD) Gareth Ayres (Speaker) Stefan."

Similar presentations

RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Web Visualization Technology Horner APG Ver 1.0.

Web Visualization Technology Horner APG Ver 1.0.
Meraki Mobile Device Management

Meraki Mobile Device Management
Ellucian Mobile: Don’t text and drive, kids!

Ellucian Mobile: Don’t text and drive, kids!
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Swansea: When eduroam doesn't fit By Gareth Ayres Gregynog Colloquium Conf 2011.

Swansea: When eduroam doesn't fit By Gareth Ayres Gregynog Colloquium Conf 2011.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 MSE MSAP Functional Specifications Presenter Name: Patrick Nicholson.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 MSE MSAP Functional Specifications Presenter Name: Patrick Nicholson.
SSL From Your Smartphone Support for Android Smartphones www.sharetech.com.twwww.sharetech.com.tw / www.higuard.comwww.higuard.com.

SSL From Your Smartphone Support for Android Smartphones /
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -
Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.

Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.
CONNECTION SETTINGS FOR USE WITH THE MOTION COMPUTING MODEL-F5 TABLET COMPUTER AKA: SIMON October 8, 2011 (And other useful information.)

CONNECTION SETTINGS FOR USE WITH THE MOTION COMPUTING MODEL-F5 TABLET COMPUTER AKA: SIMON October 8, 2011 (And other useful information.)
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Presentation By Deepak Katta

Presentation By Deepak Katta
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Cosc 5/4730 Sign, convert, and install Android files on Blackberry Playbook.

Cosc 5/4730 Sign, convert, and install Android files on Blackberry Playbook.

Similar presentations

Ads by Google