
IEEE 802.1X for IEEE 802.11
doc.: IEEE 802.11-00/275, Submission, September 2000
David Halasz, Stuart Norman, Glen Zorn, Cisco Systems, Inc.
Bernard Aboba, Tim Moore, Microsoft

Slide 2: Outline
Introduction, Goals
Description
– Authentication Transport
– Authentication Implementation
– Informational
– Proposed changes to 802.11
Summary

Slide 3: Introduction
Follow-up to document 00/035
IEEE 802.1X, Port-based Network Access Control
IETF RFC 2284, PPP Extensible Authentication Protocol (EAP)

Slide 4: Goals
Extensible system
Modular
Authentication done at a higher-layer protocol
Session encryption at the IEEE 802.11 layer
Promote multi-vendor interoperability
Minimize changes to IEEE 802.11

Slide 5: Goals cont.
System should apply to different PHYs.
– System should scale to Ethernet, dial-up, etc.
– System should fit into existing systems
Ability to add new authentication methods easily (without changing 802.11)
– e.g. the EAP authentication type can change with no change to station, driver or AP

Slide 6: Description
IEEE 802.1X mutually authenticatable supplicant resides above the IEEE 802.11 layer
IEEE 802.1X authenticator resides in the AP
– e.g. 802.1X authenticator and RADIUS client
Authentication server gets strongly authenticated to the client.
– e.g. RADIUS server

Slide 7: Description
Allow for different authentication types
– TLS, RFC 2716
– Kerberos, draft-aboba-pppext-eapgss-01.txt
– Others can be added

Slide 8: Description cont.
802.11 to 802.1X adaptation layer
[Figure: supplicants 1...N, each attached to its own virtual port on the authenticator]
One IEEE 802.11 physical port becomes 1 to N virtual IEEE 802.1X ports.

Slide 9: Description cont.
IEEE 802.1X terminology
– Controlled port
– Uncontrolled port
[Figure: pieces of the system: Supplicant, Authenticator, Authentication Server]

Slide 10: Description cont.
[Figure: Wireless laptop, Access Point, Authentication Server; 802.1X traffic between laptop and AP, authentication traffic between AP and server; normal data blocked]
Wireless client associates at the 802.11 layer. Data blocked by AP.
Access Point blocks everything except 802.1X to authentication traffic.
Authentication traffic is allowed to flow.
Access point encapsulates 802.1X traffic into authentication server traffic and vice versa.

Slide 11: Description cont.
[Figure: as on slide 10; 802.1X and authentication traffic flow, normal data still blocked]
Wireless client mutually authenticates with the Authentication Server.
Access Point blocks everything except 802.1X to authentication traffic.
In the authentication process the supplicant securely obtains a WEP key.
The authentication server also sends the WEP key in the success packet to the AP.
AP uses the WEP key to send the broadcast WEP key.

Slide 12: Description cont.
[Figure: as on slide 10; normal data now flows between laptop and Access Point]
Wireless client and AP use the WEP key. AP allows traffic to flow.
After successful EAP authentication, the Access Point allows all traffic to the Wireless laptop.
The Wireless laptop sets the WEP keys through the MLME interface (e.g. NIC driver).
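The following is an added example, not code from the submission or from any of the authors' products. It models the access point behaviour of slides 8 and 10-12 as a small state machine: every associated station gets its own virtual 802.1X port, the uncontrolled port relays only EAPOL frames to the authenticator (which would encapsulate them toward the authentication server), and the controlled port stays closed until the authentication server reports EAP success, after which data is forwarded but only when it is WEP-encrypted (slide 22). The frame fields, the station MACs and the "relayed/forwarded/dropped" labels are constructed for the example; the EAPOL EtherType 0x888E is the real IEEE 802.1X value.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X EAPOL (real EtherType)
ETHERTYPE_IPV4 = 0x0800    # stands in for "normal data" in this example


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # controlled port closed
    AUTHORIZED = "authorized"       # controlled port open


@dataclass
class VirtualPort:
    """One 802.1X virtual port per associated station (slide 8)."""
    station: str
    state: PortState = PortState.UNAUTHORIZED
    session_key: Optional[bytes] = None


@dataclass
class Frame:
    src: str          # station MAC (constructed sample values in run_demo)
    ethertype: int
    wep: bool         # was the 802.11 data frame WEP-encrypted?
    payload: bytes = b""


@dataclass
class AccessPoint:
    ports: Dict[str, VirtualPort] = field(default_factory=dict)
    to_auth_server: List[Frame] = field(default_factory=list)   # 802.1X to be encapsulated (e.g. RADIUS)
    forwarded: List[Frame] = field(default_factory=list)        # normal data allowed through
    dropped: List[Tuple[Frame, str]] = field(default_factory=list)

    def associate(self, station: str) -> None:
        # Open 802.11 authentication/association (slide 19): no key exists yet,
        # so the station's controlled port starts closed.
        self.ports[station] = VirtualPort(station)

    def receive(self, frame: Frame) -> str:
        port = self.ports.get(frame.src)
        if port is None:
            self.dropped.append((frame, "not associated"))
            return "dropped"
        if frame.ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: 802.1X always reaches the authenticator, which
            # relays it to the authentication server (slide 10).
            self.to_auth_server.append(frame)
            return "relayed"
        if port.state is not PortState.AUTHORIZED:
            self.dropped.append((frame, "controlled port closed"))
            return "dropped"
        if not frame.wep:
            # Once the dynamic key is set, non-802.1X data must use WEP (slide 22).
            self.dropped.append((frame, "unencrypted data on authorized port"))
            return "dropped"
        self.forwarded.append(frame)
        return "forwarded"

    def auth_server_result(self, station: str, success: bool,
                           session_key: Optional[bytes] = None) -> PortState:
        """EAP-Success/Failure relayed from the authentication server; on success
        the per-client key arrives with it (slides 11 and 15)."""
        port = self.ports[station]
        port.state = PortState.AUTHORIZED if success else PortState.UNAUTHORIZED
        port.session_key = session_key if success else None
        return port.state


def run_demo() -> List[str]:
    """Walk one station through slides 10-12 and return the AP's decisions."""
    ap = AccessPoint()
    sta = "00:11:22:33:44:55"   # constructed sample MAC
    ap.associate(sta)
    log = [
        ap.receive(Frame(sta, ETHERTYPE_IPV4, wep=False)),   # slide 10: data blocked
        ap.receive(Frame(sta, ETHERTYPE_EAPOL, wep=False)),  # slide 10: 802.1X relayed
    ]
    ap.auth_server_result(sta, True, session_key=b"\x00" * 13)   # slide 11: success + key
    log += [
        ap.receive(Frame(sta, ETHERTYPE_IPV4, wep=True)),    # slide 12: WEP data flows
        ap.receive(Frame(sta, ETHERTYPE_IPV4, wep=False)),   # plaintext data still blocked
        ap.receive(Frame("66:77:88:99:aa:bb", ETHERTYPE_IPV4, wep=True)),  # never associated
    ]
    return log


if __name__ == "__main__":
    print(run_demo())
```

The point a deployer should take from the model is that the AP makes no decision about the EAP method itself: it only distinguishes EAPOL from everything else and keys off the authentication server's verdict, which is exactly what lets new EAP types be added without touching the AP.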

Slide 13: Description cont.
[Figure: authentication points: Wireless laptop (supplicant) and RADIUS server]
New EAP authentication types get added in the Supplicant and the Authentication Server.
Station and AP are aware of the authentication transport, but they are unaware of the authentication type.
Therefore, new authentication types can be added without modifying the station or the AP.

Slide 14: Description cont.
New EAP authentication type benefits everybody
[Figure: Wireless laptop and Authentication Server communicating through Vendor A AP, Vendor B AP and Vendor C Switch]

Slide 15: Description cont.
Dynamic Key Distribution
Key gets delivered to the supplicant depending on the EAP authentication type (e.g. EAP-TLS)
Per-client session key gets delivered to the authenticator (e.g. via the MS-MPPE-Send-Key attribute, RFC 2548)

Slide 16: Description cont.
Broadcast Key Distribution
Broadcast key(s) get securely delivered to the station via IEEE 802.1X EAPOL-Key.
Dynamic session key is used to encrypt the broadcast key.
Authentication server timer gets configured to re-authenticate/re-key the client.
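As an added example (not part of the submission, and not the authors' code), here is the broadcast-key delivery of slides 15-16 worked through end to end: the authenticator wraps the broadcast WEP key for one station using the per-client session key it received from the authentication server, and the supplicant verifies the message before installing the key. The layout is modelled on the RC4 Key Descriptor of IEEE 802.1X-2001 as this example understands it (descriptor type 1, 16-byte IV, key encrypted with RC4 keyed by IV || session key with the first 256 keystream bytes discarded, HMAC-MD5 signature over the frame with the signature field zeroed, key-index bit 7 clear for a broadcast key); treat those field widths and constants as assumptions of the example rather than normative text. The example also uses one session key for both encryption and signing, which is a simplification. All keys and the IV are constructed test values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

KEY_DESCRIPTOR_RC4 = 1   # assumed Descriptor Type value for the RC4 Key Descriptor
SIG_LEN = 16             # HMAC-MD5 output length
IV_LEN = 16


def rc4_keystream(key: bytes, n: int, discard: int = 256) -> bytes:
    """Plain RC4 keystream of n bytes after discarding `discard` leading bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(discard + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[discard:])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_eapol_key(session_key: bytes, broadcast_key: bytes, key_index: int,
                    replay_counter: int, iv: Optional[bytes] = None) -> bytes:
    """Authenticator side: wrap the broadcast key under the station's session key."""
    iv = os.urandom(IV_LEN) if iv is None else iv    # must be fresh per message
    header = (struct.pack("!BH", KEY_DESCRIPTOR_RC4, len(broadcast_key))
              + struct.pack("!Q", replay_counter)
              + iv
              + bytes([key_index & 0x7F]))           # bit 7 clear: broadcast key (assumed)
    enc = _xor(broadcast_key, rc4_keystream(iv + session_key, len(broadcast_key)))
    # Signature covers the whole frame with the signature field zeroed.
    sig = hmac.new(session_key, header + bytes(SIG_LEN) + enc, hashlib.md5).digest()
    return header + sig + enc


def parse_eapol_key(session_key: bytes, msg: bytes, last_replay: int) -> Tuple[int, bytes, int]:
    """Supplicant side: check signature and replay counter, then unwrap the key."""
    dtype, klen = struct.unpack("!BH", msg[:3])
    if dtype != KEY_DESCRIPTOR_RC4:
        raise ValueError("unsupported key descriptor")
    (replay,) = struct.unpack("!Q", msg[3:11])
    iv = msg[11:27]
    key_index = msg[27] & 0x7F
    sig = msg[28:44]
    enc = msg[44:44 + klen]
    expected = hmac.new(session_key, msg[:28] + bytes(SIG_LEN) + msg[44:], hashlib.md5).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad key signature")      # wrong session key or modified frame
    if replay <= last_replay:
        raise ValueError("replayed EAPOL-Key")
    return key_index, _xor(enc, rc4_keystream(iv + session_key, klen)), replay


def _accepts(session_key: bytes, msg: bytes, last_replay: int) -> bool:
    try:
        parse_eapol_key(session_key, msg, last_replay)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    session_key = bytes(range(32))           # constructed per-client key (as from MS-MPPE-Send-Key)
    broadcast_key = bytes(range(100, 113))   # constructed 104-bit WEP broadcast key
    msg = build_eapol_key(session_key, broadcast_key, key_index=1,
                          replay_counter=7, iv=b"\x01" * IV_LEN)
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01                     # flip one bit of the wrapped key
    return {
        "roundtrip": parse_eapol_key(session_key, msg, last_replay=0) == (1, broadcast_key, 7),
        "tamper_rejected": not _accepts(session_key, bytes(tampered), 0),
        "replay_rejected": not _accepts(session_key, msg, 7),
        "wrong_key_rejected": not _accepts(b"\xff" * 32, msg, 0),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing: the broadcast key is only as confidential as the per-client session key (a station that never completed EAP has no key and cannot unwrap the message), and because RC4 is a stream cipher the authenticator must never reuse an IV under the same session key, otherwise two wrapped keys XOR to each other's plaintext. The replay counter is what lets a station ignore an old EAPOL-Key that is resent after a re-key.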

Slide 17: Implementation outline
Informational
– IEEE 802.11 layer
– Supplicant
– Supplicant to station MLME (NIC driver)
– Station
– AP authenticator
– Authentication server

Slide 18: Implementation outline cont.
IEEE 802.11 proposed changes
– Encrypted/Non-encrypted changes
– WEP data formats

Slide 19: Implementation: 802.11 layer
Initial client authentication
– Open authentication used, since the dynamically derived WEP key is not yet available
– After 802.1X authentication and setting the dynamic key, run with WEP
– AP needs to be able to support a mixture of WEP/non-802.1X and non-WEP/802.1X data
– Station needs to be able to run WEP/non-802.1X and non-WEP/802.1X

Slide 20: Implementation: Supplicant
Supplicant, which mutually authenticates with the authentication server, resides at a higher layer than IEEE 802.11
Create a modular interface to port easily
Station is unaware of the EAP authentication type

Slide 21: Implementation: Station MLME (e.g. NIC driver)
Indication of roam to a different AP to the supplicant
Ability of the supplicant to set the keys

Slide 22: Implementation: Station
MLME interface to set the keys
– e.g. NIC driver ability to set the keys
802.1X packets sent without WEP
Non-802.1X packets sent with WEP

Slide 23: Implementation: AP Authenticator
Communicates with the station via IEEE 802.1X
Communicates with the Authentication server
– e.g. RADIUS client in AP
Encapsulates EAP in Authentication server traffic
– e.g. RADIUS attributes
AP is unaware of the EAP authentication type

Slide 24: Implementation: Authentication Server
EAP support can be added to the Authentication server
– e.g. EAP and RADIUS defined by RFCs
EAP easily extensible to different EAP authentication types

Slide 25: Implementation: Current 802.11 Privacy capability
From 7.3.1.4 Capability Information:
APs set the Privacy subfield to 1 within transmitted Beacon, Probe Response, Association Response and Reassociation Response Management frames if WEP encryption is required for all Data Type frames exchanged within the BSS. If WEP encryption is not required, the Privacy subfield is set to 0.
STAs within an Independent BSS set the Privacy subfield to 1 in transmitted Beacon or Probe Response Management frames if WEP encryption is required for all Data Type frames exchanged within the IBSS. If WEP encryption is not required, the Privacy subfield is set to 0.

Slide 26: Implementation: Proposed change to 802.11 Privacy capability
Addition to 7.3.1.4 Capability Information:
STAs set the Privacy subfield to 1 in transmitted Probe Request and Association Request Management frames if WEP encryption is required for all Data Type frames exchanged. If WEP encryption is optional, the Privacy subfield is set to 0.
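To make the proposed capability change concrete, here is an added example (not from the submission) that encodes and decodes the Privacy subfield and then applies the slides' reading of it to a cell: the AP's beacon bit says whether WEP is required for all data frames (slide 25), a station's Association Request bit says whether it requires WEP for all its own data frames or treats WEP as optional because it will run 802.1X first and switch to WEP once keyed (slides 19 and 26), and a cell holding both kinds of station is the "mixed 802.1X cell" of slide 27 in which broadcast/multicast must run with WEP. The bit positions (B0 ESS, B1 IBSS, B4 Privacy, 16-bit little-endian field) are the 802.11 Capability Information layout; the cell_policy interpretation and the sample station set are the example's own assumptions.

```python
import struct
from typing import Dict, Iterable

CAP_ESS = 1 << 0       # B0
CAP_IBSS = 1 << 1      # B1
CAP_PRIVACY = 1 << 4   # B4: Privacy subfield


def encode_capability(privacy: bool, ibss: bool = False) -> bytes:
    """Build the 2-byte Capability Information field as it appears on the air."""
    flags = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    return struct.pack("<H", flags)


def decode_capability(raw: bytes) -> Dict[str, bool]:
    (flags,) = struct.unpack("<H", raw[:2])
    return {
        "ess": bool(flags & CAP_ESS),
        "ibss": bool(flags & CAP_IBSS),
        "privacy": bool(flags & CAP_PRIVACY),
    }


def cell_policy(beacon_cap: bytes, assoc_req_caps: Iterable[bytes]) -> Dict[str, object]:
    """Classify a BSS from the AP's beacon and the stations' Association Requests.

    Under the proposed text a station with Privacy=0 treats WEP as optional:
    in this proposal that is the 802.1X station that associates with open
    authentication and enables WEP only after the dynamic key is set.
    """
    ap_requires_wep = decode_capability(beacon_cap)["privacy"]
    sta_requires = [decode_capability(c)["privacy"] for c in assoc_req_caps]
    static_wep = sum(1 for r in sta_requires if r)
    dot1x = len(sta_requires) - static_wep
    mixed = static_wep > 0 and dot1x > 0
    return {
        "wep_required_for_all": ap_requires_wep,
        "static_wep_stations": static_wep,
        "dot1x_stations": dot1x,
        "mixed_cell": mixed,
        # Slide 27: broadcast/multicast in a mixed 802.1X cell runs with WEP;
        # an AP that requires WEP for everyone obviously does too.
        "broadcast_wep": ap_requires_wep or mixed,
    }


def demo() -> Dict[str, object]:
    # Constructed sample: AP does not require WEP for all (mixed cell allowed),
    # two legacy static-WEP stations and one 802.1X station associate.
    beacon = encode_capability(privacy=False)
    requests = [
        encode_capability(privacy=True),    # static WEP station
        encode_capability(privacy=True),    # static WEP station
        encode_capability(privacy=False),   # 802.1X station, WEP optional until keyed
    ]
    return cell_policy(beacon, requests)


if __name__ == "__main__":
    print(demo())
```

The decode path is the part a monitoring tool would reuse: pulling bit 4 out of beacons and association requests is enough to tell whether a cell is advertising mandatory WEP, and, once the proposed request-side bit exists, which stations are relying on 802.1X-derived keys rather than a static key.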

Slide 27: Implementation: 802.11 proposed change
Broadcast/Multicast data in a mixed 802.1X cell runs with WEP.
If broadcast is run without WEP, then the encrypted traffic is open to attack.

Slide 28: Implementation: 802.11 proposed change
WEP data formats should be expanded upon. Refer to the following paper:
– 00/037 Proposal for Enhanced Encryption, Duncan Kitchen, Jesse Walker
This should be followed up in the standard. This will allow for implementation in hardware.

Slide 29: Summary
This proposal will promote multi-vendor interoperability by making authentication an upper-layer function.
Authentication should reside at an upper layer where knowledge of the user is available.
EAP authentication types can be created with no changes to the IEEE 802.11 specification.
Changes to the IEEE 802.11 specification should be made to allow for mixed WEP cells and for more secure WEP data packets.

