Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows.

Published byGervase Lloyd Modified over 8 years ago

Similar presentations

Presentation on theme: "802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows."— Presentation transcript:

1 802.1X in Windows Tom Rixom Alfa & Ariss

2 Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows (WZC) Configuration examples Questions?

3 802.1X/EAP Port Based Network Access Control Authenticated/Unauthenticated Port Supplicant/Authenticator/Authentication Server Uses EAP (Extensible Authentication Protocol) Allows authentication based on user credentials

4 EAP over LAN(EAPOL)

5 802.1X Client 802.1X Protocol Driver (EAPOL Driver) –Handles all EAPOL communication –Extracts EAP messages from EAPOL which can be read by applications –Inserts EAP messages into EAPOL that applications wish to send 802.1X Client Application –Uses Driver to send and receive EAP messages –Handles EAP messages accordingly

6 802.1X Client in Windows Implements 802.1X Driver (NDIS) and Application Uses Microsoft EAP API to handle the EAP communication Controls user interaction (Balloon) User/Computer context

7 EAP in Windows Microsoft EAP API An EAP Module is “Microsoft DLL” that implements Microsoft EAP API 802.1X Client calls modules using EAP API to handle authentication Other example is the Microsoft VPN Client

8 EAP Modules EAP-MD5 (Built-in) –Username/password EAP-TLS (Built-in) –Client/server certificates (PKI) EAP-MSCHAPV2 (Built-in) –Username/password (Windows credentials) Protected EAP (PEAP) (Built-in) –Server certificate –Tunneled EAP Authentication –EAP-MD5,EAP-MSCHAPV2, EAP-… EAP-TTLS –Server certificate –Tunneled Diameter Authentication –Diameter (PAP/CHAP/…), EAP

9 Tunneled Authentication (TTLS/PEAP) Uses TLS tunnel to protect data –The TLS tunnel is established using the Server certificate automatically authenticating the server and preventing man-in-the-middle attacks Allows use of dynamic session keys for line encryption

10 PEAP? PEAP –Version 1, 2 –Supported by Cisco, Apple OS X Panther –http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls- eap-07.txt Microsoft PEAP (Windows XP SP1) –Version 0 No headers –Implemented by Microsoft PEAP module –http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0- 00.txt

11 Certificates in Windows PEAP (Built-in) and SecureW2 use the windows certificate trust Certificate (Chain) of Authentication server must be installed on local computer Certificate stores: –User Each user has own user store in which the user can install certificates and build certificate trusts Certificates visible only to the store owner (User) –System Only Administrators and system applications can install certificates in system store Certificates can be used by all applications and users

12 WIFI Client in Windows Wireless Zero Config (WZC) Generic interface for configuring wireless connections Compatibility –Wireless Ethernet Driver must be compatible with WZC to enable 802.1X Windows XP –WPA Windows Mobile Pocket PC 2003 Windows 2000 requires 3 rd Party WIFI Client

13 EAPOL Key

14 802.1X WIFI Scenario The WIFI Client associates with the Access Point (SSID) The Access Point requires 802.1X and sets the Clients “port” to the “Unauthenticated” state. The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client The 802.1X Client picks up the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel) The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point The Access Point sets the Clients “port” to the “Authenticated state” allowing the client to communicate with the Intranet The Access Point then uses the MPPE keys to encode a WEP key in an EAPOL key message The Access Point sends the EAPOL key to the Client The Client decodes the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key WIFI Client takes over to setup rest of the connection (DHCP)

15 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1 Connection properties

16 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 1 Connection properties

17 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2 Wireless Networks

18 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 2 Wireless Networks

19 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3 Wireless Networks properties

20 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 3 Wireless Networks properties

21 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4 Wireless Networks properties (Authentication)

22 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 4 Wireless Networks properties (Authentication)

23 Configuration example #1 EAP-TTLS/SecureW2 (Windows XP, Wireless) Step 5 SecureW2 properties

24 Configuration example #2 PEAP (Wired, Windows 2K) Step 1 Start Wireless Configuration service

25 Configuration example #2 PEAP (Wired, Windows 2K) Step 1 Start Wireless Configuration service

26 Configuration example #2 PEAP (Wired, Windows 2K) Step 2 Connection properties

27 Configuration example #2 PEAP (Wired, Windows 2K) Step 2 Connection properties

28 Configuration example #2 PEAP (Wired, Windows 2K) Step 3 Authentication properties

29 Configuration example #2 PEAP (Wired, Windows 2K) Step 3 Authentication properties

30 Configuration example #2 PEAP (Wired, Windows 2K) Step 4 PEAP properties

31 Configuration example #2 PEAP (Wired, Windows 2K) Step 4 Configure 3 rd Party WIFI Client –Some client support dynamic WEP keys –Other clients not supporting dynamic WEP keys can be tricked: “Fake WEP Key”

32 Questions? …

Download ppt "802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows."

Similar presentations

Authentication.

Authentication.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Implementing Security for Wireless Networks Presenter Name Job Title Company.

Implementing Security for Wireless Networks Presenter Name Job Title Company.
Network Access and 802.1X Klaas Wierenga SURFnet

Network Access and 802.1X Klaas Wierenga SURFnet
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.

Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services.

Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Protected Extensible Authentication Protocol

Protected Extensible Authentication Protocol
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Similar presentations

Ads by Google