
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.


Presentation transcript:

1 PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005

2 Next Phase Applications
Hardware Key Storage (USB Tokens)
Application and OS Sign-on with Tokens
Document Signatures
  – Acrobat, Office, XML (NIH)
Secure Mail and List Server
Wireless Network Authentication
Grids

3 Network Auth Technologies
Wireless and Wired 802.1x/EAP
  – TLS and TTLS or LEAP, PEAP, MS-CHAP etc.
  – WEP, WPA - 802.1x
VPN
  – IPSEC standard, using Cisco proprietary
  – Cisco password authentication is vulnerable, use client certificates to be secure

4 VPN Objectives
Secure network connections for distant offices and travellers
  – some from home use too, local IP address
Secure some legacy applications with closed subnets
  – server firewall rejects connections not from Private subnet addresses
  – Use PKI "High Assurance" certificate (token if possible) to authenticate
  – Assign IP address from protected space after Radius Authentication/Authorization

5 VPN Implementation
Cisco 3000 VPN concentrators (3000 can only look at OU in DN, so added OU=PrivateGroupVPN to certs)
ACL check implemented by Radius server
Members of ACL maintained with "AuthAdmin" application
Configure protected subnets on concentrator
Two redundant Radius servers for reliability
  – running FreeRadius 0.9.2

6 AuthAdmin
Each private VPN subnet intended for members of a specific group
Existing examples
  – Human Resources
  – Dean of Students Office
  – International Students Office
  – Student Health Services
Individual in the group authorized to maintain group membership, add and delete
Group membership stored in LDAP directory
  – Web interface for group admin
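The VPN authorization path of slides 4 to 6 (OU marker in the certificate DN, RADIUS ACL check against the AuthAdmin-maintained LDAP group, address assigned from the protected subnet) as an added Python model; this is example code, not Dartmouth's implementation. The group names, user IDs, subnets, and the assumptions that the CN carries the login ID and that the concentrator passes the VPN group name to RADIUS are constructed for the example.

```python
import ipaddress

def parse_dn(dn):
    """Split an RFC 4514 style DN into (ATTR, value) pairs, honouring backslash escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # escaped char is literal, e.g. "\," inside a value
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # an unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [(a.strip().upper(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in rdns)]

# Constructed stand-ins for the LDAP group membership that AuthAdmin maintains and
# for the protected subnets configured on the concentrator (not Dartmouth's data).
GROUP_ACL = {"Human Resources": {"jdoe", "asmith"},
             "Student Health Services": {"rlee"}}
PROTECTED_SUBNETS = {"Human Resources": ipaddress.ip_network("10.10.1.0/24"),
                     "Student Health Services": ipaddress.ip_network("10.10.2.0/24")}

def authorize_vpn(subject_dn, vpn_group, in_use=frozenset(),
                  acl=GROUP_ACL, subnets=PROTECTED_SUBNETS):
    """Return (accepted, reason, assigned_address) for one connection attempt.
    Assumptions: the concentrator tells RADIUS which group the session hit
    (vpn_group) and the CN carries the user's login ID."""
    attrs = parse_dn(subject_dn)
    ous = [v for a, v in attrs if a == "OU"]
    user = next((v for a, v in attrs if a == "CN"), None)
    # Step 1 (concentrator): the 3000 can only match on OU, so the marker OU is what
    # steers the session into the private VPN group at all.
    if "PrivateGroupVPN" not in ous:
        return (False, "certificate lacks OU=PrivateGroupVPN", None)
    # Step 2 (RADIUS ACL): the OU is only a selector; authorization is the group
    # membership check, so a cert with the OU but no membership is still rejected.
    if user is None or user not in acl.get(vpn_group, set()):
        return (False, f"{user!r} is not a member of {vpn_group!r}", None)
    # Step 3: assign an unused address from the group's protected subnet, which is
    # the only source range the legacy servers' firewalls accept.
    for host in subnets[vpn_group].hosts():
        if str(host) not in in_use:
            return (True, "authorized", str(host))
    return (False, f"protected pool for {vpn_group!r} is exhausted", None)
```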

7 AuthAdmin UI (screen shot)

8 Network Authentication Objectives
Implement additional protection for campus network services
Limit outside use of network
Protect campus users from malicious behavior of others
Eliminate possible eavesdropping

9 Network Authentication Implementation
Deploy 802.1x/EAP-TLS on APs and switches
Traffic is encrypted between user and AP/switch
Clients are authenticated with PKI certificates
  – in our case locally issued
No Passwords are exchanged (no credentials to steal)

10 EAP-TLS Implementation
Configure Radius
  – AP clients, users, EAP-TLS module
  – Certificate for Radius server
  – Provide Root certificates of trusted CAs to EAP-TLS module
Dartmouth self-signed certificates automatically accepted
Tested APs from Cisco and Aruba

11 Client Software
Supplicants built into Win 2000 SP4, XP SP1-2, MacOS 10.3+
  – other supplicants available for these platforms
Supplicants available for Linux, Win98 and MacOS 9 (some from vendors)

12 Issues
Windows:
  – no password on Keys
  – no luck with tokens yet
  – set advanced options for server certificate validation
  – Certificates with UID in DN fail
Win XP SP1 had some issues with SSID and cert selection, improved in SP2
Mac KeyChain: early versions confused by more than one key with same "name"

13 Greenpass Objectives
System developed to support Guest Authorization in an 802.1x EAP-TLS environment
  – Also useful for insiders that forgot their token
User only needs 802.1x capable machine and web browser, no additional software
Guest Introduces Public Key to Greenpass Authorization System
Host signs authorization for Guest Access using SPKI certificate delegation features
Guest then has access to controlled internal network until time limit expires

14 Greenpass Implementation
Use Router, AP and switch capable of VLANs to create limited use network
Recently implemented automatic VLAN switching by Radius
Modifications to FreeRadius needed
Greenpass servers run on Linux
Delegation tool is written in Java
Available as Open Source
  – www.dartmouth.edu/~pkilab/greenpass

15 Guest Unauthorized

16 Guest Introduction

17 Guest Fingerprint

18 Authorized Delegator

19 Select Guest

20 Guest Lookup

21 Delegation Tool

22 Delegation Complete

23 Guest Authorized

24 Authorized User
