Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht,

Published byPatrick Holden Modified over 10 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht,"— Presentation transcript:

1 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht, Interlink Networks

2 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 2 Houston, we have a problem IEEE 802.1X RADIUS Usage Guidelines –IEEE Std 802.1X-2001 enables authenticated access to IEEE 802 media, including Ethernet, Token Ring, and IEEE 802.11 wireless LANs. Although RADIUS support is optional within IEEE Std 802.1X-2001, it is expected that most IEEE Std 802.1X-2001 Authenticators will function as RADIUS clients. RFC 2865 Sec 3 –A RADIUS server MUST use the source IP address of the RADIUS UDP packet to decide which shared secret to use, so that RADIUS requests can be proxied.

3 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 3 Stated Simply When an AP that supports 802.1x authentication is connected to the net it must be configured with: –the IP address or DNS name of its RADIUS server. –It must also have a shared secret with the RADIUS Server which is typically hand configured. –Finally, the AP must be registered with the DNS server, or assigned a permanent IP address. –This name or address must also configured in the RADIUS Server.

4 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 4 What is wrong with this picture? Setting up the RADIUS Client shared secret –The secret (password shared between the client and the RADIUS server) SHOULD be at least as large and unguessable as a well-chosen password. It is preferred that the secret be at least 16 octets. This is to ensure a sufficiently large range for the secret to provide protection against exhaustive search attacks. The secret MUST NOT be empty (length 0) since this would allow packets to be trivially forged. This is done manually on the RADIUS Client and Server

5 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 5 More Wrongness The IP address of the AP MUST be fixed –No DHCP, or use MAC controlled DHCP Same IP address always assigned to a given MAC –Or APs DNS name available DYNDNS required? No mechanism to easily rekey MANY RADIUS Clients Only the single AP with built-in RADIUS will NOT be challenged

6 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 6 How to fix this Kickstart a Master Secret between the AP and RADIUS Server using a guarded (e.g. SKIP) Diffie-Hellman exchange. RFC 2786 is the model –Diffie-Hellman USM Key -- SNMPv3 Key ignition –Secret is bound to APs name, i.e. BSSID AP Boot Registration –Master Secret used to establish a Boot secret bound to the APs IP address This is the RADIUS Client Shared Secret This can also plumb the 802.11f RADIUS keys

7 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 7 How to fix this Master Secret Change using Diffie-Hellman for Perfect Forward Secrecy –See RFC 2786 -- Key Changes –A Key Change forces a Boot Registration

8 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 8 Benefits No User configuration on APs –No user interface on APs Manageability of RADIUS Client secrets Support for DHCP address assignment for APs

9 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 9 General Approach Proposal Kickstart design using Diffie-Hellman over SNMPv2 –Controlled by MIBs (e.g. only possible in factory state) AP Boot Registration using keywrapping over RADIUS without RADIUS authentication Secret Change using Diffie-Hellman with old Diffie-Hellman (like SKIP PFS) over SNMPv2

10 doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 10 Where will work get done IETF –Individual(s) submission -- No RADIUS workgroup Looking for community of interest Referenced by 802.1x Annex D

Download ppt "Doc.: IEEE 802.11-02/516r0-I Submission September 2002 Robert Moskowitz, ICSALabsSlide 1 RADIUS Client Kickstart Robert Moskowitz, ICSALabs John Vollbrecht,"

Similar presentations

RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-98/178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE 802.11e Security IEEE 802.11 Task Group.

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Doc.:IEEE 802.11-01/636r0 Submission November 2001 Dmitri Varsanofiev Slide 1 A Simple Rekeying Proposal Dmitri Varsanofiev Resonext Communications San.

Doc.:IEEE /636r0 Submission November 2001 Dmitri Varsanofiev Slide 1 A Simple Rekeying Proposal Dmitri Varsanofiev Resonext Communications San.
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Submission Page 1 August 2002 doc.: IEEE 802.11-02/503r0 Daryl Kaiser, Cisco Systems Radio Measurement: A Candidate Approach Daryl Kaiser (Cisco Systems)

Submission Page 1 August 2002 doc.: IEEE /503r0 Daryl Kaiser, Cisco Systems Radio Measurement: A Candidate Approach Daryl Kaiser (Cisco Systems)
1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.

1 Needham-Schroeder Key Descriptor 11/12/2002 Needham-Schroeder Key Descriptor Robert G. Moskowitz ICSAlabs IEEE 802 Plenary Meeting Kauai, Nov 12, 2002.
Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22.

Submission doc.: IEEE /1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date:
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Doc.: IEEE 802.15-10-0412-06-wng0 Submission June 2010 Robert Moskowitz (ICSAlabs/VzB)Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal.

Doc.: IEEE wng0 Submission June 2010 Robert Moskowitz (ICSAlabs/VzB)Slide 1 Project: IEEE P Working Group for Wireless Personal.
Submission doc.: IEEE 802.11-12/0789r3 NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,

Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE 802.11-14/0093r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0093r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-10/1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.

Doc.: IEEE /1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.
Submission doc.: IEEE 802.11-11/1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: 2011-08-16 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE /1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: Authors: NameAffiliationsAddressPhone .
Submission doc.: IEEE 802.11-11/1124r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Example of IP address assignment using Generic Upper.

Submission doc.: IEEE /1124r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Example of IP address assignment using Generic Upper.
Doc.: IEEE 802.11-11/0756r0 Submission May 2011 Robert Moskowitz, VerizonSlide 1 IP Address Assignment in FIA Date: 2011-05-10 Authors: NameCompanyAddressPhoneemail.

Doc.: IEEE /0756r0 Submission May 2011 Robert Moskowitz, VerizonSlide 1 IP Address Assignment in FIA Date: Authors: NameCompanyAddressPhone .
Doc.: IEEE 802.11-02/243r0 Submission March 2002 James Kempf, DoCoMo LabsSlide 1 802.11 and IP James Kempf Seamoby WG Co-chair DoCoMo Labs USA

Doc.: IEEE /243r0 Submission March 2002 James Kempf, DoCoMo LabsSlide and IP James Kempf Seamoby WG Co-chair DoCoMo Labs USA
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)

Similar presentations

Ads by Google