Www.swan.ac.uk/lis. Wireless Authentication & 802.1X By Gareth Ayres.

Transcript of a 21-slide deck.

Page 2: Wireless Authentication & 802.1X

By Gareth Ayres

www.swan.ac.uk/lis

Page 3: Agenda

1.0 Swansea's Current Wireless System

2.0 Requirements of new 802.1X System

3.0 Overview of new 802.1X Technologies

4.0 Design of New 802.1X Wireless System

5.0 802.1X Downfalls (so far)

6.0 Future Plans

Page 4: 1.0 The Current Wireless System

• Home-made wireless solution comprising:

– 700 Cisco Aironet APs

– 12 Cisco WDS & 1 WLSE

– 10 RoamNodes

– 1 DNAC (Dirty Network Access Controller)

– RADIUS & IAS

Page 5: 1.0 The Current Wireless System (diagram)

Diagram of the current system (labels only): wireless network serving Halls, Student Village and Campus; RoamNode servers; DNAC; proxy; RADIUS; campus firewall; to the Internet.

Page 6: 1.1 RoamNodes

• Developed by Bristol University

• 250 users per RoamNode

• Works by:

– first establishing a PPPoE connection

– then creating a PPTP VPN tunnel over it and getting an Internet IP address

Page 7: 1.2 RoamNode Tunnel

Diagram (layers as labelled on the slide):

PC --802.11G (192.168.x.x)--> Access Point --PPPoE (10.x.x.x)--> RoamNode --PPTP (137.44.190.X)--> To Internet

The RoamNode tunnel (PPTP) runs inside the PPPoE session; the 137.44.190.X address is the client's Internet-routable address.

Page 8: 1.3 Downfalls of Current System

• Bottleneck Issues

• Load Balancing

• Single point of failure

• Maximum Capacity

• Complicated Logging

• Complicated end user configuration

• Difficult User Management

Page 9: 1.4 Statistics from Current System

Charts (not reproduced): 24 hours (Wednesday 16th May); weekly (8th May – 16th).

Page 10: 1.4 Statistics from Current System (continued)

Chart (not reproduced): yearly (2006-2007).

Page 11: 2.0 Requirements of New System

• Remove any bottlenecks

• Remove Capacity limits

• Better Logging

• Better Administration facilities

• Easy End User Configuration

• Segregation of Users

• Improved Security

Page 12: 3.0 Overview of 802.1X Technologies

• 802.1X

• EAP

• EAPOW

• PEAP - Protected Extensible Authentication Protocol

– Cisco, Microsoft and RSA

– Credentials + server certificate

– TLS tunnel

– EAP-MSCHAPv2

– The client authenticates the server by its certificate; the TLS tunnel then carries EAP-MSCHAPv2, so the password exchange is only protected if the supplicant actually validates that certificate.
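The PEAP bullets above describe the server side of the exchange; what they require of the client is that the supplicant is configured to check the server certificate before the inner EAP-MSCHAPv2 runs. The following is an added example, not code from the slides or from the Swansea deployment: two wpa_supplicant-style network blocks constructed for illustration, one that validates the RADIUS server's certificate and one that does not, and a small checker that flags the weak one. The SSID comes from the slides; the CA file path, identity, password and domain name are assumptions.

```python
"""Added example (not the Swansea system's own code): lint a wpa_supplicant
PEAP network block for the settings that make the TLS tunnel worth having.
The CA path, identity, password and domain name are assumptions."""
import re

# Constructed: PEAP with no server-certificate validation at all.
WEAK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="199641@swan.ac.uk"
    password="correct-horse"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: the same block pinned to an assumed institutional CA file and
# an assumed server name suffix.
HARDENED = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="199641@swan.ac.uk"
    password="correct-horse"
    ca_cert="/etc/ssl/certs/swansea-radius-ca.pem"
    domain_suffix_match="swan.ac.uk"
    phase2="auth=MSCHAPV2"
}
"""

# Any of these wpa_supplicant options ties the accepted certificate to the
# RADIUS server's name rather than to every certificate the CA has issued.
SERVER_NAME_KEYS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_network(text):
    """Parse the first network={...} block into a dict, quotes removed."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no network block found")
    settings = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_peap(settings):
    """Return the problems found; an empty list means the block is acceptable."""
    problems = []
    if "WPA-EAP" not in settings.get("key_mgmt", "").split():
        problems.append("key_mgmt lacks WPA-EAP: not an 802.1X network block")
    if settings.get("eap") != "PEAP":
        problems.append("eap is not PEAP")
    if settings.get("phase2") != "auth=MSCHAPV2":
        problems.append("phase2 is not auth=MSCHAPV2")
    if "ca_cert" not in settings:
        problems.append("no ca_cert: any server certificate is accepted, so the "
                        "MSCHAPv2 exchange can be run against an impostor's server")
    if not any(k in settings for k in SERVER_NAME_KEYS):
        problems.append("no server name match: any certificate issued by the CA "
                        "is accepted, not just the RADIUS server's")
    return problems


def report(text):
    """Problems for a whole config string."""
    return check_peap(parse_network(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, report(cfg) or "OK")
```

The two findings on the weak block are the ones that matter for the "credentials + server cert" property: without `ca_cert` the supplicant builds a TLS tunnel to whoever answers, and without a name match any certificate chained to the CA is accepted. Note that the outer identity is left as the real username here, because the design on the later slides looks the username up in MySQL before proxying.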

Page 13: 3.0 Overview of 802.1X Technologies (continued)

• WPA - Wi-Fi Protected Access

– Replaces WEP

– WPA = RC4 stream cipher with TKIP

– WPA2 = 802.11i = AES-based CCMP

The use of all the above technologies and protocols together is widely referred to as an 802.1X-based wireless system.

Page 14: 4.0 Design of 802.1X Wireless System

New and old systems will run together.

Each system will run on a separate SSID:

• UNIROAM - SSID of the current RoamNode system; broadcast and open (no encryption).

• EDUROAM - SSID of the new 802.1X system; also broadcast, but encrypted with WPA (1 & 2). (JRS)

Page 15: 4.0 Design of 802.1X Wireless System (diagram)

Diagram of the combined system (labels only): wireless network serving Halls, Student Village and Campus; RoamNode servers; DNAC; proxy; RADIUS; RADIUS (802.1X); SUWNAC (MySQL); 802.1X firewall/gateway; campus firewall; to the Internet.

Legend: 802.1X traffic only / RoamNode traffic only / shared traffic.

Page 16: 4.1 802.1X Tunnel

Diagram (flow reconstructed from the slide labels):

Supplicant --802.11g Wi-Fi association to Eduroam--> AP

Supplicant <--EAPOW (802.1X)--> AP <--RADIUS--> RADIUS (AS)

RADIUS (AS) <--MySQL lookup, returns 'ProxyTo'--> SUWNAC (MySQL)

RADIUS (AS) --> IAS (Swansea) or IAS (Brynmill), each holding an X.509 certificate: check cert (TLS), authenticate user

End to end: PEAP (TLS tunnel carrying MSChapV2) between supplicant and IAS

Air link: 802.11i (WPA2 (AES/TKIP))

To Internet

Glossary:

802.11g – Wi-Fi association to Eduroam

EAP – Extensible Authentication Protocol

EAPOW – EAP over Wireless

PEAP – Protected EAP

TLS – Transport Layer Security

MSChapV2 – Microsoft Challenge Handshake version 2

IAS – Microsoft Internet Authentication Service

X.509 – ITU Public Key Certificate

Page 17: 4.2 802.1X VLANs

Diagram components (labels only): Supplicant, AP (Eduroam), 802.1X Firewall/Gateway, DNAC, Campus Firewall; the air link is WPA2.

802.1X VLANs:

– Banned (661)

– Virus (660)

– Admin (656)

– Guest (657)

– Staff (662, 663)

– Student (654, 664, 665)

– Unreg (659)

Page 18: 4.3 802.1X VLAN allocation

Message sequence between AP, RADIUS, MySQL (SUWNAC) and IAS for the example user 199641:

1. AP -> RADIUS: EAP request for username 199641

2. RADIUS -> MySQL: SQL lookup, Username = 199641; returns ProxyTo = Brynmill

3. RADIUS -> IAS (Brynmill): MSCHAPv2 authenticate 199641 on Active Directory

4. IAS -> RADIUS: user and password OK

5. RADIUS -> MySQL: SQL lookup VLAN for 199641; returns VLAN = 664

6. RADIUS -> MySQL: accounting info (199641, 664, date, ap)

7. RADIUS -> AP: user valid, VLAN = 664
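The tunnel on page 16 and the allocation sequence on page 18 are one decision made by the RADIUS server: look the user up, proxy the authentication to the right IAS, look the VLAN up, write accounting, and hand the VLAN to the AP. The following is an added example, not the Swansea system's code, that carries that sequence through as a single authorisation function. SQLite stands in for the SUWNAC MySQL database; the table and column names, the credential table standing in for IAS/Active Directory, the user rows and the AP names are constructed for the example, and the VLAN IDs are the ones listed on page 17. The reply attributes are the standard RADIUS tunnel attributes that APs use for dynamic VLAN assignment.

```python
"""Added example (not the Swansea system's own code): the page-18 VLAN
allocation sequence as a RADIUS authorisation function over an in-memory
SQLite stand-in for SUWNAC. Table names, columns, credentials and rows are
constructed for the example; VLAN IDs are from page 17."""
import sqlite3
from datetime import datetime, timezone

# Page-17 VLANs. Which of the several staff/student VLANs a user gets is
# assumed to be stored per user in the database.
VLAN_UNREG, VLAN_VIRUS, VLAN_BANNED = 659, 660, 661

# RADIUS attribute values for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802

# Constructed stand-in for the accounts held by the two IAS servers.
CREDENTIALS = {
    ("Brynmill", "199641"): "correct-horse",
    ("Swansea", "100042"): "battery-staple",
    ("Brynmill", "199999"): "quarantined1",
    ("Swansea", "198888"): "banned-user1",
    ("Swansea", "123456"): "new-user1",
}


def build_db():
    """Create the in-memory stand-in for SUWNAC with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, proxy_to TEXT NOT NULL, "
               "vlan INTEGER, status TEXT NOT NULL)")
    db.execute("CREATE TABLE accounting (username TEXT, vlan INTEGER, ts TEXT, ap TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("199641", "Brynmill", 664, "ok"),     # the student from the slide
        ("100042", "Swansea", 662, "ok"),      # a staff account
        ("199999", "Brynmill", 665, "virus"),  # machine flagged as infected
        ("198888", "Swansea", 664, "banned"),  # banned account
        ("123456", "Swansea", None, "ok"),     # valid login, not yet registered
    ])
    return db


def ias_authenticate(realm, username, password):
    """Stand-in for 'MSCHAPv2 authenticate ... on Active Directory' at the IAS
    named by ProxyTo. A real server proxies the EAP session over RADIUS; here
    the inner method is a dictionary lookup."""
    return CREDENTIALS.get((realm, username)) == password


def vlan_for(vlan, status):
    """Map the SUWNAC row to the VLAN the AP should place the user in."""
    if status == "banned":
        return VLAN_BANNED
    if status == "virus":
        return VLAN_VIRUS
    if vlan is None:
        return VLAN_UNREG
    return vlan


def authorize(db, username, password, ap, authenticate=ias_authenticate):
    """Run the page-18 sequence; return (code, attributes) as sent to the AP."""
    row = db.execute("SELECT proxy_to, vlan, status FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # No ProxyTo entry means no way to tell which IAS owns the account;
        # rejecting rather than guessing a realm is an assumed policy.
        return "Access-Reject", {}
    proxy_to, vlan, status = row
    if not authenticate(proxy_to, username, password):
        return "Access-Reject", {}
    vlan = vlan_for(vlan, status)
    db.execute("INSERT INTO accounting VALUES (?, ?, ?, ?)",
               (username, vlan, datetime.now(timezone.utc).isoformat(), ap))
    db.commit()
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def accounting_rows(db, username):
    """Accounting records written for a user (username, vlan, ap)."""
    return db.execute("SELECT username, vlan, ap FROM accounting WHERE username = ?",
                      (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(authorize(db, "199641", "correct-horse", "ap-library-01"))
    print(authorize(db, "199641", "wrong-password", "ap-library-01"))
    print(authorize(db, "198888", "banned-user1", "ap-halls-07"))
```

Banned and virus-flagged users are still accepted but placed on their own VLANs, which is what the page-17 plan implies; only a failed authentication or a username with no ProxyTo row gets an Access-Reject, and accounting is written only on the accept path.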

Page 19: 5.0 802.1X Downfalls

• Supplicant Support

• Hardware Support

• Reactive, not Preventative

Page 20: 6.0 Future Plans

• Develop a reactive traffic monitor

• NAC product integration (preventative)

• Possibly integrate into the campus-wide wired network

Page 21: Thank You

Gareth Ayres BSc (Hons) MIET

[email protected]