802.1X - PowerPoint PPT Presentation

Slides: 12
Provided by: trapezen

Transcript and Presenter's Notes

Title: 802.1X


1
802.1X
  • Terry Simons
  • Formerly of The University of Utah

2
University of Utah Background
  • 28,000 student campus
  • EAP-TTLS
  • 802.1X movement was grass roots
  • Proof of concept
  • Wireless Whitepaper
  • RADIUS Mesh (More of a star topology)
  • Give to get mentality
  • Initial Deployment on May 19, 2003
  • Campus Radiator Site License
  • Initial Campus Meetinghouse Site License
  • Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003
  • Now prefer SecureW2 TTLS WZC Plugin
  • Chris Hessing is lead developer of Open1x

3
802.1X Problem Areas
  • Certificate Validation
  • Windows Zero Config/GINA
  • The Supplicant Debacle
  • EAP Type Selection
  • Encryption

4
Certificate Validation
  • No real CRL Support
  • Deployment Difficulty
  • Mitigated in part by smart installers
  • Mac OS X is too easy to use
  • I am a Mac user.
  • Man in the Middle Attacks
  • Public Certificate Authorities
  • Mac OS X becomes vulnerable

5
Windows Zero Config/GINA
  • Users expect it, especially in higher ed.
  • AEGIS and Funk take over WZC/GINA
  • Users complain loudly
  • Helpdesk gets swamped
  • GINA: What did you do to my computer?!
  • Not so bad with current Meetinghouse releases
  • Migration to SecureW2 fixed both issues.

6
The Supplicant Debacle
  • Vendors bundle OEM'd Supplicants
  • Which quite often do not work properly
  • IBM Thinkpad/Intel Centrino TTLS Problems
  • Usually based on Meetinghouse
  • Same crunchy WZC problems
  • Same bad aftertaste
  • Most setup programs are self-extractable
  • Use a zip utility to extract only the driver

7
EAP Type Selection
  • TLS, TTLS, or PEAP
  • Provisions for keying material
  • TLS if an existing PKI is in place
  • Arguably the most secure EAP type
  • TTLS for strongly encrypted backends
  • U of U uses Kerberos
  • PEAP for Active Directory shops

8
Encryption
  • CCMP is the best security currently
  • Doesn't work with Mac OS X
  • TKIP is the next best thing.
  • Watch out for mixed mode problems
  • TKIP Unicast and WEP Multicast keys
  • Specifically a problem with Mac OS X
  • Apple is aware of the problem.
  • Dynamic WEP for Legacy devices
  • Or use multiple SSIDs and run parallel security models.
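
An added example, not part of the original slides: one way to spot the mixed mode described above (TKIP unicast with WEP multicast keys) is to parse the WPA or RSN information element an access point advertises and compare its group cipher with its pairwise ciphers. The function names and the sample elements are constructed for illustration.

```python
import struct

# Cipher suite types shared by WPA (OUI 00:50:F2) and RSN (OUI 00:0F:AC) elements.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"

def parse_security_ie(ie: bytes) -> dict:
    """Parse one WPA (ID 221) or RSN (ID 48) element into group/pairwise ciphers."""
    if len(ie) < 2 or len(ie) < 2 + ie[1]:
        raise ValueError("truncated element")
    eid, body = ie[0], ie[2:2 + ie[1]]
    if eid == 221 and body[:4] == WPA_OUI + b"\x01":
        oui, body = WPA_OUI, body[4:]      # skip vendor OUI + type byte
    elif eid == 48:
        oui = RSN_OUI
    else:
        raise ValueError("not a WPA or RSN element")
    if len(body) < 8:
        raise ValueError("element too short for version, group cipher and count")
    version, = struct.unpack_from("<H", body, 0)
    group = body[2:6]
    count, = struct.unpack_from("<H", body, 6)
    suites = [body[8 + 4 * i: 12 + 4 * i] for i in range(count)]
    if any(len(s) != 4 for s in suites):
        raise ValueError("pairwise list runs past the element")
    def name(s):
        return CIPHERS.get(s[3], f"unknown({s[3]})") if s[:3] == oui else "vendor"
    return {"version": version, "group": name(group), "pairwise": [name(s) for s in suites]}

def is_mixed_mode(info: dict) -> bool:
    """True when multicast traffic is WEP-keyed while unicast uses TKIP or CCMP."""
    return info["group"].startswith("WEP") and any(
        p in ("TKIP", "CCMP") for p in info["pairwise"])

# Constructed sample elements (not captured from a real network).
MIXED_WPA = bytes.fromhex("dd16" "0050f201" "0100" "0050f205"
                          "0100" "0050f202" "0100" "0050f201")
PURE_RSN = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                         "0100" "000fac01" "0000")

if __name__ == "__main__":
    for label, ie in (("mixed", MIXED_WPA), ("ccmp-only", PURE_RSN)):
        info = parse_security_ie(ie)
        print(label, info, "MIXED MODE" if is_mixed_mode(info) else "ok")
```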

9
Ending Comments
  • It's possible to allow multiple EAP types
  • Works well in Federated environments
  • Vendor skepticism is encouraged
  • Helpdesk Feedback Loop

10
Q&A

11
Resources
  • http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf
  • http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf
  • http://www.open1x.org/
  • http://www.open.com.au/radiator/
  • http://www.securew2.com/