Western Data Com
■ * bundled as part of Windows
Six-Steps for Wireless Security
■ Enable 128-bit session encryption
■ Configure RADIUS server authentication
■ Force 30-minute periodic authentication for all users
■ Require use of VPN to access critical resources
■ Restrict LAN access rights by role
■ Implement two-factor authentication scheme using access tokens
* Source: Computerworld
Equipment Manufacturer’s Fault
■ All 802.11b equipment shipped with WEP security options “turned off” for ease of installation
■ 80 bit key was used for ease of export
■ Hardware assist required for ease of encryption but adds cost and design time
■ Adding AES and 128-bit keys to WEP helps
■ Add IPSec hardware to 802.11 products
General Description
IEEE 802.1X Terminology
[Figure: IEEE 802.1X terminology. A Semi-Public Network and an Enterprise Network are separated by the Enterprise Edge. The Supplicant (PAE) talks EAP Over LAN (EAPOL) or EAP Over Wireless (EAPOW) to the Authenticator (PAE; e.g. Switch, Access Point), which talks EAP Over RADIUS to the Authentication Server (RADIUS). The Authenticator exposes an Uncontrolled Port and a Controlled Port.]
IEEE 802.1X Over 802.11
[Figure: message sequence between a Laptop Computer, a Wireless Access Point and a Radius Server. Laptop to Access Point link: 802.11 / EAPOW. Access Point to Radius Server link: Ethernet / Radius.]
■ 802.11 Associate (Association)
■ Access Blocked
■ EAPOL-Start
■ EAP-Request/Identity
■ EAP-Response/Identity, forwarded by the Access Point as Radius-Access-Request
■ Radius-Access-Challenge, forwarded to the laptop as EAP-Request
■ Radius-Access-Accept, forwarded to the laptop as EAP-Success
■ EAPOW-Key (WEP)
■ Access Allowed
Introduction to MS-CHAP
■ Challenge Handshake Authentication Protocol
■ Authentication depends on a secret known only to authenticator and client
■ Client responds with a calculated value using a “one way hash” function
■ This value is derived from a known secrets list
[Figure: flow from Start, to Challenge Message, to Authentication Granted/Denied.]
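The 802.1X-over-802.11 exchange and the MS-CHAP challenge/response described above are modelled together in this added Python example, which is not code from the slides. The class names, the demo user database and the secrets are assumptions; HMAC-SHA256 stands in for the real MS-CHAP one-way function, and the example includes the EAP-Response / second Radius-Access-Request step that carries the client's answer, which the slide's sequence leaves implicit.

```python
import hashlib
import hmac
import os

# Constructed demo user database on the RADIUS side; real servers keep this in a store.
USER_DB = {"alice": b"correct horse battery staple"}

def chap_response(secret, challenge):
    """One-way function of secret and challenge (HMAC-SHA256 as a stand-in for MS-CHAP)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class RadiusServer:
    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # identity -> challenge issued, awaiting the client's response

    def access_request(self, identity, response=None):
        """Identity-only request -> Access-Challenge; request with response -> Accept/Reject."""
        if response is None:
            self.pending[identity] = os.urandom(16)
            return "Radius-Access-Challenge", self.pending[identity]
        secret, challenge = self.user_db.get(identity), self.pending.pop(identity, None)
        if secret and challenge and hmac.compare_digest(chap_response(secret, challenge), response):
            return "Radius-Access-Accept", None
        return "Radius-Access-Reject", None

class Authenticator:
    """Access point: relays EAP between supplicant (EAPOW) and RADIUS; gates the controlled port."""
    def __init__(self, radius):
        self.radius = radius
        self.controlled_port_open = False  # only EAPOL passes the uncontrolled port until then
        self.trace = []

    def run_8021x(self, identity, supplicant_secret):
        t = self.trace
        t += ["802.11 Associate", "Access Blocked", "EAPOL-Start", "EAP-Request/Identity",
              "EAP-Response/Identity -> Radius-Access-Request"]
        msg, challenge = self.radius.access_request(identity)
        t.append(f"{msg} -> EAP-Request")
        response = chap_response(supplicant_secret, challenge)  # computed on the supplicant
        t.append("EAP-Response -> Radius-Access-Request")  # step the slide leaves implicit
        msg, _ = self.radius.access_request(identity, response)
        if msg == "Radius-Access-Accept":
            t += ["Radius-Access-Accept -> EAP-Success", "EAPOW-Key (WEP)", "Access Allowed"]
            self.controlled_port_open = True
        else:
            t.append(f"{msg} -> EAP-Failure")
        return self.controlled_port_open
```

A wrong secret or an unknown identity leaves the controlled port closed, so the laptop never gets past "Access Blocked".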