Introducing 802.1x: Implement Wireless Scalability
Introducing 802.1x
The Need for WLAN Security
• Encryption:
– Temporal Key Integrity Protocol and Message Integrity Check
– Wi-Fi Protected Access (WPA)—TKIP encryption
– WPA2—Advanced Encryption Standard (AES)
• Authentication:
– 802.1x and Extensible Authentication Protocol (EAP) protocols
– User, token, machine credentials
– Dynamic encryption key generation
– IEEE 802.11i
Encryption—TKIP and MIC
• Specified in 802.11i
• 128-bit block cipher—cryptographically more robust than RC4
• Part of WPA2
• Requires new radio cards on clients and access points because more CPU power is required
802.1x Overview
802.1x Authentication Overview
• Client support:
– Windows 98-XP, Windows CE, Macintosh OS 9.X or 10.X, and Linux Kernel 2.2 or 2.4
– Cisco Compatible Extensions Clients (CCXv1)
• RADIUS server:
– Cisco Secure ACS and Cisco Access Registrar
– Meetinghouse Aegis
– Interlink Merit
• Microsoft domain or Active Directory (optional) for back-end authentication (must be a Microsoft-format database)
• Device support:
– Cisco autonomous access points and bridges
– Cisco lightweight access points and WLAN controllers
– Cisco Unified Wireless IP Phone 7920 (VoIP) handset
Cisco LEAP Authentication
EAP-FAST
EAP-FAST: Flexible Authentication via Secure Tunneling
• Client support:
– Windows 2000, XP, and Windows CE (natively supported)
– Non-Windows platforms: Third-party supplicants (Meetinghouse)
– User certificate required for each client
• Infrastructure requirements:
– EAP-TLS supported RADIUS server
• Cisco Secure ACS, Cisco Access Registrar, Microsoft IAS, Aegis, Interlink
– RADIUS server requires a server certificate
– Certificate authority server (PKI)
• Certificate management:
– Both client and RADIUS server certificates to be managed
EAP-TLS Authentication
EAP-PEAP
• 802.11i:
– Ratified in June 2004
– Standardizes:
• 802.1x for authentication
• AES encryption—Facilitates U.S. government FIPS 140-2 compliance
• Key management
• WPA2:
– Supplement to WPA “version 1”—Wi-Fi Alliance interoperable implementation of 802.11i
– Provides for AES encryption to be used
– Proactive Key Caching
– Third-party testing and certification for WLAN device compatibility
Wireless Intrusion Detection Systems
WPA and WPA2 Modes
• Enterprise mode (business, education, government):
– WPA: Authentication IEEE 802.1x/EAP; Encryption TKIP/MIC
– WPA2: Authentication IEEE 802.1x/EAP; Encryption AES-CCMP
• Personal mode (SOHO, home/personal):
– WPA: Authentication PSK; Encryption TKIP/MIC
– WPA2: Authentication PSK; Encryption AES-CCMP
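As an added example, not part of the course slides, the two WPA2 modes from the table expressed as hostapd access-point configuration fragments (Enterprise: 802.1x/EAP to a RADIUS server with AES-CCMP; Personal: PSK with AES-CCMP), with the legacy WPA/TKIP settings shown for contrast. File names, interface names, SSIDs, the RADIUS address and the secrets are constructed placeholders.

```ini
# --- hostapd-enterprise.conf (constructed example): WPA2-Enterprise ---
# Authentication: IEEE 802.1x/EAP via an external RADIUS server
# Encryption: AES-CCMP
interface=wlan0
ssid=corp-wlan-example
# wpa=2 selects WPA2 (RSN) only; wpa=1 would be legacy WPA, wpa=3 allows both
wpa=2
# WPA-EAP: per-user or machine credentials, dynamic keys derived after EAP success
wpa_key_mgmt=WPA-EAP
# Pairwise cipher for WPA2 stations: AES-CCMP, no TKIP fallback
rsn_pairwise=CCMP
# Run the 802.1x authenticator on the access point
ieee8021x=1
# Do not terminate EAP locally; relay it to the RADIUS server
eap_server=0
# Placeholder RADIUS server (e.g. Cisco Secure ACS or Microsoft IAS in the slides)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET

# --- hostapd-personal.conf (constructed example): WPA2-Personal ---
# Authentication: PSK (one passphrase shared by all stations, no RADIUS server)
# Encryption: AES-CCMP
interface=wlan0
ssid=home-wlan-example
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-PASSPHRASE

# --- Legacy WPA-Personal settings for comparison (same PSK model, TKIP/MIC) ---
# wpa=1
# wpa_key_mgmt=WPA-PSK
# wpa_pairwise=TKIP
```

hostapd reads comments only on their own lines, so the annotations above are kept separate from the key=value entries.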
WPA2 Issues