802.1X

Terry Simons

Formerly of The University of Utah

University of Utah Background

28,000+ student campus

EAP-TTLS

802.1X movement was “grass roots”

Proof of concept

Wireless Whitepaper

RADIUS “Mesh” (More of a star topology)

“Give to get” mentality

Initial Deployment on May 19, 2003

Campus Radiator Site License

Initial Campus Meetinghouse Site License

Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003

Now prefer SecureW2 TTLS WZC Plugin

Chris Hessing is lead developer of Open1x

802.1X Problem Areas

Certificate Validation

Windows Zero Config/GINA

The Supplicant Debacle

EAP Type Selection

Encryption

Certificate Validation

No real CRL Support

Deployment Difficulty

Mitigated in part by “smart installers”

Mac OS X is too “easy to use”

I am a Mac user. :-}

Man in the Middle Attacks

Public Certificate Authorities

Mac OS X becomes vulnerable

Windows Zero Config/GINA

Users expect it, especially in higher ed.

AEGIS and Funk take over WZC/GINA

Users complain loudly

Helpdesk gets swamped

GINA: “What did you do to my computer?!”

Not so bad with current Meetinghouse releases

Migration to SecureW2 fixed both issues.

The Supplicant Debacle

Vendors bundle OEM’d Supplicants

Which quite often do not work properly

IBM Thinkpad/Intel Centrino TTLS Problems

Usually based on Meetinghouse

Same crunchy WZC problems

Same bad aftertaste

Most setup programs are self-extractable

Use a zip utility to extract only the driver

EAP Type Selection

TLS, TTLS, or PEAP

Provisions for keying material

TLS if an existing PKI is in place

Arguably the “most secure” EAP type

TTLS for “strongly encrypted” backends

U of U uses Kerberos

PEAP for Active Directory shops

Encryption

CCMP is the “best” security currently

Doesn’t work with Mac OS X

TKIP is the next best thing.

Watch out for “mixed mode” problems

TKIP “Unicast” and WEP “Multicast” keys

Specifically a problem with Mac OS X

Apple is aware of the problem.

Dynamic WEP for “Legacy” devices

Or use multiple SSIDs and run parallel security models.

Ending Comments

It’s possible to allow multiple EAP types

Works well in Federated environments

Vendor skepticism is encouraged

Helpdesk Feedback Loop

Q&A

Resources

http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf

http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf

http://www.open1x.org/

http://www.open.com.au/radiator/

http://www.securew2.com/


	28,000+ student campus
	EAP-TTLS
	802.1X movement was “grass roots”
		Proof of concept
		Wireless Whitepaper
	RADIUS “Mesh” (More of a star topology)
		“Give to get” mentality
	Initial Deployment on May 19, 2003
	Campus Radiator Site License
	Initial Campus Meetinghouse Site License
		Mac OS X 10.2.x, Win98se/Me/2k/XP/PPC 2002/2003
	Now prefer SecureW2 TTLS WZC Plugin
	Chris Hessing is lead developer of Open1x


	Certificate Validation
	Windows Zero Config/GINA
	The Supplicant Debacle
	EAP Type Selection
	Encryption


	No real CRL Support
	Deployment Difficulty
		Mitigated in part by “smart installers”
	Mac OS X is too “easy to use”
		I am a Mac user. :-}
	Man in the Middle Attacks
	Public Certificate Authorities
		Mac OS X becomes vulnerable


Users expect it, especially in higher ed.
AEGIS and Funk take over WZC/GINA
	Users complain loudly
		Helpdesk gets swamped
	GINA: “What did you do to my computer?!”
		Not so bad with current Meetinghouse releases
Migration to SecureW2 fixed both issues.


Vendors bundle OEM’d Supplicants
	Which quite often do not work properly
		IBM Thinkpad/Intel Centrino TTLS Problems
	Usually based on Meetinghouse
	Same crunchy WZC problems
	Same bad aftertaste
Most setup programs are self-extractable
	Use a zip utility to extract only the driver


	TLS, TTLS, or PEAP
		Provisions for keying material
	TLS if an existing PKI is in place
		Arguably the “most secure” EAP type
	TTLS for “strongly encrypted” backends
		U of U uses Kerberos
	PEAP for Active Directory shops


CCMP is the “best” security currently
	Doesn’t work with Mac OS X
TKIP is the next best thing.
	Watch out for “mixed mode” problems
		TKIP “Unicast” and WEP “Multicast” keys
		Specifically a problem with Mac OS X
			Apple is aware of the problem.
Dynamic WEP for “Legacy” devices
Or use multiple SSIDs and run parallel security models.


	It’s possible to allow multiple EAP types
		Works well in Federated environments
	Vendor skepticism is encouraged
	Helpdesk Feedback Loop


	http://wireless.utah.edu/global/support/WirelessWhitepaper-v1.03.pdf
	http://wireless.utah.edu/global/support/radius_mesh/RADIUS_Mesh_Long.pdf
	http://www.open1x.org/
	http://www.open.com.au/radiator/
	http://www.securew2.com/