Dot1X & EAP
By
Ali Shahbazi
IEEE 802.1x
• 802.1x works at Layer 2 to authenticate and authorize devices attached to a LAN port: a switch port, or on wireless the association between a station and an access point.
• It is the mechanism behind "closed" enterprise wireless networks (WPA/WPA2-Enterprise) and behind port-based access control on wired switches.
802.1x Authentication
• A node must be authenticated before it can gain access to other LAN resources.
• 802.1x assumes a point-to-point link between the device being authenticated and the port it attaches to.
• That is the same model PPP authentication was built for, which is why 802.1x reuses PPP's authentication protocol, EAP.
What is PPP and what does it have to do with wireless security?
• Most people are familiar with PPP, the Point-to-Point Protocol. It is most commonly used for dial-up Internet access.
• PPP is also used by some ISPs for DSL and cable modem authentication, in the form of PPPoE (PPP over Ethernet).
• By any measure, PPP is a very successful protocol. In practice it has gone far beyond its original use as a dial-up access method and is now used all over the Internet.
• Although PPP has many parts that make it useful in different networking environments, the part that matters here is the authentication piece.
• Before anything at Layer 3 (like IP) is established, PPP goes through an authentication phase at Layer 2. With dial-up Internet access, that is the username and password.
• PPP authentication identifies the user at the other end of the PPP link before giving them access.
• By authenticating at Layer 2 you are independent of the upper-layer protocol (such as IP), and you can make decisions about how to handle Layer 3 protocols based on the authentication result.
• For example, depending on what authentication information you provide, you might get a particular IP address.
PPP General Frame Format
802.1x Terminology
• 802.1x introduces some terminology that we need to get used to.
• The authenticator is the device (switch or access point) that controls the port. It authenticates whatever connects to it, but it does so by relaying to the authentication server.
• The authentication server (usually a RADIUS server) is what actually checks the credentials and makes the decision.
• The supplicant is the device being authenticated. See the following diagram if that is unclear.
802.1x Terminology
• The Port Access Entity (PAE) is the component that executes the algorithms and follows the protocol(s).
• Each of the three parties above has a PAE, but the PAE software does different things on each of them.
How did EAP get into the picture?
• As PPP use grew, people quickly found the limitations, both in flexibility and in level of security, of its authentication methods such as PAP (which sends the password in the clear).
• Most corporate networks want to do more than simple usernames and passwords for secure access.
• So a new authentication protocol, the Extensible Authentication Protocol (EAP), was designed.
What is EAP
• The Extensible Authentication Protocol is a universal authentication framework frequently used in wireless networks and point-to-point connections.
• It is defined by RFC 3748, which obsoleted the original RFC 2284.
EAP and WPA
• The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.
• EAP is a way for a supplicant to authenticate, usually against a back-end RADIUS server.
• EAP comes from the dial access world and PPP.
• RFC 3579 specifies how RADIUS carries EAP between the authenticator and the authentication server.
• EAP was first defined in IETF RFC 2284.
• The EAP-TLS variant was defined in RFC 2716 (since revised as RFC 5216).
• The following figure shows the EAP format.
• Note that when 802.1x is the transport, all of this fits into the EAPOL packet body, with the EAPOL packet type set to 0 (EAP-Packet).
EAP format
• The code field indicates the type of EAP packet as follows: (1) Request, (2) Response, (3) Success, (4) Failure.
• The ID is one byte, used for matching requests to responses and for detecting retransmissions.
• Length is the byte count of the whole packet, including the code, ID, length and data fields.
• The data field format varies depending on the code field.
• Codes 3 and 4, Success and Failure, are easy to describe: they have no data field (0 bytes), so their length is always 4.
• Codes 1 and 2 share a format. It boils down to a type code (one byte) followed by the data for that type.
• Here is what that makes the EAP packet look like:
EAP format
• The original RFC defines several EAP types. They are:
1 Identity
2 Notification
3 Nak (Response only)
4 MD5-Challenge
5 One-Time Password (OTP) (RFC 1938)
6 Generic Token Card
13 TLS (added by RFC 2716)
EAP format
• The RFCs contain some good diagrams showing the sequence of messages for the EAP variants above.
• The IEEE 802.1x standard walks through all of this for EAP-OTP in a couple of different scenarios (supplicant-initiated exchange, authenticator-initiated, etc.).
EAP format
How did EAP get into the picture?
• EAP sits inside PPP's authentication phase and provides a generalized framework for all sorts of authentication methods.
EAP Message
• Exactly one EAP packet is encapsulated in the Information field of a PPP data link layer frame, forming a PPP EAP message.
• The PPP protocol field is set to hex C227 (PPP EAP).
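The EAP packet layout and type list above, together with the two transports the deck discusses (PPP protocol 0xC227 and EAPOL packet type 0), as an added example; this is not code from the original slides. It builds and parses EAP packets, enforces the rules the text states (Success/Failure carry no data, Nak is Response-only, the EAP length field governs even when the lower layer pads the frame), and strips either transport header. The identity string is constructed, EAPOL protocol version 1 is assumed, and telling the two transports apart by their first two bytes is a shortcut for the demo; in a real capture the Ethernet type 0x888E already tells you the frame is EAPOL.

```python
import struct

# EAP codes (RFC 3748, section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP types from RFC 2284/3748 plus EAP-TLS (RFC 2716, now RFC 5216)
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "OTP", 6: "Generic Token Card", 13: "TLS"}

PPP_PROTO_EAP = 0xC227   # PPP protocol field value for EAP
EAPOL_VERSION = 1        # 802.1X-2001 protocol version (assumed for the demo)
EAPOL_EAP_PACKET = 0     # EAPOL packet type 0 = EAP-Packet


def build_eap(code, identifier, eap_type=None, data=b""):
    """Build one EAP packet. Success and Failure carry neither a type nor data."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if eap_type is not None or data:
            raise ValueError("Success/Failure must not carry a type or data")
        body = b""
    else:
        if eap_type is None:
            raise ValueError("Request/Response need a type byte")
        body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf):
    """Parse and validate an EAP packet; return a dict or raise ValueError.

    The declared length is checked against the buffer: the lower layer may pad
    the frame, and a parser that trusts the frame size instead of the EAP length
    field would read padding as EAP data.
    """
    if len(buf) < 4:
        raise ValueError("EAP header is 4 octets")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP code %d" % code)
    if length < 4 or length > len(buf):
        raise ValueError("EAP length %d inconsistent with %d octets" % (length, len(buf)))
    pkt = {"code": code, "id": identifier, "length": length}
    body = buf[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must have length 4")
        return pkt
    if not body:
        raise ValueError("Request/Response need a type byte")
    pkt["type"], pkt["data"] = body[0], body[1:]
    pkt["type_name"] = EAP_TYPES.get(body[0], "unknown")
    if pkt["type"] == 3:            # Nak: Response only; data lists the acceptable types
        if code != EAP_RESPONSE:
            raise ValueError("Nak is valid only in a Response")
        pkt["acceptable_types"] = list(pkt["data"])
    return pkt


def ppp_encapsulate(eap_pkt):
    """PPP: protocol field 0xC227, then exactly one EAP packet in the Information field."""
    return struct.pack("!H", PPP_PROTO_EAP) + eap_pkt


def eapol_encapsulate(eap_pkt):
    """EAPOL: version, packet type 0 (EAP-Packet), body length, then the EAP packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def eap_from_transport(frame):
    """Strip either transport header and return the parsed EAP packet."""
    if frame[:2] == struct.pack("!H", PPP_PROTO_EAP):
        return parse_eap(frame[2:])
    _, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL packet type %d does not carry EAP" % ptype)
    return parse_eap(frame[4:4 + body_len])


if __name__ == "__main__":
    req = build_eap(EAP_REQUEST, 1, 1)                          # EAP-Request/Identity
    resp = build_eap(EAP_RESPONSE, 1, 1, b"alice@example.com")  # constructed identity
    nak = build_eap(EAP_RESPONSE, 2, 3, bytes([13]))            # Nak: "I only do EAP-TLS"
    for frame in (ppp_encapsulate(req), eapol_encapsulate(resp), eapol_encapsulate(nak)):
        print(eap_from_transport(frame))
```

The same EAP bytes travel unchanged inside PPP and inside EAPOL; only the outer header differs, which is the whole point of pulling EAP out of PPP.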
How did EAP get into the picture?
• By pulling EAP out into a separate protocol, it gained the option of re-use in other environments, like 802.1X.
• EAP is meant to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and PKI certificates work smoothly.
• With a standardized EAP, interoperability and compatibility across authentication methods become simpler.
• Only the client and the authentication server have to be coordinated.
• For example, when you dial a remote access server (RAS) and use EAP as part of your PPP connection, the RAS does not need to know any of the details about your authentication system.
• By supporting EAP authentication, a RAS server (in wireless, the access point) gets out of the business of actively participating in the authentication dialog and just re-packages EAP packets to hand off to a RADIUS server, which makes the actual authentication decision.
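What "re-packaging EAP into RADIUS" looks like on the wire, per RFC 3579, as an added example (not code from the deck): the EAP packet is carried in one or more EAP-Message attributes, split at 253 octets and kept in order, and every such packet must carry a Message-Authenticator, an HMAC-MD5 keyed with the shared secret and computed over the packet with that attribute's own 16 octets zeroed. The shared secret and the EAP-Response/Identity bytes are constructed for the demo; only the Access-Request direction is built here, and the reply-side check assumes the caller still has the Request Authenticator of the matching request.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute types RFC 3579 cares about
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 24, 79, 80
MAX_ATTR_VALUE = 253   # attribute Length is one octet and counts its own 2-octet header


def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def iter_attributes(pkt):
    """Yield (type, offset, value), refusing attributes that overrun the declared length."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length > len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield atype, pos, pkt[pos + 2:pos + alen]
        pos += alen


def build_access_request(secret, identifier, eap_pkt, user_name, state=None):
    """Wrap one EAP packet in a RADIUS Access-Request as RFC 3579 describes.

    EAP-Message fragments stay in order, a State attribute from the previous
    Access-Challenge is echoed back, and Message-Authenticator is mandatory on
    any packet carrying EAP-Message.
    """
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user_name)
    if state is not None:
        attrs += _attr(ATTR_STATE, state)
    for off in range(0, len(eap_pkt), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_pkt[off:off + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, request_auth        # the placeholder was the last 16 octets


def verify_message_authenticator(secret, pkt, request_auth=None):
    """Recompute Message-Authenticator; False if it is absent, malformed or wrong.

    For Access-Challenge/Accept/Reject the HMAC is computed with the Request
    Authenticator of the matching request in the Authenticator field, so the
    caller passes it in. An authenticator that skips this check accepts a forged
    Access-Accept from anyone who can spoof the server's address.
    """
    found = None
    try:
        for atype, pos, value in iter_attributes(pkt):
            if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                found = pos
                break
    except ValueError:
        return False
    if found is None:
        return False
    zeroed = pkt[:found + 2] + bytes(16) + pkt[found + 18:]
    if request_auth is not None:
        zeroed = zeroed[:4] + request_auth + zeroed[20:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found + 2:found + 18])


def extract_eap(pkt):
    """Concatenate the EAP-Message fragments, in order, back into one EAP packet."""
    return b"".join(v for t, _, v in iter_attributes(pkt) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"testing123"                                  # constructed shared secret
    eap_identity = b"\x02\x01\x00\x0a\x01alice"             # constructed EAP-Response/Identity
    pkt, ra = build_access_request(secret, 5, eap_identity, b"alice")
    print(verify_message_authenticator(secret, pkt), extract_eap(pkt) == eap_identity)
```

The User-Name attribute is only a hint copied from the EAP Identity; the authentication server decides based on the EAP method inside EAP-Message, not on that attribute.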
How 802.1x Works
• 802.1x access control works on unaggregated physical ports at OSI Layer 2. It allows or denies access.
• The access control it exerts can govern bidirectional traffic or inbound traffic only.
• On LAN media, 802.1x needs some way to communicate between the supplicant and the authenticator. This happens directly at Layer 2, before the supplicant has any IP address.
• The protocol used is EAPOL, which stands for EAP encapsulation over LANs.
• EAP itself is a separate protocol (or family of protocols) for authentication.
• Let's take a look at the EAPOL frame format, shown in the following figure:
How 802.1x Works
The EAPOL frame format
• The packet type is as follows:
0 EAP-Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encapsulated-ASF-Alert
• The Key packet type is used for EAP variants that deliver an encryption key. The packet body is then a Key Descriptor with specified fields; we will skip the details.
• The Encapsulated-ASF-Alert packet type allows management alerts (such as SNMP traps) to be sent through a port whose authentication resulted in an unauthorized state.
• The standard notes that use in a shared environment is highly insecure unless the supplicant-to-authenticator traffic is a secure association, i.e. encrypted.
• The authenticator then uses a standard protocol, usually RADIUS, to relay information to and from the authentication server.
The EAPOL frame format
• The following figure shows how the protocol works. It basically provides a Layer 2 wrapper to transport EAP information between supplicant and authenticator.
• Note that the EAPOL-Start message is only used if the supplicant initiates the exchange. The authenticator can notice that link status has changed and simply start the EAP exchange itself with an EAP-Request/Identity.
• It may seem a little silly to have a big diagram with only a couple of arrows in it, but it emphasizes the key point here.
• The double arrow goes further than the diagram shows: the authenticator re-encapsulates the EAP information, typically within RADIUS, and passes it through to the authentication server.
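The exchange the diagram describes, driven end to end by the three PAEs, as an added example that is not part of the original slides. The supplicant either sends EAPOL-Start or the authenticator opens with EAP-Request/Identity on link-up; the authenticator only relays EAP and flips its controlled port on Success/Failure; the authentication server runs the EAP method. EAP-MD5 (type 4 from the type list above) is used because it is small enough to show whole; the RADIUS leg is replaced by a direct function call, EAPOL protocol version 1 is assumed, and the credential store is constructed.

```python
import hashlib
import os
import struct

# EAPOL packet types (802.1X) and the EAP codes/types (RFC 3748) used below
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def eap(code, ident, body=b""):
    """EAP header (code, id, length) plus type/data body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(ptype, body=b""):
    """EAPOL header: protocol version 1 (assumed), packet type, body length."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


class AuthServer:
    """Stand-in for the RADIUS server: owns the credentials and runs MD5-Challenge."""

    def __init__(self, users):
        self.users = users                   # identity (bytes) -> shared secret (bytes)
        self.identity = self.challenge = None

    def handle(self, pkt):
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        if code != EAP_RESPONSE or len(pkt) < 5:
            return eap(EAP_FAILURE, ident)
        etype, data = pkt[4], pkt[5:]
        if etype == TYPE_IDENTITY:
            self.identity = bytes(data)      # untrusted hint: only selects which credential to check
            self.challenge = os.urandom(16)
            return eap(EAP_REQUEST, (ident + 1) & 0xFF, bytes([TYPE_MD5, 16]) + self.challenge)
        if etype == TYPE_MD5 and self.challenge is not None:
            secret = self.users.get(self.identity, b"")
            # RFC 3748 5.4 / RFC 1994: value = MD5(identifier || secret || challenge)
            expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
            ok = self.identity in self.users and data[:1] == b"\x10" and data[1:17] == expected
            self.challenge = None            # a challenge is single-use
            return eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap(EAP_FAILURE, ident)


class Authenticator:
    """The switch or AP: relays EAP, never sees the secret, only flips the controlled port."""

    def __init__(self, server):
        self.server, self.port_authorized, self.next_id = server, False, 0

    def on_link_up(self):
        """Authenticator-initiated exchange: no EAPOL-Start needed."""
        return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.next_id, bytes([TYPE_IDENTITY])))

    def on_eapol(self, frame):
        _, ptype, blen = struct.unpack("!BBH", frame[:4])
        if ptype == EAPOL_START:
            return self.on_link_up()
        if ptype == EAPOL_LOGOFF:
            self.port_authorized = False
            return None
        reply = self.server.handle(frame[4:4 + blen])   # in reality a RADIUS round trip
        if reply[0] == EAP_SUCCESS:
            self.port_authorized = True
        elif reply[0] == EAP_FAILURE:
            self.port_authorized = False
        return eapol(EAPOL_EAP_PACKET, reply)


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def on_eapol(self, frame):
        pkt = frame[4:]
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        if code != EAP_REQUEST:
            return None                      # Success/Failure end the conversation
        etype, data = pkt[4], pkt[5:]
        if etype == TYPE_IDENTITY:
            body = bytes([TYPE_IDENTITY]) + self.identity
        elif etype == TYPE_MD5:
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.secret + challenge).digest()
            body = bytes([TYPE_MD5, 16]) + digest + self.identity
        else:
            body = bytes([3, TYPE_MD5])      # Nak: the only method this supplicant speaks
        return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, body))


def run_exchange(supplicant, authenticator, supplicant_initiated=True):
    """Drive frames between the two PAEs until Success/Failure; return the port state."""
    if supplicant_initiated:
        frame = authenticator.on_eapol(eapol(EAPOL_START))
    else:
        frame = authenticator.on_link_up()
    while frame is not None:
        reply = supplicant.on_eapol(frame)
        frame = authenticator.on_eapol(reply) if reply is not None else None
    return authenticator.port_authorized


if __name__ == "__main__":
    server = AuthServer({b"alice": b"s3cret"})                                   # constructed
    print(run_exchange(Supplicant(b"alice", b"s3cret"), Authenticator(server)))  # True
    print(run_exchange(Supplicant(b"alice", b"guess"), Authenticator(server)))   # False
```

Two things the simulation makes visible: the authenticator never learns the secret, only the verdict; and everything the supplicant sends (identity, challenge, digest) crosses the link in the clear, so a passive listener can guess the secret offline and nothing here derives a session key or authenticates the network to the client. That is why EAP-MD5 does not meet the RFC 4017 requirements for wireless LAN methods mentioned later in the deck.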
The EAPOL frame format
IEEE 802.1
• IEEE 802.1 is a working group within the IEEE 802 project. It is concerned with:
• 802 LAN/MAN architecture,
• internetworking among 802 LANs, MANs and other wide area networks,
• 802 link security (this is not wireless-specific),
• 802 overall network management, and
• protocol layers above the MAC and LLC layers.
What Is 802.1x?
• IEEE 802.1x is an IEEE standard for port-based Network Access Control and is part of the IEEE 802.1 group of standards.
• It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.
What Is 802.1x?
IEEE 802.1x - a port based authentication protocol
• From the introduction to the 802.1x standard document, with some omissions:
• "Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port [...], and of preventing access to that port in cases in which the authentication and authorization process fails. [...] Examples of ports in which the use of authentication can be desirable include the Ports of MAC Bridges, [...], and associations between stations and access points in IEEE 802.11 Wireless LANs."
• That is, 802.1x and EAPOL exist only as a way to transport EAP information between supplicant and authenticator.
What Is 802.1x?
How This All Works
• The following figure fills in the big EAP arrow in the diagram above to show the full sequence of messages.
• It shows my version of the sequence of messages for EAP-OTP (One-Time Password), following the scenarios the 802.1x standard walks through (supplicant-initiated and authenticator-initiated).
How This All Works
Medium to large Enterprise WLAN Security
EAP
• Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs.
EAP
WPA
• The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.
• EAP is an authentication framework, not a specific authentication mechanism. It only defines message formats.
• EAP provides some common functions and a negotiation of the desired authentication mechanism. Such mechanisms are called EAP methods.
• Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's own messages. In the case of 802.1x, this encapsulation is called EAPOL, "EAP over LANs".
WPA
Level 3: Medium to large Enterprise WLAN security
• EAP-TLS is the recommended authentication method for this security level.
• EAP-TLS requires digital certificates on both sides: not only does the RADIUS server need a certificate, but every user (or device) does as well.
• This means you will need a Certificate Authority to issue a proper server certificate to a pair of dedicated RADIUS servers, not just a self-signed certificate on a makeshift RADIUS server. Clients must also be configured to validate the server certificate against that CA; a client that skips this check will complete the handshake with a rogue access point presenting any certificate.
• For this security level, proper PKI best practices should be followed.
• There should be at least a single dedicated PKI root Certificate Authority, but preferably a two- or three-tier PKI design.
• A two-tier chain for a medium enterprise would have an offline root Certificate Authority and an online issuing Certificate Authority.
• The reason is that if an issuing Certificate Authority is ever compromised, you can revoke it and create a new one from the higher, offline Certificate Authority without having to start your PKI deployment from scratch.
• Building a PKI from scratch because of a compromised Certificate Authority would be completely unacceptable in a large-scale environment.
• A large enterprise should implement the three-tier design: an offline root Certificate Authority, an offline subordinate (policy) Certificate Authority, and an online issuing Certificate Authority.
Level 3: Medium to large Enterprise WLAN security
• EAP methods defined in IETF RFCs include:
• EAP-MD5,
• EAP-OTP,
• EAP-GTC,
• EAP-TLS and EAP-TTLS,
• EAP-IKEv2,
• EAP-SIM,
• EAP-AKA.
• Some commonly used methods capable of operating in wireless networks include:
• EAP-TLS,
• EAP-TTLS.
• Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017. EAP-MD5 does not meet them (no key derivation, no mutual authentication), so it is unsuitable for WLANs.
THANKS

Prach: A Feature-Rich Platform Empowering the Autism Community
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
 
Turn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxTurn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptx
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfPaper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating System
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSHigh Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveying
 

Ali shahbazi khojasteh dot1X

2.
• 802.1x works at Layer 2 to authenticate and authorize devices on wireless access points.

3. IEEE 802.1x
• It is used for certain closed wireless access points.

4. 802.1x Authentication
• A wireless node must be authenticated before it can gain access to other LAN resources.

5. 802.1x Authentication
• It does assume a point-to-point model.
• PPP can therefore serve for this point-to-point model.

6. What is PPP and what does it have to do with wireless security?
• Most people are familiar with PPP, the Point-to-Point Protocol. It is most commonly used for dial-up Internet access.
• PPP is also used by some ISPs for DSL and cable modem authentication, in the form of PPPoE (PPP over Ethernet).

7. What is PPP and what does it have to do with wireless security?
• By any measure, PPP is a very successful protocol.
• In practice, PPP has gone far beyond its original use as a dial-up access method; it is now used all over the Internet.

8. What is PPP and what does it have to do with wireless security?
• Although PPP has many parts that make it useful in different networking environments, the part we care about in this demonstration is the authentication piece.

9. What is PPP and what does it have to do with wireless security?
• Before anything at Layer 3 (like IP) is established, PPP goes through an authentication phase at Layer 2.
• With dial-up Internet access, that is the username and password.

10. What is PPP and what does it have to do with wireless security?
• PPP authentication is used to identify the user at the other end of the PPP line before giving them access.
• By authenticating at Layer 2, you are independent of the upper-layer protocol (such as IP).

11. What is PPP and what does it have to do with wireless security?
• You can then make decisions on how to handle Layer 3 protocols, such as IP, based on the authentication information.
• For example, depending on what authentication information you provide, you might get a particular IP address.

13. 802.1x Terminology
• 802.1x introduces some terminology that we need to get used to.
• An authenticator helps authenticate whatever connects to it. It does this via the authentication server.
• The supplicant is what is being authenticated. See the following diagram if that is unclear.

15. 802.1x Terminology
• The Port Access Entity (PAE) is what executes the algorithms and follows the protocol(s).
• Each of the three items above has a PAE, but the PAE software does different things on each of the three.
16. How did EAP get into the picture?
• As PPP use grew, people quickly found its limitations, both in flexibility and in level of security, in the authentication methods, such as PAP.

17. How did EAP get into the picture?
• Most corporate networks want to do more than simple usernames and passwords for secure access.
• So a new authentication protocol, called the Extensible Authentication Protocol (EAP), was designed.

19. EAP
• The Extensible Authentication Protocol is a universal authentication framework frequently used in wireless networks and point-to-point connections.
• It is defined by RFC 3748.

20. EAP and WPA
• The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.

21. EAP and WPA
• EAP is a way for a supplicant to authenticate, usually against a back-end RADIUS server.
• EAP comes from the dial-access world and PPP.

22. EAP and WPA
• There is an RFC for how RADIUS should support EAP between authenticator and authentication server, RFC 3579.
• EAP was first defined in IETF RFC 2284.

23. EAP and WPA
• The EAP-TLS variant is defined in RFC 2716.
• The following figure shows the EAP format.
• Note that when 802.1x is the transport, all this fits into the 802.1x payload field, with the EAPOL packet type set to 0 (EAP packet).

24. The EAPOL frame format

25. EAP and WPA
• EAP is a way for a supplicant to authenticate, usually against a back-end RADIUS server.
• EAP comes from the dial-access world and PPP.

26. EAP and WPA
• There is an RFC for how RADIUS should support EAP between authenticator and authentication server, RFC 3579.

27. EAP and WPA
• EAP was first defined in IETF RFC 2284.
• The EAP-TLS variant is defined in RFC 2716.

28. EAP and WPA
• The following figure shows the EAP format.
• Note that when 802.1x is the transport, all this fits into the 802.1x payload field, with the EAPOL packet type set to 0 (EAP packet).

29. EAP format
• The Code field indicates the type of EAP packet as follows: (1) Request, (2) Response, (3) Success, (4) Failure.

30. EAP format
• The ID is one byte for matching requests and responses.
• Length is the byte count including the Code, ID, Length and Data fields.
• The Data field format varies depending on the Code field.

31. EAP format
• Codes 3 and 4, Success and Failure, are easy to describe: they have no data field (0 bytes).
• Codes 1 and 2 share a format. It boils down to a type code (one byte) followed by the data for that type.

32. EAP format
• Here is what that makes the EAP packet look like:

33. EAP format
• The original RFC defines several types of EAP authentication. They are:
  1 Identity
  2 Notification
  3 Nak (response only)
  4 MD5-Challenge
  5 One-Time Password (OTP) (RFC 1938)
  6 Generic Token Card
  13 TLS (RFC 2716 adds TLS)

34. EAP format
• The RFCs contain some great diagrams showing the sequence of messages for the above EAP variants.

35. EAP format
• The IEEE 802.1x standard goes through all this for EAP-OTP in a couple of different scenarios (supplicant-initiated exchange, authenticator-initiated, etc.).
36. How did EAP get into the picture?
• EAP sits inside PPP's authentication protocol.
• It provides a generalized framework for all sorts of authentication methods.

37. EAP Message
• Exactly one EAP packet is encapsulated in the Information field of a PPP Data Link Layer frame, building a PPP EAP message.
• The Protocol field indicates type hex C227 (PPP EAP).

38. How did EAP get into the picture?
• By pulling EAP out into a separate protocol, it then has the option of re-use in other environments, like 802.1X.

39. How did EAP get into the picture?
• EAP is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and PKI certificates work smoothly.

40. How did EAP get into the picture?
• With a standardized EAP, interoperability and compatibility across authentication methods becomes simpler.

41. How did EAP get into the picture?
• Only the client and the authentication server have to be coordinated.
• By supporting EAP authentication, a RAS server (in wireless, this is the AP) gets out of the business of actively participating in the authentication dialog ...

42. How did EAP get into the picture?
• For example, when you dial a remote access server (RAS) and use EAP as part of your PPP connection, the RAS does not need to know any of the details about your authentication system.

43. How did EAP get into the picture?
• ... and just re-packages EAP packets to hand off to a RADIUS server to make the actual authentication decision.

45. How 802.1x Works
• The 802.1x access control works on unaggregated physical ports at OSI Layer 2. It allows or denies access.
• The access control it exerts can govern bidirectional or inbound traffic.

46. How 802.1x Works
• On LAN media, 802.1x needs some way to communicate between the Supplicant and the Authenticator. This happens directly at Layer 2.
• The protocol used is EAPOL, which stands for EAP encapsulation over LANs.

47. How 802.1x Works
• EAP is a separate protocol (or family of protocols) for authentication.
• Let's take a look at the EAPOL frame format. It is shown in the following figure:

48. The EAPOL frame format

49. The EAPOL frame format
• The packet type is as follows:
  0 EAP Packet
  1 EAPOL Start
  2 EAPOL Logoff
  3 EAPOL Key
  4 EAPOL Encapsulated Alert

50. The EAPOL frame format
• The Key packet type is used for EAP variants that allow an encryption key.
• The packet body is then a Key Descriptor, with specified fields. We'll skip the details.

51. The EAPOL frame format
• The Encapsulated Alert packet type allows for things (like SNMP) to be sent through a port where the authentication resulted in an unauthorized state.

52. The EAPOL frame format
• The standard notes that use in a shared environment is highly insecure unless the supplicant-to-authenticator traffic is a secure association, i.e. encrypted.

53. The EAPOL frame format
• The authenticator then uses a standard protocol, usually RADIUS, to relay information to and from the authentication server.

54. The EAPOL frame format
• The following figure shows how the protocol works.
• It basically provides a Layer 2 wrapper to transport EAP information between supplicant and authenticator.

55. (figure)

56. The EAPOL frame format
• Note that the EAPOL-Start message is only used if the supplicant initiates the exchange.
• The authenticator can notice that the link status has changed and just jump right in with the EAP exchange.

57. The EAPOL frame format
• It may seem a little silly, having a big diagram with only a couple of arrows in it. I hope that this emphasizes the key point here.

58. The EAPOL frame format
• The double arrow goes further, since we'll see that the authenticator re-encapsulates the EAP information, typically within RADIUS, and passes it through to the authentication server.
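As an added example that is not part of the slide deck, the formats and message flow of slides 29–33, 49 and 53–58 in working Python: an encoder/decoder for EAP packets (Code, Identifier, Length, Type, Type-Data) and for the EAPOL header that carries them (Protocol Version, Packet Type, Packet Body Length; this layout comes from IEEE 802.1X and is not spelled out on the slides), plus a simulated exchange in which the authenticator only wraps and relays EAP between the supplicant and the authentication server. The method is EAP-MD5-Challenge (type 4 in the slide 33 list), whose response value is MD5(Identifier || secret || challenge) as in CHAP (RFC 1994); it is used here instead of the deck's EAP-OTP figure because it fits in a single hash. The identity, secret and challenge are constructed sample values, and the AuthServer object stands in for the RADIUS hop without any RADIUS encoding.

```python
import hashlib
import os
import struct

# EAPOL packet types (slide 49), EAP codes and the two EAP types used (RFC 3748, slide 33).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF_ALERT = range(5)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

def build_eap(code, ident, eap_type=None, type_data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse_eap(pkt):
    """Decode an EAP packet, rejecting a Length field that disagrees with the bytes."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length inconsistent with frame")
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": ident}  # no data field
    if code in (EAP_REQUEST, EAP_RESPONSE) and body:
        return {"code": code, "id": ident, "type": body[0], "type_data": body[1:]}
    raise ValueError("malformed EAP packet, code %d" % code)

def build_eapol(packet_type, body=b"", version=1):
    """EAPOL frame: Protocol Version(1) Packet Type(1) Packet Body Length(2) Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body

def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if blen > len(frame) - 4:
        raise ValueError("EAPOL Packet Body Length exceeds frame")
    return version, ptype, frame[4:4 + blen]

def md5_challenge_value(ident, secret, challenge):
    """MD5-Challenge value = MD5(Identifier || secret || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthServer:
    """Stand-in for the RADIUS authentication server: it sees bare EAP, never EAPOL."""
    def __init__(self, users):
        self.users, self.identity, self.challenge, self.ident = users, None, None, 0

    def handle(self, eap_pkt):
        resp = parse_eap(eap_pkt)
        if resp["type"] == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = resp["type_data"], os.urandom(16)
            self.ident = (resp["id"] + 1) & 0xFF
            # MD5-Challenge Type-Data: Value-Size(1) Value Name
            type_data = bytes([len(self.challenge)]) + self.challenge + b"auth-server"
            return build_eap(EAP_REQUEST, self.ident, EAP_TYPE_MD5_CHALLENGE, type_data)
        if resp["type"] == EAP_TYPE_MD5_CHALLENGE and resp["id"] == self.ident:
            value = resp["type_data"][1:1 + resp["type_data"][0]]
            secret = self.users.get(self.identity)
            ok = secret is not None and value == md5_challenge_value(self.ident, secret, self.challenge)
            return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, self.ident)
        return build_eap(EAP_FAILURE, resp["id"])

class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, frame):
        """Answer one EAPOL-carried EAP Request; Success/Failure ends the dialogue (None)."""
        _, ptype, body = parse_eapol(frame)
        req = parse_eap(body)
        if ptype != EAPOL_EAP_PACKET or req["code"] != EAP_REQUEST:
            return None
        if req["type"] == EAP_TYPE_IDENTITY:
            eap = build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, self.identity)
        else:
            challenge = req["type_data"][1:1 + req["type_data"][0]]
            value = md5_challenge_value(req["id"], self.secret, challenge)
            eap = build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_MD5_CHALLENGE,
                            bytes([len(value)]) + value + self.identity)
        return build_eapol(EAPOL_EAP_PACKET, eap)

def run_exchange(supplicant, server):
    """Authenticator role (authenticator-initiated, so no EAPOL-Start): wrap EAP in EAPOL
    towards the supplicant, pass the bare EAP to the server, relay its verdict back."""
    log, eap = [], build_eap(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)
    while True:
        log.append(("authenticator->supplicant", parse_eap(eap)["code"]))
        reply = supplicant.handle(build_eapol(EAPOL_EAP_PACKET, eap))
        if reply is None:  # Success or Failure has just been delivered
            return parse_eap(eap)["code"] == EAP_SUCCESS, log
        _, _, eap_resp = parse_eapol(reply)
        log.append(("supplicant->authenticator", parse_eap(eap_resp)["code"]))
        eap = server.handle(eap_resp)  # real deployments carry this hop inside RADIUS (RFC 3579)
        log.append(("server->authenticator", parse_eap(eap)["code"]))
```

The authenticator in run_exchange never inspects the EAP Type, which is the point of slides 41–43 and 58: it shuttles bytes and acts on the final Success or Failure code. Because a relay that forwards unchecked bytes is the usual way such code fails, both parsers refuse a Length field that disagrees with the frame instead of reading past it. MD5-Challenge derives no keying material, and RFC 4017 (slide 89) lists key generation among the requirements for WLAN methods, which is why real wireless deployments use the TLS-based methods the later slides recommend.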
59. IEEE 802.1
• IEEE 802.1 is a working group of the IEEE 802 project of the IEEE. It is concerned with:
  • 802 LAN/MAN architecture,
  • internetworking among 802 LANs, MANs and other wide area networks,
  • 802 link security (this is not wireless),
  • 802 overall network management, and
  • protocol layers above the MAC and LLC layers.

60. What Is 802.1x?
• IEEE 802.1x is an IEEE standard for port-based Network Access Control which extends 802.1.
• It is part of the IEEE 802.1 group of protocols.
• It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.

61. What Is 802.1x?
• The standard 802.1x is an IEEE standard for Port-Based Network Access Control.

62. IEEE 802.1x - a port-based authentication protocol

63. What Is 802.1x?
• From the introduction to the 802.1x standard document, with some omissions:

64. What Is 802.1x?
• "Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port [...],

65. What Is 802.1x?
• and of preventing access to that port in cases in which the authentication and authorization process fails. [...]

66. What Is 802.1x?
• Examples of ports in which the use of authentication can be desirable include the Ports of MAC Bridges, [...],
• and associations between stations and access points in IEEE 802.11 Wireless LANs."

67. What Is 802.1x?
• That is, 802.1x and EAPOL just exist as a way to transport EAP information between Supplicant and Authenticator.

68. How This All Works

69. How This All Works
• The RFCs contain some diagrams showing the sequence of messages for the above EAP variants.

70. How This All Works
• The IEEE 802.1x standard goes through all this for EAP-OTP in a couple of different scenarios (supplicant-initiated exchange, authenticator-initiated, etc.).

71. How This All Works
• This fills in the big EAP arrow in the above diagram to show the full sequence of messages.
• The following figure shows my version of the sequence of messages for EAP-OTP (One-Time Password).
72. (figure)

74. EAP
• The Extensible Authentication Protocol is a universal authentication framework frequently used in wireless networks and point-to-point connections.
• It is defined by RFC 3748.

75. EAP
• Although the EAP protocol is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs.

76. WPA
• The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.

77. WPA
• EAP is an authentication framework, not a specific authentication mechanism. It only defines message formats.

78. WPA
• EAP provides some common functions and a negotiation of the desired authentication mechanism.
• Such mechanisms are called EAP authentication methods.

79. WPA
• Each protocol that uses EAP defines a way to encapsulate that protocol's messages within the EAP messages.
• In the case of 802.1x, this encapsulation is called EAPOL, "EAP over LANs".

80. Level 3: Medium to large Enterprise WLAN security
• EAP-TLS could be the recommended authentication method for this security level.
• EAP-TLS has the same digital certificate requirements on the server side and on the client side.

81. Level 3: Medium to large Enterprise WLAN security
• To implement EAP-TLS, not only does the server require a digital certificate, but the users do as well.

82. Level 3: Medium to large Enterprise WLAN security
• This means you will need a Certificate Authority to issue a proper server digital certificate on a pair of dedicated RADIUS servers, and not just a self-signed certificate on a makeshift RADIUS server.

83. Level 3: Medium to large Enterprise WLAN security
• For this security level, proper PKI best practices should be followed.
• There should be at least a single dedicated PKI Root Certificate Authority, but preferably it should be at least a two- or three-tier PKI design.

84. Level 3: Medium to large Enterprise WLAN security
• A two-tier chain for a medium Enterprise organization would have an offline Root Certificate Authority and an online Issuing Certificate Authority.

85. Level 3: Medium to large Enterprise WLAN security
• The reason for this is that if a Certificate Authority is ever compromised, you can revoke it and create a new one ...
• ... from the higher offline Certificate Authorities without having to start your PKI deployment from scratch.

86. Level 3: Medium to large Enterprise WLAN security
• Building a PKI from scratch because of a compromised Certificate Authority would be completely unacceptable in a large-scale environment.

87. Level 3: Medium to large Enterprise WLAN security
• A large Enterprise should implement the three-tier design with an offline Root Certificate Authority, an offline subordinate Certificate Authority, and an online Issuing Certificate Authority.

88. Level 3: Medium to large Enterprise WLAN security
• Methods defined in IETF RFCs include:
  • EAP-MD5,
  • EAP-OTP,
  • EAP-GTC,
  • EAP-TLS or EAP-TTLS,
  • EAP-IKEv2,
  • EAP-SIM,
  • EAP-AKA

89. Level 3: Medium to large Enterprise WLAN security
• Some commonly used methods capable of operating in wireless networks include:
  • EAP-TLS,
  • EAP-TTLS
• Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.