CWNP CWSP – Module 04 – 802.11 Authentication Methods Part 2

  1. Authentication

A recap on authentication, and I'm not going to repeat or belabor the same points. We talked about usernames and passwords. I talked about smart cards that have the ability to authenticate who you are. But there are a couple of other options. One of the first ones, if I skip down a little bit, is a one-time password. A one-time password is supposed to be pretty secure. As an example, if I wanted to sign up a new computer in Active Directory, I might be given a one-time password so I can sign that computer up, but then I can't use that password again to sign up other computers. So that still adds to authentication, and it's something that's not reusable. Digital certificates: I want to talk a little bit about those and draw out a little bit of a diagram if you're not familiar with the idea of a digital certificate, because we can see some good uses for this, especially when we start getting into things like EAP and we talk about Transport Layer Security. I kind of talked about the Secure Sockets Layer, SSL, which used just one certificate. But it is a method of third-party trust.

And generally, here's the idea, and remember, this is a high-level overview. I'm not going to take you down through the entire process. But we usually have this third-party system that two sides agree to trust. We call it a certificate authority. And the idea is that you, as a user or as a computer, can apply for a certificate. And when you apply, hopefully the certificate authority does its job to vet your information: your name, your IP address, computer name, username, all of that, to make sure it's legitimate. And then they are going to issue a certificate, and that certificate is what you can present as a way of proving who you are.

Now remember, I talked a little bit about certificates in a different section, where part of what they give us is also a public and private key that we can use for a variety of different encryption or key exchanges. Let's say also there's a server over here; I use the example of a bank. And so again, they would apply for a certificate and they would get one back, again verifying the name of the bank, the IP addresses, the website URL, and it has its public and private keys. Now, if I want to make a connection to that bank, one of the first things I said is that the bank is going to send me back its certificate. And that certificate does two things. Remember, it gave me the authentication of who they are and it gave me their public key. Now you might ask, how do I know that they didn't make a fake certificate? Well, let's again just kind of throw out a little bit of information about what happens. So when we see these certificates, it's supposed to look like a little award tag, a first-place award or something. Anyway, like I said, it's going to have the name, the web address, and, depending on the type of certificate, the IP address. It's going to have all of this data that hopefully was verified. And what the certificate authority is going to do is take that information and put it through a hash. And the purpose again of hashing is to say that if any of that information is at all different, or any of it has been changed, then the hash will be demonstrably different. It'll be easy to tell. But then again, what's to say that some hacker couldn't fill out a certificate and hash the information to make it look right? So the certificate authority, when it creates that, uses its private key to encrypt that hash.

And so when you present it to me, I'm going to use the certificate authority's public key (remember, asymmetric public and private keys) to decrypt that hash. So I decrypt the hash, and then I rehash this data and see if it's equal to what I decrypted. And so if it was a fake one, whatever I decrypted with the certificate authority's public key would not match the hash. And you'd get one of those big error messages right in your browser that says we can't verify this certificate. And so that's how we go through that process of having that third-party trust. Now, one of the differences when we get into Transport Layer Security, TLS, is that both the user and the server would issue or send their certificates. Because really, if you think about it, with banks we use HTTPS, which is the Secure Sockets Layer, SSL, and it's just the bank that proves who they are. But the bank doesn't have any way of authenticating the user connecting unless the user uses their username and password. But we already know how that's weak, because somebody could steal it from us. So even if somebody knew the username and password, if we demanded they have a certificate, then we're getting back into multifactor authentication. So here's an example of third-party trust, and I hope that this makes sense. In the United States, every state has the ability to issue driver's licenses. All right, so those of you who are familiar with geography, maybe you recognize my state that I just drew, and I think I did a pretty darn good job. I live right over there in Boise, Idaho.

And don't worry, you won't find me in the phone book. I don't think I've had a landline for 15 years. Anyway, in my state, I have to submit to get either an identity card or a driver's license. So let's say I get a driver's license, and on my driver's license, right, it's got my picture of my beautiful smiling face. It tells all my identification, and clearly across the top it says who issued it. In this case, it says the State of Idaho. So let's say I go into a business and want to buy an age-restricted product. Well, unfortunately, I'm so old that nobody ever cards me.

But if they did card me, I would present this driver's license to that person to verify that I was of age to buy whatever the product was. And as long as that clerk believes or trusts this third party, the State of Idaho, to have done their job to correctly identify me and to put on my birth date and all that sort of stuff, then I get that age-related product. So that's the concept of a third-party issuer. And that's kind of the idea of what that certificate authority does for us.
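The signing and verification just described (the CA hashes the certificate body, signs that hash with its private key, and the client rehashes and checks the signature with the CA's public key) can be run end to end with nothing but the Go standard library. The program below is an added example written for this page, not code from the course or from any vendor; the CA name, the server name `bank.example`, and the key sizes are placeholders. It issues a genuine certificate, then shows the two failure cases the lecture raises: a certificate whose body was altered after signing, and a certificate that a rogue party filled in and signed with its own, untrusted key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder names for the constructed example.
const (
	caName   = "Example Root CA"
	bankName = "bank.example"
)

// makeCA builds the self-signed certificate authority that both sides trust
// (the "State of Idaho" of the driver's license analogy).
func makeCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert is the CA signing the server's certificate: the to-be-signed
// fields (name, validity, public key) are hashed and the hash is signed with
// the CA's private key. Returns the DER-encoded certificate.
func issueCert(ca *x509.Certificate, caKey *rsa.PrivateKey, name string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// verifyAgainstCA is the client's side: rehash the certificate body and
// compare it with the signature checked under the CA's public key.
func verifyAgainstCA(der []byte, ca *x509.Certificate) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(ca)
}

// tamper flips one bit of the subject name inside the signed body (same
// length, so the DER still parses) to show the hash no longer matching.
func tamper(der []byte, name string) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(name)); i >= 0 {
		out[i] ^= 0x01 // 'b' becomes 'c'
	}
	return out
}

func main() {
	ca, caKey, err := makeCA()
	if err != nil {
		panic(err)
	}
	genuine, err := issueCert(ca, caKey, bankName)
	if err != nil {
		panic(err)
	}
	// A rogue party can fill in the same fields and sign them, but only with
	// a key the client does not trust.
	rogueCA, rogueKey, _ := makeCA()
	forged, _ := issueCert(rogueCA, rogueKey, bankName)

	fmt.Println("genuine: ", verifyAgainstCA(genuine, ca))
	fmt.Println("tampered:", verifyAgainstCA(tamper(genuine, bankName), ca))
	fmt.Println("forged:  ", verifyAgainstCA(forged, ca))
}
```

`CheckSignatureFrom` is exactly the step the lecture walks through: it recomputes the hash over the to-be-signed part of the certificate and checks it against the signature using the parent's public key, and it also refuses a parent that is not marked as a CA. The browser's "we can't verify this certificate" message is the user-facing form of the non-nil error the tampered and forged cases return.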

Okay, we can also do machine authentication. I hope you didn't mind, by the way, that we went through a little bit more about digital certificates, just because I think it's a good solution for a lot of authentication. The machine can also contain a certificate that it can present on its own in 802.1X. When we get to that portion, we'll see that the machine can also provide credentials to authenticate it as an allowed machine. And the weakest thing we could do is a pre-shared key, where we basically know what the password is and we type it in, or we have to find a way to distribute it to everybody, and then realize that if we ever decide to change the keys, it takes a lot of work. But that is another method of authentication.

  2. Authorization

Now, authorization, the next part, like I said, is what you're allowed to do. It's your permissions. It could be something as simple as this, if you think about authorizations: now, this might not be the best picture, but that's supposed to be like a folder on your Windows drive, and then you have all these pictures of documents, and we assign permissions for who can open these files or who can look into these folders. And that's a part of what authorization is designed to do. At the same time, if I'm over here and I'm connecting to your access point as a guest, that access point, like I said before, could segment me onto a VLAN that might allow me access only to the Internet but would ban me from the local area network. Again, a type of security or permissions, which is authorization.

And that's what we're really getting at. And then I talked already about my story with the printer. So some of your authentication servers (well, we haven't gotten into those yet) can help you. An example would be RADIUS; maybe 802.1X would be better suited to say it could work with RADIUS or another type of authentication server, which is TACACS or TACACS+. And what's kind of cool is, depending on the situation, we use that server not only to authenticate who you are, but we also use those servers, if they are capable (not every RADIUS server can do this; TACACS can, but it doesn't mean that it works with every access point), to actually, with each connection, with each setup, make the decision about things like what VLAN you can connect to or what resource. In fact, if you were managing the access point through the command line as administrator, we could even use the RADIUS or TACACS+ server to make sure that, even though you can log into the actual access point's command line or web GUI, everything you try to do is actually verified with these servers to make sure you have permission to do those types of things.

And so the one picture that's missing, of course, is that somewhere we have an authentication server. And we're going to get into much more detail when we get into EAP. But again, I log in, right, and I get challenged for who I am. And we call the access point the authenticator, and I'm the supplicant, the one who's asking to get in there. And then the credentials are sent, hopefully securely in a tunnel, to this RADIUS or TACACS+ server, which then can say yes or no as to whether or not I provided the proper credentials.

And that RADIUS server could actually connect to an Active Directory server or some other, what we call X.500-compliant, LDAP type of server, rather than having to have local accounts stored on each server. And so that's kind of a bigger picture of what the authentication can do for us. But like I said, then, as I issue commands or as I log in, if I log in successfully as guest, this server would return, like I said, the VLAN, let's say VLAN 10, that takes me only to the Internet. So in a way, it's authorizing me about what I can do. Bye.

  3. Accounting

Lastly in AAA, the triple A, is accounting. And like I said, it's keeping track of what you did. And you know, I've got to tell you, this is the biggest part that people forget to do. So again, if I've got my access point and you're logging in, associating with the access point, that access point at minimum should keep track of logs about who actually logged in and authenticated, and especially if somebody failed. If I've got this rogue over here who's trying to break in and get an association with your access point and that fails, we should have a log of that as well. Now, the best thing that we should do, and it's absolutely important for logging information, and I've just got to say it, the least we should do is send this to some sort of database storage server that we often call a syslog server, so that you, as the administrator, can hopefully at least daily check into that server and see what's going on.

Now remember, I also said that we could log to what we often call a wireless LAN controller. And that wireless LAN controller not only is going to take care of keeping track of logs, but it can also look for potential problems, interfaces that went down, access points that went down. And it can generate alerts, maybe through email, so that it can tell the administrator about the problem that's just occurred. And then there are also these things that we call SIEMs. So remember, my goal here is to be vendor neutral, so I'm not talking about any one solution for these. But the purpose of a SIEM is not only to get the logs from something like an access point, but even, let's say, a back-end server. Let's say you've got a back-end email server, and it can send you logs about who's logged in or errors that are occurring. You can have routers, you could have switches, and they can send all of this in.

Maybe you have somebody coming in through a firewall. We use a picture of a firewall with an arrow that hits that wall here. What's beautiful about this is that the SIEM can say, okay, I just saw a user logging in through the firewall. I'm going to log that. And then I saw that that user maybe was attacking my email server, and the email server is sending me those notifications.

And if you, as an individual administrator, had to look at all of these machines one at a time to look at the logs, you might not correlate that information, but this thing can correlate it for you and let you know about signs of attacks. It can tell you about growing problems. So it can send problem alerts. And then you don't necessarily have to do something on a daily basis. You're going to get something proactive. And that's the biggest thing about accounting. I just have to use it in big letters. It lets you be proactive when it comes to security, rather than what unfortunately many security people do, which is wait till something fails, and then it becomes reactive. I like to call it a post-mortem type of analysis, and that was almost too late. So I can't say enough about accounting, but it is important that you look at it.
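The correlation the lecture describes, a firewall log that shows who came in and a mail-server log that shows the failed logins, neither of which means much on its own, can be written as a small rule. This is an added example, not code from the course or from any SIEM product: the log format, the source names `fw` and `mail`, the action names, the addresses (from documentation ranges) and the 3-failures-in-5-minutes rule are all constructed for the example. The rule ties mail-server authentication failures back to the identity the firewall admitted from that address, which is the join an administrator reading two consoles by hand would miss.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed log lines from two sources, already normalised by a collector
// into "timestamp source action key=value ..." form. Note they arrive out of
// time order, as logs from separate devices do.
var sampleLogs = []string{
	"2024-05-01T09:00:40Z mail AUTHFAIL src=203.0.113.7 user=admin",
	"2024-05-01T09:00:01Z fw ALLOW src=203.0.113.7 user=jsmith dst=10.0.0.25",
	"2024-05-01T09:00:41Z mail AUTHFAIL src=203.0.113.7 user=postmaster",
	"2024-05-01T09:01:00Z fw ALLOW src=203.0.113.9 user=alee dst=10.0.0.25",
	"2024-05-01T09:00:43Z mail AUTHFAIL src=203.0.113.7 user=root",
	"2024-05-01T09:01:30Z mail AUTHFAIL src=203.0.113.9 user=alee",
	"2024-05-01T09:02:00Z mail AUTHFAIL src=198.51.100.4 user=admin",
	"2024-05-01T09:02:01Z mail AUTHFAIL src=198.51.100.4 user=admin",
	"2024-05-01T09:02:02Z mail AUTHFAIL src=198.51.100.4 user=admin",
}

type Event struct {
	Time           time.Time
	Source, Action string
	Fields         map[string]string
}

// Alert names the firewall-admitted identity behind a burst of mail-server
// failures, which neither log shows by itself.
type Alert struct {
	FirewallUser, SrcIP string
	Failures            int
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Source: f[1], Action: f[2], Fields: map[string]string{}}
	for _, kv := range f[3:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Fields[k] = v
		}
	}
	return ev, nil
}

// correlate raises one alert per source address that the firewall admitted
// and that then produced at least `threshold` mail authentication failures
// within `window` of being admitted. Failures from addresses the firewall
// never admitted are not this rule's business and are left alone.
func correlate(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })

	admitted := map[string]Event{} // src IP -> most recent firewall ALLOW
	failures := map[string]int{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, ev := range events {
		src := ev.Fields["src"]
		switch {
		case ev.Source == "fw" && ev.Action == "ALLOW":
			admitted[src] = ev
			failures[src] = 0
		case ev.Source == "mail" && ev.Action == "AUTHFAIL":
			adm, ok := admitted[src]
			if !ok || ev.Time.Sub(adm.Time) > window {
				continue
			}
			failures[src]++
			if failures[src] >= threshold && !alerted[src] {
				alerted[src] = true
				alerts = append(alerts, Alert{adm.Fields["user"], src, failures[src]})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := correlate(sampleLogs, 5*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT: %s (admitted from %s) failed mail auth %d times\n", a.FirewallUser, a.SrcIP, a.Failures)
	}
}
```

On the sample data only `jsmith` from 203.0.113.7 trips the rule; `alee` fails once, below the threshold, and the failures from 198.51.100.4 never passed the firewall, so a different rule would have to pick them up. Sorting by timestamp before correlating is what makes the out-of-order lines from different devices line up.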

RADIUS, the Remote Authentication Dial-In User Service, which was one of the servers that we just talked about, does very well when it comes to logging. I'd still go with something that can correlate, though. TACACS, or TACACS+, is another server that does very well at keeping that information for you, and remember the things that it's going to give you, right, as a list with every transaction. So when we look at that log and what it's built out of, we see that it's going to usually have something like a username.

It might tell you which RADIUS server or accounting server, session information, the session ID information it will give to you, and you can turn more on and more off depending on the access point's connectivity. Hey, we can look at input and output as a matter of bandwidth utilization, so we can see who the heavy users, the heavy talkers, are, or, if not bandwidth, then the number of packets. It can tell us which port they're connecting to, it can tell us the IP address, and it just goes on and on and on. A lot of what we call the TLVs, the type, length and value of what we want to keep track of; and a lot of it, like I said, does depend on what the logging server is capable of doing, as well as the device that is creating the logs and sending them to you.
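The TLV layout the lecture refers to is the RADIUS attribute format of RFC 2865 and RFC 2866: a one-byte type, a one-byte length that includes the two header bytes, then the value. The parser below is an added example for this page, not code from the course or from any RADIUS server; it reads a constructed Accounting-Request (a Stop record with the user, session ID, client IP, port type and octet counters the lecture lists) and flattens it into a record you could rank heavy users from. The sample packet leaves the 16-byte Request Authenticator zero, which a real server would reject, since the point here is the attribute walk, not the shared-secret check.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
)

// RFC 2865/2866 packet code and the attribute types this parser interprets.
const (
	codeAccountingRequest = 4
	attrUserName          = 1
	attrFramedIPAddress   = 8
	attrAcctStatusType    = 40
	attrAcctInputOctets   = 42
	attrAcctOutputOctets  = 43
	attrAcctSessionID     = 44
	attrNASPortType       = 61 // value 19 = Wireless-802.11
)

// AcctRecord is one accounting transaction flattened out of its TLVs.
type AcctRecord struct {
	User, SessionID     string
	FramedIP            net.IP
	NASPortType         uint32
	StatusType          uint32 // 1 = Start, 2 = Stop, 3 = Interim-Update
	InOctets, OutOctets uint32
}

func (r *AcctRecord) TotalOctets() uint64 { return uint64(r.InOctets) + uint64(r.OutOctets) }

// parseAccounting checks the 20-byte header, then walks the attribute list,
// rejecting any length that does not add up rather than reading past it;
// attribute types it does not know are skipped, as RFC 2865 requires.
func parseAccounting(pkt []byte) (*AcctRecord, error) {
	if len(pkt) < 20 || pkt[0] != codeAccountingRequest {
		return nil, fmt.Errorf("not a complete RADIUS Accounting-Request")
	}
	length := int(binary.BigEndian.Uint16(pkt[2:4]))
	if length < 20 || length > len(pkt) {
		return nil, fmt.Errorf("length field %d inconsistent with %d bytes", length, len(pkt))
	}
	rec := &AcctRecord{}
	ints := map[byte]*uint32{ // integer-valued attributes and where they land
		attrNASPortType: &rec.NASPortType, attrAcctStatusType: &rec.StatusType,
		attrAcctInputOctets: &rec.InOctets, attrAcctOutputOctets: &rec.OutOctets,
	}
	for attrs := pkt[20:length]; len(attrs) > 0; {
		if len(attrs) < 2 || attrs[1] < 2 || int(attrs[1]) > len(attrs) {
			return nil, fmt.Errorf("attribute length does not fit the packet")
		}
		t, v := attrs[0], attrs[2:attrs[1]]
		switch {
		case t == attrUserName:
			rec.User = string(v)
		case t == attrAcctSessionID:
			rec.SessionID = string(v)
		case t == attrFramedIPAddress || ints[t] != nil:
			if len(v) != 4 {
				return nil, fmt.Errorf("attribute %d: value must be 4 bytes", t)
			}
			if t == attrFramedIPAddress {
				rec.FramedIP = net.IPv4(v[0], v[1], v[2], v[3])
			} else {
				*ints[t] = binary.BigEndian.Uint32(v)
			}
		}
		attrs = attrs[attrs[1]:]
	}
	return rec, nil
}

// attr and u32 encode a TLV and a 4-byte integer for the constructed sample.
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(len(v) + 2)}, v...) }
func u32(n uint32) []byte          { b := make([]byte, 4); binary.BigEndian.PutUint32(b, n); return b }

// samplePacket is a constructed Stop record such as an access point sends when
// a guest session ends; the Request Authenticator (bytes 4..19) is left zero.
func samplePacket() []byte {
	body := bytes.Join([][]byte{
		attr(attrUserName, []byte("guest")),
		attr(attrAcctSessionID, []byte("5F3A9C01")),
		attr(attrAcctStatusType, u32(2)),
		attr(attrNASPortType, u32(19)),
		attr(attrFramedIPAddress, []byte{10, 20, 0, 15}),
		attr(attrAcctInputOctets, u32(1048576)),
		attr(attrAcctOutputOctets, u32(52428800)),
		attr(41, u32(0)), // Acct-Delay-Time: present but not interpreted above
	}, nil)
	pkt := make([]byte, 20)
	pkt[0], pkt[1] = codeAccountingRequest, 7 // code, identifier
	binary.BigEndian.PutUint16(pkt[2:4], uint16(20+len(body)))
	return append(pkt, body...)
}

func main() {
	rec, err := parseAccounting(samplePacket())
	fmt.Printf("%+v %v\n", rec, err)
}
```

The packet counters the lecture mentions (Acct-Input-Packets, type 47, and Acct-Output-Packets, type 48) are 4-byte integers handled exactly like the octet counters; adding them is one more entry in the `ints` map. The length checks matter because an accounting collector is reachable from every access point on the network, so a malformed attribute length has to produce an error rather than a read past the end of the packet.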
