CWNP CWSP – Module 04 – 802.11 Authentication Methods Part 3
One of the pieces that we’re going to see with WPA2 Enterprise is this port-based authentication. Now, I know it sounds weird to say port-based when we’re talking about wireless. I think I mentioned before that the IEEE specification of 802.1-whatever is all about bridging. And so this really was for bridging and switching solutions to be able to authenticate a user or a machine when it connects to a switch port. The idea being that if I walk into your office and I see an empty jack in the wall, I plug my laptop in. If you weren’t using this kind of authentication here, then what would happen is your DHCP server would probably give me an IP address, a gateway, a DNS server, and I could probably start roaming throughout your entire network because there’s nothing there, not only to authenticate that I’m a valid machine, but even to help control the authorization; I could start trying to hack.
Well, it’s the same idea when we look at an access point. I mean, if you think about it, the access point is eventually connected to a switch. And while I’m at it, I’m going to draw another server over here that we’ll talk about in a second. And so in a way, this user, when they want to make the association request, rather than just have that open, right, rather than just allow anybody to connect in there, we’re actually going to do 802.1X, but we’ll implement it on the access point so that we can go through the process of, again, not just letting anybody who wants to do an association connect. Unless you want them to do that. And that’s kind of the main goal.
So that’s the framework anyway, that we’re going to go through here. And there are three different pieces to this framework the Supplicant, the Authenticator, and the authentication server. The Supplicant is basically the machine that’s trying to make the association. It could be the device itself, or it could be a user prompted to be authenticated. It could be the software that’s used to make the wireless LAN connection. If you think back in the early days of Windows, they started doing this wireless zero connection tool where it would automatically pop up, tell you about all the available WiFi networks and help you with making the connection. It could be the software and the operating system, or it could be part of the firmware in today’s world, right, we’re doing all these tablets, hopefully that looks like an iPad. And so it could be firmware. It could be software in the macOS or the iOS, whatever the case is, it’s going to act as a Supplicant.
And we’ll talk about some of the different types of credentials that could be used, some that we’ve already talked about, but just to make sure that we have that clear setting. Now, for the most part, the wireless access point is going to be considered the authenticator. What’s important to remember is the authenticator is the in-between device. The one that, when you make your association request, sends a challenge and asks you the question, you know, who are you? Can you prove to me who you are? And it’s usually the access point that asks that question. And then the access point is going to have to connect to an external server to do the authentication. And so they call it the authentication server. And I think I’ve already talked a bit about some of the different ones. Like I said, it could be RADIUS. Now, RADIUS by itself is not considered as secure.
It uses what we call the User Datagram Protocol, which is not connection oriented. So if things don’t work, we usually have to wait for a timeout before we might move on to a different server. It only hashes the password. Everything else is kept in clear text. TACACS+ is a little more secure. It uses TCP, so it is connection oriented. We can get acknowledgments, or if we have a lack of acknowledgment, we know nobody’s there, rather than just guessing, and it encrypts all of the communications. And in fact, we’re going to take this a step further when we start talking about the use of the Extensible Authentication Protocol here.
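As an added example, not code from the course, here is how the RADIUS point above plays out on the wire: in an Access-Request only the User-Password attribute is hidden (RFC 2865 section 5.2 XORs it with an MD5 keystream derived from the shared secret and the Request Authenticator), while the User-Name and every other attribute travel as plaintext. The shared secret and the fixed Request Authenticator are constructed values for this example.

```python
import hashlib
import struct

# Constructed values for this example: a shared secret and a fixed 16-byte
# Request Authenticator (a real client generates it randomly per request).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous block), the first block using the Request
    Authenticator. It is an obfuscation keyed by the shared secret, not a
    one-way hash, and it covers only this one attribute.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, authenticator: bytes,
                         username: bytes, password: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = attribute(1, username) + attribute(2, hide_password(secret, authenticator, password))
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator
    return header + attrs
```

Searching the built packet for the username finds it in the clear, which is why RADIUS between the access point and the server is normally run over a trusted management network or wrapped in IPsec or RadSec.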
Soon, as far as even better methods of sending these credentials go. Or it could be an LDAP server. Like I said, Microsoft has Active Directory. Novell has, I think, what they call eDirectory. I put LDAP because that’s the generic name for all of those different services. It’s kind of been defined by what they call the X.500 standard for how we can search through this hierarchical database for users. But in any event, the goal of the authentication server then, like I said, is to return a yes or no as to whether or not the credentials, the username and password, were correct and that they could be actually authenticated. And as I said, some of these servers can also provide authorization. Like I said, maybe helping with the segmentation of networks. It’s just a matter of what your goal is as far as the overall authentication process.
Now the Supplicant, remember, is generally the machine that’s trying to connect into that access point. And you’re probably getting tired of watching my really cool Visio pictures as I’m drawing these. So we’re focusing on the Supplicant, the one that’s trying to make an association and is going to go through some authentication. A lot of these authentication options I’ve already talked about. I think I gave some very good explanations. So I’ll kind of go through them quickly but also talk about some of the ones that we didn’t quite talk about as far as some of the other options that are available to us. So the first one, username and password, like I said, is a part of something, you know, one of the factors of authentication, and I think I really just crushed the explanation of how that works and some of the weaknesses and how that’s the worst of all the options that we have. Then I drew an outstanding picture of digital certificates, at least I think I did, one where we went through and talked about the certificate authority and that third-party trust and what the certificates have in them. And remember, those certificates, I’ll just rewrite it down, could be per user, it could be one that’s installed on the actual machine or device that’s connecting, or any other hardware that might need to make an association with the access point. I guess you’d put that back in the definition of machine.
So that goes to the, what do we say, the something that you have and, like I said, a third-party trust. Now another certificate-like credential that we are going to talk about when we get into different versions of EAP is what we call the PAC, which is the Protected Access Credential. Again, it’s very much like the certificates. Again, it’s still kind of on the X.509 standard of what a certificate should look like. It was designed to be easier to deploy, easier to renew, as far as again being able to have a third-party trust. Now another one that I guess I didn’t put in here that I did make mention of already before is the one-time password, and the one-time password is again something that’s not supposed to be reused.
It could be issued to an authorized user, perhaps of a computer, so that they can make the association for that one time and then they’re done. You might even see that at, like, a hotel where you get a password for the time that you’re there staying and then you’re connected, hopefully securely. And then the next day you’d have to get another one if you wanted to do that. Or it could be, again, for guest access or however you want to do that. Another one that is kind of similar to that one-time password kind of comes into these security tokens or things like RSA made something a while ago called the SecurID. I mean, it’s still around, just owned by a different company.
But what this did is it had kind of an asynchronous or synchronous type of authentication mechanism. It goes to the something you have again. And what would happen is, let’s say you make connections to whatever server, you make connections to the access point, whatever the case may be, that it might challenge you with a one-time password, and it might be just a series of numbers that you type into this device. And then when you type in this random set of numbers it gives you, your device would have a response that you would then type in, and then that response would be that one-time password that went and matched up with this.
So almost in a way generating a key based on some output, another one of these. And that was an asynchronous type of SecurID. The synchronous one was more where we had the hope that your token device was on the same time as the access point. Because what would happen is, like every 30 seconds for the synchronous one, every 30 seconds, the display number on that token generator would change as long as both the access point and your device thought it was the same time of day. Time zones don’t count, but you know what I’m getting at? Same time, same time server, then you just enter that number in and it would only be good for those 30 seconds and as long as you’re synchronized in time. So again, something you have type of an option.
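The two token modes just described, as an added example that is not part of the course material: the asynchronous mode, where the server issues a challenge that the user keys into the token and types the response back, and the synchronous mode, where the displayed number is derived from the current 30-second time step and the server tolerates only a small clock drift. SecurID’s own algorithm is proprietary, so this uses HMAC-SHA1 with RFC 4226 style truncation as a stand-in; the token seed is a constructed value.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed token seed for this example; a real token holds one per device.
TOKEN_SEED = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 4
STEP_SECONDS = 30


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: a 31-bit value from the MAC, reduced to N digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def new_challenge() -> str:
    """Asynchronous mode: the server picks a fresh numeric challenge per attempt."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def challenge_response(seed: bytes, challenge: str) -> str:
    """The token keys the typed-in challenge through HMAC with its seed;
    the server computes the same value and compares."""
    return _truncate(hmac.new(seed, challenge.encode(), hashlib.sha1).digest())


def time_code(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Synchronous mode: the displayed number depends only on the seed and the
    current time step, so token and server must agree on the time."""
    counter = now // step
    return _truncate(hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest())


def verify_time_code(seed: bytes, code: str, now: int,
                     step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or +/- skew_steps neighbouring steps
    to tolerate small clock drift; constant-time compare per candidate."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(time_code(seed, now + delta * step, step), code):
            return True
    return False
```

With a drift window of one step, a code read off the token at second 990 still verifies at second 1020 but not at 1080, which is the "synchronized in time" condition in practice.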
USB devices, usually like a USB token, is again something we could actually use as single-factor authentication, not that popular because, as a separate example, people used to want to do encryption and encrypt their hard drives, and that’s great. And they would store the key to decrypt on the USB device and then they would put the USB device in the same case that they’re carrying the laptop. I mean, what good did it do you if you left the key with the lock? But nonetheless, it was another type of device that would store unique user information and could be inserted in some devices to prove who you are. So that was another one that we had. Machine authentication and pre-shared key, I think we’ve done pretty good about talking about those. Proximity badges: a proximity badge would be something you carry, and usually you have some sort of little, I don’t know, call it a necklace or something, and your card is sitting here and you usually have to put it within close proximity to the device so it can be read. Some of that is like the RFID tags, things that you’re not going to see a whole lot of, I don’t think, in the wireless world, but certainly might be in some of the higher or more government-sensitive types of deployments where they want to be very careful about security and actually pay all the extra money and work to set that up. And then finally, I think we talked about biometrics. That’s the something you are.
And like I said, we talked about things like the fingerprint, palm print, voice recognition, all of those things. Iris or retina scans, they do different things, by the way, as far as what they’re looking at. Lots, lots of different devices. Usually the problem that we have with biometrics is that, depending on the device and how it’s set up, you could get too many false positives. That means that somebody who wasn’t supposed to be recognized gets recognized, which is bad. Or you could have false negatives, and the false negative would be the person is legitimate, but for whatever reason, their fingerprint or whatever isn’t working. So there is usually kind of a chart where we would look at these and find out, you know, where a device was and, you know, the chances of it causing us problems; again, it came back to money and sensitivity and all sorts of cool things like that. But those are all possibilities for the supplicant. And remember, all of this is about proving who you are. Authentication.