CWNP CWSP – Module 04 – 802.11 Authentication Methods Part 4

  1. Authentication Server Credentials

One thing we haven't talked much about yet is the authentication server itself, whether that's RADIUS, TACACS+, Active Directory, or whatever it happens to be. Remember what it does: it is the component that actually validates the user's credentials. We already said the access point is the authenticator, and the authenticator does not do the verifying. It relays the challenge to the supplicant for a username and password (or whatever credential is in use) and then forwards the supplicant's answer to the authentication server to verify who you are.

Now remember I said you could have a local database of users defined individually on this server, or the server could reach out to something like Active Directory. Microsoft loves to draw triangles for Active Directory, so that's why I draw it that way, as a centralized directory. The nice thing about using something like Active Directory, of course, is that our users keep their single sign-on: they use the same account they use for everything else. But here is the problem. If somebody internal to your network is up to no good, and this could certainly happen, they could try to intercept the traffic heading to the authentication server and approve people who shouldn't be there. They would pretend to be the valid RADIUS or TACACS+ server, or whatever the case may be.

A lot of times we call that a man-in-the-middle attack. So one of the things we need is a credential that the RADIUS server is expecting and the access point is providing, so that the person in the middle would have to guess that shared secret to impersonate either side. Now, one of the things we can do, and we'll see this again with the variety of EAP methods, though we're not getting into that depth right now and are using some of these older technologies to explain the idea, is create a Transport Layer Security, or TLS, tunnel.

Remember that inside that tunnel the authentication server, the RADIUS server, identifies itself with its own certificate, which the attacker in the middle cannot forge, and the client can be required to present a certificate of its own as well. One point worth being precise about: in the EAP methods the TLS tunnel runs between the supplicant and the authentication server; the access point just relays the frames. The hop between the access point and the RADIUS server is protected separately, by the shared secret we'll look at in a moment (or by RADIUS over TLS, if you run it). TLS is central to several of the Extensible Authentication Protocol methods, and it's one of the stronger approaches because when we say tunnel we also mean the traffic inside it is encrypted.

So it is an encrypted tunnel. But it depends on having a root certificate authority that both sides trust to issue those certificates, and I'm not going to get into whether you should run your own CA or buy from a public, for-profit certificate authority. That's a decision you or your enterprise will make. What's important is that both sides trust that particular CA. If somebody presents a fake certificate, that's when you get those big warning pop-ups, which look different depending on your web browser and version, but you still get a certificate error and it always tells you that best practice is not to accept it. Unfortunately, some of our users accept certificates anyway. The same caveat applies to the supplicant: it should be configured with the trusted CA and the expected server name so that it refuses an unknown certificate automatically rather than prompting the user.

The good news is that the access point is not a user, and neither is the authentication server. If the other side isn't trustable, they simply drop the connection automatically. One of the most basic methods of doing this verification between the access point and the external authentication server is what they call a shared secret. Often they just call it a key, and the key is just a string, like a pre-shared key, that both sides have. To be fair, the server also verifies the IP address: it only accepts requests from the client IP addresses it has been configured with, and each of those requests carries this secret we've typed in. It's kind of like knocking on the door of one of the shadier places in town that's up to illegal activity, in a way. Somebody opens the little slider in the door, looks out to see who you are, and asks for the password.

That's what it reminds me of, because again, it's not a guarantee that the traffic is encrypted. With a RADIUS shared secret, only the password attribute is obfuscated; the rest of the exchange goes by in the clear. But it's another option. We have some older technologies here as well. Now get this: this is a joke, this is not what it really stands for, but I call one of them the poor authentication protocol. It's actually the Password Authentication Protocol, or PAP. The reason I don't like it is that there's no challenge at all: the client simply sends its username and password to the RADIUS server, and it's all done in clear text. That's why I call it poor, but it is an option.
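Here is what that shared secret and source-IP check look like on the wire, as an added worked example that is not part of the course material: a toy RADIUS exchange in Python following the RFC 2865 layout. The access point hides a PAP-style password under the shared secret, the server drops requests from unknown client IPs and answers with a Response Authenticator, and the access point verifies that authenticator before trusting the answer. The secret, addresses and user database are made up for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: one NAS (the access point) and one RADIUS server.
SHARED_SECRET = b"correct horse battery staple"          # made-up secret
KNOWN_CLIENTS = {"192.0.2.10": SHARED_SECRET}           # server's client table: NAS IP -> secret
USER_DB = {"alice": "Wonderland!1"}                     # server's local user database (made up)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(t, value):
    """Encode one attribute: Type(1) Length(1) Value."""
    return bytes([t, 2 + len(value)]) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with a chained MD5 stream."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: regenerate the same stream, XOR, strip null padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00").decode()


def packet(code, ident, authenticator, attributes):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def nas_build_access_request(ident, username, password, nas_ip):
    """The access point's side: a fresh random Request Authenticator and a hidden password."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def server_handle(pkt, src_ip):
    """Drop unknown source IPs; otherwise check the password and sign the reply with the secret."""
    secret = KNOWN_CLIENTS.get(src_ip)
    if secret is None:
        return None                                   # not a configured client: silently dropped
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if USER_DB.get(user) == pw else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def nas_verify_response(resp, req_auth):
    """The access point recomputes the Response Authenticator; without the secret it cannot be forged."""
    code, _, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


def demo():
    req, req_auth = nas_build_access_request(7, "alice", "Wonderland!1", "192.0.2.10")
    good = nas_verify_response(server_handle(req, "192.0.2.10"), req_auth)
    # A rogue host on the wire that never learned the secret tries to mint an Access-Accept.
    forged = nas_verify_response(packet(ACCESS_ACCEPT, 7, os.urandom(16), b""), req_auth)
    dropped = server_handle(req, "198.51.100.9") is None   # request from an unconfigured client
    return good, forged, dropped
```

Note what the secret does and does not buy you: a rogue host that never learned the secret cannot produce a valid Access-Accept, but everything except the password attribute crosses the wire in the clear, the password hiding is MD5-based, and a captured exchange can be brute-forced offline against a weak secret. Use a long, random secret and a different one per client.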

And then there's the Challenge Handshake Authentication Protocol, or CHAP. CHAP is a little more secure. It operates in much the same way, but instead of sending the password in clear text it at least hashes the password, and it adds a salt. What was salt? I said earlier that it's a reasonably random number, sometimes called a nonce. Here the nonce is the challenge the server sends.

So basically you take the password you've supplied, add the nonce to it, and hash the combination. The reason for that is that a plain hash of a password, by itself, is easy to look up once you've captured it, and that's especially true of older CHAP-style protocols. Let me clarify that. Hashing is a one-way process. I've heard people say hashing is like dropping a glass on the ground and watching it shatter: very easy in one direction and very hard to reverse. So you would think, okay, that sounds like it's not a big deal.

Well, here's what happens. Out in the world, people have been building what they call precomputed hash tables. They've gone by a lot of different names, most commonly rainbow tables. The idea is to have a program generate every possible password up to some length from a chosen character set and hash each one. Then, if I intercept your hash, I look it up in the column of hashes to find a match, and once I know which hash it matches, I know the password that created it. That makes it easy to reverse in practice. But if we're adding this nonce, then whatever hash you look up isn't a hash of the original password alone, so the table is useless.

That's why they call it adding salt; I think a lot of Linux systems use that term. So it just makes it a little more secure. And the nonce itself is sent in clear text. Then, of course, the server takes the password it has stored for that user in its database, adds the nonce to it, hashes it, and sees if the hashes match. If they do, we're good. Now, Microsoft has its own variant, the Microsoft Challenge Handshake Authentication Protocol, or MS-CHAP. It operates much the same way, but uses Microsoft's own hashing (the NT password hash rather than MD5) so that it works against Windows account databases. And again, it's sending the credential at least as a hash. Be aware, though, that the MS-CHAPv2 response is weak enough to be cracked offline, which is why today it's only run inside a protected TLS tunnel such as PEAP.
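As an added example, not from the course, here is CHAP's challenge and response carried through in Python with the RFC 1994 framing: the server issues a random nonce, the client answers with MD5(identifier || password || challenge), and the server recomputes the hash from its stored password. The demo also shows what the nonce does and does not buy you: the same password yields a different response for every challenge and a replayed response fails, but a captured challenge/response pair can still be attacked with a dictionary. User names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: the server's user database is made up.
USER_DB = {"alice": "Wonderland!1", "bob": "summer2019"}

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code, ident, value, name):
    """RFC 1994 layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name.encode()


def chap_parse(pkt):
    code, ident, length, vsize = struct.unpack("!BBHB", pkt[:5])
    value = pkt[5:5 + vsize]
    name = pkt[5 + vsize:length].decode()
    return code, ident, value, name


def chap_hash(ident, secret, challenge):
    """CHAP with MD5: response value = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def server_issue_challenge(ident, server_name="radius.example"):
    """The 'salt' the text refers to: a fresh random nonce, sent in the clear."""
    nonce = os.urandom(16)
    return chap_packet(CHAP_CHALLENGE, ident, nonce, server_name), nonce


def client_respond(challenge_pkt, username, password):
    """The supplicant hashes its password together with the challenge it just received."""
    _, ident, nonce, _ = chap_parse(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, password, nonce), username)


def server_verify(response_pkt, issued_nonce):
    """The server recomputes the hash from the stored password and the nonce it issued."""
    _, ident, value, name = chap_parse(response_pkt)
    stored = USER_DB.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(value, chap_hash(ident, stored, issued_nonce))


def offline_guess(response_pkt, captured_nonce, wordlist):
    """What an eavesdropper can still do: the nonce defeats precomputed tables, but a
    captured challenge/response pair can be attacked with a dictionary, one capture at a time."""
    _, ident, value, _ = chap_parse(response_pkt)
    for guess in wordlist:
        if chap_hash(ident, guess, captured_nonce) == value:
            return guess
    return None


def demo():
    ch, nonce = server_issue_challenge(ident=42)
    resp = client_respond(ch, "alice", "Wonderland!1")
    ok = server_verify(resp, nonce)
    # Replay: the server has moved on to a fresh nonce, so the old response no longer verifies.
    ch2, nonce2 = server_issue_challenge(ident=43)
    replayed = server_verify(resp, nonce2)
    # Same password, different challenge -> different response value, so no lookup table helps.
    resp2 = client_respond(ch2, "alice", "Wonderland!1")
    differs = chap_parse(resp)[2] != chap_parse(resp2)[2]
    # A weak password still falls to a dictionary attack on the captured pair.
    ch3, nonce3 = server_issue_challenge(ident=44)
    resp3 = client_respond(ch3, "bob", "summer2019")
    cracked = offline_guess(resp3, nonce3, ["password", "letmein", "summer2019"])
    return ok, replayed, differs, cracked
```

The takeaway is the one the lecture is building towards: the challenge stops replay and precomputed tables, but it does not stop an attacker who can sniff the exchange from guessing weak passwords offline, and it requires the server to hold a recoverable copy of the password. That is why these methods end up wrapped in a TLS tunnel in the EAP world.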

  1. EAP

Well, now we're going to introduce this concept of EAP, and I like the way we pronounce that. The Extensible Authentication Protocol has been around for a long time. It was originally designed as a common framework: no matter what credential you chose for the supplicant, username and password, smart cards, biometrics, whatever the case is, it gives the supplicant a way to encapsulate the authentication conversation to the authenticator, and the authenticator a way to encapsulate it and pass it on to the authentication server. So EAP doesn't care what credential you're using. What it was really designed to do was carry the authentication exchange in a uniform way; the actual protection of that exchange comes from the EAP method you pick, for example one of the TLS-based methods.

It is a layer 2 protocol, because if you think about where we are in the Wi-Fi process, the client has associated but the authenticator's controlled port is still blocked, so no IP traffic has flowed yet. We're just exchanging frames over the radio, and that's why we call it a layer 2 protocol: we don't need an IP address for anything that's happening here. I hope I've at least gotten across that it is very flexible. Now, some versions of EAP are proprietary.

As an example, Cisco for a while used what they called the Lightweight Extensible Authentication Protocol, so people were calling it LEAP. But that also meant you could only use it with Cisco products. In fact, we're going to go through a list of these different EAP types so you can compare what's going on. Okay, so to sum up, we have something very flexible that we're communicating over layer 2, and we generally consider that to be EAP over the LAN. So you might see it as this thing called EAPOL, EAP over LAN.

I'm going to take you through some of the more complicated ones, or at least the more common ones we see. But first let me diagram the basic flow of EAP over the LAN and its messages. Every EAPOL frame has the same outer header, and the most common type is the EAP-Packet, which is simply an EAP message encapsulated in an EAPOL frame; that's what we call every frame carrying the actual EAP conversation, regardless of what it contains. Now, when we first start, it's usually the supplicant up here that kicks things off, so we have an EAPOL-Start message. It's an optional frame, but it exists because, like I said, very rarely does the access point reach out to clients and ask them to join; it's usually the client reaching out to the authenticator.

So I'm going to say that's probably the client doing that as part of this. Now, at some point we're going to send a message that we're logging off, the EAPOL-Logoff. That's the way of ending or terminating the EAP session and shutting down the virtual port. The bad thing is that an attacker might spoof that frame as a denial of service, kicking a legitimate client off. We're also going to talk about keying. We have a frame called the EAPOL-Key that is used to create or exchange these dynamic keys.

What is going to be important is that you understand the basics of that keying process, which we usually describe as a four-way handshake, and you'll see some better options. Then we also have what's called the EAPOL-Encapsulated-ASF-Alert, which is basically a frame for sending alerts. An alert might be something like an SNMP trap: maybe I want to send a network management server a message that a virtual port opened or that somebody just authenticated with us over EAP. And again, that goes back to the accounting or logging process.
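To make the EAPOL frame types concrete, here is an added Python example (not from the course) that encodes and decodes the 802.1X EAPOL header and the EAP header carried inside an EAP-Packet, builds the Start / Request-Identity / Response-Identity frames that open an exchange, and runs a simple rate detector over a constructed capture to flag the spoofed EAPOL-Logoff flood mentioned above. MAC addresses, timestamps and the threshold are made up for the illustration.

```python
import struct
from collections import defaultdict

# 802.1X constants (EAPOL frames ride on Ethertype 0x888E); everything else is constructed.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def eapol(packet_type, body=b"", version=2):
    """802.1X EAPOL header: Version(1) Type(1) Body-Length(2), then the body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2); Request/Response add Type(1) and data."""
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def describe(frame):
    """Decode an EAPOL frame to a short label, descending into EAP-Packet bodies."""
    _, ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    label = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype != 0:
        return label
    code, ident, length = struct.unpack("!BBH", body[:4])
    label = f"EAP-{EAP_CODES.get(code, code)} id={ident}"
    if code in (1, 2):                       # Request and Response carry a Type byte
        etype, data = body[4], body[5:length]
        if etype == EAP_TYPE_IDENTITY:
            label += "/Identity" + (f" '{data.decode()}'" if data else "")
        else:
            label += f"/type {etype}"
    return label


def identity_exchange(username):
    """The frames that open an EAPOL session: Start, Request/Identity, Response/Identity."""
    return [
        eapol(1),                                            # supplicant -> authenticator
        eapol(0, eap(1, 1, EAP_TYPE_IDENTITY)),              # authenticator asks who you are
        eapol(0, eap(2, 1, EAP_TYPE_IDENTITY, username.encode())),
    ]


def logoff_flooders(frames, threshold=5, window=10.0):
    """Flag any source MAC that sends more than `threshold` EAPOL-Logoff frames within `window`
    seconds. `frames` is an iterable of (timestamp, src_mac, eapol_frame). A forged Logoff is
    sent with the victim's MAC, so the anomaly is the rate, not the address."""
    seen = defaultdict(list)
    flagged = set()
    for ts, src, frame in sorted(frames):
        if struct.unpack("!BBH", frame[:4])[1] != 2:          # only EAPOL-Logoff counts
            continue
        times = seen[src]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) > threshold:
            flagged.add(src)
    return sorted(flagged)


# Constructed capture: a normal identity exchange, then a burst of spoofed Logoffs for the
# supplicant's MAC, then one legitimate Logoff much later.
SUPPLICANT, AUTHENTICATOR = "aa:bb:cc:00:00:01", "aa:bb:cc:ff:ff:01"
_start, _req_id, _resp_id = identity_exchange("alice")
SAMPLE_CAPTURE = (
    [(0.00, SUPPLICANT, _start), (0.01, AUTHENTICATOR, _req_id), (0.02, SUPPLICANT, _resp_id)]
    + [(1.0 + i * 0.2, SUPPLICANT, eapol(2)) for i in range(8)]   # 8 spoofed Logoffs in 1.6 s
    + [(30.0, SUPPLICANT, eapol(2))]                              # one legitimate Logoff
)

if __name__ == "__main__":
    for ts, src, frame in SAMPLE_CAPTURE:
        print(f"{ts:6.2f} {src} {describe(frame)}")
    print("Logoff flood from:", logoff_flooders(SAMPLE_CAPTURE))
```

The detector is deliberately simple; a wireless IDS would also correlate with deauthentication frames and with the client immediately re-authenticating, but the frame parsing is the part worth getting right first, because the EAPOL type byte is what separates the four-way handshake (EAPOL-Key) from the rest of the conversation.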
