CWNP CWSP – Module 04 – 802.11 Authentication Methods

  1. 802.11 Authentication Methods

This module is going to talk about the different types of authentication methods that we can use with 802.11. So we’ll start with, again, an overview of what authentication is all about and then we’ll get into the concept of these AAA servers. Then we’ll also look at port-based authentication, 802.1X. We’ll talk about the ways in which the Supplicant, well, we’ll talk about what a Supplicant is too, but Supplicant credentials, the authentication server credentials, uses of things like shared secrets. We’ll look at some of the legacy authentication protocols, and then we’re going to talk a lot about the Extensible Authentication Protocol, or EAP, and a lot of the different flavors, some of the legacy flavors and some of the proprietary flavors and some of the ones that we currently use in most of our enterprises.

  1. WLAN Authentication Overview

So I think I mentioned before that authentication is really just the verification of an identity, and that’s an important aspect because an identity can be a lot of different things. Most notably, we’re used to using usernames and passwords, but that’s just one piece of what could be the identity. But even if it was username and password, we still have to have some sort of server that verifies that you have the right combination of username and password so that we can say yes indeed, you appear to be the person that you are, and we’re going to take a look at a number of these. So that username and password, well, there are several factors, I should say, and your best bet is to use what we call a multifactor type of authentication. That means using two or maybe all three of these types of options to make a system more secure when it comes to somebody trying to spoof a user. The first one I just mentioned was the username and password, and that’s usually the one that we call the something you know, because that is something you know.

The weakness though is that, and I’m going to say it here, it’s also the weakest type of authentication because it’s not hard for a good hacker to maybe socially engineer. Social engineering, by the way, is a way in which we convince somebody to send us or give us their password, tell us their password, eavesdropping on the password. 50% of all of our hacks come from social engineering. And I can give you a couple of stories just to kind of give you the idea. As an example, I was in this store trying to buy a new cellular phone or get an upgrade or whatever the case may be, but the computer was down and if you could see me, you would see me making the air quotes when I said the computer was down. So they had to call in a technician to try to get this computer back online to the network. And I’m sitting there still shopping for phones, knowing I can’t buy anything.

And the technician shows up and sits in front of the computer and then asks the person that’s working there, a person, by the way, who’s a sales associate, but was not the manager. And they asked out loud for everybody in the store to hear. They said, what is your manager’s password? So I thought that was kind of a questionable thing. If you’re not the manager, you shouldn’t know the manager’s password. But she did and she yelled across the room, not only yelled out what the password was, but how to remember the password. Apparently it was the last name of his favorite basketball player plus the player’s uniform number. So how easy was that for me to be able to get this information? As another example, I heard at an airline, ever since 9/11, we were very careful with airlines. My bag got lost. The lady was trying to look it up but couldn’t log in. Got on a walkie-talkie, a cleartext voice communication, asked for the password. I’m not going to tell you which airline it was or the password, but it was the same username, same password. All of these are just bad, bad, bad things that show you why something you know is the weakest form of using the types of authentication. Now the something you have is better. That’s where the something you have and you’re going to see a list here as an example, like a smart card or when I go to military organizations, they all have to have a CAC card.

They have to insert the card into the laptop or into a card reader before they can even use their username and password. So even if the username and password is compromised, you would still need to have this physical card to be able to be fully authenticated. That would be an example of multifactor. The other one is something you are and that gets us into the realm of biometrics. And I’m not going to take us down a big road of biometrics, but not every system is perfect, whether it’s an iris or retina scan or whether it’s fingerprint, palm print, voice recognition, whatever the case is, it’s something about you that hopefully can’t be imitated. I mean, I’m sure you’ve all watched lots of gory movies where they compromise that system and there’s nothing that says you can’t have all three factors involved to be able to gain access into a particular facility. Now, the next thing I want to write down here is what’s the weakest link of all of these factors? And let me give you again another story. Hopefully you like the story so you get a good idea before I do that.

Well, I’ll give you the answer, I’ll give you the solution. But I was working at this company. Again, I’m not going to tell you which company it was. It was in the southern part of the middle of the country and they are a multinational company, by the way. They have offices all over the world. And I was there for a specific job to work with some specific equipment. And I was bored at lunch and they had given me a guest card. So I had a magnetic card, which could also be, again, something you might think of as something you have to be able to have access. But it didn’t have a picture or name or anything on it. It was just a visitor card. Anyway, I’m walking down this hallway in the basement because I was bored and actually I was going to try to see if I could figure out where the network operation center was.

And so I get to this down this hallway. So you can imagine if this is the wall of the hallway and there were doors to all these different places and all the doors had labels, except for the one door that had a little window in it. That’s always a telltale sign that somebody once learned in security that they said, hey, if you want to protect things that are important, don’t put a label on the door so nobody knows what it is. But again, if you put labels on all these other doors anyway, so it made me think that was a network operating center. I looked inside that little window and I saw that they had a hallway that went to another door. And on that door they had a password box where you had to know the password basically to put that in there. And to get through this first door. Of course, they had the magnetic card reader. Mine didn’t work on there.

And in front of that door was a little podium that was a fingerprint scanner. So we had it all. You needed to have a magnetic card to get in here first. You had to have biometrics to get past there, and you had to have a password to get past this entry. And so I’m standing in here looking right, I’m just right here looking through that little window to see what’s down that hallway, thinking it was the network operation center. By the way, it turns out I was right. But nonetheless, some guy came up behind me and scared me because I was like, wow, I’m too busy snooping in the window. You’re not supposed to surprise me. Asked what I was doing, I said, I’m here to do this job. I’m a visitor. I thought I’d see the network operations center. So whether I had permission or not, he used his magnetic card, let me piggyback in. He used his fingerprints to get through that door and then typed in the combination and then let me into the network operation center.

Now, that might have been a security problem, I don’t know. But what was the weakest link? The weakest link is us, the people. So even though they went through all of that work to be able to keep that secure facility, the weakest link is us. And so I’m just going to throw it out here now as a good security concern is that we should train everybody about awareness of security issues so we don’t have those types of problems. That would have also gone well with the person at the cellular phone company, would have worked well for the airline at the baggage claim. Awareness is key when we come up with all of these great plans for authentication.

  1. AAA

The concept of AAA is not the driving or automotive club. It’s what we use for all of this process. And I just went on for quite a while about the authentication, proving your identity. Now, once we know who you are, and remember, this is important: just because you can authenticate or your employees can authenticate doesn’t mean you’re safe. This is not security. This is proving who somebody is. If that user was a disgruntled employee and they wanted to destroy your files, and they could authenticate, they could destroy your files, whether it was purposeful or accidental.

So then we have the authorization, which is basically what you can do. So again, I’ll put in another personal story. I was working for a reseller of equipment. We call them a VAR. And they had this. And this, by the way, was a long, long time ago. They had just bought this color laser printer. And let me just tell you, this is when color laser first came out. I mean, so this thing was expensive. The toner was expensive. And they had given me an account so I could do authentication to get onto the network. And again, I was, I guess, bored at lunch. So I was cruising around to see what I could do, my authorization, what I was allowed to do, and I realized that I had access to this beautiful color laser printer.

And so I said, hey, I’ve got some holiday cards I need to print. They didn’t give me an acceptable terms of use policy, so I printed about 50 of these cards so that I could mail them out to family and friends and all that sort of stuff. But then they did something that was right. They turned on accounting. Accounting or auditing is keeping track of what you do.

And so the next day, they asked me the question, said, did you use our new color laser printer? And I said, I sure did. I printed out a bunch of holiday cards. And I said, well, you’re not supposed to do that. And I said, well, then you should have told me. I mean, you gave me permission to use it, authorization. But they had kept track of who was using it, auditing. And I said, besides, I’ll send you a card. Okay? They thought it was funny. And then the next day, I got an acceptable use about the printer. So all of those are important when it comes up to the way in which we handle the security. So authentication, again, proving who you are, the authorization, what you’re allowed to do, and then the fact that we do accounting, auditing, logging, whatever word you want to do. And that’s keeping track of the actions of the people that authenticate. So we know what’s going on in our network.
