Karri Huhtanen, profile picture
Uploaded byKarri Huhtanen
501 views

EAP-TLS

The document discusses the complexities of deploying EAP-TLS for secure authentication in networks, emphasizing the need for proper configuration of a RADIUS server, certificates, and an authorization database. It outlines the challenges faced in managing client certificates and stresses the importance of testing in real environments to ensure successful implementation. Additionally, it suggests careful vendor selection for support in the design and deployment process.

Embed presentation

Download to read offline
EAP-TLS KARRI HUHTANEN RADIATOR SOFTWARE OY
EAP-TLS is easy … … for RADIUS server. At the minimum one needs only to configure RADIUS server certificate and the CA certificate for client certificate verification. … to configure improperly. Understanding how certificates, certificate revocation, root and intermediate CAs, PKI etc works requires significant effort. Designing and deploying working model requires even more. … only when one does not need to care about the client certificates, their configuration, provisioning and management.
Deploying EAP-TLS never start or settle requirements because of a product, solution or technology start with defining and designing policies (validity, expiry times, authorisation, usage …) PKI (hierarchy: CAs, intermediate CAs, certificate usage …) configuration management certificate provisioning certificate requirements (roaming, use, technology …) … but do pilot /trials simultaneously to learn and to see how things do (or do not) work or scale with real users and infrastructure
Start with simple trial … Try self-signed CA, manually created client certificates first (or Radiator’s certificates directory) eduroam managed IdP as a service for roaming EAP-TLS tests Verify first that your underlying network and especially firewalls and their rules work when using EAP-TLS Firewalls filtering UDP fragments and especially *BSD firewalls (scrub setting) can cause problems. Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Client devices
Add basic automatic certificate validation… a separate Certificate Authority (CA) capable of providing certificate revocation lists (CRLs) or function as a Online Certificate Status Protocol (OCSP) server is needed several open source CAs/PKIs available: easypki, dogtag, ejbca … with this setup one can ensure that when certificates expire, they do not work for authentication anymore automating the certificate validity check is essential for using certificate authentication Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates
Add connection to authorisation database… Authorisation database can be Active Directory, LDAP, SQL with additional information about the client certificate. CA, CRLs and OCSP can be sometimes replaced by client certificate check against the authorisation database. Authorisation database can contain additional information such as VLAN assignments, account active/locked etc. How flexible/complex/simple the authorisation checks can be depends on the IdP RADIUS product. Federation Level RADIUS IdP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL)
Deploy certificate management service… Properly distributing and configuring certificates in the end user devices is difficult. For managed devices (Windows domain/ Intune) or for Apple devices it is easier, but Android/Linux devices are hard. Currently there seems to be no better approach than to have an app in the device talking to a service. One commercial option is SecureW2. Certificate signing requests created in the actual device are even harder. IdP RADIUS Wi-Fi network (controller) Certificate Management Service OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL) Certificate (signing) requests Certificate request authorisation requests
… and you are done… sort of … maybe … If everything presented before works for you, it’s brilliant … and you are brilliant. Unfortunately any organisation who does not have the first step right will break your organisation’s users’ roaming. Sometimes even the packet filters / firewalls in front of federation level RADIUS servers need configuration adjustments. Deploying certificate based authentication requires design, competence and support from infrastructure and service vendors — choose wisely, select vendors and solutions, for which you can get support for design, deployment and production.
Questions? Find this presentation and more from: https://blog.radiatorsoftware.com/ https://slideshare.net/radiatorsoftware/ https://slideshare.net/khuhtanen/ https://twitter.com/OSCRadiator Extended presentation coming to JISC govroam stakeholders’ meeting (15th of October 2019 in Manchester, United Kingdom) and to the Internet locations above.

More Related Content

PDF
W23 - Advanced Performance Tactics for WebSphere Performance
byHendrik van Run
 
PPTX
Cisco Identity Services Engine (ISE)
byAnwesh Dixit
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
PPTX
Introduction+to+Kubernetes-Details-D.pptx
bySantoshPandey160
 
PPTX
VLAN _SLAN and VSAN.pptx
byVenneladonthireddy1
 
PPTX
Microsoft Azure Networking Basics
bySai Kishore Naidu
 
ODP
Bcache and Aerospike
byAnshu Prateek
 
PDF
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
byMatt Leming
 
W23 - Advanced Performance Tactics for WebSphere Performance
byHendrik van Run
 
Cisco Identity Services Engine (ISE)
byAnwesh Dixit
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
Introduction+to+Kubernetes-Details-D.pptx
bySantoshPandey160
 
VLAN _SLAN and VSAN.pptx
byVenneladonthireddy1
 
Microsoft Azure Networking Basics
bySai Kishore Naidu
 
Bcache and Aerospike
byAnshu Prateek
 
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
byMatt Leming
 

What's hot

PDF
Maximizing SD-WAN Architecture with Service Chaining - VeloCloud
byVeloCloud Networks, Inc.
 
PDF
Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
PDF
L2 Attacks.pdf
byvinaykumar947680
 
PDF
Putting Firepower Into The Next Generation Firewall
byCisco Canada
 
PDF
Azure DDoS Protection Standard
byarnaudlh
 
PPTX
SD-WAN plus cloud security
byZscaler
 
PDF
Networking in Docker
byKnoldus Inc.
 
PPTX
Network Security Nmap N Nessus
byUtkarsh Verma
 
PPTX
Chapter 7 - Wireless Network Security.pptx
byAmanuelZewdie4
 
PDF
Dns tunnelling its all in the name
bySecurity BSides London
 
PPTX
Ssh
byRaghu nath
 
PPTX
What is security testing and why it is so important?
byONE BCG
 
PDF
An Introduction to Kubernetes
byImesh Gunaratne
 
PDF
Monitoring in CloudStack
byShapeBlue
 
PPTX
What is Penetration Testing?
bybtpsec
 
PPTX
VMworld 2017 Core Storage
byCormac Hogan
 
PPT
ACTIVE-DIRECTORY.ppt
bymwti2
 
PPTX
Introduction to ELK
byYuHsuan Chen
 
PPTX
Ansible module development 101
byyfauser
 
PDF
Create a spectrum analysis ap group
byAruba, a Hewlett Packard Enterprise company
 
Maximizing SD-WAN Architecture with Service Chaining - VeloCloud
byVeloCloud Networks, Inc.
 
Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
L2 Attacks.pdf
byvinaykumar947680
 
Putting Firepower Into The Next Generation Firewall
byCisco Canada
 
Azure DDoS Protection Standard
byarnaudlh
 
SD-WAN plus cloud security
byZscaler
 
Networking in Docker
byKnoldus Inc.
 
Network Security Nmap N Nessus
byUtkarsh Verma
 
Chapter 7 - Wireless Network Security.pptx
byAmanuelZewdie4
 
Dns tunnelling its all in the name
bySecurity BSides London
 
Ssh
byRaghu nath
 
What is security testing and why it is so important?
byONE BCG
 
An Introduction to Kubernetes
byImesh Gunaratne
 
Monitoring in CloudStack
byShapeBlue
 
What is Penetration Testing?
bybtpsec
 
VMworld 2017 Core Storage
byCormac Hogan
 
ACTIVE-DIRECTORY.ppt
bymwti2
 
Introduction to ELK
byYuHsuan Chen
 
Ansible module development 101
byyfauser
 
Create a spectrum analysis ap group
byAruba, a Hewlett Packard Enterprise company
 

Similar to EAP-TLS

PDF
EAP-TLS (extended version)
byKarri Huhtanen
 
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
byKarri Huhtanen
 
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
byRadiator Software
 
PDF
TLS and Certificates
byKarri Huhtanen
 
PDF
Routing host certificates in eduroam/govroam
byKarri Huhtanen
 
PDF
Security issues in RADIUS based Wi-Fi AAA
byKarri Huhtanen
 
PPTX
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PDF
Attacking and Securing WPA Enterprise Networks
byNortheast Ohio Information Security Forum
 
PPTX
EC PKI Training on-prem and cloud-based PKI
byParnashreeSaha
 
PDF
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
byDevOps.com
 
PDF
ClearPass Overview and Best Practices.pdf
bykennethbawaw
 
PPTX
WiFi Hotspot Password
byMaryam Namira
 
PDF
Wireless Security Architecture Designing and Maintaining Secure Wireless for ...
byortiqbrowny82
 
PDF
RADIUS and LDAP - pfSense Hangout August 2015
byNetgate
 
PPTX
Canarie CAF-eduroam Technical Workshop
byChris Phillips
 
PDF
Cert0101 HPE6-A42 & HPE6-A70.pdf
byAllen Kuo
 
PPTX
Automating the cip compliance test lab
byChuck Reynolds
 
PPT
talk
byJohn Hines
 
PDF
Certification
byRIPE NCC
 
PPT
Computer Security Test
bykhant14
 
EAP-TLS (extended version)
byKarri Huhtanen
 
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
byKarri Huhtanen
 
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
byRadiator Software
 
TLS and Certificates
byKarri Huhtanen
 
Routing host certificates in eduroam/govroam
byKarri Huhtanen
 
Security issues in RADIUS based Wi-Fi AAA
byKarri Huhtanen
 
Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
Attacking and Securing WPA Enterprise Networks
byNortheast Ohio Information Security Forum
 
EC PKI Training on-prem and cloud-based PKI
byParnashreeSaha
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
byDevOps.com
 
ClearPass Overview and Best Practices.pdf
bykennethbawaw
 
WiFi Hotspot Password
byMaryam Namira
 
Wireless Security Architecture Designing and Maintaining Secure Wireless for ...
byortiqbrowny82
 
RADIUS and LDAP - pfSense Hangout August 2015
byNetgate
 
Canarie CAF-eduroam Technical Workshop
byChris Phillips
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
byAllen Kuo
 
Automating the cip compliance test lab
byChuck Reynolds
 
talk
byJohn Hines
 
Certification
byRIPE NCC
 
Computer Security Test
bykhant14
 

More from Karri Huhtanen

PDF
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
byKarri Huhtanen
 
PDF
Wi-Fi Roaming Security and Privacy
byKarri Huhtanen
 
PDF
What is Network Function Virtualisation (NFV)?
byKarri Huhtanen
 
PDF
Fault-tolerant, distrbuted AAA architecture supporting connectivity disruption
byKarri Huhtanen
 
PDF
What is Network Function Virtualisation (NFV)?
byKarri Huhtanen
 
PDF
SIM Authentication Architectures and Interfaces
byKarri Huhtanen
 
PDF
OpenRoaming and CapPort
byKarri Huhtanen
 
PDF
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
byKarri Huhtanen
 
PDF
OpenRoaming -- Wi-Fi Roaming for All
byKarri Huhtanen
 
PDF
Using NoSQL databases to store RADIUS and Syslog data
byKarri Huhtanen
 
PDF
Open WiFi or Broken WiFi?
byKarri Huhtanen
 
PDF
eduroam diagnostics in NTLR, IdPs and SPs
byKarri Huhtanen
 
PDF
Adding OpenRoaming to existing IdP and roaming federation service
byKarri Huhtanen
 
PDF
Cloud Based Identity Management
byKarri Huhtanen
 
PDF
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
byKarri Huhtanen
 
PDF
Suomen eduroam-juuripalvelun uudistukset
byKarri Huhtanen
 
PDF
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
byKarri Huhtanen
 
PDF
Building city and nationwide Wi-Fi coverage via cooperation
byKarri Huhtanen
 
PDF
Cooperative labs, testbeds and networks
byKarri Huhtanen
 
PDF
Privacy and traceability in Wi-Fi networks
byKarri Huhtanen
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
byKarri Huhtanen
 
Wi-Fi Roaming Security and Privacy
byKarri Huhtanen
 
What is Network Function Virtualisation (NFV)?
byKarri Huhtanen
 
Fault-tolerant, distrbuted AAA architecture supporting connectivity disruption
byKarri Huhtanen
 
What is Network Function Virtualisation (NFV)?
byKarri Huhtanen
 
SIM Authentication Architectures and Interfaces
byKarri Huhtanen
 
OpenRoaming and CapPort
byKarri Huhtanen
 
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
byKarri Huhtanen
 
OpenRoaming -- Wi-Fi Roaming for All
byKarri Huhtanen
 
Using NoSQL databases to store RADIUS and Syslog data
byKarri Huhtanen
 
Open WiFi or Broken WiFi?
byKarri Huhtanen
 
eduroam diagnostics in NTLR, IdPs and SPs
byKarri Huhtanen
 
Adding OpenRoaming to existing IdP and roaming federation service
byKarri Huhtanen
 
Cloud Based Identity Management
byKarri Huhtanen
 
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
byKarri Huhtanen
 
Suomen eduroam-juuripalvelun uudistukset
byKarri Huhtanen
 
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
byKarri Huhtanen
 
Building city and nationwide Wi-Fi coverage via cooperation
byKarri Huhtanen
 
Cooperative labs, testbeds and networks
byKarri Huhtanen
 
Privacy and traceability in Wi-Fi networks
byKarri Huhtanen
 

Recently uploaded

PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
December Patch Tuesday
byIvanti
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
December Patch Tuesday
byIvanti
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

EAP-TLS

  • 1.
  • 2.
    EAP-TLS is easy… … for RADIUS server. At the minimum one needs only to configure RADIUS server certificate and the CA certificate for client certificate verification. … to configure improperly. Understanding how certificates, certificate revocation, root and intermediate CAs, PKI etc works requires significant effort. Designing and deploying working model requires even more. … only when one does not need to care about the client certificates, their configuration, provisioning and management.
  • 3.
    Deploying EAP-TLS never startor settle requirements because of a product, solution or technology start with defining and designing policies (validity, expiry times, authorisation, usage …) PKI (hierarchy: CAs, intermediate CAs, certificate usage …) configuration management certificate provisioning certificate requirements (roaming, use, technology …) … but do pilot /trials simultaneously to learn and to see how things do (or do not) work or scale with real users and infrastructure
  • 4.
    Start with simpletrial … Try self-signed CA, manually created client certificates first (or Radiator’s certificates directory) eduroam managed IdP as a service for roaming EAP-TLS tests Verify first that your underlying network and especially firewalls and their rules work when using EAP-TLS Firewalls filtering UDP fragments and especially *BSD firewalls (scrub setting) can cause problems. Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Client devices
  • 5.
    Add basic automaticcertificate validation… a separate Certificate Authority (CA) capable of providing certificate revocation lists (CRLs) or function as a Online Certificate Status Protocol (OCSP) server is needed several open source CAs/PKIs available: easypki, dogtag, ejbca … with this setup one can ensure that when certificates expire, they do not work for authentication anymore automating the certificate validity check is essential for using certificate authentication Federation Level RADIUS IdP/SP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates
  • 6.
    Add connection toauthorisation database… Authorisation database can be Active Directory, LDAP, SQL with additional information about the client certificate. CA, CRLs and OCSP can be sometimes replaced by client certificate check against the authorisation database. Authorisation database can contain additional information such as VLAN assignments, account active/locked etc. How flexible/complex/simple the authorisation checks can be depends on the IdP RADIUS product. Federation Level RADIUS IdP RADIUS Wi-Fi network (controller) Certificate Authority (CA) OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL)
  • 7.
    Deploy certificate managementservice… Properly distributing and configuring certificates in the end user devices is difficult. For managed devices (Windows domain/ Intune) or for Apple devices it is easier, but Android/Linux devices are hard. Currently there seems to be no better approach than to have an app in the device talking to a service. One commercial option is SecureW2. Certificate signing requests created in the actual device are even harder. IdP RADIUS Wi-Fi network (controller) Certificate Management Service OCSP reqs. CRLs, delta- CRLs Certificates LDAP, SQL, etc. IdP Authorisation Database (AD, LDAP, SQL) Certificate (signing) requests Certificate request authorisation requests
  • 8.
    … and youare done… sort of … maybe … If everything presented before works for you, it’s brilliant … and you are brilliant. Unfortunately any organisation who does not have the first step right will break your organisation’s users’ roaming. Sometimes even the packet filters / firewalls in front of federation level RADIUS servers need configuration adjustments. Deploying certificate based authentication requires design, competence and support from infrastructure and service vendors — choose wisely, select vendors and solutions, for which you can get support for design, deployment and production.
  • 9.
    Questions? Find this presentationand more from: https://blog.radiatorsoftware.com/ https://slideshare.net/radiatorsoftware/ https://slideshare.net/khuhtanen/ https://twitter.com/OSCRadiator Extended presentation coming to JISC govroam stakeholders’ meeting (15th of October 2019 in Manchester, United Kingdom) and to the Internet locations above.