Real-world 802.1X Deployment Challenges
Tim Cappalli
March, 2014
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
About Me
• Mobility Engineer, Brandeis University
• Wireless Infrastructure
• AAA / Role-based Access Control
– wired, wireless and remote networks
@tcappy0707
• 6,000 students
• 1,300 full time staff
• Smallest VHR university
• 2,200 access points (mix 11n/11ac)
• 5 mobility controllers
• 320 edge switches, 92 stacks
• AAA: ClearPass Policy Manager
• eduroam
Agenda
What is EAP?
Common EAP Flavors
The Good and The Bad
Client Support
Challenges at Brandeis
Open Discussion – What challenges do you face?
802.1x
802.1X
IEEE STANDARD
POLL
PEAP? TLS? TTLS?
WHAT ARE YOU USING?
What is EAP?
• Extensible Authentication Protocol
– 802.1X defines EAPOL
– Designed for Ethernet, adapted to 802.11
Arran Cudbard-Bell
EAP Transaction
(sequence diagram: Client and Authenticator talk EAPOL; Authenticator and Authentication Server talk RADIUS)
• EAPOL Start
• Request Identity
• Response Identity (anonymous), forwarded by the authenticator as Response Identity
• TLS Start
• Certificate
• Client Key exchange
• Cert. verification
• Request credentials
• Response credentials
• Success
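The identity phase of that exchange encoded as bytes, as an added example that is not part of the deck: EAPOL framing follows IEEE 802.1X and the EAP Request/Response-Identity packets follow RFC 3748; the outer identity and realm are constructed values.

```python
import struct

# EAPOL header (IEEE 802.1X): version(1) packet type(1) body length(2)
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
# EAP header (RFC 3748): code(1) identifier(1) length(2) [type(1) type-data]
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """Wrap an EAP packet (or nothing, for EAPOL-Start) in an EAPOL header."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap_identity(code: int, identifier: int, identity: bytes = b"") -> bytes:
    """Build an EAP-Request/Identity (empty) or EAP-Response/Identity packet."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; for an EAP-Packet also decode the identity inside."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    out = {"eapol_type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        return out
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body):
        raise ValueError("EAP length does not match EAPOL body length")
    out.update(code=code, id=ident)
    if eap_len > 4 and body[4] == EAP_TYPE_IDENTITY:
        out["type"] = EAP_TYPE_IDENTITY
        out["identity"] = body[5:eap_len].decode("ascii", "replace")
    return out


def identity_phase(outer_identity: str) -> list:
    """The three frames before TLS Start: EAPOL-Start from the client,
    Request/Identity from the authenticator, Response/Identity from the client.
    Only the outer identity (anonymous@realm) crosses the air in cleartext;
    the real username is sent later, inside the TLS tunnel."""
    return [
        eapol(EAPOL_START),
        eapol(EAPOL_EAP_PACKET, eap_identity(EAP_REQUEST, 1)),
        eapol(EAPOL_EAP_PACKET,
              eap_identity(EAP_RESPONSE, 1, outer_identity.encode("ascii"))),
    ]
```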
EAP FLAVORS
Common EAP Flavors
• PEAP (Protected EAP)
– Uses a digital certificate on the network side
– Password or certificate on the client side
– Most common: PEAPv0/EAP-MSCHAPv2
• EAP-TLS (EAP with Transport Layer Security)
– Uses a certificate on the network side
– Uses a certificate on the client side
• TTLS (Tunneled Transport Layer Security)
– Uses a certificate on the network side
– Password, token, or certificate on the client side
– Tunneled Diameter (CHAP, PAP), EAP
THE GOOD AND THE BAD
EAP-TLS: The Good
• Device or User credential
– Revoke device access instead of user
• Currently the strongest authentication method
• Most widely supported
• Extremely difficult to crack a 2048-bit RSA key
EAP-TLS: The Bad
• Certificate distribution
– Enrollment or onboarding process
– Can be an administrative burden without proper tools
• User familiarity
– Most users have no concept of a certificate
– Username and password is the “standard”
• Renewals
– Notifying users to renew before expiration
• Changing certificate chain
– Not just “accept new certificate” for users
PEAP: The Good
• Username / password is familiar to users
• Users can “just get on” w/ valid credentials
• Second most widely supported
• Easy integration with AD (“free” NPS)
PEAP: The Bad
• Device credential on Windows AD-joined devices
• Passwords are weak!
– Users won’t remember a truly secure password
• Password expiration
– How do you handle AD password expiration for non-AD Windows machines?
• Client must be configured correctly
• Not so easy with LDAP & Novell
– Limited PEAPv1/EAP-GTC native client support
EAP-GTC vs EAP-MSCHAPv2
(password storage formats each inner method can be validated against)
• EAP-GTC
– Cleartext, NT hash, MD5 hash, salted MD5 hash
– SHA1 hash, salted SHA1 hash, UNIX crypt
• EAP-MSCHAPv2
– Cleartext, NT hash, LM hash
Server Certificate
• Make sure CA correspondence goes to more than one person!
• Nightmares for wireless only devices:
– Server certificate expiration
– New chain
– New server name
• Push out new profiles/GPOs ahead of time!
CLIENT SUPPORT
Native Client Support
Platform                 EAP-PEAP   EAP-TLS         EAP-TTLS
Windows 8                YES        YES             YES
Windows 7 / Vista / XP   YES        YES             NO
Mac OS X                 YES        YES             YES
Linux                    YES**      YES             YES
iOS                      YES        YES             YES*
Android                  YES**      YES             YES
Chrome OS                YES**      YES             YES**
Windows Phone 8.1        YES        YES (rumored)   UNK
Windows Phone 7/8        YES        NO**            NO
BlackBerry 10            YES        YES             YES
BlackBerry 7             YES        YES             YES
Native Client Support
Platform                 EAP-PEAP   EAP-TLS   EAP-TTLS
XBOX 360                 NO         NO        NO
XBOX One                 MAYBE      MAYBE     MAYBE
PlayStation 3 & 4        NO         NO        NO
Nintendo Wii / Wii U     NO         NO        NO
MiTM
(slide diagram) Two networks advertise the same SSID, HospiNET:
• HospiNET – RADIUS server radius1.hospital.org, certificate issued by Verisign
• HospiNET – server wireless.hospital.org, self-signed certificate
Client profile setting: VALIDATE SERVER CERT – Disabled
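The client-side decision behind that slide, as an added example that is not from the deck: a model of a supplicant's server-certificate check run against the two HospiNET servers, with the profiles going one step beyond the slide to show that trusting the CA alone still accepts any name that CA has issued. The certificate names and CA are the slide's; the profile field names and the Windows/wpa_supplicant setting names in the comments are assumptions about how the checks are usually exposed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the RADIUS server certificate seen in the TLS handshake."""
    subject_cn: str
    issuer: str  # issuing CA name; equals subject_cn when self-signed


@dataclass
class Profile:
    validate_server_cert: bool = True       # Windows: "Validate server certificate"
    trusted_cas: frozenset = frozenset()    # wpa_supplicant: ca_cert
    server_names: frozenset = frozenset()   # Windows: "Connect to these servers"


def accept_server(profile: Profile, cert: ServerCert) -> tuple:
    """Return (accepted, reason) for the server certificate presented inside
    the TLS handshake of PEAP, TTLS or EAP-TLS, before any credential is sent."""
    if not profile.validate_server_cert:
        return True, "validation disabled: any certificate is accepted"
    if cert.issuer not in profile.trusted_cas:
        return False, f"issuer {cert.issuer!r} is not a trusted CA"
    if profile.server_names and cert.subject_cn not in profile.server_names:
        return False, f"server name {cert.subject_cn!r} is not expected"
    if not profile.server_names:
        return True, "trusted CA, but every name that CA issues is accepted"
    return True, "trusted CA and expected server name"


# The two servers from the slide (constructed certificate objects)
LEGIT = ServerCert("radius1.hospital.org", "Verisign")
ROGUE = ServerCert("wireless.hospital.org", "wireless.hospital.org")  # self-signed

# Client profiles, weakest to strongest
UNVALIDATED = Profile(validate_server_cert=False)   # the slide's setting
CA_ONLY = Profile(trusted_cas=frozenset({"Verisign"}))
HARDENED = Profile(trusted_cas=frozenset({"Verisign"}),
                   server_names=frozenset({"radius1.hospital.org"}))


def evaluate(profile: Profile) -> dict:
    """Which of the two HospiNET servers this profile would hand credentials to."""
    return {c.subject_cn: accept_server(profile, c)[0] for c in (LEGIT, ROGUE)}


if __name__ == "__main__":
    for name, p in (("unvalidated", UNVALIDATED), ("ca_only", CA_ONLY), ("hardened", HARDENED)):
        print(name, evaluate(p))
```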
COURTESY: LEE BADMAN, SYRACUSE UNIVERSITY
WHAT’S BRANDEIS DOING?
What’s Brandeis Doing?
• Training support staff
– Explaining the different networks
– Giving access to troubleshooting tools
• Empowering* users
– Making it interactive
– Making it user friendly
• Planning for some type of onboarding
• Exploring EAP-TLS
– Using network and systems group as PoC for access to secure management networks
*attempting
What’s Brandeis Doing?
(timeline chart; dates on the slide: 3/15/13, 10/3/13, 3/5/14)
Know the audience
When in doubt, run __________
• Ensure support staff understand the value of client configuration tools
• Utilize a configuration utility
– Teaching help desk, “When in doubt, run QuickConnect”
• Utilize driver detection tools
– Intel Driver Update Utility
OPEN DISCUSSION
Good Reads
• Simply put: How does certificate-based authentication work? (Network World, 3/10/14, Aaron Woland)
• Cryptography Decrypted (Amazon)
Thank You