802.1X in Windows.


Transcripts
Slide 1

802.1X in Windows
Tom Rixom, Alfa & Ariss

Slide 2

Overview
- 802.1X/EAP
- 802.1X in Windows
- Tunneled Authentication
- Certificates in Windows
- WIFI Client in Windows (WZC)
- Configuration examples
- Questions?

Slide 3

802.1X/EAP
- Port Based Network Access Control
- Authenticated/Unauthenticated Port
- Supplicant/Authenticator/Authentication Server
- Uses EAP (Extensible Authentication Protocol)
- Allows authentication based on user credentials

Slide 4

EAP over LAN (EAPOL)

Slide 5

802.1X Client
- 802.1X Protocol Driver (EAPOL Driver)
  - Handles all EAPOL communication
  - Extracts EAP messages from EAPOL, which can then be read by applications
  - Inserts EAP messages that applications wish to send into EAPOL
- 802.1X Client Application
  - Uses the Driver to send and receive EAP messages
  - Handles EAP messages accordingly
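
The extract/insert role of the EAPOL driver described on this slide, as an added Python example (not from the original slides or from any Windows component). The function names and the sample frame are constructed; the type numbers are the assigned EAPOL and EAP values.

```python
import struct

# Assigned numbers from IEEE 802.1X (EAPOL packet types) and RFC 3748 (EAP).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
               21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPV2"}


def extract_eap(frame: bytes):
    """Driver -> application: return (eapol_type, eap) for an EAPOL frame.

    `frame` starts right after the 0x888E EtherType; eap is None unless the
    frame carries an EAP packet.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]          # ignores Ethernet padding after the body
    if len(body) != body_len:
        raise ValueError("EAPOL length exceeds received frame")
    name = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype != 0:
        return name, None
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise ValueError("EAP length inconsistent with EAPOL length")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "method": None, "data": b""}
    if code in (1, 2):                    # only Request/Response carry a Type byte
        if eap_len < 5:
            raise ValueError("Request/Response without Type")
        eap["method"] = EAP_METHODS.get(body[4], body[4])
        eap["data"] = body[5:eap_len]
    return name, eap


def insert_eap(code: int, ident: int, method: int, data: bytes, version: int = 1) -> bytes:
    """Application -> driver: wrap an EAP Request/Response in an EAPOL frame."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), method) + data
    return struct.pack("!BBH", version, 0, len(eap)) + eap


# Constructed sample: EAP-Request/Identity (id 1), zero-padded as on Ethernet.
REQUEST_IDENTITY = bytes.fromhex("010000050101000501") + bytes(37)
```

Both length fields are checked against the bytes actually received, so a frame whose EAP length overruns its EAPOL body is rejected instead of being handed to an EAP module.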

Slide 6

802.1X Client in Windows
- Implements 802.1X Driver (NDIS) and Application
- Uses Microsoft EAP API to handle the EAP communication
- Controls user interaction (Balloon)
- User/Computer setting

Slide 7

EAP in Windows
- Microsoft EAP API
- An EAP Module is a “Microsoft DLL” that implements the Microsoft EAP API
- The 802.1X Client calls modules through the EAP API to handle authentication
- Another example is the Microsoft VPN Client

Slide 8

EAP Modules
- EAP-MD5 (Built-in)
  - Username/password
- EAP-TLS (Built-in)
  - Client/server certificates (PKI)
- EAP-MSCHAPV2 (Built-in)
  - Username/password (Windows credentials)
- Protected EAP (PEAP) (Built-in)
  - Server certificate
  - Tunneled EAP Authentication
  - EAP-MD5, EAP-MSCHAPV2, EAP-…
- EAP-TTLS
  - Server certificate
  - Tunneled Diameter Authentication
  - Diameter (PAP/CHAP/…), EAP

Slide 9

Tunneled Authentication (TTLS/PEAP)
- Uses a TLS tunnel to protect information
- The TLS tunnel is set up using the Server certificate, automatically authenticating the server and preventing man-in-the-middle attacks
- Allows use of dynamic session keys for line encryption

Slide 10

PEAP?
- PEAP Version 1, 2
  - Supported by Cisco, Apple OS X Panther
  - http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt
- Microsoft PEAP (Windows XP SP1)
  - Version 0
  - No headers
  - Implemented by Microsoft PEAP module
  - http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt

Slide 11

Certificates in Windows
- PEAP (Built-in) and SecureW2 use the Windows certificate trust
- The certificate (chain) of the Authentication Server must be installed on the local computer
- Certificate stores:
  - User
    - Each user has their own user store in which the user can install certificates and build certificate trusts
    - Certificates are visible only to the store owner (User)
  - System
    - Only Administrators and system applications can install certificates in the system store
    - Certificates can be used by all applications and users

Slide 12

WIFI Client in Windows
- Wireless Zero Config (WZC)
- Generic interface for configuring wireless connections
- Compatibility
- Wireless Ethernet Driver must be compatible with WZC to enable 802.1X
- Windows XP
- WPA
- Windows Mobile Pocket PC 2003
- Windows 2000 requires a 3rd Party WIFI Client

Slide 13

EAPOL Key

Slide 14

802.1X WIFI Scenario
- The WIFI Client associates with the Access Point (SSID)
- The Access Point requires 802.1X and sets the Client's “port” to the “Unauthenticated” state
- The Access Point then starts EAPOL communication by sending the EAPOL-Identity message to the Client
- The 802.1X Client receives the EAPOL communication and calls the appropriate EAP module to handle the EAP authentication
- After successful authentication the EAP RADIUS Server and Client generate the MPPE keys (based on the TLS tunnel)
- The RADIUS Server sends the MPPE keys (with the Access Accept) to the Access Point
- The Access Point sets the Client's “port” to the “Authenticated” state, allowing the client to communicate with the Intranet
- The Access Point then uses the MPPE keys to encrypt a WEP key in an EAPOL key message
- The Access Point sends the EAPOL key to the Client
- The Client decrypts the WEP key in the EAPOL key message using the MPPE keys it generated and sets the WEP key
- The WIFI Client takes over to set up the rest of the connection (DHCP)
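
The last steps of this scenario (the Access Point wrapping a WEP key in an EAPOL key message, the Client unwrapping it), as an added Python example that is not from the original slides. It follows the RC4 key descriptor layout of IEEE 802.1X-2001; using one MPPE key (prefixed with the key IV) for RC4 encryption and the other for the HMAC-MD5 signature is how this example models "uses the MPPE keys", and all names and key values are constructed.

```python
import hashlib
import hmac
import struct

# RC4 key descriptor: type, key length, replay counter, key IV, key index,
# key signature; the encrypted key follows. Offsets include the EAPOL header.
KEY_HDR = struct.Struct("!BH8s16sB16s")
SIG_AT, KEY_AT = 4 + 28, 4 + KEY_HDR.size

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def sign(frame: bytes, sign_key: bytes) -> bytes:
    # HMAC-MD5 over the whole EAPOL frame with the signature field zeroed.
    zeroed = frame[:SIG_AT] + bytes(16) + frame[KEY_AT:]
    return hmac.new(sign_key, zeroed, hashlib.md5).digest()

def build_eapol_key(wep_key, enc_key, sign_key, replay, iv, index=0x80):
    """Access Point side: encrypt the WEP key, then sign the frame."""
    body = KEY_HDR.pack(1, len(wep_key), replay, iv, index, bytes(16)) + rc4(iv + enc_key, wep_key)
    frame = struct.pack("!BBH", 1, 3, len(body)) + body   # EAPOL type 3 = Key
    return frame[:SIG_AT] + sign(frame, sign_key) + frame[KEY_AT:]

def open_eapol_key(frame, enc_key, sign_key):
    """Client side: verify the signature first; returns (wep_key, key_index)."""
    if len(frame) < KEY_AT or frame[1] != 3 or frame[4] != 1:
        raise ValueError("not an EAPOL-Key frame with an RC4 descriptor")
    frame = frame[:4 + struct.unpack("!H", frame[2:4])[0]]  # drop padding
    key_len, iv = struct.unpack_from("!H", frame, 5)[0], frame[15:31]
    if len(frame) - KEY_AT != key_len:
        raise ValueError("key length field does not match key data")
    if not hmac.compare_digest(frame[SIG_AT:KEY_AT], sign(frame, sign_key)):
        raise ValueError("bad key signature")
    return rc4(iv + enc_key, frame[KEY_AT:]), frame[31]

# Constructed sample values (not real key material); 13 bytes = 104-bit WEP key.
ENC_KEY, SIGN_KEY = bytes(range(32)), bytes(range(32, 64))
FRAME = build_eapol_key(b"constructed13", ENC_KEY, SIGN_KEY, bytes(8), bytes(range(16)))
```

A client should also reject a frame whose replay counter is not greater than the last one it accepted; that state tracking is left out here.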

Slide 15

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 1: Connection properties

Slide 16

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 1: Connection properties

Slide 17

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 2: Wireless Networks

Slide 18

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 2: Wireless Networks

Slide 19

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 3: Wireless Networks properties

Slide 20

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 3: Wireless Networks properties

Slide 21

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 4: Wireless Networks properties (Authentication)

Slide 22

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 4: Wireless Networks properties (Authentication)

Slide 23

Configuration example #1
EAP-TTLS/SecureW2 (Windows XP, Wireless)
Step 5: SecureW2 properties

Slide 24

Configuration example #2
PEAP (Wired, Windows 2K)
Step 1: Start Wireless Configuration service

Slide 25

Configuration example #2
PEAP (Wired, Windows 2K)
Step 1: Start Wireless Configuration service

Slide 26

Configuration example #2
PEAP (Wired, Windows 2K)
Step 2: Connection properties

Slide 27

Configuration example #2
PEAP (Wired, Windows 2K)
Step 2: Connection properties

Slide 28

Configuration example #2
PEAP (Wired, Windows 2K)
Step 3: Authentication properties

Slide 29

Configuration example #2
PEAP (Wired, Windows 2K)
Step 3: Authentication properties

Slide 30

Configuration example #2
PEAP (Wired, Windows 2K)
Step 4: PEAP properties

Slide 31

Configuration example #2
PEAP (Wired, Windows 2K)
Step 4: Configure 3rd Party WIFI Client
- Some clients support dynamic WEP keys
- Other clients that do not support dynamic WEP keys can be tricked: “Fake WEP Key”
