The following excerpt is from Chapter 4 of the free e-book "The tips and tricks guide to securing Windows Server 2003" written by Roberta Bragg and available at Realtimepublishers.com. Click for the complete book
Add 802.1x technology
802.1x is currently a draft standard. In an 802.1x network, a network access server (NAS) requires authentication before allowing access to the network. The standard uses RADIUS as the mechanism for providing authentication. Current implementations include Windows .NET server and use certificates (either smart card based user/computer certificates or local certificates on the client computer). In essence, 802.1x places the responsibility for firewalling the access point on the access point itself.
The standard also describes approved authentication protocols and the implementation of approved data encryption processes that address the weaknesses of WEP. Two choices for authentication are Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). Windows .NET server provides support for both.
EAP is described in Request for Comments (RFC) 2284. It was designed to support multiple authentication methods including smart cards, Kerberos, public key, one-time passwords and other methodologies not yet in existence. The goal of EAP was to offer the ability to provide different authentication methods without having to re-program the NAS. The NAS, which sits between the clients and a back-end authentication server, can simply act as a pass-through and does not need to understand multiple authentication methods or even specific implementations of them. The NAS simply needs to understand EAP, then let the client and the authentication server do the work. The original specification was developed for use with remote access servers such as RADIUS, with which clients typically connected to the network through dial-up or Internet connections.
EAPOL, or extensible authentication over LANs, is the adoption of this protocol to wireless network interfaces to traditional LANs. EAPOL is diagrammed in Figure 4.17.
Figure 4.17: Steps in EAPOL.
As Figure 4.17 shows, the NAS, a switch (or, in our case, WAP) provides a point of entry for the user. The switch detects a client and sends the EAPOL Request-ID message to the client. The client responds with an EAPOL Response-ID that includes authentication information. The NAS encapsulates the Response-ID in a remote authentication dial-in user service request packet and forwards it to a RADIUS server. (The NAS acts as a relay of messages from the client using EAPOL and to the RADIUS server using RADIUS packets.) The RADIUS server responds with accept or deny packets that include encapsulated EAP success or failure packets. (RADIUS on a .NET network will use Active Directory -- AD). The access server forwards to the client. If authentication is successful, the port on the access server is open and the user authenticated.
PEAP is essentially EAP wrapped in Transport Layer Security (TLS—a technology similar to SSL). Additional modifications also support improved security. In fact, it is being developed to address weaknesses in the EAP standard. Three improvements exist:
- Because EAP is wrapped in TLS, the EAP session between the back-end authentication server and the client is encrypted and the integrity is protected in a TLS channel. Mutual authentication between the back-end sever and the EAP client is required. EAP did not require mutual authentication and was felt to expose too much information about the process -- information that would make it easier for an intruder to mount an attack. Now, no EAP conversation occurs until the TLS session is established and all EAP communication is encrypted.
- TLS provides built-in support session resumption and management of fragmentation and reassembly -- two networking issues with EAP. Because EAP doesn't include these capabilities, each authentication method has to provide them, thus resulting in a duplication of effort as well as an additional exposure to denial of service or vulnerabilities due to poor code.
- TLS provides support for key exchange and the development of key hierarchy for the generation of authentication and encryption keys. To work with EAP, each authentication method had to do so. These techniques are complex and difficult to get correct. Requiring each implementer and authentication method provides too many opportunities for poor mechanisms and increased vulnerability.
Click for the next excerpt in this series: Windows .NET Server wireless network (IEEE 802.11) policies.
Click for the book excerpt series or visit Realtimepublishers.com to obtain the complete book.