Network Authentication with PKI
EDUCAUSE/Dartmouth PKI Summit, July 27, 2005
Jim Jokl, University of Virginia


Page 1: Network Authentication with PKI (title slide)

Page 2: Background: UVa Wireless LAN Project

Deploy campus-wide Wireless LAN (WLAN)
  Initial focus on student areas
  Later emphasis on faculty/staff areas
Support multiple applications
  Focus on standard applications: email, web, login, file transfer, etc.
  Don’t focus on applications such as video
Provide security
  Wireless really is different in this regard

Page 3: UVa WLAN Summary

Access point summary as of July 2005
  796 access points in database with approximately 704 operational
  ~250 older Cisco 352 802.11b (11 Mbps @ 2.4 GHz) units
  Remainder are modern Cisco 1100/1200 series access points
    802.11 G/B (11-45 Mbps @ 2.4 GHz)
    802.11 A (45 Mbps @ 5 GHz)
    Still need to install A/G radios in some of the 1200s
Wireless security system
  Would have liked strong authentication and encryption for all WLAN access, however …

Page 4: Wireless Security

Have to support “other” devices

Page 5: Initial Wireless Security System

MAC address validation
  Users register the hardware address of their wireless adapter
  Provisions for anyone affiliated with the university to register cards for guests
  Supports “random” devices
Secured wireless via Cisco LEAP
  Password-based authentication
  Dynamic symmetric cipher keys
  Had expected this technology to be widely implemented by vendors

Page 6: EAP-based Authentication Process

Diagram (components shown): User, Access Point, UVa Network, Radius Servers

Page 7: Authentication Transition

Combination of LEAP and MAC registration was OK for a couple of years
However
  LEAP never became mainstream and generally required a Cisco wireless card and software installation
  We had anticipated native LEAP support with Windows XP
  Final straw was a reported security vulnerability with the LEAP protocol

Page 8: Wireless LAN Access Control

Comparison of EAP methods

EAP-MD5
  Server authentication: None
  Supplicant authentication: Password hash
  Dynamic key delivery: No
  Security risks: Identity exposed, dictionary attack, MitM attack, session hijacking
LEAP
  Server authentication: Password hash
  Supplicant authentication: Password hash
  Dynamic key delivery: Yes
  Security risks: Identity exposed, dictionary attack
EAP-TLS
  Server authentication: Public key
  Supplicant authentication: Public key
  Dynamic key delivery: Yes
  Security risks: Identity exposed
EAP-TTLS
  Server authentication: Public key
  Supplicant authentication: CHAP, PAP, MS-CHAP(v2), EAP
  Dynamic key delivery: Yes
  Security risks: MitM attack
PEAP
  Server authentication: Public key
  Supplicant authentication: Any EAP, like EAP-MS-CHAPv2 or public key
  Dynamic key delivery: Yes
  Security risks: MitM attack

Source: wi-fiplanet.com

Page 9: Background: UVa Standard Assurance CA (PKI-Lite)

On-line web CA
  Uses existing account information to validate user request
  Computing ID, password, and some database info checked
Certificate and chain automatically installed or PKCS-12
~20k active certificates now

Page 10: UVa EAP-TLS Wireless Authentication

User verifies the Radius server’s identity using PKI
The Radius server verifies the user’s identity using PKI
An LDAP-based authorization step happens
Association is allowed and dynamic session crypto keys are exchanged

Diagram (components shown): User, Access Point, Radius Server, LDAP AuthZ

Page 11: OS Support for EAP-TLS

Operating system support
  Windows XP, Windows 2000 SP-4*
  MacOS (10.3.3)
  3rd party software available
Very easy to use
  No account management, passwords, etc.
  Login to your workstation and secure wireless just works
AuthZ step will make it easier to keep hacked machines off of the WLAN

Page 12: EAP-TLS and the Microsoft Clients

Microsoft field in certificate for AuthN
  Subject Alt Name / Other Name / Principal Name
  OID 1.3.6.1.4.1.311.20.2.3
  If not present, uses CN
    Uniqueness issues for many CAs
  Easy to add to certificate profile
Impact on the PKI-Lite certificate profiles
  Agreed to add this extension to EE cert profile
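As an added example (not code from the slides or from UVa), the Python below builds a subjectAltName that carries the Microsoft Principal Name OtherName under the OID on this slide and then applies the selection rule the slide describes: use the UPN if present, otherwise fall back to the subject CN. The DER helpers are hand-written here rather than taken from a library, and names such as jdoe@virginia.edu and "Jane Doe" are constructed sample values.

```python
# Added example, not from the slides: small DER helpers build a subjectAltName carrying
# the Microsoft Principal Name OtherName (OID 1.3.6.1.4.1.311.20.2.3); eap_tls_identity()
# then applies the slide's rule: UPN if present, else CN. Sample names are constructed.
MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # DER of 1.3.6.1.4.1.311.20.2.3

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def der_walk(buf: bytes):
    """Yield (tag, body) for each consecutive TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the byte count of the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def build_san(upn: str = None, email: str = None) -> bytes:
    """SubjectAltName SEQUENCE: UPN as otherName [0], e-mail as rfc822Name [1]."""
    names = b""
    if upn is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = tlv(0x06, MS_UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode()))
        names += tlv(0xA0, other)  # GeneralName otherName is [0] IMPLICIT
    if email is not None:
        names += tlv(0x81, email.encode())  # rfc822Name is [1] IMPLICIT IA5String
    return tlv(0x30, names)

def eap_tls_identity(san_der: bytes, subject_cn: str) -> str:
    """Windows-style pick: SAN principalName if present, otherwise the subject CN.
    The CN path is where the slide's uniqueness problem lives: many CAs do not
    guarantee CNs are unique, so two users may map to one identity there."""
    _, general_names = next(der_walk(san_der))  # unwrap the outer SEQUENCE
    for tag, body in der_walk(general_names):
        if tag != 0xA0:
            continue  # not an otherName
        parts = list(der_walk(body))
        if len(parts) == 2 and parts[0] == (0x06, MS_UPN_OID):
            return next(der_walk(parts[1][1]))[1].decode()  # inner UTF8String
    return subject_cn
```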

Page 13: Summary: Supported wireless “accounts” at UVa

EAP-TLS: our main wireless network
  Leverage PKI for user authentication on WinXP and MacOS 10.3
  Dynamic session encryption keys
MAC address restricted network
  Provides access control and limited authentication
  Especially useful for devices with limited functionality
  Now integrated with our main NetReg MAC address registration system
Guest
  MAC access control and identification of UVa sponsor

Page 14: UVa WLAN Authentication Transition

Transitioned to new authentication summer 2004
  Added an EAP-TLS VLAN, removed LEAP
  EAP-TLS is the authentication used on the broadcast SSID
Main EAP-TLS issues encountered
  Old drivers for users’ wireless cards
  A few users still had certificates without the Microsoft attribute
  Macintosh a little harder since no Safari integration for certificate download and installation
Retained a legacy MAC registration-only VLAN
  For special devices that don’t support EAP-TLS
  Non-broadcast SSID
Transition completed by end of summer
  Few hard problems encountered
Will add EAP-TLS VLAN for access to UVa “More Secure” network once more AuthZ work is completed

Page 15: Authentication on the UVa WLAN

Chart: Unique Users (EAP-TLS) or Devices (MAC Addr) Authenticating to the UVa WLAN. X-axis: Month in 2005 (All, March, April, May, June, July); y-axis: unique users or devices per month (0 to 12000); series: “MAC Addr” and “EAP-TLS”. The plotted values are not recoverable from the extracted text.

Page 16: Background: University of Virginia PKI

Project goal: enable PKI support in a wide range of applications
Deploy two campus CAs to support two types of PKI-enabled applications
  Standard Assurance CA
    For better security on common applications
    Improve ease of use on some applications
    Identity proofing marginally stronger than used with simple passwords
  High Assurance CA
    For new applications requiring high security
    Uses hardware tokens only: 2-factor authentication
    Strong identity validation before certificate is issued

Page 17: UVaAnywhere VPN Service

Our first PKI application
Certificate AuthN
Encrypted path to UVa network edge
On-campus IP address
Cisco 3000 concentrators
Adding LDAP AuthZ
IPSec and Cisco VPN client is only supported mechanism

Diagram (components shown): Internet Connections, UVaNet, UVaAnywhere Concentrators

Page 18: UVaAnywhere-Lite

Just added new SSL VPN service
  For web applications only
  Uses existing Cisco 3000 concentrators
  PKI for authentication
  Uses LDAP for authorization
Web VPN provides convenient pop-up box for navigation
Customized with library and department pages that point to their web resources

Page 19: Remote Access to the More Secure Network

Certificate AuthN and LDAP AuthZ

Diagram (components shown): Firewall, VPN, SMTP Relay, LPR Relay, “Less Secure” Network (Level 1), “More Secure” Network (Level 2), LDAP AuthZ

Page 20: VPN PKI 2-factor Authentication with LDAP Authorization

Diagram (components shown): VPN Concentrators, Firewalls, LDAP AuthZ Servers, Oracle ERP servers S1, S2, S3 … Sn, Hospital Net, Main Campus Network, IN/OUT paths

Page 21: Oracle Special Services (ERP): 2-factor Cert AuthN and LDAP AuthZ

Diagram (components shown): Main UVa Network, VPN Concentrators, Firewalls, LDAP AuthZ Servers, servers S1, S2, S3, S4 … Sn, Normal User and OSS User paths, IN/OUT

Page 22: Some References

UVa Wireless LAN site: http://www.itc.virginia.edu/wireless/
UVa PKI site: http://www.itc.virginia.edu/desktop/pki/
UVa VPN sites: http://www.itc.virginia.edu/desktop/vpn and http://www.itc.virginia.edu/vpn/webvpn
HEPKI-TAG PKI-Lite: http://middleware.internet2.edu/hepki-tag/