Upload File

doc.: ieee 802.11-01/252 submission may 2001 bernard aboba, microsoftslide 1 issues with the 802.1x...

  • Home
  • Documents
  • Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba
7
May 2001 Bernard Aboba, Microsoft Slide 1 doc.: IEEE 802.11- 01/252 Submission Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba Microsoft (excerpted from IEEE 802.11- 01/252)

Upload: victoria-houston

Post on 27-Mar-2015

213 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 1

doc.: IEEE 802.11-01/252

Submission

Issues with the 802.1X State Machine

IEEE 802.1X Revision PARBernard Aboba

Microsoft(excerpted from IEEE 802.11-01/252)

Page 2: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 2

doc.: IEEE 802.11-01/252

Submission

Goals

• To describe issues with IEEE 802.1X state machine and 802.11 roaming

• To recommend a solution

Page 3: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 3

doc.: IEEE 802.11-01/252

Submission

Roaming Requirements• Enterprise

– User is identified by user-name (NAI), not IP or MAC address– Security is not compromised– Roaming needs to be available for all potential 802.1X authentication

methods– Desirable for user to be able to keep the same IP address when roaming, if

possible– MUST be able to roam without reauthentication if desired– MUST be able to roam without dropping traffic in case of reauthentication

• “Hot Spot”– User is identified by user-name (NAI), not IP or MAC address– Security is not compromised– Roaming should be fast

• Going back to the home authentication server may cause substantial delays (~ seconds)

Page 4: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 4

doc.: IEEE 802.11-01/252

Submission

Context Transfer & IEEE 802.1X State Machine

• Goal– User context can move to new AP without reauthentication, if desired

• May wish to enable delayed reauthentication on roam

• Process– Client reassociates to new AP– New AP validates reassociate, attempts context transfer from old AP

• Context transfer succeeds: AP sends EAP-Success to client• Context transfer fails: re-associate treated as an associate

• Requirements– Successful reassociate has same result as if new AP authenticated successfully to

backend authentication server– Unsuccessful reassociate has same result as an associate– Authentication for reassociate, disassociate, beacon messages

• Issues– No 802.1X event or state corresponding to associate or successful re-associate!

Page 5: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 5

doc.: IEEE 802.11-01/252

Submission

Additions to Backend Authentication State Machine (Figure 8-12)

• Goal– Successful re-associate has same result as if new AP authenticated to

backend authentication server

• Successful reassociate equivalent to: – Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0;

currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE

– Transition to SUCCESS state• Causes canned Success message to be sent

• Unsuccessful reassociate equivalent to associate:– Set authAbort=TRUE

– Transition to INITIALIZE state• Authentication starts again

Page 6: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 6

doc.: IEEE 802.11-01/252

Submission

Additions to Authenticator PAE State Machine (Figure 8-8)• Goal

– Successful re-associate has same result as if new AP authenticated to backend authentication server

• Unsuccessful reassociate equivalent to:– Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized;

eapLogff=FALSE; reAuthCount=0; – Transition to CONNECTING state

• Successful reassociate with no-reauth == TRUE equivalent to: – Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1;

portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE;

– Transition to AUTHENTICATED

• Successful reassociate with no-reauth == FALSE equivalent to:– Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0;

portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE;– Transition to CONNECTING

Page 7: Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba

May 2001

Bernard Aboba, MicrosoftSlide 7

doc.: IEEE 802.11-01/252

Submission

Additions to Supplicant PAE State Machine (Figure 8-14)

• Goal– Successful reassociate has same result as if supplicant successfully authenticated

to authenticator

• Sequence of events for successful reassociate– Supplicant in AUTHENTICATED state– Reassociate request sent by Supplicant– Success sent by Authenticator– Supplicant remains in AUTHENTICATED state

• Sequence of events for unsuccessful reassociate– Supplicant in AUTHENTICATED state– Reassociate request sent by Supplicant– EAP-Request/Identity sent by Authenticator– On EAP-Request/Identity, supplicant transitions to ACQUIRED state


Configuring 802.1X Port-Based Authentication · OL-28737-01 Chapter 41 Configuring 802.1X Port-Based Authentication About 802.1X Port-Based Authentication Authentication Initiation

Deploying Wired 802.1X

Doc.: IEEE 802.1aa-02/XXX Submission March 2002 Bernard Aboba, MicrosoftSlide 1 EAP Update Bernard Aboba Microsoft

Implementing 802.1x Authentication

Configuring IEEE 802.1x Port-Based Authentication · Configuring IEEE 802.1x Port-Based ... † 802.1x Authentication with Per-User ACLs, ... and the authentication server, requesting

Wireless LANs: The 802.1X Revolution Slide 1 Internet World Wireless West, December 2001 Wireless LANs: The 802.1X Revolution Dr. Bernard Aboba Network

July 16, 2003AAA WG, IETF 571 EAP Keying Framework Draft-aboba-pppext-key-problem-07.txt aboba/IETF57/EAP/ EAP WG IETF 57 Vienna,

S3700-24T4F 802.1x Configuration Commands | FS-Fiberstoreimg-en.fs.com/file/user_manual/s3700-24t4f-switch-802.1x-cli-reference-guide.pdfS3700-24T4F 802.1x Configuration CLI Reference

Doc.: IEEE 802.11-02/104r0 Submission January 2002 Bernard Aboba/Microsoft EAP Keying Overview Bernard Aboba Microsoft

ORTC Walk Through IETF 88 Robin Raymond, Hookflash Bernard Aboba, Microsoft Adalberto Foresti, Microsoft Open Technologies, Inc. ORCA – Object-RTC API

802.1x Wired Authentication - University of Miami · University of Miami Information Technology 802.1x wired authentication setup Page 1 802.1x wired configuration What? In the instance

IEEE 802.1X VLAN Assignment - cisco.com · IEEE 802.1X VLAN Assignment ... Table 1: Feature Information for IEEE 802.1X VLAN Assignment Feature Name Releases Feature Information TheIEEE802.1XVLAN

802.1X Port Security - Arista Networks · 802.1X Port Security Description Chapter 14: 802.1X Port Security 14.2 802.1X Port Security Description 802.1X port security controls can

0-9 802.1X 802.1X-REV

Yealink Technical White Paper 802.1X Authentication 802.1X...Yealink Technical White Paper 802.1X Authentication 7 Parameters Permitted Values Default Description: Configures the user

How to Enable 802.1X

Configuring Port-Based Access Control (802.1X)whp-aus1.cold.extweb.hp.com/pub/networking/...8-4 Configuring Port-Based Access Control (802.1X) Overview Local authentication of 802.1X

802.1x Wireless Peap Ias

IEEE Std 802.1X-2010

Doc.: IEEE 802.11-00/034 Submission March 2000 Dan Simon, Bernard Aboba, Tim Moore, Microsoft IEEE 802.11 Security and 802.1X Dan Simon, Bernard Aboba,

802.11 security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft

Configuração NAC 802.1x TodosOsDispositivos

IEEE 802.1X VLAN Assignment - Cisco · IEEE 802.1X VLAN Assignment Feature Information for IEEE 802.1X VLAN Assignment 802.1X Authentication Services Configuration Guide, Cisco IOS

Workshop CCNA Security - Typepad · 2019. 11. 9. · Security Using 802.1X Port-Based Authentication 802.1X Message Exchange 802.1X Roles. 802.1X Port Authorization State Command

Configuring Port-Based Access Control (802.1X)whp-aus2.cold.extweb.hp.com/pub/networking/software/Security-Oct... · 8-7 Configuring Port-Based Access Control (802.1X) How 802.1X

802.1x Implementation

802.1x Configuration Commands - 飞速(FS) · 802.1x Configuration Commands auto Enables 802.1x protocol authentication method force-authorized Disables 802.1X on the interface and

802.1X, EAP and RADIUS

802.1X in Windows Tom Rixom Alfa & Ariss. Overview 802.1X/EAP 802.1X in Windows Tunneled Authentication Certificates in Windows WIFI Client in Windows

NAP 802.1x StepByStep(1)

INDUSTRIALISATION « 802.1X » CONFIG : 802.1X – PEAP – …

Per-User ACL Support for 802.1X/MAB/Webauth Users · 802.1X/MAB/WebauthUsers 802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Key Management 802.1X

Network Access and 802.1X

802.1x Authentication Standard