wlan infrastructure monitoring and supplicants
Workshop on Wireless Belgrade - 12.09.2011. Wenche Backman-Kamila.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd.
WLAN Infrastructure Monitoring and Supplicants
Workshop on Wireless Belgrade - 12.09.2011
Wenche Backman-Kamila
Agenda
• Supplicants in general
  – Windows7 (manual & automatic config)
  – Network manager and wpa_supplicant
  – Mac
  – WindowsXP
• Monitoring
  – Fixed part
  – Wireless part
SUPPLICANTS
Why supplicants?
• eduroam based on 802.1x
  – 802.1x requires supplicants
• LOTS of different supplicants out there
  – all OSes have their own
  – iPhone, Android, Nokia etc. have their own
  – All differ but basic features are the same
• The bright side: Configure only ONCE
  – In web authentication credentials repeated
Supplicant details
• Basic features
  – Define EAP-method
    • Supported methods depend on supplicant
  – Define certificate and server name
    • If self-signed certificate, no server name required
  – Define encryption: WPA2-AES, WPA-TKIP
  – Define user name and password
    • User name including @organisation.rs
    • Anonymous identity might be supported
Supplicant best practices
• About certificates in PEAP and TTLS
  – If self-signed certificate
    • Distribute it securely to your users
  – If public CA
    • Ensure that the CA and the server name have been defined in the supplicant
  – If you use TLS you don’t have to worry about these recommendations
• Anonymous identity
Supplicants and supported EAP methods
Supplicant | PEAP-MSCHAPv2 | TTLS-MSCHAPv2 | TTLS-PAP | TLS
Windows XP/Vista/7 | x | - | - | x
Network manager & wpa_supplicant | x | x | x | x
Mac | x | x | x | x
Windows7 manually 1/3
Windows7 manually 2/3
Windows7 manually 3/3
Windows7 – automatically 1/2
• Installer creates XML file
  – XML file used to configure settings
• User only inputs credentials
  – requires admin rights
• Installer created with NSIS
• Win7 and Vista
Windows7 – automatically 2/2
Network manager/ wpa_supplicant
Mac supplicant 1/3
Mac supplicant 2/3
Mac supplicant 3/3
WinXP
• Configuration video available at http://cbt.geant2.net/repository/eduroam_supplicants/setting_up_eduroam_supplicants.html
MONITORING
Monitoring
Monitoring methods for authentication
Radius authentication
• radtest
  – standard command
• Input
  – Credentials
  – Server name and shared secret
• does not require a radius server for monitoring purposes
• doesn’t test EAP auth
EAP authentication
• eapol_test
  – included in wpa_supplicant
• Additional input compared to radtest
  – Supported EAP methods (outer and inner)
  – Certificate
• Requires a radius server to carry out testing
• Imitates supplicant auth
More on eapol_test
• http://deployingradius.com/scripts/eapol_test
• eapol_test -c peap-mschapv2.conf -a <radius_server> -s <secret> -M 22:44:66:00:00:00 -A <monitor_server>
• check_eapauth
• rad_eap_test (http://www.eduroam.cz/rad_eap_test/)
Monitoring authentication at campus
• Create username and password for monitoring purposes
• Monitoring server
  – radtest
  – and/or eapol_test
• And additionally
  – ping latency, packet loss and opening of SSH connections
Monitoring at federation level
• Monitoring hierarchy
  – With credentials from each organisation
  – Results on web
  – Based on eapol_test
  – E.g. Checks every 10th minute if OK
  – If problems every 3rd minute
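The eapol_test checks from the slides above combined into one probe, as an added example that is not part of the original presentation: it writes a PEAP-MSCHAPv2 profile that pins the CA and the server name, runs eapol_test with the -c, -a and -s options, and re-checks after 10 minutes when OK or 3 minutes on problems. The identity format, file names and the use of altsubject_match for the server-name check are assumptions.

```shell
#!/bin/sh
# Added example: EAP monitoring probe built around eapol_test.
# Assumed values: identities, file paths, the altsubject_match name check.
EAPOL_TEST="${EAPOL_TEST:-eapol_test}"   # binary shipped with wpa_supplicant

# Write a PEAP-MSCHAPv2 profile that pins the CA and the server name.
# Values must not contain double quotes; they are written verbatim.
write_conf() {   # args: conf identity password ca_cert server_name
    old_umask=$(umask); umask 077        # file holds the monitoring password
    cat > "$1" <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="$2"
    anonymous_identity="anonymous@${2#*@}"
    password="$3"
    ca_cert="$4"
    altsubject_match="DNS:$5"
}
EOF
    umask "$old_umask"
}

# One authentication attempt: OK only if eapol_test exits 0 and its last
# output line is SUCCESS. Note that -s puts the shared secret on the
# command line, so run this on a dedicated monitoring host.
check_eap() {    # args: conf radius_server secret
    out=$("$EAPOL_TEST" -c "$1" -a "$2" -s "$3" 2>&1) || return 1
    [ "$(printf '%s\n' "$out" | tail -n 1)" = "SUCCESS" ]
}

# Seconds until the next probe: 10 minutes when OK, 3 minutes on problems.
next_interval() {
    if [ "$1" = OK ]; then echo 600; else echo 180; fi
}

# Probe in a loop and log every state change with a UTC timestamp.
monitor() {      # args: conf radius_server secret
    prev=""
    while :; do
        if check_eap "$@"; then state=OK; else state=FAIL; fi
        [ "$state" = "$prev" ] || echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $2 $state"
        prev=$state
        sleep "$(next_interval "$state")"
    done
}
# Usage: write_conf peap-mschapv2.conf ... ; monitor peap-mschapv2.conf <radius_server> <secret>
```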
Monitoring the air interface
• Commercial products can be divided into three groups:
  – Products based on data from access points to the controllers
  – Products based on site survey
  – Solutions covering both the fixed LAN network and the air interface
Access point and controller data
• Cisco’s WCS
  – Control and monitor several controllers
  – Air interface data
    • Signal strength and noise levels
    • Channel allocation
    • Transmit power
• AirWave’s Wireless Management Suite
  – multivendor environments
Site survey for monitoring purposes
• Lots of alternatives
  – Motorola’s AirDefense Mobile and SiteScanner
  – Airmagnet’s WiFi and VoFi Analyzers
  – WildPackets’s OmniPeek
  – Wireshark
  – Wi-Spy
Both LAN and air interface
• Active measures
  – Attach
  – Authentication
  – DHCP-server
  – HTTP and FTP upload and download
  – VoIP-test with MOS
• Passive measures
  – Signal strength and SNR
7signal’s Sapphire
Monitoring at campuses in Finland
• Access points are monitored
  – All known APs connected to controller
  – APs correctly configured
  – Radios on
  – Users per AP
• Means for AP monitoring
  – SSH script
  – perl
  – Airwave
References and contact info
• Main reference
  – WLAN infrastructure BPD
    • http://www.terena.org/campus-bp/bpd.html
• Other references
  – Monitoring and ensuring WLAN performance
    • http://www.terena.org/campus-bp/reports.html