Are You Using 802.1X?
"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.
As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"
First post
But yes, we use it, have been for quite some time - about November of last year - works great, and is pretty good - requires RADIUS or Active Directory/IAS.
Get SP4 which gets the .1x support back.
While 1x provides nice features, it is rather unstable right now. We have tried using it at home, not really for any practical reason but just for geeky fun, and we had a hard time getting Linux clients to talk to our Win2003 server. I ended up scrapping the whole idea.
Not using even WEP is simply asking for trouble; using basic WEP (pre-shared keys) is a little better, but it's still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.
There is some support on OSes for 802.1x (Windows XP has it built in for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org)).
One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie in different methods within this framework for doing the actual authentication and key generation.
If you use EAP-TLS then there can be a problem of configuring certificates on client machines, though it's pretty secure once set up. You can use the Cisco proprietary LEAP with Cisco APs and clients or go for a solution based on PEAP or EAP-TTLS.
LEAP only requires you to have a user-name/password type of setup and can be easily tied to existing authentication infrastructure (e.g. the Windows network in your lab). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPv2 or some such method, though you still need valid server-side certificates.
Puneet
I used it on my last contract. 802.1x with WindowsXP SP1 works just fine. We used PEAP and Microsoft's IIS server for RADIUS authentication.
We wanted PEAP since it doesn't require manual certificates.
It took a lot of tweaking on the server, a small bit on the AP, but the client settings were just what you'd expect them to be.
I didn't try it with OS X (even though I used a Powerbook on the job). Take a look at http://www.mtghouse.com/
Per the message boards I've read, their client should work just fine.
Failure is not an option. It comes bundled with your Microsoft product. -- Ferenc Mantfeld
Using D-Link's new firmware for the 900AP+, which supposedly supports 1x, and Funk Software's RADIUS server and WinXP SP1, I thought I would give it all a try... let's just say it's not as easy as I would have expected. And in my experience, if it's not easy to implement then people won't use it, let alone how picky you have to be with OSes, clients, and hardware that will actually support it.
We just rolled out 802.1x at Baylor University this week. Where are you located? I know they are also rolling out at Memphis.edu and Kstate.edu in the fall. E-mail me if I can be of any help...
Outside of the access points we used all pre-existing equipment. We already had an Enterprise Root Cert Authority set up on our root Win2k DC. We then created a cert for wireless access. We deployed the cert by using policies and used IAS to authenticate the users against a remote access policy that verified users' group memberships.
For hardware we used Cisco 1100s and ZyAIR B1000s (http://www.zyxel.com). The B1000s have a beta firmware to support EAP-TLS and cost less than $100 bucks!
We only allow Win2k and Windows XP clients to use wireless; setting up the few Win98 clients we have is too much of a pain!
With Windows XP Service Pack 1 the user will get a prompt that says there is a wireless network available. Included in that is a check box to use 802.1x authentication, and since the default is Certificates all the user does is click connect and they are on!
If you have clients other than Windows clients you can still use the Win2k cert server; just have them download the cert via the web manager. It will be http://certservername/certsrv. Works great.
You're thinking of "802.11x" which generally means any of 802.11b, 802.11a, or 802.11g (wireless protocols). "802.1x" is a security protocol, not a wireless protocol per se. Very confusing, I know...
My impression is that this is a much needed, but still nubile technology. I wouldn't be surprised to see stronger support flourish in the 'alternate' (non-MSFT) OSes within the next year or so. Microsoft seems to be a bit ahead of the game on this one.
I don't know about you who use WEP, but please STOP.
It is BROKEN.
Use IPSec. There are many tutorials for using IPSec in tunnel mode as a replacement for WEP. Google it. I wrote the 3rd or 4th one down - it isn't that hard, guys. Please don't use WEP, it really isn't smart.
802.1x authentication is not a new concept. It was developed many years ago for incorporation into the HP ProCurve product line for port based authentication. The good thing about 802.1x is that at least it does provide some encryption from the authenticator to the radius server. So it's either this or captive portal, which is implemented into hotspot controllers to provide authentication via redirection of http requests to a website that requests user/password pairs authenticated off a radius server. Pick your tool, something needs to be done.
The IPSec tunnel is established between the two computers communicating. There would be no reason for the AP to do any processing other than what it already does - moving packets.
You also can't broadcast the university's data to the world. It's definitely a balance, but there are solutions that can work without being too restrictive. We use Funk Software's Odyssey server at our university, and it supports a wide range of authentication types (TLS, TTLS, LEAP, PEAP). We have managed to get 98% of our users online without any trouble. Cisco hardware works fine on most OSes (Linux, BSD, PocketPC). There is also an open source TLS authentication method, but that involves issuing client certificates.
Like I said before, there has to be some balance between security and academic freedom, but there must be some sort of security policy in any large wireless network. I think what the industry really needs is a standard rather than 5 or more different solutions with marginal advantages over one another. Then we can work on getting that standard supported everywhere (PEAP I hope). Until then, wireless security will always be hit or miss or none at all.
Hi,
I work at the University of Utah. We're currently rolling out 802.1x.
My building has already rolled out 802.1x on about 36 access points. We've been running for over a month and a half.
We've got a lot of people interested in what we're doing. We're using a decentralized model that allows us to let various departments use their user accounts everywhere else on campus (that is using 802.1x).
Check out our whitepaper for more information:
http://utahgeeks.sourceforge.net/projects/WirelessWhitepaper.pdf
The paper covers various issues. Keep in mind that the paper is not quite done yet, but it does have a lot of useful information.
We're officially supporting Mac OS X, Windows 98, Windows 2k, and Windows XP. We're not officially supporting Linux, but my boss and I are lead developers on the open1x project (http://open1x.sourceforge.net).
It has Linux and Mac OS X support. We support TTLS, TLS, PEAP (in CVS), MD5, and we're going to be implementing EAP_AKA pretty soon.
If you're interested in the specifics please check out some of our support pages:
http://www.laptop.lib.utah.edu/global/support/index.html
The biggest problem has been support for various cards on Windows. The support link above lists the cards we've tested.
We're currently only supporting Airport on Mac OS X due to the lack of a public API from Apple. (Please let Apple know that you want a public wireless API so we can support more cards...)
We're using a campus site license of the Meetinghouse supplicant for Mac OS X and Windows. We're using Radiator, a Perl-based (VERY NICE!) RADIUS server. Its 802.1x implementation rocks.
More info on Radiator: http://www.open.com.au
802.1x is becoming the University of Utah campus standard. All future wireless purchases made with student task force moneys will be required to be 802.1x compatible.
Please let us know if you have any questions regarding our setup.
You're a little bit confused about how 802.1x ties into everything...
;)
a) 802.1x was designed for port based access, not wireless. It was adapted for wireless. The keying method is WEP. The encryption tunnel for authentication happens VERY quickly. very little overhead.
b) 802.1x allows you to know WHO is on your network. Do you really want to have an open wide public network that some terrorist could potentially get on to talk to his buddies anonymously... not me...
c) Once again... the encryption for the authentication happens very quickly. We're talking minuscule amounts of time. The keying on the card is WEP, but the keys can be per-user, and can rotate at a specified interval. If you're using WEP at all your keys should be rotating no less than every 10 minutes, otherwise it would be very easy to crack.
d) 802.1x *IS* using SSL for its encryption... besides the fact that that portion only happens for authentication... as I said before WEP is used on the cards.
802.11i will provide per-packet keying, which is when you should really start to worry about the overhead...
Um... 802.1x *IS* an IEEE standard... people just need to start implementing it correctly... ;)
;)
Also, not only is there a TLS open source standard... the open1x project (http://www.open1x.org) has a TTLS release, and PEAP in CVS.
PEAP is a horrid ripoff of TTLS in my opinion.
P.S. The FUNK guys wrote the TTLS RFC.
M$ and Cisco wrote the PEAP RFC, but neither of them follow it, or each other.
At NU the IT department has deployed hotspots at a variety of locations. The campus cafe, parts of the student center, certain locations in the dorms, libraries, as well as other locations provide wireless access.
WEP is not used to secure the network. Instead they're using VPN to provide authentication as well as secure/encrypted connections. Nothing beyond the VPN server and other clients of the AP is accessible without connecting to VPN. As an added benefit VPN allows off-campus users to use the NU mail relays, and other things that are restricted to the university subnets.
Check it out:
http://www.tss.northwestern.edu/wireless/
http://www.tss.northwestern.edu/vpn/
What we've done is placed a small firewall just outside our main firewall on the same ISP subnet. All clients must use the same VPN software they use when traveling to then access the network through the main firewall. Rules in place on the small firewall only allow authenticated traffic hubbed through the main firewall and nothing else. So you don't even get a free ride on Internet access if you break into the network. 802.1x is definitely next and we may or may not keep the IPSec.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
Funny thing, the only way I got the freakin' AEGIS client to work was to read the directions. I thought I knew Linux, but the AEGIS guys know it better ... or something.
So the moral of the story is, read the directions (and don't bother using the RedHat 'neat' utility with AEGIS -- they don't like each other).
802.1X gives you an authentication mechanism, and a way of automatically distributing WEP keys.
WPA is an "early release" snapshot of 802.11i. It requires the 802.1X access control mechanisms and a souped-up version of 802.1X key management. Whether WPA requires EAP-based (RADIUS-based) authentication or a manually-entered key depends on how you configure it.
I have had plenty of experience with 802.1x installed at a major American university (which may be the same university the article submitter works at).
Thanks to the 802.1x deployment, I have zero wireless networking capability under FreeBSD. Ah, that takes me back to my freshman year of 1996.
One future, two choices. Oppose them or let them destroy us.
Protect the upper layers not below 3
Hack layer two... yippee! yippee!
Since WEP 40/128 provide NO security at the high layer... people feel they're getting something with WPA (most won't run the required auth/radius server though.. so it's even worse).
Layer 2 is still open. You'll have to wait until next year when the 11i crew comes out with something.
As for a resource, use Dr. Arbaugh's new book on the subject.
http://www.amasin.com/-/0321136209/Real
802.1x is not related to speed... it's an authentication mechanism.
802.1x works with 802.11a, 802.11b, 802.11g, and standard wireless networks.
802.1x does not replace wireless, it complements it.
The security of my students is more important than the one or two people that can not access the network.
:P
We are supporting Mac OS X users.
We are supporting Windows users.
We don't support Linux, but we are writing the client.
We have gone out of our way to make this work as best possible for our students, and we would rather them be secure than have them using an insecure wireless network.
Take a look at our list of supported cards before you start badmouthing our efforts:
http://www.laptop.lib.utah.edu/cgi-bin/dot1x/dot1x Compatibility.pl
Like I said in another post... if the vendor doesn't support their card, why should we?
802.1x not working on a standard WIFI card means that they are doing something wrong.
802.1x functionality does *NOT* need anything special in the driver. It simply needs the driver writers to not do stupid things, like disallow currently undefined ethertypes.
The client takes care of the 802.1x authentication.
You don't like the client, tough... don't use the network.
We want you to be secure, because we *DO* actually care.
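The point in the post above (802.1x needs nothing special from a driver beyond passing the EAPOL ethertype, 0x888E, through to the client) is easier to see with the frame layout in hand. The parser below is an added example written for this thread, not code from the open1x project or any client mentioned here. It builds a constructed EAP-Request/Identity and an EAPOL-Start with made-up MAC addresses (AP_MAC, STA_MAC) and decodes the EAPOL header (version, type, length) and the EAP header (code, identifier, length, type) that follows it; the helper names are hypothetical.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                        # EAPOL ethertype a driver must pass through untouched
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address, destination of EAPOL-Start

# Constructed sample addresses for the frames below (not from any real capture).
AP_MAC = bytes.fromhex("00aabbccdd01")
STA_MAC = bytes.fromhex("001122334455")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def build_eap_request_identity(dst, src, identifier):
    """Constructed authenticator frame: Ethernet + EAPOL(EAP-Packet) + EAP-Request/Identity."""
    eap = struct.pack("!BBHB", 1, identifier, 5, 1)      # code=Request, id, length=5, type=Identity
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap     # version 1, type 0 (EAP-Packet), body length
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_eapol_start(src):
    """Constructed supplicant frame: EAPOL-Start has an empty body (length 0)."""
    return PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, 1, 0)


def is_eapol(frame):
    """True when the Ethernet ethertype is 0x888E; ordinary IP traffic (0x0800) is not."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_eapol_frame(frame):
    """Decode an Ethernet frame carrying EAPOL into a dict; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    if not is_eapol(frame):
        raise ValueError("not an EAPOL frame")
    dst, src = frame[:6], frame[6:12]
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    info = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0:                              # an EAP packet follows the EAPOL header
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length exceeds EAPOL body")
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2):                      # Request and Response carry a type byte
            if eap_len < 5:
                raise ValueError("EAP Request/Response missing type byte")
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            info["eap_data"] = body[5:eap_len]
    return info


if __name__ == "__main__":
    print(parse_eapol_frame(build_eap_request_identity(STA_MAC, AP_MAC, 7)))
    print(parse_eapol_frame(build_eapol_start(STA_MAC)))
```

A driver that drops frames with an ethertype it does not recognise never delivers the first of these two frames to the supplicant, which is exactly the failure the post attributes to "stupid things" in driver code; the parser itself only needs the raw Ethernet payload.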
802.11(a,b,g) can be made secure by 802.1X today and by 802.11i going forward. 802.1X sidesteps the weaknesses of WEP by only using keys for a short duration (typically ten or fewer minutes) and using different keys per user. This keeps the amount of data transmitted using any given key low enough that the weakness of WEP becomes moot because there is insufficient data for the key to be weakened (the original paper talked about gigs of data which would take many many hours to collect even on a near saturated .11b link). In addition 802.1X implements TKIP which is basically per packet hashing to thwart playback or insertion techniques. Basically 802.1X is Cisco's LEAP opened up and standardized for the whole industry. For the most secure of installations Cisco still recommends using VPN over wireless, but then they also recommend it for wired networks in some situations =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
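Two posts above argue the same thing from different directions: rotate per-user WEP keys at least every ten minutes so that little data is sent under any one key. The model below is an added example, not from any post or product in this thread; it estimates, for a constructed link (11 Mbps, 50% busy, 1500-byte frames), how many frames and megabytes one station sends under a single key during a rotation interval, what fraction of WEP's 24-bit IV space that consumes, and the birthday-bound chance of IV reuse when a card picks IVs at random rather than counting. The data budget is a parameter, not a figure from the page; the function names are hypothetical.

```python
import math

WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS        # 16,777,216 distinct IVs per key


def frames_per_interval(link_mbps, utilisation, frame_bytes, seconds):
    """Frames one station can send under a single key during the rotation interval."""
    bits = link_mbps * 1_000_000 * utilisation * seconds
    return int(bits // (frame_bytes * 8))


def random_iv_collision_probability(frames):
    """Birthday approximation: probability at least two frames share an IV (and thus
    an RC4 keystream) when the card chooses IVs uniformly at random."""
    if frames < 2:
        return 0.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * WEP_IV_SPACE))


def seconds_until_counter_wraps(link_mbps, utilisation, frame_bytes):
    """With a sequential IV counter, keystream repeats only after all 2^24 IVs are used."""
    per_second = frames_per_interval(link_mbps, utilisation, frame_bytes, 1)
    return WEP_IV_SPACE / per_second


def assess_rotation(link_mbps, utilisation, frame_bytes, rotation_seconds, data_budget_mb):
    """Summarise exposure of one key for the given rotation interval and data budget."""
    frames = frames_per_interval(link_mbps, utilisation, frame_bytes, rotation_seconds)
    megabytes = frames * frame_bytes / 1e6
    return {
        "frames_per_key": frames,
        "megabytes_per_key": megabytes,
        "iv_space_used": frames / WEP_IV_SPACE,
        "random_iv_collision": random_iv_collision_probability(frames),
        "counter_wrap_seconds": seconds_until_counter_wraps(link_mbps, utilisation, frame_bytes),
        "within_budget": megabytes <= data_budget_mb,
    }


if __name__ == "__main__":
    # Constructed scenario: near-busy 11 Mbps link, ten-minute rotation, 1 GB budget per key.
    for interval in (600, 3600):
        result = assess_rotation(11, 0.5, 1500, interval, 1000)
        print(f"{interval:>5}s rotation: {result['frames_per_key']} frames, "
              f"{result['megabytes_per_key']:.0f} MB, IV space used "
              f"{result['iv_space_used']:.1%}, random-IV collision "
              f"{result['random_iv_collision']:.3f}, within budget: {result['within_budget']}")
```

The two numbers pull in opposite directions, which is the practical lesson: a ten-minute rotation keeps the per-key data volume small and the sequential counter far from wrapping, but a card that randomises IVs almost certainly reuses one within the same ten minutes, so rotation limits the damage rather than removing the weakness that the other posters are pointing at.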
Yeah, I am anonymous, just too lazy to register on a forum that I rarely have time to read....
802.1X is NOT derived from LEAP. LEAP is derived from draft 8 of 802.1X (Draft 11 became the standard). And LEAP is also Cisco's proprietary EAP method that runs just fine over standard 802.1X thank you.
For the long haul, LEAP is weak and attackable. I think AKA will be our one secret-based EAP method that is safe to use. A secret within a tunnel (PEAP/MSCHAPv2 for example) is open to man in the middle attacks (controllable through strict policy enforcement on the clients).
Also LEAP requires specific code in the AP that MOST vendors cannot get a license for.
Thus it is PEAP/MSCHAPv2 for most out there, but look toward AKA soon if you want a secret-based approach without any public key costs.
The only credible attack in that paper was a DOS attack. A properly configured system would be able to avoid the man in the middle and session hijacking attacks described there. DOS probably isn't a really huge problem with low power wireless since it will be pretty easy to locate the attacker.
I don't want free as in beer. I just want free beer.
finding access-points:
http://www.netstumbler.com/
http://www.kismetwireless.net/
why WEP sucks:
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
http://www.80211-planet.com/tutorials/article.php/1368661
breaking WEP:
http://airsnort.shmoo.com/
http://sourceforge.net/projects/wepcrack
"war-walking" in offices etc.
http://www.pocketwarrior.org/
(of course, the 13yr old sc^H^H überhacker may not have a driving licence, so warwalking is cooler than wardriving)
after reading the documents above, I suggest you take down your WLAN, disconnect from the internet and lock your computer in a safe
[note that I didn't use the word "SNIFFER", I don't want to get sued by NAI].
We are running Funk Software's Steel Belted RADIUS (SBR) on Solaris for 1x authentication requests using TTLS. SBR verifies user credentials on the back end against our OpenLDAP server. We also return the group membership of the validated user with each login so the RAS can implement individual firewalls (at the user's point of access!) based on each user's credentials (aka User Personalized Networking). This is essential for supporting large numbers of open-access ports (i.e. dorms, Library, Student Center, labs...)
We use Enterasys equipment exclusively, including their R2 access points for wireless. We use their Netsight Atlas Policy Manager software to enforce UPN policies.
We have an academic site license for the Meeting House Aegis 1x client. This has worked brilliantly with 2000/XP and MacOS. Linux support has been shaky (it's beta) but we have had success with Open1x in that application. The problem with the Mac is that it doesn't come preconfigured with any certificate authorities under OpenSSL, so we have had to add one manually to each station.
The only problems we have had is a small bug in SBR that caused it to periodically lose contact with LDAP (fixed in SBR 4.0.4) and some quirky early versions of the Aegis clients (fixed). Meeting House has also just released (beta) an enterprise-deployment option that allows us to distribute a preconfigured client. Funk's client is worth looking at also, but it is very pricey.
My suggestions: plan well, test a LOT, and stay the HECK away from any of the MS garbage -- your life will be MUCH simpler!
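The flow the post above describes (RADIUS validates the user, looks up group membership, and hands a per-user policy back to the access device with each login) and the group-membership gate in the Baylor post's IAS remote access policy can both be shown with a small Access-Accept builder plus the check the access device must do before trusting the reply. This is an added example written for this thread, not code from Steel Belted RADIUS, Enterasys, IAS or Radiator. It assumes the policy name travels in the standard RFC 2865 Filter-Id attribute (type 11); real products may use a vendor-specific attribute instead. The LDAP group DNs, policy names and shared secret are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3       # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11                        # RFC 2865 attribute types

# Constructed mapping from LDAP group DN (priority order) to the policy the access switch enforces.
GROUP_POLICY = {
    "cn=staff,ou=groups,dc=example,dc=edu": "staff-policy",
    "cn=students,ou=groups,dc=example,dc=edu": "student-policy",
}
DEFAULT_POLICY = "guest-restricted"   # anyone authenticated but in no known group


def policy_for(groups):
    """Return the policy for the first (highest-priority) group the user belongs to."""
    for group in groups:
        if group in GROUP_POLICY:
            return GROUP_POLICY[group]
    return DEFAULT_POLICY


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: type(1) length(1, includes header) value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(blob):
    """Walk the attribute list, refusing lengths that run off the end of the packet."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Server side: header, Response Authenticator, attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def access_accept(identifier, request_authenticator, username, groups, secret):
    """Accept a validated user and attach the policy chosen from their group membership."""
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_FILTER_ID, policy_for(groups).encode())]
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator, attrs, secret)


def parse_response(packet, request_authenticator, secret):
    """Access-device side: verify the Response Authenticator before honouring any attribute."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    return code, identifier, decode_attributes(body)


def is_authentic(packet, request_authenticator, secret):
    try:
        parse_response(packet, request_authenticator, secret)
        return True
    except ValueError:
        return False


def filter_id_from(packet, request_authenticator, secret):
    """Policy name the access device should apply, or None if the reply is not an Accept."""
    code, _, attrs = parse_response(packet, request_authenticator, secret)
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_FILTER_ID:
            return value.decode()
    return None
```

The Response Authenticator is the only thing binding the reply to the request and to the shared secret, so a switch that applies Filter-Id without checking it would accept a reply with a swapped policy name of the same length; that check, and keeping a distinct secret per access device, is what makes the per-user firewall assignment trustworthy.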
Here is what I found out. It works great, once configured correctly, but only if those laptops and desktops are as clients. As servers distributing the wifi, there are pains with it still.
A more important note: make sure you enable security if you have any access points or wifi peer to peer, and password protect any and all shares.
Taking my laptop for a drive using NetStumbler, I found 70 802.11 access points. UNSECURED points were 67. 3 were secured.
All the unsecured points were wide open to me. I was able to scan IPs, view shared folders, and obtain files from the exposed machines, and I had access to their internet.
And they apparently are still clueless that I gained access to their systems.
Of all the exposed systems 4 were T1 lines. The rest were broadband access points. Now, I'm not including coffee shops that provide free 802.11 access. That is nice too. But secure your connections, unless you don't mind people accessing your personal information.
My rating of wifi at this point in time is 4 out of 5 stars. And it is stable. In most cases.
To err is human, to really screw things up, you need a robot.