Specifications

ManualsBrandsCisco ManualsComputer equipmentCisco Access Registrar 4.2

Cisco Systems, Inc.

Page 1 of 42

White Paper

Extensible Authentication Protocol Transport Layer Security

Deployment Guide for Wireless LAN Networks

1 Scope

This document discusses the Extensible

Authentication Protocol Transport Layer

Security(EAP-TLS)authenticationprotocol

deployment in wireless networks. It

introduces the EAP-TLS architecture and

then discusses deployment issues. An

example enterprise rollout for EAP-TLS is

discussed in the section “Validation Lab”

(Section 6).

2 Background

In September 1999, the IEEE approved

the 802.11b (2.4-gigahertz [GHz] range,

11-Mbpsthroughput)and802.11a(5-GHz

range, 54-Mbps throughput) extensions.

Since then, adoption of wireless LAN

(WLAN) solutions in vertical (retail,

education, health care, transportation,

and so on) and horizontal markets has

accelerated. As standardized by the

IEEE, security for 802.11 networks can be

simpliﬁed into two main components:

authentication and encryption. The

implementation of these components

has been proven insecure and has been

extensively documented by the security

community.

An alternative WLAN security approach

focuses on developing a framework for

providing centralized authentication and

dynamic key distribution. A proposal

jointly submitted to the IEEE by Cisco

Systems, Microsoft, and other

organizations introduced an end-to-end

framework using 802.1X and the EAP to

providethisenhancedfunctionality.Central

to this proposal are two main elements:

• EAP allows wireless client adapters,

which may support different

authentication types, to communicate

with different back-end servers such as

Remote Access Dial-In User Service

(RADIUS)

• IEEE802.1X,astandard for port-based

network access control

To support all popular operating systems,

Ciscoemployeesdesignedandimplemented

Lightweight Extensible Authentication

Protocol(LEAP)—anetwork-EAPprotocol

based on 802.1x authentication

framework—on Cisco Aironet

WLAN

products and solutions. Microsoft’s latest

operating system, Windows XP, provides

support for 802.1x (speciﬁcally EAP-TLS

andEAPMessageDigest5[MD5]).Thus,a

varietyof EAPauthenticationprotocols can

be used to authenticate users in today’s

WLAN networks. Figure 2-1 illustrates the

mixed EAP protocol deployment in a

WLAN network:

Summary of content (42 pages)

PAGE 1
White Paper Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks 1 Scope dynamic key distribution. A proposal This document discusses the Extensible jointly submitted to the IEEE by Cisco Authentication Protocol Transport Layer Systems, Microsoft, and other Security (EAP-TLS) authentication protocol organizations introduced an end-to-end deployment in wireless networks. It framework using 802.
PAGE 2
Figure 2-1 Mixed 802.
PAGE 3
This document focuses on EAP-TLS authentication protocol rollout in WLAN networks. Section 3 further introduces the reader to the EAP/802.1x architecture. Section 4 discusses Public Key Infrastructure (PKI) and EAP-TLS authentication protocol. In Section 5, EAP-TLS deployment criteria are examined in detail. Section 6 provides details about the Validation Lab that was built to illustrate an example EAP-TLS rollout in a WLAN network. Section 7 provides EAP-TLS troubleshooting tips.
PAGE 4
Introduction to PKI and EAP-TLS EAP-TLS (RFC 2716) is using the TLS protocol (RFC 2246), which is the Internet Engineering Task Force’s (IETF’s) latest version of the Secure Socket Layer (SSL) protocol. TLS provides a way to use certificates for both user and server authentication and for dynamic session key generation. EAP-TLS uses concepts of PKI. The following section introduces PKI and the concepts of certificates, certificate authorization, and validating user identity.
PAGE 5
A PKI should include at least five components, described in Table 4-2. Table 4-2 PKI Components Registration authority A registration authority provides an interface to all the security management activities that require global coordination to provide a comprehensive and consistent view of security configuration.
PAGE 6
During the registration process, an end entity makes itself known to a certification authority through a registration authority before that certification authority issues a certificate. The end entity provides its name and other attributes to be included in its public key certificate(s) and the certification authority (or the registration authority, or both) verifies the correctness of the provided information.
PAGE 7
the private key (Amazon.com) is able to decrypt the message. Using this method, a user can validate that Amazon is a legitimate key holder for a given digital certificate. However, trusting that someone is in possession of a digital certificate only provides a name/key-pair binding. 4.1.2.2 Second Element of Trust: Certification Authority The second element of trust in PKI is the involvement of the certification authority server. Continuing our Amazon.
PAGE 8
As opposed to the one-way, or server-side, authentication discussed in the Amazon.com example, EAP-TLS performs mutual SSL authentication. This requires both the supplicant (the end user’s machine) and the authentication server (the RADIUS server) to have a certificate. In mutual authentication, each side is required to prove its identity to the other using its certificate and its private key. The procedure is the same explained in the Amazon example, but for both sides. 4.2.
PAGE 9
Figure 4-3 illustrates the details of EAP-TLS exchange. The figure shows that, as part of the EAP request, the RADIUS server provides its certificate to the client and requests the client’s certificate. The client validates the server certificate and responds with an EAP response message containing its certificate and also starts the negotiation for cryptographic specifications (cipher and compression algorithms).
PAGE 10
4.2.2.2 Server Trusting Client This part will help you understand the concept of AAA server trust model. Specific configuration information is given in Section 6 of this document. To support EAP-TLS, the AAA server (for example, Cisco Secure ACS) must have a certificate. Either a public certification authority or a private certification authority can be used to issue the AAA server certificate.
PAGE 11
Figure 4-4 Session Key Derivation in EAP-TLS Authentication Client Random (per connection) Pre-Master Secret (per session) Server Random (per connection) PRF Master Secret (per session) PRF Write MAC Client/Server (per connection) IV Client/Server (per connection) Write Secret Client/Server (per connection) 5 EAP-TLS Deployment in a WLAN Environment This section details the system components that are required to roll out EAP-TLS in an enterprise network.
PAGE 12
5.2 Certificate Requirements This section discusses the certificate requirements on both the client and the AAA server sides. 5.2.1 Client Certificate Requirements For a client (using Windows XP professional, for example) to authenticate using EAP-TLS, the client must obtain a personal client certificate. This certificate must meet several requirements: Figure 5-1 Client Certificate and the Enhanced Key Usage Field • The certificate has to be installed when the requested user is logged in to the machine.
PAGE 13
Figure 5-2 Client Certificate: Subject/cn Field Figure 5-3 Client Certificate 2: Subject/cn Field Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 14
• The client must have the corresponding private key. To verify that the private key exists, view the general section of the certificate and verify that you see the following message: “You have a private key that corresponds to this certificate” (Figure 5-4). • When viewing the certificate, you have to verify that the following statement appears: “This certificate is intended to: Guarantee your identity to a remote computer” (Figure 5-4).
PAGE 15
Figure 5-5 Server Authentication Certificate 5.3 Mixed EAP Protocol Deployments The Cisco Aironet access point passes through any EAP authentication type presented to it by a client. It is up to the authentication server (RADIUS server) to accept or reject the authentication type and respond accordingly. In the situation of EAP-TLS, the AAA/RADIUS server must be able to reject the presented authentication type and respond with the desired type.
PAGE 16
You can calculate the load on ACS by applying this formula: (session length)/(number of connections). Using a value of 25 connections per access point and a 10-minute (600-second) session timeout to force WEP rekeying, you get 600/25 = 24 seconds/connection, which translates into 1 transaction every 24 seconds, or 1/24 (0.042) transactions per second. Table 5-1 below shows the transaction requirements for ACS based on the number of fully loaded access points being supported by a single ACS system.
PAGE 17
Figure 5-6 Network Topology Enterprise Network Enterprise Network Remote Office RADIUS Server You must also consider backup authentication. You may use a system that is dedicated as the RADIUS secondary. Or you may have two synchronized systems that each support a different network segment but provide mutual backup if one fails. Refer to the documentation for the RADIUS server in use for database replication and the use of external databases. Cisco Systems, Inc.
PAGE 18
6 Validation Lab The authors built a Validation Lab to configure and test EAP-TLS deployment in an enterprise network scenario. Figure 6-1 illustrates the Validation Lab setup: Figure 6-1 Validation Lab Cisco Aironet 350 Access-2 Distribution-2 Windows 2000 Server Active Directory + DHCP + DNS Server Core-2 Leap Client Cisco Secure ACS 3.
PAGE 19
6.1 System Components Following are descriptions and prerequisites for the Validation Lab components: • Cisco Aironet access point—Minimum access point firmware of 11.06 for 802.1x Draft 10, recommended 11.10T or the latest version. • Cisco Secure ACS v3.0—Cisco Secure ACS provides the AAA server functionality in a wireless/wired LAN network; Version 3.0 provides support for LEAP, EAP-TLS, and EAP MD5 authentication (802.1x) protocols.
PAGE 20
Refer to Appendix A for instructions on how to configure the Microsoft certification authority server. Following is the procedure used to obtain a server certificate from a Microsoft certification authority server: 1. On the local ACS machine, point the browser at the Microsoft certification authority server as follows: http://IP-address-of-Root-CA/certsrv. 2. Log in as the Administrator. 3. Choose “Request a certificate” and click Next. 4. Choose “Advanced request” and click Next. 5.
PAGE 21
Figure 6-3 illustrates steps 3 and 4 for obtaining the server certificate from a Microsoft certification authority server. As shown in the figure, an advanced request form is used to submit a certificate request to the certification authority server. Figure 6-3 Steps 3 and 4 for Server Certificate Installation Figure 6-4 illustrates the configuration required on the advanced certificate request form to obtain the server certificate.
PAGE 22
Figure 6-4 Step 5 for Server Certificate Installation Figure 6-5 shows the steps required to install the server certificate onto the ACS local machine store. Figure 6-5 Steps 6 and 7 for Server Certificate Installation After you have completed these steps, a server certificate will be installed on the ACS’s local machine store. Server certificate verification: The server certificate obtained should match the criteria specified in Section 5.
PAGE 23
6.2.2 System Configuration Parameters on ACS After obtaining the ACS server certificate from the enterprise root certification authority server, the following steps were used to configure the ACS for EAP-TLS (and LEAP) authentication: 1. On the ACS menu, choose System Configuration >> ACS Certificate Setup. 2. Under ACS Certificate Setup, choose “Use existing certificate” and then the “Specify certificate from storage” option.
PAGE 24
Figure 6-6 ACS System Configuration Parameters Figure 6-7 shows the required configuration for server certificate setup. As shown in the figure, the name of the certificate that was installed on the ACS local machine store (as discussed in Section 6.2.1) is specified under the option “Use certificate from storage.” Figure 6-7 Cisco Secure ACS System Configuration: ACS Certificate Setup Options Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved.
PAGE 25
Figure 6-8 shows the global authentication setup under system administration. After enabling EAP-TLS authentication, click the “Submit+Restart” button for the changes to take effect. Figure 6-8 Cisco Secure ACS Server System Configuration: Global Authentication Setup 6.2.3 Cisco Secure ACS Network-Access-Server Type Configuration When adding the Cisco Aironet access point as a network access server to the ACS, several “Authenticate Using” options (that is, network-access-server types) are available.
PAGE 26
Figure 6-9 ACS >> Network Configuration >> AP>> “NAS type” 6.3 Cisco Aironet Access Point Configuration As stated in sections 3 and 4, the access point can be configured to be a network access server for the 802.1x authentication process. The access point is capable of “understanding” and translating from 802.1x to RADIUS protocol (to communicate with the AAA server). However, the access point is not “aware” of the type of 802.
PAGE 27
2. Click Setup and then Security. On the Security Setup page, click Authentication Server link (as shown in Figure 6-11). Figure 6-11 Security Setup Page 3. On the “Authentication Configuration” page (see Figure 6-12): a. Choose “DRAFT 10” for 802.1x Protocol Version. b. Configure the AAA server (ACS server) information as follows: i. Enter the ACS IP address. ii. Enter 1645 or 1812 (default) for port number. iii. Enter the shared secret between the ACS and the access point (also configured in ACS). iv.
PAGE 28
Figure 6-12 Authentication Configuration Page on the Cisco Aironet AP 4. Go back to the Security Setup page and click “Radio Data Encryption (WEP)” link (as shown in Figure 6-13). Figure 6-13 Security Setup Page on the Cisco Aironet AP 5. On the AP Radio Data Encryption page (see Figure 6-14): Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 29
a. Choose “Full Encryption” as Use of Data encryption by Station. b. For enabling EAP-TLS authentication (also enables EAP MD5): i. Check Open in “Accept Authentication Type.” ii. Check “Require EAP” (only under open authentication). c. For enabling LEAP authentication, select the “Network-EAP” option. d. Set WEP Key 1 for Broadcast Key (in 11.10T and later releases, you can also enable broadcast key rotation). e. Click Apply.
PAGE 30
In the Validation Lab, a Web browser on the Windows XP client and a wired connection to the network were used to obtain a client certificate from the private root certification authority server. The following procedure was used to obtain the client certificate from a Microsoft certification authority server: 1. Using a Web browser on the client, point the browser to the certification authority server as follows: http:// IP-address-of-Root-CA/certsrv. 2.
PAGE 31
1. Using Microsoft Internet Explorer, choose Tools >> Internet Options >> Content >> Certificates; a certificate with the name of the logged-in user ID/username should be present (as shown in Figure 6-16). Figure 6-16 Microsoft Internet Explorer: Client Certificate Verification 2. Double-click the certificate and verify the following (as stated in Section 5.2.1): a.
PAGE 32
Figure 6-17 Client Certificate Verification: “General” Section Figure 6-18 Client Certificate Verification: “Details” Section Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 33
Figure 6-19 Client Certificate Verification: “Details” Section, EKU Field Figure 6-20 Client Certificate Verification: “Certification Path” Section Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 34
6.4.2 Microsoft Windows XP Wireless Networking Configuration The Microsoft XP client wireless LAN networking should be configured to enable EAP-TLS authentication to the WLAN network. The following procedure was used to configure the XP machine: 1. In Microsoft XP >> Control Panel >> Network Connections configuration: Double-click the Wireless Network connection. 1. In “Authentication” section, configure the following options: a. Select “Enable network access control using IEEE 802.1x” (see Figure 6-21). b.
PAGE 35
Figure 6-22 EAP-Type (Smart Card or Other Certificate) Properties Figure 6-23 Wireless Network Connection Properties Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 36
Figure 6-24 Wireless Networks Properties Configuration At the end of above configuration steps, Microsoft XP clients should be able to authenticate to the enterprise WLAN using EAP-TLS. 6 Troubleshooting Tips for EAP-TLS A modular troubleshooting approach is recommended for EAP-TLS. As discussed earlier in this document, three major components of EAP-TLS are EAP-TLS client, network access server (the access point), and the AAA server.
PAGE 37
6. Verify the configuration of the AAA server (ACS configuration is specified in Section 6.2). If the EAP-TLS clients and the AAA server(s) did not use the same root certification authority, then verify that the whole chain of certification authority servers’ certificates have been installed on the AAA server. The same applies if the certificate was obtained from a subcertification authority. 7.
PAGE 38
Figure 7-3 Invalid Certificate: Invalid Certification Authority Figure 7-4 Invalid Certificate: Cannot Verify Root Certification Authority Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
PAGE 39
8 Appendix A—Microsoft Windows 2000 Certificate Services Setup This appendix provides the procedure used to configure the Microsoft Windows 2000 Server certification authority services in the Validation Lab. Please refer to Microsoft Windows 2000 Server documentation for further help. Click Add/Remove Programs in the Control Panel and then choose the Add/Remove Windows Components option.
PAGE 40
To use the AAA server (Windows-based) and the certification authority certificates: 1. Copy the server certificate, private key file, and the certification authority certificate to the AAA server machine. 2. Install the server certificate and the private key. 3. Install the certification authority server certificate onto the AAA server. 4. Create user accounts for eaptls1, eaptls2, and eaptls3 on the internal AAA server database.
PAGE 41
After submitting, you should see the following (no need to restart ACS before you configure the certification authority and enable EAP-TLS): Figure 9-2 Step 2: Certification Authority Server Certificate Installation Details of the installed certification authority can be seen in the right side of the screen as shown in Figure 9-3 (you do not need to restart ACS before you enable EAP-TLS): Cisco Systems, Inc. All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved.
PAGE 42
Figure 9-3 Certification Authority Detail Display As the final step, enable EAP-TLS in the ACS “Global Authentication Setup” and submit and restart the ACS. (Refer to sections 6.2.2 and 6.2.3 for more Details.) Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems Europe 11 Rue Camille Desmoulins 92782 Issy-les-Moulineaux Cedex 9 France www-europe.cisco.