342 CCNA Wireless Official Exam Certification Guide

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a commonly used EAP method for wireless networks. In EAP-TLS, a certificate must be installed on both the authentication server and the supplicant, and each side validates the other's certificate. For this reason, it is considered one of the most secure methods available. It requires that both client and server key pairs be generated first and that their certificates be signed by a CA. The communication used by EAP-TLS is a full TLS handshake carried inside EAP; TLS is the successor to SSL. The handshake produces an encrypted tunnel, and the client's certificate is presented as part of that handshake.

Note: EAP-TLS was originally defined in RFC 2716, which has since been obsoleted by RFC 5216.

Figure 17-12 shows the process of EAP-TLS. As you can see, the process begins with an EAP Start message. Next, the AP requests the client's identity. The client responds with its identity, and this is sent via EAP over RADIUS to the authentication server. The authentication server sends its certificate, and the client sends its certificate, thus proving their identity to each other. Next, symmetric session keys (the master session key) are created. The authentication server sends the master session key to the AP or controller to be used for either WEP or WPA/WPA2 encryption between the AP and the client.

[Figure 17-12 EAP-TLS Process. Participants: Client, Authenticator (AP or Controller), Authentication Server. Flow: EAP Start; Request Identity; Identity forwarded to the authentication server; Server Sends Its Cert; Client Sends Its Cert; Symmetric Session Keys Generated; Master Key Sent to AP; Encryption Between Client and AP Using WEP or WPA/WPA2.]

20_1587202115_ch17.qxpI 9/29/08 2:43 PM Page 342

Chapter 17: Securing the Wireless Network 343

You configure EAP-TLS in the same location as WEP by selecting 802.1x in the Layer 2 security drop-down (refer to Figure 17-6). The EAP method is negotiated between the server and the client, so the AP really doesn't care which one is used.
You simply select 802.1x.

EAP-FAST

Extensible Authentication Protocol-Flexible Authentication via Secure Tunnel (EAP-FAST) is a protocol that was developed by Cisco Systems. Its purpose was to address weaknesses in Lightweight Extensible Authentication Protocol (LEAP), another Cisco-developed EAP method. The concept of EAP-FAST is similar to EAP-TLS; however, EAP-FAST does not require a PKI. Instead, EAP-FAST uses a strong shared secret called a Protected Access Credential (PAC) that is unique to every client.

EAP-FAST negotiation happens in two phases, phase 1 and phase 2, but it is during a separate phase 0 that the PAC is provisioned in band (the PAC can also be installed out of band). After the PAC has been distributed, phase 1 can happen. In phase 1, the AAA server and the client establish a TLS tunnel after authenticating each other using the PAC. After phase 1 establishes the secure TLS tunnel, phase 2 authenticates the user to the AAA server using another EAP method, with either passwords or generic token cards.

Figure 17-13 shows the details of EAP-FAST negotiation using generic token card authentication for the user. EAP-FAST negotiation occurs as follows:

1. The client sends an EAPoL start to the AP.
2. The AP, which is the authenticator, sends back an EAP Identity Request message.
3. The client sends a response to the authenticator. It is forwarded to the authentication server (AAA server) in a RADIUS packet.
4. The authentication server sends an EAP-FAST start message that includes an Authority ID (A-ID).
5. The client selects the PAC that matches the received A-ID and sends the PAC Opaque to the server. The PAC Opaque is a variable-length field that can be interpreted only by the authentication server; it is used to validate the client's credentials.
6. The authentication server decrypts the PAC Opaque using the master key that was used to derive the PAC key. The authentication server sends an EAP-TLS Server Hello along with the Cipher Trust Protocol Set (the selected TLS cipher suite).
7. If the keys match, a TLS tunnel is established, with the client sending a confirmation.
8. The server sends an identity request inside the TLS tunnel using a protocol such as Extensible Authentication Protocol-Generic Token Card (EAP-GTC).
9. The client sends an authentication response.
10. The server sends a Pass or Fail message. The Pass message indicates that the client is successfully authenticated.

[Figure 17-13 EAP-FAST Negotiation. Participants: Client, Authenticator, Authentication Server (AAA Server). Flow: EAP Start; EAP Request Identity; EAP Response Identity; EAP-FAST Start (AID); PAC Opaque; Cipher Trust Protocol Set; Confirm Cipher Trust Protocol Set; inside the TLS Tunnel: Identity Request, Authentication Response (EAP-GTC), Pass/Fail.]

PEAP

As you've seen with EAP-TLS, certificates are required on both the client and the server. With EAP-FAST, no certificates are required; rather, the PAC takes care of things. With Protected EAP (PEAP), only a server-side certificate is used. This server-side certificate is used to create a tunnel, and then the real authentication takes place inside. The PEAP method was jointly developed by Cisco Systems, Microsoft, and RSA. PEAP uses Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC) to authenticate the user inside an encrypted tunnel. To authenticate to Microsoft Windows Active Directory, you would use MS-CHAPv2. Because the client never presents a certificate, the client must be configured to validate the server certificate and to trust only the intended servers; otherwise a rogue AP fronting its own RADIUS server can terminate the tunnel and collect the MS-CHAPv2 exchange.

Figure 17-14 shows the PEAP process. In PEAP, the following occurs:

1. The client sends an EAPoL start, and the authenticator returns a request for identity. This is similar to the other EAP methods.
2. The client returns its identity, and it is forwarded to the AAA server.
3. The AAA server sends a server certificate and begins establishing a TLS tunnel.
4. The client returns a premaster secret.
5. The tunnel is established.
6. The AAA server sends an identity request to the client.
7. The client sends an identity response.
8. The server sends an EAP-MS-CHAPv2 challenge.
9. The client enters credentials into a popup, and that is sent back as an EAP-MS-CHAPv2 response.
10. The server returns a pass or fail. If it's a pass, the user can send traffic.

[Figure 17-14 PEAP Process. Participants: Client, Authenticator, Authentication Server (ACS). Flow: Start; Request Identity; Identity; Server Cert (EAP-TLS); Pre-Master Secret; Tunnel Established; inside the Protected Tunnel: Identity Request/Response, EAP MSCHAPv2 Challenge, EAP MSCHAPv2 Response (this is where the user enters credentials), EAP Success/Fail.]

LEAP

Lightweight Extensible Authentication Protocol (LEAP) gets honorable mention here mainly because it is a Cisco EAP method that is still seen in 802.11b networks. LEAP is vulnerable to an offline dictionary attack: its MS-CHAP-style challenge/response is exchanged without a protective tunnel, so anyone who captures it can test password guesses at leisure. You should avoid it if possible. LEAP uses a proprietary algorithm to create the initial session key.

Authentication and Encryption

Now that you understand some of the methods used to authenticate users, it's time to explore some encryption methods. The beginning of this chapter discussed WEP. The problem with WEP is that it can be broken easily. Therefore, other methods have been established in an effort to provide more strength in encryption. In the following sections, you will learn about Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).

WPA Overview

WPA was introduced in 2003 by the Wi-Fi Alliance as a replacement for WEP. WPA uses Temporal Key Integrity Protocol (TKIP) to automatically change the per-packet keys. TKIP still uses RC4; it just improves how the cipher is keyed. This is a major improvement over static WEP.
WPA can optionally support Advanced Encryption Standard (AES), but it's not mandatory. WPA is based on 802.11i draft version 3.

WEP uses RC4 encryption with a static key and a short 24-bit initialization vector (IV), a combination that is very weak. The better alternative was to use AES encryption, but that would have required an equipment upgrade. To avoid an equipment upgrade, WPA was developed to use TKIP, which keeps RC4 but mixes a fresh key for every packet and uses a larger (48-bit) IV than WEP. This makes it more difficult to recover the keys while not requiring new hardware. Instead, you could simply perform a firmware upgrade in most cases.

WPA offers two authentication modes:

■ Enterprise mode: Enterprise mode WPA requires an authentication server. RADIUS is used for authentication and key distribution, and TKIP is used with the option of AES available as well.
■ Personal mode: Personal mode WPA uses preshared keys, making it the weaker option, but the one that is most likely to be seen in a home environment.

Figure 17-15 shows the process of WPA authentication. At the beginning of negotiations, the client and AP must agree on security capabilities. After the two agree on the same level of security, the 802.1x process starts. This is the standard 802.1x process, as outlined previously. After successful 802.1x authentication, the authentication server derives a master key and sends it to the AP. The client derives the same key on its own from the EAP exchange. Now the client and the AP have the same Pairwise Master Key (PMK), which will last for the duration of the session. (In Personal mode there is no 802.1x exchange; both sides derive the PMK from the preshared key and the SSID.)

[Figure 17-15 WPA Authentication. Participants: Client, Authenticator, Authentication Server. Flow: Security Capability Discovery; 802.1x Authentication; RADIUS Key Distribution; 802.1x Key Management: 4-Way Handshake for Key, 2-Way Group Key Handshake.]

Next, a four-way handshake occurs (see Figure 17-16), in which the client and authenticator communicate and a new key called a Pairwise Transient Key (PTK) is derived.
This key confirms the PMK between the two, establishes a temporal key to be used for message encryption, authenticates the negotiated parameters, and creates keying material for the next phase, called the two-way group key handshake.

When the two-way group key handshake occurs, the client and authenticator negotiate the Group Transient Key (GTK), which is used to encrypt and decrypt broadcast and multicast transmissions.

In Figure 17-16, you can see that the AP first generates a random number (the ANonce) and sends it to the client. The client then combines the PMK (in Personal mode, derived from the common passphrase) with this random number, its own random number (the SNonce), and the two MAC addresses to derive the PTK, from which the key that encrypts data to the AP is taken. The client then sends its own random number to the AP, along with a Message Integrity Code (MIC) computed with the PTK, which is used to ensure that the data is not tampered with and proves that the client holds the correct PMK. The AP performs the same derivation and obtains the identical PTK, including the key used to encrypt unicast traffic to the client. To validate, the AP sends the random number again, this time protected by a MIC under the derived key, together with the group key. A final message is sent, indicating that the temporal key (TK) is in place on both sides.

The two-way handshake that exchanges the group key involves the generation of a Group Master Key (GMK), usually by way of a random number. After the AP generates the GMK, it generates a group random number. This is used to generate a Group Temporal Key (GTK). The GTK provides a group encryption key and a MIC key. This key changes when it times out or when a client leaves the network.

To configure WPA, set the Layer 2 security method by choosing WLANs > Edit. Then select the Security tab and choose WPA+WPA2 from the drop-down, as shown in Figure 17-17. To allow WPA, ensure that TKIP is selected. This is automatically done for you when you select the WPA Policy check box.

WPA2 Overview

WPA2, as its name implies, is the second attempt at WPA. WPA2 was not designed to be just a firmware upgrade; instead, you might need new hardware to use it.
[Figure 17-16 WPA Four-Way Handshake. Participants: Authenticator, Client. Flow: Random Number to client; Derive PTK (client); Random Number to authenticator; Derive PTK (authenticator); Resend Random Number; Install PTK on both sides; PTK Done.]

[Figure 17-17 Configuring a WPA Policy]

The reason for the more-capable hardware requirement is that WPA2 was designed to use AES encryption. WPA was designed based on a draft of 802.11i and was released in 2003, whereas 802.11i was ratified in 2004. By the time 802.11i was ratified, it had added more support for 802.1x methods and AES/CCMP for encryption. The Wi-Fi Alliance then released WPA2 to be compatible with the 802.11i standard.

It was mentioned that AES is used for encryption. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES/CCMP) still uses an IV (the packet number) and a MIC, but the packet number increases with every frame and is never reused under the same key, and the MIC is computed with AES itself (CBC-MAC) rather than with TKIP's weaker Michael algorithm.

Comparing WPA to WPA2, you can see that

■ WPA mandates TKIP, and AES is optional.
■ WPA2 mandates AES/CCMP; TKIP is permitted only for backward compatibility with WPA clients in mixed mode.
■ WPA allows AES in its general form.
■ WPA2 only allows the AES/CCMP variant.
■ With WPA2, key management allows PMKs to be cached to allow for faster reconnections.

To configure WPA2, from the WLANs > Edit page, select the WPA2 Policy option. Then select either AES and TKIP or just AES as the default value, as shown in Figure 17-18. Then select the authentication key management option; the choices are 802.1x, CCKM, PSK, and 802.1X+CCKM.
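The WPA and WPA2 key hierarchy described in the two overviews above, worked through in code. This is an added example, not code from the CCNA Wireless guide or from Cisco: it derives the PMK from a passphrase (Personal mode), expands it into the PTK using the two nonces and both MAC addresses, builds message 2 of the four-way handshake and checks its MIC the way the authenticator does, for both the WPA (TKIP, HMAC-MD5 MIC) and WPA2 (CCMP, HMAC-SHA1 MIC) descriptor versions. The MAC addresses, nonces, SSID, passphrases and RSN IE are constructed values; in Enterprise mode the PMK would come from the RADIUS-delivered master session key rather than from PBKDF2. It goes one step beyond the text with offline_guess, which shows why Personal mode is called the weaker option: everything the MIC check needs except the passphrase is visible on the air.

```python
"""Added example (not from the CCNA Wireless guide): the WPA/WPA2 key hierarchy
(passphrase -> PMK -> PTK) and the EAPOL-Key MIC check of the four-way handshake.
MAC addresses, nonces, SSID, passphrases and the RSN IE below are constructed stand-ins."""
import hashlib
import hmac
import struct

AA = bytes.fromhex("001122334455")           # constructed authenticator (AP) MAC address
SPA = bytes.fromhex("66778899aabb")          # constructed supplicant (client) MAC address
ANONCE = hashlib.sha256(b"anonce").digest()  # stand-in for the AP's 32-byte random nonce
SNONCE = hashlib.sha256(b"snonce").digest()  # stand-in for the client's 32-byte random nonce
# 802.1X hdr 4 + descriptor 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
MIC_OFFSET = 81


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    In Enterprise mode the PMK is instead taken from the EAP master session key that the
    RADIUS server hands to the AP after 802.1x succeeds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter), truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, ccmp: bool = True) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces).
    Each side computes this locally; only the nonces cross the air. CCMP needs 48 bytes
    (KCK 16 | KEK 16 | TK 16); TKIP needs 64 (TK 32 = RC4 key 16 + two 8-byte Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if ccmp else 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def build_eapol_key_msg2(snonce: bytes, replay: int, key_data: bytes, ccmp: bool = True) -> bytes:
    """Handshake message 2 (client -> AP) with the MIC field zeroed. Key info carries descriptor
    version 1 (HMAC-MD5 MIC, TKIP) or 2 (HMAC-SHA1 MIC, CCMP), the pairwise bit and the MIC bit."""
    key_info = 0x0108 | (2 if ccmp else 1)
    body = (struct.pack(">BHHQ", 2, key_info, 16 if ccmp else 32, replay) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)          # IV, RSC, ID, MIC (zeroed)
            + struct.pack(">H", len(key_data)) + key_data)          # e.g. the client's RSN IE
    return struct.pack(">BBH", 2, 3, len(body)) + body             # EAPOL v2, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes, ccmp: bool = True) -> bytes:
    """MIC over the whole EAPOL frame with its MIC field zeroed, keyed with the KCK."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1 if ccmp else hashlib.md5).digest()[:16]


def client_message2(passphrase: str, ssid: str = "CorpWLAN", ccmp: bool = True) -> bytes:
    """Client side: after receiving ANonce in message 1, derive the PTK and send SNonce + MIC."""
    kck = derive_ptk(passphrase_to_pmk(passphrase, ssid), AA, SPA, ANONCE, SNONCE, ccmp)["kck"]
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed RSN IE (CCMP/PSK)
    msg2 = bytearray(build_eapol_key_msg2(SNONCE, 1, rsn_ie, ccmp))
    msg2[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, msg2, ccmp)
    return bytes(msg2)


def ap_verifies(msg2: bytes, ap_passphrase: str, ssid: str = "CorpWLAN", ccmp: bool = True) -> bool:
    """AP side: derive the PTK from its own PMK plus the received SNonce and check the MIC.
    A matching MIC proves the client holds the same PMK without the PMK ever being sent."""
    snonce = msg2[17:49]
    kck = derive_ptk(passphrase_to_pmk(ap_passphrase, ssid), AA, SPA, ANONCE, snonce, ccmp)["kck"]
    return hmac.compare_digest(msg2[MIC_OFFSET:MIC_OFFSET + 16], eapol_mic(kck, msg2, ccmp))


def offline_guess(msg2: bytes, candidates, ssid: str = "CorpWLAN", ccmp: bool = True):
    """Why Personal mode is the weaker option: MACs, both nonces and the MIC are all visible on
    the air, so a captured handshake lets an attacker test passphrase guesses offline."""
    for guess in candidates:
        if ap_verifies(msg2, guess, ssid, ccmp):
            return guess
    return None


if __name__ == "__main__":
    m2 = client_message2("correct horse battery")
    print("AP accepts client MIC:", ap_verifies(m2, "correct horse battery"))
    print("AP with wrong PSK:", ap_verifies(m2, "wrong passphrase"))
    print("Offline guess:", offline_guess(m2, ["password1", "letmein", "correct horse battery"]))
```

Run it with python3 and no arguments. The IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE") is a convenient check that passphrase_to_pmk is right before trusting anything built on top of it; the same offline_guess loop is what dictionary tools run against a captured PSK handshake, which is the reason Enterprise mode, where the PMK never derives from a guessable string, is the stronger choice.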
[Figure 17-18 Configuring a WPA2 Policy]

Table 17-2 Key Topics for Chapter 17

Key Topic Item | Description | Page Number
Figure 17-1 | Client MFP in action | 333
Figure 17-2 | Configuring MFP | 333
Paragraph from the section "Preshared Key Authentication with Wired Equivalent Privacy" | Steps describing the WEP process | 334
Figure 17-5 | Configuring WEP | 337
Figure 17-12 | The EAP-TLS process | 342
Figure 17-13 | The EAP-FAST process | 344
Figure 17-14 | The PEAP process | 345
Figure 17-15 | The WPA process | 346
Figure 17-18 | Configuring WPA2 policy | 349

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 17-2 lists these key topics and the page number where each one can be found.

Complete the Tables and Lists from Memory

Print a copy of Appendix B, "Memory Tables" (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, "Memory Tables Answer Key," also on the CD, includes completed tables and lists to check your work.
Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

Management Frame Protection (MFP), Infrastructure MFP, Message Integrity Check (MIC), Frame Check Sequence (FCS), Client MFP, Initialization Vector (IV), supplicant, authentication server, authenticator, Extensible Authentication Protocol (EAP), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Extensible Authentication Protocol-Flexible Authentication via Secure Tunnel (EAP-FAST), Protected EAP (PEAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), Generic Token Card (GTC), Lightweight Extensible Authentication Protocol (LEAP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), Temporal Key Integrity Protocol (TKIP), Advanced Encryption Standard (AES), Pairwise Master Key (PMK), Pairwise Transient Key (PTK), Group Transient Key (GTK), Message Integrity Code (MIC), Group Master Key (GMK), Group Temporal Key (GTK)

References

Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example: http://tinyurl.com/5zbe2o