WLAN Infrastructure Monitoring and Supplicants

Workshop on Wireless
Belgrade - 12.09.2011
Wenche Backman-Kamila
CSC – Tieteen tietotekniikan keskus Oy
CSC – IT Center for Science Ltd.
Agenda
• Supplicants in general
– Windows 7 (manual and automatic configuration)
– NetworkManager and wpa_supplicant
– Mac
– Windows XP
• Monitoring
– Fixed part
– Wireless part
SUPPLICANTS
Why supplicants?
• eduroam is based on 802.1X
– 802.1X requires a supplicant on the client
• LOTS of different supplicants out there
– every OS has its own
– iPhone, Android, Nokia etc. have their own
– all differ, but the basic features are the same
• The bright side: configure only ONCE
– with web (captive portal) authentication the credentials must be re-entered at every login, and typed into a web page the user cannot tell apart from a rogue one
Supplicant details
• Basic features
– define the EAP method
• supported methods depend on the supplicant
– define the CA certificate and the server name
• with a self-signed server certificate that is distributed to the users, the supplicant trusts only that one certificate, so no server name check is required
– define the encryption: WPA2-AES, WPA-TKIP
– define user name and password
• user name including the realm, e.g. user@organisation.rs
• an anonymous (outer) identity may be supported
Supplicant best practices
• About certificates in PEAP and TTLS
– if self-signed certificate
• distribute it to your users over a channel they can trust (e.g. an HTTPS page or a signed installer), so that nobody can swap it on the way
– if public CA
• ensure that both the CA and the server name have been defined in the supplicant: anyone can buy a certificate from a public CA, so the CA alone does not identify your server
– if you use EAP-TLS the client authenticates with its own certificate and never sends a password, so a rogue server cannot harvest credentials; validating the server certificate is still good practice
• Anonymous identity
– use an anonymous outer identity such as anonymous@organisation.rs: the real user name then travels only inside the TLS tunnel to the home server, not in clear through the visited site and the federation proxies
– keep the realm in the outer identity, it is what routes the request to the home server
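The best practices above can be checked mechanically on the Linux side. The following Python lints a wpa_supplicant network block for eduroam: missing ca_cert, ca_cert without a server name check, missing or wrong anonymous identity, a user name without realm, and TKIP. It is an added example, not part of the original slides and not wpa_supplicant's own code; the two configs are constructed, the CA path and server name are placeholders, and domain_suffix_match needs wpa_supplicant 2.x (older versions use subject_match).

```python
"""Lint a wpa_supplicant eduroam network block against the supplicant best
practices: CA certificate, server name check, anonymous identity, realm in
the user name, no TKIP.

Added example, not part of the original slides or of wpa_supplicant.
WEAK and HARDENED below are constructed configs; the CA path and the
server name in HARDENED are placeholders."""
import re

# any one of these ties the trusted CA to your server's name
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_network_block(text):
    """Return {key: value} for the first network={...} block, quotes stripped.
    '#' comments are dropped; quoted values must not contain '#'."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def check_network_block(text):
    """Return [(code, message), ...]; an empty list means nothing to fix."""
    s = parse_network_block(text)
    findings = []
    identity = s.get("identity", "")
    if s.get("eap") in ("PEAP", "TTLS"):
        if "ca_cert" not in s:
            findings.append(("NO_CA", "no ca_cert: any RADIUS server can pose as the "
                             "home server and collect the MSCHAPv2 response "
                             "(crackable offline) or, with TTLS-PAP, the password"))
        elif not any(k in s for k in NAME_CHECKS):
            findings.append(("NO_SERVER_NAME", "ca_cert set but no server name check: "
                             "acceptable only if ca_cert is the server's own "
                             "self-signed certificate, never with a public CA"))
    if "@" not in identity:
        findings.append(("NO_REALM", "identity has no @realm: the request cannot "
                         "be routed home from a visited site"))
    if "anonymous_identity" not in s:
        findings.append(("NO_ANON_ID", "no anonymous_identity: the real user name "
                         "is sent in clear as the outer identity"))
    else:
        anon = s["anonymous_identity"]
        if anon.rpartition("@")[2] != identity.rpartition("@")[2]:
            findings.append(("ANON_REALM", "anonymous_identity realm differs from "
                             "the identity realm: routed to the wrong home server"))
        if anon.partition("@")[0] == identity.partition("@")[0]:
            findings.append(("ANON_LEAKS_USER", "anonymous_identity repeats the "
                             "real user name"))
    if "TKIP" in s.get("pairwise", ""):
        findings.append(("TKIP", "TKIP pairwise cipher allowed; use CCMP (WPA2-AES)"))
    return findings


# Constructed: the kind of block a user writes by hand from a quick how-to
WEAK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@organisation.rs"
    password="secret"
}
"""

# Constructed: the same block following the best practices
HARDENED = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # assumed CA file and server name, adjust for your site
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"
    domain_suffix_match="radius.organisation.rs"
    anonymous_identity="anonymous@organisation.rs"
    identity="alice@organisation.rs"
    password="secret"
}
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, [code for code, _ in check_network_block(cfg)])
```

The NO_SERVER_NAME finding deliberately does not try to tell a self-signed certificate from a public CA by looking at the config; the file does not carry that information, so the message states the only case in which the omission is acceptable.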
Supplicants and supported EAP methods

                                  PEAP-MSCHAPv2  TTLS-MSCHAPv2  TTLS-PAP  TLS
Windows XP/Vista/7                x                                       x
Network manager & wpa_supplicant  x              x              x         x
Mac                               x              x              x         x

(the native Windows supplicant has no TTLS; TTLS on Windows needs a third-party supplicant)
Windows 7 manually 1/3 to 3/3 (screenshots of the manual configuration steps)
Windows 7 – automatically
• Installer creates an XML file (a WLAN profile)
– the XML file is used to configure the settings, including CA and server name, so the user cannot get them wrong
– a profile XML can also be imported by hand with netsh wlan add profile filename=<file>
• User only inputs credentials
– installing requires admin rights
• Installer created with NSIS
• Win7 and Vista
(screenshots of the installer)
Network manager / wpa_supplicant (screenshots of the configuration dialog)
Mac supplicant 1/3 to 3/3 (screenshots of the configuration steps)
Windows XP
• Configuration video available at
http://cbt.geant2.net/repository/eduroam_supplicants/setting_up_eduroam_supplicants.html
MONITORING
Monitoring methods for authentication
Radius authentication
• radtest
– standard command, one of the FreeRADIUS utilities
– input: credentials, server name and shared secret
– requires a radius server (FreeRADIUS) installation on the monitoring host to carry out testing
– doesn't test EAP auth: it sends a plain Access-Request (PAP by default), so it shows that the server is up and the shared secret is right, not that the EAP path the users take works
EAP authentication
• eapol_test
– included in wpa_supplicant
– additional input compared to radtest: supported EAP methods (outer and inner) and the certificate
– does not require a radius server installation on the monitoring host
– imitates supplicant auth, so a broken certificate or inner method is detected
More on eapol_test
• http://deployingradius.com/scripts/eapol_test
• Example invocation; the -c file is a wpa_supplicant-style network block, -M the client MAC address to report, -A the monitoring host's own IP address:
eapol_test -c peap-mschapv2.conf -a <radius_server> -s <secret> -M 22:44:66:00:00:00 -A <monitor_server>
• check_eapauth
• rad_eap_test (http://www.eduroam.cz/rad_eap_test/), a shell wrapper around eapol_test
Monitoring authentication at campus
• Create a user name and password for monitoring purposes only
– the password sits in clear on the monitoring server, so use a dedicated account with no other rights
• Monitoring server
– radtest
– and/or eapol_test
• And additionally
– ping latency, packet loss and opening of SSH connections
Monitoring at federation level
• Monitoring hierarchy
– with monitoring credentials from each organisation
– results on web
– based on eapol_test
– e.g. checks every 10 minutes while OK
– every 3 minutes while a problem persists
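The eapol_test invocation shown earlier and the federation monitor's schedule can be put together in a few lines. The following Python is an added example, not part of the original slides and not eapol_test's or rad_eap_test's code: it builds the command line as an argv list (so the shared secret never passes through a shell), reduces eapol_test's verbose output to an ok/cert-verified/reason result, and picks the next interval, 10 minutes while OK and 3 minutes while failing. The server address 192.0.2.10, the secret, the config file name and the two sample outputs are constructed placeholders, and alerting after two consecutive failures is an assumption.

```python
"""eapol_test-based authentication monitor.

Added example, not part of the original slides or of eapol_test. Server
address, secret, config file name and the sample outputs are constructed;
the alert threshold is an assumption."""
import subprocess
import time

OK_INTERVAL = 600       # seconds between checks while authentication succeeds
PROBLEM_INTERVAL = 180  # seconds between checks once a failure has been seen


def eapol_test_argv(conf, server, secret, mac="22:44:66:00:00:00", client_ip=None):
    """argv for eapol_test with the options from the slide. A list, not a
    shell string, so the secret is never exposed to shell parsing."""
    argv = ["eapol_test", "-c", conf, "-a", server, "-s", secret, "-M", mac]
    if client_ip:
        argv += ["-A", client_ip]   # monitoring host's own IP address
    return argv


def parse_eapol_test(output, returncode):
    """Reduce eapol_test output to {ok, cert_verified, reason}.
    eapol_test ends with a line SUCCESS or FAILURE and exits 0 on success."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    verdict = lines[-1] if lines else ""
    ok = returncode == 0 and verdict == "SUCCESS"
    cert_ok = any("remote certificate verification (param=success)" in l for l in lines)
    reason = None
    if not ok:
        failures = [l for l in lines if "CTRL-EVENT-EAP-FAILURE" in l or "param=failure" in l]
        if failures:
            reason = failures[0]
        elif not lines:
            reason = "no output (timeout or server unreachable)"
        else:
            reason = "exit status %d, last line %r" % (returncode, verdict)
    return {"ok": ok, "cert_verified": cert_ok, "reason": reason}


def run_eapol_test(argv, timeout=30):
    """Run eapol_test and return the parsed result; never raises."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "cert_verified": False, "reason": "timeout"}
    except FileNotFoundError:
        return {"ok": False, "cert_verified": False, "reason": "eapol_test not installed"}
    return parse_eapol_test(p.stdout, p.returncode)


class Monitor:
    """Counts consecutive failures and chooses the next check interval like
    the federation monitor: 10 min while OK, 3 min while problems persist."""

    def __init__(self, alert_after=2):   # threshold is an assumption
        self.failures = 0
        self.alert_after = alert_after

    def record(self, result):
        self.failures = 0 if result["ok"] else self.failures + 1

    def interval(self):
        return OK_INTERVAL if self.failures == 0 else PROBLEM_INTERVAL

    def should_alert(self):
        return self.failures >= self.alert_after


# Constructed, trimmed sample outputs (real eapol_test output is much longer)
SAMPLE_OK = """EAP: Status notification: remote certificate verification (param=success)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
SUCCESS
"""
SAMPLE_FAIL = """EAP: Status notification: remote certificate verification (param=failure)
CTRL-EVENT-EAP-FAILURE EAP authentication failed
FAILURE
"""

if __name__ == "__main__":
    mon = Monitor()
    argv = eapol_test_argv("peap-mschapv2.conf", "192.0.2.10", "radius-secret",
                           client_ip="192.0.2.20")
    while True:
        r = run_eapol_test(argv)
        mon.record(r)
        print("ok" if r["ok"] else "FAIL: %s" % r["reason"], "next check in", mon.interval(), "s")
        if mon.should_alert():
            print("ALERT: %d consecutive failures" % mon.failures)
        time.sleep(mon.interval())
```

The cert_verified flag is reported separately from ok on purpose: a check that succeeds without the certificate verification line means the config under test trusts whatever the server presents, which is exactly the supplicant misconfiguration the monitor should not mirror.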
Monitoring the air interface
• Commercial products can be divided into
three groups:
– Products based on data from access points to
the controllers
– Products based on site survey
– Solutions covering both the fixed LAN network
and the air interface
Access point and controller data
• Cisco's WCS (Wireless Control System)
– control and monitor several controllers
– air interface data
• signal strength and noise levels
• channel allocation
• transmit power
• AirWave's Wireless Management Suite
– for multivendor environments
Site survey for monitoring
purposes
• Lots of alternatives
– Motorola’s AirDefense Mobile and
SiteScanner
– Airmagnet’s WiFi and VoFi Analyzers
– WildPackets’s OmniPeek
– Wireshark
– Wi-Spy
Both LAN and air interface
• Active measures
– attach
– authentication
– DHCP server
– HTTP and FTP upload and download
– VoIP test with MOS
• Passive measures
– signal strength and SNR
• Example: 7signal's Sapphire
Monitoring at campuses in Finland
• Access points are monitored
– all known APs connected to the controller
– APs correctly configured
– radios on
– users per AP
• Means for AP monitoring
– SSH script
– perl
– Airwave
References and contact info
• Main reference
– WLAN infrastructure BPD
• http://www.terena.org/campus-bp/bpd.html
• Other references
– Monitoring and ensuring WLAN performance
• http://www.terena.org/campus-bp/reports.html
• Wenche.Backman-Kamila@csc.fi