Method of identifying mobile devices
Srinivas Tenneti
Motivation for the problem
• Enterprises want to deploy a context-aware access control method.
[Figure: the dimensions of context: who (employee, contractor, guest), which device (mobile), how (Wi-Fi, 3G/4G), where (at work, at home), and when.]
• Context-aware access control grants policy to different resources based on the endpoint's type, location, identity, and the operating system or applications running on it.
• Traditional network access control methods granted access mainly on whether the device complied with the policy or not.
• Identifying the device and the user is critical for deploying a context-aware access control method.
TECHSEC-2010
14657_05_2008_c1
© 2009 Cisco Systems, Inc. All rights reserved.
Cisco Public
2
Network Access High Level Diagram
[Figure: a Data Center/Service Block hosting ACS, ISE, MDM, MSE 3300, Active Directory, CA Server and RSA Auth Mgr; campus switching (6K or 7K, 6K, 4K/4500, 3750-X, 3560-X); AP 1142 access points serving wireless end points; a Remote Worker reached across the WAN through a Linksys AP and an ISR 3945.]
Password based authentication
[Figure: challenge-response exchange between Alice and Bob, both holding the shared password]
Alice: I want to talk
Bob: Ok, what is your username
Alice: Here is my user name
Bob: Respond to the challenge K
Alice: Here is response = MD5(K)
Certificate only on the server
[Figure: exchange between Alice and Bob: Id request / Id response, challenge request / challenge response, then the encrypted tunnel is established]
Alice: I want to talk, my Id is "Alice"
Bob: Ok, this is my certificate
• The server Bob only presents its certificate.
• The secure tunnel is established by Bob without really knowing who Alice is.
• An attacker can waste resources on Bob by challenging with different IDs.
Certificates deployed on both Alice and Bob
[Figure: Alice: "I want to talk, here is my certificate"; Bob: "Ok, this is my certificate"; both authenticate each other]
• Both Alice and Bob authenticate each other using digital certificates.
• Digital certificates, once deployed, can be used for a wide variety of applications, for example SSL, IPsec, 802.1x, DNSSEC, and so on.
• This provides a high level of trust, but Bob does not know which device Alice is connecting with.
• Biometrics (voice, facial): the constraint is mainly on deploying to a large number of endpoints, and users' reluctance to use biometrics.
• Software or hardware tokens: these are based on symmetric cryptography. The problem is deploying to a large number of endpoints, and they still cannot identify the device the user is connecting with.
Solution to the problem
• Both the endpoints and the servers must use digital certificates.
• The digital certificate must contain the user information coupled with device-specific information.
• When the user presents the certificate, the authentication server can authenticate the user and also authorize based on the device-specific information.
• The device-specific information used is the UDID.
Properties of this solution
• Mutual authentication.
• Identification of the device and the user.
• Different access scenarios based on the device type.
• If a user leaves, or a device is compromised, the user and the device can be removed from the group.
Components involved in this solution
• PKI, digital certificates and enrollment of digital certificates.
• 802.1x protocol.
• EAP authentication methods.
• RADIUS protocol.
Extensible Authentication Protocol (EAP)
• Transports arbitrary authentication information in the form of EAP payloads
–Establishes and manages connections; allows authentication by encapsulating various types of authentication exchanges
• It is not an authentication mechanism itself
–Actual authentication mechanisms are called EAP methods
• EAP provides a flexible link layer security framework
–Simple encapsulation protocol; no dependency on IP
–Few link layer assumptions
•Can run over any link layer (PPP, 802, etc.)
•Assumes no reordering; can run over lossy or lossless media
• Defined by RFC 3748
EAPOL Frame Format
Frame layout: DST MAC | SRC MAC | Type | Protocol Version (1 byte) | Packet Type (1 byte) | Packet Length (2 bytes) | Packet Body (N bytes) | FCS
Packet Type: Packet Description
EAP Packet (0): Both the supplicant and the authenticator send this packet. Used during authentication; contains the EAP method information required to complete the authentication process.
EAPOL Start (1): Sent by the supplicant when it starts the authentication process.
EAPOL Logoff (2): Sent by the supplicant when it wants to terminate the 802.1X session.
EAPOL Key (3): Sent by the switch to the supplicant; contains a key used during TLS authentication.
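As an added example (not part of the deck), a Python decoder for the EAPOL header and the EAP header it carries, following the frame layout and packet types above. The two frames it decodes are constructed inline; the supplicant MAC and the identity "toby1" are sample values, and a frame whose declared length exceeds what was captured is rejected rather than parsed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination MAC for EAPOL frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

@dataclass
class Eapol:
    version: int
    ptype: str
    body: bytes
    eap: Optional[dict]      # decoded EAP header, only for EAP-Packet (type 0)

def parse_eapol(frame: bytes) -> Eapol:
    """Decode an Ethernet frame (FCS already stripped) carrying EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, version, ptype, length = struct.unpack("!12xHBBH", frame[:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    body = frame[18:18 + length]
    if len(body) < length:                 # declared length exceeds what was captured
        raise ValueError("EAPOL body truncated")
    eap = None
    if ptype == 0:
        if length < 4:
            raise ValueError("EAP-Packet without an EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= length:
            raise ValueError("EAP length field inconsistent with EAPOL length")
        eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": eap_len}
        if code in (1, 2):                 # Request/Response carry a Type byte and type data
            eap["type"] = body[4]
            eap["data"] = body[5:eap_len]
    return Eapol(version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"), body, eap)

def build_eapol(ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    src = bytes.fromhex("001122334455")   # constructed supplicant MAC
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body

def eap_identity_response(ident: int, identity: bytes) -> bytes:
    data = bytes([1]) + identity          # EAP Type 1 = Identity
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data   # Code 2 = Response

# constructed sample frames: the supplicant's EAPOL-Start and its EAP Identity response
START_FRAME = build_eapol(1)
IDENTITY_FRAME = build_eapol(0, eap_identity_response(1, b"toby1"))
```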
How Is RADIUS Used Here?
• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
• RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
[Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload]
• RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
[Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]
• Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580
• AV pairs: attribute-value pairs.
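As an added example (not from the deck), a Python builder and checker for the RADIUS Access-Request that carries an EAP payload as described above: the EAP packet is split into EAP-Message AV pairs and the packet is protected with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present. The shared secret, identifier and EAP payloads are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_VALUE = 253   # a RADIUS attribute is at most 255 bytes including its 2-byte header

def avp(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret: bytes, ident: int, username: bytes, eap: bytes,
                         authenticator: bytes = None) -> bytes:
    """Carry an EAP packet from the authenticator to the server as in RFC 3579."""
    authenticator = authenticator or os.urandom(16)       # Request Authenticator
    attrs = avp(ATTR_USER_NAME, username)
    # an EAP payload longer than 253 bytes is split across consecutive EAP-Message AVPs
    for i in range(0, len(eap), MAX_VALUE):
        attrs += avp(ATTR_EAP_MESSAGE, eap[i:i + MAX_VALUE])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac           # Message-Authenticator is the last attribute

def attributes(pkt: bytes):
    """Yield (type, value, offset) for each AVP; stops on a malformed length."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            break
        yield atype, pkt[pos + 2:pos + alen], pos
        pos += alen

def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server side: an Access-Request with EAP-Message but no valid
    Message-Authenticator must be silently discarded (RFC 3579)."""
    for atype, value, pos in attributes(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False

def reassemble_eap(pkt: bytes) -> bytes:
    """Concatenate the EAP-Message AVPs back into the original EAP packet."""
    return b"".join(v for t, v, _ in attributes(pkt) if t == ATTR_EAP_MESSAGE)
```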
CertificationRequestInfo ::= SEQUENCE {
     version       INTEGER { v1(0) } (v1,...),
     subject       Name,            -- subject name: could be a name, IP address or MAC address
     subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
     attributes    [0] Attributes{{ CRIAttributes }}
}

SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {
     algorithm        AlgorithmIdentifier {{IOSet}},
     subjectPublicKey BIT STRING
}

PKInfoAlgorithms ALGORITHM ::= {
     ... -- add any locally defined algorithms here -- }

Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}

CRIAttributes ATTRIBUTE ::= {
     ... -- add any locally defined attributes here -- }

Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
     type   ATTRIBUTE.&id({IOSet}),
     values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}

-- The requester signs the request with its private key
CertificationRequest ::= SIGNED { EncodedCertificationRequestInfo }
     (CONSTRAINED BY { -- Verify or sign encoded CertificationRequestInfo -- })

EncodedCertificationRequestInfo ::= TYPE-IDENTIFIER.&Type(CertificationRequestInfo)

SIGNED { ToBeSigned } ::= SEQUENCE {
     toBeSigned ToBeSigned,
     algorithm  AlgorithmIdentifier { {SignatureAlgorithms} },
     signature  BIT STRING
}
SCEP enrollment process
[Figure: sequence between the endpoint (SCEP client) and the SCEP server (CA server)]
1. The endpoint generates a private key.
2. The endpoint builds the x.509 request (PKCS#10).
3. The endpoint sends the SCEP request to the SCEP server.
4. The CA server generates the x.509 certificate.
5. The SCEP server sends the certificate to the endpoint.
6. The endpoint stores the certificate.
Enrolling Certs on Mobile devices
[Figure: mobile devices on the Internet enroll through a SCEP Proxy, which fronts the CA server on the campus.]
802.1X Port Access Control Model
Supplicant: desktop/laptop, IP phone, WLAN AP, switch
  -> Request for Service (Connectivity), Layer 2 ->
Authenticator: switch, router, WLAN AP
  -> Backend Authentication Support, Layer 3 ->
Authentication Server: IAS / NPS, ACS, any IETF RADIUS server
  -> Identity Store Integration ->
Identity Store/Management: MS Active Directory, LDAP, NDS, ODBC
802.1X Protocols
Supplicant <- EAP over LAN (EAPoL) / EAP over WLAN (EAPoW), Layer 2 -> Authenticator <- RADIUS, Layer 3 -> Authentication Server <- store dependent -> identity store
EAP itself runs between the supplicant and the authentication server.
High level exchange
[Figure: 802.1X between the supplicant (SSC) and the switch; RADIUS between the switch and the AAA server]
Port Unauthorized
Supplicant -> Switch: EAPOL-Start
Switch -> Supplicant: EAP-Identity-Request
Supplicant -> Switch: EAP-Identity-Response
Supplicant <-> Switch: EAP-Auth Exchange (EAP-method dependent); Switch <-> AAA Server: Auth Exchange w/AAA Server
AAA Server -> Switch: Auth Success & Policy Instructions
Switch -> Supplicant: EAP-Success
Port Authorized
Supplicant -> Switch: EAPOL-Logoff
Port Unauthorized
Actual authentication is between client and auth server using EAP. The switch is an EAP conduit, but aware of what's going on.
EAP-TLS Authentication
[Figure: Client (SSC), Authenticator, RADIUS Server and Certificate Authority]
Client -> Authenticator: Start
Authenticator -> Client: Request Identity
Client -> Authenticator -> RADIUS Server: Identity
RADIUS Server -> Authenticator -> Client: Server Certificate
Client -> Authenticator -> RADIUS Server: Client Certificate
Random Session Keys Generated (encrypted exchange)
Authenticator -> Client: Broadcast Key, Key Length. The AP sends the client the broadcast key, encrypted with the session key. Only for wireless today; wired in 802.1X-rev.
[Figure: campus CA server (1) and authentication server (2, 3); the certificate carries CN=mike and CN=UDID, and the server checks that both CNs match]
1. The mobile device joins the wireless network using EAP-TLS.
2. The mobile device presents the certificate.
3. The authentication server looks up the CN (e.g. mike) against the CA server. If successful, the device is authenticated.
4. The authentication server checks the UDID of the device against the authorization policy. If successful, the device is authorized on the network.
Removing a user from the group
• ISE periodically pulls the CRL information from the CA server.
• When a user needs to be removed, the certificate pertaining to the user is revoked.
• ISE checks the CRL and denies access to the user if the user's certificate is found in the CRL.
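As an added example (not from the deck or from ISE), a Python sketch of the authorization decision from the two slides above: the user CN and the UDID CN are pulled out of the certificate's DER-encoded subject Name, the certificate serial is checked against the pulled CRL, and the UDID is matched against a policy that binds it to the user and an access profile. The policy shape and the CRL-as-serial-set are assumptions; the subject Name and the UDID "udid-0001" are constructed with the small DER helper in the block.

```python
CN_OID = bytes.fromhex("550403")    # id-at-commonName, OID 2.5.4.3

def tlv(tag: int, body: bytes) -> bytes:   # DER tag-length-value, bodies up to 65535 bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def read_tlv(buf: bytes, pos: int):        # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln

def subject_cns(name_der: bytes) -> list:
    """All commonName values of a DER-encoded X.501 Name, in RDN order."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    cns, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)      # RelativeDistinguishedName: SET OF
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)       # AttributeTypeAndValue: SEQUENCE { OID, value }
            _, oid, q = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, q)
            if oid == CN_OID:
                cns.append(val.decode("utf-8"))
    return cns

def authorize(serial: int, name_der: bytes, policy: dict, revoked: set) -> str:
    # order as on the slides: revocation first, then user CN, then UDID CN against policy
    if serial in revoked:
        return "deny: certificate revoked"
    cns = subject_cns(name_der)
    if len(cns) != 2:
        return "deny: expected a user CN and a UDID CN"
    user, udid = cns
    entry = policy.get(udid)
    if entry is None or entry["user"] != user:
        return "deny: device not enrolled for this user"
    return "permit: " + entry["access"]

def rdn_cn(value: str) -> bytes:             # builds one CN RDN for the constructed sample
    return tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, value.encode())))
# constructed sample: user 'mike' enrolled on a device whose UDID is 'udid-0001'
POLICY = {"udid-0001": {"user": "mike", "access": "employee-full"}}
MIKE_SUBJECT = tlv(0x30, rdn_cn("mike") + rdn_cn("udid-0001"))
```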
[Packet capture screenshots of the EAP-TLS exchange, one step per slide:]
1. EAP request: EAPOL-Start request from the device.
2. Switch requests the identity from the device (Request Identity).
3. Host responds with its identity: Username = toby1.
4. Switch asks for the client certificate: Start EAP-TLS.
5. Server initiates the SSL session (SSL session starts).
6. Server sends its certificate to the client.
7. Endpoint sends its certificate (Client sends certificate).
8. RADIUS access-req carrying the username.
9. RADIUS accept.
10. Encrypted handshake message.
• The remote endpoint is forced to reveal its identity without knowing the identity of the server.
• In the test scenario the SSL Server Hello Done message is 2546 bytes long and is delivered in 3 EAP fragments.
• 802.1x for wired users does not support encryption.
• A Pairing Based Handshake (PBH) can be used to avoid revealing the identity of the client when initiating the request.
• The IDA of the user can be a combination of (UDID + MAC + serial number of the device).
• The Wireless LAN controller or the access layer switch can directly authenticate the user instead of passing it to the RADIUS server.
• Identity of the device and the user is critical in building strong authentication.
• The existing methods of biometrics or one-time passwords are difficult to deploy for a large number of end points.
• Digital certificates with the device information can identify the device and the user.
• Digital certificates can solve the problem today, but in future different pairing based handshakes can make the authentication more efficient.