CISCO CCNP ONT EXAM STUDY NOTES: 802.1x, Encryption and Authentication - EAP-FAST

Tuesday, 15 April 2008

802.1x, Encryption and Authentication - EAP-FAST

Extensible Authentication Protocol - Flexible Authentication via Secure Tunnelling (EAP-FAST) developed by Cisco, submitted to IETF.

+ LEAP uses strong passwords, but LEAP-FAST supports single sign-on for Windows
+ Doesn't use certificates
+ Supported on Windows
+ Full support for 802.1x, AES, 802.11i and TKIP
+ Supports WPA/2 authenticated key management on Win2k/XP
+ Supports roaming and centralised key management CCKM using Wireless Domain Services
+ Supports password expiration/change

PHASE0 (provision PAC) - client dynamically provisioned a Protected Access Credential (PAC) via a secure tunnel
PHASE1 (establish secure tunnel) - Client and AAA server such as ACS authenticate each other and establish secure tunnel
PHASE2 (client authentication) - Client sends it's credentials to the radius server, the radius server authenticates and establishes a client authorisation policy.

A wireless client can only transmit EAP until authenticated by AAA, client sends EAP over LAN (EAPOL) start frame to the AP, the AP sends a request/identify to the client. The client sends it's network identifier NAI to the AP, which the AP sends to the radius server.

The client and server perform mutual authentication (phase 1/2) and the RADIUS server sends a session key to the AP in a success packet. The client/server then negotiate a session key, the client and AP use the key during the session. When the session completes an EAPOL logoff packet is sent to the AP.

No comments:

Subscribe to: Post Comments (Atom)

KEY POINTS - WLAN Management

Unified Wireless Network Elements:
Client Devices: PC/Phones Cisco Compatible Extensions
Mobility Platform: Indoor or outdoor access points, autonomous or lightweight (communicating with LWAPP)
Network Unification: Wireless LAN Controllers (WLC) RF/configuration management, IPS
World-class Network Management: Wireless Control System (WCS) for LWAP, WLSE for autonomous, design/control/monitoring.

Autonomous AP: individual configuration, independant, management via WLSE and WDS

Lightweight AP: Configuration via WLC, dependant on WLC, management via WCS.

WLSE: for autonomous APs, supports 2500 APs, bulk configuration changes, wireless IDS, simple AP deployment, RF visibility, RF management. Self healing, auto re-site survey.

WLSE Express: for SME, 100 devices only, includes AAA, IDS, auto/manual setup modes.

WCS: Solution for LWAP, IDS, config/RF management, 50 controllers, 1500 APs. Initial CLI config, then HTTPS interface, SNMP v.1/2/3 for communication with controllers, windows/linux OS,
WCS base: informs of AP client is associated to
WCS location: RF finger printing, accurate to 10m,
WCS location + 2700 appliance: real-time tracking of thousands of clients, inventory management, historical info.

Clients tracked using LWAP, RSSI info sent to controller, then to location appliance using SNMP. Rogue AP location, alarms, and shut down.

KEY POINTS - Wireless Encryption and Security

Wireless Security Issues:
- Reliance on SSID as a security feature
- Vulnerable to rogue APs
- Reliance on MAC address filters

WEP:
- WEP keys hard to distribute
- WEP vulnerable to dictionary attacks
- WEP keys can be easily cracked

WPA:
Wifi Alliance, uses 802.1x or PSK, TKIP encryption and MIC for message intergrity, Initialisation Vector Space Expansion for per-packet keying. Issues include reliance on RC4, software update, DOS attacks shutting down SSID

WPA2 (802.11i):
Wifi Alliance, interoperable with 802.11i, encryption using AES, 802.1x authentication, proactive key caching, IDS (detect rogue APs, manage RF interference, enforce security)

WPA/WPA2 Features:
Enterprise or personal mode, both support PSK, or 802.1x/EAP. WPA uses TKIP/MIC encryption, WPA2 uses AES/CCMP encryption. Hardware upgrade may be required, RADIUS server must support EAP.

Features of 801.1x/EAP:
- Use of centralised AAA thru RADIUS
- Both client and server authenticated
- Use of mutliple encryption almorithms (AES/TKIP/WPA/WEP)
- Dynamic WEP keys
- Roaming

LEAP: Cisco, single login, roaming, multiple OS

EAP-FAST: IETF, single login, roaming with WDS, multiple OS, passwd expiry and change, support for 802.11i/x, TKIP, AES

EAP-TLS: IETF, client/server certificates, uses PKI, mutliple clients, single login

PEAP: Cisco/MS/RSA, server only certificate (PKI), authentication with EAP-MSCAPv2 (supports single login) for MS user databased, or EAP-GTC for generic databases such as LDAP

KEY POINTS - Congestion Avoidance

Tail Drops:
When software buffer is full
Congestion avoidance aims to minimise tail-drop
Effects of tail-drop are TCP Global Syncronisation, TCP Starvation.

TCP Global Syncronisation:
Packets from multiple flows are dropped, window size fluctuates

TCP Starvation:
- UDP traffic which doesn't utilise windowing fills up buffers when TCP window size is small.

RED: Packets dropped at random before queue is full, only effective on TCP, configure high/low threshold and MDP.

WRED:Distinguishes between priority of traffic based on IPP/DSCP

CBWRED: Profiling of traffic based on class-maps, rather than enabling at interface level. Do not apply on LLQ.

Traffic Shaping: Slow down rate of traffic by buffering, only in outbound direction, responds to network conditions/signals, detection using class-maps.

Traffic Policing: Drops packets to ensure specific traffic rate, appliable in/outbound, able to remark traffic, detection using class-maps

Payload Compression: IOS supports stacker/predictor/MPPC. Compresses data in frames, enabled link-by-link

Header Compression: Doesn't compress payload, enabled link-by-link, removes headers on all packets in a flow after initial packet. Calculates hash.

Fragmentation/Interleaving: Prevents small low-delay packets from being queued behind large low priority packets.

KEY POINTS - Congestion Management & Queuing

FIFO (First In First Out): Single queue, no configuration, no priority, adequate on high bandwith links, VoIP may be stuck behind bulk data. Default on interfaces larger than E1.

PQ (Priority Queuing): Four queues, configuration with access-lists, traffic assigned to priority queues, no lower priority packets sent until higher priority queues empty.

RR (Round Robin): Multiple queues, no priority, one packet processed in each queue, large packets could potentially starve other queues

WRR (Weighted Round Robin): Same as RR but it is possible to weight queues, Custom Queuing is a form of WRR, where by specific number of bytes can be processed before moving to next queue

WFQ (Weighted Fair Queuing): Default on interfaces smaller than E1. Method used by LLQ/CBWFQ. Flows identified using number of features, queue created for each traffic flow.
-'Agressive Dropping' -any packets that exceed threshold dropped, unless the destination queue is empy
-'Early Dropping' - Each queue has Congestion Discard Threshold, packets exceeding will be dropped on a per-queue basis, exception is if queue has a packet with higher seq. number, this packet would be dropped instead.
-WFQ is configured using 'fair-queue' command

CBWFQ (Class Based Weighted Fair Queuing): Uses same principle as WFQ but uses flexible class-maps to identify flows. Queues created on a class-map basis, up to 64 queues. Default class always exists, packets not matching user-defined maps will fall into default. Default class can use FIFO or WFQ. No strict priority queuing possible for delay sensitive packets.

LLQ (Low Latency Queuing): Based on CBWFQ, but has additional ability to create strict priority queuing for delay sensitive packets. 'Priority priority_value' command used to define a class-map as strict priority queue. Important to police SPQ to prevent starvation of other queues.

KEY POINTS - QoS Classification and Marking

Layer2
Ethernet 802.1q, VLAN tag priority, 802.1p field, 3bits
Frame-relay DE discard eligable, on or off
ATM CPE, candidate for drops, on or off
MPLS EXP field, three significant bits from ToS, or manually specified

Layer3
ToS field in IP header, 8 bytes
ToS field containing: IPP old, unsophisticated only 3 bits
ToS field containing: DSCP new, sophisticated 6bits
DSCP/IPP backwards compatible
DSCP Assured forwarding (AF), 4 equal queues, 3 drop levels, guaranteed service
DSCP Expidited forwarding (EF), 1 queue, low delay/jitter

KEY POINTS - Cisco VoIP Implementation

Analogue Interfaces: FXO (PSTN/CO Switch), FXS (phone/modem/fax), E&M (PSTN-PSTN).

Digital Interfaces: PRI (e1 -30 channels/t1 -23 channels)/BRI (2 channels)

Analogue to digital conversion:
1. Sampling - capture and record voice
2. Quantization - assign 8bit numeric value based on voltage
3. Encoding - represent numeric values as binary
4. Compress - reduce bit rate (often less samples/sec)

Pulse Code Modulation (PCM):
8000 samples/sec * 8bit binary value based on voltage = bit rate 640000bits/sec (64Kb/sec). Uncompressed digital voice, can be transmitted in a single e1 channel.

cRTP - RTP header compression: beneficial on links less than 2mb/sec.

Fragmentation: Prevents small VoIP packets being queued behind large data packets. Reduces MTU to set size for all packets.

VAD: Prevents voice packets being transmitted during silence, substantial savings.