SlideShare a Scribd company logo

EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods - Networkshop44

Download as PPT, PDF
Jisc
Jisc

EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods

Education
1 of 28
ENHANCEMENTS IN FREERADIUS 3.0.0- 3.2.0 EAP-TLS THE ROLLS-ROYCE OF EAP METHODS NWS
We are the FreeRADIUS experts.
INTRODUCTION WHATIS FREERADIUS ▸ The world's most widely deployed Open Source RADIUS server. ▸ Glues AAA services to backends e.g. 802.1X/EAP to Active Directory. ▸ Routes AAA authentication sessions between members of federations like Eduroam. ▸ Adds intelligence to dumb protocols, using flexible policies. http://freeradius.surge.sh
INTRODUCTION WHOAMI ▸ Arran Cudbard-Bell (@arr2036) ▸ FreeRADIUS Core Developer ▸ Mercenary at Network RADIUS ▸ Director RM-RF LTD ▸ IETF Note Taker (RADEXT) ▸ Janet 802.1X SIG member
INTRODUCTION TOPICS ▸ PEAP - The Ford Pinto of EAP methods. ▸ EAP-TLS - The Rolls-Royce of EAP methods. ▸ What's new in v3.0.x/v3.2.0.
PART 1
PEAP - THE FORD PINTO OF EAP METHODS WHY IS PEAP INSECURE? ▸ MSCHAPv2 is broken, must be wrapped in TLS. ▸ TLS only protects data if peer is not evil. ▸ Ensuring peer is not evil requires a trust relationship. ▸ Trust relationship during bootstrap requires PKI savvy users. ▸ Users are not PKI savvy.
PEAP - THE FORD PINTO OF EAP METHODS NOT NEWS ▸ Presented at Defcon 20 (2012) by David Hulton. ▸ 16 byte MD4 hash is as good as Cleartext for MSCHAPv2 (only thing the server knows). ▸ We know the ChallengeHash, need to guess the 3 * 7 bytes NT HASH fragments used as DES keys. ▸ That's a 2138 bit keyspace! Eeek! ▸ Wait... 21 != 16 (the other five are zeros)... so that's only two DES keys we need to find! ▸ ...and the cipher key is the same for all DES operations, so we can brute force all keys simultaneously. ▸ Which gives us a 256 bit keyspace, which can be broken by online DES cracking services in < 24 hours. Images by Moxie Marlinspike - Divide and Conquer: Cracking MSCHAPv2 with a 100% success rate Retrieved from https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
PEAP - THE FORD PINTO OF EAP METHODS NOT JUST PEAP ▸ Anything that relies on MSCHAPv2 for confidentiality is broken e.g. LEAP ▸ Any insecure inner method that relies on TLS for confidentiality is also broken. e.g. ▸ EAP-TTLS-PAP ▸ EAP-TTLS-MSCHAPv2 ▸ EAP-TTLS-GTC ▸ PEAPv1-GTC ▸ For OSX, IOS, and Windows > 8, it's possible to request TTLS- EAP-GTC or TTLS-PAP and get the cleartext password. ▸ Attacks can be made more convincing by generating certificates on the fly, from the NAI in the identity response.
PEAP - THE FORD PINTO OF EAP METHODS FAILURE OF THE DUCK TEST ▸ Only method of authenticating wireless network is SSID (which isn't really authentication). ▸ Only method of authenticating EAP server is by presented certificate (fingerprint, CN and signing CA). ▸ Supplicants give users too much and too little power.
PEAP - THE FORD PINTO OF EAP METHODS FOXING FERRETS ON OSX EL- CAPITAN ▸ IOS/OSX supplicants prompt for User-Name/Password before negotiating the EAP method. ▸ No option to select personal certificate. ▸ No option to manually configure supplicant profiles. ▸ Only CN of certificate shown in UI (can expand to see full details) ▸ Trivial to click past certificate verification dialogues, but you at least need to be able to change trust preferences. ▸ When TTLS is requested, supplicant will send EAP-Identity and trigger EAP negotiation, allowing negotiation of EAP-GTC. ▸ Unless network/supplicant settings were defined by a profile, cached credentials will be re-used on networks with the same name, but presenting a different cert.
PEAP - THE FORD PINTO OF EAP METHODS WAYLAYING WEASELS ON WINDOWS 10 ▸ For unknown networks Windows 10 supplicants auto discover WPA-Enterprise, and prompt for User-Name/Password even before negotiating the EAP method. ▸ No way to see certificate CN or issuer, only available detail is fingerprint. ▸ When TTLS is requested, supplicant will perform EAP-TTLS-PAP by default. Can't negotiate EAP unless explicitly configured. ▸ Does allow manual configuration of supplicant, but exceedingly well hidden.
PEAP - THE FORD PINTO OF EAP METHODS PREVENTING MISIDENTIFICATION OF WATERFOWL ▸ Eduroam sites ▸ Transition to EAP-TLS (please?). ▸ Consider deploying Eduroam CAT or similar. ▸ Adopt HotSpot 2.0 R2. Register interest in OSU (Online Signup Server) certs provided by central authority (GÉ ANT/Jisc). ▸ Pre/post-flight checks (verify supplicants behave correctly). ▸ OS/supplicant vendors ▸ Should never involve users in PKI validity checks. ▸ Failing that - Cert fingerprint MUST be consistent when re-using cached credentials for AD-Hoc 802.1X profiles. ▸ IETF/standards bodies ▸ Define strongly worded guidelines for supplicant implementors (http://geant3plus.archive.geant.net/Resources/Open_Call_deliverables/Documents/SENSE_fin al_report.pdf)
EAP-TLS - THE ROLLS-ROYCE OF EAP METHODS WHY MOVE TO EAP-TLS? ▸ Extremely secure - Reduces chance of user's credentials being exposed. ▸ Efficient - Almost half the round trips compared to PEAP. ▸ Robust - No need to query external oracle (AD, LDAP, SQL) for authenticating users. ▸ Scales horizontally. ▸ Well supported - Windows, OSX, IOS, Android, Even HP printers (and better supported in future with over the air certificate deployment). ▸ Should allow for proper 2FA (in future). Linux (wpa_supplicant) already supports client certs for PEAP/TTLS. Feature request made to Microsoft. ▸ PEAP-EAP-TLS allows for identity privacy (and SoH).
EAP-TLS - THE ROLLS-ROYCE OF EAP METHODS EAP-TLS PKI WHAT ARE THE OPTIONS? ▸ Two established commercial solutions for managing client PKI ▸ Cloudpath ▸ Clearpass (FreeRADIUS FTW!) ▸ EST (Enrolment Over Secure Transport) RFC 7030 - Fairly simple to integrate, but only reference implementations available. ▸ SCEP (Secure Certificate Enrolment Protocol) now revived as https://tools.ietf.org/html/draft-gutmann-scep-02. ▸ Many implementations OpenSCEP, EJCBA and Dogtag most well known. ▸ Good support from Apple (iOS/OSX) they provide full reference code for Ruby based SCEP server. ▸ Eduroam CAT - Local PKI (as in local to the CAT server) on roadmap, considering RFC 7030/SCEP support.
PART 2
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.0.X 1. RADSEC (RADIUS over TLS) + DTLS. 2. Password change support (MSCHAPv2). 3. Connection pools and connection pool sharing. 4. Proper regular expressions (libpcre) + Pre-Compilation + named captures groups + 32 numbered capture groups for all regex flavours. 5. Tests, tests and more tests (Policy language, modules etc...). 6. COLOURS (Colourised log output for errors/warnings/info). 7. IP address comparisons e.g. "<cidr>127.0.0.1 < 12.0.0.0/24". 8. 64Bit Integers and IP prefix types. 9. SNMP Traps 10. Multivalued comparisons e.g. if (&Groups[*] == &User-Name) shinyhead:freeradius-server-fork arr2036$ make test UNIT-TEST base.dict UNIT-TEST rfc.txt UNIT-TEST errors.txt UNIT-TEST extended.txt UNIT-TEST lucent.txt UNIT-TEST wimax.txt UNIT-TEST escape.txt UNIT-TEST condition.txt UNIT-TEST xlat.txt UNIT-TEST vendor.txt UNIT-TEST dhcp.txt ... EAPOL_TEST gtc EAPOL_TEST leap EAPOL_TEST md5 EAPOL_TEST mschapv2 EAPOL_TEST peap-client-mschapv2 EAPOL_TEST peap-eap-gtc EAPOL_TEST peap-mschapv2 EAPOL_TEST pwd EAPOL_TEST tls EAPOL_TEST ttls-chap EAPOL_TEST ttls-client-eap-mschapv2 EAPOL_TEST ttls-client-eap-tls EAPOL_TEST ttls-eap-gtc EAPOL_TEST ttls-eap-mschapv2 EAPOL_TEST ttls-mschapv2 EAPOL_TEST ttls-pap
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.0.X CONT... 11. LDAP Group caching. 12. LDAP Dynamic clients. 13. REST API client. 14. Arbitrary client attributes. 15. SHA2 support. 16. Significantly improved detail reader performance (200%). 17. Shared cache support (currently memcached, Redis). 18. Startup checks for xlat and unlang syntax. 19. Pre-compilation of regular expressions 20. Functional user specific debugging (0) ldap : Waiting for search result... (0) ldap : User object found at DN "cn=test.example,ou=staff,ou=people,o=freeradius" (0) ldap : No cacheable group memberships found in user object (0) ldap : expand: '(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))' -> '(&(objectClass=groupOfNames) (member=cn3dtest.example2cou3dstaff2cou3dpeople2co3dfreeradius))' (0) ldap : expand: 'ou=groups,ou=role,o=freeradius' -> 'ou=groups,ou=role,o=freeradius' (0) ldap : Performing search in 'ou=groups,ou=role,o=freeradius' with filter '(&(objectClass=groupOfNames) (member=cn3dtest.example2cou3dstaff2cou3dpeople2co3dfreeradius))' (0) ldap : Waiting for search result... (0) ldap : Added Ldap-Group with value "adminNet" to control list (0) ldap : Added Ldap-Group with value "adminSplunk" to control list (0) ldap : Added Ldap-Group with value "adminCacti" to control list (0) ldap : Added Ldap-Group with value "adminTomcat" to control list (0) ldap : Added Ldap-Group with value "adminAlumni" to control list
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.0.X - TRUST ROUTER ▸ Next generation trust/ introduction service developed as part of the Moonshot project (now the Assent service). ▸ Allows COIs (Communities Of Interest) to operate across multiple federations. ▸ X509v3 could technically achieve the same trust relationships. But admin would be extremely difficult. ▸ Trust router implements two services ▸ Trust router protocol - Distributes information about available IdPs (Identity providers) and the realms they serve to members of a COI. ▸ Trust path query/Temporary ID protocol. Allows service provider (SP) to retrieve a TID (Temporary ID) for communicating with IdP. ▸ TIDs allow for lower latency, higher reliability, communication between SPs and IdPs. https://wiki.moonshot.ja.net/display/Moonshot/The+Architecture+and+Protocol+Flows+of+Moonshot
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.0.X - TRUST ROUTER (THE FREERADIUS BIT) ▸ SP - On call to rlm_realm, on discovering an unknown realm (or realm which requires update). ▸ Queries local TR for IdP information and TID, providing DH Params (first half of DH exchange). ▸ If positive response - retrieves list of IdP servers, the DH exchange completed for each IdP (second half of DH exchange). Computes symmetric keys for each home server. ▸ Creates/Inserts new realm entry with realm->pool->home_server structures. ▸ Establishes outbound TCP connection to IdP. ▸ Performs TLS-PSK handshake, with the key identifier (unique ID for the temporary credentials), and computed PSK. ▸ IdP - On request from INADDR_ANY client ▸ Uses key identity from TLS-PSK to query TR to get previously generated PSK.
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHY IS FREERADIUS A GOOD CANDIDATE FOR TRUST ROUTER INTEGRATION? ▸ FreeRADIUS already had support for RADSEC. ▸ Fairly minor modifications needed. ▸ Pluggable architecture, easy to accommodate changes or enhancements to Trust Router. ▸ Dynamic debugging (watch live authentications). ▸ Scalable - 30,000 PPS when proxying on modest hardware.
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.2.X 1. Redis 3.0.x cluster support. 2. High performance > (10,000 alloc/s per cluster node) Redis IPv4/IPv6 allocation. 3. Significantly improved EAP debugging + Improved EAP performance 4. Certificateless EAP-TLS (like HTTPS). 5. DHCPv4 'just works' (improved auto- discovery of interface configuration). (11) } # if (!&Stripped-User-Domain || (&Stripped-User-Domain == '')) (noop) (11) if (&Stripped-User-Name == 'peap') { (11) ... (11) } (11) eap - Peer sent EAP Response (code 2) ID 3 length 13 (11) eap - Continuing tunnel setup (11) eap (ok) (11) if (EAP-Type == Identity) { (11) ... (11) } (11) } # authorize (ok) (11) Using 'Auth-Type = eap' for authenticate {...} (11) Running Auth-Type eap from file /usr/local/freeradius/etc/raddb/sites-enabled/default (11) authenticate { (11) eap - Peer sent packet with EAP method TTLS (21) (11) eap - Calling submodule eap_ttls to process data (11) eap_ttls - Authenticate (11) eap_ttls - Continuing EAP-TLS (11) eap_ttls - Got complete TLS record (7 bytes) (11) eap_ttls - [eap-tls verify] = ok (11) eap_ttls - <<< recv alert [length 2], fatal unknown_ca (11) eap_ttls - ERROR: Client sent fatal TLS alert: unknown CA (11) eap_ttls - ERROR: Verify client has copy of CA certificate, and trusts CA (11) eap_ttls - ERROR: accept: Handshake exit state "SSLv3 read client key exchange A" (11) eap_ttls - ERROR: Failed in SSL_read (11) eap_ttls - ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (11) eap_ttls - ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (11) eap_ttls - ERROR: System call (I/O) error (-1) (11) eap_ttls - ERROR: TLS receive handshake failed during operation (11) eap_ttls - ERROR: [eap-tls process] = fail (11) eap - ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (11) eap - Sending EAP Failure (code 4) ID 3 length 4 (11) eap (invalid) (11) } # authenticate (invalid) (11) Failed to authenticate the user (11) Using Post-Auth-Type Reject (11) Post-Auth-Type sub-section not found. Ignoring. (11) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (11) Sending delayed response (11) Sent Access-Reject Id 3 from 127.0.0.1:1812 to 127.0.0.1:63382 via lo0 length 44 (11) EAP-Message = 0x04030004 (11) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.2.X CONT... 6. Infinitely nested TLV support. 7. SNMP support (will also work over proxy chains). Translates OIDs into TLV structures in FR extended dictionary space. Calls client using Net- SNMP pass persist. 8. libwbclient support (30% performance improvement over ntlm_auth for Active Directory authentication). 9. map { } syntax to support retrieving multiple values per query from LDAP and SQL. 10. JSON parsing and simple query syntax map sql "SELECT group, reply_message FROM users WHERE user = '%{User-Name}'" { &control:Group := 'group' &reply:Reply-Message := 'reply_message' } map json "%{rest:http://www.example.org/user/%{User-Name}" { &control:Group := 'user.group' &reply:Reply-Message := 'user.message' } radsnmp (debug): read: get radsnmp (debug): read: .1.3.6.1.2.1.67.1.1.1.1.1.0 Sent Status-Server Id 3 from (null):0 to 127.0.0.1:1812 length 78 Radius-Auth-Serv-Ident = "000" FreeRADIUS-SNMP-Operation = get Message-Authenticator = 0x00 Received Access-Accept Id 3 from 127.0.0.1:1812 to 127.0.0.1:49548 via (null) length 75 Radius-Auth-Serv-Ident = "FreeRADIUS 3.1.0" FreeRADIUS-SNMP-Type = string radsnmp (debug): said: 1.3.6.1.2.1.67.1.1.1.1.1 radsnmp (debug): said: string radsnmp (debug): said: FreeRADIUS 3.1.0 radsnmp (debug): Returned 1 varbind responses
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.2.0 - DISTRIBUTED SESSION RESUMPTION ▸ Server side session resumption part of the TLS standard (not an extension). Not RFC 5077. ▸ Hashes MSK (Master session key) from previous session with random data from client + server to generate new MSK. ▸ Hashing cheap compared to performing full RSA calculations to generate keying material for MSK. ▸ Real wall clock saving comes from not having to exchange big certificate chains. ▸ With PEAP/TTLS, resuming a session allows you to skip the inner method (no hits on AD or LDAP).
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 ▸ 2 fragments per client/server certificate chain. ▸ Real world Time To Completion (TTC) assumes 50ms credential lookup (where relevant) + 40ms Round Trip Time (RTT). ▸ Session blobs 138b EAP-TTLS-PAP ▸ Session blobs 1863b EAP-TLS.
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WASN'T THIS AVAILABLE BEFORE? ▸ Yes we've supported this for a while... ▸ The innovation is exporting the opaque session blob as an attribute. ▸ Couldn't be done in v2.x.x because max value length was 253 bytes. ▸ Couldn't be done usefully (between multiple servers) in v3.0.x because no shared cache module. ▸ Finally in v3.2.0 we have all the components needed to support this properly, including a new &session-state: list to simplify re-authorization.
ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 FUTURE LOOKING STATEMENTS ▸Should become a generic platform for implementing network protocols, with re-useable and flexible policy logic. ▸Move to asynchronous I/O. ▸Process has begun - Iterative (as opposed to recursive) interpreter for unlang introduced in v3.1.x ▸Diversified protocol support ▸New internal 'proto' API introduced in v3.1.x, should allow for: ▸DHCPv6. ▸Diameter. ▸maybe ANQP (when someone creates a standard for transporting it over IP). ▸SQL statement caching. ▸Better interpreted language support.
?

Recommended

NFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesNFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesCumulus Networks
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
IPv6 strategy for deployment at ETH Switzerland
IPv6 strategy for deployment at ETH SwitzerlandIPv6 strategy for deployment at ETH Switzerland
IPv6 strategy for deployment at ETH SwitzerlandSwiss IPv6 Council
 
Morphology of Modern Data Center Networks - YaC 2013
Morphology of Modern Data Center Networks - YaC 2013Morphology of Modern Data Center Networks - YaC 2013
Morphology of Modern Data Center Networks - YaC 2013Cumulus Networks
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
Operationalizing BGP in the SDDC
Operationalizing BGP in the SDDCOperationalizing BGP in the SDDC
Operationalizing BGP in the SDDCCumulus Networks
 
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungIPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungSwiss IPv6 Council
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und HackingSwiss IPv6 Council
 

Recommended

NFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesNFD9 - Dinesh Dutt, Data Center Architectures
NFD9 - Dinesh Dutt, Data Center ArchitecturesCumulus Networks
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
IPv6 strategy for deployment at ETH Switzerland
IPv6 strategy for deployment at ETH SwitzerlandIPv6 strategy for deployment at ETH Switzerland
IPv6 strategy for deployment at ETH SwitzerlandSwiss IPv6 Council
 
Morphology of Modern Data Center Networks - YaC 2013
Morphology of Modern Data Center Networks - YaC 2013Morphology of Modern Data Center Networks - YaC 2013
Morphology of Modern Data Center Networks - YaC 2013Cumulus Networks
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
Operationalizing BGP in the SDDC
Operationalizing BGP in the SDDCOperationalizing BGP in the SDDC
Operationalizing BGP in the SDDCCumulus Networks
 
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungIPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungSwiss IPv6 Council
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und HackingSwiss IPv6 Council
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStackVietnam Open Infrastructure User Group
 
Demystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the HostDemystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the HostCumulus Networks
 
Vandyke SecureCRT tips and tricks
Vandyke SecureCRT tips and tricksVandyke SecureCRT tips and tricks
Vandyke SecureCRT tips and tricksBasim Aly (JNCIP-SP, JNCIP-ENT)
 
SDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + QuantumSDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + QuantumThe Linux Foundation
 
IPv6 at CSCS
IPv6 at CSCSIPv6 at CSCS
IPv6 at CSCSSwiss IPv6 Council
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Cumulus Networks
 
Linux networking is Awesome!
Linux networking is Awesome!Linux networking is Awesome!
Linux networking is Awesome!Cumulus Networks
 
Network Architecture for Containers
Network Architecture for ContainersNetwork Architecture for Containers
Network Architecture for ContainersCumulus Networks
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Cumulus Linux 2.5 Overview
Cumulus Linux 2.5 OverviewCumulus Linux 2.5 Overview
Cumulus Linux 2.5 OverviewCumulus Networks
 
Swisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwiss IPv6 Council
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksSkeeve Stevens
 
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...VirtualTech Japan Inc.
 
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...Cloud Native Day Tel Aviv
 
Manage your switches like servers
Manage your switches like serversManage your switches like servers
Manage your switches like serversCumulus Networks
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFVBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Dreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scaleDreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scaleCumulus Networks
 
OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6Shixiong Shang
 
Service Function Chaining in Openstack Neutron
Service Function Chaining in Openstack NeutronService Function Chaining in Openstack Neutron
Service Function Chaining in Openstack NeutronMichelle Holley
 
Layer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus NetworksLayer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus NetworksVikram G Hosakote
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 

More Related Content

What's hot

Demystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the HostDemystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the HostCumulus Networks
 
SDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + QuantumSDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + QuantumThe Linux Foundation
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Cumulus Networks
 
Linux networking is Awesome!
Linux networking is Awesome!Linux networking is Awesome!
Linux networking is Awesome!Cumulus Networks
 
Network Architecture for Containers
Network Architecture for ContainersNetwork Architecture for Containers
Network Architecture for ContainersCumulus Networks
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Cumulus Linux 2.5 Overview
Cumulus Linux 2.5 OverviewCumulus Linux 2.5 Overview
Cumulus Linux 2.5 OverviewCumulus Networks
 
Swisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwiss IPv6 Council
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksSkeeve Stevens
 
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...VirtualTech Japan Inc.
 
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...Cloud Native Day Tel Aviv
 
Manage your switches like servers
Manage your switches like serversManage your switches like servers
Manage your switches like serversCumulus Networks
 
Dreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scaleDreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scaleCumulus Networks
 
OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6Shixiong Shang
 
Service Function Chaining in Openstack Neutron
Service Function Chaining in Openstack NeutronService Function Chaining in Openstack Neutron
Service Function Chaining in Openstack NeutronMichelle Holley
 
Layer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus NetworksLayer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus NetworksVikram G Hosakote
 

What's hot (20)

Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
 
Demystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the HostDemystifying Networking Webinar Series- Routing on the Host
Demystifying Networking Webinar Series- Routing on the Host
 
Vandyke SecureCRT tips and tricks
Vandyke SecureCRT tips and tricksVandyke SecureCRT tips and tricks
Vandyke SecureCRT tips and tricks
 
SDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + QuantumSDN - OpenFlow + OpenVSwitch + Quantum
SDN - OpenFlow + OpenVSwitch + Quantum
 
IPv6 at CSCS
IPv6 at CSCSIPv6 at CSCS
IPv6 at CSCS
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]
 
Linux networking is Awesome!
Linux networking is Awesome!Linux networking is Awesome!
Linux networking is Awesome!
 
Network Architecture for Containers
Network Architecture for ContainersNetwork Architecture for Containers
Network Architecture for Containers
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Cumulus Linux 2.5 Overview
Cumulus Linux 2.5 OverviewCumulus Linux 2.5 Overview
Cumulus Linux 2.5 Overview
 
Swisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security Devices
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
NTTドコモ様 導入事例 OpenStack Summit 2016 Barcelona 講演「Expanding and Deepening NTT D...
 
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
OpenStack & OVS: From Love-Hate Relationship to Match Made in Heaven - Erez C...
 
Manage your switches like servers
Manage your switches like serversManage your switches like servers
Manage your switches like servers
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFV
 
Dreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scaleDreamhost deploying dreamcompute at scale
Dreamhost deploying dreamcompute at scale
 
OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6OpenStack Icehouse Over IPv6
OpenStack Icehouse Over IPv6
 
Service Function Chaining in Openstack Neutron
Service Function Chaining in Openstack NeutronService Function Chaining in Openstack Neutron
Service Function Chaining in Openstack Neutron
 
Layer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus NetworksLayer-3 BFD Optimization Proposals for Enterprise and Campus Networks
Layer-3 BFD Optimization Proposals for Enterprise and Campus Networks
 

Similar to EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods - Networkshop44

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologySagi Brody
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sunsmattoon
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsRaul Leite
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?smattoon
 
Drupalcon2007 Sun
Drupalcon2007 SunDrupalcon2007 Sun
Drupalcon2007 Sunsmattoon
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdffaker1842002
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 

Similar to EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods - Networkshop44 (20)

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Why Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container TechnologyWhy Managed Service Providers Should Embrace Container Technology
Why Managed Service Providers Should Embrace Container Technology
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity Management
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
Why Sun for Drupal?
Why Sun for Drupal?Why Sun for Drupal?
Why Sun for Drupal?
 
Drupalcon2007 Sun
Drupalcon2007 SunDrupalcon2007 Sun
Drupalcon2007 Sun
 
Ex200
Ex200Ex200
Ex200
 
Automation day red hat ansible
Automation day red hat ansible Automation day red hat ansible
Automation day red hat ansible
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 

More from Jisc

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...Jisc
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxJisc
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxJisc
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Jisc
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...Jisc
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptxJisc
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxJisc
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxJisc
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxJisc
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJisc
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxJisc
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 
MarkChilds.pptx
MarkChilds.pptxMarkChilds.pptx
MarkChilds.pptxJisc
 
RStrachanOct23.pptx
RStrachanOct23.pptxRStrachanOct23.pptx
RStrachanOct23.pptxJisc
 
ISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxJisc
 
FerrellWalker.pptx
FerrellWalker.pptxFerrellWalker.pptx
FerrellWalker.pptxJisc
 

More from Jisc (20)

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 
MarkChilds.pptx
MarkChilds.pptxMarkChilds.pptx
MarkChilds.pptx
 
RStrachanOct23.pptx
RStrachanOct23.pptxRStrachanOct23.pptx
RStrachanOct23.pptx
 
ISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptx
 
FerrellWalker.pptx
FerrellWalker.pptxFerrellWalker.pptx
FerrellWalker.pptx
 

Recently uploaded

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 

Recently uploaded (20)

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 

EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods - Networkshop44

  • 1. ENHANCEMENTS IN FREERADIUS 3.0.0- 3.2.0 EAP-TLS THE ROLLS-ROYCE OF EAP METHODS NWS
  • 2. We are the FreeRADIUS experts.
  • 3. INTRODUCTION WHATIS FREERADIUS ▸ The world's most widely deployed Open Source RADIUS server. ▸ Glues AAA services to backends e.g. 802.1X/EAP to Active Directory. ▸ Routes AAA authentication sessions between members of federations like Eduroam. ▸ Adds intelligence to dumb protocols, using flexible policies. http://freeradius.surge.sh
  • 4. INTRODUCTION WHOAMI ▸ Arran Cudbard-Bell (@arr2036) ▸ FreeRADIUS Core Developer ▸ Mercenary at Network RADIUS ▸ Director RM-RF LTD ▸ IETF Note Taker (RADEXT) ▸ Janet 802.1X SIG member
  • 5. INTRODUCTION TOPICS ▸ PEAP - The Ford Pinto of EAP methods. ▸ EAP-TLS - The Rolls-Royce of EAP methods. ▸ What's new in v3.0.x/v3.2.0.
  • 7. PEAP - THE FORD PINTO OF EAP METHODS WHY IS PEAP INSECURE? ▸ MSCHAPv2 is broken, must be wrapped in TLS. ▸ TLS only protects data if peer is not evil. ▸ Ensuring peer is not evil requires a trust relationship. ▸ Trust relationship during bootstrap requires PKI savvy users. ▸ Users are not PKI savvy.
  • 8. PEAP - THE FORD PINTO OF EAP METHODS NOT NEWS ▸ Presented at Defcon 20 (2012) by David Hulton. ▸ 16 byte MD4 hash is as good as Cleartext for MSCHAPv2 (only thing the server knows). ▸ We know the ChallengeHash, need to guess the 3 * 7 bytes NT HASH fragments used as DES keys. ▸ That's a 2138 bit keyspace! Eeek! ▸ Wait... 21 != 16 (the other five are zeros)... so that's only two DES keys we need to find! ▸ ...and the cipher key is the same for all DES operations, so we can brute force all keys simultaneously. ▸ Which gives us a 256 bit keyspace, which can be broken by online DES cracking services in < 24 hours. Images by Moxie Marlinspike - Divide and Conquer: Cracking MSCHAPv2 with a 100% success rate Retrieved from https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
  • 9. PEAP - THE FORD PINTO OF EAP METHODS NOT JUST PEAP ▸ Anything that relies on MSCHAPv2 for confidentiality is broken e.g. LEAP ▸ Any insecure inner method that relies on TLS for confidentiality is also broken. e.g. ▸ EAP-TTLS-PAP ▸ EAP-TTLS-MSCHAPv2 ▸ EAP-TTLS-GTC ▸ PEAPv1-GTC ▸ For OSX, IOS, and Windows > 8, it's possible to request TTLS- EAP-GTC or TTLS-PAP and get the cleartext password. ▸ Attacks can be made more convincing by generating certificates on the fly, from the NAI in the identity response.
  • 10. PEAP - THE FORD PINTO OF EAP METHODS FAILURE OF THE DUCK TEST ▸ Only method of authenticating wireless network is SSID (which isn't really authentication). ▸ Only method of authenticating EAP server is by presented certificate (fingerprint, CN and signing CA). ▸ Supplicants give users too much and too little power.
  • 11. PEAP - THE FORD PINTO OF EAP METHODS FOXING FERRETS ON OSX EL- CAPITAN ▸ IOS/OSX supplicants prompt for User-Name/Password before negotiating the EAP method. ▸ No option to select personal certificate. ▸ No option to manually configure supplicant profiles. ▸ Only CN of certificate shown in UI (can expand to see full details) ▸ Trivial to click past certificate verification dialogues, but you at least need to be able to change trust preferences. ▸ When TTLS is requested, supplicant will send EAP-Identity and trigger EAP negotiation, allowing negotiation of EAP-GTC. ▸ Unless network/supplicant settings were defined by a profile, cached credentials will be re-used on networks with the same name, but presenting a different cert.
  • 12. PEAP - THE FORD PINTO OF EAP METHODS WAYLAYING WEASELS ON WINDOWS 10 ▸ For unknown networks Windows 10 supplicants auto discover WPA-Enterprise, and prompt for User-Name/Password even before negotiating the EAP method. ▸ No way to see certificate CN or issuer, only available detail is fingerprint. ▸ When TTLS is requested, supplicant will perform EAP-TTLS-PAP by default. Can't negotiate EAP unless explicitly configured. ▸ Does allow manual configuration of supplicant, but exceedingly well hidden.
  • 13. PEAP - THE FORD PINTO OF EAP METHODS PREVENTING MISIDENTIFICATION OF WATERFOWL ▸ Eduroam sites ▸ Transition to EAP-TLS (please?). ▸ Consider deploying Eduroam CAT or similar. ▸ Adopt HotSpot 2.0 R2. Register interest in OSU (Online Signup Server) certs provided by central authority (GÉ ANT/Jisc). ▸ Pre/post-flight checks (verify supplicants behave correctly). ▸ OS/supplicant vendors ▸ Should never involve users in PKI validity checks. ▸ Failing that - Cert fingerprint MUST be consistent when re-using cached credentials for AD-Hoc 802.1X profiles. ▸ IETF/standards bodies ▸ Define strongly worded guidelines for supplicant implementors (http://geant3plus.archive.geant.net/Resources/Open_Call_deliverables/Documents/SENSE_fin al_report.pdf)
  • 14. EAP-TLS - THE ROLLS-ROYCE OF EAP METHODS WHY MOVE TO EAP-TLS? ▸ Extremely secure - Reduces chance of user's credentials being exposed. ▸ Efficient - Almost half the round trips compared to PEAP. ▸ Robust - No need to query external oracle (AD, LDAP, SQL) for authenticating users. ▸ Scales horizontally. ▸ Well supported - Windows, OSX, IOS, Android, Even HP printers (and better supported in future with over the air certificate deployment). ▸ Should allow for proper 2FA (in future). Linux (wpa_supplicant) already supports client certs for PEAP/TTLS. Feature request made to Microsoft. ▸ PEAP-EAP-TLS allows for identity privacy (and SoH).
  • 15. EAP-TLS - THE ROLLS-ROYCE OF EAP METHODS EAP-TLS PKI WHAT ARE THE OPTIONS? ▸ Two established commercial solutions for managing client PKI ▸ Cloudpath ▸ Clearpass (FreeRADIUS FTW!) ▸ EST (Enrolment Over Secure Transport) RFC 7030 - Fairly simple to integrate, but only reference implementations available. ▸ SCEP (Secure Certificate Enrolment Protocol) now revived as https://tools.ietf.org/html/draft-gutmann-scep-02. ▸ Many implementations OpenSCEP, EJCBA and Dogtag most well known. ▸ Good support from Apple (iOS/OSX) they provide full reference code for Ruby based SCEP server. ▸ Eduroam CAT - Local PKI (as in local to the CAT server) on roadmap, considering RFC 7030/SCEP support.
  • 17. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.0.X 1. RADSEC (RADIUS over TLS) + DTLS. 2. Password change support (MSCHAPv2). 3. Connection pools and connection pool sharing. 4. Proper regular expressions (libpcre) + Pre-Compilation + named captures groups + 32 numbered capture groups for all regex flavours. 5. Tests, tests and more tests (Policy language, modules etc...). 6. COLOURS (Colourised log output for errors/warnings/info). 7. IP address comparisons e.g. "<cidr>127.0.0.1 < 12.0.0.0/24". 8. 64Bit Integers and IP prefix types. 9. SNMP Traps 10. Multivalued comparisons e.g. if (&Groups[*] == &User-Name) shinyhead:freeradius-server-fork arr2036$ make test UNIT-TEST base.dict UNIT-TEST rfc.txt UNIT-TEST errors.txt UNIT-TEST extended.txt UNIT-TEST lucent.txt UNIT-TEST wimax.txt UNIT-TEST escape.txt UNIT-TEST condition.txt UNIT-TEST xlat.txt UNIT-TEST vendor.txt UNIT-TEST dhcp.txt ... EAPOL_TEST gtc EAPOL_TEST leap EAPOL_TEST md5 EAPOL_TEST mschapv2 EAPOL_TEST peap-client-mschapv2 EAPOL_TEST peap-eap-gtc EAPOL_TEST peap-mschapv2 EAPOL_TEST pwd EAPOL_TEST tls EAPOL_TEST ttls-chap EAPOL_TEST ttls-client-eap-mschapv2 EAPOL_TEST ttls-client-eap-tls EAPOL_TEST ttls-eap-gtc EAPOL_TEST ttls-eap-mschapv2 EAPOL_TEST ttls-mschapv2 EAPOL_TEST ttls-pap
  • 18. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.0.X CONT... 11. LDAP Group caching. 12. LDAP Dynamic clients. 13. REST API client. 14. Arbitrary client attributes. 15. SHA2 support. 16. Significantly improved detail reader performance (200%). 17. Shared cache support (currently memcached, Redis). 18. Startup checks for xlat and unlang syntax. 19. Pre-compilation of regular expressions 20. Functional user specific debugging (0) ldap : Waiting for search result... (0) ldap : User object found at DN "cn=test.example,ou=staff,ou=people,o=freeradius" (0) ldap : No cacheable group memberships found in user object (0) ldap : expand: '(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))' -> '(&(objectClass=groupOfNames) (member=cn3dtest.example2cou3dstaff2cou3dpeople2co3dfreeradius))' (0) ldap : expand: 'ou=groups,ou=role,o=freeradius' -> 'ou=groups,ou=role,o=freeradius' (0) ldap : Performing search in 'ou=groups,ou=role,o=freeradius' with filter '(&(objectClass=groupOfNames) (member=cn3dtest.example2cou3dstaff2cou3dpeople2co3dfreeradius))' (0) ldap : Waiting for search result... (0) ldap : Added Ldap-Group with value "adminNet" to control list (0) ldap : Added Ldap-Group with value "adminSplunk" to control list (0) ldap : Added Ldap-Group with value "adminCacti" to control list (0) ldap : Added Ldap-Group with value "adminTomcat" to control list (0) ldap : Added Ldap-Group with value "adminAlumni" to control list
  • 19. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.0.X - TRUST ROUTER ▸ Next generation trust/ introduction service developed as part of the Moonshot project (now the Assent service). ▸ Allows COIs (Communities Of Interest) to operate across multiple federations. ▸ X509v3 could technically achieve the same trust relationships. But admin would be extremely difficult. ▸ Trust router implements two services ▸ Trust router protocol - Distributes information about available IdPs (Identity providers) and the realms they serve to members of a COI. ▸ Trust path query/Temporary ID protocol. Allows service provider (SP) to retrieve a TID (Temporary ID) for communicating with IdP. ▸ TIDs allow for lower latency, higher reliability, communication between SPs and IdPs. https://wiki.moonshot.ja.net/display/Moonshot/The+Architecture+and+Protocol+Flows+of+Moonshot
  • 20. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.0.X - TRUST ROUTER (THE FREERADIUS BIT) ▸ SP - On call to rlm_realm, on discovering an unknown realm (or realm which requires update). ▸ Queries local TR for IdP information and TID, providing DH Params (first half of DH exchange). ▸ If positive response - retrieves list of IdP servers, the DH exchange completed for each IdP (second half of DH exchange). Computes symmetric keys for each home server. ▸ Creates/Inserts new realm entry with realm->pool->home_server structures. ▸ Establishes outbound TCP connection to IdP. ▸ Performs TLS-PSK handshake, with the key identifier (unique ID for the temporary credentials), and computed PSK. ▸ IdP - On request from INADDR_ANY client ▸ Uses key identity from TLS-PSK to query TR to get previously generated PSK.
  • 21. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHY IS FREERADIUS A GOOD CANDIDATE FOR TRUST ROUTER INTEGRATION? ▸ FreeRADIUS already had support for RADSEC. ▸ Fairly minor modifications needed. ▸ Pluggable architecture, easy to accommodate changes or enhancements to Trust Router. ▸ Dynamic debugging (watch live authentications). ▸ Scalable - 30,000 PPS when proxying on modest hardware.
  • 22. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.2.X 1. Redis 3.0.x cluster support. 2. High performance > (10,000 alloc/s per cluster node) Redis IPv4/IPv6 allocation. 3. Significantly improved EAP debugging + Improved EAP performance 4. Certificateless EAP-TLS (like HTTPS). 5. DHCPv4 'just works' (improved auto- discovery of interface configuration). (11) } # if (!&Stripped-User-Domain || (&Stripped-User-Domain == '')) (noop) (11) if (&Stripped-User-Name == 'peap') { (11) ... (11) } (11) eap - Peer sent EAP Response (code 2) ID 3 length 13 (11) eap - Continuing tunnel setup (11) eap (ok) (11) if (EAP-Type == Identity) { (11) ... (11) } (11) } # authorize (ok) (11) Using 'Auth-Type = eap' for authenticate {...} (11) Running Auth-Type eap from file /usr/local/freeradius/etc/raddb/sites-enabled/default (11) authenticate { (11) eap - Peer sent packet with EAP method TTLS (21) (11) eap - Calling submodule eap_ttls to process data (11) eap_ttls - Authenticate (11) eap_ttls - Continuing EAP-TLS (11) eap_ttls - Got complete TLS record (7 bytes) (11) eap_ttls - [eap-tls verify] = ok (11) eap_ttls - <<< recv alert [length 2], fatal unknown_ca (11) eap_ttls - ERROR: Client sent fatal TLS alert: unknown CA (11) eap_ttls - ERROR: Verify client has copy of CA certificate, and trusts CA (11) eap_ttls - ERROR: accept: Handshake exit state "SSLv3 read client key exchange A" (11) eap_ttls - ERROR: Failed in SSL_read (11) eap_ttls - ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (11) eap_ttls - ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (11) eap_ttls - ERROR: System call (I/O) error (-1) (11) eap_ttls - ERROR: TLS receive handshake failed during operation (11) eap_ttls - ERROR: [eap-tls process] = fail (11) eap - ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (11) eap - Sending EAP Failure (code 4) ID 3 length 4 (11) eap (invalid) (11) } # authenticate (invalid) (11) Failed to authenticate the user (11) Using Post-Auth-Type Reject (11) Post-Auth-Type sub-section not found. Ignoring. (11) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (11) Sending delayed response (11) Sent Access-Reject Id 3 from 127.0.0.1:1812 to 127.0.0.1:63382 via lo0 length 44 (11) EAP-Message = 0x04030004 (11) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
  • 23. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WHATS NEW V3.2.X CONT... 6. Infinitely nested TLV support. 7. SNMP support (will also work over proxy chains). Translates OIDs into TLV structures in FR extended dictionary space. Calls client using Net- SNMP pass persist. 8. libwbclient support (30% performance improvement over ntlm_auth for Active Directory authentication). 9. map { } syntax to support retrieving multiple values per query from LDAP and SQL. 10. JSON parsing and simple query syntax map sql "SELECT group, reply_message FROM users WHERE user = '%{User-Name}'" { &control:Group := 'group' &reply:Reply-Message := 'reply_message' } map json "%{rest:http://www.example.org/user/%{User-Name}" { &control:Group := 'user.group' &reply:Reply-Message := 'user.message' } radsnmp (debug): read: get radsnmp (debug): read: .1.3.6.1.2.1.67.1.1.1.1.1.0 Sent Status-Server Id 3 from (null):0 to 127.0.0.1:1812 length 78 Radius-Auth-Serv-Ident = "000" FreeRADIUS-SNMP-Operation = get Message-Authenticator = 0x00 Received Access-Accept Id 3 from 127.0.0.1:1812 to 127.0.0.1:49548 via (null) length 75 Radius-Auth-Serv-Ident = "FreeRADIUS 3.1.0" FreeRADIUS-SNMP-Type = string radsnmp (debug): said: 1.3.6.1.2.1.67.1.1.1.1.1 radsnmp (debug): said: string radsnmp (debug): said: FreeRADIUS 3.1.0 radsnmp (debug): Returned 1 varbind responses
  • 24. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 NEW IN V3.2.0 - DISTRIBUTED SESSION RESUMPTION ▸ Server side session resumption part of the TLS standard (not an extension). Not RFC 5077. ▸ Hashes MSK (Master session key) from previous session with random data from client + server to generate new MSK. ▸ Hashing cheap compared to performing full RSA calculations to generate keying material for MSK. ▸ Real wall clock saving comes from not having to exchange big certificate chains. ▸ With PEAP/TTLS, resuming a session allows you to skip the inner method (no hits on AD or LDAP).
  • 25. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 ▸ 2 fragments per client/server certificate chain. ▸ Real world Time To Completion (TTC) assumes 50ms credential lookup (where relevant) + 40ms Round Trip Time (RTT). ▸ Session blobs 138b EAP-TTLS-PAP ▸ Session blobs 1863b EAP-TLS.
  • 26. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 WASN'T THIS AVAILABLE BEFORE? ▸ Yes we've supported this for a while... ▸ The innovation is exporting the opaque session blob as an attribute. ▸ Couldn't be done in v2.x.x because max value length was 253 bytes. ▸ Couldn't be done usefully (between multiple servers) in v3.0.x because no shared cache module. ▸ Finally in v3.2.0 we have all the components needed to support this properly, including a new &session-state: list to simplify re-authorization.
  • 27. ENHANCEMENTS IN FREERADIUS 3.0.0-3.2.0 FUTURE LOOKING STATEMENTS ▸Should become a generic platform for implementing network protocols, with re-useable and flexible policy logic. ▸Move to asynchronous I/O. ▸Process has begun - Iterative (as opposed to recursive) interpreter for unlang introduced in v3.1.x ▸Diversified protocol support ▸New internal 'proto' API introduced in v3.1.x, should allow for: ▸DHCPv6. ▸Diameter. ▸maybe ANQP (when someone creates a standard for transporting it over IP). ▸SQL statement caching. ▸Better interpreted language support.
  • 28. ?

Editor's Notes

  1. Security and user experience
  2. TL;DR Don&amp;apos;t need to break MD4 hash as it&amp;apos;s effectively the &amp;quot;password&amp;quot; or starting point for MSCHAPv2 on both sides. MSCHAPv2&amp;apos;s magic handwaving succeeds in reducing the complexity of breaking an MSCHAPv2 exchange down to breaking a single 56Bit DES Key. As we&amp;apos;re brute-forcing (going through all the possible keys), we check if the output is the same as the output of DES0 and then DES1 (in the same round).
  3. These methods aren&amp;apos;t insecure but &amp;quot;cracks in the foundation&amp;quot; of supplicants make the IMPLEMENTATIONS insecure. Too much in that it lets you skip security dialogue boxes Too little in that you can&amp;apos;t setup certificate authentication properly?!
  4. Verify signup process has completed by presenting incorrect cert and checking authentication failed. Demand action. HS 2.0 support will make the service *significantly* better for users. Eduroam CAT Grumpy about staff accounts being hacked? etc.. SENSE – Secure Enterprise Networks Simple &amp; Easy Created eapLab and other. Stefan Winter, Tomasz Wolniewicz Pre-Post flight check - Present wrong certificate at random intervals to check session timeout or Alert?
  5. 46% Not going to break RSA for 2048 bit certs, but users are still stupid :(
  6. Clearpass also implemented an RFC 7030 server SCEP https://tools.ietf.org/html/draft-gutmann-scep-02 - Originally abandoned because it lacked a secure method of identifying the requesting device (apparently fixed)? https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html - Google iPhone SCEP
  7. https://tools.ietf.org/html/rfc6614 TLS 1.2 PRF sorry :(
  8. Please put that diagram on the moonshot homepage... https://wiki.moonshot.ja.net/display/Moonshot/The+Architecture+and+Protocol+Flows+of+Moonshot X509v3 multiple inheritance would help! &amp;quot;A community of interest is a community of people who share a common interest or passion&amp;quot; - and want to provide Reciprocal authentication and access to services? RADIUS forwarding isn&amp;apos;t IP forwarding (which is why direct connections are better).
  9. Session ID in client means &amp;quot;I want to resume this session&amp;quot; Session ID in server (that matches) &amp;quot;lets resume this session&amp;quot; Session ID in server (doesn&amp;apos;t match) &amp;quot;can&amp;apos;t resume session&amp;quot; Session ID in server (blank) &amp;quot;don&amp;apos;t support session resumption&amp;quot; Session blobs contain client cert chain. TLS RFCs recommend validity period of 24 hours (being cautious). Nothing in RFC to prohibit &amp;quot;chained&amp;quot; session resumption. Put database in a secure location (if compromised -&amp;gt; bad things).
  10. Session-state list can store groups, Inner identities. Previously decoded. Certificate attributes.