Implementing RADIUS with Cisco LEAP




The use of RADIUS servers to authenticate network users is a longstanding practice. Using RADIUS server dynamic per-user, per-session WEP keys combined with IV randomization is a fairly new practice. Another new addition is Cisco’s proprietary offering (now being used by many third-party vendors), Lightweight Extensible Authentication Protocol (LEAP).

LEAP is one of approximately 30 different variations of the Extensible Authentication Protocol (EAP). Other variants include Extensible Authentication Protocol-Message Digest Algorithm 5 (EAP-MD5), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Extensible Authentication Protocol-Tunneled TLS (EAP-TTLS), and Protected Extensible Authentication Protocol (PEAP). EAP allows other security products (such as LEAP) to be used to provide additional security to Point-to-Point Protocol (PPP) links through the use of special Application Programming Interfaces (APIs) that are built into operating systems and, in the case of the Cisco Aironet hardware, into the device firmware.

LEAP (also known as EAP-Cisco Wireless) uses dynamically generated WEP keys, 802.1x port access controls, and mutual authentication to overcome the problems inherent in WEP. 802.1x is an access control protocol that operates at the port level between any authentication method (LEAP in this case) and the rest of the network. 802.1x does not provide authentication to users; rather, it translates messages from the selected authentication method into the correct frame format being used on the network. In the case of our example, the correct frame format is 802.11, but 802.1x can also be used on 802.3 (Ethernet) and 802.5 (Token Ring) networks, to name a few. When you use 802.1x, the choice of the authentication method and key management method are controlled by the specific EAP authentication being used (LEAP in this case).

Note 

RADIUS is defined by Request for Comments (RFC) 2865. The behavior of RADIUS with EAP authentication is defined in RFC 2869. RFCs can be searched and viewed online at www.rfc-editor.org. 802.1x is defined by the IEEE in the document located at http://standards.ieee.org/getieee802/download/802.1X-2001.pdf.

LEAP creates a per-user, per-session dynamic WEP key that is tied to the network logon, thereby addressing the limitations of static WEP keys. Since authentication is performed against a back-end RADIUS database, administrative overhead is minimal after initial installation and configuration.

LEAP Features

Through the use of dynamically generated WEP keys, LEAP enhances the basic security of WEP. This feature significantly reduces the chance that another user can recover the WEP key with a WEP key-cracking utility. In addition, the WEP keys that are generated can be tied to the specific user session and, if desired, to the network login as well. Through the use of Cisco (or other third-party components that support LEAP) hardware from end to end, you can provide a robust and scalable security solution that silently increases network security, not only by authenticating users but also by encrypting wireless network traffic without the use of a VPN tunnel. (You can, however, opt to accept the additional network overhead and implement a VPN tunnel as well to further secure the communications.)

Cisco LEAP provides the following security enhancements:

  • Mutual authentication Mutual authentication is performed between the client and the RADIUS server, as well as between the AP and the RADIUS server. By using mutual authentication between the components involved, you prevent the introduction of both rogue APs and rogue RADIUS servers. Furthermore, you provide a solid authentication method to control who can and cannot gain access to the wireless network segment (and thus the wired network behind it). All communications carried out between the AP and the RADIUS server are done using a secure channel, further reducing any possibility of eavesdropping or spoofing.

  • Secure-key derivation A preconfigured shared-secret secure key is used to construct responses to mutual authentication challenges. It is put through an irreversible one-way hash that makes recovery or replay impossible and is useful for one time only at the start of the authentication process.

  • Dynamic WEP keys Dynamic per-user, per-session WEP keys are created to allow administrators to move quickly away from statically configured WEP keys, thus significantly increasing security. The single largest security vulnerability of a properly secured wireless network (using standard 802.11b security measures) is the usage of static WEP keys that are subject to discovery through special software. In addition, maintaining static WEP keys in an enterprise environment is an extremely time-consuming and error-prone process. In using LEAP, the session-specific WEP keys that are created are unique to that specific user and are not used by any other user. In addition, the broadcast WEP key (which is statically configured in the AP) is encrypted using the session key before being delivered to the client. Since each session key is unique to the user and can be tied to a network login, LEAP also completely eliminates common vulnerabilities due to lost or stolen network adapters and devices.

  • Reauthentication policies Policies can be set that force users to reauthenticate more often to the RADIUS server and thus receive fresh session keys. This can further reduce the window for network attacks as the WEP keys are rotated even more frequently.

  • Initialization vector changes The IV is incremented on a per-packet basis, so hackers cannot find a predetermined, predictable sequence to exploit. The capability to change the IV with every packet, combined with the dynamic keying and reauthentication, greatly increases security and makes it that much more difficult for an attacker to gain access to your wireless network.
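The mutual authentication and secure-key derivation features above rest on the shared secret preconfigured on the AP and the RADIUS server. The Python below is an added illustration, not code from this book, Cisco or Funk: it builds the two integrity checks that RFC 2865 and RFC 2869 (cited in the Note above) derive from that secret, the Message-Authenticator the server verifies on an Access-Request carrying EAP, and the Response Authenticator the AP verifies on the reply. The user name, shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types; 79 and 80 come from RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 2, 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(ident, request_auth, secret, attrs):
    """AP side. RFC 2869 section 5.14: a packet carrying EAP-Message must carry
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed placeholder is the last 16 bytes

def parse_attrs(pkt):
    """Return [(type, value, value_offset)] for attributes after the 20-byte header."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]], i + 2))
        i += pkt[i + 1]
    return out

def verify_message_authenticator(pkt, secret):
    """Server side: HMAC with the attribute zeroed, constant-time compare; absence fails."""
    for a_type, value, off in parse_attrs(pkt):
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def build_response(code, ident, request_auth, secret, attrs):
    """Server side. Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(reply, request_auth, secret):
    """AP side: a reply built by a host without the shared secret fails here."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange for user 'alice'; returns four check results."""
    request_auth = bytes(range(16))  # constructed; a real AP uses 16 random bytes
    eap_identity = struct.pack("!BBH", EAP_RESPONSE, 1, 10) + bytes([EAP_TYPE_IDENTITY]) + b"alice"
    attrs = [attr(ATTR_USER_NAME, b"alice"), attr(ATTR_EAP_MESSAGE, eap_identity)]
    req = build_access_request(7, request_auth, secret, attrs)
    tampered = bytearray(req)
    tampered[22] ^= 0xFF  # flip the first byte of User-Name after the MAC was computed
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, secret, [])
    forged = build_response(ACCESS_ACCEPT, 7, request_auth, b"guessed-secret", [])
    return (verify_message_authenticator(req, secret),
            verify_message_authenticator(bytes(tampered), secret),
            verify_response(accept, request_auth, secret),
            verify_response(forged, request_auth, secret))
```

`demo()` returns `(True, False, True, False)`: the genuine request and reply pass, while a modified request and a reply from a host that does not hold the secret are rejected.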

Building a LEAP Solution

To put together a LEAP with RADIUS solution, you need the following components:

  • A Cisco Aironet AP that supports LEAP. Currently, this includes the 350, 1100, and 1200 models. The 350 is the oldest of the bunch and offers the least amount of configurability. The 1100 is the newest and runs IOS, offering both Command Line Interface (CLI)- and Graphical User Interface (GUI)-based management and configuration.

  • A Cisco Aironet 350 network adapter.

  • The most up-to-date network adapter driver, firmware, and Aironet Client Utility (ACU). You can download this driver using the Aironet Wireless Software Selector on the Cisco Web site at www.cisco.com/pcgi-bin/Software/WLAN/wlplanner.cgi.

  • A RADIUS server application that supports LEAP. For our purposes, we use Funk Software’s (www.funk.com) Steel Belted Radius/Enterprise Edition.

As shown in Chapter 4, our LEAP solution will look (basically) like the diagram shown in Figure 11.45.

Figure 11.45: The Cisco LEAP and RADIUS Solution

Installing and Configuring Steel Belted RADIUS

To get started with your LEAP/RADIUS solution, you first need to install and configure the RADIUS server of your choosing. As previously stated, we’ll use Steel Belted RADIUS (SBR) for this purpose because it integrates tightly with Cisco LEAP. Perform the following steps to get SBR installed and configured for LEAP:

start sidebar
Tools and Traps…
Nothing in Life Is Perfect…

LEAP has two potential weaknesses that you need to be aware of.

The first weakness is that the EAP RADIUS packet transmitted between the AP and the RADIUS server is sent in cleartext. This packet contains the shared secret used to perform mutual authentication between these two devices. The reality of this weakness, however, is that you can mitigate its potential effects by having good network authentication policies for your wired network. Thus, an attacker would have to plug directly into a switch sitting between the AP and the RADIUS server and use a special network sniffer capable of sniffing over a switched network, such as dsniff.

The second weakness of LEAP is that the username is transmitted in cleartext between the wireless client and the AP. This opens the door to the possibility of a dictionary attack. Note that the password is encrypted using MS-CHAPv1. Your defense against a dictionary attack on your LEAP users’ passwords is to implement a solid login policy for your network. For example, if you are using Active Directory and performing network authentication against it using domain user accounts, you could require strong passwords through the Password Policy options and account lockout through the Account Lockout Policy options.

For more information on configuring Active Directory for enhanced security, see MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214) by Will Schmied (Syngress Publishing 2003, ISBN 1931836841).

end sidebar

  1. Download the SBR installation package from the Funk Web site (www.funk.com). You can download it for a 30-day trial if you are not ready to purchase it.

  2. Provide your name, your organization’s name, and your product key, as shown in Figure 11.46. Note that you can opt to exercise the 30-day trial if you desire. Click Next to continue.

    Figure 11.46: SBR Has a “Try It Before You Buy It” Feature

  3. Select the SBR Enterprise Edition option on the next page, and click Next to continue.

  4. Click Yes to accept the EULA.

  5. Click Next to start the setup routine.

  6. Select your installation location. Note that you will want to install both the Radius Admin Program and the Radius Server, shown in Figure 11.47. Click Next to continue.

    Figure 11.47: Choosing the Installation Options and Location

  7. Continue with the installation routine to complete the installation process.

  8. Ensure that the Yes, launch Radius Administrator option is selected, and click Finish. Once the installation has completed, the Admin application opens. Select the Local option and click the Connect button. If the display you see is something like that shown in Figure 11.48, you’ve successfully installed SBR.

    Figure 11.48: Launching the Admin Application

  9. Close the SBR Admin application to begin the configuration of SBR for LEAP.

  10. Navigate to the SBR installation directory and open the Service folder. Locate and open the eap.ini file for editing. For this example, we use native RADIUS authentication, meaning that users will be authenticating directly against the SBR RADIUS database. (You can, optionally, configure SBR for Windows domain authentication, as discussed later in this chapter.) Under the [Native-User] heading, remove the semicolon from the first three items to enable LEAP. Save and close the eap.ini file (see Figure 11.49).

    Figure 11.49: Configuring SBR for LEAP

  11. From the Services console located in the Administrative Tools folder, restart the Steel Belted Radius service to force it to reload the eap.ini file. Launch the SBR Admin application and connect to the local server.

  12. Click the RAS Clients option to configure SBR for the Cisco Access Point, as shown in Figure 11.50. Note that the AP is the RAS client since it is performing authentication on behalf of the wireless network client. Click the Add button to create a new client, and click OK to confirm it. Next, specify the client IP address (the IP address assigned to the AP) and the type of client (Cisco Aironet Access Point).

    Figure 11.50: Configuring the RAS Client Properties

  13. Click the Edit authentication shared secret button to enter the shared secret that the AP and the SBR server will use to authenticate each other, as shown in Figure 11.51. After entering your shared secret, click the Set button to confirm it. (Remember your shared secret; you will need it again when you configure the AP later.) Click the Save button on the RAS Clients page to confirm the client details.


    Figure 11.51: Entering the Shared Secret

  14. Click the Users option to create native users (users internal to the SBR server), as shown in Figure 11.52. Click the Add button to add a new username. After entering the username, click OK to confirm it.

    Figure 11.52: Creating Native Users

  15. Click the Set password button to open the Enter User Password dialog box shown in Figure 11.53. You need to leave the Allow PAP or CHAP option selected because LEAP actually makes use of an MS-CHAPv1 derivative. After setting the password, click the Set button to confirm it. Click the Save button on the Users page to confirm the user.


    Figure 11.53: Entering the User Password

  16. Click the Configuration option to set the authentication methods (and their order) to be used, as shown in Figure 11.54. Since we are using native users, ensure that the Native User option is placed first in the list. Click Save to confirm the change if required.

    Figure 11.54: Selecting the Authentication Methods

Configuring LEAP

Once you’ve gotten your RADIUS server installed and configured, the hard work is behind you. All that is left now is to configure LEAP on the AP and client network adapter. To configure LEAP on the AP, perform the following steps. (Note that the exact screen will vary among the 350, 1100, and 1200 APs—the end configuration is the same, however. For this discussion, a Cisco Aironet 1100 AP is used with all configurations performed via the Web interface instead of the CLI.)

  1. Log in to your AP via the Web interface.

  2. Configure your network SSID and enable EAP authentication, as shown in Figure 11.55. Save your settings to the AP after configuring them.

    Figure 11.55: Enabling EAP Authentication

  3. Enter a 128-bit broadcast WEP key, as shown in Figure 11.56. Save your settings to the AP after configuring them.

    Figure 11.56: Entering the Broadcast WEP Key

  4. Configure your RADIUS server IP address and shared-secret key information, as shown in Figure 11.57. In addition, you need to ensure that the EAP Authentication option is selected. Save your settings to the AP after configuring them. If you want to enable a reauthentication policy, you can do so from the Advanced Security - EAP Authentication page shown in Figure 11.58. The default option is Disable Reauthentication. Save your settings to the AP after configuring them.

    Figure 11.57: Configuring the RADIUS Server Information

    Figure 11.58: Configuring Reauthentication

    To enable the wireless client for LEAP, first ensure that it is using the most recent firmware and drivers. Once you’ve got the most up-to-date files, proceed as follows to get the client configured and authenticated using LEAP:

  5. Launch the Cisco Aironet Client Utility (ACU), shown in Figure 11.59. Notice that the ACU reports that the network adapter is not associated with the AP. This is normal at this point because the AP is configured to require LEAP authentication.

    Figure 11.59: Using the Cisco ACU

  6. Click the Profile Manager button to create a new profile, as shown in Figure 11.60. Click the Add button to enter the new profile name, and then click the OK button to begin configuring the profile.

    Figure 11.60: Creating a New Profile

  7. Enter the correct SSID for your network (as previously configured for the AP) on the System Parameters tab, shown in Figure 11.61.

    Figure 11.61: Configuring the SSID for the Profile

  8. Switch to the Network Security tab and select LEAP from the drop-down list, as shown in Figure 11.62. After selecting LEAP, click the Configure button.

    Figure 11.62: Configuring the Authentication Method

  9. Ensure that the Use Temporary User Name and Password option is selected with the Automatically Prompt for LEAP User Name and Password suboption on the LEAP Settings page. Remove the check mark from the Include Windows Logon Domain with User Name option because we are using Native mode authentication in this example. Click OK after making your configuration (see Figure 11.63).

    Figure 11.63: Configuring LEAP Options

  10. Click OK twice more and you will be prompted with the LEAP login dialog box shown in Figure 11.64. Enter your details and click OK. If you look at the SBR Admin application on the Statistics page, you can see successful and failed authentications. Notice that the statistics shown in Figure 11.65 represent clients that are being forced to reauthenticate to the RADIUS server fairly often.

    Figure 11.64: Logging into the Wireless Network Using LEAP

    Figure 11.65: Monitoring the RADIUS Server Statistics

Windows Active Directory Domain Authentication with LEAP and RADIUS

In the preceding sections, we only looked at creating native users in Steel Belted Radius. As mentioned, however, you can create AD domain users and authenticate directly against Active Directory. This offers many advantages, such as preventing dictionary attacks by enforcing account lockout policies. If you want to use domain user accounts for LEAP authentication, you need only perform the following additions and modifications to the procedures we outlined earlier in this chapter:

  1. Make modifications to the eap.ini file, as shown in Figure 11.66. Under the [NT-Domain] heading, remove the semicolon from the first three items to enable LEAP. Save and close the eap.ini file.

    Figure 11.66: Modifying the eap.ini File for Domain Authentication

  2. From the Services console located in the Administrative Tools folder, restart the Steel Belted Radius service to force it to reload the eap.ini file. Launch the SBR Admin application and connect to the local server. On the Configuration page, shown in Figure 11.67, ensure that the NT Domain User and NT Domain Group options are enabled and are at, or near, the top of the list. Click Save to confirm the change if required.

    Figure 11.67: Checking Authentication Methods

  3. Go to the Users page and add a new user, as described previously. This time, however, you will have the option to select a domain user, as shown in Figure 11.68. Select your domain user and click OK. Click Save to confirm the addition of the domain user.

    Figure 11.68: Adding a Domain User

  4. Open the ACU and edit the profile in use (the one you previously created). Switch to the Network Security tab and click the Configure button next to the Network Security Type drop-down (where LEAP is selected). Ensure that the Use Windows User Name and Password option is selected, as shown in Figure 11.69. In addition, ensure that a check is placed next to the Include Windows Logon Domain with User Name option.

    Figure 11.69: Configuring LEAP Options for Domain Authentication

  5. Click OK three times to save and exit the profile configuration.

  6. Log in to the network using LEAP and your domain user credentials.

LEAP Review

Now that you’ve had a chance to examine the workings of Cisco’s LEAP, you should see quite a few benefits to be gained through its use. LEAP, implemented with Funk Software’s Steel Belted Radius, is an ideal and very robust security solution for a wireless network of any size. By forcing users to authenticate to a back-end RADIUS server and creating per-user, per-session dynamic WEP keys, LEAP provides greatly enhanced authentication and security for your wireless network.

LEAP addresses all WEP’s vulnerabilities and is being implemented into the 802.11b standard by the Wi-Fi Alliance (www.wi-fialliance.org), which has implemented LEAP into its standards under the name of Wi-Fi Protected Access (WPA). You can read more about WPA at the Wi-Fi Alliance Web site. In addition, Cisco has licensed the LEAP technology to several third-party vendors, so you can expect to see many more LEAP-compatible devices in the near future. For example, Apple’s AirPort network adapter already supports LEAP with version 2 or better firmware.






WarDriving(c) Drive, Detect, Defend(c) A Guide to Wireless Security