WLAN Infrastructure Monitoring and Supplicants

Report
WLAN Infrastructure
Monitoring and Supplicants
Workshop on Wireless
Belgrade - 12.09.2011
Wenche Backman-Kamila
CSC – Tieteen tietotekniikan keskus Oy
CSC – IT Center for Science Ltd.
Agenda
• Supplicants in general
– Windows7 (manual & automatic config)
– Network manager and wpa_supplicant
– Mac
– WindowsXP
• Monitoring
– Fixed part
– Wireless part
SUPPLICANTS
Why supplicants?
• eduroam based on 802.1x
– 802.1x requires supplicants
• LOTS of different supplicants out there
– all OSes have their own
– iPhone, Android, Nokia etc. have their own
– All differ but basic features are the same
• The bright side: Configure only ONCE
– In web authentication credentials repeated
Supplicant details
• Basic features
– Define EAP-method
• Supported methods depend on supplicant
– Define certificate and server name
• If self-signed certificate, no server name required
– Define encryption: WPA2-AES , WPA-TKIP
– Define user name and password
• User name including @organisation.rs
• Anonymous identity might be supported
Supplicant best practices
• About certificates in PEAP and TTLS
– If self-signed certificate
• Distribute it securely to your users
– If public CA
• Ensure that the CA and the server name has
been defined in the supplicant
– If you use TLS you don’t have to worry about
these recommendations
• Anonymous identity
Supplicants and supported
EAP methods
PEAPMSCHAPv2
TTLSMSCHAPv2
TTLS-PAP
TLS
Windows XP/Vista/7
x
x
Network manager &
wpa_supplicant
x
x
x
x
Mac
x
x
x
x
Windows7 manually 1/3
Windows7 manually 2/3
Windows7 manually 3/3
Windows7 – automatically
1/2
• Installer creates XML
file
– XML file used to
configure settings
• User only inputs
credentials
– requires admin rights
• Installer created with
NSIS
• Win7 and Vista
Windows7 – automatically
2/2
Network manager/
wpa_supplicant
Mac supplicant 1/3
Mac supplicant 2/3
Mac supplicant 3/3
WinXP
• Configuration video available at
http://cbt.geant2.net/repository/
eduroam_supplicants/setting_up_eduroam_
supplicants.html
MONITORING
Monitoring
Monitoring methods for
authentication
Radius authentication
• radtest
– standard command
• Input
– Credentials
– Server name and shared
secret
EAP authentication
• eapol_test
– included in wpa_supplicant
• Additional input compared
to radtest
– Supported EAP methods
(outer and inner)
– Certificate
• does not require a radius
server for monitoring
purposes
• Requires a radius server to
carry out testing
• doesn’t test EAP auth
• Imitates supplicant auth
More on eapol_test
• http://deployingradius.
com/scripts/eapol_test
• eapol_test
– c peap-mschapv2.conf
– a <radius_server>
– s <secret>
– M 22:44:66:00:00:00
– A <monitor_server>
• check_eapauth
• rad_eap_test (http://www.eduroam.cz/rad_eap_test/)
Monitoring authentication at
campus
• Create username and password for
montoring purposes
• Monitoring server
– radtest
– and/or eapol_test
• And additionally
– ping latency, packet loss and opening of SSH
connections
Monitoring at federation
level
• Monitoring hierarchy
– With credentials from each
organisation
– Results on web
– Based on eapol_test
– E.g. Checks every 10th
minute if OK
– If problems every 3rd minute
Monitoring the air interface
• Commercial products can be divided into
three groups:
– Products based on data from access points to
the controllers
– Products based on site survey
– Solutions covering both the fixed LAN network
and the air interface
Access point and controller
data
• Cisco’s WCS
– Control and monitor
several controllers
– Air interface data
• Signal strength and
noise levels
• Channel allocation
• Transmit power
• AirWave’s Wireless Management Suite
– multivendor environments
Site survey for monitoring
purposes
• Lots of alternatives
– Motorola’s AirDefense Mobile and
SiteScanner
– Airmagnet’s WiFi and VoFi Analyzers
– WildPackets’s OmniPeek
– Wireshark
– Wi-Spy
Both LAN and air interface
• Active measures
– Attach
– Authentication
– DHCP-server
– HTTP and FTP upload
and download
– VoIP-test with MOS
• Passive measures
– Signal strength and
SNR
7signal’s Sapphire
Monitoring at campuses in
Finland
• Access points are
monitored
– All known APs
connected to controller
– APs correctly
configured
– Radios on
– Users per AP
• Means for AP
monitoring
– SSH skript
– perl
– Airwave
References and contact
info
• Main reference
– WLAN infrastructure BPD
• http://www.terena.org/campus-bp/bpd.html
• Other references
– Monitoring and ensuring WLAN performance
• http://www.terena.org/campus-bp/reports.html
• [email protected]

similar documents