WLAN Infrastructure Monitoring and Supplicants


WLAN Infrastructure Monitoring and Supplicants
Workshop on Wireless, Belgrade, 12.09.2011

Wenche Backman-Kamila
CSC – Tieteen tietotekniikan keskus Oy / CSC – IT Center for Science Ltd.

Agenda
  • Supplicants in general
    – Windows 7 (manual & automatic config)
    – Network manager and wpa_supplicant
    – Mac
    – Windows XP
  • Monitoring
    – Fixed part
    – Wireless part

SUPPLICANTS

Why supplicants?
  • eduroam is based on 802.1X
    – 802.1X requires supplicants
  • LOTS of different supplicants out there
    – All OSes have their own
    – iPhone, Android, Nokia etc. have their own
    – All differ, but the basic features are the same
  • The bright side: configure only ONCE
    – With web authentication the credentials have to be entered again and again

Supplicant details
  • Basic features
    – Define EAP method
      • Supported methods depend on the supplicant
    – Define certificate and server name
      • If self-signed certificate, no server name required
    – Define encryption: WPA2-AES, WPA-TKIP
    – Define user name and password
      • User name including @organisation.rs
  • Anonymous identity might be supported

Supplicant best practices
  • About certificates in PEAP and TTLS
    – If self-signed certificate
      • Distribute it securely to your users
    – If public CA
      • Ensure that the CA and the server name have been defined in the supplicant
    – If you use TLS you don't have to worry about these recommendations
  • Anonymous identity

Supplicants and supported EAP methods

                                  PEAP-MSCHAPv2  TTLS-MSCHAPv2  TTLS-PAP  TLS
Windows XP/Vista/7                      x              -            -      x
Network manager & wpa_supplicant        x              x            x      x
Mac                                     x              x            x      x

Windows7 manually 1/3

Windows7 manually 2/3

Windows7 manually 3/3

Windows7 – automatically 1/2
  • Installer creates an XML file
    – XML file used to configure the settings
  • User only inputs credentials
    – Requires admin rights
  • Installer created with NSIS
  • Win7 and Vista

Windows7 – automatically 2/2

Network manager/ wpa_supplicant

Mac supplicant 1/3

Mac supplicant 2/3

Mac supplicant 3/3

WinXP
  • Configuration video available at http://cbt.geant2.net/repository/eduroam_supplicants/setting_up_eduroam_supplicants.html

MONITORING

Monitoring

Monitoring methods for authentication
  • Radius authentication: radtest
    – Standard command
    • Input
      – Credentials
      – Server name and shared secret
    • Does not require a radius server for monitoring purposes
    • Doesn't test EAP auth
  • EAP authentication: eapol_test
    – Included in wpa_supplicant
    • Additional input compared to radtest
      – Supported EAP methods (outer and inner)
      – Certificate
    • Requires a radius server to carry out testing
    • Imitates supplicant auth

More on eapol_test
  • http://deployingradius.com/scripts/eapol_test
  • eapol_test -c peap-mschapv2.conf -a <server> -s <secret> -M 22:44:66:00:00:00 -A <client IP>
  • check_eapauth
  • rad_eap_test (http://www.eduroam.cz/rad_eap_test/)

Monitoring authentication at campus
  • Create a username and password for monitoring purposes
  • Monitoring server
    – radtest
    – and/or eapol_test
  • And additionally
    – ping latency, packet loss and opening of SSH connections
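The eapol_test-based check described on the two slides above, as an added example that is not part of the presentation or of any of the named tools: it writes the PEAP/MSCHAPv2 network block eapol_test reads (with the CA, server-name and anonymous-identity settings recommended earlier), runs eapol_test with the options shown on the slide, and maps the verdict to a Nagios-style exit code. The server address, shared secret, CA path and monitoring account are placeholders.

```python
import re
import subprocess
import tempfile
from pathlib import Path


def build_peap_conf(identity, password, ca_cert, server_name):
    """wpa_supplicant/eapol_test network block for PEAP with inner MSCHAPv2.
    anonymous_identity keeps the realm (needed for eduroam routing) but hides the
    user name on the outer leg; ca_cert plus subject_match pin the RADIUS server."""
    realm = identity.split("@", 1)[1]
    return (
        "network={\n"
        "  key_mgmt=WPA-EAP\n"
        "  eap=PEAP\n"
        f'  identity="{identity}"\n'
        f'  anonymous_identity="anonymous@{realm}"\n'
        f'  password="{password}"\n'
        f'  ca_cert="{ca_cert}"\n'
        f'  subject_match="{server_name}"\n'
        '  phase2="auth=MSCHAPV2"\n'
        "}\n"
    )


def classify(output, returncode):
    """eapol_test prints SUCCESS or FAILURE on its own line and exits 0 only on
    success; no verdict at all usually means the RADIUS server never answered."""
    if returncode == 0 and re.search(r"^SUCCESS$", output, re.M):
        return 0, "OK: EAP authentication succeeded"
    if re.search(r"^FAILURE$", output, re.M):
        return 2, "CRITICAL: EAP authentication rejected"
    return 2, "CRITICAL: no verdict from eapol_test (RADIUS unreachable?)"


def run_check(conf_text, server, secret, mac="22:44:66:00:00:00", timeout=20):
    """Write the config to a temp file, run eapol_test, return (code, message)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(conf_text)
        path = f.name
    cmd = ["eapol_test", "-c", path, "-a", server, "-s", secret,
           "-M", mac, "-t", str(timeout)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 5)
        return classify(proc.stdout, proc.returncode)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return 3, f"UNKNOWN: could not run eapol_test ({type(exc).__name__})"
    finally:
        Path(path).unlink(missing_ok=True)  # never leave the password on disk
```

A scheduler around run_check can apply the federation-level cadence from the next slide (every 10 minutes while OK, every 3 minutes while failing).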

Monitoring at federation level
  • Monitoring hierarchy
    – With credentials from each organisation
    – Results on web
    – Based on eapol_test
    – E.g. checks every 10th minute if OK
    – If problems, every 3rd minute

Monitoring the air interface
  • Commercial products can be divided into three groups:
    – Products based on data from access points to the controllers
    – Products based on site survey
    – Solutions covering both the fixed LAN network and the air interface

Access point and controller data
  • Cisco's WCS
    – Control and monitor several controllers
    – Air interface data
      • Signal strength and noise levels
      • Channel allocation
      • Transmit power
  • AirWave's Wireless Management Suite
    – Multivendor environments

Site survey for monitoring purposes
  • Lots of alternatives
    – Motorola's AirDefense Mobile and SiteScanner
    – Airmagnet's WiFi and VoFi Analyzers
    – WildPackets's OmniPeek
    – Wireshark
    – Wi-Spy

Both LAN and air interface
  • Active measures
    – Attach
    – Authentication
    – DHCP server
    – HTTP and FTP upload and download
    – VoIP test with MOS
  • Passive measures
    – Signal strength and SNR
  (Example product: 7signal's Sapphire)

Monitoring at campuses in Finland
  • Access points are monitored
  • Means for AP monitoring
    – All known APs connected to controller
    – APs correctly configured
    – SSH script (perl)
    – Airwave
    – Radios on
    – Users per AP

References and contact info
  • Main reference
    – WLAN infrastructure BPD
      • http://www.terena.org/campus-bp/bpd.html
  • Other references
    – Monitoring and ensuring WLAN performance
      • http://www.terena.org/campus-bp/reports.html
