Transcript WLAN Infrastructure Monitoring and Supplicants
WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade - 12.09.2011
Wenche Backman-Kamila CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd.
Agenda
• Supplicants in general
  – Windows 7 (manual & automatic config)
  – Network Manager and wpa_supplicant
  – Mac
  – Windows XP
• Monitoring
  – Fixed part
  – Wireless part
SUPPLICANTS
Why supplicants?
• eduroam is based on 802.1X
  – 802.1X requires a supplicant on the client
• LOTS of different supplicants out there
  – Every OS has its own
  – iPhone, Android, Nokia etc. have their own
  – All differ, but the basic features are the same
• The bright side: configure only ONCE
  – With web (captive portal) authentication the credentials have to be typed in again and again; with 802.1X they are entered once and the supplicant reuses them
Supplicant details
• Basic features
  – Define the EAP method
    • Supported methods depend on the supplicant
  – Define the CA certificate and the server name
    • If a self-signed certificate is used, no server name is required (the certificate itself identifies the server)
  – Define the encryption: WPA2-AES, WPA-TKIP
  – Define user name and password
    • The user name includes the realm, e.g. user@organisation.rs; the realm is what routes the request to the home organisation
• Anonymous identity might be supported
Supplicant best practices
• About certificates in PEAP and TTLS
  – If self-signed certificate
    • Distribute it securely to your users; it is the only thing that lets the supplicant tell your server from an impostor's
  – If public CA
    • Ensure that both the CA and the server name have been defined in the supplicant. The CA alone is not enough: any server certificate issued by the same public CA would be accepted, so a rogue access point could present its own certificate and collect the inner credentials (MSCHAPv2 challenge/response, or the plaintext password with TTLS-PAP)
  – If you use TLS you don't have to worry about these recommendations: there is no password inside the tunnel to leak (the supplicant should still validate the server certificate)
• Anonymous identity
  – Use an outer identity such as anonymous@organisation.rs so the real user name is only visible inside the TLS tunnel, not to the intermediate RADIUS servers that route the request
Supplicants and supported EAP methods

  Supplicant                         PEAP-MSCHAPv2  TTLS-MSCHAPv2  TTLS-PAP  TLS
  Windows XP/Vista/7 (built-in)      x              -              -         x
  Network Manager & wpa_supplicant   x              x              x         x
  Mac                                x              x              x         x
Windows7 manually 1/3
Windows7 manually 2/3
Windows7 manually 3/3
Windows 7 – automatically 1/2
• Installer creates an XML file (a Windows WLAN profile)
  – The XML file is used to configure the settings (SSID, EAP method, CA and server name, encryption)
  – The user only inputs credentials
  – Importing the profile requires admin rights
• Installer created with NSIS
• Works on Windows 7 and Vista
Windows7 – automatically 2/2
Network manager/ wpa_supplicant
Mac supplicant 1/3
Mac supplicant 2/3
Mac supplicant 3/3
Windows XP
• Configuration video available at http://cbt.geant2.net/repository/eduroam_supplicants/setting_up_eduroam_supplicants.html
MONITORING
Monitoring
Monitoring methods for authentication
• RADIUS authentication: radtest
  – Standard command (ships with FreeRADIUS)
  – Input: credentials, server name and shared secret
  – Does not require a RADIUS server on the monitoring host
  – Does not test EAP authentication: it sends a plain RADIUS Access-Request (PAP by default), so it says nothing about the TLS tunnel or the certificates
• EAP authentication: eapol_test
  – Included in wpa_supplicant (built from the wpa_supplicant source tree)
  – Additional input compared to radtest: the supported EAP methods (outer and inner) and the CA certificate
  – Requires a RADIUS server to carry out the testing; eapol_test acts as the NAS, so the monitoring host must be configured as a RADIUS client with a shared secret on that server
  – Imitates supplicant authentication: it performs the full EAP exchange, so it exercises the same server certificate and inner method a real user's supplicant would
More on eapol_test
• http://deployingradius.com/scripts/eapol_test
• Example invocation:

  eapol_test -c peap-mschapv2.conf -a <AS address> -s <shared secret> -M 22:44:66:00:00:00 -A <client IP>

  – -c: configuration file in wpa_supplicant network-block format (here for PEAP/MSCHAPv2: EAP methods, CA certificate, identity, password)
  – -a: IP address of the RADIUS authentication server
  – -s: shared secret between the monitoring host and the server
  – -M: client MAC address, sent to the server as Calling-Station-Id
  – -A: client IP address reported to the server
Monitoring authentication at campus
• Create a user name and password for monitoring purposes (a dedicated account with no other rights, so that a leaked probe password is of little value)
• Monitoring server runs
  – radtest
  – and/or eapol_test
• And additionally
  – ping latency, packet loss and opening of SSH connections
Monitoring at federation level
• Monitoring hierarchy
  – With credentials from each organisation
  – Results published on the web
  – Based on eapol_test
  – E.g. checks every 10 minutes while everything is OK
  – If there are problems, every 3 minutes
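The following script is an added example (not code from the workshop) that ties the last few slides together: it writes the wpa_supplicant-format network block that both a Linux supplicant and eapol_test consume (the "Network manager / wpa_supplicant" configuration with CA and server-name checks from the best-practices slide), wraps radtest and eapol_test as probes, and applies the federation-level schedule of 10 minutes while OK and 3 minutes after a failure. All host names, the realm, the certificate path, the shared secret and the sample tool outputs are assumptions or constructed for the example; the monitoring host still has to be registered as a RADIUS client on the server it tests.

```shell
#!/bin/sh
# Added example (not from the slides): an eduroam authentication probe built
# on eapol_test and radtest. Host names, realm, secret, certificate path and
# the sample outputs below are placeholders / constructed, not values from
# the page.

# 1. Supplicant configuration. eapol_test reads the same network-block format
#    as wpa_supplicant, so the probe tests exactly the settings handed to
#    users. ca_cert plus a server-name check is the security-relevant part:
#    with ca_cert alone any certificate from the same CA is accepted and a
#    rogue AP can collect the MSCHAPv2 credentials. On wpa_supplicant 2.0 and
#    later, domain_suffix_match="<server>" is preferred over subject_match.
write_network_block() {
    out="$1"; ca="$2"; server="$3"; ident="$4"; pass="$5"
    realm="${ident#*@}"
    cat > "$out" <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="$ca"
    subject_match="/CN=$server"
    anonymous_identity="anonymous@$realm"
    identity="$ident"
    password="$pass"
}
EOF
}

# 2. Result parsing, kept apart from the tool invocations so it can be checked
#    offline. eapol_test ends its output with SUCCESS or FAILURE; radtest
#    prints the type of the RADIUS reply it received.
classify_eap_output() {        # stdin: eapol_test output -> prints ok | fail
    if grep -q '^SUCCESS'; then echo ok; else echo fail; fi
}
classify_radtest_output() {    # stdin: radtest output -> prints ok | fail
    if grep -q 'Access-Accept'; then echo ok; else echo fail; fi
}

# 3. Tool invocations. eapol_test acts as the NAS towards the RADIUS server.
#    radtest sends a plain PAP request, so it tells nothing about EAP or the
#    certificates, but needs no EAP setup on the probe host.
probe_eap() {      # $1 conf file, $2 RADIUS server address, $3 shared secret
    eapol_test -c "$1" -a "$2" -s "$3" -M 22:44:66:00:00:00 2>&1 | classify_eap_output
}
probe_radius() {   # $1 server, $2 shared secret, $3 user, $4 password
    radtest "$3" "$4" "$1" 0 "$2" 2>&1 | classify_radtest_output
}

# 4. Schedule from the federation-level slide.
next_interval() {  # $1 = ok | fail -> prints seconds until the next probe
    if [ "$1" = ok ]; then echo 600; else echo 180; fi
}

# Constructed sample outputs (not captured from a real server), used to check
# the parsers without the tools installed.
SAMPLE_EAP_OK='EAP: Status notification: completion (param=success)
SUCCESS'
SAMPLE_EAP_FAIL='EAP: Status notification: completion (param=failure)
FAILURE'
SAMPLE_RAD_OK='rad_recv: Access-Accept packet from host 10.0.0.1 port 1812, id=42, length=20'
SAMPLE_RAD_FAIL='rad_recv: Access-Reject packet from host 10.0.0.1 port 1812, id=43, length=20'

self_check() {     # returns 0 when the parsers classify all samples correctly
    [ "$(printf '%s\n' "$SAMPLE_EAP_OK"   | classify_eap_output)"     = ok   ] &&
    [ "$(printf '%s\n' "$SAMPLE_EAP_FAIL" | classify_eap_output)"     = fail ] &&
    [ "$(printf '%s\n' "$SAMPLE_RAD_OK"   | classify_radtest_output)" = ok   ] &&
    [ "$(printf '%s\n' "$SAMPLE_RAD_FAIL" | classify_radtest_output)" = fail ]
}

# Probe loop; start with "sh probe.sh run". All values here are placeholders.
if [ "${1-}" = run ]; then
    CONF=/etc/eduroam-probe.conf
    write_network_block "$CONF" /etc/ssl/certs/organisation-ca.pem \
        radius.organisation.rs probe@organisation.rs 'probe-password'
    chmod 600 "$CONF"   # the file holds the monitoring account's password
    while :; do
        r=$(probe_eap "$CONF" radius.organisation.rs 'shared-secret')
        logger -t eduroam-probe "eapol_test result: $r"
        sleep "$(next_interval "$r")"
    done
fi
```

Because the probe sends the real inner credentials, the configuration file is created with mode 600 and the account used should be one created only for monitoring, as the campus slide recommends.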
Monitoring the air interface
• Commercial products can be divided into three groups:
  – Products based on data from the access points to the controllers
  – Products based on site survey
  – Solutions covering both the fixed LAN network and the air interface
Access point and controller data
• Cisco's WCS
  – Control and monitor several controllers
  – Air interface data
    • Signal strength and noise levels
    • Channel allocation
    • Transmit power
• AirWave's Wireless Management Suite
  – Multivendor environments
Site survey for monitoring purposes
• Lots of alternatives
  – Motorola's AirDefense Mobile and SiteScanner
  – AirMagnet's WiFi and VoFi Analyzers
  – WildPackets' OmniPeek
  – Wireshark
  – Wi-Spy
Both LAN and air interface
• Active measures
  – Attach
  – Authentication
  – DHCP server
  – HTTP and FTP upload and download
  – VoIP test with MOS
• Passive measures
  – Signal strength and SNR
• Example product: 7signal's Sapphire
Monitoring at campuses in Finland
• Access points are monitored
• Means for AP monitoring
  – All known APs connected to the controller
  – APs correctly configured
  – SSH script (Perl)
  – AirWave
  – Radios on
  – Users per AP
References and contact info
• Main reference: WLAN infrastructure BPD
  – http://www.terena.org/campus-bp/bpd.html
• Other references: Monitoring and ensuring WLAN performance
  – http://www.terena.org/campus-bp/reports.html