
Secure Mobility in Cisco Unified WLAN Networks

BRKEWN-2018
Jake Woodhams, Senior Manager/Architect, Technical Marketing
July 2011

BRKEWN-2018

2011 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Abstract
The proliferation of Wi-Fi enabled devices creates important challenges for IT, perhaps the chief challenge being security and scalable, efficient, secure roaming. This session covers the state-of-the-art technologies for proper authentication and encryption and for fast, secure roaming. Topics include 802.11i/WPA/WPA2, TKIP/AES, and fast roaming with CCKM, PKC, and the emerging 802.11r standard. Different EAP types (PEAP, PEAP-GTC, EAP-TLS, EAP-TTLS, EAP-FAST) are covered. The session includes best practices for implementing the latest WLAN security techniques, and design and deployment recommendations for device roaming. Prerequisite: a minimum of CCNA-level knowledge of campus routing and switching is highly recommended. Knowledge of 802.11 WLAN fundamentals and the basics of Cisco Unified WLAN technology is also assumed.


Session Agenda
- Anatomy of a Device Connection
- Anatomy of a Device Roam
- Design and Deployment Considerations


Anatomy of a Device Connection


Section Agenda
- 802.11 Architecture and Services Basics
- 802.11i Amendment
- EAP Types and Key Management
- Device Mobility Problem Statement


802.11 Architecture Basics

- BSS: Basic Service Set
- SSID: Service Set Identifier (ASCII string)
- BSSID: Basic Service Set Identifier (MAC address)
- STA: Station (AKA client)

[Figure: two BSSs, each advertising an SSID (ASCII string) and identified by a BSSID (MAC address), each serving STAs]

802.11 Architecture Basics

- ESS: Extended Service Set
- DS: Distribution System

[Figure: two BSSs joined by a DS form an ESS]


802.11 Services

Distribution Services (implementation: 802.11)
- Association: used to create a logical connection between a mobile STA and an AP
- Reassociation: similar to the association service, except information about the mobile STA's previous AP may be included; used as a STA moves across an ESS
- Disassociation: used by the AP to force a mobile STA off the BSS, or by the mobile STA to inform the AP it no longer needs service

STA Services: (covered below)

802.11 Distribution Services

Association Service
- STA to AP, 802.11 Association Request: "Can I associate to this BSSID?"
- AP to STA, 802.11 Association Response: "Yes, you can associate to this BSSID" or "No, you cannot associate to this BSSID"

802.11 Distribution Services

Disassociation Service (a notification, not a request; either side may send it)
- AP to STA, 802.11 Disassociation: "You cannot be associated to this BSSID anymore"
- STA to AP, 802.11 Disassociation: "I do not want to be associated to this BSSID anymore"

802.11 Distribution Services

Reassociation Service (Roaming Context)
- STA to old AP, 802.11 Disassociation: "I do not want to be associated to this BSSID anymore"
- STA to new AP, 802.11 Reassociation Request: "Can I reassociate to this BSSID?" (carries the old AP's BSSID)
- New AP to STA, 802.11 Reassociation Response: "Yes, you can associate to this BSSID" or "No, you cannot associate to this BSSID"

802.11 Services

So, What Do These Three Services Accomplish?

What's Missing?

802.11 Services

STA Services (implementation: WPA/WPA2 (802.11i), CAPWAP)
- Authentication: used to prove the identity of the STA and the AP
- Deauthentication: used to eliminate a previously authenticated user from further use of the network
- Privacy: used to protect frames in transit over the wireless medium

How STAs Connect to a WLAN Securely

STA Services
The 802.11 spec defines authentication, deauthentication, and privacy services, but the mechanisms it specifies for them are extremely weak (useless for 2010 requirements):
- Authentication/Deauthentication: Shared-Key Auth
- Privacy: Wired Equivalent Privacy (WEP)

The 802.11i amendment adds strong(er) mechanisms for implementing the STA security-related services:
- Authentication/Deauthentication: PSK, 802.1X/EAP
- Privacy: TKIP and CCMP

WPA/WPA2

WPA
- A snapshot of the 802.11i draft standard
- Commonly used with TKIP encryption

WPA2
- The final version of 802.11i
- Commonly used with AES (CCMP) encryption

Authentication Mechanisms
- Personal (PSK): home use
- Enterprise (802.1X/EAP): office use

Authentication Best Practices: WPA2-Enterprise

Strong authentication with the Extensible Authentication Protocol (EAP)
- Outer methods (protective TLS tunnel): PEAP, EAP-FAST, EAP-TLS (EAP-TLS authenticates the client with a certificate inside the TLS handshake and needs no inner method)
- Inner methods (authentication credentials carried inside the tunnel): EAP-MSCHAPv2, EAP-GTC

802.1X/EAP Choreography

802.1X/EAP Three-Party Model: supplicant (STA), authenticator (AP/WLC), authentication server (e.g., RADIUS)

1. 802.1X port blocking instantiated: only authentication-transaction-related traffic is allowed through the AP
2. Keys plumbed, 802.1X port blocking removed: data is allowed through the AP
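The port-blocking sequence above, carried through as an added example that is not part of the original deck: a Python model of the three-party choreography from the authenticator's side. Data frames from a station are dropped until the authentication server accepts the EAP exchange and keys are plumbed; a deauthentication puts the port back into the blocked state. The credential table, the message names, and the single EAPOL-Key message that stands in for the four-way handshake are assumptions made for the example, not a real RADIUS server or supplicant.

```python
"""Added example (not from the Cisco deck): a minimal model of the 802.1X
three-party choreography as the AP/WLC authenticator sees it. Until the
station has authenticated and keys have been plumbed, only EAPOL frames
(EtherType 0x888E) are accepted; everything else is dropped. Credentials,
message names and the "keys plumbed" trigger are constructed assumptions."""

from enum import Enum

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800


class PortState(Enum):
    BLOCKED = "blocked"                # 802.1X port blocking: EAPOL only
    AUTHENTICATED = "authenticated"    # server said Accept, keys not yet plumbed
    AUTHORIZED = "authorized"          # handshake done, data allowed through


class AuthenticationServer:
    """Stands in for the RADIUS server (the third party). Constructed credentials."""

    def __init__(self, credentials):
        self.credentials = credentials

    def access_request(self, identity, proof):
        # A real server would run the EAP method (PEAP, EAP-FAST, EAP-TLS ...) here.
        ok = self.credentials.get(identity) == proof
        return "Access-Accept" if ok else "Access-Reject"


class Authenticator:
    """AP/WLC side: one controlled port per station MAC address."""

    def __init__(self, server):
        self.server = server
        self.ports = {}      # sta -> PortState
        self.pending = {}    # sta -> identity learned from EAP-Response/Identity

    def receive(self, sta, ethertype, payload):
        state = self.ports.setdefault(sta, PortState.BLOCKED)
        if ethertype == EAPOL_ETHERTYPE:
            return self._eapol(sta, payload)
        if state is not PortState.AUTHORIZED:
            return "dropped"             # only authentication traffic may pass
        return "forwarded"

    def _eapol(self, sta, payload):
        kind, value = payload
        if kind == "EAP-Response/Identity":
            self.pending[sta] = value
            return "EAP-Request (method)"
        if kind == "EAP-Response (method)":
            identity = self.pending.get(sta)
            if identity is None:
                return "EAP-Failure"
            if self.server.access_request(identity, value) == "Access-Accept":
                self.ports[sta] = PortState.AUTHENTICATED
                return "EAP-Success"
            self.ports[sta] = PortState.BLOCKED
            return "EAP-Failure"
        if kind == "EAPOL-Key":
            # Abstracts the four-way handshake: only meaningful after EAP-Success.
            if self.ports[sta] is PortState.AUTHENTICATED and value == "msg4":
                self.ports[sta] = PortState.AUTHORIZED   # keys plumbed, port opened
                return "port-open"
            return "ignored"
        return "ignored"

    def deauthenticate(self, sta):
        """Deauthentication service: the station goes back to port blocking."""
        self.ports[sta] = PortState.BLOCKED
        self.pending.pop(sta, None)


def run_connection(authenticator, sta, identity, proof):
    """Replays the whole choreography for one station and returns each step's result."""
    steps = [
        ("data-before-auth", authenticator.receive(sta, IPV4_ETHERTYPE, b"ip")),
        ("identity", authenticator.receive(sta, EAPOL_ETHERTYPE, ("EAP-Response/Identity", identity))),
        ("method", authenticator.receive(sta, EAPOL_ETHERTYPE, ("EAP-Response (method)", proof))),
        ("data-before-keys", authenticator.receive(sta, IPV4_ETHERTYPE, b"ip")),
        ("handshake", authenticator.receive(sta, EAPOL_ETHERTYPE, ("EAPOL-Key", "msg4"))),
        ("data-after-keys", authenticator.receive(sta, IPV4_ETHERTYPE, b"ip")),
    ]
    return dict(steps)


if __name__ == "__main__":
    server = AuthenticationServer({"alice@example.com": "constructed-proof"})
    print(run_connection(Authenticator(server), "00:13:ce:00:00:01", "alice@example.com", "constructed-proof"))
```

The point the model makes explicit is that "EAP-Success" alone does not open the port: data is still dropped until the EAPOL-Key exchange finishes, which is exactly why skipping the EAP part of the exchange (CCKM, OKC/PKC, 802.11r, later in the deck) but keeping the rekey is the roaming optimization that matters.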

802.1X/EAP Choreography

[Figure: the connection sequence mapped onto the 802.11 services]
- Distribution Services: Association/Reassociation/Disassociation
- STA Services: Authentication/Deauthentication
- STA Services: Privacy

EAP Types: EAP-FAST

EAP Types: PEAP

EAP Types: EAP-TLS

802.1X/EAP Choreography

Key Management: Four-Way Handshake
(EAPOL-Key exchange between STA and authenticator that proves both hold the same PMK and derives fresh session keys)

Key Management: Pairwise Transient Key (PTK)
(per-STA unicast key derived from the PMK, the two MAC addresses, and the two nonces exchanged in the handshake)

Key Management: Group Transient Key (GTK)
(broadcast/multicast key shared by all STAs in the BSS)

Key Management: GTK Distribution
(the GTK is delivered to the STA inside the handshake, protected by the PTK)


802.11 Services

Distribution Services
- Association (802.11): used to create a logical connection between a mobile STA and an AP
- Reassociation (802.11): similar to the association service, except information about the mobile STA's previous AP may be included; used as a STA moves across an ESS
- Disassociation (802.11): used by the AP to force a mobile STA off the BSS, or by the mobile STA to inform the AP it no longer needs service
- Distribution (802.11, CAPWAP): service to determine how to deliver frames
- Integration (802.11, CAPWAP): service to determine how the WLAN connects to other LANs

STA Services
- Authentication (WPA/WPA2 (802.11i), CAPWAP): used to prove the identity of the STA and the AP
- Deauthentication (WPA/WPA2 (802.11i), CAPWAP): used to eliminate a previously authenticated user from further use of the network
- Privacy (WPA/WPA2 (802.11i), CAPWAP): used to protect frames in transit over the wireless medium
- Data Delivery (802.11, CAPWAP): used to provide reliable delivery of frames

So, What Do These Nine Services Accomplish?

What's Missing?

802.11 Architecture Basics

- ESS: Extended Service Set
- DS: Distribution System

[Figure: two BSSs joined by a DS form an ESS; the DS itself is marked "????", since how it is implemented is the open question addressed next]

802.1X/EAP Choreography

Device Mobility Problem Statement

- The specification for how STAs associate, authenticate, and protect data privacy is defined in the context of a single AP (mostly)
- The specifications for how STAs transition securely within an ESS are hazy
- The specifics of the DS/Integration services are not well defined for the enterprise

Device Mobility Problem Statement

- Wireless devices move by definition
- Applications require session persistence, while maintaining security and other services

Requirement: Facilitate Fast Secure Roaming for Enterprise-Class Devices in an Efficient and Scalable Way

Anatomy of a Device Roam

Section Agenda
- CUWN Architecture Review
- Basic Roaming Walkthrough
- Fast Secure Roaming Technologies

CUWN Architecture Review

Real-Time 802.11/MAC Functionality (stays on the AP):
- Beacon generation
- Probe response
- Power management/packet buffering
- 802.11e/WMM scheduling, queueing
- MAC-layer data encryption/decryption
- 802.11 control messages
- Data encapsulation/de-encapsulation
- Translational bridging (H-REAP local switching)
- Fragmentation/de-fragmentation

Non-Real-Time 802.11/MAC Functionality (centralized on the WLC):
- Assoc/Disassoc/Reassoc
- 802.11e/WMM resource reservation
- 802.1X/EAP
- Key management
- 802.11 Distribution Services
- 802.11 STA Services (Auth/Deauth/Privacy*)
- Wired/Wireless Integration Services

802.1X/EAP Choreography Revisited

Anatomy of a STA Roam

Initial Device Connection to Network

Client Roam

Summary of Important Points
- The STA chooses when to roam
- Each time the STA connects to a new BSSID, it must fully reauthenticate and rekey
- IP addresses get refreshed on roams (usually)
- How long does a roam take?

How Long Does a STA Roam Take?

Time it takes for:
  Client to disassociate
+ Probe for and select a new AP
+ 802.11 association
+ 802.1X/EAP authentication
+ Rekeying
+ IP address (re)acquisition

All this can be on the order of seconds. Can we make this faster?

How Are We Going to Make Roaming Faster? Focus on Where We Can Have the Biggest Impact
- Eliminating the (re)IP address acquisition challenge
- Eliminating full 802.1X/EAP reauthentication

Roaming: Intra-Controller
- An intra-controller roam happens when a STA moves its association between APs joined to the same controller
- The client must be reauthenticated and a new security session established
- The controller updates the client database entry with the new AP and the appropriate security context
- No IP address refresh needed

Roaming: Inter-Controller, Layer 2
- L2 inter-controller roam: the STA moves its association between APs joined to different controllers, but client traffic is bridged onto the same subnet
- The client must be reauthenticated and a new security session established
- The client database entry is moved to the new controller
- WLCs must be in the same mobility group or domain
- No IP address refresh needed
- Account for the mobility message exchange in the network design

Roaming: Inter-Controller, Layer 3
- L3 inter-controller roam: the STA moves its association between APs joined to different controllers, and client traffic would be bridged onto different subnets
- The client must be reauthenticated and a new security session established
- The client database entry is copied to the new controller; an entry exists in both WLC client DBs
- The original controller is tagged as the anchor, the new controller as the foreign
- WLCs must be in the same mobility group or domain
- No IP address refresh needed: client traffic is tunneled between the foreign and anchor controllers
- A symmetric traffic path is established (the asymmetric option has been eliminated as of the 6.0 release)
- Account for the mobility message exchange in the network design
- Account for the tunneled traffic path (EtherIP) between foreign and anchor controllers


Cisco Centralized Key Management (CCKM)
- Cisco introduced CCKM in CCXv2 (pre-802.11i), so it is widely available, especially in application-specific devices (ASDs)
- CCKM was originally a core feature of the Structured Wireless-Aware Network (SWAN) architecture
- CCKM was ported to the CUWN architecture in the 3.2 release
- In highly controlled test environments, CCKM roam times consistently measure in the 5-8 msec range
- CCKM is most widely implemented in ASDs, especially VoWLAN devices
- To work across WLCs, the WLCs must be in the same mobility group
- CCX-based laptops may not fully support CCKM; it depends on supplicant capabilities

PMKID Caching
- Optional component of the 802.11i specification
- Defines a PMK Security Association (PMKSA) that gets stored by the authenticator
- PMKSA includes:
  - PMKID
  - Lifetime
  - PMK (32 bytes)
  - BSSID (6 bytes)
  - Client's MAC (6 bytes)
  - AKM (Authentication and Key Management)
- PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC), where "PMK Name" is the literal ASCII label from 802.11i and HMAC-SHA1-128 is the first 128 bits of the HMAC-SHA1 output
- Because the PMKID is bound to a BSSID, plain PMKID caching only avoids a full EAP exchange when the STA returns to an AP it has already authenticated to

Opportunistic/Proactive Key Caching

Basic Mechanics
[Figure: the STA sends an 802.11 Disassociation ("I do not want to be associated to this BSSID anymore") to the old AP, then an 802.11 (Re)association Request to the new AP, which the AP relays to the WLC over CAPWAP]
1. The WLC extracts the PMKID from the 802.11 (Re)association Request (the PMKID list in the RSN IE)
2. The WLC computes the new PMKID from the cached PMKSA and the other information it knows (the new BSSID, the client MAC)
3. The WLC compares the values: if they match, full 802.1X/EAP authentication is skipped and the WLC and client go directly to the four-way handshake; the WLC then updates the PMKSA in the client DB
4. If they don't match, the WLC sends the STA an EAP-Identity Request to initiate full 802.1X/EAP authentication
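The PMKID formula from the PMKID Caching slide and the OKC comparison in the four steps above, carried through as an added example (not code from the deck or from Cisco): the WLC recomputes the PMKID for the new BSSID from the cached PMK, compares it with what the client offered, and on a hit goes straight to the four-way handshake, for which the standard 802.11i PTK derivation is included. The PMK, MAC addresses and nonces are constructed sample values, and the cache layout, function names and the `PMKSA` field set are assumptions made for the example.

```python
"""Added example, not code from the Cisco deck: the 802.11i PMKID derivation,
the OKC/PKC decision the WLC makes on a (re)association request, and the
four-way-handshake PTK derivation that follows a cache hit. All keys, MAC
addresses and nonces are constructed sample values; the cache layout and
function names are assumptions."""

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PMKSA:
    """Fields of the PMK Security Association the authenticator stores.
    Under OKC the PMK is reused for any BSSID on the controller; the BSSID
    field records where the PMKSA was last used."""
    pmk: bytes        # 32 bytes, taken from the EAP method's MSK
    bssid: bytes      # 6 bytes
    sta_mac: bytes    # 6 bytes
    lifetime_s: int
    akm: str          # e.g. "802.1X" or "PSK"


def pmkid(pmk, bssid, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC).
    "PMK Name" is the literal ASCII label from 802.11i; -128 means the
    first 16 bytes of the HMAC-SHA1 output."""
    return hmac.new(pmk, b"PMK Name" + bssid + sta_mac, hashlib.sha1).digest()[:16]


def prf(key, label, data, nbytes):
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Four-way handshake PTK for CCMP (48 bytes): KCK | KEK | TK, 16 bytes each.
    Addresses and nonces are ordered min||max so both sides derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def handle_reassociation(cache, sta_mac, new_bssid, offered_pmkids):
    """OKC decision on the WLC for a (re)association request.

    cache maps STA MAC -> PMKSA. The WLC recomputes the PMKID for the *new*
    BSSID from the cached PMK (slide step 2) and compares it with the PMKID
    list from the client's RSN IE (step 3). A match skips 802.1X/EAP and goes
    straight to the four-way handshake; otherwise a full EAP exchange starts
    with an EAP-Identity Request (step 4)."""
    sa = cache.get(sta_mac)
    if sa is None or sa.lifetime_s <= 0:
        return ("eap-identity-request", None)
    expected = pmkid(sa.pmk, new_bssid, sta_mac)
    for offered in offered_pmkids:
        if hmac.compare_digest(offered, expected):
            sa.bssid = new_bssid               # update the PMKSA in the client DB
            return ("four-way-handshake", sa.pmk)
    return ("eap-identity-request", None)


def demo():
    """Constructed scenario: a client authenticated on AP1 roams to AP2."""
    pmk = hashlib.sha256(b"constructed sample PMK, not a real key").digest()
    sta = bytes.fromhex("0013ce000001")    # constructed STA MAC
    ap1 = bytes.fromhex("001a2b000001")    # constructed BSSID of the first AP
    ap2 = bytes.fromhex("001a2b000002")    # constructed BSSID of the roam target
    cache = {sta: PMKSA(pmk, ap1, sta, 3600, "802.1X")}

    # An OKC-capable supplicant offers the PMKID it computed for AP2.
    okc_decision, _ = handle_reassociation(cache, sta, ap2, [pmkid(pmk, ap2, sta)])
    # A supplicant that only does plain PMKID caching offers the AP1 PMKID,
    # which cannot match on AP2, so it is sent through a full EAP exchange.
    plain_decision, _ = handle_reassociation(cache, sta, ap2, [pmkid(pmk, ap1, sta)])

    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    ptk = derive_ptk(pmk, ap2, sta, anonce, snonce)
    return {"okc": okc_decision, "plain_caching": plain_decision, "tk_len": len(ptk["tk"])}


if __name__ == "__main__":
    print(demo())
```

The second scenario in `demo()` is the practical check behind the "requires client/supplicant support" note on the next slides: a client that offers only the PMKID of the AP it came from will never match on the new BSSID, so it reauthenticates fully even though the controller has the PMK cached.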

Proactive Key Caching

Basic Mechanics

OKC/PKC: Key Data Points
- Requires client/supplicant support
- Supported in Windows since XP SP2
- Many ASDs support OKC and/or PKC
- Check on client support for TKIP vs. CCMP: mostly CCMP only
- Enabled by default on WLCs with WPA2
- Requires the WLCs to be in the same mobility group
- Important design note: pre-positioning of roaming clients consumes slots in the client DB
- In highly controlled test environments, OKC/PKC roam times consistently measure in the 10-20 msec range

Standardization: 802.11r
- 802.11r is a ratified IEEE standard, based in large part on CCKM
- 802.11r: Fast BSS (Basic Service Set) Transition
- Also includes dynamic QoS capabilities
- No commercially available clients at this point (mid-2011)
- The Wi-Fi Alliance is planning/implementing 802.11r plugfests
- Cisco WLCs have implemented 802.11r (unsupported) since the 5.2 release
- In highly controlled over-the-air (OTA) test environments, 802.11r roam times are comparable to CCKM OTA times


Design and Deployment Considerations

Section Agenda
- Roaming Domains
- Design Considerations for Roaming
- Client Roaming Behavior
- Special Case: H-REAP Groups

Roaming Domains: Mobility Group
- A Mobility Group is a cluster of up to 24 controllers (regardless of type) that create a seamless roaming domain
- Fast secure roaming technologies work across controllers within a roaming domain
- Mobility messages are exchanged either unicast or multicast, depending on configuration
- Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509

Roaming Domains: Mobility Domain
- A Mobility Domain is a seamless roaming domain of up to 3 Mobility Groups (max of 72 WLCs)
- Seamless roaming == IP addressing is maintained
- Fast secure roaming does not work across Mobility Groups: clients crossing these boundaries have to go through a full reauth, but retain their IP address
- Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wpmkr1100509

How Long Does a Client Really Take to Roam?

Time to roam =
  Client to disassociate
+ Probe for and select a new AP
+ 802.11 association
+ Mobility message exchange between WLCs
+ Reauthentication
+ Rekeying
+ IP address (re)acquisition

Network latency will have an impact on these times, which is a consideration for controller placement. With a fast secure roaming technology, roam times under 150 msec are consistently achievable, though mileage may vary.

How Often Do Clients Roam?
- It depends on the types of clients and applications
- Most client devices are designed to be nomadic rather than mobile, though the proliferation of small-form-factor smart devices will probably change this
- Nomadic clients are usually programmed to try to avoid roaming, so set your expectations accordingly
- SWAG design rule of thumb: 10-20 roams per second for every 5000 clients

Designing a Mobility Group/Domain

Design Considerations
- Less roaming is better: clients and apps are happier
- While clients are authenticating/roaming, the WLC CPU is doing the processing; not as much of a big deal for the 5508, which has a dedicated management/control processor
- L3 roaming and fast roaming clients consume client DB slots on multiple controllers; consider worst-case scenarios when sizing the roaming domain
- Leverage natural roaming domain boundaries
- Mobility message transport selection: multicast vs. unicast
- Make sure the right ports and protocols are allowed between the controllers

Special Case: FlexConnect Groups
- Support for up to 20 FlexConnect Groups of up to 25 FlexConnect APs each
- APs in a FlexConnect Group share common configuration parameters like RADIUS servers
- Fast secure roaming via CCKM for locally switched clients is supported for all clients in a FlexConnect Group (L2 roaming only)
- CCKM keying material is provisioned locally, which allows CCKM to keep working in standalone mode (for existing clients when the AP transitions out of connected mode)
- Note: FlexConnect is the new branding for Hybrid REAP (H-REAP)
- Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70hreap.html#wp1133688

Questions?

Complete Your Online Session Evaluation
Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

Visit the Cisco Store for Related Titles: http://theciscostores.com

Thank you.