Wireless 802.1X Fun Times

Started by deanwebb, July 09, 2015, 11:39:51 PM


deanwebb

 :awesome:

Most of our laptops get on our wireless with a computer certificate. They're fine.

But some laptops and all our iDevices use a user certificate. That used to be fine, until we started to roll out a certificate that looked kinda like a user cert to the laptops and iDevices, so they got confused and hung when prompted for a certificate in the 802.1X flow of things... or every now and then, they mess up on a re-auth and randomly offer up the wrong cert and get bounced or put into a hung Access-Challenge state.

I get to talk with the PKI team in a little while... I hope they do this:  :matrix:

So that I don't have to do this:  :developers:

We shall see... :drama:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
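A check for the certificate-selection ambiguity deanwebb describes above (a second cert that "looks kinda like a user cert" and gets offered in the EAP-TLS exchange), added here as an example and not the poster's own script. It assumes a Windows client with PowerShell 5.1 or later and the Cert: drive; the Client Authentication EKU OID is the standard one.

```powershell
# Added example: enumerate the certificates a Windows EAP-TLS supplicant
# could offer from the current user's store and flag an ambiguous choice.
# Assumes PowerShell 5.1+ on Windows. Run as the user who roams onto Wi-Fi.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$Now = Get-Date

function Test-EapTlsCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Must have a usable private key and be within its validity window.
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotBefore -gt $Now -or $Cert.NotAfter -lt $Now) { return $false }
    # No EKU extension at all means "any purpose", which the supplicant will also offer.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) { return $true }
    return [bool]($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}

$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { Test-EapTlsCandidate -Cert $_ } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } })

$candidates | Format-Table -AutoSize

switch ($candidates.Count) {
    0 { Write-Warning 'No usable client-auth certificate: the supplicant has nothing to offer.' }
    1 { Write-Host 'Exactly one candidate; certificate selection is unambiguous.' }
    default {
        Write-Warning "$($candidates.Count) candidates: the supplicant may offer one the RADIUS server rejects."
        Write-Host 'Narrow the EKU or template on the non-EAP cert, or restrict the WLAN profile to the EAP issuer.'
    }
}
```

Running it on a machine that shows the hang will tell you whether the new cert is in the candidate set at all before the PKI team is involved.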

deanwebb

And for the company of a certain size fun: I'm in the states, they're in Europe, so after my presentation to Asia, I'll catch them as they walk in, using my Lync status lights by their names to cyberstalk them.

deanwebb

Found out that iOS 8.4 doesn't support DH groups of less than 2048 bits... now to see if that's our issue, or if it's maybe related to the new version of MDM that rolled out around the same time as our upgrade to 8.4... which also coincides with the new cert that causes contention on Windows devices - and which may or may not be causing a similar contention on iOS devices... the issue is not as simple as I thought it was in the OP.

Anyone else seeing issues where iDevices are intermittently dropping connections or hanging and not able to access the wireless for a period of time?

hizzo3

Quote from: deanwebb on July 09, 2015, 11:41:02 PM
I'll catch them as they walk in, using my Lync status lights by their names to cyberstalk them.

Ha ha... Glad to see I'm not the only one that stalks people on Lync... I really do hate it though when they go busy right after I message them. It's OK though... I just wait for it to go green again. I have 3 monitors and it's no waste on my desktop.

deanwebb

Lync codes and their meanings:
GREY: Either the guy is totally out, lurking, or deliberately not logged on to Lync. Send email then call him on his mobile to see if he got your email.
YELLOW: He's wandered away, be it to lunch, to go to the printer, to talk with the guy in the next cube, or somewhere his computer is not. Text his mobile then call his mobile to see if he got your text.
GREEN: Fresh meat! That, or he's away from his computer and he forgot to lock it. Best to send an email asking if you can hit him up on Lync and then call his desk phone to see if he got your email. If he does not answer his desk phone, call him on his mobile.
RED: The best Lync color. It means he's in a meeting and needs a distraction. Contact him on Lync directly. :)

hizzo3


wintermute000

So what happened? Did you find a single-certificate solution? Or do iDevices play nice now with iOS 9? Or???


Am I reading this right: so you used to use 802.1X via AD (presumably) for user auth and machine certs for device auth - but this is no good for iDevices?


Most places I've seen get around this by not enforcing certs on the iDevice BYOD/guest network and restricting iDevices to the BYOD/guest WLAN. But yes, it's no good for company-owned iDevices that are MDMed, hence theoretically deemed secure.

deanwebb

AD certificates on both the Windows and iDevices (via MDM on the mobiles).

No resolution beyond, "We are now aware of this situation." I still see it happening, but for now, most people expect the wireless to be shite so they go to the Guest Wireless.

wintermute000

Tried EAP-FAST for the BYOD SSID? Meant to work for fruity devices.

deanwebb

EAP-FAST makes me gag. :barf: It's EAP-TLS or use the LTE network.

wintermute000

What's so bad about it? It's not that compromised, is it?

deanwebb

EAP-FAST is fine if it's using EAP-TLS as an underlying method. But if you're doing that, might as well just use EAP-TLS.

wintermute000

I hate to think what your opinion of (non-EAP-TLS inside) PEAP is.

Apparently, if the clients are configured to validate server certs and are unable to accept a new CA (which obvs you enforce via GP), it's pretty secure (as obviously it's a 'genuine HTTPS tunnel').

deanwebb

Quote from: wintermute000 on October 02, 2015, 05:02:17 PM
I hate to think what your opinion of (non-EAP-TLS inside) PEAP is.

Oh? You mean plaintext?

:haha4:

Mr. Clarkson and I agree, it's a joke. For enterprise security, you really want to have a good PKI server stood up, and the best news is that you can do it with a Windows Server on the cheap. As in free. For all the lads at home wanting to lab up some security, don't just go with self-signed certs and click through the error messages: stand up a Windows server and generate some for yourself, properly. Practice installing them so that you don't fear the whole arcane process.

And, yes, as Wintermute says, we don't allow acceptance of new CAs. Which can be an issue if we change RADIUS servers. That can either be taken care of via a fresh WLAN profile or via a registry entry push to Windows clients to accept the new RADIUS server. It can also be handled if the wireless is set up properly to push its config to the clients.

wintermute000

Forgive me if it's going over my head, but what do you mean plaintext? Isn't PEAP using a TLS tunnel (granted, only authenticating the server cert) and thus the credentials are passing over a tunnel? (Like a normal HTTPS website.)


Guess who has to take stupid wireless exams in a few months and learn how to set up 802.1X properly. LOL


Going on an Aruba ClearPass course on Friday, should be educational.