Jan 15, 2014

user authentication vs. machine authentication

The main difference is which Active Directory object the authentication request is checked against: machine authentication uses the computer object, user authentication uses the user object.


Now think about what happens when the machine boots. With user authentication, the machine does not connect to the wireless network until someone has typed a username and password to log in. Computer-based Group Policy, however, is normally downloaded at boot, before anyone logs in. So if only user authentication is configured, the machine has no wireless connection at boot and cannot download its computer policies.

The only real difference between the two is which account the supplicant uses to authenticate. In a Windows AD environment there is a computer account and a user account. As the Windows machine boots, the Windows supplicant authenticates to the wireless network with the computer account. Once connected, the computer account is used to log into AD and download any machine policies assigned to that computer or to the groups it belongs to.

Then the user login screen appears on the Windows device. Up to this point only the machine account has been used: to attach to the wireless network and to reach AD for machine-specific policies. Once the user logs in, a supplicant configured for user (or machine-or-user) authentication re-authenticates with the user's credentials, and the user's own policies are applied.

How to get the information of trunk VLAN from Wireshark

The VLAN 10 SVI on the Cat 3750 is pinging the VLAN 20 SVI on the Cat 3560, and the VLAN 10 SVI on the Cat 3560 is pinging the VLAN 20 SVI on the Cat 3750.

On the Cat 3750:

monitor session 10 source int fa1/0/46
monitor session 10 destination int fa1/0/33 encapsulation replicate

As others have mentioned, on the 3750 you need "encapsulation replicate". Also, the monitor port fa1/0/33 had to be a dot1q trunk, just like the actual trunk port fa1/0/46.


https://learningnetwork.cisco.com/docs/DOC-15413
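To pull the VLAN information out of the capture once the SPAN copy actually carries the tags, here is a small parser for the 802.1Q header, as an added example (not code from the thread or from the linked Cisco document). The MAC addresses and frame bytes are constructed; on a real capture you would feed it the raw frame bytes exported from Wireshark or read with a pcap library. It goes a little beyond the single-tag trunk in the thread: it also peels a QinQ (802.1ad) outer tag, and it shows what a tag-stripped frame looks like when "encapsulation replicate" is missing.

```python
"""Read 802.1Q VLAN tags out of raw Ethernet frames captured on a SPAN port.

Added example, not from the thread above or the linked Cisco document. The
frames are constructed inline; on a real capture you would hand this the
packet bytes Wireshark or tcpdump saved from the SPAN destination port.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100    # customer tag (C-TAG), the normal dot1q trunk tag
TPID_8021AD = 0x88A8   # service tag (S-TAG), the outer tag of a QinQ frame


def parse_frame(frame):
    """Return dst, src, the tag stack (outer first) and the inner EtherType.

    An untagged frame yields an empty tag list: that is what a Catalyst 3750
    SPAN copy looks like without "encapsulation replicate", because the switch
    strips the dot1q header before sending the copy to the destination port.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset)   # tag control information
        offset += 2
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,        # priority code point, 3 bits
            "dei": (tci >> 12) & 1,  # drop eligible indicator, 1 bit
            "vid": tci & 0x0FFF,     # VLAN identifier, 12 bits
        })
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def vlan_summary(frames):
    """Count frames per outermost VLAN ID; the key None collects untagged frames."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        counts[parsed["tags"][0]["vid"] if parsed["tags"] else None] += 1
    return dict(counts)


def build_frame(dst, src, vids, ethertype, payload, pcp=0):
    """Construct a test frame; vids lists VLAN IDs outer to inner (QinQ if more than one)."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if len(vids) > 1 and i == 0 else TPID_8021Q
        header += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample "capture" of the trunk: the two SVI pings in VLAN 10 and
# VLAN 20, one frame as it would appear with the tag stripped, and one QinQ frame.
ICMP_STUB = b"\x45" + b"\x00" * 27          # placeholder IPv4 header bytes
SAMPLE_FRAMES = [
    build_frame("00:1b:54:aa:00:01", "00:1b:54:bb:00:01", [10], 0x0800, ICMP_STUB),
    build_frame("00:1b:54:bb:00:01", "00:1b:54:aa:00:01", [10], 0x0800, ICMP_STUB, pcp=5),
    build_frame("00:1b:54:aa:00:02", "00:1b:54:bb:00:02", [20], 0x0800, ICMP_STUB),
    build_frame("00:1b:54:aa:00:02", "00:1b:54:bb:00:02", [], 0x0800, ICMP_STUB),
    build_frame("00:1b:54:aa:00:03", "00:1b:54:bb:00:03", [100, 20], 0x0806, b"\x00" * 28),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        parsed = parse_frame(frame)
        print([t["vid"] for t in parsed["tags"]] or "untagged", hex(parsed["ethertype"]))
    print(vlan_summary(SAMPLE_FRAMES))
```

If every frame comes back untagged, suspect the SPAN session rather than the trunk: the 3750 strips the dot1q header from the copy unless "encapsulation replicate" is configured and the destination port is itself a trunk.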

Jan 12, 2014

Split MAC

A generic 802.11 AP, at the simplest level, is nothing more than an 802.11 MAC-layer radio that bridges WLAN clients to a wired network based on association to a Basic Service Set Identifier (BSSID). (A)

The 802.11 standard extends the single-AP concept above to allow multiple APs to provide an extended service set (ESS), where multiple APs use the same ESS identifier (ESSID, commonly referred to as an SSID) to let a WLAN client connect to a common network through more than one AP. (B)

A key component of the LWAPP protocol is the concept of split MAC, where part of the 802.11 protocol operation is handled by the LWAPP AP (the real-time functions: beacons, probe responses, and encryption of frames over the air), while the remaining parts (association, authentication, and the other non-real-time functions) are handled by the WLC. (C)




X.509

X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key Digital Certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an e-mail address or a DNS name.

An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI. X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-approved alternative for checking a certificate's status is the Online Certificate Status Protocol (OCSP). Popular browsers have been slow to check certificate revocation by default (Internet Explorer and Firefox did not for years); the time the check adds to every connection is one reason, and where a check is enabled it is usually soft-fail, passing silently if the responder cannot be reached.

PKI (Public-Key Infrastructure)

PKI is a loaded term covering the hardware, software, policies, and standards needed to issue and manage digital certificates (of which the SSL/TLS certificates on web servers are the most familiar kind). A PKI lets you:
  • Authenticate users more securely than standard usernames and passwords
  • Encrypt sensitive information
  • Electronically sign documents more efficiently

A PKI binds a public key (carried in a certificate) to a person, device or service in a way that lets a relying party trust the certificate. A PKI most commonly uses a Certificate Authority (CA) to issue the certificates, often with a separate Registration Authority (RA) that verifies the identity of the requester before the CA signs; a certificate cannot be forged without the CA's private key, which is why that key is the crown jewel of the whole system. Web browsers, web servers, email clients, smart cards, and many other types of hardware and software have integrated, standards-based PKI support that interoperates. A PKI is only as valuable as the standards that are established for issuing certificates.
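The certification path validation algorithm and CRL check from the X.509 notes, together with the CA-issued binding described here, in toy form as an added example (not from the page): dictionary "certificates" stand in for DER-encoded X.509, textbook RSA with tiny hand-picked primes stands in for real signatures, dates are YYYYMMDD integers, and every name (Example Root CA, wlc.example.com, and so on) is made up.

```python
"""Toy X.509-style certification path validation with a CRL check.

Added example, not code from the original page: the certificate structure,
the textbook RSA with tiny hand-picked primes, the YYYYMMDD integer dates and
all the names below are illustrative stand-ins for DER-encoded X.509
certificates and real keys. The validator follows the shape of the RFC 5280
path validation algorithm: start at the leaf, and at each step check the
validity period, issuer/subject chaining, the issuer's CA flag, the signature
and revocation, until a trusted root is reached.
"""
import hashlib
import json

def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two fixed primes: toy sizes, never use for real keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(obj):
    """SHA-256 over a canonical (sorted-key JSON) serialization, as an integer."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(obj, priv):
    return pow(digest(obj) % priv["n"], priv["d"], priv["n"])

def verify(obj, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(obj) % pub["n"]

def issue_cert(subject, san, pub, issuer, issuer_priv, serial, not_before, not_after, is_ca):
    tbs = {"serial": serial, "subject": subject, "san": san, "issuer": issuer,
           "not_before": not_before, "not_after": not_after, "public_key": pub, "is_ca": is_ca}
    return {"tbs": tbs, "sig": sign(tbs, issuer_priv)}

def issue_crl(issuer, revoked_serials, issuer_priv):
    body = {"issuer": issuer, "revoked": sorted(revoked_serials)}
    return {"body": body, "sig": sign(body, issuer_priv)}

def validate_path(chain, trust_anchors, crls, now, expected_name):
    """chain is [leaf, intermediate, ...]; the root lives in trust_anchors. Returns (ok, reason)."""
    leaf = chain[0]["tbs"]
    if expected_name not in (leaf["subject"], *leaf["san"]):
        return False, "name mismatch"
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if not tbs["not_before"] <= now <= tbs["not_after"]:
            return False, f"{tbs['subject']}: outside validity period"
        if i + 1 < len(chain):                       # issuer is the next cert in the chain
            issuer = chain[i + 1]["tbs"]
            if not issuer["is_ca"]:
                return False, f"{issuer['subject']}: issuer is not a CA"
            issuer_name, issuer_pub = issuer["subject"], issuer["public_key"]
        elif tbs["issuer"] in trust_anchors:         # last cert must be signed by a trusted root
            issuer_name, issuer_pub = tbs["issuer"], trust_anchors[tbs["issuer"]]
        else:
            return False, f"{tbs['subject']}: chain does not end at a trusted root"
        if tbs["issuer"] != issuer_name:
            return False, f"{tbs['subject']}: issuer name does not chain"
        if not verify(tbs, cert["sig"], issuer_pub):
            return False, f"{tbs['subject']}: bad signature"
        crl = crls.get(issuer_name)                  # revocation: require a CRL signed by the issuer
        if crl is None or not verify(crl["body"], crl["sig"], issuer_pub):
            return False, f"{tbs['subject']}: no trustworthy CRL from {issuer_name}"
        if tbs["serial"] in crl["body"]["revoked"]:
            return False, f"{tbs['subject']}: revoked (serial {tbs['serial']})"
    return True, "ok"

# Constructed two-tier hierarchy: offline root -> issuing CA -> server certificate.
ROOT_NAME, ISSUING_NAME = "CN=Example Root CA", "CN=Example Issuing CA"
ROOT_PUB, ROOT_PRIV = rsa_keygen(61, 53)
ISSUING_PUB, ISSUING_PRIV = rsa_keygen(101, 113)
SERVER_PUB, _ = rsa_keygen(139, 149)
ISSUING_CERT = issue_cert(ISSUING_NAME, [], ISSUING_PUB, ROOT_NAME, ROOT_PRIV, 1001, 20130101, 20230101, True)
SERVER_CERT = issue_cert("CN=wlc.example.com", ["wlc.example.com", "radius.example.com"], SERVER_PUB,
                         ISSUING_NAME, ISSUING_PRIV, 42, 20140101, 20160101, False)
TRUST_ANCHORS = {ROOT_NAME: ROOT_PUB}               # what gets distributed to every employee's machine
CRLS = {ROOT_NAME: issue_crl(ROOT_NAME, [], ROOT_PRIV), ISSUING_NAME: issue_crl(ISSUING_NAME, [], ISSUING_PRIV)}

def demo(now=20140115):
    """Run the validator over the constructed chain under several conditions."""
    chain = [SERVER_CERT, ISSUING_CERT]
    revoked = dict(CRLS, **{ISSUING_NAME: issue_crl(ISSUING_NAME, [42], ISSUING_PRIV)})
    forged = json.loads(json.dumps(SERVER_CERT))      # same signature, swapped public key
    forged["tbs"]["public_key"] = rsa_keygen(157, 163)[0]
    return {
        "valid": validate_path(chain, TRUST_ANCHORS, CRLS, now, "radius.example.com"),
        "expired": validate_path(chain, TRUST_ANCHORS, CRLS, 20170101, "wlc.example.com"),
        "wrong_name": validate_path(chain, TRUST_ANCHORS, CRLS, now, "evil.example.com"),
        "revoked": validate_path(chain, TRUST_ANCHORS, revoked, now, "wlc.example.com"),
        "key_swapped": validate_path([forged, ISSUING_CERT], TRUST_ANCHORS, CRLS, now, "wlc.example.com"),
        "untrusted_root": validate_path(chain, {}, CRLS, now, "wlc.example.com"),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:15} {'PASS' if ok else 'FAIL'}: {reason}")
```

Each failing case maps to a check real clients perform: an expired certificate, a name that matches neither the subject nor the SAN, a serial listed on the issuer's CRL, a certificate body that was altered after signing, and a chain that ends at a root the client was never given. Note that the CRL itself is only believed if it verifies under the issuer's key; an unsigned revocation list would be as easy for an attacker to replace as the certificate.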


Configuring IEEE 802.1x Port-Based Authentication


The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents clients from connecting to a LAN through publicly accessible ports unless they are authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. 

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic can pass through the port. 
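A small model of that port behaviour, as an added example (not from the page or from Cisco's documentation): the switch port drops ordinary traffic while unauthorized, passes EAPOL, CDP and STP, consumes the client's EAPOL frames in its role as authenticator, opens the port on the RADIUS verdict and closes it again on EAPOL-Logoff. Frame bytes, MAC addresses and the RADIUS decision are constructed inline; the identity host/pc01.corp.example is the form a Windows supplicant presents for machine authentication, tying back to the user vs. machine authentication notes above.

```python
"""Model of an IEEE 802.1X-controlled switch port before and after authentication.

Added example, not from the original page or Cisco's documentation. Frames, MAC
addresses and the RADIUS verdict are constructed inline.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000000")   # destination of EAPOL frames and IEEE STP BPDUs
CDP_ADDR = bytes.fromhex("01000ccccccc")
CISCO_OUI, CDP_PID = bytes.fromhex("00000c"), 0x2000
SWITCH_MAC = bytes.fromhex("001b54aa0001")       # constructed
CLIENT_MAC = bytes.fromhex("0021cc110022")       # constructed
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1

def classify(frame):
    """Return 'eapol', 'stp', 'cdp' or 'data' for one Ethernet frame."""
    dst, ethertype = frame[0:6], struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_EAPOL:
        return "eapol"
    if ethertype < 0x0600:                          # 802.3 length field: an LLC header follows
        dsap, ssap = frame[14], frame[15]
        if dst == PAE_GROUP_ADDR and dsap == ssap == 0x42:
            return "stp"
        if (dst == CDP_ADDR and dsap == ssap == 0xAA and frame[17:20] == CISCO_OUI
                and struct.unpack_from("!H", frame, 20)[0] == CDP_PID):
            return "cdp"
    return "data"

def eapol_frame(src, eapol_type, body=b""):
    """Ethernet header + EAPOL header (version 2, packet type, body length) + body."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) plus optional type and type-data."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def stp_bpdu(src):
    """802.3 frame to the STP group address with an LLC header (DSAP/SSAP 0x42) and a zeroed BPDU."""
    return PAE_GROUP_ADDR + src + struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + bytes(35)

def cdp_frame(src):
    """802.3 frame with LLC/SNAP (Cisco OUI, protocol 0x2000) and a dummy CDP body."""
    llc_snap = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", CDP_PID)
    payload = bytes([0x02, 0xB4]) + bytes(20)      # CDP version 2, TTL 180, no real TLVs
    return CDP_ADDR + src + struct.pack("!H", len(llc_snap) + len(payload)) + llc_snap + payload

def ipv4_frame(src=CLIENT_MAC):
    """Ordinary data frame: EtherType 0x0800 and a placeholder IPv4 header."""
    return SWITCH_MAC + src + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

class Dot1xPort:
    """Authenticator port access entity (PAE) for a single switch port."""
    def __init__(self):
        self.authorized = False
        self.identity = None

    def handle(self, frame):
        """Decide what happens to a frame arriving from the client side of the port."""
        kind = classify(frame)
        if kind == "eapol":
            return self._eapol(frame)                # consumed by the authenticator, never bridged
        if kind in ("stp", "cdp") or self.authorized:
            return "forward"
        return "drop"                                # everything else waits for authentication

    def _eapol(self, frame):
        eapol_type = frame[15]
        if eapol_type == EAPOL_LOGOFF:
            self.authorized = False                  # client leaves the authorized state
        elif eapol_type == EAPOL_EAP_PACKET:
            code, _, eap_len = struct.unpack_from("!BBH", frame, 18)
            if code == EAP_RESPONSE and frame[22] == EAP_TYPE_IDENTITY:
                self.identity = frame[23:18 + eap_len].decode()   # relayed to RADIUS in practice
        return "consume"                             # EAPOL-Start gets an EAP-Request/Identity back

    def radius_result(self, accept, ident=1):
        """Apply the authentication server's verdict; returns the EAPOL frame sent to the client."""
        self.authorized = accept
        code = EAP_SUCCESS if accept else EAP_FAILURE
        return eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET, eap_packet(code, ident))

def run_exchange(radius_accepts=True):
    """Walk one client through the port and record the decision at each step."""
    port, steps = Dot1xPort(), {}
    steps["data before auth"] = port.handle(ipv4_frame())
    steps["stp before auth"] = port.handle(stp_bpdu(CLIENT_MAC))
    steps["cdp before auth"] = port.handle(cdp_frame(CLIENT_MAC))
    steps["eapol-start"] = port.handle(eapol_frame(CLIENT_MAC, EAPOL_START))
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/pc01.corp.example")
    steps["eap response/identity"] = port.handle(eapol_frame(CLIENT_MAC, EAPOL_EAP_PACKET, identity))
    steps["eap verdict"] = "success" if port.radius_result(radius_accepts)[18] == EAP_SUCCESS else "failure"
    steps["data after verdict"] = port.handle(ipv4_frame())
    port.handle(eapol_frame(CLIENT_MAC, EAPOL_LOGOFF))
    steps["data after logoff"] = port.handle(ipv4_frame())
    return port, steps
```

The model leaves out what a real authenticator does between the Response/Identity and the verdict (wrapping EAP in RADIUS Access-Request, relaying the method exchange, reading Access-Accept/Reject), which is why radius_result is called directly. The one thing worth keeping in mind from the state machine is that EAPOL, CDP and STP are passed on a port that is otherwise closed, so a rogue device can still talk to those protocols before it has authenticated.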

Authentication flowchart: (figure not reproduced here)

 

Man in the Middle Attack

Here is an example of what might happen once the man in the middle has inserted himself into the conversation (figure not reproduced here):





The attacker impersonates both sides of the conversation to gain access to funds. This holds for a client-server conversation just as for a person-to-person one. In the example the attacker intercepts a public key in transit and substitutes his own, so that each end encrypts to the attacker while believing it is talking securely to the other; the attacker decrypts, reads or alters, and re-encrypts every message before passing it on. The defence is to bind each public key to its owner in a way the attacker cannot reproduce, which is what a certificate signed by a trusted CA provides.
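The exchange described above in runnable form, as an added example that is not part of the original page: a Diffie-Hellman key agreement (toy 127-bit group, chosen for readability rather than security) in which "Mallory" substitutes her own public value in both directions, followed by the same exchange with each peer's public value checked against a fingerprint learned over a trusted channel, which is the role a CA-signed certificate plays in practice. The stream cipher is a SHA-256 counter keystream standing in for a real AEAD, and the message text is made up.

```python
"""Man-in-the-middle on an unauthenticated key exchange, and the check that catches it.

Added example, not from the original page. "Mallory" sits on the wire between
Alice and Bob during a Diffie-Hellman exchange (toy 127-bit group, insecure but
enough to show the arithmetic), substitutes her own public value in both
directions, and so holds one key with each side: she can read and rewrite
every message while both ends believe they talk privately. The second run has
each side check the peer's public value against a fingerprint learned over a
trusted channel, which is what a CA-signed certificate provides in practice.
The stream cipher is a SHA-256 counter keystream, a stand-in for a real AEAD.
"""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime, toy size; real deployments use 2048-bit+ groups
G = 3


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def crypt(key, msg):
    """XOR msg with a SHA-256(key || counter) keystream; decryption is the same call."""
    blocks = (len(msg) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(msg, stream))


def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def exchange_unauthenticated(message=b"transfer $100 to account 1111"):
    """Alice -> Bob through Mallory, with no binding between identities and public values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    alice_sees, bob_sees = m_pub, m_pub           # Mallory replaces both public values with her own
    k_alice = shared_key(a_priv, alice_sees)       # Alice thinks this is her key with Bob
    k_bob = shared_key(b_priv, bob_sees)           # Bob thinks this is his key with Alice
    k_m_alice = shared_key(m_priv, a_pub)          # Mallory's copy of each key
    k_m_bob = shared_key(m_priv, b_pub)
    on_the_wire = crypt(k_alice, message)
    plaintext = crypt(k_m_alice, on_the_wire)      # Mallory decrypts ...
    altered = plaintext.replace(b"1111", b"6666")  # ... changes the destination account ...
    forwarded = crypt(k_m_bob, altered)            # ... and re-encrypts for Bob
    return {"mallory_read": plaintext, "bob_received": crypt(k_bob, forwarded),
            "ends_share_a_key": k_alice == k_bob}


def exchange_with_fingerprints(mallory_active=True):
    """Same exchange, but each side verifies the peer's public value before using it."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub = keypair()
    trusted = {"alice": fingerprint(a_pub), "bob": fingerprint(b_pub)}   # obtained out of band
    alice_sees = m_pub if mallory_active else b_pub
    bob_sees = m_pub if mallory_active else a_pub
    if fingerprint(alice_sees) != trusted["bob"] or fingerprint(bob_sees) != trusted["alice"]:
        return {"established": False, "reason": "peer public value does not match trusted fingerprint"}
    if shared_key(a_priv, alice_sees) != shared_key(b_priv, bob_sees):
        return {"established": False, "reason": "key mismatch"}
    return {"established": True, "reason": "ok"}
```

The fingerprint table is the simplest possible binding; a certificate generalizes it by having a CA sign the (name, public key) pair so that the relying party only needs the CA's key, not a table entry for every peer.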

Known Plain text attack

The simplest method of recovering keystreams is the known plaintext attack. The attacker sends data over the wired network to a machine on the wireless network. The AP encrypts it and sends it to the client. The attacker captures the encrypted wireless traffic. Finally, the attacker XORs the plaintext with the captured ciphertext and recovers the keystream. There are many ways to get known plaintext sent to a wireless user, from sending ping packets to sending e-mails to getting a user to visit a known website. Because the attacker knows the content of each message, he can match it with the encrypted traffic and recover the keystream used to encrypt it. An attacker can send data rapidly to build up his keystream dictionary. The figure (not reproduced here) illustrates the known plaintext attack.







Binary XOR operation (A XOR B -> C):

A      XOR   B    ->   C
0      XOR   0    ->   0
0      XOR   1    ->   1
1      XOR   0    ->   1
1      XOR   1    ->   0
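The known plaintext attack from the section above, worked through in code as an added example (not from the page). It assumes WEP-style encryption, a minimal RC4 over a per-frame key of IV || shared key, with the frame body laid out as 24-bit IV, key-index byte, then RC4 keystream XOR (data || CRC-32 ICV), because a per-IV keystream dictionary is exactly the weakness the text describes. The key, IV, ping payload and later frames are constructed. The attacker recovers the keystream with the XOR operation tabulated above, decrypts a second frame sent under the same IV, and forges a frame the AP accepts, all without ever learning the key.

```python
"""Known-plaintext keystream recovery against WEP-style RC4 encryption.

Added example, not from the original page: a minimal RC4 and a WEP-like frame
body (24-bit IV || key-index byte || RC4(IV || key) XOR (data || CRC-32 ICV))
built here from scratch, with a constructed key, IV and plaintexts. The
attacker never learns the key. He XORs the plaintext he caused to be sent with
the captured ciphertext, keeps the result per IV, and uses it to decrypt a
later frame sent under the same IV and to forge a frame the access point accepts.
"""
import struct
import zlib


def rc4(key, length):
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def with_icv(data):
    """Append the WEP integrity check value: a plain CRC-32, little-endian."""
    return data + struct.pack("<I", zlib.crc32(data))


def wep_encrypt(key, iv, plaintext):
    """What the AP does: per-frame RC4 key is IV || shared key; the IV is sent in clear."""
    body = with_icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Receiver side: returns the data if the ICV matches, else None."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None


# --- attacker side: no knowledge of the key -----------------------------------
def recover_keystream(known_plaintext, captured_frame):
    """keystream = ciphertext XOR plaintext, filed under the IV carried in the frame header."""
    return captured_frame[:3], xor(captured_frame[4:], with_icv(known_plaintext))


def forge_frame(iv, keystream, plaintext):
    """Encrypt arbitrary data under a recovered keystream; the ICV is only CRC-32, so it is forgeable too."""
    body = with_icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("recovered keystream is too short for this frame")
    return iv + b"\x00" + xor(body, keystream)


WEP_KEY = bytes.fromhex("0a1b2c3d4e")   # constructed 40-bit key, known to AP and client only
IV = bytes.fromhex("3f1a07")             # a 24-bit IV; with only 2^24 values, reuse comes quickly


def demo():
    # 1. The attacker pings the wireless client from the wired side with a payload he chose;
    #    the AP encrypts it and he captures the frame in the air.
    known = b"\x08\x00" + bytes(6) + b"A" * 56               # ICMP echo request, 64 bytes (constructed)
    captured = wep_encrypt(WEP_KEY, IV, known)
    iv, keystream = recover_keystream(known, captured)
    dictionary = {iv: keystream}                              # grows with every IV he provokes
    # 2. A later frame from the client goes out under the same IV: decrypt it with the dictionary.
    secret = b"GET /intranet/salaries.xls HTTP/1.1\r\n"
    other = wep_encrypt(WEP_KEY, IV, secret)
    recovered = xor(other[4:], dictionary[other[:3]])[:len(secret)]
    # 3. Inject a frame of his own; the AP's ICV check passes.
    forged = forge_frame(IV, keystream, b"attacker-chosen payload")
    return {"keystream_correct": keystream == rc4(IV + WEP_KEY, len(keystream)),
            "recovered": recovered, "forged_accepted": wep_decrypt(WEP_KEY, forged)}
```

The recovered keystream is only as long as the known plaintext, which is why the attacker prefers large pings: a 1500-byte echo yields a keystream that decrypts or forges any full-size frame under that IV.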