Analyzing Huawei Router Wireless Network Authentication

 

RADIUS is a protocol based on a client/server architecture. Its clients were originally NAS (Network Access Server) devices, but nowadays any computer running RADIUS client software can act as a RADIUS client.

The RADIUS protocol features a flexible authentication mechanism, supporting various methods such as PAP, CHAP, or Unix login authentication. RADIUS is an extensible protocol; all its operations are based on Attribute-Length-Value vectors. RADIUS also supports vendor-specific attributes, allowing manufacturers to extend its functionality.

1. Generally, if you are running Windows Server 2003 or a later version with Active Directory, you can typically distribute network settings (including 802.1X and any digital certificates) to Windows XP and subsequently domain-joined machines via Group Policy.

However, for non-domain machines, such as employee-owned laptops, smartphones, and tablets, there are solutions beyond manual user configuration to consider. Key aspects here include the root certificate of the Certificate Authority used by the RADIUS server, user certificates if using EAP-TLS, and the network and 802.1X settings.

2. You can use the free SU1X 802.1X configuration deployment tool for Windows XP (SP3), Vista, and Windows 7. You need to go into settings and preferences to capture network information from a PC that has already been configured correctly. The tool then creates a wizard that users can run on their computers to automatically configure the network and other settings. This tool supports the distribution of root certificates along with network and 802.1X settings.

Additionally, you can configure it to add/remove other network configurations, modify network priorities, and enable NAP/SoH. The tool can even configure automatic or manual proxy server settings for IE and Firefox, as well as add/remove network printers.

3. Commercial products for 802.1X configuration deployment include XpressConnect, ClearPass QuickConnect, and ClearPass Onboard. XpressConnect supports the distribution of root certificates, other user certificates, and network and 802.1X (PEAP, TLS, and TTLS) settings on Windows, Mac OS X, Linux, Android, and iOS devices.

For TTLS, it also supports the installation of the SecureW2 TTLS client. XpressConnect is a cloud-based solution; you define your network settings in a web console, and it then creates a wizard that you can distribute to users.

4. Both ClearPass QuickConnect and ClearPass Onboard support the distribution of root certificates and network and 802.1X (PEAP, TLS, and TTLS) settings on Windows, Mac OS X, Linux, Android, and iOS devices. ClearPass QuickConnect is a cloud-based service and does not support the distribution of any user certificates.

ClearPass Onboard is a software module for the ClearPass Policy Manager platform that supports user certificate distribution. For some mobile operating systems, there are also dedicated solutions available for distributing 802.1X and other network settings.

5. Securing 802.1X Client Settings. 802.1X is vulnerable to man-in-the-middle attacks. For example, an attacker could set up a duplicate Wi-Fi signal with a modified RADIUS server and trick users into connecting in order to capture and track their login credentials. However, you can prevent this type of attack by securely configuring client computers and devices:

(1) Verify the server’s certificate: This setting should be enabled. You should select the Certification Authority used by your RADIUS server from the list box, which ensures that the network a user connects to uses a RADIUS server with a server certificate issued by that Certificate Authority.

(2) Connect to these servers: This setting should be enabled. You should enter the domain listed on your RADIUS server’s certificate, which ensures the client can only communicate with RADIUS servers possessing that specific server certificate.

(3) Do not prompt user to authorize new servers or trusted certification authorities: This should be enabled to automatically reject unknown RADIUS servers, rather than prompting users with the ability to accept and connect.

6. On Windows Vista and later versions, the first two settings should be automatically enabled and configured when a user first signs in. However, the last setting should be enabled manually, or via Group Policy or another distribution method. On Windows XP, users must manually configure all settings, or you can use Group Policy or another distribution method.

7. Securing the RADIUS Server. Do not forget the security of the RADIUS server itself; after all, it is the primary server handling authentication.

Consider dedicating a single server solely to act as the RADIUS server. Ensure its firewall is locked down and use encrypted links for any database connections located on another server that the RADIUS server uses. When generating shared secrets, which you need to input into the NAS client list or RADIUS server database, use strong secrets.

Since users do not need to know or remember them, you can use very long and complex secrets. Keep in mind that most RADIUS servers and NAS

Leave a Comment

Your email address will not be published.