This topic has a lot of moving parts to consider, so let me give a bit of background. I am seriously considering deprecating our "branded" WLAN SSID, and replacing it with just eduroam. To do this it will require making some GPO changes in the way our managed Windows assets connect to the network. Ideally, I'd like for computers in a startup state to connect via machine cert (PEAP-EAP-TLS), and upon login, hand off the user credentials via the same protocol (PEAP-EAP-TLS), so that the identity being conveyed to the RADIUS service ends in the appropriate domain for the eduroam proxy to relay to our policy servers correctly.
Our domain structure is undergoing some changes, but the machines won't be migrated for some time to come, and referencing the domain of the user is the most certain way that the RADIUS messages will be handled by eduroam correctly, at least until we migrate machines to that domain.
AD, PKI, GPO, etc. let me handle this problem with most managed assets (JAMF and Airwatch for the rest), but we still have a massive BYOD problem to solve. While we could still use MSCHAPv2, I was looking toward the future and felt that having a more secure and better process to connect mobility would be wise. What I foresee in the coming years is that as eduroam, as a global SSID, becomes more widely deployed, it will become an increasingly common vector for exploiting credentials. A spoofed SSID (rogue) honeypot with a local RADIUS server and a bogus cert could gather dozens or hundreds of credentials in a day. Most clients go out of their way to ignore cert warnings or specify to never validate anyway.
EAP-TLS appears to be the only highly secure method of auth in the Enterprise. But how to convey client certs to the user and begin trust of the legit RADIUS server cert? Well, I looked into SecureW2, which sets up a SAML trust relationship (Shibboleth) that allows all users in the domain to authenticate and, in doing so, integrates their user cert in an ephemeral client that they run on their device to configure the supplicant. And voila! EAP-TLS with outer cert trust.
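As an added example that is not part of the original post, the check below audits a Windows WLAN profile (the kind a GPO pushes to managed assets) for the PEAP outer-TLS server-validation settings that decide whether a client will silently accept a rogue RADIUS server's certificate. The profile XML is constructed and minimal; the element names (ServerValidation, DisableUserPromptForServerValidation, ServerNames, TrustedRootCA) are those of the Windows PEAP profile schema, while radius.example.edu and the root-CA thumbprint are placeholders.

```python
# Added example (not from the original post): audit a Windows WLAN profile for the
# outer-TLS server-validation settings. The XML is constructed and minimal; real
# exported profiles carry many more elements, so this is a heuristic, not a schema check.
import xml.etree.ElementTree as ET

PEAP_NS = {"peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"}

PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>eduroam</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>{server_validation}</ServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

# Weak: the user is prompted (and will click through) and nothing is pinned.
WEAK_PROFILE = PROFILE_TEMPLATE.format(server_validation=(
    "<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>"
    "<ServerNames></ServerNames>"))

# Hardened: no prompt, the expected RADIUS server name, and the institution's root CA
# pinned by thumbprint (placeholder value, constructed for this example).
HARDENED_PROFILE = PROFILE_TEMPLATE.format(server_validation=(
    "<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>"
    "<ServerNames>radius.example.edu</ServerNames>"
    "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>"))


def audit_profile(xml_text: str) -> list[str]:
    """Return findings for the PEAP outer-TLS settings; [] means validation is pinned."""
    sv = ET.fromstring(xml_text).find(".//peap:ServerValidation", PEAP_NS)
    if sv is None:
        return ["no PEAP ServerValidation element: server certificate is not checked"]
    findings = []
    prompt_off = sv.findtext("peap:DisableUserPromptForServerValidation", default="", namespaces=PEAP_NS)
    if prompt_off.strip().lower() != "true":
        findings.append("user can be prompted to accept an unknown RADIUS certificate")
    if not sv.findtext("peap:ServerNames", default="", namespaces=PEAP_NS).strip():
        findings.append("ServerNames empty: any name on a trusted cert is accepted")
    if sv.find("peap:TrustedRootCA", PEAP_NS) is None:
        findings.append("no TrustedRootCA pinned: any trusted public CA can issue the cert")
    return findings
```

Run it against profiles exported with `netsh wlan export profile` to see which settings a rogue AP with a public-CA or self-signed certificate would get past.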
Without getting too far down the rabbit hole on this topic, I wanted to see how others have approached similar issues, and if they found a solution that works "good enough" for their organization.
I'd also be super curious to hear any thoughts about the feasibility of the honeypot scenario. And for those unfamiliar, eduroam is a secure/trusted middleman to proxy RADIUS requests to the host institution when a reciprocal client is at another institution.