CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Monday, Jul 05, 2010

GEORGE STEFANICK - CWSP JOURNEY, (CHAPTER 5 – TSN POST#3)- 7/5/2010


TSN stands for Transition Security Network. A TSN supports both RSN and pre-RSN legacy authentication and encryption on the same BSS.

Example – Think of WEP with WPA and/or WPA2 enabled on the same BSS. Pre-RSN + RSN = TSN

Suppose your WLAN is secured with WEP and you want to upgrade to WPA2. Instead of having to manage another WLAN and add wireless utilization (each WLAN you add increases wireless utilization), you can modify the current WLAN to allow WPA2 security.

Cisco often references TSN as a “migration” WLAN. I was emailed today about adding a config for a Cisco autonomous AP with TSN.

First, let's look at a packet capture example:

Our SSID is: wep-wpa2

GROUP CIPHER WEP104 (WEP128)

RSNIE: You will notice in the capture below that the Group Cipher is WEP104 (WEP128). This is our indication that WEP is enabled on this BSS. Since all stations share a single group cipher, the lowest common denominator is used. In this case it is WEP104 (WEP128).

PAIRWISE CIPHER CODE 00-0F-AC-4

Another area of interest is the Pairwise Cipher code 00-0F-AC 4. This is our other indication: AES-CCMP is being used.

NOTE:

OUI        Suite Type   Definition
00-0F-AC   0            Use the group cipher suite (only valid for pairwise ciphers)
00-0F-AC   1            WEP-40
00-0F-AC   2            TKIP
00-0F-AC   3            Reserved
00-0F-AC   4            CCMP
 

Auth Key Management Suite

Since we are in the frame, let me share what the AUTH KEY MANAGEMENT field means. This is where the RSN authentication type lives. You will see 2 types: 00-0F-AC 1 for 802.1X or 00-0F-AC 2 for PSK. In our example we are using PSK.

Authentication and key management suites

OUI        Suite Type   Authentication           Key management
00-0F-AC   1            802.1X or PMK caching    Key derivation from preshared master key
00-0F-AC   2            Pre-shared key           Key derivation from pre-shared key
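
The fields walked through above, as an added example that is not part of the original post: a small Python decoder for an RSN information element that names the group cipher, pairwise ciphers and AKM suites, and flags a TSN when the group cipher is still WEP. The function names and the sample bytes are constructed for illustration; suite type 5 (WEP-104) and element ID 48 are taken from IEEE 802.11-2007, not from the tables on this page.

```python
import struct

# Suite types under OUI 00-0F-AC. Types 0-4 are the table above; type 5
# (WEP-104) comes from IEEE 802.11-2007 and is the capture's group cipher.
CIPHERS = {0: "Use group cipher", 1: "WEP-40", 2: "TKIP", 3: "Reserved",
           4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
PRE_RSN = {"WEP-40", "WEP-104"}


def suite(raw, names):
    """Name a 4-byte suite selector: 3-byte OUI followed by a 1-byte type."""
    if raw[:3] != bytes.fromhex("000fac"):
        return "vendor-specific " + raw.hex()
    return names.get(raw[3], "unknown type %d" % raw[3])


def suite_list(body, off, names):
    """Read a 2-byte little-endian count, then that many selectors."""
    if off + 2 > len(body):
        raise ValueError("RSN IE truncated before suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the end of the RSN IE")
    return [suite(body[i:i + 4], names) for i in range(off + 2, end, 4)], end


def parse_rsnie(ie):
    """Decode an RSN information element (ID 48), ID and length included."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1] or ie[1] < 6:
        raise ValueError("not a complete RSN information element")
    body = ie[2:2 + ie[1]]
    (version,) = struct.unpack_from("<H", body, 0)
    group = suite(body[2:6], CIPHERS)
    pairwise, off = suite_list(body, 6, CIPHERS)
    akm, off = suite_list(body, off, AKMS)
    # A WEP group cipher inside an RSN IE is what marks the BSS as a TSN.
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "tsn": group in PRE_RSN}


# Constructed element matching the capture described above:
# group WEP-104, pairwise CCMP (00-0F-AC 4), AKM PSK (00-0F-AC 2).
SAMPLE = bytes.fromhex("30140100000fac050100000fac040100000fac020000")
```

Calling parse_rsnie(SAMPLE) reports group WEP-104, pairwise CCMP, AKM PSK and tsn True, which is the combination the wep-wpa2 SSID advertises.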

 

Cisco 1240 TSN Configuration

Configuration Notes:

SSID is wep-wpa2

WPA PSK: WPA2/AES

PSK: 1234567890

WEP KEY: Slot 3

WEP KEY: 128 / 12345678901234567890123456

Logon Cisco / Cisco

 

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/d5u$WOD0P0tI3GSizQKugBNyj0
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!

! dot11: dot11 ssid wep-wpa2 is the SSID to which your authentication
! configuration will be applied
!
! Authentication OPEN: Auth OPEN allows open auth for WEP
! Authentication Key-Management: Key-Man WPA V2 optional allows WPA2, with
! the optional keyword meaning WPA and WEP can be used
! WPA-PSK: This is your key (note it's shown in type 7 form, which is
! reversible obfuscation from service password-encryption)
dot11 ssid wep-wpa2
   authentication open
   authentication key-management wpa version 2 optional
   wpa-psk ascii 7 135445415F59527D737D78
!
!
username Cisco password 7 02250D480809
!
bridge irb
!

! Dot11Radio0: This is your 802.11b/g radio where your encryption will live
! Encrypt: Key 3 is the slot, 128 bit is the length, next is your key, and
! then you are telling the AP that slot 3 is a transmit key
! Encrypt: Mode Cipher aes-ccm and wep128 is telling the radio what
! encryption modes to use. In this case use aes-ccmp AND WEP128
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 3 size 128bit 7 904856427E9D21265549561E467E transmit-key
 encryption mode ciphers aes-ccm wep128
 !
 ssid wep-wpa2
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption key 3 size 128bit 7 8F156E346C961F07447BA1D43824 transmit-key
 encryption mode wep mandatory
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.0.30 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
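
One way to spot this migration setup when reviewing saved AP configurations, as an added example that is not part of the original post: a Python check that groups sub-commands under each `interface` and `dot11 ssid` section and reports where WEP is still enabled, alone or beside AES-CCM. The function names are illustrative, and the sample is a constructed excerpt of the configuration above with the key lines left out.

```python
import re

HEADER = re.compile(r"^(interface|dot11 ssid)\s+(\S+)")


def sections(config):
    """Group indented sub-commands under their interface / dot11 ssid header."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if not raw[0].isspace():
            m = HEADER.match(raw)
            current = out.setdefault(m.group(2), []) if m else None
        elif current is not None:
            current.append(raw.strip())
    return out


def audit(config):
    """Flag WEP left enabled, alone or beside WPA2 (TSN / migration mode)."""
    findings = []
    for name, cmds in sections(config).items():
        state = "shutdown" if "shutdown" in cmds else "active"
        for words in (c.split() for c in cmds):
            if words[:3] == ["encryption", "mode", "ciphers"]:
                wep = [c for c in words[3:] if c.startswith("wep")]
                if wep:
                    kind = "TSN" if len(wep) < len(words) - 3 else "WEP only"
                    findings.append((name, state, kind, " ".join(words)))
            elif words[:3] == ["encryption", "mode", "wep"]:
                findings.append((name, state, "WEP only", " ".join(words)))
            elif words[:2] == ["authentication", "key-management"] and words[-1] == "optional":
                findings.append((name, state, "WPA optional", " ".join(words)))
    return findings


# Constructed excerpt of the configuration above (key material omitted).
SAMPLE = """\
dot11 ssid wep-wpa2
 authentication key-management wpa version 2 optional
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm wep128
!
interface Dot11Radio1
 shutdown
 encryption mode wep mandatory
"""
```

The shutdown state is reported rather than skipped, so a WEP-only radio that is currently disabled still shows up before someone re-enables it.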

Sunday, Jul 04, 2010

GEORGE STEFANICK - CWSP JOURNEY, (CHAPTER 5 – RSN POST#2)- 7/4/2010

  


RSN stands for Robust Security Network, which was defined in the 802.11i-2004 standard. This was later rolled into the 802.11-2007 standard (clause 8). The purpose of RSN is to provide stronger encryption and authentication methods.

RSNA stands for Robust Security Network Association. An RSNA requires 2 802.11 stations to establish procedures to authenticate and associate with each other, as well as create dynamic encryption keys through the 4-way handshake. *Note: an access point is also referred to as a station.* The 802.11-2007 standard defines two classes of security methods: pre-RSNA and RSNA. RSNA security methods use either TKIP/RC4 or CCMP/AES. This leads me to believe that WPA/TKIP is an RSNA as well, although not under the RSNIE.

RSNIE stands for Robust Security Network Information Element. The RSNIE is the information element found in certain management frames. The purpose of this information element is to show station capabilities. The RSNIE can identify encryption capabilities and the authentication type (802.1X/EAP or PSK).

NOTE: There are ONLY 4 types of 802.11 frames that contain the RSN Information Element (RSNIE). Remember, 2 of these frames come from the access point (BSS) and 2 of them come from the station. The following frames contain the RSNIE when WPA2 / 802.11i is enabled on the BSS.

ACCESS POINT (BSS): BEACON and PROBE RESPONSE frames
CLIENT (Station): ASSOCIATION RESPONSE and REASSOCIATION RESPONSE frames

Pre-RSN stands for Pre-Robust Security Network. A pre-RSN uses static or dynamic WEP keys. Anything WEP is considered pre-RSN.

TSN stands for Transition Security Network. A TSN supports both RSN and pre-RSN legacy authentication and encryption on the same BSS. Example – Think of WEP with WPA and/or WPA2 enabled on the same BSS. Pre-RSN + RSN = TSN

Below is the RSNIE

The RSNIE is enabled when you choose WPA2 (personal (PSK) or enterprise (802.1X/EAP))

Example #1  WPA/TKIP

Note WPA / TKIP is enabled on this BSS. The WPA information element is populated, as you can see. Notice you won’t see an RSNIE. WPA is part of RSN; the sniffer just isn't labeling it as such.

Example #2  WPA/AES

Note WPA / AES is enabled on this BSS. The WPA information element is populated. Notice you won’t see an RSNIE even though AES is enabled. WPA is part of RSN; the sniffer just isn't labeling it as such.

Example #3  WPA2/TKIP

WPA2 / TKIP is enabled on this BSS. The RSN information element is populated. Note you don’t see the WPA information element. Rather, you see the RSN element because WPA2 was selected.

Example #4 – WPA2/AES

Note WPA2 / AES is enabled on this BSS. The RSN information element is populated. Note you don’t see the WPA information element, because WPA is not selected.

 

 

Example #5  TSN (Transition Security Network) WEP, WPA/WPA2 (TKIP/AES)

This is an example of a single BSS allowing pre-RSN (WEP) and RSN clients. This becomes beneficial when you want to migrate from WEP to a more secure wireless network such as WPA2.
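
The point of Examples 1 to 4, as an added example that is not part of the original post: which label a sniffer shows depends on which element the beacon carries, not on the cipher. The Python below walks a frame's tagged parameters and reports WPA IE, RSN IE, WEP only, or open. Element ID 48, vendor element ID 221 with selector 00-50-F2 type 1, and the Privacy capability bit come from the 802.11 and WPA specifications rather than this page; the function names and sample bytes are constructed.

```python
RSN_ID = 48                               # RSN information element
VENDOR_ID = 221                           # vendor-specific element
WPA_SELECTOR = bytes.fromhex("0050f201")  # OUI 00-50-F2, type 1: WPA IE
PRIVACY = 0x0010                          # Privacy bit, Capability Information


def elements(tagged):
    """Yield (element_id, payload) pairs from a frame's tagged parameters."""
    off = 0
    while off < len(tagged):
        if off + 2 > len(tagged) or off + 2 + tagged[off + 1] > len(tagged):
            raise ValueError("truncated element at offset %d" % off)
        length = tagged[off + 1]
        yield tagged[off], tagged[off + 2: off + 2 + length]
        off += 2 + length


def security_elements(capability, tagged):
    """Name the security elements a sniffer would label for this BSS."""
    found = []
    for eid, payload in elements(tagged):
        if eid == RSN_ID:
            found.append("RSN IE")
        elif eid == VENDOR_ID and payload[:4] == WPA_SELECTOR:
            found.append("WPA IE")
    if not found:
        # No WPA or RSN element: the Privacy bit alone means WEP (pre-RSN).
        found.append("WEP only" if capability & PRIVACY else "open")
    return found


# Constructed tagged parameters: an SSID element plus security elements.
SSID = bytes([0, 4]) + b"test"
WMM = bytes.fromhex("dd070050f202000100")  # vendor element that is not WPA
WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
```

A beacon carrying both elements, as in a mixed WPA/WPA2 BSS, returns both labels in the order they appear in the frame.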

 

 

Friday, Jul 02, 2010

George Stefanick - CWSP Journey, (Chapter 5 – My Notes Post#1) - 7/2/2010


What a busy week… Can I just tell you! On to more important things like my CWSP study. I like to hit the areas that interest me the most when I study. Chapter 5 “802.11 Layer 2 Dynamic Encryption Key Generation” is just that chapter! Why, you ask? Well, Dynamic Encryption Key Generation is that “black magic” that just happens, right? It’s just there and it works… BUT HOW, really… Let’s take a peek.

I’m not new to Chapter 5, but I will tell you it was a great refresher. Not surprised I forgot a lot of the finer details. It has been a long time… It was a good recap…

I am going to do things a little differently going forward. Since these are my CWSP blog notes, I am going to break up my blog posts by sub-chapter, with the respective subtopics within the chapter. This will allow me to add my own comments and pics as needed without having one large blog post. Again, remember these are my ramblings and I hope they will add value to your study.

REFERENCE MATERIAL FOR CHAPTER 5 AND NOTES:

Cipher suites

OUI        Suite Type   Definition
00-0F-AC   0            Use the group cipher suite (only valid for pairwise ciphers)
00-0F-AC   1            WEP-40
00-0F-AC   2            TKIP
00-0F-AC   3            Reserved
00-0F-AC   4            CCMP

Authentication and key management suites

OUI        Suite Type   Authentication           Key management
00-0F-AC   1            802.1X or PMK caching    Key derivation from preshared master key
00-0F-AC   2            Pre-shared key           Key derivation from pre-shared key

MSK = Master Session Key
GMK = Group Master Key
PMK = Pairwise Master Key
GTK = Group Temporal Key
PTK = Pairwise Transient Key

I also referenced the following material to confirm and strengthen my understanding of RSN and dynamic keys.

Official CWSP Study Guide by Sybex - Chapter 5

Official CWSP Study Guide (2nd Edition) by McGraw Hill - Chapter 15

802.11 Wireless Network – The definitive Guide (2nd Edition)

Pgs. 104-105: This shows the complete Cipher Suites, which aren't found in Chapter 5 of the CWSP (see below). It is also a different author's perspective, but consistent (which is ALWAYS a bonus! LOL)

Pgs. 163-169: Talks about RSN Operations. Very clear and understandable, especially after reading Chapter 5.

Real 802.11 Security: Wi-Fi Protected Access and 802.11i - Chapters 7, 8, 9 and 10

IEEE Std 802.11™-2007 - Section 8

Devin Akin (CWNP) – white papers.

What can you say BUT thanks, Devin, for your hard work and translating the standard for us. These are A MUST READ if you want to ‘glue’ the pieces together.

http://www.cwnp.com/pdf/802.11_RSN_FT.pdf 

http://www.airspy.com/uploads/Chicken_Egg.pdf

Other Related Material

http://brave.sr.unh.edu/sav/UNH-CS-TR-06-01.pdf

Saturday, May 15, 2010

George Stefanick - CWSP Journey, Post#1 - 5/15/2010


Hello, 

Welcome to my little spot on the web. I will be joining my counterparts John, Rick and Darby in the "CWNP or BUST" challenge!

For those of you who know me, I'm a busy guy with a non-stop lifestyle. I have an aggressive cert path for the next 2 years. I was in pursuit of my CCNP but that was derailed when the track was upgraded as I was sitting the (BCMSN). So I gave it some thought, and decided it was time to finish out the CWNP (CWNE) track. Then that was derailed with the cert upgrade! Geez, cut me a break!

So back to the drawing board. The goal is to nail the CWSP (3 months), then change gears to the CCNP track (9 – 12 months), then return when CWNP has the DP and AP complete to finish out my CWNE. THEN on to the CCIE Wireless.

EXAM OBJECTIVES –

I think all too often folks who study for particular certifications think they can just buy the OFFICIAL guide and all of LIFE'S questions and examples will be contained within! Cisco Press is notorious for this behavior. This is actually not the case. In fact, the authors of the books you and I read don’t have access to the questions on the exam! They are contracted by publishers to write about specific topics. With that being said, you are at the mercy of the author and his dictation of the material.

Thus why I like to read other “on topic” related material. For example, if this week I'm reading about 802.1X EAP types, I will not only read the CWSP, but I will also read other supporting material from other authoritative perspectives. This other perspective often is the glue that pulls all the pieces together!

OK, back to the CWSP objectives. I can't tell you how many times I’ve helped others with their studies and they would just glance over the objectives! BIG MISTAKE. We are here to PASS the exam while also retaining the correct knowledge to be applied in the field. You need to understand the objectives, especially for the CWSP.

Did you know 50% of the weight on the CWSP is on security design and architecture? The next heavyweight is Monitoring and Management at 25%. These two areas alone are 75% of the exam weight. Guess where my focus will be!?

 

The following chart provides the breakdown of exam PW0-204 as to the weight of each section of the exam.

Wireless LAN Security Subject Area               % of Exam
Wireless Network Attacks and Threat Assessment   10%
Monitoring and Management                        25%
Security Design and Architecture                 50%
Security Policy                                  5%
Fast Secure Roaming                              10%
Total                                            100%

THE PLAN –

The plan is to hit the CWSP objectives hot and heavy the next few weeks. Having been around the certification circuit more than once, I will leverage various authored material around the CWSP objectives. I will also use the CWSP flash cards and various white paper material.

OFFICIAL CWSP STUDY GUIDE –

 http://www.amazon.com/Certified-Wireless-Security-Professional-Official/dp/0470438916/ref=sr_1_1?ie=UTF8&s=books&qid=1273950993&sr=8-1

Implementing 802.1X Security Solutions for wired and wireless networks:

http://www.amazon.com/Implementing-Security-Solutions-Wireless-Networks/dp/0470168609/ref=sr_1_1?ie=UTF8&s=books&qid=1273951025&sr=1-1

I've already completed a “quick” read of the CWSP and feel very comfortable with the content. It also helps that I’ve had 10 years of hands-on experience. I'm going to sit down this week and focus on specific topics, which I will blog about next week.

Since CWNP is offering FREE exam retakes, I may just do some recon and schedule the exam in 2 – 3 weeks to see where I am …

 
