<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Enterprise wireless with OTP authentication in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442998#M526633</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Nikhil,&lt;/P&gt;&lt;P&gt;I have read many things these days related to the topic, but I cannot agree with your post.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With reference to this community document:&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488" title="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488"&gt;802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In summary, it seems that full authentication is done during normal, supported roaming. If we use fast roaming technologies on the WLC, we can speed things up. Also, if the authentication server has some caching functions, we can save some time. Otherwise, full authentication is done.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sun, 24 Sep 2017 12:12:05 GMT</pubDate>
    <dc:creator>Alexander Vasilev</dc:creator>
    <dc:date>2017-09-24T12:12:05Z</dc:date>
    <item>
      <title>Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442990#M526619</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I spent a couple of days researching whether an enterprise wireless security design with OTP is possible. The idea is to authenticate first the machine and then the user with OTP. If both are successful, access is to be granted. As far as my research went, I must rely on EAP-FAST and EAP Chaining (EAP-TLS and EAP-GTC as inner methods). But from here the unknown part follows: is it possible, does someone have such an implementation, and what is the user experience? Because if the OTP is required every time the user roams to a different AP (of course in the same mobility group), it will be a terrible experience. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Sep 2017 06:10:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442990#M526619</guid>
      <dc:creator>Alexander Vasilev</dc:creator>
      <dc:date>2017-09-18T06:10:46Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442991#M526621</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could accomplish this with CWA Chaining (802.1X auth followed by CWA auth).&amp;nbsp; CWA supports RSA and RADIUS Token as well as SAML auth options.&amp;nbsp; You could optionally combine the CWA portion with device registration to eliminate continuous CWA reauth, then periodically purge device from registration to force new 1X + OTP auth.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Sep 2017 16:59:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442991#M526621</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-09-18T16:59:39Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442992#M526623</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Craig,&lt;/P&gt;&lt;P&gt;but I don't find CWA appropriate... actually, we are currently on such a solution, but with CWA on the WLC. The roaming is terrible.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And if I use MAC authentication, it is very weak (if used without profiling).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Sep 2017 20:00:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442992#M526623</guid>
      <dc:creator>Alexander Vasilev</dc:creator>
      <dc:date>2017-09-18T20:00:25Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442993#M526625</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Alexander, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You state that forcing reauth on each roam is considered too secure, but easing restriction based on MAC (post auth) is considered too insecure.&amp;nbsp; You are coming to the obvious conclusion that policy is often a balance between security controls and user experience/productivity!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If EAP Chaining is serving your purpose, then consider appropriate key caching mechanisms based on clients and test.&amp;nbsp; For example, dot1x + adaptive 11r may be suitable, but best to confer with wireless team.&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, ISE 2.2+ supports RADIUS Token caching which could help reduce the need to reauth OTP on each reauth.&amp;nbsp; This may be your perfect balance between security and convenience, in addition to reduced reauth for viable key caching methods.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Sep 2017 20:27:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442993#M526625</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-09-18T20:27:47Z</dc:date>
    </item>
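A worked model of the trade-off Craig describes above (key caching on the controller to avoid a full 802.1X exchange on roam, plus RADIUS token caching on the server to avoid a new OTP when a full exchange does happen), added here as an illustration. It is not code from this thread, from the Cisco WLC or from ISE. It simulates a controller key cache in three modes (no caching; sticky key caching per AP; opportunistic key caching, with 802.11r treated the same way as a root key shared across the controller's APs) and a server-side token cache, and counts how many OTP prompts a given roam trace produces. The cache modes, the use of the WLAN session timeout as the PMK lifetime, the token cache TTL and the roam trace are all assumptions of this model, not documented Cisco behaviour.

```python
"""Model of when a wireless roam costs a full 802.1X/EAP exchange (and so
possibly an OTP prompt) versus a fast reassociation served from a cached key.
Added illustration only: a simplified model, not Cisco WLC or ISE code. The
cache modes, the session timeout as PMK lifetime and the token TTL are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FULL_EAP = "full_eap"          # full 802.1X to the RADIUS server; may prompt for OTP
FAST_REASSOC = "fast_reassoc"  # key served from cache; no RADIUS exchange at all


@dataclass
class PmkEntry:
    created: float   # time the PMK was derived (end of the full EAP exchange)
    lifetime: float  # seconds; modelled as the WLAN session timeout

    def valid(self, now: float) -> bool:
        return self.created + self.lifetime > now


class KeyCacheModel:
    """Controller-side key cache.
    mode 'none': no caching, every (re)association is a full EAP exchange.
    mode 'skc':  sticky key caching, one PMK per (client, AP) pair, so only
                 APs the client already visited are served from cache.
    mode 'okc':  opportunistic key caching, one PMK per client reused on
                 every AP behind the controller.
    mode '11r':  fast transition, modelled like 'okc' (FT keys derived from
                 one cached root key for the whole mobility domain).
    """

    def __init__(self, mode: str, session_timeout: float) -> None:
        if mode not in ("none", "skc", "okc", "11r"):
            raise ValueError("unknown cache mode: %r" % mode)
        self.mode = mode
        self.session_timeout = float(session_timeout)
        self.cache: Dict[Tuple[str, str], PmkEntry] = {}

    def _key(self, client: str, ap: str) -> Tuple[str, str]:
        # SKC keys the cache per AP; OKC/11r share one entry per client
        return (client, ap) if self.mode == "skc" else (client, "*")

    def associate(self, client: str, ap: str, now: float) -> str:
        """Outcome of a client (re)associating to an AP at time now."""
        if self.mode != "none":
            entry = self.cache.get(self._key(client, ap))
            if entry is not None and entry.valid(now):
                return FAST_REASSOC
        # No usable cached key: a full EAP exchange derives a fresh PMK
        self.cache[self._key(client, ap)] = PmkEntry(now, self.session_timeout)
        return FULL_EAP


class TokenCacheModel:
    """Server-side RADIUS token cache: after a successful OTP, a full EAP
    exchange within ttl seconds is accepted without a new code. A ttl of 0
    disables caching, so every full EAP exchange prompts."""

    def __init__(self, ttl: float) -> None:
        self.ttl = float(ttl)
        self.last_ok: Dict[str, float] = {}

    def needs_otp(self, user: str, now: float) -> bool:
        t = self.last_ok.get(user)
        return t is None or not (t + self.ttl > now)

    def record_success(self, user: str, now: float) -> None:
        self.last_ok[user] = now


def simulate(mode: str, session_timeout: float, token_ttl: float,
             roams: List[Tuple[float, str, str, str]]) -> List[Tuple[float, str, str, bool]]:
    """roams: (time, client MAC, user, AP). Returns (time, AP, outcome, otp_prompted)."""
    wlc = KeyCacheModel(mode, session_timeout)
    server = TokenCacheModel(token_ttl)
    out: List[Tuple[float, str, str, bool]] = []
    for now, client, user, ap in roams:
        outcome = wlc.associate(client, ap, now)
        prompted = False
        if outcome == FULL_EAP:
            prompted = server.needs_otp(user, now)
            server.record_success(user, now)  # the user is assumed to enter a valid code
        out.append((now, ap, outcome, prompted))
    return out


def otp_prompts(mode: str, session_timeout: float, token_ttl: float,
                roams: List[Tuple[float, str, str, str]]) -> int:
    return sum(1 for r in simulate(mode, session_timeout, token_ttl, roams) if r[3])


# Constructed roam trace: one laptop walks AP1 -> AP2 -> AP3 -> AP1 over 15 minutes,
# then reassociates to AP2 after the 1800 s session timeout has expired.
SAMPLE_ROAMS = [
    (0.0, "00:11:22:33:44:55", "alice", "AP1"),
    (300.0, "00:11:22:33:44:55", "alice", "AP2"),
    (600.0, "00:11:22:33:44:55", "alice", "AP3"),
    (900.0, "00:11:22:33:44:55", "alice", "AP1"),
    (2000.0, "00:11:22:33:44:55", "alice", "AP2"),
]

if __name__ == "__main__":
    for mode in ("none", "skc", "okc"):
        print(mode, "no token cache:", otp_prompts(mode, 1800, 0, SAMPLE_ROAMS), "prompts")
    print("okc + 3600 s token cache:", otp_prompts("okc", 1800, 3600, SAMPLE_ROAMS), "prompts")
```

Running it on the constructed trace gives 5 prompts with no caching, 3 with sticky key caching (each new AP costs a full exchange), 2 with opportunistic caching (only the initial association and the post-timeout reassociation), and 1 when the server-side token cache covers the second full exchange. That last combination is the balance the post above points at: the key cache removes the RADIUS round trip on ordinary roams, and the token cache removes the OTP prompt on the full reauthentications that the session timeout still forces.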
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442994#M526628</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Craig,&lt;/P&gt;&lt;P&gt;you are absolutely right, this is a known "issue": as something becomes more secure, it is harder to use. But this is life :)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Today I tested one part of the whole solution: authentication against the RADIUS Token Server (HID). EAP-FAST with EAP-GTC as the inner method, and everything works like a charm. No special protocols for fast roaming of the wireless (I know they are specific and most commonly not recommended if we want high compatibility). And even with roaming between APs, no requirement for token code input. BUT there is some session cache on the ISE which I don't understand... because on each roam between APs there was no request to the RADIUS token server, nor was the client asked for an OTP code. And the RADIUS Token caching feature was not enabled in the RADIUS Token server configuration.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can someone explain to me what this cache is and how it can be controlled?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I didn't finish the EAP-Chaining test, because for some reason the machine authentication via certificates was not successful. It always fails. If someone can share experience with this, I'll be very thankful.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Sep 2017 20:23:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442994#M526628</guid>
      <dc:creator>Alexander Vasilev</dc:creator>
      <dc:date>2017-09-19T20:23:42Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442995#M526629</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;L2 roaming on a secure network typically does not change the session ID, so I would not expect disruption.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Sep 2017 20:35:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442995#M526629</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2017-09-19T20:35:32Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442996#M526630</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, but where is this session info cached, and what control do we have over the cache (cache time, erasing an entry in the cache)?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 20 Sep 2017 05:59:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442996#M526630</guid>
      <dc:creator>Alexander Vasilev</dc:creator>
      <dc:date>2017-09-20T05:59:32Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442997#M526631</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If the client is doing proper roaming in the wireless network, the wireless controller will not do a re-auth of the user. The authentication info of the client is retained in the wireless controller, and the controller will not pass any authentication request to ISE. When I say proper roaming, I mean the client moving from one AP to another without passing through areas with no coverage.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By default this is a built-in feature of WPA2+AES and you don't need fast roaming protocols. How long the controller retains the client's information depends on many parameters, like session timeout, idle timeout and broadcast key refresh, and I would say that is a purely wireless question.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 20 Sep 2017 08:53:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442997#M526631</guid>
      <dc:creator>nikhilcherian</dc:creator>
      <dc:date>2017-09-20T08:53:20Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442998#M526633</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Nikhil,&lt;/P&gt;&lt;P&gt;I have read many things these days related to the topic, but I cannot agree with your post.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With reference to this community document:&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488" title="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488"&gt;802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In summary, it seems that full authentication is done during normal, supported roaming. If we use fast roaming technologies on the WLC, we can speed things up. Also, if the authentication server has some caching functions, we can save some time. Otherwise, full authentication is done.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 24 Sep 2017 12:12:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442998#M526633</guid>
      <dc:creator>Alexander Vasilev</dc:creator>
      <dc:date>2017-09-24T12:12:05Z</dc:date>
    </item>
    <item>
      <title>Re: Enterprise wireless with OTP authentication</title>
      <link>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442999#M526635</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Alex, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have replied to the forum topic &lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488" title="https://supportforums.cisco.com/t5/wireless-mobility-documents/802-11-wlan-roaming-and-fast-secure-roaming-on-cuwn/ta-p/3143488"&gt;802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Still, I believe this is best discussed in a wireless forum rather than in an ISE forum.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Nikhil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 24 Sep 2017 15:38:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/enterprise-wireless-with-otp-authentication/m-p/3442999#M526635</guid>
      <dc:creator>nikhilcherian</dc:creator>
      <dc:date>2017-09-24T15:38:29Z</dc:date>
    </item>
  </channel>
</rss>

