WEBVTT

00:00.120 --> 00:03.950
I want you to think a minute about connecting to something far away.

00:04.080 --> 00:09.210
Now normally we're going to do that through the Internet, which is great, but usually when you're connecting

00:09.210 --> 00:13.570
to something far away you're connecting to an application.

00:13.620 --> 00:16.480
If you go to Google, you're connecting to a web page.

00:16.590 --> 00:19.830
If you're grabbing your e-mail, you're connecting to an e-mail server.

00:19.830 --> 00:26.250
If you're playing Counter-Strike, you're connecting to a gaming server. So normally when you are a client

00:26.280 --> 00:31.050
and you're connecting to a server, what you're doing is you're connecting not only to just one computer

00:31.230 --> 00:33.600
but one application within that computer.

00:33.600 --> 00:36.300
Now I want to take that a step further.

00:36.300 --> 00:42.030
In this episode, network access control, what I want to talk about is not the idea of simply connecting

00:42.030 --> 00:46.850
to one application but connecting to an entire network.

00:46.950 --> 00:50.670
Now network access control is all over the place.

00:50.670 --> 00:55.800
For example, if you're connecting to a wireless network, if you're sitting in an airport and you want to

00:55.890 --> 00:59.970
connect to the Internet, what you're actually doing first is you're connecting to a wireless network;

01:00.030 --> 01:02.400
that's network access control.

01:02.520 --> 01:09.150
Let's say you have two offices, one in Dallas and one in Houston, and you have a dedicated T-3 line that

01:09.150 --> 01:11.400
you're paying thousands of dollars a month for.

01:11.430 --> 01:16.650
That's not on the Internet, so over your own dedicated line you're actually, from one office to the other, creating

01:16.650 --> 01:18.960
what we call remote access.

01:18.960 --> 01:23.580
And the third great example would be like a VPN connection. With a VPN,

01:23.580 --> 01:30.930
what you're doing is you're sitting on some computer someplace and you're connecting not to simply one

01:30.930 --> 01:34.200
computer but to your entire local area network via the Internet.

01:34.200 --> 01:41.550
So in these three cases you've got some kind of box, some kind of system, that's acting as a gatekeeper

01:41.880 --> 01:47.010
that you need to get through, through some kind of authentication process that allows you to become part

01:47.010 --> 01:48.740
of that other network.

01:48.750 --> 01:54.120
Now to do that we've got a whole bunch of different ways, and that's really what this episode is all

01:54.120 --> 01:54.720
about.

01:54.870 --> 02:00.570
But to do that you need to understand that it all started with something a long, long time ago called

02:00.570 --> 02:03.480
Point-to-Point Protocol. Point-to-Point Protocol,

02:03.490 --> 02:07.640
PPP, was originally designed, arguably, for dial-up networks.

02:07.710 --> 02:12.240
Anybody old enough out there to remember using a modem to connect to get onto the Internet?

02:12.240 --> 02:17.580
Keep in mind, what you were doing back then is you were connecting your old computer through a modem,

02:17.820 --> 02:23.190
through a telephone line, to another modem, to another computer, which then gave you access to a big network

02:23.190 --> 02:26.020
called the Internet.

02:26.180 --> 02:28.810
It was an amazing protocol.

02:28.910 --> 02:35.270
It's not used very much any more today; however, the cornerstone of so much network access control done today

02:35.270 --> 02:41.030
started with PPP, and a lot of the traditions and concepts stay with it, so that's why I want to talk

02:41.030 --> 02:48.230
about PPP for a moment. PPP, or Point-to-Point Protocol, was designed primarily to take a computer that only

02:48.230 --> 02:54.380
had a phone line and make it look, bark, smell, taste like it had some seven mile Ethernet connection

02:54.560 --> 02:56.560
over to an Internet service provider.

02:56.660 --> 03:02.030
So PPP had a lot of jobs. It was a transport protocol; its jobs were to do things like, for example,

03:02.780 --> 03:04.490
initiate the connection.

03:04.490 --> 03:10.460
Its job was to get an IP address, get a subnet mask, default gateway, interpret that in such a way that

03:10.460 --> 03:16.220
this computer here would think that it was connected via a network card and would go ahead and make

03:16.220 --> 03:17.240
that initial connection.

03:17.270 --> 03:21.420
Oh, and by the way, maybe we ought to put some authentication in there.

03:21.440 --> 03:27.350
One of the big problems with PPP is that it had very rudimentary authentication mechanisms.

03:27.380 --> 03:31.370
It could basically just do passwords. With PPP you had two choices.

03:31.370 --> 03:34.280
You could do what was known as PAP.

03:34.280 --> 03:39.400
So the PAP protocol was simply passwords in the clear, so you would simply send data.

03:39.770 --> 03:44.050
Your passwords were in the clear, and PAP was not very exciting.

03:44.420 --> 03:48.670
The other alternative, and one that we saw for a long, long time, was something called CHAP.

03:48.680 --> 03:54.130
Sometimes you'll hear the Microsoft version called MS-CHAP. CHAP was a little bit better than PAP

03:54.130 --> 03:59.030
in that at least you would create a connection where the server would make a challenge

03:59.300 --> 04:03.630
of some type, and usually that would be the password that was hashed or something like that.

04:03.680 --> 04:07.670
And then your computer would send that information and compare the hashes, and at least it wasn't in

04:07.670 --> 04:08.230
the clear.

04:08.270 --> 04:09.710
At least it was hashed.

04:09.710 --> 04:15.380
So that was wonderful and fantastic, and while we were doing dial-up, PPP was the king.

04:15.560 --> 04:22.580
However, it didn't take long for people to begin to understand that, connecting to a network, we might

04:22.580 --> 04:26.450
want something better than just a username and password.

04:26.660 --> 04:34.910
So we began to see it. By this time things like TLS had come along and smart cards were being developed,

04:35.330 --> 04:38.960
and what the powers of the Internet decided to do

04:39.860 --> 04:47.180
was to take PPP, and initially the idea was just to create extensions to PPP, but it really developed into

04:47.180 --> 04:49.690
something called EAP.

04:49.700 --> 04:53.290
Now EAP is not even really a protocol.

04:53.300 --> 05:01.070
EAP is a framework that's designed to run inside some transport layer protocol that's actually doing

05:01.070 --> 05:05.360
all the work, that's moving the data and setting the IP addresses and all that kind of stuff.

05:05.570 --> 05:09.290
And it's just handling the authentication stuff.

05:09.290 --> 05:17.410
So really EAP was developed initially as an extension to just the authentication part of it.

05:17.420 --> 05:22.160
Now what I want to do right now is run through all the different types of EAP that are out there.

05:22.160 --> 05:27.440
It is amazing that we can do certificates and smart cards, and we can still use passwords if you want

05:27.440 --> 05:27.980
to.

05:27.980 --> 05:32.120
So let's take a moment and march through the different EAP methods.

05:32.120 --> 05:39.860
The most simple form of EAP is EAP-MD5. It's basically just MS-CHAP in that it will take the

05:39.860 --> 05:44.390
passwords and hash them into an MD5 hash and exchange them.

05:44.390 --> 05:47.560
Next is EAP-PSK, pre-shared key.

05:47.660 --> 05:51.520
So PSK uses a predetermined symmetric key.

05:51.520 --> 05:58.040
So in this case we have two computers; each computer already has the key typed into it, and then

05:58.040 --> 06:02.270
they don't even have to exchange anything because they already have the keys built into them.

06:02.280 --> 06:05.200
Anybody who's worked with wireless access points,

06:05.240 --> 06:07.500
for example WPA or WPA2,

06:07.550 --> 06:09.940
it's very similar to that.

06:10.000 --> 06:12.880
Next is EAP-TLS.

06:13.030 --> 06:17.860
And yep, that means that EAP will handle a full-blown TLS.

06:17.860 --> 06:23.770
However, when you say EAP-TLS, that requires both a server and a client certificate.

06:23.770 --> 06:29.950
So if I have a computer that wants to connect to a network and it's using EAP-TLS, both of them have to

06:29.950 --> 06:36.700
have certificates. EAP-TTLS uses the TLS exchange method.

06:36.790 --> 06:41.790
But in this case, like going to most web sites, only the server has a certificate.

06:41.920 --> 06:49.290
Now remember, EAP is only an extension to some type of protocol that's actually making the connections,

06:49.290 --> 06:57.250
so PPP was great, but PPP was really just a point-to-point protocol, so as we began to have more important

06:57.250 --> 07:03.730
uses for connections, newer transport protocols came along, and to make things a little bit more complicated,

07:04.000 --> 07:08.340
some protocols actually predated EAP.

07:08.350 --> 07:14.140
So we have a couple of these authentication protocols that actually kind of predate EAP and kind of

07:14.140 --> 07:16.360
have their own little space in the sector.

07:16.360 --> 07:22.750
So what I want to do now is go through the different types of protocols that encapsulate EAP and a couple

07:22.750 --> 07:24.100
of weird guys while we're at it.

07:24.100 --> 07:29.320
So here's a scenario. Here on the left I've got a computer that wants to connect to some network. Now

07:29.380 --> 07:34.780
between the network and this computer is going to be some kind of gatekeeper. This gatekeeper could be

07:34.780 --> 07:37.170
a wireless access point.

07:37.270 --> 07:43.180
It could be a VPN concentrator, it could be all kinds of stuff, but there's always some box that's going

07:43.180 --> 07:46.650
to be between me and the network it wants to get to.

07:46.840 --> 07:56.260
So probably the most common place we see EAP used is called 802.1X. 802.1X is a full-blown authentication

07:56.260 --> 08:03.880
standard that allows us to make connections between some type of client system, or in this case I'm going

08:03.880 --> 08:08.170
to actually call it the supplicant, and my network itself.

08:08.170 --> 08:12.390
So in this case let's say we have a wireless network, 802.11.

08:12.440 --> 08:21.100
So 802.1X, which is also known as EAP over Ethernet or EAP over 802.11 because it works both with wired

08:21.100 --> 08:26.680
and wireless connections, just creates some form of connection between the supplicant and the authenticator,

08:26.980 --> 08:32.590
which is what I'm going to call this middle box, and then runs EAP within that for the actual authentication

08:32.590 --> 08:33.280
itself.

08:34.250 --> 08:39.860
Now, keeping this diagram up, the other place where we can make a connection is between the authenticator

08:40.040 --> 08:44.780
and then some kind of authentication server, and if you've been watching other episodes you'll probably

08:44.780 --> 08:50.780
recognize that this is RADIUS, because RADIUS lives on 802.1X.

08:51.110 --> 08:54.400
OK, let's go now and talk about a couple of the weirdos.

08:54.440 --> 09:01.860
One of the first weirdos is something called LEAP. LEAP was invented by Cisco before the 802.11 standards,

09:01.870 --> 09:07.820
the security standards, came out, and it's Cisco's high-security wireless standard.

09:07.880 --> 09:14.460
It's basically EAP with a password within a TLS tunnel. LEAP is no good anymore.

09:14.480 --> 09:15.520
We don't use it.

09:15.560 --> 09:20.070
Instead, it's been supplanted by something called EAP-FAST.

09:20.150 --> 09:26.000
So EAP-FAST tends to be the way we go within a Cisco environment. The last oldie goldie I want to

09:26.000 --> 09:33.500
talk about is something called PEAP. PEAP was Microsoft's version of EAP before EAP came along.

09:33.500 --> 09:41.660
PEAP is designed for all kinds of different network access controls, but it's basically like LEAP, simply

09:41.660 --> 09:46.530
EAP communication within a TLS tunnel, and we don't use PEAP anymore either.

09:46.550 --> 09:48.750
The passwords are just too easy to hack.

09:48.890 --> 09:53.900
So when it comes to network access control, EAP is really the way we go.

09:53.930 --> 09:58.280
I don't care if you're setting up a VPN, if you're setting up a wireless network, whatever you're setting

09:58.280 --> 10:03.920
up, at some point or another you're going to be running into EAP, and the beautiful part about it is that

10:03.920 --> 10:05.760
it takes care of so much for us.

10:05.840 --> 10:27.800
It makes life really easy when it comes to authenticating one computer that wants to join a network.
