Windows 2003 and 802.1x Secure Wireless Deployments.

Date post: 24-Dec-2015
Page 1: Windows 2003 and 802.1x Secure Wireless Deployments

Page 2: Challenge of Wireless

• Impressions that wireless is insecure
  • Early implementations lacked security
    • WEP shared secret, MAC address filtering
  • Difficult to administer and manage
• Need to protect network integrity
• Need to secure data
• Prevent unauthorized network access
• Must be able to trust an access point
• Prevent credential theft
• Security without excess complexity

Page 3: Secure Wireless with Windows 2003

(Architecture diagram: Active Directory, PKI and Wireless, connected through IAS / RADIUS)

• PKI integrated with Active Directory
• Auto enrollment of certificates
• Integrated 802.1x Support
• Integrated EAP Security

IAS checks for a valid X.509 certificate via RADIUS to AD

• Directory Enabled Networking
• Secure 802.1x Wireless Support
• Effortless PKI Services
• Password or certificate-based access

• PKI Deployment Optional
• Passwords can be used w/ Trusted 3rd party Cert.
• Integrated 802.1x Support

All connections are authenticated and secured: EAP/TLS, PEAP

Page 4: Why use 802.1X?

• Eases manageability by centralizing
  • Authentication decisions
  • Authorization decisions
• Distributes keys for data encryption and integrity to the wireless client computer
• Minimizes Access Point cost by moving expensive authentication to AD
• Supports both WPA and WEP

Page 5: Why PEAP vs. EAP/TLS?

• Organizations may not be ready for PKI
  • Managing user certificates stored on computer hard drives has challenges
    • Some personnel might roam among computers
    • Smartcards solve this
  • Technical and sociological issues can delay or prevent deployment
• PEAP enables secure wireless now
  • Leverages existing domain credentials
  • Allows easy migration to certificates and smartcards later

Page 6: PEAP Security and Ease of Deployment Advantages

• PEAP is an open standard.
• PEAP offers end-to-end negotiation protection.
• PEAP uses mutual authentication.
• PEAP offers highly secure keys for data encryption.
• PEAP does not require the deployment of a full PKI or client certificates.
• PEAP can be used efficiently with roaming wireless devices.
• User's credentials are not exposed to brute force password attacks.

Page 7: Windows 2003 Wireless Security

• Native support for IEEE 802.1X
• Complete with all required infrastructure
  • IAS: RADIUS Server and Proxy
  • Windows Certificate Server: PKI
  • AD: User and Computer account and Certificate repository
• Same infrastructure used w/ RAS dial-up and VPN authentication
• Native interop. w/ Windows XP Client (WinXP SP-1)
• Down-level client support (PPC2002, W2K, NT4, 9x)

Page 8: Windows 2003 Improvements

Windows 2003 Active Directory
• Auto Certificate enrollment and renewal for machines and users
• Performance enhancements when using certificate deployment
• Group Policy support of Wireless settings

Internet Authentication Service
• Enhanced logging
• Allows easier deployment of multiple authentication types
• Scaling up
  • Load Balancing
  • RADIUS Proxy
• Configuration export and restore
• Registering AP's with RADIUS servers
  • Large number of AP's in wireless deployment
  • Requires Server 2003 Enterprise Edition

Page 9: System Requirements

• Client: Windows XP Service Pack 1
• Server: Windows Server 2003 IAS
  • Internet Authentication Service (our RADIUS server)
  • Certificate on IAS computer
• Backporting to Windows 2000
  • Client and IAS must have SP3
  • No zero-config support in the client
  • See KB article 313664
  • Supports only TLS and MS-CHAPv2
  • Future EAP methods in XP and 2003 might not be backported

Page 10: 802.1x Setup

1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
   • Don't forget to import CA root
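Steps 6 and 7 above (add the AP as a RADIUS client, point the AP at RADIUS for 802.1x) both come down to one shared secret between the AP and IAS, and that secret is what lets each side reject RADIUS messages the other did not send. The following is an added example, not code from the slides or from Microsoft: it builds the Access-Request an AP sends when it forwards a client's EAP packet, computes the Message-Authenticator that RFC 3579 requires on EAP traffic, and shows the AP-side check of the Response Authenticator on the reply. The shared secret, NAS address, user name and EAP payload are all constructed for the demo.

```python
"""RADIUS message integrity between an AP (RADIUS client) and IAS.

Added example (not from the original slides). Requests that carry
EAP-Message must carry a Message-Authenticator (HMAC-MD5, RFC 3579);
replies are bound to the request by the Response Authenticator (RFC 2865).
Every value below (secret, addresses, identity) is constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _pack(code, ident, authenticator, attrs):
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(packet):
    """Return (code, id, authenticator, [(type, value), ...]); reject malformed packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def _message_authenticator_ok(packet, secret, request_auth):
    """RFC 3579 3.2: HMAC-MD5 over the packet with the Request Authenticator in the
    header and the Message-Authenticator value itself zeroed."""
    _, _, _, attrs = parse(packet)
    offset = 20
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            start = offset + 2
            zeroed = packet[:4] + request_auth + packet[20:start] + bytes(16) + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += 2 + len(value)
    return False  # EAP traffic without a Message-Authenticator is dropped


def build_access_request(secret, ident, username, eap_message, nas_ip, request_auth=None):
    """AP side: Access-Request wrapping the client's EAP packet; returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_EAP_MESSAGE, eap_message),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder, filled in below
    ]
    packet = _pack(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac, request_auth  # placeholder is the last 16 bytes


def verify_access_request(packet, secret):
    """IAS side: accept the request only if its Message-Authenticator matches."""
    code, _, request_auth, _ = parse(packet)
    return code == ACCESS_REQUEST and _message_authenticator_ok(packet, secret, request_auth)


def build_response(secret, code, ident, request_auth, attrs=()):
    """IAS side: Access-Accept/Reject carrying a Message-Authenticator and a Response Authenticator."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, _pack(code, ident, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, secret, request_auth):
    """AP side: trust a reply only if both authenticators check out."""
    _, _, resp_auth, _ = parse(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and _message_authenticator_ok(packet, secret, request_auth)


def demo(secret=b"constructed-shared-secret", forged_secret=b"guessed-wrong"):
    """One constructed exchange; returns which integrity checks pass."""
    # Constructed EAP Response/Identity: code 2, id 1, length 10, type 1, identity "alice"
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"
    request, request_auth = build_access_request(secret, 7, "alice", eap_identity, "10.0.0.5")
    tampered = request[:22] + b"A" + request[23:]  # first byte of User-Name altered in transit
    genuine_reply = build_response(secret, ACCESS_ACCEPT, 7, request_auth)
    forged_reply = build_response(forged_secret, ACCESS_ACCEPT, 7, request_auth)
    return {
        "request_ok": verify_access_request(request, secret),
        "tampered_request_ok": verify_access_request(tampered, secret),
        "genuine_reply_ok": verify_response(genuine_reply, secret, request_auth),
        "forged_reply_ok": verify_response(forged_reply, secret, request_auth),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for step 6 is that the RADIUS shared secret is the only thing standing between the AP and a reply that anyone on the wired side could send, so it should be long and unique per AP, and a server that receives EAP-Message without a valid Message-Authenticator (as `_message_authenticator_ok` returns False here) should drop the request and log it. Step 5's RADIUS logging is where those rejected requests become visible.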
