A Secure Wireless Network Is Possible

Wireless networks can be secure if you use the right technologies. To add a secure wireless network to an existing Windows network, all you need to do is install one or more 802.1x-compliant wireless Access Points (APs) and one computer running Windows Server 2003. The Windows 2003 server will facilitate 802.1x authentication between your wireless clients and your existing Windows network. Your users will be able to gain access to your wireless network simply by using their existing Windows user accounts.

The Means to Security
To secure the wireless network, we'll use 802.1x and the related Protected Extensible Authentication Protocol (PEAP), which are the wireless networking industry's initial solution to the Wired Equivalent Privacy (WEP) standard's security problems. WEP's main vulnerabilities are poor encryption key handling and a lack of per-user authentication and authorization. The 802.1x standard addresses these problems by implementing better key-management methods and leveraging Remote Authentication Dial-In User Service (RADIUS) servers for authentication, accounting, and authorization.

Wi-Fi Protected Access (WPA) is an even more recent and secure standard that completely replaces WEP, and Microsoft offers Windows updates that support WPA. However, at the time of this writing, you can't use Group Policy to roll out or configure the WPA update; you must do the work manually or purchase some other method of automated software deployment. For more information about WPA, see the sidebar "The WPA Alternative."

The 802.1x standard supports conceivably any authentication protocol through its use of PEAP, a follow-on to Extensible Authentication Protocol (EAP) developed by Microsoft, Cisco Systems, and RSA Security. EAP facilitates choice in authentication methods but doesn't protect them from eavesdropping or modification by attackers. PEAP provides a secure, Secure Sockets Layer (SSL)-based, integrity-checked channel through which client and server can conduct authentication by any means, including certificates, passwords, smart cards, and biometrics. Windows 2003 and Windows XP feature built-in support for certificates, passwords, and smart cards. The Microsoft 802.1x Authentication Client (which I discuss later in the article) gives you the same support for Windows 2000, Windows NT, and Windows 98. All three options provide mutual authentication between the server and client, integrity checking, and encryption to foil eavesdroppers.

You can use either PEAP EAP-Transport Layer Security (TLS) or PEAP EAP-Microsoft Challenge Handshake Authentication Protocol (MSCHAP) v2 for authentication to your wireless LAN (WLAN). EAP-TLS accomplishes authentication by using client certificates, which can be stored on smart cards or the local computer. Smart cards provide the highest level of security for authenticating clients on your wireless network but require an investment in cards and readers and an infrastructure for deployment and support. Client certificates stored on the workstation provide the next highest level of security but require you to take on the maintenance work of deploying client certificates to each client workstation and deploying and managing a public key infrastructure (PKI).

Although Active Directory (AD) and Group Policy's built-in support for certificate management can help you manage certificates, some companies still need an alternative to client certificates for their wireless network—especially smaller companies that want to avoid rolling out a full PKI. That's where EAP-MSCHAP v2 comes in. EAP-MSCHAP v2 uses the familiar, password-based Windows authentication protocol MSCHAP v2 inside PEAP. EAP-MSCHAP v2 lets you leverage existing Windows accounts to control access to the WLAN instead of requiring a full PKI to deploy client certificates to each workstation. However, you should be aware of one limitation when using EAP-MSCHAP v2. Because EAP-MSCHAP v2 is based on the user's password, the user's computer doesn't gain access to the WLAN—or to anything on the network, such as Group Policy Objects (GPOs)—until the user logs on. In this article, I show you how to use EAP-MSCHAP v2 to employ your users' existing Windows account passwords for authentication to your secure 802.1x network. I assume you have a Win2K AD domain, but if not, you can use accounts stored on a Windows 2003 server in a legacy NT domain.

In 802.1x networks, the AP becomes a middleman, simply passing messages between the wireless client and a RADIUS server. The client and RADIUS server authenticate to each other. When authentication is successful, the RADIUS server notifies the AP that the wireless client can join the network. The RADIUS server can also provide the AP with a list of routing restrictions that should apply to the client based on profiles stored on the RADIUS server. This per-client routing control introduces some exciting possibilities, such as the ability to restrict visiting business partners to certain services or areas of your network. For instance, you could configure a profile on the RADIUS server that restricts guests who connect to your network to Internet access only and prevents them from accessing servers on your local network.

Previous [1] 2 3 4 Next

Great article, but has anyone tried to enable WPA on a 2003 server computer? I know it works on XP with the appropriate patches, but no luck with just a 2003 server.

Bill O'Sullivan May 07, 2004

I must be missing something. I am getting a message "A certificate could not be found that can be used with this Extesible Authentication Protocol" when I click on the configure button when adding the RAP. Am I supposed to be creating a certificate prior to this? I am logged on as a domain and enterprise admin. Thanks.

gibby111 June 01, 2004

I followed the article to the letter and I get the same error message as gibby111. I checked in the CA and the certificate was created, the RAP doesn't seem to know where to look for it. I would like to get this to work so more information would be helpful.

Kat Zumbach June 02, 2004

I am having the same problem that Gibby111 has.
As far as I know, we created the certificate already, but for some reason it doesn't seem to work. Anyone has any ideas? Thanks

Hector Matos June 07, 2004

gibby111 - you're not alone. I'm getting the *same* error! Tried searching TechNet, got nothing. I'm stumped. Anyone know how to get around this? I've verified that a cert. does exist!

Now, I installed as an enterprise sub-CA. Already have Root CA (Win2K). Does the root need to be 2K3?

omslaw June 08, 2004

Great article, but I too must be missing something. I couldn't locate a certicate while configuring the EAP.

ZumbachKat June 09, 2004

I enjoyed this article but found that it wasn't nearly as simple as the article made it out to be. I still have not been able to get the AP to talk to the radius server. The wireless router can ping the radius but the radius cannot ping the wireless router.

Stephen Ben June 11, 2004

Am I reading this right?............ that WEP is not needed here?

Oje Alexis June 16, 2004

I am getting the same error as above. I followed the instructions. What am i missing?

bobo June 22, 2004

The certificate error is stopping a lot of people from being able to implement this wonderful plan. C'mon, Randy. Post us a fix!

ckaiser July 12, 2004 (Article Rating:

)

See More Comments 1 2

You must log on before posting a comment.

If you don't have a username & password, please register now.