July 19, 2004 12:00 AM

Using Certificates to Secure Your WLAN

AD and Group Policy make it easy
Windows IT Pro
InstantDoc ID #43086

Without 802.1x, trying to set up and maintain a secure wireless LAN (WLAN) is a nightmare because of vulnerabilities in the Wired Equivalent Privacy (WEP) standard, especially poor key-management techniques such as manual key distribution. Although 802.1x addresses WEP's major vulnerabilities, you must configure each component to use 802.1x, including workstations, wireless Access Points (APs), and a Remote Authentication Dial-In User Service (RADIUS) server. In addition, the RADIUS server needs a credentials database that it can use to authenticate wireless clients, and you need a Certificate Authority (CA) to grant the RADIUS server a certificate for authenticating itself to wireless clients.

However, Microsoft has leveraged Active Directory (AD) and Group Policy to the point that you can completely insulate the user from the 802.1x implementation process. When your WLAN and clients are properly set up, an authorized workstation that's brought within range of your WLAN automatically authenticates and connects to the WLAN without any action by the user. Unauthorized workstations are blocked from connecting to the WLAN or snooping on its traffic. With 802.1x, there are no WEP keys to manually distribute to APs and workstations, and no lists of media access control (MAC) addresses of authorized workstations on each AP. An 802.1x WLAN first requires wireless clients to authenticate through the AP to a RADIUS server, then lets the AP and wireless client negotiate dynamic encryption keys instead of using the much weaker static keys that most WEP networks use.

I'm pretty blown away by what a good job Microsoft has done integrating 802.1x support into the Windows environment--how easy it is to set up and how well it works. I'm going to show you the simplest way to implement 802.1x and certificate-based authentication on a typical network of Windows XP and Windows 2000 computers and a Win2K AD domain. Alternatively, you can use passwords for WLAN authentication. In this case, you can configure workstations so that when they come within range of your WLAN, they either use the username and password that the user specified when logging on to the workstation or prompt the user to manually enter new credentials. Password-based authentication is simpler to roll out than certificates because you don't have to create the certificates, but password authentication requires more action from the user to get on the network, and it's less secure. Password-based authentication leaves your network vulnerable to anyone who can guess an authorized user's password--and we all know how weak user passwords tend to be. Certificate-based authentication lets onto the network only users who have a computer with an authorized certificate and private key (or who can steal such a computer). For in-depth coverage of setting up a password-based 802.1x WLAN, see the Windows & .NET Magazine article "A Secure Wireless Network Is Possible," May 2004, InstantDoc ID 42273.

Although Windows supports the most recent wireless security standard--Wi-Fi Protected Access (WPA), which uses 802.1x and addresses WEP's vulnerabilities--I don't use WPA in this article for several reasons. First, as I write this article, you can't use Group Policy to roll out the WPA update automatically to all your workstations--a major drawback if you have many workstations. Second, WPA is actually an interim standard adopted by the wireless industry until the official 802.11i is ratified, which means that if you implement WPA now, you'll need to roll out another update relatively soon. Third, WPA requires device driver or firmware updates for your many wireless NICs and firmware updates for your APs. When you look at all the work required to implement WPA and the little extra protection WPA provides compared with how easily you can implement 802.1x and how much protection 802.1x provides, WPA just doesn't seem worth the trouble. If Microsoft provides a way to update systems and NICs automatically to 802.11i when it comes out, I think 802.11i will be a worthwhile investment.

Adding X
To set up 802.1x on a WLAN, the first thing you need to do is make sure your network supports 802.1x. Windows Server 2003 comes with 802.1x built in, and Microsoft has added 802.1x support to XP with Service Pack 1 (SP1) and to Win2K with the Microsoft 802.1x Authentication Client available at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp. (You can even obtain 802.1x authentication clients for Windows NT and Windows 9x if you have a Premier or Alliance support contract with Microsoft, but you won't be able to use Group Policy to push out a centrally configured wireless networking policy to those computers.)

Next, make sure that any APs you currently have or plan to purchase support 802.1x. Typically, 802.1x-compliant APs have an 802.1x configuration page that you can find when you log on to the AP through your Web browser.

Finally, you must set up one Windows 2003 server and install Internet Authentication Service (IAS) on it. IAS provides the RADIUS server necessary on an 802.1x WLAN. When a wireless client tries to connect to an AP, the AP contacts the RADIUS server to try to authenticate and authorize the client. The RADIUS server checks the client's credentials against AD and lets the AP know whether to let the wireless client connect. You need to use Windows 2003's IAS instead of Win2K Server's IAS because only Windows 2003's IAS supports 802.1x authentication services. Make sure that the Windows 2003 computer that will serve as the IAS server is a member of the domain but not a domain controller (DC). Then open the Control Panel Add/Remove Programs applet, select Add/Remove Components, and install Internet Authentication Service.
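The AP-to-RADIUS leg described above, as an added Python example that is not code from the article or from Microsoft: the AP wraps the client's EAP Identity response in a RADIUS Access-Request (RFC 2865, RFC 3579), the server checks the request's Message-Authenticator, and the AP checks the Response Authenticator on the server's reply before it opens the port. The shared secret, client identity, NAS name and packet IDs are constructed sample values; the EAP-TLS certificate handshake that follows the Identity exchange is not modelled.

```python
# Constructed example: the shared secret, identity and NAS name used with it are sample values.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 32, 79, 80

def attr(type_code, value):
    """One RADIUS attribute; Length includes the 2-byte Type/Length header."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (Code 2, Type 1): the client's first 802.1x message."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def build_access_request(secret, ident, authenticator, attrs):
    """AP side. RFC 3579: a request carrying EAP-Message needs a Message-Authenticator,
    HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def verify_access_request(secret, packet):
    """Server side: find the Message-Authenticator and recompute the HMAC with it zeroed."""
    length, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False  # malformed attribute; do not loop on it
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # an EAP request without Message-Authenticator must be dropped

def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def authentic_response_code(secret, ident, request_authenticator, packet):
    """AP side: trust the reply's Code only if its ID and Response Authenticator match,
    so a forged or misdirected Access-Accept cannot open the port. None = discard."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    ok = packet[1] == ident and hmac.compare_digest(expected, packet[4:20])
    return packet[0] if ok else None
```

In a real deployment the Request Authenticator is 16 fresh random bytes per request and the shared secret is per-AP; the test below uses a fixed one only to make the exchange reproducible.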

Comments
  • servergroup
    Aug 06, 2004

    This is what we are in progress of doing.
