Scribd
Upload
53 views

Windows 2003 and 802.1x Secure Wireless Deployments

This document discusses using Windows 2003 and 802.1x to securely deploy wireless networks. It outlines challenges with early wireless implementations that lacked security and the need to protect network integrity and secure data. Windows 2003 provides secure wireless connections through directory enabled networking, secure 802.1x wireless support, and effortless PKI services. PEAP is recommended over EAP/TLS as it leverages existing credentials and allows easy migration to certificates later. The document provides an overview of setting up Windows 2003, IAS, and configuring an access point and wireless clients for 802.1x authentication.

Uploaded by

Raj
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
53 views

Windows 2003 and 802.1x Secure Wireless Deployments

This document discusses using Windows 2003 and 802.1x to securely deploy wireless networks. It outlines challenges with early wireless implementations that lacked security and the need to protect network integrity and secure data. Windows 2003 provides secure wireless connections through directory enabled networking, secure 802.1x wireless support, and effortless PKI services. PEAP is recommended over EAP/TLS as it leverages existing credentials and allows easy migration to certificates later. The document provides an overview of setting up Windows 2003, IAS, and configuring an access point and wireless clients for 802.1x authentication.

Uploaded by

Raj
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 10

Windows 2003 and 802.

1x Secure Wireless
Deployments
Challenge of Wireless
Impressions that wireless is insecure
Early implementations lacked security
WEP shared secret, mac address filtering
Difficult to administer and manage
Need to protect network integrity
Need to secure data
Prevent unauthorized network access
Must be able to trust an access point
Prevent credential theft
Security without excess complexity
Secure Wireless with Windows 2003
All
All connections
connections are authenticated and secured:
secured:
 Directory Enabled Networking
 Secure 802.1x Wireless Support
 Effortless PKI Services
Active
 Password or certificate-based
Directory access
IAS
RADIUS
Wireless

Checks for valid x509 Certificate


PKI Via RADIUS to AD

EAP/TLS
EAP/TLS PEAP
PEAP
•PKI integrated with Active Directory •PKI Deployment Optional
•Auto enrollment of certificates •Passwords can be used w/ Trusted 3rd party
•Integrated 802.1x Support Cert.
•Integrated EAP Security •Integrated 802.1x Support
Why use 802.1X ?

Eases manageability by centralizing


Authentication decisions
Authorization decisions
Distributes keys for data encryption and
integrity to the wireless client computer
Minimizes Access Point cost by moving
expensive authentication to AD
Supports both WPA and WEP
Why PEAP vs. EAP/TLS ?

Organizations may not ready for PKI


Managing user certificates stored on computer
hard drives has challenges
Some personnel might roam among computers
Smartcards solve this
Technical and sociological issues can delay
or prevent deployment
PEAP enables secure wireless now
Leverages existing domain credentials
Allows easy migration to certificates and
smartcards later
PEAP Security and Ease of Deployment
Advantages
PEAP is an open standard
PEAP offers end-to-end negotiation protection.
PEAP uses mutual authentication.
PEAP offers highly secure keys for data
encryption.
PEAP does not require the deployment of a full
PKI or client certificates.
PEAP can be used efficiently with roaming
wireless devices.
User's credentials are not exposed to brute force
password attacks.
Windows 2003 Wireless

Security
Native support for IEEE 802.1X
Complete with all required infrastructure
IAS: RADIUS Server and Proxy
Windows Certificate Server : PKI
AD: User and Computer account and Certificate repository
Same infrastructure used w/ RAS dial-up and VPN
authentication
Native interop. w/ Windows XP Client: (WinXP SP-1)
Down-level client support (PPC2002, W2K, NT4, 9x)
Windows 2003 Improvements
Windows 2003 Active Directory
Auto Certificate enrollment and renewal for machines and
users
Performance enhancements when using certificate
deployment
Group Policy support of Wireless settings
Internet Authentication Service
Enhanced logging
Allows easier deployment of multiple authentication types
Scaling up
Load Balancing
RADIUS Proxy
Configuration export and restore
Registering AP’s with RADIUS servers
Large number of AP’s in wireless deployment
Requires Server 2003 Enterprise Edition
System Requirements
Client: Windows XP service pack 1
Server: Windows Server 2003 IAS
Internet Authentication Service—our RADIUS server
Certificate on IAS computer
Backporting to Windows 2000
Client and IAS must have SP3
No zero-config support in the client
See KB article 313664
Supports only TLS and MS-CHAPv2
Future EAP methods in XP and 2003 might not be backported
802.1 x Setup
1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
Don’t forget to import CA root

You might also like