Secure 802.1X Wireless Networking in Windows Server 2003/2008

ovenforksquee (Security)

3 Nov 2013

ITNW 2313: Networking Hardware

Prof. Michael P. Harris, CCNA, CCAI

Enhancements for Wireless Networking

The enhancements that SP1 provides for wireless LANs are of great benefit to enterprise-wide networks. Without SP1 on Windows Server 2003, the WPA security method isn’t supported and therefore cannot be implemented, which is no longer an issue with Service Pack 1. Apart from addressing the weaknesses that the original Windows Server 2003 has, SP1 makes it easier to deploy secure large-scale wireless LANs. Additionally, administrators are now able to give the users of wireless clients (with Windows XP SP2) a choice of pre-approved digital certificates and signing authorities. This means they would only be allowed to install certificates for the network that the administrator has previously acknowledged, making them less prone to man-in-the-middle attacks.

Centralized Management

The Active Directory Group Policy console allows for centralized management of the Wireless Zero Configuration client, which makes it easier and faster to connect wireless clients to a secure network. WPA TKIP and AES encryption settings can now be configured, and any wireless client with Windows XP Service Pack 2, or Service Pack 1 and the WPA patch, can be centrally configured to use the more secure WPA TKIP or AES methods to connect to the wireless LAN.

Wireless Setup Wizard

As did Windows XP SP2, Windows 2003 SP1 comes with a Wireless Network Wizard that will help you to configure secure wireless networks. Configuration settings can be stored on removable media (such as a USB pen drive) and then copied over to other machines.

PEAP Authentication Scheme

LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS (Transport Layer Security) authentication scheme introduced by Cisco in later versions of the firmware for their Aironet access point product range. This protocol lacks point-to-point protection, which leaves it open to dictionary attacks at the credential authentication stage. With the introduction of PEAP (Protected Extensible Authentication Protocol) authentication in the IAS (Internet Authentication Service) component of Windows Server 2003/2008, these weaknesses are addressed. Furthermore, a single server-side digital certificate is able to support many clients without the use of an installed certificate on the client side.



Wireless Provisioning Services

This new technology makes it easier for mobile workers to connect to hotspots or corporate LANs by eliminating the need for manual configuration of the network connection. Enterprises can better manage guest access on their network and provide payment plans such as pay-per-use or monthly Internet access to customers.

Securing Wireless in Windows Server 2003/2008

When configured incorrectly, wireless connections are probably one of the most vulnerable points of a network. A simple password-based authentication method is not enough, especially over a wireless connection. By means of the Internet Authentication Service in Windows 2003/2008, administrators are able to set up an 802.1X-based secure network.

In order to take advantage of 802.1X in Windows Server, you will require the use of the following services:

- DHCP and DNS
- Active Directory Service
- RADIUS Server (Internet Authentication Service)
- Certificate-based infrastructure (referred to as PKI, Public Key Infrastructure)

I will cover the following steps and show you how to set up an 802.1X-based security structure using the Internet Authentication Service (IAS) in Windows Server:

- Configuring your access point
- Windows 2003/2008 Certification Authority
- Windows 2003/2008 Active Directory Service Configuration
- Windows 2003/2008 IAS Configuration

Configuring your Access Point

Your access points must support 802.1X and WEP authentication. If they don’t, check for a firmware upgrade before you proceed. 802.1X and RADIUS provide automatic generation of session keys, so they will not have to be entered manually into the access point. However, some access points do support manual input of keys for simulation (testing) purposes.

Firstly, from your access point’s configuration web interface, you must set which machines act as RADIUS servers on your network. There may be slight variations, but the idea is the same: go to the RADIUS servers list from either the ‘Wireless Security’ or ‘Wireless Settings’ panel and add the IP address, port number and shared secret for your RADIUS server connection.


Secondly, from the ‘Wireless Security’ panel go to the 802.1X Security section and enable it, then select your required key size and group key re-key settings:


- No rekeying: the clients will not have to re-key the password to re-authenticate to the RADIUS server.
- Rekeying every X minutes: this refers to the number of minutes before the client will have to re-enter the password.
- Rekeying every X packets: this refers to the number of transmitted packets before the client will have to re-enter the password.

Once you have done all this you can move on to the next stage of configuring the Certificate Authority on your Windows 2003 Server.

Windows Server Certification Authority (CA)

The PEAP protocol needs the IAS Server to identify itself to the wireless client before the client passes any encrypted credentials to it. Once the IAS Server has a certificate installed, it gets a private key which it then uses to decrypt the encrypted credentials sent by the wireless client. The wireless client uses the certificate’s public key to encrypt the username and password.

To install the certification authority (CA) console you will have to run the Add/Remove components wizard and select Certificate Services from the list. To make use of the Web Enrollment Wizard (the web interface used to request and generate certificates) you will have to have IIS (Internet Information Server) installed.

NOTE: Before initiating the installation you will be warned that changing the machine name or domain membership will invalidate any certificates coming from the CA, because CA information is stored, and bound, in Active Directory. Make sure you have all the properties of your machine set up properly before you continue.

As part of the installation you will be asked to select the type of CA you want to set up. You have a choice of Enterprise CA, Enterprise Subordinate, Standalone CA and Standalone Subordinate, with Enterprise CA being the most trusted Certificate Authority in the enterprise. Make your choice and follow the wizard to complete the installation.

Once the CA console is installed you will have to issue a certificate for the computer running IAS. Do this from the web enrollment wizard (which is created automatically when you install Certificate Services unless you manually specified for it not to be installed). By default you can log on and request a certificate by opening Internet Explorer and navigating to

http://<ip_address>/certsrv

Install user and computer certificates on wireless clients in the same manner as stated above.

Windows Active Directory Service Configuration

Your next step is to create a group for wireless user and computer accounts in AD. Alternatively you could just create individual users, but it goes without saying that groups are easier to manage. In the properties of the user account, go to the Dial-In tab and select the “Control Access through Remote Access Policy” option in the Remote Access Permission section.

NOTE: If “Control Access through Remote Access Policy” is disabled then your current domain functional level is probably set to Windows 2000. To change this, right click the domain name in Active Directory and select Raise Domain Functional Level. Choose Windows 2003 from the drop-down list and press Apply. Once AD replication is complete, the “Control Access through Remote Access Policy” option will no longer be grayed out.

You must also verify that your IAS Server is a member of the RAS and IAS Servers security group.



Windows Server IAS Configuration

If you haven’t already done so you will have to install the Internet Authentication Service component from Add/Remove Programs in the Control Panel. You will find it under Networking Services.

Open the IAS console from the Administrative Tools folder in either the Control Panel or Start Menu programs. Follow these steps:



- Right click the main IAS node and select “Register Server in Active Directory”; this will authorize IAS to read the users’ dial-in properties from the domain.
- From the window on the right hand side of the console, right click anywhere and select “New RADIUS Client”. In the first screen, enter a friendly name for the RADIUS Client and also the Access Point IP address. Press Next.
- Now select the client-vendor attribute of the RADIUS client. If you are not using a remote access policy based on the client vendor’s attribute then select RADIUS Standard from the list.
- Type the shared secret, as you did when configuring the 802.1X server on your access point. The IAS Server will only allow user information to be forwarded to it by the AP once the correct shared key has been provided, so make sure that they match.
- After pressing Next the new client will show up in the right pane of the IAS console.
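The shared-secret step above is the whole basis of trust between the access point and IAS, so here is an added example of what each side actually checks with it: a Python model of one RADIUS Access-Request/response round following RFC 2865 and RFC 3579. It is example code written for this page, not Microsoft's or any access point vendor's; the user name, NAS address, packet identifier and secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 61, 80
WIRELESS_IEEE_80211 = 19  # NAS-Port-Type value an 802.1X access point sends


def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return bytes([atype, len(value) + 2]) + value


def header(code, ident, authenticator, attrs):
    """Prepend the 20-byte RADIUS header to an attribute blob."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(packet):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_access_request(ident, secret, username, nas_ip):
    """Access point side: build the Access-Request carrying the user's identity.
    The Message-Authenticator is HMAC-MD5 over the whole packet, keyed with the
    shared secret, computed with its own value set to 16 zero bytes."""
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_IEEE_80211)))
    placeholder = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, header(ACCESS_REQUEST, ident, req_auth, attrs + placeholder),
                   hashlib.md5).digest()
    return header(ACCESS_REQUEST, ident, req_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))


def ias_accepts_request(packet, secret):
    """RADIUS server side: recompute the Message-Authenticator with the secret
    configured for this RADIUS client. On a mismatch the packet is silently
    discarded, which is what a wrong shared secret on the AP looks like."""
    code, ident, req_auth, attrs = parse(packet)
    received = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if code != ACCESS_REQUEST or received is None:
        return False
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v)
                      for t, v in attrs)
    expected = hmac.new(secret, header(code, ident, req_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request_packet, secret):
    """RADIUS server side: the Response Authenticator is MD5 over the response
    header, the Request Authenticator, the attributes and the shared secret."""
    _, ident, req_auth, _ = parse(request_packet)
    attrs = b""  # a real Access-Accept would also carry the session key material
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def ap_accepts_response(response, request_packet, secret):
    """Access point side: only act on a response whose identifier matches our
    request and whose Response Authenticator verifies under the shared secret."""
    _, ident, resp_auth, _ = parse(response)
    _, req_ident, req_auth, _ = parse(request_packet)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def exchange(secret_on_ap, secret_on_ias, grant=True):
    """Run one request/response round and report where it stops."""
    # Constructed sample values: identifier 7, user, NAS (access point) address.
    request = build_access_request(7, secret_on_ap, "wifi-user@example.local", "192.0.2.10")
    if not ias_accepts_request(request, secret_on_ias):
        return "ias-dropped-request"
    response = build_response(ACCESS_ACCEPT if grant else ACCESS_REJECT, request, secret_on_ias)
    if not ap_accepts_response(response, request, secret_on_ap):
        return "ap-dropped-response"
    return "accept" if parse(response)[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret"))   # accept
    print(exchange(b"s3cret", b"typo-ed"))  # ias-dropped-request
```

The first exchange returns accept; the second, where the secret typed into IAS differs from the one on the access point, stops at the server with no reply at all, which is the silent drop seen in practice when the two do not match. The same Response Authenticator check is what stops anyone on the path from turning an Access-Reject into an Access-Accept without knowing the secret.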

Creating a Wireless Remote Access Policy

Your next step is to create a Remote Access Policy for wireless access. Right click the Remote Access Policies node in the left hand pane and select New Remote Access Policy to bring up the wizard. Enter a policy name in the given text box and select whether you want to set up the policy manually or via the wizard.

NOTE: The wizard will do what most Microsoft wizards do: help you to set up a typical scenario while allowing you to add conditions to it later. You can set user or group access and the authentication method using Protected EAP. Manual configuration will give you the option to set all your conditions straight away and customize the setup to suit your specific needs.

If you select to use the wizard you will be given the option to choose a method of access for the policy. VPN, Dial-Up, Wireless and Ethernet are your typical RADIUS server options. Choose Wireless and press Next. Select whether you want to grant access to a User or Group, followed by the EAP type. In the Authentication Method screen choose PEAP as the EAP Authentication Method and press the Configure button if you want to edit which certificate will be issued to identify the server. Press Next and Finish.
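To make concrete how the account's Dial-In setting and the policy's own permission combine, here is an added, simplified Python model of how IAS evaluates an Access-Request against an ordered list of remote access policies. It is example code for this page, not IAS's implementation; the policy names, group names and user accounts are constructed, and the policy profile is reduced to the set of allowed EAP types.

```python
from dataclasses import dataclass

# Dial-in permission as set on the account's Dial-In tab in Active Directory.
ALLOW, DENY, CONTROL_THROUGH_POLICY = "allow", "deny", "control-through-policy"

# NAS-Port-Type values that the wizard's "Wireless" access method matches on.
WIRELESS_PORT_TYPES = {"Wireless-IEEE 802.11", "Wireless-Other"}


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict   # RADIUS attribute name -> set of acceptable values
    groups: set        # Windows-Groups condition; membership in any one matches
    grant: bool        # the policy's own "Grant remote access permission"
    eap_types: set     # EAP methods allowed by the policy profile


@dataclass
class AccessRequest:
    user: str
    user_groups: set
    dial_in: str       # ALLOW, DENY or CONTROL_THROUGH_POLICY
    attributes: dict   # RADIUS attributes sent by the access point
    eap_type: str      # EAP method negotiated with the wireless client


def matches(policy, request):
    """Every condition on the policy must hold for it to be selected."""
    if policy.groups and not (policy.groups & request.user_groups):
        return False
    return all(request.attributes.get(name) in values
               for name, values in policy.conditions.items())


def evaluate(policies, request):
    """Return (granted, reason). Policies are tried in order and only the first
    match counts; the account's dial-in setting then overrides the policy's
    permission unless it is set to control access through the policy."""
    policy = next((p for p in policies if matches(p, request)), None)
    if policy is None:
        return False, "no remote access policy matched"
    if request.dial_in == DENY:
        return False, f"account dial-in permission is Deny (matched {policy.name!r})"
    if request.dial_in == CONTROL_THROUGH_POLICY and not policy.grant:
        return False, f"policy {policy.name!r} denies access"
    if request.eap_type not in policy.eap_types:
        return False, f"EAP type {request.eap_type!r} not allowed by {policy.name!r}"
    return True, f"granted by {policy.name!r}"


# Constructed sample policies, in the order they would sit in the IAS console.
SAMPLE_POLICIES = [
    RemoteAccessPolicy(name="Wireless PEAP access",
                       conditions={"NAS-Port-Type": WIRELESS_PORT_TYPES},
                       groups={"Wireless Users"}, grant=True, eap_types={"PEAP"}),
    RemoteAccessPolicy(name="Deny everything else",
                       conditions={}, groups=set(), grant=False, eap_types=set()),
]


def decide(user, user_groups, dial_in, port_type, eap_type="PEAP"):
    """One association attempt evaluated against SAMPLE_POLICIES."""
    request = AccessRequest(user, set(user_groups), dial_in,
                            {"NAS-Port-Type": port_type}, eap_type)
    return evaluate(SAMPLE_POLICIES, request)


if __name__ == "__main__":
    # Constructed accounts: only the first one should be granted access.
    for args in [("alice", ["Wireless Users"], CONTROL_THROUGH_POLICY, "Wireless-IEEE 802.11"),
                 ("bob", ["Domain Users"], CONTROL_THROUGH_POLICY, "Wireless-IEEE 802.11"),
                 ("carol", ["Wireless Users"], DENY, "Wireless-IEEE 802.11"),
                 ("dave", ["Wireless Users"], CONTROL_THROUGH_POLICY, "Async"),
                 ("erin", ["Wireless Users"], ALLOW, "Wireless-IEEE 802.11", "MD5-Challenge")]:
        print(args[0], decide(*args))
```

The order of the list matters: a catch-all deny policy placed first would shadow the wireless policy for everyone, and an account left on Allow access bypasses a policy's deny but is still held to the policy profile, which is why the page has you set accounts to Control Access through Remote Access Policy rather than Allow.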

You have now deployed 802.1X security on a Windows RADIUS Server.