Securing Wireless LANs with PEAP and Passwords

Chapter 1: Securing Wireless LANs with PEAP and Passwords

Updated: April 2, 2004

Introduction

Today, wireless technology is a hot topic of debate in the business world; most organizations either have already deployed wireless local area networks (WLANs) or are involved in discussions on the pros and cons of wireless technology. The productivity improvements perceived by users and the attractiveness of low-maintenance networking for information technology (IT) departments are undeniable. However, serious security concerns have made the majority of IT heads cautious about, if not downright hostile toward, the idea of introducing WLANs into their organizations. At the same time, the solutions proposed by analysts and network vendors to address these concerns have seemed overly complex and costly to deploy.

Securing Wireless LANs with PEAP and Passwords is the second Microsoft security solution for WLANs. It is a companion to the first solution, Securing Wireless LANs – A Certificate Services Solution. Whereas the first solution was aimed at large organizations, the second is considerably simpler and easier to deploy and is designed for small and medium–sized organizations. The primary technological difference between the two solutions is that the first solution uses public key certificates to authenticate users and computers to the WLAN, whereas the second uses user name and password authentication. Other distinguishing features of this solution are that it uses existing (rather than new) server hardware, employs a simpler administrative delegation model, and automates many more of the configuration tasks using scripts and predefined settings.

The documentation for this solution has two important characteristics that distinguish it from the general product documentation for the Microsoft Windows operating system and from many of the technical white papers available from Microsoft. The first is the prescriptive nature of the guidance: where design choices were available, decisions were taken based on knowledge gained from internal deployment as well as customer feedback received by Microsoft. The solution is based on these best practices and was built and tested in Microsoft labs to ensure that it works as intended. The second characteristic is that it is an end–to–end solution encompassing the complete lifecycle of designing and planning, building, testing, and managing the solution.

As detailed in later chapters, the solution is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard and requires a RADIUS (Remote Authentication Dial–In User Service) infrastructure. It uses a flexible architecture that can be adapted for a range of organizations, from those with only a few tens of users to those with several thousand users. The solution was built and tested using Microsoft Windows XP clients, Microsoft Pocket PC 2003 clients, and Microsoft Windows Server™ 2003 servers.

Solution Overview

This guidance is divided into four sections, each of which corresponds to a phase in the life cycle of the solution. These phases are planning, implementing, testing, and operating. These phases are further divided into chapters.

Figure 1.1 Overview of Securing Wireless LANs


The planning section consists of an introduction, "Choosing a Strategy for Wireless LAN Security", and Chapter 2, "Planning a Wireless LAN Security Implementation." The next four chapters make up the build and deploy section. These chapters provide instructions for implementing the RADIUS servers using Windows Server 2003 Internet Authentication Service (IAS), and for deploying the wireless clients and supporting infrastructure. Each chapter provides detailed procedures on installing and configuring the software components and integrating them into the solution. The chapters also include verification procedures that help minimize errors.

The testing section has one chapter, which explains how to confirm that the solution is working correctly before it is deployed. The operating section also has a single chapter; this explains how to operate, monitor, change, and troubleshoot all the components of the solution.

A set of tools and scripts accompanies the guidance and is used to automate many of the implementation and operations tasks.

The following section gives a more detailed description of each chapter.

Choosing a Strategy for Wireless LAN Security

This document serves as an introduction to the two WLAN security solutions described earlier. Its objective is to help you select the right strategy for the security infrastructure for your wireless network. It describes the business reasons that drive the adoption of WLAN technology and the security concerns surrounding it. It discusses the different options available for addressing these security concerns and outlines a solution based on strong authentication and network data protection. It also contains a discussion on the relative merits of the different approaches to securing WLANs including native WLAN security solutions, virtual private networks (VPN), and IP security.

Chapter 1: Securing Wireless LANs with PEAP and Passwords

Chapter 1 is this current chapter and gives an overview of the content of the solution guidance.

Chapter 2: Planning a Wireless LAN Security Implementation

This chapter describes the architectural design of the wireless LAN security solution. It covers the following topics:

How a WLAN solution based on 802.1X and Protected Extensible Authentication Protocol (PEAP) works.

A description of the target organization for this solution and the key design criteria for the solution.

Developing a WLAN security solution design based on the requirements of the target organization.

Describing how this basic design can be scaled for much larger organizations.

Discussing variations on the design to accommodate requirements outside the core solution such as introducing VPN or wired 802.1X networking.

The chapter concentrates on the design of a RADIUS infrastructure (using IAS, the RADIUS implementation included with Windows Server) to provide strong authentication and key management services. The chapter also includes a discussion of the wireless clients supported by the solution and the certificate requirements.

Chapter 3: Preparing Your Environment

This chapter focuses on the underlying information technology (IT) infrastructure needed to support this WLAN solution. It describes the preparation of Microsoft Active Directory, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS) services, and the underlying network requirements. It also includes procedures to apply security settings and install required security updates on the servers used in the solution.

Chapter 4: Building the Network Certification Authority

This chapter describes how to install a simple Certification Authority (CA) on a domain controller to provide certificates for the IAS servers. The procedures to do this are largely automated using scripts included with the guidance. The CA built for this solution is dedicated to the specific task of issuing certificates to the IAS servers and, as such, requires little or no ongoing maintenance.

Chapter 5: Building the Wireless LAN Security Infrastructure

This chapter gives instructions on how to deploy your WLAN security components, the IAS servers and the wireless access points (AP). It includes step–by–step guidance on installing IAS on a domain controller (or member server), configuring IAS settings and policies, setting up wireless APs to use the IAS servers, and replicating IAS settings between the IAS servers.

Chapter 6: Configuring the Wireless LAN Clients

This chapter contains the procedures to configure the clients supported by the solution. The three main sections of the chapter focus on controlling user and computer access to the WLAN, configuring the group policy settings for Windows XP WLAN clients, and manually configuring WLAN settings for Pocket PC 2003 clients.

Chapter 7: Testing the Secure Wireless LAN Solution

This chapter is derived from the test plan used by the Microsoft team when testing this solution. The build chapters (3 to 6) contain regular verification procedures used throughout the build process to verify that things are progressing correctly. This chapter supplements those procedures with a set of extra tests that you should carry out prior to deploying the solution in production.

Chapter 8: Maintaining the Secure Wireless LAN Solution

This chapter focuses on keeping the WLAN security infrastructure running properly. The first part of the chapter covers the key operational tasks that you need to maintain the system. These are divided into categories: everyday maintenance tasks; monitoring and alerting; introducing changes into the environment; optimizing performance; and resolving problems. The final troubleshooting section includes a series of troubleshooting flowcharts, tables, and procedures, along with detailed descriptions of a number of troubleshooting tools and techniques that you can use to help diagnose and fix problems.

Appendixes

Appendix A: Using PEAP in the Enterprise

This solution was designed for small and medium businesses. This contrasts with the certificate–based WLAN solution (mentioned earlier) which was designed for an enterprise–level organization. However, a WLAN solution using PEAP with passwords can also be used by large organizations.

This appendix shows how you can adapt the enterprise–oriented guidance in the certificate–based WLAN solution to deploy a WLAN solution based on PEAP with passwords.

Appendix B: Using WPA in the Solution

This appendix provides information about the status of support for Wi-Fi Protected Access (WPA) security and about how you can use WPA in place of dynamic WEP (Wired Equivalent Privacy) data protection. This solution was designed to support WPA, and WPA is referred to throughout the guidance. However, support for WPA was still not universal when this solution was being developed; therefore, WPA was not used as the default option.

Appendix C: Supported Operating System Versions

This appendix comprises a table showing the operating system versions that are supported for wireless clients and for various server roles in this solution. It is intended to answer questions about whether alternative versions of Windows and other platforms can be used in the various roles of the solution.

Appendix D: Scripts and Support Files

The procedures in the implementation and operations chapters use a number of scripts and other support files. This appendix describes the scripts and how they work. This information is also provided in the SecuringWirelessLANs.rtf file included with the scripts.

Style Conventions

The following table describes style conventions used in this guidance.

Table 1.1: Style Conventions

Element    Meaning

Bold font

Characters that are typed exactly as shown, including commands and switches. User Interface (UI) elements in text that is prescriptive are also bold.

Italic font

Italic font is used in two special contexts:

– Where italic fonts are used within the main body of the text, they indicate the title of another document.

– Where italic fonts are used within commands or code (or text referring to a command or code), they indicate a placeholder for variables where specific values need to be supplied. For example, Filename.ext indicates that you should replace the italicized Filename.ext with the file name of your choice.

Italic font is also occasionally used to provide emphasis to normal text.

Screen Text

For text displayed on the screen (for example, the output from a command–line tool) and for commands that need to be typed in at the command line.

Some commands do not fit within the page margins. Where this occurs, the command text is wrapped onto multiple lines with subsequent lines indented (this is indicated by a note following the command).

Monospace font

Code samples and contents of configuration files.

%SystemRoot%

The folder in which the Windows Server operating system is installed.

Note

Alerts the reader to supplementary information.

Important

Alerts the reader to supplementary information that is essential to the completion of the task.

Caution

Alerts the reader to a situation where failure to take or avoid a specific action could result in the loss of data.

Warning

Alerts the reader to a situation where failure to take or avoid a specific action could result in physical harm to the user or hardware.

Support and Feedback

Support

For further help in implementing the technologies discussed in this solution, you may contact your local Microsoft office or a Microsoft Services partner.

To find your local Microsoft office, select the relevant country/region at http://www.microsoft.com/worldwide/.

To find a Microsoft partner in your region, see the "Services" section of the Microsoft Resource Directory, at http://directory.microsoft.com/ResourceDirectory/Solutions.aspx.

For more information about how the Windows Server 2003 components used in this solution are supported, including escalation paths, support offerings, resources, and support levels, see Microsoft Help and Support at http://support.microsoft.com.

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions.

Have an opinion? Let us know on the Security Solutions Blog for the IT Professional.

Or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox.

We look forward to hearing from you.
