TechNet Home > TechNet Security > Library > Cryptography, Certificates, and Secure Communications

Securing Wireless LANs with PEAP and Passwords

Chapter 2: Planning a Wireless LAN Security Implementation

Published: April 3, 2004 | Updated: October 16, 2007

Overview

This chapter describes the overall design of the secure wireless local area network (WLAN) solution. It aims to give you a thorough understanding of the design of the solution and the reasons for designing it that way. It should also give you enough information to help you adapt the design to the particular needs of your organization.

The chapter begins with a description of how 802.1X and Protected Extensible Authentication Protocol (PEAP) work to secure access to the network. This is followed by a description of the target organization for the solution and explores some of their key requirements.

The middle portion of the chapter describes the design of the WLAN solution including: the network design; Internet Authentication Service (IAS) server placement; selection of hardware and software; obtaining certificates; and client configuration. How to migrate from an unsecured WLAN to 802.1X and PEAP is also outlined.

The sections towards the end of the chapter deal with variations on the basic solution design. The most important of these design variations is how to scale the solution for use in larger organizations, which is discussed at some length. Other design options covered are:

•	Reusing the IAS infrastructure for wired LAN security
•	Using IAS for remote access authentication
•	Deploying WLANs in SOHO environments

Top of page

Chapter Prerequisites

As part of planning for your secure WLAN implementation you need to ensure that you have the right skill sets available in your organization and that you involve the right people in the decisions affecting the deployment.

To get the best out of this chapter, it would be helpful if you were familiar with the following topics:

•	Networking concepts particularly Wireless LANs.
•	Microsoft 2000 Windows or Windows Server™ 2003.
•	Microsoft Active Directory directory service concepts, including Active Directory domains and forests, management tools, use of Group Policy, and manipulation of users, groups, and other Active Directory objects.
•	Certificate services and public key infrastructure (PKI) concepts.
•	General security concepts such as authentication, authorization and encryption.
•	Windows security features such as users, groups, auditing, and access control lists (ACL).
•	Application of security settings using Group Policy. Note: Although this solution can be implemented without in-depth technical knowledge, you should ideally have a Microsoft Certified Systems Engineer (MSCE) certification or equivalent knowledge and experience.

Top of page

How Wireless LAN Security Works

Different methods for securing WLANs were discussed at some length in the introductory document, “Choosing a Strategy for Wireless LAN Security”. The discussion focused on the use of strong authentication to the WLAN using 802.1X and encrypting the network traffic using dynamic Wired Equivalent Privacy (WEP) or WiFi Protected Access (WPA). The following are the key points from that discussion:

•	The original 802.11 WLAN security scheme, known as Wired Equivalent Privacy (WEP), has serious security deficiencies that allow an attacker to discover the network key and break on to the network. This scheme is known as "Static WEP" in this because of its use of a fixed network access and encryption key shared between all members of the WLAN.
•	Use of the IEEE 802.1X gives a strong access control mechanism for the WLAN. This must be coupled with a secure Extensible Authentication Protocol (EAP) method. The choice of EAP method defines the type of credentials that can be used to authenticate users and computers to the WLAN.
•	Microsoft supports and recommends the use of PEAP with MS-CHAP v2 for password authentication and EAP-TLS for certificate authentication.
•	PEAP is a means of protecting another EAP method (such as MS-CHAP v2) within a secure channel. The use of PEAP is essential to prevent attacks on password–based EAP methods.
•	Strong data protection of the WLAN traffic can be provided by either dynamic WEP or WPA. Master encryption keys for data protection are generated as part of the 802.1X authentication process (although dynamic WEP and WPA use these keys differently).
•	The distinction between static WEP and dynamic WEP is crucial. Dynamic WEP uses the same encryption algorithms as static WEP but continually refreshes the encryption keys, therefore defeating known attacks on static WEP. Dynamic WEP only refers to the network data protection mechanism, network authentication is handled separately by 802.1X.

How 802.1X with PEAP and Passwords Works

For password-based WLAN authentication, Microsoft supports the use of PEAP with MS-CHAP v2. Figure 2.2 illustrates how 802.1X with PEAP and MS-CHAP v2 works.

Figure 2.1 802.1X and PEAP authentication to the wireless LAN
See full-sized image

The figure shows the following four main components:

•	Wireless client: This is a computer or device running an application that requires access to network resources. The owner of the credentials that are used to authenticate the client to the network can be a user or a computer. The client must have a WLAN network adapter that supports 802.1X and dynamic WEP or WPA encryption. The client is also referred to as the station (STA) in many network standards documents. Before the client can be granted access to the WLAN, it must agree on a set of credentials with the authentication service (the RADIUS server and directory) in some out–of–band operation. In this case, the domain accounts of the user and computer are created prior to connecting to the WLAN. The client knows its password and the domain controller (the directory) is able to verify the password. The client must also be preconfigured with the correct WLAN settings, which include the WLAN name and the authentication method to use. Note: Strictly speaking, only one set of credentials (either the user or the computer) need to be agreed out-of-band. For example, you can connect the WLAN using the user credentials and then join the computer to the domain. However, this solution assumes that both user and computer accounts exist prior to accessing the WLAN.
•	Wireless access point (AP): The wireless AP is responsible for controlling access to the WLAN and bridging a client connection to the internal LAN. It must support 802.1X and dynamic WEP or WPA encryption. In network standards terminology, the AP fills the role of the Network Access Service (NAS). The wireless AP and the RADIUS server also have a shared secret to enable them to securely identify each other.
•	The RADIUS server and directory: the RADIUS server uses the directory to verify the credentials of WLAN clients. It makes authorization decisions based on a network access policy. It may also collect accounting and audit information about client access to the network. This is referred to as the authentication service (AS) in network standards terminology.
•	The internal network: This is a secure network to which the wireless client application needs to gain access.

The following steps describe how the client makes a request and is granted access to the WLAN and thus the internal network. These step numbers correspond to the numbers in figure 2.1.

When the client computer is in range of the wireless AP, it tries to connect to the WLAN that is active on the wireless AP and identified by its Service Set Identifier (SSID). The SSID is the name of the WLAN and is used by the client to identify the correct settings and credential type to use for this WLAN.

The wireless AP is configured to allow only secured (802.1X authenticated) connections. When the client tries to connect to it, the AP issues a challenge to the client. The AP then sets up a restricted channel, which allows the client to communicate only with the RADIUS server (blocking access to the rest of network). The RADIUS server will only accept a connection from a trusted wireless AP; that is, one which has been configured as a RADIUS client on the IAS server and provides the shared secret for that RADIUS client.

The client attempts to authenticate to the RADIUS server over the restricted channel using 802.1X. As part of the PEAP negotiation the client establishes a Transport Layer Security (TLS) session with the RADIUS server. Using a TLS session as part of PEAP serves a number of purposes:

•	It allows the client to authenticate the RADIUS server; this means that the client will only establish the session with a server holding a certificate that is trusted by the client.
•	It protects the MS-CHAP v2 authentication protocol against packet snooping.
•	The negotiation of the TLS session generates a key that can be used by the client and RADIUS server to establish common master keys. These keys are used to derive the keys used to encrypt the WLAN traffic.

Secured within the PEAP channel, the client authenticates itself to the RADIUS server using the MS-CHAP v2 EAP protocol. During this exchange, the traffic within the TLS tunnel is only visible to the client and RADIUS server and is never exposed to the wireless AP.

The RADIUS server checks the client credentials against the directory. If the client is successfully authenticated, the RADIUS server assembles information that allows it to decide whether to authorize the client to use the WLAN. It uses information from the directory (such as group membership) together with constraints defined in its access policy (for example, the times of day that WLAN access is allowed) to either grant or deny access to the client. The RADIUS relays the access decision to the AP.

If the client is granted access, the RADIUS server transmits the client master key to the wireless AP. The client and AP now share common key material that they can use to encrypt and decrypt the WLAN traffic passing between them.

When using dynamic WEP to encrypt the traffic, the master keys are directly used as the encryption keys. These keys need to be changed periodically to thwart WEP key recovery attacks. The RADIUS server does this by regularly forcing the client to re–authenticate and generate a new key set.

If WPA is used to secure the communication, the master key material is used to derive the data encryption keys, which are changed for each packet transmitted. WPA does not need to force frequent re–authentication to ensure key security.

The AP then bridges the client WLAN connection to the internal LAN, allowing the client to talk freely to systems on the internal network. The traffic sent between the client and AP is now encrypted.

If the client requires an IP address, it can now request a Dynamic Host Configuration Protocol (DHCP) lease from a server on the LAN. Once the IP address has been assigned, the client can begin communicating normally with systems on the rest of the network.

Computer and User Authentication to the WLAN

The process just described illustrates how a client (a user or a computer) successfully connects to the WLAN. Windows XP authenticates both the user and the computer independently. When computer first starts up, it uses its domain account and password to authenticate to the WLAN. The authorization of the computer to the WLAN follows all of the steps outlined in the previous section. Having the computer connect to the WLAN using its own credentials permits it to be managed even when no user is logged on. For example, group policy settings can be applied and software and patches distributed to the computer.

When a user logs on to the computer, the same authentication and authorization process is repeated, but this time with the user's name and password. The user’s session replaces the computer WLAN session; this means that the two are not active simultaneously. It also means that an unauthorized user cannot use an authorized computer to access the WLAN.

Note: Windows XP allows you to override this behavior and specify that either only the computer or user credentials are used. These are not recommended configurations. The former allows users to connect to the WLAN without authorization. The latter prevents the computer from connecting to the WLAN until a user logs on, which will interfere several computer management functions.

Top of page

Target Organization Profile

This solution is designed for a small business of 100–200 people. Although the organization is fictitious, its characteristics and requirements are derived from extensive real–world research. These real–world requirements have helped shape the style and scope of the guidance as well as the choices made in the design.

It is important to understand that this solution is not restricted to organizations of this size. The simplicity of the design and the scalability of the components used mean that the same PEAP–based WLAN solution can be easily scaled for much larger (with thousands of users) and much smaller organizations. By understanding the characteristics of the target organization, you will be better placed to understand the assumptions of the design and adapt them to your own organization.

Using the solution in larger organizations is covered in the "Scaling for Larger Organizations" section of this chapter. For very smaller organizations, all of the required components can be installed on a single existing server.

Organization Layout

The physical and information technology (IT) layout of the organization is shown in the following figure.

Figure 2.2 The physical and IT layout of the target organization
See full-sized image

There is a single large head office, which houses most of the IT systems and the majority of the users. All Active Directory domain controllers are located here. The head office has a connection to the Internet through a firewall server. There are a number of WLAN clients and wireless APs connected to the internal network.

There are also one or more outlying offices with very few local IT services beyond network connectivity to the head office. There are a small number of clients (possibly all wireless) at this office and it frequently receives visitors from head office who bring their WLAN clients to be able to connect back to their applications and data at the head office.

The wide area network (WAN) connectivity between offices is provided either by private lines (for example a T1—1.5Mbps) or by DSL Internet connections and a virtual private network (VPN) router–to–router link across the Internet. The WAN connection is typically not resilient to failure.

Note: If the WAN connection between offices is provided by a VPN connection across the Internet, each office will typically have a firewall protecting it from threats on the Internet. The presence of this firewall is not relevant to the WLAN discussion and has been omitted to aid clarity.

IT Environment

The Active Directory of this organization is a single domain forest with at least two domain controllers. It authenticates users to the domain and provides directory and authentication services to several applications such as Microsoft Exchange Server and Outlook for e–mail. The domain controllers have recently been upgraded from Windows 2000 Server to Windows Server 2003, Standard Edition. The domain controllers also run additional services such as Domain Name System (DNS), DHCP, and Windows Internet Name Service (WINS) for a few legacy applications.

The IT systems are predominantly Microsoft technologies, with Windows XP on client computers and Windows Server 2003 on server systems. There are also a number of servers running Windows 2000, which the company plans to upgrade as application testing and support allow. The organization has begun to invest in mobile systems such as Windows XP, Tablet Edition, and Pocket PC 2003 particularly for its sales, distribution, and warehouse staff.

Key server applications include Microsoft Exchange Server, SQL Server (running several Line–of–business applications), Internet Information Services (IIS), and Windows SharePoint™ Team Services.

Applications are deployed to client computers using Active Directory group policy. Operating system patches are deployed using Windows Server Update Services (WSUS) and the Windows Automatic Updates service.

System monitoring is done directly on the server systems by reviewing Windows event logs, performance logs, and application logs daily. Critical alerts for hardware and software are sent to the IT administrator through e–mails and alerts on the system consoles.

The organization has two full–time IT personnel, who look after the IT planning, service delivery, and day–to–day support. Both the IT manager and the IT support engineer have latest MCSE certifications and a number of years of experience in IT.

Top of page

Design Criteria

The organization described in the previous section will typically have the following types of criteria for a WLAN solution. These criteria have been extended to cover a broad category of organizations. The design presented in the rest of the chapter explicitly uses these criteria.

Table 2.1: WLAN Solution Design Criteria

Design Factor	Criteria
Security Requirements	–Robust authentication and authorization of wireless clients. –Robust access control to permit network access to authorized clients and to deny any unauthorized access. –High strength encryption (128–bit) of wireless network traffic. –Secure management of encryption keys.
Scalability—Min/Max users supported	25 to 5,000 or more WLAN users See Table 2.2 for authentication loads for different sizes of WLAN.
Scalability—Number of sites supported	Basic: Single large site with local domain controllers and IT services; one or more small sites with no domain controllers. Minimum users required are 25. High end: Single central site with multiple domain controllers; large offices with single domain controller and/or resilient WAN connectivity to head office; multiple small offices with no domain controller, probably no WAN resilience. Maximum users allowed are 5000. For use with larger organizations, refer to Appendix A, "Using PEAP in the Enterprise".
Availability Requirements	Use of multiple wireless APs, IAS, or domain controllers gives WLAN resilience to single component failure for larger offices. Small office WLANs are vulnerable to WAN failure unless redundant connectivity is installed.
Platform Support	Server platforms: Windows Server 2003, Standard Edition or Enterprise Edition (for IAS and Certification Authority (CA) installation). Standard edition supports maximum of 50 wireless APs (RADIUS clients) per server. Client platforms: Windows XP Professional or Tablet Edition; Pocket PC 2003.
Extensibility (reuse of solution components for other applications)	Other network access applications (remote access VPN, 802.1X wired network access, and firewall authentication) can be supported by same authentication infrastructure.
IT Organization Requirements	Installation and management of solution requires IT professional with latest MSCE certification or equivalent knowledge and 2 to 3 years experience in IT industry.
Manageability Requirements	The solution will require minimal management to maintain healthy operation. Alerts are sent through e-mail and/or Windows event log (or modified to trigger other alter types). IAS component can be monitored by Windows monitoring solution (using event logs and performance counters), by RADIUS logging and by Simple Network Management Protocol (SNMP) management system.
Standards Conformance	The solution supports the following standards: –IEEE 802.11 (a, b, or g) network standards. –IEEE 802.1X authentication with PEAP and MS-CHAP v2. It can be used with other EAP methods such as certificate-based EAP-TLS and PEAP-EAP-TLS. –Dynamically keyed WEP and WPA WLAN protection. Future capabilities and standards (for example, 802.11i). –RADIUS support for RFC 2865 and 2866.

The following table gives an indication of the WLAN authentication requirements for different sizes of organization. The "New Authentications per second" is part of the steady load and assumes an average of four new full authentications per user per day as users rove between wireless APs. The "Peak New Authentications per second" column indicates the type of load expected when all users authenticate over a 30 minute period (for example at the start of the day). The "Re-authentications per second” column shows the number of periodic re-authentications to force the renewal of dynamic WEP keys.

Table 2.2: WLAN Authentication Requirements

Number of WLAN Users	New Authentications per Second	Peak New Authentications per Second	Re–authentications per Second
100	> 0.1	0.1	0.1
1000	0.1	0.6	1.1
10,000	1.4	5.6	11.1

These figures are referred to later in the chapter when discussing IAS server sizing.

Top of page

WLAN Architecture

This section covers the architecture of the solution.

Network Design

The following figure illustrates the basic network layout for the head office.

Figure 2.3 The network layout for the head office
See full-sized image

The figure shows wireless clients, two or more wireless APs, two IAS servers running on Active Directory domain controllers, a DHCP server, and other network connected servers, clients, and devices. With the exception of the WLAN clients, all items are connected on a single LAN using one or more layer 2 switches. A single subnet is used for the entire internal network at this site. There are routed connections (not shown in the figure) through the firewall to the Internet and other offices.

Larger organizations are more likely to have a routed environment within a single site. Although this does not make any difference to the authentication infrastructure, it may have an impact on how the wireless APs are connected to the rest of the network. To make it easier for users to rove between multiple APs across a site, it is a normal practice to place all the wireless APs and WLAN clients on the same IP subnet. This allows users to rove between wireless APs but still keep the same IP address. A detailed discussion of this topic is beyond the scope of this guide. It is covered in more detail in the "Deploying a Wireless LAN" chapter of the Windows Server 2003 Deployment Kit.

In your network design, you must ensure the following:

•	The wireless APs have connectivity to both primary and secondary IAS servers. If the APs are on a different VLAN/subnet from the IAS servers, traffic must be routable between these subnets.
•	The WLAN clients must have connectivity to DHCP servers. If the servers are not on the same subnet, you need to have DHCP/BOOTP relay agents to forward the client DHCP request to a DHCP with a scope defined for that subnet. The clients will, of course, also need connectivity to their normal network services such as domain controllers, file servers, and so on.

Selection of Wireless Network Hardware

You should ensure that your wireless APs and wireless network adapters support the following:

•	128-bit WEP encryption (if using dynamic WEP) or TKIP encryption (RC4) or AES encryption (if using WPA).
•	802.1X Authentication.
•	Dynamic Key Update (WEP encryption only).
•	WPA Support (even if you are using dynamic WEP, you should have a clear commitment from vendor to provide firmware update to provide WPA support.)

You should have sufficient wireless APs to provide coverage for WLAN clients across the physical locations that you need to support. You should also plan the wireless AP placement so that there is adequate backup coverage in all locations in case a wireless AP fails. Wireless AP placement is covered in more detail in the "Deploying a Wireless LAN" chapter of the Windows Server 2003 Deployment Kit, also listed in the “References” section at the end of this chapter. You should also read the article "Recommendations for IEEE 802.11 Access Points" referenced at the end of this chapter.

IAS Server Placement

The goal of IAS server placement is to achieve a resilient WLAN service while keeping implementation and management costs low. A WLAN service that is resilient to a single component failure has the following characteristics:

•	All physical zones where you need WLAN coverage must have two or more wireless APs in range.
•	Each wireless AP must be able to communicate with a backup IAS server in the event that its primary IAS server fails or the network connection to this server fails.
•	The services on which IAS and the WLAN clients are dependent (for example, Active Directory, DHCP, and DNS) must also provide resilience.

The second of these is the most significant for planning IAS server placement. In this solution, IAS is on existing domain controllers. This provides the highest performance configuration together with relatively low implementation and management costs. As a general recommendation for organizations of all sizes, you should deploy IAS to every site that has a domain controller (although you may not need to install IAS on every domain controller).

The following figure illustrates the placement of IAS servers in the organization. IAS is deployed on two existing domain controllers in the head office. The network CA (refer to the section "Obtaining Certificates for IAS Servers" later in this chapter) is also installed on one of these domain controllers. All APs in the head office are configured to use these IAS servers.

Figure 2.4 The head office and branch office infrastructure
See full-sized image

The organization has a small branch office with no local domain controller. The wireless APs in this site use the two IAS servers in the head office for all authentication requests. This means that users will be unable to authenticate to the WLAN if the WAN connection to head office fails. This may be an unacceptable risk for many organizations.

To resolve this, you should either install redundant WAN connectivity or install a local IAS and domain controller. Although this might seem like an unreasonable cost for this type of office, WAN failure will also cause most other network services to fail (for example, local file servers) without access to a domain controller. Rectifying this will therefore benefit the reliability of these services as well as the local WLAN. Deploying domain controllers to branch offices is discussed in the section "Scaling for Larger Organizations", later in the chapter.

For small offices where WAN connectivity is highly unreliable and deploying a local domain controller is not feasible, you may decide to deploy a standalone WLAN. For more information on this, you should read the section "SOHO Environments" later in the chapter.

Assignment of APs to RADIUS Servers

You must assign all your wireless APs to IAS servers. Each wireless AP requires a primary and a secondary RADIUS server. This allows the wireless AP to use the secondary RADIUS server in the event that the primary server has failed or is not contactable. This arrangement is shown in the following figure.

Figure 2.5 Balancing AP between primary and secondary IAS servers

The figure shows how each of the wireless APs is configured with different primary and secondary RADIUS servers. This allows load balancing between the servers. Wireless APs in sites with no local IAS server will follow the same pattern using the IAS servers in the head office as primary and secondary RADIUS servers.

For wireless APs in sites with only one local IAS server, the local server should always be the primary server and the server in the head office (or other suitable location where there is reliable connectivity to an IAS server) should be the secondary server. This is illustrated in the following figure.

Figure 2.6 Configuring APs to use local and remote IAS servers
See full-sized image

If you have many APs, you should carefully document the assignment of APs to IAS servers. You can use this record to ensure that every AP has been assigned a primary and a secondary server and that the load from APs is evenly balanced across the available servers.

Note: All wireless APs will failover to the secondary IAS server when the primary IAS server is not available. However, most APs do not automatically revert to using the primary when it becomes available again (they will only fall back if the secondary subsequently fails). This is not a major problem where both IAS servers are at the same location; it will simply make load across the servers uneven. However, where the secondary IAS is remote, a temporary failure of the primary may leave all APs authenticating to the secondary over a non–optimal WAN link.

If your APs do not automatically revert to their designated primary server, you may need to manually reset the APs so that they start using the local IAS server when it recovers after a failure. Transient network conditions can also cause APs to failover to their secondary RADIUS servers, so you may need to occasionally check the authentication request events in the IAS server application logs to spot any APs using the wrong IAS.

Co-location of IAS with Domain Controllers

In this solution, IAS is installed on existing domain controllers. This keeps the costs of implementation low and gives a performance improvement over using IAS on a separate member server. The performance gain occurs because IAS can communicate with the Active Directory on the same computer without incurring any network delay.

You should be aware of some caveats of installing IAS on domain controllers. While these will not be of concern to many organizations, you may want to consider them before proceeding:

•	You will not be able to have a single configuration for all of your domain controllers unless, of course, you opt to install IAS on all domain controllers.
•	You will not be able to enforce separation between IAS administration and domain administration. Installing IAS on domain controllers means that the IAS Administrators need to be members of the built-in domain Administrators group as well.
•	High load on the domain controller functions will adversely affect the performance of IAS and vice versa. You may want to put these on separate servers to have more control over their individual performance and operation of these services.

IAS Software and Hardware Requirements

For a target organization of 100 to 200 users, it is unlikely that IAS load on servers will ever be an issue as long as you are using the recommended hardware specification for Windows Server 2003. However, for larger organizations, this may be a consideration, particularly if they are running IAS on existing domain controllers.

The load on the IAS will be affected by:

•	Number of users and devices requiring RADIUS authentication.
•	Choice of authentication options such as EAP type and the re-authentication frequency.
•	Whether RADIUS logging is enabled.

You can use the figures given in table 2.2, in earlier "Design Criteria" section, to estimate the number of authentications per second that you can expect from a given user population. You should consider the steady state load when users are authenticating normally and the 'worst case' load during peak times. Extrapolating the figures from this table, 200 users generate a steady state load of less than one full authentication every 50 seconds and one fast re–authentication every ten seconds. These are such small numbers that the only really significant figure is how long it takes to authenticate all users following an outage — when all users need to connect back to the WLAN immediately. This is a much more extreme peak than the start-of-day logon, which will tend to spread over 30 minutes or more.

Authentication options have a significant effect on IAS server load. Protocols such as PEAP perform a CPU–intensive public key operation upon initial log on; although for subsequent re-authentications, cached session information is used, allowing what is known as a "fast reconnect". If you are using dynamic WEP, the clients will re-authenticate every 15–60 minutes to generate new encryption keys. However, with WPA you need to enforce re-authentication much less frequently, typically every 8 hours.

The following table shows the approximate number of authentications per second for IAS on an Intel Pentium 4 2 GHz server running Windows Server 2003 with Active Directory on a separate server.

Note: The information in the following table was derived from tests done by Microsoft Solutions for Security. It is provided without warranty of any kind and should only be used as a guideline for capacity planning purposes and not for performance comparisons.

Table 2.3: Authentications per Second

Authentication Type	New Authentications	Fast Reconnect Authentications
PEAP authentications per second	36	166
Time to authenticate 200 users	6 sec	2 sec
Time to authenticate 1000 users	30 sec	7 sec

These figures were calculated with RADIUS logging enabled and with Active Directory running on a separate server; both of these factors reduce the performance of IAS, so these figures can be considered a pessimistic estimate.

As these figures show, this type of server will allow 200 WLAN users to authenticate to the network in six seconds and 1000 users in 30 seconds.

Using Windows Server Standard or Enterprise Edition

This solution uses Windows Server 2003, Standard Edition for all IAS servers; this keeps the cost of server licenses low and allows you to deploy on existing servers whether they be Standard or Enterprise Edition.

IAS in Windows Server 2003, Standard Edition has the limitations that each server can support only 50 RADIUS clients and two RADIUS server routing groups.

Note: RADIUS clients are not the same as WLAN clients. RADIUS client refers to wireless APs and also other network access servers, such as VPN servers and firewalls that make use of RADIUS authentication services.

For the target organization of 1 to 200 users, a maximum of 50 APs per server is more than sufficient. For larger organizations this limit may be significant particularly for large offices, or where many satellite offices feed into one or two hub IAS servers.

Assuming 15 users per wireless AP, this means that a single IAS server on Windows Server 2003, Standard Edition could support approximately 750 users. This calculation takes into account the total number of APs that will use a server as a primary or a secondary RADIUS server; therefore, two servers will support 50 APs and not 100. If any of your IAS servers need to support more than 50 APs, you need to use Windows Server 2003, Enterprise Edition. You can, of course, also mix and match the two editions by using Windows Server 2003, Enterprise Edition for large offices and hub offices, and Windows Server 2003, Standard Edition for smaller offices.

IAS Configuration

IAS settings can be broken down into four major categories:

•	IAS Server settings
•	RADIUS Logging configuration
•	Remote Access Policies
•	Connection Request Policies

These categories are described in detail in the following subsections. All these settings are common to all of the IAS servers used in this solution; this allows the settings to be configured on one IAS server and copied to the others. This technique is used in Chapter 5, “Building the WLAN Security Infrastructure” to ensure that the IAS settings are consistent between all servers in your organization.

In addition, each IAS server will also have one or more wireless APs configured as RADIUS clients. RADIUS clients were described in the earlier section "Assignment of APs to RADIUS Servers". The set of RADIUS clients is usually different for each server and therefore they are not replicated between the servers in the same way as the other settings.

IAS Server Settings

This category includes:

•

Logging of authentication requests to the Windows event log. Logging of both successes and failures is enabled in this solution.

Note: Request logging is covered in the "RADIUS Logging" section later in this chapter.

•

The User Datagram Protocol (UDP) ports that the IAS server listens on for RADIUS authentication and accounting requests. This solution uses the default RADIUS ports 1812 and 1813 for authentication and accounting, respectively.

RADIUS Policies

IAS policies control the authentication and authorization of accounts to the network. There are two types of policies:

•	Remote Access Policy (RAP).
•	Connection Request Policy (CRP).

The RAP controls how or whether a connection is authorized to the network. A RAP contains a set of filter conditions that determine whether that policy applies to a given connection request. Some examples of filter conditions are: specifying the Windows security group of which a client must be a member, specifying the connection type (such as Wireless or VPN) of the requesting client, and specifying the time of day that the client is attempting to connect. Each RAP has a policy action, which is set either to allow or deny a connection request. Connection requests matching the RAP condition filter will be allowed or denied access to the network according to the policy action setting.

A RAP also contains a set of parameters that apply to an allowed connection, known as the RAP profile. These parameters include the authentication methods that are acceptable for this connection, how an IP address will be assigned to the client, and the amount time for which the client can remain connected before re–authentication is required. There can be multiple RAPs on an IAS; each connection request is evaluated against them (in order of priority) until a matching RAP either allows or denies the request.

The RAP in this solution is configured as shown in the following table.

Table 2.4: Remote Access Policy Configuration

Configuration Item	Setting
Policy Name	Allow Wireless LAN Access
Policy Type	Allow
RAP Conditions
NAS-Port-Type matches	IEEE 802.11 Wireless Other Wireless
Windows Group matches	Wireless LAN Access
RAP Profile
Dial-in constraints — Client Timeout	60 minutes (dynamic WEP) 8 hours (WPA)
IP Address assignment	Server settings determine IP assignment
IP Filtering	None
Authentication	All disabled apart from EAP
Authentication—EAP Type used	Protected EAP (PEAP)
Authentication—PEAP EAP type used	EAP MS-CHAP v2
Authentication—Fast Reconnect	Enabled
RADIUS Attributes	Ignore-User-Dialin-Properties = "True" Termination Action = "RADIUS-Request"

The condition filter matches all wireless clients and all members of the domain group Wireless LAN Access. Parameters that are not relevant to WLAN access, such as Multilink and Microsoft Point-to-Point Encryption (MPPE) encryption settings, are not included in the table. For more details on the use of security groups with the RAP, refer to the “WLAN User and Computer Administration Model” section later in this chapter.

The Dial-in constraints — Client Timeout setting can have an impact on the security and the reliability of the solution. Reasons for using different values to those given in the table are discussed in the "Security Options for Dynamic WEP" section later in the chapter.

The RADIUS attribute "Ignore-User-Dialin-Properties" is used to bypass per user control of network access permissions. See the "WLAN User and Computer Administration Model" section for an explanation of per user and per group access control.

A connection request policy controls whether to process the request at a particular RADIUS server or send it to another RADIUS server (called RADIUS proxy). RADIUS proxies are typically used where the RADIUS server does not have the information to process the request itself and must forward it to an authoritative RADIUS server, for example, to a server in another Active Directory forest. RADIUS proxies are not used in this solution and are outside the scope of this guide.

For more information about remote access and connection request policies, and the use of RADIUS proxies, see the "References" section at the end of the chapter.

RADIUS Logging

You can configure IAS servers to log two types of optional information:

•	Successful and rejected authentication events.
•	RADIUS authentication and accounting information.

Successful and rejected authentication events generated from WLAN devices and users can be recorded in the Windows Server 2003 System Event Log on the IAS server. Authentication Event Log information is most useful for troubleshooting authentication issues, although this information may also be used for security auditing and alerting purposes.

Initially, you should keep success and reject event logging enabled but you may consider disabling success events once the system has stabilized. Successful WLAN access events will bloat the System Event Log but may be needed for audit purposes.

If you use a monitoring and alerting tool such as Microsoft Operations Manager (MOM), you should consider adding a rule to alert on IAS authentication failure events in the System Event Log. Alternatively, you could use an event log query tool such as eventquery.vbs to check the event log for authentication failures (see the "Eventquery.vbs" entry in the online help). Single events are usually insignificant but a series of such events can indicate an attempted break-in.

IAS also has the ability to record authentication and network access session information in the form of RADIUS request logs. You normally use RADIUS logging either when you need to charge for network usage (for example, as an Internet service provider (ISP), you need to charge based on connection time) or where you need specialized security audit information (although, for most purposes this is already covered by the authentication events logged to the event log).

For more information on RADIUS logging, refer to the ”References” section at the end of the chapter.

IAS Security

You should treat IAS with similar security precautions as you use with a domain controller. Secure control of your network is dependent on the security of your IAS infrastructure. There are several simple measures, which you can implement to improve the security of IAS:

•	Use strong passwords for your RADIUS clients (wireless APs). The solution includes scripts to generate true random passwords to make dictionary attacks difficult.
•	Enable RADIUS Message Authenticator for all RADIUS clients to prevent the IP addresses of wireless APs from being spoofed. It is enabled in this solution.
•	Ensure that your server security settings are appropriate. This is covered in Chapter 3, “Preparing Your Environment.”
•	Ensure that your servers are patched with the latest security hotfixes and that you maintain up-to-date patches on an ongoing basis. This is also covered in Chapter 3, “Preparing Your Environment.”
•	Ensure that you are using strong domain account settings. In particular, you should ensure that strong passwords and regular password changes are enforced. You may also consider enabling domain account lockout to block password guessing attacks. However, you should only enable account lockout if you have the support resources to unlock accounts for users in a timely fashion.
•	Consider using IPSec to secure the RADIUS traffic and strengthen mutual authentication between your wireless APs and IAS servers. However, not all wireless APs support the use of IPSec for this.

For more information on IAS security measures, see the “References” section at the end of this chapter.

WLAN User and Computer Administration Model

Access to the WLAN in this solution is controlled using domain security groups. Although it is possible to use the dial–in properties of domain user objects to allow and deny access to individuals, this is tedious to administer for many users.

This solution uses a very simple scheme of allowing all domain users and computers access to the WLAN. For many organizations, controlling access through domain membership is a strong enough control and minimizes additional management overhead associated with the WLAN. However, to give more control to organizations that require it, security groups can be used to define who is allowed to access the WLAN.

As described in the section "RADIUS Policies," the IAS remote access policy uses a filter condition that grants WLAN access to all members of the Wireless LAN Access group. The following table shows the membership of the Wireless LAN Access group.

Table 2.5: Wireless Access Groups to Allow All Users and Computers

Top Level Universal Group (Granted Access in RAP)	First Level Members(Domain Global Groups)	Second Level Members(Domain Global Groups)
Wireless LAN Access	Wireless LAN Users	Domain Users
Wireless LAN Access	Wireless LAN Computers	Domain Computers

The group in the first column, Wireless LAN Access, has two members listed in the second column namely, Wireless LAN Users and Wireless LAN Computers. These "First Level" groups themselves have members (shown in the third column — Second Level Members”) namely, the Domain Users and Domain Computers groups respectively. This arrangement of nested groups allows all users and computers in the domain to connect to the WLAN.

If allowing all users and computers to access the WLAN is overly permissive for your organization, you can remove either or both Domain Users and Domain Computers from these groups. You will then need to add the specific user and computer accounts or groups to the Wireless LAN groups. The following table illustrates how to use the Wireless LAN Access group structure in this manner.

Table 2.6: Wireless Access Groups to Allow Selected Users and Computers

Top Level Universal Group (Granted Access in RAP)

First Level Members (Domain Global Groups)

Second Level Members(Domain Global Groups)

Wireless LAN Access

Wireless LAN Users

User1
User2

User3

Wireless LAN Access

Wireless LAN Computers

Computer1
Computer2
Computer3

For more information on the use of these security groups in a multidomain forest, refer to the "Scaling for Larger Organizations" section later in this chapter.

Obtaining Certificates for IAS Servers

The IAS servers need to have certificates to authenticate the WLAN clients. Server certificates are required to create the TLS encrypted tunnel between IAS servers and clients. TLS helps protect the authentication exchange between the server and clients.

Note: TLS is an RFC standard based on the similar Secure Sockets Layer version 3.0 (SSL 3.0). Both are commonly used to secure Web traffic as part of the Hypertext Transfer Protocol, Secure (HTTPS).

Embedded CA vs. Commercial CA

To provide these certificates, you have the choice to either install a CA yourself or buy the certificates from a commercial certificate provider. Both options are valid and choosing one over the other creates no real technical difference to the WLAN solution.

The major pros and cons to using in–house CA compared to buying certificates from a commercial provider are summarized in the following table.

Table 2.7: Pros and Cons of Using Your Own CA vs. Commercial Certificates

In-house CA	Commercial CA
No per certificate cost	Per certificate cost
CA software to be installed and managed	No server software
Automatic enrollment and renewal	More complex enrollment process, manual installation of certificates

The balance of the argument depends on how complex and costly it is to manage your own CA. If the cost of setting up a local CA is low and the management is simple, it is often a more attractive proposition than purchasing external certificates.

This solution uses a simple internal CA to provide the certificates. The terms "embedded CA" and "network CA" have been used in this guide to indicate that it is a special purpose CA, which is essentially invisible to users and administrators and which issues certificates of a single type. The limited functionality of the CA in this solution means that it can be installed and used with little or no user or management intervention. For example, in this solution, the CA can issue a certificate with a lifetime of 25 years; therefore, you will not have to renew it during the lifetime of the solution. Automatic enrollment and renewal of the IAS server certificates means that there is no manual certificate distribution to perform.

Contrast this with using external certificates. You must remember to renew the certificates of all IAS servers every year or two years. Each time you have to manually create the certificate request on each IAS server, send the request to the commercial CA then retrieve and manually install the issued certificate. Failure to do this will prevent users from connecting the WLAN. For many organizations the management overhead of this is far more onerous than the simple internal CA described used in this solution.

Limitations of the Solution CA

This solution uses a special CA configuration to issue certificates to the IAS servers. It was only designed to meet this specific need and is not suitable as a general purpose certification authority.

Digital certificates are used in many applications, such as secure e-mail and Web browsing, IP Security (IPSec), Virtual Private Networks (VPN), Encrypting File System (EFS), and others. Each of these applications has its own security requirements. Your organization will have its own unique security requirements with respect to these applications. For these reasons, Microsoft strongly recommends not attempting to use the solution CA for any other purpose.

If you plan to use these or other certificate applications, design your certificate infrastructure around their requirements. Things that you need to consider include:

•	The solution CA is a self-signed root CA, so you cannot revoke it (you have to revoke the issued certificates in the case of CA compromise).
•	Industry or country-specific regulations may require you to use a multitier CA hierarchy for some or all certificate types.
•	Microsoft does not recommend installing a CA on a domain controller for high-security certificate uses.

For more information about the detailed planning required to design a more generic PKI architecture, see Chapter 4, "Designing the Public Key Infrastructure," in the companion solution, Securing Wireless LANs — A Certificate Services Solution.

You should also keep in mind that there are a number of constraints due to the CA being installed on the Standard Edition of Windows Server 2003. Although adequate for this solution, the Standard Edition supports a limited set of functionality compared to Windows Server 2003, Enterprise Edition. The salient features that are not available in Windows Server 2003, Enterprise Edition include:

•	Autoenrollment of certificates to both computers and users: The Automatic Certificate Request Service (as used in Windows 2000 Server and Windows Server 2003, Standard Edition) only supports automatic enrollment of computer certificates. User certificates cannot be enrolled automatically.
•	Version 2 certificate templates: Many certificate types used by Windows Server 2003 and Windows XP use the advanced features of version 2 templates. However, a CA based on Windows Server 2003, Standard Edition cannot issue certificates in version 2 templates.
•	Editable certificate templates: Version 1 templates cannot be modified or created to produce new certificate types.
•	Archival of keys is not supported.

If you require any of these features, you need a CA based on the more advanced capabilities of Windows Server 2003, Enterprise Edition. For a detailed description of the differences between Enterprise and Standard Edition, see the paper titled "PKI Enhancements in Windows XP Professional and Windows Server 2003" listed in the “References” section at the end of the chapter.

If you do not have clear requirements for other types of certificates at present, however, you can deploy the CA described in this solution without closing your options in the future. At a later stage, if you identify other requirements for certificates, you can deploy a more sophisticated PKI alongside this solution. You are then free to either run them side by side or migrate to issuing all certificates from the new PKI.

WLAN Clients

The WLAN solution supports several, different types of WLAN client either explicitly or implicitly. This solution supports Windows XP, Professional Edition, Windows XP, Tablet Edition, and Pocket PC 2003 clients. For specific guidance on how to configure and use these clients with the solution, refer to chapter 6, “Configuring the WLAN Clients”. The guide does not cover using other types of clients that support 802.1X with PEAP-MS-CHAP v2. Although some other types of clients will work (Windows 2000 Professional, for example), this guide has no instructions on how to configure them and the Microsoft Solutions for Security team has not tested them with this solution.

Windows XP

Windows XP, Professional Edition and Windows XP, Tablet Edition are fully supported in this solution. All Windows XP clients must be updated with Service Pack 1 or later. The computers must be members of the same domain as the IAS servers or members of another domain within the same forest. Domain membership is required so that the computers can authenticate themselves to the WLAN and can download the WLAN settings specified in Group Policy.

Computer authentication to the WLAN is used when no user is logged on to the computer. This allows the computer to obtain Group Policy object (GPO) settings, run startup scripts, and have patches downloaded to it. It is also required during the initial stages of user log on. The user cannot start to authenticate to the WLAN until after the user profile is loaded; therefore log on scripts, other GPO settings, and roaming profiles will fail if the computer does not have an existing connection to the network before the user logs on.

Windows XP computers that are not domain members may still be used with the solution, with the following caveats:

•	You will have to configure the WLAN client settings manually.
•	Computer authentication to the WLAN is difficult to achieve.
•	User authentication to the WLAN requires a separate user name and password prompt into which the user must type their domain (WLAN) credentials.

Microsoft also strongly recommends enabling the personal firewall on all client computers using wireless.

Pocket PC 2003

Pocket PC 2003 supports 802.1X and PEAP, however, you may have to obtain updates from the vendor of your device and Microsoft to get full WLAN functionality. It is also possible to use versions of Pocket PC earlier than 2003 but Microsoft did not provide built-in support for 802.1X for earlier versions. You may be able to obtain specific support from your Pocket PC device vendor or use WLAN client software from a third party.

Pocket PC systems have no concept of a computer domain account and are always authenticated to the WLAN using user credentials. Normally a connection to the WLAN will require a user to type their domain user name and password each time. It is possible to save the credentials so that the device connects automatically but this is not recommended unless you have very strong security features on the Pocket PC device.

In addition, Pocket PCs do not understand Group Policy so their WLAN settings cannot be set automatically using this. You have to set the WLAN configuration manually.

Other 802.1X Clients

Clients other than Windows XP and Pocket PC 2003 may work with this solution if they support 802.1X and PEAP-MS-CHAP v2. Windows 2000 clients are supported using the Windows 2000 Microsoft 802.1X Authentication Client. Details on how to obtain the Windows 2000 Microsoft 802.1X Authentication Client are included in the references at the end of this chapter. Windows clients other than Windows 2000 (such as Windows NT 4.0, Windows 9x and Windows Me) are supported with a client available through Microsoft Premier Support. You may also be able to obtain client for these and other platforms from non – Microsoft network software vendors.

You should also consult Appendix C, "Supported Windows Versions."

WPA Support

The WLAN solution described here supports the use of WPA WLAN protection in place of dynamic WEP. WPA is always preferred over WEP because it provides better key management and implements a stronger network encryption algorithm. WPA also supports the use of AES encryption, if the hardware (wireless APs and network adapters) provide the necessary support.

Although WPA provides a number of advantages over dynamically keyed, there are some caveats over its use. These include:

•	GPO support for configuring WPA settings on WLAN clients will not be available until Windows Server 2003 Service Pack 1.
•	Client support for systems other than Windows XP may not be available. Although Microsoft is likely to provide WPA support for Pocket PC 2003, Windows 2000 and other Microsoft clients may not be supported (non-Microsoft vendors may provide WPA support for these clients).
•	It may not be possible to upgrade the existing WLAN equipment (wireless APs and client network adapters) to support WPA. The cost of buying and deploying new hardware may also be prohibitive.

GPO and Pocket PC 2003 support for WPA will appear soon, making WPA the option of choice. Until then, dynamic WEP coupled with 802.1X authentication continues to provide a very high level of protection for WLANs and is the default choice for this solution. For more information on WPA, see the “References” section at the end of this chapter.

Migration from an Existing WLAN

If you have an existing wireless network in place, you should plan a migration strategy upfront to ensure minimal disruption to users and the environment.

Many organizations have 802.11–based WLANs operating without network authentication or encryption. Other organizations have implemented static WEP using shared key encryption often combined with Media Access Control (MAC) address filtering.

The process of migrating from either of these scenarios to an 802.1X secured WLAN involves the following steps:

1.	Deploy certificates to IAS Servers: For details on how to deploy certificates to an IAS server,refer to chapter 4, “Building a Certification Authority”, of this guidance.
2.	Configure the wireless network remote access policies on the IAS servers: Steps for configuring a wireless remote access policy are described in Chapter 5, “Building the WLAN Security Infrastructure”, of this guidance.
3.	Deploy a WLAN configuration for the new WLAN to client computers: The new 802.1X – enabled network needs a new network Service Set Identifier (SSID). The network settings for the new WLAN can then be deployed by Active Directory GPO. WLAN group policy should be deployed well in advance of wireless AP reconfiguration to ensure that mobile computers with only occasional LAN access receive the configuration. This is described in Chapter 6, “Configuring WLAN Clients.”
4.	Configuration of wireless APs to require 802.1X security: This is usually best done site by site, (for example, by building or campus) and it is either performed out of hours or with adequate warning to users about possible WLAN outage. You should create RADIUS client entries for the IAS for all APs on the site, configure the APs with the addresses of the IAS servers for the AP's RADIUS entries, and finally, switch the AP over to allow only 802.1X authenticated clients. To facilitate rollback, you may want to back up the wireless AP settings before starting this step, so that they can be restored in an emergency.

This type of rollout minimizes the disruption to users and allows you to rollback a site easily, if anything goes wrong. There will inevitably be some problems experienced by users during the switch over, so you should keep the users informed about the migration and be prepared to handle more support calls than normal.

As with all migration strategies, careful planning and testing is essential. The steps involved in configuring client computers and wireless APs can cause disruption to the environment if they are not tested thoroughly to iron out nascent problems.

Detailed planning of migration from unsecured and static WEP WLANs or from proprietary WLAN security schemes are not included in this guidance. All these are similar in principle and follow the pattern above. However, if you require more assistance with your migration planning, see your Microsoft partner or contact your local Microsoft subsidiary who will put you in touch either with a Microsoft partner in your area or with Microsoft Consulting Services.

Top of page

Scaling for Larger Organizations

This section describes some of the key considerations for using this solution in a large organization (one with several thousand users, for example). The use of PEAP and password authentication in the enterprise is detailed in Appendix A, “Using PEAP in the Enterprise.”

IAS Server Placement

As you increase the number of locations where you support WLANs, you need to decide how these wireless APs will be serviced by IAS servers. There are essentially two approaches:

•	Use a small number of central IAS servers: Use a small number of central IAS servers to handle all WLAN authentication traffic (two are likely to be sufficient). You need to ensure that the WAN connections between your outlying offices and the IAS servers are resilient.
•	Distribute IAS servers to each office: There is a lower limit to the size of an office where this makes economic sense but, as a rule of thumb, any office that is large enough to have its own domain controller can have IAS locally (usually installed on the domain controller).

Although the investment in network resilience may seem an expensive option, you need to weigh this against the administration cost of managing many distributed IAS servers. Even if IAS is installed on the same physical server as an existing domain controller there will be some cost of managing each IAS instance. In practice, most large organizations will use a hybrid of the two in the following ways:

•	Centralize IAS servers and invest in WAN resilience wherever possible.
•	Distribute IAS to offices where WAN resilience is not achievable or is prohibitively expensive.
•	Use pre–shared key (PSK) WPA WLANs for very small offices with poor connectivity or for employees’ home offices.

The centralized IAS strategy was illustrated in the "IAS Server Placement" section, earlier in this chapter. The use of a local domain controller and IAS in a branch office is shown in the following figure. This shows a larger outlying office that is linked by a WAN to the Head Office shown in the figure 2.4 earlier.

Figure 2.7 Larger branch office with local domain controller and IAS
See full-sized image

In this site, the APs are configured to use their local IAS server as the primary RADIUS server and one of the IAS servers in head office as the secondary RADIUS server. This means that WLAN clients can be authenticated, even if the local IAS server or WAN connectivity fails.

However, if you have resilient WAN connectivity (for example, multiple WAN links with different providers), there is little to be gained by deploying additional servers at branch offices; it only adds complexity and additional management overhead.

Multiple Domains

The basic solution design scales transparently to multi–domain forests. The key points to consider while using the solution with multiple domains are as follows:

•	IAS servers must be registered in each domain that has users or computers that will be accessing the WLAN. For details, refer to Chapter 5, “Building the WLAN Security Infrastructure.”
•	The GPOs for server settings and automatic certificate request settings must be imported into every domain in which IAS servers are installed. The steps to do this are detailed in Chapter 3, “Preparing Your Environment” and Chapter 4, “Building a Certification Authority.”
•	The GPO that controls client computer WLAN settings must be created in each domain where there are client computers that will access the WLAN. For more details on this, refer to Chapter 6, “Configuring WLAN Clients.”
•	The security groups used by IAS to filter remote access policies need to be configured to support multiple domains.

The first three items are mostly self-explanatory and the steps for configuring these for multiple domains are covered in later chapters. The use of the security groups is slightly more complex and is covered in detail in the following section.

Use of Security Groups in Multiple Domains

The following table shows how you can organize the security groups described in the "WLAN User and Computer Administration Model" section in a multidomain forest.

Table 2.8: Wireless Access Groups to Allow All Users and Computers

Top Level Universal Group (Granted Access in RAP)	First Level Members(Domain Global Groups)	Second Level Members(Domain Global Groups)
RootDom\Wireless LAN Access	UserDom1\Wireless LAN Users	UserDom1\Domain Users
RootDom\Wireless LAN Access	UserDom2\Wireless LAN Users	UserDom2\Domain Users
RootDom\Wireless LAN Access	UserDom3\Wireless LAN Users	UserDom3\User1 UserDom3\User2 UserDom3\User2
RootDom\Wireless LAN Access	UserDom1\Wireless LAN Computers	UserDom1\Domain Computers
RootDom\Wireless LAN Access	UserDom2\Wireless LAN Computers	UserDom2\Domain Computers
RootDom\Wireless LAN Access	UserDom3\Wireless LAN Computers	UserDom3\HR Computers UserDom3\Finance Computers

The table shows the same group nesting arrangement as the tables in the "WLAN User and Computer Administration Model" section. The members of the group listed in the first column are shown in the second column; the members of the groups listed in the second column are shown in the third column.

The example in the table uses fictitious names. For example, RootDom is the name of the domain where IAS servers are installed and UserDom1 and UserDom2 are other domains containing users and computers to be granted WLAN access.

In the example shown, all users and computers from UserDom1 and UserDom2 are implicitly granted access to the WLAN because the Domain Users and Domain Computers groups from those domains are members of the Wireless LAN Users and Wireless LAN Computers groups for the same domain. However, the users from UserDom3 are individually added to the Wireless LAN Users group of UserDom3. The computers are granted access by using business unit security groups (for example, all computers in the HR department).

The global groups for each domain, namely, Wireless LAN Users and Wireless LAN Computers, are then added as members of the universal group Wireless LAN Access. All members of this latter group are granted access to the WLAN in the IAS remote access policy.

PKI Architecture

As mentioned in the earlier section "Obtaining Certificates for IAS Servers," many applications can utilize certificates. It is important to note that while appropriate for this solution, a standalone CA is unlikely to meet the more varied needs of larger organizations. Before implementing the CA described in this guidance, ensure to carefully consider other uses for certificates that you might have in the future, as well as alternate PKI architectures more appropriate for these scenarios.

To read about PKI planning in more detail, refer to Chapter 4, "Designing the Public Key Infrastructure" in the companion solution, Securing Wireless LANs — A Certificate Services Solution. Although more sophisticated than the CA in this guide, the PKI discussed in that solution is still relatively simple: it uses only two CAs, for example. However, it is designed to be a foundation for a much broader range of certificate needs.

If you decide against implementing a more sophisticated PKI such as this, you can still use the guidance given in Chapter 4 of this guide, “Building a Certification Authority.” However, you should consider making the following changes to the instructions provided in that chapter:

•	Install the CA on its own server instead of installing on a domain controller.
•	Use Windows Server 2003, Enterprise Edition, to give you more flexibility in the future.
•	Instead of using the automatic certificate request service, use Windows Server 2003 autoenrollment. For instructions on how to use autoenrollment, see the product documentation for Windows Server 2003 Enterprise Edition.
•	Use the "RAS and IAS Server" certificate template or create a customer certificate type for the IAS server certificates instead of using the "Computer" template. Note: "RAS" in the certificate template name stands for Remote Access Service.

Guidance for how to do these is given in the “Public Key Infrastructure” section of the Windows Server 2003 product documentation and in Chapter 4, "Designing the Public Key Infrastructure," Chapter 7, "Building the Public Key Infrastructure," and Chapter 9 "Implementing Wireless LAN Security" in the companion solution, Securing Wireless LANs — A Certificate Services Solution.

Top of page

Variations on the Solution Architecture

This section discusses variations to the core design. The following subsections look at alternatives to the default security settings of the solution, using the IAS servers for wired and remote access authentication, creating guest WLANs for visitors and deploying WLANs to very small environments such as home offices.

Security Options for Dynamic WEP

The "How 802.1X with PEAP and Passwords Works" section earlier in this chapter discussed the use of dynamic WEP encryption in the solution. The security of dynamic WEP relies on its ability to renew the encryption keys at regular intervals to thwart known attacks on the WEP protocol. IAS ensures that the keys for each wireless client are renewed at a set interval by using a client session time-out, which forces the client to re-authenticate to the WLAN.

Reducing the session time-out value increases security but may reduce reliability and performance. A 60 minute time-out gives adequate security for most circumstances and certainly for 11 Mbps 802.11b networks. Normally, wireless clients will never transmit enough data in 60 minutes to allow a WEP key to be recovered by an attacker.

The latest research indicates that static WEP keys can be recovered by capturing between 1 and 5 million network packets encrypted with the same key. This is documented in the technical paper “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” by Adam Stubblefield, John Ioannidis and Aviel D. Rubin of AT&T Labs — see the reference at the end of this chapter).

Note: The figure of 1 million packets was obtained from testing static WEP WLANs using relatively weak keys (a "user–memorable passphrase") and is not directly applicable to dynamic WEP WLANs. Unlike typical static WEP WLANs, dynamic WEP uses strong random encryption keys and renders one of the key optimizations used by the authors much less effective. Nevertheless, it is good security habit to err on the side of caution and use the pessimistic figure of 1 million packets to assess the security threat to dynamic WEP WLANs.

One million packets typically equates to around 500 MB of data (assuming an average packet size of 500 bytes). For the encrypted data to be secure, the session time-out needs to be set so that it forces each client's key to be renewed before the client sends more than this amount of data.

For typical client network usage, such as e-mail, Web browsing, and file sharing, average data transfer rates are 160 Kbps or less. At this transfer rate, assuming 500 bytes packet size, it would take approximately 7 hours for an attacker to accumulate enough data to recover the client’s current encryption key.

Note: In laboratory conditions, 500 Mb could be transmitted in much less than 7 hours; around 10 minutes on a11 Mbps WLAN or less than 3 minutes on a 54 Mbps WLAN. However, this assumes a single client having exclusive use of the WLAN and streaming unacknowledged UDP packets in one direction. This scenario, or anything near it, is extremely unlikely for a real world WLAN.

A 60 minute session time-out is more than adequate for most organizations. This means that an average client would transmit around 150,000 packets before each key refresh; nearly an order of magnitude less than the 1 million packet threshold required for WEP key cracking. However, you may want to use a shorter time-out value for one or more of the following reasons:

•	If you have wireless clients that send or receive large amounts of data over the WLAN in relatively short time periods, you should set the time-out to a shorter duration than the time it takes a single client to send and receive 75 MB (this is less than 20 percent of the amount of data required to recover a WEP key, so has a large safety margin).
•	If you use 802.11a or 802.11g 54 Mbps WLANs, it is easier to transmit larger numbers of packets in a given time. You may want to reduce the session time–out to 15 minutes on these faster WLANs.
•	If the capabilities of WEP key cracking techniques improve significantly, less data will be needed to recover the WEP keys. For example, if a new cryptanalytic technique is discovered that allows keys to be recovered with only 100,000 packets, you would need to lower the session time-out to prevent wireless clients reaching this limit before their encryption keys are renewed.
•	If you have specialist security needs, you may wish to reduce the time-out below the threshold at which even theoretical attacks on WEP would be successful (10 minutes or 3 minutes as described in the previous note). However, you need to weigh this decision against the caveats described later in this section. If the data is sensitive enough to require this level of precaution, you should seriously consider using only WPA data protection on the WLAN and using IP security to help protect the data when traveling over wired LANs.

There are two main disadvantages to reducing session time-out:

•

Lower WLAN reliability: Very short WLAN session time-outs could cause clients to fail re-authentication and disconnect from the WLAN if communication with a domain controller or IAS server was lost temporarily.

•

Increased load on IAS servers: The shorter the time-out, the more often the client needs to re-authenticate with an IAS server and domain controller. As a result, the load on IAS servers and domain controllers will increase. Because IAS caches client authentication sessions the load increase will normally be significant only for organizations with a very large number of wireless clients or when using extremely short session time-out values.

Other Network Access Services

The RADIUS design used in this solution can provide authentication, authorization, and accounting services for other network access servers such as 802.1X wired network authentication and VPN and remote access authentication.

802.1X Wired Network Authentication

802.1X wired network authentication is the simplest such application requiring no modification of the basic RADIUS design. Organizations that have a widely-distributed wired network infrastructure may find it difficult to control unauthorized use of the corporate network. For example, it is often difficult to prevent visitors plugging in laptops or employees adding unauthorized computers to the network. Some parts of the network, such as data centers, may be designated high security zones and only authorized devices should be allowed on these networks; this could even mean the exclusion of employees with corporate computers.

How a wired network access solution would integrate with the design is illustrated in the following figure.

Figure 2.8 Using 802.1X wired authentication
See full-sized image

The bold–edged box represents the 802.1X wired components and the other boxes contain the relevant services. Compare this figure to figure 2.4. Only the head office is shown in this figure.

802.1X – capable network switches play an identical role to the wireless APs in the core solution and can take advantage of the same RADIUS infrastructure to authenticate clients and selectively authorize access to the appropriate network segment. This has the obvious advantages of centralizing account management in the corporate directory while still retaining network access policies under the control of the network security administrator.

VPN and Remote Dial–Up Authentication

Another network access service that could use the RADIUS components is VPN and remote dial-up. Particularly in larger organizations, it is likely that some additions would need to be made to the design as it stands, such as the addition of RADIUS proxies. The extended solution is shown in the following figure.

Figure 2.9 Extension of the RADIUS component to support VPN
See full-sized image

The VPN servers, in this variant, play the same functional role as the wireless APs in the core design. They pass the clients' authentication requests to the RADIUS infrastructure. It is possible to have the RADIUS requests passed directly to the internal IAS servers. However, many organizations like to add an additional layer of RADIUS proxies providing an extra security layer and routing the requests to the internal IAS servers.

As with wired network security, this solution brings the same advantages of reusing existing infrastructure and centralizing account management. Further enhancements are possible, such as using smart card-based user authentication. The internal remote access VPN solution from Microsoft for the company's own staff uses virtually the same VPN and RADIUS architecture with smart cards for user authentication.

Dial-up remote access works in a similar way by using the dial-up server capability instead of the VPN functions of Windows Server Routing and Remote Access.

A major advantage that using IAS brings to both VPN and Remote Dial-up is the ability to use Windows Server 2003 Network Access Quarantine Control. Quarantine Control uses capabilities of the Routing, Remote Access Server (RAS) and Windows enhanced remote access client (Connection Manager) to allow and deny access based on the security state of the client computer. It works by performing checks on the client at connect-time; for example, ensuring that the client has up-to-date antivirus software, or that it is running a corporate-approved operating system build. If the client fails these checks, the RADIUS server denies it access to the network. Therefore, even a properly authenticated user and computer may be denied access if they present a possible security threat to the company network.

To learn more about the quarantine feature of Windows Server 2003, see the references at the end of the chapter.

Bootstrapping Client Computers

Most wireless capable computers also have a wired network interface. This makes it relatively easy for the clients to join the domain and download WLAN settings prior to connecting to the WLAN. However, this may not always be the case. Already, handheld devices have only wireless, and do not have wired network adapters. This presents the problem of bootstrapping a client prior to connecting to the WLAN because it does not have the settings and credentials that it needs to connect to the WLAN.

This problem becomes even more difficult if an organization decides to use both wired and wireless 802.1X security, because a client cannot connect to a wired LAN without first having the correct credentials and settings.

There are two main approaches to bootstrapping a client computer if you cannot use a wired LAN to retrieve settings and credentials; these are:

•	Using a guest LAN and using an alternative authenticated connection (for example a VPN connection) to obtain credentials and settings.
•	Manually configuring clients.

Microsoft currently supports only the second option. Microsoft will be releasing a wireless provisioning service that will be suitable for using a "guest" WLAN to bootstrap the client computer WLAN configuration. Until then, manual configuration is a simple way to achieve this. To configure the client computer settings and join it to the domain, the person configuring the computer needs to be a member of the local Administrators group on the computer.

To bootstrap a computer using manual configuration:

1.	Manually configure WLAN settings for the correct WLAN SSID.
2.	Connect to WLAN using a valid user domain credentials. You will not be able to connect using the computer account until the computer is joined to the domain.
3.	Join the computer to the domain and then restart it.
4.	After rebooting, the client will be able to connect to the WLAN using the computer account and will download the WLAN GPO settings. These settings will simply overwrite the manually configured settings.
5.	Both the user and the computer can now connect to the WLAN.

SOHO Environments

You may need to deploy WLANs to locations where it is not possible or practical to authenticate users using your IAS infrastructure. For example, home offices for users who regularly work from home or small offices with very unreliable or low bandwidth connectivity to the main corporate network.

Previously the only solution to this was to configure static WEP security and hope that no one was determined enough to bother to attack your WLAN. A far better solution is to use WPA in PSK mode. All Wi-Fi certified wireless APs now ship with WPA security although older APs may not support this. You should ensure that your APs support WPA PSK because of the additional security value that it brings. Unlike static WEP, the WPA authentication key is not recoverable from the encrypted traffic; therefore, it is much more difficult for an attacker to break on to the network. You should also ensure that your users are trained to use strong WPA keys and to change them regularly and that understand the security implications of not doing so. To implement WPA PSK, you need a wireless AP, wireless network adapters, and a client operating system (such as Windows XP) that supports WPA. You do not need a RADIUS server or other server infrastructure.

Top of page

Summary

This chapter began with a description of how 802.1X wireless LAN security works. To provide focus for the design, a picture of the target organization for solution was given along with the organization's key design criteria for the WLAN solution. Following this, the main aspects of the chosen WLAN design were discussed. The design covered the network, IAS server placement and IAS configuration, the use of certificates, and the different types of wireless clients. The key points on migration from an existing WLAN were also outlined.

The two sections at the end of the chapter discussed important variations to the basic design. Firstly, how to scale the solution for larger organizations was described, along with instructions on how to deal with the main points of divergence from the core solution. This was followed by illustrations of how to use the same basic authentication infrastructure to support other network services such as remote access, VPN, and wired network security; and how to deal with the sticky problems of bootstrapping clients and deploying WLANs to SOHO environments.

The next chapter begins the implementation of the solution by helping you prepare your network, Active Directory, and server security for deployment of WLAN components.

Top of page

References

This section provides references to important supplementary information or other background material relevant to the content of this chapter.

•	For more details on 802.1X Authentication, see "IEEE 802.1X Authentication for Wireless Connections" at the following URL: http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx
•	For more information on how PEAP with passwords works, see "PEAP with MS-CHAP Version 2 for Secure Password–based Wireless Access" at the following URL: http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx
•	For more details on 802.1X authentication; the interaction between clients, wireless APs, and RADIUS servers; as well as recommendations for features that should be supported on wireless APs; see "Recommendations for IEEE 802.11 Access Points" at the following URL: http://www.microsoft.com/whdc/device/network/802x/accesspts.mspx
•	For more information on wireless LAN design including providing DHCP services and wireless AP layouts, see the "Deploying a Wireless LAN" chapter in the Windows Server 2003 Deployment Kit at the following URL: http://technet2.microsoft.com/windowsserver/en/library/87383ea4-bfbb-47da-8e4f-21145139780e1033.mspx
•	For more information on Securing IAS, see the Windows Server 2003 product documentation at the following URL: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/06E188EF-0C02-4554-8DBC-DD08B4EA804C.mspx
•	For more information on Certificate Services features available in Windows Server 2003, Enterprise Edition, see the paper "PKI Enhancements in Windows XP Professional and Windows Server 2003" at the following URL: http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx Note: This article was written before the release of Windows Server 2003 and uses the terms Windows .Net Server, Advanced Server, and Standard Server to refer to Windows Server 2003, Enterprise Edition and Standard Edition respectively.
•	For more information on Microsoft 802.1X Authentication Client for Windows 2000, see the Knowledge base article “Using 802.1x Authentication on Computers Running Windows 2000” at the following URL: http://support.microsoft.com/default.aspx?scid=313664
•	For more information on “Wi-Fi Protected Access (WPA) Overview" and "WPA Wireless Security Update” in Windows XP, see the following URLs: http://www.microsoft.com/technet/community/columns/cableguy/cg0303.mspx http://support.microsoft.com/default.aspx?kbid=815485
•	For a discussion of the security concerns with WEP, see the “Weaknesses in the Key Scheduling Algorithm of RC4” technical paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir and the “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” technical paper by Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. You should consider that these papers are discussing the security of static WEP; therefore, the conclusions drawn are not directly applicable to dynamic WEP WLANs. For the "Weaknesses in the Key Scheduling Algorithm of RC4", see the following URL: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
•	For the “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP” AT&T Technical Report, see the following URL: http://www.isoc.org/isoc/conferences/ndss/02/summaries.shtml#1
•	For more information on network access quarantine control, see the papers "Network Access Quarantine Control in Windows Server 2003" and "Planning for Network Access Quarantine Control" at the following URLs: http://technet.microsoft.com/en-us/library/bb726973.aspx http://technet2.microsoft.com/windowsserver/en/library/cc2503a6-d2bf-4e82-bfd9-0cb7564a38791033.mspx?mfr=true
•	For information on using WPA to secure SOHO WLANs, see "WPA Wireless Security for Home Networks" at the following URL: http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx

Top of page

4 of 14

Securing Wireless LANs with PEAP and Passwords

Chapter 2: Planning a Wireless LAN Security Implementation

On This Page

Overview

Chapter Prerequisites

How Wireless LAN Security Works

How 802.1X with PEAP and Passwords Works

Computer and User Authentication to the WLAN

Target Organization Profile

Organization Layout

IT Environment

Design Criteria

WLAN Architecture

Network Design

Selection of Wireless Network Hardware

IAS Server Placement

Assignment of APs to RADIUS Servers

Co-location of IAS with Domain Controllers

IAS Software and Hardware Requirements

Using Windows Server Standard or Enterprise Edition

IAS Configuration

IAS Server Settings

RADIUS Policies

RADIUS Logging

IAS Security

WLAN User and Computer Administration Model

Obtaining Certificates for IAS Servers

Embedded CA vs. Commercial CA

Limitations of the Solution CA

WLAN Clients

Windows XP

Pocket PC 2003

Other 802.1X Clients

WPA Support

Migration from an Existing WLAN

Scaling for Larger Organizations

IAS Server Placement

Multiple Domains

Use of Security Groups in Multiple Domains

PKI Architecture

Variations on the Solution Architecture

Security Options for Dynamic WEP

Other Network Access Services

802.1X Wired Network Authentication

VPN and Remote Dial–Up Authentication

Bootstrapping Client Computers

SOHO Environments

Summary

References

In This Article