Microsoft has produced two solutions for securing wireless local area networks (WLANs). The first solution, Securing Wireless LANs — a Certificate Services Solution, uses client certificates to authenticate wireless clients and is primarily intended for large and enterprise organizations. The second solution, Securing Wireless LANs with PEAP and Passwords (the subject of this current guide), uses passwords and the Protected Extensible Authentication Protocol (PEAP) to authenticate wireless clients. This latter guide was written primarily for small and medium organizations. However, there is nothing about PEAP that restricts its use to smaller organizations. Large and enterprise organizations can also use PEAP and password authentication to secure their WLANs. If you are part of a large organization that is planning to implement PEAP with passwords, this appendix will show you how to use sections from both solutions to implement the solution. Both solutions use the same technical architecture and components, so it is relatively simple to take the enterprise-focused content from the first solution but replace the certificate authentication protocols with the PEAP and password protocols. The aim is to leave you with merged guidance that includes details relevant to an enterprise WLAN solution, such as advanced administrative delegation, RADIUS logging, and server role separation, but using password authentication for your wireless clients. Throughout this appendix, for reasons of brevity, the term "EAP–TLS solution" will be used to refer to the first solution, Securing Wireless LANs — a Certificate Services Solution, and the term "PEAP solution" will refer to the second solution, Securing Wireless LANs with PEAP and Passwords. Extensible Authentication Protocol–Transport Layer Security (EAP–TLS) is the name of the client certificate–based authentication protocol used in the first solution.
What You Need From the EAP–TLS Solution

Since the EAP–TLS solution guide was written for large organizations, it should be your primary reference. It includes planning, implementation, and operational details (such as delegated administration) that are likely to be of more interest to large organizations. Following the table is a list of the chapters of the EAP–TLS solution. For each chapter, a short description is given indicating whether the content from this solution is relevant for the "merged" guidance or not. Where the content from the PEAP solution should be used in place of the EAP–TLS solution instructions, this is highlighted. For reference, the mapping between chapters of the two solutions is shown in the following table. Due to the differences in scope and use of technology, there is not a one–to–one mapping between the chapters.

Table A.1: Mapping of Chapters between EAP–TLS and PEAP Solutions
You should note that the EAP–TLS solution was intentionally structured to keep the Public Key Infrastructure (PKI), RADIUS, and WLAN components as independent of each other as possible, to allow the reuse of these components in other applications. This means that there is some repetition in the EAP–TLS solution. For example, the chapters on PKI and RADIUS both include server build instructions, since, in large organizations, the installation of CAs and IAS servers may be the responsibility of different groups within IT. Also, some of the logical steps through the design and implementation chapters may be misleading in the context of a PEAP solution. Therefore, you should read through the PEAP solution to obtain an overview of the whole process and then return to the EAP–TLS solution for specific design and implementation details. The following sections describe how to use the chapters from the EAP–TLS solution in association with the chapters of the PEAP solution.

Chapter 1—Overview

Chapter 1 is an overview of the solution and contains short summaries of each of the chapters and appendixes in the guide. As you will be working primarily from the EAP–TLS guide, you should use Chapter 1 from that solution.

Chapter 2—Deciding on a Secure Wireless Networking Strategy

The content of this chapter is very similar to the content of the Introduction, "Choosing a Strategy for Wireless LANs Security," of the PEAP solution. The introduction to the PEAP solution works as a preface to both solutions, so you should use it instead of Chapter 2 from the EAP–TLS solution.

Chapter 3—Secure Wireless LAN Solution Architecture

This chapter provides an architectural overview of the certificate–based WLAN solution, of which all except the first of the following items are relevant:
The references to the certification authority (CA) may also be relevant for use in the next chapter.

Chapter 4—Designing the Public Key Infrastructure

This chapter contains a detailed description of the planning process for a simple PKI. The PEAP solution also contains instructions for a simple, single–purpose CA (PEAP still requires a server certificate for the IAS servers, which is why a CA is needed even without client certificates). Even though you will not need to issue certificates to your WLAN clients, you should consider following this chapter to help design your PKI. The larger your organization, the more likely it is that you will have requirements for certificates other than simple network authentication. This chapter will help you design a more robust and flexible PKI than the one presented in the PEAP solution.

Chapter 5—Designing a RADIUS Infrastructure for Wireless LAN Security

You should follow the guidance provided in this chapter from the EAP–TLS solution.

Chapter 6—Designing Wireless LAN Security Using 802.1X

You should follow the guidance provided in this chapter from the EAP–TLS solution.

Chapter 7—Implementing the Public Key Infrastructure

This chapter is only relevant if you have decided to implement a full-featured PKI as described earlier. Otherwise, follow Chapter 4, "Building a Certification Authority," in the PEAP solution.

Chapter 8—Implementing the RADIUS Infrastructure for Wireless LAN Security

You should follow the guidance provided in this chapter. You should also read Chapter 5, "Building the Wireless LAN Security Infrastructure," from the PEAP solution for supplementary information.

Chapter 9—Implementing Wireless Security Using 802.1X

You should follow the instructions given in Chapter 5, "Building the Wireless LAN Security Infrastructure," and Chapter 6, "Configuring the Wireless LAN Clients," of the PEAP solution on how to configure the IAS remote access policy and the client Group Policy object (GPO) settings.
Chapter 5 of the PEAP solution also contains useful details on configuring wireless AP settings, and scripts to help automate the entry of RADIUS clients and the replication of IAS settings, which are not given in the EAP–TLS solution.

Chapters 10, 11, and 12—Operating the Solution

You should follow the guidance provided in these chapters of the EAP–TLS solution. In addition, you should read the guidance on troubleshooting WLAN problems in Chapter 7, "Maintaining the Secure Wireless LAN Solution," of the PEAP solution. The detailed procedures and techniques given there will provide a useful supplement to the procedures in the EAP–TLS chapters.

Chapter 13—Test Guide

You should use the content from this chapter. If you have chosen not to implement a full PKI as described in Chapter 4, "Designing the Public Key Infrastructure," of the EAP–TLS solution, you can ignore some of the PKI–related testing in this chapter.

Scripts

The scripts used in the PEAP solution were developed from the EAP–TLS solution scripts. However, although the PEAP scripts contain more functionality than the EAP–TLS scripts, they are not an exact superset; the EAP–TLS scripts contain more sophisticated CA monitoring functions, for example. In most cases the scripts provided in the PEAP solution should be used, but you may want to install the scripts for both solutions into separate folders and use each of them as appropriate. The scripts are only provided as basic samples to illustrate techniques, so you should feel free to modify them to better match your needs.