Chapter 6: Designing the Wireless LAN Security Using 802.1X
On This Page
Introduction
This chapter describes the architecture and design of the 802.1X-based secure wireless network components for the wireless LAN (WLAN) solution. The chapter presents the design decisions involved with securing wireless network components and the reasoning behind those decisions.
A important goal of the chapter is to help you determine the suitability of the design for your own organization. Where there are alternative design choices available, other relevant options are given alongside the option used in this solution. To help you understand the implications of the step without you having to refer to other documents, some topics are more detailed than might otherwise be necessary.
Chapter Prerequisites
Before reading this chapter, you should be familiar with both 802.11 wireless local area network (WLAN) concepts, 802.1X network access control, Remote Authentication Dial-In User Service (RADIUS) concepts, Microsoft Internet Authentication Service (IAS), and WLAN deployment options using Microsoft Windows XP Professional. You can familiarize yourself with these topics by reading the references listed at the end of this chapter in the “More Information” section. The Microsoft Windows Server™ 2003 Resource Kit and the Microsoft Windows Server 2003 Deployment Kit contain particularly valuable information.
Chapter Overview
The following flowchart illustrates the chapter structure.
Figure 6.1 Planning WLAN security using 802.1X
This chapter covers six main steps:
1. | Using 802.1X and Encryption to Secure WLANs. There are two main vulnerabilities to WLANs that anyone with a compatible WLAN adapter can exploit. This chapter explains both by telling you how to:
| ||||||||||
2. | Deciding on Certificates or Passwords. Microsoft offers native support for several types of authentication protocols that work with the 802.1X protocol. The most common forms of authentication credentials are passwords and digital certificates. The authentication method that you select for your organization can have a significant effect on the infrastructure required for your solution. This chapter helps you decide which method is best for your organization. | ||||||||||
3. | DetailingSolution Prerequisites. It is important to understand the solution prerequisites for the environment prior to starting your design. These include requirements for client computers, server infrastructure, and WLAN equipment. This section details these prerequisites. | ||||||||||
4. | Considering WLAN Security Options. Planning security options is complex and should include hardware purchasing representatives, security policy makers, usability representatives, network engineers, and network operations administrators. These experts should consider the following topics, which are detailed in this chapter:
| ||||||||||
5. | Determining Software Settings Required for 802.1X WLANs. To achieve 802.1X WLAN security, you must configure both an IAS network access policy and an Active Directory directory service Group Policy Object (GPO) for client computers. This section details how to achieve this. | ||||||||||
6. | Considering Additional Factors. This section briefly mentions topics to consider that are outside the scope of this solution but that may have an impact in your environment. These factors include:
|
Using 802.1X and Encryption to Secure WLANs
WLANs are becoming increasingly widespread with the adoption of industry standards such as IEEE 802.11 and 802.11b. WLANs allow users to roam around a building or campus and automatically connect to the network when they are in proximity to a wireless AP.
While providing convenience, WLANs pose the following security risks:
| • | Anyone who has a compatible WLAN adapter can gain access to the network. |
| • | Wireless networking signals use radio waves to send and receive information. Anyone within an appropriate distance to a wireless AP can detect and receive all data sent to and from the wireless AP. |
To counter the first security risk, you can configure IEEE 802.1X wireless APs as RADIUS clients to send access requests and accounting messages to RADIUS servers running IAS. IAS performs authentication of users and devices, and controls network access through centralized remote access policies.
To counter the second security risk, you can protect data sent between the wireless devices and the wireless APs by using 128-bit WEP encryption or WPA encryption capabilities built into 802.11 networking equipment.
Static WEP has serious design flaws and includes no native encryption key management to allow the keys to be regularly updated. This can expose encryption keys to determined malicious users. IAS enables strong WEP keys to be dynamically assigned to client computers running Windows XP during certificate-based authentication. In addition, WEP keys can be regenerated at regular intervals to thwart attack tools designed to discover those keys.
WPA is a subset of the forthcoming 802.11i security standard for 802.11-based WLAN equipment. WPA includes enhanced encryption designed to address security issues with static WEP. The solution presented in this guide also is suitable for use with WPA (this requires WPA capable hardware and an update to the Windows XP client).
Deciding on Certificates or Passwords
Microsoft offers native support for several different authentication methods that you can use with the 802.1X protocol. Most commonly, organizations select WLAN client authentication methods based on either passwords or certificate-based credentials.
As stated earlier, the authentication method selected can have a significant effect on the infrastructure required for your solution. The 802.1X standard uses an authentication scheme called Extensible Authentication Protocol (EAP) that allows you to “plug in” different authentication types.
The following table illustrates the EAP types that you can use in a Microsoft 802.1X infrastructure, and the advantages and disadvantages of each type.
Table 6.1: Advantages and Disadvantages of EAP Types
| Feature | PEAP | EAP-TLS | EAP-MD5 |
Mutual authentication | Mutual authentication. | Mutual authentication. | Only client authentication. |
Dynamic key generation and scheduled regeneration. | Generated during authentication and regenerated at timed intervals. | Generated during authentication and regenerated at timed intervals. | No dynamic key generation or regeneration: Relies on static keys. |
Security technology level | Can use strong password authentication or digital certificates. | Strongest authentication. | Weak security technology. |
User credential protection | Protected by Transport Layer Security (TLS) tunnel. | Certificate-based authentication protected by Transport Layer Security (TLS) tunnel. | Open to dictionary attack. |
Ease of implementation | Widely supported and offered natively in Windows clients. | Requires a Public Key Infrastructure (PKI). Widely supported and offered natively in Windows clients. | Simple, but not recommended for wireless. |
Credentials flexibility | Any approved EAP with TLS tunnel, including EAP – MSCHAPv2 (passwords-base method). | Only digital certificates. | Password only. |
The recommended EAP type for performing certificate-based client authentication is EAP – TLS, and the recommended EAP type for performing password-based client authentication is EAP – MSCHAPv2 within Protected Extensible Authentication Protocol (PEAP), also known as PEAP – EAP – MSCHAPv2.
Password-based 802.1X authentication using PEAP and MSCHAPv2 is a low cost and robust solution. It is suitable for organizations that do not currently have a certificate infrastructure in place and do not need certificates for other purposes, such as using the Encrypting File System (EFS) or a virtual private network (VPN). You can easily migrate from password-based 802.1X authentication to certificate-based authentication. This provides flexibility for your organization to later change from one authentication method to the other.
Note that even with a password solution using PEAP, a certificate is required on each RADIUS server. You should weigh the costs involved with purchasing server certificates from a commercial certificate provider against the value that a certificate infrastructure will bring to your organization.
This solution uses certificate-based client authentication because of the greater security level that the authentication method provides. The authentication method uses the Extensible Authentication Protocol – Transport Layer Security (EAP – TLS) protocol.
For guidance on how to deploy a password-based 802.1X solution that uses PEAP and MSCHAPv2, see the discussion in Chapter 2 "Deciding On a Secure Wireless Networking Strategy," and the reference at the end of this chapter to the companion solution guide, Securing Wireless LANs with PEAP and Passwords.
Solution Prerequisites
It is important that you understand the prerequisites for the environment for this solution before starting the design. This section details these prerequisites.
Client Computer Requirements
This solution has been designed and tested using Windows XP Professional with Service Pack (SP) 1. Windows XP with SP1 provides certain 802.1X and WLAN feature functionality that is required to achieve an extremely low cost and easily managed solution.
Testing this solution included client computers running both Windows XP Professional and Windows XP, Tablet PC Edition. Both Windows XP editions provide automatic certificate enrollment and renewal of computer and user WLAN authentication certificates that are required for EAP-TLS client authentication. This feature alone significantly reduces the cost typically associated with certificates, and thus a certificate-based 802.1X solution.
Microsoft also provides 802.1X clients for Windows 2000 (available as a free download), and Windows 9x and Microsoft Windows NT 4.0 (available free of charge to customers with a support agreement). However, these client types were not tested in this version of the solution.
Required Server Infrastructure
This solution depends on the Certificate Services and IAS components of Windows Server 2003. There are features of Certificate Services and IAS that have been designed explicitly for 802.1X-based WLANs. Some of the features used in this solution include editable certificate templates and remote access policy settings that allow you to simplify deployment settings required for the 802.1X protocol.
The solution was designed with both Windows Server 2003 and Windows 2000 Active Directory environments in mind. However, the solution was tested only with Windows Server 2003 domain controllers. If you choose to, you can install IAS on to existing domain controllers. For a detailed discussion of co-location considerations related to this option, see Chapter 5, “Designing a RADIUS Infrastructure for Wireless LAN Security.”
Required WLAN Equipment
This solution assumes that your organization has already deployed a well designed and fully functional WLAN infrastructure. This guide does not include any instructions on wireless network design, such as wireless AP positioning and channel selection. If your organization has not deployed a WLAN infrastructure, ensure that you have the appropriate level of expertise available to accomplish this before you start deploying the WLAN security components.
The network hardware must support 802.1X, and 128-bit WEP for encryption. In this solution guidance, it is assumed that the WLAN infrastructure is operating without error, and that either no security controls are enabled, or only basic 802.11 security controls are enabled. Migrating from either a Shared Key (static WEP) WLAN or an Open System (unsecured) 802.11 WLAN to this solution is very similar. You should be able to accomplish either type of migration without any significant problems.
Considering WLAN Security Options
If you have not already, you should spend time planning a WLAN security policy for your organization. Your planning discussions should include representatives from hardware purchasing, security policy, usability, network engineering, and network operations. Your security policy discussions with these people should include how your organization will address the threats it faces and what security controls you will use to mitigate them.
It is also important to document your WLAN security policy and make it available and visible to all of your network users. This solution provides security controls to mitigate the risk associated with modern WLAN technology. However, the solution cannot mitigate the risks of users in your organization who are performing unsecured, improvised networking, and deploying rogue wireless APs.
Selecting User- and Computer-Based Authentication
User authentication is a natural choice when considering identification to WLAN infrastructure. However, in most cases you also will want to implement computer (or device) authentication to ensure a comprehensive security solution for your WLAN.
There are a number of features in Windows XP Professional that will only work correctly with an active network connection. Using 802.1X computer authentication ensures that the WLAN network connection is established during the computer startup sequence before users see the initial Windows logon screen. The computer re-authenticates to the WLAN after the user logs off, ensuring that there is always a connection to the network.
Table 6.2: Reasons for using Computer Authentication
| Feature | Scenario requiring computer authentication |
Active Directory computer Group Policy | Computer-based Group Policy is applied during computer start up and at timed intervals — even when no one is logged in to the Windows operating system. |
Network logon scripts | Network logon scripts are run during initial user logon. |
Systems management agents | Systems management agents, such as those that come with Microsoft Systems Management Server (SMS), frequently require network access without user intervention. |
Remote Desktop Connection | Computers are accessible via the Windows Remote Desktop Connection when no one is logged on to the computer. |
Shared folders | Files and folders shared from a computer are still available, even when no user is logged on to it. |
The best strategy is to use user–based authentication when possible, and computer-based authentication when required. This solution uses the default behavior of the Windows XP Professional 802.1X client. This is to perform computer authentication when no user is logged on at the computer console, user authentication when a user logs on to Windows, and computer authentication again when the user log off. This ensures that authentication to the network uses user account credentials where possible for accountability, while still it ensures that Windows features that require network access continue to work properly when no one is logged on.
Validating Certificate Based Credentials
It is important to check for valid credentials as part of your certificate-based WLAN authentication strategy. Checking for revoked certificates allows you to block the use of client certificates stored on lost or stolen computer equipment. Forcing clients to verify server certificates helps prevent sophisticated man-in-the-middle attacks involving rogue APs and RADIUS servers.
Windows provides extensive support for validating certificates when performing certificate-based operations. Both IAS and the Windows XP Professional 802.1X features use this support to ensure that the certificates used for EAP – TLS are valid and represent a trusted security principal.
Table 6.3: IAS Validation of Client Certificate Credentials
| IAS validation of client certificate credentials | Default behavior | Settings used in this solution |
Check that the certificate is within its validity dates. | Enabled | No change |
Check that it is possible to build a chain from the certificate to a trusted root. | Enabled | No change |
Check that the required key usages and application policies are present in the certificate. | Enabled | No change |
Check that the client proves ownership by signing with a private key. | Enabled | No change |
Check that the certificate is not revoked. | Enabled | No change |
Windows XP Professional also performs the following IAS server credentials validation by default.
Table 6.4: Windows XP Validation of IAS Certificate Credentials
| Windows XP validation of server certificate credentials | Default behavior | Settings used in this solution |
Check that the certificate is within its validity dates. | Enabled | No change |
Check that it is possible to build a chain from the certificate to a trusted root. | Enabled | No change |
Check that the required key usages and application policies are present in the certificate. | Enabled | No change |
Check that the server proves ownership by signing with a private key. | Enabled | No change |
When authenticating to the WLAN, the client computer cannot perform a full revocation check of the server certificate, because network access is not available prior to the completion of a successful authentication.
You should also consider enabling the following additional credential validation options (that the client performs) to increase the security of the validity check.
Table 6.5: Advanced Windows XP Validation of IAS Certificate Credentials
| Windows XP validation of server certificate credentials | Default behavior | Settings used in this solution |
Subject of the certificate matches a Domain Name System (DNS) string value that you can configure on the client. | Not enabled | No change |
Explicit selection of trusted root CAs that the server certificate may chain. | Not enabled | Enabled |
Note that the subject name checking option on client computers will produce a trust decision prompt to users. In addition, you need to implement a management process to keep the permitted server certificate subject names up to date on the WLAN clients. You can do this using the Wireless Network Policies GPO settings. For these reasons, this solution does not implement this option. If you operate a high security environment, you may want to consider the threats that rogue IAS servers with wireless APs pose when deciding whether you need this extra level of validation.
Explicit selection of trusted root authorities minimizes the risk of forged server certificates from alternate CAs in the trusted root store. However, this setting requires an additional management process to ensure that changes to trusted root authority certificates are reflected in the WLAN client settings. These settings are also deployed using Wireless Network Policies GPO settings.
Determining Network Authorization Requirements
The key goals to achieve when designing network access management policies are to match organizational security policies as closely as possible and minimize management cost. A centralized representation of network authorization policy such as IAS remote access policies is well suited for this task.
Note: This solution uses network authorization administration through IAS remote access policy. For more information about the decisions involved to select a remote access policy administration model, refer to the resources listed in the “More Information” section at the end of this chapter.
Flexible yet simple management of network authorization should be a primary goal for any organization. Minimizing the number of remote access policies while still ensuring that all organizational security policies are represented is the key to achieving simplified management.
Determining Connection Criteria
IAS remote access policies can either allow or deny connections. A policy contains a set of criteria against which to match each connection attempt. The first policy found that matches a particular connection will be used to allow or deny access. The main connection attributes against which a policy can be matched are the following:
| • | Group membership |
| • | Type of connection |
| • | Time of day |
| • | Authentication methods |
In addition, you can specify many other advanced filter criteria such as the following:
| • | Access server identity |
| • | Access client phone number or Media Access Control (MAC) address |
| • | Whether to ignore user account dial-in properties |
| • | Whether to allow unauthenticated access |
This solution uses IAS connection criteria based on domain security group and source network type (rather than time of day, authentication method, or other condition). This ensures that the remote access policies are created for a particular type of network access (such as, wireless, VPN, wired, or dial-up) and client grouping, while keeping the policy criteria broad enough to minimize the number of policies required.
Note: This solution uses custom security groups (Remote Access Policy – Wireless Users, and Remote Access Policy – Wireless Computers) to restrict which users and computers are allowed access to the WLAN. If you want all of your domain users and computers to be able to access the WLAN, you can add the Domain Users and Domain Computers groups to these custom security groups to simplify administration.
Determining Connection Restrictions
Once a connection is authorized, the remote access policy also specifies connection restrictions and other attributes to be applied to that connection. These include the following:
| • | Idle time-out |
| • | Maximum session time |
| • | Encryption strength |
| • | IP packet filters |
In addition, you can apply the following attributes to the connection:
| • | IP address for Point-to-Point Protocol (PPP) connections |
| • | Static routes |
One major determining factor for the number of remote access policies that your organization will require is the number of different user types who need access to the wireless network. For example, full-time staff in many organizations requires full, unrestricted access to the entire corporate network. However, contractors and business partners may only require access to specific applications on specific network subnets.
Connection restriction profiles are unique to each remote access policy. Therefore, if multiple types of connection restriction profiles are required, so are multiple remote access policies.
The following table illustrates examples of various types of users and the some of the connection restrictions that you can apply through remote access policy.
Table 6.6: Examples of WLAN Connection Restrictions
| Type of user group | Connection restriction example |
Full-time staff | Authenticated, unrestricted access to the corporate network. |
Contractors and business partners | Authenticated, restricted access to specific networks and applications. |
Visiting guests | Unauthenticated access to Internet-only segments for Web browsing or VPN access to source organization. |
This solution only configures support for authenticated, full-time staff. Thus, only a single remote access policy with a simplified connection restriction profile is required. If your organization has additional requirements, such as a requirement to support restricted access users to the wireless network, you must add remote access policies to provide for this. See the references in the “More Information” section at the end of this chapter for more information about planning additional types of remote access policies.
Choosing a Client Configuration Strategy
Automating client computer configuration settings is an essential step to reducing the cost of deploying wireless networking security, and minimizing support issues that result from incorrectly configured settings.
Windows XP Professional has sophisticated features for reducing the need for manual configuration and reconfiguration of wireless network and 802.1X security settings on the WLAN clients. Windows Server 2003 adds the capability to completely automate client configuration using the Wireless Networking Policies settings in Group Policy. This solution uses the Wireless Networking Policy feature in Windows Server 2003 to automatically configure all wireless network clients.
You can deploy these GPO settings to client computers even before distributing WLAN network interface cards (NIC). This allows end users to simply install the wireless NICs and, using the WLAN settings deployed via the GPO, automatically connect to the secure 802.1X WLAN.
Determining Traffic Encryption Requirements
You should keep up to date on the evolving threats to 802.11 WEP encryption when determining your strategy for protecting your WLAN traffic. As discussed earlier, it is possible for determined malicious users to take advantage of cryptographic flaws in WEP to perform attacks that can disclose the WEP encryption key. To perform this kind of attack an intruder needs to capture several million packets that have been secured with the same encryption key.
The best strategy for mitigating threats to the security of a WEP-based WLAN is to ensure that keys used to encrypt network traffic are refreshed periodically. This can be done at a frequency that prevents an attacker ever being able to capture enough traffic to perform a successful attack. You can accomplish this by setting the IAS RADIUS options to enforce automatic client re-authentication, which initiates WEP key regeneration.
This solution configures IAS RADIUS options to enforce Windows XP client re-authentication every 10 minutes to ensure short-lived WEP session keys. This decision was based on known WEP attack tools and scenarios at the time of writing. Basic WEP encryption includes flaws such as poor initialization vector (IV) sequencing that an attacker can exploit to more quickly compromise keys. Ensure that your APs have the capability to generate less predictable and therefore stronger IVs.
Important: Using a session timeout of 10 minutes may be too short for many scenarios. Short timeouts place a high load on the IAS servers. Short timeouts also increase the possibility of making your IAS server temporarily unavailable, which will result in disconnecting clients from the WLAN. For these reasons, you can use a longer timeout of 60 minutes without significantly compromising the WLAN security.
The use of EAP – TLS ensures that unique WEP session keys are generated for each client during the TLS negotiation process, and that they are transported safely across the network between solution components. Unlike static WEP, the encryption keys are never reused and never shared between clients.
Choosing a WLAN Migration Strategy
If you have an existing wireless network in place, you should plan a migration strategy up front to ensure minimal disruption to users and the environment.
Studies have shown that many organizations have 802.11-based WLANs in place and are operating without network authentication or data protection. This type of 802.11 network security strategy is called Open System authentication. Other organizations have implemented static key network authentication and encryption. This type of 802.11 network security is also known as Shared Key authentication.
Migrations from Open System or Shared Key network security models to 802.1X security are very similar. The primary difference is that Shared Key security provides some security protection, thus migration schedules from Shared Key security may be more relaxed for some organizations.
Migration from either of these authentication strategies to the 802.1X security model typically involves the following steps:
1. | Deployment of certificates to computers and users — This should be done in advance of the 802.1X deployment to ensure that the certificates are deployed to mobile computers that only occasionally connect to the LAN. |
2. | Configuration of wireless network remote access policies on IAS servers — This involves guidance on configuring a wireless remote access policy. |
3. | Deployment of wireless network configurations on client computers — The new 802.1X enabled network will typically require a new network Service Set Identifier (SSID). You can deploy network settings for this SSID using Active Directory Group Policy. WLAN group policy must be deployed sufficiently in advance of wireless AP reconfiguration to ensure that mobile computers that connect to the LAN infrequently will have received the WLAN GPO settings. |
4. | Configuration of wireless APs to require 802.1X security — This step is typically performed on a location-by-location basis, such as by each building in the environment or campus. You should plan appropriate roll-back procedures in the event of unexpected behavior, and staff Help desks appropriately to handle associated support calls. |
As with all migration strategies, careful planning is essential. Configuring client computers and wireless APs erroneously can cause disruptive changes to your environment. You should test the intended changes thoroughly prior to deployment.
Note: Some wireless APs support configuring one 802.11 radio for static WEP security and another 802.11 radio for 802.1X. However, 802.11 channel separation issues may make this strategy impractical for many organizations.
Obtain commitment from your WLAN equipment vendors to support wireless AP and wireless NIC upgrades to WPA. Microsoft has released an update to Windows XP that provides support for WPA (it is included in SP2). Also, plan to upgrade your WLAN infrastructure in the future to support 802.11i, which will likely require you to update the firmware on your APs and wireless NICs.
This guidance does not include detailed migration planning for production WLANs that use proprietary security or Open System/Shared Key security. For assistance with detailed migration planning from production WLANs, see your Microsoft partner or contact your Microsoft Account Executive who can connect you with the appropriate partner or Microsoft Consulting Services professionals.
Wireless Network Infrastructure Design
General discussion on 802.11-based WLAN equipment and network design is beyond the scope of this guidance. The WLAN chapter in the Microsoft Windows Server 2003 Deployment Kit provides general guidance on this topic.
Effort has been made to ensure that this solution will work on a broad variety of products from various network equipment vendors. Configuration planning and procedures for specific wireless AP products is beyond the scope of this solution.
However, when you decide on the security settings and security management of your 802.11 equipment, educate yourself on the following topics by using documentation available from your hardware manufacturer:
| • | SSID name and default password — This topic includes changing the default SSID on all APs, and choosing a strategy regarding whether to configure APs to broadcast their SSIDs. |
| • | Changing default console password and Simple Network Management Protocol (SNMP) strings — This topic includes changing the default management passwords and access strings on wireless APs and maintaining them over time. |
| • | Secure administration of wireless APs — This topic includes using secure communications when performing administration on wireless APs by using protocols such as Secure Shell (SSH) or Hypertext Transfer Protocol (HTTP) with SSL or TLS. |
| • | RADIUS client settings — This topic includes configuring your APs to use RADIUS servers for authentication and accounting. Discussion on configuring APs for a primary and secondary RADIUS Server, use of strong RADIUS secrets, and the Message Authenticator attribute appears in Chapter 5, “Designing a RADIUS Infrastructure for Wireless LAN Security,” and Chapter 9, “Implementing the Wireless LAN Security Infrastructure.” Chapter 9 includes instructions on using a supplied script to generate strong RADIUS secrets. |
| • | Virtual local area network (VLAN) switching and traffic filtering — This discusses using network VLANs to restrict access to various types of users in different scenarios. IAS can provide RADIUS values based on remote access policy to assist with automated selection of appropriate VLANs during client connection. For more information about the IAS options for specifying VLANs to wireless APs, consult the references listed in the More Information section at the end of this chapter. |
| • | Tactics for limiting leakage of wireless LAN radio transmissions outside building boundaries — This topic includes such items as avoiding placement of APs against exterior walls or windows. It also includes reducing the broadcast strength of the APs when possible to keep coverage within the necessary area, and avoid coverage of unintended areas, such as parking lots. |
| • | Rogue wireless AP detection — This topic includes actively and regularly scanning for rogue APs on the corporate network using available Windows XP and Windows CE-based WLAN management tools, such as NetStumbler or AirMagnet. |
For assistance with these topics and wireless AP configuration, consult your vendor documentation or enlist the assistance of an equipment specialist. Some of these items are discussed in the "802.11 Wireless Network Technical Reference" topic in the Windows Server 2003 Technical Reference in the "More Information" section at the end of this chapter.
Wireless Network Group Policy Considerations
Consult with your domain GPO administrators to determine the strategy for applying Wireless Network Group Policy to client computers. The following table lists the key items that you need to decide on for your own environment and the settings that have been selected in this solution.
Table 6.7: Wireless Network Policy Planning
| Wireless network policy consideration | Solution strategy | Solution details |
Policy application criteria | Active Directory security group filtering to include selected computers. | Wireless Network Policy – Computer global group. |
Number of GPOs required | Single Wireless Network Policy. | The GPO used in this solution is called “Wireless Network Policy.” |
GPO location | Created and applied from the domain object. | woodgrovebank.com. |
Number of WLAN profiles configured within the policy | One WLAN profile is configured for organizations implementing 802.1X. | The GPO contains one WLAN profile for environments that have not entered their WLAN into production use. You may add additional WLAN profiles as required to suit a phased migration from a legacy production WLAN. |
Note: This solution grants a custom security group (Wireless Network Policy – Computer) "Apply Policy" permission on the "Wireless Network Policy" GPO. Membership of this group therefore determines which computers receive the WLAN GPO settings. If you want to allow all computers to receive the WLAN configuration settings, you can add the Domain Computers or Authenticated Users group to this group to simplify administration. However, you should be aware that doing this will apply the policy settings to all servers and clients in the domain (Domain Computers) or forest (Authenticated Users).
This solution uses a simple Wireless Network policy management strategy by creating a single GPO linked to the domain object. This means that any computer in the domain who is also a member of the "Wireless Network Policy — Computer" group will receive the policy settings. You may want to consider more sophisticated Group Policy management standards and apply your Wireless Network policies accordingly. Most organizations, however, will need only one Wireless Network Policy GPO (although you may choose to link it to a location other than the domain object).
Determining Software Settings Required for 802.1X WLANs
There are two major software solution components that you must configure to achieve 802.1X WLAN security:
| • | IAS network access policy |
| • | Active Directory Group Policy for client computers |
IAS network access policy is at the heart of your network access management solution. Settings that represent your WLAN security policy are deployed on each IAS-based RADIUS server in an automated fashion. This policy includes settings for:
| • | Remote access policies |
| • | Connection request policies |
Remote access policies enforce access to your networks via your wireless APs. Connection request policies determine the handling of RADIUS requests from various wireless APs configured as RADIUS clients.
Active Directory Group Policy for client computers contains all of the settings that will be deployed to Windows XP-based client computers. This Group Policy affects client interaction with the wireless APs, the RADIUS server, and other wireless networks.
Configuring Remote Access Policies
You must plan the creation of remote access policies on IAS servers to satisfy your organizational wireless network access strategy. Creating and configuring remote access policies involves establishing the following three setting types for each policy:
| • | Policy conditions |
| • | Policy permission |
| • | Policy profile |
This solution uses a single remote access policy that grants unrestricted access to the wireless network for full-time employees. The following table details the remote access policy conditions for this solution.
Table 6.8: Remote Access Policy Conditions
| Policy condition | Matching condition | comment |
NAS – Port – Type | Wireless–Other or Wireless–IEEE 802.11 | This identifies incoming requests as originating from wireless AP hardware. |
Windows – Group | Membership in Remote Access Policy — Wireless Access security group | This is a domain universal security group that contains nested global groups for users and computers that will receive access to the WLAN. |
The policy permission for the remote access policy in this solution is set to Grant, and user accounts are configured with the Control access through Remote Access Policy setting.
The following table details the remote access policy profile options that this solution uses. You may need to add additional settings to suit your particular environment.
Table 6.9: Remote Access Policy Profile Options
| Profile option | Profile setting | Comment |
Dial-in Constraints – Defines minutes that clients can be connected (Session-Timeout) | 10 minutes | This setting forces client computers to re-authenticate and create new encryption keys every 10 minutes. |
Authentication – EAP Methods | Smart card or other certificate | This setting selects EAP – TLS as the EAP type for the wireless profile. |
Ignore – User – Dial-in-Properties RADIUS attribute | Attribute set to True | This attribute ensures that dial-in settings (such as callback) on Active Directory user accounts are not sent to wireless APs. This is done to avoid issues with some network access products. |
Termination-Action RADIUS attribute | Attribute set to RADIUS Request | This attribute ensures that when clients are forced to re-authenticate, wireless APs do not disconnect them. |
Important: Using a session timeout of 10 minutes may be too short for many scenarios. Short timeouts place a high load on the IAS servers. Short timeouts also increase the possibility of making your IAS server temporarily unavailable, which will result in disconnecting clients from the WLAN much sooner. For these reasons, you can use a longer timeout of 60 minutes without significantly compromising the WLAN security.
Configuring Connection Request Policies
You should plan how IAS will handle RADIUS requests when it is operating as a RADIUS server and as a RADIUS Proxy. Discussion of selecting the RADIUS role for IAS appears in Chapter 5, “Designing a RADIUS Infrastructure for Wireless LAN Security.”
Regardless of which role you select for the IAS server, you must configure the following components of the connection request policies before you can achieve wireless network access:
| • | Policy conditions |
| • | Policy profile |
This solution uses IAS as a RADIUS server, thus connection requests are processed locally on each server. The settings in the following table illustrate policy conditions configured in the connection request policy for this solution.
Note: The connection request policy settings in this solution use the defaults that install with IAS in Windows Server 2003.
Table 6.10: Connection Request Policy Conditions
| Policy condition | Matching condition | Comment |
Date-And-Time-Restrictions | “Sun 00:00–24:00; Mon 00:00–24:00; Tue 00:00–24:00; Wed 00:00–24:00; Thu 00:00–24:00; | This condition of the default connection request policy ensures that connection requests arriving at any time match the policy. |
The following table illustrates profile settings used in the connection request policy for this solution.
Table 6.11: Connection Request Policy Profile Settings
| Profile option | Profile setting | Comment |
Authentication | Authenticate requests on this server | This setting ensures that requests are authenticated directly against Active Directory instead of being forwarded to additional RADIUS servers. |
Configuring Group Policy for Client Computers
Planning is required prior to using Active Directory Group Policy to configure WLAN settings and 802.1X security settings on client computers via Wireless Network (IEEE 802.11) Policies. This section details a number of the settings in this solution and the reasons to include them. You will find the Wireless Network (IEEE 802.11) Policies on the \Computer configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies object within the Group Policy Object Editor.
Configuring Wireless Network Settings
You configure WLAN settings by editing the properties of the WLAN policy objects within Group Policy. These include the following setting types:
| • | General settings |
| • | Preferred networks |
| • | Network properties |
The following table illustrates general settings in the Wireless Networks Policy for this solution.
Table 6.12: Wireless Network Policies General Settings
| Option | Setting | Comment |
Name | Client Computer Wireless Configuration | You can change this value to match your organizational naming standards. |
Network to access | Any available network (access point preferred) | This setting prevents client computers connecting to other computers that are configured with the same SSID as your 802.1X enabled network. However, allowing ad–hoc networking enables employees to use other networks when required (such as at home), and therefore this setting has been left enabled. |
Automatically connect to non-preferred networks | Cleared | Windows XP Professional automatically provides users with notification of available wireless networks without automatically connecting to them. Notifying users without automatically connecting them strikes a balance between security and usability. |
You must create an entry for your 802.1X WLAN SSID on the Preferred Networks tab in the Wireless Networks Policy. Once a preferred network is created, you must edit the network properties from the defaults.
The following table details network properties settings for the newly enabled 802.1X network in the Wireless Networks Policy for this solution.
Table 6.13: Wireless Network Policy Properties Settings
| Option | Setting | Comment |
Name | MSSWLAN | Change this value to match your organization's naming standards. However, be sure to choose a name that is different from any existing production WLAN. |
Wireless network key (WEP) – Data encryption (WEP enabled) | Selected | Encryption is essential to protect the privacy of wireless network traffic on 802.11 networks. If you support 802.11 networks, ensure that they are protected by WEP or some other form of encryption. |
Wireless network key (WEP) – Network authentication (Shared mode) | Cleared | Shared key 802.11 wireless is a security strategy based on static WEP keys. This solution uses 802.1X to provide RADIUS authentication against Active Directory, and, therefore, this option is cleared. |
Wireless network key (WEP) – The network key is provided automatically | Selected | Having this setting enabled allows 802.1X to automatically provide dynamic WEP session keys for network traffic encryption. |
This is a computer-to-computer (ad–hoc) network; wireless access points are not used | Cleared | This setting in the solution uses 802.11 WLAN infrastructure mode with wireless APs configured for 802.1X, not point-to-point ad-hoc networking. |
Configuring 802.1X Settings on Client Computers
You configure 802.1X settings via your Wireless Network Policy, which includes the following setting types:
| • | 802.1X parameters |
| • | EAP type |
| • | Credentials validation |
| • | Computer authentication behavior |
The following table details 802.1X settings for the newly enabled 802.1X network in the Wireless Networks Policy for this solution.
Table 6.14: Wireless Network Policy 802.1X Settings
| Option | Setting | Comment |
Enable network access control using IEEE 802.1X | Enabled | This option enables the client computer to participate in networks secured using 802.1X. |
EAPOL-Start message | Transmit | This message tells the client to start the authentication process. |
Parameters (seconds) – Max Start | 3 | This value determines the number of successive EAP over LAN (EAPOL) – Start messages that the client will transmit after not receiving a response. This value should not be changed from the default value unless required. |
Parameters (seconds)-Held Period | 60 | This value determines the amount of time the client will wait before re-attempting a failed 802.1X authentication. This value should not be changed from the default value unless required. |
Parameters (seconds) – Start period | 60 | This value determines the time interval for resending EAPOL-Start messages. This value should not be changed from the default value unless required. |
Authentication period | 30 | This value determines the time interval for resending 802.1X request messages after not receiving a response. This value should not be changed from the default value unless required. |
EAP type | Smart card or other certificate | This option specifies EAP – TLS as the EAP type. |
The following details the EAP settings for the newly enabled 802.1X network in the Wireless Networks Policy for this solution.
Table 6.15: Wireless Network Policies EAP Settings
| Option | Setting | Comment |
When connecting | Use a certificate on this computer | This option specifies the use of software-based certificates and private keys rather than smart card-based credentials. |
Use a certificate on this computer – Use simple certificate selection (Recommended) | Selected | This enabled option determines that Windows will attempt to choose the correct certificate based on certificate properties. You can turn this option off to enable manual selection of the correct certificate when troubleshooting. |
Validate server certificate | Selected | This enabled option determines whether the certificate presented to the client during EAP – TLS authentication is valid (that the IAS server's correct DNS name is in the certificate, and that the certificate for server authentication has not expired and chains to a root CA in the client's certificate store). |
Validate server certificate – Connect to these servers | Cleared | When enabled, this option allows checking of the fully qualified domain name (FQDN) suffix in the subject field of the server certificate. Enabling this option will produce a text balloon box on client computers prompting for trust approval of the IAS server. You should evaluate usability versus security when selecting this option. |
Validate server certificate – Connect to these servers – Value | Blank | This value specifies the FQDN suffix that must match the subject information in the certificate presented to the client during EAP – TLS authentication. |
Trusted root certification authorities (CAs) | CompanyCA selected | This option allows administrators to specify the trusted root CAs to which 802.1X server certificate credentials are allowed to chain. You should select your own Trusted root CAs for this option. |
Use a different name for the connection | Cleared | When enabled, this option allows users to specify a user name other than that contained within the certificate presented during EAP – TLS authentication. This option is disabled for this solution. |
The following table details computer authentication settings for the newly enabled 802.1X network in the Wireless Networks Policy for the solution.
Table 6.16: 802.1X Computer Authentication Behavior Options
| Option | Setting | Comment |
Authenticate as guest when user or computer information is unavailable | Cleared | When enabled, this setting determines whether the computer will attempt to authenticate as guest when no credentials are available. This is most useful for public WLAN scenarios or visitors to your organization. |
Authenticate as computer when computer information is available | Selected | It is essential to enable this setting to ensure that computer authentication occurs when users are not interactively logged on to the computer. |
Computer authentication | With user re–authentication | This default option ensures that user credentials are used whenever possible. However, when users are not logged on to the computer, computer credentials are used to ensure that a network connection is available at all times. |
Additional Considerations
This section briefly mentions additional topics to consider that are outside the scope of this solution but that may have an impact in your environment.
Supporting Roaming Profiles and Roving Users
EAP–TLS-based 802.1X components of Windows depend on certificates and private key information being available within the certificate store on your client computers. For most organizations, wireless users have portable computers or Tablet PCs that travel with them, and thus the certificates and key information is always available.
However, if your WLAN strategy includes users who share computers, you will want to consider implementing roaming profiles. You can use roaming profiles to ensure that private key information and certificates are always available for use within your 802.1X-based environment.
Alternatively, Wireless Network Policy allows you to configure computers running Windows XP to perform computer-only authentication. Although not implemented in this solution, this may be useful for some organizations.
Supporting Clients Without Wired LAN Connections
Although not common for large organizations, some environments may not have a wired LAN at all. Wired LAN infrastructure is required to join client computers to a domain, and receive certificates and Group Policy. Without computer and user certificates, and appropriate client WLAN configuration, users cannot access the 802.1X-based WLAN. This issue also arises when an organization has deployed a wired network that always requires 802.1X authentication.
If you have such an environment, you should consider a strategy whereby users provide a password-based credential using PEAP-MSCHAPv2 to the RADIUS server for connection to a controlled VLAN with the Certificate Services Web enrollment pages. From there, users can enroll and install certificates to gain full access to the corporate WLAN using EAP – TLS. Such a strategy is currently outside the scope of this solution and would require an additional remote access policy on the IAS servers, in addition to specific VLAN design.
Summary
This chapter described the process of designing WLAN security using the 802.1X protocol, which included determining WLAN prerequisites, considering security options, establishing strategy, and additional considerations. Once you have established your design based on the options discussed in this chapter, you are in a position to deploy 802.1X-based WLAN security in your environment.
The design in this chapter will be used in the later Build and Operations chapters for this solution to implement the 802.1X WLAN security infrastructure.
More Information
For more information about secure wireless networking, see the following resources:
| • | The Product Documentation for Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003/proddoc/default.mspx. The product documentation provides an overview of IAS features, basic instructions for configuration, and best practices for deployment. |
| • | The Microsoft solution for Securing Wireless LANs with PEAP and Passwords is available at http://go.microsoft.com/fwlink/?LinkId=23459. |
| • | The “IAS Technical Reference” chapter of the Microsoft Windows Server 2003 Technical Reference at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/techref/8F5C89D5-FDAF-430C-9EF4-318F8C15BAF1.mspx. This resource kit chapter provides technical information about IAS that is more detailed than the product documentation, and you can use it as a reference when more information is required. |
| • | The Windows Server 2003 Technical Reference and the Microsoft Windows Server 2003 Deployment Kit at http://www.microsoft.com/windowsserver2003/proddoc/default.mspx. |
| • | The “Deploying a Wireless LAN” chapter of the Deploying Network Services guide in the Microsoft Windows Server 2003 Deployment Kit at http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx. This deployment kit chapter contains deployment guidance for using IAS in a number of scenarios that fall outside the scope of this secure wireless networking guidance, but that affect design decisions. |
| • | For extensive coverage of 802.1X WLAN, WLAN security issues, and related standards, see The Unofficial 802.11 Security Web Page at http://www.drizzle.com/~aboba/IEEE/. |
| • | For information about WLAN solutions and industry information, visit the Wi – Fi Alliance Web site at http://www.wi-fialliance.org/. |
| • | For information about WLAN, including background information, market research, white papers, and training programs, visit the Wireless LAN Association (WLANA) Learning Center at http://www.wlana.org/learning_center.html. |
| • | For information about EAP–TLS, EAPOL, EAP–RADIUS, RADIUS, and other Internet standards used with 802.1X, see The Internet Engineering Task Force (IETF) Web site, at: http://www.ietf.org/. |
| • | For information about relevant WLAN standards that include: 802.11, 802.11a, 802.11b, 802.1X, 802.11i, and others, see the IEEE Wireless Standards Zone Web site at http://standards.ieee.org/wireless/. |
| • | The 802.11 Wireless Technical Reference is available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/techref/47BA42BA-847E-43FD-9451-9E50AB47F94E.mspx. |