Chapter 7: Supporting Mobile Users continued
Wireless networking for Windows XP Professional can be categorized by the size of the area over which data can be transmitted. Wireless Personal Area Networking (WPAN) operates over a small coverage area (approximately 10 meters). Wireless Local Area Networking (WLAN) operates over a larger coverage area (approximately 100 meters). This chapter provides an overview of WPANs and WLANs and describes how you can use the wireless networking support in Windows XP Professional to exchange data over WPANs and WLANs. It does not discuss wireless wide area networks (WWANs) or wireless metropolitan area networks (WMANs).
The key WPAN technology supported in Windows XP Professional is Infrared Data Association (IrDA). IrDA is a WPAN technology that allows users with infrared-enabled devices to transfer files and images and to establish dial-up network connections and LAN access network connections.
Infrared Data Association
IrDA specifies a networking protocol that allows computers, printers, mobile phones, personal digital assistants, digital cameras, and other devices to exchange information over short distances by using infrared light. Infrared light is electromagnetic radiation covering a spectrum of wavelengths between 850 and 900 nanometers. These wavelengths are somewhat longer than visible light and are invisible to the human eye.
Due to the propagation properties of light, a clear line of sight is required between devices communicating by infrared light. The clear line of sight requirement has some advantages (for example, when making a purchase with a mobile device, the required proximity between the devices ensures that you are communicating with the correct payment device) and some drawbacks (for example, you cannot connect a phone in your pocket to a portable computer on a desk). Nonetheless, there are numerous clear advantages to using infrared light for communication:
IrDA is a short-range, half duplex, asynchronous serial transmission technology. Furthermore, IrDA specifies three distinct modes of transmission for different data transmission rates: Serial Ir (SIR), Fast Ir (FIR), and Very Fast Ir (VFIR). The SIR specification defines a maximum data rate of 115.2 kilobits per second (Kbps). FIR specifies a data rate of 4 megabits per second (Mbps), and VFIR specifies a data rate of 16 Mbps. A number of intermediate speeds are also available. For more information about the intermediate speeds that are available over infrared, see the Windows XP Professional Driver Development Kit (DDK) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
IrDA User Profiles
The IrDA implementation in Windows XP Professional supports the following five user profiles:
These supported profiles provide the following advantages:
For more information about installing, configuring, and using IrDA for wireless networking in Windows XP Professional, see "Wireless Networking" in Windows XP Professional Help and Support Center.
IEEE 802.11 is a shared WLAN standard that uses the carrier sense multiple access with collision avoidance (CSMA/CA) media access control protocol. The standard allows for both direct sequence and frequency-hopping spread spectrum transmissions at the physical layer. The original 802.11 specification defines data rates of 1 Mbps and 2 Mbps and uses a radio frequency of 2.45 GHz.
The major enhancement to IEEE 802.11 by IEEE 802.11b is the standardization of the physical layer to support higher bandwidth. IEEE 802.11b supports two additional speeds, 5.5 Mbps and 11 Mbps, using the same frequency of 2.45 GHz. A different modulation scheme is used in order to provide these higher data rates. Direct sequence spread spectrum (DSSS) is the physical layer defined in the 802.11b standard.
The latest standard, IEEE 802.11a, is currently being developed. This wireless standard operates at a data transmission rate as high as 54 Mbps and uses a radio frequency of 5.8 gigahertz (GHz). Instead of DSSS, which 802.11b uses, 802.11a uses Orthogonal Frequency Division Multiplexing (OFDM). OFDM allows data to be transmitted over subfrequencies in parallel. This provides greater resistance to interference and greater throughput. This higher speed technology allows wireless networking to perform better for video and conferencing applications. Because they are not on the same frequencies as Bluetooth or microwave ovens, OFDM and IEEE 802.11a will provide both a higher data rate and a cleaner signal.
An IBSS is a wireless network, consisting of at least two STAs, used where no access to a DS is available. An IBSS is also sometimes referred to as an ad hoc wireless network.
A BSS includes connectivity to the existing network backbone through an AP. A BSS is also sometimes referred to as an infrastructure wireless network. All STAs in a BSS communicate through the AP. The AP provides connectivity to the wired LAN and provides bridging functionality when one STA initiates communication to another STA.
An ESS is where the APs of multiple BSSs are interconnected. This allows for mobility, because STAs can move from one BSS to another BSS. APs can be interconnected with or without wires; however, most of the time they are connected with wires. The DS is the logical component used to interconnect BSSs. The DS provides distribution services to allow for the roaming of STAs between BSSs.
Figure 7.1 shows the 802.11 architecture.
Figure 7.1 802.11 architecture
The IEEE 802 standards committee defines two separate layers, the Logical Link Control (LLC) and media access control, for the Data-Link layer of the OSI model. The IEEE 802.11 wireless standard defines the specifications for the physical layer and the media access control (MAC) layer and communicates up to the LLC layer.
All of the components in the 802.11 architecture fall into either the media access control layer or the physical layer.
Wireless stations, when entering the range of an access point, choose a wireless access point to associate with. This selection is made automatically by using signal strength and packet error rate information. Next, the wireless station selects the assigned frequency of the access point with which it is to begin communicating. Periodically, the wireless station listens to other access points to determine whether they would provide a stronger signal or a better error rate. If a different access point provides a better signal, the wireless station switches to the frequency of that access point. This process is called reassociation.
Reassociation can occur for many different reasons. The signal can weaken because the wireless station moves away from the access point, or because the access point becomes congested with too much other traffic or interference. The wireless station, by switching to another access point, can distribute the load over adjacent access points, increasing the performance of other wireless stations. By using a pattern of overlapping channels, coverage over large areas can be achieved. As a wireless station moves about, it can associate and reassociate from one access point to another, maintaining a continuous connection during transit.
The 802.11 media access control frame, as shown in Figure 7.2, consists of a media access control header, the frame body, and a frame check sequence (FCS). The numbers in Figure 7.2 represent the number of bytes for each field.
Figure 7.2 802.11 Media access control frame format
Wired Equivalent Privacy (WEP) is the encryption specification that is defined by the IEEE 802.11 standard. The intention of WEP security is to provide the same security to a wireless network that is provided on a wired network. In wireless networks, because the data is broadcast using an antenna, the signals can be intercepted and, if not encrypted, viewed by an intruder.
Although the 802.11 specification does provide both authentication and encryption, it does not define or provide a WEP key management protocol. This is a limitation of IEEE 802.11 security services, especially in a wireless infrastructure network mode with a large number of STAs. The 802.1x draft standard addresses the security limitations of 802.11.
All 802.11 authentication frames have the management frame type and the authentication subtype. The authentication type is determined by the authentication algorithm number field, located in the frame body of the 802.11 media access control frame. An authentication algorithm number value of 0 indicates open system authentication, and a value of 1 indicates shared key authentication. The authentication transaction sequence number field, also located in the frame body of the 802.11 media access control frame, indicates the current status of the authentication process.
Open System Authentication
Open system authentication involves a two-step communication process using plaintext. The authentication-initiating STA sends a frame consisting of an identity assertion and a request for authentication. This has the authentication transaction sequence number field of 1 and the authentication algorithm number value of 0. The authenticating STA then replies to the authentication-initiating STA with the authentication result, which has the authentication transaction sequence number field of 2.
Open system authentication allows all devices that have the authentication algorithm number for open system to authenticate.
Shared Key Authentication
Shared key authentication involves a four-step process using secure or encrypted text by means of WEP. The authentication-initiating STA sends a frame consisting of an identity assertion and a request for authentication. This has the authentication transaction sequence number field of 1. The authenticating STA then responds to the authentication-initiating STA with a frame with the challenge text created by the WEP algorithm and the transaction sequence number field of 2. The authentication-initiating STA then replies to the authenticating STA with the encrypted challenge text created by the WEP algorithm and the transaction sequence number field of 3. The authenticating STA concludes the shared key authentication process by sending the authentication result, which has the transaction sequence number field of 4.
The authentication result is positive if the authenticating STA is able to conclude that the decrypted challenge text matches the challenge text originally sent in the second frame.
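The two exchanges described above, modelled as an added example (not code from the Resource Kit or from Windows): an authenticating STA that handles the two-frame open system exchange (algorithm number 0) and the four-frame shared key exchange (algorithm number 1), checking the transaction sequence numbers and, for shared key, that the decrypted challenge matches the challenge it sent in frame 2. The cipher is a stand-in keystream derived with SHA-256, not WEP's actual RC4-based algorithm; frames are plain dictionaries rather than encoded 802.11 frames, and the 128-byte challenge length follows the standard.

```python
import hashlib
import os

OPEN_SYSTEM, SHARED_KEY = 0, 1          # authentication algorithm number values
STATUS_SUCCESS, STATUS_FAIL = 0, 1


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 counter mode); NOT WEP's RC4, only a placeholder.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Symmetric: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def auth_frame(algorithm, seq, status=STATUS_SUCCESS, challenge=None, iv=None):
    # Fields of the authentication frame body (transaction sequence number = seq).
    return {"algorithm": algorithm, "seq": seq, "status": status,
            "challenge": challenge, "iv": iv}


class Authenticator:
    """Authenticating STA (the AP side). shared_key=None means shared key auth is unavailable."""

    def __init__(self, shared_key=None, allow_open=True):
        self.shared_key = shared_key
        self.allow_open = allow_open
        self.pending = {}  # initiator -> challenge text sent in frame 2

    def handle(self, initiator, frame):
        alg, seq = frame["algorithm"], frame["seq"]
        if alg == OPEN_SYSTEM and seq == 1:
            # Open system: frame 1 is an identity assertion, frame 2 carries the result.
            status = STATUS_SUCCESS if self.allow_open else STATUS_FAIL
            return auth_frame(OPEN_SYSTEM, 2, status)
        if alg == SHARED_KEY and self.shared_key is not None:
            if seq == 1:
                challenge = os.urandom(128)  # 128-byte challenge text, as in 802.11
                self.pending[initiator] = challenge
                return auth_frame(SHARED_KEY, 2, challenge=challenge)
            if seq == 3 and initiator in self.pending:
                expected = self.pending.pop(initiator)
                decrypted = _xor_crypt(self.shared_key, frame["iv"], frame["challenge"])
                status = STATUS_SUCCESS if decrypted == expected else STATUS_FAIL
                return auth_frame(SHARED_KEY, 4, status)
        # Anything else (unknown algorithm, out-of-order sequence) is refused.
        return auth_frame(alg, seq + 1, STATUS_FAIL)


def run_open_system(ap, sta="sta1"):
    """Initiating STA side of the two-step open system exchange."""
    reply = ap.handle(sta, auth_frame(OPEN_SYSTEM, 1))
    return reply["seq"] == 2 and reply["status"] == STATUS_SUCCESS


def run_shared_key(ap, sta_key, sta="sta1"):
    """Initiating STA side of the four-step shared key exchange."""
    f2 = ap.handle(sta, auth_frame(SHARED_KEY, 1))
    if f2["seq"] != 2 or f2["challenge"] is None:
        return False
    iv = os.urandom(3)  # 24-bit IV sent in the clear alongside the encrypted challenge
    f3 = auth_frame(SHARED_KEY, 3, challenge=_xor_crypt(sta_key, iv, f2["challenge"]), iv=iv)
    f4 = ap.handle(sta, f3)
    return f4["seq"] == 4 and f4["status"] == STATUS_SUCCESS


if __name__ == "__main__":
    ap = Authenticator(shared_key=b"\x01\x02\x03\x04\x05")
    print("open system:", run_open_system(ap))
    print("shared key, right key:", run_shared_key(ap, b"\x01\x02\x03\x04\x05"))
    print("shared key, wrong key:", run_shared_key(ap, b"\xff" * 5))
```

Note that the authenticator only accepts frame 3 from an initiator for which it still holds a pending challenge, so a replayed frame 3 after the exchange has concluded is refused, and an open system request is accepted regardless of key material, which is exactly the behaviour the preceding section describes.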
Wired networks normally require a physical connection in order to be compromised. In wireless networks, because the data is broadcast using an antenna, the signals can be intercepted and, if not encrypted, viewed by an intruder. Wired Equivalent Privacy (WEP) security is intended to provide security that is equivalent to the security of a wired network.
WEP is the encryption standard that is specified by the IEEE 802.11 standard. Privacy is the encryption of data that is transmitted across the wireless network. IEEE 802.11 does not require that the same WEP keys be used by all portable devices. It also allows portable devices to maintain two sets of shared keys: a unicast session key and a multicast/global key. Current IEEE 802.11 implementations primarily support shared multicast/global keys.
WEP provides encryption services to protect authorized users of a wireless LAN from eavesdroppers. WEP functions by encrypting a data frame and its contents. The encrypted information then replaces the formerly unencrypted information. The WEP bit is set in the frame control field portion of the media access control header. This informs the receiving node that the transmission is encrypted. The receiving node decrypts the encrypted portion of the data frame by using the same encryption scheme. It then places the decrypted information back into the data frame, recreating the original data frame.
The IEEE 802.11 standard specifies 40-bit secret key encryption with a 24-bit initialization vector (IV). Different vendors utilize other encryption bit lengths, such as 104-bit secret key encryption with a 24-bit IV. The encryption mechanism is a symmetrical cipher that uses the same key for encryption and decryption. The secret key remains constant for a prolonged period. The initialization values are changed periodically, however, based on the degree of privacy required of the WEP algorithm.
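An added example, not code from the Resource Kit, that ties together the frame layout from the preceding sections: a parser for the 802.11 media access control frame (the fixed header fields, the frame body and the trailing FCS), the authentication frame body fields (algorithm number and transaction sequence number), and the WEP bit in the frame control field together with the 24-bit IV and key ID byte that precede the encrypted body. On top of the parser, a monitor counts IV reuse per transmitting address, which is the condition a defender cares about because the secret key stays constant while only the IV changes. The MAC addresses, the sample frames and the frame rate are constructed; the FCS is a placeholder (no CRC is computed).

```python
import struct
from collections import defaultdict

# Frame control (2 bytes, little-endian): bits 0-1 protocol version, bits 2-3 type
# (0 management, 1 control, 2 data), bits 4-7 subtype, bit 8 To DS, bit 9 From DS,
# bit 14 WEP (protected).
MGMT, CTRL, DATA = 0, 1, 2
SUBTYPE_AUTH = 0x0B                       # management subtype 1011 = authentication
FC_TODS, FC_FROMDS, FC_WEP = 0x0100, 0x0200, 0x4000
IV_SPACE = 1 << 24                        # 24-bit initialization vector


def parse_frame(frame: bytes) -> dict:
    """Split an 802.11 MAC frame into header fields, body and FCS (last 4 bytes)."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    hdr_len = 24
    if ftype == DATA and (fc & FC_TODS) and (fc & FC_FROMDS):
        hdr_len = 30                      # wireless distribution frames carry a 4th address
    body, fcs = frame[hdr_len:-4], frame[-4:]
    info = {"type": ftype, "subtype": subtype, "protected": bool(fc & FC_WEP),
            "addr1": addr1, "addr2": addr2, "addr3": addr3,
            "seq": seq_ctrl >> 4, "body": body, "fcs": fcs}
    if ftype == MGMT and subtype == SUBTYPE_AUTH:
        # Authentication body: algorithm number (0 open, 1 shared key), transaction
        # sequence number, status code; a challenge text element may follow.
        alg, txn, status = struct.unpack_from("<HHH", body, 0)
        info.update(auth_algorithm=alg, auth_seq=txn, status=status)
    if info["protected"] and ftype == DATA:
        # WEP body: 3-byte IV, 1 byte whose top two bits hold the key ID,
        # then the ciphertext and a 4-byte ICV.
        info["iv"] = body[0:3]
        info["key_id"] = body[3] >> 6
    return info


def build_frame(fc, addr1, addr2, addr3, seq, body):
    hdr = struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)
    return hdr + body + b"\x00\x00\x00\x00"   # FCS placeholder, no CRC computed


class IvMonitor:
    """Count IV reuse per transmitter: a repeated IV under one key repeats the keystream."""

    def __init__(self):
        self.seen = defaultdict(set)
        self.reused = defaultdict(int)

    def observe(self, info):
        if not info.get("iv"):
            return
        tx = info["addr2"]                # transmitter address of a To-DS data frame
        if info["iv"] in self.seen[tx]:
            self.reused[tx] += 1
        self.seen[tx].add(info["iv"])


def seconds_until_iv_exhaustion(frames_per_second: float) -> float:
    """How long a single transmitter needs to cycle through every 24-bit IV."""
    return IV_SPACE / frames_per_second


# Constructed sample traffic (addresses are made up).
AP = bytes.fromhex("00a0c9000001")
STA = bytes.fromhex("00a0c9000002")


def sample_frames():
    auth_fc = (MGMT << 2) | (SUBTYPE_AUTH << 4)
    frames = [build_frame(auth_fc, AP, STA, AP, 1, struct.pack("<HHH", 1, 1, 0))]
    data_fc = (DATA << 2) | FC_TODS | FC_WEP
    for i, iv in enumerate([b"\x01\x02\x03", b"\x01\x02\x04", b"\x01\x02\x03"]):
        wep_body = iv + b"\x40" + b"ciphertext" + b"\x00\x00\x00\x00"   # key ID 1
        frames.append(build_frame(data_fc, AP, STA, AP, 10 + i, wep_body))
    return frames


def analyse(frames):
    mon = IvMonitor()
    parsed = [parse_frame(f) for f in frames]
    for p in parsed:
        mon.observe(p)
    return parsed, dict(mon.reused)


if __name__ == "__main__":
    parsed, reused = analyse(sample_frames())
    print("IV reuse per transmitter:", reused)
    print("seconds to exhaust IV space at 1024 frames/s:", seconds_until_iv_exhaustion(1024))
```

At 1024 frames per second the IV space is exhausted in 16384 seconds (about four and a half hours), after which a transmitter that keeps the same secret key must repeat IVs; the monitor above flags the repeat the moment it appears.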
The current IEEE 802.11 security option for access control does not scale appropriately in large infrastructure network mode (for example, corporate campuses and public places), or in an ad hoc network mode. A principal limitation to this security mechanism is that the standard does not define a key management protocol for distribution of the keys. This assumes that the secret, shared keys are delivered to the IEEE 802.11 wireless station by means of a secure channel independent of IEEE 802.11. This becomes even more challenging when a large number of stations are involved, such as on a corporate campus.
To provide a better mechanism for access control and security, a key management protocol must be included in the specification. The 802.1x draft standard addresses the key management and security limitations of the 802.11 standard.
The 802.1x draft standard defines port-based network access control, used to provide authenticated network access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. While this standard is designed for wired Ethernet networks, it can be applied to 802.11 wireless LANs.
The following terms are specific to the 802.1x draft standard:
The 802.1x draft standard defines two port access control methods for the authenticator: controlled and uncontrolled. Access by means of the controlled port is only allowed to those entities that have been successfully authenticated. Before authentication takes place, all communication goes through the uncontrolled port. The 802.1x authentication process is illustrated in Figure 7.3.
Figure 7.3 802.1x authentication
When authentication successfully takes place, the supplicant is able to access the LAN resources and services through the controlled port.
PPP Extensible Authentication Protocol
The Point-to-Point Protocol (PPP), as defined in RFC 1661, does not require authentication, but it does provide an optional authentication phase. RFC 2284, PPP Extensible Authentication Protocol (EAP), defines the authentication process for PPP. The 802.1x draft standard lists EAP as the authentication protocol to use for the authentication process between the supplicant and the authentication server. Different EAP types are defined in RFC 2284, such as Message Digest 5 (MD5)-Challenge. Additional EAP types, such as Transport Layer Security (TLS), are also available through follow-up RFCs.
EAP-TLS, as defined in RFC 2716, is an EAP type that is used in certificate-based security environments. EAP-TLS is a Secure Channel (SChannel) authentication and encryption protocol, which provides for mutual authentication, integrity-protected cipher-suite negotiation, and key exchange between the two endpoints by means of public-key cryptography.
EAP-MD5 uses the same challenge-handshake protocol that is used by the PPP-based Challenge Handshake Authentication Protocol (CHAP), but the challenges and responses are sent as EAP messages. EAP MD5 is intended for prototyping and testing.
RADIUS and 802.1x with 802.11
While providing convenience, wireless networking technologies and wireless APs present the following security risks:
To counter the first security risk, wireless APs must require authentication and authorization of the wireless node before data can be sent to and received from the network attached to the wireless AP. To provide their own authentication and authorization, each wireless AP would need a user account database with each user's authentication credentials and a set of rules by which authorization is granted. Because this is administratively difficult to manage, modern wireless APs are Remote Authentication Dial-In User Service (RADIUS) clients and use the industry standard RADIUS protocol to send connection request and accounting messages to a central RADIUS server. The RADIUS server has access to a user account database and a set of rules for granting authorization. The RADIUS server processes the wireless AP's connection request and either grants or rejects it.
To counter the second security risk, the data sent between the wireless nodes and the wireless APs must be encrypted. Therefore, the authentication method used by the wireless node must allow for the determination of encryption keys that are used to encrypt data.
In addition to the security provided by authentication and encryption, using the combination of a RADIUS server and 802.1x in a WLAN also provides key management capabilities.
When using a RADIUS server and 802.1x in a WLAN, EAP-TLS should be used for authentication. This is because the global key used for EAP authentication must be encrypted so that only the STA and AP can read the authentication key. The EAP authentication method used in a WLAN must be capable of generating an encryption key as part of the authentication process, which is possible with EAP-TLS.
If RADIUS is selected and configured as the authentication provider on the remote access server, then user credentials and parameters of the connection request are sent as a series of RADIUS request messages to a RADIUS server such as a computer running Windows 2000 Server and the Internet Authentication Service (IAS).
The RADIUS server receives a user-connection request from the remote access server and authenticates the client against its authentication database. A RADIUS server can also maintain a central storage database of other relevant user properties. In addition to the simple yes or no response to an authentication request, RADIUS can provide other applicable connection parameters for this user such as maximum session time, static IP address assignment, and so on.
When a RADIUS server is used for authentication in a WLAN, the AP acts as a RADIUS client to the RADIUS server (authenticating server), and acts as the authenticator to the supplicant STA.
The AP and STA must support a multicast/global authentication key, and might also support a per-STA unicast session key. The AP has a process that listens for IEEE 802.1x traffic both with and without authentication keys.
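The controlled/uncontrolled port model and the RADIUS flow described in the preceding sections, as an added example (not Windows, IAS or any vendor's code): the AP is modelled as an 802.1x authenticator that relays EAP over LAN (EAPOL, Ethertype 0x888E) through its uncontrolled port to a RADIUS stand-in, drops everything else from a supplicant that has not yet authenticated, and opens the controlled port only after an Access-Accept. The user database, the group rule, the credentials and the per-session key derivation are constructed for the example; the key is a placeholder, not the key material a real EAP-TLS exchange would produce.

```python
import hashlib

EAPOL_ETHERTYPE = 0x888E            # EAP over LAN: the only traffic the uncontrolled port passes
RADIUS_ACCEPT, RADIUS_REJECT = "Access-Accept", "Access-Reject"


class RadiusServer:
    """Stand-in for a RADIUS server such as IAS: user database plus an authorization rule."""

    def __init__(self, users, allowed_group):
        self.users = users              # identity -> (credential, group); constructed data
        self.allowed_group = allowed_group

    def access_request(self, identity, credential):
        entry = self.users.get(identity)
        # Authentication (credential) and authorization (group rule) are both checked here.
        if entry is None or entry[0] != credential or entry[1] != self.allowed_group:
            return {"code": RADIUS_REJECT}
        # Placeholder session key handed back with the accept; not real EAP-TLS key material.
        key = hashlib.sha256(f"{identity}:{credential}".encode()).digest()[:16]
        return {"code": RADIUS_ACCEPT, "session_key": key, "session_timeout": 3600}


class AuthenticatorPort:
    """Wireless AP acting as RADIUS client and as 802.1x authenticator for its supplicants."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = {}            # supplicant address -> unicast session key
        self.log = []

    def receive(self, src, ethertype, payload):
        """Return the action taken for a frame arriving from supplicant `src`."""
        if ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAP frames are relayed even before authentication.
            return self._relay_eap(src, payload)
        if src in self.authorized:
            return "forwarded"          # controlled port is open for this supplicant
        self.log.append(f"dropped non-EAPOL frame (ethertype {ethertype:#06x}) from {src}")
        return "dropped"

    def _relay_eap(self, src, payload):
        resp = self.radius.access_request(payload["identity"], payload["credential"])
        if resp["code"] == RADIUS_ACCEPT:
            self.authorized[src] = resp["session_key"]   # per-STA unicast key
            return "eap-success"
        self.log.append(f"authentication failed for {payload['identity']} at {src}")
        return "eap-failure"

    def reassociate(self, src):
        """A move to a new AP forces reauthentication: close the controlled port again."""
        self.authorized.pop(src, None)


def demo():
    radius = RadiusServer({"alice": ("pw-alice", "wireless"),
                           "bob": ("pw-bob", "guests")}, allowed_group="wireless")
    ap = AuthenticatorPort(radius)
    steps = [
        ap.receive("sta-a", 0x0800, b"ip packet"),                       # blocked: not yet authenticated
        ap.receive("sta-a", EAPOL_ETHERTYPE, {"identity": "alice", "credential": "pw-alice"}),
        ap.receive("sta-a", 0x0800, b"ip packet"),                       # controlled port now open
        ap.receive("sta-b", EAPOL_ETHERTYPE, {"identity": "bob", "credential": "pw-bob"}),
        ap.receive("sta-b", 0x0800, b"ip packet"),                       # bob is not in the allowed group
    ]
    ap.reassociate("sta-a")
    steps.append(ap.receive("sta-a", 0x0800, b"ip packet"))              # must authenticate again
    return steps, ap.log


if __name__ == "__main__":
    for s in demo()[0]:
        print(s)
```

The log kept by the authenticator is the detection hook: repeated non-EAPOL frames from an unauthenticated address, or repeated failures for one identity, are what an operator would want forwarded to central logging along with the RADIUS accounting records.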
Windows 2000 includes technologies that allow wireless devices to detect the availability of a network and act appropriately. Windows XP Professional enhances this technology to accommodate the transitional nature of a wireless network.
The media sense feature of Windows 2000 is enhanced in Windows XP Professional to allow for detection of a move to a new access point, thus forcing reauthentication in order to ensure appropriate network access. Media sense also allows detection of changes in the IP subnet, so that an appropriate address can be used in order to ensure optimum resource access.
Multiple IP address configurations (DHCP assigned or static) can be made available on a Windows XP Professional system, and the appropriate configuration is automatically chosen. When an IP address change occurs, Windows XP Professional allows for additional reconfiguration to occur, if necessary. For example, Internet Explorer proxy settings can be redetected. By means of Windows Sockets extensions, applications that can be configured to be network aware (such as firewalls or browsers) can be notified of changes in network connectivity and can update their behavior based on these changes. The auto-sensing and reconfiguration effectively negate the need for Mobile IP to act as a mediator and solve most of the problems users face when roaming between networks.
When a station is roaming from access point to access point, information about the state of the station, as well as other information, must be moved along with it. This includes station location information for message delivery and other attributes of the association. Rather than recreate this information upon each transition, one access point can pass the information to the new access point. The protocols to transfer this information are not defined in the standard, but several wireless LAN vendors have jointly developed an Inter-Access Point Protocol (IAPP) for this purpose, further enhancing multivendor interoperability.
Zero Client Configuration
Automatic wireless network configuration and 802.1x authentication are selected by default. When automatic wireless configuration is enabled on your computer, you can roam between different WLANs without having to reconfigure the network connection settings on your computer for each location. These Windows XP Professional technologies allow for zero client configuration.
Zero configuration is a client-based user identification method. Zero configuration allows wireless devices to work in different modes without the need for configuration changes after the initial configuration. The zero configuration initiative automatically provides the IP address, the network prefix, the gateway router location, the DNS server address, the address of a RADIUS or IAS server, and all other necessary settings for the wireless device. It also provides security features for the client.
Zero configuration allows a wireless device to function in different environments, such as work, the airport, and home, without any user intervention. Zero configuration uses the Windows XP Professional user interface when attempting to connect wireless devices. The order of preference for zero configuration IEEE 802.11 connection using IEEE 802.1x authentication is infrastructure before ad hoc mode, and computer authentication before user authentication. You can change the default settings to allow, for example, guest access, which is not enabled by default.
WEP authentication attempts to perform an IEEE 802.11 shared key authentication if the network adapter has been preconfigured with a WEP shared key. In the event that authentication fails or the network adapter is not preconfigured with a WEP shared key, the network adapter reverts to the open system authentication.
The IEEE 802.1x security enhancements are available in Windows XP Professional. Wireless network adapters and access points must also be compatible with IEEE 802.1x for an IEEE 802.1x deployment.
Network Adapter Support
Microsoft partnered with 802.11 network adapter vendors to improve the roaming experience by automating the process of configuring the network adapter to associate with an available network.
The wireless network adapter and its Network Driver Interface Specification (NDIS) driver need to do very little beyond supporting some new NDIS Object Identifiers (OIDs) used for the querying and setting of device and driver behavior. The network adapter scans for available networks and passes those to Windows XP Professional. The Windows XP Professional Wireless Zero Configuration service then takes care of configuring the network adapter with an available network. If there are two networks covering the same area, the user can configure a preferred network order and the computer will try each network in the order defined until it finds one that is active. It is even possible to limit association to only the configured, preferred networks.
If an 802.11 network is not found nearby, Windows XP Professional configures the network adapter to use ad hoc networking mode. It is possible for the user to configure the wireless network adapter either to disable or be forced into ad hoc mode.
These network adapter enhancements are integrated with security features so that if authentication fails another network will be located to attempt association with.
Automatic Wireless Configuration
Automatic wireless configuration supports the IEEE 802.11 standard for wireless LANs (WLANs) and minimizes the configuration required to access WLANs. When automatic wireless configuration is enabled on your computer, you can roam between different WLANs without having to reconfigure the network connection settings on your computer for each location. Whenever you move from one location to another, automatic wireless configuration scans for an available WLAN in the new location, configures your network adapter card to match the settings of that WLAN, and attempts to access that WLAN. When several WLANs are available in the same location, you can create a list of preferred WLANs and define the order in which access to each is attempted. You can also specify that if an access attempt to a preferred WLAN fails, an attempt will be made to access any visible (available) WLAN of the same type.
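The selection rules spread over the Zero Client Configuration, Network Adapter Support and Automatic Wireless Configuration sections, gathered into one added example (not the Wireless Zero Configuration service's own code): preferred networks are tried in the configured order, other visible networks only if the user allowed it, infrastructure mode before ad hoc, computer authentication before user authentication, shared key authentication only when a WEP key is preconfigured (falling back to open system), and a new ad hoc network when nothing else is found. The network names, signal values and the `attempt` callback are constructed for the example, and the treatment of "any visible WLAN of the same type" is simplified to any visible network the configuration permits.

```python
from dataclasses import dataclass

INFRASTRUCTURE, AD_HOC = "infrastructure", "adhoc"


@dataclass
class VisibleNetwork:
    ssid: str
    mode: str
    signal: int                     # constructed unit; higher is better


@dataclass
class ClientConfig:
    preferred: list                 # SSIDs in the order the user wants them tried
    connect_any_visible: bool = False   # fall back to networks outside the preferred list
    wep_key_preconfigured: bool = False
    computer_auth: bool = True      # computer authentication before user authentication
    allow_ad_hoc: bool = True       # False: adapter restricted to infrastructure networks


def order_candidates(visible, cfg):
    """Networks in the order a zero-configuration style client would try them."""
    by_ssid = {n.ssid: n for n in visible}
    ordered = [by_ssid[s] for s in cfg.preferred if s in by_ssid]   # preferred, in list order
    if cfg.connect_any_visible:
        rest = [n for n in visible if n.ssid not in cfg.preferred]
        # Infrastructure before ad hoc, then strongest signal first.
        rest.sort(key=lambda n: (n.mode != INFRASTRUCTURE, -n.signal))
        ordered += rest
    if not cfg.allow_ad_hoc:
        ordered = [n for n in ordered if n.mode == INFRASTRUCTURE]
    return ordered


def auth_plan(cfg):
    """802.11 authentication order and 802.1x identity order for this configuration."""
    dot11 = ["shared-key", "open"] if cfg.wep_key_preconfigured else ["open"]
    dot1x = ["computer", "user"] if cfg.computer_auth else ["user"]
    return dot11, dot1x


def connect(visible, cfg, attempt):
    """Try candidates until `attempt(network)` succeeds; otherwise start an ad hoc network."""
    for net in order_candidates(visible, cfg):
        if attempt(net):
            return net
    if cfg.allow_ad_hoc:
        return VisibleNetwork("<new ad hoc network>", AD_HOC, 0)
    return None


if __name__ == "__main__":
    # Constructed scan result: two infrastructure networks and one ad hoc peer.
    scan = [VisibleNetwork("cafe", INFRASTRUCTURE, 40),
            VisibleNetwork("corp", INFRASTRUCTURE, 70),
            VisibleNetwork("peer", AD_HOC, 90)]
    cfg = ClientConfig(preferred=["home", "corp"], connect_any_visible=True)
    print([n.ssid for n in order_candidates(scan, cfg)])
    print(auth_plan(ClientConfig(preferred=[], wep_key_preconfigured=True)))
    # Association with corp fails (say, 802.1x rejects us), so the next candidate is tried.
    print(connect(scan, cfg, lambda n: n.ssid == "cafe").ssid)
```

The point of keeping `order_candidates` separate from `connect` is that the ordering is the policy an administrator reviews (is ad hoc allowed, may the client join any visible network), while `connect` is the retry loop that the text describes as moving on to another network when authentication fails.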
To set up automatic wireless configuration
To set up 802.1x authentication
To connect to an available wireless network
For more information about zero client configuration for wireless network clients in Windows XP Professional, see "Wireless Networking" in Windows XP Professional Help and Support Center.