Microsoft Technology Advantage Forum—Deploying Windows


Windows 2003 and 802.1x Secure Wireless Deployments
Challenge of Wireless
Impressions that wireless is insecure
Early implementations lacked security
WEP shared secret, MAC address filtering
Difficult to administer and manage
Need to protect network integrity
Need to secure data
Prevent unauthorized network access
Must be able to trust an access point
Prevent credential theft
Security without excess complexity
Secure Wireless with Windows 2003
All connections are authenticated and secured:
[Diagram labels: Active Directory; IAS / RADIUS; PKI / EAP-TLS; Directory Enabled Networking; Secure 802.1x Wireless Support; Effortless PKI Services]
•PKI integrated with Active Directory
•Auto enrollment of certificates
•Integrated 802.1x Support
•Integrated EAP Security
Wireless: password or certificate-based access
Checks for valid X.509 certificate via RADIUS to AD
PEAP
•PKI Deployment Optional
•Passwords can be used w/ Trusted 3rd party Cert.
•Integrated 802.1x Support
Why use 802.1X?
Eases manageability by centralizing
Authentication decisions
Authorization decisions
Distributes keys for data encryption and integrity to the wireless client computer
Minimizes Access Point cost by moving expensive authentication to AD
Supports both WPA and WEP
Why PEAP vs. EAP/TLS?
Organizations may not be ready for PKI
Managing user certificates stored on computer hard drives has challenges
Some personnel might roam among computers
Smartcards solve this
Technical and sociological issues can delay or prevent deployment
PEAP enables secure wireless now
Leverages existing domain credentials
Allows easy migration to certificates and smartcards later
PEAP Security and Ease of Deployment
Advantages
PEAP is an open standard
PEAP offers end-to-end negotiation protection.
PEAP uses mutual authentication.
PEAP offers highly secure keys for data encryption.
PEAP does not require the deployment of a full PKI or client certificates.
PEAP can be used efficiently with roaming wireless devices.
User's credentials are not exposed to brute force password attacks.
Windows 2003 Wireless Security
Native support for IEEE 802.1X
Complete with all required infrastructure
IAS: RADIUS Server and Proxy
Windows Certificate Server: PKI
AD: User and Computer account and Certificate repository
Same infrastructure used w/ RAS dial-up and VPN authentication
Native interop. w/ Windows XP client (WinXP SP1)
Down-level client support (PPC2002, W2K, NT4, 9x)
Windows 2003 Improvements
Windows 2003 Active Directory
Auto Certificate enrollment and renewal for machines and users
Performance enhancements when using certificate deployment
Group Policy support of Wireless settings
Internet Authentication Service
Enhanced logging
Allows easier deployment of multiple authentication types
Scaling up
Load Balancing
RADIUS Proxy
Configuration export and restore
Registering APs with RADIUS servers
Large number of APs in wireless deployment
Requires Server 2003 Enterprise Edition
System Requirements
Client: Windows XP service pack 1
Server: Windows Server 2003 IAS
Internet Authentication Service—our RADIUS server
Certificate on IAS computer
Backporting to Windows 2000
Client and IAS must have SP3
No zero-config support in the client
See KB article 313664
Supports only TLS and MS-CHAPv2
Future EAP methods in XP and 2003 might not be backported
802.1x Setup
1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients
   Don’t forget to import CA root
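The following is an added example, not part of the Microsoft slides or of IAS itself. It shows on the wire what step 6 ("Add AP as RADIUS client") and the earlier requirement to "trust an access point" actually buy you: the shared secret configured for each AP binds the AP's Access-Request to IAS through the RFC 3579 Message-Authenticator (mandatory when EAP is carried over RADIUS) and binds the IAS reply back to the AP through the RFC 2865 Response Authenticator. The AP names, the secret and the user identity are constructed sample values; the EAP conversation itself (PEAP or EAP-TLS against AD) is elided and an Identity response is simply accepted so the reply binding can be shown.

```python
"""Added example (not the slides' or IAS's code): RADIUS shared-secret
binding between an access point and the RADIUS server, per RFC 2865
(Response Authenticator) and RFC 3579 (Message-Authenticator for EAP).
All names, secrets and identities below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length includes the 2-byte header.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    # RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def add_message_authenticator(code, ident, authenticator, attrs, secret):
    # RFC 3579 3.2: HMAC-MD5(secret) over the whole packet with the
    # Message-Authenticator value set to 16 zero bytes. For replies the
    # authenticator field used here is the Request Authenticator.
    zeroed = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()
    return attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)]


def verify_message_authenticator(packet, secret):
    received, zeroed = None, []
    for t, v in parse_attrs(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            received = v
            zeroed.append((t, bytes(16)))
        else:
            zeroed.append((t, v))
    if received is None:
        return False  # EAP over RADIUS requires the attribute (RFC 3579)
    rebuilt = build_packet(packet[0], packet[1], packet[4:20], zeroed)
    return hmac.compare_digest(received, hmac.new(secret, rebuilt, hashlib.md5).digest())


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def ap_build_access_request(ident, identity, nas_id, secret):
    # The AP relays the supplicant's EAP-Response/Identity (EAP code 2, type 1).
    eap = struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, identity), (ATTR_NAS_IDENTIFIER, nas_id), (ATTR_EAP_MESSAGE, eap)]
    attrs = add_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def ias_handle_request(packet, clients):
    # The server finds the secret registered for this RADIUS client and checks
    # the HMAC before looking at any EAP payload. An unknown client or a bad
    # HMAC is silently discarded (RFC 2865), not answered with Access-Reject.
    attrs = dict(parse_attrs(packet))
    secret = clients.get(attrs.get(ATTR_NAS_IDENTIFIER))
    if secret is None or not verify_message_authenticator(packet, secret):
        return None
    ident, request_auth = packet[1], packet[4:20]
    # Real IAS would now run PEAP/EAP-TLS against AD; the Identity is accepted here.
    reply_attrs = add_message_authenticator(ACCESS_ACCEPT, ident, request_auth,
                                            [(ATTR_USER_NAME, attrs[ATTR_USER_NAME])], secret)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, reply_attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, resp_auth, reply_attrs)


def ap_verify_reply(reply, request_auth, secret):
    # The AP trusts a reply only if its authenticator recomputes with the
    # secret and the Request Authenticator it sent; anything else is dropped.
    if reply is None or len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[0], reply[1], request_auth, parse_attrs(reply), secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    clients = {b"ap-floor1": b"example-shared-secret"}  # constructed RADIUS client table
    secret = clients[b"ap-floor1"]
    req, req_auth = ap_build_access_request(7, b"alice@example.test", b"ap-floor1", secret)
    reply = ias_handle_request(req, clients)
    accepted = ap_verify_reply(reply, req_auth, secret) and reply[0] == ACCESS_ACCEPT
    # An AP that was never added as a RADIUS client gets no reply at all.
    unknown_req, _ = ap_build_access_request(8, b"alice@example.test", b"ap-unknown", b"some-secret")
    dropped = ias_handle_request(unknown_req, clients) is None
    # A reply not produced with the configured secret fails the AP's check.
    bad_auth = response_authenticator(ACCESS_ACCEPT, 7, req_auth, [], b"wrong-secret")
    wrong_secret_accepted = ap_verify_reply(build_packet(ACCESS_ACCEPT, 7, bad_auth, []), req_auth, secret)
    return accepted, dropped, wrong_secret_accepted


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The same binding is why the RADIUS logging enabled in step 5 is worth keeping: a silently discarded request shows up nowhere on the AP, so the server log is the only place an unregistered or misconfigured access point becomes visible.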