Wireless networks can be secure if you use the right technologies. To add a secure wireless network to an existing Windows network, all you need to do is install one or more 802.1x-compliant wireless Access Points (APs) and one computer running Windows Server 2003. The Windows 2003 server will facilitate 802.1x authentication between your wireless clients and your existing Windows network. Your users will be able to gain access to your wireless network simply by using their existing Windows user accounts.
The Means to Security
To secure the wireless network, we'll use 802.1x and the related Protected Extensible Authentication Protocol (PEAP), which are the wireless networking industry's initial solution to the Wired Equivalent Privacy (WEP) standard's security problems. WEP's main vulnerabilities are poor encryption key handling and a lack of per-user authentication and authorization. The 802.1x standard addresses these problems by implementing better key-management methods and leveraging Remote Authentication Dial-In User Service (RADIUS) servers for authentication, accounting, and authorization.
Wi-Fi Protected Access (WPA) is an even more recent and secure standard that completely replaces WEP, and Microsoft offers Windows updates that support WPA. However, at the time of this writing, you can't use Group Policy to roll out or configure the WPA update; you must do the work manually or purchase some other method of automated software deployment. For more information about WPA, see the sidebar "The WPA Alternative."
The 802.1x standard supports conceivably any authentication protocol through its use of PEAP, a follow-on to Extensible Authentication Protocol (EAP) developed by Microsoft, Cisco Systems, and RSA Security. EAP facilitates choice in authentication methods but doesn't protect them from eavesdropping or modification by attackers. PEAP provides a secure, Secure Sockets Layer (SSL)-based, integrity-checked channel through which client and server can conduct authentication by any means, including certificates, passwords, smart cards, and biometrics. Windows 2003 and Windows XP feature built-in support for certificates, passwords, and smart cards. The Microsoft 802.1x Authentication Client (which I discuss later in the article) gives you the same support for Windows 2000, Windows NT, and Windows 98. All three options provide mutual authentication between the server and client, integrity checking, and encryption to foil eavesdroppers.
You can use either PEAP EAP-Transport Layer Security (TLS) or PEAP EAP-Microsoft Challenge Handshake Authentication Protocol (MSCHAP) v2 for authentication to your wireless LAN (WLAN). EAP-TLS accomplishes authentication by using client certificates, which can be stored on smart cards or the local computer. Smart cards provide the highest level of security for authenticating clients on your wireless network but require an investment in cards and readers and an infrastructure for deployment and support. Client certificates stored on the workstation provide the next highest level of security but require you to take on the maintenance work of deploying client certificates to each client workstation and deploying and managing a public key infrastructure (PKI).
Although Active Directory (AD) and Group Policy's built-in support for certificate management can help you manage certificates, some companies still need an alternative to client certificates for their wireless network—especially smaller companies that want to avoid rolling out a full PKI. That's where EAP-MSCHAP v2 comes in. EAP-MSCHAP v2 uses the familiar, password-based Windows authentication protocol MSCHAP v2 inside PEAP. EAP-MSCHAP v2 lets you leverage existing Windows accounts to control access to the WLAN instead of requiring a full PKI to deploy client certificates to each workstation. However, you should be aware of one limitation when using EAP-MSCHAP v2. Because EAP-MSCHAP v2 is based on the user's password, the user's computer doesn't gain access to the WLAN—or to anything on the network, such as Group Policy Objects (GPOs)—until the user logs on. In this article, I show you how to use EAP-MSCHAP v2 to employ your users' existing Windows account passwords for authentication to your secure 802.1x network. I assume you have a Win2K AD domain, but if not, you can use accounts stored on a Windows 2003 server in a legacy NT domain.
In 802.1x networks, the AP becomes a middleman, simply passing messages between the wireless client and a RADIUS server. The client and RADIUS server authenticate to each other. When authentication is successful, the RADIUS server notifies the AP that the wireless client can join the network. The RADIUS server can also provide the AP with a list of routing restrictions that should apply to the client based on profiles stored on the RADIUS server. This per-client routing control introduces some exciting possibilities, such as the ability to restrict visiting business partners to certain services or areas of your network. For instance, you could configure a profile on the RADIUS server that restricts guests who connect to your network to Internet access only and prevents them from accessing servers on your local network.
Previous
Register
