Mobility and Collaboration
Wireless Networking for Mobility and Collaboration
By Jerry Honeycutt, Roslyn Lutsch
Microsoft Corporation
Published: December 2002
Abstract
Wireless networking enables users to be more productive and helps organizations reduce the cost of
their infrastructures. By itself, wireless networking is a potential boon for all organizations. Microsoft®
Windows® XP adds even more value to wireless networking by making it easier to deploy, configure,
and support. This paper describes the benefits of wireless networking with Windows XP and how you
can leverage this combination in your own organization.
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing
of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, the
Office logo, Windows, the Windows logo, and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners. Microsoft Corporation • One Microsoft Way
• Redmond, WA 98052-6399 • USA
Contents
Acknowledgments 3
Introduction 4
Wireless Scenarios 5
  Road Warriors 5
  Corridor Warriors 5
  Telecommuters 5
  Data Collectors 6
Wireless in the Enterprise 7
  Productivity 7
  Infrastructure 8
Wireless with Windows XP 9
Wireless Deployment 11
  Performance 12
  Scalability 13
  Roaming and Mobility 13
  Security 13
Wireless Security 15
  IEEE 802.1X 16
  RADIUS 17
  Active Directory 17
  Certificates 17
Summary 19
For More Information 20
Glossary 21
Acknowledgments
Mark Hassall, Microsoft Corporation
Bruce Kember, Microsoft Corporation
Warren Barkley, Microsoft Corporation
Anton Krantz, Microsoft Corporation
Drew Baron, Microsoft Corporation
Joseph Davies, Microsoft Corporation
David Talbott, Studio B
Elsa Rosenberg, Studio B
Introduction
Wireless networking has revolutionized mobile computing. Mobile users are now more productive—they
can access corporate network resources by using any public wireless network and can roam the building
with their laptop computers and still have network access. Wireless networking means that mobile users
can squeeze more work time out of their day, and it significantly enhances their quality of life.
IT professionals are more effective, too, and your IT dollar goes farther. Wireless networking reduces the
cost of network infrastructure by making it more feasible and less time-consuming to add networking to
unconventional locations, such as conference rooms, cafeterias, and community areas.
Wireless networking is better with Windows XP. For example, Windows XP reduces wireless deployment
costs via automatic configuration. It also reduces Help desks’ call times for wireless networking questions
due to simplified configuration, automatic roaming, and built-in Wi-Fi support. Windows XP makes wireless
networking practical for the average mobile user for whom it wasn’t previously feasible.
This paper describes all of these benefits. It starts with a description of the different types of mobile users
and their wireless requirements, describes the benefits of wireless networking so that you can consider
them independently of Windows XP, and shows you the value that Windows XP adds. Lastly, it gives you
an overview of how to deploy wireless networking with Windows XP and lays a foundation of best practices
to guide you. If you’re not already familiar with terminology such as 802.11 wireless networking and WLAN,
see the glossary. This paper also includes references to resources where you can find more information;
most of these references are at Microsoft’s WiFi Web site.
In this paper, you find the following sections:

Section                     Describes
Wireless Scenarios          The four basic types of mobile users
Wireless in the Enterprise  How wireless benefits enterprise organizations
Wireless with Windows XP    The benefits of Windows XP wireless features
Wireless Deployment         Issues concerning wireless networking deployment
Wireless Best Practices     Best practices deploying wireless with Windows XP
Wireless Scenarios
This section describes four basic types of mobile users and their wireless requirements:
• Road Warriors. Professionals who travel frequently and require remote access
• Corridor Warriors. Knowledge workers who spend most of their time in meetings
• Telecommuters. Knowledge workers who work occasionally at home
• Data Collectors. Field service employees who travel full-time and thus require remote access
Road Warriors
Road warriors include executives, consultants, sales representatives, insurance agents, or pharmaceutical
representatives. Their requirement is to keep the lines of communication flowing, so wireless connectivity is
extremely important to this type of user. However, this relationship isn’t one-way (from sales representative
to client) because, with the new connectivity that Windows XP Professional provides, a road warrior's
relationship to a client can become a collaborative experience. Road warriors typically travel 80 percent or
less of the time, and thus their connectivity to the corporate network is vital.
A road warrior's preferred equipment includes either a laptop or Tablet PC with both wired and wireless
connections to the corporate network for maintaining essential corporate files. Preferred connectivity while
on the road for the laptop is a wireless wide area network (WWAN) or 802.11b (Wi-Fi) if a wireless hotspot
is available. A wireless Pocket PC or Smartphone to attend conference calls on the go and a handheld for
email and calendar capability are also key tools that the road warrior carries. Preferred connectivity for a
Pocket PC's Internet connectivity is General Packet Radio Service (GPRS).
Corridor Warriors
Corridor warriors include executives and knowledge workers in an enterprise environment. In addition,
mobile students in a campus environment can be considered corridor warriors. Their requirement is to have
instant connectivity to applications and information whether in an enterprise environment or a campus
environment. This type of user places more demands on a wireless network because not only do they need
connectivity in the midst of structured meetings, but also corridor warriors demand connectivity on the way
to the next meeting or class. Corridor warriors travel 20 percent or less of the time.
A corridor warrior's preferred equipment includes either a laptop or Tablet PC with both wired and wireless
connections to the corporate or campus network. If corridor warriors have a laptop, they’ll most likely also
need a docking station for their laptop or desktop PC at the office and a Pocket PC for mobile email and
calendar checking. Their preferred connectivity when roaming wirelessly throughout the office is Wi-Fi.
Telecommuters
Telecommuters include employees, consultants, and contractors who work at home at least one day per
week and perform their work either from home or in the office. They need network access away from the
office only occasionally, and they split their time between the office and the home office, traveling between
the two roughly 25 percent of the time.
A telecommuter’s preferred equipment is a laptop or desktop PC in the office and a PC at home. Working at
home requires corporate network access, which might mean smart card authentication over a dial-up
connection or a virtual private network (VPN) connection over dial-up or cable/Digital Subscriber Line (DSL)
access. Telecommuters access their desktop PC or laptop at the office over a wired connection and reach
the corporate network from home through the VPN.
Data Collectors
Data collectors include field service employees from various vertical industries as diverse as manufacturing
to emergency and rescue. Data collection can be a tedious and boring task, but with the improvements and
new features of Windows XP and Office XP, you can collect data quicker and more securely than before.
Data collectors require access to data wherever they find themselves and must have enough resources on
hand to deliver enhanced services on demand. Data collectors travel approximately 80 percent or more of
the time. Their preferred equipment is a laptop or Tablet PC with wireless connection to the corporate
network and a handheld or cell phone with data capabilities. Their preferred connectivity is WWAN;
however, it’s possible to use Wi-Fi if a wireless hotspot is available to update data throughout the day.
Wireless in the Enterprise
According to Gartner analyst Andy Rolfe, in a study called “Wireless LAN Equipment Market: Strong
Growth Set to Continue” (Gartner, Inc., October 2002), the needs of mobile users, including mobile PC and
PDA users, will continue to drive the growth of wireless LAN (WLAN) equipment. Rolfe estimates that the
penetration of WLAN technology into the professional mobile PC space will grow from 20 percent in 2001 to
more than 90 percent in 2007. With an increase in performance, improved security, lower costs, and
industry standardization, Rolfe expects wireless networking to increase at a compound annual growth rate
of 42 percent through 2007. By the end of 2007, the price of wireless NICs will fall below $30 per unit, and
more than two-thirds of mobile computers will ship with integrated WLAN adapters.
The Wireless LAN Association (WLANA) also studied the benefits of wireless networking. It surveyed users
and IT professionals in 34 organizations from a cross section of industries (education, healthcare,
manufacturing, and retail). The study’s findings are striking. First, WLANA found that
WLANs paid for themselves within the first 12 months in all of the industries it studied. Wireless networking
paid for itself quickest in the office automation industry (6.3 months), followed by the education industry (7.1
months), manufacturing (7.2 months), retail (9.7 months), and healthcare (11.4 months). The surveys
provided other interesting feedback, including the following points (see Wireless LAN ROI):
• 89 percent of the companies surveyed had successful deployments.
• 92 percent of the companies surveyed observed definite business benefits.
• 92 percent of the companies surveyed said they’d continue to deploy wireless technology based on the experience of their users and IT staff.
• 97 percent of the users surveyed said that they agree or strongly agree that wireless networking contributed to the speed at which they completed tasks that require real-time access to information.
All of these predictions paint a positive picture for mobile computing and wireless networking, but they don’t
answer the important question, “What’s wireless networking going to do for my business?” The following
sections describe how wireless networking benefits enterprises such as yours. It empowers users and
makes them more productive, reduces the cost of the organization’s infrastructure, and reduces the cost of
IT. The section “Wireless with Windows XP” describes additional benefits that Windows XP adds.
Productivity
Wireless networking makes all types of mobile users, particularly road warriors, corridor warriors, and data
collectors, more productive and improves their quality of life:
• Users gain extra productive hours. Wireless networking can turn idle time into productive time by allowing mobile users to connect to corporate network resources where traditional wired network connections aren’t available. For example, an executive waiting for a delayed flight can connect to the corporate network using a public hotspot at the airport. Knowledge workers can connect to the network and collaborate during a meeting.
• Decisions are made quicker as cycle times are reduced. Wireless networking enables immediate collaboration regardless of whether a wired network connection is available. For example, a technician on the manufacturing floor can send information to engineering without delay, and a doctor can check a patient’s record without ever leaving the room. Decisions are made quicker because the usual delay of users returning to their desktop computers is eliminated by an instant, wireless connection to the corporate network.
• Users’ quality of life is better. Wireless networking makes mobile computing more convenient. Rather than endure the frustration of finding a phone line and dialing in to the network, many mobile users simply put the work off until later. Frustration levels decrease as mobile users learn that they can connect to their resources without hassles.
Infrastructure
Wireless networking is also beneficial to an enterprise’s infrastructure:
• Temporary network connectivity is more practical and less expensive. Wireless networking makes it feasible to set up, use, and take down temporary networks as required. Microsoft is a good example of leveraging this benefit. The company configures temporary wireless networks at trade shows for the benefit of staff and attendees. A more general example is creating a temporary wireless network for the final crunch of a big project, which you can disassemble at the project’s completion.
• Wireless networks are quicker to deploy than wired networks. Wireless networks are more flexible than wired networks. They’re quicker to deploy because you don’t have to run cable throughout your building, and Windows XP makes configuration easier.
• Wireless networking is more feasible in locations where wired networks aren’t practical. Locations such as conference rooms and cafeterias aren’t practical to wire, and wireless networking makes it easy to add a network to those rooms. Traditional wired networking isn’t practical outdoors, for example, but wireless networking is well suited to an outdoor network. Additionally, older buildings and some types of construction prohibit pulling wires for a traditional network. Wireless networking significantly reduces the cost of networking in those scenarios and enables networking in environments where it wasn’t previously possible. For that matter, wireless networking is cheaper to deploy than cabling a building with Category-5, and it scales more easily.
Wireless with Windows XP
The combined Rapid Economic Justification (REJ) and various TCO studies show that when Windows XP
Professional was installed, the increased reliability and stability directly influenced user productivity,
efficiency, and support costs. Combined with wireless capability, the studies show a significant drop in the
cost of ownership and a rise in productivity and efficiency. According to the studies, features such as Plug
and Play (PnP), Warm Docking, Hibernation, and Advanced Power Management save organizations $259
per laptop computer each year. For more information about the benefits of using Windows XP in mobile
scenarios, see Windows XP and Office XP for Mobile Users. The Windows XP wireless networking features
themselves save organizations an astonishing $830 per laptop computer each year. For more information
about REJ, see http://www.microsoft.com/value.
Windows XP Professional has new features and enhancements that make remote and wireless access
simple for any wireless user, which in turn provides significant productivity gains for employers.
Organizations considering Windows XP Professional find significant value in its ability to automatically
enable wireless networking. Such cost reductions are directly related to features, such as the Wireless Zero
Configuration service, which allow users to leverage the technology without involving IT support staff. The
following list describes scenarios in which Windows XP and the Wireless Zero Configuration service make
users more productive:
• With a wireless network adapter installed, Windows XP Professional searches for available networks to which it can connect. When an available network matches a preferred network, Windows XP Professional connects to it. If there are no configured preferred networks or no preferred networks are found, users can also select a specific network to which they want to connect. Users can prioritize the list of preferred networks—Windows XP Professional stores the list and connects to the networks in the chosen order. Connection management is possible without user intervention, but user interaction is sometimes necessary to choose specific networks or prioritize connection order.
• Automatic configuration makes wireless networking more practical for mobile users. Because configuring wireless network connections in Windows XP is much easier than in earlier versions of Windows using third-party device drivers, all types of mobile users can easily configure their wireless connections. Estimates are that simplified network configurations save organizations $68 per laptop each year. Wireless networking and simplified network configurations benefit IT professionals, too. Because users are more able to configure their own network connections, they become more self-sufficient. IT professionals no longer have to plan and configure every connection when they deploy the operating system to mobile users. And the Help desk gets fewer calls from mobile users as they change environments and thus need to configure new network connections.
• As users physically move their wireless computers from room to room, Windows XP Professional automatically remains connected by finding the best wireless access point (AP) with which to communicate. When it finds a new wireless AP, it automatically negotiates authentication and authorization with that wireless AP without user intervention, which provides a great experience for the mobile user. A user can move anywhere within a given wireless network and remain connected to the network. You can also configure an ad hoc wireless network, which is convenient during meetings when users want to share and collaborate.
Windows XP improves wireless networking in ways beyond the Wireless Zero Configuration service. For
example, the operating system includes device drivers for most of the popular wireless adapters, and the
device drivers that come with Windows XP fully support Wireless Zero Configuration. In many cases, IT
professionals don’t need to deploy third-party device drivers for their wireless adapters, and mobile users
don’t have to download and install device drivers on their own (check the Hardware Compatibility List—HCL—
before purchasing wireless adapters). Also, Windows XP provides built-in support for IEEE 802.1X security.
802.1X mitigates some of the basic security flaws in Wi-Fi networking, making it possible to deploy wireless
networks that use secure authentication methods and per-session encryption keys. For more information
about Windows XP and 802.1X wireless security, see the
section “Wireless Security.”
Wireless Deployment
Microsoft has deployed wireless networking throughout its campuses, and the company’s experience is a
good starting point for describing a deployment process. See Microsoft Wireless LAN Deployment and Best
Practices for more information about this project. That paper is only an overview, however. For more
information about deploying wireless networking, see Deploying Enterprise Mobility and Collaboration. The
following steps describe the deployment process that Microsoft used during its own project:
1. Pre-installation. This phase of a wireless deployment involves three steps. The first is developing a wireless AP location plan, which is based on your own design guidelines. For example, Microsoft’s guidelines specified that 95 percent of the installations could not require specialized antennas. The second step is field verification of proposed wireless AP locations to check for physical interference. The last is to present the final locations for approval prior to beginning installation of the APs.
2. Installation. The physical installation of wireless APs involves three steps. First is enclosing the wireless APs and antennas in enclosures that meet fire safety codes. The next is configuring centralized, low-voltage power supplies on backup power using uninterruptible power supplies. The last is building out the authentication infrastructure (Internet Authentication Service—IAS—and a public key infrastructure—PKI—in Microsoft’s case).
3. Delivery. Delivery is a testing phase in which technicians spot-check wireless AP installation for conformance to the specifications. These technicians also verify RF coverage and network connectivity of each AP. Last, in this phase, technicians deliver as-built documentation, which reflects the final placement of each wireless AP.
4. Rollout. In Microsoft’s case, the rollout involved three steps. The first was to create a Cryptographic API Component Object Model (CAPICOM) script to install certificates. Then, Microsoft created a Web site to host information about instructions, updated drivers, and the CAPICOM script. Last, the company informed users about the Web site with information to obtain wireless access. To get the computer and user certificates required for wireless access, users must connect to the corporate network by using a wired Ethernet connection.
The following sections describe issues your organization might face when you deploy wireless networking:
performance, scalability, roaming and mobility, and security. These issues are based on Microsoft’s
experience with its own large-scale deployment and assume a configuration such as the following, shown in
Figure 1 (for more information about these components and the process of secure wireless authentication,
see the article Windows XP Wireless Deployment Technology and Component Overview):
Wireless client computers running Windows XP. Windows XP has built-in support for Wi-Fi wireless
networking and 802.1X authentication using Extensible Authentication Protocol (EAP). The section
“IEEE 802.1X” contains more information about 802.1X and EAP.
At least two Windows 2000 IAS servers. At least two IAS servers (one primary and one secondary) are
used to provide fault tolerance for Remote Authentication Dial-In User Service (RADIUS)-based
authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access
clients cannot connect. By using two IAS servers and configuring all wireless APs, which are the
RADIUS clients, for both the primary and secondary IAS servers, the RADIUS clients can detect when
the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server. The
Windows 2000 IAS servers require Service Pack 3 (SP3). See the section “RADIUS” for more
information.
Active Directory service domains. Active Directory® domains contain the user accounts, computer
accounts, and dial-in properties that each IAS server requires to authenticate credentials and evaluate
both authorization and connection constraints. While not a requirement, to both optimize IAS
authentication and authorization response times and minimize network traffic, IAS should be installed
on Active Directory domain controllers. The domain controllers require SP3. See the section “Active
Directory” for more information.
A certificate infrastructure. The EAP-Transport Layer Security (EAP-TLS) authentication protocol is used with
locally installed computer and user certificates to authenticate wireless clients. A certificate
infrastructure, also known as PKI, is needed to issue and provide validation for certificates. See the
section “Certificates” for more information. Alternatively, you can purchase certificates for the IAS servers
from a third-party certification authority (CA) and use Protected EAP (PEAP) with Microsoft Challenge-Handshake
Authentication Protocol (MS-CHAP) v2 authentication, which authenticates clients by password and therefore
needs no client certificates. See the paper PEAP with MS-CHAP Version 2 for Secure Password-based
Wireless Access for more information.
Wireless remote access policy. A remote access policy is configured for wireless connections so that
employees can access the organization’s intranet.
Multiple wireless APs. Multiple third-party wireless APs provide wireless access in different buildings of an
enterprise. The wireless APs must support 802.1X and RADIUS.
Figure 1. Secure Wireless Configuration (The Certification Authority—CA—server is optional if you
use third-party certificates with PEAP MS-CHAP v2 as described in the article PEAP with MS-CHAP
Version 2 for Secure Password-based Wireless Access.)
Performance
For the best performance possible, use the following best practices:
• Don’t overload your wireless APs with too many connected wireless clients. Although most wireless APs can support hundreds of associated clients, the practical limit is 20–25 connected clients, and an average of 2–4 active users per wireless AP maximizes performance while still using the WLAN effectively.
• For higher-density situations, lower the signal strength of the wireless APs to reduce the coverage area, which allows more wireless APs to fit in a given space and distributes more wireless bandwidth to more wireless clients.
Scalability
For maximum scalability, use the following best practices:
• To ensure redundant coverage against the potential failure of a single wireless AP and to provide a seamless roaming experience within a building, design your coverage areas carefully. Microsoft based the company’s WLAN on a 20-meter diameter coverage area for this reason. The company carefully verified coverage and network connectivity for each wireless AP. Microsoft tested for decreased coverage-area size, overlapping coverage areas via channel configuration, and mitigating Bluetooth (BT) interference.
• For large amounts of authentication traffic within an Active Directory forest, use RADIUS proxies running Windows .NET Server 2003 IAS between the wireless APs and the RADIUS servers. By default, an IAS RADIUS proxy balances the load of RADIUS traffic across all the members of a remote RADIUS server group on a per-authentication basis and uses failover and failback mechanisms. Members of a remote RADIUS server group can also be individually configured with priority and weight settings so that the IAS proxy favors specific RADIUS servers.
Roaming and Mobility
For the best wireless roaming experience, configure all of the wireless APs in each building to be on the
same IP subnet. Doing so makes wireless roaming seamless within each building. When wireless clients
associate with different wireless APs, the DHCP renewal process just renews the lease on the existing
TCP/IP configuration. Inter-building roaming and the DHCP renewal process cause a change in the TCP/IP
configuration, which might cause problems for applications that cannot gracefully handle a change in the
TCP/IP configuration. In either case, because EAP-TLS and certificates are used for authentication, the
user is never prompted to authenticate to the WLAN.
Security
Microsoft chose EAP-TLS using registry-based user and computer certificates as the authentication method
for wireless connectivity for the reasons you’ll learn about in the section “Wireless Security.” EAP-TLS
addresses secure authentication and key management.
EAP-TLS also helps protect against snooping on Microsoft’s WLAN. EAP messages for 802.1X negotiation
are sent as clear text. However, the use of EAP-TLS and public-key cryptography prevents an eavesdropper
from obtaining the information needed to masquerade as either the wireless client or the authenticating
server. After EAP-TLS negotiation is complete, all traffic sent between an authenticated wireless client and
its associated wireless AP is encrypted with the Wired Equivalent Privacy (WEP) session key, which is
changed for each authentication. Because that session key is still a WEP key, configure the RADIUS
session timeout so that clients reauthenticate, and therefore rekey, frequently: the less traffic encrypted
under any one WEP key, the less an attacker can collect against it.
Protection from rogue wireless APs on the Microsoft WLAN is also provided through the use of EAP-TLS,
which provides mutual authentication of the wireless AP and the authenticating RADIUS server. To
masquerade as a Microsoft corporate wireless AP, the AP must have a security relationship with a
Microsoft RADIUS server. If a wireless AP doesn’t have this security relationship and configuration, it
cannot exchange RADIUS messages with the RADIUS server and, therefore, cannot authenticate 802.1X
wireless clients. It’s possible for the rogue wireless AP to be configured as the RADIUS client of a rogue
RADIUS server. However, by default, Microsoft wireless clients validate the certificate of the RADIUS
server. Therefore, if the RADIUS server of the wireless AP cannot provide a valid certificate and proof of
knowledge of its corresponding private key, the wireless client terminates the connection. See the next
section, “Wireless Security,” for more information about securing your wireless network.
Wireless Security
This section describes security challenges and their solutions, including the following:

Securing the data passing through the wireless network against eavesdropping

Securing the wireless network against intrusion by using strong authentication

Securing the network against rogue wireless APs
While the Wi-Fi standard has experienced a rapid growth in the WLAN marketplace, the industry has raised
a number of security concerns. The Wi-Fi standard defines authentication and encryption services based on
the WEP algorithm. The WEP algorithm uses a 40-bit shared-secret key for authentication and encryption,
and many Wi-Fi implementations also support 104-bit secret keys. However, the standard doesn’t define a
key management protocol and presumes that the secret, shared keys are delivered to the client via a
secure channel independent of Wi-Fi. The bottom line is that WEP doesn’t scale to typical enterprise
wireless deployments because key management is almost impossible.
The lack of a WEP key management protocol is the primary limitation with securing Wi-Fi, especially in a
wireless infrastructure network (a wireless network built using APs to connect to the wired network) with a
large number of stations. Some examples of this type of network include corporate campuses and public
places such as airports and malls. When manually configured shared keys are used, the keys tend to
remain in place for long periods of time, giving attackers more time to use various attacks to gain access
to the network. The lack of authentication and encryption services also affects operation in a wireless, ad
hoc network (peer-to-peer wireless network) where users may wish to exchange files or collaborate
wirelessly. An example is peers sharing files in conference rooms. As a result, the heightened importance of
authentication and encryption in a wireless environment demonstrates the need for access control and security
mechanisms that include a key management protocol as part of the Wi-Fi standard.
Additional issues (besides the lack of a key management protocol) with WEP have been raised, causing
concern with the level of security provided. Those concerns include the following:

Key Reuse. The technique that WEP uses to allocate keys can result in successful attacks to
determine the keys. These attacks require a large number of packets (5 to 6 million) to actually fully
derive the WEP key, but on a large, busy network, this can occur in a short time—as quickly as 10
minutes. Some of the largest corporate networks will likely require much more time than this to
gather enough packets. In WEP-protected wireless networks, all or some of the stations often use
the same shared key, and the network becomes insecure if the WEP keys aren’t changed often,
which furthers the need for a WEP key management protocol.

Injecting Malicious Packets. If attackers know the structure of an encrypted packet (known
protocol header fields and so on), they can modify the packet by flipping bits to create a malicious
packet—changing commands and addresses. The encrypted packet has an integrity check to
ensure it hasn’t been tampered with, but because of the way this is implemented in WEP, the
integrity check can be modified so that it’s valid for the new packet and accepted at the destination.
If the attacker knows the location of the destination address in this packet, the address can be
changed on an otherwise unknown packet. The new destination can be a machine controlled by the
attacker. If the packet is sent on the wireless network, the AP will decrypt the packet and send it to
the rogue destination.

Real-time Decryption. The weaknesses of the WEP algorithm can allow an attacker to decrypt all
traffic in real time.

Other Weaknesses. Other security weaknesses that exist with Wi-Fi include the following:

No user identification and authentication

No central authentication, authorization, and accounting support

No per-packet authentication mechanism to identify the packet source

Implementations that derive WEP keys from passwords, making passwords vulnerable

No support for extended authentication; for example: token cards; certificates and smart cards;
one-time passwords; and biometrics

Key management issues, such as rekeying global keys, and no dynamic, per-station, or session-key management
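The "Injecting Malicious Packets" item above rests on one property of WEP's integrity check: CRC-32 is affine under XOR, so the check value of a modified payload is fully determined by the check values of the original, of the change, and of an all-zero block, with no key involved. The following is an added example (not code from the paper) that tests for that property and contrasts it with a keyed MAC, which is what a receiver needs to detect controlled modification; the frame, change and key bytes are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed inputs (not from the paper): a 48-byte "frame" payload, the
# XOR difference an adversary would like to apply, and a session key.
SAMPLE_FRAME = bytes(range(48))
SAMPLE_DELTA = bytes([0] * 16 + [0xFF, 0x01, 0x80, 0x7F] + [0] * 28)
SAMPLE_KEY = b"constructed-session-key"


def icv_crc32(payload: bytes, key: bytes = b"") -> bytes:
    """WEP-style integrity check value: plain CRC-32, the key is ignored."""
    return zlib.crc32(payload).to_bytes(4, "big")


def icv_hmac(payload: bytes, key: bytes) -> bytes:
    """Keyed integrity check (HMAC-SHA256): the key is what WEP's ICV lacks."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_is_xor_linear(check_fn, key: bytes, payload: bytes, delta: bytes) -> bool:
    """True when check(p ^ d) == check(p) ^ check(d) ^ check(0).

    Under WEP the payload and its ICV are both XORed with the same keystream,
    so a change applied to ciphertext is the same XOR change applied to the
    plaintext and ICV. A check with this property therefore cannot tell a
    controlled change from the original; a keyed MAC does not have it.
    """
    zero = bytes(len(payload))
    predicted = xor_bytes(
        xor_bytes(check_fn(payload, key), check_fn(delta, key)),
        check_fn(zero, key),
    )
    return predicted == check_fn(xor_bytes(payload, delta), key)


def receiver_accepts(check_fn, key: bytes, payload: bytes, received_check: bytes) -> bool:
    """Receiver-side verification: recompute the check and compare in constant time."""
    return hmac.compare_digest(check_fn(payload, key), received_check)
```

Running `check_is_xor_linear` with `icv_crc32` returns True and with `icv_hmac` returns False, which is the whole difference between WEP's ICV and the keyed message integrity checks that later 802.11 security amendments adopted.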
All of these issues fall into three categories: user administration, key management, and security. Microsoft
has worked closely with other companies within the IEEE standards groups to define a port-based network
access control (802.1X) draft standard that addresses these issues. Microsoft also worked in the IEEE to
define how 802.1X can be applied to Wi-Fi wireless networks. The sections that follow describe the 802.1X
solutions to these issues. For more technical information about the solutions for wireless security, see
Microsoft Leads in Securing Wireless Networks and Wireless 802.11 Security with Windows XP.
IEEE 802.1X
802.1X addresses the key management and security issues. The 802.1X standard defines port-based,
network access control that provides authenticated network access for Ethernet networks. This network
access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices
attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this
standard was originally designed for wired Ethernet networks, IEEE has adapted it for use on Wi-Fi LANs.
To provide a standard authentication mechanism for 802.1X, IEEE chose EAP. EAP is based on a Point-to-Point
Protocol (PPP) authentication mechanism but was adapted for use on point-to-point LAN segments.
To adapt EAP messages to be sent over Ethernet or WLAN segments, the 802.1X standard defines EAP
over LAN (EAPOL), a standard way to encapsulate EAP messages. For more detailed information about
802.1X, see Wireless Network Security with IEEE 802.1X.
EAP-TLS is an EAP type used in certificate-based security environments. If you’re using smart cards for
remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS
authentication process exchanges certificates installed on the access client and the authenticating server,
providing mutual authentication, encryption, and secured-secret key exchange and determination. EAP-TLS
provides a very strong authentication method.
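To make the EAPOL encapsulation and the EAP header concrete, here is an added example (not code from the paper) that encodes and parses the 802.1X EAPOL frame header and the EAP packet it carries, including an EAP-TLS request. Field layouts follow IEEE 802.1X-2001 and the EAP RFCs; the identity string and identifier values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constants from IEEE 802.1X-2001 and RFC 2284 / RFC 2716 (EAP-TLS).
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
EAP_TLS_FLAG_START = 0x20          # "S" bit in the EAP-TLS flags byte


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]        # None for Success/Failure, which carry no Type
    type_data: bytes = b""


def encode_eap(pkt: EapPacket) -> bytes:
    body = b"" if pkt.eap_type is None else bytes([pkt.eap_type]) + pkt.type_data
    length = 4 + len(body)         # the EAP Length field covers the 4-byte header
    return struct.pack("!BBH", pkt.code, pkt.identifier, length) + body


def encode_eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: version (1), packet type (1), body length (2, big-endian)."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def decode_eapol(frame: bytes) -> Tuple[int, bytes]:
    """Return (packet_type, body); reject truncated frames, ignore Ethernet padding."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if version != EAPOL_VERSION:
        raise ValueError("unsupported EAPOL version %d" % version)
    if len(frame) - 4 < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    return packet_type, frame[4:4 + body_len]


def decode_eap(body: bytes) -> EapPacket:
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, None)
    if length < 5:
        raise ValueError("EAP Request/Response is missing its Type byte")
    return EapPacket(code, identifier, body[4], body[5:length])


def identity_response(identifier: int, identity: str) -> bytes:
    """Supplicant's EAP-Response/Identity wrapped in an EAPOL EAP-Packet frame."""
    eap = EapPacket(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode())
    return encode_eapol(EAPOL_EAP_PACKET, encode_eap(eap))


def eap_tls_start(identifier: int) -> bytes:
    """Authenticator's EAP-Request/EAP-TLS with the Start flag, which opens the TLS handshake."""
    eap = EapPacket(EAP_REQUEST, identifier, EAP_TYPE_TLS, bytes([EAP_TLS_FLAG_START]))
    return encode_eapol(EAPOL_EAP_PACKET, encode_eap(eap))
```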
Windows XP ships with support for 802.1X. All major NIC vendors also support 802.1X and most have
released Windows drivers that support it. Likewise, all major enterprise AP vendors are supporting 802.1X.
Contact your hardware vendor for more information on their support. To learn more about Microsoft
Windows 2000, Windows Millennium Edition, Windows 98, and Windows NT® 4.0 Workstation support for
802.1X, see Microsoft 802.1X Authentication Client.
RADIUS
RADIUS is a widely deployed protocol enabling centralized authentication, authorization, and accounting for
network access. Originally developed for dial-up remote access, RADIUS is now supported by wireless
APs, authenticating Ethernet switches, VPN servers, DSL access servers, and other network access
servers.
IAS provided with the Windows 2000 Server and Microsoft Windows .NET Server 2003 families is the
Microsoft implementation of a RADIUS server and, for the Windows .NET Server 2003 family, RADIUS
proxy. IAS performs centralized connection authentication, authorization, and accounting for many types of
network access, including wireless, authenticating switch, dial-up, and VPN-based remote access and
router-to-router connections. IAS enables the use of a heterogeneous set of wireless, switch, remote
access, or VPN equipment and can be used with the Windows 2000 Server or Windows .NET Server 2003
Routing and Remote Access service.
When an IAS server is a member of an Active Directory-based domain, IAS uses Active Directory as its
user account database and is part of a single sign-on (SSO) solution. The same set of credentials is used
for network access control (authenticating and authorizing access to a network), logging on to an Active
Directory-based domain, and accessing resources. This integration greatly simplifies the planning,
configuration, and deployment of user administration for a wireless network.
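The "security relationship" between a wireless AP and its RADIUS server that the "Security" section relies on is a shared secret, and RADIUS proves possession of it on every exchange. The following added example (not IAS code or any code from the paper) builds an EAP-carrying Access-Request with the Message-Authenticator attribute that RFC 3579 requires for EAP, verifies it on the server side, and verifies the Response Authenticator on the AP side; the secret, user name and EAP bytes are constructed.

```python
import hashlib
import hmac
import os
import struct

# Packet layout per RFC 2865; Message-Authenticator (attribute 80) per RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long for one attribute")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def iter_attrs(data: bytes):
    """Yield (type, value, offset) for each attribute; reject malformed lengths."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield atype, data[i + 2:i + alen], i
        i += alen


def build_access_request(identifier: int, secret: bytes, user: bytes, eap_message: bytes) -> bytes:
    """AP -> RADIUS server: EAP payload plus an HMAC-MD5 over the packet keyed by the secret."""
    req_auth = os.urandom(16)                    # Request Authenticator: random per request
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap_message)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                       # Message-Authenticator is the last attribute


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: a client without the shared secret cannot produce a valid value."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for atype, value, off in iter_attrs(pkt[20:]):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            start = 20 + off + 2
            zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 3579: EAP-carrying requests without it must be discarded


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server -> AP: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """AP side: proves the reply came from a server that knows the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```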
The following are good resources for starting to learn more about using RADIUS servers:

For an in-depth discussion about RADIUS servers and best practices for deploying them, see the
paper RADIUS Protocol Security and Best Practices. To learn more about IAS, see the paper
Internet Authentication Service for Windows 2000.

To learn more about IAS as used for wireless deployment, see the article Enterprise Deployment of
IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service.

To learn more about how Microsoft deployed IAS in its own infrastructure and the best practices
that resulted, see the paper Microsoft Wireless LAN Deployment and Best Practices.
Active Directory
Active Directory is a directory service designed for distributed computing environments. It allows
organizations to centrally manage and share information about network resources and users while acting as
the central authority for network security. In addition to providing comprehensive directory services to a
Windows environment, Active Directory is designed to be a consolidation point for isolating, migrating,
centrally managing, and reducing the number of directories that companies require. For wireless access,
Active Directory domains contain the user and computer accounts for authentication and the Group Policy
settings to deploy computer certificates. To learn more about how Microsoft deployed Active Directory for
use with wireless networking and the best practices that resulted, see the paper Microsoft Wireless LAN
Deployment and Best Practices.
Certificates
A certificate is a digitally signed statement using public-key cryptography technology that binds the value of
a public key to the identity of the person, device, or service that holds the corresponding private key. A
certificate is issued by a certification authority (CA). Public-key cryptography uses public- and private-key
pairs to encrypt or digitally sign messages. For more information about public-key cryptography and the
Windows 2000 PKI, see the Windows 2000 Security Services Web page. To learn more about how
Microsoft deployed certificates for use with wireless networking and the best practices that resulted, see the
paper Microsoft Wireless LAN Deployment and Best Practices.
Summary
Windows XP Professional and Office XP provide extensive support for wireless networking and
collaboration. Moving to Windows XP Professional and Office XP may be your first step in building a mobile
solution, or it may be part of your ongoing strategy to build mobility into your business process. Either way,
it’s technology that’s here today. It’s also technology that’s compatible with legacy systems, which means
the Windows XP and Office XP business desktop is a stepping-stone from where you are to where you
want to be with your wireless solution.
Upgrading enterprise-level network systems is a challenge, but as you have seen in this paper, capabilities
built into Windows XP Professional greatly simplify the process of transitioning to a secure wireless
network. Additional applications such as Systems Management Server (SMS) facilitate deployment and
asset tracking. Features such as unattended installation and Wireless Zero Configuration make Windows
XP Professional the choice for an unparalleled wireless network experience.
Empower and inspire your road warriors, corridor warriors, telecommuters, and data collectors to
collaborate and work anywhere, anytime. Windows XP Professional and Office XP are powerful business
tools that allow users to operate more productively through mobility and collaboration.
For More Information

Business Value of Microsoft Solutions

Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet
Authentication Service

IEEE 802.1X Authentication for Wireless Connections

Microsoft 802.1X Authentication Client

Microsoft Leads in Securing Wireless Networks

Microsoft Wireless LAN Deployment and Best Practices

Microsoft's Wi-Fi Web Site

PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access

RADIUS Protocol Security and Best Practices

Windows 2000 Security Services

Windows XP Wireless Deployment Technology and Component Overview

Wireless 802.11 Security with Windows XP

Wireless Network Security with IEEE 802.1X

The Windows XP Wireless Zero Configuration Service
Glossary

CDMA. The U.S. military first used Code Division Multiple Access (CDMA) technology during World
War II. CDMA encodes radio signals by using a random sequence to define a channel and convert
speech into digital signals. It reportedly is more reliable, saves battery life, and is more secure than
other wireless transmission technologies. QUALCOMM provided the hardware for the military
during WW II and is now applying for patents on the technology that was made public after the war.

GPRS. General Packet Radio Service (GPRS) offers high-speed Internet service over a Global
System for Mobile Communication (GSM) network. This process sends packets in bursts so that
the user experience is instant connectivity, faster data transmission, and faster response time for
roaming users. It’s easy to set up and easy to install.

GSM. GSM was introduced in 1991 and came into service sometime in 1997. This packet
technology provides high-speed wireless access over a GSM network for access by mobile devices
and allows eight simultaneous calls per radio frequency. GSM is available in more than 100
countries, and the default service is available in Europe, Asia, and Australia. GSM is also available
in the Americas at the 1900 MHz frequency.

IEEE 802.11. The IEEE 802.11 protocol is a standard in the wireless industry. It defines a physical
layer and a sublayer that manages media access control (MAC). This protocol specifies two
authentication methods. Open Systems authentication allows free access to the network, and
Shared Key authentication provides security through a prearranged signature. For more information
about Open System and Shared Key authentication, see 802.11 Authentication and Configuring
Wireless Network Clients.

IEEE 802.11b (Wi-Fi). The IEEE 802.11b protocol enhances and standardizes the physical layer so
that it can support higher bit rates, which allows wireless networking at higher speeds. This protocol
supports bit rates of 5.5 Mbps and 11 Mbps.

IEEE 802.1X. The 802.1X standard defines port-based, network access control used to provide
authenticated network access for Ethernet (wired) and wireless networks. 802.1X support is
included with Windows XP Professional. 802.1X support for Windows 2000, Windows Millennium
Edition, Windows 98, and Windows NT 4.0 Workstation is available with Microsoft 802.1X
Authentication Client.

IETF. Internet Engineering Task Force (IETF) is an open organization designed to promote
communication among network developers, architects, designers, and basically anyone with an
interest in promoting well-designed Internet applications and efficient development for Internet tools
and applications.

ITU. International Telecommunication Union (ITU) is located in Geneva, Switzerland, and works
with the United Nations to establish standards for global telecommunication networks and services.
Its purpose is to act as a free international agent to work with governments to establish telephony
and wireless standards worldwide.

TDMA. Time Division Multiple Access (TDMA) technology is used to transmit digital packets from a
cell phone to a base station AP. TDMA works by breaking transmissions into smaller chunks and
then stacking them into shorter time units so that more calls can be sent simultaneously. GSM is
using TDMA to provide the eight calls per frequency as mentioned under “GSM” above.

Wi-Fi Alliance. The Wi-Fi Alliance is a nonprofit international association formed in 1999 to certify
the interoperability of WLAN products based on the IEEE 802.11 specification. The goal of the Wi-Fi
Alliance's members is to enhance the user experience through product interoperability.
Microsoft's Wi-Fi site (Wi-Fi) contains links to a series of technical articles.

WLAN. Wireless local area networks (WLANs) provide wireless network access in a corporate
environment. With roaming wireless connections, users can move from building to building and
from room to room without disruption of service. Two types of WLANs are available: infrastructure
and ad hoc networks. An infrastructure network connects individual PCs (known as stations) to a
wired network via a wireless AP. Ad hoc networks allow individual users to form a temporary
wireless network for sharing and collaborating without the need for a wireless AP.

WPAN. Wireless personal area networks (WPANs) are designed to provide an individual with
wireless connectivity within a personal space. This space surrounds the user up to 10 meters
(approximately 30 feet) and provides an ad hoc wireless connection. Typically used for cell phones,
laptops, or PDAs, this ad hoc network uses either infrared technology to "squirt" data to another
device within 1 meter (3 feet) or takes advantage of Bluetooth technology.

WWAN. Wireless wide area networks (WWANs) are designed to establish wireless connections
over a large geographic area. Because of the size of the areas over which a WWAN must transmit, WWAN
technologies transfer data by using satellites or multiple antenna sites that wireless service
providers maintain. Although wireless manufacturers and developers are working toward a wireless
world standard, there isn't one today. GSM is widely predominant throughout the world; however,
CDMA and its 1xRTT standard are also available.