First Edition (February 2005)
This edition applies to Version 5.1 of WebSphere Everyplace Connection Manager, Version 3.53 of IBM
Access Connections, Version 8.2 of DB2 Express, Version 3.3.1 of Cisco Secure Access Control Server.
This document created or updated on October 20, 2005.
© Copyright International Business Machines Corporation 2005. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents
3.3.2 Describe functional and non-functional requirements for a new solution (p. 16)
3.3.3 Create use cases to eventually design appropriate system architecture (p. 18)
3.3.4 Choose appropriate technology and runtime of the solution (p. 20)
3.3.6 Create operational model as the base for the deployment of the solution (p. 25)
3.4.1 Wireless infrastructure security on device and data contained within (p. 26)
4.1.10 Configure LEAP authentication with Cisco ACS and 1131 AP (p. 51)
4.1.12 Configuring MS-PEAP authentication with Cisco ACS and 1131 AP (p. 74)
4.1.13 Configuring wireless clients for MS-PEAP authentication (p. 96)
4.2.8 WebSphere Everyplace Connection Manager V5.1 installation (p. 145)
4.2.14 WebSphere Everyplace Connection Manager V5.1 mobility client (p. 169)
Chapter 5. Components, product details, and supporting material (p. 179)
5.1.2 Cisco Aironet 1130AG Series IEEE 802.11A/B/G Access Point (p. 180)
Eserver xSeries 226 (p. 187)
5.5 IBM WebSphere Everyplace Connection Manager (WECM) (p. 188)
5.5.1 WebSphere Everyplace Connection Manager Starter Edition V5.1 (p. 189)
Appendix A. Deploying Access Connections (p. 191)
Appendix B. The IBM Embedded Security Subsystem (p. 201)
and Personal Computing Division contact information (p. 208)
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Chipkill™
DB2®
e-business on demand™
Eserver®
Everyplace®
ibm.com®
IBM®
ImageUltra™
Infoprint®
Lotus Notes®
Lotus®
Notes®
Perform™
Redbooks (logo)™
Redbooks™
Rescue and Recovery™
SecureWay®
THINK®
ThinkCentre™
ThinkPad®
ThinkVantage™
Tivoli®
UltraConnect™
WebSphere®
xSeries®
The following terms are trademarks of other companies:
Aironet, Cisco IOS, and Cisco Systems, are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Wireless local area networks (LAN) connectivity within a small or medium enterprise intranet is becoming affordable and, in many cases, a necessity for businesses of any size.
Additionally, access to enterprise intranet applications from home, hotel, and wireless “hot spots” is a requirement for mobile employees.
However, small and medium businesses (SMBs) span companies of all sizes and industries.
Therefore, finding a wireless LAN with a mobile connectivity support solution that fits all the requirements is practically impossible.
This Redpaper discusses planning and architecture considerations for SMBs looking at installing wireless LANs within their enterprise and mobile connectivity from the Internet. In addition, this Redpaper includes a detailed, step-by-step scenario of installing a wireless LAN and support for mobile connectivity in a very basic environment.
The intention is that these simple steps can be expanded on and modified as required to meet the installation requirements for whatever solution is arrived at for a specific customer environment.
This Redpaper was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center.
Byron Braswell is a Networking Professional at the International Technical Support Organization, Raleigh Center. He received a B.S. degree in Physics and an M.S. degree in Computer Sciences from Texas A&M University. He writes extensively in the areas of networking and host integration software. Before joining the ITSO four years ago, Byron worked in IBM Learning Services Development in networking education development.
Joe Earhart is a Systems Engineer based in Research Triangle Park (RTP), North Carolina. He has 25 years of experience in the telecommunications field and has worked at Cisco Systems for the past four years. His areas of expertise include TCP/IP, routing, switching, wireless and storage area networking.
Scott Friberg (CCIE #9606) is a Systems Engineer, based in RTP, North Carolina. He has been with Cisco Systems for six years.
Jamel Lynch is a Senior Consultant and IT Architect in the IBM Strategic Consulting Group (SCG). Prior to joining the SCG, he served as a Development Engineer in the Personal Computing Division at RTP, North Carolina, responsible for integrating emerging wireless technology into the IBM brand of ThinkPad systems. Mr. Lynch holds a B.S. degree in Electrical Engineering from the Virginia Military Institute, and an M.S. degree in Electrical Engineering from the Virginia Tech College of Engineering.
Justyna Nowak is a Solution IT Architect in IBM Emerging & Competitive Markets, Global SMB. In this role she designs solution architectures for SMB customers based on emerging technologies. She has over 16 years of experience in IT, including application programming, system and network design, UNIX systems administration and management, as well as technical consulting and design of solution architectures. She has held a variety of international technical and technical marketing positions with concentration on applying IT for medical research and the deployment of complex enterprise application systems integrated with e-business solutions. Justyna holds an M.S. degree in Computer Science from the Technical University of Wroclaw, Poland.
Michaelle Walcutt has 14 years of experience in the computer technologies industry. She is currently a Technical Project Manager for the IBM Personal Computing Division where she has worked for the past 9 years. Her responsibilities include the overall development and project management of several ThinkVantage Technologies including Software Delivery Assistant, System Information Center, Software Delivery Center, and ImageUltra. Prior to working for IBM, Michaelle helped to plan, manage, and execute large migration projects for large enterprise businesses.
Thanks to the following people for their contributions to this project:
Margaret Ticknor
Tamikia Barrow
Linda Robinson
KaTrina Love
International Technical Support Organization, Raleigh Center
Dennis Anderson
Ray Chandler
Edward Dyll
Gregory Eller
Egbert Gracias
Thomas Grimes
Donald Janeway
Peter Lee
Ratan Ray
Michael Wiles
Adam Wong
IBM RTP
Join us for a two-to-six week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will team with IBM technical professionals, Business Partners, and clients.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs and increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html
Your comments are important to us!
We want our papers to be as helpful as possible. Send us your comments about this Redpaper or other Redbooks in one of the following ways:
Use the online Contact us review redbook form found at: ibm.com/redbooks
Send your comments in an e-mail to: redbook@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 662
P.O. Box 12195
Research Triangle Park, NC 27709-2195
Please note this document is intended to be used by qualified technicians having completed training in the IBM Secure Wireless Networking Solution for Cisco Systems course (TZI31) or having completed both the Implementing IBM Client Security course (TXI20) and the WebSphere Everyplace Connections Manager courses. Course enrollment information can be found at the following Web sites:
https://www.pc.ibm.com/training/pcd-thinkvantage-technology.html
http://www.pc.ibm.com/training/index-bp.html
http://knactest.lotus.com:8000/swg/EnableNow.nsf/doc/MMUY-629NPC
Chapter 1. Introduction
The need for information does not stop when you move from office to conference room, office to home, or office to airport. Wireless technology gives you the power of information— wherever you are. This chapter discusses the standards, security, and components of wireless technology. It also provides a scope of this Redpaper and discusses the importance of wireless technology to IBM.
Wireless communication solutions that provide logical presence through physical roaming, or the ability to stay in touch on one’s own terms, are in great demand. Today, these requirements are requested by mobile professionals and other workers who want to download e-mail, update their calendars, send or receive a fax, check inventory, place an order, record route status, call a client, or talk to a peer—in short a virtual office anywhere, anytime.
The 802.11 standard, specified by the Institute of Electrical and Electronics Engineers (IEEE), defines wireless Ethernet, or wireless LAN (WLAN). Solutions employing 802.11a, b, and g are designed to replace or complement wired LANs with wireless technology, eliminating cable runs and the associated networking hardware.
High-frequency WLANs, commonly called Wi-Fi, are specified in the 802.11a, b, and g standards (new standards and speeds are continually emerging). This technology is popular for business as well as for home networks. Wi-Fi operating in the 2.4 GHz range (802.11b and g) and 5 GHz range (802.11a) offer data speeds up to 54 megabits per second.
The small-business and home-office market are the primary drivers behind Wi-Fi device adoption. Since 802.11 equipment prices dropped below the cost of installing Ethernet cable runs and the associated Ethernet hardware, many business users choose Wi-Fi-based networks.
With wireless communication, an intruder does not need physical access to the traditional wired network in order to gain access to data communications. To protect against any potential security issues, 802.11 wireless communications can employ data encryption techniques and authentication algorithms. These provide privacy comparable to that of a traditional wired network.
A WLAN consists of two main components:
An access point that receives the wireless signal and relays it onto the wired LAN
A wireless LAN-enabled client such as a mobile computer
Encryption and authentication are optional, and wireless access points are typically shipped with both turned off. We recommend throughout this document that encryption and authentication be mandatory for any wireless implementation. You will need to check your wireless network security very frequently as employees often add new wireless devices, which may become easy access points for hackers.
Wireless technology is important to IBM because it makes virtualization and integration of e-business resources much easier to achieve. Virtualization—one of the four pillars of the IBM e-business on demand initiative—gives you computing power when and where you need it, such as with virtualized networks. For example, Grid technologies let you share and manage collections of resources as though they were a large, virtualized computer—wireless provides the “anywhere, anytime” access to this powerful system.
Integration, another of the pillars, is the heart of e-business on demand. Horizontal integration lets you connect to data, legacy systems, and custom business applications inside and outside your business, delivering such benefits as real-time transaction processing, data mining, and decision-support systems. Wireless data-translation protocols allow disparate devices to effectively use the information from all sources.
The marriage of wireless communications and mobile computing will transform the way we do business. The convergence of hardware, software, communications, and wireless technologies will ensure that information and services are available to computer users at all times, in all places. Many different wireless communication technologies currently support hundreds of services. Cellular and cordless phones, pagers, portable computers, mobile radio units, and vehicle tracking units all use a wide range of protocols and transport options.
Personal Digital Assistants (PDAs) combine separate voice and data functions in compact portable packages.
The communications technologies provide a choice of communications methods with several wired and wireless options available in a single device, automatically selected for the most appropriate method according to the kind of information transfer required, the physical location of the device, and the needs of the user.
In this document, we focus on implementing secure wireless communications between ThinkPad computers and enterprise applications running on the corporate intranet. We discuss planning and architecture considerations for SMBs who are looking at installing wireless LANs within their enterprise and mobile connectivity from the Internet. In addition, a detailed, step-by-step scenario of installing a wireless LAN and support for mobile connectivity in a very basic environment is covered. The use cases documented are intended to support installations of up to 250 clients. Installations with more than 250 clients will most likely need different switches and will potentially require bridged networks. Bridged networks are beyond the scope of this document.
To ensure reliability and delivery consistency, Business Partners must meet a set of qualification criteria to be listed by IBM and Cisco as a recommended reseller for this solution.
Qualified Partners receive sales leads from IBM and Cisco, and enjoy access to a deployment guide, training courses, and marketing collateral.
To become a qualified Business Partner you must meet the following qualification criteria:
Be an authorized IBM and Cisco reseller for all solution elements (PCD, SWG, xSeries, PSD, Cisco)
Be a Cisco Certified Partner. You can find certification requirement information at the following Web address: http://www.cisco.com/en/US/partners/index.html
Be a Cisco Wireless LAN Design Specialist. You can find certification requirement information at the following Web address: http://www.cisco.com/en/US/partner/learning/le3/le2/le41/le86/learning_certification_type_home.htm
Have at least one technical representative complete either of the following courses:
– Implementing and Securing a Wireless LAN, TXI21 http://www.pc.ibm.com/training/txi21.html
– Implementing IBM Client Security, TXI20 http://www.pc.ibm.com/training/txi20.html
Have at least one technical representative complete the WebSphere Everyplace Connection Manager workshop available at the following Web address: https://www.developer.ibm.com/spc/events/ws_econnection.html
Have at least one sales representative complete the following course:
– How to Sell the IBM Secure Wireless Solution for Cisco Systems (Course # SSW25)
Visit the following Web address for enrollment information http://www.pc.ibm.com/training/course_catalog_sales.html
To enroll in the program, contact your IBM Channel sales specialist.
Additional information is available at the IBM “Wireless e-business University”. Business Partners can get to it through Partnerworld:
1. Sign in to Partnerworld with your user ID and password.
2. Select training and certifications.
3. Select training resources.
4. Select technical training.
5. Select Wireless e-business university.
http://www.ibmweblectureservices.ihost.com/services/weblectures/dlv/Gate.wss?handler=Login&action=index&customer=ibm&offering=pvcu&sequence=1
Chapter 2. Target client market
This chapter discusses some of the requirements that a small to medium business (SMB) needs for wireless networking and provides proposed solutions.
Small and medium businesses value wireless mobility but are concerned with network security and implementation issues:
Difficult to design secure wireless network
Complexity with seemingly endless choices available
Limited IT resources
New skill requirements
Time consuming to implement
Unneeded business interruption
Support issues
Customers interested in wireless networking want the following:
A highly secure wireless infrastructure
Improved productivity and ease of use
Cost effectiveness
Investment protection
Turnkey implementation services
Further discussion of wireless LAN considerations for SMB customers can be found at: http://www.ibm.com/businesscenter/smb/us/en/wireless
IBM and Cisco created the IBM Secure Wireless Networking Solution for Cisco Systems®, and recommend it to small and medium businesses that want a secure wireless LAN with remote access. The solution is part of the IBM Express portfolio and leverages familiar components into a single secure wireless networking solution, tested for end-to-end compatibility.
Delivered with minimal business interruption by qualified Business Partners, the IBM Secure Wireless Networking Solution for Cisco Systems takes the complexity out of the seemingly endless wireless choices and provides enterprise-class security and wireless access at an affordable price.
Users benefit from improved mobility, productivity, and secure wireless access both in and out of the office. The unique integration of IBM ThinkVantage Technologies (Embedded Security Subsystem and Access Connections), Cisco Access Control Software, and IBM WebSphere Everyplace Connection Manager provides ease of use and deployment, helps maximize security, and allows for seamless roaming between existing networks.
The IBM Secure Wireless Networking Solution for Cisco Systems provides a secure wireless foundation that allows companies to start simple and grow by adding other wireless applications and pervasive devices.
This solution brings together the following tested hardware and software from IBM and Cisco and IBM business partner implementation and support services:
IBM ThinkPad Notebooks (Express Models including Integrated Wireless and the Embedded Security Subsystem)
IBM xSeries Servers (Express Models)
Cisco Aironet® Access Points
Cisco Access Control Server software
IBM WebSphere Everyplace Connection Manager (WECM)
IBM InfoPrint Wireless Printers
Business Partner implementation and support services
The following sample site survey reviews planning considerations for you to keep in mind when contemplating adding wireless and mobile access to a wired LAN.
To adequately design and install the network components that comprise the Secure Wireless Solution, carefully consider and provide for the additional physical network components such as servers, access points, router, switch, firewall, etc. that may be added to the existing environment. Each Wireless Access Point and server requires additional power and Ethernet connections. The key to any successful network design is to not only consider what is currently installed, and what you are about to install for the Secure Wireless Solution, but also consider what you will install in the future. Following is a list of items for you to consider when adding Secure Wireless LAN Solution components to your existing environment.
1. Wireless Access Point - The Cisco AP-1130AG requires an Ethernet connection to an Ethernet switch. There are two options to power the Access Point (AP):
– First there is a local power adapter “brick” that converts 110VAC to DC power. Assuming that the AP is placed overhead, you need to provide for an AC outlet near each AP location.
– A more convenient approach is to use the Cisco 2800 series Integrated Services Router (ISR), which has an Ethernet switch supporting IEEE 802.3af Power over Ethernet (PoE). PoE allows the switch to be centrally located in a closet or secure area, and the Ethernet cable delivers DC voltage to power the AP. This eliminates the need to install AC outlets and affords some flexibility if the AP needs to be moved to new locations.
2. Cisco 2800 series Router/Switch ISR - This device is used to integrate the wired components into the existing network. The ISR is used not only for the physical Ethernet connections but can be configured to implement higher level IP services such as DHCP, Routing, Filtering, and Firewall as required. Carefully consider how many Ethernet connections will be added to the network, such as Cisco Access Points and the Cisco Secure ACS Server along with the IBM WECM server.
3. Consider how you will connect the new wireless network to the existing wired network. Are there adequate ports available in the current network switches? Typically the distance limitation between the Ethernet switch and end device is 100M. If an AP needs to be positioned beyond this limit an intermediate switch might be required.
4. To support IEEE 802.3af Power over Ethernet, verify that the installed Ethernet cable is at least Cat5 or better. For more info on PoE technology visit the following Web site: http://www.cisco.com/en/US/netsol/ns340/ns394/ns147/ns412/networking_solutions_white_paper09186a008026641c.shtml
5. Determine if you will add the new wireless network to the existing IP network address space. Is the DHCP scope adequate? If you plan to use a new network, you will need a router to translate and interconnect traffic. Do you have access to your local router to add or modify new or existing networks?
6. Find out if a firewall is being utilized currently. Will a DMZ be utilized for WECM connections? Can the Firewall be configured for this function?
Typically radio waves do not travel the same distance in all directions. Physical objects such as walls, doors, furniture, elevator shafts, and people, cause Radio Frequency (RF) patterns and ultimately coverage to be irregular and unpredictable.
The goal of an RF site survey is to gather adequate information to determine the number and placement of access points that will provide adequate coverage throughout the facility.
Consider possible “interference” that can come from outside sources as this affects the overall quality of the Wireless LAN (WLAN) operation.
Many factors can affect the requirements and complexity of a site survey. For instance, to cover a two-room office facility in a wood frame building, a site survey might not even be necessary. Compare this to a 2+ story metal frame structure that houses heavy machinery. These and other large facilities, like hospitals, warehouses or busy RF areas, may require detailed surveys to adequately plan a complete RF coverage model.
Following is a list of general items to consider and steps to follow when deploying a wireless LAN. This list is just a guideline and may not be all inclusive to your individual environment or specific facilities.
What are the applications and bandwidth requirement per user now and in the future?
What is the density of WLAN users in any given coverage area? Make sure you consider meeting rooms, public areas, cafeterias and auditoriums.
What future applications are being considered?
Aesthetics?
What are the local regulations?
– Plenum spaces
– HVAC restricted areas
Are there any issues with regulations governing use of 802.11? Although 802.11 uses unlicensed RF spectrum there may be some special regulations in medical and airport environments.
Is there any facility construction type (metal, wood) interference with the RF signal?
– Multiple floors
– Numerous rooms
– Sensitive equipment
– Hospital equipment should be built to a standard to avoid RF interference
– Physical Security
• Mounting and low-down
• Place above ceiling and out of sight whenever possible
– Is there potential interference? Other nearby 2.4 and 5 GHz systems in place?
What is the frequency of use? (Plan for Peak Use)
– Meeting/Conference areas
– Public use
– Inventory (monthly/quarterly) peaks
Antennas and access points should be hidden to avoid damage and theft.
What is the current capability, performance, and health of the wired network today? What changes and additions are planned that might cause performance concerns?
The following specialty devices can cause interference:
– Telemetry equipment
– Industrial Equipment
– Microwave Ovens
Consider these general steps when conducting an RF site survey. Figure 2-1 on page 10 and Figure 2-2 on page 10 illustrate some of these suggestions.
1. Use a facility blueprint (floor plan). A floor plan will show locations of walls, stairwells, elevators, walkways, and any special building considerations. You can then use the blueprint to document placement of the Access Points and any cabling or power configurations.
2. Visually walk the facility. Be sure to visually inspect the facility before proceeding with any tests. Make note of any potential problem areas that might affect the RF signal and that are not shown on the blueprint, for example metal enclosures, racks, and equipment.
3. Identify wireless user areas. Mark the areas where mobile users are likely to work, such as meeting rooms, cafes, and auditoriums. Likewise, analyze where users will not be in order to limit placement of WAPs.
4. Note the approximate location of access points. Based on your previous assumptions, note the approximate locations of WAPs. You can overlap channels with adjacent WAPs but make sure you document and plan the channel overlay. Note the possible mounting locations for the APs. Be mindful of physical security, power outlets if not using PoE, cable routing, and distance limitations.
5. Verify the actual location of the WAPs. Use a signal strength, data rate, and signal quality tool to verify that the approximate locations noted in the previous step meet the signal requirements. Validate the design using the same or similar wireless systems and antennas that end users will implement. Document the readings and re-test. Re-validate this at different times of the day and days of the week. If you test over a weekend you may be surprised to learn that the office next door has machinery that only operates during the week. In the event of unexplained poor signal quality, use a spectrum analyzer to determine if interference is affecting survey tests.
Figure 2-1 Example indoor range comparisons (figure content):
2.4 GHz/100 mW: 11 Mbps at 130 ft; 5.5 Mbps at 180 ft; 2 Mbps at 250 ft; 1 Mbps at 350 ft
5 GHz/40 mW (radius): 54 Mbps at 40–60 ft; 48 Mbps at 70–90 ft; 36 Mbps at 90–110 ft; 24 Mbps at 110–125 ft; 18 Mbps at 125–135 ft; 12 Mbps at 135–150 ft; 9 Mbps at 150–165 ft; 6 Mbps at 165–300 ft
Antennas: Omni 2.2 dBi 2.4 GHz and Omni 5 dBi 5 GHz AP antennas; Omni 0 dBi 2.4 GHz client and Patch 5 dBi 5 GHz client
Distances vary greatly because of building layouts
Figure 2-2 Evaluate possible problem areas (figure labels: File/Supply Room with large filing or metal cabinets; Elevator shafts; Test lab; Break Room with microwave ovens; Stairwells (reinforced building area))
Figure 2-3 on page 11 and Figure 2-4 on page 11 illustrate starting a site survey from the outside edge looking into the building. The following steps tell you how to create the site survey shown in the figures.
1. Place an Access Point at point A.
2. Measure the maximum range (inside the building) using the mobile computer radio strength monitor.
3. Move the Access Point to the center of that arc (point B).
4. Continue with the other 4 corners.
5. Complete the center areas.
Figure 2-3 Site survey from the outside looking in - 1 (figure labels: points A and B)
Figure 2-4 Site survey from the outside looking in - 2 (figure labels: CH 1, CH 6, CH 11)
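Step 4 of the survey allows adjacent WAPs to overlap channels as long as the overlay is planned and documented, and Figure 2-4 shows the outcome with channels 1, 6, and 11. The following is an added example, not code from the original document: it assigns the three non-overlapping 2.4 GHz channels to a set of access points so that APs whose coverage overlaps avoid sharing a channel wherever possible, and it reports every overlap that cannot be avoided so it can be documented. The AP names, coordinates and the coverage radius are constructed sample values, not survey data from the document.

```python
"""Channel overlay planning for 2.4 GHz access points.

Added example, not from the original document. Assigns channels 1, 6 and 11
to APs whose coverage circles overlap, most-constrained AP first, and lists
the co-channel overlaps that remain so the survey can document them.
"""
import math
from itertools import combinations

NON_OVERLAPPING_2_4GHZ = (1, 6, 11)

# Constructed sample layout, in feet: four corners plus a centre AP, as in the
# "outside looking in" procedure of Figures 2-3 and 2-4.
CORNERS_AND_CENTER = {
    "A": (0, 0), "B": (100, 0), "C": (0, 100), "D": (100, 100), "center": (50, 50),
}
# Constructed dense layout: four APs so close together that one overlap is
# unavoidable with only three clean channels.
DENSE_CLUSTER = {"P": (0, 0), "Q": (20, 0), "R": (0, 20), "S": (20, 20)}


def overlapping_pairs(aps, radius_ft):
    """Pairs of APs whose coverage circles overlap.

    aps maps name -> (x_ft, y_ft). Two APs overlap when their distance is less
    than twice the assumed coverage radius (a figure the survey readings give).
    """
    pairs = set()
    for (a, pa), (b, pb) in combinations(sorted(aps.items()), 2):
        if math.dist(pa, pb) < 2 * radius_ft:
            pairs.add(frozenset((a, b)))
    return pairs


def plan_channels(aps, radius_ft, channels=NON_OVERLAPPING_2_4GHZ):
    """Greedy channel assignment, most-constrained AP first.

    Returns (plan, conflicts): plan maps AP name -> channel; conflicts lists
    (ap, neighbour, channel) for every overlapping pair forced onto the same
    channel because all channels were already taken by the AP's neighbours.
    """
    neighbours = {name: set() for name in aps}
    for pair in overlapping_pairs(aps, radius_ft):
        a, b = tuple(pair)
        neighbours[a].add(b)
        neighbours[b].add(a)

    # APs with the most overlapping neighbours are hardest to place: do them first.
    order = sorted(aps, key=lambda name: (-len(neighbours[name]), name))
    plan, conflicts = {}, []
    for ap in order:
        used = {plan[n] for n in neighbours[ap] if n in plan}
        free = [ch for ch in channels if ch not in used]
        if free:
            plan[ap] = free[0]
            continue
        # No clean channel left: take the one shared with the fewest
        # neighbours, and record each resulting co-channel overlap.
        def co_channel_count(ch):
            return sum(1 for n in neighbours[ap] if plan.get(n) == ch)
        plan[ap] = min(channels, key=lambda ch: (co_channel_count(ch), ch))
        conflicts.extend(
            (ap, n, plan[ap]) for n in sorted(neighbours[ap]) if plan.get(n) == plan[ap]
        )
    return plan, conflicts


if __name__ == "__main__":
    for label, layout in (("corners and center", CORNERS_AND_CENTER),
                          ("dense cluster", DENSE_CLUSTER)):
        plan, conflicts = plan_channels(layout, radius_ft=40)
        print(label, plan)
        for ap, neighbour, ch in conflicts:
            print(f"  documented overlap: {ap} and {neighbour} both on channel {ch}")
```

With a 40 ft coverage radius the centre AP overlaps all four corners but the corners do not overlap each other, so the centre takes channel 1 and every corner can share channel 6; in the dense cluster the fourth AP has no clean channel and the planner reports the single overlap it had to accept.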
Chapter 3. Details of architecture
This chapter describes the client profile to which our wireless solution applies. We step through an example architectural design process to determine software and hardware requirements for the solution. Additionally, we provide a brief review of network protocols and standards, which you can use to help determine the level of wireless security to implement.
Our goal is to provide guidance on how to build a secure wireless LAN for a small and medium sized business (SMB) client, and how to later extend access to company network resources for mobile employees.
Keeping in mind that each client’s situation is unique, we nevertheless believe that with our design, we can address the majority of common requirements of medium size SMB customers.
We assumed the following generic profile for an SMB client:
100 - 999 employees
Up to 25% mobile employees
Ethernet wired LAN exists in some parts of the company with access to the Internet
Company maintains its own wired LAN (or network outsourced to an ISP)
Limited IT budget
Limited IT staff and skills
IT services typically acquired from a local IT services company
Figure 3-1 illustrates the context for our project.
Figure 3-1 Secure wireless LAN and mobile access context diagram
This project implements secure wireless mobility for an SMB company in a medium sized market (100-999 employees) in two phases:
Phase I: In-building wireless LAN
Secure access to the company's internal network and its resources for employees with wireless client devices within the premises of the company building.[1]
Phase II: Mobile access to wireless LAN
Secure access to company's internal network and its resources for employees with wireless client ThinkPads from anywhere outside of the company:
– From home
– From public hot spots
– Through the WAN
We follow a simple methodology to arrive at a suitable solution for the client.
1. Identify the client's needs and wants by analyzing their business initiatives and existing environments. For more details, see 3.3.1, “Identify client's need and wants” on page 15.
2. Based on client needs and wants and any constraints, describe functional and
3. Based on functional requirements, create use cases to eventually design appropriate
4. Based on functional and non-functional requirements, choose appropriate technology and
5. Perform product mapping. For more details, see 3.3.5, “Perform product mapping” on page 22.
6. Create an operational model as the base for the deployment of the solution. For more
7. Describe details of the deployment and configurations.
The first step in building a system that addresses customers' needs is to understand the business initiatives that the new system must support, as well as their existing IT environment.
We will build our system using the analysis of a “sample SMB client” as an example.
1. Cost efficiently extend the company network to new departments.
2. Enable company employees seamless mobile access to business applications and internal network resources.
[1] For wireless LANs between buildings, refer to the documentation at http://www.cisco.com
Chapter 3. Details of architecture 15
Wired Ethernet LAN exists with access to the Internet (most likely via a local ISP service).
Internal and external networks are separated by security architecture (firewalls).
There are no wireless networks yet.
All applications and resources have basic security services such as Identification and Authentication, Authorization, Privacy, and Confidentiality.
Microsoft Active Directory is in use.
Windows 2000 Server or Windows 2003 Server Enterprise Edition is used for the domain controller.
The wireless LAN, and later mobile access, must integrate into the existing security policy and provide the same or stronger security characteristics.
The client has a growing population of mobile employees but no mobile access to company resources enabled yet.
Mobile employees are not a homogeneous group of users and may need to access different applications.
Initially the only mobile device they will use is a mobile computer, but this may need to extend to PDAs or other handheld devices.
This typically describes the application architecture, the programming model, communication protocols, application security, and the target device for each of the applications. As this will vary from client-to-client we assume that access to the existing applications and network resources remains unchanged both from wireless LAN as well as through the extension to the remote mobile access.
Analysis of the client business initiatives and other pertinent information—such as discussions about client needs and wants, their budget and current way of doing business, as well as understanding their IT environment—serves as an input to documenting functional and non-functional requirements for the new system.
The functional requirements are typically gathered from the client’s wants and needs. They address functionality of the new system and provide direct input for the use case model. They simply describe WHAT the system will do.
In our case we focus on two major functional requirements that limit the scope to wireless network design and mobile access to the network without specifics of accessing any of the back-end applications. Thus, the method of accessing applications will remain unchanged.
Functional requirements for wireless LAN and mobile access:
Secure, authorized in-building access to the existing company Ethernet LAN resources and applications from wireless client devices for all employees.
Enable remote access to the company's network resources while assuring “application persistence” (the connection to the application does not drop when the physical network is not available) from wireless clients anywhere outside of company premises.
Non-functional requirements address functions that influence the underlying system architecture. They describe the HOW of the system.[2]
We will build an in-building wireless LAN and later enable remote access to the company's intranet, keeping the following non-functional requirements in mind.
Table 3-1 Non-functional requirements
Availability
Definition of the requirement: High Availability minimizes the risk of an outage and increases the availability of network and mobile access systems. Depending on the client situation, a system outage can be costly.
Client situation: No 7 x 24 availability is critical yet, but it is anticipated to become a requirement as the business grows and more employees depend on wireless network and remote connectivity for their jobs.
Performance
Definition of the requirement: Performance influences user experience and can impact usability of the entire system. Some factors to watch for are required data throughputs, number of users, and system loads.
Client situation: It is expected that the end user will not experience any significant performance degradation while accessing the system through wireless LAN or remotely as compared with access from the wired LAN. The client does not have a requirement for unusually high data throughput applications. The client understands the impact of wireless communication on system performance (shared bandwidth, remote access communication link limitations, and so on).
Extensibility/Flexibility
Definition of the requirement: Extensibility/Flexibility is the ability to extend the mobile access system with new services. New emerging technologies and business requirements demand a maximum of flexibility.
Client situation: Currently only notebook PCs are used as mobile clients; however, the client plans to implement other pervasive devices in the near future.
Maintainability
Definition of the requirement: The ease of maintaining a critical system, such as a mobile access service, is important. Good maintainability is a key factor for a robust system.
Client situation: Limited IT staff and skills require that the solution is easy to administer and easy to maintain.
Scalability
Definition of the requirement: Since business goals and user needs will change over time, scalability addresses the ability to react in order to reduce cost and effort.
Client situation: The client's plans are to grow the business in a short time and expand the number of their mobile workforce. The need to expand the wireless LAN is likely.
Security
Definition of the requirement: In order to provide secure access to mobile devices, the mobile access system itself must be secure. A secure operating system and secure network access to the mobile access service are essential.
Client situation: The main issue for the client is to prevent unauthorized access to the company's network and assure secure data transfer over wireless network connections. Because a mobile access service will bridge an outside network to the internal network, security is an essential requirement. The mobile access service itself must run in a secure environment and be able to adopt the company security standard.
[2] Non-functional requirements for mobile access are described in the IBM redbook IBM WebSphere Pervasive Access Patterns, SG24-6315, chapter 15.
Additionally, while designing a wireless LAN, the physical location of the network components is imperative and must be planned based on a detailed survey of the client building. Data collected during the site survey will complement the already available client analysis, in particular non-functional requirements and constraints, and will directly impact the wireless LAN design. As site survey results will vary from client to client, refer to 2.2.1, “Site survey” on page 7 for details on performing a site survey.
Use cases describe functional requirements of the system. They are used as inputs for the system design and describe the potential uses of the solution delivered to the client. It is a good practice to use them as the final solution test to see if the system performs as required.
Such tests can be used to demonstrate the final solution to the client at the end of the project and be treated as an acceptance case.
Table 3-2, Table 3-3, and Table 3-4 on page 19 contain examples of use cases.
Table 3-2 Use case - example 1
Use case name: Start using business application via wireless LAN while in the office
Business event: User starts his working day, turns on the computer, and starts using the applications.
Actor(s): User
Use case association: Authentication use case
Preconditions: All network configurations (client and server side), encryption keys, and authentication credentials installed and configured prior to login to the application.
Termination outcomes:
1. Application access successful
– Notebook functional
– Wireless LAN available
– Authentication successful
2. Application access failed
– Problems with notebook
– Wireless LAN not available
– Authentication was not successful
Use case description (flow of events):
1. User turns on the notebook.
2. Notebook associates with Access Point.
3. Authentication credentials are exchanged between the user notebook and the Remote Authentication Dial-In User Service (RADIUS) server.
4. Authentication completed successfully.
5. Login page for user application displayed.
Table 3-3 Use case - example 2
Use case name: User resumes working from home wireless LAN
Business event: After arriving at home, user resumes working with the same application as in the office.
Actor(s): User
Use case association: Authentication use case
Preconditions:
– WECM installed and configured to accept IP from outside company firewall
– ACS installed and configured to authenticate ThinkPad and the user
– ThinkPad Access Connection Profile set up to establish connection with the wireless network at home
– Wireless network at home available
Termination outcomes:
1. Application access successful
– Notebook functional
– Internet access available
– Authentication successful
2. Application access failed
– Problems with notebook
– Problems with access from home to the Internet
– If accessing enterprise applications fails, then corporate network could be down
Use case description (flow of events):
1. User turns on the notebook
2. Access Connections connect user to wireless network at home
3. VPN connection established (WECM)
4. Application log in page is displayed
Table 3-4 Use case - example 3
Use case name: User resumes working from a public hot spot
Business event: User leaves home with the notebook and meets with the client in the coffee shop with wireless public Internet access.
Actor(s): User
Use case association: User resumes working from home wireless LAN
Preconditions:
– An active account with public hotspot service provider
– WECM installed and configured to accept IP from outside company firewall
– ACS installed and configured to authenticate ThinkPad and the user
– ThinkPad Access Connection Profile set up to establish connection with the wireless network from hot spot
– After working at home notebook suspended but not turned off
Termination outcomes:
1. Application access successful
– Notebook functional
– Sign on and authenticate to the public hotspot service provider
– Internet access available
– Access to application resumed without the need to re-authenticate and log on again
2. Application access failed
– Problems with notebook
– Problem with authenticating to public hotspot
– Problems with access to the Internet
– Application server could be down
Use case description (flow of events):
1. User “wakes up” the notebook.
2. Access Connections connects user to hot spot.
3. Application becomes alive.
The architectural decision provides documentation that describes underlying decisions that give the system architecture its desired characteristics based on both functional and non-functional requirements and constraints. It provides a basis for appropriate system design and technology choices.
Table 3-5 is an example of architectural decision documents for SMB secure wireless LAN.
Table 3-5 Architectural decision - SMB secure wireless LAN
Subject Area: Wireless LAN Security
Architectural Decision: Security of our Wireless LAN is based on IEEE 802.1x Extensible Authentication Protocol (EAP) Framework recommendations, and will address encryption through WPA TKIP (RC4) (with direction to WPA2 AES when available) and authentication through alternatively CISCO LEAP or MS PEAP protocols. Enhanced security through the on-board ESS card on IBM ThinkPads.
Issue or problem: The main caveat in implementing a relatively cost-effective wireless network is the complex issue of assuring the required level of security. SMB customers require strong security but do not want to deal with complex deployment issues.
Alternatives:
1. Wired Equivalency Privacy (WEP)
2. CISCO proprietary authentication
3. Wi-Fi Alliance authentication protocols
4. Protocols that require digital certificates from a 3rd-party certificate authority
Justification: Authentication protocols were chosen with SMB customers in mind: robust authentication/security combined with ease of implementation/administration and use. CISCO LEAP is the de facto standard in the SMB market and provides an easy transition to CISCO EAP-FAST once fully supported by all components in our network. MS PEAP is a Wi-Fi standard. The MS implementation rather than CISCO PEAP was chosen for ease of implementation (no need to acquire a 3rd-party digital certificate for the RADIUS server) and support for single sign-on capability for Windows OS. WPA TKIP is the standard Wi-Fi encryption currently in use and supported for interoperability by many wireless devices. WPA2 will be included in the future.
Please see 3.4, “Wireless LAN security considerations” on page 25 for more information.
Table 3-6 on page 21 is an example of architectural decision documents for mobile access.
Table 3-6 Mobile access
Subject Area: Enabling Remote Access for Mobile Employees
Architectural Decision: The mobile access service enables mobile and remote workers to access corporate applications and information. The service is provided through WebSphere Everyplace Connection Manager.
Issue or Problem: Need to enable secure access to all company network resources, including applications and data, from any location outside of the company premises. Want to use a ready product to handle the required functionality.
Alternatives:
1. Point-to-Point Connectivity - This alternative connects the mobile client directly and individually to each necessary enterprise system and data source using the protocol best suited for that system.
2. Existing Virtual Private Network (VPN) - This alternative would use an existing VPN used for remote access for PCs and mobile devices.
3. Reverse Proxy - A Reverse Proxy can act as a gateway accessible from the Internet using an existing network link to the Internet.
Justification: Enabling access to the intranet through mobile access services helps avoid inconsistent and unmanageable connectivity and security issues. WECM was tested to provide seamless roaming capabilities while always maintaining the user session for the majority of networks. It acts as a software VPN, providing strong encryption and data compression.
To properly design a wireless LAN, in addition to understanding functional and non-functional requirements, perform a detailed client site survey. Data collected during the site survey complements already available client analysis, in particular non-functional requirements and constraints, and directly impacts the wireless LAN design. Site survey results will vary from client to client, so refer to 2.2.1, “Site survey” on page 7 for a discussion on performing a site survey.
To help with the design and the deployment of e-business solutions, IBM developed the IBM Patterns for e-business.[3] These Patterns are based on the collective experiences of IBM IT architects. Their purpose is to capture and publish e-business artifacts that were used, tested, and proven. The information the patterns capture is assumed to fit most typical scenarios.
We will apply the Patterns for e-business approach to get to a common architecture baseline for enabling connectivity to the company intranet resources.[4]
Typically the first step in using Patterns for e-business is to understand the required functionality of the system and to find the Application pattern that reflects such a scenario. Each Application pattern has a runtime pattern associated with it, which on an abstract level recommends logical nodes of the architecture and their placement in the overall network structure.
We are concerned with enabling secure connectivity to the intranet. This scenario is in fact about how to provide an infrastructure service that comes into consideration with networking and can be applied to any of the Application Patterns that require pervasive and secure connectivity.
[3] To learn more about Patterns for e-business, refer to the IBM redpaper Introduction to Patterns for e-business, REDP-3836.
[4] We consulted the IBM redbook IBM WebSphere Pervasive Access Patterns, SG24-6315 for the connectivity and access part of the pattern architecture. This part of the pattern describes mobile access services which enable mobile devices to connect to the company's existing infrastructure.
Chapter 15 of the IBM Redbook IBM WebSphere Pervasive Access Patterns, SG24-6315, describes the connectivity and access part of the pattern architecture. It consists of mobile access services that enable mobile devices to connect to the enterprise infrastructure. The connectivity and access node accommodates different services specific to a mobile environment. This runtime pattern also depicts the location of the Directory and Security Services node. See Figure 3-2.
Figure 3-2 Runtime pattern for the secure wireless LAN configuration (figure labels: Outside World with User and Client; Demilitarized Zone (DMZ); Internal Network with Directory and Security Services)
The Connectivity and Access for Pervasive Services node is placed in the DMZ. Based on the environment data gathered during client analysis, we know that the client may not have a DMZ. If establishing a DMZ is not an option, we would place Connectivity and Access for Pervasive Services (the WECM server[5]) behind the firewall. Details of the implementation are described in chapter 4 of this Redpaper.
[5] WebSphere Everyplace Connection Manager requires access to directory services and the database for configuration purposes and maintaining user session data.
Figure 3-3 Product mapping for the secure wireless LAN configuration (figure content: User and Client in the Outside World, connected over the Wireless LAN; client software: Windows XP, Access Connections V3.53, WECM V5.1 Client. Demilitarized Zone (DMZ) and Internal Network with Directory and Security Services: Windows 2003 Enterprise Server with MS Active Directory and DHCP, Cisco Secure ACS V3.3.1. WECM V5.1 on SuSE Linux 9.0 with OpenLDAP and DB2 UDB Express V8.2. Company private intranet over Ethernet LAN.)
WECM supports various implementation topologies (single server, clusters, and distributed environments).[6] WECM requires access to directory services and a database for configuration purposes and for maintaining user data. If deployed in a single server configuration in a DMZ, as shown in Figure 3-4, the directory services and database must not contain any sensitive user data (profiles, credentials, and so on). The user information required for authentication and authorization is stored in the directory and security services node behind the domain firewall in the internal network.
Figure 3-4 Connectivity runtime environment for a sample SMB client (figure nodes: Pervasive Client Services; Connectivity and Access for Pervasive Services; Directory and Security Services)
After you make the major architectural decisions, document how the features and functions of the chosen technology components address the desired characteristics of the new system. Table 3-7 on page 24 maps the impact of product components to the non-functional requirements listed in Table 3-1 on page 17.
[6] Refer to the IBM redbook IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049-00 for detailed WECM server planning and implementation.
Table 3-7 Mapping of non-functional requirements to components of our system
Availability
Wireless LAN: All hardware components of the Wireless LAN have high RAS features (CISCO Integrated Switch Router, Access Points, and RADIUS server deployed on an IBM xSeries server). If desired, the RADIUS server could be configured in an HA cluster.
Mobile Access Service: WECM runs on a reliable Linux OS on an IBM xSeries server with high RAS features. If desired, it could be configured in an HA cluster.
Extensibility/Flexibility
Wireless LAN: The current design of the Wireless LAN could be used as a building block for a larger wireless network based on the client's needs to: extend to subsegments; deploy on different floors of the building; bridge to different buildings. The modular architecture of the CISCO Integrated Switch Router provides a base to extend current simple switch capabilities to accommodate more Access Points and expand to provide router functionality. The CISCO ACS RADIUS server has rich functionality to provide authentication for a large number of users and devices.
Mobile Access Service: A comprehensive programming reference and toolkit allows you to extend connection services to practically any wireless mobile device and provides support for seamless roaming through practically any available network.
Maintainability
Wireless LAN: All network components have easy to use administrative interfaces.
Mobile Access Service: The WECM administrative user interface, Gatekeeper, enables you to define and manage wireless resources, register users and devices, and perform other administrative tasks.
Reliability
Wireless LAN: The CISCO ACS server is deployed on a reliable IBM eServer xSeries that features high RAS.
Mobile Access Service: WECM is deployed on a reliable Linux OS and an IBM eServer xSeries that features high RAS.
Scalability
Wireless LAN: Scalability through 1 to 2 processors for the CISCO ACS server. Possibility to add more Access Points. The modular architecture of the CISCO Integrated Switch Router supports scalability.
Mobile Access Service: WECM is deployed on an xSeries server model x226 that can scale from 1 to 2 processors. In addition, WECM supports scalability through clustering.
Security
Wireless LAN: IEEE 802.1x Extensible Authentication Protocol Framework, WPA encryption, LEAP or PEAP authentication, ESS card on notebooks. Standard enforced client security: hardware password, Windows password, etc.
Mobile Access Service: Government's highest security certification (FIPS 140-2 certification); strong encryption; strong authentication.
Performance
Wireless LAN: Use of high throughput 802.11 a/g Access Points (with backward compatibility to 802.11 b) with built-in omnidirectional antennas for improved reliable coverage of the WLAN space.
Mobile Access Service: The following WECM features directly impact performance: compress IP data; increase the effective data rate; eliminate unnecessary protocol headers; optimize the number of messages sent; disconnect-reconnect dynamically to lower connection fees; optimize TCP communications to reduce retransmissions.
An operational model defines the involved computers, networks, and other platforms on which the application will execute and by which it is managed.
An operational model links the conceptual design with the deployment phase of the project.
An operational model serves as a base for walking the client through the sample use cases.
The information explosion and technology revolution are fueling the growth in wireless computing, resulting in employee mobility as the rule. Existing IT infrastructures can now be extended without adding cables, resulting in unprecedented communication paradigms, ultimately increasing a company’s efficiency and productivity. However, adopting wireless technology has some challenges that are not present in wired environments.
In a mobile environment, the following are the key concerns for corporations implementing wireless technology:
Wireless infrastructure security on the device and the data contained in them
Encryption key management
Performance
Unlike a wired LAN, WLANs intentionally propagate data over an area that often exceeds the boundaries physically controlled by an organization. Although no one can guarantee a completely secure wired networking environment that prevents all penetrations at all times, wireless security concerns are heightened because interception of radio signals is trivial to anyone with a Wi-Fi radio, while wired LANs require physical access to hack into the network. This means that anyone using a Wi-Fi radio or equipment in proximity of the WLAN can connect to the network if the network does not employ security mechanisms to prevent them from doing so.
802.11’s built-in security mechanism, the Wired Equivalency Privacy (WEP) protocol, has several serious security flaws. WEP uses a static secret key, shared between an access point and a mobile system, which is at the root of the well documented security vulnerabilities. If the WEP keys are not updated often, an unauthorized person with a sniffing tool, such as AirSnort or WEP crack, can monitor a WLAN for less than a day and decode the encrypted messages. Intruders have ready access to tools that crack WEP keys, thus enabling an attacker to passively monitor and analyze packets of data. They can then use this information to break the WEP key that encrypts the packets. WEP only provides one-way authentication (client to Access Point), which opens up the possibility of man-in-the-middle attacks because the Access Point (AP) is not required to prove who it is. This security vulnerability is addressed in section 3.4.4, “Protocol and Standards” on page 26, where we discuss mutual authentication and dynamic encryption keys in more detail.
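Two of the points above lend themselves to a worked illustration: how quickly a static WEP key runs out of fresh 24-bit IVs (the basis of the "less than a day" figure), and why mutual authentication with per-session keys removes both the keystream reuse and the rogue access point problem. The following is an added example, not code from the original document. The challenge-response protocol in it is a deliberately simplified toy, not LEAP, PEAP or any real EAP method; the HMAC-based keystream is a stand-in for RC4 that keeps only the property under discussion (keystream is a fixed function of key and IV); and all credentials are constructed sample values.

```python
"""Static WEP keys versus mutual authentication with dynamic keys.

Added example, not from the original document. Illustrative toy protocol,
not LEAP/PEAP/TKIP/RC4; credentials below are constructed sample values.
"""
import hashlib
import hmac
import math
import secrets

IV_SPACE = 1 << 24  # WEP IVs are 24 bits: 16,777,216 distinct values


def hours_to_exhaust_iv_space(frames_per_second):
    """Hours until a sequential IV counter wraps and every IV starts repeating."""
    return IV_SPACE / frames_per_second / 3600


def frames_until_iv_repeat(probability=0.5):
    """Birthday bound: frames sent before a randomly chosen IV repeats with the
    given probability (roughly 4,800 frames at p = 0.5)."""
    return math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability)))


def prf(secret, *parts):
    """Keyed pseudo-random function over labelled message parts."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


def toy_keystream(key, iv, length=16):
    """Stand-in for the per-frame RC4 keystream: a fixed function of (key, IV),
    as in WEP. Reusing an IV under the same key reproduces the keystream."""
    return prf(key, b"keystream", iv.to_bytes(3, "big"))[:length]


def handshake(client_credential, ap_credential, ap_checks_client=True,
              rng=secrets.token_bytes):
    """Toy mutual challenge-response. Returns (status, session_key).

    The client proves itself first, as in WEP, but then the AP must prove it
    knows the credential too, which WEP never requires. ap_credential is what
    the AP really holds; a rogue AP holds the wrong one and, having nothing to
    check against, simply accepts the client (ap_checks_client=False).
    """
    client_nonce = rng(16)
    ap_nonce = rng(16)
    # client -> AP: proof bound to both nonces.
    client_proof = prf(client_credential, b"client", client_nonce, ap_nonce)
    if ap_checks_client and not hmac.compare_digest(
            client_proof, prf(ap_credential, b"client", client_nonce, ap_nonce)):
        return "AP rejected client", None
    # AP -> client: the AP's own proof; this is the step WEP lacks.
    ap_proof = prf(ap_credential, b"ap", ap_nonce, client_nonce)
    if not hmac.compare_digest(
            ap_proof, prf(client_credential, b"ap", ap_nonce, client_nonce)):
        return "client rejected AP", None
    # Both sides now derive the same fresh key from both nonces.
    return "ok", prf(client_credential, b"session", client_nonce, ap_nonce)


def keystream_reused(key_session_1, key_session_2, iv):
    """True if the same IV yields identical keystream in two sessions."""
    return toy_keystream(key_session_1, iv) == toy_keystream(key_session_2, iv)


# Constructed sample credentials (not real keys).
CREDENTIAL = b"constructed-shared-credential"
ROGUE_CREDENTIAL = b"rogue-ap-does-not-know-it"

if __name__ == "__main__":
    print(f"IV space exhausted in {hours_to_exhaust_iv_space(500):.1f} h at 500 frames/s")
    print(f"first repeated IV expected after about {frames_until_iv_repeat():.0f} frames")
    # Static WEP-style key: identical keystream whenever an IV repeats, forever.
    print("static key, IV reused:", keystream_reused(CREDENTIAL, CREDENTIAL, 1))
    # Dynamic keys: two sessions, same IV, different keystream.
    _, k1 = handshake(CREDENTIAL, CREDENTIAL)
    _, k2 = handshake(CREDENTIAL, CREDENTIAL)
    print("per-session keys, IV reused:", keystream_reused(k1, k2, 1))
    print("rogue AP:", handshake(CREDENTIAL, ROGUE_CREDENTIAL, ap_checks_client=False)[0])
```

At 500 frames per second a sequential IV counter wraps in about 9.3 hours, and with random IVs a repeat is expected after only about 4,800 frames; under a static key every such repeat reproduces keystream, whereas keys derived from both sides' nonces make the same IV harmless across sessions, and the rogue AP is turned away because it cannot produce the proof the client checks.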
Most wireless devices are mobile and open to physical theft, which could compromise data stored on the client devices or allow network access to an unauthorized user. The security features of the IBM Embedded Security Subsystem (ESS), an exclusive crypto solution, provide hardware protection of credentials for industry-leading security. Network managers can prevent unauthorized access to data stored on a lost or stolen system, decrease risks to the network, and increase WLAN security. ESS requires the user to authenticate to the system and securely stores wireless certificates and credentials. This offers the best available protection against hacker break-in and unauthorized network access. For more information about the ESS chip, visit the following Web site.
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-46391
As mobile users adopt wireless technology, they will also expect the same quality of service realized with wired communications. The Institute of Electrical and Electronics Engineers (IEEE) defines the 802.11 standard for wireless LAN (WLAN). Two sets of data throughput rates are specified on separate frequencies (5 GHz and 2.4 GHz); depending on the IT environment, the frequency may impact range and ultimately decrease throughput. Wireless network designers must also consider potential interference in the 2.4 GHz Industrial, Scientific and Medical (ISM) band from Bluetooth, cordless phones, and microwaves when deploying a wireless LAN. These concerns are discussed in the Site Survey section.
The security and performance of the client device and the wireless infrastructure impacts the entire wired LAN network. The following sections address wireless network security details and best practices to increase the security and performance of a Wireless LAN.
The IEEE defines the 802.11a (54 Mbps) physical layer standard for WLANs in the 5 GHz radio band, and 802.11b (11 Mbps) and 802.11g (54 Mbps, backward compatible with b), both operating in the 2.4 GHz spectrum. The first IEEE wireless LAN standard widely brought to market was 802.11b, which incorporates the Wired Equivalent Privacy (WEP) security protocol. However, as mentioned in section 3.4.1, “Wireless infrastructure security on device and data contained within” on page 26, several serious security flaws were discovered in the WEP protocol. In addition to the shared static key vulnerability, key management is an issue because WEP keys must be pre-shared, so every Access Point and client in the network has to be updated whenever a key is changed. The security vulnerabilities and the lack of encryption key management presented numerous challenges and increased interest in secure enterprise deployment of wireless LAN technology.
26 Deploying IBM Secure Wireless Solution for Cisco Systems
Wireless security consists of two components: encryption and authentication. Encryption makes intercepted network traffic unintelligible. Authentication is the process by which the identity and credentials of a user or device are verified before a network connection is completed. To address the confidentiality problem of enterprise wireless LANs, the IEEE 802.11 standards committee began work on 802.11i, an open standard intended to replace the inadequate WEP encryption.
Wi-Fi Protected Access (WPA) is the industry's interim response, published by the Wi-Fi Alliance to offer an immediate, strong security solution with the authentication and centralized key management needed to address the vulnerabilities of WEP. WPA is a subset of the 802.11i security standard, which also supports the most advanced encryption available, the Advanced Encryption Standard (AES).
WPA encryption is significantly strengthened by a fast re-keying algorithm called Temporal Key Integrity Protocol (TKIP). Unlike the static WEP key, TKIP derives a different key for every packet from a temporal key and the packet sequence counter, and the temporal key itself is rotated periodically (every 10,000 packets in the commonly used default). TKIP is designed to be deployed as a software upgrade on existing hardware. The IEEE 802.11i standard, ratified in 2004, provides the most robust encryption for new deployments through Counter Mode with CBC-MAC Protocol (CCMP). CCMP is based on the Advanced Encryption Standard (AES) and offers the highest level of data protection.
WPA also supports IEEE 802.1X, a standard for port-based access control that provides the framework for mutual authentication between a client and a Remote Authentication Dial-In User Service (RADIUS) server (backed by an LDAP directory or Active Directory), as well as encryption key distribution, on wired and wireless networks. 802.1X ties the Extensible Authentication Protocol (EAP) to wireless LAN media and supports multiple authentication methods, such as token cards, one-time passwords, certificates, and public key authentication. EAP carries authentication messages between the client (supplicant) and the access control server, with the access point acting only as a relay; the encryption keys derived from a successful authentication are then delivered to the access point. Credentials used for authentication, such as logon passwords, are never transmitted in the clear over the wireless medium.
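The relay described above carried end to end, as an added example that is not part of the Redpaper or of any Cisco or IBM code: EAP packet framing per RFC 3748 and the RADIUS Access-Request the access point sends to ACS, with the EAP packet inside EAP-Message attributes and the Message-Authenticator that binds the request to the AP/RADIUS shared secret (RFC 2865 and RFC 3579). The shared secret, user name, NAS address and identifiers are constructed.

```python
"""EAP framing and its RADIUS encapsulation (RFC 3748, RFC 2865/3579).
Added example, not from the Redpaper or from Cisco/IBM code. In 802.1X the
access point relays EAP between the supplicant (EAPOL on the air) and the
RADIUS server (EAP-Message attributes). Shared secret, user name, NAS
address and identifiers below are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 6: "GTC", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "MS-CHAPv2"}
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


@dataclass
class EapPacket:
    code: int
    identifier: int
    method: Optional[int]        # None for Success/Failure, which carry no Type
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.method is None else bytes([self.method]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        if len(raw) < 4:
            raise ValueError("short EAP header")
        code, identifier, length = struct.unpack("!BBH", raw[:4])
        if length != len(raw):
            raise ValueError("EAP Length does not match packet size")
        if code in (3, 4):
            return cls(code, identifier, None)
        if length < 5:
            raise ValueError("Request/Response without Type")
        return cls(code, identifier, raw[4], raw[5:])

    def describe(self) -> str:
        kind = EAP_CODES.get(self.code, "code %d" % self.code)
        if self.method is None:
            return "EAP-%s id=%d" % (kind, self.identifier)
        name = EAP_TYPES.get(self.method, "type %d" % self.method)
        return "EAP-%s id=%d %s %r" % (kind, self.identifier, name, self.data)


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def _attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """(type, offset, value) for every attribute after the 20-byte header."""
    out, offset = [], 20
    while offset < len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out.append((attr_type, offset, packet[offset + 2:offset + length]))
        offset += length
    return out


def radius_access_request(secret: bytes, identifier: int, authenticator: bytes,
                          user_name: str, nas_ip: str, eap: bytes) -> bytes:
    """Wrap one EAP packet in an Access-Request. EAP-Message is split into
    253-byte pieces; Message-Authenticator, mandatory when EAP is carried, is
    HMAC-MD5(secret, packet) computed with its own 16-byte value zeroed."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    for i in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed. A packet
    without Message-Authenticator is rejected, as RFC 3579 requires for EAP."""
    for attr_type, offset, value in _attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def extract_eap(packet: bytes) -> EapPacket:
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    pieces = [v for t, _, v in _attributes(packet) if t == ATTR_EAP_MESSAGE]
    if not pieces:
        raise ValueError("no EAP-Message attribute")
    return EapPacket.decode(b"".join(pieces))


def peap_start_exchange() -> List[str]:
    """First three EAP messages of a PEAP authentication as the AP sees them:
    Identity request, Identity response, PEAP Start (flags byte, S bit 0x20)."""
    flow = [EapPacket(1, 1, 1), EapPacket(2, 1, 1, b"alice"), EapPacket(1, 2, 25, bytes([0x20]))]
    return [p.describe() for p in flow]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # AP <-> ACS RADIUS key, constructed
    for line in peap_start_exchange():
        print(line)
    identity = EapPacket(2, 1, 1, b"alice").encode()
    req = radius_access_request(secret, 7, os.urandom(16), "alice", "192.168.1.5", identity)
    print("Message-Authenticator valid:", verify_message_authenticator(secret, req))
    print("EAP relayed to the server:", extract_eap(req).describe())
```

extract_eap and verify_message_authenticator are the two checks the RADIUS server performs before it looks at the inner EAP method: an Access-Request carrying EAP without a valid Message-Authenticator is silently discarded, which is what stops a device on the wired side that does not hold the AP's RADIUS secret from injecting EAP traffic as if it were the access point.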
Several different EAP authentication methods are used in practice: EAP-TLS, Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), and Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS). All of them run on top of 802.1X, as shown in Figure 3-5 on page 28. Cisco was the first vendor to ship a pre-standard 802.1X/EAP solution to address the issues identified in WEP. Cisco's proprietary security solution fully supports WPA and its building blocks, 802.1X and TKIP, and in addition implements LEAP. We discuss LEAP in detail in the following section; for specific information about the other EAP methods listed, see Table 3-8 on page 31, the PEAP, EAP-FAST, Cisco LEAP and EAP-TLS comparison chart, or the Cisco white paper titled Cisco SAFE Wireless LAN Security in Depth, available at the following Web site.
http://www.cisco.com/go/safe
Chapter 3. Details of architecture 27
Figure 3-5 Security protocol layers (EAP methods over 802.1X, with TKIP or CCMP providing encryption)
Cisco LEAP is the most widely deployed EAP type in WLANs today. LEAP supports all three of the 802.1X and EAP elements: mutual authentication, dynamic encryption keys, and centralized policy control. With LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known to both the client and the RADIUS server. The RADIUS server sends a challenge to the client; the client uses a one-way hash of the user-supplied password to fashion a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares it to the response from the client. When the RADIUS server has authenticated the client, the process repeats in reverse, enabling the client to authenticate the RADIUS server. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key. Because every value in this exchange is a function of the password hash, anyone who captures a challenge and its response can test candidate passwords offline; LEAP is therefore only as strong as the password policy behind it, which is one reason the PEAP methods described later are preferred for new deployments.
For more details see the Cisco white paper, Cisco SAFE Wireless LAN Security in Depth. http://www.cisco.com/go/safe
Figure 3-6 LEAP authentication process (a wireless computer with Cisco LEAP supplicant, an Access Point with Cisco LEAP support, an access switch, the campus network, and a RADIUS server with LEAP authentication support and dynamic WEP key generation backed by a user database; the numbered steps 1-9 are listed below)
1. Client associates with Access Point
2. Access point blocks all user requests to access the LAN
3. User provides login authentication credentials
4. RADIUS server authenticates user
5. User authenticates RADIUS server
6. RADIUS server and client derive unicast WEP key
7. RADIUS server delivers unicast WEP to Access Point
8. Access Point delivers broadcast WEP key encrypted with unicast WEP key to client
9. Client and Access Point activate WEP and use the unicast and broadcast WEP keys for transmission
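The nine steps above in code, as an added example that is not part of the Redpaper or of Cisco's LEAP implementation. It keeps LEAP's shape (a password hash shared by client and RADIUS server, server-to-client and client-to-server challenge/response, and a dynamic 104-bit key derived on both sides without ever being sent) but substitutes SHA-256 and HMAC-SHA256 for LEAP's actual NT-hash and DES-based MS-CHAP primitives so that it runs on the standard library alone; the user database, challenges and wordlist are constructed. The last function shows what an eavesdropper can do with the captured challenge and response.

```python
"""Mutual challenge/response over a shared password with a derived dynamic
key, in the shape of the LEAP exchange. Added example, not from the Redpaper
or Cisco, and NOT LEAP's real primitives: LEAP uses the NT hash (MD4 of the
UTF-16LE password) and DES-based MS-CHAP responses; SHA-256 and HMAC-SHA256
stand in here. User database, challenges and wordlist are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def password_hash(password: str) -> bytes:
    # Stand-in for the NT hash: what the server stores and the client computes.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for the 24-byte MS-CHAP response: keyed function of the challenge.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()[:24]


def derive_session_key(pw_hash: bytes, seen: Dict[str, bytes]) -> bytes:
    """Both ends compute this from the password hash and the exchanged values;
    the key itself is never transmitted. 13 bytes = a 104-bit dynamic WEP key."""
    material = (pw_hash + seen["server_challenge"] + seen["client_response"]
                + seen["client_challenge"] + seen["server_response"])
    return hashlib.sha256(material).digest()[:13]


class RadiusServer:
    """Holds password hashes and runs the server side of the exchange."""

    def __init__(self, users: Dict[str, str]):
        self.db = {user: password_hash(pw) for user, pw in users.items()}

    def challenge(self) -> bytes:
        return os.urandom(8)                     # 8-byte challenge, as in LEAP

    def check_client(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.db[user], challenge)
        return hmac.compare_digest(expected, response)

    def respond(self, user: str, client_challenge: bytes) -> bytes:
        return challenge_response(self.db[user], client_challenge)


def leap_exchange(server: RadiusServer, user: str, password: str
                  ) -> Tuple[bool, Dict[str, bytes], Optional[bytes], Optional[bytes]]:
    """Steps 3-6 of the process above. Returns (success, everything an
    eavesdropper sees on the air, client's key, server's key)."""
    client_hash = password_hash(password)
    seen: Dict[str, bytes] = {}
    seen["server_challenge"] = server.challenge()                 # server challenges client
    seen["client_response"] = challenge_response(client_hash, seen["server_challenge"])
    if not server.check_client(user, seen["server_challenge"], seen["client_response"]):
        return False, seen, None, None                           # no EAP-Success
    seen["client_challenge"] = os.urandom(8)                     # client challenges server
    seen["server_response"] = server.respond(user, seen["client_challenge"])
    if seen["server_response"] != challenge_response(client_hash, seen["client_challenge"]):
        return False, seen, None, None                           # server failed to prove itself
    return (True, seen, derive_session_key(client_hash, seen),
            derive_session_key(server.db[user], seen))


def offline_dictionary_attack(seen: Dict[str, bytes], wordlist: List[str]) -> Optional[str]:
    """A passive listener holds the challenge and the response; without any
    further contact with the network it tests candidates until one reproduces
    the response. The found password also yields the session key."""
    for candidate in wordlist:
        if challenge_response(password_hash(candidate), seen["server_challenge"]) == seen["client_response"]:
            return candidate
    return None


if __name__ == "__main__":
    server = RadiusServer({"alice": "Summer2005"})            # constructed user database
    ok, seen, client_key, server_key = leap_exchange(server, "alice", "Summer2005")
    print("authenticated:", ok, "keys match:", client_key == server_key)
    found = offline_dictionary_attack(seen, ["letmein", "Password1", "Summer2005"])
    print("eavesdropper recovered password:", found)
    print("eavesdropper has the session key:", derive_session_key(password_hash(found), seen) == client_key)
```

Because the response is a deterministic function of the password hash and a challenge sent in the clear, the captured pair is an offline oracle: the attack never talks to the RADIUS server, so lockout policies do not help, and once the password is found the attacker derives the same dynamic key the client and server agreed on. Key rotation does not change this; password quality is the limit of the exchange's strength.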
PEAP is an Internet Engineering Task Force (IETF) Internet-Draft authored by Cisco Systems, Microsoft, and RSA Security. PEAP uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods inside a protected Transport Layer Security (TLS) tunnel. PEAP supports the three main elements of 802.1X/EAP: mutual authentication, dynamic encryption keys, and centralized policy control. The server certificate check is what the rest of the exchange depends on: a client configured to skip validation of the RADIUS server's certificate will build the tunnel with any server that presents one, and the inner credentials are then only as protected as that tunnel.
As shown in Figure 3-7, phase 1 of the authentication sequence is the same as that for EAP-TLS (server-side TLS). At the end of phase 1, an encrypted TLS tunnel exists between the user and the RADIUS server for transporting EAP authentication messages.
In phase 2, also shown in Figure 3-7, the RADIUS server authenticates the client through the encrypted TLS tunnel using another EAP type. For example, a user can be authenticated with a one-time password (OTP) using the EAP-GTC subtype (as defined in the PEAP draft). In this case, the RADIUS server relays the OTP credentials (user ID and OTP) to an OTP server to validate the user login. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.
For more information about PEAP, refer to the IETF Web site for the latest draft and to the Cisco white paper titled Cisco SAFE Wireless LAN Security in Depth.
Figure 3-7 PEAP authentication process (a wireless computer with PEAP supplicant, an Access Point with PEAP support, an access switch, the campus network, and a RADIUS server with PEAP authentication support and dynamic WEP key generation backed by a user database; the numbered steps 1-8 are listed below)
Following is the PEAP authentication process shown in Figure 3-7.
1. Client associates with Access Point
2. Access Point blocks all user requests to access the LAN
3. Client verifies RADIUS server’s digital certificate
4. RADIUS server authenticates user
5. RADIUS server and client derive unicast WEP key
6. RADIUS server delivers unicast WEP key to Access Point
7. Access Point delivers broadcast WEP key encrypted with unicast WEP key to client
8. Client and Access Point activate WEP and use unicast and broadcast WEP keys for transmission
To address some security and deployment issues with EAP, Microsoft and Cisco each developed their own PEAP variant:
Cisco PEAP uses EAP-GTC (Generic Token Card) as the inner method.
MS PEAP uses EAP-MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) as the inner method.
Both expand the available EAP-based authentication schemes. Unlike EAP-TLS, which requires deploying and managing a digital certificate for each access client, PEAP requires a certificate only on the RADIUS server. This eases the administrative burden of user certificate management.
If you intend to authenticate clients with digital certificates (a PKI), implement EAP-TLS; for one-time password or token card credentials, implement Cisco PEAP (EAP-GTC). Single sign-on with the Windows password, password expiration, and Internet Authentication Service (IAS, the Microsoft RADIUS service) are supported by MS PEAP.
In our wireless network configuration we use Cisco ACS; MS PEAP customers may instead implement the Microsoft RADIUS server (IAS).
For additional details on implementing MS IAS, visit the following Web site: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
For more details on MS PEAP visit the following Web site: http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
For more details on Cisco PEAP visit the following Web site: http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801764fa.html
Table 3-8 PEAP, EAP-FAST, Cisco LEAP and EAP-TLS Comparison Chart

Cisco LEAP
  User authentication database and server: Windows NT Domains, Active Directory
  Requires server certificates: No
  Requires client certificates: No
  Operating system support: Driver: Windows 98, Windows 2000, Windows NT, Windows Me, Windows XP, Mac OS, Linux, Windows CE, DOS
  ASD support: Yes
  Credentials used: Windows password
  Works with WPA: Yes

PEAP with Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2
  User authentication database and server: Windows NT Domains, Active Directory
  Requires server certificates: Yes
  Requires client certificates: No
  Operating system support: Driver: Windows XP, Windows 2000, Windows CE; with third-party utility: other OS
  ASD support: No
  Credentials used: Windows password
  Works with WPA: Yes

PEAP with Generic Token Card (GTC)
  User authentication database and server: One-time password (OTP), Lightweight Directory Access Protocol (LDAP), Novell NDS, Windows NT Domains, Active Directory
  Requires server certificates: Yes
  Requires client certificates: No
  Operating system support: Driver: Windows XP, Windows 2000, Windows CE; with third-party utility: other OS
  ASD support: (value not legible in this copy)
  Credentials used: Client: Windows, NDS, LDAP password; OTP or token. Server: digital certificate
  Works with WPA: Yes

EAP-TLS
  User authentication database and server: OTP, LDAP, Novell NDS, Windows NT Domains, Active Directory
  Requires server certificates: Yes
  Requires client certificates: Yes
  Operating system support: Driver: Windows XP, Windows 2000, Windows CE; with third-party utility: other OS
  ASD support: No
  Credentials used: Digital certificate
  Works with WPA: Yes

EAP-FAST
  User authentication database and server: Windows NT Domains, Active Directory, LDAP (limited)
  Requires server certificates: No
  Requires client certificates: No
  Operating system support: Driver: Windows XP, Windows 2000, Windows CE; with third-party utility: other OS
  ASD support: Yes
  Credentials used: Windows password, LDAP user ID/password (manual provisioning required for PAC provisioning)
  Works with WPA: Yes

The chart also compares single sign-on using the Windows login, password expiration and change, and support for Fast Secure Roaming; those cell values are not legible in this copy.
Figure 3-8 on page 33 is an architecture overview diagram. Use it as a tool for discussions
with the client to convey the major points of the solution. It is a high-level diagram that the client architects and the decision makers can easily understand. It summarizes the proposed approach to provide a solution that addresses client functional and non-functional requirements. Additional details appear in other architectural work products, particularly in the operational model that serves as a base for actual solution deployment.
Figure 3-8 Architectural overview of SMB secure wireless LAN with remote access (the diagram shows wireless clients on the intranet connected through Access Points and a switch, a wireless printer, the RADIUS server, a firewall between the intranet and the Internet, and a WECM server reached by remote wireless clients over the Internet)
Description of system components:
Wireless clients
The purpose of the client node is to provide access to the e-business application through a network. This could be through a standard web browser or through launching an application specific graphical user interface (GUI). In our case clients are limited to portable computers.
Firewall
The firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
Connectivity and access server (WECM server)
The connectivity and access node accommodates different services specific to enabling remote access to the company intranet.
Access Points
The Access Point acts as a communication hub through which users of a wireless device connect to the wired network.
Switch
The Switch joins multiple network devices together at a low-level network protocol layer.
Authentication services (RADIUS Server)
Remote Authentication Dial-In User Service (RADIUS) provides services for remote authentication of users and devices.
The operational model defines the involved computers, networks, and other platforms on which the application will execute and by which it is managed.
The operational model links the conceptual design with the deployment phase of the project.
The operational model can also serve as a base for walking the client through sample use cases. It can be drawn at the logical or the physical level.
Figure 3-9 is an operational model drawn at the physical level for a secure wireless in-building LAN.
Figure 3-9 Secure wireless in-building LAN (physical operational model). Nodes shown:
Authentication and Authorization Services: IBM eServer xSeries 226 Express running Windows 2003 Server Enterprise, Secure Access Control Server V3.3.1 for Windows, Microsoft Active Directory, Microsoft DHCP Server, Microsoft Certificate Authority, Java JRE V1.4.2_06.
Wireless clients: Windows XP with IBM Access Connections V3.53, WebSphere Everyplace Connection Manager Client V5.1, and an 802.11 a/b/g wireless card.
Access Point 1131 (AP, integrated radios and antennas, North America configuration); the configuration depends on the number of users (Access Points) to support.
Cisco Integrated Switch/Router 2811 connecting to the existing wired LAN; if the customer already has a router, only the switch modules are required.
Figure 3-10 on page 35 is an operational model drawn at the physical level for mobile access.
Figure 3-10 Mobile access (physical operational model). Nodes shown:
Authentication and Authorization Services: IBM eServer xSeries 226 Express running Windows 2003 Server Enterprise, Secure Access Control Server v3.3 for Windows 2003, Microsoft Active Directory, Microsoft DHCP Server, Microsoft Certificate Authority, Java JRE V1.4.2.06.
Wireless clients: IBM ThinkPad T42, X40, R51 or later with an 802.11 a/b/g wireless card, running Windows XP with IBM Access Connections v.3.53 and WebSphere Everyplace Connection Manager Client v.5.1.
Access Point 1131, 802.11a, .11g AP, integrated radios and antennas, North America configuration; the configuration depends on the number of users (Access Points) to support (summary table below).
Cisco Integrated Switch/Router 2811 connecting to the existing wired LAN; if the customer already has a router, only the switch modules are required.
Connection and Access Services: IBM eServer xSeries 226 Express with 2x Ethernet adapter and an external IP address, running SuSE Linux 9.0, OpenLDAP, DB2 UDB Express v.8.2 and WebSphere Everyplace Connection Manager v.5.1, connected to the Internet.
Administration: IBM WECM Gatekeeper (admin interface to WECM) on any Windows XP PC.
Table 3-9 Recommended components/parts for up to 80 wireless users

Directory and Security Services
  Node description: Authenticates and authorizes users
  Hardware platform: IBM eServer xSeries 226 Express (1-way, 2.8 GHz, 1 GB RAM, 2x 36.4 GB HDD)
  Software: Windows 2003 Server Enterprise; Active Directory; DHCP Server; Certificate Authority; Secure Access Control Server v3.3 for Windows 2003 (a); Java JRE V1.4.2.06
  Communication protocol (transport layer): TCP/IP (b)

Wireless communication, up to 80 wireless clients (assuming 1 Access Point for 80 users) (c)
  Node description: Provides bi-directional communication with wireless clients
  Hardware platform: Cisco Access Point 1131, 802.11a, .11g AP, Int Radios, Ants, North America Cnfg
  Communication protocol (transport layer): TCP/IP (over 802.11 a/b/g)

Connection to wired LAN
  Node description: Joins the wireless LAN with an existing wired LAN
  Hardware platform: Integrated Switch Router 2801 with inline power, 2FE, 4 slots, IP BASE, 64F/128D
    – 4-Port Ethernet Switch HWIC with Power over Ethernet
    – Cisco 2801 IOS IP BASE
    – Power Cord, 110V
    – 64 MB CF default for Cisco 2800 Series
    – Cisco 2801 AC/IP power supply
    – Device manager for routers
  Communication protocol (transport layer): IP

Connectivity for Access and pervasive services (required if enabling remote access)
  Node description: Secure, seamless access to the intranet from anywhere
  Hardware platform: IBM eServer xSeries 226 Express (1-way, 2.8 GHz, 1 GB RAM, 2x 36.4 GB HDD), 2x Ethernet adapter
  Software: Red Hat Enterprise Linux 3.0; OpenLDAP; DB2 UDB Express v.8.2; WebSphere Everyplace Connection Manager v.5.1 Starter Edition (d)
  Communication protocol (transport layer): TCP/IP

Printing services (optional)
  Hardware platform: InfoPrint Printer 4523-XN1, 802.11G Wireless Ethernet Adapter
  Communication protocol (transport layer): TCP/IP (over 802.11g)

a. On sizing for Cisco ACS, refer to: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/index.htm (requires a Cisco partner user ID and password)
b. TCP/IP supports most of the application protocols (HTTP, TELNET, SMTP, FTP, etc.)
c. For configurations for a larger number of users, refer to Figure 3-11.
d. Sizing for WECM: see Redbook SG24-7049-00
Figure 3-11 contains the recommended components and part numbers for 80 to 320 wireless users.

Small-Medium Deployment, 81-160 Wireless Clients (8 PoE ports)
  CISCO2801-AC-IP      2801 Router with inline power, 2FE, 4 slots, IP BASE, 64F/128D
  HWIC-D-9ESW-POE      9-Port Ethernet Switch HWIC with Power over Ethernet
  S280IPB-12311T       Cisco 2801 IOS IP BASE
  CAB-AC               Power Cord, 110V
  MEM2800-64CF-INC     64MB CF default for Cisco 2800 Series
  PWR-2801-AC-IP       Cisco 2801 AC/IP power supply
  ROUTER-SDM           Device manager for routers
  Total lead time: 13-16 days. Total price: USD 3,450.00

Medium Deployment, 161-240 Wireless Clients (12 PoE ports)
  CISCO2811-AC-IP      2811 w/ AC+POE, 2FE, 4HWICs, 2PVDMs, 1NME, 2AIMS, IP BASE
  S28NIPB-12311T       Cisco 2800 IOS IP BASE
  HWIC-4ESW-POE        4-Port Ethernet Switch HWIC with Power over Ethernet
  HWIC-D-9ESW-POE      9-Port Ethernet Switch HWIC with Power over Ethernet
  CAB-AC               Power Cord, 110V
  PWR-2811-AC-IP       Cisco 2811 AC/IP power supply
  ROUTER-SDM           Device manager for routers
  MEM2800-256D-INC     256MB DDR DRAM Memory factory default for the Cisco 2800
  MEM2800-64CF-INC     64MB CF default for Cisco 2800 Series
  Total lead time: 15-18 days. Total price: USD 4,550.00

Medium-Large Deployment, 241-320 Wireless Clients (16 PoE ports)
  CISCO2811-AC-IP      2811 w/ AC+POE, 2FE, 4HWICs, 2PVDMs, 1NME, 2AIMS, IP BASE
  S28NIPB-12311T       Cisco 2800 IOS IP BASE
  HWIC-D-9ESW-POE      9-Port Ethernet Switch HWIC with Power over Ethernet
  CAB-AC               Power Cord, 110V
  PWR-2811-AC-IP       Cisco 2811 AC/IP power supply
  ROUTER-SDM           Device manager for routers
  MEM2800-256D-INC     256MB DDR DRAM Memory factory default for the Cisco 2800
  MEM2800-64CF-INC     64MB CF default for Cisco 2800 Series
  Total lead time: 15-18 days. Total price: USD 5,055.00

Figure 3-11 Recommended components/part numbers for 80-320 wireless users
Chapter 4. Implementation scenarios
In this chapter, we document hardware and software requirements and detailed step-by-step installation and customization procedures for four basic use cases:
4.1, “Scenario 1: Deploy wireless LAN on a client site” on page 40
4.2, “Scenario 2: Mobile access from home” on page 113
4.3, “Scenario 3: Mobile access from hot spots” on page 176
4.4, “Scenario 4: Mobile access via WAN” on page 177
Even though the scenarios described in this chapter cover both LEAP and PEAP authentication, we recommend that you implement PEAP authentication.
The use cases documented in this chapter are intended to support installations of up to 250 clients. Installations with more than 250 clients most likely need different switches, and potentially require bridged networks. Bridged networks are beyond the scope of this document.
In this scenario, we add secure wireless LAN support to a currently existing wired intranet network. We configure support for both LEAP and MS PEAP authentication.
Figure 4-1 Network configuration for wireless implementation (components shown: a Windows 2003 Server running Active Directory, Certificate Authority, DNS, DHCP and the Cisco Secure ACS RADIUS server; AP1 with SSID leap1a at 192.168.1.5; AP2 with SSID leap2 at 192.168.1.6; the wired intranet; a firewall/router to the Internet; the addresses 192.168.1.1 and 192.168.1.254 on the server and router side; and a wireless client)
Windows 2003 Server is configured with Active Directory support, Certificate Authority, DNS, and DHCP server support. Additionally, Cisco Secure ACS is installed on the same hardware to provide wireless configuration services and the RADIUS server function. Typically, these functions are not all installed on a single server.
IBM Access Connections is installed on wireless ThinkPad clients to support wireless connections and wireless network access management.
The current client network may already be running Windows 2000 Server or Windows 2003
Server Enterprise Edition for the domain controller. The steps documented here assume that no currently installed hardware or software is used.
IBM Access Connections supports a specific set of wireless adapters from IBM, Cisco, and
Intel. For more information about Access Connections wireless adapter support, visit the following IBM Access Connections Web site: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-4ZLNJB
Refer to 2.2.1, “Site survey” on page 7 for wireless Access Point planning and placement
information. This scenario documents the installation and configuration of Windows 2003
Enterprise Edition with features such as Certificate Authority, DHCP, and Active Directory.
Many client environments already have this software installed and operational. In those situations, it is only necessary to install and configure the remaining software (Cisco Secure
ACS, Java JRE, IBM Access Connections) to work in your current environment.
The following software and hardware is installed and configured for this scenario.
One IBM Eserver xSeries 226 with one network interface card
This server hosts the Cisco ACS server software and RADIUS server. In our environment, this server also hosted the Microsoft domain controller, Active Directory, Certificate
Authority, and DHCP server. A more secure solution is to have this server host only the
Cisco ACS server while other domain functions (domain controller, DHCP server,
Certificate Authority, Active Directory) are installed and managed on a separate server.
For more information, see 5.3, “IBM Eserver xSeries 226” on page 187.
Two Cisco AIR-AP1131AG wireless access points
In our environment, both access points supported 802.11a, b and g wireless networks. For more information, see 5.1.2, “Cisco Aironet 1130AG Series IEEE 802.11A/B/G Access Point” on page 180.
Wireless adapters on client computers
We configured an IBM a/b/g Wireless Cardbus adapter, Intel PRO/Wireless 2200BG
Network Connection, and Intel PRO/Wireless LAN 2100 3B Mini PCI Adapter.
Windows 2003 Server Enterprise Edition
Cisco Secure Access Control Server (ACS) V3.3.1
Microsoft Active Directory
Microsoft DHCP Server
Microsoft Certificate Authority
Java JRE V1.4.2.06
IBM Access Connections V3.53
We installed Windows 2003 Server Enterprise Edition on an IBM xSeries 226 with no additional server functions (file server, DHCP server, active directory, and so on). We added these additional functions as required in later steps.
In a currently established environment, these normal server functions would probably already be operational on other server machines in the intranet.
The Cisco Installation Guide for Cisco Secure Access Control Server for Windows Server is located at the following Web site: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/install/inst02.htm
The ACS installation guide provides all the information needed to install, reinstall, and upgrade the Cisco Secure Access Control Server (ACS) for Windows Server. In addition, see
5.1.1, “Cisco Secure Access Control Server V3.3.1” on page 180.
For this scenario, we completed the following steps.
Chapter 4. Implementation scenarios 41
1. Insert the ACS V3.3 product CD into the CD drive.
2. Unzip the sevt-fcs-acs-v331-w2k-K9.zip file to a folder on the desktop.
3. Open the folder, and click setup.exe
Figure 4-2 ACS setup.exe
4. On the Before You Begin screen, check all of the boxes, as shown in Figure 4-3.
Figure 4-3 ACS check ups
5. Disconnect your wireless access points (APs) if they are connected to the network
(switch).
6. Disconnect any other devices that will appear to the Cisco ACS server as AAA clients (this includes WECM Servers configured as AAA clients).
Important: It is very important that you disconnect any wireless access points from the network before installing ACS. If we did not disconnect the APs, the ACS administration utility would not start after installation.
7. On the Authentication Database Configuration window, click Also check the Windows User Database.
Figure 4-4 ACS authentication database selection
8. On the Advanced Options window, do not select any of the options at this time. You can select them later from within ACS.
9. Accept the default settings on the Active Service Monitoring window.
10. On the Cisco Secure ACS Service Initiation window, check Yes, I want to start the CiscoSecure ACS Service now, as shown in Figure 4-5 on page 44. Do not check the remaining boxes.
Important: You must install Java before logging on to the ACS Server (see “Install Java JRE for Cisco Secure ACS” on page 50).
Figure 4-5 ACS service
This completes the installation Cisco Secure Access Control Server for Windows Server. We customize the ACS server in later steps.
We used Microsoft Active Directory to manage userids and passwords. If a Microsoft domain
and Active Directory are already configured in your environment, skip to section 4.1.7,
“Microsoft DHCP Server” on page 47.
We defined a new domain and installed Active Directory on the same machine as our ACS server. We recommend that you put the ACS server on a separate machine in a production environment.
The Active Directory installation requires that you configure TCP/IP before the installation.
1. Select Start → Run and type dcpromo. The window shown in Figure 4-6 is displayed.
Figure 4-6 Active directory installation wizard
2. Select Domain controller for a new domain on the Domain Controller Type window, as shown in Figure 4-7.
Figure 4-7 Domain controller for a new domain
3. Select Domain in a new forest
Figure 4-8 Domain in a new forest
4. Select No, just install and configure DNS on this computer on the Install or Configure
DNS window shown in Figure 4-9.
Figure 4-9 Install and configure DNS
5. Configure a domain name. We configured (domain name).local, for example IBMWECMLAB.local. See Figure 4-10.
Figure 4-10 DNS domain name
6. Choose the defaults for the remaining settings, and allow the install to complete.
The procedure that adds users to Microsoft Active Directory is different from the procedure to add users in a Windows environment where Active Directory is not used. Use the following procedure to add users to Microsoft Active Directory.
1. Select Start → Programs → Administrative Tools → Active Directory Users and Computers.
2. Select your Domain in the left panel and right-click to display a selection menu.
3. Select New → User.
4. Add information for the new user.
Use strong passwords that satisfy the domain password policy.
To give a user administrator privileges, use the following steps:
1. Users are listed under Users in the right panel. Right-click the user and select Properties .
2. Select the Member of tab at the top.
3. Select Add... in the Member of window.
4. In the Select Groups window, type administrators .
5. Click OK .
We installed a DHCP server on our ACS server machine. Normally, there is a DHCP server already running in an enterprise environment, thus the following steps are not performed. If
you have a DHCP server already configured in your environment, skip to 4.1.8, “Modify
Internet Explorer settings” on page 50.
Follow these steps to install the Windows DHCP server.
1. Access the Windows Control Panel, and select Add or Remove Programs .
2. In the Add or Remove Programs window, select Add/Remove Windows Components on the left panel.
3. Select Network services, and click Details
Figure 4-11 Windows Networking Services components
4. Check Dynamic Host Configuration Protocol, as shown in Figure 4-12, and click OK.
5. Click Next .
Figure 4-12 Install DHCP networking component
This completes the installation of DHCP server on Windows 2003 Server.
1. After you install the DHCP service, go to the Windows Control Panel → Administrative Tools → DHCP.
2. Highlight the name of the server, and select Action → New Scope.
Figure 4-13 Add a new DHCP scope
3. Type the name of this scope, and set the IP address range that this DHCP server will assign to clients.
Figure 4-14 DHCP IP address range
4. Include options that are sent to the clients. This includes Router, DNS server (in our configuration, the ACS machine with Active Directory on it), and Domain name.
5. After you configure the DHCP server, authorize the server with Active Directory. From the DHCP window, select Action → Authorize.
Figure 4-15 Authorize the DHCP server to Active Directory
The DHCP server configuration is complete.
Modifying Internet Explorer settings is required for the Cisco Secure ACS software.
1. Open Internet Explorer.
2. Select Tools → Internet Options.
3. Click the Security tab.
4. Change the security level from High to Medium .
Cisco Secure Access Control Server V3.3.1 requires a Java upgrade.
1. Access the following Web site: http://java.sun.com/j2se/1.4.2/download.html
2. Select the Download J2SE JRE link.
3. Accept the licence, and click Windows Offline Installation, Multi-language .
4. Download and install the J2SE JRE file. At the time we downloaded the file, the file name was j2re-1_4_2_06-windows-i586-p.exe.
In this section, we configure the Cisco Access Points and Cisco Secure ACS software to support LEAP authentication. Get detailed information about this process, along with a discussion of EAP configuration options, at the following Cisco Web site: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
Also, see 5.1, “Cisco components” on page 180 of this Redpaper.
Configuring the Access Point to support LEAP authentication also enables the Access Point to support PEAP authentication. We configured two Cisco AIR-AP1131AG Access Points. Both Access Points have two radios and support 802.11 a/b/g communications.
The following sections document the steps we used to configure Access Point 1 (AP1) to support LEAP and PEAP authentication on the 802.11a radio. Configuration of Access Point 2 (AP2) is the same except for the items listed in the following table.
Table 4-1 Access Point configuration differences
Setting                                                                  Access Point 1   Access Point 2
Access Point host name (refer to “Configure AP host name” on page 52)    AP1              AP2
SSID (refer to “Configure AP SSID and security settings” on page 53)     leap1a           leap2
IP address (refer to “Access Point initial configuration” on page 51)    192.168.1.5      192.168.1.6
Initial configuration of the Access Point is done through a console cable attached to the Access Point. Before you can reach the Web interface on the Access Point, attach a console cable to the Access Point, connect through HyperTerminal, and configure an IP address on each AP.
1. Go to enable mode by typing “enable” at the command prompt. The default enable password is “Cisco”.
2. When you are in enable mode, do the following:
a. Type the command: config t
b. Type the command: int bvi 1
c. Define the IP address and subnet mask in the following form: ip address <address you want> <subnet mask>
d. For AP1, we typed in: ip address 192.168.1.5 255.255.255.0
e. For AP2, we typed in: ip address 192.168.1.6 255.255.255.0
3. Hold the CTRL key, and press z.
4. To save the configuration, type: wr mem
5. To leave enable mode, type: exit
After performing these steps, you can access the AP's Web interface from a PC with an IP address on the same network.
The Web address for the Access Point Web interface is its IP address, for example http://192.168.1.5 for AP1.
The default username is “Cisco”.
The password is “Cisco”.
The window shown in Figure 4-16 will display.
Figure 4-16 Access Point home page
When you reach the Access Point home page, you can further configure the Access Point.
1. Select EXPRESS SET-UP on the left panel, and enter the value you want for the host name. You can also modify the IP address that was selected during the initial Access Point configuration (“Access Point initial configuration” on page 51). See Figure 4-17 on page 53.
Figure 4-17 Access Point express setup
2. Press Apply at the bottom of the page (not shown in Figure 4-17) to apply the changes.
1. Select SECURITY on the left panel, and click SSID Manager.
2. Enter the SSID for the Access Point. We defined an SSID of “leap1a” for the 802.11a radio in AP1, and “leap2” for AP2. The SSID value is required when configuring IBM Access Connections; see Figure 4-34 on page 71.
Figure 4-18 Configure Access Point SSID, LEAP and PEAP
When configuring LEAP or PEAP support, make the following changes under Authentication Settings:
1. Under Authentication Methods Accepted, configure the following:
– Check Open Authentication
– Select with EAP
– Check Network EAP
– Leave the choice in the drop-down as No Addition.
2. Press Apply-Radio1 at the bottom of the page (not shown in Figure 4-18) to apply the changes.
3. The warning window shown in Figure 4-19 may display. Press Okay to continue.
Figure 4-19 Encryption warning message
We recommend PEAP authentication for wireless security. However, for both LEAP and PEAP authentication, you must configure WEP encryption in the Access Point. Use the following steps for guidance.
1. Select SECURITY on the left panel, and click Encryption Manager.
2. Make sure that you select the correct radio tab at the top of the page. Since we are configuring the “A” radio, we selected radio 1. See Figure 4-20 on page 56.
3. For Encryption modes, check WEP Encryption, and select Mandatory from the drop-down list.
4. Under Encryption Keys, note that no encryption key is entered. LEAP and PEAP use dynamic encryption keys. However, you can enter an encryption key for those devices in your wireless network that may not support LEAP or PEAP authentication (see 4.1.16,
5. Select Apply-Radio1 at the bottom of the panel.
Figure 4-20 Configure WEP encryption support in the Access Point
The next step in configuring for EAP (LEAP or PEAP) is to define the Cisco Secure ACS authentication server to the Access Point, and establish a relationship with it.
1. Select SECURITY → Server Manager from the left panel, as shown in Figure 4-21 on page 57.
Figure 4-21 Define the authentication server to the Access Point
2. Type the IP address of the authentication server in the Server field. In our configuration, the Cisco ACS server IP address is 192.168.1.1.
3. Specify the Shared Secret and the Ports. We used “cisco” as the shared secret. We recommend a more secure shared secret in a production environment. This shared secret value must match the key value used when defining this Access Point to ACS as a AAA client. See Figure 4-23 on page 60.
4. Click Apply to create the definition and populate the drop-down lists.
5. Under Default Server Priorities, set the EAP Authentication type Priority 1 field to the server IP address.
6. Click Apply.
Note: As an alternative to using the browser interface to the Access Point, you can issue the following CLI commands to configure the default authentication server information. See Example 4-1.
Example 4-1 Command configuration of authentication server information in the Access Point
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# aaa group server radius rad_eap
AP(config-sg-radius)# server 192.168.1.1 auth-port 1645 acct-port 1646
AP(config-sg-radius)# exit
AP(config)# aaa new-model
AP(config)# aaa authentication login eap_methods group rad_eap
AP(config)# radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key labap1200ip102
AP(config)# end
AP# write memory
The next step in configuring for EAP (LEAP or PEAP) is to configure the Access Point in the Cisco Secure ACS authentication server as a AAA client. There are two ways to access the ACS server GUI:
1. Access the Cisco Secure ACS HTML interface using a browser on the ACS server machine with the following Web address: http://127.0.0.1:2002
2. Double-click the ACS Admin icon on the desktop.
3. Select Network Configuration on the left panel to go to the Network Configuration page.
Figure 4-22 ACS Network Configuration page
4. Click Add Entry under the AAA Clients heading to add an Access Point AAA client. The page shown in Figure 4-23 on page 60 is displayed.
5. On this page, type the access point's host name, IP address, key, and authentication method (RADIUS Cisco Aironet). The value for Key must match what you configured for the shared secret on the Access Point in Figure 4-21 on page 57. Perform this step for both Access Points, AP1 and AP2.
Figure 4-23 Add an AAA client to define the Access Point to the authentication server
6. Click Submit to complete the changes.
7. The page shown in Figure 4-24 is displayed to indicate that you must restart the ACS server to activate the changes.
Figure 4-24 Restart ACS to activate changes
8. This completes the definition of the Access Point as an AAA client to Cisco ACS Server.
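The AP-to-ACS relationship defined above depends on the RADIUS shared secret being identical on both sides (the Server Manager entry in Figure 4-21 and the AAA client key in Figure 4-23). The following Python script is an added example, not code from this Redpaper or from Cisco, that shows what that secret does on the wire: the AP protects each EAP-carrying Access-Request with an HMAC-MD5 Message-Authenticator, and ACS protects its reply with a Response Authenticator, so a mismatched key is rejected on both legs. The addresses, user name and EAP payloads are constructed lab values.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed lab values (assumed, not captured traffic) that mirror the page's scenario:
# the Access Point (RADIUS client) at 192.168.1.5 sends EAP traffic to Cisco ACS at
# 192.168.1.1. Both sides must hold the same shared secret (Figure 4-21 / Figure 4-23).
AP_ADDRESS = "192.168.1.5"
LAB_SECRET = b"cisco"          # the page's lab value; use a long random secret in production

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20                # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute: Type (1) + Length (1, header included) + Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Yield (offset, type, value) for each attribute that follows the 20-byte header."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(identifier, request_auth, user, eap_payload, secret):
    """AP side: wrap an EAP message in an Access-Request carrying a Message-Authenticator.

    RFC 3579 requires EAP-Message to be accompanied by Message-Authenticator, an
    HMAC-MD5 over the whole packet keyed with the shared secret and computed while the
    attribute's own 16-byte value is all zeros.
    """
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(AP_ADDRESS))
             + attribute(ATTR_EAP_MESSAGE, eap_payload))
    mac_offset = HEADER_LEN + len(attrs) + 2           # where the 16 zero bytes will sit
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mac_offset] + mac + packet[mac_offset + 16:]


def verify_message_authenticator(packet, secret):
    """ACS side: recompute the HMAC with its own copy of the secret and compare."""
    for offset, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # an EAP request without Message-Authenticator must be silently discarded


def build_reply(code, request, attrs, secret):
    """ACS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(reply, request, secret):
    """AP side: a reply from anyone who lacks the secret (or holds a different one) fails here."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo_exchange(ap_secret, acs_secret):
    """One request/challenge round trip; returns (request_accepted, reply_accepted)."""
    request_auth = os.urandom(16)                      # fresh Request Authenticator per request
    eap_identity = b"\x02\x01\x00\x0a\x01user1"        # constructed EAP Response/Identity "user1"
    request = build_access_request(7, request_auth, b"user1", eap_identity, ap_secret)
    request_ok = verify_message_authenticator(request, acs_secret)
    eap_peap_start = b"\x01\x02\x00\x06\x19\x20"       # constructed EAP Request, type 25 (PEAP), Start
    challenge = build_reply(CODE_ACCESS_CHALLENGE, request,
                            attribute(ATTR_EAP_MESSAGE, eap_peap_start), acs_secret)
    return request_ok, verify_reply(challenge, request, ap_secret)


if __name__ == "__main__":
    print("matching secrets  :", demo_exchange(LAB_SECRET, LAB_SECRET))    # (True, True)
    print("mismatched secrets:", demo_exchange(LAB_SECRET, b"changeme"))   # (False, False)
```

The mismatched case is exactly what you see when the key in Figure 4-23 differs from the shared secret in Figure 4-21: ACS discards the AP's requests and the AP would discard any reply, so clients never get past EAP.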
You must also configure the Cisco ACS authentication server to perform the desired EAP authentication method. We configured LEAP and PEAP support. We recommend PEAP authentication for a more secure wireless connection.
Use the following instructions on the System Configuration - Global Authentication Setup page for Cisco Secure ACS to configure LEAP or PEAP authentication.
1. Click System Configuration → Global Authentication Setup, as shown in Figure 4-25 on page 62. The Global Authentication Setup page opens, as shown in Figure 4-26 on page 63.
Figure 4-25 Select Global Authentication Setup
2. On the Global Authentication Setup page, as shown in Figure 4-26, select the authentication protocols you require for your wireless network. At this time, we only include LEAP and EAP-MD5. We will add PEAP authentication in a later step (see Figure 4-58 on page 91).
Figure 4-26 Configure ACS global authentication
Define each client machine that uses LEAP authentication as a user in the Cisco Secure ACS server. Use the following steps to define users.
1. Click User Setup on the left panel (Figure 4-26) to go to the User Setup page shown in Figure 4-27.
Figure 4-27 Cisco ACS user setup
2. Type the new user name in the User: field, and click Add/Edit to add the new user.
3. Add user information as shown in Figure 4-28 on page 65. Include any supplementary user information as required, along with the password required to authenticate to the ACS RADIUS server.
Figure 4-28 User information
4. Click Submit.
5. Repeat this process to add all users and passwords to the ACS RADIUS server for LEAP authentication.
IBM Access Connections is used on the client computer to seamlessly manage the physical network connection. If multiple physical network interfaces are available (wired ethernet, wireless 802.11x ethernet), Access Connections selects the active network interface that has the fastest connection speed to be the active IP interface.
For more information about IBM Access Connections, see 5.2.2, “IBM Access Connections” on page 184.
For more detailed information about installing Access Connections and creating and managing client profiles, see Appendix A, “Deploying Access Connections” on page 191.
Attention: The Access Connections screen captures appearing in this Redpaper are based on V3.53, which was current at the time we wrote this Redpaper. The screens in future versions of Access Connections may differ in appearance; however, they are similar in functionality.
1. Download the latest version of IBM Access Connections from the following Web site: http://www.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-4ZLNJB
2. Download required drivers for your wireless card from the same Web site.
Attention: IBM Access Connections supports specific wireless cards from IBM, Cisco, and Intel. The supported wireless cards are listed on the download site.
3. Expand the wireless adapter card driver download file, and install the driver as instructed by the download site.
Note: Install the wireless adapter card driver before you install IBM Access Connections.
4. Expand the Access Connections download file, and install Access Connections as instructed by the download site.
Note: You can use the IBM ThinkPad Software Installer program to install both IBM Access Connections and the driver code for the wireless hardware.
In this section, we create an Access Connections profile to support LEAP authentication and automatically connect to the Access Point we defined previously.
1. Open IBM Access Connections using one of the following methods:
a. Select Start → All Programs → Access IBM → IBM Access Connections.
b. Click the IBM Access Connections icon in the task bar. See Figure 4-29.
Figure 4-29 Access Connections icon
The Connections Status window, shown in Figure 4-30 on page 67, opens.
Figure 4-30 Access Connections status window
2. As shown in Figure 4-30, click Manage Location Profiles → New. The Choose Your Connection Type window, shown in Figure 4-31 on page 68, opens.
Figure 4-31 Profile name
3. Add a name for the location profile, as shown in Figure 4-31, and then click Next. The Choose Your Switching Rule and Network Adapters window, shown in Figure 4-32 on page 69, displays.
Figure 4-32 Network adapter selection
4. Accept the defaults shown in Figure 4-32. This allows Access Connections to select the fastest connection speed when multiple adapters are active and connected to the network.
5. Click Next. The Edit Your TCP/IP Settings window, shown in Figure 4-33 on page 70, is displayed.
Figure 4-33 TCP/IP settings
6. Accept the defaults shown in Figure 4-33. This allows the client to get an IP address from the DHCP server in the network.
7. Click Next. The Edit Your Advanced DNS Settings window is displayed.
8. Click Next to accept the defaults. The Edit Your Wireless Network Settings window appears. It is shown in Figure 4-34 on page 71.
Figure 4-34 Edit Your Wireless Network Settings window - 1
9. Make the following changes on the Edit Your Wireless Network Settings window, shown in Figure 4-34:
a. Add the wireless network name (SSID) that you configured on the Access Point (refer to “Configure AP SSID and security settings” on page 53).
b. Select Enabled - use 802.1x - EAP - Cisco (LEAP).
c. Click Next.
Figure 4-35 Edit Your Wireless Network Settings window - 2
10. On the second Edit Your Wireless Network Settings window, shown in Figure 4-35, make the following changes:
a. Select WEP for Data Encryption.
b. Select Temporary User name and Password for user name and password settings.
c. Select Manually Prompt for LEAP User Name and Password. This forces the user to key in their LEAP user name and password when connecting over the wireless LAN.
11. To use the Windows logon user name and password as your LEAP user name and password, use steps a and b to first enable the option from the Access Connections main menu.
a. Select Options → Global Settings.
b. Select Allow wireless authentication using Windows log on user name and password (requires system restart). See Figure 4-75 on page 104.
12. For user name and password settings, select Temporary User name and Password, and then select Use Windows Name and Password, as shown in Figure 4-36. This forces the same user name and password to be used as the Windows logon user name and password when connecting over the wireless LAN.
Figure 4-36 Use Windows user name and password
13. Alternatively, for user name and password settings, select Use Saved User Name and Password, as shown in Figure 4-37. This forces the system to always use the saved user name and password when connecting over the wireless LAN without any prompt.
Figure 4-37 Use saved user name and password
Attention: To increase the overall client security, while at the same time simplifying the
and software to securely store certificates, userids, and passwords. Additionally, the integrated fingerprint reader on select ThinkPad models simplifies and further secures the logon process.
14. The remaining Access Connections configuration windows allow you to define additional settings such as default browser home page, printer, autostart applications, and so on. Click Next to accept defaults or make changes as required.
This completes the configuration of Cisco ACS Server, Cisco Access Point, and IBM Access Connections to support Cisco LEAP authentication and encryption.
The process of enabling LEAP authentication support in the Access Point also enables support for MS-PEAP authentication. There is no difference in the configuration on the Access Point itself. See Figure 4-18 on page 54.
For an overview of PEAP, visit the following Web site: http://www.ietf.org/proceedings/02mar/slides/eap-3/sld002.htm
Information in this section is excerpted from the following Web sites: http://www.microsoft.com/technet/security/guidance/peap_4.mspx
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#acs-2
For the purposes of this step-by-step guide, you must be logged on as an enterprise administrator.
To install the Microsoft Certificate Authority on the ACS server, perform the following steps:
1. Access the Windows Control Panel, and select Add or Remove Programs .
2. In the Add or Remove Programs window, select Add/Remove Windows Components on the left panel.
3. Select Certificate Services, as shown in Figure 4-38, and click Next.
Figure 4-38 Install Microsoft Certificate Services
For this scenario, we set up an Enterprise Root CA.
The next few steps include supplemental information concerning installation of the Microsoft Certificate Authority. After you choose to make the CA an Enterprise Root, you can accept the defaults.
4. If you intend to use the Web components of the Certificate Services, ensure that the IIS check box is selected. We recommend that you use the Web components of the Certificate Services. This simplifies certificate management and download.
Note: Install the CA after IIS to ensure that the Web pages are installed. If you install the CA first, it still functions, but you may not be able to access the Web pages. You can enable the Web pages by running the following command: certutil -vroot
5. The wizard prompts you to specify the type of Certification Authority (CA) you want to install. Setup attempts to guess which option is selected in order to make installation
– If no Active Directory is detected, the two enterprise options are disabled.
– If an Active Directory is detected, the Enterprise root CA option is selected when there are no CAs already registered in the Active Directory.
– If there are CAs registered in the Active Directory, the Enterprise subordinate CA option is selected.
Figure 4-39 Selecting the certificate authority type
If you plan to issue certificates to entities in your organization, or if you need seamless integration with the Active Directory, or if you need to enable smart card logon, select an enterprise CA from one of the following:
– Enterprise root CA - Choose this option if you do not have any CAs in your directory, or if you need a second enterprise root CA. The root CA is registered in the directory, and all computers in your enterprise using that directory automatically trust the root CA. It is a good security practice to limit the root CA to issuing certificates to subordinate CAs only, or to issuing only a few special purpose certificates. This means you want to install an enterprise subordinate after you finish installing the root. However, you can choose only the root CA.
– Enterprise subordinate CA - Choose this option if you already installed an enterprise root CA. Typically, you have multiple enterprise-subordinate CAs. Each of these CAs either serves different communities of users or provides different types of certificates. If there is more than one subordinate, it is possible to revoke the subordinate's certificate in case of disaster, and not have to reissue all certificates in the organization.
If you plan to issue certificates to entities outside your enterprise and do not want to use Active Directory or other Windows 2000 public key infrastructure (PKI) features, then select a stand-alone CA from one of the following:
– Stand-alone CA - Choose this option if you do not already have a stand-alone CA, or if you need a second root for a purpose different than the first.
– Stand-alone subordinate CA - Choose this option if you plan to make this CA a member of an existing CA hierarchy. The parent CA in the hierarchy can be a stand-alone CA, an enterprise CA, or an external commercial CA.
6. The wizard prompts you to supply identifying information appropriate for your site and organization. See Figure 4-40.
Figure 4-40 Certificate authority identifying information
The Certificate Authority name (or common name) is critical because it identifies the CA object created in the Directory. The Valid for time can only be set for a root CA. Set the root CA Valid for time to a reasonable value; the actual duration is a trade-off between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrate the steps that need to be taken to move the CA to a new certificate. A time period of two or more years is usually sufficient. When you are finished entering the information, click Next.
7. A dialog box defines the locations of the certificate database, configuration information, and the location where the Certificate Revocation List (CRL) is stored. The Enterprise CA always stores its information, including the CRL, in the directory. Select the Shared folder check box. This option specifies the location of a folder where configuration information for the CA is stored. Make this folder a UNC path, and point all your CAs to the same folder. Then the administration tools can use this folder for determining CA configuration if the Active Directory is not available. If you have an Active Directory, this folder is optional. If you do not have an Active Directory, this folder is required. See Figure 4-41.
If you are installing a CA in the same location as a previously installed CA, the Preserve existing certificate database option is enabled. Check this option if you wish your new CA to use this database; otherwise, the system deletes the database.
After you specify the storage locations for your information, click Next.
Figure 4-41 CA database settings
8. If IIS is running, a message prompts you to stop the service. Click OK to stop IIS. You must stop IIS to install the Web components. If you do not have IIS installed, you will not see this message.
Note: Install the CA after IIS to ensure that the Web pages are installed. If the CA is installed first, it still functions, but you may not be able to access the Web pages. You can enable the Web pages by running the following command: certutil -vroot
9. Click OK to complete the installation.
10. Click Finish to close the wizard.
When using Windows 2003 Enterprise Edition, you must create a certificate template that works for this implementation. Perform the following steps:
1. Select Start → Run, and type certtmpl.msc.
2. Right-click the Web Server template, and select Duplicate Template.
Figure 4-42 Create a duplicate Web Server template
3. On the Properties of New Template window, click the General Tab.
4. In the Template Display Name field, type an easily identifiable name since this template is referenced later. We selected WECMlabtemplate. See Figure 4-43.
Figure 4-43 Template display name
5. Click the Request Handling tab, and check Allow private key to be exported, as shown in Figure 4-44.
Figure 4-44 Export private key
6. Click the CSPs button at the bottom of the window shown in Figure 4-44. The CSP Selection window appears.
7. Select Microsoft Base Cryptographic Provider v1.0. You can leave the other options at
Figure 4-45 Select cryptographic service provider
8. Click OK.
9. Click Apply, and then click OK.
10. Select Administrative Tools → Certificate Authority to open the Certificate Authority.
11. Expand the CA (in our example, it is IBMWECMLAB), and right-click Certificate Templates.
12. Select New → Certificate Template to Issue.
Figure 4-46 Issue new certificate template
13. Select the template you previously created, and press OK.
Figure 4-47 Select the new certificate template to issue
14. Restart the CA service from the services window.
15. Select Administrative Tools → Services. You may have to reboot to get the template to appear in the list.
MS-PEAP requires the use of a server certificate for client authentication of the server.
Information in this section is taken primarily from the following Web site: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#config-wc
1. Open Internet Explorer and go to the following Web site: http://IP_of_CA_server/certsrv
In our configuration, the URL is http://192.168.1.1/certsrv.
2. Select Request a certificate.
Figure 4-48 Request a certificate
3. On the next page, select Advanced certificate request .
4. On the Advanced Certificate Request page, select Create and submit a request to this CA.
5. Select the template that you created previously from the Certificate Template drop-down list. In this scenario, the template name is WECMlabtemplate (refer to Figure 4-47 on page 81).
Figure 4-49 Advanced Certificate Request
6. Type a name for the certificate. We chose ibmcert. We recommend a distinctive name, since this name is referred to later. Leave everything else blank. See Figure 4-49.
7. In the Key Options section complete the fields using the following information:
– CSP = Microsoft Base Cryptographic Provider v1.0
– Key Size = 1024
– Check Mark keys as Exportable
– Check Store certificate in the local computer certificate store
– Leave everything else as default.
8. Click Submit.
9. Click Install this certificate.
Figure 4-50 Install the certificate
A page displays that says “Your new certificate has been successfully installed”. See Figure 4-51.
Figure 4-51 Certificate successfully installed
The following three steps may not be required with Windows 2003. We performed the previous steps to install the certificate on the ACS server with Windows 2003 Enterprise. These steps are primarily required with Windows 2000 Server.
1. Approve the Certificate from the CA.
a. Select Start → Programs → Administrative Tools → Certificate Authority to open the CA.
b. On the left, expand the certificate.
c. Click Pending Requests.
d. Right-click the certificate, select All Tasks, and then select Issue.
2. Download the Server Certificate to the Cisco ACS Server.
a. Open the Web browser and go to the following Web address: http://IP_of_CA_server/certsrv/
b. Select Check on a Pending Certificate, and click Next.
c. Select the certificate, and click Next .
d. Click Install .
3. This step is not required if the Cisco ACS Server and the CA are installed on the same server. Install the CA Certificate on the ACS Server.
a. Open the Web browser, and go to the following Web address: http://IP_of_CA_server/certsrv/
b. Select Retrieve the CA certificate or certificate revocation list, and click Next.
c. Select Base 64 encoded.
d. Click Download CA certificate.
e. Click Open, and then click Install certificate.
f. Click Next.
g. Select Place all certificates in the following store, and click Browse.
h. Check Show physical stores.
i. Expand Trusted root certification authorities, select Local Computer, and then click OK.
j. Click Next → Finish → OK.
Follow these steps to configure ACS to use the certificate in storage.
1. Open a web browser.
2. Type the following Web address in the address bar to get to the ACS server: http://ACS-ip-address:2002/
3. Click System Configuration in the left panel.
4. Click ACS Certificate Setup.
Figure 4-52 ACS certificate setup
5. On the next page, click Install ACS Certificate. Figure 4-53 on page 86 is displayed.
6. Select Use certificate from storage.
Note: This entry must match the name that you typed in the Name field during the advanced certificate request. It is the CN name in the subject field of the server certificate. You can edit the server certificate to check for this name. Do not enter CN as the name of issuer.
8. Click Submit.
Figure 4-53 Install ACS Certificate
9. After the configuration is complete, a confirmation message appears indicating that the configuration of the ACS server changed. See Figure 4-54.
Figure 4-54 Certificate added
Note: You do not need to restart the ACS at this time.
10. Click System Configuration in the left panel.
11. Click Edit Certificate Trust List.
Figure 4-55 Edit the ACS certificate trust list
12. Check all the CAs that the ACS can trust.
13. Deselect all the CAs that the ACS cannot trust. We configured a CA on the ACS server; therefore, we checked the name of that server.
14. Click Submit.
Figure 4-56 Certificates to trust
Use the following steps to restart the service and configure PEAP settings.
1. Click System Configuration, and then click Service Control.
2. Click Restart.
3. To configure PEAP settings, click System Configuration → Global Authentication Setup.
Figure 4-57 Global authentication setup
4. On the pages shown in Figure 4-58 on page 91 and Figure 4-59 on page 92, check the following two settings:
– Allow EAP-MSCHAPv2
– Allow MS-CHAP Version 2 Authentication
Leave all other settings at the default. You can specify additional settings, such as Enable Fast Reconnect.
5. Click Submit .
Figure 4-58 Configure Cisco ACS PEAP settings - part 1
Figure 4-59 Configure Cisco ACS PEAP settings - part 2
Follow these steps to configure the external user databases. We recommend using the Microsoft Windows Active Directory for the external database.
Note: Only ACS 3.2 or later supports PEAP-MS-CHAPv2 with machine authentication to a Windows database.
1. Select External User Databases on the left panel. Click Database Configuration → Windows Database.
Figure 4-60 ACS external database
2. Click Configure. Under Configure Domain List, move the IBMWECMLAB domain from Available Domains to Domain List. See Figure 4-61 on page 94.
Figure 4-61 Select domain
3. To enable machine authentication, under Windows EAP Settings, select Enable PEAP machine authentication. Do not change the machine authentication name prefix. Microsoft currently uses “/host” (the default value) to distinguish between user and machine authentication. You can also select Enable password change inside PEAP, but it is not mandatory.
4. Click Submit.
Figure 4-62 Enable PEAP machine authentication
Figure 4-63 Select Windows external database
5. As shown in Figure 4-63, make the following changes:
– Click External User Databases in the left panel.
– Click Unknown User Policy .
– Select Check the following external user databases, then use the right arrow button ( -> ) to move Windows Database from External Databases to Selected Databases.
6. Click Submit .
After you configure the ACS, follow these steps to restart the service.
1. Click System Configuration → Service Control.
2. Click Restart .
Following is the process for configuring MS-PEAP authentication support in the client machines.
1. Join the domain.
2. Manually install the root certificate on the Windows client.
3. Configure IBM Access Connections for MS-PEAP authentication.
Use the following steps to add the wireless client to the domain.
Note: To complete these steps, the wireless client must have connectivity to the CA, either through a wired connection or through the wireless connection with 802.1x security disabled.
1. Log in to Windows XP as the local administrator.
2. Access the Control Panel → Performance and Maintenance → System.
3. Select the Computer Name tab, and then click Change.
4. Type the host name in the field for computer name. Select Domain, and then type the name of the domain (IBMWECMLAB in this scenario). See Figure 4-64.
Figure 4-64 Join the domain
5. Click OK.
6. When a login dialog is displayed, join the domain by logging in with an account that has permission to join the domain (see “Add users to Microsoft Active Directory” on page 47).
7. After the computer successfully joins the domain, restart the computer. The machine will be a member of the domain. Since Active Directory is set up by default for machine autoenrollment, the machine has a certificate for the CA installed as well as a certificate for machine authentication.
This step is only necessary if the client does not automatically pull the certificate down to the client PC through autoenrollment. Active Directory is set up by default to push the trusted root certificate down to the client.
Use the following steps to see if the certificate is installed on the client machine.
1. Select Start → Run, and type mmc.
2. Click File → Add/Remove Snap-in.
3. Click Add.
Figure 4-65 Add a snap-in - 1
4. Select Certificates, and click Add.
Figure 4-66 Add a snap-in - 2
5. Click Close to close the Add Standalone Snap-in window.
6. Click OK on the Add/Remove Snap-in window.
7. Expand Certificates - Current User.
8. Expand Trusted Root Certification Authorities, and click Certificates.
9. Scroll down the window to find the CA that you installed on the ACS server. See Figure 4-67.
Figure 4-67 Find installed certificate
10. If your certificate is not in the list, proceed with the next sections to install your certificate; otherwise, go to “Configure IBM Access Connections V3.53 for MS-PEAP authentication” on page 104.
If you are using Windows 2003 Enterprise server as the CA, use the following instructions to install the root certificate on the client machine.
1. Access the CA server by typing the following Web address into a browser: http://root-CA-ip-address/certsrv
You must log on with the Administrator user name and password of the CA server itself.
2. Click Download a CA certificate, certificate chain, or CRL, as shown in Figure 4-68.
Figure 4-68 Install certificate - Windows 2003 - 1
3. In the encoding method section, click Base 64, and select Download CA certificate. See Figure 4-69.
Figure 4-69 Install certificate - Windows 2003 - 2
4. When the File download page opens, click Open → Install Certificate.
Figure 4-70 Install certificate - Windows 2003 - 3
5. Click Next.
6. When the Certificate Import Wizard screen opens, select Automatically select the certificate store based on the type of certificate.
7. Click Next.
8. Click Finish.
Use the following steps to install the root certificate on the client machine if you are using a Windows 2000 server CA. If you followed the steps in “Windows 2003 Enterprise Certificate Authority” on page 99 for Windows 2003 Enterprise server, you do not need to perform these steps.
1. On the Windows client machine, open a Web browser.
2. Type the following Web address into the browser address field: http://root-CA-ip-address/certsrv
In this example, the CA's IP address is 10.66.79.241, as shown in Figure 4-71.
Figure 4-71 Install certificate - Windows 2000 - 1
3. Log into the CA site.
4. Select Retrieve the CA certificate or certificate revocation list, and click Next. See Figure 4-72.
Figure 4-72 Install certificate - Windows 2000 - 2
5. Click Download CA certificate to save the certificate on the local machine. See Figure 4-73.
Figure 4-73 Install certificate - Windows 2000 - 3
6. Open the certificate, and click Install Certificate.
Note: In the following example, the icon at the top left indicates that the certificate is not yet trusted (installed).
Figure 4-74 Install certificate - Windows 2000 - 4
7. Install the certificate in Current User/Trusted Root Certificate Authorities.
– Click Next.
– Select Automatically select the certificate store based on the type of the certificate, and click Next.
– Click Finish to place the root certificate automatically under Current User/Trusted Root Certificate Authorities.
Use the following steps to configure a PEAP profile with IBM Access Connections.
1. See “Install Access Connections” on page 66 for information about installing IBM Access Connections if it is not already installed on the client computer.
2. Configure Access Connections to support wireless logon using Windows user ID and password (single sign-on).
3. Start Access Connections, and select Options from the task bar.
4. Select Global Settings... The window shown in Figure 4-75 is displayed.
Attention: To increase the overall client security, while simultaneously simplifying the
and software to securely store certificates, userids, and passwords. Additionally, the integrated fingerprint reader on select ThinkPad models simplifies and further secures the logon process.
Figure 4-75 Configure wireless authentication using Windows log on and password
5. Select Allow wireless authentication using Windows log on user name and password. This requires a system restart.
6. Click OK.
7. After you restart the system, create a profile for PEAP support. Refer to “Configure Access Connections V3.53 for LEAP authentication” on page 66 for information about how to create an Access Connections profile.
8. Open Access Connections, click Manage Location Profiles, and click New.
9. Enter a name for the Location Profile, and click Next.
10. On the Choose Your Switching Rule and Network Adapters page, accept the defaults. This allows Access Connections to select the fastest connection speed when multiple adapters are active and connected to the network. Click Next.
11. On the Edit your TCP/IP Settings page, click Next to obtain an address from DHCP.
12. On the Edit Your Advanced DNS Settings page, click Next to use the defaults.
13. Add the SSID for the Access Point. In this scenario, the SSID for PEAP testing is leap2. For the Wireless Security Type, select Enabled - Use IEEE 802.1x Authentication. This allows you to use PEAP. See Figure 4-76.
Figure 4-76 SSID and security type
14. Click Next.
Figure 4-77 Configure Access Connections PEAP settings
15. On the Edit Your Wireless Network Settings page, shown in Figure 4-77, make the following changes and selections:
– Select Use Access Connections to configure wireless authentication settings.
– In the EAP type drop-down list, select PEAP.
– Select Validate Server Certificate.
– In the Certificate Issuer drop-down list, select the server certificate you imported in step 7 on page 97. We named our server certificate IBMWECMLAB.
– In the Authentication Protocol drop-down list, select MS-CHAP-V2.
– Click Enter user credentials.
Figure 4-78 Enter user credentials
– Select Use Windows log on user name and password. This enables single sign-on support.
– Click OK.
– Click Next on the Edit Your Wireless Network Settings page to continue configuring Access Connections.
16. Click Next three consecutive times.
17. Save the profile.
Cisco ACS Server, Cisco Access Point, and IBM Access Connections are now configured to support MS-PEAP authentication and encryption.
This section provides information you can use to confirm that your configuration is working properly.
To verify that the wireless client authenticates:
1. On the wireless client, go to Control Panel → Network and Internet Connections → Network Connections.
2. On the menu bar, go to View → Tiles. The wireless connection should display the message “Authentication succeeded.”
To verify from the ACS server that wireless clients authenticate:
On the ACS web interface, go to Reports and Activity → Passed Authentications → Passed Authentications active.csv.
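The ACS-side check above opens the Passed Authentications report by hand. As an added example (not from the Redbook, and not an IBM or Cisco tool), the following shell script summarises an exported Passed Authentications CSV so that machine authentications (the host/ prefix configured under Windows EAP Settings) and user authentications, and the access point each came through, can be reviewed in one pass. SAMPLE_CSV and its column order are constructed for illustration; the real export carries a header row, so confirm the column positions against it before trusting the counts.

```shell
#!/bin/sh
# Added example, not from the Redbook: read a Cisco Secure ACS
# "Passed Authentications" CSV export and summarise who authenticated, from
# which access point, and whether the entry was a machine (host/...) or a
# user authentication. SAMPLE_CSV is constructed for illustration, and its
# column order is an assumption: ACS writes a header row, so confirm the
# column positions against your own export before relying on the numbers.
SAMPLE_CSV='Date,Time,User-Name,Group-Name,Caller-ID,NAS-IP-Address,EAP Type Name
10/19/2005,09:12:41,host/tp01.ibmwecmlab.local,Default Group,00-0E-9B-11-22-33,192.168.1.5,PEAP
10/19/2005,09:12:58,user1,Default Group,00-0E-9B-11-22-33,192.168.1.5,PEAP
10/19/2005,09:15:03,user2,Default Group,00-0E-9B-44-55-66,192.168.1.6,LEAP
10/19/2005,09:16:30,host/tp02.ibmwecmlab.local,Default Group,00-0E-9B-44-55-66,192.168.1.6,PEAP'

# Classify one User-Name: PEAP machine authentications carry the machine
# authentication name prefix (host/ by default); user logons carry none.
classify_username() {
    case "$1" in
        host/*) echo machine ;;
        *)      echo user ;;
    esac
}

# Count passed authentications of one kind ("machine" or "user") in the
# CSV read from stdin; the header row (NR == 1) is skipped.
count_passed() {
    awk -F, -v kind="$1" 'NR > 1 {
        k = ($3 ~ /^host\//) ? "machine" : "user"
        if (k == kind) n++
    } END { print n + 0 }'
}

# Passed authentications per access point, as "NAS-IP-Address count" lines.
passed_per_ap() {
    awk -F, 'NR > 1 { n[$6]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Date and time of the most recent passed authentication for user $1, or
# an empty string when that user never passed.
last_passed_for() {
    awk -F, -v u="$1" 'NR > 1 && $3 == u { t = $1 " " $2 } END { print t }'
}

# Stand-alone report on the constructed sample.
main() {
    echo "machine authentications: $(printf '%s\n' "$SAMPLE_CSV" | count_passed machine)"
    echo "user authentications:    $(printf '%s\n' "$SAMPLE_CSV" | count_passed user)"
    echo "per access point:"
    printf '%s\n' "$SAMPLE_CSV" | passed_per_ap
}
main
```

To run it against a real export, replace the printf of SAMPLE_CSV with `cat "Passed Authentications active.csv"` in front of the same functions; a client that shows “Authentication succeeded” but never appears here points at the access point forwarding to a different RADIUS server than the one whose report you are reading.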
Table 4-2 Client and Access Point security settings

Security feature: Static WEP with open authentication
Client setting: Create a WEP key and enable Use Static WEP Keys and Open Authentication
Access Point setting: Set up and enable WEP and enable Open Authentication for the SSID

Security feature: Static WEP with shared authentication
Client setting: Create a WEP key and enable Use Static WEP keys and Shared Key authentication
Access Point setting: Set up and enable WEP and enable Shared Key for the SSID

Security feature: LEAP Authentication
Client setting: Enable LEAP
Access Point setting: Set up and enable WEP and enable Network-EAP for the SSID

Security feature: 802.1x authentication and CCKM
Client setting: Enable LEAP
Access Point setting: Select a cipher suite, and enable Network-EAP and CCKM for the SSID. NOTE: To allow both 802.1x clients and non-802.1x clients to use the SSID, enable optional CCKM.

Security feature: 802.1x authentication and WPA
Client setting: Enable any 802.1x authentication method
Access Point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID. You can also enable Network-EAP authentication in addition to or instead of Open authentication. NOTE: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

Security feature: 802.1x authentication and WPA-PSK
Client setting: Enable any 802.1x authentication method
Access Point setting: Select a cipher suite, and enable Open authentication and WPA for the SSID. You can also enable Network-EAP authentication in addition to or instead of Open authentication. Enter a WPA pre-shared key. NOTE: To allow both WPA clients and non-WPA clients to use the SSID, enable optional WPA.

Security feature: PEAP authentication
Client setting (if using Access Connections to configure the card): Enable Host Based EAP, and use Dynamic WEP Keys in ACU. Select Enable network access control using IEEE 802.1x and PEAP as the EAP type in Windows 2000 (with Service Pack 3) or Windows XP.
Client setting (if using Windows XP to configure the card): Select Enable network access control using IEEE 802.1x and PEAP as the EAP Type.
Access Point setting (either case): Set up and enable WEP. Enable EAP. Open authentication for the SSID.

Security feature: EAP-TLS authentication
Client setting (if using Access Connections to configure the card): Enable Host Based EAP, and use Dynamic WEP Keys in ACU. Select Enable network access control using IEEE 802.1x and PEAP as the EAP type in Windows 2000 (with Service Pack 3) or Windows XP.
Client setting (if using Windows XP to configure the card): Select Enable network access control using IEEE 802.1x and Smart Card or other Certificate as the EAP Type.
Access Point setting (either case): Set up and enable WEP. Enable EAP. Open authentication for the SSID.
If you are having a problem with the CSadmin.exe service starting, unplug the APs from the switch when you install ACS.
If you are having a problem viewing the ACS admin screen, namely if nothing is showing, then make sure that the Security level is set to Medium.
If you try to configure ACS from the admin page, and you receive “Error on page” errors at the bottom of the screen, make sure that the Java upgrade completed.
Make sure that the server certificate is using the correct format.
– On the ACS server, go to Start → Run → mmc.
– Click File → Add/Remove Snap-in.
– Click Add, and choose Certificates from the Add Standalone Snap-in screen.
– Click Add, choose Computer account, and click Next.
– Choose Local computer, and click Finish.
– Click Close, and click OK on the Add/Remove Snap-in page.
– Expand Certificates, and expand ACSCertStore.
– Click Certificates, and then select the certificate that shows up. This should be the one that you installed on ACS.
– Double-click the certificate, and choose the Details tab. There should be an Enhanced Key Usage field.
For wireless printer support, we configured an OTC Wireless, Inc. ACR-201-G 802.11g Wireless Print Adapter for use with an IBM Infoprint 1422 network attached printer. Addition of the Wireless Print Adapter to the Infoprint 1422 configuration enables wireless printer communications and allows more flexible placement of the printer in the work environment.
For more information about the IBM Infoprint 1422 printer, see Figure 5-6 on page 188.
The Wireless Print Adapter is preconfigured to work with a wireless network that broadcasts the SSID. WEP is not enabled. The Wireless Print Adapter does not support LEAP or PEAP authentication.
We performed the following customization to configure the Wireless Print Adapter for our environment.
1. Use the supplied white straight-through Cat5 cable to temporarily connect the Wireless Print Adapter to your computer's network port.
2. Open a Web browser and type the following Web address in the location field: http://169.254.98.200
When prompted, type admin as the user name and public as the password.
Note: The computer must have its network card configured for the same subnet as the Wireless Print Adapter to access the device web page.
The page shown in Figure 4-79 on page 110 appears. This is the Administration page. No changes are required on this page.
Figure 4-79 Administration page
3. Select the Wireless tab. The page shown in Figure 4-80 on page 111 appears. This page allows you to set the basic wireless information.
Figure 4-80 Wireless page
4. In the Wireless network name (SSID) field, type the SSID name for your wireless LAN. Click Save, then click the Security tab.
Figure 4-81 Security page
5. The page shown in Figure 4-81 allows you to configure the WEP key used for encryption. The Wireless Print Adapter does not support PEAP authentication. Select the WEP key length, and type the required WEP key. Click Save.
6. You may have to reboot the Wireless Print Adapter. This completes the software configuration.
7. Detach the Wireless Print Adapter from your computer and attach it to the printer using an Ethernet cable.
This completes the configuration of the IBM InfoPrint 1422 printer with the Wireless Print Adapter.
This scenario expands on the environment configured in scenario 1. It adds the ability to log on to the enterprise intranet from home using a secure virtual private network (VPN) tunnel through the Internet. The primary facilitator for this capability is the addition of WebSphere Everyplace Connection Manager (WECM) software in the intranet to create and manage the VPN tunnels, as illustrated in Figure 4-82.
Figure 4-82 Network configuration for wireless implementation with WECM
(Diagram labels: Windows 2003 Server running Active Directory, Certificate Authority, DNS, DHCP and the Cisco Secure ACS RADIUS server, 192.168.1.1; AP1, 192.168.1.5, SSID = leap1a; AP2, 192.168.1.6, SSID = leap2; wired intranet; WECM with OpenLDAP on Red Hat Enterprise Linux, 192.168.1.4 and 9.9.9.9; further labels 192.168.1.254, VPN = 10.10.10.0 and 9.9.9.1; Internet; Firewall / router; wireless client at HOME.)
This scenario requires the installation of additional software to create the VPN tunnel through the Internet from the home user’s computer to the enterprise intranet.
Install the WebSphere Everyplace Connection Manager (WECM) server software on a server machine within the private intranet or demilitarized zone (DMZ). You must install the WECM client code on all the client machines that access the private intranet from the Internet.
WECM requires LDAP and database software. We installed OpenLDAP software that is provided with Red Hat Enterprise Linux, and DB2 Express for database support. We installed this software on the same machine running the WECM server software. If you already have LDAP and database software configured in your environment, then you may be able to configure WECM to use them.
An additional server machine is required to run the WECM server software. It is possible that you can install the WECM server software on a currently existing server machine in the private intranet. However, the WECM server is responsible for setting up the VPN tunnels between client computers on the Internet and the WECM server machine. It must be connected to the Internet via a router or firewall to receive client requests to set up a VPN tunnel. So, for security purposes, install the WECM server software on a separate machine to isolate it from the rest of the enterprise intranet.
In addition, the WECM server machine is typically placed in a demilitarized zone (DMZ) to further isolate it from the Internet and corporate intranet. If the LDAP and database server that WECM uses are located in the intranet, ports must be opened in the firewall between the intranet and the DMZ to support WECM LDAP and database traffic.
The WECM server machine must have two network interface cards (NIC):
– One card to connect to the internal network
– One card to connect to the external network (Internet) via a firewall or router
This scenario assumes that the home user already has Internet access from their home location. It does not matter if the home Internet access is via cable or DSL, or if the user implemented a wired or wireless network in their home.
In this and the following scenarios, we are setting up an environment where an employee can access an enterprise network from a non-secure environment: their home, a wireless hotspot at an airport, a train, and so on. Once they establish a connection to an enterprise intranet, all the corporate applications and tools that employee is authorized for are available from that client. Theft of the client ThinkPad, especially while it is connected to the enterprise network, is a major concern.
We recommend that you implement every password and inactivity time out option provided by Windows, WebSphere Everyplace Connection Manager, and other software. This includes:
Power on password
Hard drive password
Screen saver password with minimal idle time trigger
Minimal application inactivity time out values
WECM session time out values
The software and hardware configuration we installed in scenario 1 is also required in this scenario. See 4.1.3, “Hardware and software to install and configure” on page 41.
In addition to the software and hardware we configured and installed during scenario 1, we also install and configure the following additional software and hardware.
– One IBM Eserver xSeries 226 with two network interface cards. This server hosts the WebSphere Everyplace Connection Manager server software. For more information, see 5.3, “IBM Eserver xSeries 226” on page 187.
– Red Hat Enterprise 3.0 Linux
– DB2 V8.2 Express
– WebSphere Everyplace Connection Manager V5.1
WECM server code runs in the Linux environment. We used Red Hat Enterprise 3.0 Linux.
Red Hat Enterprise Linux is distributed on four CDs for installation. Insert CD1 and boot the machine from the CD. When installing Red Hat Enterprise 3.0 Linux, make sure that you include and install the following features:
– Install OpenLDAP (see Figure 4-100 and Figure 4-101 on page 124)
– Install glibc libraries (see Figure 4-102 and Figure 4-103 on page 125)
– Install kernel source (see Figure 4-104 and Figure 4-105 on page 126)
The following series of figures details the installation of Red Hat Enterprise 3.0 Linux on an IBM Eserver xSeries 226 server.
Figure 4-83 Begin installation
Press Enter to install Red Hat Enterprise 3.0 Linux on your system.
Figure 4-84 Test the CD media
Often, the CD media can become damaged or scratched. Red Hat provides an option to test the integrity of the CD media. If you choose to perform this task, it can take several minutes.
We chose to skip this test. See Figure 4-84.
Figure 4-85 Anaconda installer
The Red Hat Enterprise Linux anaconda installer begins the installation wizard.
Figure 4-86 Red Hat welcome page
After a while, the welcome page for the Red Hat Enterprise Linux installation wizard will be displayed.
Figure 4-87 Language selection
Select the installation language in the window shown in Figure 4-87.
Figure 4-88 Keyboard selection
Select the keyboard layout for this installation.
Figure 4-89 Mouse selection
Select the mouse configuration for this installation.
Figure 4-90 Disk partitioning setup
For simplicity, we chose to automatically partition the system. More advanced users may customize the partitioning to match their specific requirements. However, be sure to read the system requirements for WECM prior to custom partitioning of your system.
Figure 4-91 Remove partitions
We selected to remove all partitions on the system in order to get a clean installation of Red Hat Enterprise Linux. See Figure 4-91.
Figure 4-92 Warning dialog
The WARNING dialog shown in Figure 4-92 will be displayed confirming the deletion of all existing partitions.
Figure 4-93 Partition information
Information on the newly created partition is displayed in Figure 4-93.
Figure 4-94 Boot loader configuration
The default boot loader configuration is sufficient for this installation. More advanced users can perform additional configuration as required.
Figure 4-95 Firewall configuration
For this installation, we disable the firewall until later. See Figure 4-95. After WECM is installed, there will be an additional virtual NIC (Network Interface Card). This is a software implementation of an actual NIC. If you are not a firewall expert, the easiest configuration is to turn off the firewall until WECM is installed and working. At that point, you can configure the firewall accordingly; otherwise the firewall WILL cause problems and prevent WECM from working correctly.
Figure 4-96 Additional language support
For this installation, we do not require any additional languages. See Figure 4-96.
Figure 4-97 Time zone selection
Select your time zone as required as shown in Figure 4-97.
Figure 4-98 Root password
Set the root ID password for your Red Hat Enterprise Linux installation.
Figure 4-99 Reading package information
The system will begin reading software package information. We will not take the default package selections. We must select additional software packages required by WECM.
Figure 4-100 Select Network Servers
By default, the Network Servers package group is not selected. Select this group, and then click Details.
Figure 4-101 Select OpenLDAP
OpenLDAP is not selected by default. However, OpenLDAP is required by WECM. Select openldap-servers under Optional Packages and click OK .
Figure 4-102 Development Tools selection
Development Tools are not selected by default during installation. However, WECM requires them. Select Details to see more information. See Figure 4-102.
Figure 4-103 glibc libraries
The glibc libraries are required to compile a component of the WECM installation. Click OK.
Figure 4-104 Kernel Development
Kernel Development is not selected in a default Red Hat Enterprise installation. It is required during WECM installation. Click Details to see what will be installed. See Figure 4-104.
Figure 4-105 Base Packages
kernel-source is required to compile one of the WECM components. Click OK to return.
Figure 4-106 Begin installation
Click Next to begin the installation of Red Hat Enterprise Linux and associated software packages.
Figure 4-107 Format file system
The file system must be formatted.
Figure 4-108 CD 2, CD 3, CD 4
Insert product CD 2, 3 and 4 when requested.
Figure 4-109 CD 1
Insert product CD 1 when requested. This will complete the installation.
Figure 4-110 Graphical Interface Configuration
The installation wizard will attempt to detect and configure the video card installed on the system.
Figure 4-111 Monitor Configuration
The installation wizard will attempt to install and configure the monitor attached to the system.
Figure 4-112 Customize Graphics Configuration
Be careful when changing the graphics configuration if you are not an advanced Linux user. If the resolution is set too high, the graphical login screen may not be displayed correctly.
Figure 4-113 Installation complete
Remove all media and press Enter to reboot the machine.
Figure 4-114 First time setup
The Setup Agent starts after the first system reboot.
Figure 4-115 License Agreement
Select Yes to the License Agreement and click Next .
Figure 4-116 Date and Time
Set the date and time for your system.
Figure 4-117 User Account
It is recommended that you create another system account other than the default account of root. We created a system user account named wecmadmin. See Figure 4-117.
Figure 4-118 System registration
If connected to a network, registering your system with Red Hat is the best way to keep the system current with any software package updates. We chose to skip the registration at this point. Advanced users can register their system after installation of WECM.
Figure 4-119 Additional CDs
We did not require any additional CDs for this installation.
Figure 4-120 Finish Setup
This screen confirms completion of the setup wizard.
Figure 4-121 Kernel selection
Select the Red Hat Enterprise Linux kernel during system boot.
Figure 4-122 Log in
Log in using the user account created previously.
Figure 4-123 wecmadmin
This completes the installation of Red Hat Enterprise 3.0 Linux on an IBM Eserver xSeries 226 server.
After you install Red Hat Enterprise 3.0 Linux, make the following modifications to the OpenLDAP installation. For further documentation on OpenLDAP, visit the following Web address: http://www.openldap.org
Figure 4-124 Edit the slapd.conf file
The slapd.conf file is the OpenLDAP configuration file. Edit the slapd.conf file as shown in Figure 4-124. We used the VI editor:
cd /etc/openldap
vi slapd.conf
The VI editor opens as shown in Figure 4-125.
Figure 4-125 slapd.conf file
Make the following changes to the slapd.conf file:
suffix "dc=wecmsmb"
rootdn "cn=Manager,dc=wecmsmb"
rootpw secret
Save and close the slapd.conf file.
In Red Hat Enterprise Linux, OpenLDAP is not configured to automatically start when the machine reboots. We modified this as shown in Figure 4-126.
Figure 4-126 Configure OpenLDAP to start at machine reboot
Use the chkconfig command to automatically start OpenLDAP when the machine reboots:
chkconfig --list (to view the existing service settings)
chkconfig --level 345 ldap on (to change the service setting for OpenLDAP)
We can now start the OpenLDAP service. See Figure 4-127.
Figure 4-127 Start the OpenLDAP service
Use the following command to start the OpenLDAP service: service ldap start
This completes the configuration of OpenLDAP.
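The slapd.conf edits, the chkconfig registration and the service start above are done by hand in this section. As an added example (not from the Redbook, and not part of OpenLDAP or WECM), the following POSIX shell script applies the same three directives to a copy of the file and checks the result. The sample slapd.conf content is constructed; storing the rootpw as a hash produced by slappasswd instead of the cleartext value is an addition beyond the section's steps, and the script falls back to the cleartext value when the OpenLDAP tools are not on the PATH.

```shell
#!/bin/sh
# Added example, not from the Redbook: apply the three slapd.conf changes
# the section describes to a copy of the file, using a hashed rootpw where
# slappasswd is available, and check the result. The sample slapd.conf
# content is constructed for illustration; the real file on the WECM
# server is /etc/openldap/slapd.conf.

# Write a constructed slapd.conf fragment (Red Hat style defaults) to $1.
write_sample_slapd_conf() {
    cat > "$1" <<'EOF'
include         /etc/openldap/schema/core.schema
database        ldbm
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
# rootpw        secret
directory       /var/lib/ldap
EOF
}

# Produce the rootpw value for $1: an {SSHA} hash from slappasswd when the
# OpenLDAP tools are installed, otherwise the cleartext value (as in the
# section's example). A hash keeps the manager password out of the file.
rootpw_value() {
    if command -v slappasswd >/dev/null 2>&1; then
        slappasswd -s "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Rewrite suffix ($2) and rootdn ($3) in the file $1, drop any existing or
# commented-out rootpw line, and insert rootpw ($4) right after rootdn.
configure_slapd_conf() {
    f=$1
    awk -v suffix="$2" -v rootdn="$3" -v rootpw="$4" '
        /^suffix[ \t]/  { print "suffix          \"" suffix "\""; next }
        /^rootdn[ \t]/  { print "rootdn          \"" rootdn "\"";
                          print "rootpw          " rootpw; next }
        /^#?[ \t]*rootpw[ \t]/ { next }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 when $1 carries exactly one rootpw line and the expected
# suffix ($2) and rootdn ($3); otherwise return 1.
check_slapd_conf() {
    grep -q "^suffix[[:space:]]*\"$2\"" "$1" || return 1
    grep -q "^rootdn[[:space:]]*\"$3\"" "$1" || return 1
    [ "$(grep -c '^rootpw[[:space:]]' "$1")" -eq 1 ]
}

# Register ldap in runlevels 3, 4 and 5 and start it (needs root; not
# exercised by the stand-alone run below).
enable_and_start_ldap() {
    chkconfig --level 345 ldap on && service ldap start
}

# Stand-alone run against a scratch copy of the sample file.
main() {
    f=$(mktemp) || return 1
    write_sample_slapd_conf "$f"
    configure_slapd_conf "$f" "dc=wecmsmb" "cn=Manager,dc=wecmsmb" "$(rootpw_value secret)"
    check_slapd_conf "$f" "dc=wecmsmb" "cn=Manager,dc=wecmsmb" && cat "$f"
    rm -f "$f"
}
main
```

On the real server, run configure_slapd_conf against /etc/openldap/slapd.conf and then enable_and_start_ldap as root. A query of the root DSE, `ldapsearch -x -b "" -s base "(objectclass=*)" namingContexts`, should then list dc=wecmsmb, which confirms the suffix took effect without needing any entries in the directory yet.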
DB2 is required to store data from OpenLDAP. The procedure to install DB2 8.2 on Linux is documented in the IBM Redbook Up and Running with DB2 for Linux, SG24-6899. The following figures illustrate a few of the installation steps.
Figure 4-128 DB2 Express setup window
Mount the product CD and run the following command: db2setup
The window shown in Figure 4-128 will be displayed. Select Install Products. You are then asked to select which product to install (DB2 UDB Express). The DB2 Setup wizard begins, followed by a license agreement window. Finally, the window shown in Figure 4-129 is displayed.
Figure 4-129 Installation type selection
A typical setup is sufficient for WECM. Select Typical and click Next .
The window shown in Figure 4-130 is displayed.
Figure 4-130 DAS password
Select a password for the DB2 Administration Server user. You may want to consider selecting a different, less well known, user ID for security purposes.
Click Next to proceed to the window shown in Figure 4-131.
Figure 4-131 DB2 instance
The window shown in Figure 4-131 creates a default DB2 instance. It is not used by WECM; however, it is a good test to make sure the installation is successful. You can remove this instance later if you wish. Click Next.
Figure 4-132 DB2 instance owner information
Only a password is required to complete this step.
In a similar manner, the next step of the installation requests a password for the DB2 Fenced user. Fenced user defined functions (UDFs) are stored procedures and execute under the Fenced user and group.
A window showing a summary of what is going to be installed is displayed, followed by an installation progress bar.
The window shown in Figure 4-133 is displayed when DB2 Setup is complete.
Figure 4-133 Post-install steps
The steps on the Post-Install tab are not required for WECM. The Status Report tab identifies whether there were any errors during setup.
Click Finish to complete the DB2 V8.2 Express installation.
See 5.5, “IBM WebSphere Everyplace Connection Manager (WECM)” on page 188 for an overview of WebSphere Everyplace Connection Manager.
You can find additional information about WebSphere Everyplace Connection Manager installation and customization in the IBM Redbook IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049.
When installing WECM server on Red Hat Enterprise Linux, include the following packages:
Connection Manager IP LAN Support
Connection Manager Mobile Access
IBM Gatekeeper
The following data is required to configure the WECM server. The values shown are the values used in our configuration.
Internal (intranet) WECM static IP address: 192.168.1.4
External (Internet or DMZ) static IP address: 9.9.9.9
Hostname: wecm
Domain: cetd01
The WECM Gatekeeper application configures and manages the WECM server.
1. Configure the WECM server by first installing the WECM Gatekeeper software on a Windows XP client.
2. Create a login profile in the Gatekeeper to connect to the WECM server for configuration purposes.
After you install the WECM Gatekeeper software on a machine, perform the following steps to define a login profile to connect to the WECM server.
1. When the Gatekeeper is started, the window shown in Figure 4-134 is displayed.
The first time Gatekeeper is started, there are no login profiles defined.
Figure 4-134 Gatekeeper profile selection
2. Click Add Profile... in Figure 4-134 to add a new login profile for the WECM server.
Figure 4-135 Add a login profile
3. As shown in Figure 4-135, we named our login profile WECMTEST and specified the IP address of the WECM server. The default port number is 9555. Do not change it. Click OK. The window shown in Figure 4-136 is displayed.
4. Select the logon profile, and click OK.
Figure 4-136 Select a profile
5. In the window shown in Figure 4-137, type in the Administrator ID and password to connect to the WECM server and click Log In.
Figure 4-137 Login to the WECM server from the Gatekeeper
For each installed WebSphere Everyplace Connection Manager server, you must create a Connection Manager resource. Configuration of the Connection Manager prepares it for the addition of resources later in the configuration steps.
1. The window shown in Figure 4-138 is displayed when the Gatekeeper application successfully connects with the WECM server. Select WECM → Add Resource → Connection Manager to add a connection manager.
Figure 4-138 Create a connection manager
2. If DB2 UDB or a DB2 client is installed, a window is displayed informing you that the connection manager detected DB2 installed on the connection manager machine and that it will use DB2 for persistent storage. In this scenario, DB2 Express is already installed on the WECM server machine. Click Next to continue.
3. The window shown in Figure 4-139 allows you to specify a unique identifier for the WECM server, along with appropriate descriptive information. Click Next to continue.
We chose to identify our WECM server with its intranet IP address.
Figure 4-139 Connection Manager identifier
4. On the following window, you select a database instance name and home directory. See Figure 4-140. We accepted the default DB2 instance name wgdb. Click Next when complete.
In the case where a remote DB2 database is to be used, ensure the following is completed prior to continuing:
– Install DB2 on the intended DB2 host.
– Install a DB2 client on the Connection Manager host.
– Create an instance for the Connection Manager database. When Connection Manager creates this instance, the default instance name is wgdb. Either use the one Connection Manager creates, or create your own. Connection Manager requires that the instance already exist prior to creating the database for a remote connection.
Figure 4-140 DB2 instance ID
5. Select a database name, and specify whether you plan to use a remote or local database for persistent session data for Connection Manager. We used a local DB2 database, as shown in Figure 4-141.
Figure 4-141 DB2 database name
6. Click Next to continue.
7. The Connection Manager can store accounting and billing records either in a file or in a DB2 database. We chose to not write any accounting or billing records, as shown in Figure 4-142.
Figure 4-142 WECM accounting and billing records
8. Click Next .
9. Verify the primary Organizational Unit (OU) in which this Connection Manager is being created. See Figure 4-143. We accepted the default OU.
Figure 4-143 Select the primary organizational unit for this Connection Manager
10. Click Next to continue. The wizard uses the configuration information to create a database for persistent session information for the Connection Manager.
Note: The process to create a database and to update the LDAP server takes a little while.
After completing the previous steps, the wizard asks if you want to create any Mobile Access services. A Mobile Access service provides an encrypted tunnel securing the connection between the Connection Manager and the Mobility Client.
11. If you want to add Mobile Access services to the Connection Manager, click Yes. We selected Yes, as shown in Figure 4-144. If you choose not to define it now, you can add it later.
Figure 4-144 Configure Mobile Access services
12. Figure 4-144 on page 153 shows the option to start Connection Manager. Click Yes to start the Connection Manager.
Figure 4-145 Start the Connection Manager
A Mobile Network Interface is a resource assigned to a Mobile Access Service. It defines an IP subnet, which is a contiguous range of IP addresses or groups of IP addresses, to support the number of Mobility Clients and mobile devices that can concurrently connect to the Mobile Access Services.
WebSphere Everyplace Connection Manager implements Mobile Network Interfaces through which the operating system IP layer on the WECM machine communicates with all supported wireless dial or wireline networks. The platform controls one or more IP subnets of users whose traffic is routed through the appropriate MNI.
During initial WECM configuration using the Gatekeeper, the message shown in Figure 4-146 appears after you configure and start the Connection Manager.
1. The message asks if you want to continue the WECM configuration by adding a Mobile Network Interface (MNI) to this Mobile Access Service. Click Yes. A window reviewing the MNI functions and definition requirements is displayed.
Figure 4-146 Add an MNI to Mobile Access Service
2. Click Next .
3. Define the VPN IP subnet you plan to use to communicate with Mobility Clients. We defined private IP subnetwork 10.10.10.0 for our VPN subnet address.
In the Network interface adapter to bind field, shown in Figure 4-147, select the IP address on the WECM server that is connected to the corporate intranet. In our configuration, the IP address on the corporate intranet is 192.168.1.4.
Figure 4-147 MNI VPN subnet
4. Click Next .
5. DNS and WINS negotiation are defined in the next window. We disabled both of these negotiations. Click Next to continue.
6. Add a routing table entry to each Mobility Client to define how the client can reach resources in your corporate network. As shown in Figure 4-148, check Enable routing table entry negotiation. Type the IP address of your corporate network in the IP address box field, and click Add.
Figure 4-148 Define network routes for Mobility Clients
7. Click Next to finish the MNI definition.
After adding the Mobile Network Interface, add a Mobile Network Connection to provide the interface between the Connection Manager and the wireless network. The MNC becomes a means for communication between the Connection Manager and the network provider of Mobility Clients and mobile devices.
A Mobile Network Connection is a resource assigned to the Connection Manager. It defines a specific type of network connection. The MNC consists of a line driver, a network protocol interpreter, and one or more physical ports. You configure one MNC for each network provider that you plan to use. In this scenario, where we connect to our clients via an IP-based network, we require only one MNC.
1. The message in Figure 4-149 asks if you want to continue the WECM configuration by adding a Mobile Network Connection (MNC) to this Mobile Access Service. Click Yes.
Figure 4-149 Add an MNC to Mobile Access Service
2. In our configuration, we connect to our Mobility Clients using an IP LAN-based network. As shown in Figure 4-150, select ip-lan, and click OK.
Figure 4-150 IP LAN MNC type
3. The window shown in Figure 4-151 allows you to add a description for this MNC. The UDP port that the MNC listens on is defined here. The default port number is 8889. Accept this port number. Click Next to continue.
Note: If there is a firewall between the WECM server and your IP network service provider, ensure that the port specified here is open on the firewall.
Figure 4-151 MNC UDP port number
4. Select Available to set the current state of the MNC.
5. Click Finish.
A WECM Network Address Translator (NAT) is a resource assigned to an MNI. You use the NAT to redirect traffic through a specified subnetwork represented by an MNI. NAT lets the Connection Manager act as an agent between a public network and a private corporate network. In a corporate network that handles only origin or destination traffic from inside the network, very few hosts need globally unique IP addresses. This means that only a single, unique IP address within the corporate network is required to represent an entire group of Mobility Clients.
The NAT defines a range of unique IP source addresses, then randomly assigns a packet originating from a Mobility Client to a port number (1024 through 65535). The NAT maintains the mapping of the packet to the port number in a translation table for the duration of a TCP session, or until a time out occurs for a TCP session or UDP connection.
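The following is an added toy model of the port-mapping NAT just described; it is example code, not WECM code. It assumes a /24 mask for the 10.10.10.0 VPN subnet, the single NAT address 192.168.1.3 used later in this scenario, and illustrative TCP and UDP idle timeouts, and it shows that a reply for a port with no live table entry is dropped rather than forwarded.

```python
"""Toy port-mapping NAT (added example, not WECM product code).

One intranet address stands in for every Mobility Client session: each new
outbound flow is assigned a random port from 1024-65535 and a translation-table
entry; the entry is dropped once the TCP session or UDP flow has been idle
longer than its timeout."""
import ipaddress
import random
from dataclasses import dataclass

# Constructed values matching the scenario. The /24 mask and the timeouts are
# assumptions; the page gives neither.
NAT_ADDRESS = "192.168.1.3"
VPN_SUBNET = "10.10.10.0/24"
PORT_RANGE = (1024, 65535)
TIMEOUTS = {"tcp": 300.0, "udp": 60.0}  # idle seconds before an entry expires


@dataclass
class Mapping:
    proto: str
    client_addr: str
    client_port: int
    last_seen: float


class PortMappingNat:
    def __init__(self, nat_address=NAT_ADDRESS, vpn_subnet=VPN_SUBNET, seed=None):
        self.nat_address = nat_address
        self.vpn_subnet = ipaddress.ip_network(vpn_subnet)
        self._rng = random.Random(seed)   # seed only to make tests repeatable
        self._by_port = {}    # (proto, nat_port) -> Mapping
        self._by_client = {}  # (proto, client_addr, client_port) -> nat_port

    def expire(self, now):
        """Drop translation entries idle longer than their protocol timeout."""
        stale = [key for key, m in self._by_port.items()
                 if now - m.last_seen > TIMEOUTS[m.proto]]
        for proto, port in stale:
            m = self._by_port.pop((proto, port))
            del self._by_client[(proto, m.client_addr, m.client_port)]
        return len(stale)

    def outbound(self, proto, client_addr, client_port, now):
        """Translate a packet leaving a Mobility Client.

        Returns the (nat_address, nat_port) pair the intranet will see. A flow
        keeps its port for as long as the table entry is alive."""
        if ipaddress.ip_address(client_addr) not in self.vpn_subnet:
            raise ValueError(f"{client_addr} is outside the MNI subnet; NAT does not apply")
        self.expire(now)
        key = (proto, client_addr, client_port)
        port = self._by_client.get(key)
        if port is None:
            port = self._free_port(proto)
            self._by_client[key] = port
            self._by_port[(proto, port)] = Mapping(proto, client_addr, client_port, now)
        else:
            self._by_port[(proto, port)].last_seen = now
        return self.nat_address, port

    def inbound(self, proto, nat_port, now):
        """Map a reply for nat_address:nat_port back to the originating client.

        Returns (client_addr, client_port), or None when no live mapping exists,
        so unsolicited inbound traffic is dropped instead of reaching a client."""
        self.expire(now)
        m = self._by_port.get((proto, nat_port))
        if m is None:
            return None
        m.last_seen = now
        return m.client_addr, m.client_port

    def _free_port(self, proto):
        """Pick a random unused port in PORT_RANGE, retrying on collision."""
        lo, hi = PORT_RANGE
        for _ in range(1000):
            port = self._rng.randint(lo, hi)
            if (proto, port) not in self._by_port:
                return port
        raise RuntimeError("translation table exhausted")


if __name__ == "__main__":
    nat = PortMappingNat(seed=7)
    print(nat.outbound("tcp", "10.10.10.5", 40000, now=0.0))   # ('192.168.1.3', <port>)
    print(nat.inbound("tcp", 2048, now=1.0))                     # None unless 2048 was assigned
```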
Use the following instructions to configure a NAT:
1. While in the Gatekeeper, select WECM → Add Resource → Network address translator to add a NAT, as shown in Figure 4-152.
Figure 4-152 Add a NAT
2. Select Enable proxy-arp for NAT addresses. In the Configuration mode section, select the Static IP address button, as shown in Figure 4-153 on page 160.
In this scenario, we use a single IP address for all Mobility Client sessions. Select the Single button, and add the IP address in the IP address field. We added an IP address of 192.169.1.3.
Note: This address must be a valid IP address on your corporate intranet.
Figure 4-153 Specify NAT IP address
3. Click Next to continue.
4. Specify an IP address or range of IP addresses within the MNI VPN subnet to which the NAT applies. In this scenario, the NAT applies to all IP addresses in our MNI, so we left all fields blank, as shown in Figure 4-154.
Figure 4-154 NAT MNI IP address range
5. Click Next .
6. A NAT can be grouped into packet mapping groups for manageability. A window is displayed that allows you to specify a packet mapping group for this NAT. We did not add the NAT to any group. Click Next to continue.
7. Verify the primary Organizational Unit (OU) in which this Network Address Translator is being created. See Figure 4-155. We accepted the default OU.
Figure 4-155 Select the primary organizational unit for this Network Address Translator
8. Click Finish to continue.
9. After creating the NAT resources, you must update the MNI to associate the NAT
definitions with the MNI as illustrated in Figure 4-156 on page 163. This process binds our
static NAT address of 192.168.1.3 to the MNI IP address of 192.168.1.4 (refer to
– Select the MNI created in previous steps (mn0 in Figure 4-156 on page 163).
– Select the Security tab in the MNI display window, as shown in Figure 4-156 on page 163.
– Check the Network address translator in the Packet mapping selection area.
Figure 4-156 Bind NAT to MNI
Remote users accessing the corporate intranet must be authenticated through the RADIUS server similar to the way local intranet wireless users are authenticated.
Create a RADIUS authentication profile within WECM to define the WECM server to the Cisco ACS RADIUS server using the following instructions.
1. While in the Gatekeeper, select WECM → Add Resource → Authentication profile → RADIUS authentication to define a RADIUS server. See Figure 4-157.
Figure 4-157 WECM RADIUS authentication - 1
2. In this scenario, we challenge the Mobility Client users for a user ID and password. Select Challenge user for user ID and password, as shown in Figure 4-158. You can also enter a name to use to reference the RADIUS server in the Common name field.
Figure 4-158 WECM RADIUS authentication - 2
3. Click Next .
4. As shown in Figure 4-159, type the IP address of the RADIUS server (192.168.1.1 in this scenario). Do not change the RADIUS port number of 1645. This is the default port number. Type the RADIUS shared secret (cisco in this scenario).
Note: The shared secret value must match the key value used when defining this WECM server to ACS as an AAA client. See Figure 4-162 on page 169.
Figure 4-159 WECM RADIUS authentication - 3
5. Click Next .
6. Do not enable LTPA when given the option on follow-on windows. Click Next until completed.
We must now associate the secondary authentication profile created in the previous steps with the Mobile Network Connection (MNC) profile created in Figure 4-151 on page 158.
1. While in the Gatekeeper, select WECM → Default Resource → Connection profile to display the connection profiles. See Figure 4-160.
Figure 4-160 Connection profiles
Properties .
3. The Connection profile - IP profile window is displayed. Select the Security tab as shown in Figure 4-161.
Figure 4-161
4. In the Secondary authentication profile field, select CiscoACS from the pulldown list. CiscoACS is the common name we chose for the secondary authentication profile. See Figure 4-161.
5. Select Apply to complete the association.
Add the WECM server to the ACS network configuration as an AAA client. This allows the ACS RADIUS server to perform authentication for users logging on to the intranet from the Internet using WECM.
1. Log on to the ACS server utility.
2. Select Network Configuration , and add an AAA client definition for the WECM server.
Figure 4-162 Add AAA client to ACS for WECM server
1. Make sure the AAA Client Hostname matches the host name of the WECM server.
2. Type the internal (intranet) IP address of the WECM server as the value for the AAA Client IP Address.
3. Make sure the value of Key matches the value set when creating the RADIUS Authentication Profile in the WECM server.
4. Select RADIUS (IETF) for the Authenticate Using drop-down value.
5. Click Submit to save this AAA client.
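The added example below (not WECM or ACS code) shows why the shared secret entered in the WECM RADIUS authentication profile must equal the Key on the ACS AAA client: RFC 2865 hides the User-Password attribute with an MD5 stream keyed by the secret and the per-request Request Authenticator, so a server holding a different secret recovers garbage and rejects the user. The user name, password and user store are constructed values; the secret cisco is the one used in this scenario.

```python
"""RFC 2865 User-Password hiding, client and server side (added example).

Client side models what WECM sends to ACS; server side models what ACS does
with the Key configured on the AAA client entry."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Decode the attribute section into {type: value}; bad lengths raise."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password. With the wrong secret this silently returns
    garbage rather than failing, which is why the mismatch shows up as an
    authentication failure on ACS, not as a configuration error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side: Access-Request carrying User-Name and a hidden User-Password.
    req_auth must be 16 fresh random bytes per request (RFC 2865 section 3)."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_check(packet, secret, users):
    """Server side: recover the password with the server's copy of the secret
    and compare it against the user store. True only when the secret matches
    the client's AND the credentials are valid."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    return expected is not None and hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    store = {b"alice": b"s3cret!"}  # constructed user store
    pkt = build_access_request(1, b"alice", b"s3cret!", b"cisco")
    print("matching secret:", server_check(pkt, b"cisco", store))   # True
    print("mismatched Key :", server_check(pkt, b"c1sco", store))   # False
```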
Install and configure the WECM mobility client code to communicate with the WECM server on each client computer. The Mobility Client software runs locally on your mobile device, and provides a full-function interface to communicate with Connection Manager. After authenticating to the Connection Manager, a VPN is established and the device securely joins the enterprise intranet. The Connection Manager supports standard IP routing even over non-IP wireless bearer networks to ensure unbroken, end-to-end TCP sessions between mobile devices and application servers.
The WECM mobility client is included with the WECM server distribution media and is located in f:\client\Win32\ on the product CD. The file name is WC_Win32.exe. Use the following instructions to install the WECM mobility client software.
1. To begin the WECM mobility client installation, execute the WC_Win32.exe shown in Figure 4-163.
Figure 4-163 WECM mobility client installation executable
A series of windows is displayed that indicates install status and requests a destination folder in which to install the product.
2. After a while, the window shown in Figure 4-164 is displayed. Select Typical to install all the components.
Figure 4-164 WECM setup type
3. The installation process installs the IBM Mobility Client Interface device driver. When prompted to install the device driver, click Yes or Continue Anyway, as shown in Figure 4-165.
Figure 4-165 Windows Logo testing message
4. When the window shown in Figure 4-166 is displayed, the WECM mobility client installation is complete. You can launch the mobility client now to create a mobile connection, or you can create a mobile connection at a later time.
Figure 4-166 Install of WECM Mobility Client completed
Configure a mobility client connection for each WECM server to which the client computer connects.
Important: Locate the IP address of the WECM server before you configure the mobility client.
You can configure a mobility client connection during the WECM Mobility Client installation process. You can also configure a mobility client connection using the following steps.
1. Select Start → All Programs → IBM Mobility Client → Connections. The window shown in Figure 4-167 is displayed.
Figure 4-167 Create a mobility connection
The Mobility Connections window, shown in Figure 4-167, lists all the mobility connections that are defined on that client computer.
2. Select Create Connection to create a new connection. The window shown in Figure 4-168 is displayed.
Figure 4-168 Create Connection window
3. Type the name of the connection you are about to define. In our example, we chose WECMTEST.
4. Press Next to continue. The Select a Network window shown in Figure 4-169 is displayed.
Figure 4-169 Select a Network window
5. Select the network type (or types) that this connection intends to use to connect to the WECM server. Make sure that the physical network adapters are installed for each network type selected. For a wireless broadband connection using IP, select IP, WiFi, GPRS, 1xRTT, Broadband.
6. Press Next to continue. The IP Based window shown in Figure 4-170 is displayed if you selected IP, WiFi, GPRS, 1xRTT, Broadband.
Figure 4-170 WECM server IP address
7. Type the IP address used to access the WECM connection manager machine into the address field, as shown in Figure 4-170. This may be an address on the connection manager machine. However, it is more likely an IP address on the enterprise firewall or router that is forwarded to the WECM connection manager machine. Obtain this IP address from your network administrator.
8. Click Advanced to continue. The window shown in Figure 4-171 appears, where you can select the network interface the Connection Manager can use.
9. We use IBM Access Connections to manage our IP interface; therefore, select Default Local IP Interface. This allows the WECM mobility client to use whatever IP interface IBM Access Connections sets up.
Figure 4-171 Network interface selection
10. Press Next to continue. A window to complete the configuration is displayed.
11. Press Next to continue. The final window of the configuration process appears. See Figure 4-172.
12. Click Yes to start the Mobility Client using the connection just defined.
Figure 4-172 Start the mobile connection
Important: When you start the WECM mobility client, it initiates a session with the WECM server. If you are running firewall software on your client, you may receive a message stating that an application is attempting to initiate an outbound connection. Permit this connection to start.
IBM Access Connections is used on the client computer to seamlessly manage the physical network connection. If multiple physical network interfaces are available (wired ethernet, wireless 802.11x ethernet), Access Connections selects the active network interface with the fastest connection speed to be the active IP interface.
Refer to 4.1.11, “IBM Access Connections V3.53” on page 65 for detailed installation instructions.
See 5.2.2, “IBM Access Connections” on page 184 for an overview of Access Connections.
Review Appendix A, “Deploying Access Connections” on page 191 for more information about Access Connections profile management.
Change the Access Connections profile created for PEAP support (see “Configure IBM Access Connections V3.53 for MS-PEAP authentication” on page 104). This change allows Access Connections to automatically start the WebSphere Everyplace Connection Manager mobility client when this profile is selected.
1. Open Access Connections, and click Manage Location Profiles.
2. Select your PEAP profile, and click Edit ....
3. Select VPN from the list of tabs across the top. The window shown in Figure 4-173 is displayed.
Figure 4-173 Use VPN connection for Access Connections profile
4. Select Use VPN connection with this location profile.
5. Select I use IBM Mobility Client provided by my company.
6. Click Select Mobility Client profile... to select the WECM mobility client profile created in the previous section.
7. Click OK, and then save the updated Access Connections profile.
Important: When the WECM mobility client is started, it initiates a session with the WECM server. If you are running firewall software on your client, you may receive a message stating that an application is attempting to initiate an outbound connection. Permit this connection to start.
This scenario uses the same hardware and software infrastructure created in 4.2, “Scenario 2: Mobile access from home” on page 113. The only difference is that mobile access is from a wireless hot spot such as an airport or local establishment that provides wireless access on their premises, as illustrated in Figure 4-174.
[Figure 4-174 diagram, labels only: Windows 2003 Server (Active Directory, Certificate Authority, DNS, DHCP, Cisco Secure ACS RADIUS server, 192.168.1.1); AP1 (SSID = leap1a, 192.168.1.5) and AP2 (SSID = leap2, 192.168.1.6) on the wired intranet; WECM with OpenLDAP on Red Hat Enterprise Linux (192.168.1.4 intranet, 9.9.9.9 external, VPN = 10.10.10.0); firewall / router (192.168.1.254, 9.9.9.1) to the Internet; wireless client at a HOT SPOT]
Figure 4-174 Intranet access from a wireless hot spot
In this scenario, we set up an environment where an employee can access an enterprise network from a non-secure environment: their home, a wireless hotspot at an airport, a train, and so on. Once they establish a connection to an enterprise intranet, all the corporate applications and tools that the employee is authorized for are available from that client. Theft of the client ThinkPad, especially while it is connected to the enterprise network, is a major concern.
Implement every password and inactivity time out option provided by Windows, WebSphere Everyplace Connection Manager, and other software. This includes:
Power on password
Hard drive password
Screen saver password with minimal idle time trigger
Minimal application inactivity time out values
WECM session time out values
This scenario uses the same hardware and software infrastructure created in 4.2, “Scenario 2: Mobile access from home” on page 113. The only difference is that the client computer uses a wireless WAN card to access the Internet via a wireless WAN connection, as illustrated in Figure 4-175.
[Figure 4-175 diagram, labels only: Windows 2003 Server (Active Directory, Certificate Authority, DNS, DHCP, Cisco Secure ACS RADIUS server, 192.168.1.1); AP1 (SSID = leap1a, 192.168.1.5) and AP2 (SSID = leap2, 192.168.1.6) on the wired intranet; WECM with OpenLDAP on Red Hat Enterprise Linux (192.168.1.4 intranet, 9.9.9.9 external, VPN = 10.10.10.0); firewall / router (192.168.1.254, 9.9.9.1) to the Internet; wireless client on a WWAN]
Figure 4-175 Intranet access from a wireless WAN card
Chapter 5. Components, product details, and supporting material
This chapter provides additional product detail on hardware and software components discussed in the previous chapters. Additionally, we included Web addresses for many of the product descriptions where you can get even more product details.
The following sections provide details and Web sites for additional information about the Cisco hardware and software presented in this Redpaper.
Cisco Secure Access Control Server (ACS) for Windows provides a centralized identity networking solution and a simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control the following things:
Who can log into the network
The privileges each user has in the network
Recorded security audit or account billing information
Access and command controls that are enabled for each configuration's administrator
With Cisco Secure ACS, you can manage and administer user access for Cisco IOS® routers, virtual private networks (VPNs), firewalls, dial-up and DSL connections, cable access solutions, storage, content, voice over IP (VoIP), Cisco wireless solutions, and Cisco Catalyst® switches using IEEE 802.1x access control.
For more information, visit the following Web sites:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_data_sheet09186a00800887d5.html
http://www.cisco.com/en/US/products/ps5917/index.html
The Recommended Resources for the Cisco Secure ACS User document presents links to a variety of documents that help users of Cisco Secure Access Control Server. You can see this document at the following Web site:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_technical_reference09186a00801c7424.html
Cisco® Aironet® 1130AG Series IEEE 802.11a/b/g access points provide high-capacity, high-security, enterprise-class features in an unobtrusive, office-class design, delivering
WLAN access with the lowest total cost of ownership. With high-performing dual IEEE
802.11a and 802.11g radios, the Cisco Aironet 1130AG Series provides a combined capacity of up to 108 Mbps to meet the needs of growing WLANs. Hardware-assisted Advanced
Encryption Standard (AES) or temporal key integrity protocol (TKIP) encryption provides uncompromised support for interoperable IEEE 802.11i, Wi-Fi Protected Access 2 (WPA2) or
WPA security. Supporting Cisco IOS Software, the Cisco Aironet 1130AG Series is a component of the Cisco Structured Wireless-Aware Network (SWAN) framework, which is a comprehensive framework that delivers an integrated, end-to-end wired and wireless network. Using the radio and network management features of the Cisco SWAN framework for simplified deployment, along with built-in omnidirectional antennas that provide robust and predictable WLAN coverage for offices and similar RF environments, the competitively priced
Cisco Aironet 1130AG Series is ready to install and easy to manage, reducing the cost of deployment and ongoing maintenance.
The hardware-accelerated AES encryption of Cisco Aironet 1130AG Series access points supports enterprise-class, government-grade secure encryption over the WLAN without compromising performance. IEEE 802.1X authentication helps to ensure that only authorized
users are allowed in the network. Backward compatibility for WPA client devices running TKIP, which is the RC4 encryption algorithm, is also supported by the Cisco Aironet 1130AG access point.
For more information, visit the following Web site: http://www.cisco.com/en/US/products/ps6087/products_data_sheet0900aecd801b9058.html
The Quick Start Guide Cisco Aironet 1130AG Access Point is available at the following Web site: http://www.cisco.com/en/US/products/ps6087/products_quick_start09186a00803388d1.html
The Cisco Aironet 1130AG Series Ordering Guide is available at the following Web site: http://www.cisco.com/en/US/products/ps6087/products_data_sheet0900aecd801b901c.html
Cisco Systems, Inc. is redefining best-in-class enterprise and small-to-midsize business routing with a new line of integrated services routers that are optimized for the secure, wire-speed delivery of concurrent data, voice, and video services. The Cisco® 2800 Series of
integrated services routers, as shown in Figure 5-1, intelligently embeds data, security, and
voice services into a single, resilient system for fast, scalable delivery of mission-critical business applications. The unique integrated systems architecture of the Cisco 2800 Series delivers maximum business agility and investment protection.
Figure 5-1 Cisco 2800 Series
The Cisco 2800 Series comprises four new platforms: the Cisco 2801, the Cisco 2811, the
Cisco 2821, and the Cisco 2851. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a five-fold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density. It also maintains support for most of the more than 90 existing modules that are available today for the Cisco 1700, Cisco 2600, and Cisco 3700 Series.
The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer the following items:
Embedded encryption acceleration and on-the-motherboard voice digital-signal-processor (DSP) slots
Intrusion prevention system (IPS) and firewall functions
Optional integrated call processing and voice mail support
High-density interfaces for a wide range of connectivity requirements
Sufficient performance and slot density for future network expansion requirements and advanced applications
Security has become a fundamental building block of any network. Routers play an important role in any network defense strategy because security needs to be embedded throughout the network. The Cisco 2800 Series features advanced, integrated, end-to-end security for the delivery of converged services and applications.
With the Cisco IOS® Software Advanced Security feature set, the Cisco 2800 provides a robust array of common security features such as a Cisco IOS Software Firewall, intrusion prevention, IPsec VPN, Secure Shell (SSH) Protocol Version 2.0, and Simple Network
Management Protocol (SNMPv3) in one secure solution set. Additionally, by integrating security functions directly onto the router itself, Cisco can provide unique intelligent security solutions other security devices cannot, such as network admissions control (NAC) for antivirus defense, Voice and Video Enabled VPN (V3PN) for quality-of-service (QoS) enforcement when combining voice, video, and VPN, and Dynamic Multipoint VPN (DMVPN) and Easy VPN for enabling more scalable and manageable VPN networks.
Cisco also offers a range of security acceleration hardware such as the intrusion-prevention network modules and advanced integration modules (AIM) for encryption, which makes the
Cisco 2800 Series the industry's most robust and adaptable security solution available for branch offices. Using a Cisco 2800 Series uniquely enables customers to deliver concurrent, mission-critical data, voice, and video applications with integrated, end-to-end security at wire-speed performance.
For more information, visit the following Web sites:
Cisco 2800 Series Integrated Services Routers data sheet http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016fa68.html
Cisco 2800 Series Integrated Services Routers Q&A http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bd6.shtml
Cisco EtherSwitch 4- and 9-Port High-Speed WAN Interface Cards http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016bf0b.html
Cisco EtherSwitch 4- and 9-Port High-Speed WAN Interface Cards Q&A http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd8016c026.shtml
Wireless Services on the Cisco 2800 and 3800 Series Integrated Services Routers http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016ef57.html
The following sections provide details and Web sites for additional information about the IBM hardware and software presented in this Redpaper.
IBM offers a wide range of ThinkPad notebook computers, from ultra-portables to desktop alternatives. Known for their classic design and award-winning quality, ThinkPad notebooks offer outstanding performance and flexibility to meet your mobile computing needs. Select models offer the strongest security available as a standard feature, the easiest connectivity and outstanding wireless performance with Intel Centrino Mobile Technology.
X Series ThinkPads are ultra-light and ultra-thin for powerful computing to fit even the smallest carry-on. Intel Centrino™ Mobile Technology (select models), full expansion capabilities, and a full-size keyboard provide an ideal all-day computing solution for business movers and shakers.
Xtreme portability
Starting at 2.7 lbs/1.23kg
Available with 12" LCD
Ultimate mobility in a versatile ultra portable
Figure 5-2 X Series ThinkPad
When employees work in the office, on the road and everywhere in between, they need security and power. Select T42 and T43 notebooks offer an integrated fingerprint reader. This series also features a modular bay, UltraConnect™ Wireless Antennas and Intel Centrino™ Mobile Technology (select models).
Thin and light for travel
Starting at 4.5 lbs/2.05kg
Available with 14" & 15" LCD
Perfect balance of performance and portability
Figure 5-3 T Series ThinkPad
The R Series ThinkPad is powerful computing that the accountants will love. This series suits frequently mobile users who want ready-to-run computing. It is designed to deliver the essential features they need for versatility, power and portability, including Intel Centrino™ Mobile Technology (select models).
Essential mobility
Starting at 5.6 lbs/2.6kg
Available with 14" & 15" LCD
Mainstream performance and features
Figure 5-4 R Series ThinkPad
IBM Access Connections is a ThinkVantage Technology that makes finding, connecting to and switching between wired and wireless networks easy, so you can easily manage connectivity wherever work takes you—without wasting time on the phone with your help desk.
Access Connections gives you a one-stop interface so you can manage your connectivity and wireless security settings in one program—there is no need to run another utility. For example, if your ThinkPad notebook is equipped with the new IBM 11a/b/g Wi-Fi wireless adapter, you can choose between no security, Wired Equivalent Privacy (WEP) encryption, 802.1x (EAP-TLS) authentication, Wi-Fi Protected Access (WPA), or Cisco LEAP.
After you save the basic settings for your various profiles, following are some of the ways IBM Access Connections can help you get — and stay — connected:
Automatically manages your basic network connections, even if you use static and dynamic IP addresses in different locations
Manages your printing by automatically reassigning the Microsoft Windows default printer to match your location, so you can quickly get your printout on your preferred printer
Automatically adjusts your network configuration to match the IT needs of each location
For example:
– At what locations do you need to use a Virtual Private Network, or any other application?
– When do you need File and Printer Sharing, Internet Sharing and Internet Connection Firewall enabled or disabled?
– Do you need a proxy server for browsing, or do you need to change your Internet Explorer home page?
– What about other connection choices such as wireless WAN (cellular), modem, or Bluetooth® wireless technology?
Once your profiles are created, getting connected is simply a matter of selecting a profile and letting Access Connections do the rest. Even when you move between a WLAN and a wired LAN, Access Connections is smart enough to make the appropriate connection. Access Connections takes the hassle out of “getting connected” whether you are an individual PC user or a network administrator.
IBM Access Connections is also designed for easy administration. A network administrator can build unique “Connectivity Profiles” for any location (home, office, travel), for any network adapter (WLAN, WAN, Ethernet, and Bluetooth wireless), and in any combination. These profiles can then be remotely deployed, greatly simplifying the task.
IBM Access Connections works with Microsoft Windows XP and 2000 and is installed on all new IBM ThinkPad notebooks.
For more information about IBM Access Connections, go to the following Web site: http://www.pc.ibm.com/us/think/thinkvantagetech/accessconnections.html
The IBM Embedded Security Subsystem is a ThinkVantage Technology that is available on select ThinkPad and ThinkCentre systems. The subsystem consists of an integrated security chip and downloadable IBM Client Security Software. Together, they provide a higher level of security with hardware and software-based technology that lets you “lock” your data.
This hardware and software-based technology protects your company information, including vital security information like passwords, encryption keys, and electronic credentials, while guarding against unauthorized user access. This level of security is critical for both desktop and notebook systems. In fact, you cannot get a higher level of security as a standard feature on a PC from any other manufacturer.
IBM provides enhanced security for both wired and wireless networks. In both cases, the Embedded Security Subsystem ensures secure data and communications by providing a hardware and software-based architecture that provides better protection for sensitive keys, identity information, and confidential data. Further, for wireless networks, the Embedded Security Subsystem hardware provides enhanced authentication and session confidentiality by concealing authentication credentials for industry-standard 802.1x protocols and Cisco LEAP.
You can use the new IBM Integrated Fingerprint Reader, available on select ThinkPad models, with the Embedded Security System for wireless authentication.
To learn more about IBM Embedded Security System, go to the following URL: http://www.pc.ibm.com/us/think/thinkvantagetech/security.html
ThinkVantage Technologies help customers become more competitive and on demand by delivering industry-leading capabilities that improve productivity and reduce cost. These tools help make IBM personal computers less dependent on IT staff or user intervention for basic tasks like deployment, backup, security (select models), and more. This frees users and IT staff to focus on business success.
Access IBM guides you to a host of information and tools to help you set up, understand, maintain, and enhance your IBM ThinkPad® notebook or ThinkCentre™ desktop.
IBM Access Connections allows you to easily shift between wireless and wired networks— a single interface to assist with connectivity in your home, office, or on the road.
IBM Rescue and Recovery is a one-button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help, and recover from system crashes quickly, even if the primary operating system will not boot.
IBM Embedded Security Subsystem and IBM Client Security Software is a unique hardware-software combination that helps protect your company information, including vital security information like passwords, encryption keys, and electronic credentials, while guarding against unauthorized user access to data.
IBM Active Protection System is available on many ThinkPad X, T, and R Series models. It features an integrated motion sensor that continuously monitors movement of the ThinkPad notebook. Like an airbag's sensor, it can detect sudden changes in motion and temporarily stop the hard drive to help protect your valuable data from some crashes that could occur due to everyday notebook accidents. This ThinkVantage Technology provides up to four times greater impact protection than systems without this feature, thereby helping to decrease employee down-time and reduce support cost.
IBM Secure Data Disposal makes erasing confidential information off a disk drive fast and simple and the data irretrievable.
IBM System Migration Assistant helps get your end-users up and running by quickly and accurately migrating their individual data and settings to their new IBM systems—which are then familiar and ready to go. It is ideal for a large corporation that moves hundreds of users' data over an enterprise network, or a small business with just a few systems in a peer-to-peer environment.
IBM ImageUltra Builder helps simplify image creation, deployment, and management. It allows you to build and deploy even just a single image across your enterprise. By combining multiple languages, applications, and operating systems into a single hard drive image, you help eliminate or reduce the need for manual application installation, hardware testing, and support.
IBM System Information Center automates the collection, assessment, and reporting of your PC inventory—whether users are logged on or not. It is quick and easy to implement in a PC environment, and maintenance is minimal. System Information Center provides features over and above standard inventory solutions:
– Assists with measuring client security compliance
– Reports ThinkVantage Technology software usage
– Allows tracking of on-PC assets
– Mines and organizes collected asset and support information into predefined or customized reports
IBM Software Delivery Center provides push and pull capabilities that allow users to download applications on demand, and enables administrators to push software updates without end-user involvement. Implementing this tool helps users have the software and updates you want them to have. Having the latest software updates and the latest versions of the ThinkVantage Technologies deployed helps decrease the number of support calls and help desk assistance required for system, application, and operating system problems. Software Distribution Center provides a flexible distribution solution, with low network bandwidth usage and little or no need for infrastructure changes. It also supports both industry-standard and custom software applications.
Visit the following Web site for more information about all of the ThinkVantage Technologies: http://www.pc.ibm.com/us/think/thinkvantagetech.html
The IBM Eserver xSeries 226 provides superb availability at a price that small and midsize businesses can afford. New support for 64-bit extensions through Intel EM64T as well as up to 16GB [1] DDR2 memory provides outstanding performance and helps protect investments for future growth.
Figure 5-5 IBM Eserver xSeries 226
Following are the key features of the IBM Eserver xSeries 226:
Intel EM64T Technology - Runs 32-bit applications and operating systems faster than ever, and can migrate to 64-bit when you are ready.
The x226 supports up to 16 GB [2] of the latest PC2-3200 DDR technology for optimal system performance.
Optional Online Spare memory [3] can provide clients with an extra layer of memory protection beyond Chipkill.
IBM offers SATA technology for those clients looking for a cost effective alternative to SCSI, with simple swap for easy serviceability.
The x226 is a rack mountable server, via an optional rack mount kit in industry standard racks that takes up a modest 4U of space.
RAID 1 standard helps some clients save money and an I/O slot, while also providing cost effective data protection (plus RAID 10 standard support on SCSI models).
The x226 has flexibility to use a range of adapters, from the powerful PCI-Express slot to legacy PCI slots.
PCI-Express provides high-speed I/O enhancements to support 64-bit applications you can implement now or in the future.
The x226 includes IBM Director for advanced systems management.
The x226 has an Alert Standard Format 2.0 (ASF 2.0) that can help decrease downtime by allowing you to proactively monitor system conditions, alert you to potential problems, and, when used with IBM Director, power on or off remote systems, even when the operating system isn't responding.
For more information about the IBM Eserver xSeries 226, visit the following Web site: http://www.ibm.com/servers/eserver/xseries/x226.html
[1] When 4GB DIMMs become available
[2] When 4GB DIMMs are available
[3] Planned future support
IBM offers monochrome and color laser printers that are versatile, reliable, and affordable for small businesses and workgroups of all sizes.
Within the Infoprint 1000 family, choose from print speeds of up to 8 through 45 pages per minute (ppm) and many user-friendly features and paper-handling options. Many of these printers also allow you to add an IBM MFP Option that provides scan/copy/fax capabilities, so you can consolidate devices and supplies while expanding functionality. Also available is a new all-in-one MFP that allows you to print, copy, scan and fax from a single machine. A range of connectivity options, including wireless, helps simplify network printing and enable mobile communication.
Figure 5-6 IBM Infoprint 1422
The IBM Infoprint 1422 gives your workgroup or small business the speed and reliability it needs, at a low cost of acquisition and ownership. The low-profile 1422 occupies little space, so it fits nearly anywhere. High-yield toner cartridges reduce supply interventions.
Print up to 32 ppm, with a first-page-out-time of eight seconds.
Simplify use with the LCD operator panel.
Improve productivity with a 366 MHz processor.
Set up the 1422 quickly with easy-to-follow instructions.
Enjoy low total cost of ownership.
The WebSphere Everyplace Connection Manager is a distributed, scalable, multipurpose UNIX® communications platform that supports optimized, secure data access by both Wireless Application Protocol (WAP) and non-WAP clients over a wide range of international wireless network technologies, as well as local area (LAN), and wide area (WAN) wireline networks.
It integrates the WAP Version 1.2.1 standard support, as defined by the WAP Forum, together with award-winning IBM SecureWay wireless technology for supporting standard Internet Protocols (IP) efficiently and securely over both IP and non-IP wireless bearer networks.
WebSphere Everyplace Connection Manager can help boost the productivity of mobile workers by giving them highly-secure, uninterrupted access to the data they need. Offering a distributed, scalable, multipurpose communications platform, WebSphere Everyplace Connection Manager can help enterprises optimize bandwidth, reduce costs, and ensure security by efficiently extending their existing applications to workers in the field over many different wireless and wireline networks.
WebSphere Everyplace Connection Manager provides several key capabilities for a mobile deployment:
Data encryption over vulnerable wireless LAN and wireless WAN connections
Seamless cross-network roaming, making it possible to dynamically switch network connections without interrupting applications
Compression and other network optimizations that improve user response time and lower network costs
Support for various types of devices - Palm, Symbian, PocketPC, Win32
WebSphere Everyplace Connection Manager is FIPS 140-2 certified, which is one of the government's highest security ratings.
For more information about WebSphere Everyplace Connection Manager, visit the following Web site: http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/
WECM Starter Edition is designed for customers who want to start with a small initial investment and then expand at a later time. It provides the same functionality as WECM (with WAP) but licensing is limited to a maximum of 50 users. Upgrade from WECM Starter Edition to a full license of WECM is available for a 25% discount.
Appendix A. Deploying Access Connections
IBM added features to make deployment and management of Access Connections in an Enterprise environment much easier. After creating the location profiles required for client users, you can manage and deploy new, updated, or revised location profiles to client computers.
The Access Connections Administrator Profile Deployment Feature is an additional feature that allows an administrator to distribute location profiles to Access Connections clients.
Administrators can create location profiles and distribute them as part of a preload image, or install them after the client systems are deployed.
For additional information, visit the following Web sites:
Access Connections Administrator Profile Deployment feature overview http://www.ibm.com/pc/support/site.wss/document.do?lndocid=ACON-DEPLOY
Access Connections Administrator Profile Deployment guide http://www.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-52881
Following is a list of features to help IT administrators deploy and manage Access Connections:
The IBM Access Connections Enabler for Administrator Profile Deployment feature is required to deploy location profiles that you create for client users. The Enabler is available to IT professionals only at the following Web site: http://www.ibm.com/pc/support/site.wss/document.do?lndocid=ACON-DEPLOY
Administrators can create location profiles and distribute them as part of a preloaded image or install them after the client systems are deployed.
Set control policies for each profile.
Create distribution control lists to limit who can import various deployment packages.
Set a client configuration policy to configure the operation of Access Connections on the client computer.
Deployment packages are encrypted and password protected to be sure that only authorized individuals can import the location profiles that may contain wireless security information such as WEP or static password, for example.
You can install IBM Access Connections using either a bundled package that includes IBM Access Connections software and all the necessary drivers, or using the IBM Access Connections software alone, where you install the necessary drivers separately.
To install IBM Access Connections 3.0 or later without user interaction, complete the following steps:
1. Start Windows 2000 or Windows XP, and then log on with administrative privileges.
2. Extract the Access Connections drivers to the hard disk drive.
3. Click Start → Run.
4. Type the following command:
SETUP.EXE /S
To download the software package along with the installation instructions:
1. Visit the following Web site: http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html
2. Click Software download and User's Guide to download the software package.
To install IBM Access Connections 3.0 or later without user interaction, complete the following steps:
1. Start Windows 2000 or Windows XP, and then log on with administrative privileges.
2. Extract the Access Connections drivers to the hard disk drive.
3. Click Start → Run.
4. Type one of the following commands:
– For computers that do not automatically restart, type the following command:
SETUP.EXE -S -SMS
– To install from a CD, type the following command:
SILENT.BAT
To download the software package along with the installation instructions:
1. Visit the following Web site: http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html
2. Click Software download and User's Guide to download the software package.
To enable the Administrator Feature of Access Connections, you must first have Access Connections 3.53 or later installed on a donor computer. When deploying location profiles that provide a wireless network connection, the donor and recipient computers must contain wireless adapters that support the capabilities defined in the location profile. For instance, if the location profile being deployed is configured for LEAP authentication, the adapters on the recipient systems must support LEAP authentication.
To enable the Administrator Feature, complete the following steps:
1. Obtain the Administrator Feature Enabler, and save it on the computer on which you will develop location profiles.
2. Click Start → Run.
3. Click Browse.
4. Select the self-extracting executable file that you saved in step 1.
5. Click OK. This extracts the Enabler application to the following directory:
C:\ProgramFiles\Thinkpad\ConnectUtilities
6. Close the main window of Access Connections if it is open.
7. Click Start → Run, and type:
C:\ProgramFiles\Thinkpad\ConnectUtilities\AdmEnblr.exe
Figure A-1 Enabler for Administrator Profile Deployment Feature window
Appendix A. Deploying Access Connections 193
8. Select Enable Administrator Feature.
9. Select Exit to close the Enabler.
10. Start Access Connections.
If you have not previously created profiles on the computer, the initial window for the profile creation wizard is displayed. After you create at least one profile, you can view the main window of Access Connections. A menu bar item labeled “Profile Distribution” is displayed.
To use the Administrator Feature, complete the following steps:
1. Create all the location profiles that users require. Consider the following, and other needs, as you create the profiles:
– Office, building connections
– Home connections
– Branch-office connections
– Connections while traveling
– Hot-spot connections
2. After you create the location profiles, click Profile Distribution → Create Distribution Package.
Figure A-2 Profile Distribution
3. Select the location profiles that you want to deploy.
4. For each location profile selected, choose the appropriate user-access policy. If a profile that is selected contains a wireless profile with encryption enabled, the administrator is prompted to re-enter the wireless settings data again to ensure sensitive data is not exposed.
Figure A-3 Create Distribution Package window
The access control policy defines the restrictions that are in place for a particular profile.
You can define access control policies per profile with the following values:
– Deny all changes / Deny deletion: Users cannot perform operations such as modify, copy, or delete on the profile.
– Deny network setting changes / Deny deletion: In this case, users cannot modify, delete, or copy the network settings in the profile. The parameters that users cannot modify are TCP/IP settings, Advanced TCP/IP settings, and wireless settings. The profile cannot be deleted.
– Deny all changes / Allow deletion: Users cannot modify or copy the profile; however, users can delete the profile.
– Allow all changes / Allow deletion: Users can modify, copy, and delete the profile.
– Limitation: The above control policies are applied to local users with Administrator level privileges. If the local users are configured as Limited Users, stricter restrictions are imparted by the operating system. Limited Users can only create dial-up, connection-type profiles and cannot modify, copy, or delete profiles that the administrator created. A global setting in Access Connections enables Limited Users to switch between profiles that the administrator created.
5. When the Allow silent import of this package even after installation of client check box is marked, the IT administrator can silently export to any client computer *.LOA files, regardless of the privileges of the user who is actually logged on to the client computer.
You can copy later packages (consisting of *.LOA and *.SIG files) to the installation folder for Access Connections. The next time Access Connections runs, it will detect and import the package silently.
6. Optional: The administrator can define a Distribution Control List based on computer serial numbers. This method of distribution enables the administrator to type individual serial numbers or to create different groups of serial numbers that represent different organizations of users who need different location profiles. This optional step is designed primarily for securing the distribution of the profile location file (*.LOA), when it is being sent to remote users for manual importing. Distribution control lists ensure that individuals install appropriate network connection profiles only. They can help reduce unauthorized network access.
Figure A-4 Define Distribution Control List
When creating groups of serial numbers, you can import flat text files that contain the group of serial numbers. The file must be formatted such that each line contains a single serial number. Create these text files by exporting a list that was created with the Administrator Feature or by an asset management system, if it has such capabilities. This simplifies the process of controlling distribution to a large number of computers based on their serial number.
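The flat serial-number file described above, and the import-time check that a package's control list contains the recipient computer's serial number, as an added Python example (not IBM's code and not how Access Connections is implemented). The serial-number pattern, the group layout and the function names are assumptions; the sample serial numbers are constructed.

```python
"""Distribution Control List handling for Access Connections *.LOA packages.

Added example, not IBM's code. It models the page's description: a flat
text file with one computer serial number per line, optionally organised
into named groups, and the import-time check that the recipient
computer's serial number appears in the package's control list.
Everything beyond "one serial per line" (pattern, group layout, names)
is an assumption made for this example.
"""
import re
from typing import Dict, List, Set

# Assumed serial-number shape: 4 to 12 upper-case letters or digits.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4,12}$")


def parse_serial_list(text: str) -> List[str]:
    """Parse a flat serial-number file: one serial per line.

    Blank lines and surrounding whitespace are tolerated (asset-tool
    exports often contain them), a UTF-8 BOM is dropped, serials are
    upper-cased, and duplicates are removed while preserving order.
    A malformed line raises ValueError with its 1-based line number so the
    administrator can fix the export before building the package.
    """
    serials: List[str] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.strip().upper()
        if not entry:
            continue
        if not SERIAL_RE.match(entry):
            raise ValueError(f"line {lineno}: invalid serial number {raw!r}")
        if entry not in seen:
            seen.add(entry)
            serials.append(entry)
    return serials


def build_control_list(groups: Dict[str, str]) -> Dict[str, Set[str]]:
    """Combine named groups (group name -> file contents) into a control list."""
    return {name: set(parse_serial_list(body)) for name, body in groups.items()}


def authorized_groups(serial: str, control_list: Dict[str, Set[str]]) -> List[str]:
    """Return the groups whose list contains this computer's serial number.

    An empty result is the page's "serial numbers do not match" case: the
    user must request a revised *.LOA file from the administrator.
    """
    needle = serial.strip().upper()
    return sorted(name for name, members in control_list.items() if needle in members)


# Constructed sample exports (not real serial numbers), as an asset
# management system might produce them: BOM, mixed case, blank line, duplicate.
SAMPLE_GROUPS = {
    "branch-office": "\ufeffL3AB1234\n\n  l3ab1235 \nL3AB1234\n",
    "travel": "L3TR0001\nL3TR0002\n",
}

if __name__ == "__main__":
    control = build_control_list(SAMPLE_GROUPS)
    for s in ("l3ab1235", "L3XX9999"):
        groups = authorized_groups(s, control)
        print(s.upper(), "->", groups or "no match: request a revised *.LOA file")
```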
Figure A-5 Create Group
Optional: You can define the Client Configuration Policy, which controls the capabilities that are available to the user after the *.LOA file is imported.
Note: Check the Do not allow clients to become an administrator check box to prevent users from enabling the Administrator Feature on their installation of Access Connections. This setting is useful in large enterprise environments, where IT administrators want to prevent others from creating and distributing network access profiles.
The Client Configuration Policy panel also enables the administrator to set the Global Settings for Access Connections. If the end-user logs onto a computer with a Limited User account, then the administrator must enable the “Allow all users of this system to switch to any existing location profile” setting under Global Setting. Otherwise, the users cannot switch between the pre-configured location profiles that the administrator provided.
Figure A-6 Define Client Configuration Policy
7. After you specify all the necessary settings in the Define Client Configuration Policy window, click Create. A passphrase prompt is displayed. The passphrase encrypts the *.LOA file so that the file can be imported only if the Access Connections application was installed as described in Section 4.4 or if you provide the passphrase to the user.
8. Give the *.LOA file a name and location.
Attention: For image deployment, the *.LOA file must reside in the Access Connections install directory (C:\PROGRAM FILES\THINKPAD\CONNECTUTILITIES).
To deploy the Access Connections software, complete the following steps:
1. Install Access Connections on a sample system from the group of systems being deployed.
2. Start the Administrator Feature Enabler, as described in, “Enabling the Administrator
4. Create the deployment package, as described in section, “Using the Administrator
5. While creating the location deployment package, check the Do not allow clients to become administrator check box in the Client Configuration Policy window.
6. Save the *.loa and the *.sig files to another computer, removable media, or network drive to generate a collection of deployment packages.
Note: The *.sig file contains the signature data generated from the password used in generating the deployment package. This file is located in the install directory of Access Connections, typically C:\PROGRAMFILES\THINKPAD\CONNECTUTILITIES.
7. Install Access Connections on the image building system according to your process.
– If the computer that you are using to create the build image is the same as the computer on which you created the location profiles, complete the following:
• Uninstall Access Connections from the build-image computer so that the Administrator Feature is removed.
• Add Access Connections to the image in an uninstalled state.
• Create a directory that contains the setup files plus the *.loa and *.sig files, which were saved in step 6.
– Add a new DWORD value under the following path in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
– Name the value ACinstall and set it to the following path:
<Path where Access Connection setup files exist>\setup.exe -s
8. Upon the first boot of the client computers, Access Connections silently installs and automatically launches. Access Connections imports the *.loa file silently. The *.loa and *.sig files are deleted.
There are two ways to remotely deploy Access Connections:
Unattended deployment
Attended deployment.
The following sections describe each remote deployment method.
Tivoli®, etc.) to push updated *.loa files to the client and have Access Connections silently import them if the following conditions are met:
1. The *.loa files must be created using the exact password used originally in the build that was deployed on the client computer.
2. The *.loa files must be placed in the Access Connections installation directory. Access Connections must be restarted, either by restarting the computer or by closing the System Tray icon (QCTRAY.EXE), and then launching Access Connections again.
To deploy Access Connections location profiles to remote users or to computers that are already deployed, complete the following steps:
1. Using the Administrator Feature, create the *.loa file that contains the profiles that remote users need.
2. During the export process, specify the serial numbers of the remote users' computers and set a password to use in encrypting the *.loa file.
3. In separate e-mail messages (one for the password and one for the *.loa file), send to the users, over a secure medium, the password and *.loa file.
4. Prepare the following instructions for the users:
a. Detach the *.loa files to your hard disk.
b. Open Access Connections. Depending on the way you set up the Start menu, you might need to provide navigation instructions to the Access Connections entry.
c. Click Manage Location Profiles.
d. Click Options → Import/Export.
e. Click Import Location Profiles.
f. Using the drop-down selection for Files of type, select Profile Distribution files (*.loa).
g. Browse to the location where you saved the *.loa file that you detached in step 4a.
h. Select the saved *.loa file, and then click Open.
i. Access Connections checks the serial number of your computer to make sure that the *.loa file matches your computer. If a message is displayed that the serial number in the *.loa file and your computer serial do not match, contact the administrator who sent you the *.loa file. You will need a revised *.loa file that contains the correct serial number for your computer.
j. If the serial numbers match, you are prompted to type the passphrase your administrator provided in a separate e-mail. Type the password carefully and precisely, using upper and lower-case characters, where applicable.
k. Press Enter.
5. When the user correctly types the passphrase and presses Enter, Access Connections decrypts the *.loa file, and imports the location profiles as well as global settings and access controls you set. The *.loa file is then automatically deleted.
Appendix B.
Select IBM computers are equipped with built-in cryptographic hardware that works together with software technologies to provide a powerful level of security in a client PC platform.
Collectively, this hardware and software is called the IBM Embedded Security Subsystem (ESS).
This appendix provides an overview of the IBM Embedded Security System and IBM Client Security Software.
The hardware component of the IBM Embedded Security Subsystem meets all Trusted Computing Group (TCG) TPM Specification Version 1.1b requirements. This hardware component, known as a Trusted Platform Module (TPM), is sometimes referred to as the IBM Embedded Security Chip. This security chip works with IBM Client Security Software (CSS) to enhance the security of your system and data.
IBM Client Security Software is a suite of security tools that utilizes the IBM Embedded Security Subsystem to help protect access to your computer, your data, and your personal settings. Client Security Software activates the IBM Embedded Security Subsystem and creates the security keys necessary to protect your identity and data. Using a secure key pair that is encrypted within the secure confines of IBM hardware, Client Security Software is comprised of the following local applications:
IBM Password Manager
IBM Password Manager enables you to manage your sensitive and easy-to-forget logon information, such as user IDs, passwords, and other personal information, encrypting all information through the IBM Security Chip. IBM Password Manager works with Microsoft Internet Explorer to securely store and recall data entered into Web pages.
Hardware-based secure Windows logon
Client Security Software transfers authentication operations to the IBM Embedded Security Subsystem. Utilizing the security of this powerful hardware chip, multiple authentication methods can be configured, including:
– Passphrase authentication - Passphrase authentication enables users to expand upon often limited password options. Client Security Software allows passphrases of up to 256 characters.
– Fingerprint authentication - Client Security Software integrates with IBM fingerprint software to provide fingerprint authentication through the IBM Embedded Security Subsystem.
IBM Client Security Software has two configuration options: typical and advanced. Selecting the appropriate option for your needs is important, so review the following information carefully before choosing. Because of the complexity of the security concepts involved, most users, and all novice security users, should select the typical configuration. This option uses default settings, which makes the configuration process easy, but some advanced features of Client Security Software are unavailable under the typical configuration.
The typical configuration of IBM Client Security Software installs and configures the following Client Security features:
IBM Password Manager
Right-click file encryption
Passphrase and fingerprint authentication support
Digital signature support
As the name implies, the advanced configuration of IBM Client Security Software is designed for advanced security users. You should not select this option unless you have an advanced knowledge of security concepts. In addition to the features available under the typical configuration, the advanced configuration installs and configures the following Client Security Software features:
Secure logon protection
Key storage location selection
Application support, such as Lotus Notes and Entrust
Some CSS features are not available when a typical configuration is selected. To enable these functions, simply convert your typical configuration to an advanced configuration.
For more information about IBM Client Security Software, visit the following Web site: http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html
The IBM Client Security Password Manager program enables you to manage your sensitive and easy-to-forget login information, such as user IDs, passwords, and other personal information, using the IBM Embedded Security Subsystem. The IBM Client Security
Password Manager program stores all information through the IBM Security Chip so that your user-authentication policy controls access to your secure applications and Web sites.
This means that rather than having to remember and provide a plethora of individual passwords—all subject to different rules and expiration dates—you only remember one passphrase, or provide your fingerprint, to gain access to any application or Web site entered into the Password Manager program.
The IBM Password Manager enables you to perform the following functions:
Encrypt all stored information through the IBM Embedded Security Subsystem.
The IBM Client Security Password Manager automatically encrypts all information through the IBM Embedded Security Subsystem. This ensures that all your sensitive password information is secured by the IBM Client Security encryption keys.
Transfer user IDs and passwords quickly and easily utilizing a simple type-and-transfer interface.
Use the IBM Client Security Password Manager type and transfer interface to place information directly into the logon dialog of your browser or application. This helps minimize typing errors and enables you to save all of your information securely through the
IBM Embedded Security Subsystem.
Securely provide Wireless, Web site, and application credentials using the IBM fingerprint software program and the IBM Embedded Security Subsystem.
The IBM Client Security Password Manager can utilize the IBM fingerprint software program and the IBM Embedded Security Subsystem to securely automate your login process. The IBM Client Security Password Manager can provide your login information automatically to any registered wireless network, application, or Web site upon a successful fingerprint authentication. By utilizing these technologies together, users gain an increase in security and an increase in convenience.
Generate random passwords.
The IBM Client Security Password Manager enables you to generate a random password for each application or Web site. This increases the security of your data because each application is protected by a password that is both stronger and unique: random passwords are far harder to guess than user-defined ones, which experience shows are usually built from easy-to-remember personal information, and using a different one per site means that a password compromised at one site does not open the others.
Export login information.
The IBM Client Security Password Manager enables you to export your sensitive login information so that you can carry it from computer to computer. When you export your login information from the IBM Password Manager, a password-protected export file is created that you can store on removable media. Use this file to access your user information and passwords anywhere you go. Note that, unlike the store on the original machine, the exported file is protected only by the password you choose and not by the security chip, so choose a strong password and treat the removable media as containing all of your credentials.
For more information about the IBM Client Security Password Manager, visit the following
Web site: http://www.pc.ibm.com/us/think/thinkvantagetech/downloads_support.html
The IBM fingerprint software supplements software-based Windows user authentication, which on its own is the weak point, with hardware-protected credentials. It increases both the security and the convenience of authentication by replacing password entry with fingerprint authentication and by keeping the associated secrets under the protection of the IBM Embedded Security Subsystem.
The IBM fingerprint software Logon Protector secures access to the Windows operating system using registered fingerprints to replace Windows logon credentials. When a user swipes a registered finger over the fingerprint reader, access to the operating system is granted following a successful fingerprint authentication.
You can set up secure IBM biometric fingerprint protection to provide the following:
User power-on credentials
Windows user logon credentials
Windows user password-protected screen saver credentials
User application and Web site credentials (when the fingerprint reader is used with the IBM Client Security Password Manager)
User wireless credentials (when the fingerprint reader is used with the IBM Client Security Password Manager)
The IBM fingerprint software program uses the fingerprint reader to generate a passport to authenticate each user. Each passport contains specific authentication information to represent a user identity.
Each passport can contain up to ten fingerprints, but no two local passports can contain the same fingerprint. A passport contains Windows user account information and various types of data, such as data objects, keys, and certificates.
The integrated fingerprint reader is available on select ThinkPad T42 and T43 models. It will also be available on future ThinkPad models.
Abbreviations and acronyms

AAA      authentication, authorization, and accounting
ACS      Access Control Server
AES      Advanced Encryption Standard
AP       access point
ASF      Alert Standard Format
CA       certificate authority
CCMP     Counter Mode with CBC-MAC Protocol
CHAP     Challenge Handshake Authentication Protocol
CLI      command line interface
CRL      Certificate Revocation List
CSS      Client Security Software
DDR      double data rate
DHCP     Dynamic Host Configuration Protocol
DMZ      demilitarized zone
DN       distinguished name
DSL      Digital Subscriber Line
EAP      Extensible Authentication Protocol
ESS      Embedded Security Subsystem
GPRS     General Packet Radio Service
GTC      Generic Token Card
HVAC     heating, ventilation, and air conditioning
IAS      Internet Authentication Service
IBM      International Business Machines Corporation
IETF     Internet Engineering Task Force
IIS      Internet Information Server
ISM      industrial, scientific, and medical (radio band)
ISP      Internet Service Provider
ISR      Integrated Services Router
ITSO     International Technical Support Organization
JRE      Java Runtime Environment
LAN      local area network
LDAP     Lightweight Directory Access Protocol
LEAP     Lightweight Extensible Authentication Protocol
LTPA     Lightweight Third Party Authentication
MAC      media access control
MNC      Mobile Network Connection
MNI      Mobile Network Interface
NAT      Network Address Translation
NIC      network interface card
OTP      one-time password
OU       organizational unit
PCI      peripheral component interconnect
PEAP     Protected Extensible Authentication Protocol
QoS      Quality of Service
RADIUS   Remote Authentication Dial-In User Service
RAID     Redundant Array of Inexpensive Disks
RFC      Request for Comments
RSA      Rivest, Shamir, and Adleman
SATA     serial ATA
SCSI     small computer system interface
SMB      small and medium business
SSID     service set identifier
SSL      Secure Sockets Layer
SWAN     Structured Wireless-Aware Network
TACACS   Terminal Access Controller Access Control System
TCG      Trusted Computing Group
TKIP     Temporal Key Integrity Protocol
TLS      Transport Layer Security
TPM      Trusted Platform Module
TTLS     Tunneled TLS
UDP      User Datagram Protocol
URL      Uniform Resource Locator
VoIP     Voice over IP
VPN      virtual private network
WAN      wide area network
WAP      Wireless Application Protocol
WECM     WebSphere Everyplace Connection Manager
WEP      Wired Equivalent Privacy
Wi-Fi    Wireless Fidelity
WINS     Windows Internet Naming Service
WLAN     wireless LAN
WPA      Wi-Fi Protected Access
The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this Redpaper.
Up and Running with DB2 for Linux, SG24-6899
IBM WebSphere Everyplace Connection Manager Version 5 Handbook, SG24-7049
These publications are also relevant as further information sources:
IBM Access Connections Deployment Guide Version 3.3.0, provided with the product
Cisco SAFE Wireless LAN Security in Depth, Cisco White paper
You can search for, view, or download Redbooks, Redpapers, Hints and Tips, draft publications and Additional materials, as well as order hardcopy Redbooks or CD-ROMs, at this Web site: ibm.com/redbooks
IBM Support and downloads: ibm.com/support
IBM Global Services: ibm.com/services
IBM Software Group Web support: http://www.ibm.com/software/support/
IBM Software Group voice based support: 1 800-553-2447
Web support: http://www.IBM.com/support
Voice based support: 1 800-426-7378
IBM PSD Web support: https://www.ibm.com/support/esc/signin.jsp
IBM PSD voice based support: 1 800-553-2447
Cisco Web support: http://www.cisco.com/tac/
Cisco voice based support: 800-553-2447