Secure 802.1X Wireless Networking in Windows Server 2003/2008

ITNW 2313 – Networking Hardware
Prof. Michael P. Harris, CCNA, CCAI
Enhancements for Wireless Networking
The enhancements that SP1 provides for wireless LANs are of great benefit to
enterprise-wide networks. Without SP1, Windows Server 2003 does not support the WPA
security method, so it cannot be implemented; this is no longer an issue with Service
Pack 1. Apart from addressing the weaknesses of the original Windows Server 2003, SP1
makes it easier to deploy secure large-scale wireless LANs. Additionally, administrators
can now give users of wireless clients running Windows XP SP2 a choice of pre-approved
digital certificates and signing authorities. This means users are only allowed to
install certificates for the network that the administrator has previously approved,
making them less prone to man-in-the-middle attacks.
Centralized Management
The Active Directory Group Policy console allows centralized management of the
Wireless Zero Configuration client, which makes it easier and faster to connect
wireless clients to a secure network. WPA TKIP and AES encryption settings can now be
configured centrally, and any wireless client running Windows XP Service Pack 2, or
Service Pack 1 with the WPA patch, can be configured to use the more secure WPA TKIP
or AES methods to connect to the wireless LAN.
Wireless Setup Wizard
Like Windows XP SP2, Windows Server 2003 SP1 comes with a Wireless Network Wizard
that helps you configure secure wireless networks. Configuration settings can be
stored on removable media (such as a USB pen drive) and then copied to other
machines.
PEAP Authentication Scheme
LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS
(Transport Layer Security) authentication scheme introduced by Cisco in later
firmware versions of its Aironet access point product range. This protocol lacks
point-to-point protection of the credential exchange, which leaves it open to
dictionary attacks at the credential authentication stage. With the introduction of
PEAP (Protected Extensible Authentication Protocol) authentication in the IAS
(Internet Authentication Service) component of Windows Server 2003/2008, these
weaknesses are addressed. Furthermore, a single server-side digital certificate can
serve many clients, without any certificate installed on the client side.
Wireless Provisioning Services
This new technology makes it easier for mobile workers to connect to hotspots or
corporate LANs by eliminating the need for manual configuration of the network
connection. Enterprises can better manage guest access on their network and provide
payment plans such as pay-per-use or monthly Internet access to customers.
Securing Wireless in Windows Server 2003/2008
When configured incorrectly, wireless connections are probably among the most
vulnerable points of a network. A simple password-based authentication method is not
enough, especially over a wireless connection. By means of the Internet
Authentication Service in Windows Server 2003/2008, administrators can set up an
802.1X-based secure network.
In order to take advantage of 802.1X in Windows Server, you will require the
following services:
- DHCP and DNS
- Active Directory Service
- RADIUS Server (Internet Authentication Service)
- Certificate-based infrastructure (referred to as PKI, Public Key Infrastructure)
I will cover the following steps and show you how to set up an 802.1X-based security
structure using the Internet Authentication Service (IAS) in Windows Server:
- Configuring your access point
- Windows 2003/2008 Certification Authority
- Windows 2003/2008 Active Directory Service Configuration
- Windows 2003/2008 IAS Configuration
Configuring your Access Point
Your access point must support 802.1X and WEP authentication. If it doesn’t, check
for a firmware upgrade before you proceed. 802.1X and RADIUS provide automatic
generation of session keys, so they will not have to be entered manually into the
access point. However, some access points do support manual entry of keys for
simulation (testing) purposes.
First, from your access point’s configuration web interface, you must set which
machines act as RADIUS servers on your network. There may be slight variations, but
the idea is the same: go to the RADIUS servers list in either the ‘Wireless Security’
or ‘Wireless Settings’ panel and add the IP address, port number and shared secret
for your RADIUS server connection.
Second, from the ‘Wireless Security’ panel go to the 802.1X Security section and
enable it, then select your required key size and group key re-key settings:
- No rekeying: the clients will not have to re-key the password to re-authenticate to
the RADIUS server.
- Rekeying every X minutes: the number of minutes before the client will have to
re-enter the password.
- Rekeying every X packets: the number of transmitted packets before the client will
have to re-enter the password.
Once you do all this you can move on to the next stage of configuring the Certificate
Authority on your Windows 2003 Server.
Windows Server Certification Authority (CA)
The PEAP protocol needs the IAS server to identify itself to the wireless client before
the client passes any encrypted credentials to it. Once the IAS server has a certificate
installed, it holds the matching private key, which it uses to decrypt the encrypted
credentials sent by the wireless client. The wireless client uses the certificate’s
public key to encrypt the username and password.
To install the Certification Authority (CA) console you will have to run the
Add/Remove Components wizard and select Certificate Services from the list. To
make use of the Web Enrollment wizard (the web interface used to request and generate
certificates) you will have to have IIS (Internet Information Server) installed.
NOTE:
Before initiating the installation you will be warned that changing the machine
name or domain membership will invalidate any certificates issued by the CA, because
CA information is stored in, and bound to, Active Directory. Make sure all the
properties of your machine are set up properly before you continue.
As part of the installation you will be asked to select the type of CA you want to set
up. You have a choice of Enterprise CA, Enterprise Subordinate, Standalone CA and
Standalone Subordinate, with Enterprise CA being the most trusted Certificate
Authority in the enterprise. Make your choice and follow the wizard to complete the
installation.
Once the CA console is installed you will have to issue a certificate for the computer
running IAS. Do this from the Web Enrollment wizard (which is created automatically
when you install Certificate Services unless you specified that it should not be
installed). By default you can log on and request a certificate by opening Internet
Explorer and navigating to http://<ip_address>/certsrv
Install user and computer certificates on wireless clients in the same manner as
described above.
Windows Active Directory Service Configuration
Your next step is to create a group for wireless user and computer accounts in AD.
Alternatively you could just create individual users, but it goes without saying that
groups are easier to manage. In the properties of the user account, go to the Dial-in
tab and select the “Control Access through Remote Access Policy” option in the
Remote Access Permission section.
NOTE:
If “Control Access through Remote Access Policy” is disabled, your current domain
functional level is probably set to Windows 2000. To change this, right-click the
domain name in Active Directory and select Raise Domain Functional Level. Choose
Windows 2003 from the drop-down list and press Apply. Once AD replication is
complete, “Control Access through Remote Access Policy” will no longer be grayed
out.
You must also verify that your IAS server is a member of the RAS and IAS Servers
security group.
Windows Server IAS Configuration
If you haven’t already done so, install the Internet Authentication Service
component from Add/Remove Programs in the Control Panel. You will find it under
Networking Services.
Open the IAS console from the Administrative Tools folder in either the Control Panel
or the Start Menu. Follow these steps:
- Right-click the main IAS node and select “Register Server in Active Directory”;
this authorizes IAS to read the users’ dial-in properties from the domain.
- In the right-hand pane of the console, right-click anywhere and select “New RADIUS
Client”. In the first screen, enter a friendly name for the RADIUS client and the
access point’s IP address. Press Next.
- Now select the client-vendor attribute of the RADIUS client. If you are not using a
remote access policy based on the client-vendor attribute, select RADIUS Standard
from the list.
- Type the shared secret, as you did when configuring the 802.1X server on your
access point. The IAS server will only accept user information forwarded by the AP
once the correct shared secret has been provided, so make sure that they match.
- After pressing Next, the new client will show up in the right pane of the IAS
console.
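The shared secret entered on the access point and in the IAS RADIUS client entry is what lets IAS trust the EAP traffic the AP forwards. The following is an added example, not code from the handout or from Windows, of how that check works on the wire: it builds a RADIUS Access-Request carrying an EAP-Message and a Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 3579) and verifies it the way the server does. The secret, the AP address 192.0.2.10, the user name and the EAP payload are all constructed values.

```python
import hashlib, hmac, struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)

def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value

def build_access_request(secret, ident, authenticator, username, nas_ip, eap_payload):
    """Access-Request as the AP sends it; Message-Authenticator = HMAC-MD5(secret, packet
    with the Message-Authenticator value zeroed), per RFC 3579 section 3.2."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_payload)
             + attr(ATTR_MSG_AUTH, bytes(16)))        # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                          # Message-Authenticator is last

def verify_message_authenticator(secret, packet):
    """Server-side check with IAS's copy of the secret: True only if the packet was
    built with the same secret and was not altered in transit."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    i = HEADER_LEN
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            return False                               # malformed attribute
        if atype == ATTR_MSG_AUTH and alen == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        i += alen
    return False  # EAP-Message with no Message-Authenticator: RFC 3579 says discard it

def demo():
    # Constructed values; a real AP picks a random 16-byte Request Authenticator.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP-Response/Identity for "alice"
    pkt = build_access_request(secret, 7, req_auth, "alice", "192.0.2.10", eap_identity)
    return (verify_message_authenticator(secret, pkt),                # True: secrets match
            verify_message_authenticator(b"mistyped-secret", pkt),    # False: AP/IAS mismatch
            verify_message_authenticator(secret, pkt.replace(b"alice", b"bobby")))  # False
```

A mismatched secret or any change to the forwarded attributes fails the check, which is why IAS silently drops such requests rather than answering them.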
Creating a Wireless Remote Access Policy
Your next step is to create a Remote Access Policy for wireless access. Right-click
the Remote Access Policies node in the left-hand pane and select New Remote Access
Policy to bring up the wizard. Enter a policy name in the text box and select whether
you want to set up the policy manually or via the wizard.
NOTE:
The wizard does what most Microsoft wizards do: it helps you set up a typical
scenario while allowing you to add conditions to it later. You can set user or group
access and the authentication method using Protected EAP. Manual configuration gives
you the option to set all your conditions straight away and customize the setup to
suit your specific needs.
If you choose the wizard you will be given the option to choose an access method for
the policy. VPN, Dial-Up, Wireless and Ethernet are your typical RADIUS server
options. Choose Wireless and press Next. Select whether you want to grant access to a
User or Group, followed by the EAP type. In the Authentication Method screen choose
PEAP as the EAP authentication method and press the Configure button if you want to
change which certificate is used to identify the server. Press Next and Finish. You
have now deployed 802.1X security on a Windows RADIUS server.