Windows 2003 and 802.1x Secure Wireless Deployments - PowerPoint PPT Presentation

Provided by: MicrosoftC83
Transcript and Presenter's Notes

1
Windows 2003 and 802.1x Secure Wireless Deployments
2
Challenge of Wireless
  • Impressions that wireless is insecure
    • Early implementations lacked security
      • WEP shared secret, MAC address filtering
    • Difficult to administer and manage
  • Need to protect network integrity
    • Need to secure data
    • Prevent unauthorized network access
    • Must be able to trust an access point
    • Prevent credential theft
  • Security without excess complexity

3
Secure Wireless with Windows 2003
All connections are authenticated and secured
  • Directory Enabled Networking
  • Secure 802.1x Wireless Support
  • Effortless PKI Services
  • Password or certificate-based access

(Diagram: the wireless client authenticates with PEAP or EAP/TLS; the IAS RADIUS server checks for a valid X.509 certificate via RADIUS against Active Directory; the PKI is integrated with AD)

EAP/TLS
  • PKI integrated with Active Directory
  • Auto enrollment of certificates
  • Integrated 802.1x Support
  • Integrated EAP Security
PEAP
  • PKI Deployment Optional
  • Passwords can be used w/ Trusted 3rd party Cert.
  • Integrated 802.1x Support

4
Components
  • Access Point
  • 802.1x
  • PKI
  • IAS (aka RADIUS)
  • WEP
  • WPA
  • EAP
  • TLS
  • PEAP

5
Why use 802.1X ?
  • Eases manageability by centralizing
    • Authentication decisions
    • Authorization decisions
  • Distributes keys for data encryption and integrity to the wireless client computer
  • Minimizes Access Point cost by moving expensive authentication to AD
  • Supports both WPA and WEP

6
EAP-TLS
(Diagram: EAP-TLS exchange; only the "Wireless Station" label survives)
7
PEAP
(Diagram: PEAP exchange; only the "Wireless Station" label survives)
8
Why PEAP vs. EAP/TLS ?
  • Organizations may not be ready for PKI
  • Managing user certificates stored on computer hard drives has challenges
    • Some personnel might roam among computers
    • Smartcards solve this
  • Technical and sociological issues can delay or prevent deployment
  • PEAP enables secure wireless now
    • Leverages existing domain credentials
    • Allows easy migration to certificates and smartcards later

9
PEAP Security and Ease of Deployment Advantages
  • PEAP is an open standard.
  • PEAP offers end-to-end negotiation protection.
  • PEAP uses mutual authentication.
  • PEAP offers highly secure keys for data encryption.
  • PEAP does not require the deployment of a full PKI or client certificates.
  • PEAP can be used efficiently with roaming wireless devices.
  • Users' credentials are not exposed to brute-force password attacks.

10
Windows 2003 Wireless
  • Security
    • Native support for IEEE 802.1X
  • Complete with all required infrastructure
    • IAS: RADIUS Server and Proxy
    • Windows Certificate Server: PKI
    • AD: User and Computer account and Certificate repository
  • Same infrastructure used w/ RAS dial-up and VPN authentication
  • Native interoperability w/ Windows XP client (Windows XP SP1)
  • Down-level client support (PPC2002, W2K, NT4, 9x)

11
Windows 2003 Improvements
  • Windows 2003 Active Directory
    • Auto Certificate enrollment and renewal for machines and users
    • Performance enhancements when using certificate deployment
    • Group Policy support of Wireless settings
  • Internet Authentication Service
    • Enhanced logging
    • Allows easier deployment of multiple authentication types
  • Scaling up
    • Load Balancing
    • RADIUS Proxy
    • Configuration export and restore
    • Registering APs with RADIUS servers
    • Large number of APs in wireless deployment
      • Requires Server 2003 Enterprise Edition

12
PEAP Interoperability
  • Confusion with PEAP versions
  • Most RADIUS servers on the market now support PEAP version 0
    • Cisco ACS (RADIUS server)
    • Funk Steel-Belted RADIUS (both server and client)
    • Interlink RADIUS (only server)
    • MeetingHouse RADIUS (both server and client)
  • PEAP is supported in the following families
    • Natively: Microsoft Windows 2003, Windows XP SP1, Windows 2000 SP4
    • Application or system upgrade: Windows 98, Windows NT 4.0 and Pocket PC 2002
  • Internet Authentication Service (IAS) in the Windows Server 2003 family supports PEAP
    • No need to install third-party RADIUS software.
  • PEAP is an open standard and has been submitted to the IETF.

13
Windows PEAP Authentication
  • First phase: machine logon
    • 802.11 association
    • Authenticate AP
    • Authenticate computer
    • Transition controlled port status
    • For machine account access to authorized resources
  • Second phase: user logon
    • Authenticate user
    • Transition controlled port status
    • For user account access to authorized resources
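The two-phase logon above, as an added model that is not part of the original deck: a simplified simulation (no real TLS or MS-CHAPv2) in which the station first validates the IAS server certificate against its imported CA roots, then sends machine and user credentials only inside that tunnel. The class names, the "Contoso-Root-CA" issuer and the accounts are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class IasServer:
    cert_issuer: str          # CA that issued the IAS server certificate
    machine_accounts: set     # AD computer accounts allowed on the WLAN
    user_accounts: set        # AD user accounts allowed on the WLAN

@dataclass
class Supplicant:
    machine: str
    user: str
    trusted_roots: set        # CA roots imported on the client
    controlled_port: str = "unauthorized"
    log: list = field(default_factory=list)

    def _peap(self, server, identity, accounts):
        # PEAP part 1: TLS tunnel; the station authenticates the server (and the
        # AP in front of it) by checking its certificate chains to a trusted root
        if server.cert_issuer not in self.trusted_roots:
            self.log.append(f"{identity}: untrusted server cert, no credentials sent")
            return False
        # PEAP part 2: MS-CHAPv2 runs only inside the tunnel, so the password
        # exchange is never exposed to an eavesdropper
        ok = identity in accounts
        self.log.append(f"{identity}: inner MS-CHAPv2 {'ok' if ok else 'failed'}")
        return ok

    def connect(self, server):
        self.log.append("802.11 association; only EAPOL passes the uncontrolled port")
        # First phase: machine logon with the computer account, before any user
        # logs on, so group policy and startup scripts can reach the network
        if not self._peap(server, self.machine, server.machine_accounts):
            return self.controlled_port
        self.controlled_port = "authorized (machine account)"
        # Second phase: at user logon the station re-authenticates with the
        # user's domain credentials and the controlled port transitions again
        if self._peap(server, self.user, server.user_accounts):
            self.controlled_port = "authorized (user account)"
        return self.controlled_port

# Constructed sample: the IAS certificate was issued by "Contoso-Root-CA"
IAS = IasServer("Contoso-Root-CA", {"LAPTOP01$"}, {"alice"})

def trusted_client():
    return Supplicant("LAPTOP01$", "alice", {"Contoso-Root-CA"}).connect(IAS)

def client_without_root():
    # Root CA never imported: phase 1 fails before any password leaves the box
    s = Supplicant("LAPTOP01$", "alice", set())
    return s.connect(IAS), s.log[-1]
```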

14
Why Use Machine Accounts?
  • Domain logon required for
    • Machine group policies
    • Computer startup scripts
    • Software installation settings
  • When user account passwords expire
    • Need associated WIC and transitioned controlled port for user notification and change dialog
    • Machine account logon phase allows password expiration notices and changes to occur normally
  • Cisco's LEAP can't deal with this
    • No facility for machine authentication

15
System Requirements
  • Client: Windows XP Service Pack 1
  • Server: Windows Server 2003 IAS
    • Internet Authentication Service, our RADIUS server
    • Certificate on IAS computer
  • Backporting to Windows 2000
    • Client and IAS must have SP3
    • No zero-config support in the client
    • See KB article 313664
    • Supports only TLS and MS-CHAPv2
    • Future EAP methods in XP and 2003 might not be backported

16
802.1x Setup
  • Build Windows Server 2003 IAS server
    • Join to domain
    • Enroll computer certificate
    • Register IAS in Active Directory
    • Configure RADIUS logging
  • Add AP as RADIUS client
  • Configure AP for RADIUS and 802.1x
  • Create wireless client access policy
  • Configure clients
    • Don't forget to import CA root