Windows 2003 and 802.1x Secure Wireless Deployments.

Presentation on theme: "Windows 2003 and 802.1x Secure Wireless Deployments."— Presentation transcript:

1 Windows 2003 and 802.1x Secure Wireless Deployments

2 Challenge of Wireless
- Impressions that wireless is insecure
- Early implementations lacked security: WEP shared secret, MAC address filtering
- Difficult to administer and manage
- Need to protect network integrity
- Need to secure data
- Prevent unauthorized network access
- Must be able to trust an access point
- Prevent credential theft
- Security without excess complexity

3 Secure Wireless with Windows 2003
Active Directory
- Directory Enabled Networking
- Secure 802.1x Wireless Support
- Effortless PKI Services
- Password or certificate-based access
PKI
- PKI integrated with Active Directory
- Auto enrollment of certificates
- PKI deployment optional: passwords can be used with a trusted 3rd party certificate
Wireless
- Integrated 802.1x Support
- Integrated EAP Security: EAP/TLS, PEAP
IAS (RADIUS)
- Checks for valid x509 certificate via RADIUS to AD
All connections are authenticated and secured.

4 Components
- Access Point
- 802.1x
- PKI
- IAS (aka RADIUS)
- WEP, WPA
- EAP, TLS, PEAP

5 Why use 802.1X?
- Eases manageability by centralizing authentication decisions and authorization decisions
- Distributes keys for data encryption and integrity to the wireless client computer
- Minimizes access point cost by moving expensive authentication to AD
- Supports both WPA and WEP

6 EAP-TLS (Wireless Station, Access Point, Authentication Server)
- Step 1: Use TLS to authenticate AS to Station
- Step 2: Use TLS key to protect the channel between Station and AS
- Step 3: Use certificate method protected by TLS key to authenticate Station to AS

7 PEAP (Wireless Station, Access Point, Authentication Server)
- Step 1: Use TLS to authenticate AS to Station
- Step 2: Use TLS key to protect the channel between Station and AS
- Step 3: Use legacy method (e.g., MD5 Challenge, MS-CHAPv2, etc.) protected by TLS key to authenticate Station to AS

8 Why PEAP vs. EAP/TLS?
- Organizations may not be ready for PKI
- Managing user certificates stored on computer hard drives has challenges
- Some personnel might roam among computers; smartcards solve this
- Technical and sociological issues can delay or prevent deployment
- PEAP enables secure wireless now
- Leverages existing domain credentials
- Allows easy migration to certificates and smartcards later

9 PEAP Security and Ease of Deployment Advantages
- PEAP is an open standard
- PEAP offers end-to-end negotiation protection
- PEAP uses mutual authentication
- PEAP offers highly secure keys for data encryption
- PEAP does not require the deployment of a full PKI or client certificates
- PEAP can be used efficiently with roaming wireless devices
- User's credentials are not exposed to brute force password attacks

10 Windows 2003 Wireless Security
- Native support for IEEE 802.1X
- Complete with all required infrastructure:
  - IAS: RADIUS server and proxy
  - Windows Certificate Server: PKI
  - AD: user and computer account and certificate repository
- Same infrastructure used with RAS dial-up and VPN authentication
- Native interop. with Windows XP client (WinXP SP-1)
- Down-level client support (PPC2002, W2K, NT4, 9x)

11 Windows 2003 Improvements
Windows 2003 Active Directory
- Auto certificate enrollment and renewal for machines and users
- Performance enhancements when using certificate deployment
- Group Policy support of wireless settings
Internet Authentication Service
- Enhanced logging
- Allows easier deployment of multiple authentication types
- Scaling up: load balancing, RADIUS proxy
- Configuration export and restore
- Registering AP's with RADIUS servers: a large number of AP's in a wireless deployment requires Server 2003 Enterprise Edition

12 PEAP Interoperability
- Confusion with PEAP versions
- Most RADIUS servers on the market now support PEAP version 0:
  - Cisco ACS (RADIUS server)
  - Funk Steel-Belted RADIUS (both server and client)
  - Interlink RADIUS (only server)
  - MeetingHouse RADIUS (both server and client)
- PEAP is supported in the following families:
  - Natively: Microsoft Windows 2003, Windows XP SP1, Windows 2000 SP4
  - Application or system upgrade: Windows 98, Windows NT 4.0 and Pocket PC 2002
- Internet Authentication Service (IAS): the Windows Server 2003 family supports PEAP, no need to install third party RADIUS software
- PEAP is an open standard and has been submitted to the IETF

13 Windows PEAP Authentication
First phase: machine logon
- 802.11 association
- Authenticate AP
- Authenticate computer
- Transition controlled port status for machine account access to authorized resources
Second phase: user logon
- Authenticate user
- Transition controlled port status for user account access to authorized resources

14 Why Use Machine Accounts?
- Domain logon required for: machine group policies, computer startup scripts, software installation settings
- When user account passwords expire, an associated WIC and transitioned controlled port are needed for the user notification and change dialog
- Machine account logon phase allows password expiration notices and changes to occur normally
- Cisco's LEAP can't deal with this: no facility for machine authentication

15 System Requirements
- Client: Windows XP Service Pack 1
- Server: Windows Server 2003 IAS (Internet Authentication Service, our RADIUS server); certificate on IAS computer
- Backporting to Windows 2000:
  - Client and IAS must have SP3
  - No zero-config support in the client
  - See KB article 313664
  - Supports only TLS and MS-CHAPv2
  - Future EAP methods in XP and 2003 might not be backported

16 802.1x Setup
1. Build Windows Server 2003 IAS server
2. Join to domain
3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x
8. Create wireless client access policy
9. Configure clients (don't forget to import CA root)
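Steps 6 and 7 rest on a shared secret that each access point and IAS must agree on. In 802.1X the access point forwards the supplicant's EAP frames to the RADIUS server inside EAP-Message attributes, and RFC 3579 requires such an Access-Request to carry a Message-Authenticator (RFC 2869): an HMAC-MD5 over the packet keyed with that shared secret. This is what lets the RADIUS server drop requests from an AP that was never registered (or holds the wrong secret) and detect packets modified in transit. The following Python is an added example, not part of the slides and not IAS code; it builds a constructed Access-Request carrying an EAP Identity response and shows the server-side check. The user name, realm and shared secret are made-up values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 2869, RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed sample values; in a real deployment the secret is per-AP in IAS.
SHARED_SECRET = b"constructed-shared-secret"
USER_NAME = "CONTOSO\\alice"


def _attr(attr_type, value):
    # Attribute = Type (1 byte), Length (1 byte, includes the 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    # EAP packet: Code 2 (Response), Identifier, Length, Type 1 (Identity), Type-Data.
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(identifier, shared_secret, user_name, eap_message,
                         request_authenticator=None):
    """Build what an AP sends to the RADIUS server for an 802.1X supplicant:
    User-Name, EAP-Message, and a Message-Authenticator computed over the
    whole packet with the Message-Authenticator value set to 16 zero bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # random per Access-Request
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_message)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    # The placeholder is the last attribute, so swap in the real HMAC there.
    return packet[:-16] + mac


def parse_attributes(packet):
    """Return [(type, value), ...]; raise ValueError on inconsistent lengths
    so a malformed packet is rejected before any attribute is trusted."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet, shared_secret):
    """Server-side check: recompute HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed and compare in constant time.
    A packet without the attribute is rejected, as RFC 3579 requires
    whenever EAP-Message is present."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def demo():
    """Returns (genuine AP accepted, wrong secret rejected, tampered rejected)."""
    eap = eap_identity_response(1, USER_NAME)
    pkt = build_access_request(7, SHARED_SECRET, USER_NAME, eap)
    genuine = verify_message_authenticator(pkt, SHARED_SECRET)
    # An AP configured with a different secret fails the check.
    wrong_secret = verify_message_authenticator(pkt, b"not-the-registered-secret")
    # One bit flipped inside the User-Name value (lengths intact) also fails.
    tampered = bytearray(pkt)
    tampered[25] ^= 0x01
    modified = verify_message_authenticator(bytes(tampered), SHARED_SECRET)
    return genuine, wrong_secret, modified


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check runs before any EAP content is handed to the authentication method, so an unregistered AP gets no further than this attribute. IAS performs the equivalent validation against the secret entered when the AP is added as a RADIUS client, which is why a typo in that secret shows up as rejected requests rather than as a PEAP failure.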
