Deploying a Secure Mobile Network Access Infrastructure with Windows Server 2003 - PowerPoint PPT Presentation

1
Deploying a Secure Mobile Network Access
Infrastructure with Windows Server 2003
2
James McIllece, Technical Writer, Windows Server
Content Group, Microsoft Corporation
  • Advanced Network Pack
  • Wireless Provisioning Services
  • WS03 Resource Kit chapters for IAS
  • WS03 Product Help DHCP, IAS, IPv6, Netsh, VPN,
    and WINS
  • Some topics for Windows XP

3
Program
  • IAS and PEAP overview and security benefits
  • Certificate requirements for PEAP
  • How to configure secure password authentication

4
Windows Server 2003 SKU-specific information
  • Web Server SKU: no IAS.
  • Standard Edition limitations: maximum of 50
    RADIUS clients, maximum of 2 remote RADIUS server
    groups; RADIUS clients cannot be configured by IP
    address range.
  • Enterprise Edition, Datacenter Edition: no IAS
    limits.

5
What you need
  • Clients running Windows 2000 (with 802.1X client
    pack), Pocket PC 2002, Windows XP SP1
  • 802.11 Access points that are compatible with
    802.1X and EAP
  • Windows Server 2003 running Internet
    Authentication Service
  • IAS server certificate

6
IAS and PEAP: Overview and Security Benefits
7
Basic IAS/RADIUS infrastructure (diagram): remote
access clients and 802.1X wireless clients reach the
IAS server through RADIUS clients (access points and
remote access servers).
Network security between each RADIUS client and the
IAS server is provided by configuring both with a
shared secret or a certificate.
8
PEAP overview
  • 802.1X defines EAPOL (EAP over LANs), the framing
    that carries EAP between the wireless client and
    the AP. PEAP (Protected EAP) is an EAP method that
    wraps a second EAP exchange inside TLS.
  • PEAP uses Transport Layer Security (TLS) to
    create an encrypted channel between the client PC
    and the IAS server. The AP merely forwards
    messages.
  • The complete inner EAP authentication occurs
    through the TLS channel.
  • Mutual authentication: With MS-CHAP v2 as the
    authentication type (PEAP-MS-CHAP v2), users are
    authenticated with password-based credentials and
    the IAS server authenticates to the client with a
    server certificate.
  • Fast reconnect: When enabled, users do not need
    to retype credentials when moving between access
    points that are RADIUS clients of the same IAS
    server.

9
802.1x / PEAP wireless scenario
Diagram components: XP client, 802.1X AP (RADIUS
client), IAS (RADIUS server), DC/AD, DHCP server.
  • Client associates with the wireless access point
    using 802.11.
  • The AP blocks traffic to the LAN (the virtual
    port stays unauthorized) and initiates 802.1X to
    the client.
  • The AP transfers PEAP packets between the IAS
    server and the client. A TLS channel is created
    between the client and the IAS server, and
    credentials are exchanged inside it during
    authentication.
  • If the PEAP client is successfully authenticated
    and authorized:
    • IAS tells the AP to open the port for the
      client.
    • IAS returns encryption keys that are used to
      encrypt traffic between the client and the AP.
    • If configured to do so, IAS can return
      restrictions that the AP MUST implement for
      that port. These restrictions can include
      VLANs, IP filters, and encryption policies.
  • After the port is opened, the client initiates
    DHCP to get an IP address.

10
PEAP fast reconnect (diagram): a wireless client in
a 5th floor office associates over 802.11 with
WAP-01 (802.1X WAP, RADIUS client), then moves into
the range of WAP-22 in the 1st floor conference room
(also an 802.1X WAP and RADIUS client). Both APs use
the same IAS server, so the cached TLS session is
resumed and the user is not prompted for credentials
again. (The figure labels the second coverage area
"WAP-02 range".)
11
PEAP security benefits over EAP
  • EAP alone is clear text: Identity Request and
    Response packets and the inner method travel
    unprotected. PEAP creates a TLS tunnel and runs
    the authentication method inside it, so only the
    outer EAP-Identity exchange is visible on the air.
  • IAS with PEAP derives the per-session encryption
    keys from the TLS handshake and returns them to
    the AP.
  • EAP with MS-CHAP v2 as the EAP type does not
    require server authentication. PEAP-MS-CHAP v2
    requires the server to authenticate to the client
    with a certificate, so a client that validates
    that certificate will not offer its
    password-based credentials to a rogue AP.
  • With EAP, wireless client users must
    reauthenticate each time the laptop associates
    with a new AP. With PEAP fast reconnect,
    credentials are sent once.

12
Certificate Requirements for PEAP-MS-CHAP v2
13
Choosing a Certification Authority
  • You can use a public CA like VeriSign. Pro:
    Windows XP clients already trust this CA. Con:
    You have to pay VeriSign for your IAS server
    certificate, which may not be cost-effective for
    large IAS deployments.
  • You can deploy Certificate Services in Windows
    Server 2003 or use another CA product. Pro: No
    additional cost. Con: The CA certificate must be
    installed on the clients.
  • In either case, the CA that issues the
    certificate to the IAS server must be trusted by
    the wireless clients connecting to your APs.

14
Certificates needed on XP client
  • CA certificate in two certificate stores:
    • Trusted Root Certification Authorities store
      for the Current User
    • Trusted Root Certification Authorities store
      for the Local Computer

VeriSign and other public CA certificates are
already in these certificate stores, so Windows
clients trust certificates issued to your IAS server
by the VeriSign CA.
15
Trust establishment (diagram)
  • The Windows XP install CD carries the VeriSign
    public trusted root Certification Authority
    certificate, so the XP client has the VeriSign
    certificates in its Current User and Local
    Computer stores.
  • The Windows Server 2003 IAS server requests a
    server certificate from the VeriSign CA; the CA
    enrolls the server certificate to the IAS server.
  • During PEAP the IAS server presents its server
    certificate to the client, and the client sends
    its user name and password inside the TLS
    channel.
16
XP certificate store
17
How to configure secure password authentication
18
Download a whitepaper
Title: Obtaining and Installing a VeriSign WLAN
Server Certificate for PEAP-MS-CHAP v2 Wireless
Authentication.
URL: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
19
Configure access points (aka RADIUS clients)
  • With a Service Set Identifier (SSID), or network
    name
  • To use RADIUS authentication on UDP port 1812 and
    RADIUS accounting on UDP port 1813
  • With a shared secret (long and random; it is the
    only thing that authenticates the AP to IAS and
    protects the session keys IAS returns)
  • To require EAP from wireless clients
  • With IEEE 802.1X authentication and WEP enabled.
    The per-session WEP keys are delivered by IAS
    after authentication; WEP itself is weak, so use
    WPA where the APs and clients support it.

For ease of configuration in Enterprise Edition
IAS, deploy APs on the same subnet or VLAN with
one IP address range.
20
Create Wireless Users Group in AD
Add members or other groups to the group.
21
Configure dial-in properties
Set each wireless user's dial-in permission (Allow
access, or Control access through Remote Access
Policy), or configure the remote access policy
profile to ignore the user dial-in properties so
that the policy alone decides.
22
IAS RADIUS clients
  • Use the same shared secret you used on the AP
    that you're configuring as a client.
  • With Enterprise Edition you can configure APs by
    IP address range; then the same shared secret
    must be used on all APs in the range.
  • PEAP automatically uses the Message-Authenticator
    attribute, so you don't need to check the box.
    RFC 3579 requires it on every RADIUS packet that
    carries EAP-Message, so the shared secret
    protects the EAP exchange even with the box
    clear.
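
The AP-to-IAS exchange described in slides 7, 9 and 22, reduced to the bytes the shared secret actually protects, as an added example for this page (not Microsoft or IAS code): an Access-Request carrying an EAP-Message with its Message-Authenticator, the Access-Accept the AP must verify before it opens the port, and the VLAN restriction and MS-MPPE key attributes in which the session keys come back encrypted under the shared secret. The secret, user name, VLAN and key bytes are constructed for the demo; attribute numbers and algorithms follow RFC 2865, RFC 2548 and RFC 3579.

```python
"""RADIUS between an 802.1X AP (RADIUS client) and IAS, reduced to what the shared
secret protects. Added example, not Microsoft/IAS code. Secret, identity, VLAN and
key bytes are constructed; attribute numbers are from RFC 2865, 2548 and 3579."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 26, 79, 80
TUNNEL_PRIVATE_GROUP_ID, MS_VENDOR, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 81, 311, 16, 17

def encode_attrs(attrs):
    """Attribute = Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def iter_attrs(packet):
    """Yield (type, offset of the type byte, value) for each attribute after the header."""
    i = 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield t, i, packet[i + 2:i + length]
        i += length

def build(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the Request Authenticator
    in the header and a zeroed MA value), RFC 3579 3.2. Responses additionally get
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_message_authenticator(packet, request_auth, secret):
    for t, off, value in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:4] + request_auth + packet[20:off + 2] + bytes(16) + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # a packet carrying EAP-Message without an MA must be discarded

def verify_access_accept(packet, request_auth, secret):
    """What the AP checks before opening the port: the Response Authenticator (bound to
    the Request Authenticator the AP chose, so a replayed Accept fails) and the MA."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return (packet[0] == ACCESS_ACCEPT and hmac.compare_digest(expected, packet[4:20])
            and verify_message_authenticator(packet, request_auth, secret))

def mppe_wrap(key, secret, request_auth, salt):
    """MS-MPPE-*-Key encryption (RFC 2548 2.4.2): salt(2, high bit set) + (len||key||pad)
    XORed with an MD5 keystream chained from secret, Request Authenticator and salt."""
    plain = bytes([len(key)]) + key + bytes(-(len(key) + 1) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out += prev
    return salt + out

def mppe_unwrap(blob, secret, request_auth):
    salt, cipher, plain = blob[:2], blob[2:], b""
    prev = request_auth + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]

def vsa(vendor_type, data):  # Vendor-Specific value: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data
    return struct.pack("!IBB", MS_VENDOR, vendor_type, len(data) + 2) + data

def authorization(packet, request_auth, secret):
    """Port restrictions and keys an accepted client gets back: VLAN and MPPE keys."""
    result = {}
    for t, _, value in iter_attrs(packet):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = value[1:].decode()  # first byte is the tunnel tag
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MS_VENDOR:
            name = {MS_MPPE_SEND_KEY: "send_key", MS_MPPE_RECV_KEY: "recv_key"}.get(value[4])
            if name:
                result[name] = mppe_unwrap(value[6:], secret, request_auth)
    return result

def exchange(secret, wrong_secret, request_auth, send_key, recv_key):
    """Access-Request carrying EAP-Response/Identity, then Access-Accept with VLAN 10 and keys."""
    identity = b"CONTOSO\\alice"  # constructed
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # EAP Response, type Identity
    req = build(ACCESS_REQUEST, 7, request_auth, [(USER_NAME, identity), (EAP_MESSAGE, eap)], secret)
    accept = build(ACCESS_ACCEPT, 7, request_auth, [
        (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"),  # tag 1, VLAN "10"
        (VENDOR_SPECIFIC, vsa(MS_MPPE_SEND_KEY, mppe_wrap(send_key, secret, request_auth, b"\x80\x01"))),
        (VENDOR_SPECIFIC, vsa(MS_MPPE_RECV_KEY, mppe_wrap(recv_key, secret, request_auth, b"\x80\x02"))),
    ], secret)
    return {
        "request_ok": verify_message_authenticator(req, request_auth, secret),
        "request_wrong_secret": verify_message_authenticator(req, request_auth, wrong_secret),
        "accept_ok": verify_access_accept(accept, request_auth, secret),
        "accept_wrong_secret": verify_access_accept(accept, request_auth, wrong_secret),
        "authz": authorization(accept, request_auth, secret),
    }
```

A wrong or guessed secret makes both verifications fail and, more importantly, makes the session keys in the Accept unreadable to anyone who captured it; that is why the deck insists the secret match on the AP and in IAS, and why APs configured as one IP address range in Enterprise Edition must all share a single secret.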

23
IAS logging
  • No logging is configured by default; turn on at
    least authentication request logging so that
    rejected attempts are recorded.
  • Use SQL Server logging if you have a large
    deployment and the resources.

24
IAS remote access policy
  • Run the New Remote Access Policy Wizard.
  • This example policy is also found in the WS03 IAS
    Help topic "Wireless access with secure password
    authentication".

29
Configure encryption manually in the IAS console
after running the New Remote Access Policy wizard:
deselect all except Strongest encryption.
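
How IAS applies the policy from slides 21, 24 and 29 once a request arrives, as an added example for this page (not IAS code): policies are tried in order, the first whose conditions all match decides, the user's dial-in property is consulted unless the profile ignores it, and the profile's EAP type and encryption settings are enforced. The conditions are assumed to be the ones in the Help topic the deck cites (NAS-Port-Type Wireless-IEEE 802.11 or Wireless-Other, Windows-Groups matching the wireless users group, PEAP, strongest encryption); the group and user names are constructed and the NAS-Port-Type numbers come from RFC 3580.

```python
"""How IAS decides a wireless Access-Request: remote access policies are tried in
order, the first whose conditions all match wins, the user's dial-in property is
consulted unless the profile ignores it, and the profile's EAP type and encryption
constraints are enforced. Added example, not IAS code; names are constructed."""

ETHERNET, WIRELESS_OTHER, WIRELESS_IEEE_80211 = 15, 18, 19  # NAS-Port-Type, RFC 3580

WIRELESS_POLICY = {
    "name": "Wireless access with secure password authentication",
    "conditions": {
        "nas_port_type": {WIRELESS_OTHER, WIRELESS_IEEE_80211},
        "windows_groups": {"CONTOSO\\Wireless Users"},  # constructed group name
    },
    "grant": True,  # "Grant remote access permission" on the policy
    "profile": {
        "eap_types": {"PEAP"},        # only PEAP is offered to the client
        "encryption": {"strongest"},  # deselect all but Strongest encryption
        "ignore_dialin": True,        # ignore user dial-in properties
    },
}

def matches(policy, request, user):
    """Every condition must hold; Windows-Groups matches any listed group."""
    c = policy["conditions"]
    return (request["nas_port_type"] in c["nas_port_type"]
            and bool(user["groups"] & c["windows_groups"]))

def evaluate(request, user, policies=(WIRELESS_POLICY,)):
    """Return (accepted, reason). Policy order matters: the first match decides."""
    policy = next((p for p in policies if matches(p, request, user)), None)
    if policy is None:
        return False, "no remote access policy matched"
    profile = policy["profile"]
    if profile["ignore_dialin"] or user["dialin"] == "policy":
        granted = policy["grant"]            # Control access through Remote Access Policy
    else:
        granted = user["dialin"] == "allow"  # Allow access overrides, Deny access rejects
    if not granted:
        return False, "remote access permission denied"
    if request["eap_type"] not in profile["eap_types"]:
        return False, "EAP type not permitted by profile"
    if request["encryption"] not in profile["encryption"]:
        return False, "encryption level not permitted by profile"
    return True, policy["name"]
```

Because the first matching policy wins, a broader policy placed above this one (for example one without the Windows-Groups condition) would silently take over wireless requests; keep the wireless policy at the top of the list and check the order whenever a policy is added.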
30
Use the default Connection Request Policy as it
is, or modify it for your circumstances.
31
Configure PEAP-compatible clients
If clients are domain members, PEAP settings can
be pushed down via Group Policy (Wireless Network
(IEEE 802.11) Policies). Manual configuration:
  • Bring the wireless client in range of the AP
  • Select the wireless network when prompted
  • Configure connection properties (authentication
    type PEAP, and validate the server certificate
    against the trusted root CA)

33
Resources
  • Windows Server 2003 Wi-Fi:
    http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
  • Windows Server 2003 IAS:
    http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
    Has the Enterprise deployment whitepaper and the
    PEAP advantages whitepaper.
  • Windows Server 2003 IAS product Help on the Web:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_IAStopnode.asp
  • Windows Server 2003 Deployment Kit:
    http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
  • microsoft.public.internet.radius: post questions
    in this Usenet newsgroup; IAS team members will
    help!

34
Thank you for attending. Visit www.mshug.org.