Title: Deploying a Secure Mobile Network Access Infrastructure with Windows Server 2003
Slide 1: Deploying a Secure Mobile Network Access Infrastructure with Windows Server 2003
Slide 2: James McIllece, Technical Writer, Windows Server Content Group, Microsoft Corporation
- Advanced Network Pack
- Wireless Provisioning Services
- WS03 Resource Kit chapters for IAS
- WS03 Product Help: DHCP, IAS, IPv6, Netsh, VPN, and WINS
- Some topics for Windows XP
Slide 3: Program
- IAS and PEAP overview and security benefits
- Certificate requirements for PEAP
- How to configure secure password authentication
Slide 4: Windows Server 2003 SKU-specific information
- Web Server SKU: no IAS.
- Standard Edition limitations: maximum of 50 RADIUS clients, maximum of 2 remote RADIUS server groups; RADIUS clients cannot be configured by IP address range.
- Enterprise Edition, Datacenter Edition: unlimited IAS.
Slide 5: What you need
- Clients running Windows 2000 (with the 802.1X client pack), Pocket PC 2002, or Windows XP SP1
- 802.11 access points that are compatible with 802.1X and EAP
- Windows Server 2003 running Internet Authentication Service (IAS)
- IAS server certificate
Slide 6: IAS and PEAP: Overview and Security Benefits
Slide 7: Basic IAS/RADIUS infrastructure
[Diagram: remote access clients and 802.1X wireless clients reach the IAS server through RADIUS clients]
Network security between the RADIUS clients and the IAS server is provided by configuring both with a shared secret or a certificate.
Slide 8: PEAP overview
- 802.1X defines EAPOL (EAP over LANs), which carries EAP between the wireless client and the AP. PEAP is an EAP method that encapsulates a second, inner EAP exchange inside TLS.
- PEAP uses Transport Layer Security (TLS) to create an encrypted channel between the client PC and the IAS server. The AP merely forwards messages.
- The complete inner EAP communication occurs through the TLS channel.
- Mutual authentication: with MS-CHAP v2 as the inner authentication type (PEAP-MS-CHAP v2), users are authenticated with password-based credentials, and the IAS server authenticates to the client with a server certificate.
- Fast reconnect: when enabled, users do not need to retype credentials when moving between access points that are RADIUS clients of the same IAS server.
Slide 9: 802.1X / PEAP wireless scenario
[Diagram: XP client, 802.1X AP (RADIUS client), IAS (RADIUS server), DC/AD, DHCP server]
- The client associates with the wireless access point using 802.11.
- The AP blocks traffic to the LAN (the virtual port stays unauthorized) and initiates 802.1X to the client.
- The AP relays PEAP packets between the client and the IAS server. A TLS channel is created between the client and the IAS server, and credentials are exchanged inside it during authentication.
- If the PEAP client is successfully authenticated and authorized:
  - IAS tells the AP to open the port for the client.
  - IAS returns encryption keys that are used to encrypt traffic between the client and the AP.
  - If configured to do so, IAS can return restrictions that the AP MUST implement for that port. These restrictions can include VLANs, IP filters, and encryption policies.
- After the port is opened, the client initiates DHCP to get an IP address.
Slide 10: PEAP fast reconnect
[Diagram: a wireless client roams over 802.11 from the range of WAP-01 (802.1X WAP, RADIUS client) in a 5th floor office to the range of WAP-02 (802.1X WAP, RADIUS client) in a 1st floor conference room; both APs are RADIUS clients of the same IAS server]
Slide 11: PEAP security benefits over EAP
- Plain EAP is clear text: Identity Request and Response packets are sent in the clear. PEAP creates a secure tunnel, so the inner identity and the credentials are never sent in the clear.
- IAS with PEAP generates the per-session encryption keys.
- EAP with MS-CHAP v2 as the EAP type does not require server authentication. PEAP-MS-CHAP v2 requires that the server authenticate to the client with a certificate.
- With EAP, wireless client users must reauthenticate each time the laptop associates with a new AP. With PEAP fast reconnect, credentials are sent once.
Slide 12: Certificate Requirements for PEAP-MS-CHAP v2
Slide 13: Choosing a Certification Authority
- You can use a public CA such as VeriSign. Pro: Windows XP clients already trust this CA. Con: you have to pay VeriSign for your IAS server certificate, which may not be cost-effective for large IAS deployments.
- You can deploy Certificate Services in Windows Server 2003 or use another CA product. Pro: no additional cost. Con: the CA certificate must be installed on the clients.
- In either case, the CA that issues the certificate to the IAS server must be trusted by the wireless clients connecting to your APs.
Slide 14: Certificates needed on the XP client
- The CA certificate in two certificate stores:
  - Trusted Root Certification Authorities store for the Current User
  - Trusted Root Certification Authorities store for the Local Computer
VeriSign and other public CA certificates are already in these stores, so Microsoft clients trust certificates issued to your IAS server by the VeriSign CA.
Slide 15: Trust establishment
[Diagram: the Windows Server 2003 IAS server requests a server certificate from the VeriSign public trusted root CA, and the CA enrolls the IAS server certificate; the Windows XP install CD ships with the VeriSign root certificates, so the XP client already has them in its Current User and Local Computer stores; the client then sends its user name and password (UN/PW) to the IAS server over the channel it has verified]
Slide 16: XP certificate store
Slide 17: How to configure secure password authentication
Slide 18: Download a whitepaper
Title: Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication
URL: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
Slide 19: Configure access points (aka RADIUS clients)
- With a Service Set Identifier (SSID), or network name
- To use RADIUS authentication on UDP port 1812 (authentication) and port 1813 (accounting)
- With a shared secret
- To require EAP from wireless clients
- With IEEE 802.1X authentication and WEP enabled (the WEP keys in use are the per-session keys IAS returns after authentication, not a static key typed into the AP)
For ease of configuration in Enterprise Edition IAS, deploy APs on the same subnet or VLAN with one IP address range.
Slide 20: Create a Wireless Users group in AD
Add members or other groups to the group.
Slide 21: Configure dial-in properties
Allow access in each user's dial-in properties, or configure IAS to ignore the user dial-in properties so that the remote access policy alone decides.
Slide 22: IAS RADIUS clients
- Use the same shared secret you used on the AP that you're configuring as a client.
- With Enterprise Edition you can configure APs by IP address range; use the same shared secret on all APs.
- PEAP automatically uses the Message-Authenticator attribute (every EAP-carrying RADIUS request must include it, and IAS verifies it), so you don't need to check the box.
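The shared secret on slides 7 and 22, the encryption keys IAS returns to the AP on slide 9, and the Message-Authenticator on slide 22 all meet in the RADIUS packet format. The following Python is an added example, not code from the original slides or from Microsoft: it builds the Access-Request an AP sends with the client's EAP Response/Identity, computes and verifies the Message-Authenticator that IAS checks (HMAC-MD5 under the shared secret, RFC 3579), and builds the Access-Accept in which the per-session key is wrapped for the AP (MS-MPPE-Recv-Key, RFC 2548) and sealed by the Response Authenticator. The secret, packet identifier, Request Authenticator, user identity and session key are constructed values; a real AP uses 16 random bytes for the Request Authenticator.

```python
# Added example (not from the original slides): a stdlib-only model of the RADIUS
# exchange between an 802.1X access point (RADIUS client) and IAS.  The secret,
# identifier, Request Authenticator, identity and session key are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 26, 79, 80
MS_VENDOR_ID, MS_MPPE_RECV_KEY = 311, 17

def attr(kind, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(pkt):
        kind, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield off, kind, pkt[off + 2:off + length]
        off += length

def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (code 2, type 1): still visible on the air with PEAP."""
    data = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(data)) + data

def build_access_request(identifier, request_auth, eap_packet, secret):
    """Access-Request with EAP-Message and Message-Authenticator (RFC 3579, 3.2)."""
    eap_attr = attr(EAP_MESSAGE, eap_packet)
    attrs = eap_attr + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # MAC field zeroed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt += request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()        # over the whole packet
    ma = 20 + len(eap_attr) + 2                               # offset of the MAC field
    return pkt[:ma] + mac + pkt[ma + 16:]

def verify_message_authenticator(pkt, secret):
    """IAS side: zero the MAC field and recompute.  An EAP-carrying request without
    the attribute must be rejected, or anyone reaching UDP/1812 could inject EAP."""
    for off, kind, value in parse_attrs(pkt):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def mppe_wrap(key, secret, request_auth, salt):
    """RFC 2548 2.4.3: C(1) = P(1) ^ MD5(S+R+A), C(i) = P(i) ^ MD5(S+C(i-1))."""
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)                          # zero-pad to 16-byte blocks
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        out, prev = out + block, block
    return salt + out

def mppe_unwrap(value, secret, request_auth):
    """AP side: needs the secret *and* its own Request Authenticator to recover the key."""
    salt, cipher, plain = value[:2], value[2:], b""
    prev = request_auth + salt
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]

def build_access_accept(identifier, request_auth, session_key, secret):
    """Access-Accept: wrapped key in a Microsoft VSA, sealed by the Response Authenticator."""
    salt = b"\x80\x01"                                        # high bit set, unique per packet
    wrapped = mppe_wrap(session_key, secret, request_auth, salt)
    vsa = struct.pack("!IBB", MS_VENDOR_ID, MS_MPPE_RECV_KEY, len(wrapped) + 2) + wrapped
    attrs = attr(VENDOR_SPECIFIC, vsa)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()  # RFC 2865, 3
    return head + resp_auth + attrs

def ap_accepts(accept, request_auth, secret):
    """AP side: check the Response Authenticator, then unwrap the key; None on failure."""
    head, resp_auth, attrs = accept[:4], accept[4:20], accept[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    vsa_head = struct.pack("!IB", MS_VENDOR_ID, MS_MPPE_RECV_KEY)
    for _, kind, value in parse_attrs(accept):
        if kind == VENDOR_SPECIFIC and value[:5] == vsa_head:
            return mppe_unwrap(value[6:], secret, request_auth)
    return None

def demo(secret=b"example-shared-secret", wrong_secret=b"typo-on-the-ap"):
    """Round trip under one secret, and what a mismatched AP/IAS secret looks like."""
    request_auth = bytes(range(16))              # constructed; a real NAS uses 16 random bytes
    req = build_access_request(42, request_auth, eap_response_identity(1, b"alice@corp.example"), secret)
    session_key = bytes(range(32))               # constructed 32-byte session key
    acc = build_access_accept(42, request_auth, session_key, secret)
    return {
        "request_ok": verify_message_authenticator(req, secret),
        "request_ok_wrong_secret": verify_message_authenticator(req, wrong_secret),
        "key_recovered": ap_accepts(acc, request_auth, secret) == session_key,
        "accept_rejected_wrong_secret": ap_accepts(acc, request_auth, wrong_secret) is None,
    }
```

demo() returns True for the two checks under the matching secret and shows both failure modes of a mismatched secret: IAS discards the request because the Message-Authenticator does not verify, and the AP discards the Accept because the Response Authenticator does not verify. That is what a typo in one AP's shared secret looks like from each side, and why the slide insists on the same secret in the AP and in the IAS client entry. Note that the Message-Authenticator protects the request from spoofing, while the MPPE wrap keeps the per-session key confidential on the wired path between AP and IAS; neither is a substitute for the TLS tunnel that protects the user's password.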
Slide 23: IAS logging
- No logging is configured by default; enable logging of authentication and accounting requests so that both failed and successful attempts are recorded.
- Use SQL Server logging if you have a large deployment and the resources.
Slide 24: IAS remote access policy
- Run the New Remote Access Policy Wizard.
- This example policy is also found in the WS03 IAS Help topic "Wireless access with secure password authentication".
Slide 29: Configure encryption manually in the IAS console after running the New Remote Access Policy Wizard: deselect all options except Strongest encryption.
Slide 30: Use the default Connection Request Policy as it is, or modify it for your circumstances.
Slide 31: Configure PEAP-compatible clients
If clients are domain members, PEAP settings can be pushed down via Group Policy. Manual configuration:
- Bring the wireless client in range of the AP
- Select the wireless network when prompted
- Configure the connection properties (including the PEAP option to validate the server certificate, so the client rejects an AP or server presenting a certificate from an untrusted CA)
Slide 33: Resources
- Windows Server 2003 Wi-Fi: http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
- Windows Server 2003 IAS: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx. Has the Enterprise deployment whitepaper and the PEAP advantages whitepaper.
- Windows Server 2003 IAS product Help on the Web: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_IAStopnode.asp
- Windows Server 2003 Deployment Kit: http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
- microsoft.public.internet.radius: post questions in this Usenet newsgroup; IAS team members will help!
Slide 34: Thank you for attending. Visit www.mshug.org.