Re: Aironet 1200/Radius Help Needed

From: James McIllece [MS] (jamesmci_at_online.microsoft.com)
Date: 08/09/04

Date: Mon, 09 Aug 2004 14:36:31 -0700

"Jolly Student" <jolly@joy.com> wrote in
news:vlPRc.48453$zc4.19757212@news4.srv.hcvlny.cv.net:

> Dear Colleagues:
>
> Okay, I think I sort of understand this setup. New to this of course.
>
> I have fifteen Cisco Aironet 1200 series wireless access points on
> campus. I just fired up a W2003 Advanced Server so that I can take
> advantage of the policies for our XP Pro computers.
>
> I also got a certificate from verisign to install on one of the two
> IAS servers (do I need a separate certificate for the secondary IAS
> Server?)
>
> Great article on how to just go to verisign from your IAS 2003 server
> and install the certificate via Microsoft is located at:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en
>
> Also read a great article on generally configuring Windows XP/Server
> 2003 at the following link:
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
>
> Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version
> of authentication since it involves just installing the certificate on
> the servers.
>
> Okay, here is where I am completely confused.
>
> Deploy group policies to the Windows XP workstations for shared key,
> huh, what shared key? I thought this was taken care of via the CA
> authority courtesy of verisign.
>
> Also, I think, if I read this correctly, that the clients will hit the
> WAPs, the WAPs will point them to the RADIUS servers, and if the computers
> are configured for the SSIDs and shared keys (huh) then they should
> connect transparently.
>
> But my question is, if the clients have keys as do the wireless access
> points, then where is the security and how does the RADIUS server
> along with the CA Authority prevent any yahoo from setting up the keys
> on their workstation and connecting?
>
> Basically I am a bit confused here and, well, I am asking for help.
> Lastly, if somebody comes on campus with an XP home edition box, what
> do I do to allow them to access our network via PEAP-MS-CHAP v2?
>
> Advice is greatly appreciated

I am guessing that your question is regarding step 6 from the Enterprise
deployment whitepaper, in the section titled "Configuring Wireless Network
(IEEE 802.11) Policies Group Policy Settings." If you use Group Policy, you
can configure domain member computers automatically -- the configuration is
pushed down to the computer by GP. No matter what authentication method you
use (such as PEAP), you still need clients to be configured properly to be
able to communicate with your APs.

The shared key I think you are asking about is used for WEP. To be fairly
basic about it, there are communications between the client and access
point that need to be secured. (See the 802.11 standards.) This is very
different from authentication; it has to do with securing communications
between the AP and the client.

When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
channel between the wireless client and the IAS server (not the AP). This
process is about authenticating the user with user name and password and
the IAS server with the server cert.

Here's the basic connection/authentication process with PEAP (For detail
see standards for the technology you're interested in):

1. AP advertises with beacons and its SSID; the wireless client scans (probe
request, etc.) for the AP.

2. WPA or WEP (802.11) secures communication between client and AP. An IEEE
802.11-based association provides Open System or Shared Key Authentication
before a secure association is created between the client and access point.

3. 802.1X port-based authentication begins (the client's virtual port remains
closed until authentication and authorization are successful).

4. AP sends Access-Request to IAS.

5. TLS channel created between wireless client and IAS server. AP forwards
encrypted packets back and forth. Negotiation of authentication method:
PEAP. (Note that the EAP method negotiation that occurs between client and
server is protected by the TLS channel.)

6. Authentication (IAS to DC) and authorization (IAS reads the dial-in
properties of the AD user account and the IAS remote access policy) are
performed by IAS, plus the client authenticates the server with the server
cert.

7. If OK, Access-Accept sent by IAS to AP.

8. 802.1X on AP opens port.

9. Association between client and AP (client registered on network by AP
using client's MAC address).

10. Client broadcasts DHCP, DHCP server responds and client obtains a lease.

11. Client is on network.

So even if some yahoo gets the keys, it won't matter, because they still
need a user name and password to be authenticated by IAS. What they could
use the keys for is to decrypt others' messages, but that won't work
either, for a variety of reasons, including the fact that all PEAP
communications are secured by the TLS channel and encryption keys auto-
generated by IAS.

In addition, the TLS master secret created by the IAS server and client is
not shared with the access point. Because of this, the access point (or
someone monitoring it) cannot decrypt the messages protected by PEAP.

-- 
James McIllece, Microsoft
Please do not send email directly to this alias.  This is my online account 
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
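The RADIUS leg of steps 4 and 7 above, modelled as an added example that is not part of the original post or of any Microsoft or Cisco code. It shows the third "shared key" in this setup, the RADIUS shared secret configured on the AP and in IAS (RFC 2865), which is separate from both the WEP key and the user's password: the AP only acts on an Access-Accept whose Response Authenticator and Message-Authenticator verify under that secret, and the per-session key IAS hands back arrives wrapped with the same secret (MS-MPPE-Recv-Key, RFC 2548). The secret, packet identifier, Request Authenticator, user name, NAS address and session key are constructed values; the EAP round trips of the PEAP TLS handshake between the request and the accept are skipped.

```python
"""One RADIUS round trip between an access point (the NAS) and IAS, built from the
RFC 2865/3579/2548 primitives.  Constructed example: secret, packet identifier,
authenticator, user name and session key are made up; the PEAP TLS round trips are skipped."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 26, 79, 80
MS_VENDOR_ID, MS_MPPE_RECV_KEY = 311, 17          # RFC 2548 Microsoft vendor-specific attribute

def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(pkt):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen

def zero_message_authenticator(pkt):
    """Return (packet with its Message-Authenticator zeroed, the original MAC or None)."""
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in parse_attrs(pkt))
    return pkt[:20] + zeroed, dict(parse_attrs(pkt)).get(MESSAGE_AUTHENTICATOR)

def mppe_crypt(secret, req_auth, salt, data, decrypt):
    """RFC 2548 2.4.2: XOR 16-byte blocks with MD5 pads, b(1) = MD5(S+R+A), b(i) = MD5(S+c(i-1))."""
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res              # the chain always runs over ciphertext
    return out

def build_access_request(secret, ident, req_auth, username, eap):
    """Step 4: the AP relays the client's EAP message; Message-Authenticator is required (RFC 3579)."""
    attrs = (attr(USER_NAME, username) + attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 2]))
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()   # HMAC-MD5 under the RADIUS secret

def ias_check_request(secret, pkt):
    """IAS side: process the request only if the HMAC verifies; return User-Name."""
    zeroed, mac = zero_message_authenticator(pkt)
    if mac is None or not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return None
    return dict(parse_attrs(pkt)).get(USER_NAME)

def build_access_accept(secret, ident, req_auth, session_key):
    """Step 7: EAP-Success plus the session key wrapped for the AP as MS-MPPE-Recv-Key.
    The key is derived from the PEAP TLS master secret, which never leaves IAS and the client."""
    salt = b"\x80\x01"                                # two bytes, high bit set
    plain = bytes([len(session_key)]) + session_key
    plain += bytes(-len(plain) % 16)
    wrapped = salt + mppe_crypt(secret, req_auth, salt, plain, decrypt=False)
    vsa = struct.pack("!I", MS_VENDOR_ID) + attr(MS_MPPE_RECV_KEY, wrapped)
    eap_success = struct.pack("!BBH", 3, 1, 4)        # EAP code 3 = Success
    attrs = (attr(EAP_MESSAGE, eap_success) + attr(VENDOR_SPECIFIC, vsa)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # A reply's Message-Authenticator is computed with the Request Authenticator in the header
    attrs = attrs[:-16] + hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def nas_check_accept(secret, req_auth, pkt):
    """AP side, before step 8 opens the port: verify both authenticators under the RADIUS
    secret, then unwrap the key.  Returns None for anything forged, tampered or not an Accept."""
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    hdr, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(hdr + req_auth + attrs + secret).digest()):
        return None
    zeroed, mac = zero_message_authenticator(pkt)
    if mac is None or not hmac.compare_digest(
            mac, hmac.new(secret, hdr + req_auth + zeroed[20:], hashlib.md5).digest()):
        return None
    for atype, value in parse_attrs(pkt):
        if atype == VENDOR_SPECIFIC and value[:5] == struct.pack("!IB", MS_VENDOR_ID, MS_MPPE_RECV_KEY):
            plain = mppe_crypt(secret, req_auth, value[6:8], value[8:], decrypt=True)
            return plain[1:1 + plain[0]]
    return None

def demo(secret=b"radius-shared-secret"):
    """Return (user seen by IAS, key recovered by the AP, result with wrong secret, result if tampered)."""
    req_auth = bytes(range(16))                       # constructed; a real NAS draws 16 random bytes
    eap_identity = struct.pack("!BBHB", 2, 1, 13, 1) + b"student1"   # EAP Response/Identity
    req = build_access_request(secret, 7, req_auth, b"student1", eap_identity)
    session_key = bytes(range(32))                    # constructed stand-in for the PEAP-derived key
    accept = build_access_accept(secret, 7, req_auth, session_key)
    tampered = accept[:-1] + bytes([accept[-1] ^ 1])
    return (ias_check_request(secret, req), nas_check_accept(secret, req_auth, accept),
            nas_check_accept(b"wrong-secret", req_auth, accept), nas_check_accept(secret, req_auth, tampered))
```

demo() returns the user name IAS extracted, the 32-byte key the AP unwrapped, and None for both the accept checked with a different secret and the accept with one byte flipped. Two points worth keeping in mind from this: the AP does receive the derived session key (that is what it keys the client's WEP/WPA traffic with), and only the TLS master secret stays with IAS and the client; and everything on this leg rests on MD5 and HMAC-MD5 keyed with the RADIUS secret, so that secret should be long and random, per AP, and the AP-to-IAS path should be a network you trust.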
