Re: Aironet 1200/Radius Help Needed
From: Bernie (Bernie_at_weekend.com)
Date: Tue, 10 Aug 2004 01:36:25 -0500
On Mon, 09 Aug 2004 14:36:31 -0700, "James McIllece [MS]"
>"Jolly Student" <email@example.com> wrote in
>> Dear Colleagues:
>> Okay, I think I sort of understand this setup. New to this of course.
>> I have fifteen Cisco Aironet 1200 series wireless access points on
>> campus. I just fired up a W2003 Advanced Server so that I can take
>> advantage of the policies for our XP Pro computers.
>> I also got a certificate from verisign to install on one of the two
>> IAS servers (do I need a separate certificate for the secondary IAS
>> Great article on how to just go to verisign from your IAS 2003 server
>> and install the certificate via Microsoft is located at:
>> Also read a great article on generally configuring Windows XP/Server
>> 2003 at the following link:
>> Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version
>> of authentication since it involves just installing the certificate on
>> the servers.
>> Okay, here is where I am completely confused.
>> Deploy group policies to the Windows XP workstations for shared key,
>> huh, what shared key? I thought this was taken care of via the CA
>> authority courtesy of verisign.
>> Also, I think, if I read this correctly, that the clients will hit the
>> WAPS, the waps will point them to the RADIUS servers, if the computers
>> are configured for the SSIDs and shared keys (huh) then they should
>> connect transparently.
>> But my question is, if the clients have keys as do the wireless access
>> points, then where is the security and how does the RADIUS server
>> along with the CA Authority prevent any yahoo from setting up the keys
>> on their workstation and connecting?
>> Basically I am a bit confused here and, well, I am asking for help.
>> Lastly, if somebody comes on campus with an XP home edition box, what
>> do I do to allow them to access our network via PEAP-MS-CHAP v2?
>> Advice is greatly appreciated
>I am guessing that your question is regarding step 6 from the Enterprise
>deployment whitepaper with the section title "Configuring Wireless Network
>(IEEE 802.11) Policies Group Policy Settings." If you use Group Policy you
>can configure domain member computers automatically -- the configuration is
>pushed down to the computer by GP. No matter what authentication method you
>use (such as PEAP), you still need clients to be configured properly to be
>able to communicate with your AP's.
>The shared key I think you are asking about is used for WEP. To be fairly
>basic about it, there are communications between the client and access
>point that need to be secured. (See 802.11 standards.) This is very
>different than authentication, it has to do with securing communications
>between the AP and the client.
>When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
>channel between the wireless client and the IAS server (not the AP). This
>process is about authenticating the user with user name and password and
>the IAS server with the server cert.
>Here's the basic connection/authentication process with PEAP (For detail
>see standards for the technology you're interested in):
>1. AP advertises w/beacon & SSID; and Wireless client scanning (probe
>request, etc) for AP
>2. WPA or WEP (802.11) secures communication between client and AP. An IEEE
>802.11-based association provides an Open System or Shared Key
>Authentication before a secure association is created between the client
>and access point.
>3. 802.1X port-based authentication begins (client virtual port remains
>closed until authentication and authorization are successful)
>4. AP sends Access-Request to IAS
>5. TLS channel created between wireless client and IAS server. AP forwards
>encrypted packets back and forth. Negotiation of authentication method -
>PEAP. (Note that the EAP method negotiation that occurs between client and
>server is protected by the TLS channel.)
>6. Authentication (IAS to DC) and authorization (IAS reads dial-in
>properties of AD user account and IAS remote access policy) are performed
>by IAS, plus client authenticates server with server cert.
>7. If OK, Access-Accept sent by IAS to AP.
>8. 802.1X on AP opens port
>9. Association between client and AP (client registered on network by AP
>using client's MAC address).
Minor nitpick. The "association" occurs before 802.1x authentication
(between steps 1 & 2). You have to associate before you can send frames
to the AP. Also the 802.11 authentication phase precedes the 802.11
association phase. In the case of 802.1x, 802.11 authentication will
be "open system."
Also in step 7, the RADIUS server assigns a key to the AP and client
to use for encrypting normal data sent to the network via the AP.
>10. Client broadcasts DHCP, DHCP server responds and client obtains a
>11. Client is on network.
>So even if some yahoo gets the keys, it won't matter because they still
>need a user name and password to be authenticated by IAS. What they could
>use the keys for is to decrypt other's messages, but then that won't work
>either for a variety of reasons, including the fact that all PEAP
>communications are secured by the TLS channel and encryption keys auto-
>generated by IAS.
>In addition, the TLS master secret created by the IAS server and client is
>not shared with the access point. Because of this, the access point (or
>someone monitoring it) cannot decrypt the messages protected by PEAP.
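The AP-to-IAS leg of the exchange above (step 4, Access-Request; step 7, Access-Accept) is what the RADIUS shared secret protects, and it is a different secret from the WEP/WPA key the thread is confused about. The following is an added example, not code from the thread or from Microsoft or Cisco: it builds and verifies those two packets per RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator, required whenever EAP-Message is carried), using only the Python standard library. The shared secret, NAS address, user name and EAP payloads are constructed sample values; the Request Authenticator is a parameter only so the run is reproducible and must be random in real use.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows

# Constructed sample values (not from the thread): an EAP Response/Identity for
# user "sam" and an EAP Success, as the AP would relay them inside EAP-Message.
SECRET = b"example-shared-secret"
EAP_IDENTITY = bytes.fromhex("020100080173616d")
EAP_SUCCESS = bytes.fromhex("03010004")


def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("value does not fit in one RADIUS attribute")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(area: bytes) -> dict:
    """Decode the attribute area into {type: value}; rejects malformed lengths."""
    attrs, i = {}, 0
    while i < len(area):
        kind, length = area[i], area[i + 1]
        if length < 2 or i + length > len(area):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[kind] = area[i + 2:i + length]
        i += length
    return attrs


def _zero_ma(area: bytes) -> bytes:
    """Copy of the attribute area with the Message-Authenticator value zero-filled,
    which is the HMAC input RFC 3579 s3.2 prescribes."""
    out, i = bytearray(area), 0
    while i < len(area):
        kind, length = area[i], area[i + 1]
        if kind == MESSAGE_AUTHENTICATOR:
            out[i + 2:i + length] = bytes(length - 2)
        i += length
    return bytes(out)


def _message_authenticator(secret, code, ident, auth, area):
    """HMAC-MD5(secret) over Code|ID|Length|auth|attributes(MA zeroed).
    For a reply, auth is the Request Authenticator of the request being answered."""
    pkt = HEADER.pack(code, ident, 20 + len(area)) + auth + _zero_ma(area)
    return hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_request(secret, ident, user, nas_ip, eap, request_auth=None):
    """Step 4: the AP (NAS) forwards the client's EAP message to the RADIUS server."""
    request_auth = request_auth or os.urandom(16)
    area = (attr(USER_NAME, user.encode())
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(EAP_MESSAGE, eap)
            + attr(MESSAGE_AUTHENTICATOR, bytes(16)))          # placeholder, patched below
    mac = _message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, area)
    area = area[:-16] + mac
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(area)) + request_auth + area


def verify_access_request(secret, pkt) -> bool:
    """Server side: only a NAS holding the shared secret can produce a valid MA."""
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack(pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    area = pkt[20:]
    attrs = parse_attrs(area)
    if MESSAGE_AUTHENTICATOR not in attrs:     # RFC 3579: mandatory with EAP-Message
        return False
    expected = _message_authenticator(secret, code, ident, pkt[4:20], area)
    return hmac.compare_digest(attrs[MESSAGE_AUTHENTICATOR], expected)


def build_access_accept(secret, request, eap_success):
    """Step 7: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    ident, request_auth = request[1], request[4:20]
    area = attr(EAP_MESSAGE, eap_success) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = _message_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, area)
    area = area[:-16] + mac
    head = HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(area))
    response_auth = hashlib.md5(head + request_auth + area + secret).digest()
    return head + response_auth + area


def verify_access_accept(secret, request, response) -> bool:
    """NAS side, before opening the port (step 8): the reply must be bound to our
    request (same ID, Response Authenticator over our Request Authenticator) and
    carry a valid Message-Authenticator."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(response):
        return False
    request_auth, area = request[4:20], response[20:]
    expected_resp = hashlib.md5(response[:4] + request_auth + area + secret).digest()
    if not hmac.compare_digest(response[4:20], expected_resp):
        return False
    attrs = parse_attrs(area)
    expected_ma = _message_authenticator(secret, code, ident, request_auth, area)
    return MESSAGE_AUTHENTICATOR in attrs and hmac.compare_digest(
        attrs[MESSAGE_AUTHENTICATOR], expected_ma)
```

Two things the code makes visible that the prose only implies: an attacker who captured the WEP/WPA key still cannot forge or tamper with the AP's Access-Request without the RADIUS secret, and an Access-Accept replayed against a different request is rejected because the Response Authenticator is computed over that request's own Request Authenticator.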