Aironet 1200/MS Radius Help - Yet Again

From: Jolly Student (jolly_at_joy.com)
Date: 08/12/04


Date: Thu, 12 Aug 2004 17:05:52 GMT

Dearest Colleagues:

Your collective help thus far has made me understand more about wireless
security than I ever thought possible, in particular the PEAP-CHAP2 method
involving Cisco Aironet 1200 Wireless Access points and a Windows 2003
RADIUS/IAS Server.

The complete thread up to my last question is posted merely to annoy
you, yeah, right, sorry about that.

Okay, I understand that if no username/password is provided by some rogue
workstation out there, the access point sends them to the radius server
which, in turn, checks against its Active Directory database and, if not
there, it says "nope, sorry".

Now here is the rub, so what if my buddy comes on campus with his wireless
computer, let's say he has a Mac or even a Dell or for that matter a Compaq
super palm device that keeps everything from his bowling stats right on down
to all of his phone numbers.

Obviously, those devices are going to pick up the SSID at the wireless
access points and then send them to the RADIUS server which is going to deny
them access based upon the fact that there exists no account in Active
Directory.

So my question is, succinctly, what do I have to add to Active Directory to
allow them to connect? If I add their username/password combination, is
that enough for something like, let's say, a Macintosh wireless client, but
what about the Palm Pilot or other laptop, let's say a laptop that uses XP
Home Edition? Do I simply create a machine account in Active Directory
under an organizational unit called, let's say, "Wireless guests" within the
organizational unit that already holds the policies for the wireless
laptops?

Sorry Bernie, but I bit the bullet and actually set up a Windows 2003 server
on the network. It was basically simple, as I had to disconnect the
infrastructure master from the network, run the 2003 server CD with what
amounts to a forestprep switch, plug it back in, wait about an hour while I
grabbed a smoke and a cup of java and, bingo bango, now I can have 2003
domain controllers to my heart's desire. Seems that 2000 Active Directory
networks don't like 2003 domain controllers until you update the schema;
thereafter, they all play well in the same sandbox and I am pretty happy to
have the Windows 2003 servers to play with. By the way, is it me or does
Windows 2003 simply look like XP Professional with a bunch of added bells
and whistles?

Thank you all so very much for your advice; you guys embody the spirit of
professionals helping one another out and I am honored to have your kind and
freely given advice.

Regards,

Jolly Roger

Dear Colleagues:

Okay, I think I sort of understand this setup. New to this of course.

I have fifteen Cisco Aironet 1200 series wireless access points on campus.
I just fired up a W2003 Advanced Server so that I can take advantage of the
policies for our XP Pro computers.

I also got a certificate from verisign to install on one of the two IAS
servers (do I need a separate certificate for the secondary IAS Server?)

Great article on how to just go to verisign from your IAS 2003 server and
install the certificate via Microsoft is located at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en

Also read a great article on generally configuring Windows XP/Server 2003 at
the following link:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version of
authentication since it involves just installing the certificate on the
servers.

Okay, here is where I am completely confused.

Deploy group policies to the Windows XP workstations for shared key, huh,
what shared key? I thought this was taken care of via the CA authority
courtesy of verisign.

Also, I think, if I read this correctly, that the clients will hit the WAPS,
the waps will point them to the RADIUS servers, if the computers are
configured for the SSIDs and shared keys (huh) then they should connect
transparently.

But my question is, if the clients have keys as do the wireless access
points, then where is the security and how does the RADIUS server along with
the CA Authority prevent any yahoo from setting up the keys on their
workstation and connecting?

Basically I am a bit confused here and, well, I am asking for help. Lastly,
if somebody comes on campus with an XP home edition box, what do I do to
allow them to access our network via PEAP-MS-CHAP v2?

Advice is greatly appreciated.

Message 2 in thread
From: James McIllece [MS] (jamesmci@online.microsoft.com)
Subject: Re: Aironet 1200/Radius Help Needed
Newsgroups: alt.certification.cisco, microsoft.public.internet.radius
Date: 2004-08-09 14:38:31 PST

"Jolly Student" <jolly@joy.com> wrote in
news:vlPRc.48453$zc4.19757212@news4.srv.hcvlny.cv.net:

> Dear Colleagues:
>
> Okay, I think I sort of understand this setup. New to this of course.
>
> I have fifteen Cisco Aironet 1200 series wireless access points on
> campus. I just fired up a W2003 Advanced Server so that I can take
> advantage of the policies for our XP Pro computers.
>
> I also got a certificate from verisign to install on one of the two
> IAS servers (do I need a separate certificate for the secondary IAS
> Server?)
>
> Great article on how to just go to verisign from your IAS 2003 server
> and install the certificate via Microsoft is located at:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-
> 408d-bd97-139afc60996b&DisplayLang=en
>
> Also read a great article on generally configuring Windows XP/Server
> 2003 at the following link:
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.ms
> px
>
> Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version
> of authentication since it involves just installing the certificate on
> the servers.
>
> Okay, here is where I am completely confused.
>
> Deploy group policies to the Windows XP workstations for shared key,
> huh, what shared key? I thought this was taken care of via the CA
> authority courtesy of verisign.
>
> Also, I think, if I read this correctly, that the clients will hit the
> WAPS, the waps will point them to the RADIUS servers, if the computers
> are configured for the SSIDs and shared keys (huh) then they should
> connect transparently.
>
> But my question is, if the clients have keys as do the wireless access
> points, then where is the security and how does the RADIUS server
> along with the CA Authority prevent any yahoo from setting up the keys
> on their workstation and connecting?
>
> Basically I am a bit confused here and, well, I am asking for help.
> Lastly, if somebody comes on campus with an XP home edition box, what
> do I do to allow them to access our network via PEAP-MS-CHAP v2?
>
> Advice is greatly appreciated
>
>
>

I am guessing that your question is regarding step 6 from the Enterprise
deployment whitepaper with the section title "Configuring Wireless Network
(IEEE 802.11) Policies Group Policy Settings." If you use Group Policy you
can configure domain member computers automatically -- the configuration is
pushed down to the computer by GP. No matter what authentication method you
use (such as PEAP), you still need clients to be configured properly to be
able to communicate with your AP's.

The shared key I think you are asking about is used for WEP. To be fairly
basic about it, there are communications between the client and access
point that need to be secured. (See 802.11 standards.) This is very
different than authentication, it has to do with securing communications
between the AP and the client.

When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
channel between the wireless client and the IAS server (not the AP). This
process is about authenticating the user with user name and password and
the IAS server with the server cert.

Here's the basic connection/authentication process with PEAP (For detail
see standards for the technology you're interested in):

1. AP advertises w/beacon & SSID; and Wireless client scanning (probe
request, etc) for AP

2. WPA or WEP (802.11) secures communication between client and AP. An IEEE
802.11-based association provides an Open System or Shared Key
Authentication before a secure association is created between the client
and access point.

3. 802.1X port-based authentication begins (client virtual port remains
closed until authentication and authorization are successful)

4. AP sends Access-Request to IAS

5. TLS channel created between wireless client and IAS server. AP forwards
encrypted packets back and forth. Negotiation of authentication method -
PEAP. (Note that the EAP method negotiation that occurs between client and
server is protected by the TLS channel.)

6. Authentication (IAS to DC) and authorization (IAS reads dial-in
properties of AD user account and IAS remote access policy) are performed
by IAS, plus client authenticates server with server cert.

7. If OK, Access-Accept sent by IAS to AP.

8. 802.1X on AP opens port

9. Association between client and AP (client registered on network by AP
using client's MAC address).

10. Client broadcasts DHCP, DHCP server responds and client obtains a
lease.

11. Client is on network.

So even if some yahoo gets the keys, it won't matter because they still
need a user name and password to be authenticated by IAS. What they could
use the keys for is to decrypt other's messages, but then that won't work
either for a variety of reasons, including the fact that all PEAP
communications are secured by the TLS channel and encryption keys auto-
generated by IAS.

In addition, the TLS master secret created by the IAS server and client is
not shared with the access point. Because of this, the access point (or
someone monitoring it) cannot decrypt the messages protected by PEAP.

-- 
James McIllece, Microsoft
Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no
rights.

Message 3 in thread
From: Bernie (Bernie@weekend.com)
Subject: Re: Aironet 1200/Radius Help Needed
Newsgroups: alt.certification.cisco, microsoft.public.internet.radius
Date: 2004-08-09 23:25:08 PST

On Mon, 09 Aug 2004 14:36:31 -0700, "James McIllece [MS]"
<jamesmci@online.microsoft.com> wrote:
>"Jolly Student" <jolly@joy.com> wrote in
>news:vlPRc.48453$zc4.19757212@news4.srv.hcvlny.cv.net:
>
>> Dear Colleagues:
>>
>> Okay, I think I sort of understand this setup.  New to this of course.
>>
>> I have fifteen Cisco Aironet 1200 series wireless access points on
>> campus. I just fired up a W2003 Advanced Server so that I can take
>> advantage of the policies for our XP Pro computers.
>>
>> I also got a certificate from verisign to install on one of the two
>> IAS servers (do I need a separate certificate for the secondary IAS
>> Server?)
>>
>> Great article on how to just go to verisign from your IAS 2003 server
>> and install the certificate via Microsoft is located at:
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-
>> 408d-bd97-139afc60996b&DisplayLang=en
>>
>> Also read a great article on generally configuring Windows XP/Server
>> 2003 at the following link:
>>
>> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.ms
>> px
>>
>> Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version
>> of authentication since it involves just installing the certificate on
>> the servers.
>>
>> Okay, here is where I am completely confused.
>>
>> Deploy group policies to the Windows XP workstations for shared key,
>> huh, what shared key?  I thought this was taken care of via the CA
>> authority courtesy of verisign.
>>
>> Also, I think, if I read this correctly, that the clients will hit the
>> WAPS, the waps will point them to the RADIUS servers, if the computers
>> are configured for the SSIDs and shared keys (huh) then they should
>> connect transparently.
>>
>> But my question is, if the clients have keys as do the wireless access
>> points, then where is the security and how does the RADIUS server
>> along with the CA Authority prevent any yahoo from setting up the keys
>> on their workstation and connecting?
>>
>> Basically I am a bit confused here and, well, I am asking for help.
>> Lastly, if somebody comes on campus with an XP home edition box, what
>> do I do to allow them to access our network via PEAP-MS-CHAP v2?
>>
>> Advice is greatly appreciated
>>
>>
>>
>
>I am guessing that your question is regarding step 6 from the Enterprise
>deployment whitepaper with the section title "Configuring Wireless Network
>(IEEE 802.11) Policies Group Policy Settings." If you use Group Policy you
>can configure domain member computers automatically -- the configuration is
>pushed down to the computer by GP. No matter what authentication method you
>use (such as PEAP), you still need clients to be configured properly to be
>able to communicate with your AP's.
>
>The shared key I think you are asking about is used for WEP. To be fairly
>basic about it, there are communications between the client and access
>point that need to be secured. (See 802.11 standards.) This is very
>different than authentication, it has to do with securing communications
>between the AP and the client.
>
>When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
>channel between the wireless client and the IAS server (not the AP). This
>process is about authenticating the user with user name and password and
>the IAS server with the server cert.
>
>Here's the basic connection/authentication process with PEAP (For detail
>see standards for the technology you're interested in):
>
>
>1. AP advertises w/beacon & SSID; and Wireless client scanning (probe
>request, etc) for AP
>
>2. WPA or WEP (802.11) secures communication between client and AP. An IEEE
>802.11-based association provides an Open System or Shared Key
>Authentication before a secure association is created between the client
>and access point.
>
>3. 802.1X port-based authentication begins (client virtual port remains
>closed until authentication and authorization are successful)
>
>4. AP sends Access-Request to IAS
>
>5. TLS channel created between wireless client and IAS server. AP forwards
>encrypted packets back and forth. Negotiation of authentication method -
>PEAP. (Note that the EAP method negotiation that occurs between client and
>server is protected by the TLS channel.)
>
>6.  Authentication (IAS to DC) and authorization (IAS reads dial-in
>properties of AD user account and IAS remote access policy) are performed
>by IAS, plus client authenticates server with server cert.
>
>7. If OK, Access-Accept sent by IAS to AP.
>
>8. 802.1X on AP opens port
>
>9. Association between client and AP (client registered on network by AP
>using client's MAC address).
Minor nitpick. The "association" occurs before 802.1x authentication
(between steps 1 & 2). You have to associate before you can send frames
to the AP. Also the 802.11 authentication phase precedes the 802.11
association phase. In the case of 802.1x, 802.11 authentication will
be "open system."
Also in step 7, the RADIUS server assigns a key to the AP and client
to use for encrypting normal data sent to the network via the AP.
>10. Client broadcasts DHCP, DHCP server responds and client obtains a
>lease.
>
>11. Client is on network.
>
>So even if some yahoo gets the keys, it won't matter because they still
>need a user name and password to be authenticated by IAS. What they could
>use the keys for is to decrypt other's messages, but then that won't work
>either for a variety of reasons, including the fact that all PEAP
>communications are secured by the TLS channel and encryption keys auto-
>generated by IAS.
>
>In addition, the TLS master secret created by the IAS server and client is
>not shared with the access point. Because of this, the access point (or
>someone monitoring it) cannot decrypt the messages protected by PEAP.
--Bernie
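The AP-to-IAS leg of the flow James lists (step 4, the Access-Request carrying the client's EAP payload; step 7, the Access-Accept or Access-Reject; step 8, the AP opening its 802.1X controlled port) can be seen in a small model of the RADIUS packets involved. This is an added example written for this page, not code from the thread, from Microsoft or from Cisco. It follows the packet layout of RFC 2865 (Request and Response Authenticator) and RFC 3579 (Message-Authenticator on EAP-carrying requests); the AP-IAS shared secret, the EAP bytes and the identifiers are constructed sample values, and the per-session key that Bernie notes is handed to the AP in step 7 (MS-MPPE attributes) is not modelled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(attr_type, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, eap_payload):
    """AP -> IAS (step 4). The client's EAP bytes are split into EAP-Message
    attributes (253 bytes max each) and relayed opaquely: the AP never parses
    the TLS handshake inside them. Message-Authenticator = HMAC-MD5(secret,
    packet with that attribute's value zeroed). Returns (packet, request_auth)."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = b"".join(_attr(ATTR_EAP_MESSAGE, eap_payload[i:i + 253])
                     for i in range(0, len(eap_payload), 253))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = _packet(ACCESS_REQUEST, ident, req_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, req_auth


def verify_access_request(secret, pkt):
    """IAS side: check the Message-Authenticator and return the reassembled
    EAP payload, or None if the packet was not built with the shared secret."""
    eap_parts, zeroed, mac_at, pos = [], bytearray(pkt), None, HEADER_LEN
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return None  # malformed TLV
        if attr_type == ATTR_EAP_MESSAGE:
            eap_parts.append(pkt[pos + 2:pos + length])
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            mac_at = pos + 2
            zeroed[mac_at:mac_at + 16] = bytes(16)
        pos += length
    if mac_at is None:
        return None  # RFC 3579 requires it on every EAP-carrying Access-Request
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_at:mac_at + 16]):
        return None
    return b"".join(eap_parts)


def _response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(secret, code, ident, req_auth, attrs=b""):
    """IAS -> AP (step 7): Access-Accept or Access-Reject bound to one request."""
    return _packet(code, ident, _response_authenticator(secret, code, ident, req_auth, attrs), attrs)


class ControlledPort:
    """802.1X controlled port on the AP for one client: closed from step 3
    until a verified Access-Accept arrives (step 8). The AP only relays EAP."""

    def __init__(self, secret):
        self.secret, self.ident, self.pending_auth, self.is_open = secret, 0, None, False

    def relay_eap(self, eap_payload):
        pkt, self.pending_auth = build_access_request(self.secret, self.ident, eap_payload)
        self.ident = (self.ident + 1) % 256
        return pkt

    def handle_reply(self, pkt):
        """Act on a reply only if its Response Authenticator matches the
        outstanding request under the shared secret; otherwise ignore it."""
        if self.pending_auth is None or len(pkt) < HEADER_LEN:
            return None
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or ident != (self.ident - 1) % 256:
            return None
        expected = _response_authenticator(self.secret, code, ident, self.pending_auth, pkt[HEADER_LEN:])
        if not hmac.compare_digest(expected, pkt[4:HEADER_LEN]):
            return None
        self.pending_auth = None
        if code == ACCESS_ACCEPT:
            self.is_open = True
        return code


def demo(secret=b"constructed-ap-ias-secret"):
    """One round trip with a constructed EAP-Response/Identity; returns (code, port open?)."""
    port = ControlledPort(secret)
    identity = b"jolly@joy"
    eap_identity = b"\x02\x01" + struct.pack("!H", 5 + len(identity)) + b"\x01" + identity
    req = port.relay_eap(eap_identity)
    if verify_access_request(secret, req) != eap_identity:
        return None, port.is_open
    accept = build_response(secret, ACCESS_ACCEPT, 0, port.pending_auth)
    return port.handle_reply(accept), port.is_open


if __name__ == "__main__":
    print(demo())
```

The two checks are what keep the AP-IAS hop honest: the IAS side refuses an Access-Request whose Message-Authenticator does not verify under the shared secret, and the AP side refuses any Accept whose Response Authenticator is not bound to the Request Authenticator it sent, so a reply that was not produced by the RADIUS server holding the secret cannot open the port.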

