Re: Aironet 1200/MS Radius Help - Yet Again
From: Bernie (Bernie_at_weekend.com)
Date: 08/13/04
- Next message: Paul: "IAS configuration for authenticating passport 8600"
- Previous message: James McIllece [MS]: "Re: PEAP error message with CA and IAS"
- In reply to: Jolly Student: "Aironet 1200/MS Radius Help - Yet Again"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 12 Aug 2004 19:54:59 -0500
On Thu, 12 Aug 2004 17:05:52 GMT, "Jolly Student" <jolly@joy.com>
wrote:
>Dearest Colleagues:
>
>Your collective help thus far has made me understand more about wireless
>security than I ever thought possible, in particular the PEAP-CHAP2 method
>involving Cisco Aironet 1200 Wireless Access points and a Windows 2003
>RADIUS/IAS Server.
>
>The complete thread hitherto to my last question is posted merely to annoy
>you, yeah, right, sorry about that.
>
>Okay, I understand that if no username/password is provided by some rogue
>workstation out there, the access point sends them to the radius server
>which, in turn, checks against its Active Directory database and, if not
>there, it says "nope, sorry".
>
>Now here is the rub, so what if my buddy comes on campus with his wireless
>computer, let's say he has a Mac or even a Dell or for that matter a Compaq
>super palm device that keeps everything from his bowling stats right on down
>to all of his phone numbers.
>
>Obviously, those devices are going to pick up the SSID at the wireless
>access points and then send them to the RADIUS server which is going to deny
>them access based upon the fact that there exists no account in Active
>Directory.
>
>So my question is, succinctly, what do I have to add to Active Directory to
>allow them to connect? If I add their username/password combination, is
>that enough for something like, let's say, a Macintosh wireless client, but
>what about the Palm Pilot or other laptop, let's say a laptop that uses XP
>Home Edition? Do I simply create a machine account in Active Directory
>under an organizational unit called, let's say, "Wireless guests" within the
>organizational unit that already holds the policies for the wireless
>laptops?
For guests who are not exactly "domain users" there are a couple of
check boxes of interest on the client side. One is "Authenticate as
computer when..." Uncheck that so you don't have to create any
machine accounts for the laptops. The other is "Automatically use my
Windows logon name and password..." Uncheck that as well so they
don't have to have the normal username that they log in to Windows
with (locally) also configured in your AD.
So with that type of setup, you can now create a couple of guest
accounts in your AD and just let those users know the proper name and
password to use to get on the network.
Oh, also, one other thing while I am thinking of it. The other
requirement is obviously that the device have an 802.1X supplicant.
With Windows at the right patch level, the OS has that. With a Mac,
you may have to check to make sure you have a supplicant. Also, the
client supplicant must support MS-CHAP v2. So there are some
dependencies that you have to make sure of.
>Sorry Bernie, but I bit the bullet and actually set up a Windows 2003 server
>on the network, it was basically simple as I had to disconnect the
>infrastructure master from the network, run the 2003 server CD with what
>amounts to a forestprep switch, plug it back in, wait about an hour while I
>grabbed a smoke and a cup of java and, bingo bango, now I can have 2003
>domain controllers to my heart's desire. Seems that 2000 Active Directory
>networks don't like 2003 domain controllers until you update the schema;
>thereafter, they all play well in the same sandbox and I am pretty happy to
>have the Windows 2003 servers to play with. By the way, is it me or does
>Windows 2003 simply look like XP Professional with a bunch of added bells
>and whistles?
>
>Thank you all so very much for your advice, you guys embody the spirit of
>professionals helping one another out and I am honored to have your kind and
>freely given advice.
>
>Regards,
>
>Jolly Roger
>
>
>
>Dear Colleagues:
>
>Okay, I think I sort of understand this setup. New to this of course.
>
>I have fifteen Cisco Aironet 1200 series wireless access points on campus.
>I just fired up a W2003 Advanced Server so that I can take advantage of the
>policies for our XP Pro computers.
>
>I also got a certificate from verisign to install on one of the two IAS
>servers (do I need a separate certificate for the secondary IAS Server?)
>
>Great article on how to just go to verisign from your IAS 2003 server and
>install the certificate via Microsoft is located at:
>
>http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en
>
>Also read a great article on generally configuring Windows XP/Server 2003 at
>the following link:
>
>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
>
>Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version of
>authentication since it involves just installing the certificate on the
>servers.
>
>Okay, here is where I am completely confused.
>
>Deploy group policies to the Windows XP workstations for shared key, huh,
>what shared key? I thought this was taken care of via the CA authority
>courtesy of verisign.
>
>Also, I think, if I read this correctly, that the clients will hit the WAPs,
>the WAPs will point them to the RADIUS servers, if the computers are
>configured for the SSIDs and shared keys (huh) then they should connect
>transparently.
>
>But my question is, if the clients have keys as do the wireless access
>points, then where is the security and how does the RADIUS server along with
>the CA Authority prevent any yahoo from setting up the keys on their
>workstation and connecting?
>
>Basically I am a bit confused here and, well, I am asking for help. Lastly,
>if somebody comes on campus with an XP home edition box, what do I do to
>allow them to access our network via PEAP-MS-CHAP v2?
>
>Advice is greatly appreciated.
>
> Message 2 in thread
> From: James McIllece [MS] (jamesmci@online.microsoft.com)
> Subject: Re: Aironet 1200/Radius Help Needed
> Newsgroups: alt.certification.cisco, microsoft.public.internet.radius
> Date: 2004-08-09 14:38:31 PST
>
>"Jolly Student" <jolly@joy.com> wrote in
>news:vlPRc.48453$zc4.19757212@news4.srv.hcvlny.cv.net:
>
>I am guessing that your question is regarding step 6 from the Enterprise
>deployment whitepaper with the section title "Configuring Wireless Network
>(IEEE 802.11) Policies Group Policy Settings." If you use Group Policy you
>can configure domain member computers automatically -- the configuration is
>pushed down to the computer by GP. No matter what authentication method you
>use (such as PEAP), you still need clients to be configured properly to be
>able to communicate with your APs.
>
>The shared key I think you are asking about is used for WEP. To be fairly
>basic about it, there are communications between the client and access
>point that need to be secured. (See 802.11 standards.) This is very
>different from authentication; it has to do with securing communications
>between the AP and the client.
>
>When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
>channel between the wireless client and the IAS server (not the AP). This
>process is about authenticating the user with user name and password and
>the IAS server with the server cert.
>
>Here's the basic connection/authentication process with PEAP (For detail
>see standards for the technology you're interested in):
>
>
>1. AP advertises w/beacon & SSID; and Wireless client scanning (probe
>request, etc) for AP
>
>2. WPA or WEP (802.11) secures communication between client and AP. An IEEE
>802.11-based association provides an Open System or Shared Key
>Authentication before a secure association is created between the client
>and access point.
>
>3. 802.1X port-based authentication begins (client virtual port remains
>closed until authentication and authorization are successful)
>
>4. AP sends Access-Request to IAS
>
>5. TLS channel created between wireless client and IAS server. AP forwards
>encrypted packets back and forth. Negotiation of authentication method -
>PEAP. (Note that the EAP method negotiation that occurs between client and
>server is protected by the TLS channel.)
>
>6. Authentication (IAS to DC) and authorization (IAS reads dial-in
>properties of AD user account and IAS remote access policy) are performed
>by IAS, plus client authenticates server with server cert.
>
>7. If OK, Access-Accept sent by IAS to AP.
>
>8. 802.1X on AP opens port
>
>9. Association between client and AP (client registered on network by AP
>using client's MAC address).
>
>10. Client broadcasts DHCP, DHCP server responds and client obtains a
>lease.
>
>11. Client is on network.
>
>So even if some yahoo gets the keys, it won't matter because they still
>need a user name and password to be authenticated by IAS. What they could
>use the keys for is to decrypt others' messages, but then that won't work
>either for a variety of reasons, including the fact that all PEAP
>communications are secured by the TLS channel and encryption keys
>auto-generated by IAS.
>
>In addition, the TLS master secret created by the IAS server and client is
>not shared with the access point. Because of this, the access point (or
>someone monitoring it) cannot decrypt the messages protected by PEAP.
--Bernie