Re: Aironet 1200/Radius Help Needed
From: James McIllece [MS] (jamesmci_at_online.microsoft.com)
Date: 08/13/04
- Next message: James McIllece [MS]: "Re: AD required to use IAS?"
- Previous message: LiquidNoize: "AD required to use IAS?"
- In reply to: Bernie: "Re: Aironet 1200/Radius Help Needed"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 13 Aug 2004 12:55:29 -0700
Bernie <Bernie@weekend.com> wrote in
news:cpqgh09eb15vmodi77gtgbnjp5uq5ekk9d@4ax.com:
> On Mon, 09 Aug 2004 14:36:31 -0700, "James McIllece [MS]"
> <jamesmci@online.microsoft.com> wrote:
>
>>"Jolly Student" <jolly@joy.com> wrote in
>>news:vlPRc.48453$zc4.19757212@news4.srv.hcvlny.cv.net:
>>
>>> Dear Colleagues:
>>>
>>> Okay, I think I sort of understand this setup. New to this of
>>> course.
>>>
>>> I have fifteen Cisco Aironet 1200 series wireless access points on
>>> campus. I just fired up a W2003 Advanced Server so that I can take
>>> advantage of the policies for our XP Pro computers.
>>>
>>> I also got a certificate from verisign to install on one of the two
>>> IAS servers (do I need a separate certificate for the secondary IAS
>>> Server?)
>>>
>>> Great article on how to just go to verisign from your IAS 2003
>>> server and install the certificate via Microsoft is located at:
>>>
>>> http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en
>>>
>>> Also read a great article on generally configuring Windows XP/Server
>>> 2003 at the following link:
>>>
>>> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
>>>
>>> Pretty step by step and I decided to use the PEAP-MS-CHAP v2 version
>>> of authentication since it involves just installing the certificate
>>> on the servers.
>>>
>>> Okay, here is where I am completely confused.
>>>
>>> Deploy group policies to the Windows XP workstations for shared key,
>>> huh, what shared key? I thought this was taken care of via the CA
>>> authority courtesy of verisign.
>>>
>>> Also, I think, if I read this correctly, that the clients will hit
>>> the WAPS, the waps will point them to the RADIUS servers, if the
>>> computers are configured for the SSIDs and shared keys (huh) then
>>> they should connect transparently.
>>>
>>> But my question is, if the clients have keys as do the wireless
>>> access points, then where is the security and how does the RADIUS
>>> server along with the CA Authority prevent any yahoo from setting up
>>> the keys on their workstation and connecting?
>>>
>>> Basically I am a bit confused here and, well, I am asking for help.
>>> Lastly, if somebody comes on campus with an XP home edition box,
>>> what do I do to allow them to access our network via PEAP-MS-CHAP
>>> v2?
>>>
>>> Advice is greatly appreciated
>>>
>>>
>>>
>>
>>I am guessing that your question is regarding step 6 from the
>>Enterprise deployment whitepaper with the section title "Configuring
>>Wireless Network (IEEE 802.11) Policies Group Policy Settings." If you
>>use Group Policy you can configure domain member computers
>>automatically -- the configuration is pushed down to the computer by
>>GP. No matter what authentication method you use (such as PEAP), you
>>still need clients to be configured properly to be able to communicate
>>with your APs.
>>
>>The shared key I think you are asking about is used for WEP. To be
>>fairly basic about it, there are communications between the client and
>>access point that need to be secured. (See 802.11 standards.) This is
>>very different than authentication; it has to do with securing
>>communications between the AP and the client.
>>
>>When you deploy 802.1X with PEAP-MS-CHAP v2, PEAP creates a secure TLS
>>channel between the wireless client and the IAS server (not the AP).
>>This process is about authenticating the user with user name and
>>password and the IAS server with the server cert.
>>
>>Here's the basic connection/authentication process with PEAP (For
>>detail see standards for the technology you're interested in):
>>
>>
>>1. AP advertises w/beacon & SSID; and Wireless client scanning (probe
>>request, etc) for AP
>>
>>2. WPA or WEP (802.11) secures communication between client and AP. An
>>IEEE 802.11-based association provides an Open System or Shared Key
>>Authentication before a secure association is created between the
>>client and access point.
>>
>>3. 802.1X port-based authentication begins (client virtual port
>>remains closed until authentication and authorization are successful)
>>
>>4. AP sends Access-Request to IAS
>>
>>5. TLS channel created between wireless client and IAS server. AP
>>forwards encrypted packets back and forth. Negotiation of
>>authentication method - PEAP. (Note that the EAP method negotiation
>>that occurs between client and server is protected by the TLS
>>channel.)
>>
>>6. Authentication (IAS to DC) and authorization (IAS reads dial-in
>>properties of AD user account and IAS remote access policy) are
>>performed by IAS, plus client authenticates server with server cert.
>>
>>7. If OK, Access-Accept sent by IAS to AP.
>>
>>8. 802.1X on AP opens port
>>
>>9. Association between client and AP (client registered on network by
>>AP using client's MAC address).
>
> Minor nitpick. The "association" occurs before 802.1x authentication
> (between steps 1 & 2). You have to associate before you can send frames
> to the AP. Also the 802.11 authentication phase precedes the 802.11
> association phase. In the case of 802.1x, 802.11 authentication will
> be "open system."
>
> Also in step 7, the RADIUS server assigns a key to the AP and client
> to use for encrypting normal data sent to the network via the AP.
>
>>10. Client broadcasts DHCP, DHCP server responds and client obtains a
>>lease.
>>
>>11. Client is on network.
>>
>>So even if some yahoo gets the keys, it won't matter because they
>>still need a user name and password to be authenticated by IAS. What
>>they could use the keys for is to decrypt other's messages, but then
>>that won't work either for a variety of reasons, including the fact
>>that all PEAP communications are secured by the TLS channel and
>>encryption keys auto-generated by IAS.
>>
>>In addition, the TLS master secret created by the IAS server and
>>client is not shared with the access point. Because of this, the
>>access point (or someone monitoring it) cannot decrypt the messages
>>protected by PEAP.
>
>
> --Bernie
>
Yep, that's correct -- thanks Bernie!
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
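The AP-to-IAS leg of steps 4 and 7 above (Access-Request out, Access-Accept back), as an added example that is not from this thread nor from Cisco or Microsoft code: RADIUS packet framing per RFC 2865 with the Message-Authenticator of RFC 3579, which binds both directions to the shared secret configured between the AP and the IAS server. That RADIUS secret is assumed here as a standard part of the setup and is distinct from any wireless key; the secret value, user name and EAP bytes are constructed.

```python
# Added example: RADIUS framing for steps 4 and 7 (RFC 2865 / RFC 3579).
# All secrets, names and EAP bytes below are constructed sample values.
import hashlib
import hmac
import os
import struct

USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MSG_AUTH = 1, 61, 79, 80  # attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                              # packet codes
WIRELESS_80211 = 19                                               # NAS-Port-Type value

def attr(t, value):
    """Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", t, len(value) + 2) + value

def _frame(code, ident, authenticator, attrs, secret):
    """Header + attributes + Message-Authenticator: HMAC-MD5 keyed by the
    AP<->IAS shared secret over the packet with that attribute zero-filled."""
    body = b"".join(attrs) + attr(MSG_AUTH, bytes(16))
    hdr = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, hdr + body, hashlib.md5).digest()
    return hdr + body[:-16] + mac

def access_request(ident, user, eap_payload, secret):
    """AP -> IAS. The EAP payload carries the TLS-protected PEAP exchange;
    the AP relays it opaquely (it holds the RADIUS secret, not TLS keys)."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = [attr(USER_NAME, user),
             attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
             attr(EAP_MESSAGE, eap_payload)]
    return _frame(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth

def access_accept(ident, req_auth, eap_payload, secret):
    """IAS -> AP. Message-Authenticator uses the Request Authenticator in the
    header; then Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    pkt = _frame(ACCESS_ACCEPT, ident, req_auth, [attr(EAP_MESSAGE, eap_payload)], secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]

def verify_response(pkt, req_auth, secret):
    """AP-side check before opening the 802.1X port: both authenticators hold."""
    expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expect):
        return False
    attrs = pkt[20:]
    if len(attrs) < 18 or attrs[-18] != MSG_AUTH or attrs[-17] != 18:
        return False  # this encoder always places Message-Authenticator last
    mac = hmac.new(secret, pkt[:4] + req_auth + attrs[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(attrs[-16:], mac)
```

A real Access-Accept for PEAP also carries the per-session keys Bernie mentions in step 7 as vendor-specific attributes; they are omitted here, the point being that an AP which skips these checks would open its port on a forged or replayed reply.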