Re: Basic WEP/RADIUS/802.11 (Cisco/MS) question
From: James McIllece [MS] (jamesmci_at_online.microsoft.com)
Date: 08/24/04
Date: Tue, 24 Aug 2004 13:37:12 -0700
"Jolly Student" <jolly@joy.com> wrote in
news:bQBNc.31599$ps5.10404207@news4.srv.hcvlny.cv.net:
> Dear Colleagues:
>
> Okay, we were all new at one time or another to this. I figured I was
> pretty safe with my wireless home network, restricted mac address
> access and a 128bit Key that I changed every couple of weeks. . .
> easy enough.
>
> I read up on the vulnerabilities and hey, lo and behold, my neighbors
> have a bunch of unsecured wireless access points in their homes. . .
>
> Now, about my question (sorry, it's been a long day).
>
> At work I have fifteen Cisco 1200 aironet series wireless access
> points. There are about 60 laptops that I would like to secure. I
> know that I could set up a Wep key in the Waps and set them up
> similarly in the laptops, but I am interested in this whole Radius
> thing. Here is the problem, my boss thinks that a Radius server has
> to do with the circumference of a circle and since they always know
> more than me, they don't think that security is a concern. . . of no
> consequence here.
>
> So here are my stupid newbie questions.
>
> I see that I can pull a Radius server out of the Microsoft Windows
> 2000 server install process, so I guess you could say that you could
> point the Waps to the radius server. I also know that a certificate
> server is involved, which I know I can set up with a Win2k Server box.
> But my general question is how to set such a wireless authentication
> up and how it works. In short, hyperlinks to guides, dummies books,
> bad jokes, etc., would be appreciated.
>
> My desired goal is to set up these fifteen or so wireless access
> points using a Radius server and to be able to use Active Directory
> and Windows XP Pro to the benefit of our network. We run nothing but
> XP Pro and Windows 2k Advanced server. . . well, there is the
> occasional mac and Linux box, but that's a different story.
>
> Help is appreciated, links to jokes are as well.
>
> Regards,
>
> Roger
>
>
Hi Roger --
Sorry, I don't have any links to jokes -- but The Onion is usually pretty
funny if you check that out. :-)
Hopefully I can clarify a couple of things for you...
-- RADIUS is a protocol that is used between RADIUS servers (such as W2K
Server Internet Authentication Service, or IAS) and RADIUS clients -- which
are network access servers, not client computers. So in your situation, the
Cisco 1200 APs would be the RADIUS clients. In other situations, RADIUS
clients can be 802.1X authenticating switches, VPN servers, or dial-up
servers. If you deploy IAS in your organization, you will configure each AP
as a RADIUS client in the IAS console. At both the IAS server and the APs,
you configure a shared secret that the client and server use to encrypt
communications and verify each other's identities.
-- Even if you use RADIUS, you should configure WEP or WPA. The WEP or WPA
key is used between the client computers running XP and the APs, and they
are used to encrypt traffic between the two. WEP and WPA don't have
anything to do with RADIUS, but are part of the IEEE 802.11 standards.
-- In IAS, you create remote access policies (RAP) that determine who can
access the network. In RAP, you choose and configure authentication methods
that the clients can/must use. For secure wireless connections, you will
want to deploy PEAP-MS-CHAP v2.
PEAP-MS-CHAP v2 requires NO certificates deployed on the clients if you use
a third party CA for your server certificate that your clients already
trust. If you open the Certificates snap-in on a Windows XP machine, then
browse to the Local Computer/Trusted Root Certification Authorities store,
you will see tons of third party CA certificates already installed. Because
the certs are in this store, the client trusts the CA that issued the
certs.
Thus if you purchase a server certificate from one of the companies that
already has a trusted root CA cert in this store on clients, the clients
will trust your IAS server.
What this all means is that you do not need to deploy Certificate Services
and your own CA in order to deploy secure wireless.
For more info on how to purchase and install a server cert, see "Obtaining
and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2
Wireless Authentication" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en
For more information on PEAP (Protected Extensible Authentication
Protocol), see "The Advantages of Protected Extensible Authentication
Protocol (PEAP): A Standard Approach to User Authentication for IEEE 802.11
Wireless Network Access"
http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
-- James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
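The reply above describes the RADIUS shared secret as something the AP (RADIUS client) and the IAS server use both to hide credentials and to verify each other. The following Python script, added here as an illustration and not part of the original post or of any Microsoft or Cisco code, shows the RFC 2865 mechanics behind that statement: the User-Password attribute is hidden with MD5(secret + Request Authenticator) keystream blocks, and the server's reply carries a Response Authenticator, MD5 over the reply header, the original Request Authenticator, the reply attributes and the secret, which the AP recomputes before trusting the Access-Accept or Access-Reject. The shared secrets, the user table and the in-process "AP" and "server" are constructed for the example; it models a plain PAP-style Access-Request rather than the PEAP-MS-CHAP v2 EAP exchange the reply recommends, because the shared-secret handling is the same in both cases and PAP keeps the packet layout readable.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs (length counts the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Walk the attribute area of a packet and return (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(packet, request_auth, secret):
    """What the AP does before acting on a reply: recompute the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def server_handle(request, secret, users):
    """Constructed stand-in for the IAS server: reveal the password, check it, reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(user) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)


def ap_to_server_exchange(username, password, ap_secret, server_secret, users,
                          ident=1, request_auth=None):
    """One Access-Request round trip in-process. Returns the reply code the AP
    accepts as genuine, or None when the Response Authenticator does not verify
    (which is what a mismatched shared secret looks like from the AP side)."""
    request_auth = request_auth or os.urandom(16)  # 16 random bytes per RFC 2865
    request = build_request(ident, request_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, ap_secret, request_auth)),
    ])
    response = server_handle(request, server_secret, users)
    if not verify_response(response, request_auth, ap_secret):
        return None
    return response[0]


if __name__ == "__main__":
    users = {b"roger": b"s3cret"}  # constructed user table
    print(ap_to_server_exchange(b"roger", b"s3cret", b"shared", b"shared", users))  # 2
    print(ap_to_server_exchange(b"roger", b"s3cret", b"shared", b"other", users))   # None
```

The third call shows the failure mode of a typo'd shared secret: the server reveals garbage instead of the password and rejects, and the AP discards the reply anyway because the Response Authenticator was computed with a different secret. In a real deployment that combination shows up as "authentication failed" on the AP with nothing useful in the IAS log beyond the bad-secret event, so the shared secret on each AP entry in the IAS console is the first thing to check.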