Wireless Networking in Windows 2003

In Part 2 of my Introduction to Wireless Networking series I briefly touched on the subject of IAS in Windows 2003. Here we will look at the Internet Authentication Service in a bit more detail and also see what Windows 2003, and SP1, have to offer when it comes to Wireless Networking. I’ll also show you how to setup 802.1X based security in Windows 2003.

Service Pack 1

Enhancements for Wireless Networking

The enhancements that SP1 provide for Wireless LANS are of great benefit to enterprise wide networks. Without SP1 on Windows Server 2003, the WPA security method isn’t supported and therefore cannot be implemented – which is no longer an issue with Service Pack 1. Apart from addressing the weaknesses that the original Windows Server 2003 has, SP1 makes it easier to deploy secure large scale wireless LANS. Additionally, administrators are now able to give the users of wireless clients – with Windows XP SP2 – a choice of pre-approved digital certificates and signing authorities. This means they would only be allowed to install certificates for the network that the administrator has previously acknowledged, making them less prone to man in the middle attacks.

Centralized Management

The Active Directory Group Policy console allows for centralized management of the Wireless Zero Configuration client which makes it easier and faster to connect wireless client to a secure network. WPA TKIP and AES encryption settings can now be configured and any wireless client with Windows XP Service Pack 2, or Service Pack 1 and the WPA patch, can be centrally configured to use the more secure WPA TKIP or AES methods to connect to the wireless LAN.

Wireless Setup Wizard

As did Windows XP SP2, Windows 2003 SP1 comes with a Wireless Network Wizard that will help you to configure secure wireless networks. Configuration settings can be stored on removable media (such as a USB pen drive) and then copied over to other machines.

PEAP Authentication Scheme

The LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS (Transport Layer Security) authentication scheme introduced by Cisco in later versions of their firmware belonging to the Aironet access point product range. This protocol lacks point to point protection which leaves it open to dictionary attacks at the credentials authentication stage. With the inauguration of PEAP (Protected Extensible Authentication Protocol) authentication in the IAS (Internet Authentication Service) component of Windows Server 2003, these weaknesses are addressed. Furthermore, a server-side digital certificate is able to support many clients single handedly – without the use of an installed certificate on the client-side.

(more…)

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

PEAP with IAS is a great way to setup wireless networks that require:

a)Their security to be top notch.
b)Lot’s of Access Points (greater than 10 or so).
c)Minimal administrative maintenance overhead.

It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.

The whole IAS management of your AP’s as Radius Clients makes it very simple to make changes to your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most WPA setups). You don’t need to worry about keeping WPA keys up to date as the encryption keys are generated dynamically each time a client connects.

Below I have detailed the steps that I take when setting on of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks) but most of the steps are fairly self explanatory.

Install IAS from the Add/ Remove Windows Components area in the control panel.

Install Certificate Services from the Windows Components area in the control panel.

When prompted you want to install an “Enterprise Root CA”.

Load up the “Certificates” plugin for mmc and then submit a request for a new domain controller certificate.

Create a group in Active Directory called “WirelessUsers”.

Inside the administrative tools section load up the IAS plugin and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard which is reasonably intuitive and when prompted for access restrictions you want to allow only computers and users that are a member of the “Wireless Users” group you created previously. Also make sure when prompted for the authentication method that you select EAP/PEAP.

Then right click on the policy you just created and goto “Properties”. Then click on the “Edit Profile” button and make the following changes:

1.Encryption tab: Make sure “No Encryption” is not ticked.
2.Authentication tab: Tick MSCHAP-V2.
3.Advanced tab: Add Ignore_User_Dial_In_Properties = true and also Terminate-Action = Radius-Request.

(more…)