Creating a secure 802.1x wireless infrastructure using Microsoft Windows

My name is Prachand and I am an SE on the Platforms Networking Team. I intend this post to be a quick reference guide for setting up secure wireless networking using Microsoft products. It describes how to create an infrastructure for authentication, authorization, and accounting for wireless connections using the Microsoft RADIUS server (IAS/NPS) and Windows clients. Before going into the details of how to create the protected 802.1x network, let’s take a minute to understand the components of 802.1x.

IEEE 802.1X is an IEEE Standard for port-based Network Access Control. It provides authenticated network access to wired Ethernet networks and wireless 802.11 networks. It offers the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity. It enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.

802.1X defines the following components:

  • Supplicant – Software on the wireless client (station) that requests network access and answers the authentication server’s challenges.
  • Authenticator – Wireless Access Point
  • Authentication Server – RADIUS Server (NPS/IAS)
  • Logical Port – Logical endpoint between the station and the WAP

802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:

  • EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials.
  • EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method.
  • EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication.
  • PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.

When selecting the authentication mechanism, you need to balance the level of security required against the effort required for deployment. For the highest level of security, choose PEAP with certificates (EAP-TLS). For the greatest ease of deployment, choose PEAP with passwords (EAP-MS-CHAP v2).

Now let’s move on to the main topic. In order to create an infrastructure for authentication, authorization, and accounting for protected wireless connections for an organization using Windows wireless clients, the following steps need to be completed:

  1. Configure the certificate infrastructure.
  2. Configure Active Directory for accounts and groups.
  3. Configure the wireless Access Point.
  4. Configure the NPS server on a computer.
  5. Configure Wireless Network (IEEE 802.11) Policies Group Policy settings.
  6. Configure wireless clients for EAP-TLS or PEAP-TLS.

Step 1: Configuring the Certificate Infrastructure

Let’s first understand the certificate requirements for the different types of protected wireless authentication.

Authentication Type | Certificates on Wireless Client | Certificates on NPS Server
--- | --- | ---
EAP-TLS or PEAP-TLS | Computer certificates; user certificates; root CA certificates for the issuers of the NPS server computer certificates | Computer certificates; root CA certificates for the issuers of the wireless client computer and user certificates
PEAP-MS-CHAP v2 | Root CA certificates for the issuers of the NPS server computer certificates | Computer certificates

Regardless of which authentication method is used for wireless connections, computer certificates must be installed on the NPS servers.

For PEAP-MS-CHAP v2, there is no need to deploy a certificate infrastructure to issue computer and user certificates for each wireless client computer. Instead, you can obtain individual certificates for each NPS server from a commercial CA and install them on the NPS servers.

For computer authentication with EAP-TLS or PEAP-TLS, a computer certificate, also known as a machine certificate, must be installed on each wireless client computer. For user authentication with EAP-TLS or PEAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

To create the certificate infrastructure, follow these steps:

· Install a Certificate Infrastructure

· Install Computer Certificates

· Install User Certificates

Step 2: Configuring Active Directory for Accounts and Groups

Once the certificate infrastructure is ready, you need to configure AD accounts and groups. To configure Active Directory user and computer accounts and groups for wireless access, do the following:

· Create a USER account for all users who will make wireless connections.

· Create a COMPUTER account for all computers that will use wireless connections.

· Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote Access Policy).

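The account and group work in Step 2 can be scripted instead of clicked through. The following is an added PowerShell example, not part of the original post; the group names (Wireless-Users, Wireless-Computers), the OU path, and the sample user and computer (jdoe, LAPTOP01) are assumptions for illustration. It sets the remote access permission via the msNPAllowDialin attribute, which is the attribute behind the Dial-in tab shown in the post.

```powershell
# Added example (not from the original post): create the AD security groups used
# for wireless access and set the remote access permission on member accounts.
# Group names, OU path, user and computer names are assumptions.
Import-Module ActiveDirectory

$usersGroup     = 'Wireless-Users'
$computersGroup = 'Wireless-Computers'
$groupOU        = 'OU=Groups,DC=corp,DC=example'   # assumed OU

# Create the groups only if they do not already exist.
foreach ($name in $usersGroup, $computersGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}

# Accounts that should get wireless access (assumed sample identities).
Add-ADGroupMember -Identity $usersGroup     -Members 'jdoe'
Add-ADGroupMember -Identity $computersGroup -Members 'LAPTOP01$'

# The Dial-in tab's "Network Access Permission" is stored in msNPAllowDialin:
#   $true   -> Allow access
#   $false  -> Deny access
#   cleared -> Control access through Remote Access Policy (NPS Network Policy);
#              this lets the NPS policy, not the individual account, decide,
#              so group membership alone governs who may connect.
Set-ADUser     -Identity 'jdoe'     -Clear msNPAllowDialin
Set-ADComputer -Identity 'LAPTOP01' -Clear msNPAllowDialin

# Verification: report the effective setting for every member of the users group.
Get-ADGroupMember -Identity $usersGroup |
    Get-ADUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, @{
        Name       = 'NetworkAccessPermission'
        Expression = {
            if ($null -eq $_.msNPAllowDialin) { 'Control via policy' }
            elseif ($_.msNPAllowDialin)       { 'Allow' }
            else                              { 'Deny' }
        }
    }
```

Clearing the attribute (rather than setting it to Allow) keeps the decision in one place, the NPS network policy, so removing an account from the group is enough to revoke wireless access.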

Step 3: Configuring the Wireless Access Point

The next step is to deploy the wireless access point. The AP needs to be configured to support WPA, WPA2, or WEP encryption with 802.1X authentication. Additionally, configure the RADIUS settings on your wireless APs or switches with the following:

· The IP address or name of the RADIUS server

· The RADIUS shared secret

· UDP ports for authentication and accounting, and failure detection settings.

If the wireless APs require vendor specific attributes (VSAs) or additional RADIUS attributes, you must add the VSAs or attributes to the remote access policies of the IAS/NPS servers.

Step 4: Configuring the NPS Server

Now the RADIUS Server needs to be configured. The steps needed are:

· Install the NPS server role on the server.

· Install the Certificate on the NPS.

· Add the access point as a RADIUS Client.

· Create the connection request policies and network policies required.

· The NPS server requires a certificate. You can use the RAS and IAS certificate template as the basis for a new template for NPS servers. The link below discusses configuring this template and enabling it for autoenrollment:

NPS Server Certificate: Configure the Template and Autoenrollment

Follow the blog post below to install and configure NPS:

http://blogs.technet.com/b/rrasblog/archive/2009/03/25/remote-access-deployment-part-3-configuring-radius-server-for-remote-access.aspx
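The NPS-side half of Steps 3 and 4 (server certificate check, RADIUS client entry with its shared secret, and the UDP ports the AP must match) can be done from PowerShell on Windows Server 2012 or later, where the NPS module exists. The following is an added example, not code from the original post or the linked blog; the server name nps01.corp.example, the AP name and address, and the backup path are assumptions, and the connection request and network policies are still created in the NPS console as the post describes.

```powershell
# Added example (not from the original post): NPS server preparation on
# Windows Server 2012+. Server FQDN, AP name/address and paths are assumptions.
Install-WindowsFeature NPAS -IncludeManagementTools

# Register NPS in AD so it may read account dial-in properties (RAS and IAS Servers group).
netsh ras add registeredserver

# 1. Server certificate: NPS needs a certificate in LocalMachine\My with a private
#    key and the Server Authentication EKU (1.3.6.1.5.5.7.3.1). Clients that use
#    "Connect to these servers" compare this subject name, so it must be the FQDN.
$npsFqdn = 'nps01.corp.example'                                   # assumed
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.Subject -like "CN=$npsFqdn*" -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate with a private key for $npsFqdn" }
# Chain, name and EKU validation as a client would perform it.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $npsFqdn -EKU '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($cert.Thumbprint) does not validate for $npsFqdn"
}

# 2. RADIUS client: one entry per access point. Generate the shared secret rather
#    than inventing one; the same value is entered in the AP's RADIUS settings.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)   # 44 chars; shorten only if the AP limits length

New-NpsRadiusClient -Name 'AP-Floor1' -Address '10.0.50.10' -SharedSecret $sharedSecret `
    -AuthAttributeRequired $true -VendorName 'RADIUS Standard'
# -AuthAttributeRequired makes NPS reject requests lacking a valid Message-Authenticator,
# which ties each packet to the shared secret instead of only the client address.
# NPS listens on UDP 1812 (authentication) and 1813 (accounting) by default; the
# AP's port settings from Step 3 must match, and the host firewall should admit
# those ports from the AP addresses only.

# 3. Confirm the entry and keep a configuration backup. The exported XML contains
#    the shared secrets in clear text, so store it where only administrators can read it.
Get-NpsRadiusClient | Select-Object Name, Address, AuthAttributeRequired
New-Item -ItemType Directory -Force -Path 'C:\Backup' | Out-Null
Export-NpsConfiguration -Path 'C:\Backup\nps-config.xml'
```

The shared secret is shown once in `$sharedSecret` for entry on the AP; it is not written anywhere else by this script except the protected backup file.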

Step 5: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings

To configure Wireless Network Policies Group Policy settings, do the following:

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, double-click Active Directory Users and Computers, right-click the domain container that contains your wireless computer accounts, and then click Properties.

3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy), and then click Edit.

4. In the console tree, open Computer Configuration, then Windows Settings, then Security Settings, then Wireless Network (IEEE 802.11) Policies.


5. Right-click Wireless Network (IEEE 802.11) Policies and then click Create Wireless Network Policy. In the Wireless Network Policy Wizard, type a name and description.

6. In the details pane, double-click your newly created wireless network policy.

7. Change settings on the General tab as needed.


8.  Click Add to add a preferred network.

9. On the Network Properties tab, type the wireless network name (SSID) and change wireless network key settings as needed.


10. Click the IEEE 802.1x tab. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. Click OK twice to save changes.


Step 6: Configuring Wireless Clients Authentication

If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. If the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain requests a computer certificate when Computer Configuration Group Policy is refreshed. To force a refresh of Computer Configuration Group Policy for a computer running Windows 7, Windows XP, or Windows Server 2003, restart the computer or type gpupdate /target:computer at a command prompt.

For user authentication with EAP-TLS, a locally installed user certificate or a smart card must be used. The locally installed user certificate must be obtained through autoenrollment, Web enrollment, by requesting the certificate using the Certificates snap-in, by importing a certificate file, or by running a CAPICOM program or script.

If you have configured autoenrollment of user certificates, then the wireless user must update their User Configuration Group Policy to obtain a user certificate. If you are not using autoenrollment for user certificates, use one of the following procedures to obtain a user certificate:

If you have configured the Wireless Network (IEEE 802.11) Policies Group Policy extension and specified the authentication type for the wireless network, no other client configuration is needed.

If you are not using a GPO, you can manually configure authentication on a wireless client running Windows 7 using the following steps:

1. From the Network and Sharing Center, click the Manage wireless networks task. In the Manage Wireless Networks window, double-click your wireless network name.

2. Click the Security tab. In Security type, select 802.1x, WPA-Enterprise, or WPA2-Enterprise. In Choose a network authentication method, select the EAP method from the drop-down list, and then click Settings.


3. If using EAP-TLS or PEAP-TLS, in the Smart Card or other Certificate Properties dialog box, select Use a certificate on this computer to use a registry-based user certificate, or Use my smart card for a smart card-based user certificate.

If you want to validate the computer certificate of the NPS server, select Validate server certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect to these servers and type the names.


4. Click OK twice.
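Once a client is configured as in Step 6, the certificate prerequisites and the resulting profile can be verified and the profile reused on other machines. The following is an added PowerShell example, not part of the original post; the SSID CorpWiFi and the NPS server name nps01.corp.example are assumptions, and the exported profile file name assumes a wireless interface named "Wi-Fi" (Windows 7 names it "Wireless Network Connection" instead).

```powershell
# Added example (not from the original post): client-side checks for Step 6 on a
# domain-joined Windows client. SSID, NPS name and interface name are assumptions.
$ssid    = 'CorpWiFi'
$npsFqdn = 'nps01.corp.example'

# 1. Refresh computer Group Policy (as in the post) and pulse autoenrollment so the
#    computer certificate is requested now rather than at the next enrollment cycle.
gpupdate /target:computer /force
certutil -pulse

# 2. EAP-TLS/PEAP-TLS computer authentication needs a machine certificate with a
#    private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') }
if (-not $clientCert) {
    Write-Warning 'No client-authentication computer certificate found; autoenrollment has not completed'
} else {
    $clientCert | Select-Object Subject, NotAfter, Thumbprint
}

# 3. "Validate server certificate" only succeeds if the root CA that issued the NPS
#    certificate is in the client's Trusted Root store. List the roots to confirm
#    the expected issuer (and only the expected issuer) is present.
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter, Thumbprint

# 4. Capture the finished profile from this client. The XML holds the Security tab
#    choices, including the EAP type, the server-name list ($npsFqdn) and whether
#    the server certificate is validated, so it can be pushed to other clients.
netsh wlan export profile name="$ssid" folder="$env:TEMP"
$profileXml = Join-Path $env:TEMP "Wi-Fi-$ssid.xml"   # assumed interface name "Wi-Fi"
Select-String -Path $profileXml -Pattern 'ServerNames|ServerValidation|EapType' | ForEach-Object Line

# On another client, import the same profile for all users:
netsh wlan add profile filename="$profileXml" user=all

# 5. Review the effective 802.1X settings and confirm the interface is authenticated.
netsh wlan show profile name="$ssid"
netsh wlan show interfaces
```

Steps 2 and 3 are the two checks that explain most failed 802.1X connections: a missing client certificate (for EAP-TLS) or a missing root CA on the client, which makes Validate server certificate fail silently from the user's point of view.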

To summarize, for EAP-TLS or PEAP-TLS, you need a certificate infrastructure to issue computer certificates to your NPS servers and both computer and user certificates to your wireless client computers. For PEAP-MS-CHAP v2, you only need to install computer certificates on the NPS servers, provided that the appropriate root CA certificates are already installed on the wireless clients. You will need to manage Active Directory users and groups for wireless access, configure NPS servers as RADIUS servers for the wireless APs, and configure the wireless APs as RADIUS clients of the IAS/NPS servers.

– Prachand Kumar