Deploying Secure 802.11 Wireless Networks with Microsoft Windows - page 50

Summary

Before you deploy your wireless APs, consider your wireless AP requirements; the channel separation; the presence of signal propagation modifiers and sources of interference; and the number of wireless APs needed to meet your wireless coverage, bandwidth, and redundancy requirements.

To deploy your wireless APs, estimate wireless AP locations using building plans and knowledge of signal propagation modifiers and interference sources. Install your wireless APs in their temporary locations and perform a site survey, noting the areas with inadequate coverage. Change the locations of your wireless APs, signal propagation modifiers, or sources of interference and verify coverage by performing an additional site survey. After your final wireless AP locations are determined, update your building plans with their locations and note remaining areas of decreased bandwidth or signal strength.

Chapter 8

Intranet Wireless Deployment Using EAP-TLS

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is used for certificate-based wireless authentication when a public key infrastructure (PKI) is available to issue computer and user certificates to all the wireless clients. This chapter describes the steps needed to deploy secure wireless using EAP-TLS authentication.

Required Components

The following components are required for an intranet wireless deployment using EAP-TLS:

  • Wireless client computers running Windows.

    Wireless client computers must be running Microsoft Windows XP, Windows Server 2003, or Windows 2000 with Microsoft 802.1X Authentication Client.

  • At least two Internet Authentication Service (IAS) servers.

    At least two IAS servers (one primary and one secondary) are recommended to provide fault tolerance for Remote Authentication Dial-In User Service (RADIUS)–based authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access clients cannot connect. By using two IAS servers and configuring all wireless access points (APs) to use both the primary and secondary IAS servers, the wireless APs can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.

    You can use either Windows Server 2003 or Windows 2000 Server IAS. IAS servers running Windows 2000 must have Service Pack 3 (SP3) or later installed. (IAS is not included with Windows Server 2003, Web Edition.)

  • Active Directory directory service domains.

    Active Directory domains contain the user accounts, computer accounts, and dial-in properties that each IAS server requires to authenticate credentials and evaluate authorization. Although not a requirement, IAS should be installed on Active Directory domain controllers to optimize IAS authentication and authorization response times and to minimize network traffic.

    You can use either Windows Server 2003 or Windows 2000 Server domain controllers. Windows 2000 domain controllers must have SP3 or later installed.

  • Computer certificates installed on the IAS servers.

    To authenticate the IAS server to the wireless client during EAP-TLS authentication, a computer certificate must be installed on the IAS server computers.

  • Computer and user certificates installed on the wireless clients.

    To authenticate the wireless client computer or user during EAP-TLS authentication, a computer or user certificate must be installed on the wireless client computers.

  • Wireless remote access policy.

    A remote access policy is configured for wireless connections so that wireless users and their computers can access the organization’s intranet.

  • Multiple wireless APs.

    Multiple third-party wireless APs provide wireless access in different coverage areas of an organization. The wireless APs must support IEEE 802.1X, Wired Equivalent Privacy (WEP), RADIUS, and, optionally, Wi-Fi Protected Access (WPA).
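The primary/secondary IAS requirement and the RADIUS dependency of the wireless APs are easier to reason about with a concrete model of what crosses the wire. The following Python script is an added example written for this page; it is not code from the book, from IAS, or from any AP vendor. It encodes a RADIUS Access-Request the way an 802.1X-capable AP would (RFC 2865 header and attributes, NAS-Port-Type 19 for IEEE 802.11, the EAP-Message attribute, and the RFC 3579 Message-Authenticator that is mandatory whenever EAP-Message is present), verifies that HMAC on the server side, and models an AP that fails over from an unresponsive primary server to the secondary. The shared secret, the user name, the `dead_primary` and `live_secondary` stand-ins, and the sample EAP-Response/Identity are all constructed for the example; real servers would be reached over UDP port 1812.

```python
"""RADIUS Access-Request encoding plus primary/secondary failover (added example,
not from the book or from IAS). Transport is replaced by injected functions so
the script runs offline."""
import hashlib
import hmac
import os
import struct

# RFC 2865 / RFC 3579 constants (standard values).
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19  # "Wireless - IEEE 802.11"

SECRET = b"constructed-shared-secret"  # constructed value, not a real deployment secret


def encode_attr(attr_type, value):
    """RFC 2865 attribute TLV: Type(1) Length(1) Value, Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Parse the attribute list that follows the 20-byte RADIUS header."""
    attrs = []
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def build_access_request(identifier, shared_secret, user_name, eap_message, authenticator=None):
    """Build the Access-Request a wireless AP sends to its RADIUS server.
    Message-Authenticator is HMAC-MD5(secret, whole packet with that attribute's
    16-byte value zeroed); it lets the server detect a forged or altered request."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = (
        encode_attr(ATTR_USER_NAME, user_name.encode())
        + encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
        + encode_attr(ATTR_EAP_MESSAGE, eap_message)
        + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(shared_secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # placeholder is the last 16 bytes of attrs


def verify_message_authenticator(packet, shared_secret):
    """Server-side check: recompute the HMAC with the received value zeroed out."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False  # absent Message-Authenticator on an EAP request is a failure


class RadiusTimeout(Exception):
    pass


def send_with_failover(packet, servers, timeout_s=3.0):
    """servers: ordered (name, send_fn) pairs, primary first. send_fn(packet, timeout)
    returns the reply bytes or raises RadiusTimeout. The first server that answers
    wins, which is the behaviour the AP relies on when the primary IAS is down."""
    attempts = []
    for name, send_fn in servers:
        try:
            reply = send_fn(packet, timeout_s)
            attempts.append((name, "ok"))
            return name, reply, attempts
        except RadiusTimeout:
            attempts.append((name, "timeout"))
    raise RadiusTimeout("all RADIUS servers unreachable: %r" % attempts)


def dead_primary(packet, timeout_s):
    """Constructed stand-in for an unreachable primary IAS server."""
    raise RadiusTimeout("no reply within %.1fs" % timeout_s)


def live_secondary(packet, timeout_s):
    """Constructed stand-in for the secondary IAS server: validates the request and
    answers with a minimal Access-Challenge (the start of the EAP-TLS exchange)."""
    if not verify_message_authenticator(packet, SECRET):
        raise ValueError("bad Message-Authenticator; a real server silently discards")
    attrs = dict(decode_attrs(packet[20:]))
    if ATTR_EAP_MESSAGE not in attrs:
        raise ValueError("no EAP-Message; not an 802.1X request")
    return struct.pack("!BBH", ACCESS_CHALLENGE, packet[1], 20) + bytes(16)


def demo():
    # Constructed EAP-Response/Identity: code 2, id 1, length 10, type 1, identity "alice".
    eap_identity = struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice"
    packet = build_access_request(7, SECRET, "alice", eap_identity)
    return send_with_failover(packet, [("primary", dead_primary), ("secondary", live_secondary)])


if __name__ == "__main__":
    name, reply, attempts = demo()
    print("answered by", name, "after", attempts, "reply code", reply[0])
```

The failover path is where the "at least two IAS servers" advice becomes visible: with only `dead_primary` configured, `send_with_failover` raises and the client never gets past the EAP identity exchange, which is exactly the outage the text warns about. The Message-Authenticator check is also why the AP and each IAS server must share the same RADIUS secret; a mismatch looks identical to a forged request and is discarded.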

Figure 8-1 shows the components of EAP-TLS authentication.

CAUTION
If you use EAP-TLS authentication, do not also use Protected EAP-TLS (PEAP-TLS) for wireless connections. Allowing both protected and unprotected authentication traffic for the same type of network connection renders the protected authentication traffic susceptible to spoofing attacks.


Figure 8-1. The components of EAP-TLS authentication.