Planning to Deploy a WPA Network
If you haven't yet installed a wireless network, life is a little simpler. You don't have to worry about
Consider isolating and canalizing your wireless equipment. You must also evaluate the equipment you'll be purchasing from the vendor. For instance, if IEEE 802.11i RSN (based on AES) isn't out yet, can you upgrade the equipment you purchase later? Is the upgrade via software or hardware? (Most likely, it will be a hardware upgrade.) Also, look very carefully at proprietary vendor solutions. Ask to see the details of the proprietary solution, and who has evaluated it besides the vendor. If the vendor won't share the details with you or can't answer the question, think
If you have a medium to large deployment, install an authentication server infrastructure to centralize
Deploying the Infrastructure
A significant amount of infrastructure is required to support WPA when you are not using preshared keys. The effort required to set up the infrastructure is,
As with everything in security, the
Add a RADIUS Server for IEEE 802.1X Support
The central arbiter for all access and authentication decisions in WPA is the organization's RADIUS server. It's likely that this is exactly how your Internet service provider (ISP) makes access decisions when you dial up the service. You can obtain a RADIUS server in many ways. For example, the software package Microsoft Windows 2000 Server includes a RADIUS server, and several
Managing a RADIUS server is an extremely important task because the server makes all of the security-relevant decisions. As a result, improper configuration can lead to breaches in your security. Fortunately, an
Use a Public Key Infrastructure for Client Certificates
To use WPA to its fullest, you need to use EAP/TLS as an authentication mechanism, and this requires using public key certificates based on the X.509 standard. Issuing and managing these certificates requires that a public key infrastructure (PKI) be established within your organization, if it hasn't been already.
Setting up a PKI has been the subject of several books, and we can't cover all of the
Install Client IEEE 802.1X Supplicant Software
To gain the full benefit of WPA, you need to upgrade your
To install the software, you have to review the documentation for the clients you use, and you have to generate and add public key certificates to each client. This is mandatory to support the EAP/TLS protocol.
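The certificate step described above, as an added example that is not part of the original text: a throwaway CA issues one client certificate with OpenSSL and confirms it is acceptable for TLS client authentication, while a server-only certificate is rejected. The file names, subject names and the clientAuth extended key usage are assumptions (many RADIUS servers expect that usage for EAP/TLS, so check your server's documentation), and a production PKI would not keep its CA key unencrypted on disk as this demonstration does.

```shell
#!/bin/sh
# Added example: a throwaway CA issuing an EAP/TLS client certificate.
# All names (CNs, file names, config section names) are constructed.

write_config() {  # $1 = working directory
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
make_ca() {  # $1 = working directory; creates ca.key and ca.crt there
    write_config "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/pki.cnf" -extensions ca_ext -subj "/CN=Constructed WLAN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
issue_cert() {  # $1 = directory, $2 = subject name, $3 = extension section
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 30 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/pki.cnf" -extensions "$3" \
        -out "$1/$2.crt" 2>/dev/null
}
usable_as_client() {  # $1 = directory, $2 = name; status 0 if chain and purpose pass
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}
demo() {
    d=$(mktemp -d) && make_ca "$d" && issue_cert "$d" laptop01 client &&
        issue_cert "$d" radius01 server || return 1
    usable_as_client "$d" laptop01 && echo "laptop01: accepted for client auth"
    usable_as_client "$d" radius01 || echo "radius01: rejected for client auth"
    rm -rf "$d"
}
demo
```

Each client still needs its own key pair and certificate installed in the supplicant, along with the CA certificate so it can validate the RADIUS server.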