Customers Who Participate in Microsoft's Premier Support

Microsoft provides the 802.1x Authentication Client for Windows 98 and Windows NT 4.0 Workstation to customers who participate in Microsoft's Premier Support.

Windows XP (with SP1 or later) is the preferred client in a WLAN environment. 802.1x and automatic wireless configuration, also known as Wireless Zero Configuration (WZC), are included in Windows XP. WZC is enabled when you select the Use Windows to Configure My Wireless Network Settings check box in the Wireless Network Connection Properties dialog box. WZC really comes into play when you have group policies configured on your Windows Server 2003 domain controllers. You've seen WZC in action when the "One or more wireless networks are available" message appears in the notification area of the desktop. If you don't have group policies configured, the following defaults will apply:
If the default settings don't conform to your wireless network, the user must manually configure each option to match the wireless AP and your Windows Server 2003 security settings.

Configuring Wi-Fi Protected Access (WPA)

Windows XP (post-SP1) clients can take advantage of a stronger encryption standard known as WPA. WPA is an interoperable interim standard developed by the Wi-Fi Alliance. WPA is a replacement for WEP, which has many known and published vulnerabilities. To take advantage of this new standard, you will need to make sure that all your WLAN components are compatible.

Required Updates

To implement WPA to protect your data, you'll need to verify or update the software/firmware at the following:
Authentication

WPA requires that 802.1x authentication be in place. This can be accomplished through the RADIUS (EAP-TLS) method, which is configured through the Windows Server 2003 Internet Authentication Server. In smaller organizations a preshared key can be used.

Key Management

WPA requires the rekeying of both unicast and global encryption keys. Temporal Key Integrity Protocol (TKIP) is used to change the unicast encryption key for every frame and also synchronizes the changes between the AP and the wireless client.

Temporal Key Integrity Protocol (TKIP)

TKIP is a replacement for WEP. It provides a new encryption algorithm that is stronger than WEP. TKIP uses the calculation facilities already present on existing wireless devices to perform the encryption operations. To be in compliance with the WPA standard, TKIP is required.

Michael

WPA uses a new data integrity method called Michael. WEP relies upon a 32-bit integrity check value (ICV) to provide data integrity assurance. This method can be captured and manipulated with cryptanalysis tools to update the ICV without the client knowing about it. Michael specifies an algorithm that calculates an 8-byte message integrity code (MIC) using facilities available on existing wireless devices. This MIC is located between the data portion of the 802.11 frame and the ICV. Both the MIC and the ICV are encrypted along with the data frame. Michael also implements a new frame counter to provide replay protection.

Advanced Encryption Standard (AES)

WPA calls for AES to encrypt the traffic between the AP and wireless clients. AES is optional as a replacement for your current WEP encryption, because manufacturers need to update their firmware and drivers, which might not be feasible in all cases.

Mixing WEP and WPA Wireless Clients

During the transition to a fully WPA-compliant environment it might be necessary to support pre-existing WEP clients. This is supported by the wireless AP after it has been upgraded.
The AP determines which encryption method is being requested by the client. The WEP clients won't take advantage of the dynamic global encryption keys because they cannot support them.
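The Key Management and Michael sections above describe three mechanisms that WEP lacks: a different encryption key for every frame, an 8-byte keyed MIC placed between the data and the 32-bit ICV (with all three encrypted), and a frame counter that rejects replays. The following Python model, added here as an illustration and not code from the original article or from Microsoft, shows how a receiver applies those checks and what each failure means. It deliberately does not reproduce the real algorithms: TKIP's per-packet key mixing is replaced by a hash of the temporal key, transmitter address and sequence counter, RC4's keystream by a hash-based keystream, and Michael by a truncated HMAC-SHA256. The keys and the AP address are constructed sample values. The names `per_frame_key`, `protect` and `Receiver` are this example's own.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample values for the demo; not real keys or addresses.
TEMPORAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MIC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
AP_ADDR = bytes.fromhex("02000000aa01")  # locally administered MAC, constructed


def per_frame_key(temporal_key: bytes, transmitter: bytes, tsc: int) -> bytes:
    """Distinct encryption key for every frame, derived from the long-lived
    temporal key, the transmitter address and the sequence counter (TSC).
    Hash-based simplification; TKIP's real two-phase key mixing is not reproduced."""
    return hashlib.sha256(temporal_key + transmitter + struct.pack(">Q", tsc)).digest()[:16]


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the RC4 keystream: SHA-256 of key || block counter."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", block)).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP-style 32-bit integrity check value: a plain CRC-32 computed with no
    key, so it detects transmission errors but authenticates nothing."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def mic(mic_key: bytes, transmitter: bytes, data: bytes) -> bytes:
    """8-byte keyed message integrity code. Michael's algorithm is not
    reproduced; truncated HMAC-SHA256 stands in to show the role of a keyed MIC."""
    return hmac.new(mic_key, transmitter + data, hashlib.sha256).digest()[:8]


def protect(data: bytes, tsc: int, temporal_key=TEMPORAL_KEY, mic_key=MIC_KEY):
    """Sender side: data || MIC || ICV, all encrypted under the per-frame key.
    The MIC sits between the data and the ICV, as in the WPA frame layout."""
    body = data + mic(mic_key, AP_ADDR, data)
    plaintext = body + icv(body)
    ks = keystream(per_frame_key(temporal_key, AP_ADDR, tsc), len(plaintext))
    return (tsc, xor_bytes(plaintext, ks))


class Receiver:
    """Receiver side: replay check first, then decrypt, then ICV, then MIC."""

    def __init__(self, temporal_key=TEMPORAL_KEY, mic_key=MIC_KEY):
        self.temporal_key = temporal_key
        self.mic_key = mic_key
        self.last_tsc = -1

    def receive(self, frame):
        tsc, ciphertext = frame
        if tsc <= self.last_tsc:
            return None, "replay"          # counter must strictly increase
        ks = keystream(per_frame_key(self.temporal_key, AP_ADDR, tsc), len(ciphertext))
        plaintext = xor_bytes(ciphertext, ks)
        body, frame_icv = plaintext[:-4], plaintext[-4:]
        if not hmac.compare_digest(icv(body), frame_icv):
            return None, "icv"             # corrupted frame or wrong temporal key
        data, frame_mic = body[:-8], body[-8:]
        if not hmac.compare_digest(mic(self.mic_key, AP_ADDR, data), frame_mic):
            return None, "mic"             # ICV fine, but MIC key out of sync or forgery
        self.last_tsc = tsc
        return data, "ok"


if __name__ == "__main__":
    rx = Receiver()
    print(rx.receive(protect(b"hello", 1)))   # accepted
    print(rx.receive(protect(b"hello", 1)))   # rejected: replay
```

Two things the model makes visible that the prose only states: sending the same data twice under consecutive counter values yields different ciphertext, because the key changes per frame; and an ICV failure versus a MIC failure point at different problems (a garbled frame or an unsynchronized temporal key versus an unsynchronized MIC key), which is why the AP and client must keep their rekeying in step.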