Design and Deployment Considerations

Microsoft's deployment of wireless connectivity is for production access into the enterprise corporate intranet (hereafter known as Corpnet). Once on the Microsoft Corpnet, no firewalls restrict employees or other authorized users from accessing all network and corporate resources.

Performance

Because the WLAN was designed to supplement, not replace, Microsoft's wired Ethernet LAN infrastructure, two to four users on average share 11 Mbps of bandwidth per wireless AP. Real throughput fluctuates between 4 and 6.5 Mbps. The result of this design rule is that for a fully loaded AP (25 users), the user experience is similar to using a home DSL or cable modem connection.

An additional technique was used to ensure high performance in dense areas, such as executive briefing conference rooms and training areas, in which many users are concentrated in a small space. By reducing the transmit power of the wireless APs from 30 milliwatts (mW) to 15 or 5 mW (or even as low as 1 mW), smaller coverage areas were created. The reduction in transmission power allows a greater number of wireless APs to be placed in the same area. For example, in a room for 200 people, in which only three wireless APs can normally be placed at full power without coverage area overlap issues, additional lower-power wireless APs are used, resulting in fewer wireless clients per wireless AP and more average bandwidth available per wireless client.

Scalability

Microsoft's WLAN design is based on a 20-meter diameter coverage area, which ensures redundant coverage against the potential failure of a single wireless AP and provides seamless roaming within a building. Microsoft's Operations and Technology Group (OTG) verified wireless AP installation for conformance with an internally developed commissioning checklist. It also checked the coverage and network connectivity of each wireless AP. On the engineering side, Microsoft was concerned about decreased coverage area size, overlapping coverage areas via channel configuration, and mitigating Bluetooth (BT) interference.

Roaming and Mobility

In Microsoft's WLAN deployment, all the wireless APs within each building are on the same IP subnet, so intra-building wireless roaming is seamless. When wireless clients associate with different wireless APs, the DHCP renewal process renews the lease on the existing TCP/IP configuration. Inter-building roaming and the DHCP renewal process cause a change in the IP address configuration, which can cause problems for applications that cannot gracefully handle a change in the IP address or other configuration. In either case, because EAP-TLS and certificates are used for authentication, the user is never prompted to authenticate to the WLAN.

Security

Elements of the security design include the following, which are discussed in the following sections:

  • Authentication

  • Eavesdropping

  • Rogue wireless APs

Authentication

Microsoft chose EAP-TLS using user and computer certificates that are stored on the computer as the authentication method for wireless connectivity for the following reasons:

  • EAP-TLS does not require any dependencies on the user account's password.

  • EAP-TLS authentication occurs automatically, usually with no intervention by the user.

  • EAP-TLS uses certificates, which provide a relatively strong authentication mechanism.

  • The EAP-TLS exchange is protected with public key cryptography and is not susceptible to offline dictionary attacks.

  • The EAP-TLS authentication process results in mutually determined keying material for data encryption (the WEP unicast session encryption key) and signing.

Eavesdropping

Wireless traffic on the Microsoft WLAN is protected from eavesdropping in the following ways:

  • EAP messages for IEEE 802.1X negotiation are sent as clear text. However, the use of EAP-TLS and public key encryption prevents the eavesdropper from obtaining the information needed to masquerade as either the wireless client or the authenticating server.

  • After EAP-TLS negotiation is complete, all traffic sent between an authenticated wireless client and its associated wireless AP is encrypted with either the WEP multicast/global or unicast session key.

By monitoring the 802.1X exchange and 802.11 control and data traffic, an eavesdropper listening to wireless traffic could obtain the following types of information:

  • Names of the computer or user accounts involved in each EAP-TLS negotiation

  • Wireless client and wireless AP MAC addresses

  • MAC addresses of nodes on the wireless AP subnets

  • Times of association and disassociation

An eavesdropper could use such information to do long-term traffic profiling and analysis that might provide user or device details.

For an eavesdropper listening on the wired network, sensitive attributes of RADIUS messages sent between the wireless APs and the RADIUS servers and proxies are protected with the RADIUS shared secret.
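The protection of RADIUS traffic described above, and the point made in the Rogue Wireless APs section that an AP without the shared secret cannot exchange RADIUS messages at all, both rest on the shared secret authenticating each packet. The following Go example is added here and is not code from the book or from Microsoft's deployment: it builds an 802.1X Access-Request carrying an EAP-Message plus the Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 3579) and shows the server-side check that rejects an AP that does not hold the secret. The secret and the EAP payload are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
)

// attr encodes one RADIUS attribute as Type, Length, Value (RFC 2865 section 5).
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// buildAccessRequest is the AP's side: an Access-Request (Code 1) carrying the client's EAP-Message
// (type 79) and a Message-Authenticator (type 80) = HMAC-MD5(secret, packet with those 16 octets zeroed).
func buildAccessRequest(id byte, eap, secret []byte) []byte {
	pkt := []byte{1, id, 0, 0}
	reqAuth := make([]byte, 16) // Request Authenticator: 16 random octets
	rand.Read(reqAuth)
	pkt = append(pkt, reqAuth...)
	pkt = append(pkt, attr(79, eap)...)
	pkt = append(pkt, attr(80, make([]byte, 16))...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	mac := hmac.New(md5.New, secret)
	mac.Write(pkt)
	copy(pkt[len(pkt)-16:], mac.Sum(nil)) // fill in the zeroed authenticator
	return pkt
}

// serverAcceptsClient is the RADIUS server's side: recompute the HMAC with the secret configured for
// this RADIUS client. An AP that is not a configured client, or uses the wrong secret, fails here.
func serverAcceptsClient(pkt, secret []byte) bool {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return false
	}
	for i := 20; i+2 <= len(pkt); { // walk the attribute list
		t, l := pkt[i], int(pkt[i+1])
		if l < 2 || i+l > len(pkt) {
			return false
		}
		if t == 80 && l == 18 {
			zeroed := append([]byte(nil), pkt...)
			copy(zeroed[i+2:i+18], make([]byte, 16))
			mac := hmac.New(md5.New, secret)
			mac.Write(zeroed)
			return hmac.Equal(pkt[i+2:i+18], mac.Sum(nil))
		}
		i += l
	}
	return false // an EAP Access-Request without Message-Authenticator is discarded (RFC 3579 3.2)
}
```

Note that the shared secret only authenticates and hides selected attributes; the EAP-Message contents themselves travel unencrypted on the wire unless the RADIUS path is additionally protected (for example with IPsec).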

Rogue Wireless APs

The Microsoft WLAN is protected from rogue wireless APs by the use of EAP-TLS, which provides mutual authentication of the wireless client and the authenticating RADIUS server. To masquerade as a Microsoft corporate wireless AP, a rogue AP would require a security relationship with a Microsoft OTG RADIUS server, which is defined and controlled by the configuration of the wireless AP as a RADIUS client on the RADIUS server or proxy and a RADIUS shared secret. If a wireless AP does not have this security relationship and configuration, it cannot exchange RADIUS messages with the RADIUS server, and thus cannot authenticate 802.1X wireless clients. It is possible for the rogue wireless AP to be configured as the RADIUS client of a rogue RADIUS server. However, Microsoft wireless clients validate the certificate of the RADIUS server by default. Therefore, if the RADIUS server of the wireless AP cannot provide a valid certificate and proof of knowledge of its corresponding private key, the wireless client terminates the connection.
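The client-side check described in the last two sentences above, as an added Go example (not code from the book or from the Windows supplicant): a corporate root CA, a legitimate RADIUS server certificate and a rogue server's certificate under its own root are generated in memory, and the supplicant accepts the server only when its certificate chains to the trusted root and it can sign the handshake transcript with the matching private key. The names "Corp Root CA" and "ias.corp.example" are constructed, and the transcript signature stands in for the TLS proof-of-possession step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for cn signed by parent; parent == nil means self-signed
// (the corporate root CA, or a rogue RADIUS server's own private root).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// proveKey is the server's side: sign the handshake transcript with the certificate's private key.
func proveKey(key *ecdsa.PrivateKey, transcript []byte) []byte {
	digest := sha256.Sum256(transcript)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return sig
}

// supplicantAccepts is the client's check: chain to the trusted root, then verify the transcript signature.
func supplicantAccepts(root, server *x509.Certificate, transcript, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := server.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return false // untrusted chain: the client terminates the connection
	}
	digest := sha256.Sum256(transcript)
	pub, ok := server.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

In practice the supplicant should also restrict which root CAs and which server names it accepts; a trust pool containing every public root would accept any commercially issued certificate presented by a rogue RADIUS server.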

Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
