Using EAP-TLS and PEAP-MS-CHAP v2

Although a typical secure wireless configuration uses either EAP-TLS or PEAP-MS-CHAP v2, there are situations that require the simultaneous use of both authentication methods. For example, if you use PEAP-MS-CHAP v2 exclusively and then deploy a certificate infrastructure for EAP-TLS authentication, you need to support both types as you transition from the password-based PEAP-MS-CHAP v2 authentication method to the certificate-based EAP-TLS authentication method.

The way in which you configure the IAS servers to simultaneously support both EAP-TLS and PEAP-MS-CHAP v2 authentication for wireless connections depends on whether you are using Windows 2000 IAS or Windows Server 2003 IAS.

Configuring Windows 2000 IAS for Both EAP-TLS and PEAP-MS-CHAP v2 Authentication

Because Windows 2000 IAS remote access policies do not allow for the configuration of multiple EAP types, it is necessary to create two different remote access policies: one that requires EAP-TLS authentication and one that requires PEAP-MS-CHAP v2 authentication. To differentiate the two types of wireless access, you must create two different groups: one for the user and computer accounts that are using EAP-TLS authentication and one for the user and computer accounts that are using PEAP-MS-CHAP v2 authentication.

To configure a wireless remote access policy for users using EAP-TLS authentication, create a remote access policy with the following settings:

  • Policy name.

    EAP-TLS authenticated wireless access (example).

  • Conditions.

    NAS-Port-Type=Wireless-Other or Wireless-IEEE 802.11, Windows-Groups=WirelessEAP-TLS (example).

  • Permissions.

    Select Grant Remote Access Permission.

  • Profile, Authentication tab.

    Select the Extensible Authentication Protocol check box and the Smart Card Or Other Certificate EAP Type. Clear all other check boxes.

  • Profile, Encryption tab.

    Clear the No Encryption check box. Select all other check boxes.

To configure a wireless remote access policy for users using PEAP-MS-CHAP v2 authentication, create a remote access policy with the following settings:

  • Policy name.

    PEAP-MS-CHAP v2 authenticated wireless access (example).

  • Conditions.

    NAS-Port-Type=Wireless-Other or Wireless-IEEE 802.11, Windows-Groups=WirelessPEAP-MS-CHAPv2 (example).

  • Permissions.

    Select Grant Remote Access Permission.

  • Profile, Authentication tab.

    Select the Extensible Authentication Protocol check box and the Protected EAP (PEAP) EAP Type. Clear all other check boxes.

  • Profile, Encryption tab.

    Clear the No Encryption check box. Select all other check boxes.

Windows 2000 and Per-Policy EAP Types

Windows 2000 IAS does not allow for per-policy configuration of a specific EAP type. For example, if you use EAP-TLS for both virtual private network (VPN) and wireless authentication, you must configure the properties of the EAP-TLS type so that authentication will work for both VPN and wireless connections. The computer certificate selected for EAP-TLS authentication must be usable for both types of connections. For example, if EAP-TLS authentication for VPN connections must use one computer certificate and EAP-TLS authentication for wireless connections must use a different computer certificate, a single Windows 2000 IAS server cannot be used. You must use different sets of Windows 2000 IAS RADIUS servers for the different types of connection, or you must use Windows Server 2003 IAS, which allows per-policy configuration of EAP type properties.

Configuring Windows Server 2003 IAS for Both EAP-TLS and PEAP-MS-CHAP v2 Authentication

Windows Server 2003 IAS allows the configuration of multiple EAP types in a single remote access policy. Therefore, you configure the initial wireless remote access policy according to the instructions in Chapter 8 or Chapter 10, and then configure the resulting remote access policy to support both EAP types, with EAP-TLS listed first and PEAP-MS-CHAP v2 second.

For example, if you configure your IAS servers with the remote access policy described in Chapter 8, the remote access policy for EAP-TLS must be modified by using the following steps:

  1. From the console tree of the Internet Authentication Service snap-in, open Remote Access Policies.

  2. In the details pane, double-click the remote access policy for wireless connections.

  3. Click Edit Profile.

  4. From the Authentication tab, click EAP Methods.

  5. In the Select EAP Providers dialog box, the EAP Types list should contain the Smart Card Or Other Certificate EAP Type.

  6. Click Add, select Protected EAP (PEAP) in Authentication Methods and click OK. The Protected EAP (PEAP) EAP Type is added to the list of EAP Types after the Smart Card Or Other Certificate Type. The following figure shows the resulting configuration.

    [Figure: the Select EAP Providers dialog box, with Smart Card Or Other Certificate listed first and Protected EAP (PEAP) listed second in EAP Types.]

  7. Click OK to save the changes to EAP methods.

  8. Click OK to save the changes to the remote access policy profile.

  9. Click OK to save changes to the remote access policy.

This is the correct order for the EAP types: you want IAS to attempt to negotiate EAP types from the most secure (EAP-TLS) to the least secure (PEAP-MS-CHAP v2). If instead you are modifying the remote access policy created in Chapter 10, use the preceding procedure to add the Smart Card Or Other Certificate EAP Type to the list of EAP types. Then, in the Select EAP Providers dialog box, select the Smart Card Or Other Certificate EAP Type and click Move Up so that it is first in the list of EAP types.
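The two configurations described in this section (two group-differentiated remote access policies on Windows 2000 IAS, and a single policy with an ordered EAP type list on Windows Server 2003 IAS) can be modelled as a short policy evaluator. The following Python script is an added example; it is not part of the book and not IAS code. The Policy and AccessRequest structures, the evaluation functions and the sample requests are assumptions that imitate IAS behaviour; the NAS-Port-Type values 18 and 19 (RFC 3580) and the EAP method codes 13 (EAP-TLS) and 25 (PEAP) are the registered ones. It shows why the order of EAP types matters: a supplicant that can do both methods is steered to whichever type the server lists first, so listing PEAP ahead of EAP-TLS silently downgrades certificate-capable clients to password authentication.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RADIUS NAS-Port-Type values (RFC 3580): the two wireless values the policies
# in this section match on, plus a non-wireless value used as a negative case.
NAS_PORT_WIRELESS_OTHER = 18
NAS_PORT_WIRELESS_IEEE_80211 = 19
NAS_PORT_VIRTUAL = 5            # a VPN connection, should not match a wireless policy

# EAP method type codes from the IANA EAP registry.
EAP_TLS = 13                    # "Smart Card Or Other Certificate" in the IAS UI
EAP_PEAP = 25                   # "Protected EAP (PEAP)" in the IAS UI

WIRELESS = {NAS_PORT_WIRELESS_OTHER, NAS_PORT_WIRELESS_IEEE_80211}


@dataclass
class Policy:
    """Assumed model of one IAS remote access policy (example, not an IAS API)."""
    name: str
    nas_port_types: Set[int]
    windows_group: Optional[str]    # None means no Windows-Groups condition
    eap_types: List[int]            # server preference order; first entry is tried first


@dataclass
class AccessRequest:
    """Assumed model of an Access-Request plus the methods the supplicant supports."""
    user: str
    groups: Set[str]
    nas_port_type: int
    client_eap_types: Set[int]


def match_policy(policies: List[Policy], req: AccessRequest) -> Optional[Policy]:
    """IAS evaluates policies in order and uses the first whose conditions all match."""
    for policy in policies:
        if req.nas_port_type not in policy.nas_port_types:
            continue
        if policy.windows_group is not None and policy.windows_group not in req.groups:
            continue
        return policy
    return None


def negotiate_eap(policy: Policy, req: AccessRequest) -> Optional[int]:
    """The server proposes its EAP types in list order. A supplicant that cannot do a
    proposed type answers EAP-Nak (RFC 3748, section 5.3) and the server moves on to
    the next configured type; if none is acceptable the attempt fails."""
    for eap_type in policy.eap_types:
        if eap_type in req.client_eap_types:
            return eap_type
    return None


def authenticate(policies: List[Policy], req: AccessRequest) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (decision, matched policy name, negotiated EAP type)."""
    policy = match_policy(policies, req)
    if policy is None:
        return ("reject", None, None)
    eap_type = negotiate_eap(policy, req)
    if eap_type is None:
        return ("reject", policy.name, None)
    return ("accept", policy.name, eap_type)


# Windows 2000 IAS: one EAP type per policy, so two policies told apart by group.
WIN2000_POLICIES = [
    Policy("EAP-TLS authenticated wireless access", WIRELESS, "WirelessEAP-TLS", [EAP_TLS]),
    Policy("PEAP-MS-CHAP v2 authenticated wireless access", WIRELESS, "WirelessPEAP-MS-CHAPv2", [EAP_PEAP]),
]

# Windows Server 2003 IAS: a single policy with EAP-TLS listed before PEAP.
WIN2003_POLICIES = [Policy("Wireless access", WIRELESS, None, [EAP_TLS, EAP_PEAP])]

# The same policy with the types in the wrong order, to show the downgrade effect.
WRONG_ORDER_POLICIES = [Policy("Wireless access", WIRELESS, None, [EAP_PEAP, EAP_TLS])]

if __name__ == "__main__":
    # Constructed sample requests: a migrated user with a certificate (both methods),
    # a user still on passwords (PEAP only), and a VPN request hitting the wireless policy.
    cert_user = AccessRequest("alice", {"WirelessEAP-TLS"}, NAS_PORT_WIRELESS_IEEE_80211, {EAP_TLS, EAP_PEAP})
    pwd_user = AccessRequest("bob", {"WirelessPEAP-MS-CHAPv2"}, NAS_PORT_WIRELESS_OTHER, {EAP_PEAP})
    vpn_user = AccessRequest("alice", {"WirelessEAP-TLS"}, NAS_PORT_VIRTUAL, {EAP_TLS})
    for label, policies in (("Windows 2000", WIN2000_POLICIES),
                            ("Windows Server 2003", WIN2003_POLICIES),
                            ("Wrong order", WRONG_ORDER_POLICIES)):
        for req in (cert_user, pwd_user, vpn_user):
            print(label, req.user, authenticate(policies, req))
```

The ordering check is the part worth keeping in mind when you migrate: run a certificate-capable test client against the policy and confirm the negotiated method is EAP-TLS (type 13), not PEAP (type 25), before moving users out of the password-based group.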



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies