Lesson 3: Configuring Clients for Wireless Security
Configuring WEP encryption on your WAPs can keep unauthorized clients from attaching to those WAPs. It does nothing, however, to stop an intruder who has gained physical access to your facilities from plugging an unsecured WAP of his own into any live network port. Once placed, such a rogue WAP can go undiscovered for a long time unless you actively survey the premises for it.
Preventing the illicit attachment of wireless devices to an existing network means reconsidering whether any device should be allowed onto the network without first authenticating. Retrofitting that control after the fact requires changes to every switch and WAP on the network. The problem doesn't go away just because you don't use wireless yourself: wireless equipment doesn't cause the problem; the intruder who plugs in the equipment does.
This lesson discusses the IEEE 802.1x port-based authentication protocol, which is where data-link layer port authentication is headed. Essentially, 802.1x requires a device (and, in the Windows implementation, the user) to authenticate before it is granted access to the network at even the most basic level: until then, the port passes nothing but authentication traffic.
Understand the need for data-link layer access control and authentication
Configure the 802.1x authentication protocol
Secure wireless access using certificates
Ensuring Secure Access
No form of simple encryption or authentication can solve the most vexing problem with wireless security: the attachment of an illicit WAP to your network that provides unauthorized access.
Preventing illicit WAPs requires controlling access to the network at the level of the data-link port itself. No client computer, hub, or other device should be allowed past a switch or WAP port until it has authenticated successfully with an authentication server. To work, a protocol that provides this level of security has to control every data-link port connected to the network, wired ports as well as wireless. If any port on the network can be used without authentication, a WAP can be connected to that port and network security is compromised.
Securing ports is the theory behind 802.1x authentication. Although 802.1x was developed in response to the security problems of wireless networking, it is not only an authentication protocol for wireless ports; to prevent unauthorized attachment effectively, it must be supported by every switch, bridge, and WAP in your network infrastructure. An unmanaged hub cannot enforce it at all, because every device plugged into the hub shares a single port on the switch behind it.
In the Windows implementation, 802.1x challenges the client to provide machine authentication when it attaches to the network, and then user authentication again when a user logs on. If either phase fails, the data-link access device (WAP, bridge, or switch) does not forward the client's frames onto the network. An attacker therefore never reaches the network layer and cannot talk to other servers or clients on the network.
The 802.1x protocol must be supported at three places in the network: on the client, on the data-link device, and on an authentication server. The data-link device (WAP or switch) is responsible for detecting new clients, passing their authentication to an authentication server, and locking the client out if the server reports that the authentication failed. The authentication server is responsible for checking the clients' credentials and reporting the authentication status back to the data-link device.
Because data-link devices are simple, they lack the processing power and the credential store needed to perform cryptographic authentication for a large number of users.
Authentication should therefore be centralized on an authentication server rather than distributed across numerous individual devices.
In Windows 2000, the existing Internet Authentication Service (IAS) provides the Remote Authentication Dial-In User Service (RADIUS) server. IAS authenticates the client either with an MD5 challenge (EAP-MD5, a password-based challenge-response, not an encryption protocol) or with user and machine certificates (EAP-TLS). While a client is unauthenticated, the data-link device accepts nothing from it except 802.1x authentication frames (EAP over LAN, or EAPOL); it relays the EAP messages carried in those frames to IAS over RADIUS, which runs on UDP port 1812 and is protected by a shared secret configured on both the WAP and the IAS server. Only when IAS reports that authentication succeeded does the data-link device lift the restriction and give the client open access to the network.
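The exchange just described, as an added example that is not code from the original lesson or from Microsoft: a Python model of the RADIUS messages a WAP exchanges with IAS for one EAP round trip, following RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator for EAP over RADIUS). The shared secret, the account name FABRIKAM\LAPTOP01$, the WAP address 192.168.241.254 and the server behaviour are constructed for the example; `server_handle` stands in for IAS and, like a real RADIUS server, silently discards a request whose Message-Authenticator does not verify under its secret. The `probe` function sends one real request over UDP port 1812 and is not exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 61, 79, 80
WIRELESS_80211 = 19                  # NAS-Port-Type value behind "Wireless - IEEE 802.11" in the IAS policy
HEADER = struct.Struct("!BBH16s")    # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], HEADER.size
    while pos < length:
        t, n = packet[pos], packet[pos + 1]
        if n < 2 or pos + n > length:
            raise ValueError("bad RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + n]))
        pos += n
    return code, ident, auth, attrs

def message_authenticator(secret, code, ident, request_auth, attrs):
    # RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the packet with the Message-Authenticator
    # value zeroed; for replies the header still carries the Request Authenticator at this point.
    raw = encode_attrs([(t, b"\0" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.new(secret, HEADER.pack(code, ident, HEADER.size + len(raw), request_auth) + raw, "md5").digest()

def response_authenticator(secret, code, ident, request_auth, raw_attrs):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(HEADER.pack(code, ident, HEADER.size + len(raw_attrs), request_auth) + raw_attrs + secret).digest()

def eap_identity(identity):
    # EAP-Response/Identity: Code 2, Id, Length, Type 1, identity
    return struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity.encode()

def build_access_request(secret, ident, user, nas_ip, eap_payload):
    """What the WAP sends to IAS for each EAP message it relays from a supplicant."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)), (EAP_MESSAGE, eap_payload),
             (MESSAGE_AUTHENTICATOR, b"\0" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs))
    raw = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(raw), request_auth) + raw

def server_handle(secret, packet, grant):
    """Simulated IAS: returns a reply, or None where a real server silently discards the request."""
    code, ident, request_auth, attrs = parse(packet)
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if code != ACCESS_REQUEST or got is None:
        return None                      # EAP over RADIUS requires Message-Authenticator (RFC 3579 3.3)
    if not hmac.compare_digest(got, message_authenticator(secret, code, ident, request_auth, attrs)):
        return None                      # shared-secret mismatch: no reply at all, the WAP just times out
    rcode = ACCESS_ACCEPT if grant else ACCESS_REJECT
    eap = struct.pack("!BBH", 3 if grant else 4, ident, 4)          # EAP-Success (3) or EAP-Failure (4)
    rattrs = [(EAP_MESSAGE, eap), (MESSAGE_AUTHENTICATOR, b"\0" * 16)]
    rattrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, rcode, ident, request_auth, rattrs))
    raw = encode_attrs(rattrs)
    return HEADER.pack(rcode, ident, HEADER.size + len(raw), response_authenticator(secret, rcode, ident, request_auth, raw)) + raw

def verified_reply_code(secret, request, reply):
    """The WAP's check: the reply's code, or None unless it proves the secret and is bound to this request."""
    _, req_id, request_auth, _ = parse(request)
    code, ident, resp_auth, attrs = parse(reply)
    ma = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if (ident != req_id or ma is None
            or not hmac.compare_digest(resp_auth, response_authenticator(secret, code, ident, request_auth, encode_attrs(attrs)))
            or not hmac.compare_digest(ma, message_authenticator(secret, code, ident, request_auth, attrs))):
        return None
    return code

def probe(server_ip, secret, port=1812, timeout=3.0):
    """Send one real identity-only Access-Request to a RADIUS server and say what came back.
    'no reply' is the usual symptom of a wrong shared secret or a WAP not registered as an IAS client."""
    request = build_access_request(secret, os.urandom(1)[0], "probe", "0.0.0.0", eap_identity("probe"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply"
    code = verified_reply_code(secret, request, reply)
    return "reply did not verify" if code is None else f"secret ok, reply code {code}"

def demo():
    """Constructed exchange: the WAP at 192.168.241.254 relays a laptop's EAP identity to IAS."""
    secret, wrong = b"9f3a-Kq7!pVx2-long-random-secret", b"9f3a-Kq7!pVx2-long-random-secreT"   # constructed
    user = "FABRIKAM\\LAPTOP01$"
    request = build_access_request(secret, 7, user, "192.168.241.254", eap_identity(user))
    forged = server_handle(wrong, build_access_request(wrong, 7, user, "0.0.0.0", eap_identity(user)), True)
    return {"accepted": verified_reply_code(secret, request, server_handle(secret, request, True)) == ACCESS_ACCEPT,
            "rejected": verified_reply_code(secret, request, server_handle(secret, request, False)) == ACCESS_ACCEPT,
            "secret_mismatch_dropped": server_handle(wrong, request, True) is None,
            "forged_accept_ignored": verified_reply_code(secret, request, forged) == ACCESS_ACCEPT}
```

Two things in the model carry over directly to the practice later in this lesson. First, a shared-secret mismatch between the WAP and IAS produces no error anywhere: the server simply does not answer, and the client sees an authentication that fails after a timeout. `probe("192.168.241.10", secret)` against a live IAS server tells "no reply" apart from a reply that verifies; a real server answers an identity-only request with an Access-Challenge (code 11) rather than an Accept, which is enough to show the secret is right. Second, an Access-Accept forged by someone who does not know the secret is ignored by the WAP, but only because the WAP checks the Response Authenticator, so the strength of that secret is what stands between a captured RADIUS exchange and an attacker who can open ports at will.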
Remember that 802.1x cannot prevent surreptitious attachment of WAPs to your network unless every data-link device in your network supports it. For most enterprises, this means that there's little reason to implement 802.1x until you've upgraded every switch in the network to one that supports 802.1x on every port.
Even if you can't enable 802.1x throughout your network, 802.1x can be used to perform machine authentication on the wireless segment. In Windows, WEP is required in order to use 802.1x, and a static WEP key does keep unauthorized machines off the WAP, but it is a weaker control than it looks: the key is a single secret shared by every client rather than a per-machine credential, and a patient attacker can recover it from captured traffic. Using 802.1x with certificates (EAP-TLS) gives each machine its own credential and lets the WAP hand out per-session WEP keys instead of one static key. Per-user authentication, which 802.1x can also perform, is largely duplicated by your domain logon, so there is little reason to deploy 802.1x for that alone. The 802.1x protocol was designed to prevent illicit attachment of devices to the network; its complexity is warranted for that purpose alone in high-security environments.
Identifying Security Problems with 802.1x Implementation
The most important problem with 802.1x is that it is an all-or-nothing proposition. Unless every network attachment port on your network, wired or wireless, supports 802.1x, the protocol is of limited use, because a rogue WAP simply moves to an unprotected port; for the wireless segment alone, WEP can be used to keep unauthorized clients off the WAP, with the weaknesses noted earlier.
Another major problem is the chicken-and-egg dilemma that comes with new computers. A computer needs a domain membership, a machine certificate, and a user certificate before it can authenticate on the network, but it cannot be joined to the domain or have certificates installed securely unless it can connect to the network. All clients must therefore be configured on a non-802.1x network port before they are deployed to users, which, strictly speaking, violates the all-or-nothing premise of 802.1x. In practice, machines are usually configured in an access-controlled IT room and then deployed to end users, but this might not be an option in large enterprises with many hundreds of computers to roll out.
Finally, a weakness in the original 802.1x protocol has already been demonstrated by security researchers. Although somewhat esoteric, the attack is easy to carry out, and tools to automate it are easy to write. The attacker listens on the wireless network for a client to authenticate. Once a client has authenticated, the attacker sends it a forged 802.11 disassociation frame (802.11 management frames are not authenticated, so the client obeys), which makes the client drop off the network. The WAP, however, still regards that client's MAC address as authenticated, because 802.1x authenticates once at association time and thereafter binds the open port to nothing but the MAC address. The attacker assumes the dropped client's MAC address and participates on the network until the next reauthentication timeout, which is usually hourly.
WEP encryption, which is required in the Windows 2000 implementation of 802.1x, makes this attack harder; the attacker must first recover the WEP key before the 802.1x weakness can be exploited. As you learned in the lesson on WEP, a determined attack against WEP will succeed (the original estimate was a few weeks; the key-recovery attacks published since recover a key in minutes), and because static WEP keys are not automatically refreshed (in reality, they are usually never changed), a determined attacker will eventually hijack sessions on any network that relies on WEP alone. The real fix is to bind each authenticated session to a per-session key the attacker never sees and to check every frame against it, which is what the 802.11i standard later added on top of 802.1x.
Other weaknesses exist in 802.1x. Because implementing 802.1x requires complex configuration and the complete replacement of existing infrastructure, it is likely to be superseded by the next generation of 802.11 security protocols (the 802.11i work that became WPA and WPA2) before it is ever widely implemented. Those protocols, as it turned out, kept 802.1x as their authentication framework and added the per-session keying it lacked.
The measures described in this section are intended to keep casual hackers off your network. Other methods can be used to detect attackers who are working against your network for the length of time these attacks require. Exploiting the weaknesses of 802.1x takes serious effort and is attempted only by attackers who are specifically targeting your network.
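The hijack described above and the fix for it, as an added example that is not part of the original lesson: a Python model of the WAP's controlled port. Nothing here is the book's code; the MAC addresses, the account name and the `ias` callback that stands in for the RADIUS round trip are constructed, and the per-frame MIC is a plain HMAC standing in for the TKIP/CCMP integrity check that 802.11i attaches under a session key derived from the EAP exchange. `keyed=False` is the configuration the text discusses (802.1X-2001 over static WEP, authorization bound only to the MAC address); `keyed=True` is what the later standard added.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

EAPOL, IPV4 = 0x888E, 0x0800      # EtherTypes: 802.1x authentication frames, ordinary data

@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes
    mic: Optional[bytes] = None   # per-frame integrity check; only a holder of the session key can add one

@dataclass
class PortState:
    authorized: bool = False
    session_key: Optional[bytes] = None

def frame_mic(key: bytes, frame: Frame) -> bytes:
    """Stand-in for the per-packet MIC that 802.11i attaches under a key derived from the EAP
    exchange (TKIP Michael / CCMP in reality); here HMAC-SHA256 over source MAC, EtherType and payload."""
    data = frame.src_mac.encode() + frame.ethertype.to_bytes(2, "big") + frame.payload
    return hmac.new(key, data, "sha256").digest()

class Authenticator:
    """The WAP's controlled port, with one state entry per client MAC address.

    keyed=False models 802.1X-2001 over static WEP: once IAS says yes, authorization is bound to
    nothing but the MAC address.  keyed=True models what 802.11i added: the EAP method yields a
    per-session key and every data frame has to carry a MIC under it."""

    def __init__(self, auth_server: Callable[[bytes], Tuple[bool, Optional[bytes]]], keyed: bool):
        self.auth_server = auth_server      # stands in for the RADIUS round trip to IAS
        self.keyed = keyed
        self.ports: Dict[str, PortState] = {}

    def receive(self, frame: Frame) -> str:
        state = self.ports.setdefault(frame.src_mac, PortState())
        if frame.ethertype == EAPOL:        # the only traffic an unauthorized port lets through
            ok, key = self.auth_server(frame.payload)
            state.authorized, state.session_key = ok, (key if self.keyed else None)
            return "port authorized" if ok else "port unauthorized"
        if not state.authorized:
            return "dropped: unauthorized port"
        if self.keyed and (frame.mic is None or
                           not hmac.compare_digest(frame.mic, frame_mic(state.session_key, frame))):
            return "dropped: bad MIC"
        return "forwarded"

VALID_ACCOUNTS = {b"FABRIKAM\\LAPTOP01$"}   # constructed: the one machine account IAS knows about

def hijack_scenario(keyed: bool) -> Dict[str, str]:
    """Run the attack from the text against one model and return what the WAP did with each frame."""
    session_keys: Dict[bytes, bytes] = {}

    def ias(identity: bytes):
        if identity not in VALID_ACCOUNTS:
            return False, None
        session_keys[identity] = os.urandom(32)   # with EAP-TLS both ends derive this; IAS ships it to the WAP
        return True, session_keys[identity]

    wap = Authenticator(ias, keyed)
    victim_mac, rogue_mac = "00:0c:41:aa:bb:cc", "00:0c:41:de:ad:01"   # constructed addresses
    out = {"victim_auth": wap.receive(Frame(victim_mac, EAPOL, b"FABRIKAM\\LAPTOP01$"))}

    # 1. The legitimate client talks; in the keyed model it MICs each frame with the key it derived.
    legit = Frame(victim_mac, IPV4, b"GET /intranet/ HTTP/1.0")
    if keyed:
        legit.mic = frame_mic(session_keys[b"FABRIKAM\\LAPTOP01$"], legit)
    out["victim_data"] = wap.receive(legit)

    # 2. The attacker, who has been listening, forges an 802.11 disassociation to the victim.  That frame
    #    goes to the victim, not the WAP, so the WAP's port state for victim_mac is untouched.
    # 3. The attacker now transmits with the victim's MAC.  It never saw the session key.
    spoofed = Frame(victim_mac, IPV4, b"attacker traffic")
    out["attacker_as_victim"] = wap.receive(spoofed)
    spoofed.mic = frame_mic(b"guessed key", spoofed)
    out["attacker_guessed_key"] = wap.receive(spoofed)

    # 4. A rogue device with its own MAC that never authenticated is blocked under both models.
    out["rogue_device"] = wap.receive(Frame(rogue_mac, IPV4, b"rogue WAP traffic"))
    return out
```

Under the weak model the attacker's frames are forwarded as soon as the victim has authenticated; that is the whole attack, and the disassociation only silences the victim so the two stations don't collide. Under the keyed model the same frames are dropped, because the attacker never obtained the session key and cannot produce a valid MIC, while a device that never authenticated at all is dropped in both cases. Note what the keyed model does not fix: the forged disassociation itself still works, because 802.11 management frames stayed unauthenticated until 802.11w added protected management frames.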
Troubleshooting 802.1x Connections
The 802.1x protocol relies on many services of Windows 2000, which makes it difficult to configure correctly and leaves it subject to a wide range of possible failures. 802.1x can fail for any of the following reasons:
There is a general connectivity problem with the client, WAP, or network. Ensure that all participants in the network can communicate correctly without any form of encryption or authentication enabled. Ensure that the client can log on to the domain and that DNS is correctly configured on the client and server.
WEP is not correctly configured between the client and the WAP. Ensure that WEP encryption is working correctly before you attempt to enable 802.1x.
IAS is not installed correctly or has not been activated correctly in the domain. Ensure that IAS is correctly installed and enabled in the domain.
The IAS policy is incorrect. Study the example in this lesson and ensure that IAS policy is configured similarly.
IAS and the WAP are not pointing at each other, or the shared secret does not match. You must add the WAP as a client of the IAS server (by IP address) and point the WAP at the server in the WAP's authentication configuration settings, with the same shared secret on both sides. A mismatched secret produces no error message: IAS silently discards the request, and the client simply times out.
The 802.1x client does not have a valid machine certificate. Use the Certificates console on the client to request a computer certificate, or use Group Policy to distribute certificates to domain members automatically.
The user attempting to log on does not have a valid user certificate on the client. Use the Certificates management console or the Certificate Services Web site to request a valid user certificate.
The user does not have dial-in permissions configured in the domain. Use the Active Directory Users And Computers management console to allow dial-in permissions for the user in question.
Practice: Configuring Your Network for 802.1x Authentication
In this practice, you configure the domain controller to authenticate wireless clients, configure the WAP to pass authentication requests to the domain controller, and configure the client computer to authenticate using 802.1x.
Exercise 1: Installing Internet Authentication Server
In this exercise, you configure the domain.Fabrikam.com domain controller to authenticate 802.1x clients. The server-side configuration is somewhat complex. Be certain that you go through the steps carefully. If you already have Service Pack 3 installed, you can skip the first procedure.
To install Windows 2000 Service Pack 3
Log on to the Windows 2000 domain controller as the administrator.
Open Internet Explorer, and browse to http://windowsupdate.microsoft.com. The Security Warning dialog box appears, asking whether to install the Windows Update control, as shown in Figure 10-13.
Figure 10-13. Downloading the Windows Update ActiveX control
Click Yes. After a moment, the Welcome to Windows Update page appears, as shown in Figure 10-14.
Click Scan For Updates.
In the left pane, click Review And Install Updates. A list of updates will appear.
Figure 10-14. The Welcome To Windows Update Web page
Click Remove for every item except Windows 2000 Service Pack 3. Your screen should appear as shown in Figure 10-15.
Figure 10-15. Selecting Service Pack 3 on the Total Selected Updates page
Click Install Now.
When the Microsoft Windows Update EULA dialog box appears, click Accept to continue.
When the Welcome To Windows 2000 Service Pack Setup Wizard appears, click Next.
On the License Agreement page, select I Agree, and click Next.
On the Select Options page, when the wizard asks if you want to archive files for uninstallation, select Archive Files, and click Next.
The wizard will inspect your configuration and begin downloading files. The process may take a considerable amount of time, depending upon your Internet connection speed.
When the wizard finishes, click Finish to restart your computer.
To install Internet Authentication Service
Click Start, point to Settings, and click Control Panel. Control Panel appears.
Double-click Add/Remove Programs, and click Add/Remove Windows Components. The Windows Components Wizard appears.
In the Components list, double-click Networking Services. The Networking Services dialog box appears.
Select the Internet Authentication Service check box, as shown in Figure 10-16, and click OK.
Figure 10-16. Selecting Internet Authentication Service for installation
In the Windows Components Wizard, click Next, and click Finish.
In the Add/Remove Programs window, click Close.
Close Control Panel.
To enable IAS authentication
Click Start, point to Programs, point to Administrative Tools, and click Internet Authentication Service.
The Internet Authentication Service management console appears, as shown in Figure 10-17.
Figure 10-17. The Internet Authentication Service management console
Right-click Internet Authentication Service (Local), and click Register Service in Active Directory. The Register Internet Authentication Service In Active Directory dialog box appears.
Click OK to register the service. The Service Registered dialog box appears.
Click OK to enable IAS.
To add the WAP as an IAS client
Right-click the Clients folder in the IAS management console, and click New Client. The Add Client dialog box appears, as shown in Figure 10-18.
Figure 10-18. Adding the WAP as an IAS client
On the Name And Protocol page, type TestWLAN WAP as the Friendly Name for the client, and click Next.
The Client Information page appears, as shown in Figure 10-19.
Figure 10-19. The Add RADIUS Client page with information about an 802.1x client
On the Client Information page, type 192.168.241.254 or the IP address of your WAP in the Client Address box.
Type the same value in both the Shared Secret and Confirm Shared Secret boxes, and record it for use when you configure the WAP. Use a long, random secret: RADIUS protects its messages with MD5-based authenticators keyed with this secret, so anyone who captures traffic between the WAP and IAS can test guesses offline, and a short or guessable secret will not hold up.
Click Finish. The TestWLAN WAP client now appears in the list of clients in the IAS management console, as shown in Figure 10-20.
Figure 10-20. The client showing in the Internet Authentication Service management console
To create a wireless remote access policy
In the Internet Authentication Service management console, right-click Remote Access Policies, and click New Remote Access Policy. The Add Remote Access Policy Wizard appears, as shown in Figure 10-21.
Figure 10-21. Adding a Remote Access Policy
Type WLAN Access Policy in the Policy Friendly Name box, and click Next. The Conditions page appears, with no conditions showing.
On the Conditions page, click Add. The Select Attribute dialog box appears, as shown in Figure 10-22.
Figure 10-22. The Select Attribute dialog box shows the available policy attributes
Select Windows-Groups, and click Add. The Groups dialog box appears.
In the Groups dialog box, click Add. The Select Groups dialog box appears, as shown in Figure 10-23.
Figure 10-23. Selecting Groups to allow for RADIUS authentication
In the Select Groups dialog box, double-click Domain Users, and click OK.
Click OK to close the Groups dialog box. The Conditions page in the Add Remote Access Policy Wizard shows the new condition.
On the Conditions page, click Add. The Select Attribute dialog box appears.
Select NAS-Port-Type, and click Add. The NAS-Port-Type dialog box appears, as shown in Figure 10-24.
Figure 10-24. Selecting the NAS Port Type for RADIUS authentication
Select Wireless - IEEE 802.11 in the Available Types list, click Add, and click OK.
On the Conditions page in the Add Remote Access Policy Wizard, click Next. The Permissions page appears.
On the Permissions page, select Grant Remote Access Permission, and click Next. The User Profile page appears.
On the User Profile page, click the Edit Profile button. The Edit Dial-In Profile dialog box appears, as shown in Figure 10-25.
Figure 10-25. The Edit Dial-In Profile dialog box
Click the Authentication tab.
Select Extensible Authentication Protocol, and clear all the other check boxes. The dialog box should appear as in Figure 10-26.
Figure 10-26. Enabling Extensible Authentication Protocol for 802.1x authentication
Click Apply.
Click the Encryption tab.
Clear all check boxes except Strongest. The dialog box should appear as shown in Figure 10-27.
Figure 10-27. Selecting an encryption level
Click OK. Click No if a message box asks if you want to view help.
In the Add Remote Access Policy Wizard, click Finish.
Select Remote Access Policies in the console tree of the Internet Authentication Service management console.
Right-click the Allow Access If Dial-In Permission Is Enabled policy, and click Delete. The Delete Policy dialog box appears.
Click Yes, and close the Internet Authentication Service management console.
To allow dial-in access for the administrator
Open the Active Directory Users And Computers management console.
Expand domain.Fabrikam.com, and click the Users folder.
Double-click the Administrator account. The Administrator Properties dialog box appears.
Click the Dial-In tab, shown in Figure 10-28.
Figure 10-28. Enabling dial-in permission for the Administrator
Click Allow Access.
Click OK to close the Administrator Properties dialog box.
Close the Active Directory Users And Computers management console.
Exercise 2: Configuring the WAP for 802.1x
In this exercise, you enable the 802.1x protocol in the WAP by configuring it to relay authentication requests to a RADIUS server. Your equipment might vary, so be sure to follow the instructions provided by the manufacturer of your devices, using these procedures as a guide.
To configure the WAP to relay authentication requests
Open Internet Explorer, and browse to http://192.168.241.254 or the IP address of your WAP.
In the left pane in Internet Explorer, expand Access Point, and expand Security.
Click Authentication. The logon prompt appears.
Type Admin as the user name and the WAP's password, and click OK. The Authentication page appears.
Type 192.168.241.10 or your domain controller's IP address in the Server IP Address box.
Type the shared secret key you entered in the previous exercise in the Shared Secret box.
Type 1812 in the Port box.
For Enable Authentication, select Yes.
Click Apply. The Add Server dialog box appears. Click OK.
Click Restart AP. The Restart AP dialog box appears. Click OK.
Exercise 3: Configuring Windows XP for 802.1x
The final component in an 802.1x configuration is the client. Clients must have a certificate, issued by a certification authority the IAS server trusts, that identifies them, and they must be configured to authenticate through the RADIUS server before they can participate on the network.
To prepare the client for 802.1x
Connect the wireless laptop client to the network with a network cable.
Join the computer to the domain.
Ensure that the computer has a computer certificate. Chapter 6, "Managing a Public Key Infrastructure," has detailed instructions on how to verify the presence of a computer certificate.
Log on as the domain administrator.
Ensure that the administrator has a user certificate on the computer.
To enable 802.1x authentication on the client
Right-click My Network Places, and click Properties. The Network Connections window appears.
Right-click Wireless Network Connection 3, and click Properties. The Wireless Network Connection 3 Properties dialog box appears.
Click the Wireless Networks tab, shown in Figure 10-29.
Figure 10-29. The Windows XP Wireless Networks tab
Click Configure. The Wireless Network Properties dialog box appears.
Click Authentication. The Authentication tab appears, as shown in Figure 10-30.
Figure 10-30. Enabling 802.1x in Windows XP
Select Enable IEEE 802.1x Authentication For This Network.
Click OK to close the Wireless Network Properties dialog box.
Click OK to close the Wireless Network Connection 3 Properties dialog box.
To negotiate authentication and enable secure wireless access
In the Network Connections window, right-click Wireless Network Connection 3, and click Disable. The Wireless Network Connection icon will appear dimmed, indicating that it is not available.
Right-click Wireless Network Connection 3 again, and click Enable. The icon will indicate the enabling and authenticating status. When the authentication succeeds, the Network Connections window will appear as shown in Figure 10-31. If the authentication fails for any reason, the network connection will be disconnected, and a red X will appear on the icon.
Figure 10-31. A connection that uses 802.1x authentication
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
What is the most difficult security problem that wireless networks cause?
What security measure is required to prevent the illicit attachment of uncontrolled wireless equipment, and what protocol was developed to solve it?
How does 802.1x work?
Which component of Windows 2000 is used to implement authentication for 802.1x?
What is the primary problem with 802.1x that will prevent its adoption in the near term?
Lesson Summary
The 802.1x protocol was developed to solve the problem of users or hackers illicitly attaching WLAN devices to the network in an insecure manner.
The 802.1x protocol works by blocking traffic from a client until an authentication server has informed the WAP that the client has successfully authenticated.
The 802.1x protocol must be supported by clients, data-link equipment, and an authentication server. Support is built into Windows XP for client-side authentication and into IAS for Windows 2000.
The 802.1x protocol performs both machine authentication and user authentication, using certificates (EAP-TLS) or MD5 password challenges (EAP-MD5).