Creating a secure 802.1x wireless infrastructure using Microsoft Windows

Creating a secure 802.1x wireless infrastructure using Microsoft Windows

  • Comments 6
  • Likes

My name is Prachand and I am an SE on the Platforms Networking Team. My intent of this post is for it to be a quick reference guide for setting up secure wireless networking using Microsoft products. It describes how to create an infrastructure for authentication, authorization, and accounting for wireless connections using Microsoft RADIUS Server (IAS/NPS) and Windows clients. Before going into the details of how to create the protected 802.1x network, let’s take a minute to understand the components of 802.1x.

IEEE 802.1X is an IEEE Standard for port-based Network Access Control. It provides authenticated network access to wired Ethernet networks and wireless 802.11 networks. It offers the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity. It enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.

802.1X defines the following components:

  • Supplicant – Software which enables wireless communication.
  • Authenticator – Wireless Access Point
  • Authentication Server – RADIUS Server (NPS/IAS)
  • Logical Port – Logical endpoint between the station and the WAP

802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:

  • EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart cards, or credentials.
  • EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method.
  • EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication.
  • PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.

When selecting the authentication mechanism, you need to balance between the levels of security required with the effort required for deployment. For the highest level of security, choose PEAP with certificates (EAP-TLS). For the greatest ease of deployment, choose PEAP with passwords (EAP-MS-CHAP v2).

Now let’s move on to the main topic. In order to create an infrastructure for authentication, authorization, and accounting for protected wireless connections for an organization using Windows wireless clients, the following steps need to be completed:

  1. Configure the certificate infrastructure.
  2. Configure Active Directory for accounts and groups.
  3. Configure the wireless Access Point.
  4. Configure the NPS server on a computer.
  5. Configure Wireless Network (IEEE 802.11) Policies Group Policy settings.
  6. Configure wireless clients for EAP-TLS or PEAP-TLS.

Step 1: Configuring the Certificate Infrastructure

Let’s first understand certificates requirements for the different types of protected wireless authentication.

Authentication Type

Certificates on Wireless Client

Certificates on NPS Server

EAP-TLS or PEAP-TLS

Computer certificates

User certificates

Root CA certificates for issuers of NPS server computer certificates

Computer certificates

Root CA certificates for issuers of wireless client computer and user certificates

PEAP-MS-CHAP v2

Root CA certificates for issuers of NPS server computer certificates

Computer certificates

Regardless of which authentication method used for wireless connections, computer certificates must be installed on the NPS servers.

For PEAP-MS-CHAP v2, there is no need to deploy a certificate infrastructure to issue computer and user certificates for each wireless client computer. Instead, you can obtain individual certificates for each NPS server from a commercial CA and install them on the NPS servers.

For computer authentication with EAP-TLS or PEAP-TLS, a computer certificate, also known as a machine certificate, must be installed on each wireless client computer. For user authentication with EAP-TLS or PEAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

In order to create Certificate Infrastructure, follow the below steps:

· Install a Certificate Infrastructure

· Install Computer Certificates

· Install User Certificates

Step 2: Configuring Active Directory for Accounts and Groups

Once the Certificate Infrastructure is ready, you need to configure AD accounts and groups.To configure Active Directory user and computer accounts and groups for wireless access, do the following:

· Create a USER account for all users who would make wireless connections.

· Create a COMPUTER account for all computers that would use wireless connections.

· Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote  Access Policy) as shown below: 

clip_image001

Step 3: Configuring the Wireless Access Point

The next step is to deploy the wireless Access Point. The AP needs to be configured to support WPA, WPA2, or WEP encryption with 802.1X authentication. Additionally, configure RADIUS settings on your wireless AP switches with the following:

· The IP address or name of the RADIUS server

· The RADIUS shared secret

· UDP ports for authentication and accounting, and failure detection settings.

If the wireless APs require vendor specific attributes (VSAs) or additional RADIUS attributes, you must add the VSAs or attributes to the remote access policies of the IAS/NPS servers.

Step 4: Configuring the NPS Server

Now the RADIUS Server needs to be configured. The steps needed are:

· Install the NPS server role on the server.

· Install the Certificate on the NPS.

· Add the access point as a RADIUS Client.

· Create the connection request policies and network policies required.

· The NPS server requires a certificate. You can use the RAS and IAS certificate template to create a new template to use for NPS servers. The link below discusses configuring this template and enabling it for auto-enrollment:

PS Server Certificate: Configure the Template and Autoenrollment

We can follow the blog given below to install and Configure the NPS:

http://blogs.technet.com/b/rrasblog/archive/2009/03/25/remote-access-deployment-part-3-configuring-radius-server-for-remote-access.aspx

Step 5: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings

To configure Wireless Network Policies Group Policy settings, do the following:

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, double-click Active Directory Users and Computers, right-click the domain container that contains your wireless computer accounts, and then click Properties.

3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy), and then click Edit.

4. In the console tree, open Computer Configuration, then Windows Settings, then Security Settings, then Wireless Network (IEEE 802.11) Policies.

clip_image002

5. Right-click Wireless Network (IEEE 802.11) Policies and then click Create Wireless Network Policy. In the Wireless Network Policy Wizard, type a name and description.

6. In the details pane, double-click your newly created wireless network policy.

7. Change settings on the General tab as needed.

clip_image003

8.  Click Add to add a preferred network.

9. On the Network Properties tab, type the wireless network name (SSID) and change wireless network key settings as needed.

clip_image004

10. Click the IEEE 802.1x tab. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. Click OK twice to save changes.

clip_image005

Step 6: Configuring Wireless Clients Authentication

If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. If the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain requests a computer certificate when Computer Configuration Group Policy is refreshed. To force a refresh of Computer Configuration Group Policy for a computer running Windows 7, Windows XP, or Windows Server 2003, restart the computer or type gpupdate /target:computer at a command prompt.

For user authentication with EAP-TLS, a locally installed user certificate or a smart card must be used. The locally installed user certificate must be obtained through autoenrollment, Web enrollment, by requesting the certificate using the Certificates snap-in, by importing a certificate file, or by running a CAPICOM program or script.

If you have configured autoenrollment of user certificates, then the wireless user must update their User Configuration Group Policy to obtain a user certificate. If you are not using autoenrollment for user certificates, use one of the following procedures to obtain a user certificate:

If you have configured settings for the Wireless Network (IEEE 802.11) Policies Group Policy extension and specified the authentication type wireless network, no other configuration is needed for wireless.

If you are not using GPO, you can manually configure the authentication on a wireless client running Windows 7, using the  following steps:

1. From the Network and Sharing Center, click the Manage wireless networks task. In the Manage Wireless Networks window, double-click your wireless network name.

2. Click the Security tab. In Security type, select 802.1x, WPA-Enterprise, or WPA2-Enterprise. In Choose a network authentication method, from the drop down and then click Settings.

clip_image006

3. If using EAP-TLS or PEAP-TLS under the Smart Card or other Certificate Properties dialog box, select Use a certificate on this computer to use a registry-based user certificate or Use my smart card for a smart card-based user certificate.

If you want to validate the computer certificate of the NPS server, select Validate server certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect to these servers and type the names.

clip_image007

clip_image008

4. Click OK twice.

To summarize, for EAP-TLS or PEAP-TLS, you need to have a certificate infrastructure to issue computer certificates to your NPS servers and both computer and user certificates to your wireless client computers. For PEAP-MS-CHAP v2, you only need to install computer certificates on the NPS servers, provided that the appropriate root CA certificates are already installed on the wireless clients. You will need to manage Active Directory users and groups for wireless access, configure NPS servers as RADIUS servers to the wireless APs, and configure the wireless APs as RADIUS clients to the IAS servers.

- Prachand Kumar

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Just wanted to say, this isn't really a well written article.

    I read a lot of the articles on this blog, and most of them are a) professionally written, b) accurate, and c) also provide end-to-end solution. In end-to-end I mean it guides me through all the step from the beginning till the desired result is achieved, and they are made in clear descriptive way. But they are definitely not written in the form of just throwing you a list outdated technet articles, so you should "..go on and read them, I am not gonna waste my time here to explain all these things to you!"

    However, this particular post is like stealing (or "borrowing" if you say I am too harsh here) from unrelated technet articles, without proper explanations why each step or technet link is needed in the process of achieving secure 802.1x wireless infrastructure.

    In order to justify my statement, let me highlight the issues in this article:

    Step 1: Configuring the Certificate Infrastructure -> EAP-TLS -> "Certificates on wireless client": it says "computer certificates, user certificates, Root CA".

    I know how PKI works, so its clear to me that the Root CA is a must here, out of question. But what is the relation between the computer and user certificate in this list?  "AND" or "OR"? The bottom part of the article talks about autoenrollment of domain-based computer certificates and certificates issued to the user. However, the PEAP-Tls CAN work with either user or computer certificate, it does not enforce both. This is not indicated in this article properly. The referenced NPS configuration Technet article in "Step 4: Configuring the NPS Server" does not specify the explicit use of user or computer certificate, so why should we say at the beginning that we must have both?

    Also, "Root CA certificates for issuers of NPS server computer certificates" is an incomplete statement, as the "Root CA certificates for issuers of wireless client computer and user certificates" must also be present on the wireless client, otherwise the client wont trust the user/computer certificate.

    Next issue (still in the same table): Certificates on NPS Server --> Computer certificates: this is incorrect terminology! On the NPS server actually a "Server"-type certificate must be present. Sounds like a minor difference, right? Its not! A server certificate in the Microsoft terminology is a certificate, that has the "Server Authentication" Enhanced Key Usage EKU, opposed to what the Microsoft terminology calls as "computer" certificate, which is a certificate with the "Client Authentication" EKU. Significant difference!

    Next issue: PEAP-MS-CHAP v2 -> Certificates on the NPS server -> only the computer certificate is listed here (which is the incorrect terminology, as explained above). But what about the Root CA cert that issued the "server" certificate for NPS? It must be listed in the table as well, thats out of question.

  • Next issue: guidelines provided for installing PKI:  "Install a Certificate Infrastructure", "Install Computer Certificates", "Install User Certificates".

    All these links point to obsolete Windows Server 2003 Certificate Services guides.

    This article was published on the 30th May 2012, so what is the reason of recommending guidelines based on 9 year old technology, if Windows Server 2008 and Windows Server 2008 R2-based

    Certification Authority is also available, and the NPS itself is also a Windows Server 2008+ based technology. It does not make sense to use the most recent version of the Radius-role of Microsoft (the

    NPS server), while referring to the CA, based on Windows Server 2003.

    The recommendation in installing computer and user certificates are also misleading! The Windows Server 2008/2008 R2 guides (I even specify the document title, you can look for it: Windows Server

    2008 R2 Core Network Companion Guide: Deploying Computer and User Certificates)

    recommends duplicating templates (the result is a Version2 or v3 certificate template), that needs different GPO solution to activate auto-enrollment.

    (just as a reference for the benefit of the readers: V1 template needs "Automatic Certificate Request Settings" GPO setting, V2 template needs "Certificate Services Client - Auto-Enrollment" GPO setting)

  • Nex issue: Step 2: Configuring Active Directory for Accounts and Groups

    "Create a USER account for all users who would make wireless connections", "Create a COMPUTER account for all computers that would use wireless connections"

    "Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote  Access Policy) as shown below"

    Why do I need to create a computer account and A user account? The whole article does not say a word, about what I need this particular computer and user account for.

    Why do I need to set the Dial-in parameter? The whole article does not say a word, why do I need to configure this attribute for the computer and user account. The default NPS 802.1x wired/wireless connection wizard sets

    the rule to "Grant" and enables the option "Ignore user dial-in properties". So it seems to me the account dial-in config will be ignored in anyway, why to configure then?

    At a later stage, there is again a bunch of technet articles thrown into my face, how to configure and install NPS. However in those technet URLs, they set up network policies based on GROUPS and not accounts. Yet another

    sign, that if you refer to the work of others, at least read them before using them in your own article.

    Next issue: Step 4: Configuring the NPS Server -> The NPS server requires a certificate. You can use the RAS and IAS certificate template to create a new template to use for NPS servers. The link below discusses configuring this template and enabling it for auto-enrollment: PS Server Certificate: Configure the Template and Autoenrollment

    This URL goes to the certificate template duplication solution, and not the Windows 2003 CA solution, so again: there is no cohesion between the instructions for computer/user certificate autoenrollment, and NPS server certificate autoenrollment. If you "borrow" similar topics from others, borrow from the same guy, so similar topics borrowed will all look the same.

  • Next issue: Step 5: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings --> "10. Click the IEEE 802.1x tab. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. Click OK twice to save changes."

    The screenshot actually shows a scrolled-down list of Authentication modes, and does not give indication which option I should choose (User-or-Computer Authentication / Comp. auth only/ User auth only/ Guest auth)?

    Step 6: Configuring Wireless Clients Authentication

    "If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. "

    No, I dont need! I can, but I dont need! There was no explanation at the beginning of this article, if computer OR user OR computer+user authentication is the desired result, so just plainly stating that you NEED both, in pure unprofessionalism.

    I'm finishing my review here, the article basically is not that bad, but we are talking here about PKI, certificates, NPS, all kind of stuff that does not allow any kind of chance for misunderstanding. I would recommend to pull this article back, and fix it properly!

  • Thanks Prachand, thanks Richard!