Wireless Networking in Windows 2003
Service Pack 1
Enhancements for Wireless Networking
The enhancements that SP1 provide for Wireless LANS are of great benefit to enterprise wide networks. Without SP1 on Windows Server 2003, the WPA security method isn’t supported and therefore cannot be implemented – which is no longer an issue with Service Pack 1. Apart from addressing the weaknesses that the original Windows Server 2003 has, SP1 makes it easier to deploy secure large scale wireless LANS. Additionally, administrators are now able to give the users of wireless clients - with Windows XP SP2 - a choice of pre-approved digital certificates and signing authorities. This means they would only be allowed to install certificates for the network that the administrator has previously acknowledged, making them less prone to man in the middle attacks.
The Active Directory Group Policy console allows for centralized management of the Wireless Zero Configuration client which makes it easier and faster to connect wireless client to a secure network. WPA TKIP and AES encryption settings can now be configured and any wireless client with Windows XP Service Pack 2, or Service Pack 1 and the WPA patch, can be centrally configured to use the more secure WPA TKIP or AES methods to connect to the wireless LAN.
Wireless Setup Wizard
As did Windows XP SP2, Windows 2003 SP1 comes with a Wireless Network Wizard that will help you to configure secure wireless networks. Configuration settings can be stored on removable media (such as a USB pen drive) and then copied over to other machines.
PEAP Authentication Scheme
The LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS (Transport Layer Security) authentication scheme introduced by Cisco in later versions of their firmware belonging to the Aironet access point product range. This protocol lacks point to point protection which leaves it open to dictionary attacks at the credentials authentication stage. With the inauguration of PEAP (Protected Extensible Authentication Protocol) authentication in the IAS (Internet Authentication Service) component of Windows Server 2003, these weaknesses are addressed. Furthermore, a server-side digital certificate is able to support many clients single handedly – without the use of an installed certificate on the client-side.
Wireless Provisioning Services
This new technology makes it easier for mobile workers to connect to hotspots or corporate LANS by eliminating the need for manual configuration of the network connection. Enterprises can better manage guest access on their network and provide payment plans such as pay-per-use or monthly Internet access to customers.
Securing Wireless in Windows 2003
When configured incorrectly, wireless connections are probably one of the most vulnerable points of a network. A simple password based authentication method is not enough, especially over a wireless connection. By means of the Internet Authentication Service in Windows 2003, Administrators are able to setup 802.1X based secure network.
In order to take advantage of the 802.1X in Windows 2003, you will require the use of the following services:
- DHCP and DNS
- Active Directory Service
- RADIUS Server (Internet Authentication Service)
- Certificate based infrastructure (referred to as PKI – Public Key Infrastructure)
I will cover the following steps and show you how to setup an 802.1X based security structure using the Internet Authentication Service in Windows 2003.
- Configuring your access point
- Windows 2003 Certification Authority
- Windows 2003 Active Directory Service Configuration
- Windows 2003 IAS Configuration
Configuring your access point
Your Access Points must support 802.1X and WEP authentication. If it doesn’t then check for a firmware upgrade before you proceed. 802.1X and RADIUS provide automatic generation of session keys so they will not have to be entered manually into the Access Point. However, some access points do support manual inputting of keys for simulation (testing) purposes.
Firstly, from your access point configuration web interface, you must set which machines act as RADIUS servers on your network. There may be slight variations but the idea is the same - go to the RADIUS servers list from either the ‘Wireless Security’ or ‘Wireless Settings’ panel and add the IP address, port number and shared secret for your RADIUS server connection.
Secondly, from the ‘Wireless Security’ panel go to the 802.1X Security section and enable it, select your required key size and group key re-key settings.
No rekeying - the clients will not have to re-key the password to re-authenticate to the RADIUS server.
Rekeying every X minutes – this refers to the number of minutes before the client will have to re-enter the password.
Rekeying every X packets – this refers to the number of transmitted packets before the client will have to re-enter the password.
Once you do all this you can move on to the next stage of configuring the Certificate Authority on your Windows 2003 Server.
Windows 2003 Certification Authority
The PEAP protocol needs the IAS Server to identify itself to the wireless client before the client passes any encrypted credentials to it. Once the IAS Server has a certificate installed, it gets a private keys which it then uses to decrypt the encrypted credentials sent by the wireless client. The wireless client uses the certificate’s public key to encrypt the username and password.
To install the certification authority console you will have to run the Add/Remove components wizard and select Certificate Services from the list. Keep in mind that to make use of the Web Enrollment Wizard (web interface used to request and generate certificates) you will have to have IIS installed.
Before initiating the installation you will be warned about how changing the machine name or domain membership will invalidate any certificates coming from the CA due to the fact that CA information is stored, and bound, in Active Directory. Make sure you have all the properties of your machine setup properly before you continue.
As part of the installation you will be asked to select the type of CA you want to set up. You have a choice of Enterprise CA, Enterprise Subordinate, Standalone CA and Standalone Subordinate, with Enterprise CA being the most trusted Certificate Authority in the enterprise. Make your choice and follow the wizard to complete the installation.
Once the CA console is installed you will have to Issue a certificate for the computer running IAS. Do this from the web enrollment wizard (which is created automatically when you install Certification Services unless you manually specified for it not to be installed). By default you can logon and request a certificate by opening Internet Explorer and navigating to http://<ip_address>/certsrv
Install user and computer certificates on wireless clients in the same manner as stated above.
Windows 2003 Active Directory Service Configuration
Your next step is to create a group for wireless user and computer accounts in AD. Alternatively you could just create individual users but, it goes without saying that groups are easier to manage. In the properties of the user account, go to the Dial-In properties account and select the “Control Access through Remote Access Policy” option in the Remote Access Permission section.
If “Control Access through Remote Access Policy” is disabled then your current domain functional level is probably set to Windows 2000. To change this, right click the domain name in Active Directory and select Raise Domain Functional Level. Choose Windows 2003 from the drop down list and press Apply. Once AD replication is complete, the “Control Access through Remote Access Policy” will no longer be grayed out.
You must also verify that your IAS Server is a member of the RAD and IAS Server Security Group.
Windows 2003 IAS Configuration
If you haven’t already done so you will have to install the Internet Authentication Service component from Add/Remove programs in the Control Panel. You will find it under Networking Services.
Open the IAS console from the Administrative Tools folder in either the Control Panel or Start Menu programs. Follow these steps:
- Right click the main IAS node and select “Register Server in Active Directory” – this will authorize IAS to read the users’ dial in properties from the domain.
- From the window on the right hand side of the console, right click anywhere and select “New RADIUS Client”. In the first screen, enter a friendly name for the RADIUS Client and also the Access Point IP Address. Press Next.
Now select the client-vendor attribute of the RADIUS client. If you are not using a remote access policy based on the client vendor’s attribute then select RADIUS Standard from the list.
Type the shared secret, as you did when configuring the 802.1X Server on your access point. The IAS Server will only allow user information to be forwarded to it by the AP once the correct shared key has been provided, so make sure that they match.
Once you have pressed Next the new client will show up in the right pane of the IAS Console.
Creating a Wireless Remote Access Policy
Your Next step is to create a Remote Access Policy for wireless access. Right click the Remote Access Policies node in the left hand pane and select New Remote Access Policy to bring up the wizard. Enter a policy name in the given text box and select whether you want to set up the policy manually or via the wizard.
The wizard will do what most Microsoft wizards do; help you to setup a typical scenario yet allowing you to add conditions to it later. You can set user or group access and the authentication method using Protected EAP. Manual configuration will give you the option to set all your conditions straight away and customize the setup to suit your specific needs.
If you select to use the wizard you will be given the option to choose a method of access for the policy. VPN, Dial-Up, Wireless and Ethernet are your typical RADIUS server options. Choose Wireless and press Next. Select whether you want to grant access to a User or Group followed by the EAP type. In the Authentication Method screen choose PEAP as an EAP Authentication Method and press the Configure button if you want to edit which certificate will be issued to identify the server. Press Next and Finish.
In this article I have shown you how Windows Server 2003 Service Pack 1 can help to improve centralized management of clients and provide better security for your wireless network. We also looked at the different steps you have to take in order to deploy the 802.1X security on a Windows 2003 RADIUS Server.