
Secure Your Wireless Network With WPA2-EAP


I have been reading a bit about wireless security over the past week, as it is part of the 70-642 MCTS exam “Configuring Windows 2008 Network Infrastructure” that I am currently studying (I will be sitting the exam in the next week or two, so subscribe to my RSS feed so you don’t miss out on some inside tips!!!). We are currently running a wireless infrastructure with Cisco 1200 Access Points, a Windows 2003 RADIUS server and 128-bit WEP encryption (keys auto-rotated every hour), with auto-enrolled certificates from our Windows 2003 CA for authentication. This has been working pretty well, but WPA2, an updated version of WPA that comes in two flavours, WPA2-PSK and WPA2-EAP, offers improved security and better protection from attacks. If all your clients support WPA2-EAP then it should be your first choice.

To kick things off, you first need a PKI infrastructure with autoenrollment enabled, so that all your wireless clients obtain the correct certificates for the authentication process.

1. Install the Active Directory Certificate Services (ADCS) role on the server, using the default settings.

2. Next, open the Group Policy Management Console and either edit an existing policy or create a new one to apply the wireless settings to your clients. The section we want is Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. In the details pane, right click Certificate Services Client – Autoenrollment and select Properties. In the Properties dialog box select Enabled from the drop down box; ticking the other boxes is optional.

Let’s now install and configure the RADIUS server to handle the authentication. Install the Network Policy and Access Services role. Once installed, navigate to the NPS node in Server Manager, under Roles\Network Policy and Access Services.

1. In the details pane, from the drop down list under Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections and click the Configure 802.1X link.

2. Select the top radio button, “Secure Wireless Connections”, and click Next.

3. On the Specify 802.1X Switches page, add your wireless access points as RADIUS clients. You need to do this for each access point you have. When you click the Add button, fill out the Friendly Name and IP Address. For the Shared Secret you can either enter one manually or have one generated (which will then need to be entered into the APs). Once all APs have been entered, click Next.

4. Next, configure an authentication method. From the drop down list select the method you want to use. We were using Smart Card or Other Certificate, and I wanted to change to Microsoft: Protected EAP (PEAP).

NOTE: This method requires a computer certificate on the RADIUS server and either a computer or user certificate on the client machine. The best way to do this is to use a domain PKI, see above.

5. Select the groups you would like to give wireless access to.

6. Next, configure VLAN settings. You can use these to restrict wireless users to specific network resources. Then click Finish.

7. You then need to register the server with Active Directory. Right click the NPS node and select Register Server in Active Directory.
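The per-access-point RADIUS client step above can be scripted instead of clicked through. This is an added example, not code from the original post: it registers each AP with the netsh nps context that ships with the NPS role and generates a distinct random shared secret per AP. The AP names and addresses are placeholders, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: register access points as NPS RADIUS clients, one random
# shared secret per AP. AP names/addresses below are placeholders.
$accessPoints = @(
    @{ Name = 'AP-Floor1'; Address = '192.0.2.11' },   # placeholder entries
    @{ Name = 'AP-Floor2'; Address = '192.0.2.12' }
)

function New-RadiusSharedSecret {
    # Builds a secret from letters and digits using the CSP-backed RNG.
    # Bytes >= 248 are discarded so every alphabet character is equally likely
    # (256 mod 62 = 8, so 248..255 would otherwise bias the first 8 characters).
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    $chars  = New-Object System.Collections.Generic.List[char]
    $limit  = 256 - (256 % $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            $chars.Add($alphabet[$buffer[0] % $alphabet.Length])
        }
    }
    return -join $chars
}

$registered = foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    # netsh nps add client takes name, address, state and sharedsecret parameters.
    $output = & netsh nps add client name="$($ap.Name)" address="$($ap.Address)" `
                state="ENABLE" sharedsecret="$secret" 2>&1
    [pscustomobject]@{
        Name    = $ap.Name
        Address = $ap.Address
        Secret  = $secret      # must be entered on the AP; record it securely
        Result  = ($output | Out-String).Trim()
    }
}

$registered | Format-Table -AutoSize
```

The secrets are shown once so they can be entered into each AP; clear the console afterwards rather than leaving them on screen.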

Configure Wireless Clients to Connect Automatically

1. There are a couple of Group Policy settings that you will need to adjust here to get your wireless clients to connect to your network automatically. Open your Group Policy Management Console, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11), right click it and select Create A New XP Policy. If you have both XP and Vista clients you still want this option, because when there is no Vista policy, Vista clients will use the XP one.

2. Give the policy a name and description and then click the Preferred Networks tab. Click the Add button and select Infrastructure.

3. Enter the SSID of your wireless network, then from the Authentication drop down box select WPA2 and from the Encryption drop down box select TKIP.

4. Then click on the IEEE 802.1X tab, leave the EAP Type as PEAP and under Authentication Mode select Computer Only. This means that the authentication will take place before the computer gets to the login screen. This is what I wanted.

Auto Enrolling Computer Certificates Via Group Policy

The process above regarding the PKI infrastructure will auto-enroll the root certificate. But we also need to auto-enroll a computer certificate, which can be done like this.

1. Open up your Group Policy Management Console and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings.

2. Right click in the details pane and select New > Automatic Certificate Request.

3. This will open a wizard in which you can select the Computer certificate template.

Now do a policy update on your client machines and they SHOULD automatically connect to your newly secured wireless network.
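Before trusting that a client will connect, it is worth checking that each piece above actually arrived. This is an added example, not code from the original post: run on a domain-joined client after the policy update, it checks for the auto-enrolled computer certificate, that it chains to a trusted root, that the pushed wireless profile is WPA2-Enterprise and set to connect automatically, and that the WLAN AutoConfig service is running. The SSID is a placeholder, and the profile parsing assumes netsh prints English labels.

```powershell
# Added example: client-side checks for the WPA2-EAP/PEAP setup described above.
param([string]$Ssid = 'CorpWiFi')   # placeholder SSID, replace with your own

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU
$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Auto-enrolled computer certificate: private key, unexpired, Client Auth EKU.
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthEku } |
    Select-Object -First 1
Add-Check 'Computer certificate present' ($null -ne $machineCert) `
    $(if ($machineCert) { $machineCert.Subject } else { 'none in LocalMachine\My' })

# 2. The certificate must chain to the root CA the PKI policy auto-enrolled.
$chainOk = $false
if ($machineCert) { $chainOk = $machineCert.Verify() }
Add-Check 'Chain builds to trusted root' $chainOk $(if ($machineCert) { $machineCert.Issuer } else { 'n/a' })

# 3. Wireless profile pushed by the 802.11 policy (labels are English-locale netsh output).
$profileText = & netsh wlan show profile name="$Ssid" 2>&1 | Out-String
$auth   = if ($profileText -match 'Authentication\s*:\s*(.+)')  { $Matches[1].Trim() } else { 'profile not found' }
$cipher = if ($profileText -match 'Cipher\s*:\s*(.+)')          { $Matches[1].Trim() } else { '' }
$mode   = if ($profileText -match 'Connection mode\s*:\s*(.+)') { $Matches[1].Trim() } else { '' }
Add-Check 'Profile uses WPA2-Enterprise' ($auth -like 'WPA2-Enterprise*') "$auth / $cipher"
Add-Check 'Profile connects automatically' ($mode -like '*automatically*') $mode
# The post selects TKIP; WPA2 with AES (CCMP) is the stronger cipher where the APs support it.
Add-Check 'Cipher is AES (CCMP)' ($cipher -match 'CCMP|AES') $cipher

# 4. WLAN AutoConfig must be running for the policy profile to be applied at all.
$svc = Get-Service -Name wlansvc -ErrorAction SilentlyContinue
Add-Check 'WLAN AutoConfig running' ([bool]$svc -and $svc.Status -eq 'Running') "$($svc.Status)"

$checks | Format-Table -AutoSize
```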

Hope this helps you out. Cheers

Daniel
Securing My Wireless Network
