5-Minute Security Advisor - Deploying 802.1X With Windows XP
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
In previous 5-Minute Advisor articles, you've learned about the flaws in 802.11 encryption and authentication. The common theme in those articles was a little depressing: the 802.11 WLAN protocol isn't very secure, and there's not much you can do about it. Fortunately, the IEEE 802.1x standard, developed with input from Microsoft, Cisco, and other industry leaders, addresses exactly the gaps those articles described. 802.1x is a port-based network access control mechanism that applies to ordinary wired LANs as well as wireless LANs (WLANs); by itself it doesn't encrypt anything, but it adds strong per-user (or per-machine) authentication and a way to deliver fresh per-session keys to the station and the access point. You can deploy 802.1x by using a combination of Windows 2000 or Windows Server 2003 domain controllers and Windows XP clients.
How 802.1x Works
802.1x implements port-based access controls. In the case of a WLAN, a port is just the association between an access point (AP) and a station. Every physical port in 802.1x-land is split into two logical ports: an uncontrolled port and a controlled port. The uncontrolled port is always open, but it passes only authentication traffic (EAP over LAN, or EAPOL, frames); a station can use it to talk to the authenticator and to nothing else. The controlled port carries everything else, and it stays closed until the station has been authenticated. You can probably see where this is going: any client can associate and exchange authentication messages over the uncontrolled port, but its ordinary traffic is dropped until authentication succeeds, at which point the controlled port opens and the station is allowed onto the network. The magic of 802.1x is that the two ports are logical entities that share the same physical network port, so the same radio (or switch port) enforces both states.
With regard to authentication, 802.1x defines three roles for network devices. A supplicant is a device (such as a laptop with an 802.11b card in it) that requests access to network resources. An authenticator is the device at the other end of the port (here, the wireless AP) that relays the supplicant's authentication exchange and opens or closes the controlled port according to the result. The authentication server is the device that actually verifies the credentials and decides whether or not to grant access. An AP could play both of the latter roles itself; however, it's much more flexible to use the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol, which is conveniently included with Windows 2000 as the Internet Authentication Service (IAS). With RADIUS, the AP accepts the authentication request and proxies it to a RADIUS server, which authenticates the user against Active Directory.
802.1x doesn't rely on Wired Equivalent Privacy (WEP) keys for authentication; instead, it carries the industry-standard Extensible Authentication Protocol (EAP). The key advantage of EAP is that it's a framework rather than a single method: the supplicant and the authentication server agree on which EAP method (EAP type) to use. Windows XP's default EAP type is EAP-TLS (EAP-Transport Layer Security), in which the station and the server authenticate each other with digital certificates in a TLS handshake (TLS is a close relative of the familiar SSL), and the keying material derived from that handshake becomes the session key for the wireless link. A newer method, Protected EAP (PEAP), first builds a TLS tunnel authenticated by the server's certificate alone and then runs a second, simpler method inside it (with Windows XP, MS-CHAP v2 with the user's domain password), so the client doesn't need a certificate of its own. The overall flow of the authentication process looks like this:
The wireless station associates with the AP. Because the station hasn't authenticated yet, only the uncontrolled port is available to it; the controlled port stays closed. The AP starts the exchange by sending the station an EAP-Request/Identity message in the clear.
The station responds with an EAP-Response/Identity message naming the account it wants to use.
The AP, acting as authenticator, wraps the identity response in a RADIUS Access-Request and forwards it to the authentication server over the wired LAN.
The RADIUS server looks up the specified account and decides what kind of credential is required (for example, you might have configured your RADIUS server to accept only digital certificates). That decision comes back as a RADIUS Access-Challenge carrying an EAP request for that credential, which the AP relays to the station.
The station sends its credentials over the uncontrolled port on the AP, which relays them to the RADIUS server the same way. (For EAP-TLS this is really several round trips, one per leg of the TLS handshake.)
The RADIUS server validates the credentials. If they pass, it returns a RADIUS Access-Accept that carries the session key derived from the EAP exchange (the station derived the same key on its side). The key is encrypted under the RADIUS shared secret that only the AP and the server know, so an eavesdropper on the wired LAN between them can't read it.
The AP decrypts the session key and uses it to protect an EAPOL-Key message to the station carrying a fresh per-station (unicast) WEP key and the global (broadcast/multicast) key that the AP shares with all of its stations. Because the station already holds the same session key, it's the only device that can recover them.
At periodic intervals, the AP can generate new keys and send them to the clients the same way, which also lets it refresh the global key when a station leaves. This neatly resolves the 802.11 problem of a long-lived, fixed WEP key that attackers can recover after collecting enough traffic encrypted under it: as long as the re-key interval is short, no single key protects enough frames for the known attacks to work. Note that 802.1x fixes key distribution, not the WEP cipher itself, so keep the interval short.
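The exchange above, as an added example that is not part of the original article and is neither Microsoft's nor the IEEE's code: a Python model of one station authenticating through an AP to a RADIUS server. The station, AP and RADIUS classes, the account table standing in for Active Directory, and the password check standing in for the EAP-TLS handshake are constructed simplifications. The key wrapping in `mppe_encrypt`/`mppe_decrypt`, however, follows RFC 2548 (the MS-MPPE-Recv-Key attribute), which is the real mechanism that keeps the session key readable only by the AP that sent the matching Access-Request. The EAPOL-Key delivery of WEP keys to the station is not modelled.

```python
import hashlib
import secrets


def mppe_encrypt(secret: bytes, request_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """Wrap a session key the way RFC 2548 (MS-MPPE-Recv-Key) does in RADIUS.

    b(1) = MD5(secret || Request-Authenticator || salt), c(1) = p(1) XOR b(1)
    b(i) = MD5(secret || c(i-1)),                        c(i) = p(i) XOR b(i)
    Only a party holding the shared secret *and* the Request Authenticator of
    the matching Access-Request can undo this, so an eavesdropper on the wired
    LAN between AP and RADIUS server learns nothing about the key.
    """
    assert len(request_auth) == 16 and len(salt) == 2 and salt[0] & 0x80
    plain = bytes([len(key)]) + key                 # one-byte length prefix
    plain += b"\x00" * (-len(plain) % 16)           # pad to 16-byte blocks
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out, prev = out + c, c
    return out


def mppe_decrypt(secret: bytes, request_auth: bytes, salt: bytes, wrapped: bytes) -> bytes:
    """Inverse of mppe_encrypt. Raises ValueError when the length byte is
    nonsense, the usual symptom of a mismatched RADIUS shared secret."""
    plain, prev = b"", request_auth + salt
    for i in range(0, len(wrapped), 16):
        c = wrapped[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length; wrong RADIUS shared secret?")
    return plain[1:1 + n]


class RadiusServer:
    """Authentication server. The account table stands in for Active Directory
    and a password stands in for the EAP-TLS certificate exchange (constructed)."""

    def __init__(self, secret: bytes, accounts: dict):
        self.secret, self.accounts = secret, accounts

    def access_request(self, request_auth: bytes, identity: str, credential=None):
        if identity not in self.accounts:
            return "Access-Reject", None
        if credential is None:                      # first pass: ask for the credential
            return "Access-Challenge", "credential required"
        if not secrets.compare_digest(credential, self.accounts[identity]):
            return "Access-Reject", None
        session_key = secrets.token_bytes(32)       # in EAP-TLS, derived from the handshake
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
        return "Access-Accept", (salt, mppe_encrypt(self.secret, request_auth, salt, session_key))


class AccessPoint:
    """Authenticator: one physical port per station, split into two logical ports."""

    def __init__(self, secret: bytes, radius: RadiusServer):
        self.secret, self.radius = secret, radius
        self.session_keys = {}                      # station -> key; controlled port open

    def eapol(self, station: str, identity: str, credential=None) -> str:
        """Uncontrolled port: EAPOL frames are always relayed to RADIUS."""
        request_auth = secrets.token_bytes(16)      # fresh Request Authenticator per request
        code, body = self.radius.access_request(request_auth, identity, credential)
        if code == "Access-Accept":
            salt, wrapped = body
            self.session_keys[station] = mppe_decrypt(self.secret, request_auth, salt, wrapped)
        return code

    def data(self, station: str, frame: bytes) -> str:
        """Controlled port: closed until an Access-Accept has been seen for the station."""
        return "FORWARD" if station in self.session_keys else "DROP"


def demo() -> list:
    """Walk one station through the flow; returns the AP's decisions in order."""
    shared_secret = b"ap-and-ias-shared-secret"                     # constructed
    radius = RadiusServer(shared_secret, {"alice@corp.example": b"alice-credential"})
    ap = AccessPoint(shared_secret, radius)
    sta = "00:11:22:33:44:55"                                       # constructed station MAC
    return [
        ap.data(sta, b"DHCP Discover"),                              # DROP: not authenticated
        ap.eapol(sta, "alice@corp.example"),                         # Access-Challenge
        ap.eapol(sta, "mallory@corp.example", b"guess"),             # Access-Reject
        ap.data(sta, b"DHCP Discover"),                              # still DROP
        ap.eapol(sta, "alice@corp.example", b"alice-credential"),    # Access-Accept, key unwrapped
        ap.data(sta, b"DHCP Discover"),                              # FORWARD
    ]


if __name__ == "__main__":
    print(demo())
```

Run it with `python3` and the printed list shows the same DHCP frame dropped twice and forwarded only after the Access-Accept. Call `mppe_decrypt` with the wrong secret and you get a ValueError or garbage, never the key, which is the property the flow depends on.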
Configuring 802.1x on the Client
Configuring the 802.1x client included with Windows XP is easy; I'll outline the basic steps here, but a more detailed description is available if you need it.
Open the Network Connections folder, then right-click the connection for which you want to use 802.1x and choose the Properties command.
Switch to the Wireless Networks tab, then select the WLAN connection with which you want to use 802.1x. Click the Configure button.
In the Wireless Network properties dialog box, switch to the Authentication tab.
Make sure that the "Enable IEEE 802.1x authentication for this network" check box is selected, then choose the appropriate EAP type. Generally, enterprise networks will use EAP-TLS with smartcards or locally stored certificates, and small networks will use PEAP (which appears as a choice only if you've installed Windows XP Service Pack 1). If you choose PEAP, click Properties and leave "Validate server certificate" selected; without it, the client will run its MS-CHAP v2 exchange with any AP that claims to be yours.
Deploying 802.1x for Small Networks
If you have a small network, you might think that all this 802.1x stuff is just gibberish. The good news is that you can still deploy 802.1x without having a complete public-key infrastructure and without expending a lot of effort. A separate article describes exactly what you need to do; in brief, you'll need to set your Windows XP SP1 or later clients to use PEAP, then set up at least one machine running the Windows Internet Authentication Service (IAS), which provides RADIUS connectivity. Each IAS server needs a digital certificate, either issued by your own CA or purchased from a third-party certification authority (CA), and your clients must trust the CA that issued it: that server certificate is the only thing standing between a PEAP client and a rogue AP that wants to harvest password exchanges, so don't turn off validation on the client. That's it. Of course, you have to set up IAS in the first place, but that's easy: register it in Active Directory, add each AP as a RADIUS client with its own shared secret, and create a remote access policy that matches wireless connections and requires PEAP.
Deploying 802.1x for Large Enterprises
If you're using a Windows 2000-based network with at least one domain controller, you can set up a more flexible and powerful 802.1x infrastructure by taking advantage of Active Directory and Windows 2000's support for remote access policies. The first step is to obtain digital certificates for your clients. Fortunately, you can easily obtain these certificates from an enterprise CA by creating a group policy that automatically requests machine certificates for the machines in your domain; with a machine certificate, a computer can authenticate to the WLAN with EAP-TLS before any user logs on, which is what lets group policy and logon scripts work over wireless. Once that's done, you can deploy the rest of the required infrastructure (including IAS, with a remote access policy that limits wireless access to the computers and users you intend), configure your wireless APs to use RADIUS to talk to the IAS servers, and relax, secure in the knowledge that your WLAN traffic is properly protected.