project: d.r.e.a.m

Configuring 802.1x EAP-PEAP using cisco access points and windows 2003

Prerequisites

• General understanding of wireless and wired networking
• Basic understanding of 802.1x and EAP, see wikipedia and google
• Good Knowledge of Windows XP, 2003
• A patched XP SP2 machine with a WPA-capable Wireless Card
• A patched Windows Server 2003 with IAS installed
• An access point supporting WPA and 802.1x (I used cisco 1121G and 1130AG)

Why EAP-PEAP?

EAP-PEAP is the best compromise between security, complexity and ease of implementability. We thought about switching from WPA-PSK to a more secure alternative, and our first choice was EAP-TLS. However, EAP-TLS has several drawbacks:

• For full functionality, you need Windows Server 2003 Enterprise, because you can't auto-enroll user certificates with Windows Server 2003 Standard. The alternative would be to change the authmode registry key on all clients (no GPO for that one).
• Having non-domain computers (like Macs, or private machines) join the wireless network requires either a second SSID with WPA-PSK, or a lot of work

EAP-PEAP doesn't have these drawbacks. EAP-PEAP works by using the machine account, or the domain user account, or manually entered credentials (which allows Macs, Linux or non-domain computers to join the wireless lan)

EAP can work together with WPA/TKIP, WEP, and WPA2/AES. I've never got the last combination to work properly, so we're working with WPA/TKIP for now.

There are other ways to secure a wireless lan, like LEAP, which is a proprietary cisco protocoll, and of course a varierty of PSK variants.

Important facts

Common pitfalls for those new to 802.1x. At least those things i didn't know.

• 802.1x consists of three involved parties:
  
  • Client (aka Supplicant)
  • Access Point, Switch (aka Authenticator)
  • IAS (aka Authentication Server)
• Authentication is configured on the authentication server, not on the access point
• RADIUS uses UDP, not TCP

Configuring EAP

Create a working PKI infrastructure

You will need a certificate on your server (but not on your clients). But your clients need to accept the CA certificate that signed your server certificate. If you already have AD working, you most probably have got this infrustructure already. Otherwise, see the documentation readily available on the internet

Configuring IAS (Internet Authentication Server)

IAS is the RADIUS Component of Windows Server 2003. It includes the most horrible logging i've ever seen, so don't attempt to read the logs without a tool like IAS Viewer.

There are several things we need to do with IAS:

• Add a RADIUS client, which consists of an IP address and a shared secret
• Create an appropiate RAS policy, which defines the authentication method to be used

Adding the radius client is simple. It needs a shared secret, and the ip address of the client. This shouldn't be a problem, but here's a screenshot anyway:

Creating the RAS policy is a bit more complicated. But it's still possible to use the assistant provided to configure EAP-PEAP. Here are some screenshots:





A rather important step. Make sure to choose the right server certificate.


Make sure to allow access. Otherwise all authentications will fail.

Configuring the access point

The simplest step. You will just need to specify the IP of your IAS/RADIUS server, and supply the shared secret. You will need to enable 802.1x/EAP. This differs from AP to AP, and is usally very straightforward. Remember, all authentication details were already configured on the IAS.

Configuring the clients

You can configure your clients using group policy. This makes it very straightforward to switch even a large number of laptops to the new authentication standard. Here are some more screenshots: