Deploying secure wireles Networks with windows

How This Book Is Structured

Deploying Secure 802.11 Wireless Networks with Microsoft Windows is structured to provide a conceptual overview of not only wireless networking but also all the other components of the authentication infrastructure such as Remote Authentication Dial-In User Service (RADIUS) and certificates. Many companies have not implemented RADIUS or a public key infrastructure (PKI), so this book takes the time to explain them in detail and how they apply to the authentication and authorization of wireless connections. It then describes the steps of deploying secure wireless connections using certificate and password-based authentication in a large organization as well as SOHO and public access wireless networks. Finally, it describes how to troubleshoot wireless problems from the wireless client, the wireless AP, and the authentication infrastructure.

Part I, “Wireless Network Technology and Components,” provides an introduction to the various elements of secure wireless networking. To understand how to deploy and troubleshoot a secure wireless network, you must have an understanding of the underlying technologies and how they work. These technologies include 802.11 wireless LAN networking, wireless security, the various Windows wireless clients, and the elements of the authentication infrastructure. This background is provided in Part I, which includes the following chapters:

Chapter 1, “IEEE 802.11 Overview,” briefly describes the advantages of wireless LAN networking and then describes the IEEE 802.11 standards including 802.11b, 802.11a, and 802.11g; components of wireless networking; and operating modes.

Chapter 2, “Wireless Security,” provides an overview of how authentication, confidentiality (encryption), and data integrity are supported with both the original 802.11 standard and the new Wi-Fi Protected Access (WPA) standard. Authentication with the 802.1X standard is also discussed.

Chapter 3, “Windows Wireless Client Support,” details the support for wireless networks provided in Windows XP (prior to Service Pack 1 [SP1]), Windows XP SP1 and later, Windows Server 2003, and Windows 2000 (with Microsoft 802.1X Authentication Client). The Wireless Zero Configuration (WZC) service and the set of configuration dialog boxes for each operating system are described in detail. This chapter also discusses the manual configuration of wireless settings and the automated configuration using the Wireless Network (IEEE 802.11) Policies Group Policy extension.

Chapter 4, “RADIUS, IAS, and Active Directory,” presents a detailed look at Remote Authentication Dial-In User Service (RADIUS), a protocol and infrastructure for providing authentication, authorization, and accounting for network connections. Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server and proxy. This chapter describes the configuration dialog boxes for IAS global settings, remote access policies, and connection request policies. Finally, this chapter presents an overview of the Active Directory directory service and how user accounts, computer accounts, and groups are used to provide wireless access.

Chapter 5, “EAP,” details the Extensible Authentication Protocol (EAP) and its support in Windows for secure authentication of wireless access. This chapter provides detailed explanations of EAP-Transport Layer Security (EAP- TLS) and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) with their corresponding client and server-side configuration dialog boxes in Windows.

Chapter 6, “Certificates and Public Key Infrastructure,” presents an overview of public key encryption and the role of certificates in providing authentication. This chapter includes discussions of PKI, certification authorities, certification hierarchies, certificate revocation and validation, and how Windows supports certificates using the Certificates snap-in and Certificate Services. This chapter also details the various methods of obtaining a user or computer certificate on a Windows wireless client or an IAS server.

After you understand the basic concepts and components of secure wireless networking, the next step is to begin the planning and deployment of secure wireless connectivity in your organization. Part II, “Wireless Network Deployment,” provides you with the information you need to plan and deploy your secure wireless network solution. Part II includes the following chapters:

Chapter 7, “Wireless AP Placement,” includes wireless LAN design guidelines such as wireless access point (AP) requirements, signal propagation modifiers and sources of interference, and the number of wireless APs needed. This chapter then gives you step-by-step instructions on how to deploy your wireless APs to provide adequate coverage for all desired areas.

Chapter 8, “Intranet Wireless Deployment Using EAP-TLS,” provides detailed step-by-step instructions on how to deploy the authentication infrastructure (PKI, Active Directory, and IAS) and wireless clients for EAP- TLS authentication.

Chapter 9, “Case Study: The Microsoft Wireless Network,” details the history, design and deployment considerations, and phases of the deployment of the wireless network that is in place at the Microsoft Corporation. This chapter also provides details on the authentication infrastructure, including domains, PKI, and IAS RADIUS proxies and servers.

Chapter 10, “Intranet Wireless Deployment Using PEAP-MS-CHAP v2,” provides detailed step-by-step instructions on how to deploy the authentication infrastructure (certificates, Active Directory, and IAS) and wireless clients for PEAP-MS-CHAP v2 authentication.

Chapter 11, “Additional Intranet Wireless Deployment Configurations,” details the following additional wireless configurations: Internet access for business partners, cross-forest authentication, using RADIUS proxies to scale authentications, and using both EAP-TLS and PEAP-MS-CHAP v2 authentication.

Chapter 12, “Secure Wireless Networks for the Home and Small Business,” provides detailed step-by-step instructions on how to deploy a secure wireless network in a SOHO using either infrastructure mode or ad hoc mode, and either Wired Equivalent Privacy (WEP) or WPA.

Chapter 13, “RADIUS Infrastructure for Public Place Deployment,” details the configuration of RADIUS proxies and servers for a wireless Internet service provider (WISP) that is offering public wireless access to its own customers or wireless users that have a benefactor (another telecommunications provider or a private organization).

After you deploy secure wireless networking, you must know how to troubleshoot the common problems with obtaining wireless connectivity. Part III, “Troubleshooting Wireless Networks,” includes the following chapters:

Chapter 14, “Troubleshooting the Windows Wireless Client,” describes the troubleshooting tools available to gather troubleshooting information on a Windows wireless client and provides a discussion of common connectivity and authentication problems that can be solved from the Windows wireless client.

Chapter 15, “Troubleshooting the Wireless AP,” describes the typical troubleshooting tools provided with wireless APs to gather troubleshooting information and discusses common connectivity and authentication problems that can be solved from the wireless AP.

Chapter 16, “Troubleshooting the Authentication Infrastructure,” describes the troubleshooting tools provided with Windows to gather troubleshooting information for IAS and discusses IAS-authentication, certificate-validation, and password-validation problems that can be solved from the authentication infrastructure.

Part IV, “Appendixes,” includes the following:

Appendix A, “Wireless Deployment Best Practices,” is a single location for the best practices for all the elements of a secure wireless deployment, as described in Chapters 1–16.

Appendix B, “Wireless ISPs and Windows Provisioning Services,” is a brief overview of the upcoming Wireless Provisioning Services update for Windows XP wireless clients, which attempts to solve various security, automated configuration, and consistency issues that WISPs and public wireless users now have to face.

Appendix C, “Setting Up Secure Wireless Access in a Test Lab,” provides detailed step-by-step instructions on how to configure secure wireless access using IEEE 802.1X and PEAP-MS-CHAP v2 and EAP-TLS authentication in a test lab using a wireless AP and four computers.

Conventions Used in This Book

Throughout the book, you will find special sections set aside from the main text. These sections draw your attention to topics of special interest and importance or to problems that implementers invariably face during the course of a deployment. These features include the following:

Note This feature is used to underscore the importance of a specific concept or to highlight a special case that might apply only to certain situations.

More Info When additional material is available on a subject, whether in other sections in the book or from outside sources such as Web sites or white papers, the links to these extra sources are provided in the More Info features.

Caution The Caution feature points out the places where you can get yourself into trouble if you do something or fail to do something. Pay close attention to these sections because they could save you a great deal of aggravation.

Tip This feature directs your attention to advice on timesaving or strategic moves.

Best Practices Getting the most stable performance and the highest quality deployment often means knowing a few ins and outs. The Best Practices features are where you’ll find such pieces of knowledge.

Planning There are times when an ounce of prevention through planning is worth many hours of troubleshooting and downtime. Such times merit the Planning feature.


Table Of Contents

Introduction

Part I - Wireless Network Technology and Components

Chapter 1 - IEEE 802.11 Overview
Chapter 2 - Wireless Security
Chapter 3 - Windows Wireless Client Support
Chapter 4 - RADIUS, IAS, and Active Directory
Chapter 5 - EAP
Chapter 6 - Certificates and Public Key Infrastructure

Part II - Wireless Network Deployment

Chapter 7 - Wireless AP Placement
Chapter 8 - Intranet Wireless Deployment Using EAP-TLS
Chapter 9 - Case Study: The Microsoft Wireless Network
Chapter 10 - Intranet Wireless Deployment Using PEAP-MS-CHAP v2
Chapter 11 - Additional Intranet Wireless Deployment Configurations
Chapter 12 - Secure Wireless Networks for the Home and Small Business
Chapter 13 - RADIUS Infrastructure for Public Place Deployment
Chapter 14 - Troubleshooting the Windows Wireless Client

Part III - Troubleshooting Wireless Networks

Chapter 15 - Troubleshooting the Wireless AP
Chapter 16 - Troubleshooting the Authentication Infrastructure

Part IV - Appendixes

Appendix A - Wireless Deployment Best Practices
Appendix B - Wireless ISPs and Windows Provisioning Services
Appendix C - Setting Up Secure Wireless Access in a Test Lab
Index
List of Figures
List of Tables
List of Sidebars
Read comments