Security Basics mailing list archives
RE: 802.1x RADIUS Deployment in Wireless LAN
From: "Batkin, Seva" <Seva_Batkin () canaccord com>
Date: Tue, 25 Nov 2003 14:32:33 -0800
Hi There,

I have deployed this scenario based on Cisco APs and MS IAS. We settled on PEAP using MsCHAPv2 and without key management features. The reason for the latter was driver support, which at the time was non-existent; however, with the latest vendor drivers this solution should be viable as well.

The process was relatively straightforward; the most annoying things were the little details such as

- getting certificates for the IAS server to use with PEAP, have to be careful with server name, domain, etc. It has to match exactly
- OS issues - version of IAS that supports PEAP is exclusively for Windows 2003. The IAS included with 2000 does not support PEAP.
- RADIUS authentication fields from Cisco APs, it was mostly trial and error (and some sniffing) to figure out what works for management and wireless user authentication. Be careful however, the latest code (13.JA1) has changed the NAS-Port-Type from Virtual to Wireless

In terms of deployment, once we had a test unit locked down and working perfectly, it was just a matter of slightly modifying configs for each AP (IP address, hostname, location) and deploying in bulk via CiscoWorks.

The advantage of the current solution is that it works (relatively) seamlessly with Windows XP out of the box and requires a simple patch deployment on Win2k clients to support PEAP and 802.1x authentication. Be careful however, Windows login is amazingly persistent, and once a user is authenticated it is relatively hard to get Windows to ask for the password again (a possible security issue).
Management of this solution is quite easy, for each user you have to make sure of two things

- dial-in is enabled (IAS is effectively RAS)
- user is part of the group which is allowed to use wireless

Below are some links which you may find useful

http://support.microsoft.com/?kbid=815485
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns314/c654/ccmigration_09186a008009c8b3.pdf
http://www.microsoft.com/downloads/details.aspx?FamilyId=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en

There are also a number of other useful deployment guides on the net. Feel free to contact me personally if you need a hand.

Thanx
Seva

-----Original Message-----
From: David J. Jackson [mailto:djackson () netdmz com]
Sent: Monday, November 24, 2003 9:12 PM
To: security-basics () securityfocus com
Subject: 802.1x RADIUS Deployment in Wireless LAN

Has anyone deployed RADIUS services in a WLAN environment and if so can you give me (this list) some feedback as to your experience on the following:

- Design Difficulty?
- Ease of Installation?
- Software OS: Windows 2000, 2003, XP, Linux, Unix, etc.
- Ease of Deployment?
- Ease of Management?
- Dynamic or Static WEP Key Distribution?

I'm also looking for some more specific information on setting up RADIUS authentication on the WLAN with cards that don't specifically say they support 802.1x or RADIUS. If I'm using a RADIUS client or Windows XP with built-in support for 802.1x and Smartcard Authentication, etc. does the Wireless NIC have to support 802.1x or does it matter?

Also, I found a link on Microsoft's site on setting up RADIUS authentication for Windows 2000 and Windows 2003 servers. Has anyone used these articles/instructional guides and if so did they work properly?

Thanks very much in advance for your help with this.
David Jackson, GSEC
djackson () netdmz com
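
The reply above mentions sniffing the RADIUS fields the APs send and warns that an AP code update changed NAS-Port-Type from Virtual to Wireless. The following is an added example, not part of either message: it parses the attributes of a captured Access-Request and checks NAS-Port-Type against the values a policy condition allows. The sample packets are constructed, `policy_matches` and `build_request` are hypothetical helpers, and reading "Wireless" as value 19 (Wireless-IEEE-802.11, RFC 2865) is an assumption.

```python
import struct

# NAS-Port-Type is attribute 61; values below are from RFC 2865.
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet",
                  18: "Wireless-Other", 19: "Wireless-IEEE-802.11"}

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} after validating all lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the captured data")
    attrs, pos = {}, 20                      # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # alen includes the 2 header bytes
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def nas_port_type(packet: bytes):
    """Name of the NAS-Port-Type in the packet, or None if it is absent."""
    values = parse_attributes(packet).get(ATTR_NAS_PORT_TYPE)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("NAS-Port-Type must be a 4-byte integer")
    number = struct.unpack("!I", values[0])[0]
    return NAS_PORT_TYPES.get(number, f"Unknown({number})")

def policy_matches(packet: bytes, allowed: set) -> bool:
    """Hypothetical stand-in for a policy condition keyed on NAS-Port-Type."""
    return nas_port_type(packet) in allowed

def build_request(user: bytes, port_type: int) -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for label, value in (("old AP code", 5), ("new AP code", 19)):
        pkt = build_request(b"alice", value)
        print(label, nas_port_type(pkt), policy_matches(pkt, {"Virtual"}))
```

A policy condition that lists only Virtual stops matching requests from upgraded APs, so the condition has to accept both values while a fleet is mid-upgrade.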