Security Basics mailing list archives

RE: 802.1x RADIUS Deployment in Wireless LAN


From: "Batkin, Seva" <Seva_Batkin () canaccord com>
Date: Tue, 25 Nov 2003 14:32:33 -0800

Hi There,

I have deployed this scenario based on Cisco APs and MS IAS. We settled on
PEAP using MsCHAPv2 and without key management features. The reason for the
latter was driver support, which at the time was non-existent; however, with
the latest vendor drivers this solution should be viable as well.

The process was relatively straightforward; the most annoying things were
the little details, such as

- getting certificates for the IAS server to use with PEAP; you have to be
careful with server name, domain, etc. It has to match exactly.
- OS issues - the version of IAS that supports PEAP is exclusively for Windows
2003. The IAS included with 2000 does not support PEAP.
- RADIUS authentication fields from Cisco APs; it was mostly trial and error
(and some sniffing) to figure out what works for management and wireless
user authentication. Be careful, however: the latest code (13.JA1) has
changed the NAS-Port-Type from Virtual to Wireless.

In terms of deployment, once we had a test unit locked down and working
perfectly, it was just a matter of slightly modifying configs for each AP
(IP address, hostname, location) and deploying in bulk via CiscoWorks.

The advantage of the current solution is that it works (relatively)
seamlessly with Windows XP out of the box and requires a simple patch
deployment on Win2k clients to support PEAP and 802.1x authentication.
Be careful, however: Windows login is amazingly persistent, and once a user is
authenticated it is relatively hard to get Windows to ask for the password
again (a possible security issue).

Management of this solution is quite easy; for each user you have to make
sure of two things:
- dial-in is enabled (IAS is effectively RAS)
- user is part of the group which is allowed to use wireless

Below are some links which you may find useful:
http://support.microsoft.com/?kbid=815485
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns314/c654/ccmigration_09186a008009c8b3.pdf
http://www.microsoft.com/downloads/details.aspx?FamilyId=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en

There are also a number of other useful deployment guides on the net.

Feel free to contact me personally if you need a hand.

Thanx

Seva


-----Original Message-----
From: David J. Jackson [mailto:djackson () netdmz com]
Sent: Monday, November 24, 2003 9:12 PM
To: security-basics () securityfocus com
Subject: 802.1x RADIUS Deployment in Wireless LAN

Has anyone deployed RADIUS services in a WLAN environment and if so can you
give me (this list) some feedback as to your experience on the following:

- Design Difficulty?
- Ease of Installation?
- Software OS:  Windows 2000, 2003, XP, Linux, Unix, etc.
- Ease of Deployment?
- Ease of Management?
- Dynamic or Static WEP Key Distribution?

I'm also looking for some more specific information on setting up RADIUS
authentication on the WLAN with cards that don't specifically say they
support 802.1x or RADIUS.  If I'm using a RADIUS client or Windows XP with
built-in support for 802.1x and Smartcard Authentication, etc. does the
Wireless NIC have to support 802.1x or does it matter?

Also, I found a link on Microsoft's site on setting up RADIUS authentication
for Windows 2000 and Windows 2003 servers.  Has anyone used these
articles/instructional guides and if so did they work properly?

Thanks very much in advance for your help with this.

David Jackson, GSEC
djackson () netdmz com
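
Added example, not part of the thread and not code from either poster: a small parser for the attribute section of a RADIUS Access-Request, showing how a server-side condition keyed on NAS-Port-Type stops matching when the AP firmware changes the value it sends. The packets are constructed samples, `policy_matches` is a hypothetical stand-in for a remote access policy condition, and mapping the "Wireless" mentioned above to RFC 2865 value 19 is an assumption.

```python
import struct

# Attribute numbers and NAS-Port-Type values as defined in RFC 2865.
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet", 19: "Wireless - IEEE 802.11"}


def build_access_request(user, nas_port_type, ident=1):
    """Build a minimal Access-Request (constructed sample, not a capture)."""
    name = user.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    attrs += bytes([ATTR_NAS_PORT_TYPE, 6]) + struct.pack("!I", nas_port_type)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + bytes(16) + attrs  # all-zero Request Authenticator


def parse_attributes(packet):
    """Return {type: [raw values]} after validating the RADIUS framing."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def nas_port_type(packet):
    """Name of the NAS-Port-Type the AP sent, or None if absent."""
    values = parse_attributes(packet).get(ATTR_NAS_PORT_TYPE)
    if not values or len(values[0]) != 4:
        return None
    number = struct.unpack("!I", values[0])[0]
    return NAS_PORT_TYPES.get(number, "unknown(%d)" % number)


def policy_matches(packet, allowed=("Virtual",)):
    """Hypothetical policy condition keyed on NAS-Port-Type."""
    return nas_port_type(packet) in allowed
```

Running `nas_port_type` over a capture taken before and after an AP firmware upgrade shows whether the policy condition needs to list both values during the rollout.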




