David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

May 18th, 2007 at 11:52 pm

Wireless 802.1x Authentication: Overview

I’ve been asked to post some information on how I implemented 802.1x authentication in our wireless network. This setup involved a lot of experimentation, and I’m not completely done although I have a working solution. This post will be a high-level overview of the process. I will post some additional information when I have time (no guarantees!) that contains a bit more of the nitty-gritty details of some of the steps. How did I learn? I had a burning desire to figure out how “real enterprises” did wireless security and authentication, so I read, and Googled, and read, and read, and tested, and read, and tested some more. And that was just with an off-the-shelf Linksys router! When we got the good equipment and I learned its configuration options, I just needed to do a bit more configuration and testing to get it functional at the level of the Linksys, but with more flexibility.

I’m using the built-into-Windows-Server IAS, which is the Microsoft implementation of a RADIUS server. Basically, I set up a profile in the IAS configuration to allow specific Windows Active Directory groups “dial-up” access through a Wireless port type. Then I created a new client in IAS with its IP address and a secret key that I also enter in the wireless access point (AP) where it asks for a RADIUS server (while setting up WPA/WPA2 authentication, not the Pre-Shared Key (PSK) kind). If I did everything right (insert hours of testing and learning here), I can connect to the wireless SSID I configured by specifying a username and password (or by using the Windows logon credentials) in the settings, rather than needing a pre-shared key that’s the same for everyone.
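The secret key entered in both IAS and the AP is what lets each side check that a RADIUS packet really came from the other. The following is an added example, not code from the original post: a Python sketch of the RFC 3579 Message-Authenticator check on the request and the RFC 2865 Response Authenticator check on the reply. The user name, AP address and secret are constructed, and the EAP-Message attributes a real 802.1x exchange carries are left out.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80  # codes; attr type (RFC 3579)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """AP side: Access-Request signed with HMAC-MD5 keyed by the shared secret."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the Message-Authenticator zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                                    # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                                            # unsigned request: reject

def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """AP side: accept a reply only if it was built with the same shared secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values: user name, AP address (TEST-NET-1) and secret are made up.
SECRET = b"constructed-shared-secret"
ATTRS = (attr(1, b"alice") + attr(4, bytes([192, 0, 2, 10]))  # User-Name, NAS-IP-Address
         + attr(61, struct.pack("!I", 19)))                    # NAS-Port-Type = Wireless-802.11
REQUEST = build_request(7, SECRET, ATTRS)
REPLY = build_reply(ACCESS_ACCEPT, REQUEST, SECRET)
print("request ok:", verify_request(REQUEST, SECRET), "| reply ok:", verify_reply(REPLY, REQUEST, SECRET))
```

A mismatch between the secret on the AP and the one in the RADIUS client entry makes both checks fail, which is why a mistyped secret shows up as dropped or rejected requests rather than as a bad-password error.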

If I go a step further and put a certificate on the server that the clients trust, I can also authenticate with the certificates rather than the username/password credentials, which is actually more secure due to the certificate being longer, more random, and harder to obtain than a username and password (this is why I limit access for now to users in the Active Directory group I specify, creating fewer users with wireless login privileges). I haven’t completed the certificate step of the process, and I’m still running a WPA-PSK SSID as an alternate connection method until I’m sure I have everyone switched over to the RADIUS-based SSID. But once I deactivate the WPA-PSK network, security should go up because now you can’t just share the PSK, which has a way of getting out no matter how hard you try to protect it (having free wi-fi now helps this as well, since if someone just wants internet access, they don’t need the internal network key!). And your keys get changed every time your passwords change, rather than coordinating updating the PSK and then making sure everyone needing wireless access has the new key (if they don’t, expect cell phone calls asking for it pretty quickly).

That’s the high level why and how. I sleep now :-)