- David's Church Information Technology - https://infotech.davidszpunar.com -

Wireless 802.1x Authentication: Overview

I’ve been asked [1] to post some information on how I implemented 802.1x authentication in our wireless network. This setup involved a lot of experimentation, and I’m not completely done although I have a working solution. This post will be a high-level overview of the process. I will post some additional information when I have time (no guarantees!) that contains a bit more of the nitty-gritty details of some of the steps. How did I learn? I had a burning desire to figure out how “real enterprises” did wireless security and authentication, so I read, and Googled, and read, and read, and tested, and read, and tested some more. And that was just with an off-the-shelf Linksys router! When we got the good equipment and I learned its configuration options, I just needed to do a bit more configuration and testing to get it functional at the level of the Linksys, but with more flexibility.

I’m using the built-into-Windows-Server IAS, which is the Microsoft implementation of a RADIUS server. Basically, I set up a profile in the IAS configuration to allow specific Windows Active Directory groups to be allowed “dial-up” access through a Wireless port type. Then I created a new client in IAS with its IP address and a secret key that I also enter in the wireless access point (AP) where it asks for a RADIUS server (while setting up WPA/WPA2 authentication, not the Pre-Shared Key (PSK) kind). If I did everything right (insert hours of testing and learning here), I can connect to the wireless SSID I configured by specifying a username and password (or to use the Windows logon credentials) in the settings, rather than needing a pre-shared key that’s the same for everyone.

If I go a step further and put a certificate on the server that the clients trust, I can also authenticate with the certificates rather than the username/password credentials, which is actually more secure due to the certificate being longer, more random, and harder to obtain than a username and password (this is why I limit access for now to users in the Active Directory group I specify, creating fewer users with wireless login privileges). I haven’t completed the certificate step of the process, and I’m still running a WPA-PSK SSID as an alternate connection method until I’m sure I have everyone switched over to the RADIUS-based SSID. But once I deactivate the WPA-PSK network, security should go up because now you can’t just share the PSK key, which has a way of getting out no matter how hard you try and protect it (having free wi-fi now helps this as well, since if someone just wants internet access, they don’t need the internal network key!). And your keys get changed every time your passwords change, rather than coordinating updating the PSK and then making sure everyone needing wireless access has the new key (if they don’t, expect cell phone calls asking for it pretty quickly).

That’s the high level why and how. I sleep now :-)

2 Comments (Open | Close)

2 Comments To "Wireless 802.1x Authentication: Overview"

#1 Comment By Austin Spooner On May 19, 2007 @ 11:47 pm

David- I did this at our church about a year ago, but the one problem I have is that you cant just have a laptop out for a user to login to over wireless, because it does not authenticate until they are logged in. Have you found a way to fix this?

#2 Comment By David Szpunar On May 19, 2007 @ 11:57 pm

Austin – We are only using 802.1x for the employee SSID (network name). The public wireless uses a second SSID with broadcast turned on and all security turned off, like a coffee shop is often set up. People still have to authenticate using a single, common username and password (to make sure they’ve actually come in the church) posted on brochures around the lobby areas, but our Nomadix AG-3000 takes care of that and redirects people to the home/login page when they open their browser, no matter where they try to go.

I mentioned our Wirless system briefly on my post about [2] but I haven’t really said much about the wireless hardware in its own post. The ProCurve equipment we have lets us use 16 (32 in advance mode) SSIDs over the same radios, each with independent security settings and each connected to any specific VLAN I choose. This is why I say that the professional grade equipment rocks…a cheap Linksys won’t do this! (With the exception of a Linksys with modified firmware, but I haven’t done much with this.) Good question, thanks! I’ll write more about the wireless hardware soon.