1 Overview
1.1 Our Lab environment is configured as follows:
2 Set up your Certificate Authority Server
2.1 To configure a computer certificate enrollment for a Certificate Authority Server, do the following:
2.2 Configure a User Certificate Template to use the Wave CSP
2.3 To create a User Certificate Template that uses the Wave CSP follow these steps:
3 RADIUS Configuration using Microsoft’s Internet Authentication Service
3.1 Configuring IAS
3.2 Installing a RADIUS Service Certificate
4 Configuring Wireless Access Points for 802.1x
5 Configure your Enterprise Domain Policy for Wireless 802.1x authentication
5.1 To configure Wireless Network (IEEE 802.11) Policies Group Policy settings, do the following:
6 Installing User Certificates
6.1 Configuring User Certificates for autoenrollment
6.2 Installing a User Certificate via a Web Request
7 Configure your wireless client to access your Enterprise network using secure 802.1x
7.1 Steps taken to configure your wireless client:
8 Table of Figures
This article describes the steps taken to deploy secure 802.11 wireless access,
employing Microsoft Windows-based client computers with 802.1x authentication,
using a wireless access point in our lab. Our lab’s wireless authentication
infrastructure consists of a Microsoft Windows 2003 Server Domain Controller, a
Certification Authority Server, an Internet Authentication Service Server (also known as
a RADIUS server) and a Wireless Access Point that is 802.1x compatible.
This article does not go into details regarding the evolution of wireless technology
and security standards. To learn more about this, you could visit the following links:
Wireless Networking
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx
This article discusses the process taken to configure secure 802.11 wireless
infrastructures in our Lab.
Windows XP has built-in support for IEEE 802.11 wireless access and IEEE
802.1x authentication using the Extensible Authentication Protocol (EAP).
The domain’s Active Directory contains the user accounts, computer accounts
and dial-in properties that each RADIUS server requires to authenticate
credentials and evaluate authorization.
This device complies with industry security standards for wireless data
encryption and user authorization. WPA and 802.1x support enable strong
mutual authentication to ensure that only valid clients can communicate with the
enterprise network.
Regardless of which authentication method you use for wireless connections, EAP-
TLS or PEAP-MS-CHAP v2, you must install computer certificates on the RADIUS
servers.
The computer certificate is installed on the RADIUS server computer so that during
EAP-TLS authentication, the RADIUS server has a certificate to send to the wireless
client computer for mutual authentication, regardless of whether the wireless client
computer authenticates with a computer certificate or a user certificate.
Configure your Certificate Authority to meet the needs of your Enterprise PKI
policies. Our lab CA server was configured as an Enterprise root certificate authority.
Once the Certificate Authority service was configured on the server, a computer
certificate was needed for the server.
2. In the console tree, double-click Active Directory Users and Computers, right-
click the domain name to which your CA belongs. Click Properties.
3. On the Group Policy tab, click the appropriate Group Policy object (the default
object is Default Domain Policy). Click Edit.
10. To immediately obtain a computer certificate for the CA Server, type the
following at a command prompt:
gpupdate /target:computer
In order for the Wave CSP to be available in the Certificate Authority Server, you
need to make some modifications to your Certificate Authority Server Registry.
2. Once your Server Registry has been backed up, you need to create the
following files using Notepad (see Figures 4 & 5). These files will be used to
import the Wave CSP information into the Certificate Authority Server.
3. Once these files have been created you may double click on each file (see
Figure 6). You will be prompted to verify that you want to import the content
of the file into the registry (see Figures 7 & 8). Select Yes.
1. Open the Microsoft Management Console (mmc) and add the Certificate
Templates snap-in and the Certificate Authority snap-in.
2. Select the Certificate Templates.
3. On the right pane, select User (see Figure 9). Right-click and select
Duplicate Template (see Figure 10).
4. On the right pane, you will see a new template called Copy of User. Select
and open, in order to modify it. (See Figure 11.)
5. In our Lab environment, I called this new User Certificate Template Wireless
User (see Figure 12). Make sure you select the “Publish Certificate in
Active Directory” checkbox. Select Apply.
6. Select the “Request Handling” tab of the Wireless User Certificate Template
(see Figure 13); in Purpose, select “Signature and Smartcard logon.”
7. On the “Request Handling” tab, select “Prompt the user during
enrollment and require user input when the private key is used.”
8. On the “Request Handling” tab, press the CSPs button; this will allow you to
restrict the type of CSP with which this User Certificate will work. (See Figure
14.)
9. On the CSP Selection window, make sure you have selected “Request must
use one of the following CSPs,” and under the list of CSPs, select “Wave
TCG-Enabled CSP” and “Wave TCG-Enabled SChannel CSP.” Select OK.
Using this CSP will allow the private key of the certificate to be stored in the
TPM.
10. Go to the Subject Name tab of the Wireless User Certificate Properties. Select
Build from this Active Directory information. Select Subject name and include
other information according to your Enterprise policies (see Figure 15).
11. Create a group in Active Directory called Wireless Users. Users in this group
will be allowed to Enroll and Autoenroll User certificates. In the Security tab
of the Certificate template ensure that this group has access to Enroll and
Autoenroll by checking the Allow box next to the Permissions (see Figure
16).
12. In the mmc, expand the Certificate Authority snap-in, select your Certificate
Authority and then Certificate Templates. Right-click (see Figure 17). Select New –
Certificate Template to Issue and select Wireless User. You can now see
(Figure 18) that the Wireless User Certificate Template is available.
Note: The “Wireless User” user certificate template, which uses the Wave TCG CSP, is
now available for use; it is then configured in Domain Group Policy for User
Certificate Auto-Enrollment.
This section provides direction for building a RADIUS (Remote Authentication Dial-In
User Service) infrastructure for wireless LAN (WLAN) security based on Microsoft
Windows Server 2003 Internet Authentication Service (IAS). The objective of this
section is to provide the steps taken to configure the RADIUS service in our Lab
infrastructure; this section does not try to explain any of the general concepts of
RADIUS or how IAS implements the RADIUS protocol.
This section makes the following assumptions about the existing IT infrastructure:
• A deployed Windows 2003 Active Directory domain infrastructure exists.
• All users of the RADIUS infrastructure in this solution should be members of
domains within the same Active Directory infrastructure.
• Server hardware capable of running Windows Server 2003 IAS is available.
For instructions on installing IAS, see the following article written by Microsoft:
http://support.microsoft.com/kb/317588
In order for the RADIUS server to be able to process certificate logons, it needs to
have a certificate installed for that service. To get the certificate for the RADIUS server,
you need to do the following:
The procedure for configuring Wireless Access Points (APs) varies depending on the
make and model of the device. However, wireless AP vendors will generally provide
instructions for configuring the device. The following are the essential items to
configure the AP for 802.1x authentication:
• 802.1x networking settings
• IP Address for primary RADIUS server
• RADIUS shared secret for primary RADIUS server
• IP address for secondary RADIUS server
• RADIUS shared secret for secondary RADIUS server
It is recommended that you have a primary and a secondary RADIUS server for
redundancy. For the purpose of this document, we only configured a primary
RADIUS server and that information was entered into the access point as follows.
We used a NETGEAR® ProSafe™ 802.11g Wireless Access Point WG302 and the
instructions and figures displayed in this section pertain to configuring such a device.
The figures shown below are the essential information for configuring the access
point used in our Lab to communicate with the Lab’s RADIUS Server.
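As an added example (not part of this cookbook or of any vendor’s code), the following Python shows what the RADIUS shared secret entered into the access point actually protects between the AP and the IAS server: the Message-Authenticator on EAP-carrying Access-Requests (RFC 2869) and the Response Authenticator on the server’s reply (RFC 2865). The secret, identifier, EAP payload and Request Authenticator values are constructed.

```python
"""Constructed example: the two shared-secret checks between an 802.1x access point
and its RADIUS server (RFC 2865 Response Authenticator, RFC 2869 Message-Authenticator)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def attr(kind: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (Length counts the 2-byte header)."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, request_auth: bytes, secret: bytes, eap: bytes) -> bytes:
    """AP side: wrap an EAP message in an Access-Request. The Message-Authenticator is an
    HMAC-MD5 over the whole packet, keyed with the shared secret, with its own value zeroed."""
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """RADIUS server side: walk the attributes, zero the Message-Authenticator value and
    recompute the HMAC-MD5; a request from an AP configured with the wrong secret fails here."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator at all: reject an EAP-carrying request


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """RADIUS server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AP side: accept the reply only if it was computed over our own Request Authenticator
    with the shared secret; a reply from a host that does not hold the secret is discarded."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the Response Authenticator is bound to the AP’s own random Request Authenticator, a mismatched secret on either side shows up as every Access-Accept being rejected, which is the usual symptom when the secret typed into the AP and into IAS differ.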
Windows Server 2003 provides the Wireless Network (IEEE 802.11) Policies Group
Policy extension. This enables administrators to specify a list of preferred networks
and their settings to automatically configure wireless LAN settings for clients running
Windows XP with SP1, Windows XP with SP2 and Windows Server 2003.
For each preferred network, you can specify association settings (such as the SSID,
authentication and encryption method) and 802.1x authentication settings, such as the
specific EAP type.
As an IT administrator in your organization, you have two options for installing user
certificates in your enterprise:
• Use your domain autoenrollment feature
• Have the user manually request and install the user certificate
Note:
(1) Next time the user logs into the network they will see a prompt in their system
tray that informs them of the installation of a user certificate.
(2) The instructions provided above are for a Certificate Authority running in a
Microsoft Windows Server 2003, Enterprise Edition or Windows Server 2003,
Datacenter Edition.
If your environment does not support user autoenrollment, you can require that
the user enroll manually by installing a User Certificate via a Web request.
Please remember that when you are requesting a certificate via the Web, you must
have the Web server service running on the Certificate Authority Server:
Once the user has installed their User Certificate either by autoenrollment or by a
web request, he/she is ready to configure the Wireless portion. For the purpose of
the cookbook, we used a Dell Latitude D620 with an Intel ® PRO/Wireless 3945ABG
Network adapter, using the Intel® PROSet/Wireless Software Version 10.1.0.3 to
configure our Wireless access.
1. Go to the system Tray and open the Intel PROSet/Wireless utility (see
Figure 50).
2. Select the Wireless Network in question (see Figure 51). Click on
Profiles.
3. Verify the Profile Name and Wireless Network Name, and select Network as
the operating mode (see Figure 52). Click Next.
4. Configure the Security Settings section as follows (see Figures 53 &
54):
a) Select Enterprise Security.
b) Check the “Enable 802.1x” box.
c) Set Network Authentication: WPA2 – Enterprise.
d) Set Data Encryption: TKIP.
e) Set Authentication Type: TLS.
5. Configure the TLS User as follows (see Figure 55):
a) Select Use a User Certificate on this computer.
b) Click the Select button. Select a User Certificate that was
created using the Wave TCG CSP (Wireless User Certificate
Template). Click OK.
c) Click on Next.
6. Configure the TLS Server as follows (see Figures 56 & 57):
a) Check the “Validate Server Certificate” box.
b) Select from the Certificate Issuer List. Choose the Certificate
Authority from which the Wireless User Certificate Template
was issued.
c) Click OK.
7. Click Connect (see Figure 58). This will start the 802.1x
authentication process.
8. A window will be displayed (see Figure 59), prompting you to
authenticate to your TCG Security Password Vault. If you are using
biometrics, you will need to swipe your finger (see Figure 60). This
method of authentication assumes that you have used the EMBASSY
Security Center to initialize a TCG Security Password Vault. If not, you
will be prompted for an individual password here.
9. Once the authentication is validated, the connection will be established
(see Figures 61 & 62).