
Setting up 802.1X networks by using Internet Authentication Service



  1. Setting up 802.1X networks by using Internet Authentication Service

  2. Objective
  • Main objective is to educate enterprise network administrators about how to set up 802.1X secure networks

  3. Agenda
  • Server setup
    • Authentication methods and vulnerabilities
    • Best practices and recommendations
  • Certificate Authority (CA) setup
    • Best practices and recommendations
  • Active Directory® and client setup
    • User and computer account setup and management
    • Policy configuration in the domain
    • Best practices and recommendations
  • Troubleshooting

  4. Abstract
  • At the moment, setting up 802.1X is one of the most challenging tasks that network and systems administrators face
  • This Support WebCast is targeted at network professionals, such as administrators, who need to improve security and centralize wireless access to their networks

  5. Recap: RADIUS
  • RADIUS is a standard for authentication, authorization, and accounting (the Microsoft implementation adds auditing); AAA or AAAA for short (triple A or quad A)
  • RADIUS is primarily used to manage network access through dial-in, wireless, and VPN network access servers
  • The protocol was standardized in RFC 2058; the current implementation is defined in RFCs 2138 and 2139
  • RADIUS uses User Datagram Protocol (UDP) packets
    • Older servers used ports 1645 and 1646
    • The latest standards use port 1812 for authentication and port 1813 for accounting
  • Internet Authentication Service (IAS) can be configured to use any other unused port for RADIUS

  6. Recap (2): IEEE 802.1X
  • IEEE 802.1X (8021X for short) is a mechanism that provides authentication and key management
  • Dynamic key management: a different key for each client
  • More secure than WEP, and less susceptible to WEP cracking techniques
  • Works with wired and wireless LANs
  • Supports multiple authentication methods: token keys, passwords, certificates, one-time passwords, and others
  • Many more great features, such as central user management and mutual authentication

  7. Setting up Active Directory
  • To set up Active Directory, run Dcpromo.exe on your future domain controller
  • When the domain is up, you can create user accounts and add computer accounts to Active Directory
  • In Windows 2000 mixed-mode domains, the accounts must be set to Allow access so that they can be successfully authenticated. There are mechanisms to override this on the IAS server
  • In Windows 2000 (and later) native-mode domains, the Control access through Remote Access Policy option is available. This is the default (and the recommended setting for all user and computer accounts), because it lets the IAS server decide whether to admit the user or not

  8. Certificate Authority (CA) setup
  • To set up the CA, perform the following steps on your future CA server:
    • Click Start, click Control Panel, and then double-click Add or Remove Programs
    • Click Add/Remove Windows Components
    • Click Certificate Services, and then click Details
    • Make sure that Certificate Services Web Enrollment Support is selected (you must have IIS installed before you perform this step)

  9. CA setup (2)
  • Recommendation: Use Certificate Services on computers running Microsoft® Windows Server™ 2003 Enterprise Edition. This lets the administrator create custom templates, and it includes two important certificate templates:
    • RAS and IAS Server Authentication
    • Wireless Authentication
  • These customized templates have the correct settings for the IAS server and wireless clients

  10. CA setup (3)
  • When the CA is installed, you must publish the certificate templates:
    • RAS and IAS Server Authentication
    • Wireless Authentication

  11. CA setup (4)
  • Follow these steps to add the templates:
    • Click Start, point to Programs, point to Administrative Tools, and then click Certificate Authority
    • Find the certificate templates
    • Right-click Certificate Templates, and then click Certificate Template to Issue
    • In the dialog box that appears, click RAS and IAS Server Authentication and Wireless Authentication

  12. Setting up Group Policy
  • By default, wireless Group Policy settings are not configured
  • An administrator might want to change the defaults to make getting wireless clients onto the network easier
  • Group Policy must be downloaded to the client before it can take effect on the client computer. This happens automatically when a domain user logs on to the computer for the first time, or when a new computer joins the domain (after first boot). It also happens at regular intervals

  13. Setting up Group Policy (2)
  • To force the Group Policy download on the client computer, use the GPUPDATE.EXE command-line tool with the /F[orce] option. This makes the computer download and apply Group Policy locally (with any new modifications)
  • Use Group Policy to automatically enroll certificates for client computers. This is in addition to the other certificates the client needs (such as the enterprise root certificate or other third-party root certificates that the administrator wants to push down to the clients automatically through Group Policy)

  14. Setting up Group Policy (3)
  • Open the Active Directory Users and Computers snap-in
  • Locate an organizational unit (OU) that you would like the wireless policy applied to, or create a new one by right-clicking the domain name, pointing to New, and then clicking Organizational Unit
  • Add the computers that you would like to apply the Group Policy to
  • Note: Wireless Group Policy applies only to computers

  15. Setting up Group Policy (4)
  • Right-click the OU, and then click Properties
  • Tip: You can make the policy domain-wide by right-clicking the domain name. Check the links at the end for additional information about Group Policy
  • Click the Group Policy tab
  • Click New
  • Type the new name
  • Click Edit to start editing the policy

  16. Setting up Group Policy (5)
  • Note: You can also use the newer Group Policy Management Console (GPMC), which works the same way. Check the links at the end of this WebCast for more information

  17. Group Policy: Configuring 802.1X in GP
  • Find Wireless Network (IEEE 802.11) and right-click it
  • Select Create Wireless Network Policy
  • After the wizard is done, continue to edit the properties

  18. Group Policy (2): Configuring 802.1X in GP
  • Recommendation: On the General tab, make sure to change the Networks to access list to Access point (infrastructure) networks only
  • This option only pushes this SSID as the default on your clients (it is added to the Preferred Networks list)
  • Wireless Group Policy is not an exclusionary technology; you cannot prevent users from connecting to other SSIDs
  • You can limit your clients to connecting only to APs or only to ad hoc networks
  • Click the Preferred Networks tab, and then click Add

  19. Group Policy (3): Configuring 802.1X in GP

  20. Group Policy (4): Configuring 802.1X in GP
  • Select the Service Set Identifier (SSID) of your network. Clients default to this SSID when presented with multiple SSIDs
  • Add a description (optional)
  • Leave the other default settings unchanged

  21. Group Policy (5): Configuring 802.1X in GP

  22. Group Policy (6): Configuring 802.1X in GP
  • Click the IEEE 802.1X tab
  • Select the appropriate EAP type
  • Click Settings

  23. Group Policy (7): Configuring 802.1X in GP
  • Select the EAP method's additional configuration

  24. Group Policy (8): Configuring 802.1X in GP
  • Recommendations
    • Always enable Validate server certificate (to make sure that the client authenticates the server)
    • Always enable Fast Reconnect with PEAP
    • Optionally, supply the names of your IAS servers in the Connect to these servers field. This prevents the clients from connecting to rogue servers. Make sure that you specify the fully qualified domain name (FQDN) of the server exactly as it appears in the server certificate
    • Starting in Windows® XP SP2, this field is a regular expression, so to accept servers in the Microsoft.com domain you type: ^.*\.microsoft\.com$
  • These settings are also available on the client for individual client configuration
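The anchors in the slide's pattern are what make it safe: without ^ and $, a certificate issued to a longer name that merely contains "microsoft.com" would also satisfy the check, and the client would happily authenticate to a server it was never meant to trust. The following Python is an added example, not code from the WebCast or from Windows; it assumes the client applies the pattern with search semantics (which is why the slide's own example carries explicit anchors) and compares names case-insensitively, as DNS does. The helper pattern_for_servers() and the host names used are constructed for illustration.

```python
import re


def server_name_accepted(pattern, certificate_name, flags=re.IGNORECASE):
    """Return True if the FQDN in the server certificate satisfies the configured pattern.

    Assumption: the 'Connect to these servers' field is applied with search
    semantics, so an unanchored pattern matches anywhere in the name.
    """
    return re.search(pattern, certificate_name, flags) is not None


def pattern_for_servers(fqdns):
    """Build an exactly-anchored pattern that accepts only the listed IAS server names.

    re.escape() keeps each dot literal, and the ^...$ anchors stop any longer
    or shorter name from matching. (Constructed helper, not a Windows feature.)
    """
    return "^(" + "|".join(re.escape(name) for name in fqdns) + ")$"


def compare_patterns(certificate_name):
    """Show what the slide's anchored pattern and a naively unanchored one each accept."""
    anchored = r"^.*\.microsoft\.com$"   # the pattern shown on the slide
    unanchored = r"microsoft\.com"       # the same idea typed without anchors
    return {
        "anchored": server_name_accepted(anchored, certificate_name),
        "unanchored": server_name_accepted(unanchored, certificate_name),
    }


if __name__ == "__main__":
    # Constructed certificate names: one legitimate, one that only contains the domain
    for name in ("ias1.microsoft.com", "ias1.microsoft.com.example.net"):
        print(name, compare_patterns(name))
    exact = pattern_for_servers(["ias1.corp.example", "ias2.corp.example"])
    print(exact, server_name_accepted(exact, "IAS1.corp.example"))
```

Listing the servers by exact name, as pattern_for_servers() does, is the most restrictive choice and matches the slide's advice to use the FQDN exactly as it appears in the certificate; the wildcard form is only appropriate when every host in the domain is an IAS server you control.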

  25. Server setup
  • Setting up the IAS server
    • IAS is Microsoft's implementation of RADIUS. RADIUS is one of the most popular authentication protocols
    • IAS is included in Windows 2000 Server and Windows Server 2003. Add IAS by using Add/Remove Windows Components

  26. Server setup (2)
  • There are some limitations in Standard Edition IAS: 50 RADIUS clients and 2 server groups
  • Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition do not have these limitations
  • Windows XP and Windows Server 2003, Web Edition do not have IAS
  • Windows Small Business Server 2003, Standard Edition has the Standard Edition IAS
  • IAS has been a component of Windows since Windows NT® 4.0
  • 802.1X network support is available only in Windows 2000 Server IAS and Windows Server 2003 family IAS

  27. Server setup: Authentication methods
  • IAS supports many authentication methods:
  • Extensible Authentication Protocol – Transport Layer Security (EAP-TLS)
    • This is a robust and secure protocol, used with smart cards and certificates
    • EAP-TLS provides very high levels of security and leverages a Public Key Infrastructure (PKI) based on the widely accepted Secure Sockets Layer (SSL) technology

  28. Server setup: Authentication methods (2)
  • PEAP-EAP-MSCHAPv2
    • Protected EAP (PEAP) is also a very secure authentication protocol. It has an internal protected authentication method that is flexible and easy to deploy, without the need for client-side certificates
  • PEAP-EAP-TLS
    • This authentication method is the ultimate in security, providing a secured outer channel inside which EAP-TLS is negotiated

  29. Server setup: Advantages of EAP and PEAP
  • The main advantage of EAP and PEAP is that the Access Point (AP) becomes a pass-through for the authentication, allowing the client to communicate directly with the server with little interference from the AP
  • EAP and PEAP allow mutual authentication of client and server, where the client validates the server certificate to ensure its validity and authenticity before connecting to the network
  • Note: Mutual authentication is not done in all EAP methods

  30. Server setup: Advantages of EAP and PEAP (2)
  • Combined with 802.1X, EAP and PEAP provide a great framework for exchanging encryption keys without resorting to static Wired Equivalent Privacy (WEP) keys for encryption
  • Keys are provided to the AP and the client after successful authentication

  31. Server setup: Server configuration
  • Before IAS can be set up for EAP/PEAP, the supporting infrastructure must be in place
  • Active Directory, DHCP, and a Certificate Authority all must be in place before IAS. We will discuss the basic setup of Active Directory and the Certificate Authority. DHCP and DNS are beyond the scope of this WebCast

  32. Server setup: Server configuration (2)
  • Active Directory and a Certificate Authority are optional only for PEAP-EAP-MSCHAPv2, but are highly recommended for centralized management
  • Active Directory is also mandatory in the case of computer authentication
  • IAS can be deployed with a public domain certificate obtained from any public Certificate Authority

  33. Server setup: Server configuration (3)
  • Register IAS in Active Directory
    • Log on to the IAS server as a domain administrator
    • Right-click the IAS root node, and then click Register IAS in Active Directory
  • This is a very important step. Without successfully registering IAS, the server may not be able to look up users or obtain the proper certificates

  34. Server setup: Server configuration, add clients
  • Make sure that the client is a member of the RADIUS clients list
  • Confirm that the case-sensitive shared secret is configured identically on IAS and on the access server (802.1X-capable switch or Access Point)
  • Select a strong secret that is more than 15 characters long and contains both alphanumeric and special characters
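The shared secret from this slide is what ties the RADIUS recap (slide 5) to the access server: it never crosses the wire, but every reply the server sends is authenticated with it, so a secret that differs by so much as letter case on the two sides makes the switch or AP discard every Access-Accept. The Python below is an added example, not code from the WebCast or from IAS; it implements the Response Authenticator of RFC 2865 (the successor to the RFC 2138 named on slide 5) over a minimal hand-built packet. The packet contents, identifiers, user name and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
NAS_PORT_TYPE = 61
NAS_PORT_TYPE_WIRELESS_80211 = 19   # the value behind "Wireless-IEEE 802.11"

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type-length-value attributes."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value is limited to 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The shared secret is the only thing that lets the access server tell a genuine
    reply from a forged or tampered one, which is why it must match exactly on both sides.
    """
    length = HEADER_LEN + len(attrs_bytes)
    data = struct.pack("!BBH", code, identifier, length) + request_auth + attrs_bytes + secret
    return hashlib.md5(data).digest()


def build_access_request(identifier, request_auth, user_name):
    """Access server side: an Access-Request carrying User-Name and NAS-Port-Type (constructed)."""
    body = encode_attributes([
        (USER_NAME, user_name.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + request_auth + body


def server_reply(request, code, attrs, secret):
    """RADIUS server side: answer with the request's identifier and sign the reply."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + auth + body


def verify_reply(reply, request_auth, secret):
    """Access server side: accept the reply only if its authenticator recomputes under our secret."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):          # truncated or padded packet
        return False
    expected = response_authenticator(code, identifier, request_auth, reply[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def exchange(nas_secret, server_secret, request_auth=None):
    """One Access-Request / Access-Accept round trip; returns whether the access server accepts it."""
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(42, request_auth, "alice")
    reply = server_reply(request, ACCESS_ACCEPT, [], server_secret)
    return verify_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    # Constructed secrets: the second pair differs only in case, as slide 34 warns about
    print("matching secrets:", exchange(b"Wl4n!Auth#2004$Secret", b"Wl4n!Auth#2004$Secret"))
    print("case mismatch:  ", exchange(b"Wl4n!Auth#2004$Secret", b"wl4n!auth#2004$secret"))
```

Because the authenticator covers the whole reply, a changed attribute byte fails verification just as a wrong secret does; in a real deployment that failure shows up on the IAS side only as the access server ignoring the reply, which is one reason the slide asks you to confirm the secret on both ends before looking anywhere else.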

  35. Server setup: Server configuration, add Remote Access Policy
  • Add an appropriate Remote Access Policy (RAP) to the IAS server
  • You may use the wizard, or you can modify an existing policy
  • Recommendation: Add Wireless-IEEE 802.11 and Wireless-Other to the NAS-Port-Type policy condition. You may also add this as a dial-in constraint in the Remote Access Policy profile (double-click the policy after you create it, and then click Edit Profile to see the constraints)

  36. Server setup: Server configuration, add RAP (2)
  • You may use this setting with additional conditions and constraints as long as they do not conflict
  • Recommendation: When creating a policy, make it as restrictive as possible, so that only authorized users are allowed access
  • Use Windows Groups membership, date and time restrictions, and similar items

  37. Server setup: Server configuration, add RAP (3)

  38. Server setup: Server configuration, add RAP (4)
  • Condition versus constraint
    • If a condition is met, that policy is invoked
    • The constraints are checked after the condition is met
    • Use constraints to have better control over connecting users, even if they are authorized to connect
  • Recommendation: Always make your constraints as restrictive as possible

  39. Server setup: Server configuration, add RAP (5)
  (Screenshots: Policy condition; Policy constraint)

  40. Server setup: Server configuration, authentication types
  • Selecting the authentication type
  • Recommendation: Make sure that no other authentication types are selected

  41. Server setup: Server configuration, authentication types (2)
  • Recommendation: Make sure that you select only one EAP type. You can have more, but try to be as restrictive as possible. As a general rule, have only ONE per policy

  42. Server setup: Server configuration, authentication types (3)
  • If your CA infrastructure is correctly configured, you will see a certificate issued to your computer. If no suitable certificate is found, authentication will not succeed
  • Recommendation: Always enable Fast Reconnect if you are using PEAP. Fast Reconnect improves performance without sacrificing security

  43. Server setup: Server configuration
  • Set up as many policies as required, and make sure that they are as restrictive as possible
  • There is no limit on the number of policies on an IAS server
  • Policies are evaluated sequentially. The first one that matches is used, and the rest are ignored
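Slides 35 through 43 describe three rules that together decide every connection attempt: a policy's conditions decide whether it is the policy that applies, its constraints then decide whether the already-matched user is admitted, and evaluation stops at the first policy whose conditions match. The Python below is an added example that models that evaluation, not code from the WebCast or from IAS, and it simplifies the real engine (it ignores the account's own dial-in permission, for instance). The policy names, group names, the business-hours window and the sample requests are all constructed for illustration; only the NAS-Port-Type values come from the slides.

```python
from dataclasses import dataclass
from datetime import datetime

# The two NAS-Port-Type values the slides recommend as a policy condition
WIRELESS_PORT_TYPES = {"Wireless-IEEE 802.11", "Wireless-Other"}


@dataclass(frozen=True)
class Request:
    """What IAS knows about one connection attempt (constructed for this example)."""
    user: str
    groups: frozenset
    nas_port_type: str
    eap_type: str
    when: datetime


@dataclass
class Policy:
    name: str
    conditions: list    # [(label, predicate)]; all must hold for the policy to be invoked
    constraints: list   # [(label, predicate)]; checked only after the conditions matched
    grant: bool = True  # the policy's grant / deny remote access permission setting


def evaluate(policies, req):
    """Sequential first-match evaluation, as slide 43 describes.

    Once a policy's conditions match, that policy decides: a failed constraint rejects
    the request outright instead of falling through to a later policy.
    """
    for policy in policies:
        if not all(pred(req) for _, pred in policy.conditions):
            continue
        if not policy.grant:
            return ("reject", policy.name, "policy set to deny access")
        failed = [label for label, pred in policy.constraints if not pred(req)]
        if failed:
            return ("reject", policy.name, "constraint not met: " + "; ".join(failed))
        return ("accept", policy.name, "")
    return ("reject", None, "no policy matched")


def is_wireless(req):
    return req.nas_port_type in WIRELESS_PORT_TYPES


def business_hours(req):
    """Monday to Friday, 07:00 to 19:00 (a sample day-and-time restriction)."""
    return req.when.weekday() < 5 and 7 <= req.when.hour < 19


def uses_peap_mschapv2(req):
    return req.eap_type == "PEAP-EAP-MSCHAPv2"


POLICIES = [
    Policy("Wireless staff",
           conditions=[("NAS-Port-Type is wireless", is_wireless),
                       ("member of Wireless Staff", lambda r: "Wireless Staff" in r.groups)],
           constraints=[("EAP type is PEAP-EAP-MSCHAPv2", uses_peap_mschapv2)]),
    Policy("Wireless contractors",
           conditions=[("NAS-Port-Type is wireless", is_wireless),
                       ("member of Contractors", lambda r: "Contractors" in r.groups)],
           constraints=[("business hours only", business_hours),
                        ("EAP type is PEAP-EAP-MSCHAPv2", uses_peap_mschapv2)]),
    # Catch-all placed last: anything the specific policies did not claim is denied
    Policy("Deny everything else", conditions=[("always", lambda r: True)], constraints=[], grant=False),
]

TUESDAY_10AM = datetime(2004, 1, 6, 10, 0)
SUNDAY_3AM = datetime(2004, 1, 4, 3, 0)


def sample_decisions(policies=POLICIES):
    """Evaluate a few constructed requests and return {user: (decision, policy, reason)}."""
    requests = [
        Request("alice", frozenset({"Wireless Staff"}), "Wireless-IEEE 802.11", "PEAP-EAP-MSCHAPv2", SUNDAY_3AM),
        Request("bob", frozenset({"Contractors"}), "Wireless-Other", "PEAP-EAP-MSCHAPv2", SUNDAY_3AM),
        Request("carol", frozenset({"Contractors", "Wireless Staff"}), "Wireless-IEEE 802.11", "PEAP-EAP-MSCHAPv2", SUNDAY_3AM),
        Request("dave", frozenset({"Wireless Staff"}), "Ethernet", "EAP-TLS", TUESDAY_10AM),
    ]
    return {r.user: evaluate(policies, r) for r in requests}


if __name__ == "__main__":
    for user, decision in sample_decisions().items():
        print(user, decision)
    # Swapping the first two policies changes carol's outcome: she matches the contractors
    # policy first and its time constraint rejects her, even though the staff policy would admit her
    print("carol, contractors policy first:", sample_decisions([POLICIES[1], POLICIES[0], POLICIES[2]])["carol"])
```

The reordering at the end is the practical consequence of "the first one that matches is used": a user who is in more than one group is judged by whichever matching policy sits higher in the list, so policy order is part of the security configuration and should be reviewed whenever a policy is added.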

  44. Server setup: Server configuration, connection request processing
  • Next, you must set up connection request processing. By default, IAS authenticates on the local server (against Active Directory). You may instead proxy the authentication to a remote computer. Check the links at the end for setting up an IAS proxy

  45. Troubleshooting
  • First step: check the IAS server's event log
  • The event log contains information for all authentications that take place. Make sure that you select both Rejected authentication requests and Successful authentication requests on the IAS server properties page
  • Right-click the root node in the IAS snap-in, and then click Properties to see this page

  46. Troubleshooting (2)

  47. Troubleshooting: Trace logs
  • When troubleshooting, always enable tracing: NETSH RAS SET TRACING * ENABLED
  • When done troubleshooting, always disable tracing to eliminate the additional overhead: NETSH RAS SET TRACING * DISABLED
  • Trace files are available under %windir%\Tracing (windir is the folder where Windows is installed)

  48. Troubleshooting: Trace logs (2)
  • Trace files are generated on the client and on the server
  • Traces to look for on the client are RASTLS and RASCHAP, depending on the authentication method being used. They give a rough idea of what is going on during the authentication process
  • Traces to look for on the IAS server are RASTLS, IASSAM, and possibly RASCHAP when using PEAP-EAP-MSCHAPv2. These also give a rough idea of what is going on during the authentication
  • An unexplained error or failure written in the logs might indicate a problem

  49. Troubleshooting: Network Monitor
  • Install Network Monitor
  • Network Monitor helps you sniff the RADIUS traffic and understand what is going on
  • When doing 802.1X, all EAP payloads (inside RADIUS) are encrypted
  • Other RADIUS information might not be encrypted
  • Network Monitor is included with Windows Server 2003. Use Add/Remove Windows Components (look under Management and Monitoring Tools) to add Network Monitor

  50. Troubleshooting: Things to check
  • Always check your connections:
    • Make sure that you can ping the APs
    • Make sure that the firewall is not blocking traffic
