2005 - Pérennisation
How to secure a wireless network with Windows 2003 Server
[30 min of reading - published 5/12/2005 6:46:24 PM - Target : Experienced]

Author

Thomas LIAUTARD
Student-Engineer, Supinfo Paris
SUPINFO graduate, class of 2007


1 Presentation

1.1 Presentation of WPA and 802.1X

While the new 802.11i standard was still under development, the Wi-Fi Alliance and the IEEE decided to define the WPA protocol in order to fill the gaps of the WEP protocol.

Previously, Wi-Fi networks used fixed WEP keys, configured on the access points.

But the use of WEP keys revealed two important weaknesses:

  • The use of rudimentary cryptographic algorithms made it very vulnerable: an attacker needs only a few hours to break the keys in use.
  • Second weakness: the impossibility of authenticating a computer or a user connecting to the network.

To solve the cryptography problem, WPA defines two new methods of encryption and integrity control:

  • TKIP (Temporal Key Integrity Protocol): this protocol was designed to fit existing hardware as well as possible. It uses RC4 as encryption algorithm, adds a MIC integrity check and introduces a key management mechanism (dynamic keys regenerated at a preset interval).
  • CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): stronger than TKIP, it uses AES as encryption algorithm. It is the solution that seems set to prevail in the long term. However, this protocol is completely incompatible with current hardware.

WPA uses the 802.1X protocol. Also called EAPOL (EAP Over LAN), it is used as the transport for an EAP authentication. This makes it possible to authenticate the machines or the users connected to a local area network.

The 802.1X protocol defines three categories of actor, each playing a different role.

  • Supplicant: the workstation that requests access to the network.
  • The authenticator: the Wi-Fi device (also a Radius client, see next chapter) providing the connection to the network. It supports two states, unauthorized and authorized, but it only plays the part of a relay in the authentication.
  • The authentication server: a server implementing a Radius solution.

WPA is a complex solution; however, a special mode of WPA (WPA-PSK: Pre-Shared Key) also exists so that private individuals can benefit from this security without an authentication server. The configuration of WPA-PSK starts with the choice of a static key or "passphrase", as for WEP. But, using TKIP, WPA-PSK changes the keys automatically at a preset interval.

1.2 Presentation of EAP authentication

There are various authentication methods for EAP (Extensible Authentication Protocol).

Here are the different methods:

  • EAP-MD5: the simplest. The client is authenticated by the server using a challenge-response mechanism. The server sends a random value (the challenge); the client concatenates the password with it and computes a digest using the MD5 algorithm. The server, which knows the password, computes its own digest, compares the two and accepts or rejects the result.
  • LEAP (Lightweight EAP): a Cisco-specific method that uses shared secrets to mutually authenticate the server and the client. It does not use any certificate and is based on the exchange of a challenge and a response.
  • EAP-TTLS (Tunneled Transport Layer Security): uses TLS as a tunnel to exchange attribute-value pairs in the manner of RADIUS, which are then used for the authentication. Practically any authentication method can be used.
  • PEAP (Protected EAP): a method very similar to EAP-TTLS, developed by Microsoft. It uses a TLS tunnel to carry EAP, so all the authentication methods supported by EAP can then be used.
  • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security): the most secure. The server and the client each have their own certificate, which are used to authenticate them mutually. It is relatively constraining because of the need to deploy a Public Key Infrastructure. TLS, the standardized version of SSL (Secure Socket Layer), is a secured transport protocol (encryption, mutual authentication, integrity control) also used underneath HTTPS, the secured version of HTTP, to make the Web safer.
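
The EAPOL transport described in 1.1 and the EAP-MD5 challenge/response described above, as an added worked example in Python (not code from the original article): it builds and parses an EAPOL frame carrying an EAP-Request/MD5-Challenge, then computes and checks the response digest. The challenge and password are constructed values; the digest input order (Identifier, password, challenge) is the one fixed by RFC 1994 (CHAP), which EAP-MD5 reuses.

```python
import hashlib
import hmac
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
EAPOL_VERSION = 1
EAPOL_TYPE_EAP = 0            # EAPOL frame carrying an EAP packet
EAP_REQUEST = 1
EAP_TYPE_MD5_CHALLENGE = 4    # EAP-MD5 (RFC 3748 section 5.4)


def build_md5_challenge_request(identifier, challenge, name=b""):
    """Authenticator side: EAP-Request/MD5-Challenge wrapped in an EAPOL-EAP frame."""
    type_data = bytes([len(challenge)]) + challenge + name   # Value-Size, Value, Name
    eap_len = 5 + len(type_data)                             # Code, Id, Length(2), Type
    eap = struct.pack("!BBHB", EAP_REQUEST, identifier, eap_len, EAP_TYPE_MD5_CHALLENGE) + type_data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP, len(eap)) + eap


def parse_eapol_eap(frame):
    """Supplicant side: unwrap the EAPOL header and the EAP packet, rejecting bad lengths."""
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP or eapol_len != len(frame) - 4:
        raise ValueError("not an EAPOL-EAP frame, or length field does not match")
    eap = frame[4:]
    code, identifier, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_len != len(eap):
        raise ValueError("EAP length field does not match the frame")
    return {"version": version, "code": code, "identifier": identifier,
            "type": eap_type, "data": eap[5:]}


def md5_challenge_response(identifier, password, challenge):
    """Supplicant side: the response value is MD5(Identifier || password || challenge),
    the CHAP computation (RFC 1994) that EAP-MD5 reuses."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier, password, challenge, response):
    """Authentication server side: it must hold the cleartext password to recompute the
    digest, and nothing in this exchange proves the server's identity to the supplicant."""
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values (not captured traffic).
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = b"constructed-password"
```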

We will use the EAP-TLS method.

With EAP-TLS, the authentication of the client can take two forms:

  • Using a certificate associated with the machine, the authentication takes place when the machine starts.
  • Using a certificate associated with the user, the authentication takes place after the user logs on.

It is possible to combine the two preceding methods. The value of the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode" makes it possible to modify this behavior:

  • 0: authentication of the machine at startup, also used in the event of an authentication failure of the user at logon
  • 1: authentication of the machine at startup, then authentication of the user at logon
  • 2: authentication of the machine only

We will use X509v3 certificates with an Extended Key Usage, issued by the Web site of the certificate authority.

1.3 Presentation of Radius

The Radius server (Remote Authentication Dial-In User Service) was initially designed to authenticate modem (PPP) connections.

Now Radius can be used to centralize authentication, authorization and accounting for remote access, VPN, Wi-Fi...

Under Windows 2003 Server it is possible to create access policies to authorize users, user groups, computers or any other resource wanting to connect to the network.

The Radius protocol handles the exchanges between a Radius client and the authentication server. It uses UDP, on port 1812 for authentication and port 1813 for accounting.

A Radius environment is made up of:

  • A Radius server, which centralizes authentication, authorization and accounting
  • A Radius client, a Wi-Fi authenticator which receives the RADIUS authentication requests from the clients and forwards them to the Radius server.
  • A Wi-Fi client (supplicant) running Windows XP, 2000 or some other operating systems.

In our case, the Radius protocol will only be used to transport TLS and to define which user or which group will have access to the network.
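
The exchange between the Radius client (the Wi-Fi authenticator) and the Radius server, as an added Python example (not from the original article): it builds an Access-Request that relays one EAP packet with the Message-Authenticator attribute that RFC 3579 requires whenever EAP-Message is present, and checks the Response Authenticator the server returns (RFC 2865). The shared secret, Request Authenticator and EAP bytes are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865; attributes 79/80 from RFC 2869 and RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, request_auth, user_name, eap_packet, secret):
    """Radius client side: relay one EAP packet to the server over UDP 1812.
    Message-Authenticator = HMAC-MD5(secret, whole packet with attribute 80 zeroed)."""
    attrs = attr(ATTR_USER_NAME, user_name) + attr(ATTR_EAP_MESSAGE, eap_packet)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Radius server side: walk the attributes, zero attribute 80, recompute the HMAC-MD5.
    A request carrying EAP-Message without a valid attribute 80 must be discarded."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False          # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                  # attribute absent


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response_authenticator(response, request_auth, secret):
    """Radius client side: a reply that does not verify against the request's Authenticator
    and the shared secret is a forgery or belongs to another request."""
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

Both checks rest on the shared secret configured identically on the access point and on the Radius server; a packet that fails either check is silently dropped rather than answered.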

[Figure: Radius architecture diagram (1radius.gif)]
