Using IAS server to setup 802.1x networks Sam Salhi Software Test

Setting up 802.1X networks by using Internet Authentication Service


   The main objective is to educate enterprise network
    administrators about how to set up secure 802.1X
    networks

   Server setup
       Authentication methods and vulnerabilities
       Best practices and recommendations
   Certificate Authority (CA) setup
       Best practices and recommendations
   Active Directory® and client setup
       User and computer account setup and management
       Policy configuration in the domain
       Best practices and recommendations
   Troubleshooting


   At the moment, setting up 802.1X is one of the
    most challenging tasks that network and
    systems administrators face
   This Support WebCast is targeted at network
    professionals, such as administrators, who need
    to improve security and centralize wireless
    access to their networks

                         Recap
   RADIUS
       RADIUS is a standard for authentication, authorization,
        and accounting (Microsoft implementation adds
        auditing); AAA or AAAA for short (triple A or quad A)
       RADIUS is primarily used to manage network access
        through dial-in, wireless, and VPN network access
       The protocol was standardized in RFC 2058; the
        current implementation is defined in RFCs 2138 and
       RADIUS uses User Datagram Protocol (UDP) packets.
       Older servers used ports 1645 and 1646.
       Latest standards are ports 1812 for authentication and
        1813 for accounting.
       Internet Authentication Service (IAS) can be configured
        to use any other unused port for RADIUS.

                         Recap         (2)
   IEEE 802.1X    (8021X for short)
       A mechanism to provide authentication and key
       Dynamic key management = Different keys per
        different client
       More secure than WEP, and less susceptible to WEP
        crack techniques
       Works with wired and wireless LANs
       Supports multiple authentication methods, token keys,
        passwords, certificates, one-time passwords, and
       Many more great features such as central user
        management and mutual authentication
          Setting up Active Directory
   To set up Active Directory, run
    Dcpromo.exe on your future domain
   When the domain is up, you can
    create user accounts and add
    computer accounts to the Active
   In Windows 2000 mixed domains, the
    accounts must be set to Allow access
    so that they can be successfully
    authenticated. There are mechanisms
    to override this on the IAS server.
   In native domains in Windows 2000
    (and later), the Control access
    through Remote Access Policy
    option is available. This is the default
    (and the recommended setup for all
    user and computer accounts), because
    this option allows the IAS server to
    determine whether to let the user in or
    Certificate Authority (CA) setup
    To set up the CA, perform the following steps
     on your future CA server:
    1.   Click Start, click Control Panel, and then double-
         click Add or Remove Programs.
    2.   Click Add/Remove Windows Components.
    3.   Click Certificate Services, and then click Details.
    4.   Make sure that Certificate Services Web
         Enrollment Support is selected. (You must have
         IIS installed before you perform this step.)

                       CA setup              (2)

   Recommendation
       Use Certificate Services on computers running
        Microsoft® Windows Server™ 2003 Enterprise
        Edition. This allows the administrator to have custom
        templates and it includes two important certificate
          RAS and IAS Server Authentication
          Wireless Authentication

         These customized templates have the correct
         settings for the IAS server and wireless clients

                   CA setup      (3)

   When the CA is installed, you must publish
    the certificate templates:
       RAS and IAS Server Authentication
       Wireless Authentication

                       CA setup          (4)
    Follow these steps to add the templates:
    1.   Click Start, point to Programs, point to
         Administrative tools, and then click Certificate
    2.   Find the certificate templates.
    3.   Right-click the certificate templates, and then click
         Certificate Template to issue.
    4.   In the dialog box that appears, click RAS and IAS
         server authentication and Wireless

        Setting up Group Policy
   By default, wireless Group Policy settings are
    not set.
   An administrator might want to change the
    default to make the process of getting wireless
    clients on the network easier.
   Group Policy must be downloaded to the client
    before it can take effect on the client
    computers. This happens automatically when a
    domain user logs on to the computer for the
    first time, or when a new computer joins the
    domain (after first boot). It also happens at
    regular intervals.
       Setting up Group Policy (2)
   To force the Group Policy download on the client
    computer, use the GPUPDATE.EXE command-line tool
    with the /F[orce] option. This makes the
    computer download and update Group Policy
    locally (with any new modifications).
   Use Group Policy to automatically enroll
    certificates for client computers. This is in
    addition to other certificates needed by the client
    (like the enterprise root certificate or other third-
    party root certificates that the administrator
    wants to push down to the clients automatically
    through Group Policy).

       Setting up Group Policy (3)
   Open the Active Directory Users and
    Computers snap-in.
   Locate an organizational unit (OU) that
    you would like to have wireless policy
    applied to, or create a new one by right-
    clicking the domain name, pointing to
    New, and then clicking Organizational
   Add computers that you would like to
    apply the Group Policy to.
   Note Wireless Group Policy applies only to
        Setting up Group Policy (4)
   Right-click the OU, and then click Properties.
       Tip You can make the policy domain wide by right-
        clicking the domain name. Check the links at the end
        for additional information about Group Policy.
   Click the Group Policy tab.
   Click New.
   Type the new name.
   Click Edit to start editing the policy.

Setting up Group Policy (5)

Note You can also use the new Group Policy Management Console (GPMC), which works the same way.
                  Check the links at the end of this WebCast for more information.
                Group Policy
              Configuring 802.1X in GP

   Find the Wireless Network (IEEE
    802.11) and right-click it.
   Select Create Wireless
    Network Policy.
   After the wizard is done,
    continue to edit properties.

                  Group Policy             (2)
                  Configuring 802.1X in GP
       Recommendation On the General tab, make
        sure to change the Networks to access list to
        Access point (infrastructure) networks
         This option will only push this SSID as the default on
          your clients. (It will be added in the Preferred
          Networks list.)
         Wireless group policy is not exclusionary technology;
          you cannot prevent users from connecting to other
         You can limit your clients to connect only to APs or
          ad hoc networks.
       Click the Preferred Networks tab, and then
        click Add.
Group Policy        (3)
Configuring 802.1X in GP

               Group Policy         (4)
              Configuring 802.1X in GP

   Select the Service Set Identifier (SSID) of your
    network. Clients will default to this SSID when
    presented with multiple SSIDs.
   Add a description (optional).
   Leave the other default settings unchanged.

Group Policy        (5)
Configuring 802.1X in GP

              Group Policy       (6)
             Configuring 802.1X in GP

   Click the IEEE 802.1X
   Select the appropriate
    EAP type.
   Click Settings.

               Group Policy        (7)
               Configuring 802.1X in GP

   Select EAP method’s
    additional configuration.

                      Group Policy                (7)
           Configuring 802.1X in GP
   Recommendations
       Always enable validate server certificate (to make sure
        that the client authenticates the server)
       Always enable Fast Reconnect with PEAP
       Optionally, supply the names of your IAS servers in the
        Connect to these servers field. This will prevent the
        clients from connecting to rogue servers. Make sure
        that you specify the fully qualified domain name
        (FQDN) of the server as it appears in the server
            Starting in Windows® XP SP2, this field is a regular
             expression, so if you want to accept servers in the
    domain you type: ^.*\.microsoft\.com$
   These settings are available on the client for
    individual client configuration.
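
An added example (not part of the original slides) that audits a candidate pattern for the Connect to these servers field before it is pushed through Group Policy. The host names are constructed, and treating the field as a regex search over the certificate name is an assumption.

```python
import re

DOMAIN = "microsoft.com"            # the domain used in the slide's pattern
GOOD = ["ias1.microsoft.com", "ias2.corp.microsoft.com"]   # constructed hosts

def probe_names(domain):
    """Constructed names that a pattern meant for *.domain must reject."""
    return [
        f"ias1.{domain}.rogue.example",         # trusted name only as a prefix
        f"ias1.not{domain}",                    # suffix without a label boundary
        "ias1." + domain.replace(".", "x"),     # passes only if '.' is a wildcard
    ]

def audit(pattern, domain=DOMAIN, good=GOOD):
    """Return (wrongly_rejected, wrongly_accepted) for a candidate pattern.

    Assumption: the field is applied as a regex search over the certificate
    name, so a pattern is only as strict as its own anchors and escapes.
    """
    rx = re.compile(pattern)
    rejected = [n for n in good if not rx.search(n)]
    accepted = [n for n in probe_names(domain) if rx.search(n)]
    return rejected, accepted

CANDIDATES = {
    "slide":      r"^.*\.microsoft\.com$",   # pattern shown on the slide
    "unanchored": r".*\.microsoft\.com",     # missing ^ and $
    "unescaped":  r"^.*.microsoft.com$",     # dots left as wildcards
}

if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        rejected, accepted = audit(pattern)
        print(f"{label:<11} {pattern:<24} rejects-good={rejected} accepts-bad={accepted}")
```

Only the anchored, escaped form from the slide rejects every probe name while still accepting the legitimate servers.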
                  Server setup

   Setting up the IAS server
       IAS is the Microsoft implementation of RADIUS.
        RADIUS is one of the most popular
        authentication protocols.
       IAS is included in Windows 2000 Server and
        Windows Server 2003. Add IAS by using
        Add/Remove Windows Components.

             Server setup          (2)
   There are some limitations in the Standard
    Server IAS: it is limited to 50 RADIUS clients and 2
    server groups
      Windows Server 2003, Enterprise Edition and
       Windows Server 2003, Datacenter Edition do not
       have these limitations
      Windows XP and Windows Server 2003, Web Edition
       do not have IAS
      Windows Small Business Server 2003, Standard
       Edition has the standard server IAS
   IAS has been a component in Windows since
    Windows NT® 4.0
   802.1X network support is available only in
    Windows 2000 Server IAS and Windows Server
    2003 family IAS
                    Server setup
                 Authentication methods

   IAS supports many authentication
       Extensible Authentication Protocol –
        Transport Layer Security (EAP-TLS)
          This is a robust and secure protocol, used with
           smart cards and certificates
          EAP-TLS provides very high levels of security and
           leverages the use of Public Key Infrastructure
           (PKI) based on the widely accepted Secure
           Sockets Layer (SSL) technology
                 Server setup
             Authentication methods       (2)

       Protected EAP (PEAP) is also a very secure
        authentication protocol. It has an internal
        protected authentication method that is flexible
        and easy to deploy, without the need for client-
        side certificates.
       This authentication is the ultimate in security,
        providing a secured external channel for EAP-TLS
        to be negotiated.

                  Server setup
             Advantages of EAP and PEAP

   The main advantages of EAP and PEAP are that
    the Access Point (AP) becomes a pass-through
    for the authentication, allowing the client to
    communicate directly with the server with little
    interference from the AP.
   EAP and PEAP allow the mutual authentication
    of client and server, where the client validates
    the server certificate to ensure its validity and
    authenticity, before connecting to the network.
    Note Mutual authentication is not done in all
    EAP methods.
                 Server setup
           Advantages of EAP and PEAP   (2)

   Combined with 802.1X, EAP and PEAP provide a
    great framework for exchanging encryption
    keys without resorting to static Wired
    Equivalent Privacy (WEP) for encryption.
   Keys are provided to the AP and the client after
    successful authentication.

                 Server setup
                 Server configuration

   Before IAS can be set up for EAP/PEAP, the
    infrastructure for this must be in place.
   Active Directory, DHCP, and Certificate
    Authority all must be in place before IAS. We
    will discuss the basic setup of Active Directory
    and Certificate Authority. DHCP and DNS are
    beyond the scope of this WebCast

                 Server setup
               Server configuration   (2)

   Active Directory and Certificate Authority are
    optional for only PEAP-EAP-MSCHAPv2, but are
    highly recommended for centralized
   Active Directory is also mandatory in the case
    of computer authentication.
   IAS can be deployed with a public domain
    certificate that can be obtained from any public
    Certificate Authority.
                      Server setup
                    Server configuration     (3)

   Register IAS in Active Directory
       Log on to the IAS server as a domain
       Right-click the IAS root node, and then click
        Register IAS in Active Directory.
            This is a very important step. Without
             successfully registering IAS, the server may not
             be able to look up users or get proper

                   Server setup
              Server configuration, add clients
   Make sure that the client
    is a member of the
    clients list.
   Confirm that the case-
    sensitive shared secret is
    correctly configured on
    IAS and Access Server
    (802.1X capable switch
    or Access Point).
   Select a strong secret
    that is more than 15
    characters and contains
    both alphanumeric and
    special characters.
                     Server setup
    Server configuration, add Remote Access Policy
   Add an appropriate Remote Access Policy
    (RAP) to the IAS server
        You may use the wizard or you can modify an
         existing policy.
        Recommendation Add Wireless
         IEEE802.11 and Wireless-Other to the
         NAS-Port-Type policy condition. You may
         also add this as a dial-in constraint in the
         Remote Access Policy profile (double-click the
         policy after you create it, and then click Edit
         profile to see the constraints).
                 Server setup
          Server configuration, add RAP   (2)

   You may use this setting with additional
    conditions and constraints as long as they do
    not conflict
   Recommendation When creating a policy,
    make sure that you make it as restrictive as
    possible, to make sure that only authorized
    users are allowed access
        Use Windows Groups membership, date and time
         restrictions, and similar items

      Server setup
Server configuration, add RAP   (3)

                  Server setup
            Server configuration, add RAP   (4)

   Condition versus constraint
       If a condition is met, that policy is invoked
       The constraint is checked after the condition
        is met
       Use constraints to have better control over
        users connecting, even if they are authorized
        to connect
       Recommendation Always make your
        constraints as restrictive as possible
      Server setup
Server configuration, add RAP     (5)

           Policy condition

              Policy constraint
                    Server setup
         Server configuration, authentication types
   Selecting the authentication type
       Recommendation
        Make sure that no other
        authentication types
        are selected

                 Server setup
    Server configuration, authentication types   (2)

   Recommendation Make sure that you select
    only one EAP type. You can have more, but try
    to be as restrictive as possible. As a general
    rule, have only ONE per policy

                 Server setup
      Server configuration, authentication types   (3)
   If your CA infrastructure is
    correctly configured, you
    will see a certificate issued
    to your computer. If no
    suitable certificate is found,
    authentication will not be
   Recommendation Always
    enable fast reconnect if you
    are using PEAP. Fast
    reconnect improves
    performance without
    sacrificing security.
                   Server setup
                   Server configuration

   Set up as many policies as required and
    make sure that they are as restrictive as
       There is no limitation for the number of
        policies on IAS server.
       Policies are evaluated sequentially. The first
        one that matches is used and the rest are
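
An added example (not from the original slides) that models the evaluation order described here and in the condition versus constraint slide: conditions select the first matching policy, and its constraints then decide the request. The policy names, groups and hours are constructed, and the model is a simplification in which a failed constraint rejects the request without consulting later policies.

```python
from dataclasses import dataclass
from datetime import time

WIRELESS = {"Wireless-IEEE802.11", "Wireless-Other"}   # NAS-Port-Type values

@dataclass
class Policy:
    name: str
    conditions: dict                              # attribute -> accepted values
    hours: tuple = (time(0, 0), time(23, 59))     # constraint: logon window
    eap_types: tuple = ("PEAP",)                  # constraint: one EAP type

def conditions_met(policy, request):
    """Every condition attribute must share a value with the request."""
    return all(set(request.get(attr, ())) & set(accepted)
               for attr, accepted in policy.conditions.items())

def constraints_met(policy, request):
    start, end = policy.hours
    return start <= request["time"] <= end and request["eap"] in policy.eap_types

def evaluate(policies, request):
    """Return (decision, policy name); only the first matching policy counts."""
    for policy in policies:
        if conditions_met(policy, request):
            # Constraints are checked only now, and a failure is final:
            # later policies are never consulted.
            decision = "Accept" if constraints_met(policy, request) else "Reject"
            return decision, policy.name
    return "Reject", None                         # no policy matched

def make_request(group, hour):
    """Constructed access request from a wireless client using PEAP."""
    return {"NAS-Port-Type": ["Wireless-IEEE802.11"], "Windows-Groups": [group],
            "time": time(hour, 0), "eap": "PEAP"}

# Constructed policies: a catch-all and a restrictive one.
ANY_WIRELESS = Policy("Any wireless", {"NAS-Port-Type": WIRELESS})
STAFF = Policy("Staff wireless",
               {"NAS-Port-Type": WIRELESS, "Windows-Groups": {"Staff"}},
               hours=(time(7, 0), time(19, 0)))

if __name__ == "__main__":
    for order in ([ANY_WIRELESS, STAFF], [STAFF, ANY_WIRELESS], [STAFF]):
        names = [p.name for p in order]
        for group, hour in (("Staff", 22), ("Contractors", 22), ("Staff", 10)):
            print(names, group, hour, evaluate(order, make_request(group, hour)))
```

With the catch-all policy first, the staff hour restriction never applies; with it last, it still admits anyone the restrictive policy does not select, so a broad policy weakens the set wherever it sits.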

                 Server setup
Server configuration, connection request processing

   Next, you must set up connection request
    processing. By default, IAS authenticates on the
    local server (against Active Directory). You may
    proxy the authentication to a remote computer.
    Check the links at the end for setting up IAS


   First step: Check the IAS server’s event
       The event log will contain information for all
        authentications that take place. Make sure
        that you select both Rejected
        authentication requests and Successful
        authentication requests on the IAS server
        properties page.
            Right-click the root node in the IAS Snap-In, and
             then click Properties to see this page.
Troubleshooting (2)

                         Trace logs

   When troubleshooting, always enable tracing:
   When done troubleshooting, always disable
    tracing to eliminate additional overhead:
   Trace files are available under
    (windir is the folder where Windows is installed)

                          Trace logs    (2)

   Trace files are generated on the client and on the server.
   Traces to look for on the client are RASTLS and RASCHAP.
    These depend on the authentication method being used.
    Additionally, they will give a rough idea about what is going
    on during the authentication process.
   Traces to look for on the IAS server are RASTLS, IASSAM,
    and possibly RASCHAP when using PEAP-EAP-MSCHAPv2.
    These will also give a rough idea about what is going on
    during the authentication.
   An unexplainable error or a failure that is written in the logs
    might mean that there has been a problem.

                      Network Monitor
   Install Network Monitor
       Network Monitor will help you sniff the RADIUS
        traffic and understand what is going on
          When doing 802.1X, all EAP payloads (inside
           RADIUS) are encrypted.
          Other RADIUS information might not be encrypted.

       Network Monitor is included with
        Windows Server 2003. Use Add/Remove
        Windows Components (look under
        Management and Monitoring Tools) to add
        Network Monitor.
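
An added example (not from the original slides) of what a captured RADIUS Access-Request exposes outside the EAP payload, and how the shared secret configured on IAS and the access point authenticates the packet through the Message-Authenticator attribute (HMAC-MD5, RFC 3579). The secret, user name, EAP bytes and Request Authenticator are constructed sample values.

```python
import hashlib, hmac, struct

SECRET = b"Constructed-Secret_4-Demo!"        # constructed shared secret (>15 chars)
EAP = bytes([2, 1, 0, 10, 25, 0]) + bytes(4)  # constructed EAP-Response, type 25 (PEAP)
NAMES = {1: "User-Name", 61: "NAS-Port-Type", 79: "EAP-Message",
         80: "Message-Authenticator"}
PORT_TYPES = {18: "Wireless-Other", 19: "Wireless-IEEE802.11"}

def attr(kind, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([kind, len(value) + 2]) + value

def build_access_request(secret, user, eap, ident=1):
    """Constructed Access-Request (code 1) such as an AP would send."""
    attrs = (attr(1, user.encode()) + attr(61, struct.pack("!I", 19))
             + attr(79, eap) + attr(80, bytes(16)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16))
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac         # fill in the zeroed Message-Authenticator

def parse(packet):
    """Return (code, identifier, [(type, value_offset, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def cleartext_view(packet):
    """What a capture reveals without knowing the shared secret."""
    view = {}
    for kind, _, value in parse(packet)[2]:
        if kind == 1:
            view[NAMES[kind]] = value.decode()
        elif kind == 61:
            view[NAMES[kind]] = PORT_TYPES.get(struct.unpack("!I", value)[0], "other")
        else:
            view[NAMES.get(kind, f"attr-{kind}")] = f"<{len(value)} opaque bytes>"
    return view

def message_authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 over the packet with attribute 80 zeroed."""
    for kind, offset, value in parse(packet)[2]:
        if kind == 80 and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                              # attribute missing: treat as failure

PACKET = build_access_request(SECRET, "alice@example.com", EAP)
```

A mismatched secret on either side makes this check fail for every request, which is why the shared secret is one of the first things to confirm when all authentications from one access point are dropped.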
                     Things to check

   Always check your connections:
       Make sure that you can ping the APs
       Make sure that the firewall is not blocking

                     Things to check     (2)

   Check that the IAS server has a valid certificate
    (a valid certificate will be requested on behalf
    of the computer if it has been added as a
    member of the RAS and IAS servers group).
       If Register Server in Active Directory is
        unavailable and you still can’t find the IAS server in
        the RAS and IAS servers group on the DC, you can
        add it manually.
       You can also specify an IAS server in the RAS and
        IAS servers certificate template; click the Security
        tab of the Certificate template.

                  Ask the experts

   Visit the RADIUS newsgroup and post questions
    there to obtain help from the community.
    Additionally, many members of the IAS
    development team monitor and respond to
    questions posted to the newsgroup.

    If you have to contact Product Support Services

   When you send a question to Product
    Support Services (PSS), provide:
        Network Monitor captures
        Trace logs from the client and the server to
         help PSS identify the problem
        A configuration dump, using the command-
         line command:
         NETSH AAAA SHOW CONFIG > ConfigFile.TXT

        A rough description of your network
