Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Whats my best option other than Certs 2

Status
Not open for further replies.

teckystuff

Technical User
Jan 26, 2006
289
ZA
Hi guys - a little advice if you could. We currently have a wireless solution that involves certificates and IAS. This was setup by a previous employee so I am still trying to figure what he did, but any way I would like to move away from a certificate based solution as its causing more hassle than good. The certificates stop working randomly and you need to find a physical network point to download a new certificate etc etc and then it works. Often management come in early and find they cant work because of this and then the shouting starts. What are my options besides certificates to provide a secure yet simple solution. If it helps I am using a Cisco Aironet 1200 series AP.

*****************************************
Your mouse has moved - reboot for changes to take effect
 
Using certificates in conjunction with WPA2/AES & EAP-TLS is currently the most secure way of securing your Wireless network. However as you have experienced if you don't get it set up quite right you can have issues. If you feel the Certificate setup is too complex and troublesome then you have other options that are still secure, albeit slightly less secure if you get my meaning.

WPA2/AES using EAP-TLS is the most secure but requires Certificates on the Clients as well as the Radius (IAS) Server
WPA2/AES using PEAP is next, this requires only a certificate on the IAS Server and clients use EAP-MSCHAPv2 to authenticate themselves.

We have a Certificate Based Wireless infrastructure (WPA2/AES using EAP-TLS) and this works flawlessly using Both Machine & User authentication. Certificates do expire, however AD is configured to allow the Machines and Users to automatically request certificates (no user intervention). There is also redundancy built-in since there are mutliple Radius (IAS) servers and a 2-level CA hierarchy.

There are quite a few resources on Microsoft's website, however this is a good starting point:


HTH

Andy
 
I have also gone back and forth on this issue. There is a lot to be said for WPA-PSK, that is, WPA with a preshared key. It is very simple conceptually. As long as you use a long random key, offline dictionary cracking is just wasting your attacker's time.

You'd still have to touch every client to enter the key. If your complaint is that you must do special client stuff to download a cert, you haven't improved the situation much. In fact, if you have Active Directory on your IAS machine, you can use Group Policy to autoenroll, that is automatically download the cert to the client. That would mean LESS admin per client and GREATER control over who gets authorized (it can be by domain account). You can even require only certain machines, only certain users, either-or, or both-and.

With the preshared key, one breach and you can't just throw one machine or user off the network (as you could with Certs/IAS/AD by removing the user or machine from the wireless group). You must change the key which means reentering it on EVERY WIRELESS CLIENT! Not bad if there's a half dozen. If there's many, the chances of changing them all smoothly approaches zero.

Of course with autoenroll, you can still have certain attacks that could be avoided with manual certificate loading. But as you point out, administration must be smooth enough that users have it "just work" without you having to continually muck about with their laptops and that's unlikely without the autoenroll.
 
Many thanks - so if I understand you correctly with the WPA-PSK I can get away from using a IAS server altogether? albiet it a bit less secure. If I implement this and setup the pre shared key once on the machine will that hopefully be the only time, unless I change the key obviously?
Will the machines connect to the network before logging into windows ok?

I dont think I am understanding the Autoenroll function. At the moment if the machine does not have a certificate installed or if it has a problem I have to connect it to a physical network point and download and install the cert. Would the autoenroll help in this case?

Ps: Thanks for the link. Lots of reading but it has to be done.

*****************************************
Your mouse has moved - reboot for changes to take effect
 
To initially get a certificate on a PC it must be connected to either a wired network or an unsecured wireless network. The PC must be enrolled, however this can be automated using Autoenrollment. You should only need to connect the PC to the wired network once though and this would normally be done during the Laptop build, which has to happen anyway. Certificates can also be renewed via Autoenrollment so once the PC is on the network you should be OK and not need to connect to the wired network again.

The main issue with Pre-Shared-Keys is once the key is compromised you must manually change all the devices with the key. This is fine if there are only a handful of PC's but if there are lots.... Plus do you know the key has been compromised? It is possible that the key has been guessed or discovered and a user is actively accessing the network without your knowledge.

I would suggest using WPA/AES with PEAP since this is much more secure than WPA-PSK and does not rely on any static key configuration.

HTH

Andy
 
Thanks again. I am going to be looking into the WPA/AES with PEAP option in detail.

*****************************************
Your mouse has moved - reboot for changes to take effect
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top