f0c9a61bb8cf5dc1fbc86fee3675d737.ppt
- Количество слайдов: 53
Setting up 802. 1 X networks by using Internet Authentication Service 1
Objective n Main objective is to educate network enterprise administrators about how to set up 802. 1 X secure networks 2
Agenda n Server setup n n n Certificate Authority (CA) setup n n Best practices and recommendations Active Directory® and client setup n n Authentication methods and vulnerabilities Best practices and recommendations User and computer account setup and management Policy configuration in the domain Best practices and recommendations Troubleshooting 3
Abstract n n At the moment, setting up 802. 1 X is one of the most challenging tasks that network and systems administrators face This Support Web. Cast is targeted at network professionals, such as administrators, who need to improve security and centralize wireless access to their networks 4
n RADIUS n n n n Recap RADIUS is a standard for authentication, authorization, and accounting (Microsoft implementation adds auditing); AAA or AAAA for short (triple A or quad A) RADIUS is primarily used to manage network access through dial-in, wireless, and VPN network access servers. The protocol was standardized in RFC 2058; the current implementation is defined in RFCs 2138 and 2139. RADIUS uses User Datagram Protocol (UDP) packets. Older servers used ports 1645 and 1646. Latest standards are ports 1812 for authentication and 1813 for accounting. Internet Authentication Service (IAS) has the ability to map any other unused port to do RADIUS. 5
Recap (2) n IEEE 802. 1 X (8021 X for short) IEEE 802. 1 X n n n A mechanism to provide authentication and key management Dynamic key management = Different keys per different client More secure than WEP, and less susceptible to WEP crack techniques Works with wired and wireless LANs Supports multiple authentication methods, token keys, passwords, certificates, one-time passwords, and others Many more great features such as central user management and mutual authentication 6
Setting up Active Directory n n To set up Active Directory, run Dcpromo. exe on your future domain controller. When the domain is up, you can create user accounts and add computer accounts to the Active Directory. In Windows 2000 mixed domains, the accounts must be set to Allow access so that it can be successfully authenticated. There are mechanisms to override this on the IAS server. In native domains in Windows 2000 (and later), the Control access through Remote Access Policy option is available. This is the default (and the recommended setup for all user and computer accounts), because this option allows the IAS server to determine whether to let the user in or not. 7
Certificate Authority (CA) setup n To set up the CA, perform the following steps on your future CA server: 1. 2. 3. 4. Click Start, click Control Panel, and then doubleclick Add or Remove Programs. Click Add/Remove Windows Components. Click Certificate Services, and then click Details. Make sure that Certificate Services Web Enrollment Support is selected. (You must have IIS installed before you perform this step. ) 8
CA setup (2) n Recommendation n Use Certificate Services on computers running Microsoft® Windows Server™ 2003 Enterprise Edition. This allows the administrator to have custom templates and it includes two important certificate templates: RAS and IAS Server Authentication n Wireless Authentication These customized templates have the correct settings for the IAS server and wireless clients n 9
CA setup (3) n When the CA is installed, you must publish the certificate templates: RAS and IAS Server Authentication n Wireless Authentication n 10
CA setup (4) n Follow these steps to add the templates: 1. 2. 3. 4. Click Start, point to Programs, point to Administrative tools, and then click Certificate Authority. Find the certificate templates. Right-click the certificate templates, and then click Certificate Template to issue. In the dialog box that appears, click RAS and IAS server authentication and Wireless authentication. 11
Setting up Group Policy n n n By default, wireless Group Policy settings are not set. An administrator might want to change the default to make the process of getting wireless clients on the network easier. Group Policy must be downloaded to the client before it can take effect on the client computers. This happens automatically when a domain user logs on to the computer for the first time, or when a new computer joins the domain (after first boot). It also happens at regular intervals. 12
Setting up Group Policy (2) n n To force the Group Policy download on the client computer, use the GPUPDATE. EXE command-line tool with the /F[orce] option. This makes the computer download and update Group Policy locally (with any new modifications). Use Group Policy to automatically enroll certificates for client computers. This is in addition to other certificates needed by the client (like the enterprise root certificate or other third-party root certificates that the administrator wants to push down to the clients automatically through Group Policy). 13
Setting up Group Policy (3) n n Open the Active Directory Users and Computers snap-in. Locate an organizational unit (OU) that you would like to have wireless policy applied to, or create a new one by rightclicking the domain name, pointing to New, and then clicking Organizational Unit. Add computers that you would like to apply the Group Policy to. Note Wireless Group Policy applies only to computers 14
Setting up Group Policy (4) n Right-click the OU, and then click Properties. n n n Tip You can make the policy domain wide by rightclicking the domain name. Check the links at the end for additional information about Group Policy. Click the Group Policy tab. Click New. Type the new name. Click Edit to start editing the policy. 15
Setting up Group Policy (5) Note You can also use new Group Policy Console Management GPMC, which works the same. Check links at the end of this Web. Cast for more information. 16
Group Policy Configuring 802. 1 X in GP n n n Find the Wireless Network (IEEE 802. 11) and right-click it. Select Create Wireless Network Policy. After the wizard is done, continue to edit properties. 17
Group Policy (2) n Configuring 802. 1 X in GP Recommendation On the General tab, make sure to change the Networks to access list to Access point (infrastructure) networks only. n n This option will only push this SSID as the default on your clients. (It will be added in the Preferred Networks list. ) Wireless group policy is not exclusionary technology; you cannot prevent users from connecting to other SSIDS. You can limit your clients to connect only to APs or ad hoc networks. Click the Preferred Networks tab, and then click Add. 18
Group Policy (3) Configuring 802. 1 X in GP 19
Group Policy (4) Configuring 802. 1 X in GP n n n Select the Service Set Identifier (SSID) of your network. Clients will default to this SSID when presented with multiple SSIDs. Add a description (optional). Leave the other default settings unchanged. 20
Group Policy (5) Configuring 802. 1 X in GP 21
Group Policy (6) Configuring 802. 1 X in GP n n n Click the IEEE 802. 1 X tab. Select the appropriate EAP type. Click Settings. 22
Group Policy (7) Configuring 802. 1 X in GP n Select EAP method’s additional configuration. 23
Group Policy (7) n Configuring 802. 1 X in GP Recommendations n n n Always enable validate server certificate (to make sure that the client authenticates the server) Always enable Fast Reconnect with PEAP Optionally, supply the names of your IAS servers in the Connect to these servers field. This will prevent the clients from connecting to rogue servers. Make sure that you specify the fully qualified domain name (FQDN) of the server as it appears in the server certificate. n n Starting in Windows® XP SP 2, this field is a regular expression, so if you want to accept servers in the Microsoft. com domain you type: ^. *. microsoft. com$ These settings are available on the client for individual client configuration. 24
Server setup n Setting up the IAS server IAS is Microsoft implementation of RADIUS is one of the most popular authentication protocols. n IAS is included in Windows 2000 Server and Windows Server 2003. Add IAS by using Add/Remove Windows Components. n 25
Server setup (2) n There are some limitations in the Standard Server IAS. There are 50 RADIUS clients and 2 server groups Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition do not have these limitations n Windows XP and Windows Server 2003, Web Edition do not have IAS n Windows Small Business Server 2003, Standard Edition has the standard server IAS n IAS has been a component in Windows since Windows NT® 4. 0 n 802. 1 X network support is available only in Windows 2000 Server IAS and Windows Server 2003 family IAS 26 n
Server setup Authentication methods n IAS supports many authentication methods: n Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) This is a robust and secure protocol, used with smart cards and certificates n EAP-TLS provides very high levels of security and leverages the use of Public Key Infrastructure (PKI) based on the widely accepted Secure Sockets Layer (SSL) technology n 27
Server setup Authentication methods (2) n PEAP-MSCHAPv 2 n n Protected EAP (PEAP) is also a very secure authentication protocol. It has an internal protected authentication method that is flexible and easy to deploy, without the need for clientside certificates. PEAP-TLS n This authentication is the ultimate in security, providing a secured external channel for EAP-TLS to be negotiated. 28
Server setup Advantages of EAP and PEAP n n The main advantages of EAP and PEAP are that the Access Point (AP) becomes a pass-through for the authentication allowing the client to communicate directly with the server with little interference of the AP. EAP and PEAP allow the mutual authentication of client and server, where the client validates the server certificate to ensure its validity and authenticity, before connecting to the network. Note Mutual authentication is not done in all 29 EAP methods.
Server setup Advantages of EAP and PEAP (2) n n Combined with 802. 1 X, EAP and PEAP provide a great framework for exchanging encryption keys without resorting to static Wired Equivalent Privacy (WEP) for encryption. Keys are provided to the AP and the client after successful authentication. 30
Server setup Server configuration n n Before IAS can be set up for EAP/PEAP, the infrastructure for this must be in place. Active Directory, DHCP, and Certificate Authority all must be in place before IAS. We will discuss the basic setup of Active Directory and Certificate Authority. DHCP and DNS are beyond the scope of this Web. Cast 31
Server setup Server configuration (2) n n n Active Directory and Certificate Authority are optional for only PEAP-MSCHAPv 2, but are highly recommended for centralized management. Active Directory is also mandatory in the case of computer authentication. IAS can be deployed with a public domain certificate that can be obtained from any public Certificate Authority. 32
Server setup Server configuration (3) n Register IAS in Active Directory Log on to the IAS server as a domain administrator. n Right-click the IAS root node, and then click Register IAS in Active Directory. n n This is a very important step. Without successfully registering IAS, the server may not be able to look up users or get proper certificates 33
Server setup n n n Server configuration, add clients Make sure that the client is a member of the clients list. Confirm that the casesensitive shared secret is correctly configured on IAS and Access Server (802. 1 X capable switch or Access Point). Select a strong secret that is more than 15 characters and contains both alpha-numeric and special characters. 34
Server setup Server configuration, add Remote Access Policy n Add an appropriate Remote Access Policy (RAP) to the IAS server You may use the wizard or you can modify an existing policy. n Recommendation Add Wireless IEEE 802. 11 and Wireless-Other to the NAS -Port-Type policy condition. You may also add this as a dial-in constraint in the Remote Access Policy profile (double-click the policy after you create it, and then click Edit profile to see the constraints). 35 n
Server setup Server configuration, add RAP (2) You may use this setting with additional conditions and constraints as long as they do not conflict n Recommendation When creating a policy, make sure that you make it as restrictive as possible, to make sure that only authorized users are allowed access n n Use Windows Groups membership, date and time restrictions, and similar items 36
Server setup Server configuration, add RAP (3) 37
Server setup Server configuration, add RAP (4) n Condition versus constraint If a condition is met, that policy is invoked n The constraint is checked after the condition is met n Use constraints to have better control over users connecting, even if they are authorized to connect n Recommendation Always make your constraints as restrictive as possible n 38
Server setup Server configuration, add RAP (5) Policy condition Policy constraint 39
Server setup Server configuration, authentication types n Selecting the authentication type n Recommendation Make sure that no other authentication types are selected 40
Server setup Server configuration, authentication types (2) n Recommendation Make sure that you select only one EAP type. You can have more, but try to be as restrictive as possible. As a general rule, have only ONE per policy 41
Server setup n n Server configuration, authentication types (3) If your CA infrastructure is correctly configured, you will see a certificate issued to your computer. If no suitable certificate is found, authentication will not be successful. Recommendation Always enable fast reconnect if you are using PEAP. Fast reconnect improves performance without sacrificing security. 42
Server setup Server configuration n Set up as many policies as required and make sure that they are as restrictive as possible. There is no limitation for the number of policies on IAS server. n Policies are evaluated sequentially. The first one that matches is used and the rest are ignored. n 43
Server setup Server configuration, connection request processing n Next, you must set up connection request processing. By default, IAS authenticates on the local server (against Active Directory). You may proxy the authentication to a remote computer. Check the links at the end for setting up IAS proxy. 44
Troubleshooting n First step: Check the IAS server’s event log n The event log will contain information for all authentications that take place. Make sure that you select both Rejected authentication requests and Successful authentication requests on the IAS server properties page. n Right-click the root node in the IAS Snap-In, and then click Properties to see this page. 45
Troubleshooting (2) 46
Troubleshooting Trace logs n When troubleshooting, always enable tracing: NETSH RAS SET TRACING * ENABLED n When done troubleshooting, always disable tracing to eliminate additional overhead: NETSH RAS SET TRACING * DISABLED n Trace files are available under %windir%Tracing (windir is the folder where Windows is installed) 47
Troubleshooting Trace logs (2) n n Trace files are generated on the client and on the server. Traces to look for on the client are RASTLS and RASCHAP. These depend on the authentication method being used. Additionally, they will give a rough idea about what is going on during the authentication process. Traces to look for on the IAS server are RASTLS, IASSAM, and possibly RASCHAP when using PEAP-MSCHAPv 2. These will also give a rough idea about what is going on during the authentication. An unexplainable error or a failure that is written in the logs might mean that there has been a problem. 48
Troubleshooting Network Monitor n Install Network Monitor n Network Monitor will help you sniff the RADIUS traffic and understand what is going on When doing 802. 1 X, all EAP payloads (inside RADIUS) are encrypted. n Other RADIUS information might not be encrypted. n n Network Monitor is included with Windows Server 2003. Use Add/Remove Windows Components (look under Management and Monitoring Tools) to add Network Monitor. 49
Troubleshooting Things to check n Always check your connections: Make sure that you can ping the APs n Make sure that the firewall is not blocking traffic n 50
Troubleshooting Things to check (2) n Check that the IAS server has a valid certificate (a valid certificate will be requested on behalf of the computer if it has been added as a member of the RAS and IAS servers group). n n If Register Server in Active Directory is unavailable and you still can’t find the IAS server in the RAS and IAS servers group on the DC, you can add it manually. You can also specify an IAS server in the RAS and IAS servers certificate template; click the Security tab of the Certificate template. 51
Troubleshooting Ask the experts n Visit the RADIUS newsgroup and post questions there to obtain help from the community. Additionally, many members of the IAS development team monitor and respond to questions posted to the newsgroup. microsoft. public. internet. radius 52
Troubleshooting If you have to contact Product Support Services n When you send a question to Product Support Services (PSS), provide: Network Monitor captures n Trace logs from the client and the server to help PSS identify the problem n A configuration dump, using the commandline command: n NETSH AAAA SHOW CONFIG > Config. File. TXT n A rough description of your network 53
f0c9a61bb8cf5dc1fbc86fee3675d737.ppt