Deploying Secure 802.11 Wireless Networks with Microsoft Windows

Required Components

The following components are required for an intranet wireless deployment using EAP-TLS:

• Wireless client computers running Windows.

  Wireless client computers must be running Microsoft Windows XP, Windows Server 2003, or Windows 2000 with Microsoft 802.1X Authentication Client.

• At least two Internet Authentication Service (IAS) servers.

  At least two IAS servers (one primary and one secondary) are recommended to provide fault tolerance for Remote Authentication Dial-In User Service (RADIUS) based authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access clients cannot connect. By using two IAS servers and configuring all wireless access points (APs) to use both the primary and secondary IAS servers, the wireless APs can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.

  You can use either Windows Server 2003 or Windows 2000 Server IAS. IAS servers running Windows 2000 must have Service Pack 3 (SP3) or later installed. (IAS is not included with Windows Server 2003, Web Edition.)

• Active Directory directory service domains.

  Active Directory domains contain the user accounts, computer accounts, and dial-in properties that each IAS server requires to authenticate credentials and evaluate authorization. Although not a requirement, IAS should be installed on Active Directory domain controllers to optimize IAS authentication and authorization response times and to minimize network traffic.

  You can use either Windows Server 2003 or Windows 2000 Server domain controllers. Windows 2000 domain controllers must have SP3 or later installed.

• Computer certificates installed on the IAS servers.

  To authenticate the IAS server to the wireless client during EAP-TLS authentication, a computer certificate must be installed on the IAS server computers.

• Computer and user certificates installed on the wireless clients.

  To authenticate the wireless client computer or user during EAP-TLS authentication, a computer or user certificate must be installed on the wireless client computers.

• Wireless remote access policy.

  A remote access policy is configured for wireless connections so that wireless users and their computers can access the organization s intranet.

• Multiple wireless APs.

  Multiple third-party wireless APs provide wireless access in different coverage areas of an organization. The wireless APs must support IEEE 802.1X, Wired Equivalent Privacy (WEP), RADIUS, and, optionally, Wi-Fi Protected Access (WPA).

Figure 8-1 shows the components of EAP-TLS authentication.

CAUTION If you use EAP-TLS authentication, do not also use Protected EAP-TLS (PEAP-TLS) for wireless connections. Allowing both protected and unprotected authentication traffic for the same type of network connection renders the protected authentication traffic susceptible to spoofing attacks.

Figure 8-1. The components of EAP-TLS authentication.