
Best Practices for Wireless/Wired LAN Implementation

Author
19 Oct 2006 4:58 AM
Tane M. Baum
I thought I'd throw this question out for advice. We're just about to
implement our wireless solution. After reading numerous technical
documents cover to cover, it came down to the questions below.

Scope:
    Clients - Windows(XP/2000/2003)(Primarily WinXP),Linux, MacOS X
    Wireless Router/Switches/Access Point: Cisco, Nortel

RADIUS Server:
    Microsoft IAS, Juniper Steel-Belted RADIUS

Authentication Server(Authenticator):
    Microsoft Active Directory, Linux Server, MacOS X Server

Authentication Method:
    Juniper Steel-Belted:    TTLS Pass-thru, PEAP Pass-thru, Web-AAA
    Microsoft IAS:        PEAP-Offload,   PEAP Pass-thru, Web-AAA

What I'm trying to achieve is:
    1 - Have the best overall security
    2 - No additional wireless client required
    3 - Widely supported

My question:
    Which Authentication Method is the best? Why?
    Which encryption to use?


Thanks

Author
23 Oct 2006 8:39 PM
James McIllece [MS]
"Tane M. Baum" <tanemb***@bluebottle.com> wrote in
news:uwZrDsz8GHA.3264@TK2MSFTNGP04.phx.gbl:

> I thought I'd throw this question out for advice. We're just about to
> implement our wireless solution. After reading numerous technical
> documents cover to cover, it came down to the questions below.
>
> Scope:
>      Clients - Windows(XP/2000/2003)(Primarily WinXP),Linux, MacOS X
>      Wireless Router/Switches/Access Point: Cisco, Nortel
>
> RADIUS Server:
>      Microsoft IAS, Juniper Steel-Belted RADIUS
>
> Authentication Server(Authenticator):
>      Microsoft Active Directory, Linux Server, MacOS X Server
>
> Authentication Method:
>      Juniper Steel-Belted:     TTLS Pass-thru, PEAP Pass-thru, Web-AAA
>      Microsoft IAS:          PEAP-Offload,   PEAP Pass-thru, Web-AAA
>
> What I'm trying to achieve is:
>      1 - Have the best overall security
>      2 - No additional wireless client required
>      3 - Widely supported
>     
> My question:
>      Which Authentication Method is the best? Why?
>      Which encryption to use?
>     
>
> Thanks

Hi Tane --

Certificate-based authentication methods are the most secure as they
protect against a large variety of possible attacks.

Because you plan on using Microsoft WS03 with IAS, the most secure method
provided with that OS is EAP-TLS. EAP-TLS provides mutual authentication
and requires certificates on IAS servers; it also requires either a
certificate in the client certificate store or the use of smartcards.

If the cost of deploying certificates is prohibitive, you can deploy
Protected EAP with MS-CHAP v2 (PEAP-MS-CHAP v2). PEAP-MS-CHAP v2 also
provides mutual authentication, where the IAS server has a server
certificate; however user authentication is performed with password-based
credentials (user name and password).

If you haven't previously seen this paper you will probably find it useful.

"The Advantages of Protected Extensible Authentication Protocol (PEAP): A
Standard Approach to User Authentication for IEEE 802.11 Wireless Network
Access" at
http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

And these are the companion deployment papers, which also explain how to
deploy EAP-TLS:

"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx


"Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en

--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
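
The two methods recommended in the reply above, seen from a Linux client (one of the platforms in the original scope), as an added example that is not part of either post: a wpa_supplicant.conf sketch showing which credentials each method needs and where the RADIUS server certificate is checked. The SSID, identities, host name, password and file paths are constructed placeholders.

```conf
# Added example: wpa_supplicant.conf for a Linux client. Keep only ONE of the
# two network blocks. All names, paths and secrets are constructed placeholders.

# Option 1: EAP-TLS. The client authenticates with a certificate and private
# key; the RADIUS server authenticates with its own certificate.
network={
    ssid="EXAMPLE-CORP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.test"
    # CA that issued the RADIUS server certificate. If ca_cert is omitted,
    # the server certificate is not verified and mutual authentication is lost.
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
    # Accept only a server certificate issued for this name (placeholder).
    domain_suffix_match="radius.example.test"
    # Client credential: certificate plus protected private key.
    client_cert="/etc/wpa_supplicant/user-cert.pem"
    private_key="/etc/wpa_supplicant/user-key.pem"
    private_key_passwd="CHANGE-ME"
}

# Option 2: PEAP-MS-CHAP v2. Only the server presents a certificate; the user
# authenticates with a user name and password inside the TLS tunnel.
network={
    ssid="EXAMPLE-CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent before the tunnel is established.
    anonymous_identity="anonymous@example.test"
    # Inner identity and password, sent only inside the tunnel.
    identity="user@example.test"
    password="CHANGE-ME"
    # Server validation matters even more here: a client that skips it will
    # run MS-CHAP v2 with whatever server answers.
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
    domain_suffix_match="radius.example.test"
}
```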