Understand 802.1x authentication of wireless networks

xiaoxiao, 2021-03-06


802.1X is an IEEE standard for authenticated network access to wired Ethernet and wireless 802.11 networks. IEEE 802.1X improves security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.

EAP, EAP-TLS, EAP-MS-CHAP V2 and PEAP authentication

802.1X supports Extensible Authentication Protocol (EAP) types, which lets you choose from several authentication methods for wireless clients and servers.

EAP

802.1X uses EAP to exchange messages during the authentication process. With EAP, an arbitrary authentication method can be used, for example a certificate, a smart card, or credentials. EAP allows an open-ended conversation between an EAP client (such as a wireless computer) and an EAP server (such as an Internet Authentication Service (IAS) server). The conversation consists of the server's requests for authentication information and the client's responses. For authentication to succeed, the client and the server must use the same authentication method.

EAP-TLS

EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in certificate-based security environments and provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and determination of encryption keys between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS, or, for enhanced security, EAP-TLS together with Protected EAP (PEAP).

EAP-MS-CHAP V2

EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP V2) is a mutual authentication method that supports password-based user or computer authentication. During the EAP-MS-CHAP V2 authentication process, both the server and the client must prove that they know the user's password for authentication to succeed. With EAP-MS-CHAP V2, users can change their passwords after successful authentication, and they are notified when their passwords are about to expire.

Note

EAP-MS-CHAP V2 is only available with PEAP.

PEAP

PEAP is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. PEAP provides the following benefits: an encrypted channel that protects the EAP method running inside PEAP, dynamic keying material generated from TLS, fast reconnect (the ability to reconnect to a wireless access point using cached session keys, which allows quick roaming between wireless access points), and server authentication that can be used to protect against unauthorized wireless access points.

PEAP authentication process

The PEAP authentication process contains two phases:

1. Server authentication and creation of the TLS encrypted channel. The server identifies itself to the client by presenting its certificate information. After the client verifies the identity of the server, a master secret is generated. A TLS encrypted channel is then created using session keys derived from the master secret, and this channel encrypts all subsequent communication between the server and the wireless client.

2. EAP conversation and user and client computer authentication. The complete EAP conversation between the client and the server is encapsulated within the TLS encrypted channel. With PEAP, you can authenticate users and client computers using any of several EAP authentication methods (such as passwords, smart cards, and certificates).

The session keys generated during PEAP authentication provide the keying material for the Wired Equivalent Privacy (WEP) encryption keys that encrypt the data sent between the wireless client and the wireless access point.
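The two phases above can be followed in code. The model below is an added example and is not code from the original article or from Microsoft: the TLS channel is replaced by an HMAC-keyed stream cipher and the inner EAP-MS-CHAP V2 method by an HMAC challenge/response (neither is the real algorithm), and the trusted root, the RADIUS server name and the passwords are constructed. What it shows is the ordering the text describes: the inner method never runs unless the server's certificate was accepted in phase 1, and the inner exchange only ever appears on the air as ciphertext under the phase 1 session key.

```python
"""Model of the two PEAP phases: server authentication and channel creation,
then the inner EAP method inside that channel.

Added example, not Microsoft code. The "TLS channel" is a simplified
HMAC-keyed stream cipher and the inner method is a stand-in for
EAP-MS-CHAP V2 (HMAC challenge/response, not the real MS-CHAP V2 algorithm).
Trust store, server name and passwords are constructed values.
"""
import hashlib
import hmac
import os

TRUSTED_ROOTS = {"Corp Root CA"}              # constructed client trust store
EXPECTED_SERVER = "ias.example.local"         # constructed RADIUS server name


def verify_server_certificate(cert: dict) -> bool:
    """Phase 1: the client accepts the server only if its certificate chains to a
    trusted root and names the RADIUS server the client expects."""
    return cert["issuer"] in TRUSTED_ROOTS and cert["subject"] == EXPECTED_SERVER


def derive_session_key(master_secret: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    """Phase 1: both sides derive the channel key from the master secret
    (stand-in for the TLS key-derivation function)."""
    return hmac.new(master_secret, b"peap-channel" + client_random + server_random,
                    hashlib.sha256).digest()


def channel_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream cipher for the model channel (encrypt and decrypt are the same).
    A fixed nonce per message direction is acceptable here only because the
    channel key is fresh for every session."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def password_key(password: str) -> bytes:
    """Stand-in for the password-derived secret that both sides hold."""
    return hashlib.sha256(password.encode()).digest()


def inner_client_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(password_key(password), b"client" + challenge, hashlib.sha256).digest()


def inner_server_proof(password: str, response: bytes) -> bytes:
    """Mutual authentication: the server also proves it knows the password."""
    return hmac.new(password_key(password), b"server" + response, hashlib.sha256).digest()


def peap_authenticate(server_cert: dict, client_password: str,
                      server_password: str) -> dict:
    """Run both phases; returns the outcome plus the frames an observer sees on the air."""
    wire = []
    # Phase 1: server authentication and encrypted channel creation.
    if not verify_server_certificate(server_cert):
        return {"phase1": False, "phase2": False, "wire": wire}
    client_random, server_random = os.urandom(32), os.urandom(32)
    master_secret = os.urandom(48)            # in TLS this is agreed under the server's key
    key = derive_session_key(master_secret, client_random, server_random)
    # Phase 2: the inner EAP method, carried only inside the channel.
    challenge = os.urandom(16)
    wire.append(channel_xor(key, b"s1", challenge))                 # server -> client
    response = inner_client_response(client_password, channel_xor(key, b"s1", wire[-1]))
    wire.append(channel_xor(key, b"c1", response))                  # client -> server
    seen = channel_xor(key, b"c1", wire[-1])
    if not hmac.compare_digest(seen, inner_client_response(server_password, challenge)):
        return {"phase1": True, "phase2": False, "wire": wire}
    wire.append(channel_xor(key, b"s2", inner_server_proof(server_password, seen)))
    ok = hmac.compare_digest(channel_xor(key, b"s2", wire[-1]),
                             inner_server_proof(client_password, response))
    return {"phase1": True, "phase2": ok, "wire": wire}


if __name__ == "__main__":
    good = {"subject": EXPECTED_SERVER, "issuer": "Corp Root CA"}   # constructed
    print(peap_authenticate(good, "pw", "pw")["phase2"])              # True
```

The early return when the certificate check fails is the point of phase 1: a client that stops there never sends its inner credential exchange at all, which is what makes the server-authentication step the defence against an unauthorized access point.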

You can use PEAP with any of the following authentication methods for wireless authentication:

EAP-TLS, which uses certificates for server authentication and certificates or smart cards for user and client computer authentication.

EAP-MS-CHAP V2, which uses certificates for server authentication and credentials for user authentication.

Non-Microsoft EAP authentication methods.

Note

PEAP with EAP-MD5 is not supported. PEAP can be used as an authentication method for 802.11 wireless clients, but it is not supported for virtual private network (VPN) clients or other remote access clients. Therefore, you can configure PEAP as the authentication method of a remote access policy only when you are using Internet Authentication Service (IAS).

PEAP support for fast reconnect

When a client connects to an 802.11 wireless network, the authenticated session has an expiration interval that is set by the network administrator and is intended to limit the duration of the authenticated session. To avoid the need for users to re-authenticate and re-enter their credentials when the session expires, you can enable the fast reconnect option.

PEAP supports fast reconnect: as long as every wireless access point is configured as a client of the same IAS (RADIUS) server, PEAP fast reconnect keeps the wireless connection alive as the client moves between the different wireless access points of the same network. In addition, fast reconnect must be enabled on both the wireless client and the RADIUS server.

After the initial PEAP authentication succeeds, users are not prompted for their credentials (when PEAP is used with EAP-MS-CHAP V2) or their personal identification number (PIN) (when PEAP is used with a smart card) each time they move to a new wireless access point. Instead, when PEAP fast reconnect is enabled, the client and the server cache the TLS session keys after the initial PEAP authentication succeeds. When the user associates with a new wireless access point, the client and the server use the cached keys to re-authenticate each other until the cache expires. Because the keys are cached, the RADIUS server can quickly determine that the client connection is a reconnection. This reduces the delay between a client's authentication request and the RADIUS server's response, and it reduces the resource demands on both the client and the server.

If the authentication request does not reach the original RADIUS server, a full authentication is required and the user is prompted for credentials or a PIN. This can happen in the following cases:

The user associates with a new wireless access point that is configured as a client of a different RADIUS server.

The user associates with the same wireless access point, but the wireless access point forwards the authentication request to a different RADIUS server.

In both cases, after the initial authentication with the new RADIUS server succeeds, the client caches the new TLS session keys. The client can cache TLS session keys for multiple RADIUS servers.
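The cache behaviour in this section (fast reconnect within one RADIUS server, full authentication when a different server answers, one cached key per server on the client, and expiry) can be walked through with a small model. This is an added example, not code from the original article or from Microsoft; the access point and server names are constructed, the cached "TLS session key" is a random token rather than a real TLS session, and time is passed in explicitly so that expiry can be shown.

```python
"""Model of PEAP fast reconnect and its TLS session key cache.

Added example, not Microsoft code. Server and access point names are
constructed, the session key is a random token, and the clock is explicit.
"""
import hmac
import os

CACHE_LIFETIME = 3600                     # constructed: seconds a cached session stays valid


class RadiusServer:
    """IAS/RADIUS server that caches a session key per client after a full PEAP exchange."""

    def __init__(self, name, fast_reconnect=True):
        self.name = name
        self.fast_reconnect = fast_reconnect
        self.cache = {}                   # client name -> (session key, expiry time)

    def full_authentication(self, client, now):
        """Full PEAP: the user is prompted for a password or PIN and a new key is cached."""
        key = os.urandom(32)
        self.cache[client] = (key, now + CACHE_LIFETIME)
        return key

    def try_fast_reconnect(self, client, presented_key, now):
        """Accept a reconnect only if this server holds an unexpired key for the client."""
        if not self.fast_reconnect or client not in self.cache:
            return False
        cached_key, expiry = self.cache[client]
        if now > expiry:
            del self.cache[client]
            return False
        return hmac.compare_digest(cached_key, presented_key)


class AccessPoint:
    """Each access point is a RADIUS client of exactly one server."""

    def __init__(self, name, radius):
        self.name = name
        self.radius = radius


class WirelessClient:
    """Caches one session key per RADIUS server it has fully authenticated to."""

    def __init__(self, name, fast_reconnect=True):
        self.name = name
        self.fast_reconnect = fast_reconnect
        self.keys = {}                    # RADIUS server name -> (session key, expiry time)
        self.credential_prompts = 0       # how often the user had to type a password or PIN

    def associate(self, ap, now):
        server = ap.radius
        entry = self.keys.get(server.name)
        if self.fast_reconnect and entry and now <= entry[1]:
            if server.try_fast_reconnect(self.name, entry[0], now):
                return "fast"
        # No usable cached key on one side or the other: full authentication.
        self.credential_prompts += 1
        key = server.full_authentication(self.name, now)
        self.keys[server.name] = (key, now + CACHE_LIFETIME)
        return "full"


def roaming_scenario():
    """Walk a client through the cases in the text; returns each step's outcome."""
    ias_a = RadiusServer("ias-a.example.local")
    ias_b = RadiusServer("ias-b.example.local")
    ap1, ap2 = AccessPoint("ap1", ias_a), AccessPoint("ap2", ias_a)
    ap3 = AccessPoint("ap3", ias_b)
    client = WirelessClient("laptop-01")
    steps = [
        client.associate(ap1, now=0),                     # first connection: full
        client.associate(ap2, now=60),                    # same RADIUS server: fast
        client.associate(ap3, now=120),                   # different RADIUS server: full
        client.associate(ap1, now=180),                   # key for ias-a still cached: fast
        client.associate(ap1, now=CACHE_LIFETIME + 200),  # cache expired: full
    ]
    return steps, client.credential_prompts


def server_without_fast_reconnect():
    """If the server side has fast reconnect disabled, every association is a full authentication."""
    ias = RadiusServer("ias-c.example.local", fast_reconnect=False)
    ap1, ap2 = AccessPoint("ap1", ias), AccessPoint("ap2", ias)
    client = WirelessClient("laptop-02")
    return [client.associate(ap1, now=0), client.associate(ap2, now=30)]


if __name__ == "__main__":
    print(roaming_scenario())             # (['full', 'fast', 'full', 'fast', 'full'], 3)
```

Note that the client keeps separate entries for ias-a and ias-b, so moving back to an access point behind ias-a is still a fast reconnect after the detour through ias-b; only the later step past `CACHE_LIFETIME` forces a new prompt.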

For more information, see EAP, MS-CHAP Version 2, and PEAP.

For more information on configuring session timeouts for wireless remote access policies, see Remote Access Policies, Configuring Remote Access Policies, and Elements of a Remote Access Policy.

Security and deployment considerations

When choosing an authentication method, balance the required level of security against the deployment effort. For the highest level of security, choose PEAP with certificates (EAP-TLS). For the easiest deployment, choose PEAP with passwords (EAP-MS-CHAP V2).

Both PEAP with EAP-TLS and EAP-TLS alone provide strong security through the use of certificates for server authentication and certificates or smart cards for user and client computer authentication; when PEAP with EAP-TLS is used, the client certificate information is additionally encrypted. PEAP with EAP-MS-CHAP V2 is the easiest to deploy because client authentication is password-based, so no certificates or smart cards need to be installed on the clients. Because PEAP establishes an end-to-end encrypted channel before the EAP-MS-CHAP V2 authentication takes place, the authentication exchange is not susceptible to offline dictionary attacks. For more information on certificate requirements for 802.1X authentication methods, see Network Access Authentication and Certificates. For information on deploying smart cards, see Checklist: Deploying Smart Cards for Logging On to Windows.

Important

When you deploy both PEAP and an EAP type protected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying authentication methods of the same type, one protected by PEAP and the other not, creates a security vulnerability.

Certificate templates

A new certificate template (version 2) named Workstation Authentication is available. This certificate template can be configured for autoenrollment and can be used by an enterprise certification authority (CA) running on a computer in the Windows Server 2003 family: Windows Server 2003 Enterprise Edition; Windows Server 2003 Datacenter Edition; or a 64-bit version. A certificate based on this template allows the client computer to authenticate itself to the server. If you run Windows XP wireless clients that use certificate-based authentication, and an enterprise CA on a computer in the Windows Server 2003 family (Windows Server 2003 Enterprise Edition; Windows Server 2003 Datacenter Edition; or a 64-bit version) issues the certificates, you should use this certificate template. If you use the Computer certificate template instead, client authentication fails. For more information, see Certificate Templates and Managing Certificate Templates for an Enterprise Certification Authority.

How 802.1X affects 802.11 wireless networks

802.1X performs port-based network access control. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port and to prevent access through that port when the authentication process fails.

During a port-based network access control interaction, a LAN port takes one of two roles: authenticator or supplicant. In the authenticator role, the LAN port enforces authentication before it allows the user access to the services reachable through that port. In the supplicant role, the LAN port requests access to the services reachable through the authenticator's port. An authentication server, which can be a separate entity or can coexist with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical data paths into the LAN through one physical LAN port. The first data path, the uncontrolled port, allows data exchange between the authenticator and computing devices on the LAN regardless of the device's authentication state. This is the path that EAPOL (EAP over LAN) messages take. The second data path, the controlled port, allows data exchange between an authenticated LAN user and the authenticator. This is the path for all other network traffic once the computing device has been authenticated.

802.1X and IAS

To support authentication, authorization, and accounting for wireless network connections, you can use 802.1X with IAS. IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. When RADIUS is used, the wireless access point blocks all data traffic to the wired network and to other wireless clients until the client holds a valid authentication key. The process of obtaining a valid authentication key is as follows:

1. When a wireless client comes within range of a wireless access point, the wireless access point challenges the client.

2. The wireless client sends its identity to the wireless access point, and the wireless access point forwards this information to the RADIUS server.

3. The RADIUS server requests the wireless client's credentials to verify the client's identity. As part of this request, the RADIUS server specifies the type of credentials required.

4. The wireless client sends its credentials to the RADIUS server.

5. The RADIUS server verifies the wireless client's credentials. If the credentials are valid, the RADIUS server sends an encrypted authentication key to the wireless access point.

6. The wireless access point uses this authentication key to securely transmit the per-station unicast session key and the multicast authentication key to the wireless client.
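The controlled/uncontrolled port split from the previous section and the six-step exchange above fit into one small model. This is an added example, not code from the original article or from Microsoft: the EAPOL (0x888E) and IPv4 (0x0800) EtherType values are the real ones, but the station MAC address, the user database and the keys are constructed, and the EAP method is reduced to a password comparison so that the port logic stays visible. The access point forwards EAPOL frames on the uncontrolled port whatever the station's state, and passes data frames through the controlled port only after the RADIUS server has accepted the station.

```python
"""Model of 802.1X port-based access control on a wireless access point and
the RADIUS exchange that authorizes a station.

Added example, not Microsoft code. EtherType values are real; the MAC
address, user database and keys are constructed, and the EAP method is a
plain password comparison standing in for a real EAP type.
"""
import hmac
import os

ETHERTYPE_EAPOL = 0x888E                  # EAP over LAN
ETHERTYPE_IPV4 = 0x0800                   # ordinary data traffic


class RadiusServer:
    """Authentication server: checks credentials on the authenticator's behalf."""

    def __init__(self, users):
        self.users = users                # constructed: identity -> password

    def credential_type(self, identity):
        return "password"                 # step 3: the server states what it needs

    def verify(self, identity, credential):
        """Step 5: returns an authentication key on success, None on rejection."""
        expected = self.users.get(identity)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None
        return os.urandom(32)             # key the AP uses to protect per-station keys


class AccessPoint:
    """Authenticator: one radio port with two logical paths. EAPOL always passes on
    the uncontrolled port; everything else requires an authorized station."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = {}              # station MAC -> per-station keys
        self.to_wired_lan = []            # frames forwarded through the controlled port
        self.dropped = []                 # frames refused by the controlled port

    def challenge(self, mac):
        """Step 1: a station that comes into range is asked for its identity."""
        return {"type": "request-identity", "to": mac}

    def receive(self, frame):
        if frame["ethertype"] == ETHERTYPE_EAPOL:
            return self._uncontrolled_port(frame)
        if frame["src"] in self.authorized:
            self.to_wired_lan.append(frame)
            return "forwarded"
        self.dropped.append(frame)
        return "dropped"

    def _uncontrolled_port(self, frame):
        msg = frame["eap"]
        if msg["type"] == "identity":                      # step 2: relay to RADIUS
            return {"type": "request-credential",
                    "credential": self.radius.credential_type(msg["identity"])}
        if msg["type"] == "credential":                    # step 4: relay to RADIUS
            key = self.radius.verify(msg["identity"], msg["credential"])
            if key is None:
                self.authorized.pop(frame["src"], None)    # stay or become unauthorized
                return {"type": "failure"}
            # Step 6: per-station unicast and multicast keys delivered under the RADIUS key.
            self.authorized[frame["src"]] = {"unicast": os.urandom(16),
                                             "multicast": os.urandom(16)}
            return {"type": "success", "keys": self.authorized[frame["src"]]}
        return {"type": "failure"}


def eapol(src, eap):
    return {"src": src, "ethertype": ETHERTYPE_EAPOL, "eap": eap}


def data(src, payload):
    return {"src": src, "ethertype": ETHERTYPE_IPV4, "payload": payload}


def station_session(ap, mac, identity, credential):
    """Supplicant view: data is blocked before authentication and passes only after it."""
    before = ap.receive(data(mac, b"dns query"))
    ap.challenge(mac)
    ap.receive(eapol(mac, {"type": "identity", "identity": identity}))
    result = ap.receive(eapol(mac, {"type": "credential", "identity": identity,
                                    "credential": credential}))
    after = ap.receive(data(mac, b"dns query"))
    return before, result["type"], after


if __name__ == "__main__":
    ap = AccessPoint(RadiusServer({"alice": "correct horse"}))   # constructed user database
    print(station_session(ap, "00:11:22:33:44:55", "alice", "correct horse"))
    print(station_session(ap, "66:77:88:99:aa:bb", "alice", "wrong"))
```

The `dropped` list is where a defender would look: data frames from a station that has never completed the exchange, or whose credentials were rejected, never reach the wired LAN, which is the blocking behaviour the text attributes to the access point while RADIUS is in use.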

For information on configuring IAS for wireless access authentication, see Checklist: Configuring IAS and Wireless Access Points for Wireless Access.

For information on how to configure 802.1X settings on client computers, see Define 802.1X Authentication for Wireless Networks on Client Computers.

For general information on wireless network security, see Security Information for Wireless Networks.

Please credit the original source when reposting: https://www.9cbs.com/read-42173.html
