RE: 802.1x RADIUS Deployment in Wireless LAN

shankarnarayan.d_at_netsol.co.in
Date: 11/26/03

    To: djackson@netdmz.com, security-basics@securityfocus.com
    Date: Wed, 26 Nov 2003 12:27:09 +0530

    Hi,

    Have designed and implemented Wireless Networks with RADIUS for many of our
    customers and the same are working fine. We primarily work with Cisco as
    our partner and these cards do support 802.1X. Have used the Cisco Aironet
    1200 series AP with Cisco 352 Client cards / Intel Centrino based Laptops /
    Orinoco and Cisco ACS v3.2 - discussions below are based on those
    components. Going into your questions:

    1. Design of a Wireless Network involving RADIUS is not very difficult if
    you are clear on what you want it to do. There are a large number of
    different types of RADIUS based EAP authentication mechanisms - LEAP
    (Cisco proprietary), EAP-TLS, EAP-TTLS (Funk promoted, now well accepted in
    the Wireless community), PEAP (promoted by MS and Cisco), WPA / TKIP and
    finally a Cisco proprietary IBNS (enter your user name and password and you
    get assigned to a predefined SSID - Cisco supports 16 of them on the same AP
    and calls this a VLAN capability). If you were to look at each of these,
    LEAP is pretty easy to design - among the easiest; EAP-TLS and EAP-TTLS, we
    have found, are among the more painful ones to design as they involve
    integration of multiple components over and above just RADIUS (EAP-TTLS is
    easier than EAP-TLS). WPA / TKIP based designs are pretty much OK with
    RADIUS. IBNS was the toughest, trying to get RADIUS to integrate with ADS -
    there are a huge bunch of factors to think up when designing this one.
    Never tried PEAP.

    2. LEAP was easiest to install. EAP-TTLS (Funk provides some pretty neat
    ways to help overcome problems that EAP-TLS using Microsoft CA presents -
    the Odyssey clients and Steel Belted RADIUS eval copies are available on
    www.funk.com) and EAP-TLS were tougher to install and IBNS was the worst
    (primarily due to some Microsoft based password caching problems - peculiar
    problems of sometimes not re-authenticating, other times automatically
    authenticating even without asking for a password or suddenly asking for
    re-authentication - we scoured the web for a full two days before we cracked
    that one).

    3. OS: Ranges from Win2K (ACS on Win2K Adv Server and clients on Win2K
    Professional) to XP - never tried on UNIX or the likes.

    4. Ease of Management - WPA / TKIP produced the best management, LEAP was
    decent, EAP-TLS and EAP-TTLS (due to the CA stuff) were and are pretty
    difficult to manage. IBNS is pretty easy to manage once deployed, but to get
    it deployed was hell (at least for us).

    5. Keys were dynamic wherever we deployed Wireless.

    Wrt implementation, Cisco provides excellent documentation throughout its
    website and these can be efficiently used for both design and
    implementation. Cisco SAFE series carries beautiful explanations and step by
    step configuration. Somehow, have not found any problems with using Cisco
    documentation - even as a novice when first implementing Wireless. Yes, the
    ACS does contain so many options that you can sometimes be confused about
    what it is you are doing, but Aironet configs - using the web interface - were
    pretty easy to get along with. However, integration with other components -
    yes, a new guy will face problems if he is not very aware of the technology or
    if he is not sure about what he wants.

    The MS documentation on RADIUS did actually work in a Lab test setup - but
    in the field it does bring up some idiosyncrasies - everything works fine
    independently, but they do produce hiccups when trying to integrate multiple
    components.

    Hope this helps.....

    Rgds,
    Shankar

    -----Original Message-----
    From: David J. Jackson [mailto:djackson@netdmz.com]
    Sent: Tuesday, November 25, 2003 10:42 AM
    To: security-basics@securityfocus.com
    Subject: 802.1x RADIUS Deployment in Wireless LAN

    Has anyone deployed RADIUS services in a WLAN environment and if so can you
    give me (this list) some feedback as to your experience on the following:
     
    - Design Difficulty?
    - Ease of Installation?
    - Software OS: Windows 2000, 2003, XP, Linux, Unix, etc.
    - Ease of Deployment?
    - Ease of Management?
    - Dynamic or Static WEP Key Distribution?
     
    I'm also looking for some more specific information on setting up RADIUS
    authentication on the WLAN with cards that don't specifically say they
    support 802.1x or RADIUS. If I'm using a RADIUS client or Windows XP with
    built-in support for 802.1x and Smartcard Authentication, etc. does the
    Wireless NIC have to support 802.1x or does it matter?
     
    Also, I found a link on Microsoft's site on setting up RADIUS authentication
    for Windows 2000 and Windows 2003 servers. Has anyone used these
    articles/instructional guides and if so did they work properly?
     
    Thanks very much in advance for your help with this.
     
    David Jackson, GSEC
    djackson@netdmz.com
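The thread treats RADIUS as the piece every one of these EAP methods sits on, and asks whether the documentation "works". One thing a deployer can check independently of Cisco ACS or any vendor guide is the packet integrity that the NAS (access point) and the RADIUS server derive from their shared secret: the Response Authenticator of RFC 2865 and the Message-Authenticator of RFC 3579, which is mandatory once EAP-Message attributes are carried. The example below is an added illustration, not code from the original post, from Cisco, or from any RADIUS product; the secret, identifier and attribute values are constructed samples, and the builder/verifier functions are hypothetical names chosen here.

```python
"""RADIUS packet integrity checks used by 802.1X/EAP deployments.

Added illustration, not code from the mailing-list post, Cisco ACS or any
RADIUS product. Implements the two checks from RFC 2865 and RFC 3579 that the
NAS (access point) and the RADIUS server perform with their shared secret.
All secrets, identifiers and attribute values below are constructed samples.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS AVPs: Type(1) Length(1) Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value does not fit in one AVP")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Rejects Length fields that disagree with the bytes actually received."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def _message_authenticator_ok(header, mac_authenticator, attrs, secret):
    """RFC 3579: Message-Authenticator = HMAC-MD5(secret, packet with that
    attribute's value zeroed). A request is keyed over its own Request
    Authenticator; a response over the Request Authenticator it answers."""
    received, zeroed = None, []
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = value
            zeroed.append((attr_type, b"\x00" * 16))
        else:
            zeroed.append((attr_type, value))
    if received is None or len(received) != 16:
        return False  # mandatory whenever EAP-Message is carried
    expected = hmac.new(secret, header + mac_authenticator + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_request(ident, attrs, secret, request_auth=None):
    """Access-Request: random 16-byte Request Authenticator plus Message-Authenticator."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + request_auth + body[:-16] + mac  # the zeroed MA is the last AVP


def build_response(code, ident, request_auth, attrs, secret, include_message_auth=True):
    """Access-Accept/Reject: Message-Authenticator first, then the Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865).
    include_message_auth=False models a legacy server that omits the HMAC."""
    if include_message_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_message_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_request(packet, secret):
    """Server-side check of an Access-Request's Message-Authenticator."""
    code, _ident, request_auth, attrs = parse(packet)
    return code == ACCESS_REQUEST and _message_authenticator_ok(packet[:4], request_auth, attrs, secret)


def verify_response(packet, request_auth, secret):
    """NAS-side check of a reply against the Request Authenticator it sent.
    Both the Response Authenticator and the Message-Authenticator must match."""
    _code, _ident, response_auth, attrs = parse(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    return _message_authenticator_ok(packet[:4], request_auth, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a deployment value
    req = build_request(7, [(ATTR_USER_NAME, b"alice")], secret)
    request_auth = parse(req)[2]
    resp = build_response(ACCESS_ACCEPT, 7, request_auth, [(ATTR_USER_NAME, b"alice")], secret)
    print("request ok:", verify_request(req, secret))
    print("response ok:", verify_response(resp, request_auth, secret))
    print("wrong secret:", verify_response(resp, request_auth, b"other"))
```

The point for a deployment like the one in the thread is that the Response Authenticator alone is a plain MD5 keyed only by concatenating the secret, so an AP that accepts an Access-Accept without also checking the Message-Authenticator is trusting the weaker of the two; verifying both, and treating a missing Message-Authenticator on an EAP exchange as a failure, is the check to confirm on the NAS side before going live.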


