Re: wireless network disconnects when using IEEE 802.1x authentica

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 10/18/04


Date: Sun, 17 Oct 2004 22:10:09 -0700

Before I discuss wireless encryption differences, let me address the bank
web site example. Your bank's web site (and usually just about any
well-designed web site that requires entering IDs and passwords) will create
an SSL session between the web server and your browser. This encrypted
session keeps your information confidential on the Internet. As an
interesting side effect, it also keeps that same information confidential
over the air, since it gets encrypted before it leaves the wireless NIC in
your computer.

But this isn't good enough: what about all the rest of your communications?
Or what about someone hijacking your wireless network? You still need to
"secure the air," so to speak, so you've got to do something. Choosing what
to do can be daunting.

Now, generally, for wireless security, the more computers you have, the
stronger a security system you want. For a home network or small office
network of say 20 computers or less, plain old 128-bit WEP is good enough.
Change the encryption key in your access point and in all your computers
once a month -- I like to recommend on the first Monday of each month as an
easy-to-establish habit that you can put in your calendar as a reminder. To
brute-force the key an attacker will need far more data than what a small
network will generate in that time frame.

If your hardware can perform WPA PSK (pre-shared key), use that and you can
get completely out of the key-management business. WPA uses a key-management
mechanism called TKIP (temporal key integrity protocol). You program a
pre-shared *authentication* key into the AP and each client; WPA generates
new *encryption* keys for every frame (packet) of data that passes between
each client and the AP. That's a lot of encryption; it's best to use the AES
encryption algorithm (rather than WEP's RC4) since AES is so much faster.
Change that authentication key say every six months.

If you've got multiple access points, or more than about 20 clients, then
you'll want to use a RADIUS server to handle keys and policies instead of
individually setting keys in clients. You will need to implement your own
RADIUS server to do that, and it works best if you've got an Active
Directory domain. Older wireless hardware can use only 802.1x. 802.1x is a
network port authentication protocol that uses EAP (extensible authentication
protocol) to process the authentication and RADIUS for carrying the
authentication conversation. In your RADIUS policy you'll indicate a key
lifetime -- 60 minutes is good for 802.11b, 15 minutes for 802.11a/g. Each
client that associates to the access point will receive its own WEP key and
EAP changes this key according to the interval set in the RADIUS policy.

Newer wireless hardware can use WPA, and again if you've got a network of
more than one AP or more than 20 clients WPA with RADIUS is the best way to
go. WPA still relies on RADIUS and 802.1x/EAP for the initial
authentication, but replaces EAP's key handling mechanism with its own TKIP
implementation, again changing those keys every frame.

I know this is a lot of information, but choosing a wireless security suite
isn't a trivial decision. This should help summarize:

network size            hardware manufacture date   encryption protocol   RADIUS needed?
----------------------------------------------------------------------------------------
>1 AP or >20 clients    after 8/2003                WPA                   yes
>1 AP or >20 clients    before 8/2003               802.1x + EAP          yes
1 AP and <20 clients    after 8/2000                WPA + PSK             no
1 AP and <20 clients    before 8/2003               WEP 128-bit           no

Note: for hardware made before 8/2003 you might be able to apply a firmware
upgrade to add WPA support. Check with the manufacturer.

Steve Riley
steriley@microsoft.com

"Patrick B. Moore" <PatrickBMoore@discussions.microsoft.com> wrote in
message news:7CC72E38-02A8-4A76-AD91-C24234AB7273@microsoft.com...
> Steve,
> Thanks for the speedy reply. According to the owner's manual, the Blitzz AP
> Firewall Router gateway supports four different types of security modes: WEP,
> WPA (Pre-Shared Key), WPA RADIUS and 802.1x RADIUS.
> But I have no idea what the IP address for the RADIUS server would be.
> So if I am unable to use 802.1x authentication on my computer, would my
> security be compromised even though I will be using WEP 128-bit encryption?
> Would my sensitive information be seen when I connect to my bank's website
> when I am conducting online banking business without the authentication on?
> If worse comes to worse, I could always turn on authentication when doing
> sensitive business and turn it off when finished.
> If you need any more information, please let me know.
> Thank you again for your time in this matter.
>
>
> "Steve Riley [MSFT]" wrote:
>
>> 802.1x usually requires a sophisticated infrastructure involving a RADIUS
>> server, a certificate server, and computer and user certificates. I don't
>> know what a Blitzz firewall router is; does that device provide all this for
>> you?
>>
>> Steve Riley
>> steriley@microsoft.com
>>
>>
>> "Patrick B. Moore" <Patrick B. Moore@discussions.microsoft.com> wrote in
>> message news:B93B23AA-E087-40D8-A691-412C0CF4614C@microsoft.com...
>> > Hello,
>> > I have a Blitzz 108 mb Super G Firewall Router and wireless adapter I
>> > recently purchased.
>> > I had everything up and running but any time I use the IEEE 802.1x
>> > authentication function for Windows XP Service Pack 2, my wireless network
>> > disconnects from the internet. When I go and uncheck "Enable IEEE 802.1x
>> > authentication for this network" I get my connection back. I have gotten so
>> > frustrated, I have hooked my computer back up to my Ethernet card.
>> > I have looked at my certificates that I have on my desktop and most if not
>> > all are still valid and have not expired.
>> > Any suggestions of how I can get this to work? I have my WEP set at
>> > Hex/128-bit encryption.
>> > Thank you for your time in this matter.
>>
>>
>>
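The post above separates the pre-shared *authentication* key from the per-association *encryption* keys, and says that with 802.1x/EAP the initial authentication runs over RADIUS while WPA then takes over key handling. The following Python block is an added example (not code from the original post or from the Blitzz product) that carries that key hierarchy through as 802.11i specifies it: the WPA-PSK passphrase is stretched with PBKDF2-HMAC-SHA1 into the Pairwise Master Key (PMK), and the 4-way handshake derives a fresh Pairwise Transient Key (PTK) from the PMK, both MAC addresses and two random nonces. With 802.1x/EAP the only difference is where the PMK comes from (the EAP method, delivered to the AP by the RADIUS server) and the same PTK derivation follows. The passphrase/SSID pair "password"/"IEEE" is the test vector from the 802.11i standard's annex; the MAC addresses and the stand-in "RADIUS-delivered" PMK are constructed here. TKIP's per-frame key mixing on top of the temporal key is not shown.

```python
"""WPA pre-shared key -> PMK -> per-association PTK (802.11i key hierarchy).

Added example; not from the original post. MAC addresses and the
RADIUS-style PMK are constructed for illustration.
"""
import hashlib
import hmac
import os


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """The passphrase typed into the AP and each client is never used directly.

    It is stretched with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt) into the
    256-bit Pairwise Master Key. This is the long-lived "authentication" key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0,1,...

    The blocks are concatenated and truncated to nbytes.
    """
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake: AP and client compute the same PTK independently.

    Inputs are the PMK, the AP MAC (AA), the client MAC (SPA) and the two nonces
    exchanged in handshake messages 1 and 2. Ordering each pair by min/max makes
    the result independent of which side is the AP.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)  # 512-bit PTK (TKIP layout)
    return {
        "KCK": ptk[0:16],        # MICs the EAPOL-Key handshake messages
        "KEK": ptk[16:32],       # wraps the group key (GTK) sent in message 3
        "TK": ptk[32:48],        # temporal key that actually encrypts data frames
        "TKIP_MIC": ptk[48:64],  # Michael MIC keys (TKIP only; CCMP uses a 48-byte PTK)
    }


def new_association(pmk: bytes, aa: bytes, spa: bytes) -> dict:
    """Each (re)association draws fresh nonces, so the TK changes every time
    even though the PMK (and therefore the passphrase) stays the same."""
    return derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))


if __name__ == "__main__":
    ap_mac = bytes.fromhex("001122334455")      # constructed
    client_mac = bytes.fromhex("66778899aabb")  # constructed

    # WPA-PSK: the PMK is a function of the passphrase and SSID only.
    pmk = wpa_psk_to_pmk("password", "IEEE")
    print("PMK  (PSK)  :", pmk.hex())
    first = new_association(pmk, ap_mac, client_mac)
    second = new_association(pmk, ap_mac, client_mac)
    print("TK, assoc 1 :", first["TK"].hex())
    print("TK, assoc 2 :", second["TK"].hex(), "(differs: fresh nonces)")

    # WPA with 802.1x/EAP: the PMK is produced by the EAP method and handed to
    # the AP by the RADIUS server instead of being derived from a passphrase.
    # Random bytes stand in for that key here (constructed).
    radius_pmk = os.urandom(32)
    print("TK, 802.1x  :", new_association(radius_pmk, ap_mac, client_mac)["TK"].hex())
```

The PBKDF2 step is what makes a WPA-PSK passphrase guessable only by doing 4096 HMAC rounds per candidate, and the nonces are what keep a compromised temporal key from affecting other sessions; the passphrase itself never goes over the air in either mode.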


