Re: wireless network disconnects when using IEEE 802.1x authentica
From: Patrick B. Moore (PatrickBMoore_at_discussions.microsoft.com)
Date: 10/19/04
- Next message: Jim Hubbard: "Controlling JAVA Applications....."
- Previous message: Michellew: "RE: XP SP2"
- In reply to: Steve Riley [MSFT]: "Re: wireless network disconnects when using IEEE 802.1x authentica"
- Next in thread: Steve Riley [MSFT]: "Re: wireless network disconnects when using IEEE 802.1x authentica"
- Reply: Steve Riley [MSFT]: "Re: wireless network disconnects when using IEEE 802.1x authentica"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 18 Oct 2004 16:45:01 -0700
Steve,
Thank you again for your detailed information. I will print this out and
configure for my 1 AP and my 1 computer. I hope this will keep my computer
from disconnecting every 5 minutes.
Thank you again for your time in this matter.
"Steve Riley [MSFT]" wrote:
> Before I discuss wireless encryption differences, let me address the bank
> web site example. Your bank's web site (and usually just about any
> well-designed web site that requires entering IDs and passwords) will create
> an SSL session between the web server and your browser. This encrypted
> session keeps your information confidential on the Internet. As an
> interesting side effect, it also keeps that same information confidential
> over the air, since it gets encrypted before it leaves the wireless NIC in
> your computer.
>
> But this isn't good enough: what about all the rest of your communications?
> Or what about someone hijacking your wireless network? You still need to
> "secure the air," so to speak, so you've got to do something. Choosing what
> to do can be daunting.
>
> Now, generally, for wireless security, the more computers you have, the
> stronger of a security system you want. For a home network or small office
> network of say 20 computers or less, plain old 128-bit WEP is good enough.
> Change the encryption key in your access point and in all your computers
> once a month -- I like to recommend on the first Monday of each month as an
> easy-to-establish habit that you can put in your calendar as a reminder. To
> brute-force the key an attacker will need far more data than what a small
> network will generate in that time frame.
>
> If your hardware can perform WPA PSK (pre-shared key), use that and you can
> get completely out of the key-management business. WPA uses a key-management
> mechanism called TKIP (temporal key integrity protocol). You program a
> pre-shared *authentication* key into the AP and each client; WPA generates
> new *encryption* keys for every frame (packet) of data that passes between
> each client and the AP. That's a lot of encryption; it's best to use the AES
> encryption algorithm (rather than WEP's RC-4) since AES is so much faster.
> Change that authentication key say every six months.
>
> If you've got multiple access points, or more than about 20 clients, then
> you'll want to use a RADIUS server to handle keys and policies instead of
> individually setting keys in clients. You will need to implement your own
> RADIUS server to do that, and it works best if you've got an Active
> Directory domain. Older wireless hardware can use only 802.1x. 802.1x is a
> network port authentication protocol that uses EAP (extensible authentication
> protocol) to process the authentication and RADIUS for carrying the
> authentication conversation. In your RADIUS policy you'll indicate a key
> lifetime -- 60 minutes is good for 802.11b, 15 minutes for 802.11a/g. Each
> client that associates to the access point will receive its own WEP key and
> EAP changes this key according to the interval set in the RADIUS policy.
>
> Newer wireless hardware can use WPA, and again if you've got a network of
> more than one AP or more than 20 clients WPA with RADIUS is the best way to
> go. WPA still relies on RADIUS and 802.1x/EAP for the initial
> authentication, but replaces EAP's key handling mechanism with its own TKIP
> implementation, again changing those keys every frame.
>
>
> I know this is a lot of information, but choosing a wireless security suite
> isn't a trivial decision. This should help summarize:
>
> network size            hardware manufacture date   encryption protocol   RADIUS needed?
> ------------------------------------------------------------------------------------------
> >1 AP or >20 clients    after 8/2003                WPA                   yes
> >1 AP or >20 clients    before 8/2003               802.1x + EAP          yes
> 1 AP and <20 clients    after 8/2000                WPA + PSK             no
> 1 AP and <20 clients    before 8/2003               WEP 128-bit           no
>
> Note: for hardware made before 8/2003 you might be able to apply a firmware
> upgrade to add WPA support. Check with the manufacturer.
>
>
> Steve Riley
> steriley@microsoft.com
>
>
>
> "Patrick B. Moore" <PatrickBMoore@discussions.microsoft.com> wrote in
> message news:7CC72E38-02A8-4A76-AD91-C24234AB7273@microsoft.com...
> > Steve,
> > Thanks for the speedy reply. According to the owner's manual, Blitzz AP
> > Firewall Router gateway supports four different types of security modes.
> > WEP, WPA(Pre-Shared Key), WPA RADIUS and 802.1x RADIUS.
> > But, I have no idea of what the IP address for the RADIUS server would be.
> > So if I am unable to use 802.1x authentication on my computer, would my
> > security be compromised even though I will be using WEP 128 bit encryption??
> > Would my sensitive information be seen when I connect to my bank's website
> > when I am conducting online banking business without the authentication on??
> > If worse comes to worse, I could always turn on authentication when doing
> > sensitive business and turn it off when finished.
> > If you need any more information, please let me know.
> > Thank you again for your time in this matter.
> >
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> 802.1x usually requires a sophisticated infrastructure involving a RADIUS
> >> server, a certificate server, and computer and user certificates. I don't
> >> know what a Blitzz firewall router is; does that device provide all this
> >> for you?
> >>
> >> Steve Riley
> >> steriley@microsoft.com
> >>
> >>
> >> "Patrick B. Moore" <Patrick B. Moore@discussions.microsoft.com> wrote in
> >> message news:B93B23AA-E087-40D8-A691-412C0CF4614C@microsoft.com...
> >> > Hello,
> >> > I have a Blitzz 108 mb Super G Firewall Router and wireless adapter I
> >> > recently purchased.
> >> > I had everything up and running but anytime I use the IEEE 802.1x
> >> > authentication function for Windows XP Service Pack 2, my wireless
> >> > network disconnects from the internet. When I go and uncheck "Enable
> >> > IEEE 802.1x authentication for this network" I get my connection back.
> >> > I have gotten so frustrated, I have hooked my computer back up to my
> >> > ethernet card.
> >> > I have looked at my certificates that I have on my desktop and most if
> >> > not all are still valid and have not expired.
> >> > Any suggestions of how I can get this to work?? I have my WEP set at
> >> > Hex/128 bit encryption.
> >> > Thank you for your time in this matter.
> >>
> >>
> >>
>
>
>