Re: wireless network disconnects when using IEEE 802.1x authentica

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 10/19/04


Date: Mon, 18 Oct 2004 21:26:39 -0700

With one AP and one computer, you're fine with the 128-bit WEP key and
monthly key rotation. That's what I do at home.

Glad to have helped out.

Steve Riley
steriley@microsoft.com

"Patrick B. Moore" <PatrickBMoore@discussions.microsoft.com> wrote in
message news:002331D5-6908-4A0F-952B-1B95788558E0@microsoft.com...
> Steve,
> Thank you again for your detailed information. I will print this out
> and
> configure for my 1 AP and my 1 computer. I hope this will keep my
> computer
> from disconnecting every 5 minutes.
> Thank you again for your time in this matter.
>
> "Steve Riley [MSFT]" wrote:
>
>> Before I discuss wireless encryption differences, let me address the bank
>> web site example. Your bank's web site (and usually just about any
>> well-designed web site that requires entering IDs and passwords) will
>> create
>> an SSL session between the web server and your browser. This encrypted
>> session keeps your information confidential on the Internet. As an
>> interesting side effect, it also keeps that same information confidential
>> over the air, since it gets encrypted before it leaves the wireless NIC
>> in
>> your computer.
>>
>> But this isn't good enough: what about all the rest of your
>> communications?
>> Or what about someone hijacking your wireless network? You still need to
>> "secure the air," so to speak, so you've got to do something. Choosing
>> what
>> to do can be daunting.
>>
>> Now, generally, for wireless security, the more computers you have, the
>> stronger of a security system you want. For a home network or small
>> office
>> network of say 20 computers or less, plain old 128-bit WEP is good
>> enough.
>> Change the encryption key in your access point and in all your computers
>> once a month -- I like to recommend on the first Monday of each month as
>> an
>> easy-to-establish habit that you can put in your calendar as a reminder.
>> To
>> brute-force the key an attacker will need far more data than what a small
>> network will generate in that time frame.
>>
>> If your hardware can perform WPA PSK (pre-shared key), use that and you
>> can
>> get completely out of the key-management business. WPA uses a
>> key-management
>> mechanism called TKIP (temporal key integrity protocol). You program a
>> pre-shared *authentication* key into the AP and each client; WPA
>> generates
>> new *encryption* keys for every frame (packet) of data that passes
>> between
>> each client and the AP. That's a lot of encryption; it's best to use the AES
>> encryption algorithm (rather than WEP's RC-4) since AES is so much
>> faster.
>> Change that authentication key say every six months.
>>
>> If you've got multiple access points, or more than about 20 clients, then
>> you'll want to use a RADIUS server to handle keys and policies instead of
>> individually setting keys in clients. You will need to implement your own
>> RADIUS server to do that, and it works best if you've got an Active
>> Directory domain. Older wireless hardware can use only 802.1x. 802.1x is
>> a
>> network port authentication protocol that uses EAP (extensible
>> authentication
>> protocol) to process the authentication and RADIUS for carrying the
>> authentication conversation. In your RADIUS policy you'll indicate a key
>> lifetime -- 60 minutes is good for 802.11b, 15 minutes for 802.11a/g.
>> Each
>> client that associates to the access point will receive its own WEP key
>> and
>> EAP changes this key according to the interval set in the RADIUS policy.
>>
>> Newer wireless hardware can use WPA, and again if you've got a network of
>> more than one AP or more than 20 clients WPA with RADIUS is the best way
>> to
>> go. WPA still relies on RADIUS and 802.1x/EAP for the initial
>> authentication, but replaces EAP's key handling mechanism with its own
>> TKIP
>> implementation, again changing those keys every frame.
>>
>>
>> I know this is a lot of information, but choosing a wireless security
>> suite
>> isn't a trivial decision. This should help summarize:
>>
>> network size           hardware manufacture date   encryption protocol   RADIUS needed?
>> ---------------------------------------------------------------------------------------
>> >1 AP or >20 clients   after 8/2003                WPA                   yes
>> >1 AP or >20 clients   before 8/2003               802.1x + EAP          yes
>> 1 AP and <20 clients   after 8/2000                WPA + PSK             no
>> 1 AP and <20 clients   before 8/2003               WEP 128-bit           no
>>
>> Note: for hardware made before 8/2003 you might be able to apply a
>> firmware
>> upgrade to add WPA support. Check with the manufacturer.
>>
>>
>> Steve Riley
>> steriley@microsoft.com
>>
>>
>>
>> "Patrick B. Moore" <PatrickBMoore@discussions.microsoft.com> wrote in
>> message news:7CC72E38-02A8-4A76-AD91-C24234AB7273@microsoft.com...
>> > Steve,
>> > Thanks for the speedy reply. According to the owners manual, Blitzz
>> > AP
>> > Firewall Router gateway supports four different types of security
>> > modes.
>> > WEP,
>> > WPA(Pre-Shared Key), WPA RADIUS and 802.1x RADIUS.
>> > But, I have no idea of what the IP address for the RADIUS server would
>> > be.
>> > So if I am unable to use 802.1x authentication on my computer, would
>> > my
>> > security be compromised even though I will be using WEP 128 bit
>> > encryption??
>> > Would my sensitive information be seen when I connect to my bank's
>> > website
>> > when I am conducting online banking business without the authentication
>> > on??
>> > If worse comes to worse, I could always turn on authentication when
>> > doing
>> > sensitive business and turn it off when finished.
>> > If you need anymore information, please let me know.
>> > Thank you again for your time in this matter.
>> >
>> >
>> > "Steve Riley [MSFT]" wrote:
>> >
>> >> 802.1x usually requires a sophisticated infrastructure involving a
>> >> RADIUS
>> >> server, a certificate server, and computer and user certificates. I
>> >> don't
>> >> know what a Blitzz firewall router is; does that device provide all
>> >> this
>> >> for
>> >> you?
>> >>
>> >> Steve Riley
>> >> steriley@microsoft.com
>> >>
>> >>
>> >> "Patrick B. Moore" <Patrick B. Moore@discussions.microsoft.com> wrote
>> >> in
>> >> message news:B93B23AA-E087-40D8-A691-412C0CF4614C@microsoft.com...
>> >> > Hello,
>> >> > I have a Blitzz 108 mb Super G Firewall Router and wireless
>> >> > adapter I
>> >> > recently purchased.
>> >> > I had everything up and running but anytime I use the IEEE 802.1x
>> >> > authentication function for Windows XP Service Pack 2, my wireless
>> >> > network
>> >> > disconnects from the internet. When I go and uncheck "Enable IEEE
>> >> > 802.1x
>> >> > authentication for this network" I get my connection back. I have
>> >> > gotten
>> >> > so
>> >> > frustrated, I have hooked my computer back up to my ethernet card.
>> >> > I have looked at my certificates that I have on my desktop and most
>> >> > if
>> >> > not
>> >> > all are still valid and have not expired.
>> >> > Any suggestions of how I can get this to work?? I have my WEP set
>> >> > at
>> >> > Hex/128 bit encryption.
>> >> > Thank you for your time in this matter.
>> >>
>> >>
>> >>
>>
>>
>>