WPA2-Enterprise w/ IAS - Easy deployment?

Unanswered Question
Apr 16th, 2009

I am tasked with trying to implement wireless for a client using wpa2-enterprise tied in with Microsoft IAS. Everything I am reading so far points me to the requirement for using certificates. A lot of these computers will either be running out of the domain (kind of like guests) and will be a mix of operating systems. So to keep administration of end user computers down, I was trying to find a solution that either does not use certificates or only requires me to do something with the certificate on the head end (IAS). Is this possible?

gamccall Thu, 04/16/2009 - 08:08

Well, any WPA-Enterprise setup is going to require some client configuration. However, that doesn't have to mean certificate installation.

If you use PEAP as your EAP method, a certificate is required on the RADIUS server, but client-side certificates are not required.

There is another wrinkle, though. You could use a self-signed certificate on the IAS, but your clients have no way to recognize it unless you manually install that certificate on each client. So you would have to disable the client setting for "validate the server certificate". This opens you to MITM attacks: bad idea.

The way to forestall this issue is to purchase a commercial certificate for your RADIUS server (Verisign or whoever) for which your clients already have the appropriate root CA certificate installed.
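The answer above turns on one client-side setting: "validate the server certificate" must stay on, with the trusted root and the expected server name pinned, otherwise any RADIUS server that presents a certificate chaining to the same public CA (or, with validation off, any certificate at all) is accepted. The added example below is not code from this thread; it parses wpa_supplicant-style `network={}` blocks, the usual supplicant on the non-Windows, non-domain clients the question mentions, and flags PEAP entries that do not pin the server. The SSID WIFISEC comes from the thread; the CA bundle path, RADIUS host name and credentials are constructed values.

```python
"""Audit wpa_supplicant PEAP network blocks for server-certificate pinning.

Added example, not from the original thread. The two network blocks are
constructed: WEAK is the configuration that "just works" against any
RADIUS server, HARDENED pins the CA bundle and the server name.
"""
import re

WEAK = """
network={
    ssid="WIFISEC"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED = """
network={
    ssid="WIFISEC"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.com"
}
"""

# Any one of these makes wpa_supplicant check the server certificate's
# name rather than merely its chain to the trusted CA.
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match",
                   "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict per network={...} block: key -> value, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def check_peap(net):
    """Return a list of findings for one block; an empty list means acceptable."""
    findings = []
    if net.get("eap", "").upper() != "PEAP":
        return findings                                # not a PEAP network
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: the server certificate is not "
                        "validated at all, so a rogue AP can harvest MSCHAPv2 hashes")
    if not any(k in net for k in NAME_MATCH_KEYS):
        findings.append("no server-name match: any certificate chaining to the "
                        "trusted CA is accepted, which a commercial CA makes easy to get")
    return findings


def audit(text):
    """Map SSID -> findings for every network block in a config file's text."""
    return {n.get("ssid", "?"): check_peap(n) for n in parse_networks(text)}
```

The Windows equivalent of `ca_cert` plus `domain_match` is, in the PEAP properties, the "Validate server certificate" checkbox with "Connect to these servers" filled in and exactly one CA ticked under Trusted Root Certification Authorities; a commercial certificate only removes the need to push a root certificate, it does not remove the need to pin the server name.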

clamasters Thu, 04/16/2009 - 12:15

Thank you. That's exactly what I needed to know. PEAP looks like my answer for now. Any drawbacks to using this method?

gamccall Thu, 04/16/2009 - 12:27

Well, there's the root certificate issue I mentioned above. Also, there are issues with using PEAP to authenticate against an LDAP where passwords are not hashed. However, assuming you're authenticating against an AD that's a non-issue.

Other than that, PEAP is very easy to work with. I've deployed it at multiple sites and in general it "just works".

Robert.N.Barrett_2 Thu, 04/16/2009 - 13:40

Since you have a diverse group of user types, it doesn't look like you'll be able to enforce machine authentication. This means that someone with valid logon credentials can connect any WPA2/PEAP-capable machine to your wireless network. That behavior appears to be what you want, but I thought I'd mention it (even an iPhone will do PEAP!).

clamasters Mon, 05/04/2009 - 11:39

Ok. I tried doing this on my own plus the help of Google but I am not getting it to work. Below is the configuration of one of the access points, and a basic description of how I have IAS setup.

The SSID in question is WIFISEC

I started IAS and added the host as a RADIUS client. Then created a new wireless policy, added in a certificate that was purchased for the IAS server from GoDaddy. Added in Domain Users so they can authenticate and then changed the encryption to 128-bit only.

I thought this would have been simple but I guess I was wrong. The logs on the RADIUS server say I'm not even attempting authentication, but on the server under "System Logs" I can see things happening but auth is failing. On the AP, it just tells me that auth failed.

Please help :)
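When the RADIUS server's own log shows no authentication attempt while the access point reports a failure, the first things worth checking are the RADIUS client entry (the AP's source address) and the shared secret, because a RADIUS server silently discards an Access-Request whose Message-Authenticator does not verify under the shared secret (RFC 3579), and a discarded packet never becomes an authentication attempt. The added example below is not from this thread; it builds the first packet an AP sends for a PEAP client, an Access-Request carrying EAP-Response/Identity, and shows the server-side check. The shared secret, NAS address, MAC and user name are constructed values.

```python
"""Build and verify a RADIUS Access-Request that opens an EAP (PEAP) exchange.

Added example, not from the original thread. Attribute numbers are from
RFC 2865/2869/3579; the secret, addresses and user name are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity: Code, Identifier, Length, Type, identity string."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, identity, nas_ip, station_mac,
                         radius_id=1, eap_id=1, authenticator=None):
    """What the access point sends to the RADIUS server (UDP/1812)."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator
    attrs = b"".join([
        attr(USER_NAME, identity.encode()),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(CALLING_STATION_ID, station_mac.encode()),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        attr(EAP_MESSAGE, eap_identity_response(eap_id, identity)),
        attr(MESSAGE_AUTHENTICATOR, bytes(16)),           # zeroed placeholder
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    pkt = header + authenticator + attrs
    # HMAC-MD5 over the whole packet with the placeholder zeroed, keyed by the
    # shared secret; the placeholder is the last attribute, so replace its value.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def iter_attrs(pkt):
    """Yield (type, value) for every attribute after the 20-octet header."""
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        yield attr_type, pkt[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute the HMAC with the attribute value zeroed.

    A mismatch (wrong shared secret) means the server silently discards the
    request; an EAP request with no Message-Authenticator at all is rejected
    as well (RFC 3579).
    """
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False
```

The same secret has to be configured on the AP and in the IAS RADIUS-client entry for that AP's address; the secret never crosses the wire, only the HMAC it keys, so a typo on either side produces exactly the silent drop the check above models.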
