Deploying a secure internal wireless network

rajarora4
Level 1

Hi, We've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CHAPv2 with Windows based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.

Thanks in advance for your valuable input!

28 Replies

Stephen Rodriguez
Cisco Employee

First, for doing VoIP, make sure you have the appropriate coverage.

RSSI -65dBm

SNR of 25 dB

and 25% cell overlap.

As for PEAP vs EAP-TLS, PEAP tends to be simpler. You do need to have a certificate on the IAS/NPS server that allows it to authenticate clients, but this is the only required certificate. You can use a GPO to push the wireless config down, and the Root CA certificate to the client devices, making that task a lot easier.

With EAP-TLS, every machine/user needs a certificate.  So getting everyone enrolled can be a bit of a PITA.  But if a machine is lost, or a user leaves you only need to revoke those certificates, to stop the device from getting on the network.

My .02, go with PEAP.  Less certificate stuff to deal with, pretty easy to deploy and maintain.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Stephen, thanks for your post

Regarding PEAP, from what I've read, it seems like the user will need to enter their AD credentials every time they want to connect.

With EAP-TLS, the computer certificates should automatically connect the pc to the internal wireless network once it's in range.

Am I correct with these two statements?

If so, wouldn't option 2 be easier for users, and more secure?

Regards,

Raj

Actually the user shouldn't need to input credentials beyond the Windows login screen. If you use the WZC, and most supplicants, when you login to the machine with domain credentials, they will be transmitted across the wireless for the user login. That being said, if there is an issue, they could get prompted.

But I'd rather troubleshoot why the user login isn't happening than have to get hip deep in PKI issues.

Yes EAP-TLS can be considered the most secure, and potentially easier on the user, so long as you are willing to do all of the certificate enrollments yourself.

Steve


Yes, on reading the guide again, it does say that the client computer will pass on the credentials in the second phase of authentication once it has verified the identity of the NPS server using the certificate, so thanks for clarifying that for me.

Agree, but this design will pass through our information security department and I'm sure they'll want me to go the EAP-TLS route.

So I have a question regarding the certificates. We already deploy computer certificates on each client computer that is assigned to a user for VPN access. Couldn't I just use these existing certificates for EAP-TLS, or do I need to use dedicated certificates for this purpose?

If you only do machine level authentication for the TLS, you should be good, with what you have.

Steve

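As an added example (not code from this thread or from Cisco), here is a PowerShell check a Windows admin could run on a client to see whether the existing computer certificate Raj mentions would satisfy EAP-TLS machine authentication as Steve describes it: the certificate is the only credential presented, so it must hold a private key, carry the Client Authentication EKU, be within its validity period, and chain to the enterprise root with revocation status retrievable. The store path `Cert:\LocalMachine\My` and the `$ExpectedRootThumbprint` placeholder are assumptions to adjust for your environment.

```powershell
# Hypothetical helper: report whether a computer-store certificate is usable for EAP-TLS.
# $ExpectedRootThumbprint is a placeholder; replace it with your enterprise root CA thumbprint.
$ExpectedRootThumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by NPS for EAP-TLS clients

function Test-EapTlsMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (cannot sign the TLS handshake)' }
    if ($Cert.NotAfter -lt $now)   { $problems += 'expired' }
    if ($Cert.NotBefore -gt $now)  { $problems += 'not yet valid' }

    # A VPN cert issued from a template without the Client Authentication EKU is rejected by NPS.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    if (-not $hasClientAuth) { $problems += 'missing Client Authentication EKU' }

    # Build the chain the way the RADIUS server will: client-auth policy, revocation checked online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid)) | Out-Null
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
    }
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -ne $ExpectedRootThumbprint) { $problems += "chains to unexpected root: $($root.Subject)" }
    }

    # DNS name from the SAN is what you compare against the AD computer account.
    [pscustomobject]@{
        Subject    = $Cert.Subject
        DnsName    = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Machine (not user) store: this is where a machine-authentication cert must live.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsMachineCert -Cert $_ } |
    Format-Table Subject, DnsName, Usable, Problems -AutoSize
```

Run it in an elevated session on a domain-joined client; a row with Usable = True is a certificate you can select in the supplicant for EAP-TLS.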

I want to add, but not to confuse you, but you can do PEAP/EAP-TLS with mutual authentication. It's overkill, the benny is the cert is sent inside a tunnel. If you do native TLS it is sent in the open, unless you select privacy.

But as Steve mentioned, the cert can be used. In fact, when you configure the supplicant you select what cert you want to use.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks for chiming in George.

Stephen, with machine level authentication, I'm assuming you mean that as long as the machine is a member of the domain, has a valid certificate and the user account is active in AD, that machine should be able to connect to the wireless network using the certificate. 

George, PEAP/EAP-TLS sounds like a great option that I could present as well. Could you provide some additional details? I can look it up if not but thanks for the idea.

Can you guys point me to a good step by step guide to deploy EAP-TLS with windows NPS and RADIUS. I can find one as well but you guys seem to have good experience doing this.

Here, give a peek at these to get you started

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

http://www.mombu.com/microsoft/windows-server-security-general/t-peap-tls-vs-eap-tls-443617.html


Stephen, with machine level authentication, I'm assuming you mean that as long as the machine is a member of the domain, has a valid certificate and the user account is active in AD, that machine should be able to connect to the wireless network using the certificate. 

     With Machine authentication the user doesn't matter.  The machine certificate is the only 'credential' sent to be validated.

Steve


Interesting, so am I correct in assuming that PEAP/EAP-TLS would utilize both methods of authentication. It would validate the machine credentials as well as the user credentials?

I would not implement PEAP/TLS as not all clients will support it. However, most clients support EAP/TLS. I just wanted to mention it because if you are new to TLS this will be one of those "oh, I didn't know you could do that" ..

BTW --

The first EAP is the outer and the second EAP is the inner

EAP/PEAP (Outer) - MsChapV2 (Inner)

EAP/TLS (there is no tunnel unless you select "privacy")

EAP/PEAP (Outer) - TLS (Inner)


Steve, his users have a VPN cert, this is not a machine cert, correct? So I am thinking he would need to config his client with EAP-TLS and select the cert in the client supplicant.

Also, "machine authentication" uses a SID (system id). This would not use a cert, correct? Rather it would use the SID that is unique to the device and AD, which is used instead of an AD ID for example ...


Actually I believe it's a machine certificate

I have to say, the term "machine authentication", can mean a few different things.
