Securing Wireless Network

The security of wireless local area network (WLAN) solution works better with Wi-Fi Protected Access (WPA) WLAN protection compared to Wired Equivalent Privacy (WEP). 

Currently, ITD have to admit there are some potential difficulties faced by IIUM user with using WPA, which include: 

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and Smart Phone operating systen running on Windows Mobile and Symbion does not support WPA yet. The only operating system that really support secured wireless environment is MacOS for iPhone and iPod. For those who want to get connected through SSID iium-gadgetmust comply with WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, it is a common problem to the low-end Microsoft product.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure…, otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list. 

5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. 

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA. 

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA
WPA was not supported natively in Pocket PC 2003 using Windows Mobile and Symbion at the time of writing; however, this may be implemented in the future. Support for WPA on other type of Pocket PC available from other vendors such Mac OS (iPhone and iPod),

Original Post : ERM Blog

Securing Wireless Network

The security of wireless local area network (WLAN) solution works better with Wi-Fi Protected Access (WPA) WLAN protection compared to Wired Equivalent Privacy (WEP). 

Currently, ITD have to admit there are some potential difficulties faced by IIUM user with using WPA, which include: 

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and Smart Phone operating systen running on Windows Mobile and Symbion does not support WPA yet. The only operating system that really support secured wireless environment is MacOS for iPhone and iPod. For those who want to get connected through SSID iium-gadgetmust comply with WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, it is a common problem to the low-end Microsoft product.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure…, otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list. 

5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. 

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA. 

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA
WPA was not supported natively in Pocket PC 2003 using Windows Mobile and Symbion at the time of writing; however, this may be implemented in the future. Support for WPA on other type of Pocket PC available from other vendors such Mac OS (iPhone and iPod),

Original Post : ERM Blog

Securing Wireless Network

The security of wireless local area network (WLAN) solution works better with Wi-Fi Protected Access (WPA) WLAN protection compared to Wired Equivalent Privacy (WEP). 

Currently, ITD have to admit there are some potential difficulties faced by IIUM user with using WPA, which include: 

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and Smart Phone operating systen running on Windows Mobile and Symbion does not support WPA yet. The only operating system that really support secured wireless environment is MacOS for iPhone and iPod. For those who want to get connected through SSID iium-gadgetmust comply with WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, it is a common problem to the low-end Microsoft product.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure…, otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list. 

5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. 

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA. 

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA
WPA was not supported natively in Pocket PC 2003 using Windows Mobile and Symbion at the time of writing; however, this may be implemented in the future. Support for WPA on other type of Pocket PC available from other vendors such Mac OS (iPhone and iPod),

Original Post : ERM Blog

Protect your mobile : anywhere, anytime !

Many endpoint security solutions protect laptops and remote client tools only when they are connected to the network, leaving these devices open to malicious attacks and data interception. Implementing a comprehensive approach to endpoint security can mitigate the risks of theft, malware, and other vulnerabilities to increase data protection and help your company avoid the consequences of information loss and leakage.

Same goes to stealing information while you are accessing your personal information from public hotspots what so called ” Evil Twin” attacks. In this scenario a hotspot user connects to the “Evil Twin” wireless access point, believing it to be a legitimate commercial hotspot. Once connected the hacker impersonates a legitimate hotspot, and records all information entered into the web page, which can include your passwords, emails or worse credit card information.

This concept is very similar to the email “phishing” scams, where a message is sent to users tricking them to enter confidential information, such as bank account information or other sensitive username and password combinations. The process of tricking someone to voluntarily provide confidential information has been used for years in a variety of forms; more generally it is known as “social engineering”.

Every wireless device that is Wi-Fi enabled actually makes the hacker’s job even easier. Every device continues to “probe” for access points it has been connected to in the past. If the Wireless Connection manager in Windows XP sees a legitimate SSID it will automatically re-connect to that access point. All the hacker has to do is give his soft AP a default SSID, such as “linksys”, “boingo”, “home” or “public” and the laptop will automatically establish a wireless connection without any required user action.

Protect your mobile : anywhere, anytime !

Many endpoint security solutions protect laptops and remote client tools only when they are connected to the network, leaving these devices open to malicious attacks and data interception. Implementing a comprehensive approach to endpoint security can mitigate the risks of theft, malware, and other vulnerabilities to increase data protection and help your company avoid the consequences of information loss and leakage.

Same goes to stealing information while you are accessing your personal information from public hotspots what so called ” Evil Twin” attacks. In this scenario a hotspot user connects to the “Evil Twin” wireless access point, believing it to be a legitimate commercial hotspot. Once connected the hacker impersonates a legitimate hotspot, and records all information entered into the web page, which can include your passwords, emails or worse credit card information.

This concept is very similar to the email “phishing” scams, where a message is sent to users tricking them to enter confidential information, such as bank account information or other sensitive username and password combinations. The process of tricking someone to voluntarily provide confidential information has been used for years in a variety of forms; more generally it is known as “social engineering”.

Every wireless device that is Wi-Fi enabled actually makes the hacker’s job even easier. Every device continues to “probe” for access points it has been connected to in the past. If the Wireless Connection manager in Windows XP sees a legitimate SSID it will automatically re-connect to that access point. All the hacker has to do is give his soft AP a default SSID, such as “linksys”, “boingo”, “home” or “public” and the laptop will automatically establish a wireless connection without any required user action.

Protect your mobile : anywhere, anytime !

Many endpoint security solutions protect laptops and remote client tools only when they are connected to the network, leaving these devices open to malicious attacks and data interception. Implementing a comprehensive approach to endpoint security can mitigate the risks of theft, malware, and other vulnerabilities to increase data protection and help your company avoid the consequences of information loss and leakage.

Same goes to stealing information while you are accessing your personal information from public hotspots what so called ” Evil Twin” attacks. In this scenario a hotspot user connects to the “Evil Twin” wireless access point, believing it to be a legitimate commercial hotspot. Once connected the hacker impersonates a legitimate hotspot, and records all information entered into the web page, which can include your passwords, emails or worse credit card information.

This concept is very similar to the email “phishing” scams, where a message is sent to users tricking them to enter confidential information, such as bank account information or other sensitive username and password combinations. The process of tricking someone to voluntarily provide confidential information has been used for years in a variety of forms; more generally it is known as “social engineering”.

Every wireless device that is Wi-Fi enabled actually makes the hacker’s job even easier. Every device continues to “probe” for access points it has been connected to in the past. If the Wireless Connection manager in Windows XP sees a legitimate SSID it will automatically re-connect to that access point. All the hacker has to do is give his soft AP a default SSID, such as “linksys”, “boingo”, “home” or “public” and the laptop will automatically establish a wireless connection without any required user action.

Is Dynamic WEP Secure Enough enterprise solution ?

Dynamic WEP refers to the combination of 802.1x technology and the EAP. EAP is a flexible Layer 2 authentication protocol and a replacement to PAP and CHAP under Point-to-Point Protocol (PPP). The term dynamic WEP is derived from its unique ability to change (rekey) encryption keys. This prevents an attacker from being able to collect enough data to crack the current encryption keys. Each time a user logs into the network, a new key is created for that session. No other user will have the same session key, and the key lengths are such that reuse of the keys would be impossible to predict. Dynamic WEP also initiates more frequent key updates during the user's session, constantly changing the user's key by periodically renewing the keys every few minutes. This prevents an attacker from capturing significant data with the same key, thereby preventing any meaningful decryption of the WEP key. 

The argument of secure environment using Dynamic WEP comes from the original post written by Mr. Shankar. I forgot the original link which linked back to his original post.

We have all considered how insecure Wireless is using dynamic WEP in the scenario mentioned and I quote - "Due to one of our applications, we will be sending a clear strong signal to the parking lot". As also the mail says "Right now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my corporate SSID" to quote from the mails of Rocko.

My understanding of Dynamic WEP is that, in the case of PEAP or for that matter any other form of EAP derived security, there is no single common WEP key that is derived and used for all the clients. The point I am trying to lay my stress on is "no single common WEP key". In this scenario - if we were to look at this organization where we assume, should I say about 100 Wireless clients, then at an average of 15 people under each Access Point, this translates to 15 different keys - one key per person on the same Access Point. Add to this the probability of people moving from one Access Point to another at every (say) 3hours interval. Add to that the probability that the keys are not all changing at a defined point in time - this implies that based on when the user has derived the first dynamic key - the key changes at configured intervals.

To an external user (sitting in the parking lot) this poses 5 levels of randomness -

1. different users have different keys
2. different users changing their keys at different points in time
3. different users traversing across Access Points and hence changing their keys
4. The physical security that is existing on the ground that can contribute (if not greatly - at least to a reasonable extent) and hence the probability of finding out a parking lot hacker
5. Add again the probability of this guy getting sufficient numbers of weak IV's

Add to this, the number of users that are really sitting down in an area that provides a strong signal to the parking lot. Add also "direction finding capabilities" - (I am not too sure what this direction finding capability of the Access Point is, but based on context I guess it is something that deals with improving security).

SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.

Ofcourse I would also like to add that we have not looked at whether this is a scenario where we have a Patch Antenna/ Parabolic Antenna that transmits signals in a defined direction - in this scenario there is a possibility of the replies above being used as an effective hack

Moreover, most Organizations that have this level of consideration for security should be having some form of IDS/ IPS - NIDS/ HIDS - wouldn't these have detected/ alarmed the Admin in some way or the other if he is on the LAN/ some Server/ workstation

Technically, if we were to sit down in front of a box, it will crack after sometime, but realistically in the scenario - is this possible, I guess this is the outlook that we should take when we discuss on such problems. Moreover, this immediately puts a doubt in the mind of the person about PEAP and EAP related security measures or for that matter any solution when thought from this point angle


I WOULD LIKE TO KNOW THE COMMUNITIES' VIEW IN THIS SCENARIO.

Is Dynamic WEP Secure Enough enterprise solution ?

Dynamic WEP refers to the combination of 802.1x technology and the EAP. EAP is a flexible Layer 2 authentication protocol and a replacement to PAP and CHAP under Point-to-Point Protocol (PPP). The term dynamic WEP is derived from its unique ability to change (rekey) encryption keys. This prevents an attacker from being able to collect enough data to crack the current encryption keys. Each time a user logs into the network, a new key is created for that session. No other user will have the same session key, and the key lengths are such that reuse of the keys would be impossible to predict. Dynamic WEP also initiates more frequent key updates during the user's session, constantly changing the user's key by periodically renewing the keys every few minutes. This prevents an attacker from capturing significant data with the same key, thereby preventing any meaningful decryption of the WEP key. 

The argument of secure environment using Dynamic WEP comes from the original post written by Mr. Shankar. I forgot the original link which linked back to his original post.

We have all considered how insecure Wireless is using dynamic WEP in the scenario mentioned and I quote - "Due to one of our applications, we will be sending a clear strong signal to the parking lot". As also the mail says "Right now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my corporate SSID" to quote from the mails of Rocko.

My understanding of Dynamic WEP is that, in the case of PEAP or for that matter any other form of EAP derived security, there is no single common WEP key that is derived and used for all the clients. The point I am trying to lay my stress on is "no single common WEP key". In this scenario - if we were to look at this organization where we assume, should I say about 100 Wireless clients, then at an average of 15 people under each Access Point, this translates to 15 different keys - one key per person on the same Access Point. Add to this the probability of people moving from one Access Point to another at every (say) 3hours interval. Add to that the probability that the keys are not all changing at a defined point in time - this implies that based on when the user has derived the first dynamic key - the key changes at configured intervals.

To an external user (sitting in the parking lot) this poses 5 levels of randomness -

1. different users have different keys
2. different users changing their keys at different points in time
3. different users traversing across Access Points and hence changing their keys
4. The physical security that is existing on the ground that can contribute (if not greatly - at least to a reasonable extent) and hence the probability of finding out a parking lot hacker
5. Add again the probability of this guy getting sufficient numbers of weak IV's

Add to this, the number of users that are really sitting down in an area that provides a strong signal to the parking lot. Add also "direction finding capabilities" - (I am not too sure what this direction finding capability of the Access Point is, but based on context I guess it is something that deals with improving security).

SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.

Ofcourse I would also like to add that we have not looked at whether this is a scenario where we have a Patch Antenna/ Parabolic Antenna that transmits signals in a defined direction - in this scenario there is a possibility of the replies above being used as an effective hack

Moreover, most Organizations that have this level of consideration for security should be having some form of IDS/ IPS - NIDS/ HIDS - wouldn't these have detected/ alarmed the Admin in some way or the other if he is on the LAN/ some Server/ workstation

Technically, if we were to sit down in front of a box, it will crack after sometime, but realistically in the scenario - is this possible, I guess this is the outlook that we should take when we discuss on such problems. Moreover, this immediately puts a doubt in the mind of the person about PEAP and EAP related security measures or for that matter any solution when thought from this point angle


I WOULD LIKE TO KNOW THE COMMUNITIES' VIEW IN THIS SCENARIO.

Is Dynamic WEP Secure Enough enterprise solution ?

Dynamic WEP refers to the combination of 802.1x technology and the EAP. EAP is a flexible Layer 2 authentication protocol and a replacement to PAP and CHAP under Point-to-Point Protocol (PPP). The term dynamic WEP is derived from its unique ability to change (rekey) encryption keys. This prevents an attacker from being able to collect enough data to crack the current encryption keys. Each time a user logs into the network, a new key is created for that session. No other user will have the same session key, and the key lengths are such that reuse of the keys would be impossible to predict. Dynamic WEP also initiates more frequent key updates during the user's session, constantly changing the user's key by periodically renewing the keys every few minutes. This prevents an attacker from capturing significant data with the same key, thereby preventing any meaningful decryption of the WEP key. 

The argument of secure environment using Dynamic WEP comes from the original post written by Mr. Shankar. I forgot the original link which linked back to his original post.

We have all considered how insecure Wireless is using dynamic WEP in the scenario mentioned and I quote - "Due to one of our applications, we will be sending a clear strong signal to the parking lot". As also the mail says "Right now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my corporate SSID" to quote from the mails of Rocko.

My understanding of Dynamic WEP is that, in the case of PEAP or for that matter any other form of EAP derived security, there is no single common WEP key that is derived and used for all the clients. The point I am trying to lay my stress on is "no single common WEP key". In this scenario - if we were to look at this organization where we assume, should I say about 100 Wireless clients, then at an average of 15 people under each Access Point, this translates to 15 different keys - one key per person on the same Access Point. Add to this the probability of people moving from one Access Point to another at every (say) 3hours interval. Add to that the probability that the keys are not all changing at a defined point in time - this implies that based on when the user has derived the first dynamic key - the key changes at configured intervals.

To an external user (sitting in the parking lot) this poses 5 levels of randomness -

1. different users have different keys
2. different users changing their keys at different points in time
3. different users traversing across Access Points and hence changing their keys
4. The physical security that is existing on the ground that can contribute (if not greatly - at least to a reasonable extent) and hence the probability of finding out a parking lot hacker
5. Add again the probability of this guy getting sufficient numbers of weak IV's

Add to this, the number of users that are really sitting down in an area that provides a strong signal to the parking lot. Add also "direction finding capabilities" - (I am not too sure what this direction finding capability of the Access Point is, but based on context I guess it is something that deals with improving security).

SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.

Ofcourse I would also like to add that we have not looked at whether this is a scenario where we have a Patch Antenna/ Parabolic Antenna that transmits signals in a defined direction - in this scenario there is a possibility of the replies above being used as an effective hack

Moreover, most Organizations that have this level of consideration for security should be having some form of IDS/ IPS - NIDS/ HIDS - wouldn't these have detected/ alarmed the Admin in some way or the other if he is on the LAN/ some Server/ workstation

Technically, if we were to sit down in front of a box, it will crack after sometime, but realistically in the scenario - is this possible, I guess this is the outlook that we should take when we discuss on such problems. Moreover, this immediately puts a doubt in the mind of the person about PEAP and EAP related security measures or for that matter any solution when thought from this point angle


I WOULD LIKE TO KNOW THE COMMUNITIES' VIEW IN THIS SCENARIO.

Securing Wireless LANs with PEAP and Passwords

The wireless local area network (WLAN) solution described in this documentation works equally well with either dynamic Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) WLAN protection. The implementation differences between the two are minor and are documented in this appendix.

Currently, there are some potential difficulties with using WPA, which include:

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 1 and later.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates.


Using WPA in Place of WEP
Although the majority of the guide is applicable to both WPA and dynamic WEP, there are two main points in the documentation where the instructions differ:

• The “Creating an IAS Remote Access Policy for WLAN” section in Chapter 5, “Building the Wireless LAN Security Infrastructure.”

• The “Creating the WLAN Settings GPO” section in Chapter 6, “Configuring the Wireless LAN Clients.”


Creating an IAS Remote Access Policy for WLAN with WPA
To use WPA WLAN protection in place of dynamic WEP, you should set the client session time–out value to 8 hours instead of 60 minutes. WPA has an in–built mechanism to generate new WLAN encryption keys, so it does not need to force the clients to re–authenticate frequently. Eight hours is a reasonable value to ensure that clients have valid up–to–date credentials (for example, it ensures that a client cannot remain connected for excessive periods after its account has been disabled). In very high security environments, you can reduce this time–out value, if needed.

In the "Modifying the WLAN Access Policy Profile Settings" section in Chapter 5, “Building the Wireless LAN Security Infrastructure,” use the following procedure to set the remote access policy profile settings:

To modify wireless access policy profile settings:

1. In the Internet Authentication Service MMC, open the properties of the Allow Wireless LAN Access policy, and then click Edit Profile.

2. On the Dial-in Contraints tab, in the Minutes clients can be connected (Session-Timeout) field, type the value 480 (480 minutes or 8hours).

3. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.


You also need to change the session time–out in the wireless access point (AP) to match (or exceed) the time–out value set in this procedure.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure..., otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list.

5. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. (This is the CA that you installed to issue IAS server certificates—see Chapter 4 for more details).

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.


Configuring Pocket PC 2003 for WPA
WPA was not supported natively in Pocket PC 2003 at the time of writing; however, this may be implemented in the future. Support for WPA on Pocket PC may also be available from other vendors.

Migrating from WEP to WPA
If you have deployed a secure WLAN solution based on dynamic WEP and want to migrate to WPA, you need to follow the steps in this section. You must ensure that you have deployed WPA software support (for example, the Windows XP WPA component) and hardware support (AP firmware and network adapter driver updates) prior to the migration. References in this procedure to configuring WPA settings in GPOs are only valid when the GPO is edited from Windows Server 2003 Service Pack 1 or later. This service pack had not been released at the time of writing. If you are not using Windows Server 2003 Service Pack 1 or later, follow the instructions given in the “Manually Configuring Windows XP WLAN Settings” section in this appendix.

To migrate from WEP to WPA, if your APs support dynamic WEP and WPA simultaneously:

1. Configure all wireless APs to support both dynamic WEP and WPA.

2. Create a new WLAN client settings GPO. Create a Wireless Network policy that configures the correct settings for WPA (refer to the procedure provided in the "Manually Configuring Windows XP WLAN Settings" section in this appendix). Then disable the existing WEP GPO and enable the WPA GPO so that all WPA settings are sent out to all clients. The clients will start using WPA on the WLAN following the next GPO refresh.

Note: If you are configuring your clients manually, you must disable the GPO that contains the WEP settings; if you do not do this, the manual WPA settings will be overwritten by the GPO.

3. Finally, you should update the IAS remote access policy session time–out and the client session time–out in the AP (as described in the "IAS Remote Access Policy" section earlier in this appendix).

To migrate from WEP to WPA, if your APs do not support simultaneous use of WEP and WPA:

1. Create a new WLAN SSID for the WPA network.

2. Edit the client network settings GPO and add the new SSID using WPA parameters (as described in the "Manually Configuring Windows XP WLAN Settings" section earlier in this appendix). If you are configuring your clients manually, you should configure them with the new SSID and WPA settings for that SSID. Do not remove the settings for the old WEP SSID in either case.

3. Working site–by–site, reconfigure your APs from WEP to WPA support, changing the SSID of the AP. As you reconfigure each AP, the clients will switch to the new SSID and use WPA.

4. Once you have reconfigured all APs, you can update the remote access policies on all IAS servers. You need to increase the session time–out value in the remote access policy (from 60 minutes to 8 hours) and change the same setting in the wireless APs (as described in the "IAS Remote Access Policy" section in this appendix).

5. Once the migration is complete, you can remove the WEP SSID from the GPO.


References
This section provides references to important supplementary information or other background material relevant to this appendix.

• The Cable Guy — March 2003, Wi-Fi Protected Access™ (WPA) Overview, available at the following URL:

http://www.microsoft.com/technet/community/columns/
cableguy/cg0303.mspx

• Microsoft Knowledge Base Article 815485, "Overview of the WPA Wireless Security Update in Windows XP," available at the following URL:

http://support.microsoft.com/?kbid=815485

• Microsoft Press Pass Announcement on WPA Availability, available at the following URL:

http://www.microsoft.com/presspass/press/2003/mar03/03-31WiFiProtectedAccessPR.mspx

• "Wireless 802.11 Security with Windows XP" white paper available at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/
administration/wirelesssecurity/

Securing Wireless LANs with PEAP and Passwords

The wireless local area network (WLAN) solution described in this documentation works equally well with either dynamic Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) WLAN protection. The implementation differences between the two are minor and are documented in this appendix.

Currently, there are some potential difficulties with using WPA, which include:

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 1 and later.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates.


Using WPA in Place of WEP
Although the majority of the guide is applicable to both WPA and dynamic WEP, there are two main points in the documentation where the instructions differ:

• The “Creating an IAS Remote Access Policy for WLAN” section in Chapter 5, “Building the Wireless LAN Security Infrastructure.”

• The “Creating the WLAN Settings GPO” section in Chapter 6, “Configuring the Wireless LAN Clients.”


Creating an IAS Remote Access Policy for WLAN with WPA
To use WPA WLAN protection in place of dynamic WEP, you should set the client session time–out value to 8 hours instead of 60 minutes. WPA has an in–built mechanism to generate new WLAN encryption keys, so it does not need to force the clients to re–authenticate frequently. Eight hours is a reasonable value to ensure that clients have valid up–to–date credentials (for example, it ensures that a client cannot remain connected for excessive periods after its account has been disabled). In very high security environments, you can reduce this time–out value, if needed.

In the "Modifying the WLAN Access Policy Profile Settings" section in Chapter 5, “Building the Wireless LAN Security Infrastructure,” use the following procedure to set the remote access policy profile settings:

To modify wireless access policy profile settings:

1. In the Internet Authentication Service MMC, open the properties of the Allow Wireless LAN Access policy, and then click Edit Profile.

2. On the Dial-in Contraints tab, in the Minutes clients can be connected (Session-Timeout) field, type the value 480 (480 minutes or 8hours).

3. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.


You also need to change the session time–out in the wireless access point (AP) to match (or exceed) the time–out value set in this procedure.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure..., otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list.

5. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. (This is the CA that you installed to issue IAS server certificates—see Chapter 4 for more details).

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.


Configuring Pocket PC 2003 for WPA
WPA was not supported natively in Pocket PC 2003 at the time of writing; however, this may be implemented in the future. Support for WPA on Pocket PC may also be available from other vendors.

Migrating from WEP to WPA
If you have deployed a secure WLAN solution based on dynamic WEP and want to migrate to WPA, you need to follow the steps in this section. You must ensure that you have deployed WPA software support (for example, the Windows XP WPA component) and hardware support (AP firmware and network adapter driver updates) prior to the migration. References in this procedure to configuring WPA settings in GPOs are only valid when the GPO is edited from Windows Server 2003 Service Pack 1 or later. This service pack had not been released at the time of writing. If you are not using Windows Server 2003 Service Pack 1 or later, follow the instructions given in the “Manually Configuring Windows XP WLAN Settings” section in this appendix.

To migrate from WEP to WPA, if your APs support dynamic WEP and WPA simultaneously:

1. Configure all wireless APs to support both dynamic WEP and WPA.

2. Create a new WLAN client settings GPO. Create a Wireless Network policy that configures the correct settings for WPA (refer to the procedure provided in the "Manually Configuring Windows XP WLAN Settings" section in this appendix). Then disable the existing WEP GPO and enable the WPA GPO so that all WPA settings are sent out to all clients. The clients will start using WPA on the WLAN following the next GPO refresh.

Note: If you are configuring your clients manually, you must disable the GPO that contains the WEP settings; if you do not do this, the manual WPA settings will be overwritten by the GPO.

3. Finally, you should update the IAS remote access policy session time–out and the client session time–out in the AP (as described in the "IAS Remote Access Policy" section earlier in this appendix).

To migrate from WEP to WPA, if your APs do not support simultaneous use of WEP and WPA:

1. Create a new WLAN SSID for the WPA network.

2. Edit the client network settings GPO and add the new SSID using WPA parameters (as described in the "Manually Configuring Windows XP WLAN Settings" section earlier in this appendix). If you are configuring your clients manually, you should configure them with the new SSID and WPA settings for that SSID. Do not remove the settings for the old WEP SSID in either case.

3. Working site–by–site, reconfigure your APs from WEP to WPA support, changing the SSID of the AP. As you reconfigure each AP, the clients will switch to the new SSID and use WPA.

4. Once you have reconfigured all APs, you can update the remote access policies on all IAS servers. You need to increase the session time–out value in the remote access policy (from 60 minutes to 8 hours) and change the same setting in the wireless APs (as described in the "IAS Remote Access Policy" section in this appendix).

5. Once the migration is complete, you can remove the WEP SSID from the GPO.


References
This section provides references to important supplementary information or other background material relevant to this appendix.

• The Cable Guy — March 2003, Wi-Fi Protected Access™ (WPA) Overview, available at the following URL:

http://www.microsoft.com/technet/community/columns/
cableguy/cg0303.mspx

• Microsoft Knowledge Base Article 815485, "Overview of the WPA Wireless Security Update in Windows XP," available at the following URL:

http://support.microsoft.com/?kbid=815485

• Microsoft Press Pass Announcement on WPA Availability, available at the following URL:

http://www.microsoft.com/presspass/press/2003/mar03/03-31WiFiProtectedAccessPR.mspx

• "Wireless 802.11 Security with Windows XP" white paper available at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/
administration/wirelesssecurity/

Securing Wireless LANs with PEAP and Passwords

The wireless local area network (WLAN) solution described in this documentation works equally well with either dynamic Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) WLAN protection. The implementation differences between the two are minor and are documented in this appendix.

Currently, there are some potential difficulties with using WPA, which include:

• Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 1 and later.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates.


Using WPA in Place of WEP
Although the majority of the guide is applicable to both WPA and dynamic WEP, there are two main points in the documentation where the instructions differ:

• The “Creating an IAS Remote Access Policy for WLAN” section in Chapter 5, “Building the Wireless LAN Security Infrastructure.”

• The “Creating the WLAN Settings GPO” section in Chapter 6, “Configuring the Wireless LAN Clients.”


Creating an IAS Remote Access Policy for WLAN with WPA
To use WPA WLAN protection in place of dynamic WEP, you should set the client session time–out value to 8 hours instead of 60 minutes. WPA has an in–built mechanism to generate new WLAN encryption keys, so it does not need to force the clients to re–authenticate frequently. Eight hours is a reasonable value to ensure that clients have valid up–to–date credentials (for example, it ensures that a client cannot remain connected for excessive periods after its account has been disabled). In very high security environments, you can reduce this time–out value, if needed.

In the "Modifying the WLAN Access Policy Profile Settings" section in Chapter 5, “Building the Wireless LAN Security Infrastructure,” use the following procedure to set the remote access policy profile settings:

To modify wireless access policy profile settings:

1. In the Internet Authentication Service MMC, open the properties of the Allow Wireless LAN Access policy, and then click Edit Profile.

2. On the Dial-in Contraints tab, in the Minutes clients can be connected (Session-Timeout) field, type the value 480 (480 minutes or 8hours).

3. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.


You also need to change the session time–out in the wireless access point (AP) to match (or exceed) the time–out value set in this procedure.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure..., otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list.

5. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. (This is the CA that you installed to issue IAS server certificates—see Chapter 4 for more details).

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.


Configuring Pocket PC 2003 for WPA
WPA was not supported natively in Pocket PC 2003 at the time of writing; however, this may be implemented in the future. Support for WPA on Pocket PC may also be available from other vendors.

Migrating from WEP to WPA
If you have deployed a secure WLAN solution based on dynamic WEP and want to migrate to WPA, you need to follow the steps in this section. You must ensure that you have deployed WPA software support (for example, the Windows XP WPA component) and hardware support (AP firmware and network adapter driver updates) prior to the migration. References in this procedure to configuring WPA settings in GPOs are only valid when the GPO is edited from Windows Server 2003 Service Pack 1 or later. This service pack had not been released at the time of writing. If you are not using Windows Server 2003 Service Pack 1 or later, follow the instructions given in the “Manually Configuring Windows XP WLAN Settings” section in this appendix.

To migrate from WEP to WPA, if your APs support dynamic WEP and WPA simultaneously:

1. Configure all wireless APs to support both dynamic WEP and WPA.

2. Create a new WLAN client settings GPO. Create a Wireless Network policy that configures the correct settings for WPA (refer to the procedure provided in the "Manually Configuring Windows XP WLAN Settings" section in this appendix). Then disable the existing WEP GPO and enable the WPA GPO so that all WPA settings are sent out to all clients. The clients will start using WPA on the WLAN following the next GPO refresh.

Note: If you are configuring your clients manually, you must disable the GPO that contains the WEP settings; if you do not do this, the manual WPA settings will be overwritten by the GPO.

3. Finally, you should update the IAS remote access policy session time–out and the client session time–out in the AP (as described in the "IAS Remote Access Policy" section earlier in this appendix).

To migrate from WEP to WPA, if your APs do not support simultaneous use of WEP and WPA:

1. Create a new WLAN SSID for the WPA network.

2. Edit the client network settings GPO and add the new SSID using WPA parameters (as described in the "Manually Configuring Windows XP WLAN Settings" section earlier in this appendix). If you are configuring your clients manually, you should configure them with the new SSID and WPA settings for that SSID. Do not remove the settings for the old WEP SSID in either case.

3. Working site–by–site, reconfigure your APs from WEP to WPA support, changing the SSID of the AP. As you reconfigure each AP, the clients will switch to the new SSID and use WPA.

4. Once you have reconfigured all APs, you can update the remote access policies on all IAS servers. You need to increase the session time–out value in the remote access policy (from 60 minutes to 8 hours) and change the same setting in the wireless APs (as described in the "IAS Remote Access Policy" section in this appendix).

5. Once the migration is complete, you can remove the WEP SSID from the GPO.


References
This section provides references to important supplementary information or other background material relevant to this appendix.

• The Cable Guy — March 2003, Wi-Fi Protected Access™ (WPA) Overview, available at the following URL:

http://www.microsoft.com/technet/community/columns/
cableguy/cg0303.mspx

• Microsoft Knowledge Base Article 815485, "Overview of the WPA Wireless Security Update in Windows XP," available at the following URL:

http://support.microsoft.com/?kbid=815485

• Microsoft Press Pass Announcement on WPA Availability, available at the following URL:

http://www.microsoft.com/presspass/press/2003/mar03/03-31WiFiProtectedAccessPR.mspx

• "Wireless 802.11 Security with Windows XP" white paper available at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/
administration/wirelesssecurity/