topic Deploying a secure internal wireless network in Wireless

Deploying a secure internal wireless network

rajarora4 — Sun, 04 Jul 2021 04:58:14 GMT

Hi, We've got a 5508 WLAN controller with about 200 WAPs currently deployed for guest access only. We would now like to deploy wireless for our internal network as well and would like for this to support voice as well. I'm reviewing the various options that are available and trying to figure out which one is the best. I've narrowed it down to EAP-TLS and PEAP with MS-CAHPV2 with Windows based certificates. Our management wants us to use Microsoft RADIUS servers instead of ACS. Just wanted to get some feedback to see if someone has done this in their environment before and the pros and cons of choosing one authentication method over another.

Thanks in advance for you valuable input!

Deploying a secure internal wireless network

Stephen Rodriguez — Mon, 09 Apr 2012 18:55:53 GMT

FIrst for doing VoIP, make sure you have the appropriate coveraged.

RSSI -65dBm

SNR of 25 db

and 25% cell overlap.

As for PEAP vs EAP-TLS, PEAP tends to be simpler. You do need to have a certificate on the IAS/NPS server that allows it to authenticate clients, but this is the only required certificate. You can use a GPO to push the wireless config down, and the Root CA certificate to the client devices making that task a lot easeier.

With EAP-TLS, every machine/user needs a certificate. So getting everyone enrolled can be a bit of a PITA. But if a machine is lost, or a user leaves you only need to revoke those certificates, to stop the device from getting on the network.

My .02, go with PEAP. Less certificate stuff to deal with, pretty easy to deploy and maintain.

Steve

Deploying a secure internal wireless network

rajarora4 — Mon, 09 Apr 2012 19:12:36 GMT

Stephen, thanks for your post

Regarding PEAP, from what I've read, it seems like the user will need to enter their AD credentials every time they want to connect.

With EAP-TLS, the computer certificates should automatically connect the pc to the internal wireless network once it's in range.

Am I correct with these two statements?

if so, wouldn't option 2 be easier for users, and more secure?

Regards,

Raj

Deploying a secure internal wireless network

Stephen Rodriguez — Mon, 09 Apr 2012 19:16:38 GMT

Actually the user shouldn't need to input credentials beyond the windows login screen. If you use the WZC, and most supplicants, when you login to the machine with domain credentials, they will be transmitted across the wireless for the user login. That being said, if there is an issue, they could get prompted.

But I'd rather troubleshoot why the user loign isn't happening than have to get hip deep in PKI issues.

Yes EAP-TLS can be considered the most secure, and potentially easier on the user, so long as you are willing to do all of the certificate enrollments yourself.

Steve

Deploying a secure internal wireless network

rajarora4 — Mon, 09 Apr 2012 19:25:53 GMT

yes, on reading the guide again, it does say that the client computer will pass on the credentials in the second phase of authentication once it has verified the identity of the NPS server using the certificate so thanks for clarifying that for me.

Agree but this will design will pass through our information security department and I'm sure they'll want me to go the EAP-TLS route.

So I have a question regarding the certificates. We already deply computer certificates on each client computer that is assigned to a user for VPN access, couldn't I just use these existing certificates for EAP-TLS or do I need to use dedicated certificates for this purpose?

Deploying a secure internal wireless network

Stephen Rodriguez — Mon, 09 Apr 2012 19:32:17 GMT

If you only do machine level authentication for the TLS, you should be good, with what you have.

Steve

Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 19:39:11 GMT

I want to add, but not o confuse you, but you can do PEAP/EAP-TLS with mutual authentication. Its overkill, the benny is the cert is sent inside a tunnel. If you do native TLS it is sent in the open, unless you select privacy.

But as Steve mentioned, the cert can be used. In fact, when you configure the supplicant you select what cert you want to use.

Deploying a secure internal wireless network

rajarora4 — Mon, 09 Apr 2012 20:33:54 GMT

Thanks for chiming in George.

Stephen, with machine level authentication, I'm assuming you mean that as long as the machine is a member of the domain, has a valid certificate and the user account is active in AD, that machine should be able to connect to the wireless network using the certificate.

George, PEAP/EAP-TLS sounds like a great option that I could present as well. Could you provide some additional details? I can look it up if not but thanks for the idea.

Can you guys point me to a good step by step guide to deploy EAP-TLS with windows NPS and RADIUS. I can find one as well but you guys seem to have good experience doing this.

Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 20:37:37 GMT

Here give a peek at these to get you started

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

http://www.mombu.com/microsoft/windows-server-security-general/t-peap-tls-vs-eap-tls-443617.html

Deploying a secure internal wireless network

Stephen Rodriguez — Mon, 09 Apr 2012 20:38:21 GMT

With Machine authentication the user doesn't matter. The machine certificate is the only 'credential' sent to be validated.

Steve

Deploying a secure internal wireless network

rajarora4 — Mon, 09 Apr 2012 20:42:07 GMT

Interesting, so am I correct in assuming that PEAP/EAP-TLS would utilize both methods of authentication. It would validate the machine credentials as well as the user credentials?

Re: Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 20:42:55 GMT

Steve, his users have a VPN cert, this is not a machine cert, correct ? So I am thinking he would need to config his client with EAP-TLS and select the cert in the client supplicant.

Also, "machine authentcaion" uses a SID (system id). This would not use a cert, correc? Rather it would use the SID that is unquie to the device and AD, which is used insetad of a AD ID for example ...

Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 20:47:50 GMT

I would not implement PEAP/TLS as not all clients will support it. However, most client support EAP/TLS. I just wanted to mention it becuase if you are new to TLS this will be one of those "oh i didnt know you could do that" ..

BTW --

The first EAP is the outter and the second eap is the inner

EAP/PEAP (Outter) - MsChapV2(Inner)

EAP/TLS (there is no tunnel unless you select "privacy")

EAP/PEAP (Outter) - TLS (inner)

Deploying a secure internal wireless network

rajarora4 — Mon, 09 Apr 2012 20:48:47 GMT

Actually I believe it's a machine certificate

Deploying a secure internal wireless network

Stephen Rodriguez — Mon, 09 Apr 2012 20:50:05 GMT

wow, started this 4 times now.....

Ok, TLS would use the certificate that was installed. Technically, it would not matter if the machine were part of the domain, so long as it had the certificate. The odds on getting the certificate while not being part of the domain is another story.....Now if you were doing PEAP with machine authentication, you could tell it to check that the machine is part of the domain or not.

@George IIRC adn I may not, when you do machine auth it looks at the GUID of the device that is in AD.

The VPN cert can be used for the TLS, just a matter of what/who it's issued to, the machine or the indivdual user.

Steve

Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 20:51:46 GMT

I have to say, the term "machine authentication", can mean a few different things.

Deploying a secure internal wireless network

George Stefanick — Mon, 09 Apr 2012 20:55:05 GMT

@ Steve -- Is there a good document that talks about that specifically .. I am a little rusty on that subject and need to sharpen up ...

Deploying a secure internal wireless network

rajarora4 — Tue, 10 Apr 2012 19:47:28 GMT

@Stephen, I have a question about PEAP and your statement

"Actually the user shouldn't need to input credentials beyond the windows login screen. If you use the WZC, and most supplicants, when you login to the machine with domain credentials, they will be transmitted across the wireless for the user login. That being said, if there is an issue, they could get prompted. "

Are the user creds sent encrypted or are they sent clear text?

Thanks!

Deploying a secure internal wireless network

George Stefanick — Tue, 10 Apr 2012 19:56:12 GMT

Raj,

If you use PEAP and WZC as your wireless supplicant, windows sends the inner identity as the outer identity, which is sent in the clear text.

So if your AD was say ADRAJ password ABC123.

If someone sniffed the network you would see ADRAJ in the clear. Other supplicants, like Intel for example, you can send a bogus outer id.

Deploying a secure internal wireless network

rajarora4 — Tue, 10 Apr 2012 20:00:14 GMT

Thanks for the reply George. So how can I send the creds in encrypted format, Do I select privacy or is there another way?