PEAP-MS-CHAP v2-based Authenticated Wireless Access Design

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2

Many organizations want to supply their network users with wireless access that meets the following goals:

  • Control wireless network access and protect wireless transmissions.

  • Centrally manage wireless client security and connectivity settings.

  • Centrally manage the 802.1X authentication and authorization of wireless access clients.

  • Provide wireless access that uses secure passwords for client authentication.

The authenticated wireless access design based on Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) utilizes the user account credentials (user name and password) stored in Active Directory Domain Services (AD DS) to authenticate wireless access clients instead of using smart cards or user and computer certificates for client authentication.

The following diagram illustrates the core components of an 802.1X authentication infrastructure that uses secure passwords for client authentication.

You can deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated wireless access using Extensible Authentication Protocol (EAP) in conjunction with computers running Network Policy Server (NPS), and 802.1X-capable wireless access points (APs) to provide wireless access with strong security. By using EAP, you can support additional authentication schemes, known as EAP types. EAP, in conjunction with strong EPA types, is a critical technology component for secure 802.1X authenticated wireless connections. These schemes include token cards, user credentials, public key authentication using smart cards, and digital certificates.

PEAP-MS-CHAP v2 an EAP type that is easier to deploy than Extensible Authentication Protocol with Transport Level Security (EAP-TLS) or PEAP-TLS because user authentication is accomplished by using password-base credentials (user name and password) instead of digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate. Successful PEAP-MS-CHAP v2 authentication requires that the client trust the NPS server after examining the server certificate. For the client to trust the NPS server, the certification authority (CA) that issued the server certificate must have its own different certificate in the Trusted Root Certification Authorities certificate store on the client computer. The server certificate used by NPS can be issued by your organization’s private trusted root CA deployed on your network, or by a public CA, such as VeriSign or Thawte, that is already trusted by the client computer.

The following diagram illustrates two alternatives for issuing server certificates to your NPS computers.

Starting infrastructure

The following sections provide brief overviews of the required technologies that must be in place before you can begin deploying wireless access on your network.

Active Directory Domain Services

Active Directory Domain Services (AD DS) is a hierarchical structure that stores information about objects on the network. AD DS provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory Certificate Services (optional)

When you deploy 802.1X authenticated wireless access that uses PEAP-MS-CHAP v2, RADIUS servers must have digital certificates in order to perform mutual authentication. To issue certificates to your NPS servers you have the option of deploying a private CA on your network, or purchasing a server certificate from a third party certification authority.

You can deploy AD CS, which is included in Windows Server 2008, as an enterprise root certification authority (CA) that is also an issuing CA. You can configure AD CS to deploy certificates to NPS servers and domain member client computers.

To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2008 Enterprise or Windows Server 2008 Datacenter operating systems. AD DS must be installed before AD CS is installed.

DNS

Domain Name System (DNS) is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

DHCP

Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your private network.

Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on your local network.

For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

To increase control over DHCP lease times, you can separate IPv4 subnets. By using different subnets for wired and wireless clients, you must configure separate DHCP scopes. Because wireless clients can easily roam from one wireless subnet to another, configure the DHCP scopes for wireless subnets to have a shorter lease duration than for wired subnets. The typical lease duration for a DHCP scope for wired networks is a specified number of days. Because wireless clients do not release their addresses when roaming to a new subnet, shorten the lease duration to several hours for DHCP scopes corresponding to wireless subnets. By setting a shorter lease duration for wireless subnets, the DHCP server automatically makes expired IPv4 addresses available for reuse throughout the day instead of leaving the addresses unavailable for days.

Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.

You must install NPS if to deploy 802.1X wired or wireless access.

NPS server certificates

Authenticated wireless access based on PEAP-MS-CHAP v2 gives you two server certificate options:

  1. Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.

    • Advantages:

      • Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.

      • Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.

    • Disadvantages:

      • This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.

      • Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.

  2. Deploying a private CA on your network by using AD CS.

    • Advantages:

      • AD CS is included with Windows Server 2008.

      • This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.

      • AD CS automatically issues a server certificate to new NPS servers that you add to your network.

      • If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.

    • Disadvantages:

      • Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.

      • It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.

TCP/IP

TCP/IP in Windows Server 2008 is the following:

  • Networking software based on industry-standard networking protocols.

  • A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.

  • Core technologies and tools for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.

  • A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.

  • A robust, scalable, cross-platform, client/server framework.

TCP/IP provides basic TCP/IP tools that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems.

802.1X capable wireless access points

Before configuring the Windows Server 2008 services for your 802.1X authenticated wireless access infrastructure, purchase and install 802.1X capable wireless APs on your network.