Control Wireless Network Access and Protect Wireless Transmissions
Applies To: Windows Server 2008, Windows Server 2008 R2
Although wireless LAN technologies provide numerous benefits, they introduce security issues that do not exist for wired networks. Unlike the closed cabling system of an Ethernet network, that can be physically secured, wireless computers send and receive data as radio transmissions that travel beyond the physical confines of your office. Any wireless-equipped computer within range of the wireless network can receive wireless transmissions and send its own. Without protecting your wireless network, malicious users can use your wireless network to access your private information or launch attacks against your computers or other computers across the Internet.
To protect your wireless network, you must use authentication and encryption, as described as follows:
Authentication requires that computers provide either valid account credentials (such as a user name and password) or proof that they have been configured with a specific digital certificate before being allowed to send or receive transmissions over the wireless network. Authentication prevents malicious users from being able to join your wireless network.
Encryption requires that the content of all wireless transmissions be encrypted so that only the receiver can interpret its contents. Encryption prevents malicious users from capturing wireless transmissions sent on your wireless network, in order to obtain sensitive data. Encryption also helps prevent malicious users from accessing your private network resources or the Internet.
For more information, see PEAP-MS-CHAP v2-based Authenticated Wireless Access Design and EAP-TLS-based Authenticated Wireless Access Design.
To illustrate, Example Company (Example.com) currently allows user with mobile computers to set up ad hoc wireless networks for peer-to-peer file sharing. To respond to growing concerns that a malicious user might capture data that their employees send over ad hoc wireless networks, Example Company has determined that they need a wireless network solution that prevents unwanted peer-to-peer networks and strong encryption to provide security for their wireless data transmissions.
The following features and components are required to encrypt wireless transmissions and authenticate wireless users:
One or more 802.1X-capable 802.11 wireless access points (APs). This scenario requires that you purchase and deploy one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.
Wi-Fi Protected Access version 2(WPA2)-Enterprise edition or WPA-Enterprise edition with Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) to provide strong network encryption.
Active Directory Domain Services (AD DS). AD DS contains the user accounts, computer accounts, and account properties.
Group Policy Management. This design uses the Wireless Network (IEEE 802.11) Policies in Group Policy Management extension to configure the Extensible Authentication Protocol (EAP) and WPA settings on wireless client computers that are necessary to protect the network from unwanted wireless access, and to prevent the interception of wireless transmissions.
One or more servers running Network Policy Server (NPS). When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.
Server certificates for computers running NPS, and one of the following:
Wireless client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the network by using wireless client computers running either Windows Vista or Windows XP with Service Pack 2 (SP2) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.