[Dshield] Wireless MAC Authentication options.

Hernandez, Moses MHernandez3 at mercymiami.org
Thu Aug 25 16:53:31 GMT 2005

  Thanks for the update on this. The links were very informative in
nature, especially the SANS paper you wrote. From everything we have
tested here between LEAP, PEAP (GTC and MS-CHAP) and also EAP-FAST, we
have chosen PEAP (MS-CHAP) because we did not want to manage the
client-side certificate rollout. We thought it would be better; however,
we are able to solve the Group Policy issue using Computer Authentication,
and we only seem to lose 1-2 pings during the initial login; all of our
GPOs and scripting still work as designed. Although we see the advantage
of a PKI (we have one installed and running to Microsoft / SANS best
practices), we felt that the management of client-side certificates would
require more work, and at a labor cost higher than just having to use
user- and computer-based authentication. GPOs still work, the client is
hot on the wireless without having logged in, and we are still able to
control, through groups, who is able to get onto our wireless.

  While PEAP GTC did come out first and is a more secure method of
authentication, we have maintained full control over who is on our wire.
Basically, in our scenario we decided that any laptop or PC could float
between the wired and wireless side of the connection. So in our group
mappings we decided to map "Domain Computers" to the Wireless Group
inside of our RADIUS server. Additionally we created a Wireless Group,
and only users inside of this group have access to the wireless network.
In practice the computer account is only used before login, and only
because you want to apply all of the computer policies and ensure that a
new user logging into that machine for the first time (say a desktop
technician for IS) will be able to without necessarily having done this
through the wired LAN. Lastly, the machine will re-authenticate with a
user's profile after he submits his credentials, so it does
re-authenticate on the MS-CHAP-v2 side. The difference I see is that you
still have to deal with "weak" passwords, which makes the "certificate" a
tad bit more secure. If you can augment your "weak" password issue with
a One-Time-Password or some other method, then I think MS-CHAP-V2 for
large organizations is the way to go. Over here it's rather small, at
about 170 APs with about 300 users.

Additionally, the other reason we did it was because 802.1x is going to
be (and is) an enterprise-wide deployment strategy that we wanted to
manage more easily. So just like the guide I am including the link for,
we decided to implement this because the Risk / Cost Ratio was


As always, I am very interested in hearing how others do it, though,
because I am always looking for better ways to do everything.

Moses Hernandez, CISSP, CCNP, CCSA
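The two-stage authorization Moses describes (machine account mapped to the wireless group so the box is on the network before logon, then a user re-authentication after logon that only succeeds for members of a dedicated wireless group) can be modelled as a small policy engine. The following is an added example, not code from the thread or from any RADIUS product: the directory contents, group names and the "host/<fqdn>" vs "DOMAIN\user" identity formats are constructed assumptions standing in for what an NPS or FreeRADIUS policy would evaluate.

```python
"""Model of a two-stage 802.1X authorization policy (added example).

Hypothetical directory and group names; the policy engine is a stand-in
for a RADIUS server, not real NPS or FreeRADIUS code. Identity formats
follow the Windows convention that a machine account authenticates as
"host/<fqdn>" and a user as "DOMAIN\\user".
"""

# Constructed directory data: account -> set of group memberships.
DIRECTORY = {
    "host/lt-01.example.corp": {"Domain Computers"},
    "host/lt-02.example.corp": {"Domain Computers"},
    "CORP\\alice": {"Domain Users", "Wireless Users"},
    "CORP\\bob": {"Domain Users"},  # domain user, but not wireless-enabled
    "CORP\\tech1": {"Domain Users", "Wireless Users", "Desktop Techs"},
}

MACHINE_GROUP = "Domain Computers"   # every domain-joined box may associate
USER_GROUP = "Wireless Users"        # only these users may stay on after logon
ALLOWED_EAP = {"PEAP-MSCHAPv2"}      # the single inner method the policy permits


def account_kind(identity):
    """Classify the EAP identity as a machine or user account."""
    if identity.startswith("host/"):
        return "machine"
    if "\\" in identity:
        return "user"
    raise ValueError("unrecognised identity format: %r" % identity)


def authorize(identity, eap_method):
    """One RADIUS network policy: returns (accept, reason).

    Machines must be members of MACHINE_GROUP, users of USER_GROUP, and
    the EAP method must be one the policy allows.
    """
    if eap_method not in ALLOWED_EAP:
        return False, "eap-method-not-allowed"
    groups = DIRECTORY.get(identity)
    if groups is None:
        return False, "unknown-account"
    kind = account_kind(identity)
    required = MACHINE_GROUP if kind == "machine" else USER_GROUP
    if required in groups:
        return True, "%s-in-group" % kind
    return False, "%s-not-in-group" % kind


def session(machine, user, eap_method="PEAP-MSCHAPv2"):
    """Simulate boot -> machine auth -> computer GPO -> logon -> user re-auth.

    Returns the list of (event, identity, accepted, reason) tuples. A
    machine reject means no link and therefore no computer GPO; a user
    reject at logon is modelled as the supplicant losing its association,
    which is the failure mode to watch for when a user outside the
    wireless group logs on to an otherwise-authorized laptop.
    """
    events = []
    ok, why = authorize(machine, eap_method)
    events.append(("boot-machine-auth", machine, ok, why))
    if not ok:
        return events
    events.append(("computer-gpo-applied", machine, True, "pre-logon"))
    if user is not None:
        ok, why = authorize(user, eap_method)
        events.append(("logon-user-reauth", user, ok, why))
        if not ok:
            events.append(("association-dropped", user, False, why))
    return events


if __name__ == "__main__":
    for m, u in [("host/lt-01.example.corp", "CORP\\alice"),
                 ("host/lt-01.example.corp", "CORP\\bob"),
                 ("host/rogue.example.corp", "CORP\\alice")]:
        for ev in session(m, u):
            print(ev)
        print("--")
```

The point the model makes concrete is that the machine-stage accept buys nothing for an unauthorized user: the laptop gets its computer policies, but the user's own re-authentication is what decides whether the session survives logon, and it is gated on the dedicated group rather than on "Domain Users".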

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of John B. Holmblad
Sent: Thursday, August 25, 2005 11:19 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Wireless MAC Authentication options.


In a Microsoft environment you CAN, if you choose, support certificate-
based authentication of the client as well. I have tested this out and
it does work. This is useful because it is possible to configure the
client (in a Microsoft network) to authenticate to the AP when the
system is powered up, so that the computer can authenticate to the AD
domain controller and computer-based (as opposed to user-based) AD/Group
Policy profiles can be downloaded even before a user logs on. In fact,
in such a scenario it is also possible to have a re-authentication to
the AP occur once the user does log on. That way the sysadmin can make
sure that not only is the computer allowed to enter the network via the
wireless AP but also that the specific user is permitted to do so.
Clearly MS-CHAP-V2 is easier for the sysadmin to set up, especially in a
Windows Workgroup network that does not have a server configured with,
say, Certificate Services, to easily create and issue computer
certificates for the clients or, alternatively, have such client
certificates requested by the clients.

Here is the URL to the results of my research on this:


and there is plenty of info available from the Microsoft www site on how
to set up certificate-based authentication in an 802.11 wireless
environment. Microsoft Press also has a text, "Windows 2003 PKI
Certificate Security", that has a section pertaining to wireless.

Best Regards,

John Holmblad

Televerage International

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net
