Wireless Networking - Securing Wireless Network w/ certificates and no user intervention?

#1
I would like to set up a secure wireless network for about 300 users across a high school campus, for the teachers only. The kids have their own separate network. We do not have Active Directory implemented. I also want to accomplish this goal without utilizing WEP w/ manual key. We would like very little user involvement in this deployment.

I realize that if we had AD then we could use WPA w/ a RADIUS server or the user Win2k3 login credentials to authenticate them to the WLAN, but we don't have AD. My ideal solution would be to have some way of e-mailing or distributing a certificate to the authorized user. It would be nice to package the certificate, so all they had to do was double click on it and it would then automatically install itself and then that would give them access to the WLAN. We also do not want to use a RADIUS server so we don't have to manage usernames/passwords.

I would greatly appreciate any thoughts, suggestions or solutions.

Thanks
Jason
jsoupene@cox.net
#2
I've done this by building single server implementations. You can use freeRADIUS and OpenSSL on Linux, if you are willing to mess around a bit with it. There are plenty of HOW-TO articles on it.

I prefer a single server MS solution. You can create a CA and IAS server on a workgroup server and use local accounts. Even better, make it your first AD server even if it's not used for other AD purposes. You'll get a little more functionality out of that. It will allow you to create an enterprise CA instead of standalone.

Provisioning the certs may require a bit of planning. You can generate certs for each instructor and export them to PFX (P12) files. They will just need to double click the cert and enter the password that it is protected with. The teachers will have to create the WPA wireless profile manually, but that is pretty easy.

This of course doesn't allow for an offline root CA and machine authentication, but it will get you started. This is by no means the best way to approach WPA-RADIUS, but it works well based on your constraints.

Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
#3
Thanks a lot Mark for all of your input. I do not know a whole lot about Linux, however I will be interested in trying your MS solution. A couple of questions though.

1. If I did make my server AD, would the workstations have to be a member of the domain to authenticate?

2. What is the difference between an Enterprise CA and standalone?

3. What exactly do you mean by "This of course doesn't allow for an offline root CA and machine authentication"?

4. Do you have any good links for the setup and configuration of the IAS and CA server? I will be utilizing Win2k3.

5. Using your suggestions, will the user still have to authenticate each time they attach to the WLAN, or once they get the certificate installed, will that authenticate for them without any more user intervention?

Thanks again for your time and help!

Jason
SpiritBoy
#4
There are two contexts that authentication can take place in: that of the user and that of the computer. Both have domain accounts. If you want the computer to have access even when no one is logged in, you will need to provision the computers with computer certificates. As long as the certificates are tied to valid accounts, it won't matter that the laptops aren't actually part of the domain. I often use this. I grant certs with very short lifetimes to guests.

An enterprise CA is integrated with Active Directory. This is very user friendly because it automatically associates the certificates with the users. A standalone is totally separate from AD. Nearly everything is done manually.

If you are looking to set up a proper CA (high level of trust and following best practices) you should have a root CA that is offline. You issue the end user certs from a subCA. Functionally you will not see a difference not having the offline root. Just don't get carried away and start using the certs for a bunch of other uses.

Machine certs are mentioned above. I'm not sure if you will be able to acquire them with exportable keys. I'd have to double check. Seeing that your laptops are in a workgroup, I see value in them only having access when they have a user logged in.

This link http://support.microsoft.com/?scid=winsvr2003howtoguide has a ton of great how-tos. Also
http://www.microsoft.com/windowsserv...s/default.mspx
http://www.microsoft.com/windowsserv...i/default.mspx

Once the certificate is installed there will be no user intervention. Remember that the certificate is stored in the user's account, so if someone needs to borrow a laptop, they need to get their cert on it.

Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
#5
We currently are having the teachers log in with a generic user account w/ no password for simplicity. They have the responsibility to make sure the laptop is in a secure location with no access by the students. How would you suggest setting this up with machine based certificates? We are trying not to use any usernames or passwords on the laptops. Basically, our ideal situation would be to create some sort of machine certificate that we could export from the CA Win2k3 server (w/ no Active Directory) and then import somehow on to the laptops.

Thanks for your time and help
Jason
SpiritBoy
#6
Actually, I don't think you can use EAP-TLS on a workgroup server. You need AD to associate the cert with a user account. Local user accounts don't have a store for cert mapping.

As for the machine certs, that's a tricky one. I'm not sure if you can do it easily. Seeing as there are not going to be actual machine accounts, you will have to get the certs in some other fashion. You might be able to import a user cert into the machine's personal store. certutil can do this, but I'm not sure if the 802.1X supplicant will use the cert.

Additionally, the certs you are looking to use are going to allow the private keys to be exported. This is almost always a bad idea, but it's even worse when there are no user names and passwords on the computers. You are probably forced to support this policy and know how flawed it is, so I'm not going to abuse you, but you may want to push the "powers that be" to consider a stronger security model.

Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com