Securing Wireless Network w/ certificates and no user intervention?

Discussion in 'Wireless Networking' started by jsoupene, Feb 17, 2005.

  1. jsoupene

    jsoupene Guest

    I would like to setup a secure wireless network for about 300 users
    across a high school campus, for the teachers only. The kids have
    their own separate network. We do not have Active Directory
    implemented. I also want to accomplish this goal without utilizing
    WEP w/ manual key. We would like very little user involvement in this
    deployment. I realize that if we had AD then we could use WPA w/ a
    Radius server or the users' Win2k3 login credentials to authenticate them
    to the WLAN, but we don't have AD. My ideal solution would be to have
    some way of e-mailing or distributing a certificate to the authorized
    user. It would be nice to package the certificate, so all they had to
    do was double click on it and it would then automatically install
    itself and then that would give them access to the WLAN. We also
    do not want to use a RADIUS server so we don't have to manage

    I would greatly appreciate any thoughts, suggestions or solutions.

    jsoupene, Feb 17, 2005

  2. Mark Gamache

    Mark Gamache Guest

    I've done this by building single server implementations. You can use
    freeRADIUS and openSSL on linux, if you are willing to mess around a bit
    with it. There are plenty of HOW-TO articles on it.

    I prefer a single server MS solution. You can create a CA and IAS server on
    a workgroup server and use local accounts. Even better, make it your first
    AD server even if it's not used for other AD purposes. You'll get a little
    more functionality out of that. It will allow you to create an enterprise
    CA instead of standalone.

    Provisioning the certs may require a bit of planning. You can generate
    certs for each instructor and export them to PFX (P12) files. They will just
    need to double click the cert and enter the password that it is protected

    The teachers will have to create the WPA wireless profile manually, but that
    is pretty easy.

    This of course doesn't allow for an offline root CA and machine
    authentication, but it will get you started. This is by no means the best
    way to approach WPA-RADIUS, but it works well based on your constraints.

    Mark Gamache, Feb 17, 2005

  3. SpiritBoy

    SpiritBoy Guest

    Thanks a lot Mark for all of your input. I do not know a whole lot
    about Linux, however I will be interested in trying your MS solution.
    A couple of questions though.

    1. If I did make my server AD, would the workstations have to be a
    member of the domain to authenticate?

    2. What is the difference between an Enterprise CA and standalone?

    3. What exactly do you mean by "This of course doesn't allow for an
    offline root CA and machine

    4. Do you have any good links for the setup and configuration of the
    IAS and CA server? I will be utilizing Win2k3

    5. Using your suggestions, will the user still have to authenticate each
    time they attach to the WLAN or once they get the certificate
    installed, will that authenticate for them without any more user

    Thanks again for your time and help!

    SpiritBoy, Feb 18, 2005
  4. Mark Gamache

    Mark Gamache Guest

    There are two contexts that authentication can take place in: that of the user
    and that of the computer. Both have domain accounts. If you want the
    computer to have access even when no one is logged in, you will need to
    provision the computers with computer certificates. As long as the
    certificates are tied to valid accounts, it won't matter that the laptops
    aren't actually part of the domain. I often use this. I grant certs with
    very short lifetimes to guests.

    An enterprise CA is integrated with Active Directory. This is very user
    friendly because it automatically associates the certificates with the
    users. A stand alone is totally separate from AD. Nearly everything is
    done manually.

    If you are looking to set up a proper CA (high level of trust and following
    best practices) you should have a root CA that is offline. You issue the
    end user certs from a subCA. Functionally you will not see a difference not
    having the offline root. Just don't get carried away and start using the
    certs for a bunch of other uses. Machine certs are mentioned above. I'm
    not sure if you will be able to acquire them with exportable keys. I'd have
    to double check. Seeing that your laptops are in a workgroup, I see value
    in them only having access when they have a user logged in.

    This link has a ton
    of great how-to

    Once the certificate is installed there will be no user intervention.
    Remember that the certificate is stored in the user's account, so if someone
    needs to borrow a laptop, they need to get their cert on it.

    Mark Gamache, Feb 19, 2005
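    The two posts above describe the pieces of a small EAP-TLS deployment: a
    root CA that stays offline, a sub CA that issues the end-user certs, and a
    password-protected PFX per teacher for double-click import. The script
    below is an added example (not from this thread and not Mark's code) that
    builds exactly that with the OpenSSL command line, which the first reply
    mentions as the Linux option. The school name, CA names, lifetimes, the
    teacher "jdoe" and the password are assumptions for illustration.

```shell
#!/bin/sh
# Added example: two-tier CA (offline root + issuing sub CA), one EAP-TLS
# client cert per teacher, bundled into a password-protected PFX (PKCS#12).
# All names, lifetimes and the sample password below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/pki.cnf"

# Minimal OpenSSL config: a req section so 'openssl req' never prompts, plus
# extension profiles for the root, the issuing sub CA and client-auth leafs.
write_config() {
  cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ eap_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA: self-signed, long-lived; in practice its key lives on a machine
# that is only powered on to sign the sub CA. It never issues user certs.
make_root_ca() {
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$CNF" -key "$WORK/root.key" -days 3650 \
    -subj "/O=Example High School/CN=Campus Offline Root CA" \
    -extensions root_ca -out "$WORK/root.crt"
}

# Issuing sub CA: signed by the root, pathlen:0 so it cannot mint further CAs.
make_sub_ca() {
  openssl genrsa -out "$WORK/sub.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/sub.key" \
    -subj "/O=Example High School/CN=Campus Issuing CA" -out "$WORK/sub.csr"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$CNF" -extensions sub_ca \
    -out "$WORK/sub.crt" 2>/dev/null
}

setup_ca() { write_config; make_root_ca; make_sub_ca; }

# Issue one teacher's EAP-TLS cert (clientAuth EKU) from the sub CA and wrap
# cert + key + issuing CA into a PFX. Prints the PFX path. The root cert is
# distributed separately as a trusted root, not inside the bundle.
issue_teacher_pfx() {
  name="$1"; pass="$2"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/$name.key" \
    -subj "/O=Example High School/OU=Teachers/CN=$name" -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -extfile "$CNF" -extensions eap_client \
    -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/sub.crt" -name "$name" -passout "pass:$pass" -out "$WORK/$name.pfx"
  rm -f "$WORK/$name.key" "$WORK/$name.csr"   # the PFX is the only copy handed out
  echo "$WORK/$name.pfx"
}

# Chain check the way a RADIUS server would see it: leaf -> sub CA -> trusted
# root, and valid for the TLS client purpose (CA flags and EKU included).
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    -purpose sslclient "$1" >/dev/null
}

# Re-open a PFX with its password and print the subject of the user cert.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

setup_ca
PFX=$(issue_teacher_pfx jdoe 'Teacher-Setup-2005')
verify_chain "$WORK/jdoe.crt" && echo "chain OK: $PFX"
pfx_subject "$PFX" 'Teacher-Setup-2005'
```

    The PFX necessarily carries the private key, which is the point Mark
    raises about exportable keys: what limits the damage is the import step,
    where the key should be marked non-exportable in the target store (on
    current Windows, for example, certutil -importpfx accepts a NoExport
    modifier), and the password should travel separately from the file.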
  5. SpiritBoy

    SpiritBoy Guest

    We currently are having the teachers log in with a generic user account
    w/ no password for simplicity. They have the responsibility to make
    sure the laptop is in a secure location with no access by the students.
    How would you suggest setting this up with machine based certificates?
    We are trying not to use any usernames or passwords on the laptops.
    Basically, our ideal situation would be to create some sort of machine
    certificate that we could export from the CA Win2k3 server (w/ no
    Active Directory) and then import somehow on to the laptops.

    Thanks for your time and help

    SpiritBoy, Feb 22, 2005
  6. Mark Gamache

    Mark Gamache Guest

    Actually, I don't think you can use EAP-TLS on a workgroup server. You need
    AD to associate the cert with a user account. Local user accounts don't
    have a store for cert mapping.

    As for the machine certs, that's a tricky one. I'm not sure if you can do
    it easily. Seeing as there are not going to be actual machine accounts, you
    will have to get the certs in some other fashion. You might be able to
    import a user cert into the machine's personal store. certutil can do this,
    but I'm not sure if the 802.1X supplicant will use the cert.

    Additionally, the certs you are looking to use are going to allow the
    private keys to be exported. This is almost always a bad idea, but it's even
    worse when there are no user names and passwords on the computers. You are
    probably forced to support this policy and know how flawed it is, so I'm not
    going to abuse you, but you may want to push the "powers that be" to consider a
    stronger security model.

    Mark Gamache, Feb 22, 2005