show ip interface brief

Linksys Cisco wireless access point and adapter(2) – Security

06 Tuesday Mar 2012

Posted by Jia Jing in Cisco, Windows

Tags

access point, authentication, cisco, linksys, psk, radius, wep, wireless, wireless adapter, wpa, wpa2

Previously, I did a basic configuration to connect a client wirelessly to the network using a Cisco access point.

Now, I’ll be trying out the various authentication methods, and I’ll use a Windows Server 2008 R2 to hand out the IP addresses via DHCP.

Below is the topology of my network.


Wired Equivalent Privacy (WEP)

WEP is the weakest of the available methods for securing a wireless connection; it has been demonstrated to be insecure compared with newer standards such as WPA.

To set up WEP on the access point, go to the Wireless tab, then the Wireless Security sub tab, and select WEP for the Security Mode. Select 104 / 128-bit for stronger encryption. Enter the Passphrase; I’ll be using Fishcake for mine. The passphrase is used to generate the keys that clients will use to connect to the AP. Click Generate and then Save Settings.

Input the generated key into the Security key prompt.


Wifi Protected Access/2 (WPA/WPA2)

WPA was defined in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy). WPA provides.

WPA2 was then introduced in 2004 to provide an even more secure and complex solution.

Setting up WPA or WPA2 is very similar. First, go to the Wireless tab, then the Wireless Security sub tab, and select PSK Personal/PSK Personal 2 for the Security Mode.

Select the encryption method; I’m going to use TKIP or AES.

Insert the desired Pre-shared Key; I’ll be using Fishcake as my PSK. The pre-shared key will have to be entered on the client later on for the authentication.

For key renewal, I’m going to leave it at the default (3600 seconds).

On the client PC, click on the network icon on the task bar and connect to the AP. The prompt for the PSK should pop up. Enter the PSK that we’ve configured on the AP, Fishcake in my case.


RADIUS

To configure your AP to do RADIUS authentication for the wireless clients, go to the Wireless tab then go to the Wireless Security sub tab and select WPA Enterprise for the Security Mode.

Select TKIP for the encryption method.

Enter the IP address of the RADIUS server and the shared key. Leave the RADIUS port and Key Renewal at their defaults.

Go to the RADIUS server and create a RADIUS client. Enter the Friendly name and the IP address of the wireless AP. For the Shared Secret, enter the same shared key that you entered on the wireless AP.

Create the network policy using the NPS wizard. Click on NPS (local) on the side bar. Select RADIUS server for 802.1X Wireless or Wired Connections and then click on Configure 802.1X.


Select Secure Wireless Connections and click Next.

Select the RADIUS client that we’ve just created and click Next.

Select Microsoft: Protected EAP (PEAP) and click on Configure. I’ve previously obtained a self-signed certificate from the local Certificate Authority. Select the server certificate and click OK.

Add the user group that will be used to authenticate the wireless connection. Click Next.

Click Next then Finish.

On the client, go to Control Panel and open up Network and Sharing Center. Select Manage wireless networks and click Add.

Select Manually create a network profile.

Enter the SSID into the Network name text box. Select WPA-Enterprise for the Security type and TKIP for the Encryption type.

Untick Connect automatically when this network is in range. This should be ticked after the connection is tested to be working.


Click Next then Change connection settings.

Go to the Security tab and make sure that the Security type and Encryption type are WPA-Enterprise and TKIP.

Select Microsoft: Protected EAP (PEAP) for the authentication method and select Settings.

Make sure that Validate server certificate, Connect to these servers: and the root CA are ticked. The RADIUS server’s FQDN should be entered in the Connect to these servers: text box.

Ensure that Secured password (EAP-MSCHAP v2) is selected and click Configure. Untick Automatically use my Windows Logon name and password. Click OK, then OK.

Untick Remember my credentials for this connection each time I’m logged on.

Click on Advanced settings. Tick Specify authentication mode and select user authentication. Click OK.

Click OK.

Click on the network icon on the task bar and connect to the AP. The prompt for the username and password should pop up. Enter the allowed username and password and it should connect to the wireless AP.

Switch port based authentication dot1x with radius server

24 Friday Feb 2012

Posted by Jia Jing in Cisco, Windows

Tags

aaa, authentication, authorisation, cert authority, certificate, nap, peap, port based, radius, root ca, windows server 2008

This will be set up in an Active Directory domain environment.

Installing the required roles and role services

First of all, install the Network Policy and Access Services and the Active Directory Certificate Services roles onto the Windows Server 2008 R2. Make sure the Network Policy Server, Certification Authority and Certification Authority Web Enrollment role services are installed.

Make your Certificate Service an enterprise root CA.

Preparing the server certificate

After installation, we’ll have to issue ourselves a certificate by browsing to AD CS -> Certificate Templates.

Right click on RAS and IAS Server and select Duplicate Template.

Select Windows Server 2003 Enterprise and click OK.

Rename the certificate template to whatever you want and tick Publish certificate in Active Directory. Go to the Request Handling tab and tick Allow private key to be exported. Go to Subject Name tab and select Supply in the request. Go to the Security tab and make sure that Administrator or whatever user/user group that you’re going to use later to apply for the certificate has the permission to enroll.

Click OK.

Right click on AD CS -> SERVER-CA -> Certificate Templates and select New -> Certificate Template to Issue. Select your newly created certificate template and click OK.


Web enrollment

Open Internet Explorer, add http://YOURIPADDRESS/certsrv to your list of intranet sites, and set the security settings to low.

Browse to http://YOURIPADDRESS/certsrv and click on Request a certificate. Select Advanced certificate request, then Create and submit a request to this CA. Select the certificate template that we’ve just created and use the server’s computer name for the name of the certificate. Tick Mark keys as exportable and click Submit.

On the next page, click on Install this certificate.

After installing the certificate, we’ll have to move it into the correct directory. Go to run and open up mmc. Go to File -> Add/Remove Snap-in and add the Certificates for both Current User and Local Computer. Cut and paste the installed certificate from Certificate – Current User -> Personal -> Certificates to Certificates (Local Computer) -> Personal -> Certificates.


Setting up the radius client

Expand Network Policy and Access Services from Server Manager.

Browse to NPS (Local) -> RADIUS Clients. Right click and select New.

You can use whatever name you want to identify your switch, but I’m going to use Cisco. Enter the VLAN interface’s IP address into the Address box and click Verify. Enter your shared secret, which will be used later on the switch, into the bottom two boxes; I’m going to use cisco.

Click OK.

Creating the network access policy

Click on NPS (Local). Choose RADIUS server for 802.1X Wireless or Wired Connections for the drop down box and click Configure 802.1X.

Select Secure Wired (Ethernet Connections) and click Next.

Select the RADIUS client that we’ve created just now and click Next.

Select Microsoft: Protected EAP (PEAP) from the drop down box and click Configure. Select the certificate that we’ve created and installed just now and make sure that the EAP Types is Secured password (EAP-MSCHAP v2). Leave everything else as default. Click OK then Next.

Add the user groups that you want to use for the authentication and click Next.

We don’t have to configure traffic controls, so press Next then Finish.

That’s all we have to do for the Windows Server.

Cisco switch configuration

We’ll now move on to the Cisco switch. You should already have your VLANs configured.

These are the commands that we need to configure the switch to do port based dot1x authentication.

conf t
  ! Enable AAA and send dot1x authentication requests to the RADIUS server
  aaa new-model
  ! The key must match the shared secret entered for the RADIUS client in NPS
  radius-server host 195.10.20.3 auth-port 1645 acct-port 1646 key cisco
  aaa authentication dot1x default group radius
  ! Globally enable 802.1X port-based authentication on the switch
  dot1x system-auth-control

  ! Require 802.1X authentication on the port the client is plugged into
  int f0/4
     dot1x port-control auto
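The shared secret (cisco in this post, and the shared key typed into the AP in the wireless post) is what both ends use to authenticate RADIUS packets: the NAS proves it with the Message-Authenticator on its Access-Request, and the server proves it with the Response Authenticator on its reply, so a mismatch makes authentication fail. As an added example that is not part of this post, the following standard-library Python encodes and verifies both; the username and the NAS address 192.0.2.10 are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80

def _attr(atype, value):
    """RADIUS attribute TLV: type, length (incl. this 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret, ident, username, nas_ip, request_authenticator):
    """Access-Request with a Message-Authenticator (RFC 3579), mandatory for
    EAP over RADIUS: HMAC-MD5 keyed with the shared secret over the whole
    packet, computed with the attribute's 16 value bytes set to zero."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    header += request_authenticator  # 16 random bytes chosen by the NAS
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Server-side check; a NAS configured with a different key fails here."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # EAP requests must carry the attribute; missing is a failure

def build_reply(secret, code, ident, request_authenticator, attrs=b""):
    """Response Authenticator (RFC 2865): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(secret, request_authenticator, reply):
    """NAS-side check: ignore Accept/Reject packets not bound to our request and secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

The EAP payload itself (the PEAP tunnel carrying MSCHAPv2) rides in EAP-Message attributes that this example omits; the two authenticators shown are what bind any such request and reply to the shared secret.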


Windows client web enrollment

For the client, we’ll have to install the CA cert so that the client can verify the authenticity of the server’s cert. Go to Internet Explorer and browse to http://IPADDRESS/certsrv. Select Download a CA certificate, certificate chain, or CRL and then Download CA certificate. Once downloaded, browse to the file location and install it onto your computer.

Like before, when we moved the installed certs, open mmc and add the required Certificates snap-ins. Move the CA certificate from Current User -> Intermediate Certification Authorities to Local Computer -> Trusted Root Certification Authorities.

Setting up the authentication parameters

After installing the trusted CA cert, open the properties of your network adapter. Go to the Authentication tab and tick Enable IEEE 802.1X authentication. Select PEAP for the authentication method and click Settings.

Tick validate server certificate and select the root CA certificate that we’ve added.

Ensure that EAP-MSCHAP v2 is selected for the authentication method and fast reconnect is ticked. Click on configure and make sure that Automatically use my Windows logon name and password is unticked. Click OK.

Click on Advanced settings. Tick Specify authentication mode and select User authentication. Leave the rest unticked. Click OK, then OK.

Disable and re-enable the network adapter, and the prompt for the authentication information should pop up.
