Home > Articles > Home & Office Computing > Microsoft Windows Desktop

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend

Security Considerations

The IEEE 802.1X authentication standard ensures that only authenticated users or devices are permitted on a wireless network. It also ensures the security of data. The default authentication method for 802.1X-authenticated wireless connections is EAP-Transport Layer Security (TLS) in Windows Server 2003 and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAP v2) in Windows Longhorn Server and Windows Vista.

EAP-TLS requires a public key infrastructure (PKI) to manage and issue computer certificates. Although EAP-TLS is a highly secure authentication method, Microsoft realized that most companies don’t want to deal with the complexities of computer certificates. They would rather use their existing Active Directory authentication method, which relies on an account and a password. Therefore, starting with Windows Vista and Longhorn Server, Microsoft has changed the default EAP authentication method for wireless connections to EAP-MSCHAP v2, because this authentication method only requires computer certificates on the RADUIS servers.

As I stated earlier, whether you use EAP-TLS or EAP-MSCHAP v2 method for authentication, you have to deal with the certificates. The only question is which Certificate Authority (CA) issued the certificates for your RADIUS server. You can use a PKI solution from a third party, such as a commercial solution from Thawte, or deploy your own PKI infrastructure using certificate services and Active Directory.

If you’re using a commercial certificate, most likely the root CA certificate for the RADIUS server’s computer is already installed on the wireless client. In this scenario, the client already has the computer certificate for the RADIUS server, so it doesn’t really matter whether the client has joined the Active Directory domain; the client easily will be able to authenticate with the RADIUS server. However, if you’re using your own private certificate server, the wireless client that hasn’t yet joined the domain won’t have the computer certificate for the RADIUS server, and therefore won’t be able to validate the RADIUS server’s computer certificate. Once the client successfully joins the domain, the root CA certificate of the RADIUS server’s computer will be installed automatically on the wireless client.

Manual Method

As mentioned earlier, end users can use a couple of methods to establish a secure wireless connection and then join their wireless clients to the domain: They can do it manually, or with an XML file. To configure a bootstrap wireless profile manually, you can use the following procedure:

  1. Log onto the network, using a local account. At this point, you haven’t joined the Active Directory domain, so you can’t use your domain account.
  2. Use the procedure described in the "Bootstrap Wireless Profile" section to configure your bootstrap wireless profile.
  3. When prompted, provide the domain account and password to connect to the wireless network.
  4. Now that you’ve established a connection to the network, go to Control Panel, open System, and click Advanced system settings. When prompted by User Account Control, click Continue, or provide credentials as necessary.
  5. Click the Computer Name tab.
  6. Click Change.
  7. Click the Domain button and enter the name of the domain that you want to join (for example, SeattlePro.com), as shown in Figure 3.
    Figure 3

    Figure 3 Joining Windows Vista client to the domain.

  8. Click OK and then provide your domain name and the password that will allow you to join the domain.
  9. Restart your computer to complete the process.

XML File Method

Another method for a user to join the domain is to configure a bootstrap wireless profile for the wireless client by utilizing an XML file and script provided by the network administrator. Similar to that of the manual method, the goal of this method is to establish a network connection and then join the wireless client to the domain.

The administrator can configure another Windows Vista computer with a bootstrap wireless profile that uses EAP-MSCHAP v2, while ensuring that the validation of the RADIUS server certificate has been disabled (refer to Figure 2). The profile can be extracted to an XML file by using a netsh wlan command similar to the following:

netsh wlan export profile name=xml_profile_name folder=profile_location interface=connection_name

where xml_profile_name is the name of the bootstrap wireless profile, profile_location is the path to which you want the file copied, and connection_name is the name of the wireless connection that you want to use. (Use quotes if the names contain spaces.)

Here’s an example:

netsh wlan export profile name=SeattlePro folder=c:\profiles

When you use this command, the exported profile will be called interface name-profile name.xml, such as Wireless Network Connection-SeattlePro.xml. This is just one example; you can customize the netsh wlan command if you want. Type help within the netsh prompt for more options.

The administrator can also create a script file containing a netsh command similar to the following:

netsh wlan add profile filename=xml_profile_name interface=connection_name

where xml_profile_name is the name of the bootstrap wireless profile and connection_name is the name of the wireless connection to use.

For our example, we’ll use the following command for the script:

netsh wlan add profile filename="Wireless Network Connection-SeattlePro.xml" interface="wireless network connection"

The administrator can provide the user with both the script and the extracted XML file that contains the bootstrap wireless profile.

The user can use the following method to join the domain:

  1. Obtain the XML file and the script from the administrator.
  2. Log onto the computer locally. At this point, you haven’t joined the Active Directory domain, so you can’t use your domain account.
  3. Run the script to add the bootstrap wireless profile to your computer.
  4. When prompted, provide the domain account and password to connect to the wireless network.
  5. Now that you’ve established a connection to the network, go to Control Panel, open System, and click Advanced system settings. When prompted by User Account Control, click Continue, or provide credentials as necessary.
  6. Click the Computer Name tab.
  7. Click Change.
  8. Click the Domain button and enter the name of the domain that you want to join (for example, SeattlePro.com).
  9. Click OK and then provide your domain name and the password that will allow you to join the domain.
  10. Restart your computer to complete the process.

In addition to the methods described above, as a network administrator or member of the Help Desk staff you can also join wireless clients to the domain on the client’s behalf and configure what’s known as a single sign-on (SSO) bootstrap wireless profile. You can join the user’s computer to the domain before handing the computer over to the user by using a wired Ethernet connection. You can either use group policies or the netsh wlan options to configure SSO profiles on wireless clients. You should configure the bootstrap wireless profile that uses PEAP-MSCHAP v2, while ensuring that the validation of the RADIUS server certificate has been disabled (refer to Figure 2). You should also ensure that SSO is enabled.

  • + Share This
  • 🔖 Save To Your Account