Access Denied: Mitigating a Problem with Computer-Only Authentication to a WLAN

I realize that using 802.1x and Wi-Fi Protected Access (WPA) is the best approach for securing a wireless LAN (WLAN). But are there alternative approaches that mitigate the risk of an attacker capturing information sent between legitimate wireless clients or connecting to our network and attacking computers on it?

There are alternatives to 802.1x and WPA. One approach is to set up an internal VPN server and connect it to your wireless Access Points (APs). Then, configure your wireless clients with a VPN connection and train your users to initiate the VPN connection after they obtain a wireless connection to your LAN.

A quicker, more transparent alternative uses the Microsoft Management Console (MMC) IP Security Policies snap-in and a trick with your DHCP addresses. First, reserve a range of IP addresses for your wireless clients and configure your DHCP servers to skip that range. Next, enable your AP's DHCP server feature and configure the AP to dole out addresses from that range. Then, open a Group Policy Object (GPO) that's applied to all your computers, such as the Default Domain Policy GPO. Navigate to Computer Configuration\Windows Settings\Security Settings\IP Security Policies and open the properties of the Secure Server (Require Security) GPO. This default GPO intercepts all traffic and requires it to be encrypted and authenticated via Kerberos using the computer's domain account. Change the GPO's IP filter so that instead of catching all IP traffic, the filter catches only packets to and from IP addresses that are in the range assigned to your wireless clients. Close the GPO, then right-click it and select Assign.

Now, all your computers will reject connections from wireless clients unless the clients can authenticate via Kerberos using the computer's domain account. Computers on the wired LAN will be able to use IP Security (IPSec) to communicate as before. Computers that aren't part of your domain but that try to access one of your servers will fall flat on their face. As an added precaution, consider configuring your switch to block wireless clients that try to use an IP address that's outside the range of addresses you've assigned to your wireless clients.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.