We use Windows XP workstations in an Active Directory (AD) domain. We'd like to go wireless but are aware of the security problems with Wired Equivalent Privacy (WEP). What are our options for securing a wireless network and integrating it with Windows security?
Assuming your wireless Access Points (APs) support 802.1x authentication, you can use a Windows Server 2003 server to integrate your wireless network's security with your Windows environment. Windows 2003 supports 802.1x clients through Internet Authentication Service (IAS), the OS's built-in Remote Authentication Dial-In User Service (RADIUS) server. The 802.1x protocol not only provides secure authentication and access control for your wireless network but also addresses WEP's encryption-key weaknesses.
Windows 2003's IAS server provides the necessary technology to link your wireless AP to your AD domain. You can then control access to your wireless network by using either a user account name and password or computer certificates. Before implementing either option, you must configure your wireless AP (usually through a Web browser) to use 802.1x and to function as a RADIUS client of your IAS server.
The first option lets you control access based on your users' existing AD domain accounts. When a user comes within range of your wireless APs, his or her workstation uses the domain credentials the user entered when logging on to the workstation to automatically authenticate to the wireless AP. The AP passes the credentials to the Windows 2003 RADIUS server, which checks them against a domain controller (DC) in the domain. If rogue users come within range of your AP and try to connect to your wireless network, they fail unless they can guess the password of one of your domain user accounts.
For stronger security, you can opt to use computer certificates. To take this approach, you need to configure your IAS server so that it requires every wireless client to authenticate by using the private key of a certificate that's signed by a specified Certification Authority (CA). This option requires you to deploy a CA on a Windows 2003 or Windows 2000 server, then deploy computer certificates to each wireless client workstation. After you do so, no one can access your network without a valid certificate and private key.
As you can see, using certificates requires more work than using domain credentials—you must configure each wireless client to trust your CA, and you must enroll each client that needs a computer certificate with your CA. You can use Group Policy to automatically perform these certificate-related tasks, but you need to initially connect each new client to your network through a wired connection so that Group Policy can process the client.
Windows support for 802.1x authentication provides some great options for securing your wireless network by leveraging the Windows and AD infrastructures you've already built. Just make sure that your wireless APs support 802.1x. For help in setting up a secure wireless network, download the Microsoft white paper "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5.
