  1. #1
    cmpwat

    Securing Wireless

    Afternoon all

    I have run into a problem when a Y11 has managed to get hold of the WPA2 key for the Wireless Network (not my choice, I inherited it!). This has meant that I am having to look at something more secure.

    So, I have installed NPS on a W2K8r2 Server, with AD Certificate Services, created the access policy to use a certificate and AD Username and Password, tested on my laptop (connected to the domain) and iPad and both connected and are authenticated.

    Now comes the issue, we use laptops and netbooks as 'dumb' terminals to connect to our XenDesktop solution. These devices are not connected to the domain, just connect to the network. This means that the Wireless cards cannot authenticate to the certificate server as it is not trusted.

    The question is this, if I purchase a certificate from a trusted company (godaddy, symantec etc.) will this allow the devices to connect if I put the same cert in to NPS? Or will I have issues with using AD usernames and passwords as the devices are not on the domain?

    Finally, does anyone else have any other ideas as to how to secure these devices to the wireless? I was thinking of using MAC Authentication as well as WPA2 but concerned about spoofing.

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,229
    Thank Post
    894
    Thanked 1,780 Times in 1,534 Posts
    Blog Entries
    12
    Rep Power
    462
    MAC Authentication is pointless. With the right software people can see the mac addresses of wireless devices and spoof them. I wouldn’t bother with that to be honest

  3. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,266
    Thank Post
    242
    Thanked 1,575 Times in 1,254 Posts
    Rep Power
    341
    Why is it a security issue if someone has the WPA2 key? Providing everything else is locked down using NTFS permissions, there's nothing to worry about.

    As for the other devices you can deploy a new SSID along with a new key using the netsh wlan command (search this forum). This'll work on Windows Vista and later only and not on XP.

  4. #4
    cmpwat
    Quote Originally Posted by Michael View Post
    Why is it a security issue if someone has the WPA2 key? Providing everything else is locked down using NTFS permissions, there's nothing to worry about.

    As for the other devices you can deploy a new SSID along with a new key using the netsh wlan command (search this forum). This'll work on Windows Vista and later only and not on XP.
    The issue is that whilst the rest of the network is secure as I have had it tested, I do not want to have students connecting to the wireless network with phones and iPods.

    Will the netsh wlan work when the devices do not log on to the domain? I know it will work with ones that do, but the devices we use are standalone.

    Finally, I do not want to just use WPA2 as it is not very secure.

  5. #5

    Join Date
    Dec 2009
    Location
    Woking
    Posts
    97
    Thank Post
    0
    Thanked 17 Times in 17 Posts
    Rep Power
    12
    What OS do your "dumb" terminals run? Do they support 802.1x authentication?

    The only ways to secure an 802.1x network for corporate assets only are to deploy PEAP with Machine Authentication (requires everything to be in the domain) - otherwise anyone with a valid AD account will be able to connect (server certificate validation is an optional component)
    Or deploy a full EAP-TLS mutual authentication with certificates

  6. #6

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,644
    Thank Post
    49
    Thanked 467 Times in 339 Posts
    Rep Power
    141
    Quote Originally Posted by cmpwat View Post
    Finally, I do not want to just use WPA2 as it is not very secure.
    WPA2 (along with WEP and WPA for that matter) is meant to be used to encrypt the data. It is not nor was it intended to be used as a method of securing access to your networks, only to prevent the data from being read as it traverses the airwaves.

    Any smart 12 year old will compromise your WPA key by reading it off of the label on your router, unmasking the pass phrase dialog box or just looking over your shoulder.
    @paulfinlay has already described the correct procedure.
    You can use a valid public 3rd party SSL cert and a valid Domain Account or Guest User Account in the Domain that your NPS can use to authenticate the clients.
    You could use MAC Addresses as users via NPS so known MAC addresses are automatically authenticated and a specific policy applied to them.
    Yes, MAC addresses can be spoofed but the chances of that happening at a mobile device level is less likely than your WPA key being leaked.

  7. #7
    cmpwat
    Quote Originally Posted by m25man View Post
    WPA2 (along with WEP and WPA for that matter) is meant to be used to encrypt the data. It is not nor was it intended to be used as a method of securing access to your networks, only to prevent the data from being read as it traverses the airwaves.

    Any smart 12 year old will compromise your WPA key by reading it off of the label on your router, unmasking the pass phrase dialog box or just looking over your shoulder.
    @paulfinlay has already described the correct procedure.
    You can use a valid public 3rd party SSL cert and a valid Domain Account or Guest User Account in the Domain that your NPS can use to authenticate the clients.
    You could use MAC Addresses as users via NPS so known MAC addresses are automatically authenticated and a specific policy applied to them.
    Yes, MAC addresses can be spoofed but the chances of that happening at a mobile device level is less likely than your WPA key being leaked.
    Yes, a 12 year old may read it off the label but it won't work as:

    A) the APs are attached to the ceiling
    B) I put a strong pass phrase into the SSID
    c) there is no label on the APs

    So not sure what you meant by that comment. Thanks also for the insight into WPA2 as I will sleep easier knowing I have been corrected.

    My OP was not for people to pick holes in my knowledge or my ability to explain properly, more to try and gain some help from other experts as to the best possible way of securing my WLAN. Having had experience of installing a WLAN with machine certificate on the server, PC and PKI smart card, I was merely asking for advice with regards to devices that have not been joined to the domain.

  8. #8
    cmpwat
    Quote Originally Posted by paulfinlay View Post
    What OS do your "dumb" terminals run? Do they support 802.1x authentication?

    The only ways to secure an 802.1x network for corporate assets only are to deploy PEAP with Machine Authentication (requires everything to be in the domain) - otherwise anyone with a valid AD account will be able to connect (server certificate validation is an optional component)
    Or deploy a full EAP-TLS mutual authentication with certificates
    The dumb terminals run Windows 7 as a base, but the problem we had was when a student signed in, it was pulling the full profile down, hence why they are not joined to the domain.

  9. #9
    Quote Originally Posted by cmpwat View Post
    The dumb terminals run Windows 7 as a base, but the problem we had was when a student signed in, it was pulling the full profile down, hence why they are not joined to the domain.
    You can still have a domain logon and force a local user profile via GPO. You can also (via loopback) say "hey, if this end-user is logging into the dumb terminals OU, don't apply the usual user GPOs". Assuming you've got a sensible AD layout, that's trivial to implement.

  10. #10
    Pottsey
    Quote Originally Posted by Michael View Post
    Why is it a security issue if someone has the WPA2 key? Providing everything else is locked down using NTFS permissions, there's nothing to worry about.

    As for the other devices you can deploy a new SSID along with a new key using the netsh wlan command (search this forum). This'll work on Windows Vista and later only and not on XP.
    There is an issue now that smartphones/tablets and apps are all common. We had a student find out the wireless key via unmasking the pass phrase, add their smartphone then use apps to browse Facebook even though Facebook is blocked in the filters.
    Last edited by Pottsey; 19th December 2012 at 09:44 AM.

  11. #11

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,818
    Thank Post
    110
    Thanked 588 Times in 509 Posts
    Blog Entries
    1
    Rep Power
    226
    Any rooted Android phone can fake its MAC address in about 20s. There are apps on the market to make it idiot proof.

  12. #12

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,266
    Thank Post
    242
    Thanked 1,575 Times in 1,254 Posts
    Rep Power
    341
    Quote Originally Posted by cmpwat View Post
    The issue is that whilst the rest of the network is secure as I have had it tested, I do not want to have students connecting to the wireless network with phones and iPods.

    Will the netsh wlan work when the devices do not log on to the domain? I know it will work with ones that do, but the devices we use are standalone.

    Finally, I do not want to just use WPA2 as it is not very secure.
    It depends if you consider connecting iPods or iPads or other devices a problem. I believe most people want to connect to access the internet, rather than attempt to access data on your domain.

    As for your other standalone workstations - yes netsh wlan is scripted, but I'm guessing you'd have to go round each machine manually or set it as a Startup script for example.

  13. #13

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,266
    Thank Post
    242
    Thanked 1,575 Times in 1,254 Posts
    Rep Power
    341
    Quote Originally Posted by Pottsey View Post
    There is an issue now that smartphones/tablets and apps are all common. We had a student find out the wireless key via unmasking the pass phrase, add their smartphone then use apps to browse Facebook even though Facebook is blocked in the filters.
    I would say it's more so a problem with your filtering solution rather than whether pupils can access your wireless network. If facebook is blocked, it shouldn't make any difference what device is being used to access it.

  14. #14
    Pottsey
    Quote Originally Posted by Michael View Post
    I would say it's more so a problem with your filtering solution rather than whether pupils can access your wireless network. If facebook is blocked, it shouldn't make any difference what device is being used to access it.
    We use Nottscc Netsweeper and although it’s fully blocked from desktop PCs and laptops, Facebook apps on phones have full access even without a proxy.

  15. #15

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,592
    Thank Post
    109
    Thanked 770 Times in 598 Posts
    Rep Power
    183
    Quote Originally Posted by cmpwat View Post
    The dumb terminals run Windows 7 as a base, but the problem we had was when a student signed in, it was pulling the full profile down, hence why they are not joined to the domain.
    You could just import your Root CA's certificate on your laptops to save you needing to purchase the certificate.

    Depending upon how you have things configured, you could also limit access for certain machines to certain places. For instance, you could limit your dumb clients to a VLAN that can only access an Access Gateway so that they only have access to the XenDesktop environment. You could even allow your students to connect this way with their own devices if you have sufficient licensing.

    You could also limit the available bandwidth on a less secure guest SSID so that if people connected to it, it would be unlikely to affect the performance of your more important traffic.
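The following script, added here as an example rather than anything posted in the thread, combines the advice in #3/#12 (push the wireless profile to the standalone laptops with netsh wlan, for instance from a startup script) and #15 (trust the internal root CA instead of buying a public certificate). It assumes the root CA has been exported to SchoolRootCA.cer and a working PEAP profile has been exported from the already-working domain laptop with `netsh wlan export profile`; the folder, file names, SSID and thumbprint are placeholders.

```powershell
# Deployment script for the standalone Windows 7 laptops (added example, not from the thread).
# Assumed inputs in C:\deploy: the internal root CA certificate and the PEAP profile exported
# from the domain laptop with:  netsh wlan export profile name="SchoolWiFi" folder=C:\deploy
$Deploy  = 'C:\deploy'
$CaFile  = Join-Path $Deploy 'SchoolRootCA.cer'
$Profile = Join-Path $Deploy 'SchoolWiFi.xml'
$CaThumb = 'PLACEHOLDER-ROOT-CA-THUMBPRINT'   # read it with: certutil -dump SchoolRootCA.cer

# 1. Trust the internal CA machine-wide so the NPS server certificate chains on a
#    machine that is not domain-joined. Pinning this single CA (rather than a public
#    CA) is what stops any certificate from a public issuer passing as "our" NPS.
& certutil.exe -addstore -f Root $CaFile | Out-Null
$wanted  = $CaThumb -replace '[^0-9A-Fa-f]', ''
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $trusted) { throw "Root CA not found in LocalMachine\Root after import" }

# 2. Refuse to deploy a profile that skips server validation. Without it the
#    supplicant would offer the user's AD credentials to any access point that
#    advertises the same SSID, which is exactly the risk paulfinlay's post warns about.
$xml = Get-Content $Profile | Out-String
$validates = ($xml -match '<PerformServerValidation[^>]*>true</PerformServerValidation>') -and
             ($xml -match '<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>') -and
             ($xml -match '<TrustedRootCA>')
if (-not $validates) {
    throw "$Profile does not enforce server certificate validation; fix it on the domain laptop and re-export"
}

# 3. Install the profile for all local users and connect.
& netsh.exe wlan add profile filename="$Profile" user=all
& netsh.exe wlan connect name="SchoolWiFi"
```

Run it once per laptop as an administrator, or wire it into a local startup script as Michael suggests; the profile keeps prompting for an AD username and password because the laptops have no machine account to authenticate with.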
