Surely a quick example on http://www.russdev.com/edugeek/doku.php?id=wifisetup isn't too much to ask for ;)
Ric_
That is exactly what I would like to see. Some examples of what admins have already configured and set up and the methods in which they went about it. Possible pitfalls to avoid as problems arose from undocumented issues (how often does this happen?), and things like that.
I am not the greatest technician in the world as I am more or less a newb, but would like to get better and more experienced, learning from other people's experiences as much as possible.
I could be missing something here, but surely if you just use WEP encryption and ensure that only the IT techs have the WEP key, then they are the only people who can join a PC/laptop to the wireless network.
If a pupil/staff member brings in their own laptop, then without the WEP key (and without the rights to join a computer to the domain) the laptop can't connect to your network.
Apart from the fact that there are a number of sniffers out there (one has been mentioned in a previous thread) that can get the WEP key in around 1 1/2 hours ... and then other software that can sniff traffic and get permissions to join a domain in around 8-12 hours.
Each level of security is an additional deterrent ... the same way that locks on your windows, burglar alarms, padlocks and chains, etc. are a deterrent.
A determined person will get in ...
Already mentioned are ACLs ... only allowing certain MAC addresses to have access to your WLAN. This is another level of security but you have to remember that your MAC address can be spoofed with reasonable ease.
We have to remember that there are certain companies and public organisations out there that, for the number of wireless devices you may come across in schools now, actually have a person in their network team dedicated to looking after the wireless side of things.
For a number of years the NSA documents were the standards in securing Windows networks (especially in a multi-platform environment) but even they went external to sort out wireless security (2003: Certicom gained a contract for writing advanced encryption technology. A certain chunk of this is now developed in-house by the NSA at the moment but is still also written by several other groups, including 2 British companies).
@Richie_OLSJ: As Grumbledook says, there are sniffers out there that can easily crack a WEP key with NO technical knowledge. Grumbledook mentions 1 1/2 hours but it can be done much quicker if you do it in a more brutal fashion ;)
Intel has some documentation at http://www.intel.com/cd/ids/develope...700.htm?page=1 that may be of interest to people.
BECTA say WPA2 and RADIUS for wireless
Good luck with WPA2, given that Windows doesn't support it. (Linux does though!) :)
?
http://support.microsoft.com/?id=893357
Quote:
SUMMARY
This article describes the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update. A link to download this update is included. You can install this update on a computer that is running Windows XP with Service Pack 2. The update supports the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. Additionally, after you install the update, Windows XP will display previously hidden Service Set Identifiers (SSIDs) in the Choose A Wireless Network dialog box. This functionality makes it easier for you to connect to public Wi-Fi networks to which you have not previously connected.
Ah, yes, now go try and make it work. :)
We have set up a mini test network for this and have managed to get WPA access using RADIUS (Windows 2003 IAS). I have my colleague writing the step-by-step instructions for this at the moment. I will post it here when he's completed it.
The guide is intended for setting up a wireless network where clients authenticate using RADIUS. The two things we tested were username and password authentication, i.e. PEAP, and certificates, and both worked.
It is recommended to do both user and machine authentication: user authentication to restrict user access, and computer authentication so GPOs and startup scripts run during bootup.
Few things that are required:
- 802.1x supplicant support on the client. Windows XP SP1 and over has this already; for Windows 2000 Pro you can download a hotfix which enables this functionality; Linux, Mac - don't know, never used it
- Access points which support 802.1x ideally with WPA/TKIP or AES
- RADIUS server (Windows Server ships with IAS)
- Certificate Authority (this can be on the same machine as the RADIUS server)
- Some time to test the damn thing
HTH,
Ash.
@Ashok: There's also the WPA2 supplement available for download from MS to enhance your security - this is what I will be using with my Bluesocket setup.
@ashok,
How far off is that guide, mate? I have to implement some wireless stuff and am also looking at what you have already set up.
I could do with the help that your guide will bring me :)
@Hodgehi,
My colleague is still working on the guide at the moment; he's completed the PEAP setup on the client and server and is documenting the certificate authentication at the moment.
The reason why we decided to document both is that the PEAP method is easily the more flexible when it comes to deploying wireless, but certificate-based is more secure.
You may want to start off with using PEAP. I personally think it's secure enough for schools.
I will post the guide here when he's completed it.
Ash.
OK, thanks. Sorry if I sounded a little pushy.
We got this working properly at our place this week. Having never touched the certificate authority stuff in anger before, it took a lot longer than it should, 90% of which was head-scratching time. I am in the middle of writing this up and I'll wikify it as soon as humanly possible.
Our setup:
WS2003 on a DC with IAS and Certificate Authority & a standalone Root Certificate Authority (CA) set up
XPSP2 on the laptops
Linksys WRT54GL with DD-WRT v23 SP1 firmware (I can't express how good these are for under £40 each)
We are using PEAP - the clients trust the server because of its secure certificate; the server trusts the clients because they are domain members (MSCHAPv2 auth). As mentioned earlier, you can limit which computers are allowed in by putting the allowed PCs into a security group.
We push out our Root CA's certificate to the laptops via group policy (connected over a wire) so when they connect they trust the server certificate we push out straight away.
Some comments on the rest of this thread:
Quote:
It is recommended to do both user and machine authentication to restrict user access and also computer authentication so GPO and startup scripts run during the bootup.
If you need to authenticate users as well then yes, but I'm assuming that anyone logging on to one of our laptops with a domain account should be allowed access. If a laptop gets nicked, I'll take it off the domain. The problem with doing the dual authentication is the timing:
It logs on as a computer at first
Applies computer GPOs
The user logs in
It starts applying user GPOs and it disconnects and tries to reauthenticate as the user at roughly the same time!
I've read a few posts suggesting that this makes a balls up of GPO application. Long story short: if you don't need user auth as well, set the policy to computer auth only.
Quote:
BECTA say WPA2 and RADIUS for wireless
Then they aren't recommending Windows Server 2003 SP1. You can set all this stuff up using WS2003 SP1, but the one thing you can't do is tell the clients to use WPA2 via your wireless group policy - WPA is the best you can do until SP2. There may be a reghack for this: I might phone BECTA to ask ;) . WPA is "secure enough" for now though, and when WPA2 is added to Group Policy it's just a quick policy change to deploy it, assuming your router allows WPA and WPA2 at the same time.
EDIT: sorry for the long post!
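The access-point-to-RADIUS leg that Ashok's requirements list (802.1x-capable access points plus a RADIUS server such as IAS) and the WRT54GL/IAS setup above both depend on, as an added Python example that is not code from this thread or from any of the posters. It builds the Access-Request an access point sends to carry an EAP message from the supplicant, signs it with the Message-Authenticator HMAC that is mandatory whenever EAP-Message is present (RFC 3579), and on the way back checks the Access-Accept's Response Authenticator (RFC 2865) and its Message-Authenticator, so a request altered in flight or an Access-Accept forged by someone who does not hold the AP/RADIUS shared secret is rejected. The shared secret, the username "pupil", the RADIUS identifier and the EAP-Response/Identity bytes are all constructed for the example; no real IAS or DD-WRT traffic is used.

```python
"""Added example: the RADIUS leg between an access point (NAS) and the
RADIUS/IAS server for an 802.1X/EAP conversation, per RFC 2865 and RFC 3579.
All values (shared secret, username, EAP bytes) are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_80211 = 19  # NAS-Port-Type value for Wireless-IEEE-802.11


def attr(atype, value):
    """One RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Return [(type, value, offset_of_value)] for the attributes in pkt."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((atype, pkt[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out


def sign_message_authenticator(pkt, secret, request_auth):
    """Fill in Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed with the
    shared secret over the packet with the Request Authenticator in the
    authenticator field and the Message-Authenticator value zeroed."""
    for atype, _, off in parse_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:4] + request_auth + pkt[20:off] + b"\x00" * 16 + pkt[off + 16:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return pkt[:off] + mac + pkt[off + 16:]
    raise ValueError("Message-Authenticator is mandatory with EAP-Message")


def nas_access_request(secret, ident, user, eap_payload):
    """Access point side: wrap an EAP message received from the supplicant."""
    request_auth = os.urandom(16)  # must be unpredictable and fresh per request
    attrs = [attr(USER_NAME, user),
             attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
             attr(EAP_MESSAGE, eap_payload),
             attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return sign_message_authenticator(pkt, secret, request_auth)


def verify_request(pkt, secret):
    """RADIUS server side: recompute the HMAC; any change to the packet or a
    wrong shared secret gives a mismatch and the request is silently dropped."""
    expected = sign_message_authenticator(pkt, secret, pkt[4:20])
    return hmac.compare_digest(expected, pkt)


def server_response(secret, request_pkt, accept):
    """RADIUS server side: Access-Accept/Reject carrying EAP Success/Failure."""
    request_auth, ident = request_pkt[4:20], request_pkt[1]
    eap = bytes([3 if accept else 4, ident, 0, 4])  # EAP Success(3)/Failure(4)
    attrs = [attr(EAP_MESSAGE, eap), attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    pkt = build_packet(ACCESS_ACCEPT if accept else ACCESS_REJECT, ident, request_auth, attrs)
    pkt = sign_message_authenticator(pkt, secret, request_auth)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(resp, request_pkt, secret):
    """Access point side: bind the reply to our request and our secret, so an
    Access-Accept injected by someone without the secret does not open the port."""
    request_auth = request_pkt[4:20]
    if resp[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return False
    resigned = sign_message_authenticator(resp, secret, request_auth)
    return hmac.compare_digest(resigned, resp)


def demo():
    """Constructed exchange: one EAP-Response/Identity from user 'pupil'."""
    secret = b"constructed-shared-secret"  # AP <-> RADIUS shared secret (constructed)
    eap_identity = bytes([2, 1, 0, 10]) + b"\x01pupil"  # EAP Response, type Identity
    req = nas_access_request(secret, 7, b"pupil", eap_identity)
    tampered = req[:22] + b"staff" + req[27:]  # User-Name swapped in flight, same length
    accept = server_response(secret, req, accept=True)
    forged = server_response(b"guessed-secret", req, accept=True)
    return {
        "request_verifies": verify_request(req, secret),
        "tampered_request_verifies": verify_request(tampered, secret),
        "accept_verifies": verify_response(accept, req, secret),
        "forged_accept_verifies": verify_response(forged, req, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks key off the shared secret alone, and both are MD5-based, so the secret configured on the WRT54GL and in the IAS client entry is the only thing protecting this leg: make it long and random, give each access point its own, and keep the AP-to-RADIUS path on a wired management VLAN rather than on the wireless network it is authenticating.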