Two years ago, Wyomissing Area School District (WASD), Wyomissing, PA, was faced with the issue of how to manage its growing wireless infrastructure. For years, we had relied on the WPA Personal protocol to secure our wireless networks. With the addition of laptops and mobile devices, WASD had more than doubled its wireless deployment, and it was quickly becoming obvious that we had a huge security risk on our hands. The passwords were known only to the IT staff and not shared with others, which added to the difficulty of management as more and more users requested wireless network access for their personal devices. The passwords were also being stored on master images, so they ended up on more and more devices, leaving us vulnerable to a breach. At this point we realized how detrimental a breach of one of these passwords would be: it would mean changing the password on 1,000+ devices in order to secure the network again. We needed to find a new way to both manage and secure our wireless networks.
In the search for a solution, we had two questions. What will we use? And how will we implement it? The “what” question was easily answered. The “how” question was answered over a period of trial and error, until refined to an acceptable solution that met our needs.
Once we recognized WPA Personal was no longer an acceptable means of security, we knew we needed to move to WPA Enterprise. We laid out a plan of what we wanted to accomplish with 802.1x. We needed to meet the following criteria with our deployment:
With these goals in mind, we were ready to begin our deployment, but first a little background information. Both our wired and wireless infrastructure are Cisco-based and run in an Active Directory environment. Our wireless deployment consists of a Cisco 5760 Wireless Controller with a mix of Cisco 1142n and 3502i access points. Now that you understand our environment, let’s dive in!
The first hurdle we faced was choosing which protocols we wanted our users and devices to authenticate with. The simplest solution was to use PEAP. However, the drawback to this solution was that our laptops would only be connected to the network while a user was logged in. Because of this, we decided we also needed to implement certificate-based authentication, which allows laptops to authenticate to the network even while sitting at the login window. The first step in achieving this was to set up a Windows Certificate Authority (CA). A quick trip to Google provided numerous step-by-step how-tos that made this setup very easy; I have included the links to the sites I used at the end of this article. With our CA set up and Group Policy set to automatically issue certificates to all our computers, step one of our deployment was complete.
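To confirm that a laptop actually ended up in the state this step aims for (an auto-enrolled machine certificate from the district CA, and a wireless profile that uses certificate-based EAP-TLS rather than PEAP and validates the RADIUS server's certificate), here is an added verification script. It is not from the article or the district; the CA common name `WASD-CA` and the profile name `WASD-Secure` are placeholders to replace with your own.

```powershell
# Added example, not the district's own tooling. Run on a domain-joined Windows laptop
# after Group Policy auto-enrollment has applied. IssuerName and ProfileName are placeholders.
param(
    [string]$IssuerName  = "WASD-CA",      # placeholder: CN of the issuing CA
    [string]$ProfileName = "WASD-Secure",  # placeholder: the 802.1x SSID / profile name
    [int]$WarnDays = 30                    # warn when the machine cert expires within this window
)

$clientAuthOid = "1.3.6.1.5.5.7.3.2"       # Client Authentication EKU, required for EAP-TLS

# 1. Machine certificate: issued by our CA, usable for client auth, with its private key on this box.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$IssuerName*" -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if (-not $machineCerts) {
    Write-Warning "No machine certificate from CN=$IssuerName with Client Authentication EKU; auto-enrollment has not applied."
} else {
    foreach ($c in $machineCerts) {
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -le $WarnDays) { "RENEW SOON" } else { "ok" }
        Write-Output ("Machine cert {0} expires {1:d} ({2} days) [{3}]" -f $c.Thumbprint, $c.NotAfter, $daysLeft, $state)
    }
}

# 2. Wireless profile: export it and check EAP type, auth mode and server validation.
$tmp = Join-Path $env:TEMP "wlanprofile-check"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$file = Get-ChildItem $tmp -Filter "*.xml" | Select-Object -First 1
if (-not $file) { Write-Warning "Profile '$ProfileName' not found on this machine"; return }
[xml]$xml = Get-Content $file.FullName

# local-name() sidesteps the several XML namespaces Windows uses inside the EAP config.
$eapType   = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']").InnerText
$authMode  = $xml.SelectSingleNode("//*[local-name()='authMode']").InnerText
$noPrompt  = $xml.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']").InnerText
$trustedCA = $xml.SelectNodes("//*[local-name()='TrustedRootCA']").Count

Write-Output "EAP type: $eapType (13 = EAP-TLS, 25 = PEAP)"
Write-Output "authMode: $authMode (machineOrUser lets the laptop join at the login window)"
if ($eapType -ne "13") { Write-Warning "Profile is not EAP-TLS; the laptop cannot authenticate before logon" }
if ($noPrompt -ne "true" -or $trustedCA -eq 0) {
    Write-Warning "Server certificate validation is not pinned to a trusted root CA; the client could accept any RADIUS server"
}
Remove-Item $tmp -Recurse -Force
```

The last warning is the one worth treating as a deployment blocker: an EAP-TLS profile that does not pin the RADIUS server's certificate to your CA weakens the whole point of moving off a shared key.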
The next hurdle we faced was choosing a RADIUS server. I will spare you all the trouble we went through choosing a RADIUS server, and just tell you we chose Cisco Access Control Server (ACS). We found this solution to be the best fit for our environment. Windows Network Policy Server (NPS) is also an acceptable solution, but ACS had a few more bells and whistles that made the deployment more complete. With a RADIUS server in place, we now had a fully working 802.1x deployment.
Back at the beginning of the article, I said that this solution had to be universal and work on a variety of platforms and devices. Group Policy allowed us to automatically issue certificates to the Windows machines, but what about Macs, iOS devices, and Android? Macs are capable of automatic certificate enrollment as well, but they require an MDM solution such as Apple Profile Manager or the JAMF Casper Suite. From the MDM solution it is quite simple to create a profile with three payloads that will automate the entire process, from obtaining a certificate to adding the wireless network.
Finally, iOS and Android devices, because they cannot be bound to Active Directory, are going to require a user-based certificate. While we cannot automatically issue a user certificate to a device, we can provide a way for users to automatically obtain a certificate they can install on their device. This comes in the form of the Simple Certificate Enrollment Protocol (SCEP). In the process of setting up our Windows CA, we also installed the Network Device Enrollment Service (NDES) role. The options available to configure here are too numerous to go into in this article, but I have provided a couple of useful links at the end.
One last note about iPads: user-based certificates work great when the device is assigned to one user all the time. But what about those of us who have mobile carts of iPads and want to implement certificate-based authentication? There is a solution, but it is not for the faint of heart. If you are interested in hearing about this solution, please email me or leave a comment below and I will be sure to discuss it with you.
After one full year of this solution working in production, we could not be happier. Before implementing 802.1x, we were trying to find ways to script a wireless profile onto machines after imaging. We also spent unnecessary time adding a wireless network to each device by hand because we were unwilling to share the WPA Personal key. Both of these problems were resolved by using 802.1x. In the ever-changing world of IT, it is nice to have a solution that works for you and does not add work. The process and work we put into this was, at times, difficult and stressful, but the end result was well worth the effort!
Watch Mike’s complete Tech Talk Live presentation, 802.1x Wireless Authentication Deployment, here.
Mike Matz is a graduate of Albright College with a Bachelor of Science in Computer Science and a Bachelor of Arts in Digital Media. He has worked for the Wyomissing Area School District as a Systems Engineer for the past 10+ years.