
Tech Talk Live Blog

802.1x Wireless Authentication Deployment

Mike Matz


The Problem

Two years ago, Wyomissing Area School District (WASD), Wyomissing, PA, was faced with the issue of how to manage its growing wireless infrastructure. For years, we had relied on the WPA Personal protocol to secure our wireless networks. With the addition of laptops and mobile devices, WASD had more than doubled the size of its deployment. It was quickly becoming obvious that we had a huge security risk on our hands. The passwords were known only by the IT staff and not shared with others, which added to the difficulty of management as more and more users requested wireless network access for their personal devices. The passwords were being stored on master images as well. Our passwords were being stored on more and more devices, making us vulnerable to a breach. At this point we realized how detrimental a breach of one of these passwords would be. It would mean changing the password on 1,000+ devices in order to secure the network again. We needed to find a new way to both manage and secure our wireless networks.

The Solution

In the search for a solution, we had two questions. What will we use? And how will we implement it?  The “what” question was easily answered. The “how” question was answered over a period of trial and error, until refined to an acceptable solution that met our needs.

Once we recognized WPA Personal was no longer an acceptable means of security, we knew we needed to move to WPA Enterprise. We laid out a plan of what we wanted to accomplish with 802.1x.  We needed to meet the following criteria with our deployment:

  • The RADIUS server needed to be able to authorize specific groups of users to specific wireless networks.
  • Laptops needed to remain on the network even when users were not logged in to allow remote access.
  • The solution had to be universal to work on all devices (Windows, Mac OS X, iPads, and Android devices).
  • A way to automate the deployment of the solution must be found to minimize the work the IT staff needed to do.
  • The same reliability and ease of use as the previous solution must be provided.

With these goals in mind, we were ready to begin our deployment, but first a little background information. Both our wired and wireless infrastructure is entirely in a Cisco Active Directory environment. Our wireless deployment consists of a Cisco 5760 Wireless Controller with a mix of Cisco 1142n and 3502i access points. Now that you understand our environment, let’s dive in!

The first hurdle we faced was choosing which protocols our users and devices would authenticate with. The simplest solution was to use PEAP. However, the drawback to using this solution was that our laptops would only be connected to the network when a user was logged in. Because of this, we decided we also needed to implement certificate-based authentication. This would allow laptops to be authenticated to the network even while at the login window. The first step in achieving our goal was to set up a Windows Certificate Authority (CA). A quick trip to Google provided numerous step-by-step how-tos which made this setup very easy. I have included the links to the sites I used at the end of this article. With our CA set up and Group Policy set to automatically issue certificates to all our computers, step one of our deployment was complete.

The next hurdle we faced was choosing a RADIUS server. I will spare you all the trouble we went through choosing a RADIUS server, and just tell you we chose Cisco Access Control Server (ACS). We found this solution to be the best fit for our environment. Windows Network Policy Server (NPS) is also an acceptable solution, but ACS had a few more bells and whistles that made the deployment more complete. With a RADIUS server in place, we now had a fully working 802.1x deployment.
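The first criterion above (specific groups authorized to specific wireless networks) comes down to a per-request decision on the RADIUS server. The following is an added example, not WASD's ACS configuration or code from the original article: it models that decision in Python, reading the SSID from the `Called-Station-Id` attribute in the `<AP MAC>:<SSID>` form described in RFC 3580. The SSID names, group names, identities and the rule that computer accounts are accepted only with EAP-TLS are assumptions made for illustration.

```python
import re

# Constructed policy: SSID -> directory groups allowed on it (names are hypothetical).
SSID_POLICY = {
    "District-Staff": {"Staff", "Domain Computers"},
    "District-Student": {"Students"},
}
# Constructed stand-in for Active Directory group membership lookups.
DIRECTORY = {
    "host/lab-01.example.org": {"Domain Computers"},
    "jdoe": {"Staff"},
    "student42": {"Students"},
}
# RFC 3580 format for 802.11: Called-Station-Id = "<AP MAC>:<SSID>".
CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}:(.+)$")


def ssid_from_called_station(value):
    """Return the SSID carried in Called-Station-Id, or None if it has none."""
    match = CALLED_STATION.match(value or "")
    return match.group(1) if match else None


def authorize(request, directory=DIRECTORY):
    """Return (decision, detail) for a request whose EAP exchange already succeeded."""
    ssid = ssid_from_called_station(request.get("called_station_id"))
    if ssid not in SSID_POLICY:
        return ("Access-Reject", "unknown or missing SSID")
    identity = request.get("identity", "").lower()
    # Windows computer accounts identify as "host/<fqdn>". Assumed policy for
    # this example: they are accepted only with a certificate (EAP-TLS).
    if identity.startswith("host/") and request.get("eap_method") != "EAP-TLS":
        return ("Access-Reject", "machine identity without certificate")
    if directory.get(identity, set()) & SSID_POLICY[ssid]:
        return ("Access-Accept", ssid)
    return ("Access-Reject", "no group allowed on " + ssid)


if __name__ == "__main__":
    ap = "00-11-22-33-44-55"  # constructed AP MAC
    for ident, method, called in [
        ("host/lab-01.example.org", "EAP-TLS", ap + ":District-Staff"),
        ("student42", "PEAP", ap + ":District-Staff"),
        ("host/lab-01.example.org", "PEAP", ap + ":District-Staff"),
        ("jdoe", "PEAP", ap),
    ]:
        req = {"identity": ident, "eap_method": method, "called_station_id": called}
        print(ident, method, authorize(req))
```

The default-deny branch for a missing or unknown SSID matters in practice: a controller that sends only the AP MAC in `Called-Station-Id` would otherwise leave the server with no network to match the group against.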

Back at the beginning of the article, I said that this solution had to be universal and work on a variety of platforms and devices. Group Policy allowed us to automatically issue certificates to the Windows machines, but what about Macs, iOS devices, and Android? Macs are capable of automatic certificate enrollment as well, but they require an MDM solution such as Apple Profile Manager or the JAMF Casper Suite. From the MDM solution it is quite simple to create a profile with three payloads that will automate the entire process, from obtaining a certificate to adding the wireless network.

Finally, iOS and Android devices, because they cannot be bound to Active Directory, are going to require a user-based certificate. While we cannot automatically issue a user certificate to a device, we can provide a way for users to automatically obtain a certificate they can install on their device. This comes in the form of Simple Certificate Enrollment Protocol (SCEP). In the process of setting up our Windows CA, we also installed the role for Network Device Enrollment. All the options available to configure here are too numerous to go into in this article, but I have provided a couple useful links at the end.

One last note about iPads: user-based certificates work great when the device is assigned to one user all the time. But what about those of us who have mobile carts of iPads and want to implement certificate-based authentication? There is a solution, but it is not for the faint of heart. If you are interested in hearing about this solution, please email me or leave a comment below and I will be sure to discuss it with you.

The Result

After one full year of this solution working in production, we could not be happier. Before implementing 802.1x, we were trying to find ways to script a wireless profile to machines after imaging. We also spent unnecessary time adding a wireless network to a device because we were unwilling to share the WPA Personal key. Both of these problems were resolved by using 802.1x. In the ever changing world of IT, it is nice to have a solution that works for you and does not add work. The process and work we put into this was, at times, difficult and stressful, but the end result was well worth the effort!

Links

Watch Mike’s complete Tech Talk Live presentation, 802.1x Wireless Authentication Deployment, here.

Mike Matz is a graduate of Albright College with a Bachelor of Science in Computer Science and a Bachelor of Arts in Digital Media.  He has worked for the Wyomissing Area School District as a Systems Engineer for the past 10+ years.
