Ultimate wireless security guide: Manual PEAP deployment for Windows Wireless Client

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, describes how to deploy Microsoft's built-in supplicant (client) for wireless networking, Windows Wireless Client.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Windows Wireless Client, formerly known as the Wireless Zero Configuration (WZC) service, is Microsoft's built-in supplicant (client) for wireless networking. This is the very same client that can be configured automatically by Active Directory Group Policy if you're running at least Windows Server 2003 with SP1 or Windows Server 2003 R2. This section will be demonstrated mostly with Windows XP Service Pack 1 and 2 (Figure W). You should forget about wireless networking on any XP release before Service Pack 1 for security reasons; besides, it doesn't support PEAP anyway.

Figure W

Network connections

In either SP1 or SP2, you can configure the Wireless Client by right-clicking your wireless Ethernet device under the "Network Connections" folder and selecting Properties. This takes you to the screen shown in Figure X.

Figure X

Connect to a wireless network

Service Pack 2 has the updated interface shown in Figure Y, which you can reach by right-clicking the wireless icon in the system tray at the bottom right of your screen and selecting "View Available Networks". Clicking "Change advanced settings" will also take you to the screen shown in Figure X.

Figure Y

Choose a wireless network

Under XP SP2, you will need to create a profile from scratch by clicking the "Add" button under the "Preferred networks" section (Figure Z). After you click "Add", you will see the screen to the left. You simply need to type in the SSID that you are using on your access points.

Figure Z

Add a wireless connection

For "Network Authentication", select "WPA"

WPA mode requires XP SP2 or Vista. WPA2 is also an option if you installed the additional WPA2 patch for Windows XP or if you're running Vista. Your access point also needs to be new enough, or have firmware recent enough, to support WPA mode, and your Wi-Fi client adapter drivers must support WPA.

For "Data encryption", select "TKIP"

With WPA or WPA2 mode, you have to choose either TKIP or AES. AES is better, but not all hardware on the access point or client side supports it, so check your hardware capabilities. AES is clearly the preferred choice if you can get it to work, but TKIP is now the minimum security requirement. WEP is no longer valid under ANY scenario, even if you're using it with RADIUS and key rotation, because the attacks against WEP advanced dramatically in 2005.

Switch to the "Authentication" tab shown in Figure AA. Check "Enable IEEE 802.1x authentication for this network" and select "Protected EAP (PEAP)".

Figure AA

Wireless Authentication properties

You will also need to check "Authenticate as computer when computer information is available" to enable "Machine Authentication", also known as "Computer Authentication". Machine Authentication allows your PC to connect to the network by authenticating as the computer before a user logs in. This lets the machine obtain Group Policy just as if it were connected to a wired network, and it is a unique feature of the Windows client.

If you don't have Machine Authentication, Group Policy will not be applied, and users without cached credentials cannot log on to the machine even if they have been given the proper permissions at the domain level. Machine Authentication is needed to recreate the full "wired" experience. For Machine Authentication to work with PEAP, the only requirement is that the computer is joined to the domain; the computer uses its computer account password to log on to the network. Note that for EAP-TLS or PEAP-EAP-TLS (stronger alternatives to PEAP) to work, the computer must also have a machine certificate installed from the Enterprise Root CA.

Click "Properties" under "EAP type" to continue to the screen shown in Figure BB.

Figure BB

Protected EAP Properties

In this section, make sure you check "Validate server certificate": if you don't, PEAP will be as weak as EAP-FAST in anonymous DH mode.

Also select the "Trusted Root Certificate Authority" for this wireless connection. Note that SP2 added a new security feature here: the check box "Do not prompt user to authorize new servers or trusted certification authorities". This whole window is a very important security control, because you want your wireless LAN to be locked to your Certificate Authority and not anyone else's.

Choose "EAP-MSCHAP v2", which selects PEAP-EAP-MSCHAPv2 mode; most people simply call this "PEAP", since it is the most common implementation. DO NOT check "Enable Fast Reconnect", since it will cause authentication problems with some access points, such as Cisco's. I found this out the hard way when I had to spend time with a sniffer and Cisco tech support to figure out the problem.

If you had selected "Smart Card or other Certificate" here instead, it means you've set it to use PEAP-EAP-TLS mode, a newer EAP method that is supposed to be an alternative to "classic" EAP-TLS mode. It may be better, but it might cause compatibility problems with non-Windows clients, so I can't recommend it for now. EAP-TLS mode is configured from the previous section under "Wireless Network Properties" by choosing "Smart Card or other Certificate" instead of "Protected EAP (PEAP)". Both EAP-TLS and PEAP-EAP-TLS require client-side machine certificates to work, which makes them stronger two-factor authentication solutions but also much harder to deploy. If this naming scheme is confusing to you, you're not alone. I hope this explanation clears things up for you.

Click "Configure" to continue to the screen shown in Figure CC. The default setting here automatically logs a user on using their current Windows credentials. If you're trying to connect to a wireless network on a Windows domain you're not joined to, automatic logon will not work, so you must uncheck this; you'll then be prompted for domain credentials for the network you're attaching to. Note that it will give you the chance to save those credentials.

Figure CC

Default configuration

As you can see, this is quite a complex procedure for something as simple as PEAP (PEAP-EAP-MSCHAPv2) was designed to be. Running in either EAP-TLS or PEAP-EAP-TLS mode would make it even more complex. You will definitely want to set these policies globally using Windows Server 2003 Active Directory Group Policy.

From a deployment and security standpoint, it is always better to set and enforce all these client-side settings automatically, because the user is never given the opportunity to get them wrong. A wrong client-side configuration can compromise your company's security. You also need to consider the expense of training your desktop support staff and the man-hours required to configure every machine in your organization using this long, tedious procedure.
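Because a single wrong check box undoes the protection, it is worth auditing the resulting profile rather than trusting the click-through. The Python script below is an added example, not part of the original article or of Microsoft's tooling: it checks a wireless profile XML against the settings this article requires (WPA/WPA2 with TKIP or AES, 802.1X with machine authentication, PEAP with EAP-MSCHAPv2, server certificate validation against a chosen root CA, no prompting for new servers, and Fast Reconnect off). The schema is assumed to match the `netsh wlan export profile` format of Vista and later, and the embedded profile is a constructed sample with XML namespaces removed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Vista+ "netsh wlan export profile" XML
# (assumed schema; XML namespaces omitted for brevity). Not an export from a real machine.
SAMPLE_PROFILE = """<WLANProfile><name>CorpWLAN</name><MSM><security>
  <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
    <useOneX>true</useOneX></authEncryption>
  <OneX><authMode>machineOrUser</authMode><EAPConfig><EapHostConfig>
    <EapMethod><Type>25</Type></EapMethod>
    <Config><Eap><Type>25</Type><EapType>
      <ServerValidation>
        <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
        <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
      </ServerValidation>
      <FastReconnect>false</FastReconnect>
      <Eap><Type>26</Type></Eap>
      <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
    </EapType></Eap></Config>
  </EapHostConfig></EAPConfig></OneX>
</security></MSM></WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the checklist."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip namespaces so the paths below stay readable
        el.tag = el.tag.split("}", 1)[-1]

    def text(path):  # text of the first element matching path, or None
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else None

    checks = [  # (condition that must hold, finding reported when it does not)
        (text(".//authEncryption/authentication") in ("WPA", "WPA2"), "authentication must be WPA or WPA2"),
        (text(".//authEncryption/encryption") in ("TKIP", "AES"), "encryption must be TKIP or AES, never WEP"),
        (text(".//authEncryption/useOneX") == "true", "IEEE 802.1X must be enabled"),
        (text(".//OneX/authMode") in ("machine", "machineOrUser"), "machine authentication must be enabled"),
        (text(".//Config/Eap/Type") == "25", "outer EAP type must be PEAP (type 25)"),
        (text(".//Config/Eap/EapType/Eap/Type") == "26", "inner EAP type must be EAP-MSCHAPv2 (type 26)"),
        (text(".//PeapExtensions/PerformServerValidation") == "true", "'Validate server certificate' must be checked"),
        (bool(text(".//ServerValidation/TrustedRootCA")), "a trusted root CA must be selected"),
        (text(".//ServerValidation/DisableUserPromptForServerValidation") == "true",
         "users must not be prompted to authorize new servers or CAs"),
        (text(".//EapType/FastReconnect") == "false", "'Enable Fast Reconnect' must be unchecked"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE) or "profile matches the article's checklist")
```

Run it against a real export by reading the file into `audit_profile`; every finding corresponds to one of the check boxes discussed above.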