Wireless networking enables users to be more productive and helps organizations reduce the cost of their infrastructures. By itself, wireless networking is a potential boon for all organizations. Microsoft® Windows® XP adds even more value to wireless networking by making it easier to deploy, configure, and support. This paper describes the benefits of wireless networking with Windows XP and how you can leverage this combination in your own organization.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Wireless Scenarios 5
Road Warriors 5
Corridor Warriors 5
Data Collectors 6
Wireless in the Enterprise 7
Wireless with Windows XP 9
Wireless Deployment 11
Roaming and Mobility 13
Wireless Security 15
IEEE 802.1X 16
Active Directory 17
For More Information 20
Mark Hassall, Microsoft Corporation
Bruce Kember, Microsoft Corporation
Warren Barkley, Microsoft Corporation
Anton Krantz, Microsoft Corporation
Drew Baron, Microsoft Corporation
Joseph Davies, Microsoft Corporation
David Talbott, Studio B
Elsa Rosenberg, Studio B
Wireless networking has revolutionized mobile computing. Mobile users are now more productive—they can access corporate network resources by using any public wireless network and can roam the building with their laptop computers and still have network access. Wireless networking means that mobile users can squeeze more work time out of their day, and it significantly enhances their quality of life.
IT professionals are more effective, too, and your IT dollar goes farther. Wireless networking reduces the cost of network infrastructure by making it more feasible and less time-consuming to add networking to unconventional locations, such as conference rooms, cafeterias, and community areas.
Wireless networking is better with Windows XP. For example, Windows XP reduces wireless deployment costs via automatic configuration. It also reduces Help desks’ call times for wireless networking questions due to simplified configuration, automatic roaming, and built-in Wi-Fi support. Windows XP makes wireless networking practical for the average mobile user for whom it wasn’t previously feasible.
This paper describes all of these benefits. It starts with a description of the different types of mobile users and their wireless requirements, describes the benefits of wireless networking so that you can consider them independently of Windows XP, and shows you the value that Windows XP adds. Lastly, it gives you an overview of how to deploy wireless networking with Windows XP and lays a foundation of best practices to guide you. If you’re not already familiar with terminology such as 802.11 wireless networking and WLAN, see the glossary. This paper also includes references to resources where you can find more information; most of these references are at Microsoft’s WiFi Web site.
In this paper, you find the following sections:
The four basic types of mobile users
Wireless in the Enterprise
How wireless benefits enterprise organizations
Wireless with Windows XP
The benefits of Windows XP wireless features
Issues concerning wireless networking deployment
Wireless Best Practices
Best practices deploying wireless with Windows XP
This section describes four basic types of mobile users and their wireless requirements:
Road Warriors. Professionals who travel frequently and require remote access
Corridor Warriors. Knowledge workers who spend most of their time in meetings
Telecommuters. Knowledge workers who work occasionally at home
Data Collectors. Field service employees who travel full-time and thus require remote access
Road warriors include executives, consultants, sales representatives, insurance agents, or pharmaceutical representatives. Their requirement is to keep the lines of communication flowing, so wireless connectivity is extremely important to this type of user. However, this relationship isn’t one-way (from sales representative to client) because, with the new connectivity that Windows XP Professional provides, a road warrior's relationship to a client can become a collaborative experience. Road warriors typically travel 80 percent or less of the time, and thus their connectivity to the corporate network is vital.
A road warrior's preferred equipment includes either a laptop or Tablet PC with both wired and wireless connections to the corporate network for maintaining essential corporate files. Preferred connectivity while on the road for the laptop is a wireless wide area network (WWAN) or 802.11b (Wi-Fi) if a wireless hotspot is available. A wireless Pocket PC or Smartphone to attend conference calls on the go and a handheld for email and calendar capability are also key tools that the road warrior carries. Preferred connectivity for a Pocket PC's Internet connectivity is General Packet Radio Service (GPRS).
Corridor warriors include executives and knowledge workers in an enterprise environment. In addition, mobile students in a campus environment can be considered corridor warriors. Their requirement is to have instant connectivity to applications and information whether in an enterprise environment or a campus environment. This type of user places more demands on a wireless network because not only do they need connectivity in the midst of structured meetings, but also corridor warriors demand connectivity on the way to the next meeting or class. Corridor warriors travel 20 percent or less of the time.
A corridor warrior's preferred equipment includes either a laptop or Tablet PC with both wired and wireless connections to the corporate or campus network. If corridor warriors have a laptop, they’ll most likely also need a docking station for their laptop or desktop PC at the office and a Pocket PC for mobile email and calendar checking. Their preferred connectivity when roaming wirelessly throughout the office is Wi-Fi.
Telecommuters include employees, consultants, and contractors who work at home at least one day per week and who perform their work from home or in the office. They require infrequent network access away from the office and travel (local to home or office) approximately 25 percent of the time between the office and their home office.
A telecommuter’s preferred equipment is a laptop or desktop PC in the office and a PC at home. Working at home requires corporate network access and might include smart card access via dial-up connections or virtual private network (VPN) connections via dial-up or cable/Digital Subscriber Line (DSL) access. Telecommuters will access their desktop PC/laptop at the office via a wired connection and the corporate network from home via the VPN.
Data collectors include field service employees from various vertical industries as diverse as manufacturing to emergency and rescue. Data collection can be a tedious and boring task, but with the improvements and new features of Windows XP and Office XP, you can collect data quicker and more securely than before.
Data collectors require access to data wherever they find themselves and must have enough resources on hand to deliver enhanced services on demand. Data collectors travel approximately 80 percent or more of the time. Their preferred equipment is a laptop or Tablet PC with wireless connection to the corporate network and a handheld or cell phone with data capabilities. Their preferred connectivity is WWAN; however, it’s possible to use Wi-Fi if a wireless hotspot is available to update data throughout the day.
Wireless in the Enterprise
According to Gartner Analyst, Andy Rolfe, in a study called “Wireless LAN Equipment Market: Strong Growth Set to Continue” (Gartner, Inc., October 2002), the needs of mobile users, including mobile PC and PDA users, will continue to drive the growth of wireless LAN (WLAN) equipment. Rolfe estimates that the penetration of WLAN technology into the professional mobile PC space will grow from 20 percent in 2001 to more than 90 percent in 2007. With an increase in performance, improved security, lower costs, and industry standardization, Rolfe expects wireless networking to increase at a compound annual growth rate of 42 percent through 2007. By the end of 2007, the price of wireless NICs will fall below $30 per unit, and more than two-thirds of mobile computers will ship with integrated WLAN adapters.
The Wireless LAN Association (WLANA) also studied the benefits of wireless networking. It surveyed users and IT professionals in 34 organizations from a cross section of industries (education, healthcare, manufacturing, and retail). The association’s study’s findings are intriguing. First, WLANA found that WLANs paid for themselves within the first 12 months in all of the industries it studied. Wireless networking paid for itself quickest in the office automation industry (6.3 months), followed by the education industry (7.1 months), manufacturing (7.2 months), retail (9.7 months), and healthcare (11.4 months). The surveys provided other interesting feedback, including the following points (see Wireless LAN ROI):
89 percent of the companies surveyed had successful deployments.
92 percent of the companies surveyed observed definite business benefits.
92 percent of the companies surveyed said they’d continue to deploy wireless technology based on the experience of their users and IT staff.
97 percent of the users surveyed said that they agree or strongly agree that wireless networking contributed to the speed at which they completed tasks that require real-time access to information.
All of these predictions paint a positive picture for mobile computing and wireless networking, but they don’t answer the important question, “What’s wireless networking going to do for my business?” The following sections describe how wireless networking benefits enterprises such as yours. It empowers users and makes them more productive, reduces the cost of the organization’s infrastructure, and reduces the cost of IT. The section “Wireless with Windows XP” describes additional benefits that Windows XP adds.
Wireless networking makes all types of mobile users, particularly road warriors, corridor warriors, and data collectors, more productive and improves their quality of life:
Users gain extra productive hours. Wireless networking can turn idle time into productive time by allowing mobile users to connect to corporate network resources where traditional wired network connections aren’t available. For example, an executive waiting for a delayed flight can connect to the corporate network using a public hotspot at the airport. Knowledge workers can connect to the network and collaborate during a meeting.
Decisions are made quicker as cycle times are reduced. Wireless networking enables immediate collaboration regardless of whether a wired network connection is available. For example, a technician on the manufacturing floor can send information to engineering without delay, and a doctor can check a patient’s record without ever leaving the room. Decisions are made quicker because the usual delay of users returning to their desktop computers is eliminated by an instant, wireless connection to the corporate network.
Users’ quality of life is better. Wireless networking makes mobile computing more convenient. Rather than the frustration of finding phones and dialing in to the network, many mobile users choose to wait until later because of the inconvenience. Frustration levels decrease as mobile users learn that they can connect to their resources without hassles.
Wireless networking is also beneficial to an enterprise’s infrastructure:
Temporary network connectivity is more practical and less expensive. Wireless networking makes it feasible to set up, use, and take down temporary networks as required. Microsoft is a good example of leveraging this benefit. The company configures temporary wireless networks at trade shows for the benefit of staff and attendees. A more general example is creating a temporary wireless network for the final crunch of a big project, which you can disassemble at the project’s completion.
Wireless networks are quicker to deploy than wired networks. Wireless networks are more flexible than wired networks. They’re quicker to deploy because you don’t have to run cable throughout your building, and Windows XP makes configuration easier.
Wireless networking is more feasible in locations where wired networks aren’t practical. Locations such as conference rooms and cafeterias aren’t practically wired, and wireless networking makes it easy to add a network to those rooms. Traditional wired networking isn’t practical outdoors, for example, but wireless networking is a perfect solution for an outdoor network. Additionally, older buildings and some types of construction prohibit pulling wires for a traditional network. Wireless networking significantly reduces the cost of networking in those scenarios and enables networking in environments that weren’t possible. For that matter, wireless networking is cheaper to deploy than cabling a building with Category-5, and it scales more easily.
Wireless with Windows XP
The combined Rapid Economic Justification (REJ) and various TCO studies show that when Windows XP Professional was installed, the increased reliability and stability directly influenced user productivity, efficiency, and support costs. Combined with wireless capability, the studies show a significant drop in the cost of ownership and a rise in productivity and efficiency. According to the studies, features such as Plug and Play (PnP), Warm Docking, Hibernation, and Advanced Power Management save organizations $259 per laptop computer each year. For more information about the benefits of using Windows XP in mobile scenarios, see Windows XP and Office XP for Mobile Users. The Windows XP wireless networking features themselves save organizations an astonishing $830 per laptop computer each year. For more information about REJ, see http://www.microsoft.com/value.
Windows XP Professional has new features and enhancements that make remote and wireless access simple for any wireless user, which in turn provides significant productivity gains for employers. Organizations considering Windows XP Professional find significant value in its ability to automatically enable wireless networking. Such cost reductions are directly related to features, such as the Wireless Zero Configuration service, which allow users to leverage the technology without involving IT support staff. The following list describes scenarios in which Windows XP and the Wireless Zero Configuration service make users more productive:
With a wireless network adapter installed, Windows XP Professional searches for available networks to which it can connect. When an available network matches a preferred network, Windows XP Professional connects to it. If there are no configured preferred networks or no preferred networks are found, users can also select a specific network to which they want to connect. Users can prioritize the list of preferred networks—Windows XP Professional stores the list and connects to the networks in the chosen order. Connection management is possible without user intervention, but user interaction is sometimes necessary to choose specific networks or prioritize connection order.
Automatic configuration makes wireless networking more practical for mobile users. Because configuring wireless network connections in Windows XP is much easier than in earlier versions of Windows using third-party device drivers, all types of mobile users can easily configure their wireless connections. Estimates are that simplified network configurations save organizations $68 per laptop each year. Wireless networking and simplified network configurations benefit IT professionals, too. Because users are more able to configure their own network connections, they become more self-sufficient. IT professionals no longer have to plan and configure every connection when they deploy the operating system to mobile users. And the Help desk gets fewer calls from mobile users as they change environments and thus need to configure new network connections.
As users physically move their wireless computers from room to room, Windows XP Professional automatically remains connected by finding the best wireless access point (AP) with which to communicate. When it finds a new wireless AP, it automatically negotiates authentication and authorization with that wireless AP without user intervention, which provides a great experience for the mobile user. A user can move anywhere within a given wireless network and remain connected to the network. You can also configure an ad hoc wireless network, which is convenient during meetings when users want to share and collaborate.
Windows XP makes wireless networking better in ways other than provided by the Wireless Zero Configuration service. For example, the operating system includes device drivers for most of the popular wireless adapters. And the device drivers that come with Windows XP fully support Wireless Zero Configuration. In many cases, IT professionals don’t need to deploy third-party device drivers for their wireless adapters, and mobile users don’t have to download and install device drivers on their own (check the Hardware Compatibility List—HCL—before purchasing wireless adapters). Also, Windows XP provides built-in support for IEEE 802.1X security. 802.1X mitigates some of the basic security flaws in Wi-Fi networking, making it possible to deploy wireless networks that use secure authentication methods and per-session encryption keys. For more information about Windows XP and 802.1X wireless security, see the section “Wireless Security.”
Microsoft has deployed wireless networking throughout its campuses, and the company’s experience is a good starting point for describing a deployment process. See Microsoft Wireless LAN Deployment and Best Practices for more information about this project. That paper is only an overview, however. For more information about deploying wireless networking, see Deploying Enterprise Mobility and Collaboration. The following steps describe the deployment process that Microsoft used during its own project:
Pre-installation. This phase of a wireless deployment involves three steps. The first is developing a wireless AP location plan, which is based on your own design guidelines. For example, Microsoft’s guidelines specified that 95 percent of the installations could not require specialized antennas. The second step is field verification of proposed wireless AP locations to check for physical interference. The last is to present the final locations for approval prior to beginning installation of the APs.
Installation. The physical installation of wireless APs involves three steps. First is enclosing the wireless APs and antennas in enclosures that meet fire safety codes. The next is configuring centralized, low-voltage power supplies on backup power using uninterruptible power supplies. The last is building out the authentication infrastructure (Internet Authentication Service—IAS—and a public key infrastructure—PKI—in Microsoft’s case).
Delivery. Delivery is a testing phase in which technicians spot-check wireless AP installation for conformance to the specifications. These technicians also verify RF coverage and network connectivity of each AP. Last, in this phase, technicians deliver as-built documentation, which reflects the final placement of each wireless AP.
Rollout. In Microsoft’s case, the rollout involved three steps. The first was to create a Cryptographic API Component Object Model (CAPICOM) script to install certificates. Then, Microsoft created a Web site to host information about instructions, updated drivers, and the CAPICOM script. Last, the company informed users about the Web site with information to obtain wireless access. To get the computer and user certificates required for wireless access, users must connect to the corporate network by using a wired Ethernet connection.
The sections following this describe issues your organization might face when you deploy wireless networking. They include performance; scalability; roaming and mobility; and security. These issues are based on Microsoft’s experience with its own large-scale deployment. These issues assume a configuration such as the following and shown in Figure 1 (for more information about these components and the processes of secure wireless authentication, see the article Windows XP Wireless Deployment Technology and Component Overview):
Wireless client computers running Windows XP. Windows XP has built-in support for Wi-Fi wireless networking and 802.1X authentication using Extensible Authentication Protocol (EAP). The section “IEEE 802.1X” contains more information about 802.1X and EAP.
At least two Windows 2000 IAS servers. At least two IAS servers (one primary and one secondary) are used to provide fault tolerance for Remote Authentication Dial-In User Service (RADIUS)-based authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access clients cannot connect. By using two IAS servers and configuring all wireless APs, which are the RADIUS clients, for both the primary and secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server. The Windows 2000 IAS servers require Service Pack 3 (SP3). See the section “RADIUS” for more information.
Active Directory service domains. Active Directory® domains contain the user accounts, computer accounts, and dial-in properties that each IAS server requires to authenticate credentials and evaluate both authorization and connection constraints. While not a requirement, to both optimize IAS authentication and authorization response times and minimize network traffic, IAS should be installed on Active Directory domain controllers. The domain controllers require SP3. See the section “Active Directory” for more information.
A certificate infrastructure. The EAP-Transport Level Security (TLS) authentication protocol is used with locally installed computer and user certificates to authenticate wireless clients. A certificate infrastructure, also known as PKI, is needed to issue and provide validation for certificates. See the section “Certificates” for more information. Alternatively, you can purchase computer certificates from a third-party certification authority (CA) and use it for Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) v2 authentication. See the paper PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access for more information.
Wireless remote access policy. A remote access policy is configured for wireless connections so that employees can access the organization’s intranet.
Multiple wireless APs. Multiple third-party wireless APs provide wireless access in different buildings of an enterprise. The wireless APs must support 802.1X and RADIUS.
Figure 1. Secure Wireless Configuration (The Certification Authority—CA—server is optional if you use third-party certificates with PEAP MS-CHAP v2 as described in the article PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access.)
For the best performance possible, use the following best practices:
Don’t overload your wireless APs with too many connected wireless clients. Although most wireless APs can support hundreds of wireless connections, the practical limit is 20–25 connected clients. An average of 2–4 users per wireless AP is a good average to maximize the performance while still effectively utilizing the WLAN.
For higher-density situations, lower the signal strength of the wireless APs to reduce the coverage area, thereby allowing more wireless APs to fit in a specific space and more wireless bandwidth to be distributed to more wireless clients.
For maximum scalability, use the following best practices:
To ensure redundant coverage against the potential failure of a single wireless AP and to provide a seamless roaming experience within a building, design your coverage areas carefully. Microsoft based the company’s WLAN on a 20-meter diameter coverage area for this reason. The company carefully verified coverage and network connectivity for each wireless AP. Microsoft tested for decreased coverage-area size, overlapping coverage areas via channel configuration, and mitigating Bluetooth (BT) interference.
For large amounts of authentication traffic within an Active Directory forest, use RADIUS proxies running Windows .NET Server 2003 IAS between the wireless APs and the RADIUS servers. By default, an IAS RADIUS proxy balances the load of RADIUS traffic across all the members of a remote RADIUS server group on a per-authentication basis and uses failover and failback mechanisms. Members of a remote RADIUS server group can also be individually configured with priority and weight settings so that the IAS proxy favors specific RADIUS servers.
Roaming and Mobility
For the best wireless roaming experience, configure all of the wireless APs in each building to be on the same IP subnet. Doing so makes wireless roaming seamless within each building. When wireless clients associate with different wireless APs, the DHCP renewal process just renews the lease on the existing TCP/IP configuration. Inter-building roaming and the DHCP renewal process cause a change in the TCP/IP configuration, which might cause problems for applications that cannot gracefully handle a change in the TCP/IP configuration. In either case, because EAP-TLS and certificates are used for authentication, the user is never prompted to authenticate to the WLAN.
Microsoft chose EAP-TLS using registry-based user and computer certificates as the authentication method for wireless connectivity for the reasons you’ll learn about in the section “Wireless Security.” EAP-TLS addresses secure authentication and key management.
EAP-TLS also helps protect against snooping on Microsoft’s WLAN. EAP messages for 802.1X negotiation are sent as clear text. However, the use of EAP-TLS and public-key encryption prevents the eavesdropper from obtaining the information needed to masquerade as either the wireless client or the authenticating server. After EAP-TLS negotiation is complete, all traffic sent between an authenticated wireless client and its associated wireless AP is encrypted with the Wired Equivalent Privacy (WEP) session key, which is changed for each authentication.
Protection from rogue wireless APs on the Microsoft WLAN is also done through the use of EAP-TLS, which provides mutual authentication of the wireless AP and the authenticating RADIUS server. To masquerade as a Microsoft corporate wireless AP, the AP must have a security relationship with a Microsoft RADIUS server. If a wireless AP doesn’t have this security relationship and configuration, it cannot exchange RADIUS messages with the RADIUS server and, therefore, cannot authenticate 802.1X wireless clients. It’s possible for the rogue wireless AP to be configured as the RADIUS client of a rogue RADIUS server. However, by default, Microsoft wireless clients validate the certificate of the RADIUS server. Therefore, if the RADIUS server of the wireless AP cannot provide a valid certificate and proof of knowledge of its corresponding private key, the wireless client terminates the connection. See the next section, “Wireless Security,” for more information about securing your wireless network.
This section describes security challenges and their solutions, including the following:
Securing the data passing through the wireless network against eavesdropping
Securing the wireless network against intrusion by using strong authentication
While the Wi-Fi standard has experienced a rapid growth in the WLAN marketplace, the industry has raised a number of security concerns. The Wi-Fi standard defines authentication and encryption services based on the WEP algorithm. The WEP algorithm uses a 40-bit shared-secret key for authentication and encryption, and many Wi-Fi implementations also support 104-bit secret keys. However, the standard doesn’t define a key management protocol and presumes that the secret, shared keys are delivered to the client via a secure channel independent of Wi-Fi. The bottom line is that WEP doesn’t scale to typical enterprise wireless deployments because key management is almost impossible.
The lack of a WEP key management protocol is the primary limitation with securing Wi-Fi, especially in a wireless infrastructure network (a wireless network built using APs to connect to the wired network) with a large number of stations. Some examples of this type of network include corporate campuses and public places such as airports and malls. When manually configured shared keys are used, the keys tend to remain in place for long periods of time, enabling hackers more time to use various attacks to gain access to the network. The lack of authentication and encryption services also effects operation in a wireless, ad hoc network (peer-to-peer wireless network) where users may wish to exchange files or collaborate wirelessly. An example is peers sharing files in conference rooms. As a result, the enhanced importance of authentication and encryption in a wireless environment proves the need for access control and security mechanisms that include a key management protocol specified in Wi-Fi.
Additional issues (besides the lack of a key management protocol) with WEP have been raised, causing concern with the level of security provided. Those concerns include the following:
Key Reuse. The technique that WEP uses to allocate keys can result in successful attacks to determine the keys. These attacks require a large number of packets (5 to 6 million) to actually fully derive the WEP key, but on a large, busy network, this can occur in a short time—as quickly as 10 minutes. Some of the largest corporate networks will likely require much more time than this to gather enough packets. In WEP-protected wireless networks, all or some of the stations often use the same shared key, and the network becomes insecure if the WEP keys aren’t changed often, which furthers the need for a WEP key management protocol.
Injecting Malicious Packets. If attackers know the structure of an encrypted packet (known protocol header fields and so on), they can modify the packet by flipping bits to create a malicious packet—changing commands and addresses. The encrypted packet has an integrity check to ensure it hasn’t been tampered with, but because of the way this is implemented in WEP, the integrity check can be modified so that it’s valid for the new packet and accepted at the destination. If the attacker knows the location of the destination address in this packet, the address can be changed on an otherwise unknown packet. The new destination can be a machine controlled by the attacker. If the packet is sent on the wireless network, the AP will decrypt the packet and send it to the rogue destination.
Realtime Decryption. The weaknesses of the WEP algorithm can allow an attacker to decrypt all traffic in realtime.
Other Weaknesses. Other security weaknesses that exist with Wi-Fi include the following:
No user identification and authentication
No central authentication, authorization, and accounting support
No per-packet authentication mechanism to identify the packet source
Implementations that derive WEP keys from passwords, making passwords vulnerable
No support for extended authentication; for example: token cards; certificates and smart cards; one-time passwords; and biometrics
Key management issues, such as rekeying global keys, and no dynamic, per-station, or session-key management
All of these issues fall into three categories: user administration, key management, and security. Microsoft has worked closely with other companies within the IEEE standards groups to define a port-based network access control (802.1X) draft standard that addresses these issues. Microsoft also worked in the IEEE to define how 802.1X can be applied to Wi-Fi wireless networks. The sections that follow describe the 802.1X solutions to these issues. For more technical information about the solutions for wireless security, see Microsoft Leads in Securing Wireless Networks and Wireless 802.11 Security with Windows XP.
802.1X addresses the key management and security issues. The 802.1X standard defines port-based, network access control that provides authenticated network access for Ethernet networks. This network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was originally designed for wired Ethernet networks, IEEE has adapted it for use on Wi-Fi LANs.
To provide a standard authentication mechanism for 802.1X, IEEE chose EAP. EAP is based on a Point-to-Point Protocol (PPP) authentication mechanism but was adapted for use on point-to-point LAN segments. To adapt EAP messages to be sent over Ethernet or WLAN segments, the 802.1X standard defines EAP over LAN (EAPOL), a standard way to encapsulate EAP messages. For more detailed information about 802.1X, see Wireless Network Security with IEEE 802.1X.
EAP-TLS is an EAP type used in certificate-based security environments. If you’re using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS authentication process exchanges certificates installed on the access client and the authenticating server, providing mutual authentication, encryption, and secured-secret key exchange and determination. EAP-TLS provides a very strong authentication method.
Windows XP ships with support for 802.1X. All major NIC vendors also support 802.1X and most have released Windows drivers that support it. Likewise, all major enterprise AP vendors are supporting 802.1X. Contact your hardware vendor for more information on their support. To learn more about Microsoft Windows 2000, Windows Millennium Edition, Windows 98, and Windows NT® 4.0 Workstation support for 802.1X, see Microsoft 802.1X Authentication Client.
RADIUS is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. Originally developed for dial-up remote access, RADIUS is now supported by wireless APs, authenticating Ethernet switches, VPN servers, DSL access servers, and other network access servers.
IAS provided with the Windows 2000 Server and Microsoft Windows .NET Server 2003 families is the Microsoft implementation of a RADIUS server and, for the Windows .NET Server 2003 family, RADIUS proxy. IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, dial-up, and VPN-based remote access and router-to-router connections. IAS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment and can be used with the Windows 2000 Server or Windows .NET Server 2003 Routing and Remote Access service.
When an IAS server is a member of an Active Directory -based domain, IAS uses Active Directory as its user account database and is part of a single sign-on (SSO) solution. The same set of credentials is used for network access control (authenticating and authorizing access to a network), logging on to an Active Directory -based domain, and accessing resources. This integration greatly simplifies the planning, configuration, and deployment of user administration for a wireless network.
The following are great resources to starting learning more about using RADIUS servers:
For an in-depth discussion about RADIUS servers and best practices for deploying them, see the paper RADIUS Protocol Security and Best Practices.
To learn more about IAS as used for wireless deployment, see the article Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service.
To learn more about how Microsoft deployed IAS in its own infrastructure and the best practices that resulted, see the paper Microsoft Wireless LAN Deployment and Best Practices.
Active Directory is a directory service designed for distributed computing environments. It allows organizations to centrally manage and share information about network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require. For wireless access, Active Directory domains contain the user and computer accounts for authentication and the Group Policy settings to deploy computer certificates. To learn more about how Microsoft deployed Active Directory for use with wireless networking and the best practices that resulted, see the paper Microsoft Wireless LAN Deployment and Best Practices.
A certificate is a digitally signed statement using public-key cryptography technology that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. A certificate is issued by a certification authority (CA). Public-key cryptography uses public- and private-key pairs to encrypt or digitally sign messages. For more information about public-key cryptography and the Windows 2000 PKI, see the Windows 2000 Security Services Web page. To learn more about how Microsoft deployed certificates for use with wireless networking and the best practices that resulted, see the paper Microsoft Wireless LAN Deployment and Best Practices.
Windows XP Professional and Office XP provide extensive support for wireless networking and collaboration. Moving to Windows XP Professional and Office XP may be your first step in building a mobile solution, or it may be part of your ongoing strategy to build mobility into your business process. Either way, it’s technology that’s here today. It’s also technology that’s compatible with legacy systems, which means the Windows XP and Office XP business desktop is a stepping-stone from where you are to where you want to be with your wireless solution.
Upgrading enterprise-level network systems is a challenge, but as you have seen in this paper, capabilities built into Windows XP Professional greatly simplify the process of transitioning to a secure wireless network. Additional applications such as Systems Management Server (SMS) facilitate deployment and asset tracking. Features such as unattended installation and Wireless Zero Configuration make Windows XP Professional the choice for an unparalleled wireless network experience.
Empower and inspire your road warriors, corridor warriors, telecommuters, and data collectors to collaborate and work anywhere, anytime. Windows XP Professional and Office XP are powerful business tools that allow users to operate more productively through mobility and collaboration.
For More Information
Business Value of Microsoft Solutions
Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service
IEEE 802.1X Authentication for Wireless Connections
Microsoft 802.1X Authentication Client
Microsoft Leads in Securing Wireless Networks
Microsoft Wireless LAN Deployment and Best Practices
Microsoft's Wi-Fi Web Site
PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access
RADIUS Protocol Security and Best Practices
Windows 2000 Security Services
Windows XP Wireless Deployment Technology and Component Overview
Wireless 802.11 Security with Windows XP
Wireless Network Security with IEEE 802.1X
The Windows XP Wireless Zero Configuration Service
CDMA. The U.S. military first used Code Division Multiple Access (CDMA) technology during World War II. CDMA encodes radio signals by using a random sequence to define a channel and convert speech into digital signals. It reportedly is more reliable, saves battery life, and is more secure than other wireless transmission technologies. QUALCOMM provided the hardware for the military during WW II and is now applying for patents on the technology that was made public after the war.
GPRS. General Packet Radio Service (GPRS) offers high-speed Internet service over a Global System for Mobile Communication (GSM) network. This process sends packets in bursts so that the user experience is instant connectivity, faster data transmission, and faster response time for roaming users. It’s easy to set up and easy to install.
GSM. GSM was introduced in 1991 and came into service sometime in 1997. This packet technology provides high-speed wireless access over a GSM network for access by mobile devices and allows eight simultaneous calls per radio frequency. GSM is available in more than 100 countries, and the default service is available in Europe, Asia, and Australia. GSM is also available in the Americas at the 1900 MHz frequency.
IEEE 802.11. The IEEE 802.11 protocol is a standard in the wireless industry. It defines a physical layer and a sublayer that manages media access control (MAC). This protocol specifies two authentication methods. Open Systems authentication allows free access to the network, and Shared Key authentication provides security through a prearranged signature. For more information about Open System and Shared Key authentication, see 802.11 Authentication and Configuring Wireless Network Clients.
IEEE 802.11b (Wi-Fi). The IEEE 802.11b protocol enhances and standardizes the physical layer so that it can support higher bit rates, which allows wireless networking at higher speeds. This protocol supports bit rates of 5.5 Mbps and 11Mbps.
IEEE 802.1X. The 802.1X standard defines port-based, network access control used to provide authenticated network access for Ethernet (wired) and wireless networks. 802.1X support is included with Windows XP Professional. 802.1X support for Windows 2000, Windows Millennium Edition, Windows 98, and Windows NT 4.0 Workstation is available with Microsoft 802.1X Authentication Client.
IETF. Internet Engineering Task Force (IETF) is an open organization designed to promote communication among network developers, architects, designers, and basically anyone with an interest in promoting well-designed Internet applications and efficient development for Internet tools and applications.
ITU. International Telecommunication Union (ITU) is located in Geneva, Switzerland, and works with the United Nations to establish standards for global telecommunication networks and services. Its purpose is to act as a free international agent to work with governments to establish telephony and wireless standards worldwide.
TDMA. Time Division Multiple Access (TDMA) technology is used to transmit digital packets from a cell phone to a base station AP. TDMA works by breaking transmissions into smaller chunks and then stacking them into shorter time units so that more calls can be sent simultaneously. GSM is using TDMA to provide the eight calls per frequency as mentioned under “GSM” above.
Wi-Fi Alliance. The Wi-Fi Alliance is a nonprofit international association formed in 1999 to certify the interoperability of WLAN products based on the IEEE 802.11 specification. The goal of the Wi-Fi Alliance's members is to enhance the user experience through product interoperability. Microsoft's Wi-Fi site (Wi-Fi) contains links to a series of technical articles.
WLAN. Wireless local area networks (WLANs) provide wireless network access in a corporate environment. With roaming wireless connections, users can move from building to building and from room to room without disruption of service. Two types of WLANs are available: infrastructure and ad hoc networks. An infrastructure network connects individual PCs (known as stations) to a wired network via a wireless AP. Ad hoc networks allow individual users to form a temporary wireless network for sharing and collaborating without the need for a wireless AP.
WPAN. Wireless personal area networks (WPANs) are designed to provide an individual with wireless connectivity within a personal space. This space surrounds the user up to 10 meters (approximately 30 feet) and provides an ad hoc wireless connection. Typically used for cell phones, laptops, or PDAs, this ad hoc network uses either infrared technology to "squirt" data to another device within 1 meter (3 feet) or takes advantage of Bluetooth technology.
WWAN. Wireless wide area networks (WWANs) are designed to establish wireless connections over a large geographic area. Due to the size of the areas that a WWAN must transmit, WWAN technologies transfer data by using satellites or multiple antenna sites that wireless service providers maintain. Although wireless manufacturers and developers are working toward a wireless world standard, there isn't one today. GSM is widely predominant throughout the world; however, CDMA and its 1xRTT standard are also available.