Windows 7 / Networking

Planning and Design Considerations

When deploying a protected 802.11 wireless network solution, you need to consider the following planning and design issues:

  • Wireless security technologies
  • Wireless authentication modes
  • Intranet infrastructure
  • Wireless AP placement
  • Authentication infrastructure
  • Wireless clients
  • PKI
  • 802.1X Enforcement with NAP

Wireless Security Technologies

Wireless security technologies are a combination of a wireless security standard (WPA2 or WPA) and an EAP authentication method. To authenticate the computer or the user that is attempting to make a protected wireless connection, Windows Vista and Windows Server 2008 support the following EAP authentication methods:

  • EAP-TLS
  • Protected EAP (PEAP)-TLS
  • PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)

EAP-TLS and PEAP-TLS are used in conjunction with a PKI and computer certificates, user certificates, or smart cards. With EAP-TLS, the wireless client sends its computer certificate, user certificate, or smart card certificate for authentication, and the RADIUS server sends its computer certificate for authentication. By default, the wireless client validates the RADIUS server's certificate. With PEAP-TLS, the wireless client and RADIUS server create an encrypted TLS session, and then the wireless client and RADIUS server exchange certificates. PEAP-TLS is the strongest authentication method because the certificate exchange between the wireless client and the RADIUS server is encrypted.

In the absence of computer certificates, user certificates, or smart cards, use PEAP-MS-CHAP v2. PEAP-MS-CHAP v2 is a password-based authentication method in which the exchange of authentication messages is protected with an encrypted TLS session, making it much more difficult for a malicious user to determine the password from a captured authentication exchange with an offline dictionary attack.

Even with the encrypted TLS session, however, PEAP-MS-CHAP v2 is still only as strong as the user's password. Both EAP-TLS and PEAP-TLS are much stronger than PEAP-MS-CHAP v2 because they do not rely on passwords.

Design Choices for Wireless Security Technologies

Microsoft recommends that you use one of the following combinations of wireless security technologies (in order of most to least secure):

  • WPA2 with AES encryption, PEAP-TLS or EAP-TLS authentication, and both user and computer certificates
  • WPA2 with AES encryption, PEAP-MS-CHAP v2 authentication, and a requirement for users to set strong user passwords
  • WPA with EAP-TLS or PEAP-TLS authentication and both user and computer certificates
  • WPA with PEAP-MS-CHAP v2 authentication and a requirement for users to set strong user passwords

Requirements for Wireless Security Technologies

The requirements for wireless security technologies are the following:

  • For a protected wireless network, you must use either WPA or WPA2. If you use WEP, even dynamic WEP, your wireless network will not be secure. Dynamic WEP should not be used except temporarily when transitioning to a WPA2 or WPA-based security configuration.
  • EAP-TLS or PEAP-TLS requires the installation of a computer certificate on the RADIUS server and a computer certificate, user certificate, or smart card on all wireless client computers. To validate the RADIUS servers' computer certificates, the root CA certificate of the issuing CA of the RADIUS server computer certificates must be installed on all wireless client computers. To validate the wireless clients' computer or user certificates, the root CA certificate of the issuing CA of the wireless client certificates must be installed on each of the RADIUS servers.
  • PEAP-MS-CHAP v2 requires the installation of computer certificates on each of the RADIUS servers. It also requires that the root CA certificates of the RADIUS server computer certificates be installed on each of the wireless client computers.
  • For WPA2, some wireless equipment might have to be replaced. Older wireless equipment that supports only 802.11 can typically be upgraded to support WPA but not WPA2.
  • If you are planning to eventually deploy the 802.1X Enforcement method of NAP, you should use a PEAP-based authentication method such as PEAP-MS-CHAP v2 or PEAP-TLS.
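As an added example (not the page's or Microsoft's own code), the following Python audit grades one exported Windows wireless profile against the ranked combinations listed under Design Choices and flags the WEP and server-validation requirements above. The profile XML is a constructed sample in the shape of a `netsh wlan export profile` file; its element names are assumptions about that format, and the EAP type numbers (13 = EAP-TLS, 25 = PEAP, 26 = MS-CHAP v2) are the IANA-assigned values.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a `netsh wlan export profile` XML file, reduced to
# the elements this audit reads (the element names are assumptions, not from the page).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <MSM><security><authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type>25</Type></EapMethod>
        <Config><Eap><Type>25</Type><EapType><Eap><Type>26</Type></Eap>
          <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
        </EapType></Eap></Config>
      </EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

# The page's recommended combinations, most to least secure. The EAP chain is
# (outer type, inner type): 13 = EAP-TLS, 25 = PEAP, 26 = MS-CHAP v2.
RANKING = [
    ("WPA2", "AES", {("13",), ("25", "13")}, "WPA2/AES + EAP-TLS or PEAP-TLS"),
    ("WPA2", "AES", {("25", "26")}, "WPA2/AES + PEAP-MS-CHAP v2"),
    ("WPA", None, {("13",), ("25", "13")}, "WPA + EAP-TLS or PEAP-TLS"),
    ("WPA", None, {("25", "26")}, "WPA + PEAP-MS-CHAP v2"),
]

def _local(tag):  # drop the XML namespace so lookups work across schema versions
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return (rank or None, label, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    def first(name):
        return next((e.text for e in root.iter() if _local(e.tag) == name), None)
    auth, enc = first("authentication"), first("encryption")
    config = next((e for e in root.iter() if _local(e.tag) == "Config"), None)
    chain = tuple(t.text for t in config.iter() if _local(t.tag) == "Type") if config is not None else ()
    findings = []
    if auth not in ("WPA", "WPA2"):  # open, shared, WPAPSK, WPA2PSK: no 802.1X EAP authentication
        findings.append("not WPA or WPA2 with 802.1X authentication")
    if enc == "WEP":
        findings.append("WEP encryption (even dynamic WEP) is not secure")
    if first("PerformServerValidation") == "false":
        findings.append("RADIUS server certificate validation is disabled")
    for rank, (a, e, chains, label) in enumerate(RANKING, 1):
        if auth == a and (e is None or enc == e) and chain in chains:
            return rank, label, findings
    return None, "not a recommended combination", findings
```

Run it over each file produced by `netsh wlan export profile` on a client to see which of the four recommended combinations a profile matches, or why it matches none.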

Uses for Wireless Security Technologies

The best practices for wireless security technologies are the following:

  • Do not use SSID suppression. The SSID (also known as the wireless network name) is by default included in the Beacon frames sent by wireless APs. Configuring your wireless APs to suppress the advertising of the SSID information element in Beacon frames does prevent the casual wireless client from discovering your wireless network. However, SSID suppression does not prevent a more sophisticated hacker from capturing other types of wireless management frames sent by your wireless AP and determining your SSID. Wireless networks with SSID suppression enabled are known as non-broadcast or hidden networks.
    Besides being a weak form of wireless network name privacy, non-broadcast wireless networks also create problems for authorized wireless clients that want to automatically connect to the non-broadcast wireless network. For example, because the wireless network name is not being advertised, the wireless client must send Probe-Request messages containing the wireless network name in an attempt to locate a wireless AP for the wireless network. These messages advertise the name of the wireless network, reducing the privacy of the wireless configuration of the wireless client.
  • Do not use media access control (MAC) address filtering. MAC address filtering allows you to configure your wireless APs with the set of MAC addresses for allowed wireless clients. MAC address filtering adds administrative overhead in order to keep the list of allowed MAC addresses current and does not prevent a hacker from spoofing an allowed MAC address.
  • If you must use PEAP-MS-CHAP v2, require the use of strong passwords on your network. Strong passwords are long (longer than 8 characters) and contain a mixture of uppercase and lowercase letters, numbers, and punctuation. In an Active Directory domain, use the Group Policy settings in Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy to enforce strong user password requirements.