tripledukes asked:

Wireless security quandary.

Hello, I have a request for help and advice on the implementation of a secure wireless LAN.  I work in IT at a high school with about 1100 students.  All students use relatively homogeneous laptops (575 IBM T-40s, 300 T-41s, 275 T-42s).

Before every school year we perform a mass reimage on these computers, so we have the opportunity to make any client side changes necessary with relative ease.  In order to allow the students to use their computers freely at home, while maintaining a virus/spyware free, controlled environment at school, we use a Windows XP/XP dual boot.  One boot (school OS) is XP where they have domain user accounts with restricted rights and the computers are joined to the domain.  Other boot is XP (Home OS) where they have full local admin rights but are not on the domain.

What I am looking for is a wireless solution whereby they will be able to securely access our WLAN from their school accounts only.  We have been using PEAP with good security (and exclusion of non-domain computer access results), but instability in IAS authentication + PEAP has forced us to consider a new solution.  The main result we are striving for in particular is a system that will allow ONLY computers that are joined to our Windows 2003 domain to have access to the wireless network.  I have only been doing IT for a few years, and our school relied completely on consultants to initially implement the current (broken) system.  We would like to do this implementation ourselves.  Obviously it's going to take lots of research, but I would appreciate any advice or a shove off in the right direction that anyone can offer.  Thanks for your time, guys and gals.
Rich Rumble

MAC address Access Control Lists and/or IPsec are probably the best method to achieve your goals. Here are some articles on what I'm talking about.
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1327_pp.htm
http://www.us-cert.gov/cas/tips/ST05-003.html
-rich
Sorry for the brevity of my first post. A MAC address ACL on your WAPs makes it so that only trusted WNICs can obtain DHCP addresses and access the WLAN. MAC addresses can be spoofed even on wireless NICs, so you may need to go further, and you did by saying "What I am looking for is a wireless solution whereby they will be able to securely access our WLAN from their school accounts only"
With Windows IPsec it's easy to add the IPsec rules to your users who properly authenticate to the domain; here are some tutorials: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
http://support.microsoft.com/?kbid=815485
http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
-rich
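As an added example (editor's note, not part of Rich's post): the piece of IPsec that does the "domain-joined only" work is the authentication method of the IKE rule. With `kerberos=yes`, each side of the IKE negotiation must present a Kerberos ticket for the other machine's account, and a machine that is not joined to the domain (the Home-OS boot in your dual-boot setup) has no machine account and cannot obtain one, so the negotiation fails and, with fallback to clear text disabled, the traffic is dropped. Note that on your laptops the Home OS and the school OS share the same wireless NIC and therefore the same MAC address, so a MAC ACL on the APs cannot tell the two boots apart; the IPsec rule can. The script below is for the school-OS image (run during reimaging, as a local policy that the Home-OS partition never sees; the same rules could equally be assigned through a GPO). The subnet 10.10.0.0/16, the domain controller 10.10.0.10 and the policy names are assumptions; the servers on the wired side must carry a matching "require ESP, Kerberos" policy for this to block anything.

```batch
@echo off
rem Added example, not from the thread. Local IPsec policy for the school-OS
rem image on Windows XP SP2 (netsh ipsec static is also on Server 2003).
rem Run as a local Administrator. Addresses and names are assumptions.

set POLICY=WLAN-DomainOnly
set SCHOOLNET=10.10.0.0
set SCHOOLMASK=255.255.0.0
set DC=10.10.0.10

rem 1. Policy container. Created unassigned; assigned as the last step so a
rem    half-built policy never goes live.
netsh ipsec static add policy name="%POLICY%" ^
    description="Require Kerberos-authenticated ESP toward the school network"

rem 2. Filter lists. "Me" is the local host; mirrored=yes covers both directions.
netsh ipsec static add filterlist name="SchoolNet-All"
netsh ipsec static add filter filterlist="SchoolNet-All" ^
    srcaddr=Me dstaddr=%SCHOOLNET% dstmask=%SCHOOLMASK% protocol=ANY mirrored=yes

rem The DC must be reachable in the clear so the client can fetch the Kerberos
rem ticket that IKE itself needs (chicken-and-egg otherwise). A single-host
rem filter is more specific than the subnet filter, so this rule wins for the DC.
netsh ipsec static add filterlist name="DC-Bootstrap"
netsh ipsec static add filter filterlist="DC-Bootstrap" ^
    srcaddr=Me dstaddr=%DC% protocol=ANY mirrored=yes

rem 3. Filter actions. soft=no: never fall back to clear text when the peer
rem    does not answer IKE. inpass=no: do not accept unsecured inbound packets.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add filteraction name="Permit-Clear" action=permit

rem 4. Rules. kerberos=yes is the part that ties access to domain membership:
rem    a host without a machine account cannot complete IKE main mode.
netsh ipsec static add rule name="SchoolNet-RequireESP" policy="%POLICY%" ^
    filterlist="SchoolNet-All" filteraction="Require-ESP" kerberos=yes
netsh ipsec static add rule name="DC-Clear" policy="%POLICY%" ^
    filterlist="DC-Bootstrap" filteraction="Permit-Clear"

rem 5. Assign the policy (only one local policy can be active at a time).
netsh ipsec static set policy name="%POLICY%" assign=yes

rem 6. Checks: the policy as stored, then the main-mode SAs once traffic to a
rem    school server has flowed; each SA should show Kerberos as the auth method.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show mmsas
```

Two caveats worth keeping in mind. First, this is an IP-layer control: an untrusted laptop can still associate to the access points and pull a DHCP lease, it just cannot talk to anything that requires ESP, so it complements rather than replaces the 802.1X/PEAP gate you had. Second, `netsh ipsec static set policy ... assign=yes` replaces whatever local policy was active, and if a domain GPO later assigns an IPsec policy that one takes precedence over the local one.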
tripledukes (asker):
Rich, I appreciate your help so far, and have been doing some other research as well.  So far, it has been generating more questions for me than giving answers, but that is to be expected I suppose.  I will certainly consider IPsec, but I am not sure I have seen what part of this protocol would allow domain-joined operating systems to authenticate but not others.  Would it be possible to give me a bit more info in this direction?  I read through the links you provided and may have overlooked this info.  The last one is not what I thought I was looking for, but looks like it will be the perfect resource for setting up our test environments.  It deals specifically with PEAP and EAP-TLS, though.  Without a thorough understanding of authentication and certificates, I believe what I need is a system that authenticates based on computer credentials only, or that uses the current user's logged-in credentials but won't accept manual CHAP submissions.  Can the server make these distinctions?  Thanks so much for your help and advice on this.  I would like to give you points for this, but I wanted to make sure that wouldn't terminate the discussion by doing so.  Can we continue a dialogue even after your answer is accepted?  Thanks for tolerating a newb - I hope to be able to make contributions of my own before long.

Thanks,
Mike
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
tripledukes (asker):

Thanks, your info is clear and direct, much appreciated!