Wireless security quandary.

Hello, I have a request for help and advice on the implementation of a secure wireless LAN.  I work in IT at a high school with about 1100 students.  All students use relatively homogenous laptops (575 IBM T-40’s, 300 T-41, 275 T-42).

Before every school year we perform a mass reimage on these computers, so we have the opportunity to make any client-side changes necessary with relative ease.  In order to allow the students to use their computers freely at home, while maintaining a virus/spyware-free, controlled environment at school, we use a Windows XP/XP dual boot.  One boot (school OS) is XP where they have domain user accounts with restricted rights and the computers are joined to the domain.  The other boot is XP (home OS) where they have full local admin rights but are not on the domain.

What I am looking for is a wireless solution whereby they will be able to securely access our WLAN from their school accounts only.  We have been using PEAP with good security (and exclusion of non-domain computer access results), but instability in IAS authentication + PEAP has forced us to consider a new solution.  The main result we are striving for in particular is a system that will allow ONLY computers that are joined to our Windows 2003 domain to have access to the wireless network.  I have only been doing IT for a few years and our school relied completely on consultants to initially implement the current (broken) system.  We would like to do this implementation ourselves.  Obviously it's going to take lots of research, but I would appreciate any advice or a shove off in the right direction that anyone can offer.  Thanks for your time guys and gals.

Rich Rumble (Security Samurai) commented:
I typically do continue, others do also.
Each machine has a unique SID (system ID). When that machine is joined to the domain, the SID is used (same with user names: it's really not the user name that is used, it's the UID. The IDs are just easy ways for us humans to type/use; I can't remember that my UID is S-1-5-21-191058668-193157475-1542849698-1000, User one).

During installation of Windows, a machine SID is computed to contain a statistically unique 96-bit number. The machine SID is the prefix of the user account and group account SIDs created on the computer. The machine SID is concatenated with the Relative ID (RID) of the account to create the account's unique identifier. (The RID of the administrator account is always 500.) http://support.microsoft.com/default.aspx?scid=kb;en-us;163846

Even with a dual-boot system, and if the machine names were the same, as long as the system SIDs are unique, then only the XP boot that is joined to the domain will be able to get domain access. You'd want a firewall, or a VPN solution, to allow only users joined to the domain to be able to access the LAN.

If I booted my laptop to the "home" version while at your school, the (wireless) MAC address on the laptop remains the same no matter which boot I use, so I could definitely get an IP address, as DHCP requests are broadcast, and the MAC address is allowed. However, if I was not in possession of the proper certificate, which IPsec relies on to be present for authentication, I will not be able to authenticate to the LAN, as the only ports you'll have open (if this is the solution you go with) are ports 88 and 500. Protocol 46 (not port 46) will also be open. With a VPN solution, basically all ports are closed until you get authorized through a tunnel; that tunnel gives you access to the inside, where you're free to roam about.
http://support.microsoft.com/kb/811832/  (these are FYI, I don't recommend using IPSEC firewalling (a secondary feature in M$ IPsec) as the firewall)
http://support.microsoft.com/kb/810207/EN-US/ (again, IPSEC "firewalling" isn't something to concern yourself about)

Even before IPsec has been established, users are able to get the AD policies and authenticate to the domain (as port 88 traffic is allowed to pass through M$ IPsec without the need for encryption). Again, the certificates should be copied to the machines, as part of the image in your case, and you can test, test, test in your lab. Again, try to break in, try to misuse the wireless test lab, find a hole and plug it ;) Easier said than done, to be sure.

With regard to RADIUS, it is easier to set up. (Sorry, more reading.)
http://www.wi-fiplanet.com/tutorials/article.php/3114511 (part1)
http://www.wi-fiplanet.com/tutorials/article.php/3287481 (part2)
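The SID structure Rich describes above (a machine or domain prefix with the account's RID appended, administrator always RID 500) is easy to check programmatically. The following is an added example, not code from the original thread or from Microsoft; it parses the S-1-5-21-... text form, splits the issuer prefix from the RID, and compares whether two account SIDs were issued by the same installation. The two sample SIDs are constructed for illustration: the first reuses the prefix quoted in the post, the second stands in for a separately installed (non-domain) image on the same laptop.

```python
import re
from dataclasses import dataclass

# Text form of a SID: S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# A few well-known RIDs under the NT authority (5) / 21 (account domain) prefix.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple  # includes the trailing RID

    def __str__(self):
        tail = "".join(f"-{s}" for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}{tail}"

    @property
    def rid(self):
        """Relative ID: the last subauthority, appended by the issuing machine/domain."""
        return self.subauthorities[-1]

    @property
    def prefix(self):
        """Issuer (machine or domain) SID: everything except the RID."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1])


def parse_sid(text):
    """Parse the string form of a SID and validate its basic shape."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must carry between 1 and 15 subauthorities")
    return Sid(revision, authority, subs)


def is_account_domain_sid(sid):
    """True for account SIDs of the S-1-5-21-X-Y-Z-RID shape (local machine or AD domain)."""
    return (sid.authority == 5 and sid.subauthorities[0] == 21
            and len(sid.subauthorities) == 5)


def same_issuer(a, b):
    """True when both account SIDs carry the same machine/domain prefix."""
    return is_account_domain_sid(a) and is_account_domain_sid(b) and a.prefix == b.prefix


def well_known_rid_name(sid):
    """Name of the RID if it is one of the well-known account RIDs, else None."""
    return WELL_KNOWN_RIDS.get(sid.rid)


# Constructed sample: the prefix quoted in the post, plus a second, unrelated
# prefix standing in for the separately installed "home" image on the same laptop.
SCHOOL_USER = "S-1-5-21-191058668-193157475-1542849698-1000"
HOME_ADMIN = "S-1-5-21-4000000001-3000000002-2000000003-500"

if __name__ == "__main__":
    a, b = parse_sid(SCHOOL_USER), parse_sid(HOME_ADMIN)
    print("school account issuer:", a.prefix, "RID", a.rid)
    print("home account issuer:  ", b.prefix, "RID", b.rid, well_known_rid_name(b))
    print("issued by the same installation?", same_issuer(a, b))
```

Because the two installs compute different machine SIDs at setup time, `same_issuer` reports False for the two accounts even though they live on the same hardware and share a MAC address; that is the property the domain (and any certificate issued to the domain-joined computer) keys on, rather than the adapter's address.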
Rich Rumble (Security Samurai) commented:
MAC address Access Control Lists and/or IPsec is probably the best method to achieve your goals. Here is an article on what I'm talking about.
Rich Rumble (Security Samurai) commented:
Sorry for the brevity of my first post. A MAC address ACL on your WAPs makes it so that only trusted WNICs can obtain DHCP addresses and access the WLAN. MAC addresses can be spoofed even on wireless NICs, so you may need to go further, and you did by saying "What I am looking for is a wireless solution whereby they will be able to securely access our WLAN from their school accounts only."
With Windows IPsec it's easy to add the IPsec rules to your users who properly authenticate to the domain; here are some tutorials: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsecpolassign.mspx
tripledukes (Author) commented:
Rich, I appreciate your help so far, and have been doing some other research as well.  So far, it has been generating more questions for me than giving answers, but that is to be expected I suppose.  I will certainly consider IPsec, but I am not sure I have seen what part of this protocol would allow domain-joined operating systems to authenticate but not others.  Would it be possible to give me a bit more info in this direction?  I read through the links you provided and may have overlooked this info.  The last one is not what I thought I was looking for, but looks like it will be the perfect resource for setting up our test environments.  It deals specifically with PEAP and EAP-TLS, though.  Without a thorough understanding of authentication and certificates, I believe what I need is a system that authenticates based on computer credentials only, or that uses the current user's logged-in credentials but won't accept manual CHAPS submissions.  Can the server make these distinctions?  Thanks so much for your help and advice on this. I would like to give you points for this, but I wanted to make sure that wouldn't terminate the discussion by doing so.  Can we continue a dialogue even after your answer is accepted?  Thanks for tolerating a newb - I hope to be able to make contributions of my own before long.

tripledukes (Author) commented:
Thanks, your info is clear and direct, much appreciated!