How to deploy 802.1X in Windows XP

Source: Internet
Author: User

The 802.11 WLAN protocol is not very secure, and by itself it offers little you can do about that. Fortunately, IEEE, Microsoft, Cisco, and other industry-leading companies recognized the defects of 802.11. The result is the IEEE 802.1x standard, which gives WLANs (and ordinary LANs) much more robust authentication and security mechanisms. You can deploy 802.1x with a combination of Windows 2000 or Windows Server 2003 domain controllers and Windows XP clients.

How 802.1x works

802.1x implements port-based access control. In a WLAN, the port is the connection between the access point (AP) and the workstation. 802.1x defines two types of port: uncontrolled and controlled. The uncontrolled port only lets a connected device exchange authentication traffic with the authentication server, while the controlled port lets the device communicate with any other network device. You can probably see what comes next: 802.1x lets every client connect to the uncontrolled port, but that port carries nothing except traffic to the authentication server. The controlled port becomes usable only after the client passes authentication. The trick behind 802.1x is that the uncontrolled and controlled ports are logical entities that coexist on the same physical network port.

For authentication, 802.1x further defines two roles for network devices: the supplicant and the authenticator. The supplicant is the device requesting access to network resources, such as a laptop equipped with an 802.11b NIC. The authenticator is the device that authenticates the supplicant and decides whether to grant it access. A wireless AP can act as the authenticator itself, but it is more flexible to use the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol, which is included in Windows 2000. With RADIUS, the AP receives authentication requests and forwards them to the RADIUS server, which authenticates users against Active Directory.

802.1x does not use Wired Equivalent Privacy (WEP) for authentication. It uses the industry-standard Extensible Authentication Protocol (EAP) or its updated version, Protected EAP (PEAP). Either way, EAP and PEAP share a distinctive advantage: they let you choose the authentication method. By default, 802.1x uses EAP-TLS (EAP-Transport Layer Security), in which all EAP-protected traffic is encrypted by the TLS protocol, which is very similar to SSL. The complete authentication process runs as follows:

1. The wireless workstation tries to connect to the AP through the uncontrolled port. Because the workstation has not yet been authenticated, it cannot use the controlled port. The AP sends a plaintext challenge to the workstation.

2. In response, the workstation supplies its identity.

3. The AP forwards the workstation's identity information to the authenticator (the RADIUS server) using RADIUS over the wired LAN.

4. The RADIUS server looks up the specified account and determines which credential is required. For example, you might configure your RADIUS server to accept only digital certificates. This requirement is turned into a credential request and returned to the workstation.

5. The workstation sends its credentials through the uncontrolled port on the AP.

6. The RADIUS server verifies the credentials. If verification succeeds, it sends an authentication key to the AP. This key is encrypted, so only the AP can decrypt it.

7. The AP decrypts the key and uses it to create a new key for the workstation. This new key is sent to the workstation and is used to encrypt the workstation's master global authentication key.

Periodically, the AP generates a new master global authentication key and sends it to the client. This effectively solves the problem of long-lived fixed keys in 802.11, which attackers can easily recover by brute force.
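To make the seven steps above concrete, here is an added example (not code from the original article) that models the exchange offline: the AP's uncontrolled and controlled logical ports, the AP relaying the supplicant's credential to a RADIUS server, the RADIUS server returning the authentication key encrypted for the AP using the MS-MPPE key wrapping from RFC 2548 (the scheme a Windows IAS server uses to deliver keys to an AP), and the AP verifying the RADIUS Response Authenticator from RFC 2865 before it trusts the answer. The directory, account names, credential values and shared secret are constructed toy values, and the RADIUS packet is reduced to the fields the authenticator needs.

```python
"""Toy model of the 802.1x / RADIUS exchange (constructed example)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes (RFC 2865)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The AP recomputes this so that only a server holding the shared secret
    can produce an Access-Accept the AP will act on."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def mppe_wrap(secret, req_auth, key, salt):
    """RFC 2548 2.4.2: b1 = MD5(S+R+A), c1 = p1 ^ b1, bi = MD5(S + c(i-1))."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to 16-byte blocks
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        out += block
        prev = block
    return salt + out


def mppe_unwrap(secret, req_auth, blob):
    """Inverse of mppe_wrap; only a holder of the shared secret recovers the key."""
    salt, data = blob[:2], blob[2:]
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 16], pad))
        prev = data[i:i + 16]
    return out[1:1 + out[0]]


class RadiusServer:
    """Stands in for Windows IAS: checks the account against a directory
    (a dict standing in for Active Directory) and answers Accept or Reject.
    On success the session key is delivered wrapped for the AP (step 6)."""
    def __init__(self, secret, directory):
        self.secret, self.directory = secret, directory

    def access_request(self, ident, req_auth, user, credential):
        if not hmac.compare_digest(self.directory.get(user, b""), credential):
            return ACCESS_REJECT, b"", response_authenticator(
                ACCESS_REJECT, ident, req_auth, b"", self.secret)
        key = os.urandom(32)
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # MSB set per RFC
        attrs = mppe_wrap(self.secret, req_auth, key, salt)
        return ACCESS_ACCEPT, attrs, response_authenticator(
            ACCESS_ACCEPT, ident, req_auth, attrs, self.secret)


class AccessPoint:
    """The authenticator. Each station has two logical ports on one physical
    association: the uncontrolled port passes only EAP, the controlled port
    passes everything but stays closed until authentication succeeds."""
    def __init__(self, secret, radius):
        self.secret, self.radius = secret, radius
        self.authorized = {}      # station -> per-station key (controlled port open)
        self.ident = 0

    def handle(self, station, kind, payload=None):
        if kind == "data":        # ordinary traffic belongs to the controlled port
            return "forwarded" if station in self.authorized else "dropped"
        if kind != "eap":
            return "dropped"
        user, credential = payload   # uncontrolled port: relay credential to RADIUS
        self.ident = (self.ident + 1) % 256
        req_auth = os.urandom(16)
        code, attrs, resp_auth = self.radius.access_request(
            self.ident, req_auth, user, credential)
        expected = response_authenticator(code, self.ident, req_auth, attrs, self.secret)
        if not hmac.compare_digest(expected, resp_auth) or code != ACCESS_ACCEPT:
            return "rejected"     # forged/tampered reply, or a genuine Reject
        master = mppe_unwrap(self.secret, req_auth, attrs)
        # step 7: derive the per-station key from the delivered key, open the port
        self.authorized[station] = hmac.new(master, station.encode(), "sha256").digest()
        return "authorized"


def demo(user, credential):
    """Run the exchange for one station; returns the three port decisions."""
    directory = {"alice": b"cert-thumbprint-A"}           # constructed account
    secret = b"ap-radius-secret"                           # constructed shared secret
    ap = AccessPoint(secret, RadiusServer(secret, directory))
    before = ap.handle("sta1", "data")                     # blocked: not yet authenticated
    result = ap.handle("sta1", "eap", (user, credential))
    after = ap.handle("sta1", "data")
    return before, result, after


if __name__ == "__main__":
    print(demo("alice", b"cert-thumbprint-A"))   # ('dropped', 'authorized', 'forwarded')
    print(demo("alice", b"wrong-credential"))    # ('dropped', 'rejected', 'dropped')
```

The two checks worth noticing are the ones the article's steps leave implicit: the AP refuses any data frame until RADIUS has said Access-Accept, and it recomputes the Response Authenticator before opening the controlled port, so an AP whose shared secret does not match the server's (or a reply injected on the wired side) never authorizes a station.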

Configure 802.1x on the client

Configuring the 802.1x client in Windows XP is very easy. Here are the basic steps.

1. Open the Network Connections folder, right-click the connection on which you want to use 802.1x, and choose Properties.

2. Switch to the Wireless Networks tab, select the WLAN on which you want to use 802.1x, and click Configure.

3. In the wireless network properties dialog box, switch to the Authentication tab.

4. Make sure that the "Enable IEEE 802.1x authentication for this network" check box is selected, and select the appropriate EAP type. Typically, enterprise networks use EAP-TLS with a smart card or a locally stored certificate; small networks can use PEAP (available only after you install Windows XP Service Pack 1).

Deploy 802.1x for a small network

If you have a small network, you may think 802.1x is too esoteric for you. The good news is that you can deploy 802.1x even without a complete Public Key Infrastructure. This section describes the steps you need to complete. Simply put, you set up your Windows XP SP1 or later clients to use PEAP, and then set up at least one computer running Windows Internet Authentication Service (IAS), which provides the RADIUS functionality. Each IAS server needs a digital certificate, either signed by you or purchased from a third-party CA. That is all there is to it; of course, you still need to install IAS first, but that process is very simple.

Deploy 802.1x for large enterprises

If you run a Windows 2000 network with at least one domain controller, you can set up a more flexible and powerful 802.1x infrastructure that takes full advantage of Active Directory and Windows 2000 support for remote access policies. First, obtain digital certificates for your clients. Fortunately, this is easy: create a group policy that automatically requests machine certificates for the computers in the domain. After that, deploy the rest of the required infrastructure, including IAS, and configure your wireless APs to communicate with the IAS server over RADIUS. Then you can rest assured that your WLAN traffic is properly protected.
