Wireless LAN 2300 Engineering

Wireless EAP-TLS Machine Authentication for WLAN Technical Configuration Guide

Avaya Data Solutions Document Date: July 2010 Document Number: NN48500-548 Document Version: 1.1

avaya.com

© 2010 Avaya Inc. All Rights Reserved.

Notices While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes. Documentation disclaimer Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agree to indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User. Link disclaimer Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages. Warranty Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya. 
Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA"). Copyright Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law. 
Third Party Components Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright. Trademarks The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners. Downloading documents For the most current versions of documentation, see the Avaya Support. Web site: http://www.avaya.com/support. Contact Avaya Support Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.

Wireless PEAP Machine Authentication for WLAN Technical Configuration Guide July 2010 2 avaya.com

Table of Contents

Document Updates ...... 4
Conventions ...... 4
1. Overview ...... 5
1.1 What is Computer Authentication ...... 5
1.2 Windows XP Boot Process ...... 6
1.3 Pre-Requisites ...... 7
1.4 Topology ...... 7
2. Internet Authentication Service ...... 8
2.1 Add Radius Clients ...... 8
2.2 Create a Remote Access Policy ...... 10
3. Wireless LAN Security Switch 2300 ...... 16
3.1 Create a WPA Service-Profile ...... 16
3.2 Create a WPA2 Service-Profile ...... 17
3.3 Create a RADIUS Server and Group ...... 18
3.4 Create a 802.1X Access Rule ...... 19
3.1 Bonded Authentication ...... 19
4. Windows XP Workstation ...... 21
4.1 Certificates ...... 21
4.2 Modify Local Area Connection Properties ...... 24
4.3 Modify Registry Settings ...... 29
5. Verification ...... 30
5.1 Windows System Event Logs ...... 30
5.2 Wireless LAN Security Switch ...... 32
6. Appendix ...... 33
6.1 EAP Users Active Directory Group ...... 33
6.2 Active Directory Remote Access Permissions ...... 34
6.3 Windows XP Registry Settings ...... 35
6.4 Wireless Zero Configuration Service ...... 36
6.5 Wireless LAN Security Switch ...... 38
6.6 Windows 2003 Server Details ...... 39
6.7 Windows XP Workstation Details ...... 39
7. Reference Documentation ...... 41
8. Customer service ...... 42
8.1 Getting technical documentation ...... 42
8.2 Getting product training ...... 42
8.3 Getting help from a distributor or reseller ...... 42
8.4 Getting technical support from the Avaya Web site ...... 42

Document Updates

July 30, 2010.

Conventions

This section describes the text, image, and command conventions used in this document.

Symbols:

Tip – Highlights a configuration or technical tip.

Note – Highlights important information to the reader.

Caution – Highlights important information about an action that may result in equipment damage, configuration or data loss.

Text:

Bold text indicates emphasis.

Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command: ERS5520-48T# show running-config

Output examples from Avaya devices are displayed in a Lucida Console font: ERS5520-48T# show running-config

! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-24T-PWR
! Software version = v5.0.0.011
enable
configure terminal


1. Overview

This document provides an overview of how to configure Wireless PEAP computer and user authentication on the Avaya Wireless LAN 2300 in a Microsoft environment. It demonstrates configuring the Microsoft Internet Authentication Service on a Windows 2003 server, the Microsoft Windows XP 802.1X supplicant and the Avaya Wireless LAN Security Switch 2300. Installing Certificate Services and managing Active Directory are outside the scope of this document and are not addressed.

1.1 What is Computer Authentication

User authentication is a natural choice when considering identification to wired or wireless infrastructure. However, in most cases enterprises will also want to implement computer (or machine) authentication to ensure a complete solution. A number of Windows features only work correctly with an active network connection. Leveraging 802.1X computer authentication ensures that this network connection is established during the Windows boot sequence, before end users see the initial Windows logon screen. The following table lists some of the common Windows features that require such a connection:

Feature | Scenario Requiring Computer Authentication
Active Directory computer Group Policies | Computer-based Group Policy is applied during computer start up and at timed intervals, even when no one is logged in to Windows.
Network logon scripts | Network logon scripts are run during initial user logon.
Systems management agents | Systems management application agents, such as those that come with Microsoft Systems Management Server (SMS), frequently need network access without user intervention.
Remote Desktop Connection | Computers are accessible from Windows Remote Desktop Connection when no one is logged on to Windows.
Shared folders | Files and folders shared from a computer are still available, even when no user is logged on to Windows.

Table 1.1 – Scenarios Requiring Machine Authentication


1.2 Windows XP Boot Process

Unlike 802.1X user authentication, which occurs after the end user has logged into Windows, computer authentication occurs during the boot process before the end user is presented with the Windows Logon screen:

1. When machine authentication is enabled, the computer authenticates to the Wireless LAN 2300 system using its machine credentials as soon as the wireless link becomes active. If computer authentication is successful the computer is placed in the appropriate VLAN, which may be statically assigned by the service profile or provided dynamically from the authentication server.
2. When a user logs onto the computer, the user authentication supersedes the computer authentication. The Wireless LAN 2300 system assigns the user to the appropriate VLAN, which may be statically assigned by the service profile or provided dynamically from the authentication server.
3. When a user logs off the computer, computer authentication re-occurs and the Wireless LAN assigns the computer to the appropriate VLAN, which may be statically assigned or provided dynamically from the authentication server.

Figure 1.2.1 – Wireless Machine Authentication Process


1.3 Pre-Requisites

This document makes the following assumptions in regards to the Windows 2003 server, Windows XP workstation and Wireless LAN Security Switch 2300:

1. A Windows 2003 Advanced or Enterprise Server is installed with the following:
   a. Latest service pack and updates installed.
   b. Configured as an Active Directory Domain Controller:
      i. One or more Active Directory User accounts have been created.
      ii. A unique Group such as Wireless EAP Users has been created, and the User and Computer accounts that will be performing EAP authentication have been added as members of the Group (see Appendix 6.1).
      iii. The Remote Access Permission for each of the User and Computer accounts performing EAP authentication is set to Allowed Access (see Appendix 6.2).
   c. Certificate Services is installed as an Enterprise Root CA.
   d. Internet Authentication Service is installed.
   e. IP communication with the Wireless LAN Security Switch.
2. Windows XP Workstation with the following:
   a. Latest service pack and updates installed.
   b. Is a member of the Windows Domain.
   c. The Microsoft Wireless Zero Configuration service is running (see Appendix 6.4).
3. Wireless LAN Switch with the following:
   a. The default VLAN is used with a management IP address assigned (see Appendix 6.5).
   b. The default radio profile is used with one or more radios assigned (see Appendix 6.5).

1.4 Topology

Figure 1.4.1 – Topology


2. Internet Authentication Service

For the Microsoft Internet Authentication Service (IAS) to be able to authenticate PEAP computers and users connected to an Avaya Wireless LAN Security Switch 2300, the following configuration steps need to be performed:

1. The Avaya Wireless LAN Security Switch 2300 that will be forwarding RADIUS authentication requests to IAS needs to be defined as a RADIUS client.
2. A Remote Access Policy needs to be defined so that IAS knows how to authenticate the computers and users, and which authentication protocols to support.

2.1 Add Radius Clients

To add an Avaya Wireless LAN Security Switch 2300 as a RADIUS client to IAS:

1. Open the IAS snap-in by clicking Start, Programs, Administrative Tools then Internet Authentication Service.
2. In the IAS snap-in, right click RADIUS Clients and then click New RADIUS Client.


3. In the Friendly name field specify the hostname of the Avaya Wireless LAN Security Switch 2300. In the Client address (IP or DNS) field specify the management IP address of the Avaya Wireless LAN Security Switch 2300. Click Next.

4. Select the default Client-Vendor option RADIUS Standard. Specify and confirm a Shared secret which will match the shared secret defined on the Avaya Wireless LAN Security Switch 2300 (for example Avaya). Click Next.


5. The Avaya Wireless LAN Security Switch 2300 has now been added to IAS as a RADIUS client.

2.2 Create a Remote Access Policy

To create a Remote Access Policy in IAS to authenticate computers and users using PEAP:

1. Open the IAS snap-in by clicking Start, Programs, Administrative Tools then Internet Authentication Service.
2. In the IAS snap-in right click Remote Access Policies and then click New Remote Access Policy.


3. Click Next.


4. Select the option Use the wizard to set up a typical policy for a common scenario. In the Policy name field enter in the name for the policy (for example Wireless EAP Users). Click Next.

5. Select the Access Method option Wireless then click Next. This sets the match criteria in the policy to only authenticate requests from Wireless LAN devices.


6. Specify the domain users or groups which the policy will apply to. For this example the domain group named Wireless EAP Users has been added. This sets the match criteria in the policy to only authenticate Users and Computers that are a member of this Domain Group. Click Next.

7. Select the EAP type Protected EAP (PEAP). Click Configure to specify a server certificate to be used by the policy.


8. In the Certificate issued to pull down menu, select the server certificate you wish to use for the policy. For this example the default server certificate installed on the Windows 2003 Advanced server named w3kserver.jclab.com is used. Check Enable Fast Reconnect. Click OK and then Next.

9. Verify the information is correct and then click Finish.


10. The Remote Access Policy Wireless EAP Users has now been created.


3. Wireless LAN Security Switch 2300

For an Avaya Wireless LAN Security Switch 2300 to be able to authenticate wireless clients using PEAP, the following configuration steps need to be performed:

1. Create a WPA or WPA2 service-profile that defines the SSID name, encryption type and authentication method. Add the service-profile to a radio-profile.
2. Create a RADIUS server and RADIUS server group.
3. Create an 802.1X authentication rule that will forward 802.1X computer and user authentication requests from the service-profile to the RADIUS server group.

3.1 Create a WPA Service-Profile

To create a WPA service-profile named Secure-Data on an Avaya Wireless LAN Security Switch 2300 using CLI:

1. Enter the User EXEC mode by issuing the following command:

wss2360-1> enable
wss2360-1#

2. Create a new service-profile and SSID called Secure-Data using TKIP encryption, 802.1X authentication and the default VLAN by issuing the following commands:

wss2360-1# set service-profile Secure-Data ssid-name Secure-Data
wss2360-1# set service-profile Secure-Data wpa-ie enable
wss2360-1# set service-profile Secure-Data attr vlan-name default

3. Add the service-profile Secure-Data to the default radio-profile by issuing the following commands (note this will disrupt user connectivity for existing SSIDs):

wss2360-1# set radio-profile default mode disable
wss2360-1# set radio-profile default service-profile Secure-Data
wss2360-1# set radio-profile default mode enable

4. Verify the service-profile parameters by issuing the following command:

wss2360-1# show service-profile Secure-Data

ssid-name: Secure-Data
ssid-type: crypto
Beacon: yes
Proxy ARP: yes
DHCP restrict: no
No broadcast: no
Short retry limit: 5
Long retry limit: 5
Auth fallthru: none
Sygate On-Demand (SODA): no
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
CAC mode: none
CAC sessions: 14
User idle timeout: 180
Idle client probing: yes
Keep initial vlan: no
Web Portal Session Timeout: 5
Web Portal ACL:
WEP Key 1 value:
WEP Key 2 value:
WEP Key 3 value:
WEP Key 4 value:
WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA enabled:
  ciphers: cipher-tkip
  authentication: 802.1X
  TKIP countermeasures time: 60000ms
vlan-name = default

3.2 Create a WPA2 Service-Profile

To create a WPA2 service-profile named Secure-Data on an Avaya Wireless LAN Security Switch 2300 using CLI:

1. Enter the User EXEC mode by issuing the following command:

wss2360-1> enable
wss2360-1#

2. Create a new service-profile and SSID called Secure-Data using CCMP encryption, 802.1X authentication and the default VLAN by issuing the following commands:

wss2360-1# set service-profile Secure-Data ssid-name Secure-Data
wss2360-1# set service-profile Secure-Data rsn-ie enable
wss2360-1# set service-profile Secure-Data cipher-tkip disable
wss2360-1# set service-profile Secure-Data cipher-ccmp enable
wss2360-1# set service-profile Secure-Data attr vlan-name default

3. Add the service-profile Secure-Data to the default radio-profile by issuing the following commands (note this will disrupt user connectivity for existing SSIDs):

wss2360-1# set radio-profile default mode disable
wss2360-1# set radio-profile default service-profile Secure-Data
wss2360-1# set radio-profile default mode enable


4. Verify the service-profile parameters by issuing the following command:

wss2360-1# show service-profile Secure-Data

ssid-name: Secure-Data
ssid-type: crypto
Beacon: yes
Proxy ARP: yes
DHCP restrict: no
No broadcast: no
Short retry limit: 5
Long retry limit: 5
Auth fallthru: none
Sygate On-Demand (SODA): no
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
CAC mode: none
CAC sessions: 14
User idle timeout: 180
Idle client probing: yes
Keep initial vlan: no
Web Portal Session Timeout: 5
Web Portal ACL:
WEP Key 1 value:
WEP Key 2 value:
WEP Key 3 value:
WEP Key 4 value:
WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA enabled:
  ciphers: cipher-tkip
  authentication: 802.1X
  TKIP countermeasures time: 60000ms
vlan-name = default

3.3 Create a RADIUS Server and Group

To create a RADIUS server and RADIUS server group on an Avaya Wireless LAN Security Switch 2300 using CLI:

1. Specify the RADIUS server name, IP address and shared key, and add the server to a RADIUS server group by issuing the following commands:

wss2360-1# set radius server W3KServer address 192.168.1.5 key Nortel
wss2360-1# set server group IAS members W3KServer

2. Verify the RADIUS server status and configuration by issuing the following command:

wss2360-1# show aaa

Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)

Radius Servers
Server         Addr           Ports       T/o  Tries  Dead  State
-----------------------------------------------------------------
W3KServer      192.168.1.5    1812 1813   0    0      0     UP

Server groups
IAS: W3KServer

3.4 Create a 802.1X Access Rule

To create an 802.1X access rule on an Avaya Wireless LAN Security Switch 2300 using CLI:

1. Specify an 802.1X access rule that will forward all computer and user authentication requests to the RADIUS server group by issuing the following command:

wss2360-1# set authentication dot1x ssid Secure-Data ** pass-through IAS

2. Verify the 802.1X access rule by re-issuing the show aaa command:

wss2360-1# show aaa

Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)

Radius Servers
Server         Addr           Ports       T/o  Tries  Dead  State
-----------------------------------------------------------------
W3KServer      192.168.1.5    1812 1813   5    3      0     UP

Server groups
IAS: W3KServer

Web Portal: enabled

set authentication dot1x ssid Secure-Data ** pass-through IAS

3.1 Bonded Authentication

Bonded authentication is a security feature that binds 802.1X user authentication to the machine authentication from which the user is attempting to log on. When bonded authentication is enabled, the WSS will only authenticate the user if the machine from which the user logs on has already been authenticated first. If machine authentication has not occurred the user will fail authentication.


To enable bonded authentication on an Avaya Wireless LAN Security Switch 2300 using CLI:

1. Specify a computer 802.1X access rule that will forward computer authentication requests for the domain to the RADIUS server group by issuing the following command:

wss2360-1# set authentication dot1x ssid Secure-Data host/*.jclab.com pass-through IAS

2. Specify a user 802.1X access rule that will forward user authentication requests for the domain, with bonded authentication enabled, to the RADIUS server group by issuing the following command:

wss2360-1# set authentication dot1x ssid Secure-Data JCLAB\* bonded pass-through IAS

Avaya recommends that you make the access rules as general as possible. For example, if the Active Directory domain is jclab.com, the following userglobs match on all machine names and users in the domain:

- host/*.jclab.com (userglob for PEAP machine authentication)
- JCLAB\* (userglob for PEAP user authentication)

3. Verify the 802.1X access rules by re-issuing the show aaa command:

wss2360-1# show aaa

Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)

Radius Servers
Server         Addr           Ports       T/o  Tries  Dead  State
-----------------------------------------------------------------
W3KServer      192.168.1.5    1812 1813   5    3      0     UP

Server groups
IAS: W3KServer

Web Portal: enabled

set authentication dot1x ssid Secure-Data host/*.jclab.com pass-through IAS
set authentication dot1x ssid Secure-Data JCLAB\* bonded pass-through IAS


4. Windows XP Workstation

For Windows XP to be able to support computer and user authentication, the following configuration steps need to be performed:

1. Install the CA certificate.
2. Enable IEEE 802.1X on the Wireless Network Connection.
3. Modify the default behavior of the Windows XP 802.1X supplicant by adding two registry entries.

4.1 Certificates

For PEAP computer and user authentication a CA certificate is recommended (but not required) to be installed on the Windows XP workstation:

- CA Certificate – Allows all parties in the certificate chain to validate the identity of the certificates issued by the enterprise CA. It is recommended that the CA certificate be installed into the current user's Trusted Root Certification Authorities certificate store to allow Windows XP to validate the identity of the IAS authentication server.

4.1.1 Issuing CA Certificates Using Web Enrollment

Note – If a CA certificate is already present for user accounts this step may be skipped.

To issue a CA certificate using Web Enrollment:

1. On the Windows XP workstation open the web browser.
2. In the Address field type in the IP address or hostname of the Windows 2003 server that is running Certificate Services using the following format: http://server-ip-address/CertSrv or http://servername.domain.com/CertSrv.

3. Enter in the domain User name and Password for the user that will be requiring the certificate.

Note – It is important that you log in to the web enrollment tool using the username and password of the user that will be using the user certificate. This ensures that the user certificate is issued to the correct username.


4. Click Download a CA certificate, certificate chain or CRL.


5. Click install this CA certificate chain.

6. You may see Potential Scripting Violation and Security Warning dialog windows. Click Yes.

7. If successful you will see a CA Certificate Installation message displayed on the web page.


8. A CA certificate for the Enterprise CA should now be displayed in the Certificates - Current User Trusted Root Certification Authorities Certificates store.

4.2 Modify Local Area Connection Properties

To enable 802.1X EAP-TLS computer and user authentication on a Windows XP Workstation:

1. Within Windows XP open the Network Connections window by clicking Start, Control Panel, Network and Internet Connections then Network Connections. Right click on the Wireless Network Connection and click Properties.
2. In the Wireless Network Connection Properties window click on the Wireless Networks tab.
3. Add a new Preferred Wireless Network connection by clicking Add.


Note – The Wireless Networks tab is only displayed in the Wireless Network Connection Properties window when the Microsoft Wireless Zero Configuration service is running. If the tab is missing, the service is not running (see Appendix 6.4).

4. In the Network name (SSID) field specify the SSID for the wireless network. Specify the Network Authentication type and Data encryption method.
5. Click on the Authentication tab.

6. Click on the Wireless Networks tab. In the EAP type pull-down menu select Protected EAP (PEAP).
7. Select the option Authenticate as computer when computer information is available, which enables computer authentication.
8. Click Properties.


9. Select the Validate server certificate checkbox. This allows Windows to verify the validity of the server certificate on the IAS RADIUS server.
10. Select the Connect to these servers checkbox and in the field either type in the domain name in which the RADIUS server must reside (example jclab.com) or the host and domain name of the IAS server (example w3kserver1.jclab.com). This tells Windows XP to only authenticate against the servers in a domain that you specify. Check the option Enable Fast Reconnect.
11. Click Configure.


12. Select the Automatically use my Windows logon name and password (and domain if any) checkbox. This tells Windows to use the domain credentials to authenticate the user which provides single sign-on for the user.

13. Click OK and then OK again.
14. Click on the Connection tab.
15. Check the option Connect when this network is in range. This tells Windows XP to connect to this wireless network when it is detected. Click OK.


16. A new Preferred Wireless Network connection has been created.


4.3 Modify Registry Settings

By default the Windows XP 802.1X supplicant may not behave as expected when computer authentication is enabled. The Windows XP 802.1X supplicant behavior can be modified by adding the AuthMode and SupplicantMode registry entries:

4.3.1 AuthMode Registry Setting

Purpose: Controls the computer and user authentication behavior on Windows XP Workstations.

Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode

Values:

0 - Computer authentication mode. If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to Service Pack 1).

1 - Computer authentication with re-authentication. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user credentials are used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP Service Pack 1 (SP1) and .

2 - Computer authentication only. When a user logs on, it has no effect on the connection. Only computer authentication is performed. The exception to this behavior is when a user successfully logs on, and then roams between wireless APs. In that case, user authentication is performed.

For changes to this setting to take effect, restart the Wireless Zero Configuration service for Windows XP or Windows Server 2003.

4.3.2 SupplicantMode Registry Setting

Purpose: Controls the EAPOL-Start message behavior on Windows XP workstations.

Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode

Values:

1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.

2 - Transmit. Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.

3 - Transmit per 802.1X. Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.

4.3.3 Avaya Recommendations

Avaya recommends that the AuthMode registry entry be set to 1 and the SupplicantMode registry entry be set to 3 (see Appendix 6.3).


5. Verification

5.1 Windows System Event Logs

When a Windows XP workstation boots or the user logs out of Windows, PEAP computer authentication will occur and the following log entry will be created in the Windows System Event Log:

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/12/2007
Time: 10:41:47 AM
User: N/A
Computer: W3KSERVER1
Description: User host/obsat.jclab.com was granted access.
Fully-Qualified-User-Name = jclab.com/Computers/OBSAT
NAS-IP-Address = 192.168.1.17
NAS-Identifier = nortel
Client-Friendly-Name = wss2360-1
Client-IP-Address = 192.168.1.17
Calling-Station-Identifier = 00-90-7A-03-DA-16
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wireless EAP Users
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

When a user logs into Windows XP, PEAP user authentication will occur and the following log entry will be created in the Windows System Event Log:


Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/12/2007
Time: 10:31:53 AM
User: N/A
Computer: W3KSERVER1
Description: User JCLAB\marshal2 was granted access.
Fully-Qualified-User-Name = jclab.com/Users/Kevin L. Marshall
NAS-IP-Address = 192.168.1.17
NAS-Identifier = nortel
Client-Friendly-Name = wss2360-1
Client-IP-Address = 192.168.1.17
Calling-Station-Identifier = 00-90-7A-03-DA-16
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wireless EAP Users
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
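As an added example (not part of the Avaya guide), the following Python parser reads an IAS Event ID 1 entry of the shape shown above, tells computer authentication (host/ identity) from user authentication (DOMAIN\user identity), and reports where the grant deviates from the policy name, authentication type and port type this guide expects; the sample event is constructed.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the IAS "Event ID 1" entry the guide shows for a
# successful PEAP computer authentication (not a capture from the author's lab).
SAMPLE_EVENT = """Event Source: IAS
Description: User host/obsat.jclab.com was granted access.
Fully-Qualified-User-Name = jclab.com/Computers/OBSAT
NAS-IP-Address = 192.168.1.17
Calling-Station-Identifier = 00-90-7A-03-DA-16
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = Wireless EAP Users
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
"""
GRANT_RE = re.compile(r"^Description: User (\S+) was granted access\.", re.M)
# Values the guide's lab expects on every wireless grant (policy from Appendix 6.1).
EXPECTED = {"Policy-Name": "Wireless EAP Users", "Authentication-Type": "PEAP"}

@dataclass
class IasGrant:
    identity: str
    kind: str                      # "computer", "user" or "unknown"
    attrs: dict = field(default_factory=dict)

def classify_identity(identity: str) -> str:
    # Machine auth is logged as host/<fqdn>, user auth as DOMAIN\user (see 5.2).
    if identity.startswith("host/"):
        return "computer"
    return "user" if "\\" in identity else "unknown"

def parse_ias_event(text: str) -> IasGrant:
    # Pull the granted identity and every "Name = value" attribute line.
    m = GRANT_RE.search(text)
    if not m:
        raise ValueError("not an IAS access-granted event")
    attrs = dict(tuple(s.strip() for s in line.split(" = ", 1))
                 for line in text.splitlines() if " = " in line)
    return IasGrant(m.group(1), classify_identity(m.group(1)), attrs)

def check_grant(grant: IasGrant) -> list:
    # Report where the grant deviates from the setup described in the guide.
    findings = [f"{k}: {grant.attrs.get(k)!r}" for k, v in EXPECTED.items()
                if grant.attrs.get(k) != v]
    if not grant.attrs.get("NAS-Port-Type", "").startswith("Wireless"):
        findings.append("NAS-Port-Type: not a wireless port")
    fqun = grant.attrs.get("Fully-Qualified-User-Name", "")
    if grant.kind == "computer" and "/Computers/" not in fqun:
        findings.append("host/ identity did not resolve to a Computers object")
    return findings
```

Feeding the same function the user-authentication event yields kind "user", which lets a log review confirm that both phases of the machine-then-user sequence actually occurred for a given Calling-Station-Identifier.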


5.2 Wireless LAN Security Switch

5.2.1 Example Wireless Computer Session

When a computer successfully authenticates to the Wireless LAN Security Switch 2300 using PEAP computer authentication, the user name for the session ID will be displayed as the computer's name + domain name preceded with host/. Note that the session ID will be maintained if the workstation switches between computer and user authentication and vice versa.

wss2360-1# show sessions network ssid Secure-Data verbose

User                  Sess  IP or MAC      VLAN     Port/
Name                  ID    Address        Name     Radio
-----------------------------------------------------------
host/obsat.jclab.com  319*  192.168.1.103  default  dap 3/1
  Client MAC: 00:90:7a:03:da:16  GID: SESS-319-309c32-607379-96170
  State: ACTIVE (prev AUTHORIZED)
  now on: 192.168.1.17, dap 3, AP/radio stp1w211vd/1, as of 02:32:01 ago
  Host name: obsat
  Vlan-Name=VLAN110 (service-profile)
  Service-Type=2 (AAA)

1 sessions match criteria (of 1 total)

5.2.2 Example Wireless User Session

When a user successfully authenticates to the Wireless LAN Security Switch 2300 using PEAP user authentication, the user name for the session ID will be displayed as the domain\user name. Note that the session ID will be maintained if the workstation switches between computer and user authentication and vice versa.

wss2350-1# show sessions network ssid Secure-Data verbose

User                  Sess  IP or MAC      VLAN     Port/
Name                  ID    Address        Name     Radio
-----------------------------------------------------------
JCLAB\marshal2        319*  192.168.1.103  default  dap 3/1
  Client MAC: 00:90:7a:03:da:16  GID: SESS-319-309c32-607379-96170
  State: ACTIVE (prev AUTHORIZED)
  now on: 192.168.1.17, dap 3, AP/radio stp1w211vd/1, as of 02:30:55 ago
  Host name: obsat
  Vlan-Name=VLAN110 (service-profile)
  Service-Type=2 (AAA)

1 sessions match criteria (of 1 total)


6. Appendix

6.1 EAP Users Active Directory Group

The example Remote Access Policy used in this document tells IAS to authenticate users that are members of the Windows Domain Group called Wireless EAP Users. For EAP-TLS computer and user authentication to occur, the Kevin L. Marshall user account and the OBSAT computer account were added as members of the Wireless EAP Users group, as shown in Figure 6.1.1.

Figure 6.1.1 – Wireless EAP Users Group


6.2 Active Directory Remote Access Permissions

For EAP-TLS user and computer authentication to be successful, the remote access Dial-In Access Permissions for the user and computer accounts need to be set to Allow access. IAS cannot authenticate any user or computer unless the Dial-In permissions are set. Figures 6.2.1 and 6.2.2 show the Remote Access Permission settings for the user account Kevin L. Marshall and the computer account OBSAT used in this document.

Figure 6.2.1 – Example Active Directory User Account Dial-In Permission Settings

Figure 6.2.2 – Example Active Directory Computer Account Dial-In Permission Settings


6.3 Windows XP Registry Settings

To ensure the correct Windows XP 802.1X supplicant behavior when performing computer and user authentication, the AuthMode and SupplicantMode registry keys were added. Figure 6.3.1 shows the recommended registry keys and DWORD values:

Figure 6.3.1 – Registry Entries

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000001
"SupplicantMode"=dword:00000003

Figure 6.3.2 – Example Registry Entry File


6.4 Wireless Zero Configuration Service

The Microsoft Wireless Zero Configuration service provides native Windows support for 802.11 wireless networking as well as 802.1X support for both wired and wireless networks. Before you can enable or configure 802.1X wired computer and user authentication within Windows XP, the Microsoft Wireless Zero Configuration service has to be running. If the service is not in a Started state you will not be able to enable or configure native 802.1X authentication for the Local Area Network connection.

Figure 6.4.1 – Windows XP Services


By default the Microsoft Wireless Zero Configuration service is configured to start automatically and will have the service Startup type set to Automatic. If the service is disabled or stopped, this may be due to a third-party 802.1X supplicant installed with a Wireless LAN NIC. Some third-party 802.1X supplicants will disable or stop the Microsoft Wireless Zero Configuration service to eliminate conflicts.

Figure 6.4.2 – Wireless Zero Configuration Service Properties

If you have a third-party 802.1X supplicant installed, you can disable it in the Local Area Connection properties for the NIC. This will allow the Microsoft Wireless Zero Configuration service to start and also allow Windows to control the 802.1X authentication.

Figure 6.4.3 – Disabling a Third-Party 802.1X Driver


6.5 Wireless LAN Security Switch

6.5.1 Example Configuration

# Configuration nvgen'd at 2007-1-12 11:03:44
# Image 5.0.7.1.0
# Model 2360
# Last change occurred at 2007-1-11 21:21:11
set ip route default 192.168.1.1 1
set dot1x quiet-period 10
set system name WSS2360-1
set system ip-address 192.168.1.17
set system countrycode US
set system contact [email protected]
set system location Johnson City TN
set service-profile Secure-Data ssid-name Secure-Data
set service-profile Secure-Data wpa-ie enable
set service-profile Secure-Data attr vlan-name default
set radius client system-ip
set radius server W3KServer address 192.168.1.5 key Nortel
set server group IAS members W3KServer
set enablepass password Nortel
set authentication dot1x ssid Secure-Data ** pass-through IAS
set user admin password encrypted Nortel
set radio-profile default service-profile Secure-Data
set dap 1 serial-id stp1w20kc3 model 2330
set dap 1 name WLAN_AP_2330_1
set dap 1 radio 1 channel 1 tx-power 17 radio-profile default mode enable
set dap 1 radio 2 radio-profile default mode enable
set dap 2 serial-id stp1w211zj model 2330
set dap 2 name WLAN_AP_2330_2
set dap 2 radio 1 radio-profile default mode enable
set dap 2 radio 2 channel 40 radio-profile default mode enable
set dap 3 serial-id stp1w211vd model 2330
set dap 3 name WLAN_AP_2330_3
set dap 3 radio 1 channel 11 tx-power 17 radio-profile default mode enable
set dap 3 radio 2 channel 44 radio-profile default mode enable
set ip https server enable
set port 1 name Uplink
set vlan 1 port 1
set interface 1 ip 192.168.1.17 255.255.255.0

6.6 Windows 2003 Server Details

This table documents the software used for the Windows 2003 Server:

Operating System
  Version: Microsoft Windows Server 2003 Enterprise Edition
  Service Pack: Service Pack 1

Installed Windows Components
  Active Directory (installed as a Domain Controller)
  Internet Information Services (IIS)
  Certificate Services (installed as an Enterprise Root CA)
  Domain Name System (DNS)
  Dynamic Host Configuration Protocol (DHCP)
  Internet Authentication Service

6.7 Windows XP Workstation Details

This table documents the hardware and software that were used for the Windows XP Workstation:

Hardware
  Manufacturer: Toshiba
  Model: Satellite A105
  Processor: Intel® Celeron® M 1.7GHz Processor
  RAM: 512M

Operating System
  Version: Microsoft Windows XP Professional
  Service Pack: Service Pack 2

Wireless LAN
  Model: Atheros AR5005G (Mini PCI)
  Driver Provider: Atheros
  Driver Version: 4.1.2.108


7. Reference Documentation

Document Title: Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows
Publication Number: N/A
Description: This Microsoft article describes the deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows and includes details on how to enable Auto-Enrollment for Computer certificates.

Document Title: Certificate Autoenrollment in Windows Server 2003
Publication Number: N/A
Description: This Microsoft article describes User / Smartcard certificate Auto-Enrollment in a Windows Server 2003 server environment.

Document Title: Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows
Publication Number: N/A
Description: This article describes how to deploy IEEE 802.1X authentication for wired networks using authenticating switches, wired client computers running Microsoft® Windows® XP, Windows Server™ 2003, or , and a wired authentication infrastructure consisting of Windows Server 2003 or Windows 2000 Active Directory® directory service domain controllers, certification authorities, and Internet Authentication Service servers.

Document Title: 802.11 Wireless Tools and Settings
Publication Number: N/A
Description: Microsoft TechNet article that includes details for modifying the 802.1X registry settings.


8. Customer service

Visit the Avaya web site to access the complete range of services and support that Avaya provides. Go to www.avaya.com or go to one of the pages listed in the following sections.

8.1 Getting technical documentation

To download and print selected technical publications and release notes directly from the Internet, go to www.avaya.com/support.

8.2 Getting product training

Ongoing product training is available. For more information or to register, you can access the Web site at www.avaya.com/support. From this Web site, you can locate the Training contacts link on the left-hand navigation pane.

8.3 Getting help from a distributor or reseller

If you purchased a service contract for your Avaya product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

8.4 Getting technical support from the Avaya Web site

The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at www.avaya.com/support.
