Locking down 802.1X client settings

Locking down 802.1X client settings

By CWNP On 03/31/2010 - 16 Comments

A few months ago, I discussed the need for the Enterprise mode of WPA/WPA2 encryption in even small businesses and how outsourcing the RADIUS/802.1X server can save a great deal of time and money. Well now I'm going to show how to secure your 802.1X settings once you have a server or hosted service up and running.

Using 802.1X authentication with WPA2 (802.11i) encryption provides the best possible security for Wi-Fi these days. However, all your hard work in setting up the RADIUS server and network might be compromised if you don't properly configure the 802.1X settings on your client devices.

To make sure your clients aren't susceptible to man-in-the-middle attacks there are three key settings you should configure in Windows, on the PEAP or Smart Card/Certificate Properties window:

First, check the Validate server certificate option and select the Trusted Root Certificate Authority from the list. This helps make sure the client verifies it's talking to a legitimate RADIUS server before revealing its login credentials. More specifically, it ensures the server is loaded with a digital certificate verified by the Certification Authority (CA)  you select.

Secondly, check the Connect to these servers option and input the domain name or IP address of the RADIUS server. This makes the client verify you're talking to your specific server.
Lastly, you should check: Do not prompt user to authorize new servers or trusted certificate authorities. This will automatically reject RADIUS servers that aren't loaded with a certificate from the CA you selected and from the server you specified. Otherwise, the user could be prompted and possibly select to authorize a new server while not understanding what he or she is doing.

If you don't have a RADIUS product picked out yet, consider the hosted service from my company, called AuthenticateMyWiFi. We even offer a Free Edition with limited features. Use it to better understand the RADIUS protocol, get hands-on experience configuring 802.1X, or secure a small network.

Tagged with: security, 802.1X, 802.11i, peap, wpa/wpa2-enterprise

0 Responses to Locking down 802.1X client settings

Subscribe by Email
There are no comments yet.
<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

-Darren
Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

-Ben
Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

-Glenn
Read More