Locking down 802.1X client settingsBy CWNP On 03/31/2010 - 16 Comments
A few months ago, I discussed the need for the Enterprise mode of WPA/WPA2 encryption in even small businesses and how outsourcing the RADIUS/802.1X server can save a great deal of time and money. Well now I'm going to show how to secure your 802.1X settings once you have a server or hosted service up and running.
Using 802.1X authentication with WPA2 (802.11i) encryption provides the best possible security for Wi-Fi these days. However, all your hard work in setting up the RADIUS server and network might be compromised if you don't properly configure the 802.1X settings on your client devices.
To make sure your clients aren't susceptible to man-in-the-middle attacks there are three key settings you should configure in Windows, on the PEAP or Smart Card/Certificate Properties window:
First, check the Validate server certificate option and select the Trusted Root Certificate Authority from the list. This helps make sure the client verifies it's talking to a legitimate RADIUS server before revealing its login credentials. More specifically, it ensures the server is loaded with a digital certificate verified by the Certification Authority (CA) you select.
Secondly, check the Connect to these servers option and input the domain name or IP address of the RADIUS server. This makes the client verify you're talking to your specific server.
Lastly, you should check: Do not prompt user to authorize new servers or trusted certificate authorities. This will automatically reject RADIUS servers that aren't loaded with a certificate from the CA you selected and from the server you specified. Otherwise, the user could be prompted and possibly select to authorize a new server while not understanding what he or she is doing.
If you don't have a RADIUS product picked out yet, consider the hosted service from my company, called AuthenticateMyWiFi. We even offer a Free Edition with limited features. Use it to better understand the RADIUS protocol, get hands-on experience configuring 802.1X, or secure a small network.Tagged with: security, 802.1X, 802.11i, peap, wpa/wpa2-enterprise
Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.