Deploying the Infrastructure
A significant amount of infrastructure is required to support
WPA when you are not using preshared keys. The effort required to set up the
infrastructure is, unfortunately, nontrivial. However, it is only a one-time
cost, and setting it up properly will save you time in the long run.
As with everything in security, the devil is in the details,
and setting up your infrastructure is no exception. Because vendor products
change, it is difficult to provide a step-by-step cookbook for you. So instead,
we describe in general what you must do and provide pointers to more detailed
guidance, usually on the Web.
Add a RADIUS Server for IEEE 802.1X Support
The central arbiter for all access and authentication decisions
in WPA is the organization's RADIUS server. It's likely that this is exactly how
your Internet service provider (ISP) makes access decisions when you dial up the
service. You can obtain a RADIUS server in many ways. For example, the software
package Microsoft Windows 2000 Server includes a RADIUS server, and several
vendors sell RADIUS servers for various operating systems. There is also an open
source RADIUS server available known as FreeRADIUS, which we describe later in
this chapter.
Managing a RADIUS server is an extremely important task because
the server makes all of the security-relevant decisions. As a result, improper
configuration can lead to breaches in your security. Fortunately, an excellent
text describing how to install and configure FreeRADIUS was recently published
(Hassell, 2003).
Use a Public Key Infrastructure for Client Certificates
To use WPA to its fullest, you need to use EAP/TLS as an
authentication mechanism, and this requires using public key certificates based
on the X.509 standard. Issuing and managing these certificates requires that a
public key infrastructure (PKI) be established within your organization, if it
hasn't been already.
Setting up a PKI has been the subject of several books, and we
can't cover all of the nuances involved. We will, however, show how to use an
open source cryptographic package to make certificates suitable for testing
purposes or for use at home or in very small offices later in this
chapter.
Install Client IEEE 802.1X Supplicant Software
To gain the full benefit of WPA, you need to upgrade your
clients to use the IEEE 802.1X protocol for authentication and access control.
At the time of this writing, Microsoft Windows XP is the only operating system
that includes the client portion, the supplicant, as part of the operating system.
However, your vendor will probably provide software to support older versions of
Windows and the Apple Macintosh. For UNIX, you can use supplicant software
developed at the University of Maryland and released under both the GPL and a
BSD-style license. The software is located at www.open1x.org and
runs under FreeBSD, OpenBSD, and Linux.
To install the software, you have to review the documentation
for the clients you use, and you have to generate and add public key
certificates to each client. This is mandatory to support the EAP/TLS
protocol.
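The certificate side of the two preceding sections (a small PKI for EAP/TLS, and the server and client certificates the RADIUS server and each supplicant need) as an added example, not code from the book. It assumes OpenSSL is the open source cryptographic package meant, and the names (Test WPA CA, radius.example.test, client1) are constructed; it is suitable only for testing or a very small office, as the text says.

```shell
# Added example, not from the book: a test-only PKI for EAP-TLS built with OpenSSL.
set -eu
# make_test_pki DIR: write an explicit extension profile, then create the
# root CA, the RADIUS server certificate and one client certificate.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Self-signed root CA; keep its key offline in a real deployment.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/pki.cnf" \
    -extensions ca_ext -subj "/CN=Test WPA CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server cert: supplicants check serverAuth before sending credentials.
  issue_cert "$dir" server "/CN=radius.example.test" server_ext
  # Client cert: what the supplicant presents during EAP-TLS.
  issue_cert "$dir" client1 "/CN=client1" client_ext
}
# issue_cert DIR NAME SUBJECT EXT_SECTION: key + CSR + CA-signed certificate
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions "$4" \
    -out "$1/$2.crt" >/dev/null 2>&1
}
# verify_chain CA_FILE CERT_FILE: the check each side performs on its peer;
# prints "ok" if CERT_FILE chains to CA_FILE, "fail" otherwise
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# cert_eku CERT_FILE: print the extended key usage the CA stamped on the cert
cert_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}
```

Point the RADIUS server at ca.crt, server.crt and server.key, and install ca.crt plus client1.crt/client1.key on the supplicant; a client certificate issued by any other CA fails verify_chain, which is the whole reason the organization needs its own PKI.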