Wireless: Key Confusion

 
 
Redleg6
Guest
Posts: n/a

 
      08-08-2008, 01:17 AM
I have a win2003 domain using a wireless network with a Cisco AP, IAS and
PEAP and open authentication with WEP (802.11b)

In the GP settings for wireless there is a block to provide the key
automatically which I have done. This is also repeated on the client
workstation. What is confusing is on both the client and the AP there are
places to provide a WEP key- which apparently is not used.

I am confused about all these keys.

What is the key used for the connection between the client and the AP?
What is used between the AP and IAS?

Am I missing something here?



 
 
 
 
 
Miles Li [MSFT]
Guest
Posts: n/a

 
      08-08-2008, 10:42 AM
Hello,

Thank you for posting here.

The Wired Equivalent Privacy (WEP) encryption in the 802.11b standard provides
secure wireless network access. WPA-PSK is a special mode of WPA for users
without an enterprise authentication server and provides the same strong
encryption protection. You can configure WPA-PSK for the router or access
point. Users that can provide the secure key will be able to access the
network. The option "key is provided Automatically" can be chosen for a
network whose AP router is set to dynamically provide the network key for
clients. A network security key or passphrase can help protect your
wireless network from this type of unauthorized access.

For IAS server and the AP (remote access server), there is a shared secret
which is a text string that serves as a password between a RADIUS client
(AP) and RADIUS server (IAS server). You need to match the shared secret
between IAS server and AP for the proper authentication and authorization.
Shared secrets are used to verify that RADIUS messages, with the exception
of the Access-Request message, are sent by a RADIUS-enabled device that is
configured with the same shared secret. Shared secrets also verify that the
RADIUS message has not been modified in transit (message integrity). The
shared secret is also used to encrypt some RADIUS attributes, such as
User-Password and Tunnel-Password.

More information for your reference:

Set up a security key for a wireless network
http://windowshelp.microsoft.com/Win...b72-48c7-9515-95d56f925fcb1033.mspx

How to Make Your 802.11b Wireless Home Network More Secure
http://support.microsoft.com/kb/309369

WPA Wireless Security
http://www.microsoft.com/windowsxp/u...man_03july28.mspx

Configuring Wireless Network Policies
http://technet.microsoft.com/en-us/l.../cc776078.aspx

Shared secrets
http://technet.microsoft.com/en-us/l.../cc740124.aspx


I hope these will give you some help. If you have any questions or
concerns, please do not hesitate to let me know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Reply With Quote
 
Redleg6
Guest
Posts: n/a

 
      08-08-2008, 02:18 PM
Thanks for the response.

I am still working at a lower level.

My basic question is what is the role of the AP (in my case a Cisco 1242G)
when you have group policy setting the attributes for 802.1x authentication?
Where does the key come from that is used to encrypt the commo with PEAP?
The shared password between the AP and IAS?

Right now my AP has the setting in "Encryption Manager" that WEP is
"Mandatory" and everything works. I just don't understand why it works.





 
 
Miles Li [MSFT]
Guest
Posts: n/a

 
      08-11-2008, 11:55 AM
Hello,

PEAP Authentication Process:

1. The client sends an EAP Start message to the access point

2. The access point replies with an EAP Request Identity message

3. The client sends its network access identifier (NAI), which is its
username, to the access point in an EAP Response message

4. The access point forwards the NAI to the RADIUS server encapsulated in a
RADIUS Access Request message

5. The RADIUS server will respond to the client with its digital
certificate

6. The client will validate the RADIUS server's digital certificate

7. The client and server negotiate and create an encrypted tunnel

8. This tunnel provides a secure data path for client authentication

9. Using the TLS Record protocol, a new EAP authentication is initiated by
the RADIUS server

10. The exchange will include the transactions specific to the EAP type
used for client authentication

11. The RADIUS server sends the access point a RADIUS ACCEPT message,
including the client's WEP key, indicating successful authentication

The Access point acts as the authentication forwarder (network access
identifier) between the client and the RADIUS server. For PEAP, the
computer certificates on the client and the IAS server are used for
generating the key for the encrypted tunnel.

Please also note that WEP is defined by 802.11 to provide data encryption
while PEAP is for the authentication.

For your reference:

802.11 Wireless LAN Security
http://www.cisco.com/warp/public/cc/...swpf_wp.htm#wp39534

EAP Authentication Protocols for WLANs
http://www.ciscopress.com/articles/a...69223&seqNum=2

Hope this helps. Also, if you have any questions or concerns, please do not
hesitate to let me know.



Best regards,
Miles Li


 
Reply With Quote
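Added example (not part of the original posts): a small Python decoder for the EAP packets exchanged in the steps listed above, useful when reading a capture of a failed PEAP logon. It follows the RFC 3748 header layout and decodes only the L/M/S flag bits that PEAP shares with EAP-TLS; the frames, the identity `alice@example.test` and the TLS payload bytes are constructed placeholders.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code, Identifier, Length, then Type and data."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or length < 4 or length > len(pkt):
        raise ValueError("bad EAP code or length")
    info = {"code": CODES[code], "id": ident}
    if code in (3, 4):                      # Success/Failure carry no Type
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    etype, data = pkt[4], pkt[5:length]
    info["type"] = TYPES.get(etype, f"type-{etype}")
    if etype == 1 and code == 2:            # step 3: identity sent before any tunnel
        info["identity"] = data.decode("utf-8", "replace")
    elif etype == 25 and data:              # PEAP: flags byte, then TLS data
        flags = data[0]
        info["start"] = bool(flags & 0x20)
        info["more_fragments"] = bool(flags & 0x40)
        info["length_included"] = bool(flags & 0x80)
        offset = 5 if flags & 0x80 else 1   # 4-byte TLS length follows when L is set
        if len(data) < offset:
            raise ValueError("PEAP packet shorter than its flags claim")
        info["tls_bytes"] = len(data) - offset
    return info

def outer_identities(frames) -> list:
    """Identities visible in cleartext, i.e. sent outside the TLS tunnel."""
    parsed = (parse_eap(f) for f in frames)
    return [p["identity"] for p in parsed if "identity" in p]

def eap(code, ident, etype=None, data=b""):
    """Helper that builds a constructed sample frame."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed frames mirroring the thread's steps (not a real capture).
SAMPLE = [
    eap(1, 1, 1),                                    # step 2: Request Identity
    eap(2, 1, 1, b"alice@example.test"),             # step 3: Response Identity
    eap(1, 2, 25, b"\x20"),                          # server starts PEAP (S flag)
    eap(2, 2, 25, b"\x80" + struct.pack("!I", 5) + b"\x00" * 5),  # TLS placeholder
    eap(3, 3),                                       # EAP Success after step 11
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(parse_eap(frame))
    print("cleartext identities:", outer_identities(SAMPLE))
```

The identity in step 3 is readable by anyone capturing the exchange, while the credentials sent in steps 9 and 10 appear only as opaque TLS bytes inside PEAP packets.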
 
Redleg6
Guest
Posts: n/a

 
      08-11-2008, 03:00 PM
Thank you. Your last message filled in a lot of "blanks."

Is the process basically the same if the encryption is WPA?





 
 
Miles Li [MSFT]
Guest
Posts: n/a

 
      08-12-2008, 12:07 PM
Hello,

Yes, the process for WPA/PEAP (a combination of encryption and
authentication) should be the same.

Wi-Fi Protected Access (WPA) is used to resolve the problems in WEP
encryption and data integrity methods. Like WEP, WPA provides the data
encryption between the wireless client and wireless AP (RADIUS client)
while EAP (PEAP) gives a secure authentication method between the wireless
server (RADIUS server). With the TKIP or AES encryption methods for WPA,
WPA provides a secure channel between the wireless client and wireless AP.


Best regards,
Miles Li


 
 
Redleg6
Guest
Posts: n/a

 
      08-12-2008, 03:26 PM
I appreciate your help; it has been most valuable.

I can now see the problems we have with our wlan at the hospital I work at.
For example we are using PEAP but individual users cannot logon using
MS-CHAP V2. Also I cannot administer the wireless stations using group
policy or update them.

From what I have learned on this newsgroup I can use wireless group policy
and computer certificates to improve our wlan operation.

Thanks again.




 
 
Miles Li [MSFT]
Guest
Posts: n/a

 
      08-13-2008, 11:55 AM
Hello,

Yes, we can use the group policy wireless extension to configure the
settings on clients. For detailed steps, you can refer to Chapter 6:
Configuring the Wireless LAN Clients in the reference paper below:

Securing Wireless LANs with PEAP and Passwords
http://www.microsoft.com/downloads/d...0a1-9820-480e-aa38-63485eca8b9b&displaylang=en#filelist

If this problem continues, to troubleshoot the wireless PEAP authentication
issues, please try to collect the following information that may help to
clearly understand the issue:

1. The IAS event log on the IAS server.
2. Capture the network traffic when the clients attempt to authenticate
with the IAS server.

You can get the NetMon3.1 from the following link:
http://www.microsoft.com/downloads/d...59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en

3. Enable the tracing on the IAS server with the following command:

a) On the command line, please run the following command: netsh ras set tracing * enabled
b) Please start "Wireless Diagnostic" under Computer Management - Reliability and Performance - Data Collector Set - System - Wireless Diagnostic
c) Then please try to connect to the network
d) Once you get the failure, please stop the repro with netsh ras set tracing * disabled
e) Please stop wireless diagnostics
f) Please send me the output folder \Windows\tracing


Best regards,
Miles Li


 
 
Redleg6
Guest
Posts: n/a

 
      08-16-2008, 12:53 AM
Using the info from this newsgroup I was able to get PEAP working on the
WLAN where I work. This will save us money from consultants and much busy
work with certificates.

Thanks again!!




 
 
Miles Li [MSFT]
Guest
Posts: n/a

 
      08-18-2008, 09:37 AM
Hi,

I am glad to know that you have got the information you wanted in our
partner newsgroup. If you have any other questions or concerns, please do
not hesitate to let me know.

Thanks.

Best regards,
Miles Li


 
 
 
 