In this edition of Chuck's Corner we'll talk a little bit about using certificate-based security for wireless networks.
Everyone that uses a web browser has used a certificate, you just may not have realized it. Anytime you access a web site that turns on that little padlock at the bottom of your screen, you're using SSL (Secure Sockets Layer) or its successor, TLS. The server's certificate does two jobs: it lets the browser check that the host it is talking to really is the one named in the address, and the public key it carries is used to agree on the session keys that encrypt the actual data.
Certificates have been around for a while and now they're becoming a central part of many wireless security solutions.
Many large e-commerce companies rely on vendors such as VeriSign and RSA to issue the certificates that identify their web sites to customers and protect the purchases made over the Internet. These companies (called Certificate Authorities, or CAs) charge a yearly fee for the service. Their certificates have a set lifespan and must be renewed each year. In return the CA vouches that the certificate really belongs to the company named in it, which is what matters when you do business with strangers over the Internet.
But what about the enterprise or small business user that only needs to secure their own internal network?
Fortunately, Microsoft server-class operating systems such as Windows 2000 Server and Windows Server 2003 include an optional Certificate Authority component (Certificate Services). It is free and is installed through Add/Remove Windows Components in the Add/Remove Programs dialog within Control Panel. The company can then issue its own certificates for use within its own network. For EAP-TLS a certificate must be issued for the RADIUS server as well as for each client. For TTLS and PEAP, only the server needs a certificate.
Certificates make up a central part of several of the new 802.1X port-based authentication mechanisms. The most robust is called EAP-TLS (Transport Layer Security). With TLS, both the client device and the authentication server (RADIUS) have their own unique certificates, and each side checks the other's. This means the client must have its certificate (and its private key) installed before it ever attempts to connect to the network. Usually this is done via "sneakernet". Managing client-side certificates is a non-trivial task and most enterprises stay away from it because it's so difficult. TLS doesn't use usernames or passwords. If the client computer is lost or stolen, the CA can "revoke" its certificate, which blocks the device from connecting, provided the RADIUS server is set up to check the CA's certificate revocation list (CRL). A revoked certificate still looks perfectly valid to a server that never consults the CRL.
There are alternatives to EAP-TLS. The two most popular are EAP-TTLS and PEAP, and they are very similar in function. TTLS (Tunneled TLS) is a joint development between Funk Software and Certicom. It keeps much of the robustness of the certificate system without needing a certificate on each client device; instead the user authenticates with a username and password. For TTLS to be at its most robust, the client device must have the CA's root certificate installed in its "Trusted Root Certification Authorities" store. This can be done via a simple web-based request to the CA. No unique certificate is needed for each client, just the CA's root certificate (often identified by its "thumbprint"). The client then checks that the RADIUS server's certificate was issued by that trusted CA, builds an encrypted tunnel (just like TLS), and only then passes the username and password through the tunnel. That check is the whole point: a client configured to skip server validation will build its tunnel with any access point that answers, including a rogue one, and hand it the credentials. Microsoft and Cisco have also worked together on a similar approach called PEAP (Protected EAP). PEAP works the same way except that the inner authentication inside the tunnel is either EAP-GTC (Generic Token Card, from Cisco) or EAP-MSCHAPv2 (from Microsoft). Microsoft has a downloadable version of PEAP for Windows 2000 and Windows XP; it's part of the WPA update from the Windows Update web site. Most RADIUS vendors such as Funk, Cisco and Interlink support both PEAP variants as well as TTLS and TLS. For wireless devices, Funk Software's Odyssey client runs under all major Windows operating systems including Pocket PC 2002 and Windows Mobile 2003.
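The whole life cycle the last few paragraphs describe, as an added example that is not part of this column: a throwaway private CA built with openssl (standing in for the Windows CA) issues a certificate for the RADIUS server and one for a client, the client's certificate is then revoked as it would be for a stolen laptop, and a second CA that nobody trusts issues an impostor server certificate with the same name. The checks at the end are what a supplicant does with the server certificate under TTLS or PEAP, and what the RADIUS server does with a client certificate under EAP-TLS. All names (example.local, radius01, laptop-042, the CA names) are made up for the demonstration, and openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the column: a disposable CA that plays the role of the
# in-house Windows CA. Every name here is invented for the demonstration.
set -eu

# make_ca DIR "CA name": lay out the files "openssl ca" needs and self-sign a root.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ radius_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=$name" >/dev/null 2>&1
}

# issue_cert CADIR NAME EXT: new key + CSR for NAME, signed by the CA with the
# extension profile EXT (radius_ext for the RADIUS server, client_ext for a client).
issue_cert() {
    dir=$1; name=$2; ext=$3
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -batch -notext -extensions "$ext" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# revoke_cert CADIR NAME: what the CA does for a stolen laptop, then publish the CRL.
revoke_cert() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# trusted_by TRUSTDIR CERT: the check a supplicant (server cert) or a RADIUS
# server (client cert) performs: does CERT chain to the CA we trust, and is it
# absent from that CA's CRL when one has been published? Exit 0 means accepted.
trusted_by() {
    trust=$1; cert=$2
    if [ -f "$trust/ca.crl" ]; then
        cat "$trust/ca.crt" "$trust/ca.crl" > "$trust/bundle.pem"
        openssl verify -CAfile "$trust/bundle.pem" -crl_check "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$trust/ca.crt" "$cert" >/dev/null 2>&1
    fi
}

# expect 0|1 DESCRIPTION TRUSTDIR CERT: print a verdict, set ok=1 on surprise.
expect() {
    if trusted_by "$3" "$4"; then got=0; else got=1; fi
    if [ "$got" -eq "$1" ]; then echo "PASS: $2"; else echo "FAIL: $2"; ok=1; fi
}

# demo BASE: build the corporate CA and a rogue CA, issue and revoke, then run
# the four checks. Returns 0 only if every outcome is the one the text predicts.
demo() {
    base=$1; ok=0
    make_ca "$base/corp" "Corp Wireless Root CA"               # the in-house CA
    issue_cert "$base/corp" radius01.example.local radius_ext  # needed by TLS, TTLS and PEAP
    issue_cert "$base/corp" laptop-042 client_ext              # needed only by EAP-TLS
    make_ca "$base/rogue" "Somebody Elses CA"                  # an attacker's own CA
    issue_cert "$base/rogue" radius01.example.local radius_ext # impostor, same name
    revoke_cert "$base/corp" laptop-042                        # laptop reported stolen
    expect 0 "supplicant accepts the real RADIUS server certificate" "$base/corp" "$base/corp/radius01.example.local.crt"
    expect 1 "supplicant rejects impostor with the same name from an untrusted CA" "$base/corp" "$base/rogue/radius01.example.local.crt"
    expect 0 "the impostor passes only if the client trusts the wrong CA" "$base/rogue" "$base/rogue/radius01.example.local.crt"
    expect 1 "RADIUS rejects the stolen laptop's revoked client certificate" "$base/corp" "$base/corp/laptop-042.crt"
    return $ok
}

demo "$(mktemp -d)"
```

Two things the script makes concrete: the impostor's certificate is technically flawless, and the only thing separating it from the real one is which root the client has in its trusted store; and revocation only bites because trusted_by actually loads the CRL. A real supplicant should additionally check that the server name in the certificate matches the RADIUS server it expects, and a real RADIUS server must be configured to fetch the CA's CRL on a schedule.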
Odyssey can hold multiple authentication types and network profiles, so it can be used in several locations that have slightly different security rules. For example, it can try PEAP first and, if that doesn't work, fall back to LEAP.
These mechanisms are called mutual authentication systems. That is, both the client and the server verify the identity of the other: the client checks the server's certificate, and the server checks either the client's certificate (TLS) or the username and password sent inside the tunnel (TTLS and PEAP).
Setting up a Certificate Authority can be intimidating, but for basic wireless security along with RADIUS it can be straightforward and will take only a few hours of work if you're setting up a new server.
For more information on certificate-based security, email me at chuckb@wavonline.com