In the first part of this series on wireless LAN authorization, we explored how to secure guest wireless networks. In part two, we discuss methods for wireless LAN
access control, including policy creation, device fingerprinting and integration with other network access control solutions.
When it comes to network security and wireless LAN (WLAN) access control, enterprises have made great strides. Long gone are static crackable WEP keys, and mostly gone are the third-party Wi-Fi clients and OS patches once needed to deploy stronger authentication and encryption. Today, WPA2-Enterprise is supported by Wi-Fi devices and off-the-shelf operating systems, even in small footprint devices like phones.
Yet even with these advances, WPA2-Enterprise (with 802.1X authentication and AES encryption) is still no slam dunk. 802.1X requires integrating many components, sourced from multiple vendors and often managed by different groups. Success means planning and coordination, including user account management, device provisioning and network integration. Fortunately, better tools have emerged to assist with the challenges of wireless LAN access control.
Start with group policy for WLAN access control
Enterprises using 802.1X often have a good grip on corporate-procured laptops, but that's not always the case with other wireless devices, especially when they're not purchased by IT.
IT usually adds laptops to Active Directory before they're issued, using Group Policy Objects to auto-configure 802.1X parameters to reflect each user's group memberships. Windows 7, Vista and XP all support 802.1X group policy extensions for wired and wireless clients, described by these Microsoft Windows Server 2008 R2 guidelines:
- Access Group Policy Extensions for 802.1X Wired and Wireless
- Configure 802.1X Wired Access Clients by using Group Policy Management
- Configure 802.1X Wireless Access Clients by using Group Policy Management
But now most workers carry several wireless devices that often don't run Windows and are not even purchased by IT. Some IT shops deal with this explosion of employee-purchased smartphones and tablets by treating them as guests. For example, when CFOs log onto the wireless LAN from their laptops, they may be required to connect to the corporate SSID and supply their 802.1X login to receive access based on their identity and role. However, when CFOs log onto the wireless LAN with their personal iPads, they may connect to the guest SSID for Internet-only access. This can be a "quick fix" for companies that have not yet embraced employee-owned devices, but it is not an ideal long-term strategy.
Enforce WLAN access control policy with device fingerprinting
To deal with this problem, a number of network and security products now use device fingerprinting. By observing MAC address, protocols, requests and responses, one can guess (with some confidence) a device's manufacturer, model and OS. This "fingerprint" can then be used to map devices into groups for access control, provisioning and policy purposes.
The Amigopod Visitor Management Appliance (VMA), now owned by Aruba Networks, is one example of a device fingerprinting tool. This appliance can monitor DHCP and HTTP sent by devices using a corporate network. By inspecting this traffic, the VMA could, for example, differentiate between the CFO's corporate laptop and his personal iPad, mapping each fingerprinted device to the right access policy. The CFO's laptop might be given broad access due to its trusted status, while the iPad might be limited to enterprise email and Intranet sites. However, all data sent by either device would be protected by WPA2-Enterprise, using 802.1X to control access to the corporate SSID.
Automated Wi-Fi client provisioning and configuration profiles
But this example begs the question: How was the CFO's iPad configured to access the corporate SSID? Manual configuration is one possibility, but automated provisioning is clearly preferable.
In this example, our CFO could have first connected his iPad to the guest SSID and visited a VMA-supplied self-enrollment page. The VMA would have generated a configuration profile for our CFO's iPad, delivered via email or SMS. By clicking a contained URL, the CFO could have installed 802.1X parameters and credentials, enabling iPad access to the corporate SSID.
In fact, many products now offer this type of automated Wi-Fi client provisioning. For the iPad and other iOS devices, Apple's iPhone Configuration Utility can generate (optionally locked and encrypted) Wi-Fi configuration profiles that can be sent to users, placed on websites, or installed over-the-air by mobile device managers that support iOS4 native MDM.
The latter, available from AirWatch, BoxTone, MobileIron, Sybase and others, can integrate with enterprise Active Directory enrollment and generate certificates for each approved iPad. If an iPad is lost, all MDM-installed profiles (including Wi-Fi settings) can be removed. However, MDMs are not limited to provisioning Apple devices— many can be used to enroll and provision Androids, BlackBerrys, and employee-owned laptops and netbooks.
Integrating 802.1X authentication with Network Access Control
Given an efficient way to identify new wireless devices, enroll them without IT assistance and apply access policies appropriate for each worker, WPA2-Enterprise is not nearly as daunting. But by integrating WPA2 with Network Access Control, policy enforcement will be even better.
Access points (APs) and controllers are easily configured to relay connect requests to 802.1X authentication servers— many even have built-in authentication servers that use local account databases. To ease interoperability in multivendor deployments, the Wi-Fi Alliance now tests all WPA2-Enterprise certified products for Extensible Authentication Protocol (EAP) types, including EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC, EAP-SIM, EAP-AKA, and EAP-FAST.
However, used without NAC, 802.1X operates as a simple switch: Fail and you're off the wireless LAN; pass and receive access rights appropriate for your user/group (usually via RFC 3580 VLAN tags). But when used in combination with NAC, 802.1X can enforce policy decisions based on user/group identity and device security posture. Although NAC can be done without 802.1X, together this duo can provide a more powerful one-two punch for strong enterprise wireless LAN access control.
About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.
This was first published in April 2011