Tuesday, October 30, 2007

Microsoft IAS & PEAP. What fun...

I started deploying my first large(r) Microsoft Internet Authentication Service implementation at a client a couple weeks ago, and it's been a work in progress. At first, the client was using RADIUS as a second set of authentication for their remote VPN client connections. After their wireless security was tested (and rated poorly), they decided to go with a PEAP/WPA2 auth/encryption architecture. Sounds good! Unbelievably, Microsoft has an entire certificate solution laid out for this sort of thing, with Verisign. Stop the world!

All in all, it's working out well. There's roughly 70 devices using AAA now; I have a primary IAS box, with a secondary IAS box for redundancy at the same physical site. I wish IAS config was replicated automatically, but the manual process is pretty easy. And what's with IAS proxies? WHEN DO YOU ACTUALLY NEED TO USE THEM? Are there any benchmarks to go off of?

The one area I found to be challenging was the creating specific profiles with the Remote Access Policies. Getting the right attributes as "match" criteria within the policies, AND putting the policies in the correct order for application can be difficult. Lots of trial and error. Unfortunately there isn't a ton of documentation out there on the subject, especially if you want to use the same IAS box to authenticate wireless users, VPN users, and network administrators gaining access to LAN/WAN hardware.

George Ou from TechRepublic posted his "Ultimate Guide to to Enterprise Wireless LAN Security" earlier this year, and there are a number of step-by-step guides on deploying PEAP using MS IAS as the RADIUS server. I don't know about you, but using the word "Ultimate" in a title of anything info/net sec related just makes me sweaty. Seriously, "Ultimate"? Maybe if Joshua Wright wrote it. Then again, "ultimate" is a strong word in our field.

PEAP w/ MS-CHAPv2. Secure? Sure. Most secure? Obviously not. But, if a weak password policy was a problem before implementing a wireless PEAP auth strategy, it'll always be a problem.

So there you go. My first post. Don't hate! Respect it.


No comments: