Windows logon in wireless networks implementing 802.11i
The windows domain logon procedure starts by the user providing login and password information to the operating system through the login interface. The credentials are used by the operating system to build a Kerberos authentication request which is then sent to the domain controller. The domain controller authenticates the request and issues authorization materials (Ticket Granting Ticket) which the operating system of the local device stores in memory for later use. The operating system then initiates a new session and the user can access the available applications (shares, printers, mail servers, etc…).
One of the advantages offered by Kerberos authentication is that once the user has obtained a TGT she can access various services without requiring the input of the same login/password again. For this reason, the domain logon process is usually referred a single sign on.
To perform a domain logon, the device must be able to communicate with the domain controller. For this purpose, the device must be (1) registered in the domain, and (2) an network connection is available.
Windows logon in 802.1x protected network
As explained in the previous section, devices used to perform domain logon must have a network connection available. In enterprise wireless infrastructures, network access is usually protected at the data link layer (before the device obtains an IP address) using the Extensible Authentication Protocol (EAP). Wireless devices gain network access control using their domain credentials provisioned when the device joined the domain. The credentials stored in wireless devices can be used to perform a PEAP0-MSCHAPv2 authentication to the authentication server in the local access network. Once network access is granted, the wireless station can now authenticate the user by contacting the domain controller.
If the user is authenticated successfully, the operating system performs a new EAP authentication using the user's credentials. This optional behavior is allowed in most versions of the Windows OS.
The figure below illustrates the windows logon process in secured wireless access networks.
In order for the Windows logon process as described above to succeed. The following requirements must be met :
- The station must be granted network access privilege. This requires manual configuration on the RADIUS authentication server controlling the wireless access network.
- The user must be granted network access privilege. Since the station uses the user credentials for network access control procedures. If the user is not allowed network access. She will only be able to use local applications provided by the wireless station. In order to grant network access privilege. The RADIUS authentication server managing the wireless access network must be configured accordingly.
- The RADIUS authentication server must be configured to authenticate wireless clients using PEAPv0/MSCHAP2. This requires the installation of a public key certificate and a private key on the RADIUS server.
- Since in PEAPv0/MSCHAP2 wireless stations must be able to verify public key signatures issued by the RADIUS server. The wireless stations must trust the issuer of public key certificate of the RADIUS server, and it must be able to validate the RADIUS server's certificate against revocations lists of the issuing CA.
All these requirements make the deployment and maintenance of windows logon in wireless devices a costly and strenuous task. In forthcoming articles, I will discuss risk and cost analysis of implementing windows logon on wireless devices in large scale access networks.
Update: Note that windows logon on wireless clients running Vista is slightly different, see references for more details
References
how_interactive_logon_works.pdf
Wireless Single Sign-On in Vista
How to join a windows wireless client to a domain**
| Labels: wireless, security, kerberos, windows |
|