ProCurve Networking
Secure Access Configuration Guide For Wireless Clients
Part Two: Wireless Data Privacy and Monitored Logon

Contents
Secure Access Configuration Guide For Wireless Clients ... 2
Introduction ... 2
Configuration Scenarios ... 2
Required Network Services ...
Secure Access Configuration Guide For Wireless Clients Introduction This document is Part Two of a guide that details the configuration steps for building Secure Access Solutions for Wireless Clients. Part Two of this guide creates solutions for clients using wireless data privacy or monitored logons. Part One creates solutions for clients using a browser-based logon.
Basic Setup and Topology
This basic setup and topology is used in this guide to configure the above scenarios.
Figure A – Basic Topology
© Copyright 2005 Hewlett-Packard Company, LP.
Software Versions
The table below details the software versions used for the ProCurve network equipment in this guide. For the latest software versions or more info, visit the ProCurve Networking by HP Web site (http://www.procurve.com).

Device                        Version
Switch 5300xl                 E.09.21
Access Control xl Module      4.1.3.93
Access Control Server 740wl   4.1.3.93
Access Point 420              2.0.
Step 2: Configuring the Access Control Server 740wl
This example uses an Access Control Server 740wl. The configuration steps are the same if you are using an Integrated Access Manager 760wl. Power up the ACS, connect a serial console cable and configure the following at the ACS CLI:
1. Configure an IP address, subnet mask and default gateway.
2. Configure the shared secret (secret).

HP 700wl Series@[42.0.0.1]: set ip 10.24.3.50 255.255.255.0
HP 700wl Series@[10.24.3.50]: set gateway 10.24.3.
• Enable the Access Point radio.
• Wireless SSID (x52800cb2) and channel (6).

HP ProCurve Access Point 420# configure
Enter configuration commands, one per line. End with CTRL/Z
HP ProCurve Access Point 420(config)# int eth
Enter Ethernet configuration commands, one per line.
HP ProCurve Access Point 420(if-ethernet)# no ip dhcp
HP ProCurve Access Point 420(if-ethernet)# ip addr 10.24.3.62 255.255.255.0 10.24.3.
b) Browse to Rights -> Identity Profiles and select Network Equipment. Click on New Equipment, input a descriptive name (AP 420-1) and paste the MAC address into the MAC Address field. Select the Access Point Identity Profile and save changes.
Figure C – New Equipment Page
c) Browse to Status -> Client Status and click Refresh User Rights Now. The AP 420 is now recognized by the ACS as “Network Equipment”.
Figure C – Client Status - Refresh User Rights Now
Configuring Scenario 4: Wireless Data Privacy Logon using VPN Authentication (PPTP) Scenario 4 consists of a wireless, Windows XP client authenticating via a VPN. The VPN used in this example will be a PPTP VPN. Since VPN authentication requires a RADIUS backend, we will configure the ACS to authenticate VPN users against Internet Authentication Service (IAS), Microsoft’s RADIUS implementation.
b. On the ACS, browse to Rights -> Access Policies and select the Unauthenticated Access Policy. Configure the following parameters and save changes.
• Network Address Translation: Always
• IP Addressing: Require DHCP
• Encryption: Allowed, but not required
• Encryption Protocol: PPTP
• MPPE: Stateless
• Key Length: 128 bits
• All other parameters in the default state.
Figure 4.2 – Unauthenticated Access Policy
c.
a. Follow the instructions in Configuring Scenario 3 to define a RADIUS Authentication Service and associate it to the System Authentication Policy. In addition, click the Supports Microsoft Attribute (RFC-2548) checkbox to enable the RADIUS server to authenticate the user during PPTP session negotiation.
Figure 4.3 – RADIUS Authentication Service
b. On the ACS, browse to Status -> Client Status and click Refresh User Rights Now.
3) On the AP 420, configure open authentication wireless parameters.
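Why the RFC-2548 checkbox matters: with MS-CHAP v2 the RADIUS server derives the 128-bit MPPE session keys and returns them to the ACS in the Access-Accept as MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes, wrapped with nothing more than the RADIUS shared secret and the Request Authenticator of the Access-Request. The Python below is an added example (not code from this guide, HP or Microsoft) that implements that RFC 2548 wrapping and unwrapping; the key, Request Authenticator and salt values are constructed, and the shared secret "secret" is the guide's own example value.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_mppe_key(key: bytes, shared_secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Wrap an MPPE key as the RADIUS server does (RFC 2548 2.4.2); returns Salt || ciphertext."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 bytes with the high bit set")
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    # P = Key-Length (1 octet) || Key || zero padding to a multiple of 16 octets
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out = b""
    chain = request_authenticator + salt           # b(1) = MD5(S || R || A)
    for i in range(0, len(plaintext), 16):
        keystream = hashlib.md5(shared_secret + chain).digest()
        c = _xor(plaintext[i:i + 16], keystream)
        out += c
        chain = c                                  # b(i) = MD5(S || c(i-1))
    return salt + out


def decrypt_mppe_key(string: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Unwrap the String field as the NAS (here the ACS) does."""
    salt, ciphertext = string[:2], string[2:]
    if len(salt) != 2 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed String field")
    plaintext = b""
    chain = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        plaintext += _xor(c, hashlib.md5(shared_secret + chain).digest())
        chain = c
    length = plaintext[0]
    if length == 0 or length > len(plaintext) - 1:
        raise ValueError("key length byte inconsistent: wrong shared secret?")
    return plaintext[1:1 + length]


def secret_protects_key(key, good_secret, bad_secret, request_authenticator, salt) -> bool:
    """True when the key unwraps only under the secret it was wrapped with."""
    wrapped = encrypt_mppe_key(key, good_secret, request_authenticator, salt)
    if decrypt_mppe_key(wrapped, good_secret, request_authenticator) != key:
        return False
    try:
        return decrypt_mppe_key(wrapped, bad_secret, request_authenticator) != key
    except ValueError:
        return True                                # garbage length byte: unwrap failed as it should


# Constructed sample values (not from the guide): a 128-bit MPPE key, the guide's
# example shared secret, a fixed Request Authenticator and an RFC 2548 salt.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_SECRET = b"secret"
SAMPLE_RA = bytes(range(16))
SAMPLE_SALT = b"\x80\x01"

if __name__ == "__main__":
    wrapped = encrypt_mppe_key(SAMPLE_KEY, SAMPLE_SECRET, SAMPLE_RA, SAMPLE_SALT)
    print("String field:", wrapped.hex(), "round trip:", decrypt_mppe_key(wrapped, SAMPLE_SECRET, SAMPLE_RA) == SAMPLE_KEY)
```

Because this MD5-based wrapping is all that protects the session keys between IAS and the ACS, the shared secret deserves a long random value in production rather than the short example string used here; the same attributes carry the EAP-TLS keying material to the AP 420 in Scenario 6, so its RADIUS client secret matters for the same reason.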
4) On the Windows XP client, connect the wireless client, configure PPTP client software (Windows XP native) and verify authentication.
a. Connect the wireless Windows XP client to the AP 420 using open authentication/no encryption.
b. On the Windows XP client, open the Network Connections window and click Create a new connection.
Figure 4.4 – Network Connections
c. Click Next to start the New Connection Wizard.
Figure 4.5 – New Connection Wizard
d. For the Network Connection type, select the Connect to the network at my workplace radio button and click Next.
Figure 4.6 – New Connection Wizard
e. Select the Virtual Private Network connection and click Next.
Figure 4.7 – New Connection Wizard
f. Configure a Connection Name (PPTP VPN) and click Next.
Figure 4.8 – New Connection Wizard
g. Enter 42.0.0.1 as the IP address of the VPN Server and click Next.
Figure 4.9 – New Connection Wizard
h. Choose a Connection Availability and click Next.
Figure 4.10 – New Connection Wizard
i. Click Finish to complete the New Connection Wizard.
Figure 4.11 – New Connection Wizard
j. At the VPN connection window, click the Properties button.
Figure 4.12 – VPN Connection Dialog Box
k. On the Security tab, select the Advanced (custom settings) security option radio button and click the Settings button.
Figure 4.13 – VPN Properties
l. In the Advanced Security Settings window, configure the following and click OK.
• Data encryption: Maximum strength encryption (disconnect if server declines)
• Allow these protocols: MS-CHAP v2 only; deselect MS-CHAP if it is selected.
Figure 4.14 – VPN Advanced Settings
m. On the Networking tab, select PPTP VPN in the drop-down menu as the Type of VPN. Click OK to exit connection properties.
Figure 4.15 – VPN Properties
n. Enter the username (juser) and password (password) at the connection dialog box and click Connect to establish the PPTP VPN.
Figure 4.16 – VPN Connection Dialog Box
o. Validate the PPTP VPN connection in the Network Connections window.
Figure 4.17 – Network Connections
p. Double-click the Virtual Private Network Connection and select the Details tab to view connection status details.
Figure 4.18 – VPN Status Details
q. Back on the ACS, browse to Status -> Client Status and click the Refresh User Rights Now button to validate that the client is now logged in (authenticated).
Figure 4.19 – Client Status Page
r. Click on the client (juser) to get Client details. Click the View User Rights button to validate that the user is authenticated correctly.
Figure 4.20 – Client Details
Configuring Scenario 5: Wireless Data Privacy Logon using VPN Authentication (L2TP/IPSec)
Scenario 5 consists of a wireless, Windows XP client authenticating via a VPN. The VPN used in this example will be an L2TP/IPSec VPN. Since VPN authentication requires a RADIUS backend, we will configure an ACS to authenticate VPN users against Internet Authentication Service (IAS), Microsoft’s RADIUS implementation. The steps required are:
• On the ACS, enable L2TP and IPSec VPN support globally.
2) On the ACS, enable L2TP/IPSec VPN support in both the Unauthenticated and Authenticated Access Policies.
a. On the ACS, browse to Rights -> Access Policies and select the Unauthenticated Access Policy. Configure the following and save changes.
• Network Address Translation: When Necessary (this allows Real IP addressing for the inner tunnel).
• IP addressing: Require DHCP
• Encryption: Allowed, but not required
• Encryption Protocols: L2TP+IPSec
• Keep the default on all other settings
Figure 5.
c. On the ACS, browse to Status -> Client Status and click Refresh User Rights Now.
3) On the ACS, define a RADIUS Authentication Service and associate it to the System Authentication Policy.
Note: This assumes that the RADIUS server is configured and ready to authenticate clients. See Scenario 3 for more details.
a. On the ACS, browse to Rights -> Authentication Policies and click the New Service button.
Figure 5.4 – System Authentication Policy
c. On the ACS, browse to Status -> Client Status and click Refresh User Rights Now.
4) From the ACS, configure the ProCurve Access Control xl Module with the DHCP Server IP Address to allow clients to use Real IP addresses for the inner VPN tunnel.
Note: This assumes that the DHCP server is configured and ready to provide IP addresses to clients.
a. On the ACS, browse to Network -> Network Setup and select the ACM used for authenticating the client.
Figure 5.5 – Network Setup
b. On the ACS, browse to Status -> Client Status and click Refresh User Rights Now.
5) On the AP 420, configure open authentication wireless parameters.
a. From the AP 420 CLI, configure security suite 1 (open authentication, no encryption).

HP ProCurve Access Point 420# configure
HP ProCurve Access Point 420(config)# int wireless g
Enter Wireless configuration commands, one per line.
6) On the wireless Windows XP client, configure the ProCurve VPN and Windows XP VPN client software for L2TP/IPSec.
Note: This assumes that the Access Point 420 is connected to the Access Control xl Module as “Network Equipment” and the client is associated.
Using L2TP/IPSec in this scenario is a three-step process. First, the ProCurve VPN client is installed and configured. Second, the Windows XP (native) VPN client software is configured.
• Remote Party Identity ID Type: Any
• IP Address: 42.0.0.1
• Protocol: UDP
• Port: L2TP (1701)
Figure 5.7 – Security Policy Editor
e. Expand the New Connection and click My Identity. In the Select Certificate drop-down window, select “None”. Configure the following:
• Click the Pre-shared Key button and configure the IPSec preshared key to match the key used on the ACS.
• ID type: IP Address
• Port: L2TP
Figure 5.8 – Pre-Shared Key
Figure 5.9 – Security Policy Editor
f. Click Security Policy and expand to select Authentication (Phase 1) and configure the following for Proposal 1:
• Authentication Method: Pre-Shared Key
• Encryp(tion) Alg(orithm): Triple DES
• Hash Alg(orithm): SHA-1
• SA Life: Unspecified
• Key Group: Diffie-Hellman group 2
Figure 5.10 – Security Policy Editor
g.
Figure 5.11 – Security Policy Editor
h. Exit and save changes.
Step 2: Configuring the Windows XP (native) VPN client
a. On the Windows XP client, open the Network Connections window and click the Create New Connection icon to the left.
Figure 5.12 – Network Connections
b. Click Next to start the New Connection Wizard.
Figure 5.13 – New Connection Wizard
c. Click the radio button to Connect to the network at my workplace and click Next.
Figure 5.14 – New Connection Wizard
d. Click the radio button to create a Virtual Private Network connection and click Next.
Figure 5.15 – New Connection Wizard
e. Name the connection and click Next.
Figure 5.16 – New Connection Wizard
f. Configure the IP address of the VPN Server (42.0.0.1) and click Next.
Figure 5.17 – New Connection Wizard
g. Select a Connection Availability and click Next. Click Finish to complete the New Connection Wizard.
Figure 5.18 – New Connection Wizard
h. At the VPN connection dialog box, click the Properties button.
Figure 5.19 – VPN Connection Dialog Box
i. In the VPN connection properties, select the Security tab and click the radio button to select Advanced (custom settings).
Figure 5.20 – VPN Connection Properties
j. Click the Settings button, configure the following and click OK.
• Data Encryption: Require encryption (disconnect if server declines)
• Protocols: MS-CHAP v2 only
• If MS-CHAP is selected, be sure to DESELECT it.
Figure 5.21 – Advanced Security Settings
k. Click the IPSec Settings button, configure the preshared key and click OK.
Figure 5.22 – IPSec Settings
l. On the Networking tab, configure the Type of VPN to L2TP IPSec VPN and click OK.
Figure 5.23 – VPN Connection Properties
Step 3: Connect the L2TP/IPSec VPN using the Windows (native) VPN client
a. Back at the VPN connection dialog box, input the username and password and click Connect.
Note: The username and password are configured on the RADIUS server for authentication.
Figure 5.24 – VPN Connection Dialog Box
b. Validate that a successful VPN connection is established in the Network Connections window.
Figure 5.25 – Network Connections
c. Validate that a successful VPN connection is established in the ProCurve VPN Connection Monitor.
Figure 5.26 – ProCurve VPN Client
d. Validate the user login/authentication on the ACS.
Figure 5.27 – Client Status
Configuring Scenario 6: Monitored Logon 802.1x Authentication
Scenario 6 consists of a wireless, Dynamic WEP, Windows XP client authenticating via 802.1x Monitored logon. In this example, the AP 420 is the authenticator for the client and the ACS monitors the logon process. 802.1x logon authentications require both a RADIUS server (with authentication policy) and an LDAP database of users. In this example, we will be using Microsoft’s IAS (RADIUS) and Active Directory to accomplish this.
Figure 6.1 – Internet Authentication Service
b. Configure a Friendly name (AP 420-1) and enter the IP address of the Access Point (10.24.3.62). Click Next.
Figure 6.2 – New RADIUS Client
c. Ensure RADIUS Standard is selected as the Client-Vendor and configure a shared secret (secret). Click Finish.
Figure 6.3 – New RADIUS Client
3) On the Enterprise Server, create a Remote Access Policy for authentication.
a. To create a Remote Access Policy on the Enterprise Server, open IAS (Start -> Administrative Tools -> Internet Authentication Service). Right-click on Remote Access Policies and select New Remote Access Policy.
Figure 6.4 – Internet Authentication Service
b. In the Policy Wizard, select the radio button to Set up a custom policy, configure a Policy name (Wireless EAP Policy) and click Next.
Figure 6.5 – New Remote Access Policy Wizard
c. Click Add to add policy conditions.
Figure 6.6 – New Remote Access Policy Wizard
d. Select the Day-And-Time-Restrictions attribute and click Add.
Figure 6.7 – Select Attribute
e. Click the Permitted radio button to allow access anytime and click OK.
Figure 6.8 – Time of Day constraints
f. Click OK and Next to accept the Policy Conditions. Select the Grant remote access permission radio button and click Next.
Figure 6.9 – New Remote Access Policy Wizard
g. Select the Edit Profile button.
Figure 6.10 – New Remote Access Policy Wizard
h. Select the Authentication tab in the Edit Dial-in Profile window and click the EAP Methods button.
Figure 6.11 – Edit Dial-in Profile
i. Select the Add button, add the Smart Card or other certificate EAP type and click OK.
Figure 6.12 – Add EAP type
j. Click OK and Next to finish the New Remote Access Policy Wizard.
Figure 6.13 – New Remote Access Policy Wizard
4) On the ACS, define a RADIUS Authentication Service and associate it to the System Authentication Policy.
a. Refer to Scenario 3 in Part One of this guide for details on defining a RADIUS Authentication Service and associating it to the System Authentication Policy.
5) On the ACS, configure an 802.1x Authentication Service and associate it to the System Authentication Policy.
a. On the ACS, browse to Rights -> Authentication Policies -> Authentication Services and click the 802.1x Logons Service.
Figure 6.15 – System Authentication Policy
6) On the ACS, configure the Authenticated Access Policy to allow clients to use Real IP addresses (via DHCP).
a. Refer to Configuring Scenario 2 in Part One of this guide to configure the Authenticated Access Policy to allow clients to use Real IP addresses.
b. On the ACS, browse to Status -> Client Status and click Refresh User Rights Now.
7) On the AP 420, configure Dynamic WEP/802.1x and add the RADIUS Server IP address and RADIUS Key.
a.
8) On the wireless Windows XP client, configure the client for 802.1x authentication, connect and verify authentication.
Note: Connecting the client in Scenario 6 requires that the client have the appropriate client certificates for EAP-TLS Authentication and be a member of the Domain (in this case “samcorp.com”). See related documentation for more information. This example uses the Proxim Client Utility (version 3.1.2.19) for wireless Dynamic WEP/802.1x connectivity.
a.
Figure 6.17 – Profile Management
c. Select the Security tab and click the radio button to select 802.1x and set the 802.1x EAP Type to EAP-TLS. Click the Configure button.
Figure 6.18 – Profile Management
d. Select the appropriate Certificate parameters and click OK.
Figure 6.19 – Define Certificate
e. Verify wireless client authentication and IP addressing using the Proxim Client Utility.
Figure 6.20 – Proxim Client Utility
f. On the ACS Management interface, verify successful authentication by browsing to Status -> Client Status.
Figure 16.21 – Client Status
Figure 6.22 – Client Detail
To find out more about ProCurve Networking products and solutions, visit our Web site at www.procurve.com

©Copyright 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.