Monday, February 22, 2010

802.1x and Remote Desktop in Windows XP

Well, apparently there are known issues with Remote Desktop and 802.1x wireless security. I kept wondering why on earth my wireless dropped off every time I connected to my machine here at work via RDP. It wasn't a huge issue because I was hardwired in anyway, but I started doing some looking (googling) and found this:

http://technet.microsoft.com/en-us/network/dd727529.aspx

FTA:

Q. Do Remote Desktop connections work to Windows wireless clients that use 802.1X authentication?

A. Not at this time. All 802.1X-based wireless connections are affected, including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in Windows Vista and Windows Server 2008.

Well, apparently it's not going to be fixed and you need to update to Windows 7/Server 2008. Not that I'm complaining, I really am liking Windows 7!

Friday, February 19, 2010

Wireless Upgrades

Wow, I haven't updated in a while! Where to start? I am currently in the process of upgrading our firm's wireless infrastructure from a series of Linksys APs to a Cisco 2106 Controller with 1100 series lightweight POE APs. I had borrowed an AP to perform the initial wireless survey to determine the location of the new APs. I used a few free tools outlined here with great results.

I have been reading up on WPA-PEAP for authentication and it seems like it is a clear winner over traditional WEP/WPA based methods. Our domain users can connect transparently in the background so there is no passphrase or key to pass around. As for guest users, I plan to implement a guest wifi on a separate VLAN which will be firewalled. This serves two purposes: one, obviously, being that our guests and clients will be able to use the internet while in our office and be unable to touch our internal network, and the second being that it provides something for the mobile devices to connect to.

I already have the controller in place and it has already been configured. Next I needed to set up certificate services on our PDC (Primary Domain Controller) as an enterprise root certification authority and configure Internet Authentication Services (IAS whitepaper here). After setting this up and configuring RADIUS connectivity, I plugged up an AP, pulled down the config from the 2106 controller, and attempted to connect my laptop. Of course, since I am using a self-signed certificate, I needed to obtain the certificate first. This would have been easy to do via group policy; however, I still have to update the Active Directory Schema to allow WPA-PEAP to be configured with the default domain policy. So a reboot sufficed while connected via CAT5. Once the domain controller cert was trusted and the Dial-In properties were enabled for my domain account, I was able to easily connect to the new wifi.

Now that testing is complete, I still need to configure the guest wifi and place the lightweight APs in their predetermined locations. These will be running off Power Over Ethernet switches so no power adapter will be needed. They are the 1130 AG model Access Points (Cisco 1130AG), which are aesthetically pleasing as they will be within view.

Can't wait to see this system fully functional! Sure is a step up from typical WPA encryption!