Chapter 5: Windows Recommendations And Best Practices; Security; Pki - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

5 Windows Recommendations and Best Practices
The following are recommendations and best practices for deploying an IEEE 802.11 WLAN in a large
enterprise.

Security

Microsoft recommends that you use one of the following combinations of security technologies (in order
of most to least secure):
• WPA2 with EAP-TLS and both user and computer certificates - EAP-TLS is the strongest 802.1X
  authentication method supported by Windows-based wireless clients. For the highest security,
  configure your PKI to issue both user and computer certificates for wireless access.
• WPA2 with PEAP-MS-CHAP v2 and require strong user passwords - If a PKI deployment is not
  possible or desirable, you can use PEAP-MS-CHAP v2. PEAP-MS-CHAP v2 can be used to provide
  strong password-based authentication of wireless clients, but only when used in conjunction with
  the requirement of strong user password policies on your network.
• WPA with EAP-TLS and both user and computer certificates - If your wireless equipment supports
  WPA but not WPA2, use WPA with EAP-TLS.
• WPA with PEAP-MS-CHAP v2 and require strong user passwords - If your wireless equipment
  supports WPA but not WPA2 and you do not want to deploy a PKI, use WPA with PEAP-MS-CHAP
  v2.

The following combinations of security technologies (in order of most to least secure) are discouraged
except as a temporary measure while transitioning to a WPA2 or WPA-based security
configuration:
• WEP with 802.1X authentication, EAP-TLS with both user and computer certificates, and periodic
  reauthentication - If your wireless equipment does not support WPA2 or WPA, you can use WEP
  with EAP-TLS-based 802.1X authentication and both user and computer certificates. To change the
  per-client WEP encryption key for a wireless client session, force your wireless clients to periodically
  reauthenticate by configuring your wireless APs or RADIUS-based authentication servers.
• WEP with 802.1X authentication, PEAP-MS-CHAP v2, periodic reauthentication, and enforce
  strong user passwords - If your wireless equipment does not support WPA2 or WPA and you are
  not deploying a PKI, you can use the combination of WEP, 802.1X, and PEAP-MS-CHAP v2.
  However, you must also require strong user passwords and force your wireless clients to
  periodically reauthenticate.
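
One way to check a client against the ordering above, as an added example that is not from the Summit WM manual or from Microsoft: the Python below ranks a Windows WLAN profile in the XML form written by netsh wlan export profile (Windows Vista and later, an assumption about the client platform). The sample() profiles are constructed and trimmed; password policy, reauthentication intervals and which certificates are issued are not visible in a profile and are not checked.

```python
import xml.etree.ElementTree as ET

# Rank per the lists above: 1-4 recommended, 5-6 transitional only.
RANK = {
    ("WPA2", "EAP-TLS"): 1, ("WPA2", "PEAP-MS-CHAP v2"): 2,
    ("WPA", "EAP-TLS"): 3, ("WPA", "PEAP-MS-CHAP v2"): 4,
    ("WEP+802.1X", "EAP-TLS"): 5, ("WEP+802.1X", "PEAP-MS-CHAP v2"): 6,
}

def _texts(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def classify(profile_xml):
    """Return (rank, label); rank is None when the combination is not listed."""
    root = ET.fromstring(profile_xml)
    auth = (_texts(root, "authentication") or [""])[0]
    enc = (_texts(root, "encryption") or [""])[0]
    onex = (_texts(root, "useOneX") or ["false"])[0].lower() == "true"
    types = _texts(root, "Type")  # EAP method numbers: outer first, then inner
    if auth in ("WPA", "WPA2"):   # WPAPSK / WPA2PSK are not on the list
        link = auth
    elif auth == "open" and enc == "WEP" and onex:
        link = "WEP+802.1X"
    else:
        return None, f"not listed ({auth or '?'}/{enc or '?'}, 802.1X={onex})"
    if types[:1] == ["13"]:                           # 13 = EAP-TLS
        eap = "EAP-TLS"
    elif types[:1] == ["25"] and "26" in types[1:]:   # 25 = PEAP, 26 = MS-CHAP v2
        eap = "PEAP-MS-CHAP v2"
    else:
        return None, f"not listed ({link} with EAP types {types})"
    rank = RANK[(link, eap)]
    note = "recommended" if rank <= 4 else "transitional only"
    return rank, f"{link} with {eap} ({note})"

def sample(auth, enc, onex, eap_types):
    """Constructed, trimmed profile for the demo; real exports carry more elements."""
    types = "".join(f"<Type>{t}</Type>" for t in eap_types)
    return ('<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
            f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
            f"<encryption>{enc}</encryption><useOneX>{onex}</useOneX></authEncryption>"
            f"<OneX><EAPConfig>{types}</EAPConfig></OneX></security></MSM></WLANProfile>")

if __name__ == "__main__":
    for args in [("WPA2", "AES", "true", [13, 13]), ("open", "WEP", "true", [25, 25, 26]),
                 ("WPA2PSK", "AES", "false", []), ("open", "WEP", "false", [])]:
        print(args[:3], "->", classify(sample(*args)))
```
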

PKI

For the certificates used for wireless access, use the following best practices:
• To install computer certificates, use auto-enrollment - This requires the use of a Windows 2000 or
  Windows Server 2003 Certificate Services server as an enterprise CA at the issuer CA level.

Summit WM Technical Reference Guide, Software Version 5.1