Enabling Server Validation for Windows and Android 802.1X Clients
Using 802.1X authentication for your network improves its security. On the wireless side, it enables use of the Enterprise mode of Wi-Fi Protected Access (WPA) or WPA2. This allows users to receive unique usernames and passwords to log in to the Wi-Fi network, thus enabling admins to better manage access to the Wi-Fi.
802.1X requires the use of an authentication server, which is usually referred to as a Remote Authentication Dial-In User Service (RADIUS) server. Though most of the 802.1X authentication protocols are secure, they're still prone to some vulnerabilities.
PEAP, the most popular protocol, for instance is susceptible to man-in-the-middle attacks. A nearby hacker can set up a fake wireless network and RADIUS server in the hopes of users connecting and trying to authenticate, which is one step required in the process of hacking the wireless network.
Today we'll discuss server validation for 802.1X clients. This validation helps clients verify that they are speaking to the correct RADIUS server during the authentication process and not a fake server as previously mentioned.
Server Validation in Windows
In Windows Vista and later, Server Validation should be automatically enabled by Windows. However, you may want to double-check this setting:
- Open the network profile, select the Security tab, and click the Settings button.
- Ensure the Validate server certificate checkbox is marked.
- Verify that the Connect to these servers checkbox is marked and the proper address of the server is entered.
- In the list of Trusted Root Certificate Authorities, verify the correct name is chosen for the CA your RADIUS server uses.
Consider enabling some settings that aren't enabled by default as well to further prevent man-in-the-middle attacks:
- Check the Do not prompt user to authorize new servers or trusted certificate authorities checkbox so users don't accidently authorize a fake server.
- Check the Enable Identity Privacy checkbox and enter any random text to disguise the username when it's sent over the network the first time in clear-text, which still allows proper authentication.
Server Validation in Android
When connecting to an 802.1X-enabled wireless network with an Android phone or tablet for the first time you'll be prompted to enter the authentication settings. The only required settings are Identity (the username) and Password.
For increased security, however, you should manually enable server verification:
- Obtain the root CA certificate the RADIUS server uses and put it onto the device's storage, which can be accomplished by downloading from the web on the device, downloading from an email on the device, or downloading on a PC and then transferring to the device via USB.
- On the Android device, go to the Security or Location & Security settings and in the Credential Storage section tap Install from SD card or install from phone storage. If you haven't already, it will prompt you to create a password for credential storage.
- Go to the Wi-Fi or Wireless & Network settings, long tap your wireless network name and select to modify it. For the CA Certificate field, select the CA certificatefile and save the settings.
Eric Geier is a freelance tech writer — keep up with his writings on Facebook. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.
Read more on "Server OS Spotlight" »