This project is a little more advanced than some of the other pieces I've done on here. Not because it's technically difficult, but because of the software requirements are a little beyond what a regular home user would normally have...
Before diving into this, the requirements for this project is:
The friendly name is simply what'll show up in the IAS management console.
The client-vendor attribute is best set at RADIUS Standard unless your access point are one of the relatively few vendors in the list.
Message Authenticator must be checked. This is required for the authentication piece which we will come back to in the Policies later.
Even with RADIUS, you'll need a shared secret. This secret is used by the Radius server and the client, which is the WAP(s) and not by the actual wireless clients, so it's transmitted on the wired network only. Still, it should be a decent key using the same recommendations as for a strong password.
But, if you don't, you'll need the following settings:
The policy conditions should be "NAS-Port-Type matches 'Wireless - IEEE 802.11 OR Wireless - Other'". You're better off starting here, and remove the "Other" later to test if your setup will work without it.
Click the Edit Profile button to configure authentication methods and other settings. Most of these can be left as is, and you can made modifications to things like Dial-In Constraints to restrict login times and disconnect times once you got everything up and running.
To start with, nothing on the Dial-in Constraints tab should be checked. On the IP Tab, "Server settings determine IP address assignment" should be selected. On the Multilink tab, "Server determines multilink usage" should be selected.
On the Advanced tab, the only attribute should be "Service-Type" with Vendor "Radius standard" and a value of "Framed".
On the Encryption tab, check all the boxes. Once you have verified that your wireless network works, you can go back and uncheck the "No Encryption" option and test if it's still working.
The last tab is the Authentication tab, and this is where it's all done. First, uncheck everything! Then click the "EAP Methods" box. This will open the "Select EAP Providers" window, which lists the EAP types used during authentication. The only item that should be listed in the "EAP types" list box is "Protected EAP (PEAP)". If it's already there, select it, if it's not, then add it, then click the Edit button. This will bring up the "Protected EAP Properties" window, which will show you which server issued the certificate you're using, the name of the issuer, and also the EAP types used.
There's only a couple of things to ensure are set, including checking the "Enable Fast Reconnect", and the EAP type should be "Secured Password (EAP-MSCHAP v2). If it's not there, add it, selected it, and hit the "Edit" button. Check the box for "Automatically use my Windows logon name", and close out of everything...
There's one more thing that needs to be done on the AD server. The user accounts that will need to use the wireless network needs to have "Allow Access" for "Remote Access Permission" set in the dial-in tab of the user properties.
Before diving into this, the requirements for this project is:
- Microsoft Windows Server 2000 or 2003 w/AD.
- Certification server (or, you could buy a certificate from a third party certificate authority).
- RADIUS server (comes with Windows server).
- Wireless Access point that supports WPA with Radius authentication.
- Wireless network card.
- Windows XP clients with WPA patch.
- NOTE: I have gotten some questions regarding the installation and configuration of the CA server, specifically about having to issue a Server Authentication Certificate to the IAS server before authentication will work. I didn't intentionally leave anything out; my setup as described here worked without having to issue any certificates. I don't want to say it "worked out of the box", because I did spend many hours reading sometimes contradicting information about how to configure this.
- UPDATE: If you are having issues with the Certificate requirement of the configuration, please check out this article at TechRepublic for information on how to create a self-signed certificate for your server. Basically, it tells you to download the IIS 6.0 resource kit, and then install the SelfSSL 1.0 component, and walks you through the process of creating the certificate. I will be testing this in the near future, hopefully by the end of July 2007.
- Windows 2003 server standard with AD, CA and IAS.
- Linksys WAP54G wireless access point running firmware 2.06 or 2.07
- Linksys WPC54G wireless network card, driver version 3.30.15
- Windows XP Pro SP1 with WPA patch.
Creating RADIUS Client for Wireless Access point(s).
Once these two services have been installed, open the IAS management console. Step one is to create a RADIUS Client in IAS for your access point, and give it the IP address (or DNS name) of your access point. If you have more than one WAP, you can enter in an address range for the access points using using the format a.b.c.d/p, where p is the prefix length, i.e. 192.168.15.0/24. With proper planning, you should be able to reserve a range of addresses for the wireless access points and narrow down the range.The friendly name is simply what'll show up in the IAS management console.
The client-vendor attribute is best set at RADIUS Standard unless your access point are one of the relatively few vendors in the list.
Message Authenticator must be checked. This is required for the authentication piece which we will come back to in the Policies later.
Even with RADIUS, you'll need a shared secret. This secret is used by the Radius server and the client, which is the WAP(s) and not by the actual wireless clients, so it's transmitted on the wired network only. Still, it should be a decent key using the same recommendations as for a strong password.
Creating a Remote Access Policy.
To create a new Remote Access Policy, select "Remote Access Policies" in the IAS management console, right-click in the blank area in the right column, and select "New Remote Access Policy". I initially used the wizard to create the policy. Even if you choose "custom profile" during the creation of the new policy, you'll still get a lot of help in the process, so you might as well let the wizard do most of the work.But, if you don't, you'll need the following settings:
The policy conditions should be "NAS-Port-Type matches 'Wireless - IEEE 802.11 OR Wireless - Other'". You're better off starting here, and remove the "Other" later to test if your setup will work without it.
Click the Edit Profile button to configure authentication methods and other settings. Most of these can be left as is, and you can made modifications to things like Dial-In Constraints to restrict login times and disconnect times once you got everything up and running.
To start with, nothing on the Dial-in Constraints tab should be checked. On the IP Tab, "Server settings determine IP address assignment" should be selected. On the Multilink tab, "Server determines multilink usage" should be selected.
On the Advanced tab, the only attribute should be "Service-Type" with Vendor "Radius standard" and a value of "Framed".
On the Encryption tab, check all the boxes. Once you have verified that your wireless network works, you can go back and uncheck the "No Encryption" option and test if it's still working.
The last tab is the Authentication tab, and this is where it's all done. First, uncheck everything! Then click the "EAP Methods" box. This will open the "Select EAP Providers" window, which lists the EAP types used during authentication. The only item that should be listed in the "EAP types" list box is "Protected EAP (PEAP)". If it's already there, select it, if it's not, then add it, then click the Edit button. This will bring up the "Protected EAP Properties" window, which will show you which server issued the certificate you're using, the name of the issuer, and also the EAP types used.
There's only a couple of things to ensure are set, including checking the "Enable Fast Reconnect", and the EAP type should be "Secured Password (EAP-MSCHAP v2). If it's not there, add it, selected it, and hit the "Edit" button. Check the box for "Automatically use my Windows logon name", and close out of everything...
There's one more thing that needs to be done on the AD server. The user accounts that will need to use the wireless network needs to have "Allow Access" for "Remote Access Permission" set in the dial-in tab of the user properties.