Before trying to connect to your wireless network from a workstation, first make sure that the AD user account you're going to test is configured to let the IAS server determine the RAP. Open the MMC Active Directory Users and Computers snap-in, find the user account, open its Properties dialog box, and select the Dial-in tab. Verify that Remote Access Permission is set to Control access through Remote Access Policy, as Figure 4 shows. The wireless network would also work if you selected Allow access, but an explicit Allow overrides the Grant or Deny setting of whichever RAP matches the connection, so Control access through Remote Access Policy gives you more control and eases maintenance. Remote Access Permission governs every type of remote access (dial-in, VPN, wireless), and you might not want to grant all of them to a user. When you select Control access through Remote Access Policy, the RAPs on the IAS server, such as the one we created earlier, decide each type of remote access through group memberships and other conditions. Then, when a user tries to connect to the wireless network, the AP forwards the authentication to the IAS server. The IAS server validates the user's credentials against AD, checks that the user belongs to the group you specified in your RAP, and replies to the AP. The IAS server instructs the AP to admit the user only if all three conditions hold: the credentials are authentic, the user matches the conditions of a RAP that grants wireless access, and the user's AD account doesn't explicitly deny remote access permission.
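The Dial-in tab setting is stored in the user object's msNPAllowDialin attribute (TRUE for Allow access, FALSE for Deny access, absent for Control access through Remote Access Policy), which makes it easy to audit across the domain and to predict what the IAS server will decide before you test. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; PowerShell and the ActiveDirectory module post-date the article, but the attribute and its meaning are unchanged. The user names, group memberships and the wireless group's distinguished name are constructed for the example, and the real Get-ADUser and Set-ADUser calls are shown commented out so the script runs without a domain.

```powershell
# Added example (not from the article): audit the Dial-in tab setting and
# predict the IAS decision for a RAP whose only condition is group membership.
# The tab maps onto the msNPAllowDialin attribute of the user object:
#   $true  -> Allow access
#   $false -> Deny access
#   absent -> Control access through Remote Access Policy
# Users, memberships and the group DN below are constructed for the example.
$WirelessGroupDn = 'CN=Wireless Users,OU=Groups,DC=corp,DC=example'   # assumed name
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $null;  MemberOf = @($WirelessGroupDn) }  # policy decides
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $true;  MemberOf = @() }                  # explicit Allow
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $false; MemberOf = @($WirelessGroupDn) }  # explicit Deny
    [pscustomobject]@{ SamAccountName = 'dave';  msNPAllowDialin = $null;  MemberOf = @() }                  # not in group
)
# Real query (ActiveDirectory module, domain access required):
# $SampleUsers = Get-ADUser -Filter * -Properties msNPAllowDialin, memberOf

function Get-DialinPermission {
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $v = $User.msNPAllowDialin
        $state = if ($null -eq $v) { 'ControlThroughPolicy' } elseif ($v) { 'Allow' } else { 'Deny' }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Permission      = $state
            # An explicit Allow replaces the Grant/Deny setting of the RAP that
            # matches the connection, so flag it for review.
            OverridesPolicy = ($state -eq 'Allow')
        }
    }
}

# Expected outcome for one RAP (condition: member of $WirelessGroupDn),
# assuming the user's credentials are correct.
function Test-ExpectedWirelessAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$User,
        [bool]$PolicyGrantsAccess = $true   # the RAP's own Grant/Deny setting
    )
    process {
        $perm    = ($User | Get-DialinPermission).Permission
        $inGroup = @($User.MemberOf) -contains $WirelessGroupDn
        $result  = switch ($perm) {
            'Deny'  { 'Denied: account dial-in property set to Deny' }
            default {
                if (-not $inGroup) { 'Denied: no matching RAP (not in wireless group)' }
                elseif ($perm -eq 'Allow' -or $PolicyGrantsAccess) { 'Granted' }
                else { 'Denied: matching RAP is set to deny remote access permission' }
            }
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Permission = $perm; InGroup = $inGroup; Expected = $result }
    }
}

$SampleUsers | Test-ExpectedWirelessAccess | Format-Table -AutoSize

# Accounts whose access no longer depends on the RAP's Grant/Deny setting:
$SampleUsers | Get-DialinPermission | Where-Object OverridesPolicy

# Put an account back under policy control by clearing the attribute
# (real command; not run against the sample objects):
# Set-ADUser -Identity bob -Clear msNPAllowDialin
```

Run it as-is to see the classification and the predicted outcome for each constructed user; uncomment the Get-ADUser line to audit real accounts. Any account that comes back with OverridesPolicy set is one you should either move back to Control access through Remote Access Policy or document as a deliberate exception.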
Configuring a Workstation
To configure a workstation's wireless network connection to authenticate by using 802.1x and PEAP, you need XP with SP1 or you need Win2K with the Microsoft 802.1x Authentication Client for Win2K, which you can download from http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp. If you have Microsoft Premier and Alliance Support contracts, you can also obtain 802.1x clients for NT and Win98. The workstation doesn't need to be a member of the domain, although that can simplify the connection process, as I'll explain later.
Open the Control Panel Network Connections applet. Open the wireless network connection's Properties dialog box, and select the Wireless Networks tab. In the list under Available networks, you should see the SSID of the AP you just set up. Select it and click Configure to open the Wireless network properties dialog box. On the Association tab, select Open for Network Authentication and WEP for Data encryption, and select The key is provided for me automatically: WEP is still the cipher on the air, but the key is now a per-session key that 802.1x delivers to the client after a successful authentication (distributing keys is one of 802.1x's main functions). Clear This is a computer-to-computer (ad hoc) network; wireless access points are not used.
Switch to the Authentication tab, which Figure 5 shows. Select Enable IEEE 802.1x authentication for this network, and select Protected EAP (PEAP) as the EAP type. Clear the remaining two check boxes. (The first of these, Authenticate as computer when computer information is available, lets a domain-joined machine authenticate with its computer account before anyone logs on; it works with PEAP and MSCHAP v2 as well as with certificates, but it isn't needed for this example.) Click Properties to display the Protected EAP Properties dialog box. You have a choice here. The Validate server certificate check box configures this client so that it will connect to the wireless network only if the IAS server's certificate chains to a trusted root (and, optionally, carries one of the server names you list). This option is your real defense against impostor APs that an attacker might set up in your vicinity, but it requires you to import your root CA's certificate into the workstation's Trusted Root Certification Authorities store, which increases the setup work on each client. Going without the certificate check leaves the impostor-AP attack open, and MSCHAP v2's mutual authentication doesn't close it: the client sends its challenge response before the server has proved anything, so an impostor AP backed by an attacker-controlled RADIUS server can complete the (unvalidated) TLS tunnel, collect that response, and guess the password offline; the server's failed proof merely ends the session afterwards. For this walkthrough, I cleared the Validate server certificate option; for a production deployment, select it.
For the Select Authentication Method drop-down box in the Protected EAP Properties dialog box, select Secured password (MSCHAPv2) and click Configure. You'll see the EAP MSCHAPv2 Properties dialog box. Again, you have an option. The default setting is Automatically use my Windows logon name and password (and domain if any). This setting causes the workstation to use whatever username and password the user entered when he or she logged on to the workstation, as well as the domain name if the user logged on with a domain account. For users who don't have a domain account in the same domain as the IAS server (or a trusted domain), clear this check box. When the box is cleared and the user tries to access the network, the workstation displays a pop-up notification that asks for the user's credentials. Also, remember to clear this option on the computer of a visitor who needs to access your network. You can create a temporary account for the visitor that provides only network access.
Now click OK in all the dialog boxes. Within a few seconds, the workstation should prompt you for your credentials (unless you left it set to use the Windows logon credentials). After you enter them correctly, you should be able to access the network. If you can't, make sure the workstation has obtained an IP address from your DHCP server. If you receive a message informing you that the logon failed, check the System log on your IAS server for events from the IAS source; a rejection event names the user and the reason (bad password, no matching policy, dial-in permission denied), which is the quickest way to troubleshoot RADIUS problems.
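The System log gives you one event per attempt. If you also turn on request logging in IAS format (Remote Access Logging in the IAS console), you get one line per RADIUS packet and can summarize rejections per user and reason, which separates a mistyped password from a user who isn't in the RAP's group or whose account is set to Deny. The following PowerShell is an added example, not code from the original article or from Microsoft. The log lines are constructed for the example and follow the IAS log layout (NAS IP, user name, date, time, service, computer, then attribute-ID/value pairs). The attribute IDs and reason-code meanings in the tables (4129 SAM-Account-Name, 4136 Packet-Type, 4142 Reason-Code; reason 16 bad password, 48 no policy matched, 65 dial-in denied, and the others) are my reading of Microsoft's IAS log documentation and should be treated as an assumption to confirm against your server's documentation.

```powershell
# Added example (not from the article): triage IAS-format request logs.
# Sample lines are constructed; layout: NAS-IP, User-Name, Date, Time,
# Service-Name, Computer-Name, then attribute-ID/value pairs.
# Attribute IDs and reason codes below are an assumption based on Microsoft's
# IAS log documentation as I remember it: confirm them against your server.
$SampleLog = @'
10.0.0.5,CORP\alice,06/01/2004,09:12:01,IAS,IAS1,6,2,7,1,61,19,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\alice",4136,1
10.0.0.5,CORP\alice,06/01/2004,09:12:01,IAS,IAS1,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\alice",4136,2,4142,0
10.0.0.5,CORP\bob,06/01/2004,09:13:44,IAS,IAS1,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\bob",4136,3,4142,16
10.0.0.5,CORP\bob,06/01/2004,09:14:02,IAS,IAS1,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\bob",4136,3,4142,16
10.0.0.5,CORP\carol,06/01/2004,09:20:15,IAS,IAS1,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\carol",4136,3,4142,48
10.0.0.5,CORP\dave,06/01/2004,09:21:30,IAS,IAS1,4108,"10.0.0.5",4128,"AP-Lobby",4129,"CORP\dave",4136,3,4142,65
'@

$PacketType = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }
$ReasonCode = @{
    0  = 'Success'
    8  = 'No such user'
    16 = 'Bad user name or password (credentials not authentic)'
    34 = 'Account disabled'
    36 = 'Account locked out'
    48 = 'No remote access policy matched (check RAP conditions / group)'
    65 = 'AD dial-in property set to Deny access'
}

function ConvertFrom-IasLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Split on commas outside double quotes, then drop the quotes.
    $f = @($Line -split ',(?=(?:[^"]*"[^"]*")*[^"]*$)' | ForEach-Object { $_.Trim('"') })
    $attrs = @{}
    for ($i = 6; $i + 1 -lt $f.Count; $i += 2) { $attrs[[int]$f[$i]] = $f[$i + 1] }
    $user   = if ($attrs.ContainsKey(4129)) { $attrs[4129] } else { $f[1] }
    $reason = if ($attrs.ContainsKey(4142)) { [int]$attrs[4142] } else { $null }
    [pscustomobject]@{
        NasIp      = $f[0]
        User       = $user
        Timestamp  = "$($f[2]) $($f[3])"
        PacketType = $PacketType[[int]$attrs[4136]]
        Reason     = $reason
        Attributes = $attrs
    }
}

function Get-IasRejectSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-IasLogLine $_ } |
        Where-Object { $_.PacketType -eq 'Access-Reject' } |
        Group-Object User, Reason |
        ForEach-Object {
            $first   = $_.Group[0]
            $meaning = if ($ReasonCode.ContainsKey($first.Reason)) { $ReasonCode[$first.Reason] } else { 'Unknown reason code' }
            [pscustomobject]@{
                User     = $first.User
                Rejects  = $_.Count
                Reason   = $first.Reason
                Meaning  = $meaning
                LastSeen = ($_.Group | Select-Object -Last 1).Timestamp
            }
        } | Sort-Object Rejects -Descending
}

# Run against the constructed sample; for a real server pass Get-Content of
# the IAS log file (for example IN0406.log under System32\LogFiles).
Get-IasRejectSummary ($SampleLog -split '\r?\n') | Format-Table -AutoSize
```

Point it at a real file with Get-IasRejectSummary (Get-Content C:\Windows\System32\LogFiles\IN0406.log); the monthly file name is an example. The three reason codes 16, 48 and 65 in the sample correspond to the three conditions the IAS server checks: authentic credentials, a matching RAP, and no explicit Deny on the account.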
We're done! With one Windows Server 2003 system, an AP with 802.1x support, your existing AD domain, and XP, Win2K, NT, or Win98 workstations, you can build a much more secure wireless network. Using PEAP, you can leverage your existing AD user accounts for controlling access to the network and avoid creating redundant credentials for each user or rolling out an extensive PKI. The 802.1x standard takes care of WEP's worst key-handling problems: keys are per user and per session, can be rotated by the AP, and are never typed into a client. It doesn't fix the weaknesses of WEP's RC4 encryption itself; when your APs and clients support WPA, the same IAS and PEAP setup carries over and WPA replaces WEP's encryption. After the initial IAS and AP setup, all you have to do is enable 802.1x authentication on your client workstations. Then everyone can enjoy the benefits of wireless networking without losing sleep over security.
Great article, but has anyone tried to enable WPA on a 2003 server computer? I know it works on XP with the appropriate patches, but no luck with just a 2003 server.
Bill O'Sullivan May 07, 2004
I must be missing something. I am getting a message "A certificate could not be found that can be used with this Extensible Authentication Protocol" when I click on the configure button when adding the RAP. Am I supposed to be creating a certificate prior to this? I am logged on as a domain and enterprise admin. Thanks.
gibby111 June 01, 2004
I followed the article to the letter and I get the same error message as gibby111. I checked in the CA and the certificate was created, the RAP doesn't seem to know where to look for it. I would like to get this to work so more information would be helpful.
Kat Zumbach June 02, 2004
I am having the same problem that Gibby111 has. As far as I know, we created the certificate already, but for some reason it doesn't seem to work. Does anyone have any ideas? Thanks
Hector Matos June 07, 2004
gibby111 - you're not alone. I'm getting the *same* error! Tried searching TechNet, got nothing. I'm stumped. Anyone know how to get around this? I've verified that a cert. does exist!
Now, I installed as an enterprise sub-CA. Already have Root CA (Win2K). Does the root need to be 2K3?
omslaw June 08, 2004
Great article, but I too must be missing something. I couldn't locate a certificate while configuring the EAP.
ZumbachKat June 09, 2004
I enjoyed this article but found that it wasn't nearly as simple as the article made it out to be. I still have not been able to get the AP to talk to the radius server. The wireless router can ping the radius but the radius cannot ping the wireless router.
Stephen Ben June 11, 2004
Am I reading this right... that WEP is not needed here?
Oje Alexis June 16, 2004
I am getting the same error as above. I followed the instructions. What am I missing?
bobo June 22, 2004
The certificate error is stopping a lot of people from being able to implement this wonderful plan. C'mon, Randy. Post us a fix!