XP computers that have Service Pack 1 (SP1) and an 802.11b NIC have built-in support for 802.1x networks, and 802.1x-compliant APs are common. The only other component that needs to support 802.1x is the RADIUS server, support that the Internet Authentication Service (IAS) RADIUS server in Windows 2003 provides. (Win2K Server SP3 provides 802.1x client support but doesn't provide IAS.) Windows 2003 IAS can verify credentials stored in a Windows 2003 or Win2K AD domain, the server's local SAM, or an NT domain. Unless you choose to purchase a third-party certificate for your RADIUS server from a commercial Certificate Authority (CA) or you already have an in-house CA, you need one more component: Microsoft Certificate Services, which you can install on the same Windows 2003 computer that's running IAS. Why do you need a CA in this scenario that uses password-based rather than certificate-based client authentication? Because PEAP requires the RADIUS server to possess a certificate for server-to-client authentication. In this scenario, we'll use Certificate Services to issue one certificate to the IAS server. Figure 1 shows all the components involved in our secure wireless network.
To build our secure wireless network, we install Windows 2003, then install and configure Certificate Services and IAS. Next, we set up the wireless AP and configure it to use RADIUS to contact the IAS server to handle client connection requests. In this particular example, I use D-Link Systems' AirPremier Enterprise DWL-1000AP+ AP, but many other APs from Cisco Systems, Linksys, NETGEAR, and others support 802.1x. Last, we configure a client workstation to authenticate to our wireless network.
Setting Up Windows 2003
After installing Windows 2003 with default settings, you need to make a few adjustments. If you haven't already joined the server to your AD domain during installation, do so now. Next, bear in mind that your APs need to be able to find your IAS RADIUS server, so make sure the server has a static IP address or that its DNS name is being correctly updated in your DNS by pinging the server from some other computer on the network. I prefer a static IP address for crucial servers such as RADIUS servers because failure can affect many users.
Next, install Microsoft IIS, which Certificate Services requires. When you install it, be sure to enable support for Active Server Pages (ASP), which Certificate Services also requires. To install IIS, open the Control Panel Add/Remove Programs applet. At the Add or Remove Programs dialog box, select Add/Remove Windows Components. In the Windows Components Wizard, select Application Server (aka IIA) and click Details. Select Application Server Console and Internet Information Services (IIS), as Figure 2 shows. When you select Internet Information Services (IIS), click Details so that you can select which IIS components to install. In the Internet Information Services (IIS) dialog box, disable everything except Common Files, Internet Information Services Manager, and World Wide Web Service. When you select World Wide Web Service, click Details to specify which components of World Wide Web Service should be installed. At the World Wide Web Service window, select only Active Server Pages and World Wide Web Service. During this process, you'll notice that, in keeping with Microsoft's new emphasis on security, IIS isn't installed automatically, and that when you do install IIS, all dynamic-content components, such as ASP, are disabled. Now click OK in all the dialog boxes and complete the Windows Components Wizard.
Now that IIS is installed, you can install Certificate Services. Start the Windows Components Wizard again and select Certificate Services. Click Details and verify that both Certificate Services CA and Certificate Services Web Enrollment Support are selected. Click OK and complete the wizard. The wizard will ask you what type of CA to configure this computer as. You definitely want an enterprise CA so that it will integrate with AD, but you need to choose between a Root Enterprise CA and a Subordinate Enterprise CA. If you currently have no enterprise CA in your domain, you must make this new enterprise CA a root CA. But if you already have a root enterprise CA, you can make the new CA a subordinate of the existing root. Using root and subordinate CAs facilitates large, maximum-security PKIs that include special measures for protecting CAs from compromise. In this article, we'll keep things simple and make our new CA a root enterprise CA. Continue with the wizard and accept all the default settings proposed for Certificate Services. After your CA is installed, you'd typically need to use a certificate issued by your CA to enroll your IAS server, but because our IAS server is on the same computer as Certificate Services, IAS will be able to use the signed certificate issued by the Certificate Services server to itself.
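Before moving on to the AP, it is worth confirming that the server you just built actually satisfies the requirements stated above: the APs can resolve the RADIUS server's name to its static address, Certificate Services and IAS are running, and the IAS server holds a certificate that PEAP can use for server-to-client authentication (a valid certificate with a private key, a Server Authentication extended key usage, a subject name matching the server's FQDN, and a chain that builds to the enterprise root). The following PowerShell script is an added example, not part of the original article or a Microsoft-supplied tool; it assumes the service short names CertSvc and IAS, that the server certificate lives in the LocalMachine\My store, and placeholder values for the FQDN and static IP that you replace with your own. Windows 2003 does not ship with PowerShell, so you would install PowerShell 1.0 on the server (or run the script from a later Windows machine against an exported certificate) to use it.

```powershell
# Added post-setup check for the IAS/Certificate Services server.
# Assumed: service names "CertSvc" and "IAS", the cert store
# Cert:\LocalMachine\My, and the placeholder FQDN/IP values below.
function Test-RadiusServerSetup {
    param(
        [string]$RadiusFqdn = "ias01.corp.example.com",   # placeholder, replace
        [string]$ExpectedIp = "10.0.0.10"                  # placeholder, replace
    )
    $problems = @()

    # 1. APs find the RADIUS server by name, so DNS must hand back the static IP.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($RadiusFqdn) |
            ForEach-Object { $_.IPAddressToString }
        if ($addrs -notcontains $ExpectedIp) {
            $problems += "DNS returns [$($addrs -join ', ')] for $RadiusFqdn; expected $ExpectedIp"
        }
    } catch {
        $problems += "DNS lookup of $RadiusFqdn failed: $($_.Exception.Message)"
    }

    # 2. Certificate Services and IAS must be installed and running (assumed short names).
    foreach ($svcName in "CertSvc", "IAS") {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            $problems += "service $svcName is not installed"
        } elseif ($svc.Status -ne "Running") {
            $problems += "service $svcName is $($svc.Status), not Running"
        }
    }

    # 3. PEAP needs a server-authentication certificate the clients can verify.
    $serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
    $now = Get-Date
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $ekus = @()
        if ($ekuExt -ne $null) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $cert.HasPrivateKey -and
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
        $cert.Subject -match ("CN=" + [regex]::Escape($RadiusFqdn)) -and
        ($ekus -contains $serverAuthOid) -and
        $cert.Verify()                     # chain builds to a trusted root (the enterprise CA)
    })
    if ($usable.Count -eq 0) {
        $problems += "no valid Server Authentication certificate with a private key for CN=$RadiusFqdn in LocalMachine\My"
    } else {
        foreach ($c in $usable) {
            Write-Host ("usable PEAP server certificate: thumbprint {0}, issuer {1}, expires {2}" -f
                $c.Thumbprint, $c.Issuer, $c.NotAfter)
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host "RADIUS server setup looks complete."
        return $true
    }
    $problems | ForEach-Object { Write-Host ("PROBLEM: " + $_) }
    return $false
}

# Usage: run on the IAS server after the steps above, with your own values.
if (-not (Test-RadiusServerSetup -RadiusFqdn "ias01.corp.example.com" -ExpectedIp "10.0.0.10")) {
    exit 1
}
```

The Server Authentication EKU check matters because a certificate issued from a template without that purpose is accepted by the CA but rejected by the PEAP client, which surfaces as a failed wireless logon rather than an obvious server error; running this before touching the AP separates server problems from AP and client problems.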