Installing IAS
Now you're ready to install IAS. Return to the Windows Components Wizard, select Networking Services, and click Details. Enable Internet Authentication Service and complete the wizard. To configure IAS, open the Microsoft Management Console (MMC) Internet Authentication Service snap-in under Administrative Tools. Then, right-click the root of the tree pane and select Register Server in Active Directory.
Next, create a new RADIUS client account for the AP. The AP will use this account to authenticate itself to the IAS server and subsequently request authentication on behalf of wireless clients. Right-click the RADIUS Clients folder in the tree pane and select New RADIUS Client, which displays the first window of the New RADIUS Client Wizard. Enter the "friendly" name you use for the AP as well as its IP address or DNS address and click Next. On the next wizard page, make sure that Client-Vendor is set to RADIUS Standard so that IAS and the AP will successfully communicate. Also, enter a complex string of characters into the two shared-secret fields. Make a note of this secret because you'll need to enter the same information on your AP. Finally, select the Request must contain the Message Authenticator attribute check box to require full authentication from the RADIUS client (for your AP) by using the shared secret. Click Finish.
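What the "Request must contain the Message Authenticator attribute" check box actually enforces is an HMAC-MD5 keyed with the shared secret over the whole Access-Request (RFC 2869, section 5.14), so an AP that does not hold the same secret cannot produce a request IAS will accept, and a request altered in transit fails the check as well. The following Python program is an added example, not code from the article or from Microsoft; it builds a RADIUS Access-Request with a valid Message-Authenticator, then verifies it on the server side the way a RADIUS server configured with that option would. The shared secret, user name and AP address are constructed sample values, not values from the page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)
MAC_LEN = 16      # HMAC-MD5 output size


def attribute(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_unsigned_access_request(identifier, request_authenticator, attrs):
    """Access-Request with no Message-Authenticator: the case the IAS check box rejects."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + request_authenticator + body


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Access-Request with Message-Authenticator = HMAC-MD5(secret, packet) where the
    attribute's own 16-byte value is zero while the MAC is computed (RFC 2869 5.14)."""
    body = b"".join(attrs)
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MAC_LEN)
    total = HEADER_LEN + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, total) + request_authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Yield (type, value, offset) for each attribute; raise on a bad length field."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack_from("!BB", packet, pos)
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, packet[pos + 2:pos + attr_len], pos
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """Server-side check: True only if exactly one well-formed Message-Authenticator is
    present and matches; missing, duplicated, malformed or mismatching all give False."""
    if len(packet) < HEADER_LEN:
        return False
    _, _, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        return False
    found = None
    try:
        for attr_type, value, offset in parse_attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != MAC_LEN or found is not None:
                    return False
                found = (value, offset)
    except ValueError:
        return False
    if found is None:
        return False   # the attribute is required, so its absence is a rejection
    value, offset = found
    zeroed = packet[:offset + 2] + b"\x00" * MAC_LEN + packet[offset + 2 + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def demo():
    """Constructed traffic: one good request, then the three failure cases the check catches."""
    secret = b"constructed-shared-secret"   # stand-in for the secret typed into IAS and the AP
    request_authenticator = os.urandom(16)  # the per-request random Request Authenticator
    attrs = [
        attribute(ATTR_USER_NAME, b"CORP\\alice"),                       # constructed user
        attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 2])),          # constructed AP address
        attribute(ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0f\x01CORP\\alice"),  # EAP Response/Identity
    ]
    good = build_access_request(secret, 7, request_authenticator, attrs)
    tampered = bytearray(good)
    tampered[HEADER_LEN + 2] ^= 0x01        # flip one byte of User-Name "in transit"
    return {
        "valid": verify_message_authenticator(secret, good),
        "wrong_secret": verify_message_authenticator(b"mistyped-secret", good),
        "tampered": verify_message_authenticator(secret, bytes(tampered)),
        "no_authenticator": verify_message_authenticator(
            secret, build_unsigned_access_request(7, request_authenticator, attrs)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints `valid` as True and the other three cases as False. The practical consequence for the setup described above is that a secret mistyped on either the AP or the IAS client record shows up as every wireless authentication being rejected before the user's credentials are even examined, which is the first thing to check when 802.1x clients cannot associate.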
Your IAS server is now ready to accept RADIUS messages from your AP, except for one thing. IAS's default Remote Access Policy (RAP) automatically rejects any clients that try to connect, even if their authentication credentials are good. Therefore, you need to create a new RAP that grants access to wireless clients that properly authenticate. In the Internet Authentication Service snap-in, right-click Remote Access Policies in the tree pane. Select New Remote Access Policy and click Next on the first page of the New Remote Access Policy Wizard. On the next page, select Use the wizard to set up a typical policy for a common scenario, enter a name such as Allow Domain Users to connect wirelessly for this new RAP, then click Next. The next page asks you to select the access type: select Wireless and click Next.
The wizard then asks which groups the user must belong to in order to gain access through this RAP. You can create a group and populate it with any subset of users to whom you wish to grant wireless access. If you want all users in the domain to have wireless access, add the Domain Users group. Click Next.
The wizard asks which authentication method you want to require for this RAP. Select Protected EAP (PEAP) and click Configure. In the Protected EAP Properties dialog box, you can select which certificate the IAS server should use to authenticate itself to clients and which EAP types should be allowed. Make sure the server's certificate issued by your CA is selected. Also ensure that the only item in the EAP Types list is Secure password (EAP-MSCHAP V2). Click OK in the Protected EAP Properties dialog box, click Next in the wizard, and click Finish to close the wizard.
Configuring the AP
Now you're ready to set up your AP. This step is one of the easiest because the AP has little to do in 802.1x communications; it's just a middleman. The specific steps required to configure an AP differ from product to product, but you configure the same settings regardless of the AP model. You must configure the AP to use 802.1x and provide the IP address of your RADIUS server as well as the shared secret you entered in the AP client account on the RADIUS server. For this example, I perform these steps on a D-Link AirPremier Enterprise DWL-1000AP+.
I'll assume that you've already configured the AP with the same static IP address that you specified when creating the AP client account on the IAS server, a Service Set Identifier (SSID), and an administrator password, and I'll focus on the 802.1x settings. You don't need to configure any actual WEP encryption keys on the AP because WEP is the very problem that 802.1x solves, but you should still configure other AP encryption settings, such as key length and lifetime. After opening my browser and logging on to the AP, I select the Advanced tab, which Figure 3 shows. All I need to do is enter the IP address of my IAS server and the shared secret that I specified when I created this AP's client record in IAS. I leave the port at its default of 1812. Notice that I can specify a second RADIUS (IAS) server. Most APs provide this option so that you can build a fault-tolerant wireless network. For more information about doing so, see the sidebar "Adding Fault Tolerance." Finally, I click Apply to save my changes. After the AP resets itself, it won't let anyone connect to the network unless he or she successfully authenticates to the IAS server.