Setting Up APs
Next, you need to configure IAS to communicate with your RADIUS clients (i.e., your APs). In the IAS snap-in, right-click RADIUS Clients and select New RADIUS Client from the drop-down list. Enter a friendly name for the RADIUS client and its hostname or IP address. Click Next.
In the Client-Vendor field, select RADIUS Standard. In the Shared secret and Confirm shared secret fields, enter a strong secret. You'll share this secret with the AP, and it will be used to authenticate and encrypt traffic between the AP and RADIUS servers. Next, select the Request must contain the Message Authenticator attribute check box, which causes IAS to require that every request from the AP carry a Message-Authenticator computed with the shared secret. Repeat these steps on each of your RADIUS servers so that every server knows about every AP.
Finally, configure your AP according to the manufacturer's instructions. At a minimum, you'll need to enter the AP's Service Set Identifier (SSID), configure it to use WPA with 802.1x or WPA2 with 802.1x (not PSK) authentication, and select TKIP (for WPA) or AES (for WPA2) as appropriate, then enter the RADIUS server information and the shared secret you configured in IAS.
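The Message Authenticator requirement above is worth seeing in concrete terms. The following Python example, added here and not code from the article or from Microsoft, builds a minimal RADIUS Access-Request and computes and verifies the Message-Authenticator attribute as RFC 2869 defines it: an HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own 16 value octets set to zero while the HMAC is computed. The shared secret, user name and NAS address are constructed sample values. The verifier refuses any request that lacks the attribute, which is the effect of the IAS check box.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869; the value is always 16 octets


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identifier, username, nas_ip,
                         request_authenticator=None, include_message_authenticator=True):
    """Build an Access-Request; by default it carries a valid Message-Authenticator."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # random per RFC 2865
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if include_message_authenticator:
        # The HMAC is computed with the attribute present but its value zeroed.
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += request_authenticator + attrs
    if not include_message_authenticator:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # replace the 16 zero octets with the real HMAC


def verify_message_authenticator(secret, packet):
    """Return True only if the packet carries a Message-Authenticator valid under `secret`.

    A packet without the attribute is rejected, which is what the IAS
    'Request must contain the Message Authenticator attribute' setting enforces.
    """
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    offset, found = 20, None
    while offset < length:                       # walk the attribute list
        if offset + 2 > length:
            return False
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > length:
            return False                         # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or found is not None:
                return False
            found = offset
        offset += attr_len
    if found is None:
        return False
    claimed = packet[found + 2:found + 18]
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)   # constant-time comparison


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, "DOMAIN\\alice", "192.0.2.10")
    print("valid:", verify_message_authenticator(secret, pkt))
    print("wrong secret:", verify_message_authenticator(b"other", pkt))
```

Without the attribute, an Access-Request is covered only by the random Request Authenticator, so a server cannot tell a request from a registered AP apart from one sent by anything else on the network; the HMAC ties every request to knowledge of the shared secret, which is why the check box is worth selecting for every RADIUS client entry.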
Testing and Troubleshooting WLAN Connectivity
After you configure your RADIUS servers and APs, you need to test connectivity and troubleshoot any problems. To test for connectivity, disable all but one AP (alternatively, test connectivity after installing your first RADIUS server and AP). On your wireless client, right-click the wireless NIC and select Properties. If you're not logged on as a member of the local Administrators group, you'll receive a warning about disabled controls. Ignore the message and click OK to dismiss it. In the Wireless Network Connection Properties dialog box, select the Wireless Networks tab. Under Preferred Networks, click Add to open the Wireless Network Properties dialog box. Enter the SSID of your wireless LAN in the Network name (SSID) field; select WPA or WPA2, as appropriate, from the Network Authentication drop-down list; then select TKIP or AES from the Data Encryption drop-down list. Click the Authentication tab and, from the EAP type drop-down list, select Protected EAP (PEAP), then click OK. Click View Wireless Networks in the Wireless Network Connection Properties screen, select the SSID for the network you just added, then click Connect. You should now be connected to your WLAN. (You won't have to repeat these steps each time you want to connect; the network is now configured to connect you automatically.)
If you're unable to connect to your WLAN, multiple sources of diagnostic information are available. Most APs maintain activity logs that show whether connectivity problems with RADIUS servers are preventing wireless clients from authenticating. IAS also maintains logs in the %systemroot%\system32\logfiles folder, which you can use to check for authentication and authorization failures. And IAS writes events to the System log that you can use to debug connectivity problems.
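To make the IAS log files useful for the troubleshooting just described, the following Python example (added here; it is not code from the article or from Microsoft) parses IAS-format log lines and summarizes which users and access points are being rejected and why. The log lines are constructed samples. The example assumes the IAS-format layout of six fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute-number/value pairs, with 4136 as Packet-Type, 4142 as Reason-Code and the standard RADIUS attribute number 32 for NAS-Identifier; the two reason-code hints are likewise assumed, so check them against the IAS documentation for your server version before relying on them.

```python
import csv
from collections import Counter

# IAS-format layout assumed here: six fixed fields, then attribute-number/value pairs.
FIXED_FIELDS = ("nas_ip", "user", "date", "time", "service", "server")
ATTR_PACKET_TYPE = "4136"    # assumed IAS attribute number for Packet-Type
ATTR_REASON_CODE = "4142"    # assumed IAS attribute number for Reason-Code
ATTR_NAS_IDENTIFIER = "32"   # standard RADIUS attribute number

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}
REASON_HINTS = {0: "success", 16: "user name or password rejected"}  # assumed subset

# Constructed sample log: alice authenticates; bob is rejected twice from two APs.
SAMPLE_LOG = r"""192.0.2.10,DOMAIN\alice,05/19/2006,09:15:02,IAS,RADIUS01,4136,1,32,AP-LOBBY
192.0.2.10,DOMAIN\alice,05/19/2006,09:15:02,IAS,RADIUS01,4136,2,4142,0
192.0.2.10,DOMAIN\bob,05/19/2006,09:16:40,IAS,RADIUS01,4136,1,32,AP-LOBBY
192.0.2.10,DOMAIN\bob,05/19/2006,09:16:40,IAS,RADIUS01,4136,3,4142,16
192.0.2.11,DOMAIN\bob,05/19/2006,09:17:05,IAS,RADIUS01,4136,1,32,AP-EAST
192.0.2.11,DOMAIN\bob,05/19/2006,09:17:05,IAS,RADIUS01,4136,3,4142,16
"""


def parse_ias_line(line):
    """Turn one IAS-format log line into a dict of the fixed fields plus decoded attributes."""
    fields = next(csv.reader([line]))
    if len(fields) < len(FIXED_FIELDS):
        raise ValueError("short IAS record: %r" % line)
    record = dict(zip(FIXED_FIELDS, fields))
    pairs = fields[len(FIXED_FIELDS):]
    attrs = {pairs[i]: pairs[i + 1] for i in range(0, len(pairs) - 1, 2)}
    record["packet_type"] = PACKET_TYPES.get(int(attrs.get(ATTR_PACKET_TYPE, -1)), "Unknown")
    record["reason_code"] = int(attrs[ATTR_REASON_CODE]) if ATTR_REASON_CODE in attrs else None
    record["nas_id"] = attrs.get(ATTR_NAS_IDENTIFIER)
    return record


def summarize(log_text):
    """Count accepts and rejects and group rejects by user, NAS address and reason code."""
    summary = {"accepts": 0, "rejects": 0, "rejects_by_user": Counter(),
               "rejects_by_nas": Counter(), "reasons": Counter(), "nas_seen": set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        summary["nas_seen"].add(rec["nas_ip"])
        if rec["packet_type"] == "Access-Accept":
            summary["accepts"] += 1
        elif rec["packet_type"] == "Access-Reject":
            summary["rejects"] += 1
            summary["rejects_by_user"][rec["user"]] += 1
            summary["rejects_by_nas"][rec["nas_ip"]] += 1
            summary["reasons"][rec["reason_code"]] += 1
    return summary


def report(summary):
    """Render the summary as text, translating the reason codes we know."""
    lines = ["accepts=%d rejects=%d" % (summary["accepts"], summary["rejects"])]
    for code, n in summary["reasons"].most_common():
        hint = REASON_HINTS.get(code, "see the IAS reason-code table")
        lines.append("reason %s (%s): %d" % (code, hint, n))
    for user, n in summary["rejects_by_user"].most_common():
        lines.append("rejected user %s: %d" % (user, n))
    for nas, n in summary["rejects_by_nas"].most_common():
        lines.append("rejects via NAS %s: %d" % (nas, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against a real file from %systemroot%\system32\logfiles by passing the file's contents to summarize(); a user rejected from several APs with the same reason code points at a credential or account problem, whereas rejects concentrated on a single NAS address point at that AP's RADIUS client entry or shared secret.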
Using Group Policy to Distribute Wireless Settings
If you're using WPA, you can use Group Policy to distribute settings to wireless clients, saving you from having to configure each client manually. (Currently, Group Policy doesn't support WPA2.) If you're running a Win2K-based AD, you'll need to install a Windows 2003 DC to update your AD schema and run Group Policy Editor (GPE) on that DC to leverage support for wireless networks.
To use Group Policy to configure access to a wireless network, log on to a DC and run the MMC Active Directory Users and Computers snap-in. I recommend that you create an organizational unit (OU) and place the computer accounts of your wireless network clients into it. Then you can apply a Group Policy Object (GPO) specific for wireless settings to the OU without affecting other systems in your forest. Launch GPE, and navigate to the Wireless Network (IEEE 802.11) Policies, which are stored under Computer Configuration, Windows Settings, Security Settings. Right-click in the MMC's right pane and select Create Wireless Network Policy to launch the Wireless Network Policy Wizard. Enter a name for the policy and a description. When you click Finish, the wizard asks whether you want to go back and edit the policy. Select Yes.
From the New Network Policy Properties dialog box, select the General tab, which displays the policy name and description. On this page, you configure the amount of time that clients should wait before they check for a policy update (180 minutes by default) and specify the networks to access. Under Networks to access, you'll see a drop-down list containing three options: Any available network (access point preferred), Access point (infrastructure) networks only, and Computer-to-computer (ad hoc) networks only. I recommend that you select Access point (infrastructure) networks only. This prevents your wireless clients from attempting to connect to other wireless clients that might be broadcasting the same SSID as one of your wireless networks—a common trick employed by hackers to try to capture data. There are two other policy settings you need to configure here. The first setting—Use Windows to configure wireless network settings for clients—stipulates that you can't use third-party software (e.g., manufacturers' utilities) to configure wireless NICs. You should select this option. The second setting—Automatically connect to non-preferred networks—determines whether clients to which the policy is applied can connect to wireless networks other than the ones listed on the Preferred Networks tab. I recommend that you don't select this option, which will prevent clients from connecting to unknown networks when they can't find a preferred network.
Next, select the Preferred Networks tab to specify the networks to which you want your clients to be able to connect. To add a network, click Add, which opens the New Preferred Setting Properties dialog box. Select the Network Properties tab and enter the network's SSID and description. You'll also see two drop-down lists. Select WPA from the Network Authentication drop-down list and TKIP or AES from the Data Encryption drop-down list. Next, open the IEEE 802.1x tab and select Protected EAP (PEAP) from the EAP Type drop-down list. Click Settings and select from the list of CAs only those you trust. Trusted CAs are those that issue certificates to your RADIUS servers. Next, select Secured Password (EAP-MSCHAP v2) from the list under Select Authentication Method. Select Enable Fast Reconnect, and click OK to save the policy.
To verify the new policy, open a command line on a wireless client, and run
gpupdate /target:computer /force
This command fetches the new policy and applies it to the wireless client. After applying the policy, you should see the wireless networks configured in your GPO listed in the Wireless Networks tab of the Wireless Network Connection Properties dialog box.
Other Options, Other Resources
If you're still using WEP to secure your wireless networks, it's time to upgrade to a more secure environment. Using 802.1x technology and PEAP authentication with WPA or WPA2 can provide a strong security infrastructure, and I hope I've simplified the configuration process for you a bit. However, there are alternatives you might want to consider for building a secure wireless network. You can check out some other options on Microsoft's site dedicated to Wi-Fi and security at http://www.microsoft.com/wifi, and find detailed guidance for securing WLANs at http://www.microsoft.com/technet/security/topics/NetworkSecurity.mspx. Another good wireless security resource is "A Secure Wireless Network is Possible," May 2004, InstantDoc ID 42273. With all these resources available and new wireless security developments appearing all the time, securing your wireless network is a goal within reach.
yet one of the steps is "Obtain certificates for RADIUS servers". Isn't this a contradiction?
MLopez, May 19, 2006