Microsoft Knowledge Base article Q816589 contains:
IN THIS TASK
SUMMARYThis step-by-step article describes how to configure a Windows Server 2003 domain to support Microsoft Windows XP Professional-based client computers that are using Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.11 access with IEEE 802.1x authentication in a wireless network.
802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management, and accounting. 802.1X supports the following Extensible Authentication Protocol (EAP) authentication methods for wireless clients and servers:
- EAP-MS-CHAP v2
EAP-TLS is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS.
back to the top
- Install and configure the primary Internet Authentication Service (IAS).
- Install a computer certificate on the IAS server computers.
- Add Wireless Access Points (WAP) that support IEEE 802.1x authentication.
- Add the wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients on the primary IAS server.
- Use the New Remote Access Policy Wizard to create a common policy for wireless access.
- Turn on guest authentication. To do so, create a group named Guests, and then add the Guest account as a member to support the installation of user certificates on your wireless clients over a wireless connection.
- Use the New Remote Access Policy Wizard to create a custom policy for new wireless clients that do not have user certificates.
- Copy the IAS configuration from the primary IAS server to the backup IAS server
- Register the primary servers and the backup IAS servers in the appropriate Active Directory domains.
- Configure Windows XP Professional client computers that are using wireless network adapters.
Note You may want to configure two IAS servers, one primary and one secondary, to provide fault tolerance for RADIUS-based authentication. If you configure only one RADIUS server, and it becomes unavailable, wireless access clients cannot connect. If you configure two IAS servers and configuring all the wireless access points (RADIUS clients) for both the primary and the secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically use the secondary IAS server.
- Install and configure a primary IAS on a Windows Server 2003 domain controller. For additional information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816586 HOW TO: Configure a Primary Internet Authentication Service Server on a Domain Controller in Windows Server 2003
- Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see the "To enable the IAS server to read user accounts in Active Directory" topic in the Windows Server 2003 Help and Support Center.
- Turn on file logging for accounting and authentication events. For more information, see the "To configure log file properties" topic in the Windows Server 2003 Help and Support Center.
- If you must do so, configure additional UDP ports for authentication and accounting messages that the RADIUS clients send. For more information, see the "To configure IAS port information" topic in the Windows Server 2003 Help and Support Center.
Note By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.
- Add the wireless access points as RADIUS clients of the IAS server. For more information, see the "To add RADIUS clients" topic in the Windows Server 2003 Help and Support Center.
- Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:
- Policy name: Wireless access.
- Access Method: Wireless access.
- User or Group: Select Group, and then specify the group you are using for wireless users.
- Authentication methods: Select Smart Card or other Certificate. If you have multiple computer certificates, click Configure, and then select the appropriate computer certificate.
- Policy Encryption Level: Select the Strongest encryption check box, and then clear all the other check boxes.
- Optionally, create a custom wireless policy to support new wireless users using the New Remote Access Policy Wizard. To do so, use the following settings:
- Policy name: New wireless access.
- NAS-Port-Type matches Wireless-Other or Wireless-IEEE 802.11.
- Windows-Groups matches Guests.
- Permission: Grant remote access permission.
- Profile settings, Dial-in Constraints tab:
- Select the Delete, and then click Yes when you are prompted to confirm the deletion.
back to the top
- Make sure that all the users who are making wireless connections have a corresponding user account in Active Directory.
- You can manage your wireless access by users or groups. To manage your wireless access by user, set the remote access permission on user accounts to Allow access or Deny access. To manage your wireless access by group, set the remote access permission on user accounts to Control access through Remote Access Policy. For more information about configuring remote permissions, see the "To configure remote access permission for a user" topic in the Windows Server 2003 Help and Support Center.
- Organize your wireless access users into the appropriate universal and nested group to use group-based remote access policies. For example, create a universal group named WirelessUsers that contains global groups of wireless user accounts.
- Configure the Guest account to permit guest access for new wireless clients. Enable reversibly encrypted password storage on the Guest account. For more information, see the "To enable reversibly encrypted passwords in a domain" topic in the Windows Server 2003 Help and Support Center.
- Create a group named Guests, and add the Guest account as a member.
- Configure the domain where the IAS server computers will be members for auto-enrollment of computer certificates. For more information, see the "To configure automatic certificate allocation from an enterprise CA" topic in the Windows Server 2003 Help and Support Center.
For information about how to contact computer hardware manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
back to the top
Certificate Services provides customizable services for issuing and managing certificates that are used in software security systems that use public key technology. Certificate Services is available on computers running Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, and Microsoft Windows Server 2003, Datacenter Edition.
Note You must also install a computer certificate on the IAS server so that the IAS server has a certificate to send to the wireless client computer for mutual authentication during the EAP-TLS authentication.
In a simple implementation, configure a single enterprise root certification authority (CA) to issue both the computer and the user certificates. If you install the computer or the user certificate on the wireless client computer, the root CA certificate for the issuing CA is also installed.
When you install the computer certificate on the IAS server, the root CA certificate for the issuing CA is also installed. Both the wireless client and the IAS server have the certificates that you must have to perform EAP-TLS authentication.
Note When an enterprise CA is installed, the installation includes the Smart Card Enrollment station. This gives the administrator the ability to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
323342 HOW TO: Install a Certificate for Use with IP Security in Windows Server 2003For more information, see the "To install a stand-alone root certification authority" topic in the Windows Server 2003 Help and Support Center.
back to the top
- For smart card authentication, use the Smart Card Enrollment station to permit you, the administrator, to act on behalf of a user, and to request and to install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card. Then, issue smart cards to the users.
- For user certificate-based authentication, the computer must request a user certificate from a Windows Server 2003 CA on the internal network. If you configured the domain to automatically allocate certificates to computers that are connected to the domain, you can connect the client computer to the domain by using a wired connection and a computer certificate is automatically issued.
For information about enabling smart card and certificate authentication, see the "To enable smart card or other certificate authentication" topic in the Windows Server 2003 Help and Support Center. For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
323342 HOW TO: Install a Certificate for Use with IP Security in Windows Server 2003
back to the top