Wireless network connectivity is everywhere, from the local coffee shop to larger corporate environments. It is easy to use and easy to configure, and that convenience makes it popular. Security isn't something that Wi-Fi is famous for, but with the use of Internet Authentication Services (IAS) and the Extensible Authentication Protocol (EAP) we can make it secure.
You are going to need a few things to get started. First you will need a Windows 2003 server with IAS and Certificate Authority (CA) services installed and running. You could purchase a third-party certificate instead of installing a CA if you like. You will also need a wireless access point (WAP) that supports RADIUS authentication as well as WPA (I use a D-Link DWL-2200AP). You will need a wireless NIC (WNIC) that supports WPA (I use a D-Link DWL-G680) and Windows XP SP2. With that out of the way, let's get to it.
To begin, we will need to configure a RADIUS client. Open the Internet Authentication Service MMC, right-click RADIUS Clients and then click New RADIUS Client. On the first page, enter a friendly name by which you can recognize the client, and the IP address of the client.
Click Next. Choose the RADIUS Standard option in the drop-down list next to Client-Vendor and enter a shared secret. Check the box next to "Request must contain the Message Authenticator attribute" and click Finish to create the RADIUS client.
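What the Message Authenticator checkbox protects, as an added example that is not part of the original article: attribute 80 is an HMAC-MD5 over the whole Access-Request keyed with the shared secret (RFC 3579), so a request that lacks it, or that was built or altered without the secret, fails verification. The secret, user name and function names below are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 61, 80
WIRELESS_IEEE_80211 = struct.pack("!I", 19)  # NAS-Port-Type value from RFC 2865

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, secret, attrs, sign=True):
    """Build an Access-Request, optionally signed with Message-Authenticator."""
    body = b"".join(attr(t, v) for t, v in attrs)
    if sign:
        body += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + os.urandom(16) + body)
    if sign:
        # HMAC-MD5 over the entire packet with the placeholder still zeroed
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """Return True only if attribute 80 is present and matches the secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # attribute missing: fails the check

# Constructed sample values, not taken from the article
SECRET = b"constructed-shared-secret"
ATTRS = [(USER_NAME, b"alice"), (NAS_PORT_TYPE, WIRELESS_IEEE_80211)]
```

Because the check depends entirely on the shared secret, the secret entered for the RADIUS client should be long and random and must match the one configured on the access point.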
Next we must create a Remote Access Policy (RAP). You can configure a RAP from the IAS MMC as well. Right-click Remote Access Policy and select New Remote Access Policy. Again, enter a friendly name by which to recognize the policy, and select Set up a custom policy before clicking Next.
On the Policy Conditions page, click Add. Select NAS-Port-Type from the list of attributes and click Add. On the NAS-Port-Type properties, choose Wireless - IEEE 802.11 and Wireless - Other.
Click OK. On the Permissions page, click Grant remote access permissions and then click Next.
Click Next again to finish the wizard. The last thing we need to set up is authentication using EAP. Right-click the Remote Access Policy you just configured and select Properties. On the properties page, click the Edit button to edit the policy's profile. Under the Authentication tab, press the EAP Methods button. Click Add on the Select EAP Providers page and choose Protected EAP (PEAP).
This will bring up the "Protected EAP Properties" window, which will show you which server issued the certificate you're using, the name of the issuer, and also the EAP types used.
Ensure that "Enable Fast Reconnect" is checked, and that the EAP type is "Secured Password (EAP-MSCHAP v2)". Select the EAP type and press the Edit button. Check the box for "Automatically use my Windows logon name", and exit all the windows. Finally, configure the Active Directory user accounts by checking Allow Access for Remote Access Permissions under the Dial-In tab.