Secure Wireless Networking with IAS and RADIUS
Unfortunately, configuring IAS isn't nearly as simple as installing it. First you need to set up support for the RADIUS clients we established earlier. Open the IAS administration tool from the Administrative Tools folder. Then right-click the "RADIUS Clients" folder in the left pane and click "New RADIUS Client." Using one of the access points we configured for RADIUS authentication earlier, type in a friendly name for the access point so that it is easily recognizable. (See Figure 4.) Then type in its IP address and click "Next." On the next screen, type in the shared secret you used in the earlier configuration. This must match exactly what you entered into each access point. Once you are done, click "Finish."
Figure 4. Configuring your RADIUS client
The next step is to configure a wireless access policy for the IAS server. Begin the process by right-clicking "Remote Access Policies" in the left pane of the IAS management window, and then clicking "New Remote Access Policy." On the first screen of the wizard, select "Use the wizard to set up a typical policy for a common scenario" and type in a policy name. The policy name should usually be something descriptive, so "Wireless Access Policy" is often a good choice. Once you have done this, click "Next." On the following screen, choose "Wireless" as your access method, and click "Next" once again. On the next screen, you will be prompted to select the users or groups from Active Directory who you wish to have wireless access. This can be all of your domain users or a select few, depending on your needs. The final step is to select an authentication method. The most common and secure way to do this is through the use of a certificate issued to the computer running IAS. The acquisition and configuration of certificates is a little beyond the scope of this article, but documentation on this subject is readily available with a quick Internet search. Once you have selected the appropriate option and configured your certificate type, click "Next," and then click "Finish."
The last thing that remains before configuring group policy is to modify the user accounts that will be in the wireless access group. In order for the users of this group to be able to successfully utilize the policy created on the IAS server, you must configure each account's dial-in properties. This is done by viewing the properties of a specific account, going to the "Dial-in" tab, and selecting "Allow Access," as shown in Figure 5.
Figure 5. Configuring a user account for dial-in access
Configuring the Wireless Clients
The last step is to configure settings for the individual computers that will be connecting to the wireless network. Some networks will have quite a few such computers, so it is fortunate that this can be done using Group Policy. Begin by opening the Group Policy Management Console and creating a new GPO. Again, name it something descriptive like "Wireless Access Policy." Also, make sure that the version of Windows Server 2003 you are running has been upgraded to Service Pack 1 so that the settings we are about to configure are accessible.
Once you have created your new GPO, edit it and browse to Computer Configuration\Windows Settings\Security Settings and double-click "Wireless Network Policies." Right-click that, select "Create Wireless Network Policy," and go ahead and breeze through the wizard, accepting the defaults.
Once you have finished with the wizard, the properties of the policy should pop up and allow you to make changes. The first thing to do is to name the policy. Once again, something simple but descriptive is always your best bet. After doing this, change to the "Preferred Networks" tab and click "Add." The first screen will require you to type in the SSID of your wireless network and select the authentication and encryption types used. If you are following this guide exactly, those will be WPA and TKIP, respectively, as you can see in Figure 6.
Figure 6. Configuring the basic SSID and encryption information
The final step in setting up this policy is to configure the IEEE 802.1x tab. It is important to make these settings match what we set up previously because this step relates to the use of certificate services. Most of the top half of the screen can be left alone, but make sure you have selected "Protected EAP (PEAP)" as your EAP type. Once you make this change, click on "Settings" and configure the policy to enable certificate verification with your organization's certificate server. Click the "configure" button to the right of the authentication method section and make sure that the box there is checked. This ensures that the username/password information for the user is transmitted to the authentication server so that the end user does not have to enter it twice. Finally, make sure "enable fast reconnect" is enabled, and your wireless policy is ready to go.
All that remains is to apply the GPO to the OUs containing your wireless workstations and wait for the policy to propagate. Once it has, you are using a secure enterprise wireless network!
Summing It Up
Although it may seem complicated to set up a RADIUS-secured wireless network, it is one of the best ways to go for an enterprise wireless security solution. A little time spent now could very easily prevent sensitive data from eventually finding its way into the wrong hands.