Wireless Group Policy WLAN Radius Part 3 WLAN Radius Config WLAN Client Config Linksys BEFSR41 Firmware Linksys BEFSR41 101 Linksys WAP54G config More Linksys BEFSR config Security how-to Writing DNS Zonefiles Is ZoneAlarm Spyware? Linksys Wishlist Sendmail spamblock Bind


Privacy Feedback

Integrating Wireless Access Points with RADIUS and AD.

This project is a little more advanced than some of the other pieces I've done on here. Not because it's technically difficult, but because of the software requirements are a little beyond what a regular home user would normally have...

Before diving into this, the requirements for this project is:

  1. Microsoft Windows Server 2000 or 2003 w/AD.
  2. Certification server (or, you could buy a certificate from a third party certificate authority).
  3. RADIUS server (comes with Windows server).
  4. Wireless Access point that supports WPA with Radius authentication.
  5. Wireless network card.
  6. Windows XP clients with WPA patch.

If you got #1, then you automatically have #2 and #3, as these are services that comes with Windows Server (with the possible exception of Windows 2003 web edition). Installing the Internet Authentication Service (IAS) and the Certificate Authority service is easy enough. IAS is installed without any questions of any kind, the CA service installation is also painless yet it does ask you to name the certificate authority.

My setup:

Creating RADIUS Client for Wireless Access point(s).Radius Client Configuration - Click for full size image.

Once these two services have been installed, open the IAS management console. Step one is to create a RADIUS Client in IAS for your access point, and give it the IP address (or DNS name) of your access point. If you have more than one WAP, you can enter in an address range for the access points using using the format a.b.c.d/p, where p is the prefix length, i.e. With proper planning, you should be able to reserve a range of addresses for the wireless access points and narrow down the range.

The friendly name is simply what'll show up in the IAS management console.

The client-vendor attribute is best set at RADIUS Standard unless your access point are one of the relatively few vendors in the list.

Message Authenticator must be checked. This is required for the authentication piece which we will come back to in the Policies later.

Even with RADIUS, you'll need a shared secret. This secret is used by the Radius server and the client, which is the WAP(s) and not by the actual wireless clients, so it's transmitted on the wired network only. Still, it should be a decent key using the same recommendations as for a strong password.

Creating a Remote Access Policy.Wireless Access Policy - Click for Full-size image.

To create a new Remote Access Policy, select "Remote Access Policies" in the IAS management console, right-click in the blank area in the right column, and select "New Remote Access Policy". I initially used the wizard to create the policy. Even if you choose "custom profile" during the creation of the new policy, you'll still get a lot of help in the process, so you might as well let the wizard do most of the work.

But, if you don't, you'll need the following settings:

The policy conditions should be "NAS-Port-Type matches 'Wireless - IEEE 802.11 OR Wireless - Other'". You're better off starting here, and remove the "Other" later to test if your setup will work without it. 

Click the Edit Profile button to configure authentication methods and other settings. Most of these can be left as is, and you can made modifications to things like Dial-In Constraints to restrict login times and disconnect times once you got everything up and running.

To start with, nothing on the Dial-in Constraints tab should be checked. On the IP Tab, "Server settings determine IP address assignment" should be selected. On the Multilink tab, "Server determines multilink usage" should be selected.

On the Advanced tab, the only attribute should be "Service-Type" with Vendor "Radius standard" and a value of "Framed".

On the Encryption tab, check all the boxes. Once you have verified that your wireless network works, you can go back and uncheck the "No Encryption" option and test if it's still working.Select EAP Providers - Click for full-sized image.

The last tab is the Authentication tab, and this is where it's all done. First, uncheck everything! Then click the "EAP Methods" box. This will open the "Select EAP Providers" window, which lists the EAP types used during authentication. The only item that should be listed in the "EAP types" list box is "Protected EAP (PEAP)". If it's already there, select it, if it's not, then add it, then click the Edit button. This will bring up the "Protected EAP Properties" window, which will show you which server issued the certificate you're using, the name of the issuer, and also the EAP types used.

There's only a couple of things to ensure are set, including checking the "Enable Fast Reconnect", and the EAP type should be "Secured Password (EAP-MSCHAP v2). EAP Properties - Click for Full-sized image.If it's not there, add it, selected it, and hit the "Edit" button. Check the box for "Automatically use my Windows logon name", and close out of everything...

There's one more thing that needs to be done on the AD server. The user accounts that will need to use the wireless network needs to have "Allow Access" for "Remote Access Permission" set in the dial-in tab of the user properties.

Configuring the Wireless Access Point.

Before we move on to the wireless clients, the Access Point have to be configured. For the Linksys access point, this is a small matter. Just click the "Edit Security Settings", and select "WPA Radius" from the dropdown list. Then select, the encryption algorithm (AES if you got it), enter the IP address of the Radius server and the shared key that was entered during the creation of the Radius client for the WAP. That's it, now move on to the wireless client.

Part 2: Configuring the client.

1999 - 2005 Lars M. Hansen