Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities

From OMAPpedia

(Difference between revisions)
Jump to: navigation, search
(Enable EAP-TLS and PEAP Authentication Capability)
(Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server)
 
(33 intermediate revisions not shown)
Line 1: Line 1:
-
=Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description=
+
=Setting Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description=
This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.   
This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.   
Line 9: Line 9:
secure LAN with enterprise authentication.
secure LAN with enterprise authentication.
-
You can also use this fragment in a lab, for testing 802.1x configurations.
+
You can use this in a lab for testing 802.1x configurations.
<pre>
<pre>
Line 27: Line 27:
-
'''<Figure.1 Infarstructure of Security LAN>'''
+
 
 +
 
 +
 
 +
[[File:Infarstructure.PNG]]
 +
 
 +
 
 +
 
Line 44: Line 50:
== Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server ==
== Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server ==
-
Before enabling the enterprise security capabilities on Windows Server, three servers are need to install first.
+
Before enabling the enterprise security capabilities on Windows Server, three (virtual) servers are need to install first.
-
* A '''domain controller (DC)''' for the wcgwifilabs.local domain, including Active Directory.
+
* A '''domain controller (DC)''' for the wcgwifilabs.local (for example) domain, including Active Directory.
* The enterprise root '''certification authority (CA)''' for the wcgwifilabs.local domain.
* The enterprise root '''certification authority (CA)''' for the wcgwifilabs.local domain.
* A '''DNS server''' for the wcgwifilabs.local DNS domain.
* A '''DNS server''' for the wcgwifilabs.local DNS domain.
Line 52: Line 58:
'''Note:'''  
'''Note:'''  
-
# <b style="color:blue"> It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local, in our lab. </b>   
+
# <b style="color:blue"> In this example the local domain is called ''wcgwifilabs.local''. This is an example name. You can use a similar name for your own local domain. If you are connecting to the company network (or a production network) use a name which doesn't conflict with any of the other domain names in your company.</b>
 +
# <b style="color:blue"> It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local. </b>   
# This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.
# This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.
Line 160: Line 167:
-
[[File:8021xUsers_Properties.jpg]]
+
[[File:8021xUsers_group_8021xuer.png]]
==== Add the Computer to the Group ====
==== Add the Computer to the Group ====
Line 235: Line 242:
* Type <b style="color:blue"> Example CA </b> in the Common name for this '''CA field''', and then click '''Next'''. Accept the default '''Certificate Database''' Settings. This is shown in the following figure. Click '''Next'''.
* Type <b style="color:blue"> Example CA </b> in the Common name for this '''CA field''', and then click '''Next'''. Accept the default '''Certificate Database''' Settings. This is shown in the following figure. Click '''Next'''.
 +
 +
 +
[[File:CA_identification_info.PNG]]
 +
[[File: Certificate_Database_Settings.jpg]]
[[File: Certificate_Database_Settings.jpg]]
 +
Line 250: Line 262:
* Open the '''Active Directory Users and Computers''' snap-in (from administrative tools).
* Open the '''Active Directory Users and Computers''' snap-in (from administrative tools).
* In the console tree, double-click '''Active Directory Users and Computers''', right-click the '''wcgwifilabs.local''' domain, and then click '''Properties'''.
* In the console tree, double-click '''Active Directory Users and Computers''', right-click the '''wcgwifilabs.local''' domain, and then click '''Properties'''.
-
* On the '''Group Poli'''cy tab, click '''Default Domain Policy''', and then click '''Edit'''. This opens the '''Group Policy Object Editor''' snap-in.
+
* On the '''Group Policy''' tab, click '''Default Domain Policy''', and then click '''Edit'''. This opens the '''Group Policy Object Editor''' snap-in.
 +
 
 +
 
 +
[[File:Group_policy.PNG]]
 +
 
 +
 
 +
 
* In the console tree, expand '''Computer Configuration''' --> '''Windows Settings'''--> '''Security Settings''' --> '''Public Key Policies''', and then click '''Automatic Certificate Request Settings'''. This is shown in the following figure.
* In the console tree, expand '''Computer Configuration''' --> '''Windows Settings'''--> '''Security Settings''' --> '''Public Key Policies''', and then click '''Automatic Certificate Request Settings'''. This is shown in the following figure.
 +
 +
 +
[[File:Automatic_certificate_request.PNG]]
 +
 +
 +
* Right-click '''Automatic Certificate Request Settings''', point to '''New''', and then click '''Automatic Certificate Request'''.
* Right-click '''Automatic Certificate Request Settings''', point to '''New''', and then click '''Automatic Certificate Request'''.
* On the '''Welcome to the Automatic Certificate Request Setup Wizard''' page, click '''Next'''.
* On the '''Welcome to the Automatic Certificate Request Setup Wizard''' page, click '''Next'''.
* On the '''Certificate Template''' page, click Computer. This is shown in the following figure.
* On the '''Certificate Template''' page, click Computer. This is shown in the following figure.
 +
 +
 +
 +
[[File:Certificate_template.PNG]]
 +
 +
* Click '''Next'''. On the '''Completing the Automatic Certificate Request Setup Wizard''' page, click '''Finish'''. The <b style="color:blue"> Computer</b> certificate type now appears in the details pane of the '''Group Policy Object Editor''' snap-in. This is shown in the following figure.
* Click '''Next'''. On the '''Completing the Automatic Certificate Request Setup Wizard''' page, click '''Finish'''. The <b style="color:blue"> Computer</b> certificate type now appears in the details pane of the '''Group Policy Object Editor''' snap-in. This is shown in the following figure.
 +
 +
 +
[[File:Group policy object editor.PNG]]
==== Configure Autoenrollment for the Client Certificate ====
==== Configure Autoenrollment for the Client Certificate ====
* In the console tree, expand '''User Configuration'''--> '''Windows Settings'''-->'''Security Settings'''-->'''Public Key Policies'''. This is shown in the following figure.
* In the console tree, expand '''User Configuration'''--> '''Windows Settings'''-->'''Security Settings'''-->'''Public Key Policies'''. This is shown in the following figure.
-
* In the '''details''' pane, double-click '''Autoenrollment Settings'''.
+
 
 +
 
 +
 
 +
[[File:Public_key_policies.PNG]]
 +
 
 +
 
 +
 
 +
* In the '''details''' pane, double-click '''Autoenrollment Settings''', the window of '''Autoenrollment Settings Properties''' will show up.
 +
 
 +
 
 +
 
 +
[[File:Autoenrollment_settings.PNG]]
 +
 
 +
 
 +
 
* Click '''Enroll certificates automatically'''. Select the '''Renew expired certificates, update pending certificates, and remove revoked certificates''' check box.  
* Click '''Enroll certificates automatically'''. Select the '''Renew expired certificates, update pending certificates, and remove revoked certificates''' check box.  
* Select the '''Update certificates that use certificate templates''' check box. This is shown in the following figure. Click '''OK'''.
* Select the '''Update certificates that use certificate templates''' check box. This is shown in the following figure. Click '''OK'''.
Line 287: Line 334:
Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This will be described in "Configure Autoenrollment for Certificates Issue" </b>
Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This will be described in "Configure Autoenrollment for Certificates Issue" </b>
-
=== Manually Request Root Certificate ===
+
=== Manually Request Root Certificate on RADIUS Server===
* Right-click the '''Personal''' folder, click '''All Tasks''', click '''Request New Certificate''', and then click '''Next'''.
* Right-click the '''Personal''' folder, click '''All Tasks''', click '''Request New Certificate''', and then click '''Next'''.
Line 297: Line 344:
You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".
You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".
-
=== Request Root Certificate with Autoenrollment===
+
=== Autoenrollment of Client and CA Root Certificates on the Client Machine===
 +
 
 +
 
 +
# Ensure there is a wired connection (or wireless connection with open security) between client and server.
 +
# Open internet explore and go on: <nowiki>http://192.168.0.98/certsrv/</nowiki>
 +
# Refer to [[Autoenrollment_Client_Root_Certificates | Autoenrollment of Client and CA Root Certificates]]
== Enable EAP-TLS and PEAP Authentication Capability==
== Enable EAP-TLS and PEAP Authentication Capability==
-
In the '''Internet Authentication Service (IAS)''', there are two configurations, Radius Client (which means 802.1x AP) and Remote Access Policy, need to be customized for our authentication environment.  
+
In the '''Internet Authentication Service (IAS)''', there are two configurations, Radius Client (which means 802.1x AP) and Remote Access Policy, need to be customized for your authentication environment.  
=== Add the 802.1x Linksys AP as RADIUS client ===  
=== Add the 802.1x Linksys AP as RADIUS client ===  
Line 307: Line 359:
* Click '''Start''', select '''Admin Tools''', then select '''Internet Authentication Service'''.
* Click '''Start''', select '''Admin Tools''', then select '''Internet Authentication Service'''.
* In the console tree of the '''Internet Authentication Service''' snap-in, right-click '''RADIUS Clients''', and then click '''New RADIUS Client'''.
* In the console tree of the '''Internet Authentication Service''' snap-in, right-click '''RADIUS Clients''', and then click '''New RADIUS Client'''.
-
* In the '''Name and Address''' page of the New RADIUS Client wizard, for '''Friendly name''', type <b style="color:blue"> 8021xAP </b>. In '''Client address (IP or DNS)''', type <b style="color:blue"> 192.168.0.5</b>, and then click '''Next'''. This is shown in the following figure.
+
* In the '''Name and Address''' page of the New RADIUS Client wizard, for '''Friendly name''', type <b style="color:blue"> linksysAP </b>. In '''Client address (IP or DNS)''', type <b style="color:blue"> 192.168.0.5</b>, and then click '''Next'''. This is shown in the following figure.
 +
 
 +
 
 +
[[File:New_RADIUS_Client.PNG]]
 +
 
 +
 
 +
 
* Click '''Next'''. In the '''Additional Information''' page of the New RADIUS Client wizard, for '''Shared secret''', type a '''shared secret''' for the 802.1x access point, and then type it again in '''Confirm shared secret'''. Tick '''Request must contain the Message Authenticator attribute'''. This is shown in the following figure. Click '''Finish'''.
* Click '''Next'''. In the '''Additional Information''' page of the New RADIUS Client wizard, for '''Shared secret''', type a '''shared secret''' for the 802.1x access point, and then type it again in '''Confirm shared secret'''. Tick '''Request must contain the Message Authenticator attribute'''. This is shown in the following figure. Click '''Finish'''.
Line 314: Line 372:
-
<b style="color:red"> Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to [[802.1x Access Point | Enable Linksys WRT160N Router have EAP-TLS and PEAP]]. </b>
+
<b style="color:red"> Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to [[802.1x Access Point | Enable Linksys WRT160N Router to have EAP-TLS and PEAP Capability]]. </b>
=== Create and Configure Remote Access Policy ===
=== Create and Configure Remote Access Policy ===
-
Inside of '''Remote Aceess Policy''', we are going to define the authentication part of Radius Server.  
+
Inside of the '''Remote Access Policy''', we define the authentication role of the Radius Server.  
-
There are highlights need for attention:
+
Following need attention:
-
# Acees Method
+
# Access Method
-
# Active Groups used for ID or password (Ex. EAP-TLS or PEAP)Authentication
+
# Active Groups used for secured password (Ex. EAP-TLS or PEAP)Authentication
-
# Authentication Methods(PEAP or EAP-TLS)  
+
# Authentication Methods (Ex. EAP-TLS)  
-
==== Acees Method ====  
+
==== Access Method ====  
* In the console tree of the '''Internet Authentication Service''' snap-in, right-click '''Remote Access Policies''', and then click '''New Remote Access Policy'''.
* In the console tree of the '''Internet Authentication Service''' snap-in, right-click '''Remote Access Policies''', and then click '''New Remote Access Policy'''.
* On the '''Welcome to the New Remote Access Policy Wizard''' page, click '''Next'''.
* On the '''Welcome to the New Remote Access Policy Wizard''' page, click '''Next'''.
Line 339: Line 397:
[[File:AccessMethod_Wireless.png]]
[[File:AccessMethod_Wireless.png]]
-
 
==== Active Groups ====
==== Active Groups ====
Line 350: Line 407:
-
* Click '''OK'''. The '''8021xUsers''' group in the '''WCGWIFILABS''' domain (shown as '''WCGWIFILABS\8021xUsers''') is added to the list of '''Group name:'''. On the '''Users or Groups Acess''' page. This is shown in the following figure. Click '''Next'''.
+
* Click '''OK'''. The '''8021xUsers''' group in the '''WCGWIFILABS''' domain (shown as '''WCGWIFILABS\8021xUsers''') is added to the list of '''Group name:'''. On the '''Users or Groups Access''' page. This is shown in the following figure. Click '''Next'''.
Line 357: Line 414:
==== Authentication Methods ====
==== Authentication Methods ====
-
* On the '''Authentication Methods''' page, here is the way we define the enterprise security.(EAP-TLS/PEAP or both)  
+
* On the '''Authentication Methods''' page, here is the way we define the enterprise security. (Ex. EAP-TLS/PEAP or both)  
===== PEAP(secured password) authentication =====
===== PEAP(secured password) authentication =====
-
If the 802.1x security LAN only have PEAP(secured password) authentication, then
+
If the 802.1x security LAN only have PEAP (secured password) authentication, then
   
   
* Select <b style="color:blue"> Protected EAP (PEAP)</b> from the '''Type''' drop down list.
* Select <b style="color:blue"> Protected EAP (PEAP)</b> from the '''Type''' drop down list.
Line 371: Line 428:
# Click '''Configure...''' to configure the '''Protected EAP Properties'''.
# Click '''Configure...''' to configure the '''Protected EAP Properties'''.
# Select '''ti-wcg-radius.wcgwifilabs.local''' to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
# Select '''ti-wcg-radius.wcgwifilabs.local''' to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
-
# Check on '''Enable Fast Connect'''.
+
# Check on '''Enable Fast Reconnect'''.
# Click '''OK'''. On the '''Completing the New Remote Access Policy''' page, click '''Finish'''.
# Click '''OK'''. On the '''Completing the New Remote Access Policy''' page, click '''Finish'''.
Line 381: Line 438:
If the 802.1x security LAN have '''EAP-TLS (client/root certificates) authentication''', then
If the 802.1x security LAN have '''EAP-TLS (client/root certificates) authentication''', then
-
# Select <b style="color:blue">Smart Card or other Certificate Properties </b> from the '''Type''' drop down list.
+
# select <b style="color:blue">Smart Card or other Certificate Properties </b> from the '''Type''' drop down list.
-
# Click '''Configure...'''. The '''Smart Card or other Certificate Properties''' dialog box is displayed. This is shown in the following figure.
+
# click '''Configure...'''. The '''Smart Card or other Certificate Properties''' dialog box is displayed. This is shown in the following figure.
-
# The properties of the computer certificate issued to the RADIUS computer are displayed. <b style="color:red"> This step verifies that IAS has an acceptable computer certificate installed to perform '''EAP-TLS authentication'''. Click '''OK'''</b>.
+
# the properties of the computer certificate issued to the RADIUS computer are displayed. <b style="color:red"> This step verifies that IAS has an acceptable computer certificate installed to perform '''EAP-TLS authentication'''. Click '''OK'''</b>.
# Click '''OK''' to save changes to EAP providers. Click '''OK''' to save changes to the profile settings.
# Click '''OK''' to save changes to EAP providers. Click '''OK''' to save changes to the profile settings.
Line 396: Line 453:
This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.
This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.
-
===== 802.1x with Both PEAP(secured password) and EAP-TLS authentication =====
+
===== 802.1x with Both PEAP (secured password) and EAP-TLS authentication =====
-
Of course, you can add either of them later to have both of the authentication methods. You might want to set EAP-TLS to be higher piority authentication in remote access policy. Then you need to do '''Move Up''' here. This is the case we are going to have in our lab.
+
Of course, you can add either of them later to support both of the authentication methods on the RADIUS Server. You might want to set EAP-TLS to be at a higher priority authentication in the remote access policy. In that case, you need to do a '''Move Up''' here.  
-
* Click '''Move Up''' to make the Smart Card or other certificate EAP provider the first in the list. This is shown in the following figure.
+
* Click '''Move Up''' to make the '''Smart Card or other certificate''' EAP provider the first in the list. This is shown in the following figure.
[[File:Move_Up.jpg]]
[[File:Move_Up.jpg]]
-
 
-
 
==== Configure Remote Access Policy Properties ====
==== Configure Remote Access Policy Properties ====
-
Let's continue the configuration of remote access policy properties. After we selected access method, active group and authentication method, the '''Policy conditions''' as shown in the figure.
+
Let's continue the configuration of '''remote access policy properties'''. After we created remote access policy by selecting access method, active group and authentication method, the '''policy conditions''' inside of the '''wireless access to intranet Properties''' is shown in the figure.
-
# Click on '''Grant remote access permission '''
 
-
# Then click on '''Edit Profile''' to do rest of the configuration. Click on '''IP''' tab, in the filed of '''IP address assignment''', choose the item of <b style="color:blue"> Client may request an IP address </b>, then leave the other settings to be default.
 
-
# Click '''OK''' to finish the creation of new remote access policy for 802.1x.
 
 +
[[File:Settings_remote_access_policy_properties.jpg]]
-
 
-
[[File:Settings_remote_access_policy_properties.jpg]]
 
 +
* Tick '''Grant remote access permission '''
 +
* then click on '''Edit Profile''' to do rest of the configuration.
 +
* Click on '''IP''' tab, in the filed of '''IP address assignment''', choose the item of <b style="color:blue"> Client may request an IP address </b>, then leave the other settings to be default.
 +
* Click '''OK''' to finish the creation of new remote access policy, wireless access to intranet, for 802.1xUsers.
Line 427: Line 482:
= Configure 802.1x Access Point with Enterprise Security =
= Configure 802.1x Access Point with Enterprise Security =
-
Here is the example of configuration we have done in the lab. If you want to the details, please refer to [[802.1x Access Point | Enable Linksys WRT160N Router to have EAP-TLS and PEAP]].
+
Here is the example of configuration. If you want to the details, please refer to [[802.1x Access Point | Enable Linksys WRT160N Router to have EAP-TLS and PEAP]].
-
 
+
-
 
+
= Connect Windows XP Client Computer with PEAP Authentication =
= Connect Windows XP Client Computer with PEAP Authentication =

Latest revision as of 18:25, 12 May 2011

Contents

[edit] Setting Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description

This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.


This "How To" page takes you step-by-step through the configuration required for PEAP-MS-CHAP v2 authentication, then through the steps required for EAP-TLS authentication.

By showing you how to configure each device, this "How To" note goes through building blocks to create a secure LAN with enterprise authentication.

You can use this in a lab for testing 802.1x configurations.



PEAP-MS-CHAP v2: Protected Extensible Authentication Protocol
                 —Microsoft Challenge Handshake Authentication Protocol version 2

        EAP-TLS: Extensible Authentication Protocol
                 —Transport Layer Security

[edit] Infrastructure of Security LAN

The infrastructure for this example 802.1x secure LAN consists of four devices performing the following roles:



Infarstructure.PNG



Additionally, a Linksys Access Point acts as an 802.1x authenticator to provide connectivity to the Ethernet intranet network segment for the 802.1x clients (or supplicant).

The four devices represent a network segment in a corporate intranet. In this example, both wireless devices on the LAN are associated with a common 802.1x authenticating Linksys AP and will get the dynamic IP addresses from DHCP server. In this test, AP and sever are configured with fixed IP.

[edit] Setup RADIUS Server and Enable PEAP and EAP-TLS Capabilities

[edit] Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server

Before enabling the enterprise security capabilities on Windows Server, three (virtual) servers are need to install first.


Note:

  1. In this example the local domain is called wcgwifilabs.local. This is an example name. You can use a similar name for your own local domain. If you are connecting to the company network (or a production network) use a name which doesn't conflict with any of the other domain names in your company.
  2. It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local.
  3. This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.

[edit] Perform Basic Installation and Configuration

  1. Install Windows Server 2003, Standard Edition with SP3, as a stand-alone server with all of default configurations and security updates.
  2. Click Start , right click My Computer , select Properties , click the Computer Name tab and type RADIUS SERVER in Computer Name. Click OK .
  3. Configure the TCP/IP protocol with the IP address of 192.168.0.98 and the subnet mask of 255.255.255.0.

[edit] Configure the Computer as a Domain Controller

During the Active Directory you may accept defaults (as shown below) or specify your own preferences. You may be asked to insert the Windows Server 2003, CD ROM, and to restart the machine.


Active Directory Installtion Wizard.jpg



Domain in a new forest.png



DNS Registration Diagnostics.jpg



Permissions compatible only.jpg


[edit] Add Users and Computers to the Domain

[edit] Add Computers to the Domain


New Object - Computer.jpg


[edit] Allow 802.1x Access to the Computers

[edit] Add users to the Domain


New Object - 8021xuser.jpg



New Object - 8021xuser-pwd.jpg


[edit] Allow 802.1x Access to Users

[edit] Add Groups to the Domain

and then click Group.


New Object - 8021xUsers.jpg

[edit] Add Users and Computers to the Group

[edit] Add Users to the Group


Select Users 8021xuser.jpg



8021xUsers group 8021xuer.png

[edit] Add the Computer to the Group

Note: Adding client computers to the 8021xUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the 8021x network, obtain an IP address configuration (if DHCP is being used), locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and other computer startup processes.


Select Users CLIENT1.jpg



Object Type CLIENT1.png



8021xUsers group-CLIENT1.jpg

[edit] Having the RADIUS Server on Windows 2003

RADIUS is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication and authorisation for the 802.1x Linksys access point. During this process, the server PC named RADIUS is the member of wcgwifilabs.local domain.

Whenever you restart the PC, remember to log into the WCGWIFILABS domain.

To configure RADIUS as a RADIUS server, perform the following steps:

[edit] Perform basic installation and configuration

[edit] Install and configure Internet Authentication Service

Note: To install individual parts of Networking Services, click on the Details button, and select the elements you require. You may be required to insert the Windows Server 2003, CD-ROM.


Register Internet Authentication Server.jpg


A message should confirm registration and authorisation to refer to users properties. If you see the following error, you need to make sure you are logged in as the wcgwifilabs.local administrator.


IAS Error.jpg

[edit] Install Certificate Services on Windows Server


CA Type.jpg



CA identification info.PNG


Certificate Database Settings.jpg


Note: You might get the warning message because of lacking Internet Information Service (IIS). If you are going to use the web enrollemnt segment of certificate service, IIS is necessary to be installed in the server computer.

[edit] Autoenrollment for Certificates

[edit] Configure Autoenrollment for the Root Certificate


Group policy.PNG



Automatic certificate request.PNG



Certificate template.PNG



Group policy object editor.PNG

[edit] Configure Autoenrollment for the Client Certificate


Public key policies.PNG



Autoenrollment settings.PNG


[edit] Request root Certificates for Radius Server

The Microsoft Management Console (MMC) lets system administrators create much more flexible user interfaces and customize administration tools. For the guide of new features, please refer to Microsoft Management Console (MMC). Use the following steps to create a console on your RADIUS server that contains the Certificates (Local Computer) snap-in.

[edit] Create the Certificates (Local Computer) console

The Certificates (Local Computer) snap-in is shown in the following figure. Next we are going to request for root certificate for the RADIUS server.


Console-Certificate.jpg


Note: PEAP with MS-CHAP v2 requires certificates on the RADIUS servers but not on the 802.1x clients. Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This will be described in "Configure Autoenrollment for Certificates Issue"

[edit] Manually Request Root Certificate on RADIUS Server

You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".

[edit] Autoenrollment of Client and CA Root Certificates on the Client Machine

  1. Ensure there is a wired connection (or wireless connection with open security) between client and server.
  2. Open internet explore and go on: http://192.168.0.98/certsrv/
  3. Refer to Autoenrollment of Client and CA Root Certificates

[edit] Enable EAP-TLS and PEAP Authentication Capability

In the Internet Authentication Service (IAS), there are two configurations, Radius Client (which means 802.1x AP) and Remote Access Policy, need to be customized for your authentication environment.

[edit] Add the 802.1x Linksys AP as RADIUS client


New RADIUS Client.PNG



New RADIUS Client wizard.jpg


Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP Capability.

[edit] Create and Configure Remote Access Policy

Inside of the Remote Access Policy, we define the authentication role of the Radius Server. Following need attention:

  1. Access Method
  2. Active Groups used for secured password (Ex. EAP-TLS or PEAP)Authentication
  3. Authentication Methods (Ex. EAP-TLS)


[edit] Access Method


New Remote Access Policy wireless access to intranet.jpg



AccessMethod Wireless.png

[edit] Active Groups


Select Groups.jpg



WIFILABS 8021xUsers.jpg

[edit] Authentication Methods

[edit] PEAP(secured password) authentication

If the 802.1x security LAN only have PEAP (secured password) authentication, then


EPA Providers-TLS.jpg


  1. Click Configure... to configure the Protected EAP Properties.
  2. Select ti-wcg-radius.wcgwifilabs.local to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
  3. Check on Enable Fast Reconnect.
  4. Click OK. On the Completing the New Remote Access Policy page, click Finish.


PEAP-MSCHOP2-Properties.jpg

[edit] EAP-TLS authentication

If the 802.1x security LAN have EAP-TLS (client/root certificates) authentication, then

  1. select Smart Card or other Certificate Properties from the Type drop down list.
  2. click Configure.... The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
  3. the properties of the computer certificate issued to the RADIUS computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
  4. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.


EPA Providers-TLS.jpg


Smart card certificate.jpg


This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.

[edit] 802.1x with Both PEAP (secured password) and EAP-TLS authentication

Of course, you can add either of them later to support both of the authentication methods on the RADIUS Server. You might want to set EAP-TLS to be at a higher priority authentication in the remote access policy. In that case, you need to do a Move Up here.


Move Up.jpg

[edit] Configure Remote Access Policy Properties

Let's continue the configuration of remote access policy properties. After we created remote access policy by selecting access method, active group and authentication method, the policy conditions inside of the wireless access to intranet Properties is shown in the figure.


Settings remote access policy properties.jpg



Edit Dial-in profile.jpg

[edit] Configure 802.1x Access Point with Enterprise Security

Here is the example of configuration. If you want to the details, please refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP.

[edit] Connect Windows XP Client Computer with PEAP Authentication

CLIENT1 is a computer running Windows XP Professional SP3 that is acting as an 8021x client. It will obtain access to intranet resources through the 8021x Access Point. To configure CLIENT1 as an 8021x client, refer to Connect Wireless Windows XP Client with EAP and perform the steps.

[edit] Client User with EAP-TLS Authentication

Example of EAP-TLS Configuration in Gingerbread please refers to Configure Android Device to Test Enterprise Security.

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox