Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities

From OMAPpedia

Revision as of 15:35, 10 May 2011 by ElizaK (Talk | contribs)
Jump to: navigation, search


Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description

This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.

This "How To" page takes you step-by-step through the configuration required for PEAP-MS-CHAP v2 authentication, then through the steps required for EAP-TLS authentication.

By showing you how to configure each device, this "How To" note goes through building blocks to create a secure LAN with enterprise authentication.

You can also use this fragment in a lab, for testing 802.1x configurations.

PEAP-MS-CHAP v2: Protected Extensible Authentication Protocol
                 —Microsoft Challenge Handshake Authentication Protocol version 2

        EAP-TLS: Extensible Authentication Protocol
                 —Transport Layer Security

Infrastructure of Security LAN

The infrastructure for this example 802.1x secure LAN consists of four devices performing the following roles:

<Figure.1 Infarstructure of Security LAN>

Additionally, a Linksys Access Point acts as an 802.1x authenticator to provide connectivity to the Ethernet intranet network segment for the 802.1x clients (or supplicant).

The four devices represent a network segment in a corporate intranet. In this example, both wireless devices on the LAN are associated with a common 802.1x authenticating Linksys AP and will get the dynamic IP addresses from DHCP server. In this test, AP and sever are configured with fixed IP.

Setup RADIUS Server and Enable PEAP and EAP-TLS Capabilities

Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server

Before enabling the enterprise security capabilities on Windows Server, three servers are need to install first.


  1. It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local, in our lab.
  2. This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.

Perform Basic Installation and Configuration

  1. Install Windows Server 2003, Standard Edition with SP3, as a stand-alone server with all of default configurations and security updates.
  2. Click Start , right click My Computer , select Properties , click the Computer Name tab and type RADIUS SERVER in Computer Name. Click OK .
  3. Configure the TCP/IP protocol with the IP address of and the subnet mask of

Configure the Computer as a Domain Controller

During the Active Directory you may accept defaults (as shown below) or specify your own preferences. You may be asked to insert the Windows Server 2003, CD ROM, and to restart the machine.

Active Directory Installtion Wizard.jpg

Domain in a new forest.png

DNS Registration Diagnostics.jpg

Permissions compatible only.jpg

Add Users and Computers to the Domain

Add Computers to the Domain

New Object - Computer.jpg

Allow 802.1x Access to the Computers

Add users to the Domain

New Object - 8021xuser.jpg

New Object - 8021xuser-pwd.jpg

Allow 802.1x Access to Users

Add Groups to the Domain

and then click Group.

New Object - 8021xUsers.jpg

Add Users and Computers to the Group

Add Users to the Group

Select Users 8021xuser.jpg

8021xUsers Properties.jpg

Add the Computer to the Group

Note: Adding client computers to the 8021xUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the 8021x network, obtain an IP address configuration (if DHCP is being used), locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and other computer startup processes.

Select Users CLIENT1.jpg

Object Type CLIENT1.png

8021xUsers group-CLIENT1.jpg

Having the RADIUS Sever on Windows 2003

RADIUS is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication and authorisation for the 802.1x Linksys access point. During this process, the server PC named RADIUS is the member of wcgwifilabs.local domain.

Whenever you restart the PC, remember to log into the WCGWIFILABS domain.

To configure RADIUS as a RADIUS server, perform the following steps:

Perform basic installation and configuration

Install and configure Internet Authentication Service

Note: To install individual parts of Networking Services, click on the Details button, and select the elements you require. You may be required to insert the Windows Server 2003, CD-ROM.

Register Internet Authentication Server.jpg

A message should confirm registration and authorisation to refer to users properties. If you see the following error, you need to make sure you are logged in as the wcgwifilabs.local administrator.

IAS Error.jpg

Install Certificate Services on Windows Sever

CA Type.jpg

Certificate Database Settings.jpg

Autoenrollment for Certificates

Configure Autoenrollment for the Root Certificate

Configure Autoenrollment for the Client Certificate

Request root Certificates for Radius Server

The Microsoft Management Console (MMC) lets system administrators create much more flexible user interfaces and customize administration tools. For the guide of new features, please refer to . Use the following steps to create an Microsoft Management Console (MMC) on your RADIUS server that contains the Certificates (Local Computer) snap-in.

Create the Certificates (Local Computer) console

The Certificates (Local Computer) snap-in is shown in the following figure.


Note: PEAP with MS-CHAP v2 requires certificates on the RADIUS servers but not on the 802.1x clients. Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This is described in "Configure Autoenrollment for Certificates Issue"

Manually Request Root Certificate

You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".

Request Root Certificate with Autoenrollment

Enable EAP-TLS and PEAP Authentication Capability

In the Internet Authentication Service(IAS), there are two configurations, Radius Client(which means 802.1x AP) and Remote Aceess Policy, we need to customize for our authentication environment.

Add the 802.1x Linksys AP as RADIUS client

New RADIUS Client wizard.jpg

Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to Enable Linksys WRT160N Router have EAP-TLS and PEAP.

Create and Configure Remote Access Policy

Inside of Remote Aceess Policy, we are going to define the authentication part of Radius Server. There are highlights need for attention:

  1. Acees Method
  2. Active Groups used for ID or password (Ex. EAP-TLS or PEAP)Authentication
  3. Authentication Methods(PEAP or EAP-TLS)

Acees Method

New Remote Access Policy wireless access to intranet.jpg

AccessMethod Wireless.png

Active Groups

Select Groups.jpg

WIFILABS 8021xUsers.jpg

Authentication Methods

PEAP(secured password) authentication

If the 802.1x security LAN only have PEAP(secured password) authentication, then

EPA Providers-TLS.jpg

  1. Click Configure... to configure the Protected EAP Properties.
  2. Select ti-wcg-radius.wcgwifilabs.local to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
  3. Check on Enable Fast Connect.
  4. Click OK. On the Completing the New Remote Access Policy page, click Finish.


EAP-TLS authentication

If the 802.1x security LAN have EAP-TLS (client/root certificates) authentication, then

  1. Select Smart Card or other Certificate Properties from the Type drop down list.
  2. Click Configure.... The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
  3. The properties of the computer certificate issued to the RADIUS computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
  4. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

EPA Providers-TLS.jpg

Smart card certificate.jpg

This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.

802.1x with Both PEAP(secured password) and EAP-TLS authentication

Of course, you can add either of them later to have both of the authentication methods. You might want to set EAP-TLS to be higher piority authentication in remote access policy. Then you need to do Move Up here. This is the case we are going to have in our lab.

Move Up.jpg

Configure Remote Access Policy Properties

Let's continue the configuration of remote access policy properties. After we selected access method, active group and authentication method, the Policy conditions as shown in the figure.

  1. Click on Grant remote access permission
  2. Then click on Edit Profile to do rest of the configuration. Click on IP tab, in the filed of IP address assignment, choose the item of Client may request an IP address , then leave the other settings to be default.
  3. Click OK to finish the creation of new remote access policy for 802.1x.

Settings remote access policy properties.jpg

Edit Dial-in profile.jpg

Configure 802.1x Access Point with Enterprise Security

Here is the example of configuration we have done in the lab. If you want to the details, please refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP.

Connect Windows XP Client Computer with PEAP Authentication

CLIENT1 is a computer running Windows XP Professional SP3 that is acting as an 8021x client. It will obtain access to intranet resources through the 8021x Access Point. To configure CLIENT1 as an 8021x client, refer to Connect Wireless Windows XP Client with EAP and perform the steps.

Client User with EAP-TLS Authentication

Example of EAP-TLS Configuration in Gingerbread please refers to Configure Android Device to Test Enterprise Security.

Personal tools