Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities
Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description
This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.
This "How To" page takes you step-by-step through the configuration required for PEAP-MS-CHAP v2 authentication, then through the steps required for EAP-TLS authentication.
By showing you how to configure each device, this "How To" note goes through building blocks to create a secure LAN with enterprise authentication.
You can also use this fragment in a lab, for testing 802.1x configurations.
PEAP-MS-CHAP v2: Protected Extensible Authentication Protocol —Microsoft Challenge Handshake Authentication Protocol version 2 EAP-TLS: Extensible Authentication Protocol —Transport Layer Security
Infrastructure of Security LAN
The infrastructure for this example 802.1x secure LAN consists of four devices performing the following roles:
<Figure.1 Infarstructure of Security LAN>
- A computer running Microsoft Windows Server 2003, Standard Edition, named RADIUS, that acts as a domain controller, a Domain Name System (DNS) server, a certification authority(CA) , and a Remote Authentication Dial-in User Service (RADIUS) server.
- A computer running Microsoft Windows XP 2002 Professional Service Pack 1 (SP3), named CLIENT1, that acts as an 802.1x client computer.
- A OMAP handset device, Blaze, running Android 2.3 (Gingerbread) with kernel 126.96.36.199, named 8021xuser, that acts as an 802.1x user.
Additionally, a Linksys Access Point acts as an 802.1x authenticator to provide connectivity to the Ethernet intranet network segment for the 802.1x clients (or supplicant).
The four devices represent a network segment in a corporate intranet. In this example, both wireless devices on the LAN are associated with a common 802.1x authenticating Linksys AP and will get the dynamic IP addresses from DHCP server. In this test, AP and sever are configured with fixed IP.
Setup RADIUS Server and Enable PEAP and EAP-TLS Capabilities
Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server
Before enabling the enterprise security capabilities on Windows Server, three servers are need to install first.
- A domain controller (DC) for the wcgwifilabs.local domain, including Active Directory.
- The enterprise root certification authority (CA) for the wcgwifilabs.local domain.
- A DNS server for the wcgwifilabs.local DNS domain.
- It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local, in our lab.
- This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.
Perform Basic Installation and Configuration
- Install Windows Server 2003, Standard Edition with SP3, as a stand-alone server with all of default configurations and security updates.
- Click Start , right click My Computer , select Properties , click the Computer Name tab and type RADIUS SERVER in Computer Name. Click OK .
- Configure the TCP/IP protocol with the IP address of 192.168.0.98 and the subnet mask of 255.255.255.0.
Configure the Computer as a Domain Controller
During the Active Directory you may accept defaults (as shown below) or specify your own preferences. You may be asked to insert the Windows Server 2003, CD ROM, and to restart the machine.
- Click Start , click Run , type dcpromo.exe , and then click OK to start the Active Directory Installation Wizard.
- In the Domain Controller Type page, select Domain controller for a new domain . Click Next .
- Select Domain in a new forest . Click Next .
- In New Domain Name, the Full DNS name for new domain: wcgwifilabs.local . Click Next .
- In NetBIOS Domain name , NetBIOS Domain name : wcgwifilabs . Click Next .
- In Database and Log Folders , specify where you want to store the Active Directory database. Click Next .
- In the Shared System Volume window, specify the folder and its location to be shared as the SYSVOL folder. Click Next.
- In the DNS Registration Diagnostics window, select Install and configure the DNS server on this computer to use this DNS server as its preferred DSN server. Click Next.
- In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Click Next.
- In the Directory Services Restore Mode Administrator Password window, enter passwords for the Administrator account. Click Next twice.
Add Users and Computers to the Domain
Add Computers to the Domain
- Open the Active Directory Users and Computers snap-in (available from administrative tools).
- In the console tree, expand wcgwifilabs.local.
- Right-click Computers, click New, and then click Computer.
- In the New Object - Computer dialog box, type RADIUS in Computer name. This is shown in the following figure. Click Next.
- Repeat steps to create the additional computer account: CLIENT1 (with no spaces).
Allow 802.1x Access to the Computers
- In the Active Directory Users and Computers console tree, click the Computers folder, right-click CLIENT1, click Properties, and then click the Dial-in tab.
- Select Allow access and then click OK.
Add users to the Domain
- In the Active Directory Users and Computers console tree, right-click Users, click New,and then click User.
- In the New Object - User dialog box, type 8021xuser in First name and type 8021xuser in User logon name. This is shown in the following figure. Click Next.
- In the New Object - User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box. This is shown in the following figure. Click Next to continue the installation. Strictly speaking, you should give the 802.1x account an email address. However, if you are simply setting up for a test, that is not necessary.
- Upon completion of the installation, click Finish.
Allow 802.1x Access to Users
- In the Active Directory Users and Computers console tree, click the Users folder, rightclick 8021xUser, click Properties, and then click the Dial-in tab.
- Select Allow access and then click OK.
Add Groups to the Domain
- In the Active Directory Users and Computers console tree, right-click Users, click New,
and then click Group.
- In the New Object - Group dialog box, type 8021xUsers in Group name, and then click OK. This is shown in the following figure.
Add Users and Computers to the Group
Add Users to the Group
- In the details pane of the Active Directory Users and Computers, double-click 8021xUsers.
- Click the Members tab, and then click Add.
- In the Select Users, Contacts, or Computers dialog box, type 8021xUser in Enter the object names to select. This is shown in the following figure. Click OK.
- The 8021xuser user account is added to the 8021xUsers group. This is shown in 8021xUsers Properteies. Click OK to save changes to the 8021xUsers group.
Add the Computer to the Group
Note: Adding client computers to the 8021xUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the 8021x network, obtain an IP address configuration (if DHCP is being used), locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and other computer startup processes.
- Repeat steps in the preceding "Add Users to the Group" procedure.
- In the Select Users, Contacts, or Computers dialog box, type CLIENT1 in Enter the object names to select. This is shown in the following figure.
- Click Object Types.
- Clear the Users check box, and then select the Computers check box. This is shown in the following figure.
- Click OK twice. The CLIENT1 computer account is added to the 8021xUsers group. Click OK to finish.
Having the RADIUS Server on Windows 2003
RADIUS is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication and authorisation for the 802.1x Linksys access point. During this process, the server PC named RADIUS is the member of wcgwifilabs.local domain.
Whenever you restart the PC, remember to log into the WCGWIFILABS domain.
To configure RADIUS as a RADIUS server, perform the following steps:
Perform basic installation and configuration
- Install Windows Server 2003, Standard Edition with default configuration.
- For the intranet local area connection, configure the TCP/IP protocol with the IP address of 192.168.0.98 and the subnet mask of 255.255.255.0.
- Click Start, right click My Computer, select Properties, type RADIUS in Computer Name.
- Click the Change button.
- Type wcgwifilabs.local in the Member of Domain field.
- Click OK.
- Enter the Administrator User name and password.
- Click OK
- Restart the machine.
- Logout and login to the RADIUS server as "administrator" in the wcgwifilabs.local domain. Domain selection is available under login options
Install and configure Internet Authentication Service
- From Control Panel select Add or Remove Programs, click Add/Remove Windows Component and install the part of Networking Services called Internet Authentication.
Note: To install individual parts of Networking Services, click on the Details button, and select the elements you require. You may be required to insert the Windows Server 2003, CD-ROM.
- In the Administrative Tools folder, open the Internet Authentication Service snap-in.
- Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directorydialog box appears, click OK. This is shown in the following figure.
A message should confirm registration and authorisation to refer to users properties. If you see the following error, you need to make sure you are logged in as the wcgwifilabs.local administrator.
Install Certificate Services on Windows Server
- In the Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.
- In the Windows Components Wizard page, select Certificate Services , and then click Next.
- In the CA Type page, select Enterprise root CA . This is shown in the following figure. Click Next.
- Type Example CA in the Common name for this CA field, and then click Next. Accept the default Certificate Database Settings. This is shown in the following figure. Click Next.
- Upon completion of the installation, click Finish. You may be asked to insert the Windows Server 2003 CD-ROM.
Note: You might get the warning message because of lacking Internet Information Service (IIS). If you are going to use the web enrollemnt segment of certificate service, IIS is necessary to be installed in the server computer.
Autoenrollment for Certificates
Configure Autoenrollment for the Root Certificate
- Open the Active Directory Users and Computers snap-in (from administrative tools).
- In the console tree, double-click Active Directory Users and Computers, right-click the wcgwifilabs.local domain, and then click Properties.
- On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in.
- In the console tree, expand Computer Configuration --> Windows Settings--> Security Settings --> Public Key Policies, and then click Automatic Certificate Request Settings. This is shown in the following figure.
- Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
- On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
- On the Certificate Template page, click Computer. This is shown in the following figure.
- Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.
Configure Autoenrollment for the Client Certificate
- In the console tree, expand User Configuration--> Windows Settings-->Security Settings-->Public Key Policies. This is shown in the following figure.
- In the details pane, double-click Autoenrollment Settings, the window of Autoenrollment Settings Properties will show up.
- Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
- Select the Update certificates that use certificate templates check box. This is shown in the following figure. Click OK.
Request root Certificates for Radius Server
The Microsoft Management Console (MMC) lets system administrators create much more flexible user interfaces and customize administration tools. For the guide of new features, please refer to Microsoft Management Console (MMC). Use the following steps to create a console on your RADIUS server that contains the Certificates (Local Computer) snap-in.
Create the Certificates (Local Computer) console
- Click Start, click Run, type mmc, and then click OK.
- On the Console File menu, click Add/Remove Snap-in, and then click Add.
- Under Snap-in, double-click Certificates, click Computer account, and then click Next.
- Select Local computer, click Finish, click Close, and then click OK.
The Certificates (Local Computer) snap-in is shown in the following figure. Next we are going to request for root certificate for the RADIUS server.
Note: PEAP with MS-CHAP v2 requires certificates on the RADIUS servers but not on the 802.1x clients. Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This will be described in "Configure Autoenrollment for Certificates Issue"
Manually Request Root Certificate
- Right-click the Personal folder, click All Tasks, click Request New Certificate, and then click Next.
- Click Domain Controller for the Certificate types, and then click Next.
- Type RADIUS Certificate in Friendly name. This is shown in the following figure.
- Click Next. On the Completing the Certificate Request Wizard page, Click Finish.
- A "The certificate request was successful" message is displayed. Click OK.
You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".
Request Root Certificate with Autoenrollment
Enable EAP-TLS and PEAP Authentication Capability
In the Internet Authentication Service (IAS), there are two configurations, Radius Client (which means 802.1x AP) and Remote Access Policy, need to be customized for our authentication environment.
Add the 802.1x Linksys AP as RADIUS client
- Click Start, select Admin Tools, then select Internet Authentication Service.
- In the console tree of the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client.
- In the Name and Address page of the New RADIUS Client wizard, for Friendly name, type linksysAP . In Client address (IP or DNS), type 192.168.0.5, and then click Next. This is shown in the following figure.
- Click Next. In the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a shared secret for the 802.1x access point, and then type it again in Confirm shared secret. Tick Request must contain the Message Authenticator attribute. This is shown in the following figure. Click Finish.
Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP Capability.
Create and Configure Remote Access Policy
Inside of the Remote Access Policy, we define the authentication role of the Radius Server. Following need attention:
- Access Method
- Active Groups used for secured password (Ex. EAP-TLS or PEAP)Authentication
- Authentication Methods (Ex. EAP-TLS)
- In the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies, and then click New Remote Access Policy.
- On the Welcome to the New Remote Access Policy Wizard page, click Next.
- On the Policy Configuration Method page, type wireless access to intranet in Policy name. This is shown in the following figure.
- Click Next. On the Access Method page, select Wireless. This is shown in the following figure.
- Click Next. On the User or Group Access page, select Group.
- Click Add. In the Select Groups dialog box, type 8021xUsers in the Enter the object names to select box. Verify that wcgwifilabs.local is listed in the From this location field. This is shown in the following figure. If it’s not listed - click on the Locations button to select a location.
- Click OK. The 8021xUsers group in the WCGWIFILABS domain (shown as WCGWIFILABS\8021xUsers) is added to the list of Group name:. On the Users or Groups Access page. This is shown in the following figure. Click Next.
- On the Authentication Methods page, here is the way we define the enterprise security. (Ex. EAP-TLS/PEAP or both)
PEAP(secured password) authentication
If the 802.1x security LAN only have PEAP (secured password) authentication, then
- Select Protected EAP (PEAP) from the Type drop down list.
- Click Configure... to configure the Protected EAP Properties.
- Select ti-wcg-radius.wcgwifilabs.local to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
- Check on Enable Fast Reconnect.
- Click OK. On the Completing the New Remote Access Policy page, click Finish.
If the 802.1x security LAN have EAP-TLS (client/root certificates) authentication, then
- select Smart Card or other Certificate Properties from the Type drop down list.
- click Configure.... The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
- the properties of the computer certificate issued to the RADIUS computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
- Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.
This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.
802.1x with Both PEAP (secured password) and EAP-TLS authentication
Of course, you can add either of them later to support both of the authentication methods on the RADIUS Server. You might want to set EAP-TLS to be at a higher priority authentication in the remote access policy. In that case, you need to do a Move Up here.
- Click Move Up to make the Smart Card or other certificate EAP provider the first in the list. This is shown in the following figure.
Configure Remote Access Policy Properties
Let's continue the configuration of remote access policy properties. After we created remote access policy by selecting access method, active group and authentication method, the policy conditions inside of the wireless access to intranet Properties is shown in the figure.
- Tick Grant remote access permission
- then click on Edit Profile to do rest of the configuration.
- Click on IP tab, in the filed of IP address assignment, choose the item of Client may request an IP address , then leave the other settings to be default.
- Click OK to finish the creation of new remote access policy, wireless access to intranet, for 802.1xUsers.
Configure 802.1x Access Point with Enterprise Security
Here is the example of configuration we have done in the lab. If you want to the details, please refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP.
Connect Windows XP Client Computer with PEAP Authentication
CLIENT1 is a computer running Windows XP Professional SP3 that is acting as an 8021x client. It will obtain access to intranet resources through the 8021x Access Point. To configure CLIENT1 as an 8021x client, refer to Connect Wireless Windows XP Client with EAP and perform the steps.
Client User with EAP-TLS Authentication
Example of EAP-TLS Configuration in Gingerbread please refers to Configure Android Device to Test Enterprise Security.