Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities

From OMAPpedia

Jump to: navigation, search


[edit] Setting Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities: Description

This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Access Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is a client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.

This "How To" page takes you step-by-step through the configuration required for PEAP-MS-CHAP v2 authentication, then through the steps required for EAP-TLS authentication.

By showing you how to configure each device, this "How To" note goes through building blocks to create a secure LAN with enterprise authentication.

You can use this in a lab for testing 802.1x configurations.

PEAP-MS-CHAP v2: Protected Extensible Authentication Protocol
                 —Microsoft Challenge Handshake Authentication Protocol version 2

        EAP-TLS: Extensible Authentication Protocol
                 —Transport Layer Security

[edit] Infrastructure of Security LAN

The infrastructure for this example 802.1x secure LAN consists of four devices performing the following roles:


Additionally, a Linksys Access Point acts as an 802.1x authenticator to provide connectivity to the Ethernet intranet network segment for the 802.1x clients (or supplicant).

The four devices represent a network segment in a corporate intranet. In this example, both wireless devices on the LAN are associated with a common 802.1x authenticating Linksys AP and will get the dynamic IP addresses from DHCP server. In this test, AP and sever are configured with fixed IP.

[edit] Setup RADIUS Server and Enable PEAP and EAP-TLS Capabilities

[edit] Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server

Before enabling the enterprise security capabilities on Windows Server, three (virtual) servers are need to install first.


  1. In this example the local domain is called wcgwifilabs.local. This is an example name. You can use a similar name for your own local domain. If you are connecting to the company network (or a production network) use a name which doesn't conflict with any of the other domain names in your company.
  2. It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we build up the Domain Controller on the server computer which allows us to create local domain, wcgwifilabs.local.
  3. This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described as following. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.

[edit] Perform Basic Installation and Configuration

  1. Install Windows Server 2003, Standard Edition with SP3, as a stand-alone server with all of default configurations and security updates.
  2. Click Start , right click My Computer , select Properties , click the Computer Name tab and type RADIUS SERVER in Computer Name. Click OK .
  3. Configure the TCP/IP protocol with the IP address of and the subnet mask of

[edit] Configure the Computer as a Domain Controller

During the Active Directory you may accept defaults (as shown below) or specify your own preferences. You may be asked to insert the Windows Server 2003, CD ROM, and to restart the machine.

Active Directory Installtion Wizard.jpg

Domain in a new forest.png

DNS Registration Diagnostics.jpg

Permissions compatible only.jpg

[edit] Add Users and Computers to the Domain

[edit] Add Computers to the Domain

New Object - Computer.jpg

[edit] Allow 802.1x Access to the Computers

[edit] Add users to the Domain

New Object - 8021xuser.jpg

New Object - 8021xuser-pwd.jpg

[edit] Allow 802.1x Access to Users

[edit] Add Groups to the Domain

and then click Group.

New Object - 8021xUsers.jpg

[edit] Add Users and Computers to the Group

[edit] Add Users to the Group

Select Users 8021xuser.jpg

8021xUsers group 8021xuer.png

[edit] Add the Computer to the Group

Note: Adding client computers to the 8021xUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the 8021x network, obtain an IP address configuration (if DHCP is being used), locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and other computer startup processes.

Select Users CLIENT1.jpg

Object Type CLIENT1.png

8021xUsers group-CLIENT1.jpg

[edit] Having the RADIUS Server on Windows 2003

RADIUS is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication and authorisation for the 802.1x Linksys access point. During this process, the server PC named RADIUS is the member of wcgwifilabs.local domain.

Whenever you restart the PC, remember to log into the WCGWIFILABS domain.

To configure RADIUS as a RADIUS server, perform the following steps:

[edit] Perform basic installation and configuration

[edit] Install and configure Internet Authentication Service

Note: To install individual parts of Networking Services, click on the Details button, and select the elements you require. You may be required to insert the Windows Server 2003, CD-ROM.

Register Internet Authentication Server.jpg

A message should confirm registration and authorisation to refer to users properties. If you see the following error, you need to make sure you are logged in as the wcgwifilabs.local administrator.

IAS Error.jpg

[edit] Install Certificate Services on Windows Server

CA Type.jpg

CA identification info.PNG

Certificate Database Settings.jpg

Note: You might get the warning message because of lacking Internet Information Service (IIS). If you are going to use the web enrollemnt segment of certificate service, IIS is necessary to be installed in the server computer.

[edit] Autoenrollment for Certificates

[edit] Configure Autoenrollment for the Root Certificate

Group policy.PNG

Automatic certificate request.PNG

Certificate template.PNG

Group policy object editor.PNG

[edit] Configure Autoenrollment for the Client Certificate

Public key policies.PNG

Autoenrollment settings.PNG

[edit] Request root Certificates for Radius Server

The Microsoft Management Console (MMC) lets system administrators create much more flexible user interfaces and customize administration tools. For the guide of new features, please refer to Microsoft Management Console (MMC). Use the following steps to create a console on your RADIUS server that contains the Certificates (Local Computer) snap-in.

[edit] Create the Certificates (Local Computer) console

The Certificates (Local Computer) snap-in is shown in the following figure. Next we are going to request for root certificate for the RADIUS server.


Note: PEAP with MS-CHAP v2 requires certificates on the RADIUS servers but not on the 802.1x clients. Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This will be described in "Configure Autoenrollment for Certificates Issue"

[edit] Manually Request Root Certificate on RADIUS Server

You may wish to save mmc console settings as "certificates_wcgwifilabslocal.msc".

[edit] Autoenrollment of Client and CA Root Certificates on the Client Machine

  1. Ensure there is a wired connection (or wireless connection with open security) between client and server.
  2. Open internet explore and go on:
  3. Refer to Autoenrollment of Client and CA Root Certificates

[edit] Enable EAP-TLS and PEAP Authentication Capability

In the Internet Authentication Service (IAS), there are two configurations, Radius Client (which means 802.1x AP) and Remote Access Policy, need to be customized for your authentication environment.

[edit] Add the 802.1x Linksys AP as RADIUS client


New RADIUS Client wizard.jpg

Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP Capability.

[edit] Create and Configure Remote Access Policy

Inside of the Remote Access Policy, we define the authentication role of the Radius Server. Following need attention:

  1. Access Method
  2. Active Groups used for secured password (Ex. EAP-TLS or PEAP)Authentication
  3. Authentication Methods (Ex. EAP-TLS)

[edit] Access Method

New Remote Access Policy wireless access to intranet.jpg

AccessMethod Wireless.png

[edit] Active Groups

Select Groups.jpg

WIFILABS 8021xUsers.jpg

[edit] Authentication Methods

[edit] PEAP(secured password) authentication

If the 802.1x security LAN only have PEAP (secured password) authentication, then

EPA Providers-TLS.jpg

  1. Click Configure... to configure the Protected EAP Properties.
  2. Select ti-wcg-radius.wcgwifilabs.local to be the certificate issued; this is the server certificate used for PEAP-MSCHOP v2.
  3. Check on Enable Fast Reconnect.
  4. Click OK. On the Completing the New Remote Access Policy page, click Finish.


[edit] EAP-TLS authentication

If the 802.1x security LAN have EAP-TLS (client/root certificates) authentication, then

  1. select Smart Card or other Certificate Properties from the Type drop down list.
  2. click Configure.... The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
  3. the properties of the computer certificate issued to the RADIUS computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
  4. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

EPA Providers-TLS.jpg

Smart card certificate.jpg

This will allow the wireless access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.

[edit] 802.1x with Both PEAP (secured password) and EAP-TLS authentication

Of course, you can add either of them later to support both of the authentication methods on the RADIUS Server. You might want to set EAP-TLS to be at a higher priority authentication in the remote access policy. In that case, you need to do a Move Up here.

Move Up.jpg

[edit] Configure Remote Access Policy Properties

Let's continue the configuration of remote access policy properties. After we created remote access policy by selecting access method, active group and authentication method, the policy conditions inside of the wireless access to intranet Properties is shown in the figure.

Settings remote access policy properties.jpg

Edit Dial-in profile.jpg

[edit] Configure 802.1x Access Point with Enterprise Security

Here is the example of configuration. If you want to the details, please refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP.

[edit] Connect Windows XP Client Computer with PEAP Authentication

CLIENT1 is a computer running Windows XP Professional SP3 that is acting as an 8021x client. It will obtain access to intranet resources through the 8021x Access Point. To configure CLIENT1 as an 8021x client, refer to Connect Wireless Windows XP Client with EAP and perform the steps.

[edit] Client User with EAP-TLS Authentication

Example of EAP-TLS Configuration in Gingerbread please refers to Configure Android Device to Test Enterprise Security.

Personal tools