Wireless access
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Wireless access
This topic describes how IAS can be used to support authentication, authorization, and accounting for wireless connections to an organization. This topic describes a typical configuration for an organization that uses:
Two IAS servers.
Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication. If only one RADIUS server is configured and it becomes unavailable, wireless access clients cannot connect. By using two IAS servers and configuring all wireless access points (RADIUS clients) for both the primary and secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.
Active Directory domains.
Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To both optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.
A certificate infrastructure.
The Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol is used with locally installed user certificates to authenticate wireless clients.
Wireless remote access policies.
Remote access policies are configured for wireless connections so that authenticated wireless users obtain unrestricted access to the organization intranet and guest wireless users obtain restricted access to a virtual LAN (VLAN) that contains a certificate server.
Multiple wireless access points.
Multiple third-party wireless access points provide wireless access in different buildings of an organization.
A certificate server on a separate VLAN for new wireless clients
To accommodate new wireless clients, a certificate server is placed on a separate virtual local area network (VLAN). The certificate server is used by a new wireless client to obtain a user certificate for subsequent wireless access. After 10 minutes of receiving a guest connection, the wireless client is disconnected. When the wireless client computer reconnects, it authenticates by using the newly installed user certificate and obtains authenticated wireless access to the network.
The following illustration shows a wireless configuration.
When you configure IAS so that wireless clients can access the certificate server on the VLAN, it is important to note that the term guest refers to user identity and the term unauthenticated refers to user credentials. The following rules illustrate the differences between the Guest account and remote access policy unauthenticated access:
User identity rules
Condition | IAS action |
---|---|
If the wireless client has a UserID |
IAS maps to the corresponding Windows account. |
If the wireless client does not have a UserID or uses a null UserID |
IAS attempts to default to the Guest account (in the domain in which the IAS server is a member). |
Credential rules
Condition | IAS action |
---|---|
If the wireless client provides credentials |
The authentication method in use specifies whether to accept the connection attempt. EAP-MD5 guest authentication is standard user authentication with a UserID and password (which can be null). However, secure channel (Schannel) does not support authentication to a Windows account that is based on a NULL certificate. |
If the wireless client does not provide credentials |
IAS checks the remote access policy to determine whether unauthenticated access is allowed. EAP-TLS supports one-way authorization, such as unauthenticated access where the wireless client does not send credentials. However, EAP-MD5 does not support one-way authorization. |
Notes
This topic only describes how to configure IAS. It does not describe the configuration of Active Directory domains, the certificate infrastructure, or the wireless access points. For more information about how to deploy these components, see the appropriate Help topics.
This topic describes the bootstrapping of wireless clients by using a VLAN that contains a certificate server. You can also bootstrap wireless clients by using an unauthenticated Ethernet connection or a certificate that has been extracted to a floppy disk.
To configure IAS for this example, complete the following steps:
Configure Active Directory for user accounts and groups.
Configure the primary IAS server on a domain controller.
Configure the secondary IAS server on a different domain controller.
Configure RADIUS accounting and authentication on wireless access points.
Configuring user accounts and groups
To configure user accounts and groups, do the following:
Ensure that all users that are making wireless connections have a corresponding user account.
Manage your wireless access by user by setting the remote access permission on user accounts to Allow access or Deny access. To manage your wireless access by group, set the remote access permission on user accounts to Control access through Remote Access Policy. For more information, see Configure remote access permission for a user.
Organize your wireless access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For example, create a universal group named WirelessUsers that contains global groups of wireless user accounts. For more information, see Group scope.
Configure the Guest account to allow guest access for new wireless clients. For more information, see Guest authentication. Enable reversibly encrypted password storage on the Guest account. For more information, see User and computer accounts.
Create a group named Guests, and add the Guest account as a member. For more information, see Create a new group.
Configure the domain in which the IAS server computers will be members for auto-enrollment of computer certificates. For more information, see Configure automatic certificate allocation from an enterprise CA.
Configuring the primary IAS server on a domain controller
To configure the primary IAS server on a domain controller, do the following:
On the domain controller, install IAS as an optional networking component. For more information, see Install IAS.
Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
If the IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, see Authentication across forests.
Enable file logging for accounting and authentication events. For more information, see Configure log file properties.
If needed, configure additional UDP ports for authentication and accounting messages that are sent by RADIUS clients. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.
Add the wireless access points as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets. Enable the use of the Message Authenticator attribute only when it is supported by the wireless access point.
Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:
Policy name: Wireless access
Access Method: Wireless access
User or Group: Select Group, and then specify the WirelessUsers group (example).
Authentication methods: Select Smart Card or other Certificate. If you have multiple computer certificates, click Configure, and then select the appropriate computer certificate.
Policy Encryption Level: Select the Strongest encryption check box, and then clear all other check boxes.
Use the New Remote Access Policy Wizard to create a custom wireless policy with the following settings:
Policy name: New wireless access
Conditions:
NAS-Port-Type matches Wireless-Other or Wireless-IEEE 802.11
Windows-Groups matches Guests
Permission: Grant remote access permission
Profile settings, Dial-in Constraints tab:
Select the Minutes client can be connected check box, and then type 10.
Profile settings, Advanced tab:
Add the Tunnel-Type attribute with the value of Virtual LANs (VLAN).
Add the Tunnel-Pvt-Group-ID attribute with the value of the VLAN ID of the VLAN that contains the certificate server for new wireless clients.
For additional examples of remote access policies, see Remote Access Policies Examples.
- Delete the default remote access policies. For more information, see Delete a remote access policy.
Configuring the secondary IAS server on a different domain controller
To configure the secondary IAS server on a different domain controller, do the following:
On the other domain controller, install IAS as an optional networking component. For more information, see Install IAS.
Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.
If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.
If the secondary IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, see Authentication across forests.
Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see Copy the IAS configuration to another server.
Configuring RADIUS authentication and accounting on wireless access points
Configure your third-party wireless access point as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers). For more information, see the documentation for the wireless access point.