Build a Secure Wi-Fi LAN with PEAP 

In our last month’s issue we talked about the techniques that can be used to implement security in a wireless LAN (How to Secure your Wi-Fi LAN, page 30, PCQuest January 2004). In this article we will take you through a step-by-step process of setting up a secure wireless LAN using PEAP (Protected Extensible Authentication Protocol). 

Configute the Domain Controller

Create Active Directory Domain running DHCP 



Create an Active Directory domain, for example, wireless.net on DC1. Install and configure DHCP and DNS services on it and assign DC1 a static IP address (for example, 192.168.0.1). 

Configure the DHCP service to provide DC1’s IP address (192.168.0.1) as the DNS server to DHCP clients. Also configure it to provide the gateway IP address on the clients.

Raise domain functional level



Raise the domain functional level of the server to Windows Server 2003. To do this, open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder, and right-click on the domain computer DC1.wireless. net. Click on Raise Domain Functional Level and then select Windows Server 2003 on the Raise Domain Functional Level page. Click on Raise and then on OK.

Create Certification Authority



Make the domain controller a CA (Certification Authority) by installing Certificate Services on it. To do so, go to Control Panel>Add or Remove Programs>Add/Remove Windows Components. On the Windows Components Wizard page, select Certificate Services and click on Next. On the next Windows Components Wizard page, select Enterprise root CA and click on Next. Type Wireless CA in the Common Name for this CA field and click on Next. Accept the default Certificate

Database Settings and click on Next.

Add client users and computers to domain



Add the RADIUS server IAS1 and a client computer, which will be called CLIENT1, to the wireless.net domain’s computer list using the Active Directory Users and Computers snap-in. Create a new domain user and name it (for example, WirelessTest). Next, to allow wireless access to client users and computers, in the Active Directory Users and Computers console tree, click on the Computers folder, right-click on CLIENT1, click on Properties and then on the Dial-in tab. Select Allow Access and then click on OK. Similarly, allow Dial-in access to the WirelessTest user. Create a new group called WirelessUsers. Then add the CLIENT1 computer and the WirelessTest user to the WirelessUsers group.

CONFIGURE THE  RADIUS SERVER 

Requesting computer certificate

Do basic installation and configuration



Install a Windows Server 2003 computer as a member server named IAS1 in the wireless.net domain. Assign it a static IP address, 192.168.0.11. Configure the DNS server IP address as 192.168.0.1. Install IAS (Internet Authentication Service) as a Networking Services component by using Add or Remove Programs from the Control Panel. The IAS server supports the RADIUS protocol for authentication.

Configure IAS



In the Administrative Tools folder, open the Internet Authentication Service snap-in. Right-click on Internet Authentication Service and then click on Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click on OK.

Create certificates console



Create an MMC (Microsoft Management Console) console on your IAS server that contains the Certificates (Local Computer) snap-in. Click on Start>Run and type mmc and then click on OK. On the File menu, click on Add/Remove snap-in and then on Add. Under snap-in, double-click on Certificates, click on Computer account, and then click on Next. Click on Local computer>Finish>Close>OK.






Request computer certificate




In the Certificates (Local Computer) console created above, right-click on the Personal folder and click on All Tasks>Request New Certificate>Next. Click on Computer for the Certificate types and then on Next. Type IAS1 Server Certificate in Friendly name and click on Next. On the Completing the Certificate Request Wizard page, Click on Finish. A “The certificate request was successful” message will be displayed. Click on OK. 

Add wireless access point as RADIUS client



In the console tree of the IAS snap-in, right-click on RADIUS Clients and then click on New RADIUS Client. In the Name and Address page of the New RADIUS Client wizard, for Friendly name, type WirelessAP (as an example). In Client address (IP or DNS), type the IP address of the access point (192.168.0.12 in our setup), and then click on Next. In the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a shared secret for the wireless access point and then type it again in Confirm shared secret. The shared secret entered here needs to match the shared secret on the configuration of the wireless access point. Click Finish.

Create and configure remote access policy



In the console tree of the IAS snap-in, right-click on Remote Access Policies and then click on New Remote Access Policy. On the Welcome to the New Remote Access Policy Wizard page, click on Next. On the Policy Configuration Method page, type Wireless access to intranet in Policy name. Click on Next. On the Access Method page, select Wireless. Click on Next. On the User or Group Access page, select Group. Click on Add. In the Select Groups dialog box, type WirelessUsers in the Enter the object names to select box. Verify that wireless.net is listed in the From this location field. Click on OK. The WirelessUsers group in the wireless.net domain is added to the list of groups on the Users or Groups page. Click on Next. On the Authentication Methods page, PEAP authentication is selected by default and configured to use PEAP-MS-CHAP v2. Click on Next. On the Completing the New Remote Access Policy page, click on Finish.

Configuring the wireless access point

CONFIGURE THE WIRELESS ACCESS POINT



The wireless access point or router that can be used with this setup must support the IEEE 802.1x protocol. We used the D-Link DWL-900AP+ access point, which supports it. Using the Web interface of the access point assign it an IP address (192.168.0.12 in our setup). Provide a SSID (Service Set Identifier) and WEP (Wired Equivalent Privacy) key for the access point. Go to the 802.1x configuration page of the access point. Assign the IP address of the IAS1 computer, 192.168.0.11, in the RADIUS server IP address. Use the default port number 1812. In the shared secret column type the shared secret assigned in the configuration of the RADIUS client on the IAS1 server. Apply the changes.

CONFIGURE THE CLIENT COMPUTER 



CLIENT1 is a computer running Win XP Professional SP1 that is acting as a wireless client and obtaining access to wireless LAN resources through the wireless access point.

Do basic installation and configuration



Connect CLIENT1 to the LAN using an Ethernet cable connected to your Lan’s hub or switch. On CLIENT1, install Win XP Professional as a member computer named CLIENT1 of the wireless.net domain. Install Win XP SP1. This must be installed in order to have PEAP support. Next install a wireless network adapter on the client system. You may disconnect the Ethernet cable from the client if you want.

Configure wireless network connection



Log on to the CLIENT1 computer using the WirelessTest account in the wireless.net domain. In the Available wireless networks field of the Wireless Network Connection page, select the SSID of the wireless access point, and then click on Advanced. In the Wireless Network Connection Properties dialog box, select the SSID and then click on Configure. On the Association tab, verify that Data encryption (WEP enabled) is selected and type the WEP key assigned during the access point configuration. On the Authentication tab, select Enable IEEE 802.1x authentication for this network. Select the EAP type to PEAP. Click on OK to close the page. Click on OK again to close the previous page.

CHECK THE WIRELESS SETUP



After the authentication is successful, check the TCP/IP configuration of the wireless adapter. It should have an IP address from the DHCP scope of the domain controller DC1. Now try to ping the DC1 system. If the ping succeeds the wireless client has been successfully authenticated to access your network resources. In this setup even if somebody manages to crack the wireless network WEP key, he will not get connected to the wireless network until and unless he logs on with a valid domain account from a client domain computer.

Anoop Mangla