by January 6, 2004 0 comments



In the Wi-Fi security setup here, we have a Windows 2003 server Domain Controller – DC1, also a certification authority for the Active Directory Domain. The domain users and the computers you want to provide wireless access to should be allowed for dial-in access through their properties. 

There’s another Windows 2003 server, a member of the domain, running the IAS (Internet Authentication Service) server, which is built in the OS. IAS supports the RADIUS protocol and will be used to authenticate wireless domain users. The IAS service has to be registered in the active directory so that it can read the dial-in properties of the domain users when they want to connect to the network wirelessly.

The PEAP protocol, discussed in the previous article, requires the RADIUS server to prove its identity to the wireless client, before the client passes its encrypted username and password to it. For this the IAS server has to obtain a certificate from DC1, of which it will get a private key. The clients will then use the public key of the certificate to encrypt their username and password, which can only be decrypted by the IAS server using its private key.

Next, select users who are allowed wireless connections. Create a new remote access policy in the IAS snap-in, and in the method of access, select wireless. Next, select the domain users and computers you want to provide wireless access to. On the Authentication methods type use
PEAP.

The wireless AP or router that can be used with this setup must support the IEEE 802.1x protocol, like the D-Link DWL-900AP+AP. Now the AP and the RADIUS server have to be configured, so that the AP uses it for authentication. First in the IAS server, the AP should be added as a RADIUS client and a shared secret has to be provided. This can be done through IAS snap-in. Most APs support Web-based configuration, so open the Web configuration page of the AP and put the address of the RADIUS server and the shared secret to be used by the AP. Only after providing the correct shared key, the AP will be allowed by the RADIUS server to forward user information to it.

Now the client computers are to be configured. Let’s take the example of WinXP with SP1 clients. First make the client system a member of the domain. This has to be done over a wired Ethernet LAN card. You can now remove the Ethernet LAN card and use only the wireless LAN card. Log on to the client machine using the Domain username and password, allowed for wireless access, then on the Wireless Network Properties page enable IEEE 802.1x authentication and select the EAP type to PEAP. You may also have to enter a WEP key before this, if the access point is configured to use a WEP key. After these steps, the PEAP client will authenticate your username and password from the IAS server and the system will get connected to the network. But of course, this will not happen if the username/and password is incorrect.

Anoop Mangla

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<