On This PageIntroductionThis chapter covers the operational procedures involved in managing the Securing Wireless LANs with PEAP and Passwords solution. The chapter contains guidance on the key operational and support tasks that you need to perform to maintain the wireless local area network (WLAN) security infrastructure, including the Internet Authentication Service (IAS) servers, certification authority (CA), wireless access points (APs), and the WLAN clients. However, this chapter does not include guidance on general network management or the management of aspects other than security services; for example, network traffic analysis and optimization. OverviewThe major sections in this chapter are: | • | Essential Maintenance Tasks: This section lists the key tasks that you need to perform to set up the management system (for example, configuring backup jobs) and the list of tasks that you need to perform regularly to maintain the system (for example, weekly housekeeping tasks). | | • | Operating the WLAN Infrastructure: This section is primarily a reference section that details the different types of tasks you need to perform to maintain the WLAN security infrastructure. Subsections include information about standard operational tasks, implementing changes, support tasks, and optimization tasks. | | • | Troubleshooting: This section contains procedures and flowcharts that can help you troubleshoot common problems you may encounter with your WLAN infrastructure. It also includes descriptions of useful troubleshooting tools and procedures to enable logging for different components. | | • | References: This section lists sources of supplementary information referred to in the text. |
Chapter PrerequisitesYou should be familiar with the administration of Microsoft Windows Server™ 2003 or Windows 2000 Server. The following areas are especially relevant: | • | Basic operations and maintenance of Microsoft Windows Server 2003, including the use of tools such as Event Viewer, Computer Management, and NTBackup. | | • | IAS. | | • | Certificate Services. | | • | The Microsoft Active Directory directory service (including Active Directory structure and tools), management of users, groups, and other Active Directory objects, and use of Group Policy. | | • | Windows system security concepts such as users, groups, auditing, access control lists (ACL), the use of security templates, and the application of security templates using Group Policy or command-line tools. | | • | Wireless LAN and general network concepts. | | • | An understanding of Windows Script Host and knowledge of the Microsoft Visual Basic Scripting Edition (VBScript); this knowledge will help you to understand and use the scripts supplied with the solution. |
In addition, you should have read the following chapters and have a thorough understanding of the architecture and design of the solution: | • | Chapter 2, "Planning a Wireless LAN Security Implementation" | | • | Chapter 3, "Preparing Your Environment" | | • | Chapter 4, "Building the Network Certification Authority" | | • | Chapter 5, "Building the Wireless LAN Security Infrastructure" | | • | Chapter 6, "Configuring the Wireless LAN Clients" |
Essential Maintenance TasksThis section lists the key tasks that you must perform to successfully operate your WLAN infrastructure. These tasks can be divided into two categories: | • | Initial setup tasks | | • | Ongoing maintenance tasks |
This section also lists the tools and technologies used in the procedures in this chapter. Initial Setup TasksThe following table shows the tasks that must be performed to put the WLAN security infrastructure into production. Table 8.1: Initial Setup Tasks Configuring the IAS Backup | Operational Tasks | Configuring Alert Types | Monitoring | Enabling Monitoring of IAS | Monitoring | Enabling Monitoring of the CA | Monitoring |
Maintenance TasksThe following table shows the tasks that must be performed regularly to keep your LAN security infrastructure operating correctly. You can use this table for planning the required resources and the operational schedule for administering the system. Table 8.2: Maintenance Tasks Testing the Backups | 6 months | Operational Tasks |
Tools and Technology RequiredThe following table lists the tools or technologies required for the procedures described in this chapter. Table 8.3: Required Technology Active Directory Users and Computers Management Console (MMC) | Windows Server 2003 | Certification Authority MMC | Windows Server 2003 | Certutil.exe | Windows Server 2003 | DCDiag.exe | Windows Server 2003 Support Tools | DSquery.exe | Windows Server 2003 | Event Viewer | Windows Server 2003 | Group Policy Management Console (GPMC) | Web download from Microsoft.com | MSS WLAN Tools | Scripts installed as part of this solution | Netdiag.exe | Windows Server 2003 Support Tools | Performance Monitor | Windows Server 2003 | PKI Health | Windows Server 2003 Resource Kit | Removable media for backing up Root CA | CD-RW or Tape | SchTasks.exe | Windows Server 2003 | Text editor | Notepad — Windows Server 2003 | Windows Backup | Windows Server 2003 | Windows Task Scheduler Service | Windows Server 2003 |
Table 8.4: Recommended Technology E-mail infrastructure—for operational alerts | SMTP/POP3/IMAP server and client, such as Microsoft Exchange Server and Microsoft Outlook | Operational Alert Console | Microsoft Operations Manager or other service monitoring system | Operating system update distribution | Microsoft Systems Management Server (SMS) or Windows Server Update Services |
Operating the WLAN InfrastructureThis section includes the major tasks that you need to perform to maintain the WLAN security infrastructure. Operational TasksOperational tasks include jobs that need to be done at regular intervals to keep the WLAN infrastructure functioning correctly. Backing up IAS and the Certification AuthorityYou need to perform regular backups of the IAS servers, including the IAS server running the CA. IAS requires a special procedure to export its settings to a file, which can then be backed up with a normal file backup. You can back up Certificate Services using Windows system state backup, which is available in the Windows Backup tool. You should establish adequate backup procedures on all the servers on which IAS is running. The following two procedures are not mutually exclusive; you need to configure both an IAS backup and a server backup. Configuring the IAS BackupYou need to create a folder with restricted permissions into which the IAS configuration will be exported each night. You also need to create a scheduled job that will run the IAS configuration backup every night (the backup script does not require IAS to be shut down during the backup operation). If the backup succeeds, an event is written to the Windows Application log. An error event will be logged in the case of a backup failure. Caution: The IAS backup files include all of the RADIUS client secrets. This is highly sensitive information, so you should be careful to store this backup data securely. To configure the IAS backup 1. | Open a command shell on the server using the MSS WLAN Tools shortcut and use the following command to create a folder to save the IAS settings: mdc:\IASBackup (The IAS configuration is typically less than 100 KB and can be saved to the system drive, as shown.) | 2. | Use the following command to set permissions for the folder so that only administrators and backup operators can read and modify its contents: cacls c:\IASBackup /G system:F administrators:F "Backup Operators":C (This command may wrap to more than one line here, but you should enter it as a single line.) | 3. | Test the backup by issuing the following command: "C:\Program Files\Microsoft\Microsoft WLAN-PEAP Tools\msstools.cmd" BackupIAS /path:C:\IASBackup (This command may wrap to more than one line here, but you should enter it as a single line. "Microsoft WLAN-PEAP Tools" contains two embedded spaces; one after "Microsoft" and the other after "WLAN-PEAP.") Note: If the backup is successful, an event will be written to the Windows Application log and to the screen; otherwise, error events will be logged. | 4. | Create a scheduled task that will run the IAS configuration export every night. For example, the following command schedules the job to run at 10:00 P.M. every night: SCHTASKS /Create /RU system /SC Daily /TN "IAS Backup"/TR "\"C:\Program Files\Microsoft\Microsoft WLAN-PEAP Tools\msstools.cmd\" BackupIAS /path:C:\IASBackup" /ST 22:00 (This command may wrap to more than one line here, but you should enter it as a single line. "Microsoft WLAN-PEAP Tools" contains two embedded spaces; one after "Microsoft" and the other after "WLAN-PEAP.") Note: Enclosing the path to the msstools.cmd script file within backslashes (\) ensures that the double quotation marks (“) do not get interpreted and stripped from the command by the Windows command shell. The command that gets passed to and stored by the task scheduler is as shown in step 3. |
Taking Server BackupsHaving set up a scheduled task to back up IAS configuration to disk, you must also configure a regular backup of the server system state and the exported IAS configuration files to a removable medium or to a network location. The simplest way to do this is to use the built-in Windows Backup tool. If you use a different backup system, you must establish whether it includes the functionality equivalent to the Windows system state backup (you should be able to find this out from your backup system's documentation). A system state backup (or equivalent) is essential to properly back up Active Directory and Certificate Services keys and certificate databases. If your backup software does not have Windows system state backup functionality, you can perform the following steps: | • | Configure Windows Backup to perform a system state backup to a file on the server (you must ensure that you have enough disk space for this because a system state backup will be 500 MB or larger). See the Windows Backup online help for details on how to do this. | | • | Configure your backup software to copy the system state backup file as well as the IAS backup file described in the previous procedure. |
You should do the following to ensure safe and consistent backups: | • | Schedule the different backup operations so that they do not overlap; otherwise, you run the risk of corrupting the backup data. | | • | Start the server and system state backup at least 10 minutes after the start time of the IAS backup. | | • | If you are performing separate system state and server file backups, allow at least one hour for the system state backup to complete before starting the server file backup. | | • | Always store a recent copy of the backup data at a physical location other than that of the backed up server. This will help you recover the server in the event that all computer equipment at the site is destroyed or becomes inaccessible. Caution: This backup data is very sensitive because it contains the RADIUS secrets for all APs on this server, all of the private key material for the CA, and the Active Directory database. You must transport and store the backup media securely because unauthorized access to this data could compromise the security of your entire organization. |
Testing the BackupsYou can test system backups adequately only by restoring them to a test server and verifying that the restored server functions as expected. A system state backup must be restored to a system that has a disk layout identical to that of the backed up server. For example, Windows must be installed in the same path on the test restore server as on the backed up server and the drive layout for storing Windows files (such as paging files) should be identical for the two servers. Important: To help avoid name and IP address clashes between the test restore server and the original server, the test server should be kept offline from the time when the system state restore is started. To restore the server 1. | Prepare a restore server on to which you want to restore the backed up data. On the restore server, you need to use the same edition of Windows Server 2003 used on the backed up server. (You must also install the solution scripts on this server. For more information, see the "Installing the Solution Tools" section in Chapter 3, "Preparing Your Environment.") | 2. | If you are using a separate system state backup and file backup, use your backup software to restore the system state backup file and the IAS settings backup file from the backup medium to the server. The IAS settings should be restored to the same path: C:\IASBackup. | 3. | Run the Windows Backup utility and select the restored system state backup file. You need to be a member of a group that has Backup and Restore rights on the computer (such as Backup Operators or Administrators). | 4. | Click Restore. | 5. | Restart the system. | 6. | Verify that everything functions as expected after the restart and that the Active Directory and Certificate Services have started without error (you should expect to see errors in the event logs due to the fact that the server is not connected to the network). | 7. | Use the MSS WLAN Tools shortcut to open a command shell. Restore the IAS configuration by running the following command: MSSTools RestoreIAS /path:C:\IASBackup | 8. | Verify that the IAS settings have been restored by opening the IAS management console and checking the RADIUS clients and Remote Access Policies folders. |
MonitoringThis section describes monitoring the IAS and CA components of the WLAN security infrastructure. It does not include any guidance on monitoring the wireless APs or other network devices, nor does it include general advice on monitoring Windows servers. Information on monitoring Windows servers is available from the "References” section at the end of the chapter. Most of the procedures in this section use automated monitoring scripts supplied with the solution. If these scripts detect a failure, they will trigger an alert and, in some cases, attempt to recover from the failure. Configuring Alert TypesAny alerts from the monitoring scripts can be sent to the Windows Application event log or to one or more e-mail recipients (or both). Before enabling the monitoring tools, you need to specify the alert types that you want. In addition, if you have opted to send e-mail alerts, you need to provide the e-mail addresses of the recipients and the name of the e-mail server to which you want to send the messages. To specify these parameters, you need to edit the constants.vbs file. The relevant sections from this file are shown here, with items that you may want to change shown in Italics:
'Alerting parameters
CONST ALERT_EMAIL_ENABLED = FALSE 'set to enable/disable e-mail
CONST ALERT_EVTLOG_ENABLED = TRUE 'set to enable/disable eventlog entries
' set to comma–separated list of recipients to get e-mail alerts
CONST ALERT_EMAIL_RECIPIENTS = "Admin@woodgrovebank.com,Ops@woodgrovebank.com"
'SMTP server to use (use DNS name or IP address)
CONST ALERT_EMAIL_SMTP = "mail.woodgrovebank.com"
Monitoring IASIAS will record many different events in the Windows System log. These include service start and stop notifications (and any associated errors or warnings) and notifications of authentication attempts. (Authentication request log entries are described in detail in the "Troubleshooting” section later in this chapter.) Enabling Monitoring of IASThe solution includes a simple script that monitors the responsiveness of IAS. The script checks to see if IAS process is running. If it is, the script tries to query IAS using the Server Data Objects interface. If either of these checks fails, the script issues an alert. Note: The monitoring script does not check for successful RADIUS authentication—it only checks the general responsiveness of the IAS process. To check end-to-end RADIUS operations, you need a RADIUS client to emulate the wireless APs relaying the WLAN client request. The following procedure describes how to configure the monitoring script to run as a scheduled task so that it automatically alerts you if IAS stops responding. However, because the script is running on the server itself, it will obviously not alert you if the server as a whole has failed; therefore, you must also monitor your servers to ensure that they are alive and responding. You need to carry out the following procedure to configure the script to run as a scheduled task on each IAS server. Every time an error is detected, an alert is sent by e-mail (if e-mail alerts have been configured) and an event is written to the Application log (see the table in the next section for details of the event types logged). In contrast to the CA monitoring script, no attempt is made to correct problems by restarting IAS. Because IAS, unlike a CA, is needed continuously to authenticate WLAN clients, allowing the monitoring script to blindly restart IAS may cause problems rather than resolve them. Instead, you should watch for any alerts generated by the script and perform a proper diagnosis of the cause of the alert before attempting to repair the problem manually. To configure IAS monitoring 1. | Open a command shell using the MSS WLAN Tools shortcut. | 2. | Run the following command to schedule the script to run every hour starting at 1:30 A.M. (it runs 30 minutes past the hour to offset it from the IAS backup job). SCHTASKS /Create /RU system /SC Hourly /TN "IAS Check"/TR "\"C:\Program Files\Microsoft\Microsoft WLAN-PEAP Tools\msstools.cmd\" CheckIAS" /ST 01:30 (This command may wrap to more than one line here, but you should enter it as a single line. "Microsoft WLAN-PEAP Tools" contains two embedded spaces; one after "Microsoft" and the other after "WLAN-PEAP.") Note: Enclosing the path to the msstools.cmd script file within backslashes (\) ensures that the double quotation marks (“) do not get interpreted and stripped from the command by the Windows command shell. Using backslash (\) before the quotes (“) ensures that the command that gets passed to and stored by the task scheduler is as shown in step 2. |
IAS Events Logged by the MSS ScriptsThe monitoring script and the IAS backup script log the following types of events to the event log. Table 8.5: IAS Events Returned by IAS Tools Scripts in This Solution IAS Backup OK | Backup of IAS configuration to file succeeded. | Information | IAS Operations | 210 | IAS Invalid Backup Path | Backup failed because invalid destination path was specified. | Error | IAS Operations | 211 | IAS No Access to Backup Path | Backup failed because backup files could not be written to the destination path specified. | Error | IAS Operations | 212 | IAS Restore OK | IAS settings successfully restored from the saved configuration. | Information | IAS Operations | 220 | IAS Restore Failed | Restoration of IAS settings failed. | Warning | IAS Operations | 221 | IAS Policy Query Failed | IAS could not be contacted using Server Data Objects interface. IAS may not be running. | Error | IAS Operations | 230 | IAS No Policies Detected | IAS does not contain any remote access policies. This should never occur on a normally configured IAS server and probably indicates an IAS or a network problem. | Error | IAS Operations | 231 | IAS Not Installed | IAS is not installed on the computer. | Error | IAS Operations | 232 | IAS Had Stopped | The IAS service was not running but was started successfully. | Warning | IAS Operations | 233 | IAS Not Running | An attempt to start the IAS service failed. | Error | IAS Operations | 234 |
Monitoring the Certification AuthorityThe CA requires relatively little attention beyond monitoring for general server health and performing adequate backup. In this solution, the CA is only required for the relatively rare tasks of issuing certificates to new IAS servers and renewing existing certificates once a year. The CA, therefore, is not normally a critical service. The CA also publishes a list of certificates that have been revoked by the administrator. This list, known as a Certificate Revocation List (CRL), is published weekly to the Active Directory. This CA will only issue a small number of certificates, so the CRL will also be small and will typically be empty. Despite this, it is essential that the CRL is published to Active Directory in a timely manner so that the applications can check on the revocation status of any certificates issued by the CA. For example, the CA itself needs to check the revocation status of any certificate it issues before sending it to the certificate requestor. The CA monitoring script checks that the CA is responding to requests and that a valid CRL is available in Active Directory. If either of these checks fails, the script attempts to restart the CA. In case of a CRL failure, it also tries to publish a new CRL. If a failure is detected even after these recovery attempts, an alert is generated that is sent as an e-mail message to the configured e-mail account and is written to the event log. Enabling Monitoring of the Certification AuthorityThe following procedure describes how to configure the monitoring script to run as a scheduled task so that it will automatically alert you and attempt recovery if an error is encountered. This script needs to be run only on the CA server. To configure the CA monitoring script 1. | Open a command shell using the MSS WLAN Tools shortcut. | 2. | Run the following command to schedule the script to run every hour starting at 1:20 A.M. (it is scheduled to run 20 minutes past the hour to offset it from other scheduled tasks). SCHTASKS /Create /RU system /SC Hourly /TN "CA Check" /TR "\"C:\Program Files\Microsoft\Microsoft WLAN-PEAP Tools\msstools.cmd\" CheckCA" /ST 01:20 (This command may wrap to more than one line here, but you should enter it as a single line.) Note: Enclosing the full path of the msstools.cmd script file within backslashes (\) ensures that the double quotation marks (“) do not get interpreted and stripped from the command by the Windows command shell. The path stored by the task scheduler must be enclosed in quotes if it includes any embedded spaces (such as in "Program Files"). Using a backslash (\) before the quotes (“) ensures that the path stored by the task scheduler is enclosed in double quotation marks. |
Certification Authority Events Logged by the MSS ScriptsThe CA monitoring script logs the following events to the event log. Table 8.6: CA Events Returned by the CA Monitoring Script in This Solution CRL expired | A valid CRL is not accessible—this is currently causing a loss of service. | Error | CA Operations | 20 | CRL overdue | The CRL is still valid but a new one is overdue and should have been published. | Error | CA Operations | 21 | CRL cannot be retrieved from Active Directory | A CRL is not available at a published CRL distribution point. This may be causing loss of service. | Error | CA Operations | 22 | Certificate Services service not responding: Event ID 1—Client Interface offline Event ID 2—Admin Interface offline | Certificate Services remote procedure call (RPC) interface is offline—certificates cannot be issued. May require service restart. | Error | CA Operations | 1 and 2 | Other event | CA monitor script execution failure. | Error | CA Operations | 100 |
Managing ChangesThe tasks in this section relate to changes that you may need to make to the configuration of your WLAN security infrastructure. Windows Security Update ManagementBoth IAS and Certificate Services updates are included in the base service packs and patches for Windows Server 2003; you do not need to update these components separately. You should read through the guidance and follow the references given in the "Server Security Patching" section in Chapter 3, “Preparing Your Environment.” Managing Changes on Your IAS ServersChapter 5, “Building the Wireless LAN Security Infrastructure,” recommended that you nominate one of your IAS servers as the "master" server; the server on which you will make all IAS configuration changes (see the "Deploying Settings to Multiple IAS Servers" section in Chapter 5). These changes will then be replicated to the other servers in your organization, using automated export and import of the IAS configuration database to ensure consistent settings throughout your IAS infrastructure. The set of RADIUS clients (the wireless APs) configured on each IAS, however, are not normally replicated. The Wireless APs supported by each server may vary substantially and rarely will two IAS servers have exactly the same set of clients (this can be the case if you have two central IAS servers to service all wireless APs in your organization, for instance). Backing up IAS Settings Prior to Making ChangesEven though you have scheduled backups of your servers every night, it is a good idea to perform a manual backup of IAS prior to making changes on your servers. This will allow you to roll back any changes and restore the server state immediately prior to the changes made. The following procedure uses the backup script to export server configuration, policies, log settings, and RADIUS clients. To backup the IAS configuration 1. | Open a command shell on the server using the MSS WLAN Tools shortcut and use the following command to create a folder to save the IAS export file: md c:\IASSaveState (The IAS configuration is typically less than 100 KB and can be saved to the system drive, as shown in the example. However, any path can be used as long as it is used consistently in this and the subsequent commands.) | 2. | Run the following commant to set permissions for the folder so that only administrators and backup operators can read and modify its contents: cacls c:\IASSaveState /G system:F administrators:F "Backup Operators":C (This command may wrap to more than one line here, but you should enter it as a single line.) | 3. | Run the backup script to export the IAS settings by issuing the following command: MSSTools BackupIAS /path:C:\IASSaveState |
Replicating Settings to Other IAS ServersYou should establish your own repeatable procedure to ensure that the settings from your master server are replicated to all other IAS servers in your organization. This may involve instructing local support staff to import the settings. More often, this will be performed remotely by copying the configuration files and using a Remote Desktop session to run the configuration import script. To replicate the settings to other IAS servers, follow the procedures described in the "Replicating Settings from the First IAS Server" section in Chapter 5, “Building the Wireless LAN Security Infrastructure.” Note: You might find it useful to embed a version number in the Remote Access Policy name so that it is easy to check that all IAS servers have same settings version. Adding IAS Servers to Your EnvironmentBefore installing a new IAS server, you should identify the wireless APs that will be configured as clients of this server, following the guidelines provided in Chapter 2, “Planning a Wireless LAN Security Implementation.” You will also need another IAS server configured as the secondary RADIUS server to provide the APs with resilience in case of server failure. If you are reconfiguring the existing APs to use this new server, you must carefully plan the migration to avoid disruption of service for your users during the AP switchover. Normally, as long as an AP has at least one active authentication RADIUS server, there will be no disruption. To install IAS on a new server 1. | Follow the guidelines in Chapter 3, "Preparing Your Environment" to prepare your server. | 2. | Follow the instructions included in the "Installing IAS" and the "Registering IAS in Active Directory" sections in Chapter 5, "Building the Wireless LAN Security Infrastructure." | 3. | To replicate changes from your master IAS server to the new server, follow the "Replicating Settings from the First IAS Server" procedure described in Chapter 5, "Building the Wireless LAN Security Infrastructure." | 4. | Finally, add the RADIUS client entries for the wireless APs to IAS and configure the Wireless APs to use the new IAS server. |
Adding a Wireless Access Point to the NetworkTo add a new wireless AP, you need to complete the following two tasks: 1. | Add the AP as a RADIUS client to a primary and a secondary IAS server. | 2. | Configure the AP to use the IAS servers as primary and secondary RADIUS servers. |
The IAS servers you choose as primary and secondary RADIUS servers will depend on the network location of the AP. Ideally, choose a primary IAS server that is on the same LAN as the AP or at least has reliable connectivity to the AP. Choose a secondary IAS server that has reliable connectivity to the AP. For more information, see the guidance provided in the "Assignment of APs to RADIUS Servers" section in Chapter 2, “Planning a Wireless LAN Security Implementation.” Once you have identified suitable IAS servers for the AP, carry out the following procedures. These are the same as the procedures given for adding an AP to IAS in Chapter 5, "Building the Wireless LAN Security Infrastructure.” To add an AP to the network 1. | To add the AP as a RADIUS client to the primary IAS, follow the procedure described in the "Adding APs to the First IAS Server" section in Chapter 5, “Building the Wireless LAN Security Infrastructure.” | 2. | To add the AP as a RADIUS client to the secondary IAS, follow the procedure described in the "Importing the APs into the Second IAS Server" section in Chapter 5, “Building the Wireless LAN Security Infrastructure.” | 3. | Configure the AP by following the guidance provided in the “Configuring the Wireless Access Points" section in Chapter 5, "Building the Wireless LAN Security Infrastructure." |
Removing a Wireless Access PointYou might need to remove a wireless AP from the network if you are relocating or reorganizing your sites. You should always remove RADIUS client entries from IAS if they are no longer in use. To remove a wireless AP from the network 1. | Identify the primary and secondary IAS for the AP to be removed. | 2. | Use the Internet Authentication Service MMC to delete the RADIUS client entry for the AP. (Verify that the RADIUS client IP matches the IP address of the decommissioned AP; do not rely on the name of the RADIUS client.) | 3. | Repeat step 2 on the secondary IAS server. |
Granting WLAN Access to a User or ComputerIf you have followed the default setup for this solution, all users and computers in the domain in which you installed the IAS servers will automatically have access to the WLAN. This is because the Domain Users and Domain Computers groups are members of the Wireless LAN Users and Wireless LAN Computers groups, respectively. These groups are, in turn, members of the Wireless LAN Access group, which is used by the IAS remote access policy to grant access to the WLAN. Controlling Access for Members of the Same DomainIf you want to explicitly control which users and computers can connect to the WLAN, you should use security groups to manage their access. You should remove the Domain Users and Domain Computers groups from the Wireless LAN Users and Wireless LAN Computers groups, respectively. In their place, add the specific users and computers to which you want to grant access to the WLAN. This changes the solution default so that the WLAN is inaccessible to everyone unless access is explicitly granted by adding someone to a security group. This is a more precautious approach than "allow by default" and is normally preferred by organizations with high security needs. It may also be useful in other cases where only a limited number of people are allowed access to the WLAN; for example, during the pilot phase of a larger rollout. To enable WLAN access for a user or computer in the same domain 1. | Using Active Directory Users and Computers, add the user or computer account to the Wireless LAN Users or Wireless LAN Computers group. | 2. | If you are adding a user, ask the user to log off and log on again. If you are adding a computer, reboot the computer. | 3. | Verify that the user or computer can access the WLAN. |
Controlling Access for Members of Another DomainIf you have a multi-domain forest, you may want to enable users and computers from other domains to use the WLAN. For this, you need to be logged on using an account that is one of the following: | • | An administrator of both domains | | • | An account that has permissions to create groups in the other domains and permissions to modify the membership of the Wireless LAN Access group in your home domain (that is, the domain into which the IAS servers are installed). |
To grant WLAN access to the users and computers from other domains 1. | Log on with an account that has permissions to create groups in the domain containing the users and computers that you want to grant access to the WLAN (the target domain). | 2. | Open Active Directory Users and Computers and focus on a domain controller for the target domain. | 3. | Create a domain global group named Wireless LAN Users in the target domain. | 4. | Create a domain global group named Wireless LAN Computers in the target domain. | 5. | Log on with an account that has permissions to modify the membership of the Wireless LAN Access group in the home domain. Using Active Directory Users and Computers, find the Wireless LAN Access group and open it to edit its properties. From the Membership tab of the group properties, add the Wireless LAN Users and Wireless LAN Computers groups from the target domain as members of this group. | 6. | Identify the users from the target domain who require WLAN access. Add their accounts to the Wireless LAN Users group in that domain. Likewise, add the required computer accounts from the target domain to the Wireless LAN Computers group in that domain. Alternatively, you can add Domain Users and Domain Computers to these groups to allow all members of the target domain to access the WLAN. |
Denying WLAN Access to a User or ComputerThe default for this solution is to allow access to the WLAN to all users and computers in the domain into which you installed the IAS servers. They are granted access automatically because they are members of the Domain Users and Domain Computers groups, respectively. This can be problematic if you need to block WLAN access for individual users or computers. You must not remove users or computers from the built-in Domain Users and Domain Computers groups. Use one of the following strategies instead: | • | If the user has left the organization (or, in the case of a computer, it has been lost or stolen), you can disable the Active Directory account of that user or computer. | | • | Manage access by using the Remote Access Permissions on the user or computer account object to allow or deny access. This was discussed briefly in the "Allowing Users and Computers to Access the WLAN" section in Chapter 6, “Configuring the Wireless LAN Clients.” | | • | If you want to remove WLAN access from a user or computer but continue to allow the account to be used for normal domain access and other network access you need to either use a selective access WLAN model or implement a remote access "Deny" policy. The option you choose will depend on whether you want WLAN access to be granted by default or you want to deny access by default and grant WLAN access to only specified users. | • | Using specific group memberships to implement a selective access policy was described earlier in the chapter in the "Granting WLAN Access to a User or Computer" procedure. You can deny access to the WLAN simply by removing a user or computer from the relevant security group. | | • | Creating an IAS remote access policy to deny access to selected groups is described in the following procedure "Controlling WLAN Access Using a Deny Policy." Important: You should not remove users or computers from the Domain Users or Domain Computers groups, respectively. Although it is technically possible, doing this will prevent the user or computer account from functioning correctly in normal domain use. |
|
Controlling WLAN Access Using a Deny PolicyIf you want to allow access by default but be able to deny access to individual users and computers by exception, you need to create a "Deny" Remote Access Policy in IAS. To create a Deny Remote Access Policy 1. | In Active Directory Users and Computers, create a universal group named Deny Wireless LAN Access. | 2. | Create domain global groups Deny Wireless LAN Users and Deny Wireless LAN Computers and add them as members of the Deny Wireless LAN Access group. | 3. | Log on to the master IAS server that you use to edit global IAS settings (these settings will be replicated to the other IAS servers later). | 4. | In the Internet Authentication Service MMC, right-click the Remote Access Policies folder and select New Remote Access Policy... | 5. | Select Set up a Custom Policy and type Deny Wireless LAN Access for the policy name. Click Next to continue. | 6. | Click Add... to add a policy condition and select Windows–Groups from the list and click Add... | 7. | Click Add... to add a security group. Type (or browse for) the Deny Wireless LAN Access group and click OK. | 8. | Click Add... to add another policy condition and select NAS-Port-Type from the list and click Add... | 9. | From the list of Available types, select Wireless - IEEE 802.11 and click Add >>. Then select Wireless – Other and click Add >> to add them to the Selected types list. Click OK to complete and click Next to continue. | 10. | Select Deny remote access permission and click Next to continue. | 11. | At the Profile screen, click Next to skip and then click Finish to complete. | 12. | The Deny Wireless LAN Access policy should be created at the top of the list (highest priority) of policies (or at least above the Allow Wireless LAN Access policy). If it is not, right-lick the policy name and click Move Up until it is higher in the list than the Allow Wireless LAN Access policy. | 13. | Use the procedures described earlier to replicate the new settings to the other IAS servers in your organization. |
Any users or computers that you add to the Deny Wireless LAN Users or Deny Wireless LAN Computers groups will be refused access to the WLAN. However, this setting will only take effect the next time the denied user logs on or the denied computer is restarted. Support TasksThis section covers common tasks that you need to perform to recover from problems in your WLAN security infrastructure. Many of these tasks are referenced by the “Troubleshooting” section included in this chapter. Restoring an IAS Server Configuration from BackupIAS policies and settings are stored in the IAS configuration database. They can be restored independently of the rest of the system settings. You should schedule the IAS backup task to backup IAS settings to the C:\IASBackup folder every night. For more information on this topic, see the "Configuring the IAS Backup" procedure in the "Operational Tasks" section of this chapter. If you need to undo changes made that day, you can restore settings from the backup files (in C:\IASBackup) created the previous night or from the "rollback" backup made prior to the making changes. For further details, see the "Backing up IAS Settings Prior to Making Changes" procedure in the "Managing Changes" section. If you need to restore an earlier version of the settings, you must recover the exported IAS settings from the server backup. Warning: This procedure will restore all IAS settings including RADIUS clients, overwriting any existing settings on the server. The backup that you are attempting to restore should be one that was taken from the same server. To restore the IAS settings 1. | If the IAS setting backup files that you want to use are not on the server, you must restore them from backup media. Be sure to select only the files in the IASBackup folder to restore. Do not restore System State unless you also want to revert to earlier system-wide settings. | 2. | Use the MSS WLAN Tools shortcut to open a command shell. Restore the IAS configuration by running the following command: msstools RestoreIAS /path:C:\IASBackup | 3. | Verify that the IAS settings have been restored by opening the IAS management console and checking the RADIUS clients and Remote Access Policies folders. |
If, for some reason, you do not have a usable backup of this system, you can export the settings from another IAS server and import them to this server. Typically, IAS servers in the same role will share the same configuration settings but will have a different set of RADIUS clients, so you should not use this procedure to restore the settings from another server. Instead use the "Replicating Settings from the First IAS Server" procedure described in Chapter 5, “Building the Wireless LAN Security Infrastructure.” Important: You must ensure that the restored system is patched up to date. Restoring from an old backup may mean that patches previously applied have been rolled back. Restoring Full Server Configuration from BackupProcedures for restoring the server will vary depending on the choice of backup system. The following is based on the assumption that you have backed up the system by performing Windows system state backup to a file, followed by a file backup of this file and other required files. To restore the server 1. | Depending on the state of the server, you may need to prepare the server from scratch; for example, if a severe hardware failure has destroyed the server system disks. Otherwise, you can perform a restore directly to it without reinstalling the operating system. | 2. | If you are using separate system state backup and file backup, use your backup software to restore the system state backup file and the IAS settings backup file from the backup medium to the server. The IAS settings should be restored to the same path, which is C:\IASBackup. | 3. | Run the Windows Backup utility and select the restored system state backup file. You need to be a member of the group, that has Backup and Restore rights on the server (such as Backup Operators or Administrators). | 4. | Click Restore. | 5. | Restart the system. | 6. | Verify that everything performs as expected and that Active Directory and Certificate Services, if installed, have started without error. | 7. | Use the MSS WLANTools shortcut to open a command shell. Restore the IAS configuration by running the following command: MSSTools RestoreIAS /path:C:\IASBackup | 8. | Verify that the IAS settings have been restored by opening the IAS MMC and checking the RADIUS clients and Remote Access Policies folders. Important: If IAS is running on a domain controller, restoring a system state backup will also restore the backed up version of the Active Directory database on that server. However, any changes made to Active Directory after the backup was made will be replicated to the restored server at the next Active Directory replication cycle. |
Optimization TasksThis section covers the tasks that are relevant for optimizing the running of the IAS infrastructure. Determining Maximum Load on the IAS ServerThis section provides information on the likely maximum load on the IAS server. Performance is rarely an issue for IAS servers that are properly sized and configured. IAS servers are under most load during peak times such as morning hours when many users simultaneously log on, shortly after a major network outage, or during a RADIUS server failure when wireless APs failover to a backup server. The following table gives an indication of the WLAN authentication requirements for different sizes of organization. Table 8.7: WLAN Authentication Requirements 100 | > 0.1 | 0.1 | 0.1 | 1000 | 0.1 | 0.6 | 1.1 | 10,000 | 1.4 | 5.6 | 11.1 |
The New Authentications per Second column is a part of the steady load; you can assume an average of four new full authentications as users rove between wireless APs. The Peak New Authentications per Second column indicates the type of load expected when all users require authentication over a 30 minute period (for example, at the start of the day). The Re-authentications per Second column shows the number of authentications with fast reconnect caused by IAS forcing a session time-out after 15 minutes. (Although a 60 minute time-out is the solution default, 15 minutes is used here to give a worst-case figure.) You should assess these figures against your own organization's requirements to determine the type of load that you need to support. Internal tests by Microsoft show that IAS can handle a high load on modest server hardware. The load serviced by IAS is best represented by the number of Extensible Authentication Protocol (EAP) authentications per second. The following table shows the results from an IAS server running on an Intel Pentium 4 2GHz server running Windows Server 2003. The tests were conducted with RADIUS logging enabled (to a separate disk) and with IAS on a separate server from the Active Directory domain controller; therefore, these figures should be regarded as a worst case. The default configuration for this solution is to have logging disabled and IAS housed on the same server as the domain controller. Both of these items will improve authentication throughput. Note: This information is provided without warranty of accuracy and should only be used as a guideline for capacity planning purposes and not for performance comparisons. Table 8.8: Sample IAS Server Capacity Measurements New Protected Extensible Authentication Protocol (PEAP) authentications | 36 | New PEAP authentications with TLS/SSL offload card support | 50 | Authentications with fast reconnect | 166 |
IAS can be configured to generate disk-based RADIUS logs containing varying amounts of RADIUS request information. If you choose to enable RADIUS logging, you should consider the overhead that this will place on the servers, particularly on the disk subsystems. Slow disk throughput will act as a bottleneck on IAS performance and will delay IAS RADIUS responses to APs, leading to protocol time-outs and unnecessary failover of APs to secondary RADIUS servers. If you expect a high load (you can use the figures in the previous tables as a guideline) and are going to enable RADIUS logging, you should ensure that IAS is configured to write RADIUS logs to a high performance disk that is separate from the Windows system drive and page file drive. Enabling Windows Server 2003 IAS tracing features (as described in the "Enabling and Disabling Tracing on the IAS Server" section in this chapter) will also generate additional load on IAS servers. This may be required occasionally to troubleshoot network access issues but should not be enabled permanently. Nevertheless, you may want to ensure that your IAS servers have some additional headroom to allow tracing to be used for limited periods of time and still service the production load. Other Optimization MeasuresFor other IAS optimization guidelines, see the "Designing an Optimized IAS Solution" section in the "Deploying IAS" chapter of the Windows Server 2003 Deployment Kit. TroubleshootingThis section contains procedures and techniques that will help you diagnose and fix problems with the wireless LAN solution. Troubleshooting ProceduresThe following procedures help you identify the possible causes of a problem and the action to take to resolve the problem. This section is organized hierarchically. The first procedure "Determining the Kind of Problem” will point you to one of several procedures, each of which drills down into detailed troubleshooting steps. These procedures, in turn, may point you to further troubleshooting procedures that focus on particular components of the solution. Each of these procedures is described in detail later in this chapter (some are given in the pictorial form; others, for which the text description is too lengthy for a figure, are presented in tables or text). Some of the procedures make use of the "Troubleshooting Tools and Techniques" section of this chapter. You should familiarize yourself with that section to use the troubleshooting procedures effectively. Important: These diagnostic procedures do not cover every eventuality. Where the recommended investigation steps do not lead you to the source of the problem, you should backtrack and follow the other diagnostic procedures given here. Sometimes, the full extent or nature of symptoms is not apparent and may point you in the wrong direction. For example, a single user may be the only person in an office to report a problem that affects the whole office. Although the table points to diagnostic procedures related to a single client failure, other procedures are probably more appropriate. You should also consult the WLAN and IAS troubleshooting documents listed at the end of the chapter. Determining the Type of the ProblemStart by classifying the type of problem that you are experiencing, using the following flowchart. The diamonds represent questions or decision points and the rectangles represent the diagnosis of the problem and indicate the name of the procedure to follow.  Figure 8.1 Determining the type of problem Diagnosing Client Connection ProblemsThe following table categorizes different types of connection problems based on the number and location of clients affected. The Likely Problem(s) column indicates the factors that are most likely to produce the shown symptoms. The Diagnostic Procedures to Follow column lists the diagnostic procedures that you should try first to diagnose the problem. Each of these procedures is described in detail later in this chapter. Table 8.9: Who is Unable to Connect to the WLAN? A single client | Computer configuration or user/computer account. | Check User/Computer Account Check Client Computer | Several clients at one site | Misconfiguration of one or more APs. | Check Wireless AP configuration | Whole of a site (local IAS) | Misconfigured or malfunctioning IAS server onsite; Active Directory replication problems preventing local domain controller receiving correct information; malfunctioning IAS server coupled with WLAN connectivity problem. | Check Active Directory and Network Services Check IAS Check WAN Connectivity | Whole of a site (no local IAS) | WLAN connectivity problem; Active Directory replication problems (if local domain controller). | Check WAN Connectivity | All clients in all sites | Organization-wide configuration (client settings Group Policy object (GPO), RAP groups, certificate renewal failures. | Check Active Directory and Network Services ("Check WLAN settings GPO" and "Check Active Directory Groups" checks) Check the CA Check IAS |
Diagnosing Performance Problems This section focuses on performance problems associated with the WLAN security infrastructure. General wireless and wired network performance problems are not dealt with in this chapter. Table 8.10: Performance Problems Authentication delay affecting many users | IAS server heavily loaded, check performance monitor. | | Authentication across a slow WLAN link (even if you have a local IAS check that APs have not failed over to the remote IAS). | | Delays with a Dynamic Host Configuration Protocol (DHCP) server issuing an IP address can affect total connection time. | Re-authentication delay when roaming between APs | A delay of a few seconds is normal when switching between APs. | | If a client goes out of range of an AP (and stays out of range longer than 10 seconds), it can take up to 60 seconds for re-authentication to start after coming back in range of an AP. This happens because the Windows WLAN client, when disconnected from a WLAN, only polls for WLANs every 60 seconds. | WLAN network throughput is low | This symptom may be due to too many clients using too few APs, incorrect AP placement, weak radio signal caused by obstruction or excessive distance. All these are aspects of the WLAN network design and are outside the scope of this documentation. You should consult your vendor or solution provider for advice. For more information, see the "Deploying a Wireless LAN" chapter of the Windows Server 2003 Deployment Kit. |
User Authenticating but Computer FailingThis solution uses both user authentication and computer authentication to the WLAN. The computer domain credentials are used to authenticate to the WLAN when no user is logged on to the computer. When a user logs on, the user's credentials are then used to re-authenticate to the WLAN. This arrangement allows the computer to communicate with the WLAN when no one is logged on and enables the computer to be managed remotely, to download server GPO settings, and so forth. When a user logs on to a WLAN computer, there is a slight delay while the user is authenticating to the WLAN. Until the user is properly authorized to connect, the computer's authenticated WLAN session is still active. However, if the computer was unable to authenticate to the WLAN, this delay means that there is no network connectivity at the start of the user's logon session. This can cause a number of subtle problems. For example, roaming user profiles will fail to load, some computer GPO settings will not be applied, and user logon scripts and GPO-based software deployments (which run very early in the logon process) will fail. To determine the cause of the failure of computer authentication, you should follow the "Check User/Computer Account" procedure later in this guide. Computer Authenticating but User FailingUnlike the previous case, this problem is immediately obvious and will be reported by the affected users straight away. To determine the cause of failing user authentication, you should follow the "Check User/Computer Account" procedure. Diagnostic ProceduresThe following section provides the detailed troubleshooting steps referred to in the previous sections. Check User/Computer AccountThe following flowchart helps you in diagnosing the cause of a user or computer authentication failure. Note: The arrow shaped box in the flowchart indicates that you should refer to the "Check Client Computer" procedure, as specified in the box. Check Client ComputerThe following flowchart helps you diagnose problems with the client computer. Note: The arrow shaped box in the flowchart is a link from the "Check User/ Computer Account" procedure. The status of the WLAN card (as required by the "Disable/Enable WLAN card and watch status" step shown in the flowchart) can be seen in the Details pane of the Network Connections folder (in Control Panel). When you enable the card, you should see the card status stepping through the following phases: | • | Connecting | | • | Authenticating | | • | Acquiring IP Address (unless this is statically assigned) |
Monitoring the point at which this process fails is one of the most useful diagnostic procedures. Check IASThe following table lists a series of checks to be performed if you suspect that an IAS server is causing problems. Table 8.11: IAS Diagnostic Checks IAS is running | Open the Computer Management MMC and navigate to Services. Ensure that IAS is in the running state. | IAS basic network configuration | Run the netdiag command to check if there are any errors in the network configuration of the IAS sever. | IAS server has current server certificate | Open the Certificates MMC and look in the \Certificates (Local Computer)\Personal\Certificates folder. There should be a certificate for the server in this folder with the following characteristics: -Current date is within validity period of certificate. -Subject Alternative Name matches Domain Name System (DNS) name of server. -Server Authentication is present in Extended Key Usage -Certificate Issuer is trusted (in Trust Path tab). -The certificate has not been revoked. View the profile settings of the IAS Remote Access Policy, click the Authentication tab, and view the 802.1X settings. The server certificate just described should be selected. | IAS is a member of RAS and IAS Servers group in the domain | The server needs to be a member of this group (normally added when IAS is registered in Active Directory). | IAS Remote Access Policy or Connection Request Policy incorrect | Check that policy settings (and version number, if you have included it) matches what you expect. If you are in doubt, redeploy the configuration from the "master" IAS. | View IAS events in the system event log | Look for errors or warning events from IAS in the system event log. Authentication failures will have a reason code indicating the cause of the problem. | Enable IAS Tracing | See the "Enabling and Disabling Tracing on the IAS Server" procedure in the "Troubleshooting Tools and Techniques" section later in this chapter. | Enable Client Tracing | See the "Enabling and Disabling Tracing on the Client Computer" procedure in the "Troubleshooting Tools and Techniques" section later in this chapter. | Enable SChannel logging | To diagnose certificate-related and TLS problems enable SChannel logging. For more information, see the "Enabling SChannel Logging on the IAS Server" procedure in the "Troubleshooting Tools and Techniques" section later in this chapter. You can also enable SChannel logging on the client to acquire additional diagnostic information from the client side. |
Check the Certification AuthorityThe following table contains a series of checks, which you can perform to determine whether the CA is performing correctly. Table 8.12: CA Diagnostic Checks Certificate Services is running | Open the Computer Management MMC and navigate to Services. Ensure that Certificate Services is running. | If TLS fails (shown in RASTLS tracing log or SChannel logging) or the CA does not issue certificates, check the CRL | Run the command msstools CheckCA on the CA to check that a current CRL has been published and is accessible. If you are experiencing problems on particular IAS servers (or at particular sites), obtain the PKI Health Tool (from the Windows Server 2003 Resource Kit). This is an MMC tool that will show you if the server has any problems accessing a current CRL or CA certificate. | If no certificates have been enrolled/renewed, check the Certificate autoenrollment GPO | -Check that the Autoenrollment GPO is linked to the correct location (usually the domain). -Check that the GPO has the "Computer" template set as the type of certificate to be enrolled (in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings). -Check that the RAS and IAS Servers group has Apply Policy and Read permissions on the GPO and check that no Deny permissions could be overriding these (for example, Authenticated Users—Deny Read). | Certificate templates | The Computer template should be assigned to the CA (look at the Templates folder in the Certification Authority MMC). The Computer template should have Enroll permission for RAS and IAS Servers group (check that no Deny permissions are overriding this). | CA DCOM interface remotely | Run the following command from a remote IAS server to check that DCOM/RPC is functioning between the server and the CA: certutil –ping–config CAHostName\CAName where, CAHostName is the computer name of the CA server and CAName is the descriptive name given to the CA when you set it up (it will be the name shown as Issued By: on the General tab of any certificate issued by this CA). |
Check Active Directory and Network ServicesThe following table lists a series of checks that you can perform on Active Directory and other network components to determine whether they are performing correctly. Table 8.13: Active Directory Diagnostic Checks Check communications with Active Directory from IAS | Run the command netdiag /test:ldap /test:trust on the IAS server. This command will also check for DNS problems. | Check WLAN security groups | Check the memberships of the security groups used in this solution to control access to the WLAN. The default memberships are shown in the "Creating Security Groups" section in Chapter 3, "Preparing Your Environment." | Check the client WLAN settings GPO | Check that the settings in the WLAN settings GPO are correct, the GPO is linked to the correct OU (or domain), and the correct permissions have been applied to it. (See the "Creating the WLAN Settings GPO" section of Chapter 6, " Configuring the Wireless LAN Clients.") | Check that Active Directory is replicating correctly | Run the command dcdiag /test:replications from the IAS server where you are experiencing problems. (Even if IAS is not running on a domain controller, the dcdiag tool will check the domain controller being used by that instance of IAS.) | Check DHCP Server | Check that the DHCP server is running, a valid scope for the WLAN clients has been created and is active, and there is connectivity between the wireless APs and the DHCP server (more precisely, connectivity is required between the default virtual local area network (VLAN) of the APs and the DHCP server to allow the WLAN clients to acquire an IP lease). |
Check Wireless Access Point ConfigurationThe following table lists a series of checks that you can perform on the wireless APs to determine whether they are performing correctly. Table 8.14: Wireless AP Diagnostic Checks Check AP IP configuration and connectivity with IAS | Many APs have a basic connectivity test facility (such as ping). Try to ping both the primary and secondary IAS servers (alternatively, try to ping the AP from the primary and secondary IAS servers). | Check AP RADIUS settings | Check the IP address and port settings configured on the AP for the primary and secondary RADIUS servers. Ensure that these match the configuration on the IAS servers. | Check RADIUS client entry on IAS server(s) | Verify that the primary and secondary IAS servers have a RADIUS client entry for this AP. IAS will log an error to the System log if it receives a RADIUS request from a device that is not configured as a client. | Check RADIUS client secret | It may be difficult to verify the RADIUS client secret visually because it is sometimes not possible to view the RADIUS secret after it has been entered into the AP. If the value configured in the IAS RADIUS client entry differs from that configured on the AP, IAS will log an error to the System event log. | Check AP Firmware revision | Verify that the firmware of the AP is up to date. Check the vendor Web site for updates. | Check DHCP server | Check that the DHCP server is running, a valid scope for the WLAN clients has been created and is active, and there is connectivity between the wireless APs and the DHCP server (more precisely, connectivity is required between the default VLAN of the APs and the DHCP server to allow the WLAN clients to acquire an IP lease). |
Check WAN ConnectivityWLAN failures may be caused by WAN connectivity problems between different components. The following table lists the items that are most likely to be the sources of problems. Table 8.15: WAN Diagnostic Checks Wireless APs authenticating to remote IAS Servers | Test simple connectivity between the AP and the primary and secondary IAS servers. Most APs have a simple ping or traceroute command for this purpose. If there are firewalls or routers filtering traffic between the sites in question, you must verify that RADIUS authentication and accounting traffic is permitted (requests plus replies on user datagram protocol (UDP) ports 1812 and 1813). | Domain Controllers replicating across a WAN | Replication problems between domain controllers may occur even where basic IP connectivity is present. Excessive latency may cause the RPC communications between the domain controllers to fail. You should test this using the dcdiag tool as described in the "Check Active Directory and Network Services" section earlier in this chapter. | WLAN Client and DHCP Server | Where the DHCP server is not on the same LAN as the APs and authenticated WLAN clients, you must configure a BOOTP/DHCP relay agent to forward the requests to the correct DHCP server on the remote network. |
Troubleshooting Tools and TechniquesThis section describes some of the techniques and tools that will be useful during troubleshooting. Checking Client Network Connections Folder StatusThe Network Connections folder and the Windows XP system tray notification icons provide information about the state of the WLAN authentication. In the Network Connections folder (in Control Panel), the status text under the wireless network adapter describes the current state of the connection. Highlighting the adapter displays additional information about the connection in the Details panel of the Network Connections folder. Disabling and then re-enabling the adapter will display the status of the adapter as it tries to connect to and authenticate to the WLAN; this information can be useful when debugging client connection problems. Right-click the adapter icon and click Status to see the WLAN signal strength (on the General tab) and the IP address details (on the Support tab). Viewing IAS Authentication Events in the Event LogClient authentication success and failure events, which are recorded in the System event log on the IAS servers, can be useful for troubleshooting. By default, event logging is enabled for successful and failed authentication requests. This setting can be changed from the Service tab for the IAS server properties in the Internet Authentication Service MMC. Looking at these events is useful for troubleshooting authentication failures. The event types produced by IAS are listed in the following table. Table 8.16: IAS Authentication Request Events Access Granted | A user or computer was successfully authenticated and granted access to the WLAN. | Information | IAS | 1 | Access Denied | An access attempt was denied (reason shown in text of event). | Warning | IAS | 2 | Discarded | The access attempt was discarded because it timed out. | Error | IAS | 3 |
Each event contains detailed information about the authentication request including: | • | Client name | | • | IP address and identifier of AP | | • | Client type (should be "Wireless-IEEE 802.11") | | • | Name of remote access policy | | • | Authentication and EAP type | | • | Reason code and description |
If the authentication fails, the reason codes and descriptions will often indicate the precise problem (although the reason given can sometimes be misleading or ambiguous). The available reason codes are given in the following table. Table 8.17: IAS Authentication Request Event Reason Codes 00 | Success | 01 | Internal error | 02 | Access denied | 03 | Malformed request | 04 | Global catalog unavailable | 05 | Domain unavailable | 06 | Server unavailable | 07 | No such domain | 08 | No such user | 16 | Authentication failure | 17 | Change password failure | 18 | Unsupported authentication type | 32 | Local users only | 33 | Password must change | 34 | Account disabled | 35 | Account expired | 36 | Account locked out | 37 | Invalid logon hours | 38 | Account restriction | 48 | No policy match | 64 | Dialin locked out | 65 | Dialin disabled | 66 | Invalid authentication type | 67 | Invalid calling station | 68 | Invalid dialin hours | 69 | Invalid called station | 70 | Invalid port type | 71 | Invalid restriction | 80 | No record | 96 | Session time-out |
In some cases, the information gleaned from the event log entries is not enough to diagnose the cause of the problem. In such cases you may need to enable tracing on the IAS client and the IAS server. These are described in the next procedures. Enabling and Disabling Tracing on Client ComputersWindows supports detailed tracing information on most components to help with diagnosis of problems that may arise. Enabling tracing for a component causes diagnostic output to be written to text log files and provides a level of detail beyond that found in event logs. To obtain detailed information about the WLAN authentication process, you must enable tracing for the EAP over LAN (EAPOL) and Remote Access Service-Transport Layer Security (RASTLS) components using the netsh command. After enabling tracing, try the authentication process again and examine the Eapol.log and Rastls.log files for indications of problems (these files are written to the %Systemroot%\Tracing folder). To enable tracing on client computers | • | Run the following commands: netsh ras set tracing eapol enabled netsh ras set tracing rastls enabled |
To disable tracing on client computers | • | Run the following commands: netsh ras set tracing eapol disabled netsh ras set tracing rastls disabled Note: Tracing consumes significant system resources and creates log files which can grow rapidly. Be sure to disable tracing when troubleshooting is complete. |
Enabling and Disabling Tracing on the IAS ServerEnabling tracing on IAS works in the same way as on the client. You can use the netsh command to enable and disable tracing for a variety of different components related to network authentication. The most useful components to enable for tracing of 802.1X with PEAP authentication issues are the following: | • | IASSAM (the Iassam.log file in the %Systemroot%\tracing folder): This is the most commonly used trace file for IAS issues as it describes functions related to cracking (translating between different formats) user names, binding to a domain controller, and verifying credentials. It is the "heart" of the IAS trace files and is usually required to debug any authentication related issues. | | • | RASTLS (the Rastls.log file in the %Systemroot%\tracing folder): This trace file is used for all EAP and PEAP related authentications. This log holds most of the vital debugging information; however, it is challenging to read and understand. Microsoft is planning to release documentation that will make this information easier to interpret. | | • | RASCHAP (the Raschap.log in the %Systemroot%\tracing folder): This trace file is used for all MS-CHAP v2 and other CHAP based password authentication operations. |
Enabling tracing on the following IAS components is normally not required for troubleshooting 802.1X authentication but may be useful for troubleshooting other problems: | • | IASRAD (the Iasrad.log file in the %Systemroot%\tracing folder): This logs all RADIUS protocol-related operations. It will describe the ports that the server is listening on and so forth. It may be useful for debugging wireless AP compatibility problems. | | • | IASSDO (the Iassdo.log file in the %Systemroot%\tracing folder): The IASSDO log deals with transactions from the user interface (UI) to the MDB files that store the server's configuration and dictionary. This log is used to troubleshoot any service or UI-related issues. |
To enable tracing on the IAS server 1. | Run the netsh command corresponding to the type of tracing information that you require. When troubleshooting 802.1X authentication issues, the IASSAM, RASTLS and RASCHAP logs will contain the most useful information. netsh ras set tracing iassam enabled netsh ras set tracing rastls enabled netsh ras set tracing raschap enabled netsh ras set tracing iasrad enabled netsh ras set tracing iassdo enabled Alternatively, to enable tracing for all categories of network components, run the following command: netshras set tracing * enabled |
To disable tracing on the IAS server 1. | Run one or more of the following netsh commands to disable tracing for the categories enabled in the previous procedure: netsh ras set tracing iassam disabled netsh ras set tracing rastls disabled netsh ras set tracing raschap disabled netsh ras set tracing iasrad disabled netsh ras set tracing iassdo disabled Alternatively, to disable tracing for all categories of network component, run the following command: netshras set tracing * disabled Note: Since tracing consumes significant system resources, you should use it sparingly to help identify network problems. After the trace is captured or the problem is identified, you should disable tracing. |
By default, IASSAM and RASTLS tracing logs are set to 1 MB only, which might cause valuable information to be overwritten in log files during heavy load. The following procedure sets the tracing logs to 10 MB. When a log file reaches the 10 MB limit is reached, it is renamed (to IASSAM.old and RASTLS.old) and a new log file created. This keeps a maximum of 20 MB of data on the server for each tracing type. You can repeat this for any of the tracing types by substituting the tracing category name (such as RASTLS and RASCHAP) for the "IASSAM" key name used in the procedure. To set the IASSAM tracing log file to 10 MB 1. | Start Regedit.exe. | 2. | Navigate to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing | 3. | Find the subkey IASSAM. This should have a registry value MaxFileSize (a type of REG_DWORD). Edit this value and set the data value to be 0xA00000 (this is the hexadecimal representation of 10MB—the default being 0x100000). You can set this to a value other than 10 MB if you wish (although the logs will start to become unmanageable at sizes much larger than this). Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should backup any valuable data on the computer. |
Enabling SChannel Logging on the IAS ServerSChannel is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and Transport Level Security (TLS). If you suspect that there are problems related to the IAS server certificate, or if the RASTLS log indicates that there is some problem with creating the TLS session, you should enable SChannel logging on both the client and the server. Events are logged to the Security log. Follow the same procedure for both client and server. To enable SChannel logging 1. | Start Regedit.exe. | 2. | Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ | 3. | Enable detailed SChannel events by changing the value of EventLogging from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003). Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should backup any valuable data on the computer. |
When you finish troubleshooting, be sure to disable SChannel logging because this consumes significant system resources and will flood the event log with unwanted entries. Pocket PC Diagnostic ToolsWindows XP has a range of network diagnostic tools. Pocket PCs, by contrast, have relatively few built into the base system. Your Pocket PC vendor, Microsoft, and other companies provide different types of tools to help you diagnose Pocket PC problems. Some examples include: | • | IP configuration and diagnostic tools: Tools such as VXUtil or VXIPConfig from Cambridge Software. | | • | WLAN diagnostic tools p |
| 
