Securing Wireless LANs with PEAP and Passwords

Chapter 5: Building the Wireless LAN Security Infrastructure

Updated: April 2, 2004
On This Page
Overview
Chapter Prerequisites
Preparing for Implementation
Checking Readiness for Installation
Installing IAS
Registering IAS in Active Directory
Configuring the Primary IAS Server
Deploying Settings to Multiple IAS Servers
Configuring Wireless Access Points
Summary
References

Overview

This chapter provides guidance on the installation and configuration of Internet Authentication Service (IAS) to provide Remote Authentication Dial-In User Service (RADIUS) services to a wireless local area network (WLAN), and on the configuration of wireless access points (APs) to use the IAS RADIUS services.

The principal topics in the chapter are as follows:

Preparing for and installing IAS

Configuring the first IAS server

Replicating settings to other IAS servers

Adding wireless APs as RADIUS clients of IAS

Configuring the wireless APs

The procedures in this chapter are less automated than the procedures in the earlier chapters. Although IAS is configurable programmatically, many settings cannot be configured using Windows Script Host or the available command-line tools. Compiled application code is usually less accessible to non-developers than scripts. So, where a procedure was not scriptable, the manual steps to complete that procedure were used. If you want to automate the configuration of IAS using the Server Data Objects interface, refer to MSDN at http://msdn2.microsoft.com/default.aspx. For the exact location of the information on the subject, see the references at the end of this chapter.

The configuration steps in this chapter are largely manual; however, there are some positive aspects to this. First, the IAS administration interface is easy to use and is often driven by configuration wizards. Second, you will normally perform the configuration steps only on one server and then replicate these settings to the other IAS servers using simple commands. Third, performing these steps manually helps you to learn more about the installation and configuration of IAS. This last point is more relevant here than for the other components of the solution. IAS is the hub around which the rest of the solution revolves, so it is desirable to have some experience of administering and configuring it.

Chapter Prerequisites

Before implementing the instructions provided in this chapter, you should have read and implemented the procedures in Chapter 3, "Preparing Your Environment" and Chapter 4, "Building a Network Certification Authority." You should have also read Chapter 2, "Planning a Wireless LAN Security Implementation," and understood the architecture and design of this solution.

In addition, it will help if you are familiar with the following topics:

IAS and RADIUS

WLAN concepts

Preparing for Implementation

Permissions Needed

To carry out the procedures in this chapter, you need to log on with an account that is a member of the Administrators group for the domain into which you are installing the IAS servers.

Note: If you are not installing IAS on domain controllers, you will only need to be a member of the local Administrators group on each IAS server to install and configure IAS. You will also need permission to modify the membership of the RAS and IAS Servers group for the domain into which you are installing the IAS servers.

Tools Needed

The following tools are needed to perform the procedures in this chapter.

Table 5.1: Tools Needed

Tool | Description | Source

MSS Secure WLAN Scripts | The set of scripts and tools supplied with this solution. | Provided in Chapter 3, "Preparing Your Environment."

Internet Authentication Service | Microsoft Management Console (MMC) tool used to manage IAS policies and settings. | Provided as part of Windows Server™ 2003.

Active Directory Users and Computers | MMC tool used to manage the Microsoft Active Directory directory service users, groups, computers, and other Active Directory objects. | Provided as part of Windows Server 2003.

IAS Parameters

The following table lists the main parameters used in the installation and configuration of the IAS server.

Table 5.2: IAS Server Configuration Parameters

Configuration Item | Setting

IAS Logging to Windows Event Log
  Rejected Authentication Requests | Enabled
  Successful Authentication Requests | Enabled

IAS RADIUS Logging | Disabled

Remote Access Policy
  Remote Access Policy Name | Allow Wireless LAN Access
  Security group to grant access to | Wireless LAN Access
  EAP Type used | Protected Extensible Authentication Protocol (PEAP)
  PEAP EAP type used | EAP MS-CHAP v2
  Fast Reconnect | Enabled

Remote Access Policy Profile
  Minutes clients can be connected (Session-Timeout) | 60 minutes (may be reduced to 15 minutes for 54 Mbps 802.11a/g WLANs)
  RADIUS Attributes | Ignore-User-Dialin-Properties = "True"; Termination-Action = "RADIUS-Request"

Connection Request Policy
  Policy Name | Use Windows authentication for all users
  Policy Conditions | Day-and-Time-Restrictions = All times

Important: These settings were used in the internal testing of this solution and are known to work as documented. Although many of these can be set to other values, you should do this only if you are confident that you fully understand the purpose of a particular setting and the implications of changing it.

Checking Readiness for Installation

IAS is dependent on correct network and Active Directory configuration and connectivity. Several tools are required for the successful installation and maintenance of IAS.

Validating the IAS Environment

Before installing IAS on the server, you must run a series of checks to ensure that a domain controller is contactable and that all the required tools have been installed as per the procedures described in Chapter 3, "Preparing Your Environment." The following procedure uses a script to perform these checks automatically for you.

To check the IAS environment

1. Open a command shell using the MSS WLAN Tools shortcut on the server on which you want to install IAS.

2. Run the following command:

MSSSetup CheckIASEnvironment

3. The script confirms the name of the domain to which this server belongs. Click OK to accept.

4. After completing the checks, a dialog box is displayed indicating the success or failure of each check. Click OK to close the dialog box.

5. If all the checks completed successfully, continue with the next procedure. Otherwise, check the setup log (%systemroot%\debug\MSSWLAN-Setup.log) to investigate the cause of the failure and rectify the problem before rerunning the script.

Verifying DHCP Settings

Dynamic Host Configuration Protocol (DHCP) will be used to assign IP addresses to the WLAN clients automatically. Ensure that the DHCP scopes assigned at each site have enough IP addresses to cover the maximum number of WLAN clients that may be active at the site. If the scope is shared with wired clients, it must be large enough to accommodate both sets of clients.

Organizations with large numbers of WLAN clients, or with WLAN clients that regularly move from site to site, should configure separate scopes for WLAN clients. Having separate scopes allows you to specify very short lease times for these clients (for example, eight hours or less) and hence helps prevent transient WLAN clients from quickly exhausting the available IP addresses. To do this, place the WLAN clients on a separate subnet from the rest of the site network, and configure a router or layer 3 switch to connect the subnets.

For smaller or relatively static environments, sharing an IP subnet and a single DHCP scope between wired and WLAN clients is quite acceptable.

For more information, see the "Deploying a Wireless LAN" chapter of the Windows Server 2003 Deployment Kit. The reference for this is given at the end of this chapter.

Installing IAS

This section describes how to install IAS on your server.

Installing the IAS Software Components

You can install the IAS software components using a script provided with this guidance. This script uses the Windows Optional Components Installation Manager to install IAS, and builds all the required configuration files as it runs.

To install IAS

1. Open a command shell using the MSS WLAN Tools shortcut.

2. Run the following command to install the IAS software components:

MSSSetup InstallIAS

3. The script then builds the installation parameter file. When this is complete, you are prompted to continue with the installation. The Windows Server 2003 installation CD (or a network path containing the Windows installation source) is required to complete the installation. Click OK to proceed or Cancel to stop the installation before it is finished.

Note: If you choose to cancel the installation, the IAS optional components parameter file (OC_IAS.txt) will be left in the current working folder. This can be modified and used in your custom installation if you do not want to accept the solution defaults.

4. When the installation completes, a confirmation message is displayed. Click OK.

Verifying the Installation

To verify the installation, click Start, point to All Programs, point to Administrative Tools, and click Internet Authentication Service. IAS should be shown as installed and running on the server.

Registering IAS in Active Directory

Each IAS server needs to be registered in Active Directory. Registering means adding the IAS server computer account to the RAS and IAS Servers security group, which ensures that IAS servers have permission to read the remote access properties of user and computer accounts in Active Directory.

You can register your servers in one of the following ways:

By adding these servers manually into the group (using Active Directory Users and Computers).

By using the Register with Active Directory item on the Action menu of the Internet Authentication Service MMC.

By using the Netsh command.

The last method (using the Netsh command) is shown here because it is simple to script and allows the server to be registered in other domains.

To register IAS in the default domain

1. Log on to the IAS server and open a command shell using the MSS WLAN Tools shortcut.

2. Run the following command:

netsh ras add registeredserver

If you have multiple domains, perform the following procedure for each domain that has users or computers that will be authenticated by this IAS server. For example, if your IAS servers are installed in domain A and you have WLAN users in domain B, you must register the IAS servers in domain B as well as domain A. To do this, you need to have permission to modify the RAS and IAS Servers group membership in the target domain.

To register IAS in domains other than the default domain

1. At the command prompt, run the following command, replacing DomainName with the name of the domain in which the IAS server needs to be registered:

netsh ras add registeredserver domain = DomainName

Note: Alternatively, add the IAS server computer object directly into the RAS and IAS Servers security group in the target domain using Active Directory Users and Computers.

Configuring the Primary IAS Server

This section provides guidance on configuring the first IAS server. Subsequent IAS servers will be configured by replicating the settings from this server using the procedures described later in the chapter.

Automatically Enrolling for an IAS Server Certificate

Chapter 4, "Building the Network Certification Authority," provided the steps for installing a Group Policy object (GPO) to allow members of the RAS and IAS Servers group to enroll computer certificates automatically. The registration of the IAS server in Active Directory causes the server account to be added to this group. However, the server needs to be restarted for the computer to have this group membership added to its logon token and be able to enroll a certificate successfully.

Note: Just as with users, computers do not receive changed group membership in their logon session access token until they log on to the domain again. For computers, this occurs at boot time.

Before continuing with the next procedure, restart the server.

Warning: Before restarting the server, ensure that no tasks are being performed on this server. If the server is a domain controller, ensure that another domain controller is available to users before restarting this one. You should also avoid restarting during a critical system task such as server backup.

Verifying IAS Server Certificate Deployment

After restarting the server, ensure that the IAS server certificate has been successfully enrolled.

To verify the IAS server authentication certificate

1. Open a command shell using the MSS WLAN Tools shortcut.

2. Run the following command to open the Certificates MMC:

ComputerCerts.msc

3. In the console tree, double-click Certificates (Local Computer) and then double-click Personal. Next, click Certificates.

4. You should see at least one certificate with the name of this server in the Issued To column and the name of your certification authority (CA) in the Issued By column. Scroll across the list (to the right) to view the Certificate Template column. You should see the value Computer for this certificate in this column.

Note: If this is the first IAS server and it is being installed on the same server as the CA, you will also see another certificate with the name of the CA in both columns; this is the self-signed CA certificate.

5. If the required certificate does not appear in the Certificates MMC snap-in, select Certificates (Local Computer) from the console tree (in the left pane), click All Tasks from the Action menu, and then click Automatically Enroll Certificates. Then refresh the view of the Certificates MMC.

Configuring the First IAS Server

The configuration of all the IAS servers will be largely identical in this solution (though the set of wireless APs installed on each server will usually be different for each server). To keep the configuration synchronized between servers, and to minimize the effort of managing multiple servers, you will perform the majority of configuration tasks on the first installed IAS server and then replicate this server's settings to other IAS servers in the organization.

During the procedures in this section, you will configure the following types of setting on the first IAS server:

Logging of Requests

Remote Access Policy

Connection Request Settings

Later, these settings will be replicated to the other IAS servers. You must also add a RADIUS client entry to IAS for each wireless AP served by that IAS server (this is covered in the "Configuring Wireless Access Points" section, later in this chapter).

Configuring Logging to Windows Event Logs

IAS logs significant system-level events such as service startup and shutdown and problems such as configuration errors and service failures to the Windows system log. It can also optionally log successful and failed authentication attempts.

To enable IAS logging of authentication requests

1. To open the Internet Authentication Service MMC, click Start, point to All Programs, point to Administrative Tools, and click Internet Authentication Service.

2. Right-click Internet Authentication Service (local) and then select Properties.

3. Ensure that the Rejected authentication requests and Successful authentication requests options are both enabled.

4. Click OK.

Configuring Logging of Authentication and Accounting Requests to RADIUS Logs

IAS can also log authentication and accounting information to RADIUS logs. IAS does not create RADIUS logs by default and RADIUS logging is not enabled in this solution in order to minimize management overhead.

If you require RADIUS logging for security auditing or accounting purposes, either or both types of request logs can be enabled. IAS can write these logs to text files or to a SQL database. You can use these logs as input to security monitoring systems to help you track potential security violations. More rarely, organizations use the accounting logs for billing purposes, although this is typically confined to commercial Internet and other network service providers. If you want to implement RADIUS logging or simply read more about it, see the references at the end of this chapter.

Note: You should not enable RADIUS authentication and account logging unless you have a specific need for it. It can degrade server performance and the log files also need regular housekeeping to ensure that they do not fill the server disks.

Creating an IAS Remote Access Policy for WLAN

Perform the following procedure to create a remote access policy on the IAS server.

To create a remote access policy in IAS

1. Open the Internet Authentication Service MMC by clicking Start, pointing to All Programs, pointing to Administrative Tools, and clicking Internet Authentication Service.

2. Right-click the Remote Access Policies folder and then click New Remote Access Policy. Click Next to continue.

3. Select A typical policy for a common scenario as the way you want to set up the policy and name it Allow Wireless LAN Access. Click Next.

4. Select Wireless for the access method.

5. Select the Group option for Grant access based on, and type in (or browse for) the Wireless LAN Access security group. Click Next to continue.

6. Select Protected EAP (PEAP) from the list of EAP types.

7. Click the Configure... button. The IAS server certificate issued earlier should be displayed in the Certificate Issued field (if not, select it from the list of available certificates). Secured Password (EAP MSCHAPv2) should be displayed in the list of EAP Types. Select the Enable Fast Reconnect check box.

Important: If you are using Pocket PC 2003 wireless clients, you must not select the Enable Fast Reconnect check box unless you have a version of Pocket PC that supports this option (see the Knowledge Base article reference at the end of this chapter). If you enable Fast Reconnect, the Pocket PC clients will not be able to reconnect to the network after their initial authentication times out.

8. Click OK and then Next. Click Finish to complete the procedure.

Important: The new Allow Wireless LAN Access policy can coexist with other remote access policies that you have created or with the default remote access policies. However, you must ensure that any other default remote access policies are either deleted or listed below the Allow Wireless LAN Access policy (that is, at a lower priority) in the Remote Access Policies folder of IAS.

Modifying the WLAN Access Policy Profile Settings

The New Remote Access Policy wizard (as used in the previous procedure) creates a valid remote access policy, but the following two settings need to be configured manually. The first setting adds the RADIUS attribute Ignore-User-Dialin-Properties. This tells IAS to ignore the remote access permission setting specified on the Dial-In tab of the Active Directory user object. It also prevents IAS from sending this information in the RADIUS responses to the wireless APs, because this can sometimes cause compatibility problems.

The second setting allows the IAS server to terminate the client connection after a specified time-out and force the client to re-authenticate. This setting is particularly important when using dynamic Wired Equivalent Privacy (WEP) data protection (the default for this solution), because the session time-out controls the frequency at which new network data encryption keys are generated.

Note: Wi-Fi Protected Access (WPA) has its own mechanism to generate new keys for each transmitted packet. The following discussion is not applicable to WPA WLANs.

The session time-out value is a tradeoff between security and reliability. A 60-minute time-out gives adequate security for most circumstances, and certainly for 11 Mbps 802.11b networks. Normally, wireless clients will never transmit enough data in 60 minutes to allow a dynamic WEP key to be recovered by an attacker. Faster WLANs using the 802.11a or 802.11g 54 Mbps standards allow more data to be transmitted in a given time, so you should consider using a 15-minute time-out for faster WLANs. However, using a shorter value can reduce WLAN reliability and increase the load on the IAS servers.

You should read the section "Security Options for Dynamic WEP" in Chapter 2, "Planning a Wireless LAN Security Implementation," for a more detailed discussion on setting the client session time-out.

You must configure the value for client session timeout and the Termination-Action attribute of RADIUS to the required value so that the IAS server can force the client to re-authenticate at the required interval. For more information about remote access policy settings, see the "RADIUS Policies" section of Chapter 2, "Planning a Wireless LAN Security Implementation."

To modify the wireless access policy profile settings

1. In the Internet Authentication Service MMC, right-click the Allow Wireless LAN Access policy and select Properties. Then click Edit Profile.

2. Click the Dial-in Constraints tab, then select the Minutes clients can be connected (Session-Timeout) option and type 60 (minutes) as the value if you are using an 802.11b (11 Mbps) WLAN, or 15 (minutes) for a higher speed 802.11a or g (54 Mbps) WLAN.

Note: If you are using WPA WLAN protection in place of dynamic WEP, set this value to eight hours. A setting of eight hours will ensure that clients have valid up-to-date credentials for a reasonable length of time. At the same time, it ensures that a client cannot remain connected for excessive periods after its account has been disabled. However, in very high security environments where you need to minimize the delay between disabling an account and forcing the client off the network, this value may be reduced to one hour.

3. Click the Advanced tab, add the Ignore-User-Dialin-Properties attribute, and set it to True. Then add the Termination-Action attribute and set it to RADIUS Request.

Verifying the Connection Request Policy for WLAN

The default IAS connection request policy is configured to instruct IAS to authenticate users and computers directly against Active Directory. Perform the following steps to verify the configuration of the default connection request policy.

To verify configuration of the default connection request policy

1. Open the Internet Authentication Service MMC, navigate to the folder Connection Request Processing\Connection Request Policies, and right-click the Use Windows authentication for all users connection request policy. Then select Properties.

2. Verify that the policy conditions contain Day-And-Time-Restrictions matches "Sun 00:00-24:00; Mon 00:00-24:00; Tue 00:00-24:00; Wed 00:00-24:00; Thu 00:00-24:00; Fri 00:00-24:00; Sat 00:00-24:00".

3. Click the Edit Profile button and ensure that Authenticate requests on this server is selected on the Authentication tab.

4. Ensure that no rules are specified on the Attribute tab.
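Step 2 of the procedure above relies on reading a long condition string by eye. The following Python code is an added example, not from this chapter and not part of IAS: it parses the text form that the IAS MMC displays for the Day-And-Time-Restrictions condition and reports whether the condition really permits access at every minute of every day, listing any day that falls short. The parsing rules (entries separated by ";", a day allowed to appear more than once, and several "HH:MM-HH:MM" ranges per entry separated by ",") are assumptions of this example, since the chapter shows only the all-times string.

```python
"""Check an IAS Day-And-Time-Restrictions condition for all-times coverage.

Added example; not from the chapter and not part of IAS. It parses the text the
IAS MMC displays for the condition, for example
"Sun 00:00-24:00; Mon 00:00-24:00; ... Sat 00:00-24:00", and reports whether
every minute of every day is permitted. Assumed syntax: entries separated by
";", a day may appear more than once, and one entry may carry several
"HH:MM-HH:MM" ranges separated by ",".
"""
import re

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MINUTES_PER_DAY = 24 * 60
_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def _to_minutes(hours: str, minutes: str) -> int:
    """Convert HH and MM strings to minutes since midnight; 24:00 is a valid end."""
    value = int(hours) * 60 + int(minutes)
    if int(minutes) > 59 or not 0 <= value <= MINUTES_PER_DAY:
        raise ValueError(f"invalid time {hours}:{minutes}")
    return value


def parse_restrictions(spec: str) -> dict:
    """Return {day: [(start_minute, end_minute), ...]} for every day of the week."""
    allowed = {day: [] for day in DAYS}
    # Tolerate surrounding quotes and a trailing full stop, as in the chapter's text.
    entries = (e.strip() for e in spec.strip(' ."\u201c\u201d').split(";"))
    for entry in filter(None, entries):
        day, _, ranges = entry.partition(" ")
        if day not in DAYS or not ranges.strip():
            raise ValueError(f"unrecognised entry: {entry!r}")
        for rng in ranges.split(","):
            match = _RANGE.match(rng.strip())
            if not match:
                raise ValueError(f"bad time range: {rng!r}")
            start = _to_minutes(match.group(1), match.group(2))
            end = _to_minutes(match.group(3), match.group(4))
            if end <= start:
                raise ValueError(f"empty or reversed range: {rng!r}")
            allowed[day].append((start, end))
    return allowed


def covered_minutes(ranges) -> int:
    """Count the distinct minutes covered by (start, end) ranges, merging overlaps."""
    total, cursor = 0, 0
    for start, end in sorted(ranges):
        start = max(start, cursor)
        if end > start:
            total += end - start
            cursor = end
    return total


def uncovered_days(spec: str) -> list:
    """Days on which the condition leaves at least one minute blocked."""
    allowed = parse_restrictions(spec)
    return [day for day in DAYS if covered_minutes(allowed[day]) < MINUTES_PER_DAY]


def allows_all_times(spec: str) -> bool:
    """True only if the condition permits 00:00-24:00 on all seven days."""
    return not uncovered_days(spec)


if __name__ == "__main__":
    # The string the verification step expects to see on the default policy.
    ALL_TIMES = "; ".join(f"{day} 00:00-24:00" for day in DAYS)
    print(allows_all_times(ALL_TIMES))
    print(uncovered_days("Mon 08:00-17:00; Tue 00:00-24:00"))
```

allows_all_times returns True for the seven-entry string the procedure expects; uncovered_days is the useful output when a policy has been edited, because it names the days on which a WLAN client would be refused without any other error being visible in the policy list.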

Deploying Settings to Multiple IAS Servers

After configuring the primary IAS server, you can replicate this configuration to the other IAS servers.

Follow the procedures earlier in this chapter for "Installing IAS" and "Registering IAS in Active Directory" on each of your additional servers. You should also carry out the procedure for "Verifying IAS Server Certificate Deployment" to ensure that a certificate has been enrolled by each of the new servers. Having done this, you are ready to export the IAS settings from the first server and import them into your other servers as described in the procedures in the following section.

Important: You can only replicate settings to other Windows Server 2003 IAS servers. Using these procedures, you cannot replicate settings from Windows Server 2003 to Windows 2000 versions of IAS.

Replicating Settings from the First IAS Server

You can use the Netsh command to export portions of IAS configuration to text files. The scripts used in the following procedures make use of Netsh.exe to export settings from and import them into an IAS server.

The following categories of IAS settings can be separately exported from and imported into an IAS server:

Server settings

Logging configuration

Remote access policies

Connection request policies

RADIUS clients

Full configuration (this includes all the above)

Exported settings are stored in text files; however, the data is encoded. These text files can be used to transfer common configuration settings across multiple IAS servers to ensure consistent configuration and speedy deployment.

Most of the configuration categories will be common to IAS servers in a similar role (the exception typically being the RADIUS clients category). In this solution, the IAS servers will be authenticating only WLAN clients. If you are planning to use one or more of the IAS servers differently (for example, to authenticate remote access clients), you need to configure and replicate the settings of those servers independently or perform the configuration manually. Otherwise, you risk overwriting and losing policy and other configuration settings.

You should perform configuration of the following items only on the first IAS server (as described in the earlier section "Configuring the Primary IAS Server"):

Server configuration

Logging settings

Remote access policies

Connection request policies

Using the procedures in this section will export these settings and replicate them to other IAS servers.

Tip: To help you track changes to the IAS configuration, include a version number in the name of the remote access policy. Each time you change the IAS settings, update the name to include a new version number. This will make it easier to track changes across the IAS servers and see that they are all using the same settings.

Designate your first IAS server as the "master" IAS server. Then use the following procedures to replicate the settings from this server to the other IAS servers in your organization. The replication of RADIUS client settings is detailed in the "Replicating RADIUS Client Configuration to Other IAS Servers" section later in this chapter.

Note: The "Master" designation has no special meaning to IAS. It is only used to indicate which server you will use to make the initial configuration changes before they are replicated to the other IAS servers.

Exporting Settings from the Master IAS Server

This procedure saves the current IAS server settings to disk files.

To export the IAS configuration to disk files

1. Log on to the primary IAS server and open a command shell using the MSS WLAN Tools shortcut.

2. If required, identify a folder to store the output files or insert a blank, formatted floppy disk into the server's drive.

3. Run the following command to export the IAS configuration:

MSSTools ExportIASSettings [/path:OutputFolder]

OutputFolder is an optional parameter used to specify the folder to which the exported files will be written. The path needs to be in quotes if it contains embedded spaces. This folder, if specified, must exist; otherwise, the files are written to the current directory.

4. The script will create the following files:

IAS_Server_Settings.txt
IAS_Logging.txt
IAS_Rem_Access_Policies.txt
IAS_Con_Request_Policies.txt

5. Store the files to import them into the other servers.

Importing Settings to Other IAS Servers

This procedure uses the settings files exported in the previous procedure to configure other IAS servers with identical settings. This procedure does not import the RADIUS clients, which is covered in a later section.

Warning: The import of IAS settings to an IAS server will overwrite all existing IAS settings on that server (with the exception of the RADIUS client information). If you have created different settings on any server (for example, different remote access policies to support virtual private network (VPN) clients), do not use this procedure to import the IAS WLAN settings to that server. Instead, configure the settings manually using the procedures described in the "Configuring the Primary IAS Server" section earlier in this chapter.

To import IAS configuration from disk files

1. Log on to the target IAS server and open a command shell using the MSS WLAN Tools shortcut.

2. Identify the folder containing the configuration files previously exported from the master IAS server.

3. Run the following command to import the IAS configuration:

MSSTools ImportIASSettings [/path:InputFolder]

InputFolder is an optional parameter used to specify the folder where the script will look for the settings files to import. The path needs to be in quotes if it contains embedded spaces. If no folder is specified, the files are expected to be in the current directory.

You should verify that the settings have been imported correctly by opening the Internet Authentication Service MMC and checking the remote access and connection request policy settings.

Configuring Wireless Access Points

This section describes how to add wireless APs as RADIUS clients of the IAS servers.

Adding the Access Points as RADIUS Clients to IAS

You must add wireless APs as RADIUS clients to IAS before they are allowed to use RADIUS authentication and accounting services. For more information on how to allocate wireless APs to different IAS servers, see the procedures in Chapter 2, "Planning a Wireless LAN Security Implementation."

The wireless APs at a given location will typically be configured to use an IAS server at the same location for their primary RADIUS server and another IAS server at the same or a different location as the secondary RADIUS server. The terms "primary" and "secondary" here do not refer to any hierarchical relationship, or difference in configuration, between the IAS servers themselves. The terms are relevant only to the wireless APs, each of which has a designated primary and secondary (or backup) RADIUS server. Before you configure your wireless APs, you must decide which IAS server will be the primary and which will be the secondary RADIUS server for each wireless AP.

The following procedures describe adding RADIUS clients to two IAS servers. During the first procedure, a RADIUS secret is generated for the wireless AP; this secret, or key, will be used by IAS and the AP to authenticate each other. The details of this client along with its secret are logged to a file. This file is used in the second procedure to import the client into the second IAS.

Important: You must not use this first procedure to add the same client to two IAS servers. If you do this, the client entries on each server will have different RADIUS secrets configured and the wireless AP will not be able to authenticate to both servers.

Adding Access Points to the First IAS Server

This section describes how to add wireless APs to the first IAS server. A script is supplied to automate the generation of a strong, random RADIUS secret (password) and add the client to IAS. The script also creates a file (Clients.txt by default) that logs the details of each wireless AP added. This file records the name, IP address, and RADIUS secret generated for each wireless AP. These will be required when configuring the second IAS server and the wireless APs.

If you prefer to add the clients manually, follow the "Generating the client's entries for wireless APs" procedure later in this chapter to generate secrets for the wireless APs.

Important: The RADIUS clients are added to IAS as "RADIUS Standard" clients. Although this is appropriate for most wireless APs, some APs may require that you configure vendor-specific attributes (VSAs) on the IAS server. You can configure VSAs either by selecting a specific vendor device in the properties of the RADIUS client in the Internet Authentication Service MMC or (if the device is not listed) by specifying the VSAs in the IAS remote access policy. For more information on configuring VSAs in IAS, see the references at the end of this chapter.

In addition, refer to your wireless AP documentation for information regarding VSA requirements on RADIUS servers.

To add a RADIUS client to the first IAS server

1. Log on to the IAS server where you want to add the wireless APs and open a command shell using the MSS WLAN Tools shortcut.

2. If there is an existing RADIUS clients output file in the current directory (or if you specify an existing file in the path parameter), the new client entry will be appended to that file. If you do not want this to happen, remove the existing file or specify an alternative file name in the command.

3. Run the following command to add a wireless AP to IAS:

   MSSTools AddRADIUSClient [/path:OutputFile.txt]

   Note: The path parameter is optional. You can specify the name of the file (plus optional folder path) in which the output from the command will be stored. The path needs to be in quotes if it contains embedded spaces. If no path parameter is specified, the command will save the output in the file Clients.txt in the current directory.

4. When prompted, type a name for the wireless AP. This should be a user-friendly reference for use in the Internet Authentication Service MMC; it does not need to be the name given to the AP in its own configuration. Use a Domain Name System (DNS) name or any other string.

5. Type the IP address of the wireless AP (in decimal dotted notation, for example, 10.20.1.153).

6. A password is automatically generated for the client (this password is a randomly generated cryptographic string of 23 printable characters used by IAS and the wireless AP to authenticate each other). These settings are used to add the RADIUS client to IAS. The name, IP address, and secret are also appended to the output file (default is Clients.txt) in the current directory. The output file is a comma-delimited text file with one RADIUS client on each line, so it can be easily used in scripts or imported and manipulated using a tool such as Microsoft Excel.

7. Repeat steps 3 to 6 for all other wireless APs that you want to add to this IAS server.

Later, you will use the output file for reference while setting the RADIUS secrets on the wireless APs. For more information, see the "Configuring the Wireless Access Points" section later in this chapter.

Important: Do not leave the RADIUS clients output file on the server. It contains the RADIUS client secrets in unencrypted form. After adding the wireless APs, you should move the file to a floppy disk or other writable, removable media and store it in a secure place.

The "Adding a RADIUS client to the first IAS server" procedure described above uses a sample tool included with this solution (AddRADIUSClient.exe). This tool is a simple Visual Basic .NET application that uses the Server Data Objects interface to configure an IAS server. You can use it as a basis for your own script to add clients to an IAS server.

This tool is not supported by Microsoft and has not been thoroughly tested. However, the source code of this application is included should you need to examine or modify it before using it.

Note: Unlike most of the scripts used in the setup procedures, this script does not write progress details to the MSSWLAN-setup.log log file. The reason for this is to prevent the RADIUS client secrets being stored there and posing a security risk. However, the progress details are logged to the screen.

Scripting the Addition of Access Points to IAS Server (Alternative Procedure)

If you do not want to add the wireless APs to the IAS server interactively using the previous procedure, you can just generate the RADIUS client entries output files for each wireless AP without adding them to IAS. You can then use the "Importing the RADIUS clients to the second IAS server" procedure described later in this section to import the RADIUS client entries into both the first IAS server and the second IAS server. Because you can script this whole operation, you may prefer to add your RADIUS clients this way if you have to add a large number of wireless APs.

Important: This procedure is an alternative method for adding RADIUS clients in a scripted rather than an interactive fashion. If you have followed the previous procedure "Adding a RADIUS client to the first IAS server," you do not need to follow this procedure.

Use the following procedure to generate strong RADIUS secrets. The script, like the previous procedure, uses a CryptoAPI function to generate a truly random value for each RADIUS secret. This ensures that the values are sufficiently strong to defeat password guessing or dictionary attacks.

To generate the client entries file for wireless APs

1. Open a command shell using the MSS WLAN Tools shortcut.

2. Run the following command. Substitute a user-friendly name for the wireless AP for the ClientName parameter and the IP address of the wireless AP for IPAddress. (You can optionally provide an alternative file name and path to specify where the output is to be saved. If no path parameter is specified, the output is saved to the file Clients.txt in the current working folder.) If the output file already exists, the new value will be appended to it. If it does not exist, the file will be created.

   MSSTools GenRADIUSPwd /client:ClientName /IP:IPAddress [/path:path\filename]

   The client and path parameters can include embedded spaces; if either does, you must enclose the parameter in quotes. The command may be shown wrapped onto multiple lines, but you should type it on a single line.

3. Repeat step 2 for all wireless APs for which you need to generate RADIUS secrets. Each client entry will be appended to the output file (default is Clients.txt). The file is a comma-delimited text file with one RADIUS client on each line, so it can be easily used in scripts or imported and manipulated using a tool such as Microsoft Excel.

Caution: Do not leave the output file on the server. It contains the RADIUS client secrets in plaintext. After adding the wireless APs, you should move the file to a floppy disk or other writable, removable media and store it in a secure place.

Note: Unlike most of the scripts used in the setup procedures, this script does not write progress details to the MSSWLAN-setup.log log file. This is to prevent the RADIUS client secrets being stored there and posing a security risk. However, the progress details are logged to the screen.

Importing the Access Points into the Second IAS Server

After adding the wireless APs to the first IAS server, you need to add them to a second server before configuring the wireless APs to use RADIUS.

To import the RADIUS clients to the second IAS server

1. Copy the clients output file created in the previous procedures (for security reasons, remove this file from the first IAS server altogether; it is no longer required there).

2. Verify that the file contains the correct entries by opening it in Notepad or Microsoft Excel. (This is important because the file might contain old entries left over from a previous run of the procedure.) Remove any unnecessary client entries.

3. Run the following command to import these clients into the second IAS server:

   MSSTools AddSecRADIUSClients [/path:InputFile.txt]

   Note: The path parameter is optional. You can use a different path parameter to read the input from a different file or folder. The path needs to be in quotes if it contains embedded spaces. If no parameter is specified, the command will look for and read input from the file Clients.txt in the current directory.

4. The script will reject any malformed client entries in the file and display the number of successful and failed entries when it completes.

5. Verify that the clients have been added correctly by opening the Internet Authentication Service MMC and looking at the RADIUS Clients folder.

Note: Unlike most of the scripts used in the installation and configuration of the solution, this script does not write progress details to the MSSWLAN-setup.log file. The reason for this is to prevent the RADIUS client secrets being stored there and posing a security risk. However, the progress details are logged to the screen.
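The file handling behind the GenRADIUSPwd and AddSecRADIUSClients procedures above, as an added Python example that is not the guide's own MSSTools or AddRADIUSClient.exe code: it generates a 23-character printable secret from a cryptographic random source and appends a comma-delimited entry, then reads such a file back and rejects malformed entries with success and failure counts. The exact character set MSSTools uses is not stated in the guide, so the alphabet below (printable ASCII without the comma and double quote) is an assumption, as is the constructed sample file.

```python
"""Added example, not the guide's MSSTools/AddRADIUSClient.exe code. It shows
the file handling the chapter describes: GenRADIUSPwd generates a random
23-character printable RADIUS secret and appends a "name,IP,secret" line to a
Clients.txt-style file; AddSecRADIUSClients (step 4) reads such a file back,
rejects malformed entries and counts successes and failures. Adding the
client to IAS itself (Server Data Objects) is not shown."""
import ipaddress
import secrets
import string
from typing import List, Tuple

SECRET_LENGTH = 23

# Assumption: the guide says only "printable characters". The comma (the
# file delimiter) and the double quote (special to spreadsheet imports) are
# left out so a generated secret can never corrupt the comma-delimited file.
SECRET_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in ',"'
)


def generate_radius_secret(length: int = SECRET_LENGTH) -> str:
    """Secret from the OS CSPRNG (the stand-in here for CryptoAPI)."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def format_client_entry(name: str, ip: str, secret: str) -> str:
    """One comma-delimited line: friendly name, dotted-decimal IPv4, secret."""
    if "," in name:
        raise ValueError("client name must not contain the delimiter")
    ipaddress.IPv4Address(ip)  # raises ValueError if not dotted-decimal IPv4
    return f"{name},{ip},{secret}"


def append_client_entry(path: str, name: str, ip: str) -> str:
    """Generate a secret for one AP, append its entry, return the secret."""
    secret = generate_radius_secret()
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(format_client_entry(name, ip, secret) + "\n")
    return secret


def parse_client_entry(line: str) -> Tuple[str, str, str]:
    """Validate one line, raising ValueError for any malformed field."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    name, ip, secret = (p.strip() for p in parts)
    if not name:
        raise ValueError("empty client name")
    ipaddress.IPv4Address(ip)
    if len(secret) != SECRET_LENGTH or any(c not in SECRET_ALPHABET for c in secret):
        raise ValueError("secret is not 23 printable characters")
    return name, ip, secret


def import_clients(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], int]:
    """Return (accepted entries, rejected count); blank lines are skipped."""
    accepted, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            accepted.append(parse_client_entry(line))
        except ValueError:
            rejected += 1
    return accepted, rejected


# Constructed sample of a Clients.txt file: one good entry, one with an
# invalid IP address, one with the secret field missing.
SAMPLE_LINES = [
    "AP-BldgA-Floor1,10.20.1.153,Zq7!k#P2vL@9mX^e4Rt&b1W",
    "AP-BldgA-Floor2,10.20.1.300,Zq7!k#P2vL@9mX^e4Rt&b1W",
    "AP-BldgA-Floor3,10.20.1.155",
    "",
]
```

Running import_clients(SAMPLE_LINES) accepts the first entry and rejects the other two, mirroring the count the AddSecRADIUSClients script displays.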

Configuring the Wireless Access Points

Having added RADIUS clients entries for the wireless APs to IAS, you now need to configure the wireless APs themselves. You must add the IP addresses of the IAS servers and the RADIUS client secrets that each AP will use to communicate securely with the IAS servers. Every wireless AP will be configured with a primary and secondary (or backup) IAS server. You should perform the procedures in this section for the wireless APs at every site in your organization. For more information on how to allocate wireless APs to your IAS servers, please refer to Chapter 2, "Planning a Wireless LAN Security Implementation."

The procedure for configuring wireless APs varies depending on the make and model of the device. However, wireless AP vendors normally provide detailed instructions for configuring their devices. Depending on the vendor, these instructions may also be available online.

Prior to configuring the security settings for your wireless APs, you must configure the basic network settings. These will include but are not limited to:

IP Address and subnet mask of the wireless AP

Default gateway

Friendly name of the wireless AP

Wireless Network Name (SSID)

Your wireless AP will also have a number of other parameters that affect the deployment of multiple wireless APs, such as the settings that control radio coverage across your site (for example, 802.11 radio channel, transmission rate, and transmission power). Discussion of these parameters is outside the scope of this guidance. Use the vendor documentation as a reference when configuring these settings or consult a network services supplier. For more information on deploying wireless APs, see the references at the end of this chapter.

The guidance in this chapter assumes that you have set these items correctly and are able to connect to the wireless AP from a WLAN client using an unauthenticated connection. You should test this before configuring the authentication and security parameters listed in the following sections.

Enabling Secure WLAN Authentication on Access Points

You must configure each wireless AP with a primary and a secondary RADIUS server. The wireless AP will normally use the primary server for all authentication requests, and switch over to the secondary server if the primary server is unavailable. As discussed in Chapter 2, "Planning a Wireless LAN Security Implementation," it is important that you plan the allocation of wireless APs and carefully decide which server should be made primary and which should be made secondary. To summarize:

In a site with two (or more) IAS servers, balance your wireless APs across the available servers so that approximately half of the wireless APs use server 1 as primary and server 2 as secondary, and the remaining use server 2 as primary and server 1 as secondary.

In sites where you have only one IAS server, this should always be the primary server. You should configure a remote server (in the site with the most reliable connectivity to this site) as the secondary server.

In sites where there is no IAS server, balance the wireless APs between remote servers, using the servers with the most resilient, lowest-latency connectivity. Ideally, these servers should be at different sites unless you have resilient wide area network (WAN) connectivity.
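The three allocation rules above, applied as an added Python example (not part of the original guidance) to a constructed set of sites; site names, server names and the order of remote-server preference are placeholders, and the assumption that the planner ranks remote servers by connectivity is noted in the code.

```python
"""Added example, not from the guide: applies the chapter's three rules for
choosing each wireless AP's primary and secondary RADIUS (IAS) server to a
constructed set of sites. Site and server names are placeholders.
Assumption: for a site that must rely on remote IAS servers, the planner
lists them in order of preference (most resilient, lowest-latency WAN
connectivity first), since the guide leaves that judgement to the planner."""
from typing import Dict, List, Tuple

# Which site hosts each IAS server (constructed data).
SERVER_SITE: Dict[str, str] = {
    "IAS-HQ-1": "HQ",
    "IAS-HQ-2": "HQ",
    "IAS-BRANCH-1": "Branch",
}

# Per site: local IAS servers, remote servers in order of preference, and the
# APs at that site (constructed data).
SITES = {
    "HQ": {"local": ["IAS-HQ-1", "IAS-HQ-2"], "remote": [],
           "aps": ["AP-HQ-1", "AP-HQ-2", "AP-HQ-3", "AP-HQ-4"]},
    "Branch": {"local": ["IAS-BRANCH-1"], "remote": ["IAS-HQ-1", "IAS-HQ-2"],
               "aps": ["AP-BR-1", "AP-BR-2"]},
    "Depot": {"local": [], "remote": ["IAS-HQ-1", "IAS-BRANCH-1", "IAS-HQ-2"],
              "aps": ["AP-DP-1", "AP-DP-2", "AP-DP-3"]},
}


def _secondary_at_other_site(primary: str, candidates: List[str]) -> str:
    """Rule 3 detail: prefer a backup at a different site from the primary;
    fall back to any other candidate if they all share the primary's site."""
    others = [s for s in candidates if s != primary]
    for server in others:
        if SERVER_SITE.get(server) != SERVER_SITE.get(primary):
            return server
    return others[0]


def allocate_site(site: str, local: List[str], remote: List[str],
                  aps: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {ap: (primary, secondary)} for the APs at one site."""
    plan: Dict[str, Tuple[str, str]] = {}
    if len(local) >= 2:
        # Rule 1: two or more local servers. Alternate so that about half the
        # APs use server 1 as primary (server 2 secondary) and vice versa.
        for i, ap in enumerate(aps):
            plan[ap] = (local[i % len(local)], local[(i + 1) % len(local)])
    elif len(local) == 1:
        # Rule 2: a single local server is always primary; the best-connected
        # remote server is the secondary.
        if not remote:
            raise ValueError(f"{site}: a remote server is needed as secondary")
        for ap in aps:
            plan[ap] = (local[0], remote[0])
    else:
        # Rule 3: no local server. Balance the APs across the remote servers
        # and pair each primary with a secondary at a different site.
        if len(remote) < 2:
            raise ValueError(f"{site}: at least two remote servers are needed")
        for i, ap in enumerate(aps):
            primary = remote[i % len(remote)]
            plan[ap] = (primary, _secondary_at_other_site(primary, remote))
    return plan


def allocate_all(sites: Dict[str, dict] = SITES) -> Dict[str, Tuple[str, str]]:
    """Allocate primary and secondary servers for every AP at every site."""
    plan: Dict[str, Tuple[str, str]] = {}
    for name, cfg in sites.items():
        plan.update(allocate_site(name, cfg["local"], cfg["remote"], cfg["aps"]))
    return plan


if __name__ == "__main__":
    for ap, (primary, secondary) in sorted(allocate_all().items()):
        print(f"{ap}: primary={primary}, secondary={secondary}")
```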

The following table lists the settings that you need to configure on your wireless APs. Although the names and descriptions of these settings may vary from one vendor to another, your wireless AP documentation helps you determine those that correspond to the items in the table.

Table 5.3: Wireless Access Point Configuration

Item                                      Setting
----                                      -------
Authentication Parameters
  Authentication Mode                     802.1X Authentication
  Re-authentication                       Enable
  Rapid/Dynamic Re-keying                 Enable
  Key Refresh Time-out                    60 minutes

Encryption Parameters (these settings usually relate to static WEP encryption; they may be disabled or overridden when rapid re-keying is enabled)
  Enable Encryption                       Enable
  Deny Unencrypted                        Enable

RADIUS Authentication
  Enable RADIUS authentication            Enable
  Primary RADIUS authentication server    Primary IAS IP address
  Primary RADIUS server port              1812 (default)
  Secondary RADIUS authentication server  Secondary IAS IP address
  Secondary RADIUS server port            1812 (default)
  RADIUS authentication shared secret     XXXXXX (replace with generated secret)
  Retry Limit                             5
  Retry timeout                           5 seconds

RADIUS Accounting
  Enable RADIUS accounting                Enable
  Primary RADIUS accounting server        Primary IAS IP address
  Primary RADIUS server port              1813 (default)
  Secondary RADIUS accounting server      Secondary IAS IP address
  Secondary RADIUS server port            1813 (default)
  RADIUS accounting shared secret         XXXXXX (replace with generated secret)
  Retry Limit                             5
  Retry timeout                           5 seconds

Important: The Key Refresh Time-out is set to 60 minutes for use with dynamic WEP. The Session Timeout value set in the IAS remote access policy is the same or shorter than this. For more information, see the earlier section "Modifying the WLAN Access Policy Profile Settings." Whichever of these has the lower setting will take precedence, so you only need to modify the setting in IAS. If you are using WPA, you should increase this setting in the AP to eight hours. Consult your vendor's documentation for more information.

Use the RADIUS secrets that were generated when you added the wireless APs to IAS in the "Adding a RADIUS client to the first IAS server" procedure. Although you may not yet have configured a secondary IAS server as a backup to the primary server, you can still add that server's IP address to the wireless AP now (to avoid having to reconfigure it later). Configuring additional IAS servers is discussed in a later section of this chapter.

Depending on the wireless AP hardware model, you may not have separate configurable entries for Authentication and Accounting RADIUS servers. If you have separate configurable entries, set them both to the same server unless you have a specific reason for doing otherwise.

The RADIUS retry limit and timeout values given in the table are common defaults but these values are not mandatory.

Note: If you are currently using wireless APs with no security enabled or only static WEP, you need to plan your migration to an 802.1X–based WLAN. For more information about migration from an existing wireless network, see the "Migration from an Existing WLAN" section of Chapter 2, "Planning a Wireless LAN Security Implementation."

Additional Settings to Secure Wireless Access Points

In addition to enabling 802.1X parameters, you should also configure the wireless APs for highest security. Most network hardware is supplied with insecure management protocols enabled and administrator passwords set to well-known defaults, which poses a security risk. You should configure the settings listed in the following table; however, this is not an exhaustive list. You should consult your vendor's documentation for authoritative guidance on this topic. When choosing passwords and community names for Simple Network Management Protocol (SNMP), use complex values that include upper and lowercase letters, numbers, and punctuation characters. Avoid choosing anything that can be guessed easily from information such as your domain name, company name, and site address.

Table 5.4: Wireless Access Point Security Configuration

Item                            Recommended Setting
----                            -------------------
General
  Administrator password        XXXXXX
      Set to a complex password.
  Other management passwords    XXXXXX
      Some devices use multiple management passwords to help protect access using different management protocols; ensure that all are changed from the defaults to secure values.

Management Protocols
  Serial Console                Enable
      If no encrypted protocols are available, this is the most secure method of configuring wireless APs, although it requires a physical serial cable connection between the wireless AP and a terminal and so cannot be used remotely.
  Telnet                        Disable
      All Telnet transmissions are in plaintext, so passwords and RADIUS client secrets will be visible on the network. If the Telnet traffic can be secured using Internet Protocol security (IPsec) or SSH, you can safely enable and use it.
  HTTP                          Disable
      HTTP management is usually in plaintext and suffers from the same weaknesses as Telnet. HTTPS, if available, is recommended.
  HTTPS (SSL or TLS)            Enable
      Follow the vendor's instructions for configuring keys/certificates for this.

SNMP Communities
      SNMP is the default protocol for network management and is often the protocol used by GUI configuration tools and network management systems. Use SNMP v3 with password protection for highest security. You can disable SNMP if you do not use it.
  Community 1 name              XXXXXX
      The default is usually "public". Change this to a complex value.
  Community 2 name              Disabled
      Any unnecessary community names should be disabled or set to complex values.

You should not disable SSID (WLAN network name) broadcast since this can interfere with the ability of Windows XP to connect to the right network. Although disabling the SSID broadcast is often recommended as a security measure, it gives little practical security benefit if a secure 802.1X authentication method is being used. Even with SSID broadcast from the AP disabled, it is relatively easy for an attacker to determine the SSID by capturing client connection packets. If you are concerned about broadcasting the existence of your WLAN, you can use a generic name for your SSID, which will not be attributable to your organization.

Replicating RADIUS Client Configuration to Other IAS Servers

Typically, the wireless APs in a given site are serviced by an IAS server at that site. For example, the site A IAS server services wireless APs in site A, while the site B server services wireless APs in site B and so on. However, other server settings such as the remote access policies will often be common to many IAS servers. For this reason the export and import of RADIUS client information is handled separately by the procedures described in this section.

Although you will find relatively few scenarios where replicating RADIUS client information is relevant, it is useful in certain circumstances (for example, where you have two IAS servers on the same site acting as primary and secondary RADIUS servers for all wireless APs on that site).

To export the RADIUS client settings to a file

1. Log on to the source IAS server and open a command shell using the MSS WLAN Tools shortcut.

2. If required, identify a folder to store the output file or insert a blank, formatted floppy disk into the server's drive.

3. Run the following command to export the RADIUS client configuration:

   MSSTools ExportIASClients [/path:OutputFolder]

   OutputFolder is an optional parameter used to specify the folder where the output file will be written. If this parameter is not supplied, the output file is written to the current directory. If this parameter is supplied, the folder must exist.

4. The script creates the file IAS_Clients.txt.

Caution: You must remove this file from this server and store it in a secure place, since it contains the RADIUS secrets for all wireless APs configured on the server. After exporting the RADIUS client settings, you can import them into the other servers. You will typically do this to create a secondary server for a given set of wireless APs.

To import RADIUS client settings from a file:

1. Log on to the target IAS server and open a command shell using the MSS WLAN Tools shortcut.

2. Identify the folder (or floppy disk) where the exported RADIUS secrets file IAS_Clients.txt is stored.

3. Run the following command to import the RADIUS client configuration:

   MSSTools ImportIASClients [/path:InputFolder]

   InputFolder is an optional parameter used to specify the folder from which the file will be read. This folder must exist if specified. If no folder is specified, the file is assumed to be in the current directory.

Warning: If you have copied the IAS_Clients.txt file to the target server, you must remove it from this server and store it in a secure place, because it contains the RADIUS secrets for all wireless APs configured on this server.

Importing RADIUS client information is not an additive process. The imported RADIUS client settings will overwrite any existing client entries that you have on the server.

You can create a more flexible method of importing RADIUS clients by using the AddRADIUSClient.exe tool supplied with this solution. This allows you to script the selective addition of RADIUS clients to different servers.

Summary

This chapter provided guidance on the following topics:

How to install and configure the first IAS server.

How to install additional IAS servers and how to replicate the configuration to them from the first server.

How to add wireless APs to IAS as RADIUS clients.

How to configure your wireless APs to use the IAS servers and how to change the default settings to improve their security.

You are now ready to configure your WLAN clients. Information on how to accomplish this is covered in Chapter 6, "Configuring the Wireless LAN Clients."

You should read Chapter 8, "Maintaining the Secure Wireless LAN Solution." This chapter contains essential information about keeping your RADIUS infrastructure running in a secure and reliable manner.

References

This section provides references to important supplementary information or other background material relevant to the content of this chapter.

The "Internet Authentication Service" section of the Windows Server 2003 product documentation at the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/D98EB914-258C-4F0B-AD04-DC4DB9E4EE63.mspx

For more information on deploying IAS, see the "Deploying IAS" chapter of the Windows Server 2003 Deployment Kit at the following URL:

http://go.microsoft.com/fwlink/?LinkId=4716

For more information on programming IAS using the Server Data Objects interface, see the "Server Data Objects" page on MSDN at the following URL:

http://msdn2.microsoft.com/en-us/library/ms717286

For more information on IAS and RADIUS logging, see the "Remote Access Logging" section in the IAS product documentation at the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/3188186F-907A-4316-A335-3995ED3C695D.mspx

For more information on Pocket PC support for PEAP Fast Reconnect, see the article 827824, "FIX: Wireless Clients Cannot Connect When the PEAP Fast Reconnect Authentication Option is Turned On" in the Microsoft Knowledge Base at the following URL:

http://support.microsoft.com/default.aspx?scid=kb;en-us;827824

For more information on configuring specific RADIUS support for APs, see the "Vendor-Specific Attributes" page in the IAS product documentation at the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/095FCE75-8BB1-481F-80AC-BE26087DC5CE.mspx

For more information on deploying a WLAN, see the "Deploying a Wireless LAN" chapter of the Windows Server 2003 Deployment Kit at the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/87383EA4-BFBB-47DA-8E4F-21145139780E.mspx

For more information on Windows XP wireless technology, see the Windows XP Wireless Deployment Technology and Component Overview white paper at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/administration/networking/default.asp

