Perhaps the biggest drawback to using wireless networks in a corporate environment is concerns about security. The last thing any network admin wants is someone who is not part of the company sniffing out sensitive documents and passwords from the comfort of the parking lot. If you have read anything about wireless security at all, I am sure you have heard mention of WEP encryption. Although this is a viable solution for small office/home office (SOHO) and personal wireless networks, it really just doesn't cut it in a large-scale environment. This being the case, what is a systems administrator to do?
Microsoft's answer to corporate wireless security is RADIUS authentication through its Internet Authentication Service (IAS) product. IAS is included as part of Windows Server 2003 and works in conjunction with Active Directory, so that authenticating clients can be managed through remote access policies. In this article we'll walk through the process of creating a secure wireless infrastructure based on Active Directory and Microsoft IAS.
Before getting started, take a moment to examine Figure 1, which provides an overall view of how RADIUS authentication works.
Figure 1. Microsoft's solution to wireless security involves a lot of steps, but it's well worth it.
The first thing to do is configure your RADIUS clients. Keep in mind that there's a difference between RADIUS clients and wireless clients. A wireless client is a computer that will be connecting to a wireless network; a RADIUS client is an access point that connects to a RADIUS (or IAS, in our case) server.
Each model of access point is configured differently, so the way you configure each to be a RADIUS client differs. Generally, though, you will look under the access point's security settings to make sure it is enabled for WPA mode security with TKIP encryption, and that it is configured with a RADIUS server IP address that points to the computer on which you have IAS installed. Lastly, you will need to enter a "shared secret," which essentially serves as a password allowing the RADIUS client to interact with IAS. Use something very long and random for this, so that it cannot be guessed or brute-forced. Figure 2 shows a Linksys access point being configured as a RADIUS client.
Figure 2. Configuring a Linksys Access Point as a RADIUS client
Repeat this process for every access point on your network so that they are able to register as RADIUS clients.
Now that you have RADIUS clients looking for a server to authenticate to, we can get IAS up and running. IAS, included as part of Windows Server 2003, ensures that only trusted access points can be placed on your network for wireless clients to connect to. It's quite simple to install. Go to the Add/Remove Programs applet in the Control Panel, select "Windows Components," browse to "Networking Services," click "Details," and place a check in the box next to "Internet Authentication Service" as shown in Figure 3. Finally, click OK and IAS will install onto the computer.
Figure 3. Installing IAS onto a computer
Unfortunately, configuring IAS isn't nearly as simple as installing it. First you need to set up support for the RADIUS clients we established earlier. Open the IAS administration tool from the Administrative Tools folder. Then right-click the "RADIUS Clients" folder in the left pane and click "New RADIUS Client." Using one of the access points we configured for RADIUS authentication earlier, type in a friendly name for the access point so that it is easily recognizable. (See Figure 4.) Then type in its IP address and click "Next." On the next screen, type in the shared secret you used in the earlier configuration. This must match exactly what you entered into each access point. Once you are done, click "Finish."
Figure 4. Configuring your RADIUS client
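The shared-secret advice in the access point section and the client registration step above can both be scripted. The following is an added example, not code from the article: it generates a long random shared secret and registers one access point as a RADIUS client. It assumes the NPS PowerShell module, which exists on Windows Server 2012 and later (NPS is the successor to the IAS service the article configures, so this goes beyond the article's Windows Server 2003 environment), and the access point name and address are placeholders.

```powershell
# Added example, not part of the original article. Generates a long random RADIUS
# shared secret and registers an access point as a RADIUS client from the command line.
# Assumptions: the NPS PowerShell module is available (Windows Server 2012 or later;
# NPS succeeded the IAS service the article configures), and the AP name and address
# below are placeholders to be replaced with your own.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 48)
    # Letters, digits and symbols that most access point firmware accepts in a secret field
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&()*+,-./:;<=>?@[]^_{}~'
    $n = $alphabet.Length
    # Largest multiple of $n that fits in 32 bits; values at or above it are rejected
    # so every character is drawn uniformly (no modulo bias)
    $limit = [uint64]4294967296 - ([uint64]4294967296 % $n)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        $value = [uint64][BitConverter]::ToUInt32($buf, 0)
        if ($value -lt $limit) {
            [void]$out.Append($alphabet[[int]($value % $n)])
        }
    }
    return $out.ToString()
}

function Register-AccessPointRadiusClient {
    param(
        [Parameter(Mandatory)][string]$Name,          # friendly name shown in the console
        [Parameter(Mandatory)][string]$Address,       # the access point's IP address
        [Parameter(Mandatory)][string]$SharedSecret
    )
    # Microsoft's NPS documentation recommends a secret of at least 22 random characters
    if ($SharedSecret.Length -lt 22) {
        throw "Shared secret for $Name is too short ($($SharedSecret.Length) chars); use at least 22."
    }
    # Require the Message-Authenticator attribute so an Access-Request cannot be forged
    # by a host that merely knows the AP's IP address; requests carrying EAP must
    # include it anyway (RFC 3579), so 802.1X access points are not affected
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret -AuthAttributeRequired $true
}

$secret = New-RadiusSharedSecret -Length 48
Register-AccessPointRadiusClient -Name 'AP-Lobby' -Address '192.0.2.10' -SharedSecret $secret
# Copy $secret into the access point's RADIUS settings now; it is not saved anywhere else
$secret
```

Run it once per access point with a different name, address and freshly generated secret, so that a secret recovered from one access point's configuration does not let an attacker impersonate every other one. Check your access point's firmware for a maximum secret length before choosing a value larger than 48.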
The next step is to configure a wireless access policy for the IAS server. Begin the process by right-clicking "Remote Access Policies" in the left pane of the IAS management window, and then clicking "New Remote Access Policy." On the first screen of the wizard, select "Use the wizard to set up a typical policy for a common scenario" and type in a policy name. The policy name should usually be something descriptive, so "Wireless Access Policy" is often a good choice. Once you have done this, click "Next." On the following screen, choose "Wireless" as your access method, and click "Next" once again. On the next screen, you will be prompted to select the users or groups from Active Directory who you wish to have wireless access. This can be all of your domain users or a select few, depending on your needs. The final step is to select an authentication method. The most common and secure way to do this is through the use of a certificate issued to the computer running IAS. The acquisition and configuration of certificates is a little beyond the scope of this article, but documentation on this subject is readily available with a quick Internet search. Once you have selected the appropriate option and configured your certificate type, click "Next," and then click "Finish."
The last thing that remains before configuring group policy is to modify the user accounts that will be in the wireless access group. In order for the users of this group to be able to successfully utilize the policy created on the IAS server, you must configure each account's dial-in properties. This is done by viewing the properties of a specific account, going to the "Dial-in" tab, and selecting "Allow Access," as shown in Figure 5.
Figure 5. Configuring a user account for dial-in access
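Setting the Dial-in tab by hand for every account in the wireless group is tedious and easy to miss for new members. The following is an added example, not from the article, that sets the same "Allow Access" option for all members of the group in one pass and then reports any account that was missed. It assumes the ActiveDirectory PowerShell module (shipped with RSAT and Windows Server 2008 R2 and later, so newer than the article's 2003 environment) and a group whose name, "Wireless Users", is a placeholder.

```powershell
# Added example, not part of the original article. Grants dial-in permission to every
# member of the wireless access group, then verifies that nothing was missed.
# Assumptions: the ActiveDirectory module is available, and 'Wireless Users' is a
# placeholder for the group you selected in the remote access policy wizard.
Import-Module ActiveDirectory

function Grant-WirelessDialIn {
    param([string]$GroupName = 'Wireless Users')
    # Enumerate members, following nested groups, and keep only user objects
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    foreach ($m in $members) {
        # msNPAllowDialin is the attribute behind the "Allow access" radio button
        # on the account's Dial-in tab
        Set-ADUser -Identity $m.DistinguishedName -Replace @{ msNPAllowDialin = $true }
    }
    return $members.Count
}

function Test-WirelessDialIn {
    param([string]$GroupName = 'Wireless Users')
    # Return members whose dial-in setting is still "Deny access" or
    # "Control access through Remote Access Policy" (attribute absent)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties msNPAllowDialin |
        Where-Object { $_.msNPAllowDialin -ne $true } |
        Select-Object SamAccountName, msNPAllowDialin
}

$updated = Grant-WirelessDialIn
"Dial-in permission granted to $updated accounts"
Test-WirelessDialIn   # no output means every member is set to "Allow access"
```

Schedule the two functions to run after group membership changes, or run them as part of user provisioning, so the Dial-in setting never lags behind the group that the IAS policy actually checks.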
The last step is to configure settings for the individual computers that will be connecting to the wireless network. Many networks have a large number of such computers, so it is fortunate that this can be done centrally through Group Policy. Begin by opening the Group Policy Management Console and creating a new GPO. Again, name it something descriptive like "Wireless Access Policy." Also, make sure that the version of Windows Server 2003 you are running has been upgraded to Service Pack 1 so that the settings we are about to configure are available.
Once you have created your new GPO, edit it and browse to Computer Configuration\Windows Settings\Security Settings and double-click "Wireless Network Policies." Right-click that, select "Create Wireless Network Policy," and go ahead and breeze through the wizard, accepting the defaults.
Once you have finished with the wizard, the properties of the policy should pop up and allow you to make changes. The first thing to do is to name the policy. Once again, something simple but descriptive is always your best bet. After doing this, change to the "Preferred Networks" tab and click "Add." The first screen will require you to type in the SSID of your wireless network and select the authentication and encryption types used. If you are following this guide exactly, those will be WPA and TKIP, respectively, as you can see in Figure 6.
Figure 6. Configuring the basic SSID and encryption information
The final step in setting up this policy is to configure the IEEE 802.1x tab. It is important to make these settings match what we set up previously because this step relates to the use of certificate services. Most of the top half of the screen can be left alone, but make sure you have selected "Protected EAP (PEAP)" as your EAP type. Once you make this change, click on "Settings" and configure the policy to enable certificate verification with your organization's certificate server. Click the "configure" button to the right of the authentication method section and make sure that the box there is checked. This ensures that the username/password information for the user is transmitted to the authentication server so that the end user does not have to enter it twice. Finally, make sure "enable fast reconnect" is enabled, and your wireless policy is ready to go.
All that you have to do now is apply the GPO to the OUs containing your wireless workstations, wait for the policy to propagate, and you are now using a secure enterprise wireless network!
Although it may seem complicated to set up a RADIUS secured wireless network, it is one of the best ways to go for an enterprise wireless security solution. A little time spent now could very easily prevent sensitive data from eventually finding its way into the wrong hands.
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. For more about Chris, you can view his personal blog at http://www.chrissanders.org.
Copyright © 2009 O'Reilly Media, Inc.