PEAP with IAS is a great way to set up wireless networks that require:
a) Their security to be top notch.
b) Lots of Access Points (greater than 10 or so).
c) Minimal administrative maintenance overhead.
It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.
The whole IAS management of your APs as RADIUS clients makes it very simple to make changes to your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most WPA setups). You don’t need to worry about keeping WPA keys up to date, as the encryption keys are generated dynamically each time a client connects.
Below I have detailed the steps that I take when setting one of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks) but most of the steps are fairly self explanatory.
Install IAS from the Add/ Remove Windows Components area in the control panel.
Install Certificate Services from the Windows Components area in the control panel.
When prompted you want to install an “Enterprise Root CA”.
Load up the “Certificates” plugin for mmc and then submit a request for a new domain controller certificate.
Create a group in Active Directory called “WirelessUsers”.
Inside the administrative tools section load up the IAS plugin and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard, which is reasonably intuitive, and when prompted for access restrictions you want to allow only computers and users that are a member of the “Wireless Users” group you created previously. Also make sure when prompted for the authentication method that you select EAP/PEAP.
Then right click on the policy you just created and go to “Properties”. Then click on the “Edit Profile” button and make the following changes:
1. Encryption tab: Make sure “No Encryption” is not ticked.
2. Authentication tab: Tick MSCHAP-V2.
3. Advanced tab: Add Ignore_User_Dial_In_Properties = true and also Terminate-Action = Radius-Request.
On the Access Point:
Use an access point that supports EAP/PEAP and 802.1X authentication (e.g. a D-Link DWL-2100AP). Set up a DHCP reservation for it so that it is always on the same IP address.
Change the authentication mode to be WPA-EAP.
Put in the IP address of the radius server (the server you installed IAS on).
Put in the Radius server/ port numbers/ shared secret (make one up at this stage).
Remember to save/ restart the AP to make sure the settings have stuck.
Back to IAS:
Add a new Radius client. Put in the IP Address of your new AP and also the shared secret you came up with above.
Group Policy Setup:
Load up the group policy manager. Find the appropriate OU that you wish to distribute the wireless network settings to.
Create and link a new GPO here (by right clicking on it and choosing the obvious option). Then right click on the new GPO and click edit.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network.
From here you right click on the right hand window and click “Create Wireless Network Policy”.
1. Give the wireless network policy a name.
2. Select Access Point (infrastructure) networks only.
Once this is created edit the properties as follows:
1. Put in the SSID of the wireless network in the “Network Name” box. Do not use any punctuation like (-,_,/) etc.
2. In the Wireless Network Key box, set “Network Authentication” to WPA with TKIP encryption.
On the IEEE 802.1X tab:
1. Set EAPOL start message to “Transmit”.
2. In the parameters section you want to have: Max Start = 3, Start Period = 10, Held Period = 10, Authentication Period = 10.
3. Make sure that “Authenticate as computer when computer information is available” is ticked. Also make sure that the computer authentication option is set to “With User Re-Authentication”.
4. Make sure that EAP Type is set to Protected EAP. Click the Settings button and make sure that:
“Validate server certificate” is ticked, that your CA (that you created above) is also in the list of “Trusted Root Certification Authorities”, Fast Reconnect is enabled and that “Secured password (EAP-MSCHAP v2)” is the selected method; click on “Configure” and make sure that automatically send my username and password is ticked.
Setup is now complete.
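A post-setup check, added here as an example and not part of the original article: a PowerShell script that verifies the two certificate prerequisites the PEAP settings above depend on, namely that the enterprise root CA is in the machine’s Trusted Root store and that the IAS server holds a Server Authentication certificate with a private key issued by that CA. The CA subject name is an assumed placeholder, and PowerShell 3 or later is assumed; run it on the IAS server and on a domain-joined client.

```powershell
# Added example (not from the original article): PEAP certificate prerequisite check.
# Run on the IAS server and on a domain-joined client. PowerShell 3+ assumed.
# ASSUMPTION: replace $CaSubject with the subject of your own Enterprise Root CA.
$CaSubject     = "CN=EXAMPLE-ROOT-CA"      # placeholder, not a real CA name
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"       # Server Authentication EKU

# Check 1: the enterprise root CA must be in Trusted Root Certification Authorities.
# Without it, a PEAP client that validates the server certificate cannot build the
# chain to the RADIUS server's certificate and authentication fails.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
if ($root) {
    Write-Output ("Root CA trusted: {0} (thumbprint {1}, expires {2})" -f
        $root.Subject, $root.Thumbprint, $root.NotAfter)
} else {
    Write-Warning "Root CA '$CaSubject' is NOT in the machine Trusted Root store."
}

# Check 2 (RADIUS server only): a certificate with a private key and the
# Server Authentication EKU, issued by that CA, must be in the machine's
# Personal store; this is the certificate IAS presents inside the PEAP tunnel.
function Get-PeapServerCandidate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $ServerAuthOid
    }
}

$candidates = @(Get-PeapServerCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning "No Server Authentication certificate with a private key found; request one from the Enterprise Root CA first."
}
foreach ($c in $candidates) {
    # Verify() builds and validates the chain against the local stores (trust, validity, revocation).
    $chainOk   = $c.Verify()
    $fromOurCa = ($c.Issuer -eq $CaSubject)
    Write-Output ("Server cert {0}: chainValid={1} issuedByEnterpriseCA={2} expires={3}" -f
        $c.Subject, $chainOk, $fromOurCa, $c.NotAfter)
    if (-not ($chainOk -and $fromOurCa)) {
        Write-Warning "This certificate will not pass 'Validate server certificate' on clients that trust only $CaSubject."
    }
}
```

If clients only connect once “Validate server certificate” is unticked, one of these two checks is usually what is failing; with validation off the client will complete the PEAP tunnel with any RADIUS server that answers, so the cause is worth fixing rather than the setting.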
I have recently set this up as well; it is pretty nifty to use with AD. I’m running mine through WRT54G/S/Ls with DD-WRT firmware.
I have been testing and found a couple of issues, perhaps you have encountered them as well:
1. When using Group Policy to set up WLAN and push settings automatically, I can’t seem to get connected, but when I set it up manually it does work on the client (using the standard Windows wifi client, not 3rd party).
2. Login scripts don’t run and network drives are not connected, as they do perfectly fine when using WPA-PSK. I would think this would work with WPA PEAP when set up manually and not pushed via group policy, but it doesn’t.
Any thoughts?
Hi Trey.
Thanks for the comment! Sorry for the late reply.
When you say that you can get it running if you configure it manually, does this mean that the wireless interface has an IP address and, if you take out the ethernet cable of the laptop, you can ping another host on your network through the wireless?
I have seen several cases where a wireless client says that it is connected but it doesn’t actually have an IP address and authentication has failed.
Firstly I would check your IAS server’s event viewer for any IAS errors.
Hopefully this helps you, give this a try and get back to me with any errors you see in the event viewer.
I failed to enter the local certificate server when I did the GP settings… it’s always those tiny details we sometimes overlook. I also found it helps to push the cert in GP as well.
As for network drives, I tried to authenticate by computer name only, but couldn’t get it working. Adding both the user AND machine group would allow all the network scripts/drives, etc. to run.
I’ve been meaning to set up PEAP for over a year, and now I am glad I finally did as it works really well and I don’t have to worry about anyone handing out WPA keys.
My next step is to enable a similar policy for wired machines so employees and guests can’t plug in random computers and access the network.
Thanks for the reply!
I have tried to follow the above settings but find my GPO is applied but the EAP type is not set, i.e. defaulting to ‘Smart Card or Other Certificate’.
Anyone come across this problem? Or offer any suggestions?
Thanks in advance.
I have a problem with mapping of network drives. The problem is that the network drives won’t map on startup. However, if I remove “validate server certificate” on the client everything maps up fine at startup?
Anyone got a solution to this problem? Thanks!
Yes, I have seen this on a couple of laptops… it is very strange indeed, but I have simply manually set these ones to alleviate the problem.
Is this happening on more than 10% of your wireless clients? If not just manually set them and it seems to stick when you do a:
gpupdate /force
If anyone else can shed any light on this that would be awesome. Do you have the latest service packs etc installed on the clients and server? I did find some problems with group policies and PEAP and XP SP1.
Hi Arild.
Sounds like you may not have generated a certificate for the domain controller perhaps in the certificate authority applet…
Also, in the Trusted Root Certification Authorities dialog box in the group policy settings (which is in the dialog that appears when you click the “EAP Type” -> “Settings” button), is your CA ticked as trusted?
Have a look and get back to me.
Regards.
John.
Great Article!
Regards,
Dario
I wish I could get my paranoid employer to believe me that this method is very secure. Wireless is still outlawed here and people are mad. Any other articles to add to my argument that you can make wireless very secure?
Yes, it can certainly be difficult to bring management around to the idea that wireless is secure given the media hype surrounding wireless break-ins etc. We typically face this type of user resistance when setting such projects up.
Basically it comes down to whether or not they trust Windows security, which they obviously do because they are trusting their sensitive files etc. with it. There is just as much chance of someone plugging their laptop into a spare network port in your business and being able to crack your Windows Server security and get onto your file shares.
I personally believe that wireless (when set up correctly) is more secure than wired networks these days. When was the last time you heard of anyone bothering to set up 802.1x on their wired network to prevent unauthenticated access?
There are no doubt a ton of articles pushing both for and against wireless security.
I was testing assigning WPA2 SSID settings via GPO and it works great.
One concern is that if I create other SSIDs I’m unable to Move Up or Down from my preferred networks. Any way I can enable this?
Thanks,
Jose.
When you set up the wireless policies you can move the priority of the various SSIDs up and down.
Is this what you meant?
If you don’t have this facility, I wonder, is your Windows Server upgraded to the latest service packs etc.?
Or did you mean is there any way to enable users to be able to change this order perhaps?
To get your wifi clients processing login scripts, there is a setting in GPO that will make sure it pretty much always works.
“Run logon scripts synchronously” under userConfig/adminTemplate/System-scripts. Try enabling that. I believe that fixed that issue for me.
Thanks for your guide to setting up a wifi network with Windows Server 2003.
After many attempts to make a connection between a laptop and the network I found the only solution was Method 1 in MS KB article 838502. This was to disable certificate validation on the client computer.
OK, it works, but (a) what have I missed in your method, and (b) is my wireless network now less secure now that I have disabled certificate validation?
I had a few issues with this. First of all, I’m a little bit of a novice, but I’ll tell you where it went wrong. When loading the Certificates snap-in, I could not request a Domain Controller certificate, only a user certificate or administrator. I am logged into the server as the Domain Administrator.
Problem #2: when setting up the GPO policy, I’m not sure what you mean by the appropriate OU. Is this an OU that I am creating and putting the users in that will be authenticated, or is this an OU that you specified to create?
Problem #3 (related to #2): if I try to create a new GPO in any OU (even one I just created) I get an error when saving that says “The following error occurred when saving Wireless Data (GPO NAME): The specified directory service attribute or value does not exist (8007200a)”.
Any suggestion will be appreciated.
Scott.
Hello,
I just used your instructions to set up a wireless network on our LAN using Windows 2003 Server, which is configured as a Domain Controller. I had no problems at all setting up the server side or the access point side. I followed the instructions to a “T”. However, I am having some trouble connecting to the wireless network with my laptop that has been previously joined to the domain. I set up the laptop wireless profile to use WPA, PEAP and MSCHAPv2. I entered my domain credentials and for some reason I am unable to connect to the new wireless network. Do you have any recommendations? Please help.
Thank you!
Brian
Today we installed a similar configuration, but ran into some problems with smart or ‘not so very’ smart devices. It seems that most of the smaller devices had issues when authenticating in this setup. Does anyone have results about the usage of Nokia telephones of the N-series (or Business E-series)… and even Windows Mobile devices?
I posted a small message about our findings at:
http://blog.gbraad.nl/2007/08/when-not-to-use-wpa-and-peap.html
Wow – I’ve just changed my SSID at our institution (boarding school), and I see a similar pattern at the clients to what Jose said:
—
I was testing assigning WPA2 SSID settings via GPO and it works great.
One concern is that if I create other SSIDs I’m unable to Move Up or Down from my preferred networks. Any way I can enable this?
—
I had my clients work with a RADIUS last term, but now we’ve upgraded to a controller-based system from Zyxel with 8 antennas, and now I cannot make them connect to the server, although I have the same setup as at the former APs. Will I have to reconfigure the certificate, or is it in the AP that something is wrong?
A big thanks for the article. I’ve spent ages configuring certificate servers and IAS servers with no luck; this article took 10 minutes to follow, and worked first time.
Oops
Hi KWS.
In the group policy applet under wireless networks you can move the order of the networks up and down. This allows you to prioritise which SSIDs your clients will “prefer” to connect to.
Hope this helps; don’t hesitate to contact me for more help!
No worries Matt! Glad to help.
I think the issue of moving networks up/down is a client side issue. Since the policy is pushed via GPO, those networks are always at the top of the list. So, for instance, my home SSID cannot be moved above the ones at work being pushed from GPO.
The only reason I can see this being a real issue is if your personal (non-GPO pushed) networks are in that close a proximity that you are consistently connecting to the GPO networks instead.
Sir, my setup is like this: a RADIUS server, then the D-Link router. From the server I have one cable to the router; which port do I use, the LAN port or the ethernet port? Thanks.
Please explain a little more and I will be glad to help you.
A LAN port is normally an ethernet port… do you mean internet or LAN perhaps? In that case you want the network cable to be on the LAN side of the router.
Sir, be patient with my English,
I’m a little bit confused which socket in the router I use to plug in the cable coming from the server, the WAN or the LAN.
And does it work if I use only one server and a router? My purpose is that everyone who wants to access the wifi has their own user name and password.
Until now, sir, I’m not finished yet; hoping you can help me, thanks.
No worries about English!
I would think that in your situation you would plug it into the LAN port.
Sounds like you are on the right track to getting people logging onto the internet with their own username/password.
If you need any more help perhaps we could converse via email? (john “at” thegreenroom “d0t” org “d0t” nz)