Setting Up 802.1x Authentication
Setting up 802.1x Authentication using PEAP on Windows Server 2008 or later (NPS):

1. Install an Enterprise CA and perform the following:
   a. Create a copy of the Computer certificate template called 802.1x in the Certificate Templates MMC snap-in that:
      i. Gives Read and Enroll permission on the Security tab (Everyone is acceptable for a lab; in production restrict it to Domain Computers, or to the RADIUS server's computer account alone).
      ii. Uses the Fully distinguished name as the Subject name format on the Subject Name tab.
   b. Publish the template in the Certificate Templates folder of the Certification Authority MMC snap-in (right-click Certificate Templates, New, Certificate Template to Issue).
   c. Enroll the RADIUS server for an 802.1x certificate using the Certificates (Local Computer) MMC snap-in (right-click Personal, Certificates, All Tasks, Request New Certificate).
2. Install the Network Policy Server (NPS) role in Server Manager.
3. In the NPS console, ensure that:
   a. A RADIUS Client has been created for the WAP using the WAP's IP address, the RADIUS Standard vendor name and the Message-Authenticator attribute requirement. You must supply a shared secret (e.g. Secret555 in a lab; in production use a long random value, because it is the only thing that authenticates the WAP to the RADIUS server and a short one can be recovered offline from captured RADIUS traffic).
   b. A Network Policy has been created (called 802.1x Policy for example) that uses PEAP. You must manually add the PEAP EAP type and edit its configuration to select the certificate enrolled in Step 1; it must chain to a root that the clients trust.
   c. (Optional) In the Network Policy you created in the previous step, set the Session-Timeout RADIUS attribute to 5 minutes. This forces the client to re-authenticate every 5 minutes, so new session keys (dynamic WEP keys or the WPA pairwise master key) are derived each time (good security).
4. Configure the WAP (using its web interface) to use WEP or WPA with RADIUS (the 802.1X or "Enterprise" mode rather than a pre-shared key). Enter the IP address of your RADIUS server (the NPS server) and the same shared secret from Step 3a (e.g. Secret555).
5. Ensure that the Trusted Root certificate for your CA has been installed on the client computer. You can do this by:
   a. Importing the Trusted Root certificate (from the root of C:\ on your CA) into the Trusted Root Certification Authorities folder of the Certificates (Local Computer) MMC snap-in, or
   b. Importing the Trusted Root certificate into a GPO (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities).
6. Configure the properties of your wireless NIC (Wireless Networks tab) to use PEAP authentication. In the PEAP properties, enable Validate server certificate, select the Trusted Root of your CA and, where the option exists, restrict the accepted server names to your RADIUS server; without this a rogue access point presenting any certificate can terminate the TLS tunnel and capture the MSCHAPv2 challenge/response for offline cracking. Also ensure that EAP-MSCHAPv2 is the inner authentication method, so that the username/password (the Windows logon credentials, passed automatically) is only ever sent inside the TLS tunnel to the RADIUS server. All of this configuration may also be done with a GPO (Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies).
7. Connect to the SSID of the WAP by browsing for available networks (right-click your wireless NIC). Once connected, verify the authentication on the RADIUS server rather than with getmac, which only lists MAC addresses: NPS records an Access granted event (Event ID 6272) or an Access denied event (Event ID 6273) in the Security log, naming the client, the user and the matching policy.
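The server-side steps 1c, 3a and 7 of the NPS procedure above, carried out from the command line, as an added PowerShell example that is not part of the original page. It assumes an elevated PowerShell session on the NPS server (Windows Server 2008 R2 or later), a duplicated template named 802.1x, a WAP at 192.0.2.10 and a RADIUS client name of WAP-Lab; all of those values are placeholders, and the shared secret is generated randomly instead of using Secret555.

```powershell
# Added example, not from the original page. Assumed: elevated PowerShell on the NPS server
# (Server 2008 R2 or later), template name '802.1x', WAP address 192.0.2.10, client name 'WAP-Lab'.

# --- Step 1c: enroll the NPS server for a machine certificate from the duplicated template.
# Use the template name (not its display name); -machine enrolls with the computer's AD identity,
# -q suppresses the enrollment UI.
certreq -enroll -machine -q 802.1x

# Check that the certificate is in Local Computer\Personal and carries the Server Authentication
# EKU; that is the certificate the PEAP configuration in Step 3b must point at.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Format-List Subject, Issuer, Thumbprint, NotAfter

# --- Step 3a: RADIUS client for the WAP with a random shared secret instead of 'Secret555'.
# 24 random bytes become 48 hex characters: no shell-special characters and short enough for
# most WAP web interfaces, but far beyond an offline guess against captured RADIUS packets.
$rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes  = New-Object byte[] 24
$rng.GetBytes($bytes)
$secret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# requireauthattrib=yes is the "Message Authenticator attribute" checkbox in the console: every
# Access-Request from this WAP must carry an HMAC-MD5 over the packet keyed with the shared secret,
# so a forged request from a host that only knows the WAP's IP address is dropped.
netsh nps add client name="WAP-Lab" address="192.0.2.10" state="enable" sharedsecret="$secret" requireauthattrib="yes"
netsh nps show client

# The same value goes into the WAP's RADIUS settings (Step 4). It is shown once and not written
# to disk; copy it into the WAP now.
"Shared secret for the WAP: $secret"

# --- Step 7: verify from the server side. NPS audits each RADIUS decision in the Security log:
# 6272 = access granted, 6273 = access denied. The first line of the message is enough to see
# which client, user and policy were involved; the full message carries the reason code.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

The Network Policy itself (Step 3b) and the optional Session-Timeout are still created in the NPS console; netsh nps can export and import a whole configuration (netsh nps export / import) once the policy exists, which is the way to reproduce it on a second server.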
Setting up 802.1x Authentication using PEAP on Windows Server 2003:

1. Install an Enterprise CA and perform the following:
   a. Create a copy of the Computer certificate template called 802.1x in the Certificate Templates MMC snap-in that:
      i. Gives Read and Enroll permission on the Security tab (Everyone is acceptable for a lab; in production restrict it to Domain Computers, or to the RADIUS server's computer account alone).
      ii. Uses the Fully distinguished name as the Subject name format on the Subject Name tab.
   b. Publish the template in the Certificate Templates folder of the Certification Authority MMC snap-in (right-click Certificate Templates, New, Certificate Template to Issue).
   c. Enroll the RADIUS server for an 802.1x certificate using the Certificates (Local Computer) MMC snap-in (right-click Personal, Certificates, All Tasks, Request New Certificate).
2. Install the Internet Authentication Service (IAS) from Add/Remove Programs in Control Panel.
3. In the IAS console, ensure that:
   a. The IAS server is registered in AD (right-click Internet Authentication Service, Register Server in Active Directory); without this IAS cannot read the dial-in properties of the accounts it authenticates.
   b. A RADIUS Client has been created for the WAP using the WAP's IP address, the RADIUS Standard client-vendor and the Message-Authenticator attribute requirement. You must supply a shared secret (e.g. Secret555 in a lab; in production use a long random value, because it is the only thing that authenticates the WAP to the RADIUS server).
   c. A Remote Access Policy has been created (called 802.1x Policy for example) that uses PEAP. Press the Configure button beside PEAP and select the certificate enrolled in Step 1; it must chain to a root that the clients trust.
   d. (Optional) In the Profile section of the Remote Access Policy you created in the previous step, set the Session-Timeout to 5 minutes. This forces the client to re-authenticate every 5 minutes, so new session keys (dynamic WEP keys or the WPA pairwise master key) are derived each time (good security).
4. Configure the WAP (using its web interface) to use WEP or WPA with RADIUS (the 802.1X or "Enterprise" mode rather than a pre-shared key). Enter the IP address of your RADIUS server (the IAS server) and the same shared secret from Step 3b (e.g. Secret555).
5. Ensure that the Trusted Root certificate for your CA has been installed on the client computer. You can do this by:
   a. Importing the Trusted Root certificate (from the root of C:\ on your CA) into the Trusted Root Certification Authorities folder of the Certificates (Local Computer) MMC snap-in, or
   b. Importing the Trusted Root certificate into a GPO (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities).
6. Configure the properties of your wireless NIC (Wireless Networks tab) to use PEAP authentication. In the PEAP properties, enable Validate server certificate, select the Trusted Root of your CA and, where the option exists, restrict the accepted server names to your RADIUS server; without this a rogue access point presenting any certificate can terminate the TLS tunnel and capture the MSCHAPv2 challenge/response for offline cracking. Also ensure that EAP-MSCHAPv2 is the inner authentication method, so that the username/password (the Windows logon credentials, passed automatically) is only ever sent inside the TLS tunnel to the RADIUS server. All of this configuration may also be done with a GPO (Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies).
7. Connect to the SSID of the WAP by browsing for available networks (right-click your wireless NIC). Once connected, verify the authentication on the RADIUS server rather than with getmac, which only lists MAC addresses: IAS writes an access granted (Event ID 1) or access denied (Event ID 2) event with source IAS to the System log, naming the user, the client and the matching policy.