Configure Wireless Networking on Windows Small Business Server 2003


This document provides detailed steps for implementing 802.11a/b/g authenticated wireless network access on the Microsoft® Windows® Small Business Server 2003 server software (Windows SBS) Standard Edition with Service Pack 1 (SP1) or on Windows SBS 2003 R2 Standard Edition. It includes all of the configuration steps that you need to complete to add wireless services to a newly constructed wired network that has limited or no services configured. If you are adding wireless services to an existing network, you may have already performed some of the procedures. In that case, you should review the information within the related procedures, and then modify your services or components as necessary.

ImportantImportant
The procedures in this document are specific to Windows SBS 2003 Standard Edition with SP1 and to Windows SBS 2003 R2 Standard Edition. The procedures for implementing wireless networking on Windows SBS 2003 Premium Edition with SP1 or on Windows SBS 2003 R2 Premium Edition may be different, and you may experience different results.

Before You Begin

Skill Level

The skill level required to complete the steps in this document assumes general knowledge of how to physically set up a local area network (LAN), and a basic understanding of the concepts of computer and user accounts, groups, and Group Policy settings in a client/server environment.

Terminology

Remote Authentication Dial-In User Service (RADIUS): A security authentication protocol that is based on a client/server model and that is widely used by Internet service providers (ISPs). RADIUS is the most popular means of authenticating and authorizing dial-up, virtual private network (VPN), wireless, and authenticating switch clients today. A RADIUS client is included in the Routing and Remote Access service, and a RADIUS server and proxy, named Internet Authentication Service (IAS), ships with Windows SBS 2003 with SP1 and with Windows SBS 2003 R2.
Server certificate: A digital identification that contains information about your Web server and about the organization that sponsors the server's Web content. A server certificate enables users to authenticate your server and to establish a connection. The server certificate also contains a public key, which is used to create an encrypted connection between the client computer and the server.
Wi-Fi Protected Access (WPA): A security protocol designed for use with wireless networks. WPA encrypts the information that is sent between computers on a wireless network, and it authenticates users to help ensure that only authorized people can access the network.
Wired Equivalent Privacy (WEP): A security protocol designed for use with wireless networks. WEP encrypts the information that is sent between computers on a wireless network. WEP is not as secure as the more recent protocol, Wi-Fi Protected Access (WPA).

Small Business Wireless Network

The following figure shows the main components of the wireless infrastructure used for this document:
Wireless Local Area Network drawingThis infrastructure relies on one server that is running Windows SBS, and it consists of the following:
  • Internet Authentication Service (IAS).
  • A server certificate (either the one provided in Windows SBS or one obtained from a third party).
  • Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), also called PEAP-MS-CHAP v2. PEAP-MS-CHAP v2 is the authentication method used by client computers that are running Windows XP with Service Pack 2 (SP2) and by the IAS Remote Access Policy.
  • Client computers with IEEE 802.11 wireless adapters.
  • Additional hardware that includes one or more wireless access points.

    noteNote
    This document is not intended for use in a network environment that is based on the Microsoft Windows Server® 2003 operating system. For more information about wireless deployment and Windows Server 2003, see "Wireless Networking" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=66197).

Prerequisites

  • Before you set up a wireless network, you must complete the following:
  • Physically set up the wired portion of your network.
  • Perform a basic installation of Windows SBS, with TCP/IP configured on the private interface for static IP addressing.
  • Upgrade your server by installing either SP1 for Windows SBS or Windows SBS 2003 R2.
  • Upgrade your wireless computers that are running Windows XP Professional by installing SP2 for Windows XP Professional.
The following sections provide preparation information and recommendations to help you deploy your wireless network.

Wireless access points

The wireless access points (APs) that you deploy must meet the following requirements:
  • Support for the IEEE standard 802.1X authentication.
  • Support for Wi-Fi Protected Access (WPA) is preferred. WPA is supported by Windows XP with SP2. To deploy WPA, use wireless network adapters and wireless access points that also support WPA.
  • Support for RADIUS authentication and RADIUS accounting.
In addition, there are some filtering features that the access points must support in order to help provide enhanced security for the network. These filtering options include the following:
  • DHCP filtering. The access point must filter on IP ports to prevent the transmission of DHCP broadcast messages in the instance that the client computer is a DHCP server. The access point must block the client computer from sending IP packets from port 68 onto the network.
  • DNS filtering. The access point must filter on IP ports to prevent a client computer from performing as a DNS server. The access point must block the client computer from sending IP packets from port 53 onto the network.
For consistency and to simplify wireless implementation, it is recommended that you use wireless APs of the same brand and model.

Server certificates

This infrastructure relies on the following:
  • PEAP-MS-CHAP v2: Provides wireless user authentication with password-based credentials.
  • Server certificate: Installed on your server that is running IAS, for server authentication.
To use PEAP-MS-CHAP v2, the server that is running IAS and that is authenticating wireless connections must have a server certificate that is issued by an enterprise root certification authority. The server must also be trusted by your wireless client computers.

Internet Authentication Service

Internet Authentication Service (IAS) is the Microsoft implementation of the RADIUS protocol. IAS manages authentication, authorization, and accounting for VPN, dial-up, 802.1X wireless, and Ethernet switch connection attempts that are compatible with the Internet Engineering Task Force (IETF) RADIUS protocol.
In this scenario, IAS is used to authenticate and to authorize wireless connection requests. Each wireless access point is configured in IAS as a RADIUS client. An IAS Remote Access Group Policy setting, which you create, defines who can connect to your network through wireless APs.
  • IAS Wireless Remote Access Group Policy setting: A Remote Access Group Policy setting is configured for wireless connections so that employees can access the organization's intranet.
  • Wireless APs as IAS RADIUS clients: Wireless APs must be configured as IAS RADIUS clients in order to communicate with the RADIUS server.
  • Vendor Specific Attributes: Some wireless APs require Vendor Specific Attributes (VSAs), which provide functionality that is not supported within the standard RADIUS attributes. VSAs are configured in the IAS Remote Access Group Policy setting. IAS includes VSAs from a number of vendors in its dictionary; however, not all VSAs for all vendors are included. For required VSAs that are not in the IAS VSA dictionary, you can create a new Remote Access Group Policy profile and manually create a new VSA within each Group Policy object.
  • Logging: Enable logging to store authentication and accounting information. This information can be used to analyze network connections and to investigate possible security issues. Windows SBS IAS can log information to a local database file or to a Microsoft SQL Server™ database.

Wireless access points (RADIUS clients)

Your must have one or more wireless access points that are compatible with the RADIUS protocol and with 802.1X and that are connected to your wired network.

Wireless client computers

Windows XP with SP2 requires the least amount of manual configuration because it has built-in support for IEEE 802.1X authentication using the Extensible Authentication Protocol (EAP), a built-in trusted root certification authority, Wireless Auto Configuration, as well as support for WPA and WEP. For ease of configuration and enhanced security, this paper documents configuration to support client computers that are running Windows XP with SP2.
noteNote
Wireless Auto Configuration is the feature that Windows XP and Windows SBS use to detect available wireless networks and to automatically connect to them.

Process for Setting Up a Wireless Network

Step 1: Configure Wireless Access Points. Physically install the wireless access points on your network, and configure them according to the manufacturer's directions.
Step 2: Configure a Wireless Security Group. Configure the wireless security group that will be used to grant permissions for users and for wireless computers to access the network.
Step 3: Configure Wireless Computer Accounts. Add a computer template, and use it to add wireless network computer accounts.
Step 4: Configure Wireless User Accounts. Add a user template, and use it to add wireless network user accounts.
Step 5: Install Internet Authentication Service and Windows Internet Name Service. Configure Windows Internet Name Service for name resolution.
Step 6: Install a Certificate for Your Server. Install the certificate that is included with Windows SBS 2003.
Step 7: Configure Internet Authentication Service (IAS). Configure wireless APs as IAS RADIUS clients, configure the Remote Access Group Policy setting for wireless access, and configure Remote Access Logging (database-compatible format).
Step 8: Configure Wireless Network Group Policy Settings. Configure the Group Policy setting for your wireless network.
Step 9: Configure Wireless Client Computers. Verify that each of your wireless client computers are configured for dynamic addressing, and then connect them to the wireless network.

Step 1: Configure Wireless Access Points

To configure wireless access points
  1. Physically install the wireless APs.
  2. Using the guidelines in Table 1: Wireless AP Configuration, follow the configuration steps included in the product documentation for your wireless AP.
  3. Determine whether your wireless APs require the configuration of VSAs in the IAS Remote Access Group Policy setting. If they do, keep the VSA configuration information readily available as a reference when configuring IAS.
  4. Keep the AP configuration information readily available when configuring APs as RADIUS clients in the IAS console. Make a record of the settings that you configure on your APs, including the following:
    • Wireless AP IP address (static)
    • DNS name, wireless AP name
    • Wireless AP subnet mask
    • RADIUS shared secret. Be certain to record the shared secret that you use on each AP.
The following table lists some of the common wireless AP configuration items. Introductory configuration information and recommendations are provided for each configuration item, if applicable.
noteNote
The names of the configuration items for wireless access points can vary by brand and model, and they might be different than those listed in the table below. See your wireless AP documentation for configuration-specific details.

Table 1: Wireless AP Configuration

Wireless AP Configuration ItemsConfiguration Item Information
SSID
The SSID is the name of the wireless network. In Windows XP, the SSID is the name displayed in View available wireless networks, when the computer running Windows XP detects the wireless AP broadcast.
Recommendation: In cases where multiple wireless APs are used as part of the same wireless network, configure each AP with the same SSID.
Wireless AP IP address (static)
For each AP, configure a unique static IP address that falls within the exclusion range that is set up on your server. The default range that is configured when you install Windows SBS is 192.168.16.1 - 192.168.16.9. If you have manually set up a different exclusion range, use an IP address that falls within that range.
DNS name
Some wireless APs can be configured with a DNS name. The DNS service on the network can resolve AP DNS names to an IP address.
On each wireless AP that supports this feature, enter a unique name for DNS resolution.
IEEE 802.1X authentication
Configure IEEE 802.1X authentication with either WPA or WEP enabled, depending on which authentication is supported by all of your wireless devices.
noteNote
WPA2 is not documented in this scenario because it is not supported in the unsigned certificate for Windows SBS 2003 with SP1 or Windows SBS 2003 R2. WAP2 support requires that you purchase a trusted certificate from a third-party certification authority.
Wireless AP subnet mask
Configure this to match the subnet mask setting on your Server Local Area Connection network adapter. The default subnet mask that is configured when you install Windows SBS is 255.255.255.0. If you have manually set up a different subnet mask, use that one.
Disable wireless AP DHCP Service
If your wireless AP has a built-in DHCP service, disable the service on the wireless AP.
RADIUS shared secret
A shared secret is configured between a RADIUS client computer and the RADIUS server to help protect communication between them. The same shared secret is configured on both devices.
Use a unique RADIUS shared secret for each wireless AP. For security purposes, each shared secret should be a random sequence of uppercase and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random-character generation program to create shared secrets to configure on the IAS server and the wireless AP. You need to know the shared secret for each wireless AP when configuring RADIUS client computers in the IAS procedures that follow.
ImportantImportant
It is recommended that you record the shared secret for each wireless AP and store that record in a secure location, such as an office safe.
RADIUS server IP address
Enter the network IP address of your IAS server. Because IAS is installed on your server, use the same IP address as the server.
UDP ports
By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.
It is recommended that you do not change the default RADIUS UDP port settings unless there is a specific reason to do so.
Vendor Specific Attributes (VSAs)
Some wireless APs require that the IAS RADIUS server be configured with specific attributes in order to provide full wireless AP functionality. VSAs are added in the IAS Remote Access Group Policy setting.
DHCP filtering
Configure wireless APs to block wireless client computers from sending IP packets from port 68 onto the network, as documented by the wireless AP manufacturer.
DNS filtering
Configure wireless APs to block wireless client computers from sending IP packets from port 53 onto the network, as documented by the wireless AP manufacturer.
Use the following table to record your wireless AP configuration:

 

Wireless AP Configuration ItemsYour Wireless AP Configuration
SSID
Wireless AP IP address (static)
DNS name
IEEE 802.1X authentication
Wireless AP subnet mask
Disable wireless AP DHCP service
RADIUS shared secret
RADIUS server IP address
UDP ports
Vendor Specific Attributes (VSAs)
DHCP filtering
DNS filtering
For more information about wireless APs, see the documentation for your specific wireless AP.

Step 2: Configure a Wireless Security Group

Before setting up user accounts for users, create a wireless access security group by using the Add a Security Group Wizard. The security group is then used to grant appropriate permissions to the users of the wireless network.
To create a security group
  1. Click Start, and then click Server Management.
  2. In the console tree, click Security Groups.
  3. From the taskpad in the details pane, click Add a Security Group. The Add a Security Group Wizard starts.
  4. On the Welcome to the Add Security Group Wizard page, click Next.
  5. On the Security Group Information page, enter the name (for example, Wireless Access Users) and description of the security group, and then click Next.
    Security Group Information page
  6. On the Group Membership page, click Next.
  7. Click Finish.
  8. Click Close on the Add Security Group Wizard page.

Step 3: Configure Wireless Computer Accounts

noteNote
If you have already configured computer accounts for all of your network computers, go to the next procedure, "To allow wireless client computers access to the network."
To set up computer accounts
  1. Click Start, and then click Server Management.
  2. In the console tree, click Client Computers.
  3. From the taskpad in the details pane, click Set Up Client Computers. The Set Up Computer Wizard starts.
  4. On the Welcome to the Set Up Computer Wizard page, click Next.
  5. On the Client Computer Names page, do the following:
    1. Enter a unique name for a wireless client computer in the Client Computer Name text box, and then click Add. The wireless client computer name is added to theAccounts will be created for text box.
    2. Repeat step (a) until all wireless client computer names have been added to the list.
    3. Click Next.

      Adding client computer names
  6. On the Client Applications page, do the following:
    1. Click to deselect any applications that you do not want to install the first time the wireless client computer logs on to the network.
    2. Select the After Client Setup is finished, log off the client computer check box.
    3. Click Next.
  7. Depending on the type of client computer, do one of the following, but not both:
    • For laptop computers, on the Mobile Client and Offline Use page, select the Install Connection Manager check box, and then click Next.
    • For desktop computers, on the Mobile Client and Offline Use page, click Next.
  8. Click Finish.
  9. Click OK in the Finishing Your Installation alert box.
  10. Verify that all the computers that you added are listed in the Manage Client Computers details pane.
After setting up the wireless computer accounts on your server, you need to grant permission by allowing access the wireless network and placing the computer in the wireless group.
To allow wireless client computers access to the network
  1. In the Client Computer details pane of the Server Management console, right-click any computer account, and then click Properties.
  2. Click the Dial-in tab, and then select Allow access.
    Allow dial-in access
  3. Click the Member of tab, and then click Add.
    Add client to group membership
    1. On the Select Groups page, click Advanced to expand the page.
    2. Click Find Now. All user and group accounts appear in the Search results text box.
    3. Scroll down and then double-click to select the wireless group that you set up.
    4. Verify that the wireless group name appears in the Enter the object names to select text box, and then click OK.
  4. Click OK to apply the changes and to close the Properties page.
  5. Repeat steps 1 - 4 of this procedure for every computer that you want to permit wireless connections to your network.

Step 4: Configure Wireless User Accounts

After creating a security group, you need to create a new template that can be used for creating wireless access user accounts.
To create a wireless user template
  1. Click Start, and then click Server Management.
  2. In the console tree, click User Templates.
  3. In the details pane, click Add a Template. The Add Template Wizard starts.
  4. On the Welcome to the Add Template Wizard page, click Next.
  5. On the Template Account Information page, do the following:
    1. Type a name for the new template in the Template name box, (for example, Wireless Access Users Template).
    2. Type a description of the default user account properties in the Description box that this template sets up.
    3. Clear the This template should be the default option in the Add User Wizard check box, and then click Next.

      Template account information page
  6. On the Security Groups page, scroll down, double-click the wireless security group that you created in "Step 2: Configure a Wireless Security Group" to add it to the Users will be members of column, and then click Next.
    Add security groups to the template
  7. If you want members of the wireless security group to receive organization-wide e-mail and they are not already members of a distribution group, on the Distribution Groups page double-click the distribution group in the All distribution groups text box to add it to the Users will be members of text box. Click Next.
  8. On the SharePoint Access page, click Next.
  9. Adding information on the Address Information page is optional. Enter any information that is appropriate, and then click Next.
  10. On the Disk Quota page, accept the default for both Disk space limits in megabytes and Warning level in megabytes, and then click Next.
  11. Click Finish, and then click Close to close the Add Template Wizard.
ImportantImportant
If you have existing user accounts that you want to set up as wireless user accounts, you do not need to recreate those accounts. Follow the instructions in the procedure "To add user accounts to the wireless group" later in this Step.
To create user accounts by using the new user template
  1. Click Start, and then click Server Management.
  2. In the console tree, click Users.
  3. In the details pane, click Add Multiple Users. The Add User Wizard starts.
  4. On the Welcome to the Add User Wizard page, click Next.
  5. On the Template Selection page, select the new template that you created in the previous procedure, and then click Next.
    Select template to use for adding new user account
  6. On the User Information page, click Add.
  7. On the Specify the user information page, do the following:
    1. Enter a user's first and last names in the appropriate text boxes. The Logon name and E-mail alias boxes will be filled in automatically.
    2. You may change the Logon name either by selecting a different naming standard from the drop-down list or by typing a different logon name. The E-mail alias will also change.

      Specify new user account information
    3. Type a password for the user.
    4. Click OK.

      Multiple user information page
  8. Repeat steps 6 and 7 of this procedure to add additional external user accounts. When you have added all of the external user accounts, click Next.
  9. On the Set Up Client Computers page, select the Do not set up computers at this time check box, and then click Next.
  10. Click Finish.
  11. Click Close after the Add User Wizard finishes processing the new user accounts.
ImportantImportant
Complete the following procedure only if there are existing user accounts that you want to make members of the wireless group.
To add user accounts to the wireless group
  1. Click Start, and then click Server Management.
  2. In the console tree, click Security Groups.
  3. In the details pane, click the wireless group that you set up in "Step 2: Configure a Wireless Security Group," and then click Change Group Properties on the taskpad. TheProperties page opens.
  4. Click the Members tab, and then click Add.
  5. On the Select Users, Contacts, Computers, or Groups page, click Advanced to expand the page, and then do the following:
    1. Click Find Now. All user and group accounts are displayed in the Search results text box.
    2. Scroll down and then double-click to select the user account that you want to add to the wireless group.

      noteNote
      If you are adding multiple user accounts to the wireless group, hold down the CTRL key while clicking each user account that you want to add, and then click OK.
    3. Verify that the account name appears in the Enter the object names to select text box, and then click OK.
  6. Click OK to apply the changes and to close the Properties page.

Step 5: Install Internet Authentication Service and Windows Internet Name Service

To install Internet Authentication Service (IAS) and Windows Internet Name Service (WINS)
  1. Click Start, click Control Panel, click Add Remove Programs, and then click Add Remove Windows Components. The Windows Components Wizard starts.
  2. In Components, select Networking Services, and then click Details.
    Windows components wizard page
  3. In Subcomponents of Network Services, select the Internet Authentication Service (IAS) and the Windows Internet Name Service (WINS) check boxes.
    Install IAS in Networking Services
  4. Click OK, and then click Next. If the Insert Disk pop-up window appears, insert the requested CD in the CD-ROM drive, and then click OK.
  5. On the Completing the Windows Components Wizard page, click Finish.

Step 6: Install a Certificate for Your Server

You must use a certification authority (CA) to issue the certificate that you need for your wireless LAN. For more information about certificates and their uses, see "Certificates Overview" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=66534).
ImportantImportant
The certificate that Windows SBS generates includes the non-critical Enhanced Key Usage property for Server. The certificate currently does not include a critical X.509 V3 extension Key Usage property, which provides more information about its purpose and use, such as Digital Signature, Non-Repudiation, Key Encipherment, or Data Encipherment.
Microsoft maintains a list of trusted, third-party, commercial CAs to help enable secure and usable e-commerce for Windows users. For a list of CAs, see "Microsoft Root Certification Members" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=59547).
To install a certificate
  1. Click Start, click Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components to start the Windows Component Wizard.
  3. On the Windows Components page, select the Certificate Services check box. Review the warning about the computer name and domain membership, and then click Yesto continue.
    Install certificate of authority component
  4. Click Next on the Windows Components page.
  5. On the CA Type page, click Enterprise-root CA, and then click Next.
  6. On the CA Identifying Information page, type a common name for the CA, leave the rest of the default settings as they are, and then click Next.
    CA Identifying Information page
  7. On the Certificate Database Settings page, click Next.
  8. In the Microsoft Certificate Services alert box, click Yes.
  9. If the Insert Disk pop-up window appears, insert the requested CD in the CD-ROM drive, and then click OK.
  10. On the Completing the Windows Components Wizard page, click Finish.
  11. Close the Add or Remove Programs window.
For it to work correctly, you must install the certificate in the correct location.
To request and install the server certificate
  1. Open Internet Explorer.
  2. In the Address box, type http://YourServerName/certsrv
  3. On the Welcome page, click Request a certificate.
    Request a wireless access certificate
  4. On the Request a Certificate page, click Advanced Certificate Request.
  5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
  6. On the Advanced Certificate Request Web form, in the Certificate Template list, click Basic EFS.
    Install Cert Services in IE (top of page)
  7. In Key Options, select the Store Certificate in the local computer certificate store check box.
  8. You are requesting a wildcard certificate. To do this, in the Friendly Name box in Additional Options, type *.YourDomainName, such as *.contoso.com. Leave the remaining default settings as they are, and then click Submit.
    Install cert services in IE (bottom of page)
  9. In the Potential Scripting Violation alert box, click Yes.
  10. On the Certificate Issued page, click Install this certificate.
  11. In the Potential Scripting Violation alert box, click Yes.
  12. A message appears that says, "Your new certificate was successfully installed." Close Internet Explorer. You now have a WLAN Server Certificate in theYourServerName\Personal\Certificates folder.
    Successfully install certificate of authority
  13. To view the certificate, you must add the Certificates snap-in to the Microsoft Management Console (MMC). To add the snap-in, do the following:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-In.
    3. In the Add/Remove Snap-In window, click Add.
    4. Under Snap-In, double-click Certificates, click Computer Account, and then click Next.
    5. Select Local Computer, and then click Finish.
    6. Click Close, and then click OKCertificates (Local Computer) appears on the list of selected snap-ins for the new console.
    7. In the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
    8. In the details pane, a certificate appears, with the Issued To name set to the name that you specified during the enrollment process.

      Cert of Authority Snap-In
  14. To view the details of the certificate, double click the certificate in the details pane.
  15. Click Close to save the settings.

Step 7: Configure Internet Authentication Service (IAS)

You must connect one or more wireless APs to the wired portion of your network and configure them as IAS RADIUS clients, so that they can communicate with the server. The wireless APs must be compatible with the RADIUS protocol and with 802.1x. To add all wireless APs as RADIUS clients of IAS, you need to know the IP address or DNS name of each wireless AP.
To configure wireless APs as IAS RADIUS clients
  1. Click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. In the console tree, right-click RADIUS Clients, and then click New RADIUS Client.
  3. On the New RADIUS Client dialog box, in Friendly name, type a descriptive name for your wireless AP. In Client address (IP or DNS), do the following:
    1. If you are using the IP address of the wireless AP, type the IP address you used to configure your wireless AP.
    2. If you are using the DNS name of the wireless AP, type the DNS name, and then click Verify.

      New Radius client name and IP address
    3. Click Next.
  4. On the Additional Information dialog box, do the following:
    1. If you plan to set wireless AP-specific remote access Group Policy attributes in Client Vendor, select the AP manufacturer from the list. If you do not know the manufacturer or it is not in the list, click RADIUS Standard.
    2. In Shared secret, type the shared secret that you used to configure the wireless AP, and then type it again in Confirm shared secret. In the following figure, RADIUS Standard is selected, representing an unknown or unlisted AP vendor.

      noteNote
      Make sure that you enter the correct shared secret for each wireless AP. The shared secret must exactly match the shared secret that you entered when you configured the AP, or else the server will not authenticate the wireless AP.
      New Radius client additional information page
  5. Click Finish.
  6. Repeat steps 1 - 5 of this procedure for every wireless AP that you want to add to your network as an IAS RADIUS client.
To configure an IAS Remote Access Group Policy setting for wireless
  1. If you are not already at the root Internet Authentication Service console, click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. Right-click Remote Access Policies, and then click New Remote Access Policy.
  3. On the Welcome to the New Remote Access Policy Wizard page, click Next.
  4. On the Policy Configuration Method page, click Use the wizard to set up a typical policy for a common scenario. Type a name for the new policy in Policy name, and then click Next.
    Wireless policy configuration method page
  5. On the Access Method page, click Wireless, and then click Next.
  6. On the User or Group Access page, click Group, and then click Add.
  7. In the Select Groups dialog box, do the following:
    1. Click Advanced, and then click Find Now. All user and group accounts appear in the Search results text box.
    2. Scroll down and then double-click the group that you created in "Step 2: Configure a Wireless Security Group."
    3. Verify that the group name is listed in the Enter the object names to select text box, and then click OK.
    Remote access policy group access
  8. On the User or Group Access page, click Next.
    noteNote
    Perform the next step only if this is the first Remote Access Group Policy setting for wireless that you create.
  9. On the Authentication Methods page, make sure that the EAP type Protected EAP (PEAP) authentication is selected, and then do the following:
    1. Click Configure. The Edit Protected EAP Properties dialog opens.
    2. Select the Enable Fast Reconnect check box.
    3. In Certificate issued, select the server certificate that you installed in "Step 5: Install Internet Authentication Service and Windows Internet Name Service."
    4. Click OK.

      Protected EAP Properties
    5. On the Authentication Methods page, click Next. The Completing the New Remote Access Policy page displays a summary of the Wireless Access Group Policy setting.
  10. Click Finish to close the wizard.
To delete default remote access Group Policy settings
  1. If you are not already at the root Internet Authentication Service console, click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. In the console tree, click Remote Access Policies.
  3. In the details pane, identify your new Wireless Access Group Policy setting and the two default Remote Access Group Policy settings:
    • Connections to Microsoft Routing and Remote Access server
    • Connections to other access servers
    Delete default remote access policies
  4. Delete the two default Remote Access Group Policy settings:
    1. Right click Connections to Microsoft Routing and Remote Access server, and then click Delete.
    2. In the Delete Policy alert box, click Yes.
    3. Right-click Connections to other access servers, and then click Delete.
    4. In the Delete Policy alert box, click Yes.

      ImportantImportant
      Do not delete the new Group Policy setting.
    noteNote
    You do not need to configure Connection Request Processing.
To set attributes for the Wireless Access Group Policy setting
  1. If you are not already at the root of the Internet Authentication Service console, click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. In the Internet Authentication Service console tree, click Remote Access Policies
  3. In the details pane, right-click your new Wireless Access Group Policy setting, and then click Properties.
  4. On the Properties page, click Add.
    Wireless access policy conditions
  5. On the Select Attribute dialog box, in Attribute type, select the attribute you want to configure.
    noteNote
    Do not configure wireless AP Vendor Specific Attributes at this time. Configure Vendor Specific Attributes in the next procedure, "To configure Vendor Specific Attributes for an IAS Remote Access Group Policy setting."
  6. For example, to restrict the hours when wireless users are allowed to connect to the network, do the following:
    1. Select Day and Time Restrictions.

      Enable access policy attributes
    2. Click Add. On the Time of day constraints dialog, select the times you want to permit wireless access, and then click Permitted.

      Time of day policy constraints
    3. Click OK.
  7. To configure additional attributes of the Group Policy setting, click Add, choose the desired attribute from the list, and configure it as appropriate.
  8. When you are finished, click OK to close all the dialog boxes down to the IAS console.
ImportantImportant
You may add only one wireless AP model VSA to a Remote Access Group Policy setting. Before you add a new VSA, check to see if the required VSA is in the IAS dictionary. If it is present, you can use it. If it is not, you must add it, as specified by the wireless AP manufacturer.
Use the following table to determine the most appropriate action for this step.

Table 2: Wireless AP Vendor Specific Attributes (VSAs)

Wireless AP VSAAction
Your wireless AP does not require VSA configuration in IAS Remote Access Policy.
Skip the following procedure, and complete the procedure "To configure Remote Access logging."
You have only one model of wireless AP that requires VSA configuration.
Complete the following procedure, "To configure Vendor Specific Attributes for an IAS Remote Access Group Policy setting."
You have multiple wireless AP models that require VSA configuration, and you must configure a new IAS Remote Access Group Policy setting for each model of wireless AP.
For each wireless AP model that requires VSA configuration, create a new IAS Remote Access Group Policy setting that is identical to the setting you created in the procedure "To configure an IAS Remote Access Group Policy setting for wireless," with the following two exceptions:
  • The name of each Group Policy setting must be different.
  • The VSA required for each wireless AP model is configured in the IAS Remote Access Group Policy profile according to the steps in this procedure.
To configure Vendor Specific Attributes for an IAS Remote Access Group Policy setting
  1. If you are not already at the root Internet Authentication Service console, click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. In the Internet Authentication Service console, click Remote Access Policies, and then select the Group Policy setting for the wireless AP that requires VSA configuration.
  3. Right-click the Group Policy setting, and then click Properties.
  4. In the If a connection request matches the specified conditions section, ensure Grant remote access permission is selected.
  5. On the Properties dialog box of the Remote Access Group Policy setting, click Edit Profile, and then click the Advanced tab.
    Edit Radius dial-in profile
  6. Click Add. Review the complete list to see whether your vendor-specific attribute is already in the list of attributes. A portion of this list is shown in the following figure.
    Add IAS vendor-specific attribute
  7. If the required VSA is in the list of attributes, do the following:
    1. Click the attribute, click Add, and, in the Multivalued Attribute Information dialog box, click Add.
    2. Configure the attribute as specified in your wireless AP documentation.
    3. Continue to step 9 of this procedure.
  8. If the vendor-specific attribute is not in the list of attributes:
    1. Select Vendor-Specific from the list.
    2. Click Add. The Multivalued Attribute Information dialog box opens.
    3. Use the information in Table 3 to help you complete this step.
  9. Click OK or Close to close all open dialog boxes.

Table 3: Vendor Specific Attributes

AttributeAction
Specify the network access server vendor for your wireless AP
  • To specify the vendor by selecting the name from the list, click Select from list, and then in the drop-down list click the name of the vendor of the wireless AP for which you are configuring the VSA.
  • If the vendor is not listed, specify the vendor by typing the vendor code. Click Enter Vendor Code, and then type the vendor code. See RFC 1007 for a list of Structure and Identification of Management Information for TCP/IP-based Internets (SMI) Network Management Private Enterprise Codes.
Specify whether the attribute conforms to the RADIUS RFC specification for Vendor Specific Attributes
  • If your attribute conforms, click Yes. It conforms, and then click Configure Attribute. The Configure VSA (RFC compliant) dialog box opens. In Vendor-assigned attribute number, type the number assigned to the attribute (this should be an integer from 0 to 255). In Attribute format, specify the format for the attribute, and then in Attribute value, type the value you are assigning to the attribute.
  • If the attribute does not conform, click No. It does not conform, and then click Configure Attribute. In Hexadecimal attribute value, type the value for the attribute, as specified in your wireless AP documentation.
To configure Remote Access Logging
  1. If you are not already at the root Internet Authentication Service console, click Start, click All Programs, click Administrative Tools, and then click Internet Authentication Service.
  2. Right-click Internet Authentication Service, and then click Properties.
  3. On the General tab, verify that Rejected authentication requests and Successful authentication requests are selected, and then click OK.
  4. In the Internet Authentication Service console tree, click Remote Access Logging.
  5. In the details pane, double-click Local File.
    Setup remote access logging
  6. On the Local File Properties dialog box, on the Settings tab, select the following:
    1. Accounting requests
    2. Authentication requests
    3. Periodic status

      Remote access logging local files properties
  7. On the Log File tab, in the Format section, click Database-compatible.
  8. In Create a new log file, choose the log-file frequency that you prefer.
  9. Click OK to close all open dialog boxes.
  10. Close the Internet Authentication Service console.

Step 8: Configure Wireless Network Group Policy Settings

To configure Wireless Network (IEEE 802.11) Group Policy settings
  1. Click Start, click Server Management, double-click Advanced Management, and then double-click Group Policy Management.
  2. In the details pane, double-click Forest:DomainName, double-click Domains, and then double-click YourDomainName.
  3. In the details pane, right-click Default Domain Policy, and then click Edit. Group Policy Object Editor opens.
  4. In the console tree of Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
    Group policy object editor
  5. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create Wireless Network Policy. The Wireless Network Policy Wizard starts.
  6. On the Welcome to the Wireless Network Policy Wizard page, click Next.
  7. On the Wireless Network Policy Name page, in the Name text box, type a name for your wireless Group Policy setting. In Description, type a brief description of the setting, and then click Next.
  8. On the Completing the Wireless Network Policy Wizard page, ensure Edit properties is selected, and then click Finish. The Wireless Group Policy Properties dialog box opens.
    Wireless Group Policy Properties
  9. On the General tab, from the drop-down list in Networks to access, select one of the following:
    • Any available network (wireless AP preferred): Specifies that wireless computers try to connect to a wireless AP (infrastructure) network before they try computer-to-computer (ad hoc) connections. Recommended only for wireless Group Policy settings in which either infrastructure or ad hoc connections are desirable.
    • Wireless AP (infrastructure) networks only: Specifies that wireless computers try to connect only to a wireless AP (infrastructure) network. This is the recommended wireless Group Policy settings for networks in which ad hoc connections are not desirable.
    • Computer-to-computer (ad hoc) networks only: Specifies that wireless computers try only computer-to-computer (ad hoc) connections. Recommended only for wireless Group Policy settings in which it is not desirable for wireless devices to connect wirelessly to the network infrastructure.

      ImportantImportant
      If you select the Computer-to-computer (ad hoc) networks only option, connection attempts to your wireless infrastructure may fail.
  10. Ensure that Use Windows to configure wireless network settings for clients is selected, and then click the Preferred Networks tab.
  11. Click Add to add a preferred network. The New Preferred Settings Properties window opens.
  12. On the Network Properties tab, do the following:
    1. In Network Name, type the network name (SSID) of your wireless network.
    2. In Description, enter a description for the New Preferred Setting Properties.
    3. From the drop-down list in Network authentication, select WPA to specify the network key that is used to authenticate to the wireless network.
    4. To specify that a network key is used to encrypt the data that is sent over the network, from the drop-down list in Data encryption, select WEP.

      New preferred setting properties
  13. Click the IEEE 802.1X tab.
  14. In EAP type, select Protected EAP (PEAP), and then click Settings.
  15. On the Protected EAP Properties dialog box, do the following:
    1. Verify that Validate Server certificate is selected.
    2. In Trusted Root Certification Authorities, select the Microsoft Root Certificate Authority.
    3. In Select Authentication Method, select Secured password (EAP-MS-CHAP v2), and then click Configure.

      Protected EAP properties
  16. In the EAP MSCHAPv2 Properties dialog box, ensure that When connecting, automatically use my Windows logon name and password (and domain if any) is selected.
  17. Click OK to close all the dialog boxes, and then close Group Policy Object Editor.
The next time your wireless client computers that are running Windows XP with SP1, Windows XP with SP2, or Windows SBS update their computer configuration Group Policy settings, their wireless network configuration will be automatically configured.

Step 9: Configure Wireless Client Computers

ImportantImportant
You must perform the procedures in this step on each of your wireless client computers. If any of your wireless laptop computers are equipped with a switch to turn the wireless adapter on or off, ensure the switch is turned on.
Ensure the wireless adapters for all of your wireless computers are configured for dynamic addressing.
To configure TCP/IP for dynamic addressing
  1. Click Start, click Connect to, click Show all connections, to open Network Connections.
  2. Right-click your wireless network connection, and then click Properties.
  3. On the General tab, in This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.
  4. On the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Obtain an IP address automatically. Click OK two times, and then close Network Connections.
Connect a wireless computer to the network
  1. Open Internet Explorer.
  2. In the Address bar, type http://ServerName/ConnectComputer, and then click Go.
  3. Choose the name of a client computer from the list, and then follow the instructions.

No comments: