RADIUS

When deploying your RADIUS infrastructure for wireless access, use the following best practices:

  • If supported by your wireless APs, use Internet Protocol security (IPSec) and Encapsulating Security Payload (ESP) to provide data confidentiality for RADIUS traffic between the wireless AP and the Internet Authentication Service (IAS) servers and between IAS servers. Use Triple Data Encryption Standard (3DES) encryption and, if possible, certificates for Internet Key Exchange (IKE) main mode authentication. IPSec settings for RADIUS traffic sent between IAS servers can be configured using Group Policy and assigned at the Active Directory system container level. For more information about IPSec, see the Help and Support Center for Windows Server 2003.

  • To provide the maximum security for unprotected RADIUS traffic, choose RADIUS shared secrets that are random sequences of upper- and lowercase letters, numbers, and punctuation marks at least 22 keyboard characters long.

    If possible, use a random character-generation program to determine shared secrets to configure on the IAS server and the wireless AP.

  • Use as many different RADIUS shared secrets as possible. The actual number of RADIUS shared secrets depends on configuration constraints and management considerations.

    For example, IAS allows the configuration of RADIUS shared secrets on a per-client or per-server basis. However, many wireless APs allow for the configuration of a single RADIUS shared secret for both primary and secondary RADIUS servers. In this case, a single RADIUS shared secret is used for two different RADIUS client/RADIUS server pairs: the wireless AP with its primary RADIUS server and the wireless AP with its secondary RADIUS server. Additionally, if you are using the netsh aaaa show and netsh exec commands to copy the configuration of one IAS server (designated as the primary configuration server) to another (designated as the secondary configuration server), the RADIUS shared secret for each wireless AP/primary IAS server pair must be the same as the RADIUS shared secret for each wireless AP/secondary IAS server pair.

    Because the Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, versions of IAS allow you to configure a range of IP addresses to define a single RADIUS client (for example, all the wireless APs on a single subnet in a single building), all the wireless AP/IAS server pairs defined by this single RADIUS client are configured with the same RADIUS shared secret.

  • When there are separate account databases, such as different Active Directory forests or domains that do not have two-way trusts, you must use a RADIUS proxy between the wireless APs and the RADIUS servers providing the authentication and authorization processing.

    Windows Server 2003 IAS supports RADIUS proxy functionality through the configuration of connection request policies and remote RADIUS server groups. For this example, connection request policies are created to match different portions of the User-Name RADIUS attribute corresponding to each account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy.

  • To balance the load of RADIUS traffic between the primary and secondary IAS servers (regardless of whether they are acting as a RADIUS server or RADIUS proxy), configure half of the wireless APs with the primary IAS server as their primary RADIUS server and the secondary IAS server as their secondary RADIUS server; configure the other half with the secondary IAS server as their primary RADIUS server and the primary IAS server as their secondary RADIUS server.

  • Investigate whether the wireless APs need RADIUS vendor-specific attributes (VSAs) and configure them during the configuration of the remote access policy on the Advanced tab of the remote access policy profile.

  • If you manage the remote access permission of user and computer accounts on a per-account basis, use remote access policies that specify a connection type. If you manage the remote access permission through the remote access policy (the recommended method), use remote access policies that specify a connection type and group.

  • If you change the IAS server configuration in any way, use the Internet Authentication Service snap-in to change the configuration of the IAS server that is designated as the primary configuration server and then copy the configuration of the primary configuration server to the secondary IAS server.
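
The shared-secret guidance above (random secrets of at least 22 characters drawn from upper- and lowercase letters, digits and punctuation, and a distinct secret for each RADIUS client/server pair where the AP can hold one) as an added Python example; it is not code from the book or from IAS, and the IAS server names and the per-AP "supports one secret per server" flag are assumptions for illustration.

```python
import secrets
import string

# The four character classes the guidance calls for.
CLASSES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punctuation mark": set(string.punctuation),
}
MIN_LENGTH = 22  # minimum recommended length for a RADIUS shared secret


def check_shared_secret(secret: str) -> list:
    """Return the reasons a secret falls short of the guidance (empty list = acceptable)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"only {len(secret)} characters, need at least {MIN_LENGTH}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in secret):
            problems.append(f"no {name}")
    return problems


def generate_shared_secret(length: int = MIN_LENGTH, alphabet: str = None) -> str:
    """Draw a secret from the OS CSPRNG, retrying until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Default alphabet is all four classes; pass a narrower one if an AP rejects some
    # punctuation, but it must still contain at least one character of every class.
    alphabet = alphabet or "".join("".join(sorted(c)) for c in CLASSES.values())
    for name, chars in CLASSES.items():
        if not chars.intersection(alphabet):
            raise ValueError(f"alphabet contains no {name}")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


def assign_secrets(aps: dict, servers=("IAS-primary", "IAS-secondary")) -> dict:
    """Map each (AP, IAS server) pair to a secret. `aps` maps an AP name to True if the AP
    stores a separate secret per RADIUS server, False if it holds one secret for both
    (in which case both of that AP's pairs necessarily share the same secret)."""
    assignment = {}
    for ap, per_server in aps.items():
        shared = None if per_server else generate_shared_secret()
        for server in servers:
            assignment[(ap, server)] = generate_shared_secret() if per_server else shared
    return assignment


if __name__ == "__main__":
    for pair, secret in assign_secrets({"ap-bldg1": True, "ap-bldg2": False}).items():
        print(pair, secret)
```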



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
