PEAP-MS-CHAP v2 Authentication

The infrastructure for the wireless test lab network consists of four computers performing the following roles:

  • A computer running Microsoft Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a DNS server, a DHCP server, and a CA.

  • A computer running Microsoft Windows Server 2003, Standard Edition, named IAS1 that is acting as a RADIUS server.

  • A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.

  • A computer running Microsoft Windows XP Professional and Windows XP Service Pack 1 (SP1) named CLIENT1 that is acting as a wireless client.

Additionally, a wireless AP is present that provides connectivity to the Ethernet intranet network segment for the wireless client.

Figure C-1 shows the configuration of the wireless test lab.

Figure C-1. Configuration of the wireless test lab.

The wireless test lab represents a network segment in a corporate intranet. All computers on the corporate intranet, including the wireless AP, are connected to a common hub or Layer 2 switch. Private addresses of 172.16.0.0/24 are used on the intranet network segment.

IIS1 and CLIENT1 obtain their IP address configuration using DHCP. The following sections describe how to configure each of the components in the test lab. To reconstruct this test lab, configure the computers in the order presented.

DC1

DC1 is a computer running Windows Server 2003, Enterprise Edition, which is performing the following roles:

  • A domain controller for the example.com domain.

  • A DNS server for the example.com DNS domain.

  • A DHCP server for the intranet network segment.

  • The enterprise root certification authority (CA) for the example.com domain.

NOTE
Windows Server 2003, Enterprise Edition, is used so that autoenrollment for both user and computer certificates for EAP-TLS authentication can be configured. This is described in the EAP-TLS Authentication section of this appendix.

To configure DC1 for these services, do the following:

  • Perform basic installation and configuration

  • Configure the computer as a domain controller

  • Raise the domain functional level

  • Install and configure DHCP

  • Install Certificate Services

  • Add computers to the domain

  • Add users to the domain

  • Add groups to the domain

  • Add users to WirelessUsers group

  • Add client computers to WirelessUsers group

To perform basic installation and configuration

  1. Install Windows Server 2003, Enterprise Edition, as a standalone server.

  2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.

To configure the computer as a domain controller

  1. Click Start, click Run, type dcpromo.exe, and then click OK to start the Active Directory Installation Wizard.

  2. Run the Active Directory Installation Wizard (Dcpromo.exe) to create a new domain named example.com in a new forest. Install the DNS service when prompted.

To raise the domain functional level

  1. Open the Active Directory Domains And Trusts snap-in from the Administrative Tools folder, and then right-click the domain computer dc1.example.com.

  2. Click Raise Domain Functional Level, and then select Windows Server 2003 on the Raise Domain Functional Level page.

  3. Click Raise, click OK, and then click OK again.

To install and configure DHCP

  1. Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services component by using Add Or Remove Programs in Control Panel.

  2. Open the DHCP snap-in from the Administrative Tools folder and then highlight the DHCP server, dc1.example.com.

  3. Click Action, and then click Authorize to authorize the DHCP service.

  4. In the console tree, right-click dc1.example.com, and then click New Scope.

  5. On the Welcome page of the New Scope Wizard, click Next.

  6. On the Scope Name page, type CorpNet in Name.

  7. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP Address, type 172.16.0.100 in End IP Address, and type 24 in Length.

  8. Click Next. On the Add Exclusions page, click Next.

  9. On the Lease Duration page, click Next.

  10. On the Configure DHCP Options page, click Yes, I Want To Configure These Options Now.

  11. Click Next. On the Router (Default Gateway) page, click Next.

  12. On the Domain Name and DNS Servers page, type example.com in Parent Domain. Type 172.16.0.1 in IP Address, and then click Add.

  13. Click Next. On the WINS Servers page, click Next.

  14. On the Activate Scope page, click Yes, I Want To Activate This Scope Now.

  15. Click Next. On the Completing the New Scope Wizard page, click Finish.

To install Certificate Services

  1. In Control Panel, open Add Or Remove Programs, and then click Add/Remove Windows Components.

  2. In the Windows Components Wizard page, select Certificate Services, and then click Next.

  3. On the next Windows Components Wizard page, select Enterprise root CA.

  4. Click Next. Type Example CA in the Common Name For This CA field, and then click Next. On the Certificate Database Settings page, make no changes.

  5. Click Next. Upon completion of the installation, click Finish.

To add computers to the domain

  1. Open the Active Directory Users And Computers snap-in.

  2. In the console tree, expand example.com.

  3. Right-click Users, click New, and then click Computer.

  4. In the New Object Computer dialog box, type IAS1 in Computer Name.

  5. Click Next. In the Managed dialog box, click Next. In the New Object Computer dialog box, click Finish.

  6. Repeat steps 3-5 to create additional computer accounts with the following names: IIS1 and CLIENT1.

To add users to the domain

  1. In the Active Directory Users And Computers console tree, right-click Users, click New, and then click User.

  2. In the New Object User dialog box, type WirelessUser in First Name and type WirelessUser in User Logon Name.

  3. Click Next.

  4. In the New Object User dialog box, type a password of your choice in Password and Confirm Password. Clear the User Must Change Password At Next Logon check box.

  5. In the New Object User dialog box, click Finish.

To add groups to the domain

  1. In the Active Directory Users And Computers console tree, right-click Users, click New, and then click Group.

  2. In the New Object Group dialog box, type WirelessUsers in Group Name, and then click OK.

To add users to WirelessUsers group

  1. In the details pane of the Active Directory Users And Computers snap-in, double-click WirelessUsers.

  2. Click the Members tab, and then click Add.

  3. In the Select Users, Contacts, Computers, Or Groups dialog box, type wirelessuser in Enter The Object Names To Select.

  4. Click OK. In the Multiple Names Found dialog box, click OK. The WirelessUser user account is added to the WirelessUsers group.

  5. Click OK to save changes to the WirelessUsers group.

To add client computers to WirelessUsers group

  1. Repeat steps 1 and 2 in the preceding To add users to WirelessUsers group procedure.

  2. In the Select Users, Contacts, Computers, Or Groups dialog box, type client1 in Enter The Object Names To Select.

  3. Click Object Types. In the Object Types dialog box, clear the Users check box and the Groups check box, and then select the Computers check box.

  4. Click OK twice. The Client1 computer account is added to the WirelessUsers group.

    NOTE
    Adding client computers to the WirelessUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the wireless network, obtain an IP address configuration, locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and perform other computer startup processes.

IAS1

IAS1 is a computer running Windows Server 2003, Standard Edition that is providing RADIUS authentication and authorization for the wireless AP. To configure IAS1 as a RADIUS server, do the following:

  • Perform basic installation and configuration

  • Install and configure Internet Authentication Service

  • Create the Certificates (Local Computer) console

  • Request a computer certificate

  • Add the wireless AP as a RADIUS client

  • Create and configure remote access policy

To perform basic installation and configuration

  1. Install Windows Server 2003, Standard Edition, as a member server named IAS1 in the example.com domain.

  2. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

To install and configure Internet Authentication Service

  1. Install Internet Authentication Service as a Networking Services component by using Add Or Remove Programs in Control Panel.

  2. In the Administrative Tools folder, open the Internet Authentication Service snap-in.

  3. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server In Active Directory dialog box appears, click OK.

To create the Certificates (Local Computer) console

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, double-click Certificates, click Computer account, and then click Next.

  4. Click Local Computer, click Finish, click Close, and then click OK. The Certificates (Local Computer) snap-in is shown in the following figure.

    [Figure: the Certificates (Local Computer) snap-in]

    NOTE
    PEAP with MS-CHAP v2 requires computer certificates on the IAS servers but not on the wireless clients. Autoenrollment of computer certificates for the IAS servers can be used to simplify a deployment. However, in this section, a certificate is manually requested for the IAS1 computer because the autoenrollment of the certificates is not yet configured. This is described in the EAP-TLS Authentication section of this appendix.

To request a computer certificate

  1. Right-click the Personal folder, click All Tasks, click Request New Certificate, and then click Next.

  2. Click Computer for the Certificate Types, and then click Next.

  3. Type IAS Server1 Certificate in Friendly Name.

  4. Click Next. On the Completing The Certificate Request Wizard page, Click Finish.

  5. A "The certificate request was successful" message is displayed. Click OK.

To add the wireless AP as a RADIUS client

  1. In the console tree of the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client.

  2. In the Name And Address page of the New RADIUS Client wizard, for Friendly Name, type WirelessAP. In Client Address (IP Or DNS), type 172.16.0.3, and then click Next.

  3. In the Additional Information page of the New RADIUS Client Wizard, for Shared Secret, type a shared secret for the wireless AP, and then type it again in Confirm Shared Secret.

  4. Click Finish.

To create and configure remote access policy

  1. In the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies, and then click New Remote Access Policy.

  2. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, type Wireless access to intranet in Policy Name.

  4. Click Next. On the Access Method page, select Wireless.

  5. Click Next. On the User Or Group Access page, select Group.

  6. Click Add. In the Select Groups dialog box, type wirelessusers in the Enter The Object Names To Select box. Verify that example.com is listed in the From This Location field.

  7. Click OK. The WirelessUsers group in the example.com domain is added to the list of groups on the User Or Group Access page.

  8. Click Next. On the Authentication Methods page, the Protected EAP (PEAP) authentication is selected by default and configured to use PEAP-MS-CHAP v2.

  9. Click Next. On the Completing The New Remote Access Policy page, click Finish.

IIS1

IIS1 is a computer running Windows Server 2003, Standard Edition, and Internet Information Services (IIS). It provides Web and file server services for intranet clients. To configure IIS1 as a Web and file server, do the following:

  • Install and configure IIS

  • Configure a shared folder

To install and configure IIS

  1. On IIS1, install Windows Server 2003, Standard Edition, as a member server named IIS1 in the example.com domain.

  2. Install Internet Information Services (IIS) as a subcomponent of the Application Server component by using the Windows Components Wizard of Add or Remove Programs.

To configure a shared folder

  1. On IIS1, use Windows Explorer to create a new share for the root folder of the C drive using the share name ROOT with the default permissions.

  2. To determine whether the Web server is working correctly, start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in Address, type http://IIS1/iisstart.htm. You should see an under construction Web page.

  3. To determine whether file sharing is working correctly, on IAS1, click Start, Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder of the C drive on IIS1.

Wireless AP

Configure the wireless AP for the following:

  1. The network name, also known as the Service Set Identifier (SSID), of WIR_TST_LAB.

  2. The IP address of 172.16.0.3 with the subnet mask of 255.255.255.0 on the Ethernet interface.

  3. IEEE 802.1X authentication with WEP enabled.

  4. For the primary RADIUS server: the IP address 172.16.0.2, the UDP port of 1812, and the shared secret, which must match the shared secret previously configured on the IAS server for the RADIUS client corresponding to the wireless AP.
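The last item above is the hinge of the whole lab: the RADIUS shared secret is the only thing that authenticates traffic between the wireless AP and IAS1, and the remote access policy created earlier on IAS1 (access method Wireless, group WirelessUsers) decides who is let onto the network. The following Python script is an added example, not code from the book, from IAS, or from any AP vendor. It models one simplified Access-Request/Access-Accept round between WirelessAP (172.16.0.3) and IAS1 following RFC 2865: the server side evaluates the two policy conditions that the wizard's Wireless and Group choices correspond to (NAS-Port-Type is Wireless-IEEE 802.11 and the user is a member of WirelessUsers), and the AP side verifies the Response Authenticator with its own copy of the secret, so a mismatched secret causes the reply to fail verification and be discarded. The group membership table, the user names and the secrets are constructed sample data, and the EAP-Message/Message-Authenticator attributes and the PEAP-MS-CHAP v2 rounds that the real exchange carries inside RADIUS are deliberately left out.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 4, 61
NAS_PORT_TYPE_ETHERNET, NAS_PORT_TYPE_WIRELESS_80211 = 15, 19
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

# Constructed stand-in for the example.com directory: the members of WirelessUsers
# as created in the DC1 procedures (user WirelessUser, computer account CLIENT1$).
GROUP_MEMBERS = {"WirelessUsers": {"wirelessuser", "client1$"}}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length (including the 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs back into (type, value) pairs, rejecting truncated or zero-length ones."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, username, nas_ip, request_auth,
                         nas_port_type=NAS_PORT_TYPE_WIRELESS_80211):
    """AP side: an Access-Request carrying the user name, the AP's own IP and the port type."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", nas_port_type)),
    ])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def evaluate_policy(attrs, members=GROUP_MEMBERS):
    """The 'Wireless access to intranet' policy: wireless port type AND WirelessUsers membership."""
    by_type = dict(attrs)
    port_type = struct.unpack("!I", by_type.get(ATTR_NAS_PORT_TYPE, b"\0\0\0\0"))[0]
    user = by_type.get(ATTR_USER_NAME, b"").decode(errors="replace").lower()
    return port_type == NAS_PORT_TYPE_WIRELESS_80211 and user in members["WirelessUsers"]


def ias_handle(request, secret, members=GROUP_MEMBERS):
    """IAS1 side: evaluate the policy and answer with an Accept/Reject sealed by the shared secret."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    allowed = evaluate_policy(decode_attrs(request[20:length]), members)
    reply_code = ACCESS_ACCEPT if allowed else ACCESS_REJECT
    reply_attrs = b""  # a real Accept also carries the MS-MPPE key attributes used for WEP; omitted
    auth = response_authenticator(reply_code, identifier, request_auth, reply_attrs, secret)
    return HEADER.pack(reply_code, identifier, 20 + len(reply_attrs)) + auth + reply_attrs


def ap_verify_response(response, request, secret):
    """AP side: recompute the Response Authenticator with the AP's copy of the secret and compare."""
    code, identifier, length = HEADER.unpack(response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def run_exchange(username, ap_secret, ias_secret, nas_port_type=NAS_PORT_TYPE_WIRELESS_80211):
    """One round trip; returns 'accept', 'reject', or 'discarded' when the authenticator check fails."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    request = build_access_request(0x2A, username, "172.16.0.3", request_auth, nas_port_type)
    response = ias_handle(request, ias_secret)
    if not ap_verify_response(response, request, ap_secret):
        return "discarded"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(run_exchange("WirelessUser", b"lab-secret", b"lab-secret"))
    print(run_exchange("WirelessUser", b"lab-secret", b"typo-secret"))
    print(run_exchange("Guest", b"lab-secret", b"lab-secret"))
    print(run_exchange("WirelessUser", b"lab-secret", b"lab-secret", NAS_PORT_TYPE_ETHERNET))
```

The secret never travels on the wire; it is only mixed into the MD5 digest over the reply, which is why a typo in either the AP's or IAS1's copy shows up not as an error message but as replies the AP silently drops and clients that never finish authenticating. The fourth call illustrates the other half of the policy: a valid WirelessUsers member arriving over a non-wireless port type is rejected, which is the effect of choosing Wireless as the access method in the New Remote Access Policy Wizard.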

CLIENT1

CLIENT1 is a computer running Windows XP Professional SP1 that acts as a wireless client and obtains access to intranet resources through the wireless AP. To configure CLIENT1 as a wireless client, do the following:

  • Perform basic installation and configuration

  • Install a wireless network adapter

  • Configure a wireless network connection

To perform basic installation and configuration

  1. Connect CLIENT1 to the intranet network segment using an Ethernet cable connected to the hub.

  2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.

  3. Install Windows XP SP1. SP1 must be installed in order to have PEAP support.

If you have not yet installed the wireless network adapter, then complete the steps in the next section, To install a wireless network adapter. If your computer already has a wireless network adapter installed, go to the next section titled To configure a wireless network connection.

To install a wireless network adapter

  1. Shut down the CLIENT1 computer.

  2. Disconnect the CLIENT1 computer from the intranet network segment.

  3. Restart the CLIENT1 computer, and then log on using the local administrator account.

  4. Install the wireless network adapter.

To configure a wireless network connection

  1. Log off and then log on by using the WirelessUser account in the example.com domain.

  2. Wait until you are prompted to select the wireless network in the notification area of the desktop.

  3. In the Available Wireless Networks field, select WIR_TST_LAB, and then click Advanced.

  4. In the Wireless Network Connection Properties dialog box, select WIR_TST_LAB, and then click Configure.

  5. On the Association tab, verify that both Data Encryption (WEP Enabled) and The Key Is Provided For Me Automatically are selected.

  6. On the Authentication tab, configure the WIR_TST_LAB wireless network for PEAP-MS-CHAP v2 authentication.

  7. Click OK. After authentication is successful, check the TCP/IP configuration for the wireless adapter by using Network Connections. It should have an address from the DHCP scope 172.16.0.10-172.16.0.100.

  8. To test functionality to the Web server between CLIENT1 and IIS1 over the wireless connection, start Internet Explorer on CLIENT1.

  9. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1/iisstart.htm. You should see an under construction Web page.

  10. On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder of the C drive on IIS1.


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies