Configuring the IAS Servers

To configure the IAS servers for EAP-TLS authentication, you must do the following (discussed in more detail in the following sections):

  • Configure the primary IAS server.

  • Configure a remote access policy for wireless access.

  • Configure the secondary IAS server.

Configuring the Primary IAS Server

To configure the primary IAS server on a computer, complete these steps as discussed in the following sections:

  • Obtain and install a computer certificate.

  • Install IAS and configure IAS server properties.

  • Configure IAS with RADIUS clients.

Obtaining and Installing a Computer Certificate

If you use computer certificate autoenrollment and Windows 2000 IAS, force a refresh of computer configuration Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt. If you use computer certificate autoenrollment and Windows Server 2003 IAS, force a refresh of computer configuration Group Policy by typing gpupdate /target:computer from a command prompt.

If you use a Windows 2000 or Windows Server 2003 enterprise CA and you are not using autoenrollment for computer certificates, you can request one, as described in the following procedure.

To request a computer certificate

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In and then click Add.

  3. Under Snap-In, double-click Certificates, click Computer Account, and then click Next.

  4. Do one of the following:

    • To manage certificates for the local computer, click Local Computer and then click Finish.

    • To manage certificates for a remote computer, click Another Computer and type the name of the computer, or click Browse to select the computer name and click Finish.

  5. Click Close. Certificates (Local Computer or Computer Name) appears on the list of selected snap-ins for the new console.

  6. Click OK.

  7. In the console tree, open Certificates (Local Computer or Computer Name) and then click Personal.

  8. On the Action menu, point to All Tasks and then click Request New Certificate to start the Certificate Request Wizard.

  9. On the Welcome to the Certificate Request Wizard page, click Next.

  10. On the Certificate Template page, click Computer and then click Next.

  11. On the Certificate Friendly Name and Description page, type a name in Friendly Name and a description in Description and then click Next. (The configuration of a friendly name and description for the certificate is optional.)

  12. Click Next.

  13. On the Completing the Certificate Request Wizard page, click Finish.

If your PKI does not support autoenrollment of computer certificates, obtain the computer certificate as a saved file and use the following procedure to import the computer certificate on the primary IAS server.

NOTE
To perform the next procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.

To import the computer certificate on the primary IAS server

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In and then click Add.

  3. Under Snap-In, double-click Certificates, click Computer Account, and then click Next.

  4. Do one of the following:

    • If you logged on to the IAS server, click Local Computer and then click Finish.

    • If you are configuring the IAS server from a remote computer, click Another Computer and type the name of the computer, or click Browse to select the computer name and then click Finish.

  5. Click Close.

    Certificates (Local Computer or Computer Name) appears on the list of selected snap-ins for the new console.

  6. In the console tree, double-click Certificates (Local Computer or Computer Name).

  7. Right-click Personal, point to All Tasks, and then click Import.

  8. On the Welcome To The Certificate Import Wizard page, click Next.

  9. On the File To Import page, type the filename of the certificate file provided by the commercial CA in File Name, or click Browse and use the Browse dialog box to locate it.

  10. Click Next. On the Certificate Store page, click Place All Certificates In The Following Store. By default, the Personal folder should display as the import location.

  11. Click Next.

  12. Click Finish on the Completing The Certificate Import Wizard page.

It is also possible to import a certificate by double-clicking a certificate file that is stored in a folder or sent in an email message. Although this works for certificates created with Windows CAs, this method might not work for third-party CAs. The recommended method of importing certificates is to use the Certificates snap-in.

Installing IAS and Configuring IAS Server Properties

To install IAS, do the following:

  1. Open Add Or Remove Programs in Control Panel.

  2. Click Add/Remove Windows Components.

  3. In the Windows Components Wizard dialog box, double-click Networking Services under Components.

  4. In the Networking Services dialog box, select Internet Authentication Service. The Networking Services dialog box is shown in the following figure.

    [Figure: the Networking Services dialog box]

  5. Click OK and then click Next.

  6. If prompted, insert your Windows product compact disc.

  7. After IAS is installed, click Finish and then click Close.

This procedure is the same for Windows 2000 Server IAS and Windows Server 2003 IAS.

NOTE
If you use Windows 2000 IAS, you must install Windows 2000 SP3 or later. You can obtain Windows 2000 SP3 or later from http://www.microsoft.com/windows2000/downloads/servicepacks/.

The primary IAS server computer must be able to access account properties in the appropriate domains. If IAS is being installed on a domain controller, no additional configuration is required in order for IAS to access account properties in the domain to which it belongs. If IAS is not installed on a domain controller, you must configure the primary IAS server computer to read the properties of user accounts in the domain, as described in the following procedure.

To configure the primary IAS server computer to read the properties of user accounts in the domain

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  2. In the console tree, right-click Internet Authentication Service (Local) and then click Register Server in Active Directory.

    A Register Internet Authentication Server In Active Directory dialog box appears.

  3. Click OK.

Alternatively, you can do one of the following:

  • Use the netsh ras add registeredserver command.

Or

  • Add the computer account of the IAS server to the RAS and IAS servers security group with the Active Directory Users And Computers snap-in.

If the IAS server authenticates and authorizes wireless connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains by using the netsh ras add registeredserver command or the Active Directory Users And Computers snap-in.

If there are accounts in other domains, and the domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains. If there are accounts in other untrusted Active Directory forests, you must configure a RADIUS proxy between the forests. For more information, see Chapter 11, Additional Intranet Wireless Deployment Configurations.

If you want to store authentication and accounting information for connection analysis and security investigation purposes, enable logging for accounting and authentication events. Windows 2000 IAS can log information to a local file; Windows Server 2003 IAS can log information to a local file and to a Structured Query Language (SQL) Server database.

To enable and configure logging for Windows 2000 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click Local File.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Log Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Log Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Log Periodic Status check box.

  4. On the Local File tab, select the log file format and new log time period, and type the log file directory as needed.

To enable and configure local file logging for Windows Server 2003 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click Local File.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  4. On the Log File tab, type the log file directory as needed and select the log file format and new log time period.

To enable and configure SQL Server database logging for Windows Server 2003 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click SQL Server.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  4. In Maximum Number of Connections, type the maximum number of simultaneous sessions that IAS can create with the SQL Server.

  5. To configure a SQL data source, click Configure.

  6. On the Data Link Properties dialog box, configure the appropriate settings for the SQL Server database.
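Once local file logging is enabled (either the Windows 2000 or the Windows Server 2003 procedure above), the log is only useful for "connection analysis and security investigation" if something reads it. The following is an added example, not code from the book or from IAS: a small parser plus a detection pass that counts packet types per wireless AP and flags a client station that keeps being rejected. The column order, the function names, and every sample record are constructed for this example; the layout is a simplified subset loosely modelled on the database-compatible format, not the authoritative IAS field list.

```python
"""Parse simplified IAS local-file log records and flag repeated rejections.

Added example for this section, not code from the book or from IAS itself.
The column layout below is an assumption of this example (a constructed
subset), as are all sample records.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Assumed column order for the simplified records (constructed for this example).
COLUMNS = [
    "computer", "service", "date", "time", "packet_type", "user_name",
    "called_station", "calling_station", "nas_ip", "client_friendly_name",
    "reason_code",
]

# RADIUS packet type codes (RFC 2865 / RFC 2866 code values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4

# Constructed sample records: one accepted user, one station rejected three
# times, and one accounting record. Not real IAS output.
SAMPLE_LOG = r"""
"IAS1","IAS","03/11/2003","08:15:01",1,"CORP\alice","00-40-96-AA-BB-CC","00-0C-29-11-22-33","10.0.0.10","AP-Floor1",0
"IAS1","IAS","03/11/2003","08:15:02",2,"CORP\alice","00-40-96-AA-BB-CC","00-0C-29-11-22-33","10.0.0.10","AP-Floor1",0
"IAS1","IAS","03/11/2003","08:16:10",1,"CORP\bob","00-40-96-AA-BB-CC","00-0C-29-44-55-66","10.0.0.10","AP-Floor1",0
"IAS1","IAS","03/11/2003","08:16:11",3,"CORP\bob","00-40-96-AA-BB-CC","00-0C-29-44-55-66","10.0.0.10","AP-Floor1",16
"IAS1","IAS","03/11/2003","08:16:30",3,"CORP\bob","00-40-96-AA-BB-CC","00-0C-29-44-55-66","10.0.0.10","AP-Floor1",16
"IAS1","IAS","03/11/2003","08:16:55",3,"CORP\bob","00-40-96-AA-BB-CC","00-0C-29-44-55-66","10.0.0.10","AP-Floor1",16
"IAS1","IAS","03/11/2003","08:20:00",4,"CORP\alice","00-40-96-AA-BB-CC","00-0C-29-11-22-33","10.0.0.10","AP-Floor1",0
"""


def parse_records(text):
    """Turn CSV text into one dict per record, keyed by COLUMNS.

    Blank lines are skipped; a row with the wrong field count raises
    ValueError so a truncated or mangled log line is not silently misread.
    """
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) != len(COLUMNS):
            raise ValueError("unexpected field count %d in row %r" % (len(row), row))
        rec = dict(zip(COLUMNS, row))
        rec["packet_type"] = int(rec["packet_type"])
        rec["reason_code"] = int(rec["reason_code"])
        records.append(rec)
    return records


def packet_counts_by_client(records):
    """Count packet types per RADIUS client (the wireless AP friendly name)."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["client_friendly_name"]][rec["packet_type"]] += 1
    return counts


def repeated_rejects(records, threshold=3):
    """Return sorted (calling_station, user_name, count) tuples for every
    station/user pair that received at least `threshold` Access-Reject packets."""
    rejects = Counter()
    for rec in records:
        if rec["packet_type"] == ACCESS_REJECT:
            rejects[(rec["calling_station"], rec["user_name"])] += 1
    return sorted(
        (station, user, n) for (station, user), n in rejects.items() if n >= threshold
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for client, counter in packet_counts_by_client(recs).items():
        print(client, dict(counter))
    for station, user, n in repeated_rejects(recs):
        print("repeated rejects: %s (%s) x%d" % (station, user, n))
```

The Calling-Station-ID (the client MAC address) is the natural key for this kind of check because a single account can legitimately roam between APs, while a burst of rejections from one station against one account is what an investigator wants surfaced first.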

If needed, configure additional User Datagram Protocol (UDP) ports for authentication and accounting messages that are sent by RADIUS clients (the wireless APs). By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.

To configure Windows 2000 IAS for different UDP ports

  1. In the console tree of the Internet Authentication snap-in, right-click Internet Authentication Service and then click Properties.

  2. Click the RADIUS tab; configure the UDP port numbers for your RADIUS authentication traffic in Authentication and the UDP port numbers for your RADIUS accounting traffic in Accounting.

To configure Windows Server 2003 IAS for different UDP ports

  1. In the console tree of the Internet Authentication snap-in, right-click Internet Authentication Service and then click Properties.

  2. Click the Ports tab; configure the UDP port numbers for your RADIUS authentication traffic in Authentication and the UDP port numbers for your RADIUS accounting traffic in Accounting.

    To use multiple port settings for authentication or accounting traffic, separate the port numbers with commas. You can also specify an IP address to which the RADIUS messages must be sent with the following syntax: IPAddress:UDPPort. For example, if you have multiple network adapters and you want to receive RADIUS authentication messages sent only to the IP address of 10.0.0.99 and UDP port 1812, type 10.0.0.99:1812 in Authentication. However, if you specify IP addresses and copy the configuration of the primary IAS server to the secondary IAS server, you must modify the ports on the secondary IAS server to either remove the IP address of the primary IAS server or change the IP address to that of the secondary IAS server.
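The IPAddress:UDPPort form is convenient on a multihomed server, but it is exactly the setting that breaks when the primary server's configuration is copied to the secondary. The following added example (not code from the book or from IAS) parses a Ports tab value using the comma-separated and IPAddress:UDPPort syntax described above, lists the entries bound to a given address, and produces the rewritten value for the secondary server, either substituting its address or dropping the address so the listener binds to all interfaces. The function names, the sample addresses, and the choice of IPv4 only are assumptions of this example.

```python
"""Validate and rewrite a Windows Server 2003 IAS Ports tab value.

Added example, not part of the book. Syntax handled: entries separated by
commas, each either "UDPPort" or "IPAddress:UDPPort". Function names and
sample addresses are constructed for this example.
"""
import ipaddress

DEFAULT_AUTH_PORTS = "1812,1645"  # IAS defaults as stated in the text
DEFAULT_ACCT_PORTS = "1813,1646"


def parse_port_setting(setting):
    """Parse 'entry,entry,...' into a list of (IPv4Address or None, port).

    Raises ValueError on an empty entry, a malformed address, or a port
    outside 1-65535, so a typo is caught before the service is restarted.
    """
    listeners = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in port setting: %r" % setting)
        if ":" in entry:
            addr_text, port_text = entry.rsplit(":", 1)
            addr = ipaddress.IPv4Address(addr_text)  # raises on junk
        else:
            addr, port_text = None, entry
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError("UDP port out of range: %d" % port)
        listeners.append((addr, port))
    return listeners


def entries_bound_to(setting, ip):
    """Return the (address, port) entries that are pinned to a specific IP."""
    target = ipaddress.IPv4Address(ip)
    return [(str(a), p) for a, p in parse_port_setting(setting) if a == target]


def rewrite_for_secondary(setting, primary_ip, secondary_ip=None):
    """Produce the value to use on the secondary server.

    Entries pinned to the primary's address are re-pinned to secondary_ip,
    or, when secondary_ip is None, have the address removed (listen on all
    interfaces). Other entries are copied unchanged.
    """
    primary = ipaddress.IPv4Address(primary_ip)
    out = []
    for addr, port in parse_port_setting(setting):
        if addr == primary:
            addr = ipaddress.IPv4Address(secondary_ip) if secondary_ip else None
        out.append("%s:%d" % (addr, port) if addr is not None else str(port))
    return ",".join(out)


if __name__ == "__main__":
    primary_setting = "10.0.0.99:1812,1645"
    print("pinned on primary:", entries_bound_to(primary_setting, "10.0.0.99"))
    print("secondary (re-pinned):", rewrite_for_secondary(primary_setting, "10.0.0.99", "10.0.0.100"))
    print("secondary (unpinned):", rewrite_for_secondary(primary_setting, "10.0.0.99"))
```

Run the check against the exported configuration before executing it on the secondary: a Ports value still carrying the primary's address will leave the secondary listening on an address it does not own, and RADIUS requests to it will be silently dropped.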

Configuring IAS with RADIUS Clients

You must configure the primary IAS server with the wireless APs as RADIUS clients.

To add a RADIUS client corresponding to a wireless AP for Windows 2000 IAS

  1. In the console tree of the Internet Authentication snap-in, right-click Clients and then click New Client.

  2. In the Add Client dialog box, type a name for the wireless AP in Friendly Name.

  3. Click Next. In the Add RADIUS Client dialog box, type the IP address or DNS name of the wireless AP in Client Address (IP Or DNS). If you type a DNS domain name, click Verify to resolve the name to the correct IP address for the wireless AP. Type the RADIUS shared secret for this combination of IAS server and wireless AP in Shared Secret and then type it again in Confirm Shared Secret.

  4. Click Finish.

To add a RADIUS client for Windows Server 2003 IAS

  1. Right-click RADIUS Clients and then click New RADIUS Client.

  2. On the Name and Address page, type a name for the wireless AP in Friendly Name. In Client Address (IP Or DNS), type the IP address or DNS domain name. If you type a DNS domain name, click Verify to resolve the name to the correct IP address for the wireless AP.

  3. Click Next.

  4. On the Additional Information page, type the shared secret for this combination of IAS server and wireless AP in Shared Secret and then type it again in Confirm Shared Secret.

  5. Click Finish.

If you use IAS on a computer running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, and you have multiple wireless APs on a single subnet (for example, in an Extended Service Set [ESS] configuration), you can simplify RADIUS client administration by specifying an address range instead of specifying the IP address or DNS name of a single RADIUS client. All the RADIUS clients in the range must be configured to use the same RADIUS server and shared secret. The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, where w.x.y.z is the dotted decimal notation of the address prefix and p is the prefix length (the number of high-order bits that define the network prefix). This is also known as Classless Inter-Domain Routing (CIDR) notation. An example is 192.168.21.0/24, which indicates all addresses from 192.168.21.1 to 192.168.21.255. To convert from subnet mask notation to network prefix length notation, p is the number of high-order bits set to one in the subnet mask. If you are not using this feature, use a different shared secret for each wireless AP.

Use as many RADIUS shared secrets as you can. Each shared secret should be a random sequence of upper- and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character-generation program to determine shared secrets.
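The two paragraphs above describe a notation (subnet mask to w.x.y.z/p) and a policy (random shared secrets of at least 22 characters drawn from upper- and lowercase letters, digits, and punctuation). The following added example, which is not code from the book or from IAS, does both: it converts a subnet mask to a prefix length, builds the client address range, tests whether a given AP address falls inside it, and generates a shared secret that satisfies the stated policy using a cryptographically secure random source. The function names and sample addresses are assumptions of this example.

```python
"""RADIUS client address ranges and shared-secret generation.

Added example for this section, not code from the book or from IAS. Function
names and sample values are constructed; the 22-character minimum and the
character classes come from the text.
"""
import ipaddress
import secrets
import string

SECRET_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_SECRET_LENGTH = 22  # minimum length recommended in the text


def is_valid_mask(mask):
    """True if the dotted-decimal mask is a contiguous run of ones then zeros."""
    bits = int(ipaddress.IPv4Address(mask))
    p = bin(bits).count("1")
    return bits == (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF


def prefix_length_from_mask(mask):
    """Return p for a subnet mask: the number of high-order bits set to one."""
    if not is_valid_mask(mask):
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def client_range(address, mask):
    """Build the w.x.y.z/p network covering a RADIUS client address range.

    strict=False lets a host address be given; it is normalised to the prefix.
    """
    return ipaddress.IPv4Network(
        "%s/%d" % (address, prefix_length_from_mask(mask)), strict=False
    )


def ap_in_range(network, ap_address):
    """True if the wireless AP address is covered by the configured range."""
    return ipaddress.IPv4Address(ap_address) in network


def secret_meets_policy(secret):
    """Check length and that all four character classes are present."""
    return (
        len(secret) >= MIN_SECRET_LENGTH
        and any(c.isupper() for c in secret)
        and any(c.islower() for c in secret)
        and any(c.isdigit() for c in secret)
        and any(c in string.punctuation for c in secret)
    )


def generate_shared_secret(length=MIN_SECRET_LENGTH):
    """Generate a random shared secret that satisfies secret_meets_policy.

    secrets.choice is used rather than random.choice because the secret
    protects every RADIUS exchange between the AP and the IAS server.
    """
    if length < MIN_SECRET_LENGTH:
        raise ValueError("shared secret must be at least %d characters" % MIN_SECRET_LENGTH)
    while True:
        candidate = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))
        if secret_meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    net = client_range("192.168.21.0", "255.255.255.0")
    print("client range:", net)
    print("192.168.21.77 in range:", ap_in_range(net, "192.168.21.77"))
    print("192.168.22.1 in range:", ap_in_range(net, "192.168.22.1"))
    print("shared secret:", generate_shared_secret())
```

When an address range is used, one secret is shared by every AP in it, which is why the text tells you to give each AP its own secret when the range feature is not in use; generate_shared_secret can be called once per AP in that case.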

Using IPSec to Secure RADIUS Traffic

To ensure the maximum security for RADIUS messages, it is recommended that you use Internet Protocol security (IPSec) with certificate authentication and Encapsulating Security Payload (ESP) to provide data confidentiality, data integrity, and data origin authentication for RADIUS traffic sent between the IAS servers and the wireless APs. Windows 2000 and Windows Server 2003 support IPSec. To secure RADIUS traffic sent from wireless APs, the wireless APs must also support IPSec.

Configuring a Wireless Remote Access Policy

The procedure for configuring a wireless remote access policy is different for Windows 2000 IAS and Windows Server 2003 IAS.

Configuring Windows 2000 IAS

To create a new remote access policy for wireless intranet access for Windows 2000 IAS, do the following:

  1. In the console tree of the Internet Authentication snap-in, right-click Remote Access Policies and then click New Remote Access Policy.

  2. On the Policy Name page, type the name of the policy in Policy Friendly Name.

  3. On the Conditions page, click Add.

  4. On the Select Attribute dialog box, double-click NAS-Port-Type.

  5. In the Available Types list, add Wireless-IEEE 802.11 and Wireless-Other to the list of Selected Types and then click OK.

    If SP3 or later is not installed on the IAS server, you do not see the Wireless-IEEE 802.11 and Wireless-Other NAS port types.

  6. In the Select Attribute dialog box, double-click Windows-Groups.

  7. In the Groups dialog box, click Add.

  8. In the Select Groups dialog box, click the names of your wireless groups and click Add.

  9. Click OK to close the Select Groups dialog box.

  10. Click OK to close the Groups dialog box. An example of the resulting Conditions page is shown in the following figure.

    [Figure: example of the resulting Conditions page]

  11. Click Next.

  12. On the Permissions page, click Grant Remote Access Permission.

  13. Click Next.

  14. On the User Profile page, click Edit Profile.

  15. On the Authentication tab, select the Extensible Authentication Protocol check box and click the Smart Card Or Other Certificate EAP type.

  16. Click Configure. In the Smart Card Or Other Certificate Properties dialog box, ensure that the name of the computer certificate installed on the IAS server is visible in Certificate Issued. If there are multiple computer certificates installed on the IAS server, select the correct one in Certificate Issued.

    If you cannot select the certificate, the cryptographic service provider for the certificate does not support SChannel. SChannel support is required for IAS to use the certificate for EAP-TLS authentication.

  17. Click OK.

  18. Clear the Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) check boxes. The resulting configuration is shown in the following figure.

    [Figure: the resulting Authentication tab configuration]

  19. On the Encryption tab, clear the No Encryption check box.

  20. Click OK.

  21. When prompted with a Dial-In Settings message box, click No.

  22. On the User Profile page, click Finish.

By default, adding a new remote access policy for Windows 2000 IAS places the new remote access policy at the bottom of the list of existing remote access policies. Therefore, to ensure that the new wireless remote access policy is used, move the new wireless remote access policy so that it is the first in the list (by using the up arrow in the toolbar).

Configuring Windows Server 2003 IAS

To create a remote access policy for wireless access for Windows Server 2003 IAS, do the following:

  1. From the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies and then click New Remote Access Policy.

  2. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, type the name of the policy in Policy Name.

  4. Click Next.

  5. On the Access Method page, select Wireless.

  6. Click Next.

  7. On the User Or Group Access page, select Group.

  8. Click Add.

  9. In the Select Groups dialog box, type the names of your universal or global wireless groups in Enter The Object Names To Select.

  10. Click OK. Your wireless groups are added to the list of groups on the User or Group Access page.

  11. Click Next. On the Authentication Methods page, click the Smart Card Or Other Certificate EAP Type.

  12. In the Smart Card Or Other Certificate Properties dialog box, ensure that the name of the computer certificate installed on the IAS server is visible in Certificate Issued. If there are multiple computer certificates installed on the IAS server, select the correct one in Certificate Issued.

    If you cannot select the certificate, the cryptographic service provider for the certificate does not support SChannel. SChannel support is required for IAS to use the certificate for EAP-TLS authentication.

  13. Click OK.

  14. Click Next.

  15. On the Completing The New Remote Access Policy page, click Finish.

If the wireless APs require vendor-specific attributes (VSAs), you must add the VSAs to the remote access policy.

To add a VSA to the wireless remote access policy

  1. In the console tree of the Internet Authentication Service snap-in, click Remote Access Policies.

  2. Double-click the wireless remote access policy.

  3. Click Edit Profile, click the Advanced tab and then click Add. A list of predefined attributes displays in the Add Attribute dialog box.

  4. Look at the list of available RADIUS attributes to determine whether your vendor-specific attribute is already present. If it is, double-click it and configure it as specified in your wireless AP documentation.

  5. If the vendor-specific attribute is not in the list of available RADIUS attributes, double-click Vendor-Specific. The Multivalued Attribute Information dialog box displays.

  6. Click Add. The Vendor-Specific Attribute Information dialog box displays.

  7. To specify the network access server vendor for your wireless AP from the list, click Select From List and then select the wireless AP vendor for which you are configuring the VSA.

  8. If the vendor is not listed, click Enter Vendor Code and then type the vendor code in the space provided.

    More Info
    If you do not know the vendor code for your wireless AP, see RFC 1007 for a list of SMI Network Management Private Enterprise Codes.

  9. Specify whether the attribute conforms to the RFC 2865 VSA specification. If you are not sure, see your wireless AP documentation. If your attribute conforms, click Yes. It Conforms and then click Configure Attribute. The Configure VSA (RFC-Compliant) dialog box displays.

  10. In Vendor-Assigned Attribute Number, type the number that is assigned to the attribute (the numbers available are 0 through 255). In Attribute Format, specify the format for the attribute; in Attribute Value, type the value that you are assigning to the attribute.

  11. If the attribute does not conform, click No. It Does Not Conform and then click Configure Attribute. The Configure VSA (Non-RFC-Compliant) dialog box displays.

  12. In Hexadecimal Attribute Value, type the value for the attribute.

This procedure is the same for Windows 2000 IAS and Windows Server 2003 IAS.
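Steps 9 through 12 distinguish an RFC 2865-conformant VSA (vendor-assigned attribute number plus a formatted value) from a non-conformant one (a raw hexadecimal value). The following added example, which is not code from the book or from IAS, shows what each choice produces on the wire: a Vendor-Specific attribute (RADIUS type 26) whose String field either carries the vendor-type/vendor-length/value sub-format or the raw bytes verbatim, plus a decoder that checks the length fields. The byte encodings for the String, Hexadecimal, and Decimal formats, the function names, and vendor type 7 are assumptions of this example; 311 is Microsoft's registered enterprise code (a known value, not one taken from the page).

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865 section 5.26).

Added example for this section, not code from the book or from IAS. The
value encodings for "String", "Hexadecimal" and "Decimal" are assumptions of
this example; vendor type numbers used below are constructed.
"""
import struct

VENDOR_SPECIFIC = 26    # RADIUS attribute type for Vendor-Specific
MAX_ATTR_LENGTH = 255   # Length octet counts the whole attribute
MICROSOFT_VENDOR_ID = 311  # registered enterprise code (known value, for illustration)


def _check_vendor_id(vendor_id):
    # RFC 2865: the high-order octet of Vendor-Id is 0; the low three octets
    # carry the SMI Network Management Private Enterprise Code.
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("vendor id must fit in 24 bits: %r" % vendor_id)


def encode_value(attribute_format, value):
    """Encode the attribute value (encodings assumed by this example)."""
    if attribute_format == "String":
        return value.encode("utf-8")
    if attribute_format == "Hexadecimal":
        return bytes.fromhex(value)
    if attribute_format == "Decimal":
        return struct.pack("!I", int(value))   # 32-bit big-endian integer
    raise ValueError("unknown attribute format: %r" % attribute_format)


def _wrap(vendor_id, string_field):
    """Prepend Type, Length and Vendor-Id to the String field."""
    length = 6 + len(string_field)
    if length > MAX_ATTR_LENGTH:
        raise ValueError("attribute too long: %d octets" % length)
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + string_field


def encode_rfc_vsa(vendor_id, vendor_type, attribute_format, value):
    """RFC-conformant VSA: String = vendor-type, vendor-length, value."""
    _check_vendor_id(vendor_id)
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor-assigned attribute number must be 0-255")
    payload = encode_value(attribute_format, value)
    vendor_length = 2 + len(payload)  # counts the two sub-header octets too
    if vendor_length > 255:
        raise ValueError("vendor-length does not fit in one octet")
    return _wrap(vendor_id, struct.pack("!BB", vendor_type, vendor_length) + payload)


def encode_raw_vsa(vendor_id, hex_value):
    """Non-conformant VSA: the hexadecimal value is used as the String field verbatim."""
    _check_vendor_id(vendor_id)
    return _wrap(vendor_id, bytes.fromhex(hex_value))


def decode_vsa(data):
    """Parse one Vendor-Specific attribute and validate its length fields.

    Detection of the RFC sub-format is a heuristic (vendor-length must equal
    the String length); a receiver normally knows from the vendor dictionary
    which layout to expect, so this flag is informational only.
    """
    if len(data) < 7:                # RFC 2865 minimum length for type 26
        raise ValueError("attribute shorter than 7 octets")
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute: type %d" % attr_type)
    if length != len(data):
        raise ValueError("length octet %d does not match %d octets" % (length, len(data)))
    _check_vendor_id(vendor_id)
    inner = data[6:]
    if len(inner) >= 2 and inner[1] == len(inner):
        return {"vendor_id": vendor_id, "rfc_compliant": True,
                "vendor_type": inner[0], "value": inner[2:]}
    return {"vendor_id": vendor_id, "rfc_compliant": False, "raw": inner}


if __name__ == "__main__":
    vsa = encode_rfc_vsa(MICROSOFT_VENDOR_ID, 7, "Decimal", "1")   # vendor type 7 is constructed
    print(vsa.hex(), decode_vsa(vsa))
    raw = encode_raw_vsa(MICROSOFT_VENDOR_ID, "deadbeef")
    print(raw.hex(), decode_vsa(raw))
```

The practical point of step 9 is visible in the bytes: an RFC-conformant entry lets IAS build the sub-header for you, whereas the non-conformant path sends whatever hexadecimal string you typed, so a mistake there is not caught until the AP rejects or ignores the attribute.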

If you manage the remote access permission of user and computer accounts on a per-account basis, use remote access policies that specify a connection type. If you manage the remote access permission through the remote access policy (the recommended method), use remote access policies that specify a connection type and group.

Configuring the Secondary IAS Server

To configure the secondary IAS server on a computer, do the following (described in the following sections):

  1. Obtain and install a computer certificate.

  2. Copy the configuration of the primary IAS server to the secondary IAS server.

Obtaining and Installing a Computer Certificate

If you use computer certificate autoenrollment and Windows 2000 IAS, force a refresh of computer Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt. If you use computer certificate autoenrollment and Windows Server 2003 IAS, force a refresh of computer Group Policy by typing gpupdate /target:computer from a command prompt.

If you use a commercial CA or your PKI does not support autoenrollment of computer certificates, obtain the computer certificate and use the certificate import procedure (described in the Configuring the Primary IAS Server section of this chapter) to install the computer certificate on the secondary IAS server.

NOTE
Refer to the Configuring the Primary IAS Server section of this chapter for a description of how to install IAS.

If you use Windows 2000 IAS, you must also install Windows 2000 SP3 or later, which you can download from http://www.microsoft.com/windows2000/downloads/servicepacks/.

The secondary IAS server computer must be able to access account properties in the appropriate domains. If IAS is being installed on a domain controller, no additional configuration is required in order for IAS to access account properties in the domain of the IAS server. If IAS is not installed on a domain controller, you must configure the secondary IAS server computer to read the properties of user accounts in the domain.

To configure the secondary IAS server computer to read the properties of user accounts in the domain

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  2. In the console tree, right-click Internet Authentication Service (Local) and then click Register Server In Active Directory. When the Register Internet Authentication Server In Active Directory dialog box appears, click OK.

Alternatively, you can do one of the following:

  • Use the netsh ras add registeredserver command.

Or

  • Add the computer account of the IAS server to the RAS and IAS servers security group with the Active Directory Users And Computers snap-in.

If the IAS server authenticates and authorizes wireless connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains by using the netsh ras add registeredserver command or the Active Directory Users And Computers snap-in.

Copying the Configuration of the Primary IAS Server to the Secondary IAS Server

To copy the configuration of the primary IAS server to the secondary IAS server, do the following:

  1. On the primary IAS server computer, type netsh aaaa show config > path\file.txt at a command prompt, which stores the configuration settings, including registry settings, in a text file. The path can be a relative, an absolute, or a network path.

  2. Copy the file created in step 1 to the secondary IAS server.

  3. On the secondary IAS server computer, type netsh exec path\file.txt at a command prompt, which imports all the settings configured on the primary IAS server into the secondary IAS server.

You cannot copy the IAS settings from an IAS server running Windows Server 2003 to an IAS server running Windows 2000 Server.

If you change the IAS server configuration in any way, use the Internet Authentication Service snap-in to change the configuration of the IAS server that is designated as the primary configuration server and then use the previous procedure to synchronize those changes on the secondary IAS server.


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies