Configuring the IAS Servers

To configure the IAS servers for PEAP-MS-CHAP v2 authentication, you must do the following, as described in the following sections:

  • Configure the primary IAS server.

  • Configure a remote access policy for wireless access.

  • Configure the secondary IAS server.

Configuring the Primary IAS Server

To configure the primary IAS server on a computer, do the following tasks:

  1. Obtain and install a computer certificate.

  2. Install IAS and configure IAS server properties.

  3. Configure IAS with RADIUS clients.

These tasks are described in the following sections.

Obtaining and Installing a Computer Certificate

If you are using computer certificate autoenrollment and Windows 2000 IAS, you can force a refresh of computer configuration Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt on the primary IAS computer. If you are using computer certificate autoenrollment and Windows Server 2003 IAS, force a refresh of computer configuration Group Policy by typing gpupdate /target:computer from a command prompt.

If you are using a commercial CA or your PKI does not support autoenrollment of computer certificates, obtain the computer certificate and then follow the procedure described below.

To install a computer certificate on the primary IAS server

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In and then click Add.

  3. Under Snap-In, double-click Certificates, click Computer Account, and then click Next.

  4. Do one of the following:

    • If you logged on to the IAS server, click Local Computer and then click Finish.

    • If you are configuring the IAS server from a remote computer, click Another Computer and type the name of the computer, or click Browse to select the computer name and then click Finish.

  5. Click Close.

    Certificates (Local Computer or Computer Name) appears on the list of selected snap-ins for the new console.

  6. In the console tree, double-click Certificates (Local Computer or Computer Name) and then double-click Personal.

  7. Point to All Tasks, and then click Import.

  8. The Welcome To The Certificate Import Wizard page of the Certificate Import Wizard displays. Click Next.

  9. On the File To Import page, type the filename of the certificate file provided by the commercial CA in File Name, or click Browse and use the Browse dialog box to locate it.

  10. Click Next. On the Certificate Store page, click Place All Certificates in the Following Store. By default the Personal folder should be displayed as the import location.

  11. Click Next. On the Completing the Certificate Import Wizard page, click Finish.

It is also possible to import a certificate by double-clicking a certificate file that is stored in a folder or sent in an email message. Although this works for certificates created with Windows CAs, this method might not work for third-party CAs. The recommended method of importing certificates is to use the Certificates snap-in.

Installing IAS and Configuring IAS Server Properties

To install IAS, do the following:

  1. Open Add Or Remove Programs in Control Panel.

  2. Click Add/Remove Windows Components.

  3. In the Windows Components Wizard dialog box, double-click Networking Services under Components.

  4. In the Networking Services dialog box, select Internet Authentication Service, shown in the following figure.

    [Figure: the Networking Services dialog box with Internet Authentication Service selected]

  5. Click OK and then click Next.

  6. If prompted, insert your Windows product compact disc.

  7. After IAS is installed, click Finish and then click Close.

This procedure is the same for Windows 2000 Server IAS and Windows Server 2003 IAS. If you are using Windows 2000 IAS, you must also do the following:

  1. Install Windows 2000 SP3 or later.

  2. Install Microsoft 802.1X Authentication Client.

    More Info
    You can obtain Windows 2000 SP3 or later from http://www.microsoft.com/windows2000/downloads/servicepacks/.

    You can obtain Microsoft 802.1X Authentication Client from http://support.microsoft.com/default.aspx?scid=kb;en-us;313664.

The primary IAS server computer must be able to access account properties in the appropriate domains. If IAS is being installed on a domain controller, no additional configuration is required in order for IAS to access account properties in the domain to which it belongs. If IAS is not installed on a domain controller, you must configure the primary IAS server computer to read the properties of user accounts in the domain. You can do this by following the procedure described below.

To configure the primary IAS server computer to read the properties of user accounts in the domain

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  2. In the console tree, right-click Internet Authentication Service (Local), and then click Register Server in Active Directory.

    A Register Internet Authentication Server In Active Directory dialog box appears.

  3. Click OK.

Alternatively, you can do either of the following:

  • Use the netsh ras add registeredserver command.

  • Add the computer account of the IAS server to the RAS and IAS Servers security group with the Active Directory Users And Computers snap-in.

If the IAS server authenticates and authorizes wireless connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains by using the netsh ras add registeredserver command or the Active Directory Users And Computers snap-in.

If there are accounts in other domains and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains. If there are accounts in other Active Directory forests, you must configure a RADIUS proxy between the forests. For more information, see Chapter 11, Additional Intranet Wireless Deployment Configurations.

TIP
You do not need to use a RADIUS proxy if you are using PEAP-MS-CHAP v2 and Windows NT 4.0-style user names (for example, microsoft\user1).

If you want to store authentication and accounting information for connection analysis and security investigation purposes, enable logging for accounting and authentication events. Windows 2000 IAS can log information to a local file. Windows Server 2003 IAS can log information to a local file and to a Structured Query Language (SQL) Server database.

To enable and configure logging for Windows 2000 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click Local File.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Log Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Log Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Log Periodic Status check box.

  4. On the Local File tab, select the log file format and new log time period and then type the log file directory as needed.

To enable and configure local file logging for Windows Server 2003 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click Local File.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  4. On the Log File tab, type the log file directory as needed and select the log file format and new log time period.

To enable and configure SQL Server database logging for Windows Server 2003 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click SQL Server.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, access-accept packets, and access-reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  4. In Maximum Number Of Connections, type the maximum number of simultaneous sessions that IAS can create with the SQL Server.

  5. To configure a SQL data source, click Configure.

  6. On the Data Link Properties dialog box, configure the appropriate settings for the SQL Server database.

If needed, configure additional UDP ports for authentication and accounting messages that are sent by RADIUS clients (the wireless APs). By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.

To configure Windows 2000 IAS for different UDP ports

  1. In the console tree of the Internet Authentication snap-in, right-click Internet Authentication Service and then click Properties.

  2. Click the RADIUS tab, configure the UDP port numbers for your RADIUS authentication traffic in Authentication and the UDP port numbers for your RADIUS accounting traffic in Accounting.

To configure Windows Server 2003 IAS for different UDP ports

  1. In the console tree of the Internet Authentication snap-in, right-click Internet Authentication Service and then click Properties.

  2. Click the Ports tab and then configure the UDP port numbers for your RADIUS authentication traffic in Authentication and the UDP port numbers for your RADIUS accounting traffic in Accounting.

    To use multiple port settings for authentication or accounting traffic, separate the port numbers with commas. You can also specify an IP address to which the RADIUS messages must be sent with the following syntax: IPAddress:UDPPort. For example, if you have multiple network adapters and you want to receive only RADIUS authentication messages sent to the IP address of 10.0.0.99 and UDP port 1812, you type 10.0.0.99:1812 in Authentication. However, if you specify IP addresses and copy the configuration of the primary IAS server to the secondary IAS server, you must modify the ports on the secondary IAS server to either remove the IP address of the primary IAS server or change the IP address to that of the secondary IAS server.
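The port-setting syntax and the copy caveat above, as an added example that is not code from the book or from IAS: it parses an Authentication or Accounting entry (comma-separated ports, each optionally in IPAddress:UDPPort form) and rewrites a setting copied from the primary server so the secondary does not try to bind the primary's address. The 10.0.0.99 address is the page's example; 10.0.0.100 is a constructed sample address for the secondary server.

```python
import ipaddress

# Default IAS listening ports from the text.
DEFAULT_AUTH_PORTS = "1812,1645"
DEFAULT_ACCT_PORTS = "1813,1646"


def parse_port_setting(setting: str):
    """Parse a Ports-tab entry: comma-separated UDP ports, each optionally IPAddress:UDPPort.

    Returns a list of (ip, port) where ip is None for an entry with no address.
    Raises ValueError on an empty entry, a bad address or a port outside 1-65535.
    """
    entries = []
    for raw in setting.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in port setting")
        ip = None
        port_text = item
        if ":" in item:
            ip_text, port_text = item.rsplit(":", 1)
            ip = str(ipaddress.IPv4Address(ip_text))  # normalises and validates the address
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad UDP port in entry: {item}")
        entries.append((ip, int(port_text)))
    return entries


def format_port_setting(entries) -> str:
    """Inverse of parse_port_setting: text that can be typed into the Ports tab."""
    return ",".join(f"{ip}:{port}" if ip else str(port) for ip, port in entries)


def rewrite_for_secondary(setting: str, primary_ip: str, secondary_ip=None) -> str:
    """Fix a setting copied from the primary server: entries bound to primary_ip are
    re-bound to secondary_ip, or lose their address (listen on all adapters) when
    secondary_ip is None."""
    primary = str(ipaddress.IPv4Address(primary_ip))
    secondary = str(ipaddress.IPv4Address(secondary_ip)) if secondary_ip else None
    rewritten = [(secondary if ip == primary else ip, port)
                 for ip, port in parse_port_setting(setting)]
    return format_port_setting(rewritten)


def entries_not_bound_locally(setting: str, local_ips):
    """Entries naming an address this computer does not own; after a straight copy
    to the secondary these are the entries IAS could not listen on."""
    local = {str(ipaddress.IPv4Address(a)) for a in local_ips}
    return [(ip, port) for ip, port in parse_port_setting(setting) if ip and ip not in local]


if __name__ == "__main__":
    primary_setting = "10.0.0.99:1812,1645"  # page example plus the second default port
    print(parse_port_setting(primary_setting))
    # Constructed sample: the secondary server owns 10.0.0.100, not 10.0.0.99.
    print(entries_not_bound_locally(primary_setting, ["10.0.0.100"]))
    print(rewrite_for_secondary(primary_setting, "10.0.0.99", "10.0.0.100"))
    print(rewrite_for_secondary(primary_setting, "10.0.0.99"))
```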

Configuring IAS with RADIUS Clients

You must configure the primary IAS server with the wireless APs as RADIUS clients.

To add a RADIUS client corresponding to a wireless AP for Windows 2000 IAS

  1. In the console tree of the Internet Authentication snap-in, right-click Clients, and then click New Client.

  2. On the Add Client dialog box, type a name for the wireless AP in Friendly Name.

  3. Click Next. On the Add RADIUS Client dialog box, type the IP address or DNS name of the wireless AP in Client Address (IP or DNS). If you type a DNS domain name, click Verify to resolve the name to the correct IP address for the wireless AP. Type the RADIUS shared secret for this combination of IAS server and wireless AP in Shared Secret, and then type it again in Confirm Shared Secret.

  4. Click Finish.

To add a RADIUS client for Windows Server 2003 IAS

  1. Right-click RADIUS Clients and then click New RADIUS Client.

  2. On the Name And Address page, type a name for the wireless AP in Friendly Name.

  3. In Client Address (IP Or DNS), type the IP address or DNS host name. If you type a DNS host name, click Verify to resolve the name to the correct IP address for the wireless AP.

  4. Click Next. On the Additional Information page, type the shared secret for this combination of IAS server and wireless AP in Shared Secret and then type it again in Confirm Shared Secret.

  5. Click Finish.

If you are using IAS on a computer running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, and you have multiple wireless APs on a single subnet (for example, in an Extended Service Set [ESS] configuration), you can simplify RADIUS client administration by specifying an address range instead of specifying the IP address or DNS name of a single RADIUS client. All the RADIUS clients in the range must be configured to use the same RADIUS server and shared secret.

The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, in which w.x.y.z is the dotted decimal notation of the address prefix and p is the prefix length (the number of high-order bits that define the network prefix). This notation is also known as Classless Inter-Domain Routing (CIDR) notation. An example is 192.168.21.0/24, which indicates all addresses from 192.168.21.1 to 192.168.21.255. To convert from subnet mask notation to network prefix length notation, p is the number of high-order bits set to one in the subnet mask. If you do not use this feature, it is a good security practice to use a different shared secret for each wireless AP.

Use as many RADIUS shared secrets as you can. Each shared secret should be a random sequence of upper- and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character-generation program to determine shared secrets.
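The address-range and shared-secret rules above, as an added example that is not code from the book or from IAS: it converts a subnet mask to the w.x.y.z/p prefix length (rejecting a mask whose one bits are not contiguous), reports which APs fall outside a range entry, and generates a distinct, CSPRNG-based secret per AP for the case where the range feature is not used. The AP names and addresses are constructed sample values.

```python
import ipaddress
import secrets
import string

# Shared-secret rules from the text: at least 22 characters drawn from
# upper- and lowercase letters, digits and punctuation. Some AP interfaces
# reject a few punctuation characters (quotes, backslash); trim the alphabet if so.
SECRET_MIN_LEN = 22
SECRET_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mask_to_prefix_length(mask: str) -> int:
    """Return p for a dotted-decimal subnet mask: the count of high-order bits set to one.

    A mask whose one bits are not contiguous has no w.x.y.z/p form, so it is rejected.
    """
    bits = int(ipaddress.IPv4Address(mask))
    p = bin(bits).count("1")
    contiguous = ((1 << p) - 1) << (32 - p)  # the p high-order bits, and only those
    if bits != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return p


def client_range(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build the address-range (CIDR) entry for a RADIUS client on Windows Server 2003 IAS."""
    p = mask_to_prefix_length(mask)
    # strict=False lets any address in the subnet be given, not only the prefix itself.
    return ipaddress.IPv4Network(f"{address}/{p}", strict=False)


def aps_outside_range(rng: ipaddress.IPv4Network, ap_addresses):
    """APs that would not match the range entry and need a RADIUS client entry of their own."""
    return [a for a in ap_addresses if ipaddress.IPv4Address(a) not in rng]


def is_strong_shared_secret(secret: str) -> bool:
    """Length and character-class check for a shared secret, per the rules above."""
    return (len(secret) >= SECRET_MIN_LEN
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(c in string.punctuation for c in secret))


def generate_shared_secret(length: int = 32) -> str:
    """Shared secret from the OS CSPRNG (secrets), retried until every class is present."""
    if length < SECRET_MIN_LEN:
        raise ValueError(f"shared secret must be at least {SECRET_MIN_LEN} characters")
    while True:
        candidate = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))
        if is_strong_shared_secret(candidate):
            return candidate


def per_ap_secrets(ap_names):
    """One distinct secret per wireless AP, for when the range feature is not used."""
    return {name: generate_shared_secret() for name in ap_names}


if __name__ == "__main__":
    # Constructed sample values: one ESS subnet and three APs, one on another subnet.
    rng = client_range("192.168.21.0", "255.255.255.0")
    aps = {"ap-floor1": "192.168.21.10", "ap-floor2": "192.168.21.11", "ap-lobby": "192.168.22.10"}
    print("range entry:", rng)
    print("outside range:", aps_outside_range(rng, aps.values()))
    for name, secret in per_ap_secrets(aps).items():
        print(name, secret)
```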

Using IPSec to Secure RADIUS Traffic

To ensure the maximum security for RADIUS messages, it is recommended that you use Internet Protocol security (IPSec) with certificate authentication and Encapsulating Security Payload (ESP) to provide data confidentiality, data integrity, and data origin authentication for RADIUS traffic sent between the IAS servers and the wireless APs. Windows 2000 and Windows Server 2003 support IPSec. To secure RADIUS traffic sent from wireless APs, the wireless APs must also support IPSec.

Configuring a Wireless Remote Access Policy

The procedure for configuring a wireless remote access policy is different for Windows 2000 IAS and Windows Server 2003 IAS.

Configuring Windows 2000 IAS

To create a new remote access policy for wireless intranet access for Windows 2000 IAS, do the following:

  1. In the console tree of the Internet Authentication snap-in, right-click Remote Access Policies and then click New Remote Access Policy.

  2. On the Policy Name page, type the name of the policy in Policy Friendly Name.

  3. On the Conditions page, click Add.

  4. On the Select Attribute dialog box, double-click NAS-Port-Type.

  5. In the Available Types list, add Wireless-IEEE 802.11 and Wireless-Other to the list of Selected Types, and then click OK.

    If SP3 or later is not installed on the IAS server, you do not see the Wireless-IEEE 802.11 and Wireless-Other NAS port types.

  6. On the Select Attribute dialog box, double-click Windows-Groups.

  7. On the Groups dialog box, click Add.

  8. On the Select Groups dialog box, click the names of your wireless groups and click Add.

  9. Click OK to close the Select Groups dialog box.

  10. Click OK to close the Groups dialog box. An example of the resulting Conditions page is shown in the following figure.

    [Figure: example of the resulting Conditions page]

  11. Click Next. On the Permissions page, click Grant Remote Access Permission.

  12. Click Next. On the User Profile page, click Edit Profile.

  13. On the Authentication tab, select the Extensible Authentication Protocol check box and click the Protected EAP (PEAP) EAP type.

    If Microsoft 802.1X Authentication Client is not installed on the IAS server, Protected EAP (PEAP) does not appear in the list of EAP types.

  14. Click Configure. In the Protected EAP Properties dialog box, ensure that the name of the computer certificate installed on the IAS server is visible in Certificate Issued.

    NOTE
    If you cannot select the certificate, the cryptographic service provider for the certificate does not support SChannel. SChannel support is required for IAS to use the certificate for EAP-TLS authentication.

    If there are multiple computer certificates installed on the IAS server, select the correct one in Certificate Issued. The Secured Password (EAP-MSCHAPv2) PEAP type is selected by default.

  15. Click OK.

  16. Clear the Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) check boxes. The resulting configuration is shown in the following figure.

    [Figure: the resulting Authentication tab configuration]

  17. On the Encryption tab, clear the No Encryption check box.

  18. Click OK.

  19. When prompted with a Dial-In Settings message box, click No.

  20. On the User Profile page, click Finish.

By default, adding a new remote access policy for Windows 2000 IAS places the new remote access policy at the bottom of the list of existing remote access policies. Therefore, to ensure that the new wireless remote access policy is used, move the new wireless remote access policy so that it is the first in the list (using the up arrow in the toolbar).

Configuring Windows Server 2003 IAS

To create a remote access policy for wireless access for Windows Server 2003 IAS, do the following:

  1. From the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies and then click New Remote Access Policy.

  2. On the Welcome To The New Remote Access Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, type the name of the policy in Policy Name.

  4. Click Next. On the Access Method page, select Wireless.

  5. Click Next. On the User Or Group Access page, select Group.

  6. Click Add. In the Select Groups dialog box, type the names of your wireless groups in Enter The Object Names to Select.

  7. Click OK. Your wireless groups are added to the list of groups on the Users Or Groups page.

  8. Click Next. On the Authentication Methods page, the Protected EAP (PEAP) authentication is selected by default and configured to use PEAP-MS-CHAP v2.

  9. Click Next. On the Completing The New Remote Access Policy page, click Finish.

If the wireless APs require vendor-specific attributes (VSAs), you must add the VSAs to the remote access policy.

To add a VSA to the wireless remote access policy

  1. In the console tree of the Internet Authentication Service snap-in, click Remote Access Policies.

  2. Double-click the wireless remote access policy.

  3. Click Edit Profile, click the Advanced tab, and then click Add. A list of predefined attributes displays in the Add Attribute dialog box.

  4. Look at the list of available RADIUS attributes to determine whether your vendor-specific attribute is already in it. If it is, double-click it and then configure it as specified in your wireless AP documentation.

  5. If the vendor-specific attribute is not in the list of available RADIUS attributes, double-click Vendor-Specific. The Multivalued Attribute Information dialog box displays.

  6. Click Add. The Vendor-Specific Attribute Information dialog box displays.

  7. To specify the network access server vendor for your wireless AP from the list, click Select From List and then select the wireless AP vendor for which you are configuring the VSA.

  8. If the vendor is not listed, click Enter Vendor Code and then type the vendor code in the space provided.

    More Info
    If you do not know the vendor code for your wireless AP, see RFC 1007 for a list of SMI Network Management Private Enterprise Codes.

  9. Specify whether the attribute conforms to the RFC 2865 VSA specification. If you are not sure, see your wireless AP documentation. If your attribute conforms, click Yes. It Conforms and then click Configure Attribute. The Configure VSA (RFC Compliant) dialog box displays.

  10. In Vendor-Assigned Attribute Number, type the number that is assigned to the attribute (the numbers available are 0 through 255). In Attribute Format, specify the format for the attribute; in Attribute Value, type the value that you assign to the attribute.

  11. If the attribute does not conform, click No. It Does Not Conform and then click Configure Attribute. The Configure VSA (Non-RFC-Compliant) dialog box displays.

  12. In Hexadecimal Attribute Value, type the value for the attribute.

This procedure is the same for Windows 2000 IAS and Windows Server 2003 IAS.
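The two VSA layouts chosen in steps 9 through 12 above, as an added example that is not code from the book or from IAS: it encodes an RFC 2865-conformant VSA (Vendor-Id, then vendor-assigned attribute number, vendor length and value) and a non-conformant one (Vendor-Id followed by the hexadecimal value as typed), and decodes either form back. The vendor code 99999 is a constructed placeholder, not a real SMI enterprise code, and the string/integer/hex attribute formats are assumptions about how the Attribute Format choice maps to octets.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865 section 5.26)
MAX_ATTR_LEN = 255     # the RADIUS attribute Length field is a single octet


def encode_value(fmt: str, value) -> bytes:
    """Assumed formats: 'string' (UTF-8), 'integer' (4-byte big-endian), 'hex' (raw octets)."""
    if fmt == "string":
        return str(value).encode("utf-8")
    if fmt == "integer":
        return struct.pack("!I", int(value))
    if fmt == "hex":
        return bytes.fromhex(value)
    raise ValueError(f"unknown attribute format: {fmt}")


def encode_conforming_vsa(vendor_code: int, attr_number: int, fmt: str, value) -> bytes:
    """RFC 2865 layout: Type 26, Length, Vendor-Id, then Vendor-Type, Vendor-Length, data.

    Vendor-Length counts itself and Vendor-Type, so it is 2 + len(data).
    """
    if not 0 <= attr_number <= 255:
        raise ValueError("vendor-assigned attribute number must be 0 through 255")
    if not 0 <= vendor_code < (1 << 24):
        raise ValueError("Vendor-Id carries a 24-bit SMI enterprise code")
    data = encode_value(fmt, value)
    body = struct.pack("!IBB", vendor_code, attr_number, 2 + len(data)) + data
    if 2 + len(body) > MAX_ATTR_LEN:
        raise ValueError("VSA exceeds the 255-octet RADIUS attribute limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_nonconforming_vsa(vendor_code: int, hex_value: str) -> bytes:
    """Non-conformant layout: the Hexadecimal Attribute Value follows Vendor-Id unchanged."""
    body = struct.pack("!I", vendor_code) + bytes.fromhex(hex_value)
    if 2 + len(body) > MAX_ATTR_LEN:
        raise ValueError("VSA exceeds the 255-octet RADIUS attribute limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(raw: bytes):
    """Parse one Vendor-Specific attribute into (vendor_code, sub_attributes, payload).

    sub_attributes is a list of (attr_number, data) when the payload is a well-formed
    RFC 2865 sub-attribute chain, or None for a non-conformant payload; payload is
    always the raw octets after Vendor-Id.
    """
    if len(raw) < 7 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_code = struct.unpack("!I", raw[2:6])[0]
    payload = raw[6:]
    subs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            return vendor_code, None, payload
        vendor_type, vendor_len = payload[pos], payload[pos + 1]
        if vendor_len < 2 or pos + vendor_len > len(payload):
            return vendor_code, None, payload
        subs.append((vendor_type, payload[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return vendor_code, subs, payload


if __name__ == "__main__":
    VENDOR = 99999  # constructed placeholder, not a real SMI enterprise code
    print(encode_conforming_vsa(VENDOR, 1, "string", "guest-vlan").hex())
    print(decode_vsa(encode_conforming_vsa(VENDOR, 7, "integer", 4000)))
    print(decode_vsa(encode_nonconforming_vsa(VENDOR, "ff")))
```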

If you manage the remote access permission of user and computer accounts on a per-account basis, use remote access policies that specify a connection type. If you manage the remote access permission through the remote access policy, use remote access policies that specify a connection type and group. The recommended method is to manage remote access permission through the remote access policy.

Configuring the Secondary IAS Server

To configure the secondary IAS server on a computer, do the following, as described in the following sections:

  1. Obtain and install a computer certificate.

  2. Install IAS and configure the secondary IAS server computer to read the properties of user accounts.

  3. Copy the configuration of the primary IAS server to the secondary IAS server.

Obtaining and Installing a Computer Certificate

If you use computer certificate autoenrollment and Windows 2000 IAS, force a refresh of computer Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt. If you use computer certificate autoenrollment and Windows Server 2003 IAS, force a refresh of computer Group Policy by typing gpupdate /target:computer from a command prompt.

If you use a commercial CA or if your PKI does not support autoenrollment of computer certificates, obtain the computer certificate and use the certificate import procedure in the Configuring the Primary IAS Server section of this chapter to install the computer certificate on the secondary IAS server.

Installing IAS and Configuring the Secondary IAS Server Computer to Read the Properties of User Accounts

For a description of how to install IAS on the secondary IAS server computer and to configure it to read the properties of user accounts in the appropriate domains, see the Configuring the Primary IAS Server section of this chapter.

Copying the Configuration of the Primary IAS Server to the Secondary IAS Server

To copy the configuration of the primary IAS server to the secondary IAS server, do the following:

  1. On the primary IAS server computer, type netsh aaaa show config > path\file.txt at a command prompt. This command stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a network path.

  2. Copy the file created in step 1 to the secondary IAS server.

  3. On the secondary IAS server computer, type netsh exec path\file.txt at a command prompt. This command imports all the settings configured on the primary IAS server into the secondary IAS server.

You cannot copy the IAS settings from an IAS server running Windows Server 2003 to an IAS server running Windows 2000 Server.

If you change the IAS server configuration in any way, use the Internet Authentication Service snap-in to change the configuration of the IAS server that is designated as the primary configuration server and then use the previous procedure to synchronize those changes on the secondary IAS server.



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies