Wireless ISP Configuration

The WISP must configure the following, as discussed in the next sections:

  • Wireless APs

  • Primary IAS RADIUS proxy

  • Secondary IAS RADIUS proxy

Configuring the Wireless APs

Configure the RADIUS client on your wireless APs by using the following settings:

  • The IP address or name of a primary RADIUS server, the shared secret, User Datagram Protocol (UDP) ports for authentication and accounting, and failure detection settings.

  • The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.

To balance the load of RADIUS traffic between the primary and secondary IAS RADIUS proxies, configure half the wireless APs with the primary IAS RADIUS proxy as their primary RADIUS server and the secondary IAS RADIUS proxy as their secondary RADIUS server. Configure the other half of the wireless APs with the secondary IAS RADIUS proxy as their primary RADIUS server and the primary IAS RADIUS proxy as their secondary RADIUS server.

Configuring the Primary IAS RADIUS Proxy

To configure the primary IAS RADIUS proxy on a computer, perform the following, as discussed in the next sections:

  • Install IAS and configure IAS server properties

  • Configure the primary IAS RADIUS proxy with RADIUS clients

  • Configure connection request policies on the primary IAS RADIUS proxy

Installing IAS and Configuring IAS Server Properties

To install Windows Server 2003 IAS, do the following:

  1. Open Add Or Remove Programs in Control Panel.

  2. Click Add/Remove Windows Components.

  3. In the Windows Components Wizard dialog box, double-click Networking Services under Components.

  4. In the Networking Services dialog box, select Internet Authentication Service.

  5. Click OK and then click Next.

  6. If prompted, insert your Windows product compact disc.

  7. After IAS is installed, click Finish and then click Close.

If the IAS RADIUS proxy computer is not also acting as a RADIUS server (performing authentication, authorization, and accounting for WISP customers), it does not have to belong to a domain or be registered in any domain; it can be a standalone server. If the IAS RADIUS proxy computer is also acting as a RADIUS server, follow the instructions in Chapter 10, Intranet Wireless Deployment Using PEAP-MS-CHAP v2 (for PEAP-MS-CHAP v2 authentication), or Chapter 8, Intranet Wireless Deployment Using EAP-TLS (for EAP-TLS authentication), to register it in the appropriate domains and configure an appropriate remote access policy.

If you want to store authentication and accounting information for connection analysis and security investigation purposes, enable logging for accounting and authentication events. Windows Server 2003 IAS can log to a local file and to a Microsoft SQL Server database.

To enable and configure local file logging for Windows Server 2003 IAS

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.

  2. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  3. In the details pane, double-click Local File.

  4. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, Access-Accept packets, and Access-Reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  5. Click Apply to save your changes to the Settings tab.

  6. On the Log File tab, type the log file directory as needed and select the log file format and new log time period. Click OK.

To enable and configure SQL Server database logging for Windows Server 2003 IAS

  1. In the console tree of the Internet Authentication snap-in, click Remote Access Logging.

  2. In the details pane, double-click SQL Server.

  3. On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the SQL Server database:

    • To capture accounting requests and responses, select the Accounting Requests check box.

    • To capture authentication requests, Access-Accept packets, and Access-Reject packets, select the Authentication Requests check box.

    • To capture periodic status updates, such as interim accounting packets, select the Periodic Status check box.

  4. In Maximum Number Of Connections, type the maximum number of simultaneous sessions that IAS can create with the SQL Server.

  5. To configure a SQL data source, click Configure.

  6. In the Data Link Properties dialog box, configure the appropriate settings for the SQL Server database.

If needed, configure additional UDP ports for authentication and accounting messages that are sent by RADIUS clients (the wireless APs). By default, IAS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.

To configure Windows Server 2003 IAS for different UDP ports

  1. In the console tree of the Internet Authentication snap-in, right-click Internet Authentication Service and then click Properties.

  2. Click the Ports tab; configure the UDP port numbers for your RADIUS authentication traffic in Authentication and the UDP port numbers for your RADIUS accounting traffic in Accounting.

    To use multiple port settings for authentication or accounting traffic, separate the port numbers with commas. You can also specify an IP address to which the RADIUS messages must be sent with the following syntax: IPAddress:UDPPort. For example, if you have multiple network adapters and you want to receive only RADIUS authentication messages sent to the IP address of 10.0.0.99 and UDP port 1812, type 10.0.0.99:1812 in Authentication. However, if you specify IP addresses and copy the configuration of the primary IAS RADIUS proxy to the secondary IAS RADIUS proxy, you must modify the ports on the secondary IAS RADIUS proxy to either remove the IP address of the primary IAS RADIUS proxy or change the IP address to that of the secondary IAS RADIUS proxy. After configuring the port numbers, click OK.

Configuring the Primary IAS RADIUS Proxy with RADIUS Clients

You must configure the primary IAS RADIUS proxy with the wireless APs as RADIUS clients. To add a RADIUS client for Windows Server 2003 IAS, do the following:

  1. In the console tree of the Internet Authentication snap-in, right-click RADIUS Clients and then click New RADIUS Client.

  2. On the Name and Address page, type a name for the wireless AP for Friendly Name. In Client Address (IP Or DNS), type the IP address or DNS domain name. If you type a DNS domain name, click Verify to resolve the name to the correct IP address for the wireless AP.

  3. Click Next. On the Additional Information page, type the shared secret for this combination of IAS RADIUS proxy and wireless AP in Shared Secret; then type it again in Confirm Shared Secret.

  4. Click Finish.

If you are using IAS on a computer running either Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, and you have multiple wireless APs on a single subnet (for example, in an Extended Service Set [ESS] configuration), you can simplify RADIUS client administration by specifying an address range instead of specifying the IP address or DNS name of a single RADIUS client. All RADIUS clients in the range must be configured to use the same RADIUS server and shared secret.

The address range for RADIUS clients is expressed in the network prefix length notation w.x.y.z/p, where w.x.y.z is the dotted decimal notation of the address prefix and p is the prefix length (the number of high-order bits that define the network prefix). This is also known as Classless Inter-Domain Routing (CIDR) notation. An example is 192.168.21.0/24, which covers the addresses 192.168.21.0 through 192.168.21.255 (host addresses 192.168.21.1 through 192.168.21.254). To convert from subnet mask notation to network prefix length notation, p is the number of high-order bits set to one in the subnet mask. Because every AP in the range shares one secret, the compromise of any AP in the range exposes the secret used by all of them. If you are not using this feature, use a different shared secret for each wireless AP.

Use a different RADIUS shared secret for each RADIUS client wherever you can. Each shared secret should be a random sequence of uppercase and lowercase letters, numbers, and punctuation that is at least 22 characters long. To ensure randomness, use a random character generation program rather than choosing the secrets by hand.
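The two preceding passages (address ranges for RADIUS clients, and per-client shared secrets) are easy to get slightly wrong by hand. The following Python helper is an added example, not code from the book or from IAS: it converts a subnet mask to the w.x.y.z/p form IAS expects, shows exactly which addresses a range covers, generates secrets that meet the 22-character mixed-class rule, and plans which APs share a range entry (and therefore a secret) and which get their own. The AP addresses and the 192.168.21.0/24 range in the demo are constructed sample input.

```python
import ipaddress
import secrets
import string


def mask_to_prefix_length(mask):
    """Convert a dotted-decimal subnet mask to a prefix length: 255.255.255.0 -> 24.

    ipaddress rejects a non-contiguous mask such as 255.0.255.0 with ValueError,
    which is the check you want before typing a w.x.y.z/p range into IAS.
    """
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def client_range(prefix):
    """Return the first and last address covered by a w.x.y.z/p range.

    strict=True refuses '192.168.21.5/24': the range must name the prefix itself.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def client_in_range(ip, prefix):
    """True if the AP address falls inside the configured client range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=True)


SECRET_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_shared_secret(length=22):
    """Random secret of at least 22 characters containing upper, lower, digit and punctuation."""
    if length < 22:
        raise ValueError("RADIUS shared secrets should be at least 22 characters")
    while True:
        candidate = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def plan_radius_clients(ap_addresses, ranges=()):
    """Decide the RADIUS client entry and secret for each AP.

    APs inside one of the configured address ranges share that range's single
    client entry and secret (the Enterprise/Datacenter Edition feature); every
    other AP gets its own entry and its own secret. Returns {ap: (entry, secret)}.
    """
    range_secrets = {r: generate_shared_secret() for r in ranges}
    plan = {}
    for ap in ap_addresses:
        entry = next((r for r in ranges if client_in_range(ap, r)), None)
        if entry is None:
            plan[ap] = (ap, generate_shared_secret())
        else:
            plan[ap] = (entry, range_secrets[entry])
    return plan


if __name__ == "__main__":
    # Constructed sample: three APs on one ESS subnet plus one AP elsewhere.
    print("255.255.252.0 ->", mask_to_prefix_length("255.255.252.0"))
    print("192.168.21.0/24 covers", client_range("192.168.21.0/24"))
    plan = plan_radius_clients(
        ["192.168.21.10", "192.168.21.11", "192.168.21.12", "10.0.0.5"],
        ranges=["192.168.21.0/24"],
    )
    for ap, (entry, secret) in plan.items():
        print(f"{ap:15} -> client entry {entry:18} secret {secret}")
```

Before pasting a generated secret into an AP, confirm that the AP's management interface accepts every punctuation character in it; some firmware silently truncates or rejects certain characters, which produces a secret mismatch that only shows up as Access-Reject or silently dropped requests at the proxy.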

Configuring Connection Request Policies on the Primary IAS RADIUS Proxy

To provide a temporary connection to the WISP's network for signup purposes or to forward RADIUS traffic to the RADIUS servers at a service provider or private organization, you must configure the following connection request policies:

  • A connection request policy that allows unauthenticated access.

    This connection request policy allows wireless users, who are not customers of the WISP and who do not have a known benefactor, to have access to a closed alternate subnet that contains the network services (such as DHCP, DNS, Web, CA) that allow the user to sign up with the WISP. When the sign-up process is complete, the user has credentials to obtain an authenticated connection and to access the Internet.

  • A connection request policy to forward RADIUS messages for each service provider.

    For each service provider with which the WISP has an agreement, a separate connection request policy must be created. The connection request policy is configured to forward requests to the RADIUS servers of the service provider based on the name of the service provider in the realm portion of the wireless client's account name. For information about realm names, see Chapter 4, RADIUS, IAS, and Active Directory.

  • A connection request policy to forward RADIUS messages for each private organization.

    For each private organization with which the WISP has an agreement, a separate connection request policy must be created. The connection request policy is configured to forward requests to the RADIUS servers of the private organization based on the name of the private organization in the realm portion of the wireless client's account name.

Authenticated connections for wireless clients that are customers of the WISP will use the default connection request policy named Use Windows Authentication For All Users. IAS evaluates connection request policies in the order in which they are listed, and the first policy whose conditions match processes the request, so the realm-based forwarding policies must appear above any policy whose conditions match every request.
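The realm-based routing described in the three policy types above is, in effect, an ordered first-match table keyed on the User-Name attribute. The following Python model is an added example, not the book's or IAS's code: it extracts the realm from both suffix (user@realm) and prefix (REALM\user) forms, walks an ordered policy list the way the proxy does, honours the "remove realm name" option, and flags policies that a catch-all placed above them would shadow. The policy names, realm names (isp1.example.com, contoso, wisp.example.net) and server group names are assumptions; so is the choice to match WISP customers on their own realm rather than with a catch-all, which keeps the unauthenticated sign-up policy as the single catch-all at the end of the list.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectionRequestPolicy:
    name: str
    user_name_pattern: Optional[str]  # regex applied to User-Name; None matches every request
    action: str                       # "forward", "windows-auth" or "accept-unauthenticated"
    server_group: Optional[str] = None  # remote RADIUS server group used by "forward"
    strip_realm: bool = False           # "Before Authentication, Remove Realm Name From The User Name"


def split_realm(user_name):
    """Return (user, realm) for user@realm or REALM\\user; realm is None when absent."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm
    return user_name, None


def route_request(user_name, policies):
    """Evaluate policies in order; the first matching policy decides.

    Returns (action, server_group, User-Name as forwarded). With strip_realm
    cleared, as the chapter instructs, the realm stays in the User-Name so the
    partner's RADIUS server can tell which realm the request belongs to.
    """
    for p in policies:
        if p.user_name_pattern is None or re.search(p.user_name_pattern, user_name, re.IGNORECASE):
            forwarded = split_realm(user_name)[0] if p.strip_realm else user_name
            return p.action, p.server_group, forwarded
    return "discard", None, user_name  # no policy matched; modelled here as a discard


def shadowed_policies(policies):
    """Names of policies that can never match because a catch-all precedes them."""
    shadowed = []
    catch_all_seen = False
    for p in policies:
        if catch_all_seen:
            shadowed.append(p.name)
        if p.user_name_pattern is None:
            catch_all_seen = True
    return shadowed


# Constructed sample policy set; realm names and group names are assumptions.
POLICIES = [
    ConnectionRequestPolicy("Forward to ISP1", r"@isp1\.example\.com$", "forward", "ISP1-RADIUS"),
    ConnectionRequestPolicy("Forward to Contoso", r"^contoso\\", "forward", "Contoso-RADIUS"),
    ConnectionRequestPolicy("WISP customers", r"@wisp\.example\.net$", "windows-auth"),
    ConnectionRequestPolicy("Unauthenticated sign-up access", None, "accept-unauthenticated"),
]


if __name__ == "__main__":
    for name in ["alice@isp1.example.com", "CONTOSO\\bob", "dave@wisp.example.net", "newuser"]:
        print(f"{name:25} -> {route_request(name, POLICIES)}")
    misordered = [POLICIES[3]] + POLICIES[:3]
    print("shadowed when the catch-all is first:", shadowed_policies(misordered))
```

Running shadowed_policies against your real policy order is the check worth automating: a catch-all unauthenticated policy that drifts to the top of the list hands every partner's users the sign-up subnet instead of forwarding them, and nothing in the snap-in warns you.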

To configure a connection request policy for unauthenticated access

  1. From the console tree of the Internet Authentication Service snap-in, open Connection Request Processing, right-click Connection Request Policies, and then click New Connection Request Policy.

  2. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, select A Custom Policy and type the name of the policy in Policy Name.

  4. Click Next. On the Policy Conditions page, click Add.

  5. In Select Attribute, click Day And Time Restrictions and then click Add.

  6. In Time of Day Constraints, click Permitted, and then click OK. Click Next.

  7. On the Request Processing Method page, click Edit Profile.

  8. On the Authentication tab, click Accept Users Without Validating Credentials.

  9. On the Advanced tab, add the desired RADIUS attributes and configure their values for the method used to provide access to the alternate subnet. For example, WISPs commonly use either packet filtering or virtual LANs.

  10. On the Edit Profile page, click OK.

  11. On the Request Processing Method page, click Next.

  12. On the Completing The New Connection Request Processing Policy Wizard page, click Finish.

  13. If the WISP IAS RADIUS proxy computers are only acting as RADIUS proxies and not as RADIUS servers, right-click the connection request policy named Use Windows Authentication For All Users in the details pane and then click Delete. In Delete Connection Request Policy, click Yes.

To configure a connection request policy for a service provider

  1. From the console tree of the Internet Authentication Service snap-in, open Connection Request Processing, right-click Connection Request Policies, and then click New Connection Request Policy.

  2. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, select A Typical Policy For A Common Scenario and type the name of the policy in Policy Name.

  4. Click Next. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication.

  5. Click Next. On the Realm Name page, type the realm name for the service provider in Realm Name and clear the Before Authentication, Remove Realm Name From The User Name check box.

  6. Click New Group.

  7. On the Welcome To The New Remote RADIUS Server Group Wizard page, click Next.

  8. On the Group Configuration Method page, type the name of the remote RADIUS server group in Group Name.

  9. Click Next. On the Add Servers page, type the IP address or DNS domain name of the service provider's primary RADIUS server in Primary Server, the IP address or DNS domain name of the service provider's secondary RADIUS server in Backup Server, and the RADIUS shared secret in both Shared Secret and Confirm Shared Secret.

  10. Click Next. On the Completing The New Remote RADIUS Server Group Wizard page, click Finish.

  11. On the Realm Name page, click Next.

  12. On the Completing The New Connection Request Processing Policy Wizard, click Finish.

To configure a connection request policy for a private organization

  1. From the console tree of the Internet Authentication Service snap-in, open Connection Request Processing, right-click Connection Request Policies, and then click New Connection Request Policy.

  2. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  3. On the Policy Configuration Method page, select A Typical Policy For A Common Scenario and type the name of the policy in Policy Name.

  4. Click Next. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication.

  5. Click Next. On the Realm Name page, type the realm name for the private organization in Realm Name and clear the Before Authentication, Remove Realm Name From The User Name check box.

  6. Click New Group.

  7. On the Welcome to the New Remote RADIUS Server Group Wizard page, click Next.

  8. On the Group Configuration Method Page, type the name of the remote RADIUS server group in Group Name.

  9. Click Next. On the Add Servers page, type the IP address or DNS domain name of the private organization's primary RADIUS server or proxy in Primary Server, the IP address or DNS domain name of the private organization's secondary RADIUS server or proxy in Backup Server, and the RADIUS shared secret in both Shared Secret and Confirm Shared Secret.

  10. Click Next. On the Completing The New Remote RADIUS Server Group Wizard page, click Finish.

  11. On the Realm Name page, click Next.

  12. On the Completing The New Connection Request Processing Policy Wizard, click Finish.

Configuring the Secondary IAS RADIUS Proxy

To install IAS, use the IAS installation procedure found in the Configuring the Primary IAS RADIUS Proxy section of this chapter. As with the primary IAS RADIUS proxy, the secondary IAS RADIUS proxy does not have to belong to a domain or be registered in any domain when it acts only as a RADIUS proxy and performs no authentication or authorization itself; it can be a standalone server.

To copy the configuration of the primary IAS RADIUS proxy to the secondary IAS RADIUS proxy

  1. On the primary IAS RADIUS proxy computer, type netsh aaaa show config > path\file.txt at a command prompt. This command stores the configuration settings, including registry settings, in a text file. The path can be a relative, absolute, or network path. Because the file contains the complete RADIUS client and remote RADIUS server group configuration, including the shared secrets, treat it as sensitive: copy it over a protected channel and delete it from both computers once the import is complete.

  2. Copy the file created in step 1 to the secondary IAS RADIUS proxy.

  3. On the secondary IAS RADIUS proxy computer, type netsh exec path\file.txt at a command prompt. This command imports all the settings configured on the primary IAS RADIUS proxy into the secondary IAS RADIUS proxy.

If you change the IAS server configuration in any way, use the Internet Authentication Service snap-in to make the change on the IAS RADIUS proxy designated as the primary configuration server, and then use this procedure to synchronize the change to the secondary IAS RADIUS proxy. If the Ports tab specifies an IP address (the IPAddress:UDPPort syntax), adjust that setting on the secondary after each import, as described earlier in this chapter.



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
