Internet Access for Business Partners

Most wireless access points (APs) in use today exhibit the following behaviors:

  • When the wireless AP receives an Access-Accept message, the connection is allowed.

  • When the wireless AP receives an Access-Reject message, the connection is denied.

To allow a business partner, vendor, or other non-employee (we will use the term business partner throughout this chapter to include all three types of users) to gain access to a separate network (such as the Internet) by using the same wireless infrastructure that allows employees access to the organization's intranet, the connection request must result in an Access-Accept message from the RADIUS server. It must also contain information that informs the wireless AP that traffic for this wireless connection must be handled differently. Typically, this information is in the form of RADIUS attributes that specify IP packet filtering or a virtual LAN (VLAN) ID.

NOTE
A VLAN is the grouping of traffic by a Layer 2 or Layer 3 network device to form a logical link or subnet, regardless of the physical configuration of the nodes attached to the device. Wireless APs use VLANs to group the traffic of wireless clients for specific physical or logical links attached to the wireless AP. Each grouping of traffic is assigned a VLAN ID. For example, VLAN ID 0 is assigned to all authenticated user connections and the organization intranet; VLAN ID 1 is assigned to business partner connections and the Internet.

Because IP packet filtering is specific to the wireless AP and requires the configuration of RADIUS vendor-specific attributes (VSAs), we describe only VLAN IDs as the mechanism by which the wireless AP separates intranet traffic from Internet traffic.

To get an Access-Accept message from the RADIUS server, you must use guest access, or the business partner must have a valid account and use valid credentials, as discussed in the following sections.

Using Guest Access

Guest access occurs when wireless clients are connected without sending a user identity. The wireless client does not provide a username or credentials to the wireless AP, so the wireless AP does not include user identity (the User-Name attribute) or credential attributes in the Access-Request message. When the IAS server receives an Access-Request message that contains no user identity attributes, it verifies whether unauthenticated access is enabled for the remote access policy that matches the connection attempt. If a user identity attribute is not included, the IAS server uses the Guest account to obtain user account dial-in properties and group membership to evaluate authorization.

As previously mentioned, restricted or alternate network access for guest access clients is typically supported by wireless APs through the use of VLANs. For example, to the wireless AP, VLAN 0 is for the organization intranet and VLAN 1 is for the Internet. To specify a VLAN identifier for unauthenticated access, you must configure the Tunnel-Type and Tunnel-Pvt-Group-ID attributes on the advanced properties of the appropriate remote access policy.

Guest access for wireless connections uses EAP-TLS to perform a one-way authentication of the IAS server certificate. The IAS server sends its computer certificate for validation by the wireless client. The wireless client does not send a username or a certificate.

NOTE
PEAP-MS-CHAP v2 does not allow one-way authentication or guest access.

The following processes enable guest access for wireless clients, as described in the next sections:

  • Configuring a wireless guests group that contains the guest account.

  • Configuring your wireless APs for the VLAN attached to the Internet.

  • Configuring a wireless remote access policy for guest access.

  • Configuring Windows wireless clients for unauthenticated access.

Configuring a Wireless Guests Group that Contains the Guest Account

To configure a wireless guests group, do the following:

  1. From the console tree of the Active Directory Users And Computers snap-in, open the domain container and then open the Users folder.

  2. In the details pane, double-click the Guest account.

  3. On the Account tab, clear the Account Is Disabled check box in Account Options.

  4. On the Dial-In tab, click either Allow Access or Control Access Through Remote Access Policy for the remote access permission. Click OK.

  5. In the console tree, right-click Users, point to New, and then click Group.

  6. In the New Object Group dialog box, type the name of the wireless guests group in Group name (for example: WirelessGuests), and then click OK.

  7. In the details pane, double-click the newly created group.

  8. Click the Members tab and then click Add.

  9. In the Select Users, Contacts, Computers, Or Groups dialog box, type guest in Enter The Object Names To Select.

  10. Click OK. The Guest user account is added to the wireless guests group.

  11. Click OK to save changes to the wireless guests group.

TIP
If you want to enable guest access and use another account that serves the same purpose for guest access, create a user account and set the remote access permission to either Allow Access or Control Access Through Remote Access Policy and then set the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Default User Identity on each IAS server to the name of the account. Changes to this registry setting do not take effect until the Internet Authentication Service restarts. Add this account to the wireless guests group.

Configuring Wireless APs for the VLAN Attached to the Internet

Configure your switching infrastructure to create a VLAN that is attached to the Internet. On the wireless AP, configure the VLAN ID of the VLAN that is attached to the Internet. For more information, see your switch and wireless AP documentation. VLANs are not supported by all wireless APs.

Configuring a Wireless Remote Access Policy for Guest Access

To configure a wireless remote access policy for unauthenticated Internet access for business partners, create a new custom remote access policy with the following settings:

  • Policy name.

    Unauthenticated wireless access to Internet (example).

  • Conditions.

    NAS-Port-Type=Wireless-Other or Wireless-IEEE 802.11, Windows-Groups=WirelessGuests (example).

  • Permissions.

    Select Grant Remote Access Permission.

  • Profile, Authentication tab.

    For Windows 2000 IAS, select Extensible Authentication Protocol and the Smart Card Or Other Certificate EAP Type. If you have multiple computer certificates installed on the IAS server, click Configure and then select the appropriate computer certificate. Select the Allow Remote PPP Clients To Connect Without Negotiating Any Authentication Method check box. Clear all other check boxes.

    For Windows Server 2003 IAS, click EAP Methods and add the Smart Card Or Other Certificate EAP Type. If you have multiple computer certificates installed on the IAS server, click Edit and then select the correct computer certificate. Select the Allow Clients to Connect Without Negotiating An Authentication Method check box. Clear all other check boxes.

  • Profile, Encryption tab.

    Clear the No Encryption check box. Select all other check boxes.

  • Profile, Advanced tab (if the wireless AP supports VLANs).

    Add the Tunnel-Type attribute with the value of Virtual LANs (VLAN).

    Add the Tunnel-Pvt-Group-ID attribute with the value of the VLAN ID of the VLAN that is connected to the Internet.

If the wireless APs require additional VSAs, you must add them to the remote access policy. For more information, see the Configuring a Wireless Remote Access Policy section of Chapter 8 or Chapter 10.

Configuring Windows Wireless Clients for Unauthenticated Access

The procedure for configuring a Windows wireless client depends on whether the Windows wireless client supports the Wireless Zero Configuration (WZC) service (Windows XP, Windows Server 2003) or not (Windows 2000).

NOTE
The Wireless Zero Configuration service is known as the Wireless Configuration service in Windows Server 2003.

For Windows wireless clients that support the WZC service, unauthenticated access is configured as follows:

  1. When the business partner starts the computer, the WZC service scans for preferred networks. Assuming that the user does not already have your wireless network in the list of preferred networks, a prompt displays to select a wireless network from the notification area of the desktop.

  2. When the business partner selects your wireless network, the initial authentication fails because the user does not have a valid set of certificates to perform EAP-TLS two-way authentication.

  3. When the business partner clicks the notification of authentication failure, the settings of your wireless network display. The user must now configure the 802.1X settings to allow for unauthenticated access:

    • For computers running Windows XP, the business partner must select the Authenticate As Guest When User Or Computer Information Is Unavailable check box on the Authentication tab of the properties of the wireless network adapter in Network Connections.

    • For computers running Windows XP (SP1 and later) and Windows Server 2003, the business partner user must select the Authenticate As Guest When User Or Computer Information Is Unavailable check box on the Authentication tab of the properties of your wireless network.

For Windows wireless clients running Windows 2000, use the following steps to configure unauthenticated access:

  1. When the computer starts, the business partner must use the wireless configuration software supplied with the wireless adapter to configure an association to your wireless network. Because the default EAP type for 802.1X authentication is EAP-TLS, authentication fails because no valid certificate is installed.

  2. The business partner user must obtain the properties of the wireless network adapter in Network And Dial-Up Connections.

  3. From the Authentication tab, the business partner user must select the Authenticate As Guest When User Or Computer Information Is Unavailable check box.

When the changes to the wireless network adapter or wireless network are saved, Windows attempts a new authentication using unauthenticated access, and the business partner can then access the Internet.

NOTE
The preceding procedure assumes that the business partner computer has a root certification authority (CA) certificate installed that can validate the certificate of the authenticating IAS server. If not, you must provide a copy of the root CA certificate to the business partner to be installed in the Trusted Root Certification Authorities Local Computer store. Otherwise, unauthenticated access does not work.

The advantage of guest access is that there is no administrative overhead for managing user and computer accounts. The disadvantage is that anyone within range of your wireless network can use your wireless network to access the Internet, unless they are required to install a root CA certificate.

Using Validated Access

For validated access for business partners, you must create computer and user accounts and issue certificates (user and computer certificates for EAP-TLS authentication, and root CA certificates for PEAP-MS-CHAP v2 authentication, if needed) to each business partner. Next, create a global group with these accounts as members so that you can manage wireless access using a group-based remote access policy. For example, create a WirelessInternetUsers universal group that contains global groups of business partner user and computer accounts.

To configure a wireless remote access policy for validated Internet access for business partners, create a new custom remote access policy for wireless Internet access with the following settings:

  • Policy name.

    Wireless access to Internet (example).

  • Conditions.

    NAS-Port-Type=Wireless-Other or Wireless-IEEE 802.11, Windows-Groups=WirelessInternetUsers (example).

  • Permissions.

    Select Grant Remote Access Permission.

  • Profile, Authentication tab.

    Configure the EAP type for EAP-TLS (as described in Chapter 8) or PEAP-MS-CHAP v2 (as described in Chapter 10), as needed. Clear all other check boxes.

  • Profile, Encryption tab.

    Clear the No Encryption check box. Select all other check boxes.

  • Profile, Advanced tab (if the wireless AP supports VLANs).

    Add the Tunnel-Type attribute with the value of Virtual LANs (VLAN).

    Add the Tunnel-Pvt-Group-ID attribute with the value of the VLAN ID of the VLAN that is connected to the Internet.

If the wireless APs require additional VSAs, you must add them to the appropriate remote access policies. For more information, see the Configuring a Wireless Remote Access Policy section of Chapter 8 or Chapter 10.
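The Tunnel-Type and Tunnel-Pvt-Group-ID settings on the Advanced tab of both the guest access policy and the validated access policy reach the wireless AP as tagged RADIUS attributes in the Access-Accept message. The following Python is an added example, not from the book, that encodes that attribute set and decodes it the way an AP would, returning no VLAN when the set is incomplete or the tags do not match; it goes slightly beyond the chapter by also including Tunnel-Medium-Type (IEEE-802), which RFC 3580 specifies alongside the two attributes named here, and assumes the VLAN ID is sent as a decimal string.

```python
# Added example, not from the book: encode and decode the RADIUS tunnel
# attributes an Access-Accept carries to put a wireless connection on the
# Internet VLAN. Attribute numbers follow RFC 2868 (64, 65, 81) and RFC 3580
# (Tunnel-Type VLAN=13, Tunnel-Medium-Type IEEE-802=6); VLAN 1 is the chapter's example.
import struct
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def attr(atype, payload):  # RADIUS TLV: Type, Length (incl. header), Value
    return struct.pack("BB", atype, 2 + len(payload)) + payload

def vlan_attrs(vlan_id, tag=1):
    """Tagged attribute set for one VLAN assignment (RFC 2868 section 3): the
    integer attributes hold tag + 3-octet value, the string attribute tag + text."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (attr(TUNNEL_TYPE, struct.pack(">I", (tag << 24) | TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, struct.pack(">I", (tag << 24) | TUNNEL_MEDIUM_802))
            + attr(TUNNEL_PVT_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attrs(data):
    """Yield (type, value) pairs; reject truncated or oversized lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def assigned_vlan(data):
    """VLAN ID an AP would apply, or None if the set is incomplete or
    inconsistent (wrong tunnel type or medium, tags that do not match)."""
    by_tag = {}
    for atype, val in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            by_tag.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PVT_GROUP_ID and val:
            # A first octet above 0x1F is data, not a tag (untagged attribute).
            tag, group = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            by_tag.setdefault(tag, {})[atype] = group
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PVT_GROUP_ID in entry):
            group = entry[TUNNEL_PVT_GROUP_ID].decode("ascii", "replace")
            return int(group) if group.isdigit() else None
    return None
```

Running `assigned_vlan` over the attribute bytes captured from your own IAS server's Access-Accept is a quick way to confirm that a policy really steers business partner connections to the Internet VLAN rather than leaving them on the intranet VLAN.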

The advantage of using validated access is that only specific business partners can access the Internet using your wireless network. The disadvantage is that there is more administrative overhead in managing user and computer accounts and issuing certificates.


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies