Cross-Forest Authentication

Because IAS uses Active Directory to validate credentials and obtain user and computer account properties, a RADIUS proxy must be placed between the wireless APs and the IAS server computers when the user and computer accounts for wireless client computers and users exist in the following authentication databases:

  • Two different Active Directory forests that do not trust each other.

  • Two different domains that do not trust each other.

  • Two different domains that have a one-way trust.

If you are using EAP-TLS authentication, you must use a RADIUS proxy, even if the forests have a two-way, transitive trust relationship.

NOTE
You do not need to use a RADIUS proxy if you use PEAP-MS-CHAP v2 and Windows NT 4.0-style usernames (for example: microsoft\user1).

When an access client sends user credentials, they often include a username, which consists of two elements:

  • Identification of the user account name

  • Identification of the user account location

For example, for the username user1@example.com, user1 is the user account name, and example.com is the location of the user account. The identification of the location of the user account is known as a realm, which has different forms:

  • The realm name can be a prefix.

    For the username example\user1, example is the name of a Windows NT 4.0 domain.

  • The realm name can be a suffix.

    For user1@example.com, example.com is either a DNS domain name or the name of an Active Directory-based domain.

The username is passed from the wireless client to the wireless AP during the authentication phase of the connection attempt. This username becomes the User-Name RADIUS attribute in the Access-Request message sent by the wireless AP to its configured RADIUS server, which is a RADIUS proxy in this configuration. When the RADIUS proxy receives the Access-Request message, configured policies on the RADIUS proxy determine the RADIUS server to which the Access-Request message is forwarded based on the realm name.

Figure 11-1 shows IAS RADIUS proxies forwarding RADIUS messages between wireless APs and multiple IAS servers in two different Active Directory forests.

Figure 11-1. Using IAS RADIUS proxies for cross-forest authentication.

The configuration described in this section is for an organization that uses the following:

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate authorization.

  • At least two IAS servers in each forest.

    At least two IAS servers (one primary and one secondary) can provide fault tolerance for RADIUS-based authentication, authorization, and accounting in each forest. If only one RADIUS server is configured and it becomes unavailable, wireless clients for that forest cannot be authenticated. By using at least two IAS servers and configuring the IAS RADIUS proxies for both the primary and secondary IAS servers, the IAS RADIUS proxies can detect when the primary IAS server is unavailable and then automatically fail over to the secondary IAS server.

  • A wireless remote access policy.

    A wireless remote access policy is configured to authorize wireless connections based on group membership.

  • At least two IAS RADIUS proxies.

    At least two IAS RADIUS proxies can provide fault tolerance for RADIUS requests that are sent from the wireless APs.

To deploy the configuration just described:

  1. Configure the certificate infrastructure.

  2. Configure the Active Directory forests for accounts and groups.

  3. Configure the primary IAS server on a computer in the first forest.

  4. Configure the secondary IAS server on another computer in the first forest.

  5. Configure the primary IAS server on a computer in the second forest.

  6. Configure the secondary IAS server on another computer in the second forest.

  7. Configure the primary IAS RADIUS proxy.

  8. Configure the secondary IAS RADIUS proxy.

  9. Configure RADIUS authentication and accounting on wireless APs.

  10. Configure wireless client computers.

Windows 2000 IAS does not support RADIUS proxy functionality. You must use Windows Server 2003 IAS for the RADIUS proxies needed for cross-forest authentication.

This configuration requires creating at least five RADIUS shared secrets:

  • Because typical wireless APs allow the configuration of only a single RADIUS shared secret for both their primary and secondary RADIUS servers, one shared secret is needed for each wireless AP and the primary and secondary IAS RADIUS proxies.

  • Because we copy the configuration of the primary IAS proxy to the secondary IAS RADIUS proxy, the following additional RADIUS shared secrets are needed:

    • Between the primary and secondary IAS RADIUS proxies and the primary IAS server in the first forest.

    • Between the primary and secondary IAS RADIUS proxies and the secondary IAS server in the first forest.

    • Between the primary and secondary IAS RADIUS proxies and the primary IAS server in the second forest.

    • Between the primary and secondary IAS RADIUS proxies and the secondary IAS server in the second forest.

Configuring the Certificate Infrastructure

For EAP-TLS authentication, follow the instructions in the Configuring the Certificate Infrastructure section of Chapter 8.

Configuring the Active Directory Forests for Accounts and Groups

Follow the instructions in the Configuring Active Directory for Accounts and Groups section of either Chapter 8 or Chapter 10 for each forest. Configuring the accounts and groups is the same when using either EAP-TLS or PEAP-MS-CHAP v2.

Configuring the Primary IAS Server on a Computer in the First Forest

To configure the primary IAS server on a computer in the first forest for EAP-TLS authentication, perform the steps described in the following sections of Chapter 8 on a computer in the first forest:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS sections of Configuring a Wireless Remote Access Policy

To configure the primary IAS server on a computer in the first forest for PEAP-MS-CHAP v2 authentication, perform the steps described in the following sections of Chapter 10 on a computer in the first forest:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS sections of Configuring a Wireless Remote Access Policy

Next, configure the primary IAS server in the first forest with the primary and secondary IAS RADIUS proxies as RADIUS clients. To do this, perform the steps in the Configuring IAS with RADIUS Clients section of Chapter 8 or Chapter 10 (instead of the wireless APs, add the primary and secondary IAS RADIUS proxies as RADIUS clients).

Configuring the Secondary IAS Server on Another Computer in the First Forest

To configure the secondary IAS server on another computer in the first forest, follow the instructions in the Configuring the Secondary IAS Server section of Chapter 8 (for EAP-TLS authentication) or Chapter 10 (for PEAP-MS-CHAP v2 authentication).

Configuring the Primary IAS Server on a Computer in the Second Forest

To configure the primary IAS server on a computer in the second forest for EAP-TLS authentication, perform the steps in the following sections of Chapter 8 on a computer in the second forest:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS sections of Configuring a Wireless Remote Access Policy

To configure the primary IAS server on a computer in the second forest for PEAP-MS-CHAP v2 authentication, perform the steps in the following sections of Chapter 10 on a computer in the second forest:

  • Obtaining and Installing a Computer Certificate

  • Installing IAS and Configuring IAS Server Properties

  • Configuring Windows 2000 IAS or Configuring Windows Server 2003 IAS sections of Configuring a Wireless Remote Access Policy

Next, configure the primary IAS server in the second forest with the primary and secondary IAS RADIUS proxies as RADIUS clients. To do this, follow the instructions in the Configuring IAS with RADIUS Clients section of Chapter 8 or Chapter 10 (instead of the wireless APs, add the primary and secondary IAS RADIUS proxies as RADIUS clients).

Configuring the Secondary IAS Server on Another Computer in the Second Forest

To configure the secondary IAS server on another computer in the second forest, perform the steps in the Configuring the Secondary IAS Server section of Chapter 8 (for EAP-TLS authentication) or Chapter 10 (for PEAP-MS-CHAP v2 authentication).

Configuring the Primary IAS RADIUS Proxy

To configure the primary IAS RADIUS proxy, do the following:

  1. On a computer running Windows Server 2003, install IAS as an optional networking component. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. For example, you can install IAS on a file server. Because the primary IAS RADIUS proxy computer is not performing authentication or authorization of wireless connections, it can be a member of a domain of either forest.

  2. If needed, configure additional UDP ports for RADIUS messages that are sent by the wireless APs. By default, IAS uses UDP ports 1812 and 1645 for authentication and UDP ports 1813 and 1646 for accounting.

  3. Add the wireless APs as RADIUS clients of the IAS RADIUS proxy using the instructions described in the Configuring IAS with RADIUS Clients section of Chapter 8 or Chapter 10.

  4. In the console tree of the Internet Authentication Service snap-in, open Connection Request Processing.

  5. Right-click Remote RADIUS Server Groups and then click New Remote RADIUS Server Group.

  6. On the Welcome To The New Remote RADIUS Server Group Wizard page, click Next.

  7. On the Group Configuration page, click Custom and type the group name for the IAS servers in the first forest in Group Name (for example: RADIUS Servers in Forest1). Click Next.

  8. On the Add Servers page, click Add.

  9. On the Address tab, type the IP address or name of the primary IAS server in the first forest. If you specify a name, click Verify to resolve the name to an IP address.

  10. On the Authentication/Accounting tab, type the shared secret between the primary and secondary IAS RADIUS proxies and the primary IAS server in the first forest.

  11. Click OK to add the server to the list of servers in the group.

  12. On the Add Servers page, click Add.

  13. On the Address tab, type the IP address or name of the secondary IAS server in the first forest.

  14. On the Authentication/Accounting tab, type the shared secret between the primary and secondary IAS RADIUS proxies and the secondary IAS server in the first forest.

  15. Click OK to add the server to the list of servers in the group.

  16. Click Next.

  17. On the Completing The New Remote RADIUS Server Group page, click Finish. The New Connection Request Policy Wizard automatically runs.

  18. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  19. On the Policy Configuration Method page, click A Typical Policy For A Common Scenario and then type the name for the connection request policy in Policy Name (for example: Forward Requests to RADIUS Servers in Forest1). Click Next.

  20. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication. Click Next.

  21. On the Realm Name page, type the realm name for all names in the first forest (for example: forest1.example.com). Select the newly created remote RADIUS server group for the IAS servers in the first forest in Server Group. Click Next.

  22. On the Completing The New Connection Request Policy Wizard page, click Finish.

  23. Right-click Remote RADIUS Server Groups and then click New Remote RADIUS Server Group.

  24. On the Welcome To The New Remote RADIUS Server Group Wizard page, click Next.

  25. On the Group Configuration page, click Custom and type the group name for the IAS servers in the second forest in Group Name (for example: RADIUS Servers in Forest2). Click Next.

  26. On the Add Servers page, click Add.

  27. On the Address tab, type the IP address or name of the primary IAS server in the second forest. If you specify a name, click Verify to resolve the name to an IP address.

  28. On the Authentication/Accounting tab, type the shared secret between the primary and secondary IAS RADIUS proxies and the primary IAS server in the second forest.

  29. Click OK to add the server to the list of servers in the group.

  30. On the Add Servers page, click Add.

  31. On the Address tab, type the IP address or name of the secondary IAS server in the second forest.

  32. On the Authentication/Accounting tab, type the shared secret between the primary and secondary IAS RADIUS proxies and the secondary IAS server in the second forest.

  33. Click OK to add the server to the list of servers in the group.

  34. Click Next.

  35. On the Completing The New Remote RADIUS Server Group page, click Finish.

  36. On the Welcome To The New Connection Request Policy Wizard page, click Next.

  37. On the Policy Configuration Method page, click A Typical Policy For A Common Scenario and then type the name for the Connection Request Policy in Policy Name (for example: Forward Requests to RADIUS Servers in Forest2). Click Next.

  38. On the Request Authentication page, click Forward Connection Requests To A Remote RADIUS Server For Authentication. Click Next.

  39. On the Realm Name page, type the realm name for all names in the second forest (for example: forest2.example.com). Select the newly created remote RADIUS server group for the IAS servers in the second forest in Server Group. Click Next.

  40. On the Completing The New Connection Request Policy Wizard page, click Finish.

Configuring the Secondary IAS RADIUS Proxy

To configure the secondary IAS RADIUS proxy on another computer, do the following:

  1. On a computer running Windows Server 2003, install IAS as an optional networking component.

    The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. For example, you can install IAS on a file server. Like the primary IAS RADIUS proxy, the secondary IAS RADIUS proxy computer can be a member of a domain of either forest because it is not performing authentication or authorization of wireless connections.

  2. On the primary IAS RADIUS proxy computer, type netsh aaaa show config > path\file.txt at the command prompt.

    This command stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a network path.

  3. Copy the file created in step 2 to the secondary IAS RADIUS proxy.

  4. On the secondary IAS RADIUS proxy computer, type netsh exec path\file.txt at a command prompt.

    This command imports all the settings configured on the primary IAS RADIUS proxy into the secondary IAS RADIUS proxy.

The default load-balancing settings of the RADIUS servers in the two remote RADIUS server groups allow each IAS RADIUS proxy to distribute the authentication request load equally to the two IAS servers in each forest.
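The following is an added example, not code from the book or from IAS itself: a simplified model of how the proxy's connection request policies pick a remote RADIUS server group from the realm in User-Name (the routing described earlier for prefix and suffix realms), and how the group then spreads requests equally over its primary and secondary IAS servers while skipping one detected as unavailable. The policy and group names copy the wizard examples above; the host names, the exact-match realm lookup and the round-robin scheme are assumptions.

```python
# Added example, not code from the book or from IAS itself: a simplified model of
# an IAS RADIUS proxy choosing a remote RADIUS server group by the realm in
# User-Name, then balancing requests over that group's servers with failover.
# Policy and group names copy the book's examples; the host names, exact-match
# realm lookup and round-robin scheme are constructed assumptions.

def split_realm(user_name):
    """(realm, account) for prefix (realm\\user) or suffix (user@realm) names;
    realm is lower-cased, and a name with no realm yields (None, name)."""
    if "\\" in user_name:
        realm, account = user_name.split("\\", 1)
        return realm.lower(), account
    if "@" in user_name:
        account, realm = user_name.rsplit("@", 1)
        return realm.lower(), account
    return None, user_name

class RemoteRadiusServerGroup:
    """Ordered servers (primary first) plus the set of servers detected as down."""
    def __init__(self, name, servers):
        self.name, self.servers, self.unavailable = name, list(servers), set()
        self._next = 0                      # round-robin cursor: equal load balancing

    def pick_server(self):
        """Next available server in rotation, or None if every server is down."""
        n = len(self.servers)
        for i in range(n):
            idx = (self._next + i) % n
            if self.servers[idx] not in self.unavailable:
                self._next = (idx + 1) % n
                return self.servers[idx]
        return None

class IasRadiusProxy:
    def __init__(self, policies, groups):
        self.policies = {r.lower(): g for r, g in policies.items()}   # realm -> group name
        self.groups = {g.name: g for g in groups}

    def forward(self, access_request):
        """(group name, server) the Access-Request is forwarded to; (None, None)
        when no connection request policy matches the realm in User-Name."""
        realm, _ = split_realm(access_request["User-Name"])
        group_name = self.policies.get(realm)
        if group_name is None:
            return None, None
        return group_name, self.groups[group_name].pick_server()

def build_proxy():
    """The two policies and two groups from the wizard steps above (constructed hosts)."""
    f1 = RemoteRadiusServerGroup("RADIUS Servers in Forest1",
                                 ["ias1.forest1.example.com", "ias2.forest1.example.com"])
    f2 = RemoteRadiusServerGroup("RADIUS Servers in Forest2",
                                 ["ias1.forest2.example.com", "ias2.forest2.example.com"])
    return IasRadiusProxy({"forest1.example.com": f1.name,
                           "forest2.example.com": f2.name}, [f1, f2])
```

A prefix-style name such as forest2\user1 matches neither suffix policy in this model, which is why the note earlier says NT 4.0-style names with PEAP-MS-CHAP v2 are handled without a proxy.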

Configuring RADIUS Authentication on the Wireless APs

Deploy your wireless APs to provide coverage for all the areas that require access to your wireless network. For more information, see Chapter 7, Wireless AP Placement.

Configure your wireless APs to support Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encryption and 802.1X authentication. Additionally, configure the RADIUS client on your wireless APs with the following settings:

  • The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure-detection settings.

  • The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure-detection settings.

To balance the load of RADIUS traffic between the primary and secondary IAS RADIUS proxies, configure half of the wireless APs with the primary IAS RADIUS proxy as their primary RADIUS server and the secondary IAS RADIUS proxy as their secondary RADIUS server. Configure the other half of the wireless APs with the secondary IAS RADIUS proxy as their primary RADIUS server and the primary IAS RADIUS proxy as their secondary RADIUS server.

Configuring Wireless Client Computers

To configure the wireless client computer, follow the instructions in the Configuring Wireless Client Computers section of Chapter 8 (for EAP-TLS) or Chapter 10 (for PEAP-MS-CHAP v2).



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies