
This guide provides detailed information about how you can use four computers and a wireless access point (AP) to create a test lab with which to configure and test secure wireless access with the Microsoft® Windows® XP Professional with Service Pack 2 (SP2) and the 32-bit versions of the Windows Server™ 2003 with Service Pack 1 (SP1) operating systems. The instructions in this guide are designed to take you step-by-step through the configuration required for Protected Extensible Authentication Protocol with Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) authentication, then through the steps required for EAP-TLS authentication.

Note:

The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. For more information about deploying secure wireless, see the Microsoft Wi-Fi Web site.


PEAP-MS-CHAP v2 Authentication


The infrastructure for the wireless test lab network consists of four computers performing the following roles:

·      A computer running Microsoft Windows Server 2003 with Service Pack 1 (SP1), Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).

·      A computer running Microsoft Windows Server 2003 with SP1, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.

·      A computer running Windows Server 2003 with SP1, Standard Edition, named IIS1 that is acting as a Web and file server.

·      A computer running Windows XP Professional with SP2 named CLIENT1 that is acting as a wireless client.

Before You Begin


Installing the Windows Server 2003 with SP1 operating system on each of the servers in this test lab also installs Windows Firewall, which is turned off by default on the server. After the IAS and IIS servers are configured, you will turn on Windows Firewall and add exceptions that allow communication between the computers on the network. On the domain controller, Windows Firewall should stay off. On CLIENT1, Windows Firewall is turned on automatically when you install Windows XP Professional with SP2, and it remains on throughout this guide.

Additionally, make sure there is a wireless AP that provides connectivity to the Ethernet intranet network segment for the wireless client. The firewall for the wireless AP is controlled by the manufacturer's software. For this test lab, do not turn on the firewall on the wireless AP.

Important:

Before configuring the test lab, make sure that you have downloaded the most recent drivers for the wireless adapter on CLIENT1 to ensure that the adapter performs correctly while running under Windows XP Professional with SP2.

The following figure shows the configuration of the wireless test lab.




The wireless test lab represents a network segment on a corporate intranet. All computers on the corporate intranet, including the wireless AP, are connected to a common hub or Layer 2 switch. Private addresses of 172.16.0.0/24 are used on the intranet network segment.

IIS1 and CLIENT1 obtain their IP address configuration using DHCP. The following sections describe how to configure each of the test lab components. To create this test lab, configure the computers in the order presented.

DC1


DC1 is a computer running Windows Server 2003 with SP1, Enterprise Edition, that is performing the following roles:

·      A domain controller for the example.com domain

·      A DNS server for the example.com DNS domain

·      A DHCP server for the intranet network segment

·      The enterprise root CA for the example.com domain

Note:

Windows Server 2003 with SP1, Enterprise Edition, is used so that autoenrollment of user and workstation certificates for EAP-TLS authentication can be configured. This is described in the "EAP-TLS Authentication" section of this guide. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve security by automatically expiring and renewing certificates.

To configure DC1 for these services, perform the following steps.

Perform basic installation and configuration

1.   Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone server.
2.   Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.

Configure the computer as a domain controller

1.   To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo.exe, and then click OK.
2.   In the Welcome to the Active Directory Installation Wizard dialog box, click Next.
3.   In the Operating System Compatibility dialog box, click Next.
4.   Verify that Domain controller for a new domain option is selected, and then click Next.
5.   Verify that Domain in a new forest is selected, and then click Next.
6.   Verify that No, just install and configure DNS on this computer is selected, and then click Next.
7.   On the New Domain Name page, type example.com, and then click Next.
8.   On the NetBIOS Domain Name, confirm that the Domain NetBIOS name is EXAMPLE, and then click Next.
9.   Accept the default Database and Log Folders directories as shown in the following figure, and then click Next.

10.  In the Shared System Volume dialog box, as shown in the following figure, verify that the default folder location is correct. Click Next.

11.  On the Permissions page, verify that the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems check box is selected, as shown in the following figure. Click Next.

12.  On the Directory Services Restore Mode Administration Password page, type and confirm a password, and then click Next. This password allows anyone who can restart DC1 into Directory Services Restore Mode to work on the directory database offline, so do not leave it blank even in a lab.
13.  Review the information on the Summary page, and then click Next.

14.  On the Completing the Active Directory Installation Wizard page, click Finish.
15.  When prompted to restart the computer, click Restart Now.

Raise the domain functional level

1.   Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder, and then right-click the example.com domain.
2.   Click Raise Domain Functional Level, and then select Windows Server 2003 on the Raise Domain Functional Level page. This is shown in the following figure.

3.   Click Raise, click OK, and then click OK again.

Install and configure DHCP

1.   Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services component by using Add or Remove Programs in Control Panel.
2.   Open the DHCP snap-in from the Administrative Tools folder, and then highlight the DHCP server, dc1.example.com.
3.   Click Action, and then click Authorize to authorize the DHCP service.
4.   In the console tree, right-click dc1.example.com, and then click New Scope.
5.   On the Welcome page of the New Scope Wizard, click Next.
6.   On the Scope Name page, type CorpNet in Name. This is shown in the following figure.

7.   Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, type 172.16.0.100 in End IP address, and type 24 in Length. This is shown in the following figure.

8.   Click Next. On the Add Exclusions page, click Next.
9.   On the Lease Duration page, click Next.
10.  On the Configure DHCP Options page, click Yes, I want to configure these options now. This is shown in the following figure.

11.  Click Next. On the Router (Default Gateway) page, click Next.
12.  On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the following figure.

13.  Click Next. On the WINS Servers page, click Next.
14.  On the Activate Scope page, click Yes, I want to activate this scope now. This is shown in the following figure.

15.  Click Next. On the Completing the New Scope Wizard page, click Finish.

Install Certificate Services

1.   In Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.
2.   In the Windows Components Wizard page, select Certificate Services, and then click Next.
3.   On the CA Type page, select Enterprise root CA. This is shown in the following figure.

4.   Click Next. Type Example CA in the Common name for this CA box, and then click Next. Accept the defaults on the Certificate Database Settings page. This is shown in the following figure.

5.   Click Next. Upon completion of the installation, click Finish.
6.   Click OK after reading the warning about installing IIS.

Verify Administrator permissions for certificates

1.   Click Start, click Administrative Tools, and then click Certification Authority.
2.   Right-click Example CA, and then click Properties.
3.   On the Security tab, click Administrators in the Group or user names list.
4.   In the Permissions for Administrators list, verify that the following options have been set to Allow: Issue and Manage Certificates, Manage CA, Request Certificates.
If any of these are set to Deny or are not selected, set the permission to Allow, as shown in the following example.

5.   Click OK to close the Example CA Properties dialog box, and then close Certification Authority.

Add computers to the domain

1.   Open the Active Directory Users and Computers snap-in.
2.   In the console tree, expand example.com.
3.   Right-click Computers, click New, and then click Computer.
4.   In the New Object – Computer dialog box, type IAS1 in Computer name. This is shown in the following figure.

5.   Click Next. In the Managed dialog box, click Next. In the New Object – Computer dialog box, click Finish.
6.   Repeat steps 3-5 to create additional computer accounts with the following names: IIS1 and CLIENT1.

Allow wireless access to computers

1.   In the Active Directory Users and Computers console tree, click the Computers folder, right-click CLIENT1, click Properties, and then click the Dial-in tab.
2.   Select Allow access, and then click OK.

Add users to the domain

1.   In the Active Directory Users and Computers console tree, right-click Users, click New, and then click User.
2.   In the New Object – User dialog box, type wirelessuser in First name and type WirelessUser in User logon name. This is shown in the following figure.

3.   Click Next. In the New Object – User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box, and then click Next. This is shown in the following figure.

4.   In the final New Object – User dialog box, click Finish.

Allow wireless access to users

1.   In the Active Directory Users and Computers console tree, click the Users folder, right-click WirelessUser, click Properties, and then click the Dial-in tab.
2.   Select Allow access, and then click OK.

Add groups to the domain

1.   In the Active Directory Users and Computers console tree, right-click Users, click New, and then click Group.
2.   In the New Object – Group dialog box, type WirelessUsers in Group name, and then click OK. This is shown in the following figure.


Add users to the WirelessUsers group

1.   In the details pane of the Active Directory Users and Computers, double-click WirelessUsers.
2.   Click the Members tab, and then click Add.
3.   In the Select Users, Contacts, Computers, or Groups dialog box, type wirelessuser in Enter the object names to select. This is shown in the following figure.

4.   Click OK. In the Multiple Names Found dialog box, click OK. The WirelessUser user account is added to the WirelessUsers group. This is shown in the following figure.

5.   Click OK to save changes to the WirelessUsers group.

Add client computers to the WirelessUsers group

1.   Repeat steps 1 and 2 in the preceding “Add users to the WirelessUsers group” procedure.
2.   In the Select Users, Contacts, or Computers dialog box, type client1 in Enter the object names to select. This is shown in the following figure.

3.   Click Object Types, clear the Users check box, and then select the Computers check box. This is shown in the following figure.

4.   Click OK twice. The CLIENT1 computer account is added to the WirelessUsers group.

IAS1


IAS1 is a computer running Windows Server 2003 with SP1, Standard Edition, that is providing RADIUS authentication and authorization for the wireless AP. To configure IAS1 as a RADIUS server, perform the following steps.

Perform basic installation and configuration

1.   Install Windows Server 2003 with SP1, Standard Edition, as a member server named IAS1 in the example.com domain.
2.   For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

Install and configure Internet Authentication Service

1.   Install Internet Authentication Service as a Networking Services component by using Add or Remove Programs in Control Panel.
2.   In the Administrative Tools folder, open the Internet Authentication Service snap-in.
3.   Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click OK. This is shown in the following figure.


Create the Certificates (Local Computer) console

1.   Create an MMC console on your IAS server that contains the Certificates (Local Computer) snap-in.
2.   Click Start, click Run, type mmc, and then click OK.
3.   On the File menu, click Add/Remove Snap-in, and then click Add.
4.   Under Snap-in, double-click Certificates, click Computer account, and then click Next.
5.   Click Local computer, click Finish, click Close, and then click OK. The Certificates (Local Computer) snap-in is shown in the following figure.

Note:
PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the wireless clients. Autoenrollment of computer certificates for the IAS servers can be used to simplify a deployment. However, in this section, a certificate is manually requested for the IAS1 computer because the autoenrollment of the certificates is not yet configured. This is described in the following "EAP-TLS Authentication" section of this guide.

Request a computer certificate

1.   Right-click the Personal folder, click All Tasks, click Request New Certificate, and then click Next.
2.   Click Computer for the Certificate types, and then click Next.
3.   Type IAS Server1 Certificate in Friendly name. This is shown in the following figure.

4.   Click Next. On the Completing the Certificate Request Wizard page, click Finish.
5.   A message stating that the certificate request was successful appears. Click OK.

Add WirelessAP as RADIUS client

1.   In the console tree of the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client.
2.   On the Name and Address page of the New RADIUS Client wizard, in Friendly name, type WirelessAP. In Client address (IP or DNS), type 172.16.0.3, and then click Next. This is shown in the following figure.

3.   Click Next. On the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a RADIUS shared secret for the wireless AP, and then type it again in Confirm shared secret. This is shown in the following figure. The shared secret entered here needs to match the RADIUS shared secret on the configuration of the wireless AP.

4.   Click Finish.

Create and configure remote access policy

1.   In the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies, and then click New Remote Access Policy.
2.   On the Welcome to the New Remote Access Policy Wizard page, click Next.
3.   On the Policy Configuration Method page, type Wireless access to intranet in Policy name. This is shown in the following figure.

4.   Click Next. On the Access Method page, select Wireless. This is shown in the following figure.

5.   Click Next. On the User or Group Access page, select Group. This is shown in the following figure.

6.   Click Add. In the Select Groups dialog box, click Locations, select example.com, and then click OK.
7.   Type wirelessusers in the Enter the object names to select box. This is shown in the following figure.

8.   Click OK. The WirelessUsers group in the example.com domain is added to the list of groups on the User or Group Access page. This is shown in the following figure.

9.   Click Next. On the Authentication Methods page, the Protected EAP (PEAP) authentication is selected by default and configured to use PEAP-MS-CHAP v2. This is shown in the following figure.

10.  Click Next. On the Completing the New Remote Access Policy page, click Finish.

Configure Windows Firewall on IAS1

1.   Click Start, point to Control Panel, and then click Windows Firewall.
2.   In the Windows Firewall dialog box, click On, and then click the Exceptions tab.
3.   Click Add Port, and in the Add a Port dialog box type RADIUS Authentication for the Name, type 1812 for the Port number, and select UDP as the type of traffic processed by the port. Click OK.
4.   Click Add Port again, and in the Add a Port dialog box, type RADIUS Accounting for the Name, type 1813 for the Port number, and select UDP as the type of traffic processed by the port. Click OK. (UDP 1812 is the RADIUS authentication port and UDP 1813 the accounting port; the wireless AP is configured later in this guide to send authentication requests to port 1812.)
5.   On the Exceptions page, verify that the two port exceptions you added are selected.
6.   Click the Advanced tab, and then click Settings for Security Logging.
7.   In the Log Setting dialog box, select Log dropped packets and Log successful connections. Note the path and file name in Name.
Please refer to the log file in case you need to add more ports to the exception list. The log file also allows you to view packets dropped by Windows Firewall and successful TCP connections.
8.   Click OK twice to close Windows Firewall.

IIS1


IIS1 is a computer running Windows Server 2003 with SP1, Standard Edition, and Internet Information Services (IIS). It is providing Web and file server services for intranet clients. To configure IIS1 as a Web and file server, perform the following steps:

Install and configure IIS

1.   On IIS1, install Windows Server 2003 with SP1, Standard Edition, as a member server named IIS1 in the example.com domain.
2.   Install Internet Information Services (IIS) as a subcomponent of the Application Server component by using the Windows Components wizard of Add or Remove Programs.

Configure a shared folder

1.   On IIS1, use Windows Explorer to create a new share for the root folder of drive C using the share name ROOT with the default permissions.
2.   To determine whether the Web server is working correctly, start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in Address, type http://IIS1/iisstart.htm. You should see an "under construction" Web page.
3.   To determine whether file sharing is working correctly, on IAS1 click Start, click Run, and then type \\IIS1\ROOT. You should see the contents of the root folder of drive C on IIS1.

Configure Windows Firewall on IIS1

1.   Click Start, point to Control Panel, and then click Windows Firewall.
2.   Select On, and then click the Exceptions tab.
3.   In Programs and Services, select File and Print Sharing.
4.   On the Exceptions tab, click Add Port.
5.   In the Add a Port dialog box, type World Wide Web Publishing Service for the Name, type 80 for the Port number, select TCP as the protocol, and then click OK.
6.   On the Exceptions tab, make sure World Wide Web Publishing Service and File and Print Sharing are selected.
7.   Click the Advanced tab, and then click Settings in the Security Logging box.
8.   On the Log Settings tab, select Log dropped packets and Log successful connections, and keep the default path and file name in Name.
Please refer to the log file in case you need to add more ports to the exception list. The log file also allows you to view packets dropped by Windows Firewall and successful TCP connections.
9.   Click OK twice to close Windows Firewall.
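Both firewall procedures above (on IAS1 and on IIS1) point you at the Windows Firewall log to find out which ports still need exceptions. The following script, added here as an example and not part of the original guide, parses that log (pfirewall.log, written in W3C extended format by Windows XP SP2 and Windows Server 2003 SP1), counts inbound DROP records per destination port, and separates ports the host is supposed to serve (an exception is missing) from ports it is not (unexpected traffic worth a look). The log lines in SAMPLE_LOG are constructed to resemble IAS1's log before the RADIUS exceptions were added; the SERVED table is an assumption based on the roles in this lab.

```python
"""Review a Windows Firewall log (pfirewall.log, W3C extended format as written
by Windows XP SP2 / Windows Server 2003 SP1) to find inbound traffic that the
firewall dropped. Added example, not part of the original guide; SAMPLE_LOG is
constructed to look like IAS1's log before the RADIUS exceptions were added."""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-11 08:05:57 DROP UDP 172.16.0.3 172.16.0.2 45879 1812 211 - - - - - - - RECEIVE
2005-04-11 08:05:58 DROP UDP 172.16.0.3 172.16.0.2 45879 1812 211 - - - - - - - RECEIVE
2005-04-11 08:06:01 DROP UDP 172.16.0.3 172.16.0.2 45880 1813 94 - - - - - - - RECEIVE
2005-04-11 08:06:05 OPEN TCP 172.16.0.2 172.16.0.1 1042 389 0 - 0 0 0 - - - -
2005-04-11 08:06:09 DROP TCP 172.16.0.55 172.16.0.2 2317 445 48 S 1234567 0 65535 - - - RECEIVE
2005-04-11 08:06:12 OPEN-INBOUND UDP 172.16.0.3 172.16.0.2 45881 1812 211 - - - - - - - RECEIVE
"""

# Ports each lab host is meant to serve (assumption based on the lab roles);
# any other dropped inbound port is worth investigating rather than opening.
SERVED = {
    "IAS1": {("UDP", 1812), ("UDP", 1813)},               # RADIUS auth / accounting
    "IIS1": {("TCP", 80), ("TCP", 139), ("TCP", 445),     # Web + File and Print Sharing
             ("UDP", 137), ("UDP", 138)},
}


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                                      # truncated or foreign line
        yield dict(zip(fields, values))


def dropped_inbound(text, local_ip):
    """Count DROP records addressed to local_ip, keyed by (protocol, dst-port)."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["dst-ip"] == local_ip and rec["path"] == "RECEIVE":
            counts[(rec["protocol"], int(rec["dst-port"]))] += 1
    return counts


def review(text, local_ip, served):
    """Split drops into ports the host should serve (an exception is missing)
    and ports it should not (unexpected traffic, possibly a scan)."""
    counts = dropped_inbound(text, local_ip)
    missing = {k: n for k, n in counts.items() if k in served}
    unexpected = {k: n for k, n in counts.items() if k not in served}
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = review(SAMPLE_LOG, "172.16.0.2", SERVED["IAS1"])
    for (proto, port), n in sorted(missing.items()):
        print(f"add exception: {proto} {port} ({n} drops)")
    for (proto, port), n in sorted(unexpected.items()):
        print(f"investigate: {proto} {port} ({n} drops)")
```

To run it against a real log, read %windir%\pfirewall.log into `text` and pass the host's own address and its SERVED set; the separation between "missing exception" and "unexpected" is the point, because the firewall log is as useful for noticing a stray SMB probe against the RADIUS server as it is for completing the exception list.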

Wireless AP


You can access and configure the wireless AP from any computer in the network; however, you will need to know in advance the wireless AP's default IP address in order to access it.

Configure the wireless AP

1.   From any server in this network, in Internet Explorer type the wireless AP's IP address in the Address bar.
2.   Configure the wireless AP for the following:
·      The network name (SSID) of WIR_TST_LAB.
·      The IP address of 172.16.0.3 with the subnet mask of 255.255.255.0 on the Ethernet interface.
·      IEEE 802.1X authentication with WEP enabled (the per-session WEP keys are delivered through 802.1X, which is what the Windows XP client settings later in this guide expect). WEP itself is cryptographically broken; outside an isolated lab, select WPA2-Enterprise (or at least WPA-Enterprise) on the AP, which uses the same 802.1X and RADIUS settings.
·      For the primary RADIUS server: the IP address 172.16.0.2, the UDP port of 1812, and the shared secret, which must match the shared secret previously entered on the IAS server.
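The shared secret entered on IAS1 (in "Add WirelessAP as RADIUS client") and again here on the AP is the only thing that lets the AP tell a genuine Access-Accept from IAS1 apart from a spoofed one, and lets IAS1 reject requests from a device that is not the AP. The following script, added here as an example and not part of the original guide, shows the mechanics from RFC 2865 and RFC 2869 on constructed data: the AP builds an Access-Request carrying an EAP-Response/Identity with a Message-Authenticator, the server verifies it, and the AP verifies the Response Authenticator of the reply, discarding a reply computed with the wrong secret. The secret, identifier and identity values are made up.

```python
"""RADIUS shared-secret mechanics (RFC 2865, RFC 2869) between the wireless AP
(RADIUS client) and IAS1 (RADIUS server). Added example, not part of the
original guide; the secret, identifier and EAP identity below are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 4, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def avp(attr_type, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identifier, identity, eap_message,
                         nas_ip, request_auth=None):
    """Build the Access-Request an 802.1X AP sends; returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)       # fresh random per request
    attrs = (avp(ATTR_USER_NAME, identity)
             + avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + avp(ATTR_EAP_MESSAGE, eap_message)
             + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this value zeroed).
    # Mandatory whenever EAP-Message is present; it is what stops a spoofed request.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, request_auth


def verify_message_authenticator(secret, packet):
    """Server-side check: locate Message-Authenticator and recompute it."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False                                  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False                                          # absent: reject EAP requests


def build_response(secret, code, identifier, request_auth, attrs=b""):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, packet, request_auth):
    """Client-side check. Returns the reply code, or None if the Response
    Authenticator does not verify, so a forged Access-Accept is never acted on."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def demo(secret=b"lab-shared-secret"):
    """One exchange: AP sends EAP-Response/Identity, server accepts; then a
    reply computed with the wrong secret, which the AP must discard."""
    identity = b"EXAMPLE\\WirelessUser"
    # EAP header: Code 2 (Response), Id 1, Length, then Type 1 (Identity)
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    request, req_auth = build_access_request(secret, 7, identity, eap_identity, "172.16.0.3")
    server_accepts_request = verify_message_authenticator(secret, request)
    genuine = build_response(secret, ACCESS_ACCEPT, 7, req_auth)
    forged = build_response(b"guessed-secret", ACCESS_ACCEPT, 7, req_auth)
    return (server_accepts_request,
            verify_response(secret, genuine, req_auth),
            verify_response(secret, forged, req_auth))


if __name__ == "__main__":
    print(demo())   # (True, 2, None)
```

Two things follow from the code that the GUI steps do not make obvious: the protocol offers only MD5 and HMAC-MD5 keyed with the shared secret, so the secret must be long and random (an attacker who can see RADIUS traffic on the hub or switch can brute-force a short one offline from a captured Request Authenticator and Response Authenticator pair), and the outer EAP identity travels in clear between the AP and IAS1 even though the MS-CHAP v2 exchange itself is inside the PEAP TLS tunnel.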

CLIENT1


CLIENT1 is a computer running Windows XP Professional with SP2 that is acting as a wireless client and obtaining access to intranet resources through the wireless AP. To configure CLIENT1 as a wireless client, perform the following steps.

Perform basic installation and configuration

1.   Connect CLIENT1 to the intranet network segment using an Ethernet cable connected to the hub.
2.   On CLIENT1, install Windows XP Professional with SP2 as a member computer named CLIENT1 of the example.com domain.
3.   Confirm that Service Pack 2 is installed; it is required for the PEAP and wireless client support used in this guide.
Note   Windows Firewall is automatically turned on in Windows XP Professional with SP2. Do not turn the firewall off.

Install the wireless network adapter

1.   Shut down the CLIENT1 computer.
2.   Disconnect the CLIENT1 computer from the intranet network segment.
3.   Restart the CLIENT1 computer, and then log on using the local administrator account.
4.   Install the wireless network adapter.
Important   Do not install the manufacturer's configuration software for the wireless adapter. Install the wireless network adapter drivers using the Add Hardware Wizard, and when prompted, provide the CD provided by the manufacturer or a disk with updated drivers for use with Windows XP Professional with SP2.

Configure the wireless network connection

1.   Log off and then log on by using the WirelessUser account in the example.com domain.
2.   Wait until you are prompted to select the wireless network in the notification area of the desktop.
3.   Right-click the wireless network connection icon, and then click View Available Wireless Networks.
4.   On the Choose a wireless network page, click WIR_TST_LAB, and then click the Connect button. When connected, the Choose a wireless network page will display the status of the WIR_TST_LAB connection as Connected, as shown in the following figure:

5.   Once connected, click Change advanced settings under Related Tasks.
6.   In the Wireless Network Connection Properties dialog box, click the Wireless Networks tab, as shown in the following figure.

7.   Click Properties. On the Association tab, verify that Network Authentication is set to Open, Data encryption is set to WEP, and The key is provided for me automatically is selected, as shown in the following diagram.

8.   On the Authentication tab, make sure that Enable IEEE 802.1x authentication for this network is selected, the EAP type is Protected EAP (PEAP), and Authenticate as computer when computer information is available is selected, as shown in the following diagram. Click Properties next to the EAP type and confirm that Validate server certificate is selected and that Example CA is checked in the Trusted Root Certification Authorities list; because CLIENT1 is a member of example.com, the enterprise root CA certificate is already in its trusted root store. Leave server validation on: without it, CLIENT1 will build the PEAP tunnel to any RADIUS server behind any AP that broadcasts WIR_TST_LAB and hand that server the WirelessUser MS-CHAP v2 response.

9.   On the Connection tab, make sure that Connect when this network is in range is selected.
10.  After authentication is successful, check the TCP/IP configuration for the wireless adapter by using Network Connections. It should have an address in the range 172.16.0.10 through 172.16.0.100, assigned from the CorpNet DHCP scope on DC1.
11.  To test functionality to the Web server between CLIENT1 and IIS1 over the wireless connection, start Internet Explorer on CLIENT1.
12.  If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1/iisstart.htm. You should see an "under construction" Web page.
13.  On CLIENT1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the local drive (drive C) on IIS1.

EAP-TLS Authentication


Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication requires computer and user certificates on the wireless client, the addition of EAP-TLS as an EAP type to the remote access policy for wireless access, and a reconfiguration of the wireless network connection.

DC1


To configure DC1 to provide autoenrollment for computer and user certificates, perform the following steps.

Install the Certificate Templates snap-in

1.   Click Start, click Run, type mmc, and then click OK.
2.   On the File menu, click Add/Remove Snap-in, and then click Add.
3.   Under Snap-in, double-click Certificate Templates, click Close, and then click OK.
4.   In the console tree, click Certificate Templates. All of the certificate templates will appear in the details pane. This is shown in the following figure.


Create the certificate template for wireless users

1.   In the details pane of the Certificate Templates snap-in, click the User template.
2.   On the Action menu, click Duplicate Template.
3.   In the Template name box, type Wireless User Certificate Template. This is shown in the following figure.


Configure the certificate template

1.   In the Properties of New Template dialog box, verify that the Publish certificate in Active Directory check box is selected.
2.   Click the Security tab.
3.   In the Group or user names list, click Domain Users.
4.   In the Permissions for Domain Users list, select the Read, Enroll, and Autoenroll check boxes. This is shown in the following figure.

5.   Click the Subject Name tab and verify that Include e-mail name in subject name and E-mail name boxes are cleared. This is shown in the following figure.

Important:
These two options are cleared in this example because no e-mail address was entered for the WirelessUser account in the Active Directory Users and Computers snap-in. If they are left selected, autoenrollment tries to build the certificate subject from the account's e-mail attribute, finds none, and the request fails with an autoenrollment error.
6.   Click OK.

Enable the certificate template

1.   Open the Certification Authority snap-in.
2.   In the console tree, expand Example CA, and then click Certificate Templates. This is shown in the following figure.

3.   On the Action menu, point to New, and then click Certificate to Issue.
4.   Click Wireless User Certificate Template. This is shown in the following figure.

5.   Click OK. Open the Active Directory Users and Computers snap-in.
6.   In the console tree, double-click Active Directory Users and Computers, right-click the example.com domain, and then click Properties.
7.   On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in.
8.   In the console tree, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then click Automatic Certificate Request Settings. This is shown in the following figure.

9.   Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
10.  On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
11.  On the Certificate Template page, click Computer. This is shown in the following figure.

12.  Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.

13.  In the console tree, expand User Configuration, Windows Settings, Security Settings, and Public Key Policies. This is shown in the following figure.

14.  In the details pane, double-click Autoenrollment Settings.
15.  Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box. Select the Update certificates that use certificate templates check box. This is shown in the following figure.

16.  Click OK.

IAS1


Configure IAS1 to use EAP-TLS authentication

1.   Open the Internet Authentication Service snap-in.
2.   In the console tree, click Remote Access Policies.
3.   In the details pane, double-click Wireless access to intranet. The Wireless access to intranet Properties dialog box appears. This is shown in the following figure.

4.   Click Edit Profile, and then click the Authentication tab. This is shown in the following figure.

5.   On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box appears. This is shown in the following figure.

6.   Click Add. The Add EAP dialog box appears. This is shown in the following figure.

7.   Click Smart Card or other certificate, and then click OK. The Smart Card or other certificate type is added to the list of EAP providers. This is shown in the following figure.

8.   Click Edit. The Smart Card or other Certificate Properties dialog box appears. This is shown in the following figure.

9.   The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
10.  Click Move Up to make the Smart Card or other certificate EAP provider the first in the list. This is shown in the following figure.

11.  Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.
12.  Click OK to save changes to the remote access policy. This will allow the Wireless access to intranet remote access policy to authorize wireless connections using the EAP-TLS authentication method.

CLIENT1


Configure CLIENT1 to use EAP-TLS authentication

1.   Apply the updated computer and user Group Policy settings and obtain the computer and user certificates for CLIENT1 immediately by typing gpupdate at a command prompt; logging off and then logging on again has the same effect. You must be logged on to the example.com domain, either over the PEAP wireless connection created earlier or over a wired connection, so that the certificates can be requested from Example CA.
2.   To obtain properties for the WIR_TST_LAB wireless network click Start, click Control Panel, double-click Network Connections, and then right-click Wireless Network Connection.
3.   Click Properties, click the Wireless Networks tab, click WIR_TST_LAB, and then click Configure.
4.   On the Association tab, accept the default Network Authentication of Open, select WEP as the Data encryption type, and select The key is provided for me automatically check box. This is shown in the following figure:

5.   On the Authentication tab, select Smart Card or other Certificate for the EAP type. This is shown in the following figure.

6.   On the Connection tab, verify that Connect when this network is in range is selected.

7.   Click OK to exit the WIR_TST_LAB properties dialog box, and then click OK to close the Wireless Network Connection dialog box. The wireless network connection reconnects using EAP-TLS authentication.

Summary


This guide described in detail the steps required to configure secure wireless access using PEAP-MS-CHAP v2 and EAP-TLS in a test lab with a wireless AP and four computers.
