PEAP with IAS is a great way to set up wireless networks that require:
a) Their security to be top notch.
b) Lots of access points (greater than 10 or so).
c) Minimal administrative maintenance overhead.
It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.
The whole IAS management of your APs as RADIUS clients makes it very simple to make changes to your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most WPA-PSK setups). You don't need to worry about keeping WPA keys up to date, as the encryption keys are generated dynamically each time a client connects.
Below I have detailed the steps that I take when setting one of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks) but most of the steps are fairly self-explanatory.
Install IAS from the Add/Remove Windows Components area in the Control Panel.
Install Certificate Services from the Windows Components area in the Control Panel.
When prompted, you want to install an "Enterprise Root CA".
Load up the "Certificates" snap-in for MMC and then submit a request for a new domain controller certificate.
Create a group in Active Directory called "WirelessUsers".
Inside the Administrative Tools section load up the IAS plugin and create a "New Remote Access Policy". Call it "Wireless Access Policy". Follow the wizard, which is reasonably intuitive, and when prompted for access restrictions allow only the computers and users that are members of the "WirelessUsers" group you created previously. Also make sure, when prompted for the authentication method, that you select EAP/PEAP.
Then right click on the policy you just created and go to "Properties". Then click on the "Edit Profile" button and make the following changes:
1. Encryption tab: Make sure "No Encryption" is not ticked.
2. Authentication tab: Tick MS-CHAP v2.
3. Advanced tab: Add Ignore-User-Dialin-Properties = True and also Termination-Action = RADIUS-Request.
On the Access Point:
Use an access point that supports EAP/PEAP and 802.1X authentication (e.g. a D-Link DWL-2100AP). Set up a DHCP reservation for it so that it is always on the same IP address.
Change the authentication mode to WPA-EAP.
Put in the IP address of the RADIUS server (the server you installed IAS on).
Put in the RADIUS server port numbers and the shared secret (make one up at this stage).
Remember to save and restart the AP to make sure the settings have stuck.
Back to IAS:
Add a new RADIUS client. Put in the IP address of your new AP and also the shared secret you came up with above.
Group Policy Setup:
Load up the group policy manager. Find the appropriate OU that you wish to distribute the wireless network settings to.
Create and link a new GPO here (by right clicking on it and choosing the obvious option). Then right click on the new GPO and click edit.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network.
From here, right click in the right-hand window and click "Create Wireless Network Policy".
1. Give the wireless network policy a name.
2. Select "Access point (infrastructure) networks only".
Once this is created edit the properties as follows:
1. Put the SSID of the wireless network into the "Network Name" box. Do not use any punctuation such as "-", "_" or "/".
2. In the Wireless Network Key box, set "Network Authentication" to WPA with TKIP encryption.
On the IEEE 802.1X tab:
1. Set EAPOL-Start message to "Transmit".
2. In the parameters section you want: Max Start = 3, Start Period = 10, Held Period = 10, Authentication Period = 10.
3. Make sure that "Authenticate as computer when computer information is available" is ticked. Also make sure that the computer authentication option is set to "With User Re-Authentication".
4. Make sure that EAP Type is set to Protected EAP. Click the Settings button and make sure that "Validate server certificate" is ticked, that your CA (the one you created above) is in the list of "Trusted Root Certification Authorities", that Fast Reconnect is enabled and that "Secured password (EAP-MSCHAP v2)" is the selected authentication method. Click "Configure" and make sure that "Automatically use my Windows logon name and password" is ticked.
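To make the four 802.1X timer values above less abstract, here is a small Python model of the IEEE 802.1X-2001 supplicant timers written for this page (it is an added illustration, not code from the original post or from Windows; the function names, the simplified state transitions and the sample scenarios are my own assumptions):

```python
# Simplified model (written for this page; not Windows code) of the
# IEEE 802.1X-2001 supplicant PAE timers set in the GPO step above.
MAX_START = 3        # EAPOL-Start frames sent before giving up on the authenticator
START_PERIOD = 10    # seconds between successive EAPOL-Start frames
HELD_PERIOD = 10     # seconds spent in HELD after an EAP-Failure
AUTH_PERIOD = 10     # seconds to wait for the authenticator mid-exchange


def supplicant_timeline(answered_start=None, outcome="success",
                        max_start=MAX_START, start_period=START_PERIOD,
                        held_period=HELD_PERIOD, auth_period=AUTH_PERIOD):
    """Return [(seconds, event), ...] for one supplicant connection attempt.

    answered_start: 1-based index of the EAPOL-Start that the authenticator
                    answers with EAP-Request/Identity, or None if it never does.
    outcome: what happens once the EAP exchange has started:
             "success" -> EAP-Success, "failure" -> EAP-Failure then HELD,
             "stalled" -> the authenticator goes quiet and authPeriod expires.
    """
    log, t = [], 0
    for n in range(1, max_start + 1):
        log.append((t, f"tx EAPOL-Start #{n}"))
        if answered_start == n:
            log.append((t, "rx EAP-Request/Identity -> AUTHENTICATING"))
            if outcome == "success":
                log.append((t, "rx EAP-Success -> AUTHENTICATED"))
            elif outcome == "failure":
                log.append((t, "rx EAP-Failure -> HELD"))
                t += held_period
                log.append((t, "heldPeriod expired -> CONNECTING (retry)"))
            else:
                t += auth_period
                log.append((t, "authPeriod expired -> CONNECTING (retry)"))
            return log
        t += start_period
    # No reply to any EAPOL-Start: the 2001 state machine assumes there is
    # no authenticator on the link and stops sending EAPOL-Start frames.
    log.append((t, "maxStart reached, no authenticator heard -> stop retrying"))
    return log


def seconds_until(log, keyword):
    """Time of the first event whose description contains keyword, else None."""
    return next((t for t, what in log if keyword in what), None)


if __name__ == "__main__":
    for t, what in supplicant_timeline(answered_start=2, outcome="failure"):
        print(f"t={t:>3}s  {what}")
```

With the page's values a client that hears nothing back stops after 30 seconds, and a rejected client waits 10 seconds before trying again, which is the behaviour you see on a laptop whose account is not in the WirelessUsers group.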
Setup is now complete.