Setting up a wireless network with Windows Server 2003 and PEAP/EAP.

PEAP with IAS is a great way to set up wireless networks that require:

a) Their security to be top notch.
b) Lots of access points (more than 10 or so).
c) Minimal administrative maintenance overhead.

It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.

Managing your APs in IAS as RADIUS clients makes it very simple to change your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most pre-shared key WPA setups). You don't need to worry about keeping WPA keys up to date, as the encryption keys are generated dynamically each time a client connects.

Below I have detailed the steps that I take when setting one of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks) but most of the steps are fairly self-explanatory.

Install IAS from the Add/Remove Windows Components area in the control panel.

Install Certificate Services from the Windows Components area in the control panel.

When prompted you want to install an “Enterprise Root CA”.

Load up the “Certificates” plugin for mmc and then submit a request for a new domain controller certificate.

Create a group in Active Directory called “WirelessUsers”.

Inside the administrative tools section load up the IAS plugin and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard, which is reasonably intuitive; when prompted for access restrictions, allow only computers and users that are members of the “Wireless Users” group you created previously. Also make sure that when prompted for the authentication method you select EAP/PEAP.

Then right-click on the policy you just created and go to “Properties”. Then click on the “Edit Profile” button and make the following changes:

1. Encryption tab: Make sure “No Encryption” is not ticked.
2. Authentication tab: Tick MS-CHAP v2.
3. Advanced tab: Add Ignore-User-Dialin-Properties = True and also Termination-Action = RADIUS-Request.

On the Access Point:

Use an access point that supports EAP/PEAP and 802.1X authentication (e.g. a D-Link DWL-2100AP). Set up a DHCP reservation for it so that it is always on the same IP address (IAS identifies the RADIUS client by that address).

Change the authentication mode to be WPA-EAP.
Put in the IP address of the RADIUS server (the server you installed IAS on).
Put in the RADIUS server port numbers and the shared secret (make one up at this stage).
Remember to save/restart the AP to make sure the settings have stuck.

Back to IAS:

Add a new RADIUS client. Put in the IP address of your new AP and also the shared secret you came up with above.
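The shared secret entered on the AP and in the IAS RADIUS client entry is what binds the two together, so it is worth seeing what it actually does on the wire. The following is an added Python example (not part of the original post, and not code from IAS or any AP vendor) that models the two RFC 2865/2869 integrity checks that depend on it: the Message-Authenticator HMAC on the AP's Access-Request, which IAS requires on EAP requests, and the Response Authenticator on the server's reply. Every packet field, user name, NAS address and secret in it is a constructed placeholder.

```python
"""Added example (not part of the original post, and not code from IAS or any
AP vendor): a minimal model of the two RADIUS integrity checks that rely on
the shared secret configured on the AP and in the IAS RADIUS client entry.

  * Message-Authenticator (RFC 2869 / RFC 3579): HMAC-MD5 over the whole
    Access-Request, keyed with the secret. Required on EAP requests, so an
    AP with the wrong secret is rejected before any EAP exchange starts.
  * Response Authenticator (RFC 2865): MD5(Code|ID|Length|RequestAuth|
    Attributes|Secret) in the reply, so the AP can tell a genuine
    Access-Accept from one sent by something that lacks the secret.

All packet contents, names and secrets below are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, ident, request_auth, attrs):
    """Build an Access-Request and fill in its Message-Authenticator.

    The HMAC is computed with the attribute's 16-byte value zeroed, then the
    real digest is written into the packet.
    """
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, digest)


def verify_message_authenticator(secret, packet):
    """Return True only if the packet's Message-Authenticator matches secret."""
    header, attrs = packet[:20], packet[20:]
    found, zeroed, pos = None, b"", 0
    while pos < len(attrs):
        length = attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False  # malformed attribute list
        chunk = attrs[pos:pos + length]
        if attrs[pos] == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            found = chunk[2:]
            chunk = chunk[:2] + bytes(16)  # value is zeroed for the HMAC
        zeroed += chunk
        pos += length
    if found is None:
        return False  # EAP requests without the attribute are rejected
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(found, expected)


def build_response(secret, code, ident, request_auth, attrs):
    """Build a reply whose Response Authenticator is bound to the request and secret."""
    prefix = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(prefix + request_auth + attrs + secret).digest()
    return prefix + response_auth + attrs


def verify_response(secret, request_auth, packet):
    """Return True only if the reply was produced by a party holding secret."""
    prefix, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(prefix + request_auth + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def demo():
    """Exercise the checks with constructed values; returns the outcomes."""
    secret = b"placeholder-shared-secret"   # constructed, not a real secret
    request_auth = os.urandom(16)           # fresh per request, as an AP would do
    attrs = (attr(ATTR_USER_NAME, b"EXAMPLE\\wireless.user")
             + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 10])))
    request = build_access_request(secret, 7, request_auth, attrs)

    # A request altered in transit (first byte of the user name flipped).
    tampered = bytearray(request)
    tampered[22] ^= 0xFF

    genuine = build_response(secret, ACCESS_ACCEPT, 7, request_auth, b"")
    forged = build_response(b"guessed-secret", ACCESS_ACCEPT, 7, request_auth, b"")

    return {
        "request_ok": verify_message_authenticator(secret, request),
        "request_wrong_secret": verify_message_authenticator(b"guessed-secret", request),
        "request_tampered": verify_message_authenticator(secret, bytes(tampered)),
        "accept_ok": verify_response(secret, request_auth, genuine),
        "accept_forged": verify_response(secret, request_auth, forged),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Both checks are keyed only by the secret, and MD5 is the cheap primitive RADIUS specifies, so the strength of the binding between AP and server comes entirely from the secret's length and randomness; a long random string is the cheap way to get that.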

Group Policy Setup:

Load up the group policy manager. Find the appropriate OU that you wish to distribute the wireless network settings to.

Create and link a new GPO here (right-click the OU and choose “Create and Link a GPO Here”). Then right-click on the new GPO and click Edit.

Go to Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network.

From here, right-click in the right-hand pane and click “Create Wireless Network Policy”.

1. Give the wireless network policy a name.
2. Select Access Point (infrastructure) networks only.

Once this is created edit the properties as follows:

1. Put the SSID of the wireless network into the “Network Name” box. Do not use any punctuation such as -, _ or /.
2. In the Wireless Network Key box, set “Network Authentication” to WPA with TKIP encryption.

On the IEEE 802.1X tab:

1. Set EAPOL start message to “Transmit”.
2. In the parameters section you want to have: Max Start = 3, Start Period = 10, Held Period = 10, Authentication Period = 10.
3. Make sure that “Authenticate as computer when computer information is available” is ticked. Also make sure that the computer authentication option is set to “With User Re-Authentication”.
4. Make sure that EAP Type is set to Protected EAP. Click the Settings button and make sure that:

a) “Validate server certificate” is ticked, and that your CA (the one you created above) is in the list of “Trusted Root Certification Authorities”. This is what stops clients from handing their credentials to an access point backed by a RADIUS server you do not control.
b) Fast Reconnect is enabled.
c) “Secured password (EAP-MSCHAP v2)” is the selected authentication method; click “Configure” and make sure that automatically using your Windows logon name and password is ticked.

Setup is now complete.