Re: problems with RADIUS and PEAP with a WG302 WAP and a Dell laptop



TC <travelclarkie@xxxxxxxxx> wrote in
news:eIIKSevxFHA.4032@xxxxxxxxxxxxxxxxxxxx:

> Hello,
>
> So I am trying to set up Radius on a home test network. I am running
> Win2003 Server and an XP Pro Laptop. My WAP is a Netgear WG302.
>
> I'd like to use PEAP with MSCHAPv2 at the strongest level of security.
>
> I have the WG302 pointing to the 2003 Box which has IAS on it for all
> Radius Functions. I have a very simple rule in place.
>
> The rule pretty much says. You need to be in a certain group within the
> domain and must be using MSCHAPv2 or MSCHAPv2 CPW (what is MSChapv2
> CPW?). You need to be coming from a wireless device (either 802.11 or
> other wireless).
>
> I also edited the profile. Saying this rule only counts for Wireless
> connections. Encryption will only be 128 bit and that authentication
> will be MSCHAPv2 and to allow password changes.
>
> Now, I'd like to set the WG302 to WPA with Radius.
>
> My laptop is a Dell and the WNIC is a 1450 I am using the Dell WNIC
> utility instead of the microsoft one because it works better.
>
> Right now my thinking is the problem lies with not knowing what
> settings to set with the WAP and the WNIC utility.
>
> I was hoping maybe someone might be able to help me out those settings
> so that I can move on to see if I am making some other stupid mistake.
>
> Thank you in advance.
>
> TC
>

Hi TC --

When you go into the remote access policy profile, on the Authentication
tab, you should *not* have any authentication methods selected at all --
all of the checkboxes should be cleared. If you check one of these
checkboxes, like MS-CHAP v2, you are not configuring PEAP -- you are
allowing clients to use a less secure authentication method (such as
MS-CHAP v2 without PEAP).

To configure PEAP, click on the "EAP Methods" button.

Then in the Select EAP Providers dialog box, click the Add button and
select "Protected EAP (PEAP)" and click OK. Next, configure the certificate
the server is going to use by clicking Edit. You can then pick the
Certificate issued, and enable Fast Reconnect if you want to (although it
doesn't sound like you need this). You will note that by default, at the
bottom of the "Edit Protected EAP Properties" dialog box, the EAP type is
Secured password (EAP-MSCHAP v2).

You can click the Edit button to review or change the number of
authentication retries or to alter whether the client can change password
after password expiration.

Obviously, in order to configure the server certificate for PEAP, you must
have a properly configured server cert. You can find info on this in the
product Help and on the Web:

Help topic "Network access authentication and certificates" in Windows
Server 2003 IAS or VPN Help, or on the web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx.

"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
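
An added example, not part of the original posts: the reply says PEAP needs "a properly configured server cert", and this PowerShell sketch audits the RADIUS server's Local Computer "Personal" store for that. Assumptions: PowerShell is available on the server (it is not part of a default Windows Server 2003 install), and the checks are the commonly documented PEAP server-certificate requirements (private key, validity period, non-blank Subject, Server Authentication EKU, trusted chain), which the thread itself does not list.

```powershell
# Added example (not from the thread): audit Local Computer "Personal" store
# certificates against commonly documented PEAP server-certificate requirements.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $problems = @()

    # The RADIUS server must hold the private key to complete the TLS handshake.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }

    # A certificate with a blank Subject is not usable for PEAP server authentication.
    if ([string]::IsNullOrEmpty($cert.Subject)) { $problems += 'blank Subject' }

    # Look for the Server Authentication purpose in the EKU extension.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $serverAuthOid) {
        $problems += 'Server Authentication EKU not present'
    }

    # The chain must build to a root this machine trusts.
    # Revocation checking is skipped so the audit also runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) { $problems += 'chain does not build to a trusted root' }

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        PassesChecks = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
} | Format-List Subject, Thumbprint, NotAfter, PassesChecks, Problems
```

The chain check reflects the server's own trust store; each wireless client must also trust the issuing CA before it can validate the server during the PEAP handshake.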