Re: Dummies Guide for RADIUS/Certs



nesdog <nesdog@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:EFA5E640-E34E-4310-9565-0D949154564D@xxxxxxxxxxxxx:

I've got a wireless network with up to 25 APs in place using Free
Radius. We used the MAC address as the username/password so it's
pretty tight.

I'd like to switch to MSFT's implementation of RADIUS. I've got a
stack of white papers and theory. It appears that PEAP/TLS is the way
to go but after bleary eyes and tons of reading, I still feel
completely like an idiot! I have set up IAS. I can see how to create
groups from AD as part of the access policies. I want to set up our
own CA as we have no budget (being non-profit). I don't quite get
what/how to use the templates.

So, is there a step by step dummies guide to setting up certs and the
accompanying RADIUS? I saw one regarding wired networks. This is truly
making me feel insane!

Thanks :)

Sheldon



Hi Sheldon --

There is no "dummies" type of guide, because setting up EAP-TLS or PEAP-TLS
and a public key infrastructure is not a trivial operation.

For an overview of deploying certificates and understanding how to use them
with IAS, I can recommend two documents:

-- The Help topic "Network access authentication and certificates." This
provides minimum certificate requirements and how domain membership of
client computers impacts certificate enrollment.

-- And this is the key whitepaper that will help you deploy the solution:
"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

This is a security note you should be aware of:

When you deploy both PEAP and EAP unprotected by PEAP, do not use the same
EAP authentication type with and without PEAP. For example, if you deploy
PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP.
Deploying authentication methods with the same type - one with and the
other without the protection of PEAP - creates a security vulnerability.

A *very* basic overview, off the top of my head, of the actions you need to
take is this:

-- Install Certificate Services.
-- Open the Certificate Templates snap-in, locate the appropriate template
(based on the recommendations in the Help topic named above), copy the
template and then modify the copy of the template with the minimum server
or client certificate requirements (as described in the Help topic).
Configure the template for autoenrollment to domain member computers.
-- If desired, configure Group Policy for domain member wireless clients so
that the correct configuration is pushed down automatically to clients when
GP is refreshed.
-- On IAS servers and client computers, refresh group policy.
-- Configure IAS remote access policy for wireless with PEAP-TLS as
authentication method, and select the server certificate you configured in
Cert Templates that is now enrolled on the IAS server. (Note: if you
configured the cert correctly, IAS will auto-select it. If you did not
configure it correctly, it will not be available for selection and you need
to reconfigure the cert and reissue it. See Certificate Services Help and
PKI info for more info).
-- Once GP is refreshed on clients, the following certs should be available
for viewing in the client's Certificates snap-in: In the Trusted Root
Certification Authorities store for the Local Computer and the Current
User, your CA cert. If the cert is there, it means that the client computer
trusts certificates issued by this CA. This means that when your IAS server
sends its cert to clients to prove its identity, the clients will trust the
IAS server because they trust the CA that issued the IAS server's cert. And
the client should have a cert issued to it by the CA too.

Note that for this deployment, your RADIUS clients (the APs) must be
compatible with RADIUS, 802.1X, and EAP.

Hope that helps.



--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
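To confirm the end state of the last two steps in the answer above (your CA cert in the Trusted Root store for both Local Computer and Current User, a cert issued by that CA with the Client Authentication purpose on clients, and one with the Server Authentication purpose on the IAS server, which is the usual reason IAS does or does not auto-select it), here is an added PowerShell check. It is not from the original thread or from Microsoft; the CA subject name is an assumption you replace with your own, and it assumes PowerShell 3 or later on a domain member.

```powershell
# Added example, not part of the original thread. $CaSubject is an assumption:
# set it to the Subject of your own enterprise CA certificate.
param([string]$CaSubject = 'CN=Example-CA, DC=example, DC=org')

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication purpose
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication purpose

# True when the certificate's Enhanced Key Usage extension lists the given OID.
function Test-Eku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Oid)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    return [bool]($ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid }))
}

# The CA cert must be present in Trusted Root for Local Computer and Current User.
function Test-TrustedRootCa {
    param([string]$Subject)
    $ok = $true
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $found = @(Get-ChildItem $store | Where-Object { $_.Subject -eq $Subject }).Count -gt 0
        Write-Host ("{0,-26} CA root present: {1}" -f $store, $found)
        $ok = $ok -and $found
    }
    return $ok
}

# A usable EAP certificate: issued by our CA, private key present, not expired,
# and carrying the purpose the role needs (Client Auth on clients, Server Auth on IAS).
function Get-EapCertificate {
    param([string]$Issuer, [string]$Eku)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -eq $Issuer -and $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and (Test-Eku -Cert $_ -Oid $Eku)
    }
}

$rootOk     = Test-TrustedRootCa -Subject $CaSubject
$clientCert = Get-EapCertificate -Issuer $CaSubject -Eku $ClientAuthEku
$serverCert = Get-EapCertificate -Issuer $CaSubject -Eku $ServerAuthEku

Write-Host "Client cert from CA with Client Authentication: $([bool]$clientCert)"
Write-Host "Server cert from CA with Server Authentication: $([bool]$serverCert) (IAS server only)"
if (-not $rootOk) {
    Write-Warning "CA cert missing from a Trusted Root store; run 'gpupdate /force' and re-check."
}
```

Run it on a client after Group Policy has refreshed, and again on the IAS server; a server cert that fails the Server Authentication or private-key test here is the one IAS will not offer for selection in the remote access policy.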


