Re: 802.1X Setup using Server 03 and Aironet 1200 Series WAP help



On Aug 21, 3:13 pm, "James McIllece [MS]"
<james...@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi there --

WPA is recommended over WEP, that's correct.

IMO these two guides are the ones to follow to deploy wireless with WS03:

"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.....

"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks" at
http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en

These two guides were actually written by the wireless writers of the
Windows Server documentation team.

CoolerThenZero <sja...@xxxxxxxxxxx> wrote in news:2c013166-d5c6-4786-898b-b0979fb20501@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:

On Aug 21, 2:54 pm, CoolerThenZero <sja...@xxxxxxxxxxx> wrote:
Hello all,

I'd really appreciate some direction as I tried to setup a Cisco 1242
Series WAP as a Radius Client with 802.1x authentication on a Windows
Server 2003 R2 DC running IAS/RADIUS, DNS, DHCP.

Scenario:

I have 2 machines running Windows XP Pro SP2 and a Windows Tablet
portable that I need to authenticate to a Windows Server 2003 R2 DC
(This is the only server in the infrastructure) via a Cisco Aironet
1242AG Wireless Access Point.  These 2 tablet PCs will need to access
resources on the server.  The Cisco Aironet WAP does support Radius
authentication.  There are also some wired PCs on the network that
will communicate directly via the switched network.  The Aironet is
also plugged into the switched network.

 It seemed that we were getting close to authenticating via IAS but
just would not connect to the Cisco Wireless Access point.  At one
time IAS was logging an error message but even the IAS errors
disappeared after a while, leading me to believe that the
communication between the wireless client and IAS just was not there
anymore.

Steps I took following Microsoft's 170 page pdf and a Cisco post
which showed he got it working:

 I went the Securing WLANS with PEAP-MSCHAPV2 route after reading
most of the 170 pg Microsoft pdf located at the link below.

http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-982.....

1.  The wireless clients were hardwired and promoted to the domain
first so that the computer accounts were generated.

2. A Global security group called WLAN Access was created in AD.

3. The user accounts and machine accounts were added to this group.

4. The user accounts had their Active Directory Dial-In user Property
set to Allow Access.

5.  The Windows Server 2003 server was added to the RAS and IAS
Server group in AD.

Microsoft provided an msi package filled with scripts along with the
document above that automated a lot of the process.  Although the
Microsoft Document was based on WEP, it highly advised against going
the WPA route if the clients supported WPA which they did.

6. I installed the CA successfully using the script, setup the CA for
an IAS certificate template successfully using the script, and also
linked up an IAS server Certificate enrollment GPO to the domain
successfully using their script.

 At this point, I did not use any more of their automated scripts as
I was going to setup the Wireless clients manually since there were
only two of them.  At least I hope I didn't have to as I understood
that when going the PEAP route, the server is the only machine that
requires a certificate.

7. On the Windows 2003 R2 Standard Ed Server, I added the Cisco 1242
Aironet WAP as a Radius Client and provided the Shared Key.

8. Consoled into the Cisco Aironet 1242 WAP and configured the SSID,
the Radius Server's IP, the shared secret, etc.  Config for both the
Cisco 1200 Aironet:

http://tekchicago.com/Aironet1242_IASTrouble.htm

I created an HTML page here
http://tekchicago.com/Aironet1242_IASTrouble.htm
with most of my configuration except for the Wireless Client Setup.
Since there were only two Wireless clients that needed to
authenticate, I understood that I can set the Wireless clients
manually.  I believe they had automatically picked up that it was an
802.1x setup and pre-configured itself.

Questions:

Has anybody setup 802.1x using a Cisco Aironet 1200 series and
Windows server 2003 before and got it to work?  If so,
pleaaaaaaaaaaaaassssssse provide some documentation.

Since there are only two machines, should I follow the rest of
Microsoft's documentation and push out the wireless client settings
using a GPO?

Based on my configs and needs, how should the wireless clients be
setup?

I'll be checking this post throughout the day and will appreciate any
expertise or previous experience.  Thanks a lot!

Best Regards,

CoolerThenZero

Sorry guys, I made a typo in the paragraph below.

Microsoft provided an msi package filled with scripts along with the
document above that automated a lot of the process.  Although the
Microsoft Document was based on WEP, it highly advised against going
the WPA route if the clients supported WPA which they did.

In line 3 of this paragraph I meant to say, it highly advised going
the WPA route, NOT against going the WPA route.

Thanks.

--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Hello James,

Thanks for your input. WPA is the way to go. Now that you're referring
me to a different link, are you saying that the 170 pg Microsoft Guide
that I followed along with their Securing Tools and Scripts located
here at

http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

are bogus? Please advise. Thanks!
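
An added example, not part of the thread and not the poster's linked configuration: a minimal Aironet IOS fragment for the access-point side of step 8 (SSID, RADIUS server IP, shared secret), using WPA key management and handing 802.1X authentication to IAS. The SSID name, the 192.0.2.10 server address, the `rad_eap` and `eap_methods` names, and the shared-secret placeholder are assumptions.

```cisco
! Constructed sample values throughout; replace before use.
aaa new-model
!
! RADIUS server group pointing at the IAS server (assumed 192.0.2.10).
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Method list the SSID uses for EAP authentication.
aaa authentication login eap_methods group rad_eap
!
dot11 ssid EXAMPLE-WLAN
 ! Open authentication with EAP is what Windows PEAP-MSCHAPv2 clients use.
 authentication open eap eap_methods
 ! WPA key management; without this line the SSID is not doing WPA.
 authentication key-management wpa
!
interface Dot11Radio0
 ! TKIP is the cipher that goes with WPA, the route chosen in the thread.
 encryption mode ciphers tkip
 ssid EXAMPLE-WLAN
!
! Shared secret must be identical to the one entered for this AP in IAS.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
```

The server address and key on this side have to match the RADIUS client entry created in IAS in step 7, and the AP's own IP has to be the one registered there.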
