Re: 802.1X Setup using Server 03 and Aironet 1200 Series WAP help



On Aug 22, 2:15 pm, "James McIllece [MS]"
<james...@xxxxxxxxxxxxxxxxxxxx> wrote:
CoolerThenZero <sja...@xxxxxxxxxxx> wrote in news:6eb94097-2357-40cd-8408-021cf3f3e8ee@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:





On Aug 21, 3:13 pm, "James McIllece [MS]"
<james...@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi there --

WPA is recommended over WEP, that's correct.

IMO these two guides are the ones to follow to deploy wireless with
WS03:

"Enterprise Deployment of Secure 802.11 Networks Using Microsoft
Windows"
at http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211...

"Step-by-Step Guide for Secure Wireless Deployment for Small
Office/Home Office or Small Organization Networks"
at http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en

These two guides were actually written by the wireless writers of the
Windows Server documentation team.

CoolerThenZero <sja...@xxxxxxxxxxx> wrote
in news:2c013166-d5c6-4786-898b-b0979fb20...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:

On Aug 21, 2:54 pm, CoolerThenZero <sja...@xxxxxxxxxxx> wrote:
Hello all,

I'd really appreciate some direction as I tried to setup a Cisco
1242 Series WAP as a Radius Client with 802.1x authentication on a
Windows Server 2003 R2 DC running IAS/RADIUS, DNS, DHCP.

Scenario:

I have 2 machines running Windows XP Pro SP2 and a Windows Tablet
portable that I need to authenticate to a Windows Server 2003 R2
DC (This is the only server in the infrastructure) via a Cisco
Aironet 1242AG Wireless Access Point.  These 2 tablet PC’s will
need to access resources on the server.  The Cisco Aironet WAP
does support Radius authentication.  There are also some wired
PC’s on the network that will communicate directly via the
switched network.  The Aironet is also plugged into the switched
network.

 It seemed that we were getting close to authenticating via IAS
but just would not connect to the Cisco Wireless Access point.  At
one time IAS was logging an error message but even the IAS errors
disappeared after a while, leading me to believe that the
communication between the wireless client and IAS just was not
there anymore.

Steps I took following Microsoft's 170 page pdf and a Cisco post
which showed he got it working:

 I went the Securing WLANS with PEAP-MSCHAPV2 route after reading
most of the 170 pg Microsoft pdf located at the link below.

http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-982...

1.  The wireless clients were hardwired and promoted to the domain
first so that the computer accounts were generated.

2. A Global security group called WLAN Access was created in AD.

3. The user accounts and machine accounts were added to this
group.

4. The user accounts had their Active Directory Dial-In user
Property set to Allow Access.

5.  The Windows Server 2003 server was added to the RAS and IAS
Server group in AD.

Microsoft provided an msi package filled with scripts along with
the document above that automated a lot of the process.  Although
the Microsoft Document was based on WEP, it highly advised against
going the WPA route if the clients supported WPA which they did.

6. I installed the CA successfully using the script, setup the CA
for an IAS certificate template successfully using the script, and
also linked up an IAS server Certificated enrollment GPO to the
domain successfully using their script.

 At this point, I did not use any more of their automated scripts
as I was going to setup the Wireless clients manually since there
were only two of them.  At least I hope I didn't have to as I
understood that when going the PEAP route, the server is the only
machine that requires a certificate.

7. On the Windows 2003 R2 Standard Ed Server, I added the Cisco
1242 Aironet WAP as a Radius Client and provided the Shared Key.

8. Consoled into the Cisco Aironet 1242 WAP and configured the
SSID, the Radius Server's IP, the shared secret, etc.  Config for
both the Cisco 1200 Aironet:

http://tekchicago.com/Aironet1242_IASTrouble.htm

I created an HTML page here
http://tekchicago.com/Aironet1242_IASTrouble.htm
with most of my configuration except for the Wireless Client
Setup. Since there were only two Wireless clients that needed to
authenticate, I understood that I can set the Wireless clients
manually.  I believe they had automatically picked up that it was
an 802.1x setup and pre-configured itself.

Questions:

Has anybody setup 802.1x using a Cisco Aironet 1200 series and
Windows server 2003 before and got it to work?  If so,
pleaaaaaaaaaaaaassssssse provide some documentation.

Since there are only two machines, should I follow the rest of
Microsoft's documentation and push out the wireless client
settings using a GPO?

Based on my configs and needs, how should the wireless clients be
setup?

I'll be checking this post throughout the day and will appreciate
any expertise or previous experience.  Thanks a lot!

Best Regards,

CoolerThenZero

sorry guys, I made a typo in the paragraph below.

Microsoft provided an msi package filled with scripts along with
the document above that automated a lot of the process.  Although
the Microsoft Document was based on WEP, it highly advised against
going the WPA route if the clients supported WPA which they did.

in line 3 of this paragraph I meant to say, it highly advised
going the WPA route NOT against going the WPA route

Thanks.

--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.

Hello James,

Thanks for your input.  WPA is the way to go.  Now that you're referring
me to a different like, are you saying that the 170 pg Microsoft Guide
that I followed along with their Securing Tools and Scripts located
here at

http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

are bogus.  Please advise.  Thanks!

No, of course they aren't bogus; I am not speaking against that guide, I am
just saying that I am familiar with the people who wrote the guides I
recommended and that I know the guides work, because I've used them and
I've recommended them to others who deployed the technology successfully
using the guides. And I know that the authors of the guides I recommended
were or are on the Windows Server UA team (as I am), which is the primary
reliable source for documentation for Windows Server technologies.

Our content for Windows Server is here:

http://technet.microsoft.com/en-us/library/bb625087.aspx

--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.

Sounds good. Thanks for clarifying. I read through the reference
document that you provided "Deployment of Protected 802.11 Networks
Using Microsoft Windows" and the one I personally went on from
Microsoft called "Securing WLANS using PEAP and Passwords" (this is
the one provided with scripts to automate the setup of the IAS CA,
GPO's, etc.).

In the "Deployment of Protected 802.11 Networks Using Microsoft
Windows" documentation http://technet.microsoft.com/en-us/library/bb457068(printer).aspx
it says that for PEAP-MSCHAP V2 to obtain a certificate from a third
party such as VeriSign. However the "Securing WLANS using PEAP and
Passwords" document claimed that for PEAP-MSCHAP V2 you could setup
the root CA yourself provided with their scripts which I did and did
work.

Since you have used them, is it true that if I'm going the PEAP-MSCHAP
V2 route that I DO NOT have to obtain a third party certificate and it
should work with the CA and IAS setup that the scripts provided for
me.