Re: Wireless AP wants Radius Server, advice?
From: Gary V. (GaryV_at_discussions.microsoft.com)
Date: 01/12/05
Date: Wed, 12 Jan 2005 07:57:07 -0800
Very Cool! Thanks for all your help and direction pointing. Now I got lots to
read on my lunch break.
"Stuart Mackie [MCP, MSP]" wrote:
> Hi Gary, no problem, if everyone knew everything it wouldn't be any fun :)
>
> EAP-PEAP, EAP-TLS, EAP-TTLS all provide secure authentication between the
> client and server. PEAP and TTLS are the best two options of the three.
> TLS transmits parts of the authentication in clear text making it
> vulnerable. PEAP and TTLS were both developed to resolve this problem by
> first creating an encrypted tunnel before any communications take place.
> Radius accommodates the various authentication protocols.
>
> EAP-PEAP and EAP-TTLS require your server to have a Certificate which is
> installed on each client. It is optional whether you install a certificate
> on each client. EAP-TLS requires both the client and server to have
> certificates. The links below (the O'Reilly link should have most of the
> information you need) cover the various authentication types and explain
> their differences.
>
> Personally I would use EAP-PEAP or EAP-TTLS with a Server Certificate, avoid
> TLS. The second link on my last email
> (http://wireless.dweezle.org/Docs/IAS2003config.pdf) includes configuring
> PEAP as part of the test lab environment.
>
>
> O'Reilly Explanation of the three above protocols :
> http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
>
> iLabs Comparison (very similar to O'Reilly)
> http://www.ilabs.interop.net/WLANSec/TTLS-PEAP-lv03.pdf
>
> Microsoft Document explaining Authentication Protocols
> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcg_cnd_pysl.asp
>
> Cisco Presentation (Very basic information)
> http://www.cisco.com/application/pdf/en/us/guest/products/ps430/c1161/ccmigration_09186a00800fb7db.pdf
>
>
> --
> Hth,
> Stuart Mackie [MCP, MSP]
> www.stu.uk.com
>
>
> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
> news:870A398C-E304-495D-B279-A45B1B439C83@microsoft.com...
> > You know that is a very good question, and brings to light that I have no
> > idea! Now that is a bad thing for the admin to say. What would you suggest? I
> > thought that is what the IAS/Radius server did? Or are you talking about the
> > auth between the terminals and AP? But I honestly don't know, someone please
> > help. Thanks for your help. I'll read both links. Thanks.
> >
> > "Stuart Mackie [MCP, MSP]" wrote:
> >
> >> Hi Gary. Yes you can use IAS for Radius, and as you've said it would be
> >> more efficient to use IAS since you wouldn't have to reproduce all your
> >> users' accounts on the Dlink AP. The first link below has a basic run
> >> through of configuring IAS as a Radius Server for Wireless clients. The
> >> second link is an MS document which has a full explanation on creating a
> >> secure wireless environment using ISA on Win2k3 (test lab example)
> >> [second link is best]
> >>
> >> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_depl_wap.asp
> >>
> >> http://wireless.dweezle.org/Docs/IAS2003config.pdf
> >>
> >>
> >> What are you planning on using for authentication e.g. PEAP, EAP-TTLS etc?
> >>
> >> --
> >> Hth,
> >> Stuart Mackie [MCP, MSP]
> >> www.stu.uk.com
> >>
> >>
> >> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
> >> news:90F32484-7E94-417B-A6DE-A35CDE50134D@microsoft.com...
> >> > Got some questions. Our SBS 2003 server is in our warehouse. I'm putting
> >> > some wireless AP in the rafters to cover the warehouse and some mobile
> >> > terminals. Reading through the AP's manual they recommend for the best
> >> > security, WPA with Radius CCMP (AES) and TKIP. The AP (Dlink DWL-2210AP)
> >> > has an onboard Radius server but that would require me to add users to
> >> > the AP, I don't want to have to do that. However you can also specify the
> >> > ip address of your Radius server. My question, does/is SBS 2003 Prem a
> >> > Radius server? Does IAS (Not ISA) count as a Radius server? There is also
> >> > a WPA-PSK that is the 2nd recommendation for security on the wireless
> >> > network, but they recommend using the built in Radius server over the PSK
> >> > option. Thanks for any input or any setups that you all have used for
> >> > security on a wireless network.
> >> >
> >> > PS. I would rather have it all be wired but they do want the mobility
> >> >
> >> > Thanks Gary V.
> >>
> >>
> >>
> >>
>
>
>