Re: Wireless AP wants Radius Server, advice?

From: Stuart Mackie [MCP, MSP] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 01/12/05


Date: Wed, 12 Jan 2005 17:24:34 -0000

No problem. I'll watch this topic so if you have any problems or aren't
sure of something please post back and I'll try and help.

--
Stuart Mackie [MCP, MSP]
www.stu.uk.com
"Gary V." <GaryV@discussions.microsoft.com> wrote in message 
news:65D6CD13-91A6-4150-B7E1-754E4D487D2F@microsoft.com...
> Very Cool! Thanks for all your help and direction pointing. Now I got lots
> to read on my lunch break.
>
> "Stuart Mackie [MCP, MSP]" wrote:
>
>> Hi Gary, no problem, if everyone knew everything it wouldn't be any fun :)
>>
>> EAP-PEAP, EAP-TLS, EAP-TTLS all provide secure authentication between the
>> client and server.  PEAP and TTLS are the best two options of the three.
>> TLS transmits parts of the authentication in clear text making it
>> vulnerable.  PEAP and TTLS were both developed to resolve this problem by
>> first creating an encrypted tunnel before any communications take place.
>> Radius accommodates the various authentication protocols.
>>
>> EAP-PEAP and EAP-TTLS require your server to have a Certificate which is
>> installed on each client.  It is optional whether you install a certificate
>> on each client.  EAP-TLS requires both the client and server to have
>> certificates.  The links below (the O'Reilly link should have most of the
>> information you need) cover the various authentication types and explain
>> their differences.
>>
>> Personally I would use EAP-PEAP or EAP-TTLS with a Server Certificate,
>> avoid TLS.  The second link on my last email
>> (http://wireless.dweezle.org/Docs/IAS2003config.pdf) includes configuring
>> PEAP as part of the test lab environment.
>>
>>
>> O'Reilly Explanation of the three above protocols :
>> http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
>>
>> iLabs Comparison (very similar to O'Reilly)
>> http://www.ilabs.interop.net/WLANSec/TTLS-PEAP-lv03.pdf
>>
>> Microsoft Document explaining Authentication Protocols
>> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcg_cnd_pysl.asp
>>
>> Cisco Presentation (Very basic information)
>> http://www.cisco.com/application/pdf/en/us/guest/products/ps430/c1161/ccmigration_09186a00800fb7db.pdf
>>
>>
>> --
>> Hth,
>> Stuart Mackie [MCP, MSP]
>> www.stu.uk.com
>>
>>
>> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
>> news:870A398C-E304-495D-B279-A45B1B439C83@microsoft.com...
>> > You know that is a very good question, and brings to light that I have
>> > no idea! Now that is a bad thing for the admin to say. What would you
>> > suggest? I thought that is what the IAS/Radius server did? Or are you
>> > talking about the auth between the terminals and AP? But I honestly
>> > don't know, someone please help. Thanks for your help. I'll read both
>> > links. Thanks.
>> >
>> > "Stuart Mackie [MCP, MSP]" wrote:
>> >
>> >> Hi Gary.  Yes you can use IAS for Radius, and as you've said it would
>> >> be more efficient to use IAS since you wouldn't have to reproduce all
>> >> your user accounts on the Dlink AP.  The first link below has a basic
>> >> run through of configuring IAS as a Radius Server for Wireless clients.
>> >> The second link is an MS document which has a full explanation on
>> >> creating a secure wireless environment using ISA on Win2k3 (test lab
>> >> example) [second link is best]
>> >>
>> >> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_depl_wap.asp
>> >>
>> >> http://wireless.dweezle.org/Docs/IAS2003config.pdf
>> >>
>> >>
>> >> What are you planning on using for authentication e.g. PEAP, EAP-TTLS
>> >> etc?
>> >>
>> >> --
>> >> Hth,
>> >> Stuart Mackie [MCP, MSP]
>> >> www.stu.uk.com
>> >>
>> >>
>> >> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
>> >> news:90F32484-7E94-417B-A6DE-A35CDE50134D@microsoft.com...
>> >> > Got some questions. Our SBS 2003 server is in our warehouse. I'm
>> >> > putting some wireless AP in the rafters to cover the warehouse and
>> >> > some mobile terminals. Reading through the AP's manual they recommend
>> >> > for the best security, WPA with Radius CCMP (AES) and TKIP. The AP
>> >> > (Dlink DWL-2210AP) has an onboard Radius server but that would
>> >> > require me to add users to the AP, I don't want to have to do that.
>> >> > However you can also specify the ip address of your Radius server.
>> >> > My question, does/is SBS 2003 Prem a Radius server? Does IAS (Not
>> >> > ISA) count as a Radius server? There is also a WPA-PSK that is the
>> >> > 2nd recommendation for security on the wireless network, but they
>> >> > recommend using the built in Radius server over the PSK option.
>> >> > Thanks for any input or any setups that you all have used for
>> >> > security on a wireless network.
>> >> >
>> >> > PS. I would rather have it all be wired but they do want the
>> >> > mobility
>> >> >
>> >> > Thanks Gary V.
>> >>
>> >>
>> >>
>> >>
>>
>>
>> 
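
An added example, not part of the thread or of any poster's setup: the AP relays each client's EAP conversation to the RADIUS server (IAS here) inside EAP-Message attributes, so a captured RADIUS packet shows which method (PEAP, EAP-TTLS or EAP-TLS) a client is actually negotiating. The function names and both sample packets are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute that carries EAP packets (RFC 3579)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def radius_attributes(packet):
    """Yield (type, value) for every attribute, validating each length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def eap_method(packet):
    """Return (EAP code, EAP method) carried by a RADIUS packet, or None."""
    # An EAP packet longer than 253 bytes is split over several EAP-Message
    # attributes; concatenating them in order restores it.
    eap = b"".join(v for t, v in radius_attributes(packet) if t == EAP_MESSAGE)
    if not eap:
        return None
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, elen = struct.unpack("!BBH", eap[:4])
    if not 4 <= elen <= len(eap):
        raise ValueError("bad EAP length field")
    if code not in (1, 2) or elen < 5:  # Success/Failure carry no type byte
        return EAP_CODES.get(code, "code %d" % code), None
    return EAP_CODES[code], EAP_TYPES.get(eap[4], "type %d" % eap[4])

def build_radius(code, attrs):
    """Constructed sample packets only: zeroed authenticator, no integrity attribute."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Access-Challenge (11) starting PEAP, and an
# Access-Request (1) whose 305-byte EAP-TLS response spans two attributes.
PEAP_START = build_radius(11, [(EAP_MESSAGE, struct.pack("!BBHBB", 1, 7, 6, 25, 0x20))])
tls = struct.pack("!BBHB", 2, 8, 305, 13) + bytes(300)
TLS_RESPONSE = build_radius(1, [(1, b"user"), (EAP_MESSAGE, tls[:253]), (EAP_MESSAGE, tls[253:])])

if __name__ == "__main__":
    for name, pkt in (("challenge", PEAP_START), ("request", TLS_RESPONSE)):
        print(name, eap_method(pkt))
```
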

