Re: Wireless AP wants Radius Server, advice?
From: Gary V. (GaryV_at_discussions.microsoft.com)
Date: 01/13/05
Date: Thu, 13 Jan 2005 08:05:04 -0800
THANK YOU! Check out Stuart with the big brain! This really helps. I didn't
know about a wireless network but now no problem. Thanks again for your help
and thanks to everyone that posts help to this newsgroup.
Gary V.
"Stuart Mackie [MCP, MSP]" wrote:
> Hi. Answers in-line.
>
> > 1st thanks! I read the Windows Server 2003 wireless test lab guide. Simple
> > enough, I could walk through the server, ap, and client part then that would
> > secure the wireless network, both client to server and client to ap?
>
> Yes that is correct. Unless you have any specific additional requirements,
> the Test Lab guide will get you up and running.
>
> > Also SBS is based on server 03 std, does all the ias and cert install mess
> > with anything with the wizards and SBS stuff?
>
> The addition of the Certificate Authority and IAS will not affect any of the
> SBS Wizards. There are some policies included in IAS after installation
> which may have been created because its SBS and not just Win2k3. But you
> won't have any problems with any of these, and similarly with the SBS
> Wizards.
>
> > I would also expect I would enable WPA and not WEP?
>
> Yes, definitely use WPA and not WEP because of the security issues.
> WPA2/802.11i implementation if possible.
>
> > In the setup with PEAP, does the windows domain logon take care of
> > the wireless authentication? I don't want the end user to have to logon
> > twice.
>
> Yes. You can configure this in the client network settings so that when the
> user logs on as normal this is all done through the wireless connection,
> everything is the same as wired. This also means if you were using Roaming
> Profiles etc they all work just like a wired connection. The only
> consideration here is whether DLink provide their own Wireless Client
> configuration software. Some manufacturers provide their own software which
> is used instead of the Windows equivalent Wireless software. In terms of
> logging onto the domain, some 3rd party software will handle the wireless
> settings for making a wireless connection, but will not support domain
> logon. If this is the case then you will have to make sure Windows handles
> the wireless network settings rather than the 3rd party software otherwise
> logon to the domain will not work.
>
> > What about WPA2 if the ap can upgrade firmware to support it does that
> > affect the server setup or is that an ap to client security measure?
>
> If your AP and client adapters support WPA2 (IEEE Name is 802.11i) then that
> would be the better choice. The configuration would be no different than
> the Test Lab since as you say WPA or WPA2 is between the client and the AP.
> I've had a quick look at the current spec and firmware of your 2200AP and it
> doesn't seem as though it is officially supported, but it looks as though
> they have taken a similar course to other Wireless manufacturers. They
> appear to have included a WPA with TKIP/AES implementation which based on
> other manufacturers such as Cisco is a pre-release implementation of the
> 802.11i standard. If this is the case a firmware update should eventually
> appear with official support. Your best configuration at the minute will be
> 128 or 152bit WPA with TKIP/AES and PEAP or TTLS using IAS Radius.
>
> > One last one for now, I don't want the end users to have to pick what
> > wireless network to connect to, can I configure it so if the wireless
> > network is there it just connects just like being plugged into a wired lan?
>
> Yes. This can be configured on the client network settings.
>
> > For background info the wireless clients are going to be in our warehouse
> > running a pricing application I have made for them. They are touch monitor
> > driven and therefore do not have keyboards or mice. So the users don't have
> > to know anything at all about computers or logins, they just touch a price
> > and out pops the tag. I'm having the puter auto login on bootup into a very
> > tightly secured user profile.
> >
> > Thanks again for all your time and help.
>
> No problem, glad to help.
>
> --
> Stuart Mackie [MCP, MSP]
> www.stu.uk.com
>
>
>
> > "Stuart Mackie [MCP, MSP]" wrote:
> >
> >> I'll watch this topic so if you have any problems or aren't
> >> sure of something please post back and I'll try and help.
> >>
> >> --
> >> Stuart Mackie [MCP, MSP]
> >> www.stu.uk.com
> >>
> >>
> >> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
> >> news:65D6CD13-91A6-4150-B7E1-754E4D487D2F@microsoft.com...
> >> > Very Cool! Thanks for all your help and direction pointing. Now I got
> >> > lots to read on my lunch break.
> >> >
> >> > "Stuart Mackie [MCP, MSP]" wrote:
> >> >
> >> >> Hi Gary, no problem, if everyone knew everything it wouldn't be any fun :)
> >> >>
> >> >> EAP-PEAP, EAP-TLS, EAP-TTLS all provide secure authentication between the
> >> >> client and server. PEAP and TTLS are the best two options of the three.
> >> >> TLS transmits parts of the authentication in clear text making it
> >> >> vulnerable. PEAP and TTLS were both developed to resolve this problem by
> >> >> first creating an encrypted tunnel before any communications take place.
> >> >> Radius accommodates the various authentication protocols.
> >> >>
> >> >> EAP-PEAP and EAP-TTLS require your server to have a Certificate which is
> >> >> installed on each client. It is optional whether you install a certificate
> >> >> on each client. EAP-TLS requires both the client and server to have
> >> >> certificates. The links below (the O'Reilly link should have most of the
> >> >> information you need) cover the various authentication types and explain
> >> >> their differences.
> >> >>
> >> >> Personally I would use EAP-PEAP or EAP-TTLS with a Server Certificate, avoid
> >> >> TLS. The second link on my last email
> >> >> (http://wireless.dweezle.org/Docs/IAS2003config.pdf) includes configuring
> >> >> PEAP as part of the test lab environment.
> >> >>
> >> >>
> >> >> O'Reilly Explanation of the three above protocols :
> >> >> http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
> >> >>
> >> >> iLabs Comparison (very similar to O'Reilly)
> >> >> http://www.ilabs.interop.net/WLANSec/TTLS-PEAP-lv03.pdf
> >> >>
> >> >> Microsoft Document explaining Authentication Protocols
> >> >> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcg_cnd_pysl.asp
> >> >>
> >> >> Cisco Presentation (Very basic information)
> >> >> http://www.cisco.com/application/pdf/en/us/guest/products/ps430/c1161/ccmigration_09186a00800fb7db.pdf
> >> >>
> >> >>
> >> >> --
> >> >> Hth,
> >> >> Stuart Mackie [MCP, MSP]
> >> >> www.stu.uk.com
> >> >>
> >> >>
> >> >> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
> >> >> news:870A398C-E304-495D-B279-A45B1B439C83@microsoft.com...
> >> >> > You know that is a very good question, and brings to light that I have
> >> >> > no idea! Now that is a bad thing for the admin to say. What would you
> >> >> > suggest? I thought that is what the IAS/Radius server did? or are you
> >> >> > talking about the auth between the terminals and AP? But I honestly
> >> >> > don't know, someone please help. Thanks for your help. I'll read both
> >> >> > links. Thanks.
> >> >> >
> >> >> > "Stuart Mackie [MCP, MSP]" wrote:
> >> >> >
> >> >> >> Hi Gary. Yes you can use IAS for Radius, and as you've said it would
> >> >> >> be more efficient to use IAS since you wouldn't have to reproduce all
> >> >> >> your users accounts on the Dlink AP. The first link below has a basic
> >> >> >> run through of configuring IAS as a Radius Server for Wireless
> >> >> >> clients. The second link is an MS document which has a full
> >> >> >> explanation on creating a secure wireless environment using ISA on
> >> >> >> Win2k3 (test lab example) [second link is best]
> >> >> >>
> >> >> >> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_depl_wap.asp
> >> >> >>
> >> >> >> http://wireless.dweezle.org/Docs/IAS2003config.pdf
> >> >> >>
> >> >> >>
> >> >> >> What are you planning on using for authentication e.g. PEAP, EAP-TTLS
> >> >> >> etc?
> >> >> >>
> >> >> >> --
> >> >> >> Hth,
> >> >> >> Stuart Mackie [MCP, MSP]
> >> >> >> www.stu.uk.com
> >> >> >>
> >> >> >>
> >> >> >> "Gary V." <GaryV@discussions.microsoft.com> wrote in message
> >> >> >> news:90F32484-7E94-417B-A6DE-A35CDE50134D@microsoft.com...
> >> >> >> > Got some questions. Our SBS 2003 server is in our warehouse. I'm
> >> >> >> > putting some wireless AP in the rafters to cover the warehouse and
> >> >> >> > some mobile terminals. Reading through the AP's manual they
> >> >> >> > recommend for the best security, WPA with Radius CCMP (AES) and
> >> >> >> > TKIP. The AP (Dlink DWL-2210AP) has an onboard Radius server but
> >> >> >> > that would require me to add users to the AP, I don't want to have
> >> >> >> > to do that. However you can also specify the ip address of your
> >> >> >> > Radius server. My question, does/is SBS 2003 Prem a Radius server?
> >> >> >> > Does IAS (Not ISA) count as a Radius server? There is also a
> >> >> >> > WPA-PSK that is the 2nd recommendation for security on the wireless
> >> >> >> > network, but they recommend using the built in Radius server over
> >> >> >> > the PSK option. Thanks for any input or any setups that you all
> >> >> >> > have used for security on a wireless network.
> >> >> >> >
> >> >> >> > PS. I would rather have it all be wired but they do want the
> >> >> >> > mobility
> >> >> >> >
> >> >> >> > Thanks Gary V.
>
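
Added example, not part of the original thread: a small Python check that reads the EAP packets of one authentication exchange and reports which EAP method the client ended up using, so an administrator can confirm that stations really negotiate PEAP or EAP-TTLS as recommended in the thread. It assumes the EAP packets have already been extracted from the RADIUS EAP-Message attributes; the function names and the sample bytes are constructed for illustration.

```python
import struct

# EAP method numbers from the IANA EAP registry; codes from RFC 3748.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TUNNELLED = {"PEAP", "EAP-TTLS"}  # the two methods the thread recommends

def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet header: code, identifier, length, type."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "method": None, "nak_wants": []}
    if code in (1, 2):  # only Request and Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        t = packet[4]
        info["method"] = EAP_TYPES.get(t, f"type {t}")
        if t == 3:  # Nak: payload lists the methods the client would accept
            info["nak_wants"] = [EAP_TYPES.get(b, f"type {b}")
                                 for b in packet[5:length]]
    return info

def audit_exchange(packets) -> tuple:
    """Return (method the client finally answered with, is it PEAP/TTLS?)."""
    method = None
    for raw in packets:
        p = parse_eap(raw)
        if p["code"] == "Response" and p["method"] not in ("Identity", "Nak"):
            method = p["method"]
    return method, method in TUNNELLED

# Constructed sample exchange (headers only, no real TLS payload).
SAMPLE = [bytes.fromhex(h) for h in (
    "0101000501",          # Request  Identity
    "020100090167617279",  # Response Identity "gary"
    "010200060400",        # Request  MD5-Challenge
    "020200060319",        # Response Nak, wants type 25 (PEAP)
    "010300061920",        # Request  PEAP, start flag set
    "020300061900",        # Response PEAP
)]

if __name__ == "__main__":
    print(audit_exchange(SAMPLE))
```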