Re: RADIUS server setup
- From: "Andrew H" <ajhpms@xxxxxxxxxxx>
- Date: Mon, 7 Nov 2005 12:48:09 +0200
Hi Owen
Thanks for taking the time to respond to my queries.
I'm still playing around with the wireless configuration, so I'll continue
to experiment with the issues I discussed. The PPC issue is of personal
interest, since I'd like to get the most out of my own device.
In the meantime, however, your article was extremely helpful, so thanks
again.
Regards
Andrew
"Owen Williams" <Owen@xxxxxxxxxxxxxxxxxx> wrote in message
news:MPG.1dd4414e5e66c78e9896bb@xxxxxxxxxxxxxxxxxxxxx
> Andrew:
>
> RE: My compliments on a professional presentation, in both the Word and
> PowerPoint formats. I hope you can make them available to the broader
> community.
>
> Thanks for your kind words. The documents were posted on the
> Washington, DC (USA) SBS Users' Group SharePoint site in June and quite
> a few people (>100) have gotten them from that site. Unfortunately, my
> understanding is that the site has been experiencing technical problems
> for a while, which is why I e-mailed the docs to you.
>
> RE: How would you incorporate Windows Mobile and other non-PC devices
> into the system? In particular, since the mobiles won't use the new
> Group Policy, how would you get the new certificates installed in
> addition to the ones the CEICW creates?
>
> It is important to understand that this methodology will NOT solve ALL
> RADIUS / wireless issues. My purpose was to document a prescriptive,
> step-by-step technique targeted at a common scenario: (full) Windows
> computers using wireless to connect to an SBS server. The methodology
> may also serve as a starting point for other types of connectivity, such
> as what you are asking about. I welcome improvements and additions to
> what I have written!
>
> With that understanding ...
>
> [1] If the device does not support certificates, this method won't work.
> You might want to try EAP-MSCHAPv2 instead of EAP-TLS as the former does
> not require certificates. There are negatives to this approach, which
> are documented in the PowerPoint deck.
>
> This is one instance where using multiple SSIDs might make sense,
> either via a single WAP that supports multiple SSIDs or by using two (or
> more) WAPs. You would then set up two different Remote Access Policies,
> one as shown requiring a certificate and the other using MSCHAPv2.
> Devices which don't support certificates would use the latter SSID to
> connect, and the wireless config for that SSID would have to be set up
> on the device manually since, as you point out, it does not support
> GPOs.
>
> If you take this approach, keep in mind that your security is only as
> good as the weakest link. An attacker could try to use the SSID
> configured for MSCHAPv2 authentication, which, in my opinion, opens a
> hole when compared with staying strictly with certificates.
>
> [2] It is my [very limited] understanding that Windows Mobile 5 will
> support certificates, although it may still not support GPOs. In this
> case, a certificate could be manually deployed to the device, probably
> using the device's version of Internet Explorer and browsing to http://
> <sbsserver>/certsrv. The wireless configuration on the device could
> also be set up manually. After that, it should work the same as a PC.
> However, this is largely speculation on my part: I have not tried it, so
> I don't know for sure.
>
> RE: I know some people recommend installing wireless APs on the external
> segment ( i.e. attached to the external NIC in a two-NIC configuration,
> along with the Internet router), so that wireless users may use the
> Internet without going through the SBS, while requiring them to use a
> VPN to connect to the SBS. Can your system incorporate a WAP on the
> external LAN? If ISA is installed, what firewall rules are required for
> the RADIUS server (IAS) and client (WAP) to exchange data? In ISA
> 2004, must VPN authentication be configured to use the RADIUS server?
>
> The key driver behind the configuration I document is to make it as
> similar as possible to a secure wired LAN. It does not support
> unauthenticated use of an Internet connection. (I have had some
> discussions with several folks about providing Internet access to
> wireless visitors / guests and needed to emphasize the problem the
> configuration is intended to solve: wired equivalency). In this
> context, adding a VPN requirement to connect to SBS is not equivalent:
> it adds another "hoop" for the user to jump through. There is also the
> issue that the external NIC / segment is not the same (from an SBS and
> LAN perspective) as the internal segment. For example, the SBS DHCP
> server does not hand out IP addresses to devices connected to the
> external NIC. So, the configuration specifies the WAP be connected to
> the internal NIC / segment.
>
> One might also ask: If you are using a VPN connection which is
> sufficiently secure to allow connection to the SBS from the external
> segment, is there any incremental value of the configuration I document?
> The VPN is already authenticated and encrypted, so even an open,
> unencrypted wireless connection should not be a security risk.
>
> Again, with that understanding ...
>
> I am not an ISA expert and I have not talked to anyone who has actually
> tried this on an external segment. I would GUESS that ISA needs to be
> configured to pass (at minimum) port 1812, the RADIUS port. ISA
> probably does not require a VPN configuration to support RADIUS /
> wireless security, but as I said, I am not an expert here and I have not
> tried it.
>
> You might consider using two independent WAPs set to two different
> SSIDs: one on the internal segment for secure SBS connectivity and one
> on the external segment for unsecured Internet access.
>
> I hope this helped. I am very interested in feedback which will expand
> the applicability of the methodology I document.
>
> Thanks,
>
> -- Owen
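The exchange Owen is describing between the WAP (the RADIUS client) and IAS (the RADIUS server) is what ISA would have to pass on UDP 1812. The following is an added example, not code from this thread, from IAS or from Owen's documents; it shows the RADIUS framing and authenticators from RFC 2865 and RFC 2869 on both sides of that exchange, and why the shared secret configured on the WAP and in IAS is what authenticates those packets, so a WAP on a less trusted segment is only as good as that secret. The user name, NAS address, identifier and secret are constructed values, and the EAP-Message attributes of a real EAP-TLS or EAP-MSCHAPv2 exchange are left out to keep the focus on the packet authentication.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
RADIUS_AUTH_PORT = 1812  # UDP; the port a firewall between WAP and IAS must pass


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting any length that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_access_request(ident, user_name, nas_ip, secret):
    """WAP side: Access-Request with a random Request Authenticator and an
    HMAC-MD5 Message-Authenticator keyed with the shared secret (RFC 2869 5.14)."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user_name),
             (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]  # zeroed while the HMAC is computed
    mac = hmac.new(secret, build_packet(ACCESS_REQUEST, ident, request_auth, attrs),
                   hashlib.md5).digest()
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def verify_message_authenticator(pkt, secret):
    """IAS side: recompute the HMAC with the attribute zeroed.
    False if the attribute is absent, the secret differs, or any byte was altered."""
    code, ident, auth, attrs = parse_packet(pkt)
    received, zeroed = None, []
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = value
            value = bytes(16)
        zeroed.append((attr_type, value))
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, build_packet(code, ident, auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request, secret, attrs=()):
    """IAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response, request, secret):
    """WAP side: return the response code only if it answers our request under our secret, else None."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, resp_auth, attrs = parse_packet(response)
    if ident != req_ident:
        return None
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return code if hmac.compare_digest(resp_auth, expected) else None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real deployment uses a long random secret
    req = build_access_request(7, b"andrew", "192.168.16.2", secret)  # constructed NAS address
    print("IAS accepts the request's Message-Authenticator:", verify_message_authenticator(req, secret))
    resp = build_response(ACCESS_ACCEPT, req, secret)
    print("WAP sees response code:", verify_response(resp, req, secret))
    print("WAP sees response code with the wrong secret:", verify_response(resp, req, b"wrong"))
```

Everything IAS trusts about the WAP, and everything the WAP trusts about the Accept it receives, rests on the MD5/HMAC-MD5 values keyed with that one shared secret; the EAP-TLS certificate exchange authenticates the user, not the WAP. That is the practical reason to keep the WAP on the internal segment, or at least to restrict 1812 on ISA to the WAP's address, rather than relying on the RADIUS secret alone.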