Re: 802.1x wireless lan how to?


Hi Owen - that's interesting about the logging. I'm working on a 2-week old
clean install of SBS 2003 SP1 (swing migration from older hardware). I
installed IAS, and the first two logging options were enabled by default.
It's logging Accounting Requests and Authentication Requests. I never
thought about logging until I started troubleshooting that the laptop
couldn't connect, and I was happy to see that it was on because it verified
that the AP was getting past RADIUS auth. I wonder if it's enabled because
IAS was installed on a box with ISA - there's an "ISA Server Default Policy"
installed in IAS that I can't imagine would be there without ISA, so
apparently the IAS installer knows it's on there.

As for RPC, I turned the strict compliance back on in the protected networks
rule. Auto enrollment failed on a laptop that just got included in the
wireless GPO. Turned it back off in the protected networks rule, and auto
enrollment then worked. So it does apparently need to be disabled in both
places, even with the patch. What I'm not sure about is the need for the
patch, but most of the ISA community seems to be strongly pro-SP2, so people
are going to have the patch either way.

RADIUS: I have RADIUS authentication configured in ISA for VPN. Although
it could use IAS, it's using Cryptocard installed on a member server. We
use 2-factor authentication for RADIUS, with Cryptocard Smart Card tokens.
I configured ISA for this using the simple instructions from Cryptocard -
it's actually pretty obvious - so I'm using IAS for wireless and Cryptocard
for 2-factor remote access authentication. I never stopped to think about
using Cryptocard for wireless, but anyway I don't want local users of domain
PCs to have to use a Smart Card, so the certificate way is better in this
case. ISA didn't have to be configured for anything with IAS/wireless.
(I'm running IAS and ISA both on the SBS and Cryptocard on the member
server. Cryptocard can run fine on the SBS if you don't do AD integration,
which IMO is not necessary in a small business).

I went with your advice about the group policy, and just applied it to the
whole SBS Computers OU. I have a Test OU that I use for trying things out,
and I don't want it applied there, so I didn't do it domain wide. I avoid
that as a rule anyway for most things. I'll probably want to learn the
security filtering anyway at some point, but I just migrated two servers and
added/upgraded just about all the apps, so if I don't get off computer
projects pretty soon my boss is going to be upset.

I'm not sure ISA is a dealbreaker, especially for Premium users who have not
upgraded. So far, it seems easier and more intuitive than ISA 2000. It's
just configuration tweaking - this RPC thing, I had an issue where it would
not allow MOM agents to work normally, etc. It's a lot more involved in LAN
traffic than 2K was, which is what's taking me some getting used to. For
example, I was amazed that it blocked MOM on the internal NIC. (For all you
MOM on SBS users, there's a setting in system policy to make it work
normally). It's been out for long enough that there's plenty of good how-to
and troubleshooting help available.

That web site works fine for the documents. If you're looking for wider
exposure, I can ask some of the MVPs if they're interested in putting it on
their web sites.


"Owen Williams" <Owen@xxxxxxxxxxxxxxxxxx> wrote in message
news:MPG.1e7f49b8b8d4e202989735@xxxxxxxxxxxxxxxxxxxxx
Dave:

Here is what I have found so far. This is based on my virtual SBS2003
SP1 with ISA2004 SP2 (so I did not need to separately apply KB897716).

RE: I think Owen's paper is incorrect and IAS logging is enabled by
default.

IAS was not installed on the virtual SBS. After I installed it I opened
the IAS MMC, clicked Remote Access Logging and right-clicked Local File.
On the Settings tab, none of the three check-boxes were checked.

Conclusion: I think my original statement is correct and IAS (remote
access) logging is not enabled by default.

FYI, IAS Help mentions three types of logging: [1] Event logging for
IAS, [2] Logging user authentication and accounting requests, and [3]
SQL Server database logging.

#1 *is* enabled by default; what is logged is determined by a Registry
setting. IAS Help says "It is used primarily for auditing and
troubleshooting connection attempts."

#2 (described in my docs) is not enabled by default, but it's trivial to
turn on and provides useful information about what devices are using the
wireless LAN.

#3 logs the same info as #2 but requires more work to set up - probably
not needed for SBS customers, although I completely understand how it
would be useful for an enterprise.

RE: Here's what I did with ISA ... First, I cleared the strict RPC check
box in the system policy ... I turned off strict RPC in the protected
networks policy ...

I found both of these. Should not be a problem getting screen shots.

RE: It's possible that it's not necessary to turn off RPC in the
protected networks policy.

Now that you have applied KB897716, have you tried re-enabling strict
RPC and testing whether certificate auto-enrollment still works? I ask
because since I'm only running ISA with a virtual SBS, it's difficult
for me to test that. Before I update my docs, it would be helpful to
know whether strict RPC *must* be disabled or whether *only* KB897716 or
SP2 is required. It obviously works when you do both, but I wouldn't
want to specify lowering an ISA security setting unless it's really
required. (As you said, "I'm not sure whether or not there are security
implications around strict RPC compliance.")

RADIUS: Something you didn't bring up. While I was exploring ISA2004, I
found two places specifically referencing a RADIUS server. First, under
Configuration | General | <right pane> Additional Security Policy, you
can Define RADIUS Servers. (The definition works similarly to
configuring a WAP to use RADIUS, and IAS can define ISA as a RADIUS
client, using the SBS internal IP address and a Shared Secret.) Second,
under <server> | Firewall Policy, if you right-click Firewall Policy and
select View | Show System Policy Rules, additional rules are displayed.
System Policy Rule #5 says "Allow RADIUS authentication from ISA Server
to trusted RADIUS servers." It appears the RADIUS stuff is mostly
intended to support authentication with VPNs. I was just wondering
whether you had to do anything with these to get the WAP to communicate
with IAS for RADIUS authentication. (Perhaps it is a moot point when
IAS and ISA run on the same server - just a guess.)

FINALLY: I take it you did all of this with ISA2004. Do you have any
idea whether ISA2000 causes any issues?

Thanks for working with me on this!!

-- Owen Williams
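Both messages above turn on the RADIUS client definition (ISA or the WAP registered in IAS with the SBS internal IP address and a Shared Secret). The following is an added example, not code from either poster or from IAS/ISA, showing what that shared secret actually does on the wire per RFC 2865: the client hides the User-Password with it, and the server stamps every Access-Accept/Reject with a Response Authenticator derived from it, so a reply from a box that does not hold the same secret fails verification. The secret, user database, identifier and NAS address are constructed values; this goes beyond the thread's specific case by carrying the full request/reply exchange for both sides.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def build_packet(code, identifier, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(raw):
    """Walk the attribute TLVs; reject lengths that would overrun the packet."""
    attrs, pos = [], 0
    while pos < len(raw):
        t, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, raw[pos + 2:pos + length]))
        pos += length
    return attrs


def encrypt_user_password(password, request_authenticator, secret):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(encrypted, request_authenticator, secret):
    """Inverse of encrypt_user_password; the chain value is the previous ciphertext block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, request_authenticator, username, password, secret):
    """Client side (WAP or ISA as RADIUS client). NAS-IP-Address is a constructed value."""
    attrs = [
        (USER_NAME, username),
        (USER_PASSWORD, encrypt_user_password(password, request_authenticator, secret)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ]
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def server_reply(request, secret, user_db):
    """Server side (IAS). Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(parse_attributes(request[20:]))
    user = attrs.get(USER_NAME, b"")
    password = decrypt_user_password(attrs.get(USER_PASSWORD, b""), req_auth, secret)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"Welcome" if ok else b"Access denied")]
    unsigned = build_packet(rcode, identifier, req_auth, reply_attrs)
    return build_packet(rcode, identifier, hashlib.md5(unsigned + secret).digest(), reply_attrs)


def verify_reply(reply, identifier, request_authenticator, secret):
    """Client side: recompute the Response Authenticator and match the identifier before trusting the verdict."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != identifier or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    """Constructed exchange: good secret on both sides, then a server with the wrong secret."""
    secret, users = b"constructed-shared-secret", {b"alice": b"s3cret"}
    req_auth = bytes(range(16))  # would be 16 random bytes in a real client
    request = build_access_request(7, req_auth, b"alice", b"s3cret", secret)
    good = server_reply(request, secret, users)
    bad = server_reply(request, b"some-other-secret", users)
    return {
        "accepted": good[0] == ACCESS_ACCEPT and verify_reply(good, 7, req_auth, secret),
        "wrong_secret_rejected": bad[0] == ACCESS_REJECT and not verify_reply(bad, 7, req_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the IAS/ISA setup discussed above: a mismatched shared secret does not produce an error message, it produces a mangled password on the server (so an Access-Reject) and an authenticator the client cannot verify, which is exactly the symptom the thread was chasing in the IAS logs.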
