Step Secure Wireless Acc
This guide describes how to configure secure wireless access using IEEE 802.1X
authentication using Protected Extensible Authentication Protocol with Microsoft
Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in a test lab using
a wireless access point (AP) and four computers.
Step-by-Step Guide for Setting Up Secure
Wireless Access in a Test Lab
Microsoft Corporation
Published: April, 2005
Author: Microsoft Corporation
Abstract
This guide describes how to configure secure wireless access using IEEE 802.1X
authentication using Protected Extensible Authentication Protocol with Microsoft
Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in a test lab using
a wireless access point (AP) and four computers. Of the four computers, one is a
wireless client; one is a domain controller that is also a certification authority (CA),
Dynamic Host Configuration Protocol (DHCP) server, and Domain Name System (DNS)
server; one is a Web and file server; and one is an Internet Authentication Service (IAS)
server that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab........................1
Abstract.......................................................................................................................1
Contents.............................................................................................................................4
Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab........................5
PEAP-MS-CHAP v2 Authentication................................................................................5
Before You Begin.....................................................................................................6
DC1.............................................................................................................................7
IAS1...........................................................................................................................28
IIS1............................................................................................................................38
Wireless AP...............................................................................................................39
CLIENT1....................................................................................................................40
EAP-TLS Authentication...............................................................................................45
DC1...........................................................................................................................45
IAS1...........................................................................................................................53
CLIENT1....................................................................................................................58
Summary......................................................................................................................61
See Also........................................................................................................................61
5
Step-by-Step Guide for Setting Up Secure
Wireless Access in a Test Lab
This guide provides detailed information about how you can use four computers and a
wireless access point (AP) to create a test lab with which to configure and test secure
wireless access with the Microsoft® Windows® XP Professional with Service Pack 2
(SP2) and the 32-bit versions of the Windows Server™ 2003 with Service Pack 1 (SP1)
operating systems. The instructions in this guide are designed to take you step-by-step
through the configuration required for Protected Extensible Authentication Protocol with
Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)
authentication, then through the steps required for EAP-TLS authentication.
Note:
The following instructions are for configuring a test lab using a minimum number
of computers. Individual computers are needed to separate the services provided
on the network and to clearly show the desired functionality. This configuration is
neither designed to reflect best practices nor is it designed to reflect a desired or
recommended configuration for a production network. For more information
about deploying secure wireless, see the Microsoft Wi-Fi Web site.
PEAP-MS-CHAP v2 Authentication
The infrastructure for the wireless test lab network consists of four computers performing
the following roles:
• A computer running Microsoft Windows Server 2003 with Service Pack 1 (SP1),
Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name
System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a
certification authority (CA).
• A computer running Microsoft Windows Server 2003 with SP1, Standard Edition,
named IAS1 that is acting as a Remote Authentication Dial-In User Service (RADIUS)
server.
• A computer running Windows Server 2003 with SP1, Standard Edition, named
IIS1 that is acting as a Web and file server.
• A computer running Windows XP Professional with SP2 named CLIENT1 that is
acting as a wireless client.
6
Before You Begin
Installing the Windows Server 2003 with SP1 operating system on each of the servers in
this test lab also installs Windows Firewall, which is turned off by default. After the IAS
and IIS servers are configured, you will turn on and configure Windows Firewall
exceptions allowing for communication between the computers on the network. On the
domain controller, Windows Firewall should stay off. On each of the client computers,
Windows Firewall is turned on automatically when you install Windows XP Professional
with SP2. Windows Firewall will remain turned on for each of the client computers.
Additionally, make sure there is a wireless AP that provides connectivity to the Ethernet
intranet network segment for the wireless client. The firewall for the wireless AP is
controlled by the manufacturer's software. For this test lab, do not turn on the firewall on
the wireless AP.
Important:
Before configuring the test lab, make sure that you have downloaded the most
recent drivers for the wireless adapter on CLIENT1 to ensure that the adapter
performs correctly while running under Windows XP Professional with SP2.
The following figure shows the configuration of the wireless test lab.
The wireless test lab represents a network segment on a corporate intranet. All
computers on the corporate intranet, including the wireless AP, are connected to a
7
common hub or Layer 2 switch. Private addresses of 172.16.0.0/24 are used on the
intranet network segment.
IIS1 and CLIENT1 obtain their IP address configuration using DHCP. The following
sections describe how to configure each of the test lab components. To create this test
lab, configure the computers in the order presented.
DC1
DC1 is a computer running Windows Server 2003 with SP1, Enterprise Edition, that is
performing the following roles:
• A domain controller for the example.com domain
• A DNS server for the example.com DNS domain
• A DHCP server for the intranet network segment
• The enterprise root CA for the example.com domain
Note:
Windows Server 2003 with SP1, Enterprise Edition, is used so that
autoenrollment of user and workstation certificates for EAP-TLS authentication
can be configured. This is described in the "EAP-TLS Authentication" section of
this guide. Certificate autoenrollment and autorenewal make it easier to deploy
certificates and improve security by automatically expiring and renewing
certificates.
To configure DC1 for these services, perform the following steps.
Perform basic installation and configuration
1. Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone
server.
2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the
subnet mask of 255.255.255.0.
Configure the computer as a domain controller
1. To start the Active Directory Installation Wizard, click Start, click Run, type
dcpromo.exe, and then click OK.
2. In the Welcome to the Active Directory Installation Wizard dialog box, click
Next.
8
3. In the Operating System Compatibility dialog box, click Next.
4. Verify that Domain controller for a new domain option is selected, and then
click Next.
5. Verify that Domain in a new forest is selected, and then click Next.
6. Verify that No, just install and configure DNS on this computer is selected,
and then click Next.
7. On the New Domain Name page, type example.com, and then click Next.
8. On the NetBIOS Domain Name, confirm that the Domain NetBIOS name is
EXAMPLE, and then click Next.
9. Accept the default Database and Log Folders directories as shown in the
following figure, and then click Next.
10. In the Shared System Volume dialog box, as shown in the following figure,
verify that the default folder location is correct. Click Next.
9
11. On the Permissions page, verify that the Permissions compatible only with
Windows 2000 or Windows Server 2003 operating systems check box is
selected, as shown in the following figure. Click Next.
10
12. On the Directory Services Restore Mode Administration Password page,
leave the password boxes blank, and then click Next.
13. Review the information on the Summary page, and then click Next.
11
14. On the Completing the Active Directory Installation Wizard page, click
Finish.
15. When prompted to restart the computer, click Restart Now.
Raise the domain functional level
1. Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder, and then right-click the domain computer
dc1.example.com.
2. Click Raise Domain Functional Level, and then select Windows Server
2003 on the Raise Domain Functional Level page. This is shown in the
following figure.
12
3. Click Raise, click OK, and then click OK again.
Install and configure DHCP
1. Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services
component by using Add or Remove Programs in Control Panel.
2. Open the DHCP snap-in from the Administrative Tools folder, and then
highlight the DHCP server, dc1.example.com.
3. Click Action, and then click Authorize to authorize the DHCP service.
4. In the console tree, right-click dc1.example.com, and then click New Scope.
5. On the Welcome page of the New Scope Wizard, click Next.
6. On the Scope Name page, type CorpNet in Name. This is shown in the
following figure.
13
7. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP
address, type 172.16.0.100 in End IP address, and type 24 in Length. This is
shown in the following figure.
14
8. Click Next. On the Add Exclusions page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Yes, I want to configure these
options now. This is shown in the following figure.
15
11. Click Next. On the Router (Default Gateway) page, click Next.
12. On the Domain Name and DNS Servers page, type example.com in Parent
domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the
following figure.
16
13. Click Next. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Yes, I want to activate this scope now.
This is shown in the following figure.
17
15. Click Next. On the Completing the New Scope Wizard page, click Finish.
Install Certificate Services
1. In Control Panel, open Add or Remove Programs, and then click
Add/Remove Windows Components.
2. In the Windows Components Wizard page, select Certificate Services, and
then click Next.
3. On the CA Type page, select Enterprise root CA. This is shown in the following
figure.
18
4. Click Next. Type Example CA in the Common name for this CA box, and then
click Next. Accept the defaults on the Certificate Database Settings page. This is
shown in the following figure.
19
5. Click Next. Upon completion of the installation, click Finish.
6. Click OK after reading the warning about installing IIS.
Verify Administrator permissions for certificates
1. Click Start, click Administrative Tools, and then click Certification
Authority.
2. Right-click Example CA, and then click Properties.
3. On the Security tab, click Administrators in the Group or user names list.
4. In the Permissions for Administrators list, verify that the following options
have been set to Allow: Issue and Manage Certificates, Manage CA, Request
Certificates.
If any of these are set to Deny or are not selected, set the permission to Allow,
as shown in the following example.
20
5. Click OK to close the Example CA Properties dialog box, and then close
Certification Authority.
Add computers to the domain
1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, expand example.com.
3. Right-click Users, click New, and then click Computer.
4. In the New Object – Computer dialog box, type IAS1 in Computer name.
This is shown in the following figure.
