Secure Wireless Networking with IAS and RADIUS
by Chris Sanders
Perhaps the biggest drawback to using wireless networks in a corporate environment is concern about security. The last thing any network admin wants is someone who is not part of the company sniffing out sensitive documents and passwords from the comfort of the parking lot. If you have read anything about wireless security at all, I am sure you have heard mention of WEP encryption. Although this is a viable solution for small office/home office (SOHO) and personal wireless networks, it really just doesn't cut it in a large-scale environment. This being the case, what is a systems administrator to do?
Microsoft's answer to corporate wireless security is the use of RADIUS authentication through its Internet Authentication Service (IAS) product. IAS is included as a part of Windows Server 2003 and works in conjunction with Active Directory so that the authentication clients can be managed through remote access policies. In this article we'll walk through the process of creating a secure wireless infrastructure based on Active Directory and Microsoft IAS.
Before getting started, take a moment to examine Figure 1, which provides an overall view of how RADIUS authentication works.
Figure 1. Microsoft's solution to wireless security involves a lot of steps, but it's well worth it.
Configuring a RADIUS Client
The first thing to do is configure your RADIUS clients. Keep in mind that there's a difference between RADIUS clients and wireless clients. A wireless client is a computer that will be connecting to a wireless network; a RADIUS client is an access point that connects to a RADIUS (or IAS, in our case) server.
Each model of access point is configured differently, so the way you configure each to be a RADIUS client differs. Generally, though, you will look under the access point's security settings to make sure it is enabled for WPA mode security with TKIP encryption, and that it is configured with a RADIUS server IP address that points to the computer on which you have IAS installed. Lastly, you will need to enter a "shared secret," which essentially serves as a password allowing the RADIUS client to interact with IAS. It is best to use something very long and complex for this so that it is not cracked easily. Figure 2 shows a Linksys access point being configured as a RADIUS client.
Figure 2. Configuring a Linksys Access Point as a RADIUS client
Repeat this process for every access point on your network so that they are able to register as RADIUS clients.
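What the shared secret does on the wire, as an added example that is not from the original article: under RFC 2865 the server computes each reply's Response Authenticator as an MD5 hash over the reply, the request's authenticator and the shared secret, so an access point accepts only replies from a server that knows the same secret. The secret, packet ID and Reply-Message text below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2    # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18   # RADIUS attribute type (RFC 2865)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 sec. 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: reply bound to this request and to the shared secret."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, ident, request_auth, secret):
    """Access point side: accept only a reply computed with our secret."""
    if len(packet) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets past Length are padding and ignored
    expected = response_authenticator(code, rid, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    """Return (genuine accepted, wrong-secret accepted, tampered accepted)."""
    secret = b"constructed-sample-secret-7Qx!42vLm9#eT"  # constructed value
    request_auth = os.urandom(16)  # Request Authenticator the AP sent
    text = b"welcome"
    attrs = bytes([REPLY_MESSAGE, 2 + len(text)]) + text
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    rogue = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, b"other-secret")
    tampered = good[:-1] + b"X"  # attribute changed in transit
    return tuple(verify_response(p, 7, request_auth, secret)
                 for p in (good, rogue, tampered))

if __name__ == "__main__":
    print(demo())
```

Because the secret is the only input to that hash that is not sent in the packet, its length and randomness are what the integrity of every reply rests on.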
Installing and Configuring IAS
Now that you have RADIUS clients looking for a server to authenticate to, we can get IAS up and running. IAS, included as part of Windows Server 2003, ensures that only trusted access points can be placed on your network for wireless clients to connect to. It's quite simple to install. Go to the Add/Remove Programs applet in the Control Panel, select "Windows Components," browse to "Networking Services," click "Details," and place a check in the box next to "Internet Authentication Service" as shown in Figure 3. Finally, click OK and IAS will install onto the computer.
Figure 3. Installing IAS onto a computer