802.1X Wireless Test Setup

Don Berry Microsoft Corporation Phone 425.936.8418 Microsoft One Microsoft Way [email protected] Redmond, WA 98052

802.1x Wireless Test Setup

Implementing and testing of 802.1x using Microsoft Windows XP

DC DHCP DNS RRAS IIS IAS Client CA

Server

 Figure 1: Test Setup Configuration without AP

Chapter 1 Overview

Note: Please ensure that client and server computer make and model are listed on the Windows 2000 Hardware Compatibility List. http://www.microsoft.com/hcl

Creating Parent Domain

Install Windows XP Server Family: 1. Cycle through different OS versions: (srv, dtc, ent) 2. Select different file systems on install (FAT, FAT32, NTFS) Note: If you are using anything other that NTFS you must convert the file system before you promote this computer to a Domain Controller (ex. Convert c: /fs:ntfs)

Promote your computer to a Domain Controller: 1. Open a command window and type dcpromo; this will invoke the Active Directory Installation Wizard Click NEXT.

802.1X SETUP INSTRUCTIONS

2. Select: Domain Controller for new domain. Click NEXT.

2 802.1X SETUP INSTRUCTIONS

3. Select: Create a new domaintree. Click NEXT.

4. Select: Create a new forest of domain trees. Click NEXT.

5. Installing DNS (if required)

6. Enter the FQDN: (ex. MyDomain.nttest.Microsoft.com). Click NEXT. Note: The domains NETBIOS name will be displayed. Click NEXT.

7. The installation wizard will now prompt for an Active Directory database and log file location. Click NEXT.

8. The installation wizard will now require a Shared System Volume Location. Note: This location must be on an NTFS Partition. Click NEXT.

9. Select: Permissions compatible with pre-Windows 2000 servers. Click NEXT.

10. Enter a Directory Services Restore Mode Administrator Password. Click NEXT. Click NEXT. Click FINISH. Note: The computer will now begin configuring and promoting your computer to a domain controller.

11. Active Directory Wizard will display database and log file settings. Click NEXT to continue.

12. Active Directory Installation complete. Click FINISH.

13. Active Directory Installation requires reboot. Click RESTART NOW.

Configuring DHCP server

1. Get a server with Whistler Server Build 2438, or higher on it. 2. Assign the server a static IP address. Example:10.0.0.1 3. Install DHCP server. 4. Create a single scope. – e.g. 10.0.0.10 through 10.0.0.254 5. Ensure that the DHCP server is authorized and scope is activated. 6. This ensures DHCP server is up and running fine and giving out addresses.

Ensure clients on the private wired network get addresses from the server.

Configuring Active Directory

For the Domain Controller, we need to configure so that passwords are stored in reversible encrypted format for all users. This is required for EAP-MD5 login.

Go to Active Directory for Users and Computers Start > Programs > Administrative Tools > Active Directory Users and Computers > Domain name > Action > Properties

From the properties screen, click the Group Policies tab. Highlight the “Default Domain Policy” and click edit.

Create a user. Be sure to allow dial up access, and on the account tab, check the box to store passwords reversibly encrypted. Make the user an administrator on the client, also. Configuring Certificate Server Templates

INSTALLING, CONFIGURING ENTERPRISE CERTIFICATE TEMPLATES

Installing Enterprise Certificate Templates for the first time

Invoke Certificate Template Management Console. 1. Click: Start  Run  Enter: certtmpl.msc. Click OK.

2. You must be either the Enterprise Administrator or the Parent Domain Administrator in order to propagate templates to the Active Directory. Click YES.

3. If you have the correct credentials you will receive confirmation of Certificate Templates installation. Click OK.

Note: Once the Administrator clicks OK, the Certificate Templates Management Console will open.

Configuring Enterprise Certificate Templates

Setting Computer Template to allow authenticated users enroll permissions.

Double-click Computer Template above, to expose Properties.

Click on the Security tab.

Check Enroll for Authenticated Users. Click OK.

Do the same thing for Users.

INSTALLING AND CONFIGURING SERVICES

Once this is done, we need to install other necessary services on the server machine. Thru My Computer->Control Panel->Add/Remove Programs, add the following components: Services to be installed

1. Certificate services 2. Internet Information Services - IIS 3. Internet Authentication Service (IAS)

Certificate Services

1. Select Enterprise Root CA

2. Enter the CA Identifying Information..

3. Accept the default, or enter data storage locations. These paths can be PATH or UNC. Click NEXT. FINISH Note: At this point the component wizard will complete the CS configuration.

4. Select: Certificate Services, under Details select both: Certificate Services CA and Certificate Services Web Enrollment Support. Note: I will refer to Web Enrollment Support as a “Web Proxy”. Click OK.

Configuring Certificate Authority to issue Certificate Templates

1. Click Start  Programs  Administrative tools  Certificate Authority 2. Rclick: certificate template-- new certificate template to issue

3. Select all Certificate Templates. Click OK.

Create a computer certificate for the server machine.

Type the command gpupdate /force at the command prompt.

Configuring Internet Authentication Service

Setup IAS server

Create RADIUS client Create a client for RAS server, which needs to authenticate using IAS.

Since the RAS server will exist on the same machine as the IAS server, create a client with the server’s IP address.

Create Remote Access policies Create a new profile for every authentication mechanism that we need i.e., EAP-MD5, EAP-TLS.

In the profile for each policy, set the appropriate authentication mechanism and set the Session-Timeout attribute to the desired value. Be sure to allow dial in permissions.

Create Connections Policy

INTERNET AUTHENTICATION SERVICE > CONNECTION REQUEST POLICIES > ACTION > NEW > CONNECTION REQUEST POLICY

Create a Connection Request policy using custom set up. The policy name is assigned by the user and should include only Day-And-Time-Restrictions

Testing IAS Services

IAS VPN Test Procedure

1. Ensure that on IAS, the EAP-MD5 profile is the first one from top in order.

2. Ensure that RRAS has "RADIUS Authentication" and "RADIUS Accounting" as the providers.

Routing and Remote Access > “Server name (Local)” > Action> Properties > Security Tab

Client Test configuration

1. Create VPN connectoid on a client machine in the network for VPNing into the RRAS server. 2. Choose “Advanced (custom setting)” under the security tab for connectoid properties. 3. Set the authentication mechanism on the connectoid as EAP-MD5 – “MD5-Challenge”. 4. Connect to the VPN server, by double-clicking on the connectoid. 5. Use user credentials of the user created above.

Ensure MD5 login is fine using VPN from client machine.

From the client machine, log onto the domain as the user that you created above.

Downloading Certificates

1. Ensure that on IAS, the EAP-TLS profile is the first one from top in order. 2. In internet explorer type: http:///certsrv This will connect via the web-interface to the certificate server. Request a certificate for the current user and install it on the client machine. To ensure that a certificate was loaded on the client machine using the "certificate services" mmc snapin.

Configuring Wireless Access

From network connections, right click your wireless connection. Click properties. On the WLAN tab you should see a list of all visible networks, if the driver and firmware support all the required OIDs. Click on the Access point you want to associate with and click copy.

Configure the properties. It will appear in the list of preferred networks. Click on the Authentication tab, and check the EAP authentication using smartcard, or other certificate. Testing TLS Authentication Services – Wireless

The client should use the certificate that was downloaded above to authenticate the user . If you set up reply messages on your remote access policies, and check the box to show the network connection icon on the taskbar, on your network connection properties, you will see this as soon as it happens. Check the event viewer, System events, for verification of access, and/or error messages from IAS.