
Ultimate wireless security guide: Microsoft IAS RADIUS for wireless authentication

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, describes how to configure Microsoft's IAS RADIUS server, provided free with Windows Server 2003, for wireless authentication.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Windows Server 2003 comes bundled with a very capable RADIUS (also known as AAA) server that's extremely stable, secure, and robust. When you search Internet security databases for Microsoft IAS vulnerabilities, you won't find any. The IAS service just runs for years without needing to be patched. If your Windows Server 2003 box is hardened to accept only IAS requests, with host-based firewall restrictions on all other ports, and you install no other services on it, you can literally keep an IAS RADIUS server up for years with zero downtime or reboots.

IAS competitors

One of IAS' biggest competitors in the enterprise market is Cisco ACS, which people often assume they must use if they run Cisco networking equipment. That simply isn't true: your Cisco network equipment works perfectly fine with IAS so long as you avoid proprietary, less secure, harder-to-deploy protocols like LEAP or EAP-FAST.

Furthermore, the stability of ACS is questionable, and there is an endless patch cycle for it since it has been plagued with security vulnerabilities and bugs. I have had a lot of hands-on experience with Cisco ACS, and I've spent my share of time troubleshooting it and many hours on tech support. The latest version, Cisco ACS 4.x, currently has two unpatched security vulnerabilities, one of which is critical. Versions 3.x and 2.x also have their share of critical vulnerabilities, some of which are unpatched as of December 10, 2006.

Cisco ACS also lacks the ability to act as a relay RADIUS server, which limits its ability to serve in a more robust multi-tier RADIUS environment. You need that ability to link to multiple Active Directory domains or other user directories that are not tied to each other. ACS also costs around $8000 per copy, whereas Microsoft IAS comes with Windows Server 2003, so two redundant RADIUS servers add up pretty quickly. Cisco ACS also comes on a dedicated appliance, but that's even harder to use in my experience since you don't even get a Windows console graphical interface to work with.

Funk Software (acquired by Juniper) has a pretty good solution in Steel-Belted RADIUS at around $4000 per copy, but that is still a significant cost, especially when you need two RADIUS servers for redundancy. Funk is a great solution for companies that don't run a Windows Active Directory environment, because IAS is tightly tied to Microsoft Active Directory and doesn't support non-Microsoft user databases.

Linux users have FreeRADIUS available to them. FreeRADIUS has had critical flaws in the past (in the 0.x and 1.x releases), but unlike Cisco's, they're all patched now. FreeRADIUS still isn't as clean as the Funk or Microsoft RADIUS solutions, but it's completely free if you're rolling your own Linux distribution or don't need enterprise Linux support. If you're talking about SuSE or Red Hat and you want enterprise support, the annual support contract is double the cost of a perpetual Windows Server 2003 license. It all depends on the usage model: some people will prefer Linux and some will prefer Microsoft.

Install IAS

Windows Server 2003 doesn't come with any extra services installed by default, for security reasons, so you'll need to install IAS manually. It's fairly simple if you have the Windows Server 2003 install CD. To install IAS, open "Add or Remove Programs" from the Control Panel and select "Add/Remove Windows Components". In the window that appears (Figure OO), scroll down to "Networking Services". Don't simply check it, because that would install all of the Networking Services; instead, highlight it and hit the "Details" button.

Figure OO

Networking services

Once you get to the screen shown in Figure PP, scroll down and check "Internet Authentication Service" (IAS for short).

Figure PP

Internet Authentication

Once you've installed IAS, you'll be able to launch it from Administrative Tools, either from the Control Panel or from the Start menu. You'll see the interface shown in Figure QQ.

Figure QQ

Service

Set logging policies

The first thing we'll do is look at and set the logging policies (Figure RR). Right click on "Internet Authentication Service (Local)" and click Properties.

Figure RR

IAS Properties

You will now see the screen in Figure SS. If you check the two boxes here, you will force IAS to log successful and rejected authentication requests to the Windows Event Viewer. If you intend to use text or SQL based logging, you don't need to check these unless you want the logs showing up in both places.

Figure SS

Local Properties
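The Event Viewer entries enabled above are worth mining for repeated rejections from one client station, which is what an attacker guessing passwords against your wireless LAN looks like in the log. The following Python script is an added example, not code from the original article: it parses the "Attribute = Value" description text of IAS events (the attribute names are those seen in the reader log quoted in the comments), and flags any calling station with repeated rejections. The sample events, user names, MAC addresses and IPs are constructed, and the script assumes a denied-access event carries a Reason-Code line while a granted one does not.

```python
import re
from collections import defaultdict

# Constructed sample data in the "Attribute = Value" layout that IAS writes
# into the event description. Users, MACs and the NAS address are made up.
STATION_A = "00-11-22-33-44-55"   # constructed: a well-behaved laptop
STATION_B = "66-77-88-99-AA-BB"   # constructed: repeated failures
STATION_C = "CC-DD-EE-FF-00-11"   # constructed: a single failure


def _event(user, mac, denied):
    """Build one constructed IAS event description for USER from station MAC."""
    lines = [
        f"User {user} was {'denied' if denied else 'granted'} access.",
        f"Fully-Qualified-User-Name = EXAMPLE.LOCAL/Users/{user}",
        "NAS-IP-Address = 192.0.2.10",
        "Client-Friendly-Name = AP-LOBBY",
        f"Calling-Station-Identifier = {mac}",
        "NAS-Port-Type = Wireless - IEEE 802.11",
        "Policy-Name = Wi-Fi Policy",
        "Authentication-Type = PEAP",
    ]
    if denied:
        # Reason-Code 16 and its text are the ones shown in the comments' log.
        lines += [
            "Reason-Code = 16",
            "Reason = Authentication was not successful because an unknown "
            "user name or incorrect password was used.",
        ]
    return "\n".join(lines)


SAMPLE_EVENTS = [
    _event("alice", STATION_A, denied=False),
    _event("bob", STATION_B, denied=True),
    _event("carol", STATION_B, denied=True),
    _event("dave", STATION_B, denied=True),
    _event("bob", STATION_C, denied=True),
]

# One "Name = Value" line; the value may be empty (IAS leaves some blank).
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$", re.MULTILINE)


def parse_event(text):
    """Return the attribute/value pairs of one event description as a dict.

    Adds a synthetic 'Outcome' key: 'denied' when a Reason-Code is present
    (assumption: only rejected requests carry one), otherwise 'granted'.
    """
    fields = dict(FIELD_RE.findall(text))
    fields["Outcome"] = "denied" if "Reason-Code" in fields else "granted"
    return fields


def summarize_rejects(event_texts, threshold=3):
    """Count denied requests per calling station (client MAC address).

    Returns only stations with at least THRESHOLD rejections, together with
    the reason codes and user names seen, so an admin can tell a mistyped
    password (one user, one station) from guessing across many accounts.
    """
    per_station = defaultdict(lambda: {"count": 0, "codes": set(), "users": set()})
    for text in event_texts:
        ev = parse_event(text)
        if ev["Outcome"] != "denied":
            continue
        entry = per_station[ev.get("Calling-Station-Identifier", "unknown")]
        entry["count"] += 1
        entry["codes"].add(ev.get("Reason-Code", "?"))
        entry["users"].add(ev.get("Fully-Qualified-User-Name", "?"))
    return {
        station: {
            "count": e["count"],
            "reason_codes": sorted(e["codes"]),
            "users": sorted(e["users"]),
        }
        for station, e in per_station.items()
        if e["count"] >= threshold
    }


if __name__ == "__main__":
    for station, info in summarize_rejects(SAMPLE_EVENTS).items():
        print(f"{station}: {info['count']} rejections, reason codes "
              f"{info['reason_codes']}, users {info['users']}")
```

On a real server, feed the script the description text of IAS events exported from Event Viewer instead of SAMPLE_EVENTS.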

If you click on the "Ports" tab, you'll see the screen shown in Listing TT. These are the default RADIUS ports, and you should generally leave them alone to stay with standard RADIUS conventions. Microsoft IAS actually listens on two sets of ports: the lower-numbered ports are the more traditional RADIUS port numbers, while Microsoft applications prefer the higher-numbered ports.

Listing TT

Ports

This next part lets you set the standalone text and SQL logging capability of Microsoft IAS. Right-click on "Local File" under "Remote Access Logging" and hit "Properties" (Figure UU).

Figure UU

Remote Access Logging

The first "settings" tab lets you set what events you want to log. (Figure VV)

Figure VV

Local file properties

The "Log File" tab lets you set the file format and the log size limits. (Figure WW)

Figure WW

Log file

We won't go into SQL logging in this article because setting up a SQL database gets rather complex: you have to manually create the accounts and tables in SQL for it to work. Furthermore, IAS under Windows Server 2003 insists on stopping the RADIUS service if logging doesn't work, so if the SQL server doesn't respond, all of your RADIUS servers stop working. Unfortunately, Microsoft doesn't give you any way to override this "fail-shut" behavior. They claim customers want it this way because it's more secure, but every customer I've talked to wants a choice in this behavior.

There is no security risk because the authentication and authorization component of Microsoft IAS is working perfectly fine; it's merely unable to make a record of the transaction. I've spoken with Microsoft, and they tell me they will correct this with Windows Server 2007 (or whatever it's going to be called when it's released next year). Hopefully they'll automate the SQL database creation process with a script too.

Add RADIUS clients

A RADIUS "client" is not what you would typically think of as a "client", as in a user. A RADIUS client is something like a wireless access point, a router, a switch, a firewall, or a VPN concentrator. Any device that provides network access and needs to delegate AAA (Authentication, Authorization, and Accounting) to a RADIUS server is considered a RADIUS client. For the purpose of this tutorial, we'll set up a single access point as a client.

To start, we'll right click on "RADIUS Clients" and select "New RADIUS Client" as shown in Figure XX.

Figure XX

Radius Client

You then get the screen shown in Figure YY, where we give the device its name and set the IP address of the access device, which in this case is an access point. Be aware that if you're dealing with a router or firewall that has multiple IP addresses because it has multiple interfaces, you must configure the IP address that is closest to the RADIUS server. This is because the RADIUS request is seen as coming from the closest interface on a multi-homed access device, and if you configure the wrong IP, it will not be able to communicate with the RADIUS server.

Figure YY

New RADIUS client name and IP

Then we set the RADIUS type and RADIUS secret. The RADIUS type is almost always set to "RADIUS Standard". Cisco devices are the exception: you must select "Cisco" for the "Client-Vendor" field if you want your Cisco devices to work. There are exceptions even among Cisco products, such as the Cisco wireless switches, because those switches were acquired from Airespace in 2005.

Airespace wireless switches use "RADIUS Standard" like everyone else in the industry. The "shared secret" is the secret shared between the RADIUS server and the access device (Figure ZZ). Make the secret 10 characters or more, composed of random numbers and letters. Avoid spaces and special characters, since they may cause incompatibilities in some devices and software, and you'll have a rough time troubleshooting.

Figure ZZ

Setting the shared secret

Click "Finish" to complete. You'll need to repeat this for all of your access devices.

Add remote access policies

Now we need to create a remote access policy to authenticate and authorize the user trying to access our access devices. To do this, right click on "Remote Access Policies" and click "New Remote Access Policy". (Figure AAA)

Figure AAA

New Remote Access Policy

Click "Next" to move to the next screen (Figure BBB).

Figure BBB

Policy Wizard

Give your policy a name and use the wizard. Hit "Next". (Figure CCC)

Figure CCC

Policy Name

Choose "Wireless" and hit "Next". (Figure DDD)

Figure DDD

Wireless

Here you'll need to grant access to your users and computers. Hit "Add". (Figure EEE)

Figure EEE

Group Access

Here you'll need to adjust the location to your domain. Hit "Locations". (Figure FFF)

Figure FFF

Select Groups

Choose the domain you're trying to authenticate to and hit "Ok". Note that the IAS server must be joined to the domain you're authenticating to or a trusted domain. (Figure GGG)

Figure GGG

Select Location

Type "Domain Users" and "Domain Computers" separated by a semicolon (Figure HHH), then click on "Check Names" to force it to underline and validate your entries. You may of course restrict access to a smaller group of users and computers, since this setting allows all domain users and all domain computers to connect to your wireless LAN. Hit "Ok".

Figure HHH

Enter domain

Note that "Domain Computers" is used to authenticate the computer itself for "machine authentication", which connects your wireless PC before the user even logs in. This is a very useful and unique benefit of the Windows wireless client, since it emulates the full wired experience for wireless users.

If "machine authentication" isn't implemented, group policies and login scripts won't fire. Furthermore, only cached users can log in to the wireless computer, because users who have never signed on to that PC can't authenticate with the domain. This reason alone is enough for me to always recommend the Windows wireless client for Windows users, not to mention its auto-deployment capability.

Now you see the screen shown in Figure III with a summary of the user and computer groups you're allowing access. Note that there is an OR operator between these two group names: either one being true registers a success. Hit "Next".

Figure III

Group access defined

Choose "Protected EAP (PEAP)" authentication. Then hit "Configure". (Figure JJJ)

Figure JJJ

Authentication

Before you get to this page, you must either have a valid machine certificate from a Certificate Authority or have already self-signed one yourself. Leave the rest of the settings as you see them in Figure KKK and click OK.

Figure KKK

PEAP Properties

Finalize the remaining dialog box and you're finished making a new wireless authentication profile. Now we'll move on to fine tuning the configuration.

Tweak remote access policies

Once you complete the previous steps, you'll see a new Remote Access Policy called whatever name you gave it. The two default policies you see in Figure LLL alongside the one we created are just samples and are disabled by default. Right-click on our policy and hit "Properties".

Figure LLL

Remote Access Properties

You'll notice there are two "Policy conditions" shown in Figure MMM. Note that there is an AND operator between the two conditions: both must be true, or else the policy spits out a rejection and IAS moves on to the next "Remote Access Policy". The first condition restricts "Wi-Fi Policy" to users coming in over 802.11 connections. The second condition is the permissible user and computer groups we set earlier. Click on "Edit Profile" to continue.

Figure MMM

WiFi Policy Properties

The "Dial-in Constraints" tab lets you set the dial-in and session limit restrictions (Figure NNN). It also lets you restrict the times people are allowed to log in.

Figure NNN

Dial-in Profile

The "Encryption" tab is important for security (Figure OOO). You must uncheck the three insecure options to enforce maximum-strength encryption.

Figure OOO

Encryption

The "Advanced" tab (Figure PPP) is something we won't go into now, but note that this is a very powerful tab for advanced features. With special RADIUS attributes configured on this page, you can do things like tell your Cisco VPN concentrator what user group a user belongs to, so that the concentrator will set VLAN and firewall policies on that user matching their group rights. You can also do things like set VLANs or group association for an Aruba wireless switch, which has a built-in firewall. We'll leave the details for a future advanced RADIUS configuration article.

Figure PPP

Advanced tab

Under the "Authentication" tab, you can tweak the EAP methods (Figure QQQ). For wireless LAN PEAP authentication, you actually leave all the checkmarks alone. These settings are for more traditional RADIUS applications like a modem dialup service provider that proxies to your RADIUS server. Let's click on the "EAP Methods" button to see what it has.

Figure QQQ

Authentication

Here you can edit the PEAP configuration. (Figure RRR) We already set these settings during the initial policy wizard. Click "OK".

Figure RRR

EAP Providers

You'll need to click OK one more time to get out of the Dial-in profile window.

This final section in the IAS interface is something we won't do in this article (Figure SSS); I just wanted to give you a preview of what it does. The "Connection Request Processing" section lets you set advanced RADIUS relaying features. You have granular control of which kinds of RADIUS requests you want to relay to a different RADIUS server and which you want to handle in the local "Remote Access Policy" engine.

You can even configure groups of RADIUS servers that you want to forward to. This allows IAS to participate in a multi-tier RADIUS environment. For example, if a user who isn't in your domain but belongs to a business partner's network needs guest access to your environment, you can forward the RADIUS request to your business partner for them to process. There are even universities that honor each other's students and staff by allowing a student to securely log in to any campus participating in the network.

Figure SSS

Connection Request

Backup and restore IAS policy

Finally, after all this work we want to be able to back up our RADIUS configuration and maybe even restore it onto a redundant RADIUS server. Microsoft gives you a simple command line tool for exporting and importing the RADIUS configuration.

To perform the backup operation, simply run the following command. The "show config" command writes the configuration to standard output, so you must redirect it into a file (without the ">" it fails with "Failed attempting to show the aaaa configuration").

netsh aaaa show config > c:\IAS.txt

Note that you can use any name for the file. You can use that file locally if you ever screw up the IAS configuration and want to recover rapidly, or if you want to copy the IAS settings to another IAS RADIUS server. To restore the IAS settings from the text file you created, simply run the following command, assuming the correct path and file name.

netsh exec c:\IAS.txt

This makes it easy to rapidly deploy multiple redundant IAS RADIUS servers and it also gives you the peace of mind to rapidly repair an IAS server.


120 comments
MajBarny

Hi I have followed these steps and setup Radius on server and WiFi AP, but unable to connect wix xp just says "Validating ID' win 7 just gives error. Have checked log. please find log can you please assist. Fully-Qualified-User-Name = rockwell.local/Rockwell User Groups/Mail Group 4/NC Ops/Inet Group 4/Control 2/Kevin van Rensburg NAS-IP-Address = 192.168.1.122 NAS-Identifier = 0024a56f130d Called-Station-Identifier = 0024a56f130d Calling-Station-Identifier = 88532ed39636 Client-Friendly-Name = WF_BW_BOARDROOM Client-IP-Address = 192.168.1.122 NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 51 Proxy-Policy-Name = Use Windows authentication for all users Authentication-Provider = Windows Authentication-Server = Policy-Name = Rockwell WiFi Authentication-Type = PEAP EAP-Type = Reason-Code = 16 Reason = Authentication was not successful because an unknown user name or incorrect password was used. For more information, see Help and Support Center at Please assist

ken.diekemper

Thanks so much for explaining all the different EAP protocols.

sheldonpittman

I am having trouble finding this PDF. Maybe not familiar enough with how your site works but any help would be great. Thanks

sureshvkumar

Hi I am a visual person, anyone have a network diagram of this setup? I am trying to put the IAS on the DC to have a minimal setup for my lab. Anyone throw some idea, appreciated. Thank you

marc.laflamme

I've tried searching for the Complete TechRepublic Ultimate Wireless Security Guide PDF that's listed as available at the top of the article but can't seem to locate it. Is this only available for paid subscriptions?

robo_dev

SBR gives you a lot more authentication options, and it's much simpler to configure and support. In terms of simplicity, a Cisco ACS appliance or a Juniper SBR appliance is much much easier to support and maintain than a Windows server setup with ICS or SBR. The 'best' solution depends on what WLAN hardware you are using, what authentication types you need, and even what clients you are using. If ALL your WLAN clients are Windows PCs, then IAS would work fine. But if you have a whole mix of different devices and client OSs, IAS does not play well with everybody, and if your requirement is, for example, to authenticate against a Sun LDAP server versus Active Directory, or bring in RSA ClearTrust for authentication, you need a solution that's more extensible, such as SBR or ACS.

shaungun

Just wondering if it's possible to have wireless authed by Active Directory, without the need for certificates. I want people to be able to connect just by selecting the wireless network and entering their AD credentials.

computer

Yeah, I'm late to this party (ok, really late but I just found this page) but I was wondering, can the server be set up for both wireless and wired Ethernet connections? in the Access Method page I get a "one or the other" feeling but I'd like to set things up for both the wired and wireless connections. SO, do I need one server for wireless and another for Ethernet/Wired? Thanks, Joe B

OzRK

This is a great article and helped me setup the system. I do however have one question for anyone still listening.... Can IAS on server 2003 do both machine and user authentication in this setup? I have IAS set up with Domain Users and Domain Computers in the policy but users on my network can get in with any device as long as they use their AD credentials... I want to be able to limit users to only coming in via work laptops. Any Suggestions ??

pellja

This article was awesome! Exactly what I needed to go through and get setup for about 300 laptops. Wireless and Radius are new for my company. Now my question is how do you use the Windows Wireless utility to authenticate to the Radius server? What I have are Dell laptops that have a Dell Wireless utility that allow me the option to select "Use Windows username and password" and "Include Windows domain" as well as Authenticate prior to Windows domain logon" and when I go to login using a domain account, it pops up saying it's authenticating and getting an ip address using the Dell utility. When I turn off this Dell utility and try to use the Windows Wireless utility, it won't connect at all! My Radius server is setup exactly as this article describes. The only thing that you probably need to know is that I have a Cisco access points controlled by a Cisco 5508 WLAN Controller. Like I said it all works great with the Dell Wireless utility so I know all settings are right. I just don't see how to get this to work with the Windows utility. Also, if you have suggestions for this, I need for it to authenticate before login so it can load network drives during the login. Thanks!!!

milindbableshwar

After following the above steps, how do i configure the RADIUS clients, having a really hard time getting support over the net, I have an Edimax 6574n AP, please help me out!!!

naveen.a

how to configure wireless authentication 2008 server

jengels

for me. I have tested this and even spoke with Microsoft and they can't figure this out. Any help would be greatly appreciated. Thanks in advance for your assistance. :)

stant0s

...or can it function without doing this? I'm curious as there was no mention of this in the tutorial.

Sratostat

Which EAP should I use to authenticate wireless users without using a certificate? I've got a lot of various devices in my wireless network (a university campus), so I need a universal and relatively secure way of authorization using the Cisco WLC with LWAPP access points, IAS and AD. Thanks.

niemeyerstein

Interesting and comprehensive, but not too much wireless, eh?

padayaw

is this possible im using dlink wifi router dir 615 model?

Thierrypenning

Hi, if this authentication is based on authorized domain computers criteria, then why are local users denied on such an authorized computer? is this because there is no GPO applied to the local user? and is there also a possibility for using computer authentication in wired networks? thanks in advance

joekoerambala55

Hi, I have a problem when running the computer startup scripts. If i enable "verify servercertificate" in the wireless profile then my startup scripts won't run. If i uncheck this checkbox there is no problem. The strange thing is that it only happens with computer authentication, with user authentication i can use this option. Anyone a solution I use a self signed certificate.

baskarguha

This is quite helpful, thanks. One question: Does Win2003 IAS or Win2007 equivalent allow relaying of just the accounting records. The idea is to just do the accounting on a remote server without requiring that server to be part of the authentication. The proxy feature seems like all or nothing.

colin.laurie

I must have missed a step or screwed up. At step KKK i dont see an option to select the Self Signed cert i created in the other guide. I have imported that cert in to the Trusted Root certs on the IAS server. Can you advise please? Thanks.

Mortain

Hi. Thanks for a good tutorial, but it is not working for me. There are some problems authenticating users. In Event Viewer the IAS comes with this error message: Domain/User/Username Access denied. Error code 260, some problems with the certificate; after manually installing the certificate I get a 262 error. "This Supplied message is incomplete. The signature was not verified" Some good explanations of what I could do? I'm currently using Win2k3 32bit Microsoft IAS Server, Linksys/Cisco SBS, WAP4400N. Edit: Got it to work when manually installing the cert as a root cert on the computer. But why is it not working automatically? Have done the tutorial just as told.

erkan102

This is a very useful article, many thanks to the author. I built this 802.1x IAS authentication infrastructure with an HP Procurve 420 AP and HP Procurve 2610 switch. It is running very well for domain users, but sometimes our customers come to our factory and they want to connect to the internet. This is my problem. I should allow unauthenticated users to access vlan2 (only internet). Does anyone know how to allow unauthenticated guest users? Which type of RAP policy should I build? I tried many different methods but cannot solve this problem.

scott.french

I am wondering if you can authenticate users who are not members of the domain so they may get access to the wireless network and then be able to route them only to the internet?

neftali.reyes

Outstanding article! Very clear and concise. You are doing better than Microsoft and they should be paying you royalties. Any more articles like this, swing them my way.

ericwf1

Great walkthru, Thanks!

Naveed A

I have found out on few occasions that if the user's password expires,(We have a policy of 30 day password) he is not able to login because the wireless client says user or password wrong because windows has the old credentials cached. Has anyone had this problem? or does anyone know the solution to this?

schadow1

Is there a way using IAS to limit the number of logins a single user can make at the same time? I can easily do this with Steel Belted Radius but it is too expensive for me.

alex.valenzuela

Is IAS capable of sending Access control lists to deny/grant access to single ports, protocols to "radius clients" as Cisco ACS is? Or in that case, we are stuck with Cisco?

jickfoo

We are desperate for a system that will authenticate the machine as well as the user. For a particular SSID, we want only domain authenticated machines to get access to it. We took a laptop off of our domain, removed the computer account from Domain Computers, rebooted, and were easily still able to authenticate. We tried dozens of different ways. This system doesn't provide machine auth. We're baffled as to why this is so difficult to do; we would have thought that the IT industry would have demanded this kind of authentication. We've been through multiple vendors. If anyone has the answer to this, please let us know where to look.

bboswell

Excellent article. I got this working in under two hours. However, I have one question: is it possible to authenticate non-Windows WiFi clients this way? Thanks for the answer!

robert.vangent

This has been a great article and it has finally put me on the right direction to set up a safe WLAN network. I wonder if the machine authentication works as described though. In the logfiles I can see only user authentications, and when I take out the 'Domain Users' as group membership then authentication fails and no machines connect to the WLAN network. Also the description of the 'Windows-Groups' attribute says literally that this "Specifies the Windows groups that the _user_ belongs to". What I would actually want is only to authenticate when both conditions are met: user belongs to a certain group and machine belongs to a certain group, so I had set both conditions joined with AND but the authentication fails in that situation. I have machine authentication set and pushed to the clients using GPO.

me19562

Great article. Just want to clarify something, Cisco devices(like switches, routers and firewalls) will work with "RADIUS Standard" settings in the "RADIUS type/Client vendor". But if Cisco proprietary attributes are need then it must be set as Cisco.

mhuff

I have followed the guide to the letter but cannot successfully authenticate through RADIUS. I am using the following: -Win2003 IAS -3COM 8760 AP -Self-signed certificate distributed via GP at the root of the domain. -XP SP2 laptops with intel centrino wireless hardware (tried this on multiple machines) -Windows WZC client The AP is talking to the RADIUS server, because I can go into the log file on the Windows server and see my name when I try to connect. I can also go into the event log on the AP and it shows that the RADIUS server is sending a "STOP" message. I made sure fast reconnect was not enabled. I added the policy to ignore the dialin tab properties. I set everything else according to the guide exactly, but when I try to connect, the Windows wireless client shows that it connects but is trying to "validate identity". It shows that for about a minute, then just never connects. I'm at my wit's end on what to try, because I've played with many many combinations of settings with the same result. I've always come back to the settings specified in George's guide, but I'm about to give up on ever getting this working. Matt

gueromusic789

I followed everything the way it said in the articles am using server 2003 and ad and a wireless n gigabit security router from linksys and when my clients try to connect all it says is validating identity for ever and thats all that happens any help here?

hamlet505a

hello, George great article! However, my situation is a little different. I have Windows XP, MacOS10, and Linux wireless clients. Initially, I'd like to only provide login authentication to these wireless clients. After I have proved this works, I'd like for these clients to join the active directory domain even the MAC and Linux Clients. I tried following the instruction for Windows XP clients, but I am getting stuck at the certificate point. Do I need certificates for only granting network access? I guess, I really only want 802.1X network authentication initially, then I want to use PEAP to join Active Directory. thanks, Scott

Naveed A

Great article. I was getting an error "Failed attempted to show the aaaa configuration". I just added the > after config so the whole command is like this: netsh aaaa show config > c:\ias.txt

Haywood.Udume

Is it possible to log to both, and if so, with logging to a local log file help avoid any problems if there is a problem with a connection to the SQL server? I thought I had read this somewhere, but I can't seem to find it. I would like to experiment with the SQL logging and creating some reports, but I don't want to take down the network if there are problems with my SQL server (eg: loses connection, takes too long to process, runs out of space, etc). On a side note - if you have 1500-2500 wireless users connecting on a daily basis, how big can you expect the log files and SQL database files to get? I need to make sure I plan for the correct space requirements. Thanks!

tang.francis

I have two separate Active Directory domain, which do not have trust relationship between them. Can I install a single IAS which then connects to both the Active Directory? If so, how?

Haywood.Udume

I'm not able to get this working: C:\>netsh aaaa show config c:\IAS.txt Failed attempting to show the aaaa configuration. Dumps aaaa configuration info in script form. Running IAS on Server 2003 Enterprise. Right now I only have 2 clients configured, but eventually I'll have several hundred. I need to make sure I'm able to backup and restore the configuration before I spend anymore time getting it setup.

andychown

Many thanks for this guide it is spot on. I do have a question though. I have this working like a charm with access points that are on the same subnet as the Radius Server (IAS), but as soon as i put an access point on a different subnet clients fail to authenticate. I have tried all the normal things from the second subnet. - pinging the server works - tracert shows the routing is as it should be Any insight you have is more than welcome (hopefully its some thing simple i have missed!) Andy

tob2dam

This is a lovely tech note but this did not include, configuration and importation of domain users to the radius server femi

pierre3388

This is a great website! The explanation is detailed and easy to understand. But I'm using Fedora Core 2 and installed FreeRADIUS 1.1.6. May I know where I can get guidelines/configuration such as this website for the Linux FreeRADIUS? Thank you :)

Amphitryon

It works, but then...it doesn't. At first, using my old Atheros based 5001x internal NIC with the WZC, I get auth rejects. I am capturing traffic from a SPAN on my switch, so I can see the wired traffic. The IAS server rejects my client- not sure if I am missing a setup step for the client side...then I thought the chipset may not support higher level security features... After obtaining a card that supports 802.1x and AES (NetGear WAG511) I was able to connect to the AP and authenticate, but now I can't get an address from my DHCP server...AND I had to use the NetGear utility- the WZC doesn't authenticate according to login credentials. I have a 2003 server running all services for this test (I wouldn't bog this server down in production, it is just for testing that I loaded all services). AD for DC, IIS, IAS, DHCP, DNS/WINS...I have a Cisco 1131AP (tried RADIUS Standard and Cisco) no worky. When I use a plain old weak Open/WEP configuration with my AP, I can get an address from DHCP...but when I enabled advanced security (802.1x/PEAP/AES) I can auth, but no IP from DHCP...ideas? It would be nice to use the windows WZC for this to tie in the group policy for client config...but I am obviously missing something. -E

lennyhutch

First of all, thanks for writing a great article. I wish I found this at the time when I needed it 8 months ago. I had to set up IAS the hard way by reading through all of MS's documents. Not an easy task. But thanks to this document, I've been able to optimize a lot of settings within IAS. I do have one problem still that this article does not touch. I've set up wireless using certificates from our CA and a root cert on the clients. I have the clients running Windows XP SP2 and it's set to validate the server certificate each time it connects. This always works fine. The problem is that this cert validation is only one way. (ie. client to server) I'm still able to connect to my access points without a certificate on the client. I've been looking for a way to force the IAS server to check that the client has a valid cert. No luck with this yet. Maybe I'm looking int the wrong area. The only thing I have found is that it's possible to add an object identifier to the RADIUS server. This is an attribute on the Advanced tab of "Edit Dial-in Profile". It's called Allowed-Certificate-OID. I've tried playing with this by adding all types of OID's but still can't get this working for the life of me. Does anyone know a way to do this? Your help is appreciated.
