1. In the Active Directory Users and Computers console tree, click the Computers folder, right-click CLIENT1, click Properties, and then click the Dial-in tab.
2. Select Allow access, and then click OK.
1. In the Active Directory Users and Computers console tree, right-click Users, click New, and then click User.
2. In the New Object – User dialog box, type wirelessuser in First name and type WirelessUser in User logon name. This is shown in the following figure.
3. Click Next. In the New Object – User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box, and then click Next. This is shown in the following figure.
4. In the final New Object – User dialog box, click Finish.
Allow wireless access to users
1. In the Active Directory Users and Computers console tree, click the Users folder, right-click WirelessUser, click Properties, and then click the Dial-in tab.
2. Select Allow access, and then click OK.
Add groups to the domain
1. In the Active Directory Users and Computers console tree, right-click Users, click New, and then click Group.
2. In the New Object – Group dialog box, type WirelessUsers in Group name, and then click OK. This is shown in the following figure.
Add users to the WirelessUsers group
1. In the details pane of Active Directory Users and Computers, double-click WirelessUsers.
2. Click the Members tab, and then click Add.
3. In the Select Users, Contacts, Computers, or Groups dialog box, type wirelessuser in Enter the object names to select. This is shown in the following figure.
4. Click OK. In the Multiple Names Found dialog box, click OK. The WirelessUser user account is added to the WirelessUsers group. This is shown in the following figure.
5. Click OK to save changes to the WirelessUsers group.
Add client computers to the WirelessUsers group
1. Repeat steps 1 and 2 in the preceding “Add users to the WirelessUsers group” procedure.
2. In the Select Users, Contacts, or Computers dialog box, type client1 in Enter the object names to select. This is shown in the following figure.
3. Click Object Types, clear the Users check box, and then select the Computers check box. This is shown in the following figure.
4. Click OK twice. The CLIENT1 computer account is added to the WirelessUsers group.
IAS1
IAS1 is a computer running Windows Server 2003 with SP1, Standard Edition, that is providing RADIUS authentication and authorization for the wireless AP. To configure IAS1 as a RADIUS server, perform the following steps.
Perform basic installation and configuration
1. Install Windows Server 2003 with SP1, Standard Edition, as a member server named IAS1 in the example.com domain.
2. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Install and configure IAS
1. Install Internet Authentication Service as a Networking Services component by using Add or Remove Programs in Control Panel.
2. In the Administrative Tools folder, open the Internet Authentication Service snap-in.
3. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click OK. This is shown in the following figure.
Create the Certificates (Local Computer) console
1. Create an MMC console on your IAS server that contains the Certificates (Local Computer) snap-in.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Snap-in, double-click Certificates, click Computer account, and then click Next.
5. Click Local computer, click Finish, click Close, and then click OK. The Certificates (Local Computer) snap-in is shown in the following figure.
Note:
PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the wireless clients. The wireless clients must, however, trust the certification authority that issued the IAS server certificate and should be configured to validate the server certificate; a client that skips that validation will complete the MS-CHAP v2 exchange with any RADIUS server behind a rogue AP and expose the user's credentials. Autoenrollment of computer certificates for the IAS servers can be used to simplify a deployment. However, in this section, a certificate is manually requested for the IAS1 computer because the autoenrollment of the certificates is not yet configured. This is described in the following "EAP-TLS Authentication" section of this guide.
Request a computer certificate
1. Right-click the Personal folder, click All Tasks, click Request New Certificate, and then click Next.
2. Under Certificate types, click Computer, and then click Next.
3. Type IAS Server1 Certificate in Friendly name. This is shown in the following figure.
4. Click Next. On the Completing the Certificate Request Wizard page, click Finish.
5. The message "The certificate request was successful" appears. Click OK.
Add WirelessAP as RADIUS client
1. In the console tree of the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client.
2. On the Name and Address page of the New RADIUS Client wizard, in Friendly name, type WirelessAP. In Client address (IP or DNS), type 172.16.0.3, and then click Next. This is shown in the following figure.
3. On the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a RADIUS shared secret for the wireless AP, and then type it again in Confirm shared secret. This is shown in the following figure. The shared secret entered here needs to match the RADIUS shared secret on the configuration of the wireless AP. Use a long, random secret: it is the key for the Message-Authenticator HMAC and for the Response Authenticator that lets the AP trust an Access-Accept, and a short or dictionary secret can be recovered offline from a single captured RADIUS exchange.
4. Click Finish.
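The following is an added example, not code from the original guide, showing what the shared secret configured above actually does on the wire between the wireless AP (the RADIUS client) and IAS1. It builds an Access-Request carrying an EAP-Message and a Message-Authenticator the way an 802.1X AP does, checks it the way IAS does (a request whose Message-Authenticator fails is silently discarded, which is what a mismatched secret looks like in practice), and verifies the Access-Accept on the AP side. The NAS address 172.16.0.3 is the AP from this guide; the user name, the EAP payload and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # UDP; the firewall exceptions must use these


def radius_attribute(atype, value):
    """One attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _find_message_authenticator(attrs):
    """Walk the attribute list; return the offset of Message-Authenticator, or None if absent or malformed."""
    pos, found = 0, None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return None
            found = pos
        pos += alen
    return found if pos == len(attrs) else None


def _message_authenticator(secret, code, ident, authenticator, attrs, offset):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
    return hmac.new(secret, _packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_access_request(secret, ident, username, eap_payload, nas_ip):
    """AP side: the Access-Request sent to IAS1 for a supplicant. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)                      # fresh random Request Authenticator per request
    attrs = (radius_attribute(USER_NAME, username.encode())
             + radius_attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + radius_attribute(EAP_MESSAGE, eap_payload)
             + radius_attribute(MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled below
    offset = len(attrs) - 18
    mac = _message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs, offset)
    attrs = attrs[:offset + 2] + mac
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_accepts_request(secret, packet):
    """IAS side: True only if the Message-Authenticator verifies under the configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    code, ident, request_auth, attrs = packet[0], packet[1], packet[4:20], packet[20:]
    offset = _find_message_authenticator(attrs)
    if offset is None:
        return False
    expected = _message_authenticator(secret, code, ident, request_auth, attrs, offset)
    return hmac.compare_digest(expected, attrs[offset + 2:offset + 18])


def build_response(secret, code, ident, request_auth, attrs):
    """IAS side: Access-Accept/Reject with a Message-Authenticator and the Response Authenticator."""
    attrs = attrs + radius_attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    offset = len(attrs) - 18
    mac = _message_authenticator(secret, code, ident, request_auth, attrs, offset)
    attrs = attrs[:offset + 2] + mac
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 3)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return _packet(code, ident, response_auth, attrs)


def verify_response(secret, ident, request_auth, packet):
    """AP side: return the response Code only if both authenticators verify; otherwise None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet) or packet[1] != ident:
        return None
    code, response_auth, attrs = packet[0], packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    offset = _find_message_authenticator(attrs)
    if offset is None:
        return None
    mac = _message_authenticator(secret, code, ident, request_auth, attrs, offset)
    return code if hmac.compare_digest(mac, attrs[offset + 2:offset + 18]) else None


if __name__ == "__main__":
    SECRET = os.urandom(32)                              # constructed; same value on IAS1 and the AP
    EAP_IDENTITY = b"\x02\x01\x00\x11\x01WirelessUser"   # constructed EAP-Response/Identity
    req, ra = build_access_request(SECRET, 7, "WirelessUser", EAP_IDENTITY, "172.16.0.3")
    print(server_accepts_request(SECRET, req), server_accepts_request(b"wrong", req))   # True False
    accept = build_response(SECRET, ACCESS_ACCEPT, 7, ra, b"")
    print(verify_response(SECRET, 7, ra, accept))        # 2
```

Note that the only thing standing between a forged Access-Accept and the AP opening the port is the Response Authenticator keyed with this secret, which is why it deserves the same care as a password and why the firewall exception for UDP 1812 should be scoped to the AP's address rather than left open to the whole subnet.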
Create and configure remote access policy
1. In the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies, and then click New Remote Access Policy.
2. On the Welcome to the New Remote Access Policy Wizard page, click Next.
3. On the Policy Configuration Method page, type Wireless access to intranet in Policy name. This is shown in the following figure.
4. Click Next. On the Access Method page, select Wireless. This is shown in the following figure.
5. Click Next. On the User or Group Access page, select Group. This is shown in the following figure.
6. Click Add. In the Select Groups dialog box, click Locations, select example.com, and then click OK.
7. Type wirelessusers in the Enter the object names to select box. This is shown in the following figure.
8. Click OK. The WirelessUsers group in the example.com domain is added to the list of groups on the User or Group Access page. This is shown in the following figure.
9. Click Next. On the Authentication Methods page, the Protected EAP (PEAP) authentication is selected by default and configured to use PEAP-MS-CHAP v2. This is shown in the following figure.
10. Click Next. On the Completing the New Remote Access Policy page, click Finish.
Configure Windows Firewall on IAS1
1. Click Start, point to Control Panel, and then click Windows Firewall.
2. In the Windows Firewall dialog box, click On, and then click the Exceptions tab.
3. Click Add Port, and in the Add a Port dialog box type RADIUS Authentication for the Name, type 1812 for the Port number, and select UDP as the type of traffic processed by the port. Click OK.
4. Click Add Port again, and in the Add a Port dialog box, type RADIUS Accounting for the Name, type 1813 for the Port number, and select UDP as the type of traffic processed by the port. Click OK. RADIUS authentication uses UDP port 1812 and accounting uses UDP port 1813; IAS also listens on the legacy ports 1645 and 1646, which you need to open only if the wireless AP is configured to use them. For either port, Change scope in the Add a Port dialog box lets you limit the exception to the address of the wireless AP (172.16.0.3) instead of any source.
5. On the Exceptions page, verify that the two port exceptions you added are selected.
6. Click the Advanced tab, and then click Settings for Security Logging.
7. In the Log Setting dialog box, select Log dropped packets and Log successful connections. Note the path and file name in Name.
Refer to the log file if you need to add more ports to the exception list. The log file also lets you see which packets Windows Firewall dropped and which connections succeeded.
8. Click OK twice to close Windows Firewall.
IIS1
IIS1 is a computer running Windows Server 2003 with SP1, Standard Edition, and Internet Information Services (IIS). It is providing Web and file server services for intranet clients. To configure IIS1 as a Web and file server, perform the following steps:
Install and configure IIS
1. On IIS1, install Windows Server 2003 with SP1, Standard Edition, as a member server named IIS1 in the example.com domain.
2. Install Internet Information Services (IIS) as a subcomponent of the Application Server component by using the Windows Components wizard of Add or Remove Programs.
Configure a shared folder
1. On IIS1, use Windows Explorer to create a new share for the root folder of drive C using the share name ROOT with the default permissions. Sharing the root of the system drive is acceptable only in this isolated test lab; do not carry this configuration over to a production server.
2. To determine whether the Web server is working correctly, start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in Address, type http://IIS1/iisstart.htm. You should see an "under construction" Web page.
3. To determine whether file sharing is working correctly, on IAS1 click Start, click Run, and then type \\IIS1\ROOT. You should see the contents of the root folder of drive C on IIS1.
Configure Windows Firewall on IIS1
1. Click Start, point to Control Panel, and then click Windows Firewall.
2. Select On, and then click the Exceptions tab.
3. In Programs and Services, select File and Print Sharing.
4. On the Exceptions tab, click Add Port.
5. In the Add a Port dialog box, type World Wide Web Publishing Service for the Name, type 80 for the Port number, select TCP as the protocol, and then click OK.
6. On the Exceptions tab, make sure World Wide Web Publishing Service and File and Print Sharing are selected.
7. Click the Advanced tab, and then click Settings in the Security Logging box.
8. On the Log Settings tab, select Log dropped packets and Log successful connections, and keep the default path and file name in Name.
Refer to the log file if you need to add more ports to the exception list. The log file also lets you see which packets Windows Firewall dropped and which connections succeeded.
9. Click OK twice to close Windows Firewall.
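Both the IAS1 and the IIS1 procedures above end by pointing you at the Windows Firewall log to find out which ports still need an exception. The following is an added example, not part of the original guide, that reads that log (the W3C-style pfirewall.log format, whose #Fields header line names the columns) and summarizes dropped inbound packets by protocol and destination port, then splits them into ports you expected to serve (an exception is missing) and ports you did not (leave them closed). The log lines are constructed for illustration; they mimic the wireless AP at 172.16.0.3 being dropped on 1812/1813 before the exceptions were added, plus an unrelated probe of TCP 135.

```python
import collections
import io

# Constructed sample in the Windows Firewall (XP SP2 / Server 2003 SP1) log format; not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-03-01 10:15:22 DROP UDP 172.16.0.3 172.16.0.2 1645 1812 96 - - - - - - - RECEIVE
2006-03-01 10:15:25 DROP UDP 172.16.0.3 172.16.0.2 1645 1812 96 - - - - - - - RECEIVE
2006-03-01 10:15:40 DROP UDP 172.16.0.3 172.16.0.2 1646 1813 58 - - - - - - - RECEIVE
2006-03-01 10:16:01 DROP TCP 172.16.0.9 172.16.0.2 3391 135 48 S 1 0 65535 - - - RECEIVE
2006-03-01 10:16:03 OPEN TCP 172.16.0.2 172.16.0.1 1029 389 0 - 0 0 0 - - - -
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue                       # other header lines, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or partially written line: skip, do not guess
        yield dict(zip(fields, values))


def dropped_inbound_by_port(text):
    """Map (protocol, dst-port) -> (drop count, sorted list of source addresses) for inbound drops."""
    counts = collections.Counter()
    sources = collections.defaultdict(set)
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec.get("path") != "RECEIVE":
            continue
        key = (rec["protocol"], int(rec["dst-port"]))
        counts[key] += 1
        sources[key].add(rec["src-ip"])
    return {key: (counts[key], sorted(sources[key])) for key in counts}


def review_drops(text, expected_services):
    """Split dropped inbound ports into (missing exceptions, unexpected ports).

    expected_services is the set of (protocol, port) pairs the host is meant to serve,
    e.g. {("UDP", 1812), ("UDP", 1813)} for IAS1 or {("TCP", 80)} for IIS1.
    """
    dropped = dropped_inbound_by_port(text)
    missing = sorted(key for key in dropped if key in expected_services)
    unexpected = sorted(key for key in dropped if key not in expected_services)
    return missing, unexpected


if __name__ == "__main__":
    for key, (n, srcs) in sorted(dropped_inbound_by_port(SAMPLE_LOG).items()):
        print(f"{key[0]}/{key[1]}: {n} dropped from {', '.join(srcs)}")
    print(review_drops(SAMPLE_LOG, {("UDP", 1812), ("UDP", 1813)}))
```

Run it against the real file named in the Log Settings dialog (pass the file contents instead of SAMPLE_LOG); the "unexpected" list is the one to look at twice, since a port that is being dropped is not by itself a reason to open it.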