These instructions are step-by-step, but fairly long and (as yet) without any screenshots. Hopefully they will be of use to someone! Good luck!
Requirements:
Server: Windows Server 2003 Standard / Enterprise (I used standard) DC
Clients: Windows XP Pro SP2, wireless NIC supporting WPA
Access point: Most new wireless APs / routers will do. I used a Linksys WRT54GL with modified firmware from http://www.dd-wrt.com/
You will need to be a domain admin for your own domain, but you don’t need to be an enterprise admin.
Summary:
To get the secured wireless working we need a RADIUS server that authenticates the wireless computers against Active Directory. In WS2003, RADIUS is provided by the Internet Authentication Service (IAS), a built-in Windows component that isn't installed by default.
To allow the laptops to verify that the server is what it claims to be, we need to set up certificates. In WS2003, this is done via Certificate Services which again is included with the OS, but not installed by default.
Next, we need to tell the access point(s) where our RADIUS (IAS) server is and vice versa and then use Group Policy to tell the XP clients how to authenticate.
The finished wireless network will then be using WPA (the 802.1X/RADIUS mode, not a pre-shared key), PEAP with EAP-MSCHAPv2 as the inner method, and AES encryption. The security of this combination rests on the clients verifying the IAS server's certificate before they send their MS-CHAPv2 credentials, which is why the certificate and Group Policy steps below matter as much as the RADIUS setup.
Procedure:
On the Domain Controller
Setting up IAS:
1) Launch Add/Remove programs > Windows components > Networking Services > Details> Tick Internet Authentication Services > OK, NEXT
2) Start > Programs > Administrative Tools > Internet Authentication Services
3) Right click Internet Authentication Services (local) on left hand side > “Register server in Active Directory” > OK
4) Right click Internet Authentication Services (local) > Properties > Ports – make a note of the ports used for Authentication and Accounting: you may need them for setting up your Access Point later
5) Right click on Radius Clients > New Radius Client > Pick a friendly name and enter the static IP address you will give the Access Point. Be sure not to choose something in your DHCP range, since IAS identifies the client by source address. Select RADIUS Standard and enter a shared secret. Microsoft recommends 22 characters or more generated by a random password generator. The same value goes into the access point later; it is the only thing stopping another device on the LAN from sending requests to IAS as if it were your AP, so keep it long and don't reuse it.
6) Click on Remote Access Logging > Right click on Local file > As a minimum, select Accounting Requests and Authentication Requests and check the Log File tab settings.
Setting up Certificate Services:
7) Launch Add/Remove programs > Windows components > Certificate Services > Details > Tick Certificate Services CA > YES > OK > NEXT
8) In the Windows Component Wizard window:
a. Choose “Standalone Root CA”. If you are an enterprise admin and know how to set up autoenrollment, you might want to choose “Enterprise Root CA”, but standalone should work in all cases. NEXT.
b. Choose a “common name” such as StTriniansRootCA, increase the validity period from 5 years (I used 25), NEXT
c. Click YES to stop the IIS service.
d. Choose YES to installing ASP to allow web enrolment – we’ll be using that later
e. FINISH
Creating and installing a server certificate:
This process creates a certificate to prove the identity of your IAS server. By default the certificate only lasts 1 year before it expires. For instructions on increasing this value, visit http://support.microsoft.com/?id=254632
9) Open Internet Explorer at http://YOURSERVER/certsrv
10) Click “Request a certificate”
11) Click “advanced certificate request”
12) Click “Create and submit a request to this CA.”
13) The “Advanced Certificate Request” page must be filled in carefully, in particular the following fields:
Name – The fully qualified name of your server as the wireless clients see it, e.g. yourserver.yourdomain.int. This becomes the certificate subject and must match, character for character, the server name you enter in the client policy later ("Connect to these servers").
Type of Certificate Needed – Choose "Server Authentication Certificate"
Create new key set – Select this option
CSP – Choose "Microsoft RSA/Schannel Cryptographic Provider"
Key Size – 1024 was the default at the time of writing; 2048 is the minimum now recommended for RSA and costs little on a server doing a handful of authentications a minute. Bigger keys give better security but increase the processing power required.
Mark Keys as exportable – Tick this only if you intend to move the certificate to another IAS server or keep an offline backup; an exportable private key is easier to steal, so leave it unticked if the key will live only on this server.
Store certificate in the local computer certificate store – Tick this
14) Click Submit >
15) The next screen tells you to come back later when your certificate has been approved, so go back to the Certification Authority snap-in, expand your Root CA > Pending Requests > Select the request > Right click > All tasks > Issue. It should move into the Issued Certificates container.
16) Open Internet Explorer at http://YOURSERVER/certsrv (again)
17) Click “View the status of a pending certificate request”
18) Follow the link to install the certificate you just created.
Creating a Remote Access Policy:
19) Create a security group (e.g. WirelessComputers) in the Active Directory Users and Computers snap-in and add all your wireless laptops and PCs as members of the group.
20) Start > Programs > Administrative Tools > Internet Authentication Services
21) Right click on Remote Access Policies > New Remote Access Policy
22) NEXT
23) Make sure the “Use the wizard…” option is selected and type in a name, such as “Wireless Access to the St. Trinians network”. NEXT.
24) Select “Wireless”, NEXT
25) Select Group, click Add… and find your WirelessComputers security group. NEXT
26) Select “Protected EAP (PEAP)” and click Configure…
27) Pick the certificate with your IAS server’s fully qualified domain name e.g. yourserver.yourdomain.int
28) “Enable fast reconnect” is optional, but most sources I have found suggest that you tick it.
29) “Secured password (EAP-MSCHAP v2)” should be the only item in the list
30) Click OK
31) NEXT
32) Finish
Pushing Wireless Networking policies out to workstations:
Some steps required for this section vary depending on whether the Group Policy Management Console (GPMC.msc) has been installed on your server or not, so those steps are described in a general way.
33) Create a new Group Policy Object and link it to the OU containing your wireless computers
34) Disable the user portion of the GPO (not necessary, but good practice for speeding up application of the policy)
35) Edit the policy
36) In the Group Policy Object Editor snap-in, navigate to Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies
37) Right-click Wireless Network (IEEE 802.11) Policies > Create Wireless Network Policy
38) NEXT
39) Type a name, e.g. “St. Trinians Secure Wireless Network”, NEXT
40) Tick “Edit properties”, FINISH
41) In the properties of the policy, select the General tab
42) Set “Networks to access” to “Access point (infrastructure) networks only”
43) Tick “Use windows to configure…”
44) Untick “Automatically connect to non-preferred networks”
45) Click the “Preferred networks” tab
46) Click “Add…”
47) Pick the SSID you will be using to identify the network, e.g. SchWlan1 This will need to match the SSID set up on your access point(s).
48) Set “Network Authentication” to “WPA”
49) Set “Data Encryption” to “AES”
50) Click the IEEE 802.1x tab
51) Set the EAP Type to “Protected EAP (PEAP)”
52) Click Settings
53) Tick "Validate server certificate"
54) Tick "Connect to these servers" and type in the name of your IAS server exactly as it appears in the server certificate, e.g. yourserver.yourdomain.int
55) Under "Trusted Root Certification Authorities", find the Root CA you created earlier and tick it
56) Tick "Do not prompt user to authorize new servers or trusted authorities"
Steps 53 to 56 are the ones that actually make PEAP secure: with them, a client will only start the MS-CHAPv2 exchange inside a TLS tunnel to a server presenting a certificate for that name from your own CA. Without them, a client would happily connect to any access point advertising your SSID and hand its MS-CHAPv2 credentials to whoever runs it, and step 56 stops users from clicking through a warning to do exactly that.
57) Select “Secured password (EAP-MSCHAP v2)”
58) Tick “Enable Fast Reconnect”
59) OK
60) Untick “Authenticate as a guest…”
61) Tick “Authenticate as a computer…”
62) Computer Authentication: “Computer only” (This setting will prevent the computer being disconnected and reconnected while the user is logging in.)
63) OK
64) OK
65) In the Group Policy Object Editor, move down to Public Key Policies and right click on Trusted Root Certification Authorities
66) Import…
67) NEXT
68) Type \\YourDCName\CertConfig\ and click Browse…
69) Pick the Root CA certificate, OPEN
70) NEXT
71) NEXT
72) FINISH
73) Close the Group Policy Object Editor
74) To apply the policies, connect the wireless computers via a wired connection, log in, run "gpupdate /force" then reboot. The wired step is not optional the first time round: the computer cannot authenticate to the wireless network until it has received both the wireless policy and your Root CA certificate, and it can't receive those until it is on the network.
Setting up the wireless access point:
Obviously this depends very much on the model of the access point, so these instructions are very generic.
75) Look for an option for setting up WPA with Radius. On the superb DD-WRT firmware this is under Wireless > Wireless Security.
76) If there is an option to choose between AES and TKIP, choose AES
77) For the RADIUS server address, enter the IP address of your domain controller running IAS
78) For the RADIUS port, enter the authentication port number you made a note of earlier on. By default this will probably be 1812 (1813 for accounting, if your AP supports it).
79) Enter the RADIUS shared secret (some firmware labels this field a "key"): it must match exactly the "shared secret" you entered when adding the RADIUS client in IAS at step 5. It is not a WPA pre-shared key; with WPA plus RADIUS there is no pre-shared key at all.
80) Set up the SSID to match what you put in your Wireless Networking policies sent to the clients, e.g. SchWlan1. If you want to disable broadcasting of the SSID it will make your network less visible to casual snoopers, but it adds no real security (the SSID is still sent in the clear every time a client connects, and clients configured for a hidden network will probe for it wherever they are) and it might make it more difficult to troubleshoot problems with your setup.
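As an added example, not part of the original instructions, the following Python script shows what the shared secret from steps 5 and 79 is actually used for on the wire, and therefore why it must match exactly on both sides and why it should be long and random. It builds the first packet of a PEAP exchange as the access point would send it to IAS (an Access-Request carrying EAP-Response/Identity, with the Message-Authenticator that RFC 3579 requires on any RADIUS packet carrying EAP) and the Access-Challenge the server answers with (EAP-Request/PEAP-Start, signed with the Response Authenticator from RFC 2865). Both sides verify each other using only the shared secret; a wrong secret or a tampered packet is dropped. The client identity, NAS address and the PEAP start flags are illustrative values chosen for this example.

```python
"""RADIUS (RFC 2865) + EAP-over-RADIUS (RFC 3579) exchange, minimal and self-contained.

Added example: this is not IAS or DD-WRT code, only the packet arithmetic both implement.
"""
import hashlib
import hmac
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
RADIUS_AUTH_PORT = 1812  # default IAS authentication port noted in steps 4 and 78


def generate_shared_secret(length=32):
    """Random secret; the page cites Microsoft's advice of 22+ randomly generated characters."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _attr(attr_type, value):
    """RADIUS attribute TLV: type, total length (value + 2), value (max 253 bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _eap(code, ident, eap_type, data):
    """EAP packet: code, identifier, length, type, type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def _assemble(code, ident, authenticator, attrs):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _message_authenticator(code, ident, authenticator, attrs_with_zeroed_ma, secret):
    """RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the packet, MA value zeroed.
    For responses the Request Authenticator is placed in the authenticator field."""
    return hmac.new(secret, _assemble(code, ident, authenticator, attrs_with_zeroed_ma), hashlib.md5).digest()


def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(ident, request_auth, identity, nas_ip, secret):
    """Access-Request as the AP sends it: EAP-Response/Identity plus Message-Authenticator."""
    eap = _eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    attrs = (_attr(ATTR_USER_NAME, identity.encode())
             + _attr(ATTR_NAS_IP, bytes(int(x) for x in nas_ip.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap))
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    ma = _message_authenticator(ACCESS_REQUEST, ident, request_auth, zeroed, secret)
    return _assemble(ACCESS_REQUEST, ident, request_auth, attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, ma))


def verify_message_authenticator(packet, secret, request_auth):
    """Recompute the HMAC with the received MA zeroed and compare in constant time."""
    received, zeroed = None, b""
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received = value
            zeroed += _attr(attr_type, b"\x00" * 16)
        else:
            zeroed += _attr(attr_type, value)
    if received is None:  # RFC 3579: EAP without Message-Authenticator must be discarded
        return False
    return hmac.compare_digest(received, _message_authenticator(packet[0], packet[1], request_auth, zeroed, secret))


def build_challenge(request, secret):
    """Access-Challenge carrying EAP-Request/PEAP-Start; signed per RFC 3579 and RFC 2865."""
    ident, request_auth = request[1], request[4:20]
    eap_ident = ([v for t, v in parse_attrs(request) if t == ATTR_EAP_MESSAGE][0][1] + 1) & 0xFF
    eap = _eap(EAP_REQUEST, eap_ident, EAP_TYPE_PEAP, b"\x20")  # flags byte: S(tart)=1, version 0
    attrs = _attr(ATTR_EAP_MESSAGE, eap)
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, _message_authenticator(ACCESS_CHALLENGE, ident, request_auth, zeroed, secret))
    # RFC 2865 3: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(_assemble(ACCESS_CHALLENGE, ident, request_auth, attrs) + secret).digest()
    return _assemble(ACCESS_CHALLENGE, ident, resp_auth, attrs)


def handle_request(packet, secret):
    """Server side: a bad Message-Authenticator (wrong secret, tampering) is silently dropped, not rejected."""
    if packet[0] != ACCESS_REQUEST or not verify_message_authenticator(packet, secret, packet[4:20]):
        return None
    return build_challenge(packet, secret)


def verify_response(response, request, secret):
    """AP side: the response must answer our request id and verify under our secret."""
    request_auth = request[4:20]
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(_assemble(response[0], response[1], request_auth, response[20:]) + secret).digest()
    return hmac.compare_digest(response[4:20], expected) and verify_message_authenticator(response, secret, request_auth)


if __name__ == "__main__":
    shared = generate_shared_secret().encode()
    # Illustrative values: machine identity as XP sends it for computer authentication, AP address.
    req = build_request(7, os.urandom(16), "host/laptop01.yourdomain.int", "192.168.1.2", shared)
    chal = handle_request(req, shared)
    print("challenge accepted by AP:", verify_response(chal, req, shared))
    print("wrong secret dropped by server:", handle_request(req, b"typo") is None)
```

Note that MD5 and HMAC-MD5 are what the RADIUS RFCs specify, which is another reason the secret between the AP and IAS should be long and random and the wired segment between them should be one you control: the Request Authenticator and shared secret are all that protect the exchange until the TLS tunnel of PEAP is up.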