Internet Authentication Service (IAS) is the Remote Authentication Dial-in User Service (RADIUS) server in Windows Server 2003 family. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. Microsoft Radius supports Windows 7, Windows XP SP2 and Mac OSX clients. This article provided an overview of Microsoft RADIUS and PEAP security and described how RADIUS security are implemented and deployed in IT infrastructure.
Prerequisite : Microsoft Active Directory, DNS, DHCP and Certificate Server, Cisco 1200 series wireless AP, MAC OSX 10.5, Windows XP Pro/Windows 7.
AAA Infrastructure:
Aunthentication: Microsoft Active Directory, Authorization: Microsoft Radius (IAS), Accounting: Microsoft Radius (IAS)
Security Measures: PEAP and Shared Secret
Encryption: MSCHAPv2
Configure IAS
Make sure all prerequisites mentioned above are ready and working. Install windows server and make it a member of Microsoft Active Directory domain.
Install machine certificate i.e. computer certificate in this server
Click on add/remove snap in
Click add
Select Certificates, click add
Check computer account radio button, click next
Select local computer, click finish
Right mouse click on personal and click on request certificate, follow screen shot
Click next, then click ok.
Install IAS as follows
Go to Add remove windows component, select internet Authentication Service, click ok.
Open IAS console from administrative tools, right click on IAS as above, click register service in Active Directory
Add RADIUS Client, mention Cisco access point name and IP of Cisco Access Point, click next
Select Radius standard and provide shared secret and confirm, click finish. Shared secret must be same as you mentioned in Cisco wireless access point
Create Wireless access group in windows Active Directory and Add desired members in that group
go to administrative tools in IAS server, open IAS console, Add wireless access policy in Radius server
right click in wireless access policy and create new access policy
Select as above
Check Wireless and click next
Add wireless access group from active directory by click add button
Select PEAP, click on configure
Click ok
Click finish
Now go to property of newly created access policy, click edit profile, click authentication tab, check EAP methods as follows.
Check encryption and authentication method. Use MSCHAP v2. Encryption 128 bits.
Configure Wireless access point as shown in the link
Now infrastructure is ready to authenticate iMac OSX 10.5, Windows 7 and XP via wireless.
Log on to an XP machine using user credentials who is a member of wireless access group. Go to run, type mmc and press ok. follow the steps mentioned above on top to install machine certificate but this time install user certificate i.e. check user account instead of computer account.
Once user certificate installed, right click on user certificate, click All task, click export follow screen shot
Save certificate in usb stick.
Configure Mac OSX 10.5
Now open iMac/Mac book pro. Go to utility, open Key Chain, select login, drag certificate from USB stick and drop it in key chain login, click ok
Type the password used while exporting certificate
go to system preference, open network, select AirPort, click on advance, click on +
Click on show all, select desired Mac wireless SSID, follow screen shot
type AD user name and password who is a member of wireless access group, select certificate, click add
Now authenticated as above. all done.
It is not necessary to bind Mac OSX 10.5 to AD to get wireless authentication via RADIUS. PEAP and certificate will do. now you can add user home drive, printer from print server.
On Windows XP or Windows 7 machine, log on using domain user credential who is a member wireless access group, install user certificate and machine/computer certificate as mentioned above. Turn on wireless, select SSID, click on connect, in few seconds it will be connected.
