How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Internet Authentication Service (IAS) is the Remote Authentication Dial-in User Service (RADIUS) server in Windows Server 2003 family. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. Microsoft Radius supports Windows 7, Windows XP SP2 and Mac OSX clients. This article provided an overview of Microsoft RADIUS and PEAP security and described how RADIUS security are implemented and deployed in IT infrastructure.

Prerequisite : Microsoft Active Directory, DNS, DHCP and Certificate Server, Cisco 1200 series wireless AP, MAC OSX 10.5, Windows XP Pro/Windows 7.

AAA Infrastructure:

Aunthentication: Microsoft Active Directory, Authorization: Microsoft Radius (IAS), Accounting: Microsoft Radius (IAS)

Security Measures: PEAP and Shared Secret

Encryption: MSCHAPv2 

Configure IAS

Make sure all prerequisites mentioned above are ready and working. Install windows server and make it a member of Microsoft Active Directory domain.

1

Install machine certificate i.e. computer certificate in this server

7

Click on add/remove snap in

8 

Click add

9

Select Certificates, click add

10

Check computer account radio button, click next

11

Select local computer, click finish

12

Right mouse click on personal and click on request certificate, follow screen shot

13

14

Click next, then click ok.

Install IAS as follows

2

Go to Add remove windows component, select internet Authentication Service, click ok.

3

4

Open IAS console from administrative tools, right click on IAS as above, click register service in Active Directory

Add RADIUS Client, mention Cisco access point name and IP of Cisco Access Point, click next

5

Select Radius standard and provide shared secret and confirm, click finish. Shared secret must be same as you mentioned in Cisco wireless access point

6

Create Wireless access group in windows Active Directory and Add desired members in that group

image

go to administrative tools in IAS server, open IAS console, Add wireless access policy in Radius server

15

right click in wireless access policy and create new access policy

untitled

Select as above

untitled1

Check Wireless and click next

untitled2

Add wireless access group from active directory by click add button

untitled3

Select PEAP, click on configure

untitled4

Click ok

untitled5

Click finish

Now go to property of newly created access policy, click edit profile, click authentication tab, check EAP  methods as follows.

untitled6

Check  encryption and authentication method. Use MSCHAP v2. Encryption 128 bits.

Configure Wireless access point as shown in the link

https://araihan.wordpress.com/2009/08/02/how-to-configure-cisco-1242-ap-to-get-authentication-from-ms-ias/

Now infrastructure is ready to authenticate iMac OSX 10.5, Windows 7 and XP via wireless.

Log on to an XP machine using user credentials who is a member of wireless access group. Go to run, type mmc and press ok. follow the steps mentioned above on top to install machine certificate but this time install user certificate i.e. check user account instead of computer account.

Once user certificate installed, right click on user certificate, click All task, click export follow screen shot

image

image

image

image

image

image

Save certificate in usb stick.

Configure Mac OSX 10.5

Now open iMac/Mac book pro. Go to utility, open Key Chain, select login, drag certificate from USB stick and drop it in key chain login, click ok

image

Type the password used while exporting certificate

image

image

go to system preference, open network, select AirPort, click on advance, click on +

image

Click on show all, select desired Mac wireless SSID, follow screen shot

image

image

type AD user name and password who is a member of wireless access group, select certificate, click  add

image

Now authenticated as above. all done.

It is not necessary to bind Mac OSX 10.5 to AD to get wireless authentication via RADIUS. PEAP and certificate will do. now you can add user home drive, printer from print server. 

On Windows XP or Windows 7 machine, log on using domain user credential who is a member wireless access group, install user certificate and machine/computer certificate as mentioned above. Turn on wireless, select SSID, click on connect, in few seconds it will be connected.