Microsoft KB Archive/816589

= HOW TO: Support Wireless Connections That Use EAP-TLS Authentication in Windows Server 2003 =

PSS ID Number: 816589

Article Last Modified on 11/7/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Small Business Server 2003, Premium Edition
 * Microsoft Windows Small Business Server 2003, Standard Edition

-





For a Microsoft Windows 2000 version of this article, see 318710.

IN THIS TASK

 * SUMMARY
 * Requirements
 * Configuring IAS Servers
 * Configuring Active Directory Accounts and Groups for Wireless Access
 * Configuring RADIUS Accounting and Authentication on Wireless Access Points
 * Configuring a Certificate Server
 * Installing Computer and User Certificates on Wireless Client Computers
 * REFERENCES



SUMMARY
This step-by-step article describes how to configure a Windows Server 2003 domain to support Microsoft Windows XP Professional-based client computers that connect to a wireless network by using Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.11 access with IEEE 802.1X authentication.

802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management, and accounting. The authentication itself is carried by the Extensible Authentication Protocol (EAP); Windows Server 2003 and Windows XP support the following EAP methods for wireless clients and servers:
 * EAP-TLS
 * PEAP (Protected EAP), which protects a second EAP method inside a TLS tunnel
 * EAP-MS-CHAP v2, which Windows offers only as the inner method of PEAP

This article discusses the EAP-Transport Layer Security (TLS) authentication method. For more information about the different authentication methods that Windows Server 2003 supports, see the "Understanding 802.1X authentication for wireless networks" topic in Windows Server 2003 Help.

EAP-TLS is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS. The mutual part of the authentication depends on the client configuration: a Windows XP client authenticates the IAS server only if the Validate server certificate option is turned on for the wireless connection and the issuing root CA is selected as trusted. Otherwise the client completes the handshake with any server that presents a certificate, for example a rogue access point backed by an attacker's RADIUS server.


Requirements
To deploy Windows XP Professional clients that use EAP-TLS, use the following list as a checklist of elements to configure:
 * Install and configure the primary Internet Authentication Service (IAS) server.
 * Install a computer certificate on each IAS server computer.
 * Add wireless access points (WAPs) that support IEEE 802.1X authentication.
 * Add the wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients on the primary IAS server.
 * Use the New Remote Access Policy Wizard to create a common policy for wireless access.
 * Turn on guest authentication so that new wireless clients can obtain user certificates over a wireless connection. To do so, create a group named Guests, and then add the Guest account as a member.
 * Use the New Remote Access Policy Wizard to create a custom policy for new wireless clients that do not have user certificates.
 * Copy the IAS configuration from the primary IAS server to the backup IAS server.
 * Register the primary and backup IAS servers in the appropriate Active Directory domains.
 * Configure the Windows XP Professional client computers that are using wireless network adapters.


Configuring IAS Servers
You can use IAS to support authentication, authorization, and accounting for wireless connections to an organization. This section provides information about how to configure a typical IAS for an organization.

Note You may want to configure two IAS servers, one primary and one secondary, to provide fault tolerance for RADIUS-based authentication. If you configure only one RADIUS server and it becomes unavailable, wireless access clients cannot connect. If you configure two IAS servers and configure all the wireless access points (RADIUS clients) for both the primary and the secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically use the secondary IAS server.

To configure the IAS servers, follow these steps:
 * Install and configure a primary IAS on a Windows Server 2003 domain controller. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

816586 HOW TO: Configure a Primary Internet Authentication Service Server on a Domain Controller in Windows Server 2003

 * Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see the "To enable the IAS server to read user accounts in Active Directory" topic in the Windows Server 2003 Help and Support Center.
 * Turn on file logging for accounting and authentication events. For more information, see the "To configure log file properties" topic in the Windows Server 2003 Help and Support Center.
 * If you must do so, configure additional UDP ports for the authentication and accounting messages that the RADIUS clients send. For more information, see the "To configure IAS port information" topic in the Windows Server 2003 Help and Support Center.

Note By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting. Ports 1812 and 1813 are the standard RADIUS ports; 1645 and 1646 are the older ports that some access points still use. Make sure that each access point sends to a port that IAS listens on.

 * Add the wireless access points as RADIUS clients of the IAS server. For more information, see the "To add RADIUS clients" topic in the Windows Server 2003 Help and Support Center. IAS discards RADIUS messages from addresses that are not configured as RADIUS clients, so every access point must be added. Give each access point its own long, random shared secret; the shared secret is the only thing that authenticates an access point's RADIUS messages to IAS, and the same secret must be entered on the access point.
 * Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:
    * Policy name: Wireless access
    * Access Method: Wireless access
    * User or Group: Select Group, and then specify the group that you are using for wireless users.
    * Authentication methods: Select Smart Card or other Certificate. If the server has multiple computer certificates, click Configure, and then select the certificate that IAS should present to wireless clients.
    * Policy Encryption Level: Select the Strongest encryption check box, and then clear all the other check boxes.
 * Optionally, create a custom wireless policy to support new wireless users by using the New Remote Access Policy Wizard. To do so, use the following settings:
    * Policy name: New wireless access
    * Conditions: NAS-Port-Type matches Wireless-Other or Wireless-IEEE 802.11, and Windows-Groups matches Guests
    * Permission: Grant remote access permission
    * Profile settings, Dial-in Constraints tab: Select the Minutes client can be connected check box, and then type 10.
    * Profile settings, Advanced tab: Add the Tunnel-Type attribute with the value Virtual LANs (VLAN), and add the Tunnel-Pvt-Group-ID attribute with the value of the VLAN ID of the VLAN that contains the certificate server for new wireless clients.
   This policy gives clients that do not yet have a user certificate ten minutes on a VLAN whose only purpose is certificate enrollment. Make sure that this VLAN can reach the certificate server (and whatever enrollment needs, such as a domain controller) and nothing else.
   For additional examples of remote access policies, see the "Remote access policies examples" topic in the Windows Server 2003 Help and Support Center.
 * Delete the default remote access policy. To do this, right-click the policy, click Delete, and then click Yes when you are prompted to confirm the deletion. The default policy matches every connection request, so if it is evaluated before the wireless policies it decides the outcome instead of them.
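The following is an added illustration, written for this edit rather than code from the article, from Microsoft, or from IAS itself: a small model of how IAS evaluates the two policies above. It shows that the first policy whose conditions match is the only one considered (no fall-through when its permission or profile then rejects), that a member of the wireless group who authenticates with anything other than a certificate is rejected by the "Wireless access" policy, that a Guest lands on the enrollment VLAN with a 600-second Session-Timeout, and why a default deny-all policy evaluated first breaks everything. The group names "WirelessUsers" and "Guests", the VLAN ID, and the added Tunnel-Medium-Type attribute (which RFC 3580 expects alongside Tunnel-Type and Tunnel-Private-Group-ID and most access points require) are assumptions for the demonstration.

```python
"""Model of IAS remote access policy evaluation for the wireless policies in
this article. Added example, not Microsoft code. RADIUS numeric values are
from RFC 2865, RFC 2868 and RFC 3580; group names and VLAN ID are assumed."""

from dataclasses import dataclass, field

ETHERNET, WIRELESS_OTHER, WIRELESS_IEEE_80211 = 15, 18, 19   # NAS-Port-Type
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6                 # RFC 3580 / RFC 2868
ENROLLMENT_VLAN_ID = "20"      # assumed VLAN that holds the certificate server


@dataclass
class Request:
    user: str
    groups: frozenset          # Windows groups the account belongs to
    nas_port_type: int
    eap_type: str              # "TLS" = Smart Card or other Certificate
    dialin: str = "policy"     # account setting: "allow", "deny" or "policy"


@dataclass
class Policy:
    name: str
    port_types: frozenset      # condition: NAS-Port-Type matches one of these
    groups: frozenset          # condition: Windows-Groups matches one of these
    grant: bool                # Grant or Deny remote access permission
    eap_types: frozenset = None            # profile constraint; None = any
    reply: dict = field(default_factory=dict)   # profile attributes sent back

    def conditions_match(self, req):
        """Empty condition sets match everything, like the default policy."""
        port_ok = not self.port_types or req.nas_port_type in self.port_types
        group_ok = not self.groups or bool(req.groups & self.groups)
        return port_ok and group_ok


def evaluate(req, policies):
    """Return (accepted, policy name, reply attributes) the way IAS decides:
    the first policy whose conditions match is the only one considered, with
    no fall-through to later policies if permission or profile then rejects."""
    for pol in policies:
        if not pol.conditions_match(req):
            continue
        # The account's own permission wins unless it is
        # "Control access through Remote Access Policy".
        if req.dialin == "deny" or (req.dialin == "policy" and not pol.grant):
            return False, pol.name, {}
        if pol.eap_types is not None and req.eap_type not in pol.eap_types:
            return False, pol.name, {}          # profile: authentication method
        return True, pol.name, dict(pol.reply)
    return False, None, {}                      # nothing matched: Access-Reject


WIRELESS_ACCESS = Policy(
    name="Wireless access",
    port_types=frozenset({WIRELESS_OTHER, WIRELESS_IEEE_80211}),
    groups=frozenset({"WirelessUsers"}),
    grant=True,
    eap_types=frozenset({"TLS"}),              # Smart Card or other Certificate
)

NEW_WIRELESS_ACCESS = Policy(
    name="New wireless access",
    port_types=frozenset({WIRELESS_OTHER, WIRELESS_IEEE_80211}),
    groups=frozenset({"Guests"}),
    grant=True,
    reply={
        "Session-Timeout": 10 * 60,          # "Minutes client can be connected: 10"
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,   # assumed; most APs need it
        "Tunnel-Private-Group-ID": ENROLLMENT_VLAN_ID,
    },
)

# The policy IAS ships with: no real conditions, so it matches every request.
DEFAULT_DENY = Policy(name="Connections to other access servers",
                      port_types=frozenset(), groups=frozenset(), grant=False)

POLICIES = [WIRELESS_ACCESS, NEW_WIRELESS_ACCESS]   # order matters

if __name__ == "__main__":
    alice = Request("alice", frozenset({"WirelessUsers"}), WIRELESS_IEEE_80211, "TLS")
    guest = Request("Guest", frozenset({"Guests"}), WIRELESS_IEEE_80211, "none")
    print("alice, EAP-TLS:      ", evaluate(alice, POLICIES))
    print("guest, no user cert: ", evaluate(guest, POLICIES))
    print("alice, wired port:   ", evaluate(Request("alice", alice.groups, ETHERNET, "TLS"), POLICIES))
    print("default policy first:", evaluate(alice, [DEFAULT_DENY] + POLICIES))
```

The last line of the demo is the reason the article tells you to delete the default policy: with it in front, even a correctly enrolled user is rejected by it before the wireless policies are ever consulted.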

For information about how to configure a secondary IAS server on a different domain controller, see the "Wireless access" topic in the Windows Server 2003 Help and Support Center.


Configuring Active Directory Accounts and Groups for Wireless Access
To configure Active Directory to support wireless access, follow these steps:
 * 1) Make sure that all the users who are making wireless connections have a corresponding user account in Active Directory.
 * 2) You can manage your wireless access by users or by groups. To manage wireless access by user, set the remote access permission on each user account to Allow access or Deny access. To manage wireless access by group, set the remote access permission on the user accounts to Control access through Remote Access Policy, and let the policy decide. For more information about configuring remote access permissions, see the "To configure remote access permission for a user" topic in the Windows Server 2003 Help and Support Center.
 * 3) Organize your wireless access users into the appropriate universal and nested groups to use group-based remote access policies. For example, create a universal group named WirelessUsers that contains global groups of wireless user accounts.
 * 4) Configure the Guest account to permit guest access for new wireless clients. Enable reversibly encrypted password storage on the Guest account. For more information, see the "To enable reversibly encrypted passwords in a domain" topic in the Windows Server 2003 Help and Support Center. Reversible encryption stores the password in a form that anyone who can read or replicate the account can recover, so turn it on for the Guest account only, never as a domain-wide policy, and keep the Guest account out of every group other than the Guests group created in the next step.
 * 5) Create a group named Guests, and add the Guest account as a member.
 * 6) Configure the domain where the IAS server computers will be members for auto-enrollment of computer certificates. For more information, see the "To configure automatic certificate allocation from an enterprise CA" topic in the Windows Server 2003 Help and Support Center.


Configuring RADIUS Accounting and Authentication on Wireless Access Points
Configure your third-party wireless access point as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers), the same UDP ports that IAS listens on, and the shared secret that you entered for that access point on the IAS servers. Enable both authentication and accounting. For more information, see the documentation for the wireless access point. For information about how to contact computer hardware manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


Configuring a Certificate Server
For a wireless client computer to be authenticated by using EAP-TLS, you must install a computer certificate on the client computer and on the IAS server. The computer certificate on the wireless client computer establishes network connectivity with the domain. After a network connection is established and the user logs on, a user certificate authenticates wireless access.

Certificate Services provides customizable services for issuing and managing certificates that are used in software security systems that use public key technology. Certificate Services is available on computers running Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, and Microsoft Windows Server 2003, Datacenter Edition.

Note You must also install a computer certificate on the IAS server so that the IAS server has a certificate to send to the wireless client computer for mutual authentication during EAP-TLS authentication. A Windows XP client accepts that certificate only if it chains to a root CA that the client trusts and carries the Server Authentication purpose (enhanced key usage 1.3.6.1.5.5.7.3.1); the client computer and user certificates must carry the Client Authentication purpose (1.3.6.1.5.5.7.3.2). Certificates issued from the default Computer and User templates of an enterprise CA meet these requirements.

In a simple implementation, configure a single enterprise root certification authority (CA) to issue both the computer and the user certificates. If you install the computer or the user certificate on the wireless client computer, the root CA certificate for the issuing CA is also installed.

When you install the computer certificate on the IAS server, the root CA certificate for the issuing CA is also installed. Both the wireless client and the IAS server have the certificates that you must have to perform EAP-TLS authentication.

Note When an enterprise CA is installed, the installation includes the Smart Card Enrollment station. This gives the administrator the ability to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

323342 HOW TO: Install a Certificate for Use with IP Security in Windows Server 2003

For more information, see the "To install a stand-alone root certification authority" topic in the Windows Server 2003 Help and Support Center.


Installing Computer and User Certificates on Wireless Client Computers
For user authentication with EAP-TLS, configure either user certificates or smart card authentication. Certificates can reside either in the certificate store on your computer or on a smart card. A smart card is a credit-card-sized device that is inserted into a smart card reader. The smart card reader is installed internally in your computer or connected externally to your computer. For more information, see the "Smart card and other certificate authentication" topic in the Windows Server 2003 Help and Support Center.
 * For smart card authentication, use the Smart Card Enrollment station to act, as the administrator, on behalf of a user and request and install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card. Then issue the smart cards to the users.
 * For user certificate-based authentication, the user must request a user certificate from a Windows Server 2003 CA on the internal network, either while connected by wire or over the restricted VLAN that the New wireless access policy provides. Computer certificates are handled separately: if you configured the domain to automatically allocate certificates to domain computers, connect the client computer to the domain by using a wired connection, and a computer certificate is issued automatically.

For information about requesting a certificate, see the "To request a certificate" topic in the Windows Server 2003 Help and Support Center.

For information about enabling smart card and certificate authentication, see the "To enable smart card or other certificate authentication" topic in the Windows Server 2003 Help and Support Center. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

323342 HOW TO: Install a Certificate for Use with IP Security in Windows Server 2003


<div class="references_section">