Microsoft KB Archive/318710

= How to support wireless connections in a Windows 2000 domain =

Article ID: 318710

Article Last Modified on 5/21/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q318710



IN THIS TASK
SUMMARY
 * Requirements
 * How to configure a certificate server
 * How to configure Active Directory accounts and groups for wireless access
 * How to configure primary and secondary IAS servers
 * How to configure RADIUS accounting and authentication on Wireless Access Points
 * How to install computer and user certificates on wireless client computers

REFERENCES



SUMMARY
This step-by-step article describes how to configure a Windows 2000 domain to support Microsoft Windows XP Professional-based client computers that are using IEEE 802.11 access with IEEE 802.1x authentication in a wireless network.

back to the top

Requirements
To deploy Windows XP Professional clients that are using Extensible Authentication Protocol-Transport Level Security (EAP-TLS), you must configure the following items:
 * Windows XP Professional client computers that are using wireless network adapters.
 * A server that is running Windows 2000 Internet Authentication Service (IAS) for Remote Authentication Dial-In User Service (RADIUS) authentication.
 * Wireless Access Points (WAP) that support IEEE 802.1x authentication.

Additionally, you must install the following components in the Windows 2000 domain:  Windows 2000 Service Pack 2 (SP2). For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

 An update for Windows 2000 IAS. For additional information about how to obtain this update, click the following article number to view the article in the Microsoft Knowledge Base:

304697 Some wireless values for the RADIUS attributes are not available

 An update for Active Directory that allows computer accounts to have dial-in properties. For additional information about how to obtain this update, click the following article number to view the article in the Microsoft Knowledge Base:

306260 Cannot modify dial-in permissions for computers that use wireless networking



back to the top

How to configure a certificate server
For a wireless client computer to be authenticated by using EAP-TLS, you must install a computer certificate on the client computer and on the IAS server. The computer certificate on the wireless client computer is used to obtain network connectivity with the domain. After a network connection is established and the user logs on, a user certificate is used to authenticate wireless access.

NOTE: You must also install a computer certificate on the IAS server so that the IAS server has a certificate to send to the wireless client computer for mutual authentication during the EAP-TLS authentication process.

In a simple implementation, configure a single enterprise root Certificate Authority (CA) to issue both the computer and the user certificates. If you install the computer or the user certificate on the wireless client computer, the root CA certificate for the issuing CA is also installed.

When you install the computer certificate on the IAS server, the root CA certificate for the issuing CA is also installed. Both the wireless client and the IAS server have the certificates that are required to perform EAP-TLS authentication.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

231881 How to install/uninstall a Public Key Certificate Authority for Windows 2000

313234 How to change the policy settings for a Certification Authority (CA) in Windows 2000

For additional information about how to automatically allocate a certificate to each computer in a domain, follow these steps:  Click Start, and then click Help. Click the Search tab, type the following text, and then click List Topics:

configure automatic certificate allocation from an enterprise ca

 In the Select topic list, click Configure automatic certificate allocation from an enterprise CA, and then click Display.</li></ol>

back to the top

How to configure Active Directory accounts and groups for wireless access
To configure Active Directory to support wireless access:
 * 1) Create an account for each user.
 * 2) Create an account for each wireless computer.
 * 3) Grant the Remote access permission to each computer account.
 * 4) Grant the Remote access permission to each user account.
 * 5) Organize user and group accounts into universal and global groups to apply group-based remote access policy settings.

For additional information about how to support wireless connections in a Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:

318750 Configure Active Directory accounts and groups for wireless access in Windows 2000

back to the top

How to configure primary and secondary IAS servers
<ol> Install and configure a primary IAS server and a secondary IAS server on Windows 2000 domain controllers. For additional information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:

317588 How to configure a primary Internet Authentication Service server on a domain controller

317589 How to configure a secondary Internet Authentication Service server on a domain controller

</li> Add the WAP as Network Address Server (NAS) clients to the IAS servers.</li> Create a remote access policy setting for wireless access to the internal network. To do so: <ol style="list-style-type: lower-alpha;"> Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.</li> Right-click Remote Access Policies, and then click New Remote Access Policy.</li> In the Policy friendly name box, type the name that you want to use, and then click Next.

For example, type Wireless access to internal network .</li> Click Add, click Windows-Groups, click Add, and then click Add.</li> Click the group to which you want to apply the remote access policy setting, click Add, click OK, and then click OK.

Windows-Groups matches &quot; &quot; is listed in the Conditions box.</li> Click Add, click NAS-Port-Type, and then click Add.</li> Under Available types, click Wireless-Other or Wireless-IEEE 802.11 (depending on the type of WAP that you have), click Add, and then click OK. (If you cannot configure the NAS-Port-Type and clients are denied access, look in the system event log for IAS errors and verify that the NAS-Port-Type in the error message matches the type that is set in your policy.)</li> Click Next, click Grant remote access permission, and then click Next.</li> Click Edit Profile, and then click the Authentication tab.</li> Click to select the Extensible Authentication Protocol check box, and then click to clear all of the other check boxes.</li> In the Select the EAP which is acceptable for this policy list, click Smart Card or other Certificate.

NOTE: If you have multiple certificates installed on the IAS server, click Configure, and then click the appropriate computer certificate.</li> Click Apply, and then click the Encryption tab.</li> <li>Click to clear all check boxes except for the Strongest check box.

NOTE: If the WAP does not support encryption, click to clear all check boxes, and then click to select the No Encryption check box.</li> <li>Click OK, click No if you are prompted to view the remote access Help topic, and then click Finish.</li></ol> </li> <li>Create a remote access policy setting for wireless access to the Internet. To do so: <ol style="list-style-type: lower-alpha;"> <li>Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.</li> <li>Right-click Remote Access Policies, and then click New Remote Access Policy.</li> <li>In the Policy friendly name box, type the name that you want to use, and then click Next.

For example, type Wireless access to the Internet .</li> <li>Click Add, click Windows-Groups, click Add, and then click Add.</li> <li>Click the group to which you want to apply the remote access policy setting, click Add, click OK, and then click OK.

Windows-Groups matches &quot; &quot; is listed in the Conditions box.</li> <li>Click Add, click NAS-Port-Type, and then click Add.</li> <li>Under Available types, click Wireless-Other or Wireless-IEEE 802.11 (depending on the type of WAP that you have), click Add, and then click OK.</li> <li>Click Next, click Grant remote access permission, and then click Next.</li> <li>If the WAP supports virtual local area networks (VLANs): <ol> <li>Click Edit Profile, and then click the Advanced tab.</li> <li>Click Add, click Tunnel-Type, click Add, and then click Add.</li> <li>In the Attribute value list, click Virtual LANs (VLAN), click OK, and then click OK.</li> <li>In the RADIUS attributes list, click Tunnel-Pvt-Group-ID, click Add, and then click Add.</li> <li>In the Enter the attribute value in box, type the attribute value of the VLAN that is connected to the Internet.</li> <li>Click OK, click OK, click Close, and then click OK.</li></ol> </li> <li>Click Finish.</li></ol> </li> <li>Delete the default remote access policy setting named Allow access if dial-in permission is enabled, if it is listed.

To do so, right-click the policy setting, and then click Delete. Click Yes when you are prompted to confirm the deletion.</li> <li>Copy the remote access policy settings to the other IAS server.</li></ol>

For additional information about how to create a remote access policy setting, click the following article number to view the article in the Microsoft Knowledge Base:

313082 How to enforce a remote access security policy in Windows 2000

back to the top

How to configure RADIUS accounting and authentication on Wireless Access Points
Configure the WAP to use the IAS servers for RADIUS accounting and authentication. On each WAP, enter the following information for the primary IAS server and the secondary IAS server:
 * The Internet Protocol (IP) address or host name.
 * The shared secret.
 * The User Datagram Protocol (UDP) ports that are used for authentication and accounting.

For additional information about how to configure the WAP, consult the WAP documentation. For information about how to contact computer hardware manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

back to the top

How to install computer and user certificates on wireless client computers
Install the computer and client certificates on the wireless client computers. If you configured the domain to automatically allocate certificates to computers that are connected to the domain, you can connect the client computer to the domain by using a wired connection. A computer certificate is automatically issued.

For user authentication with EAP-TLS, configure either user certificates or smart card authentication.
 * For smart card authentication, configure an enrollment station, and then issue smart cards with certificates that are mapped to individual user accounts.
 * For user certificate-based authentication, the computer must request a user certificate from a Windows 2000 CA on the internal network.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

253498 How to install a certificate for use with IP Security

back to the top

<div class="references_section">