Setup RADIUS Server for PEAP&EAP-TLS Authentication

=Setup RADIUS Server for PEAP and EAP-TLS Authentication: Description=

This page describes how to build up a secure LAN, using one server and an 802.1x compatible Access Point. The server is running Microsoft Windows Server 2003 standard edition with service pack 2. The 802.1x compatible Accees Point here we are using is Linksys WRT160N v2. There are two clients waiting for intranet access; one is client computer, running Windows XP, with PEAP-MS-CHAP v2 security. The other is an OMAP handset device, running Android 2.3, with EAP-TLS security. Before the clients can access the resource, they need to pass the PEAP-MS-CHAP v2 and EAP-TLS authentications.

This "How To" page takes you step-by-step through the configuration required for PEAP-MS-CHAP v2 authentication, then through the steps required for EAP-TLS authentication also.

By showing you how to configure each device, this "How To" note goes through building blocks to create a secure LAN with enterprise authentication.

You can also use this fragment in a lab, for testing 802.1x configurations.

PEAP-MS-CHAP v2: Protected Extensible Authentication Protocol —Microsoft Challenge Handshake Authentication Protocol version 2

EAP-TLS: Extensible Authentication Protocol —Transport Layer Security

= Infrastructure of Security LAN =

The infrastructure for this example 802.1x secure LAN consists of four devices performing the following roles:




 * A computer running Microsoft Windows Server 2003, Standard Edition, named RADIUS, that acts as a domain controller, a  Domain Name System (DNS)  server, a  certification authority(CA) , and a  Remote Authentication Dial-in User Service (RADIUS) server.


 * A computer running Microsoft Windows XP 2002 Professional Service Pack 1 (SP3), named CLIENT1, that acts as an  802.1x client computer.


 * A OMAP handset device, Blaze, running Android 2.3 (Gingerbread) with kernel 2.6.35.7, named 8021xuser, that acts as an  802.1x user.

Additionally, a Linksys Access Pointer acts as an  802.1x authenticator to provide connectivity to the Ethernet intranet network segment for the 802.1x clients (or supplicant).

The four devices represent a network segment in a corporate intranet. In this example, both wireless devices on the LAN are associated to a common 802.1x authenticating Linksys AP and will get the dynamic IP addresses from DHCP server. By the way, AP and sever are configured with fixed IP.

= Ramping the Windows 2003 Server and Enabling PEAP and EAP-TLS Capabilities =

Having the Domian Controller(DC) and Domain Name System(DNS) on Windows 2003 Server
Before enabling the enterprise security capabilities on Windows Server, three servers are need to install first.


 * A domain controller (DC) for the wifilabs.local domain, including Active Directory.
 * The enterprise root certification authority (CA) for the wifilabs.local domain.
 * A DNS server for the wifilabs.local DNS domain.

Note:
 * 1)  It is necessary for the server to join as a member of one domain, if you are going to enable EAP-TLS authentication. Here we have built up the Domain Controller on the server computer which allows us to create local domain, wifilabs.local, in our lab. 
 * 2) This PC uses Windows Server 2003, Standard Edition, so that you can configure autoenrollment of user and workstation certificates for EAP-TLS authentication, as described in "EAP-TLS Authentication". Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve the security by automatically expiring and renewing certificates.

Perform Basic Installation and Configuration

 * 1) Install Windows Server 2003, Standard Edition with SP3, as a stand-alone server with all of default configurations and security updates.
 * 2) Click  Start </b>, right click  My Computer </b>, select  Properties </b>, click the  Computer Name tab </b> and type  RADIUS SERVER </b> in Computer Name. Click  OK </b>.
 * 3) Configure the  TCP/IP protocol </b> with the IP address of  192.168.0.98 </b>and the subnet mask of 255.255.255.0.

Configure the Computer as a Domain Controller
During the Active Directory you may accept defaults (as shown below) or specify your own preferences. You may be asked to insert the Windows Server 2003, CD ROM, and to restart the machine.


 * Click  Start </b>, click  Run </b>, type  dcpromo.exe </b>, and then click  OK </b> to start the Active Directory Installation Wizard.
 * In the Domain Controller Type page, select  Domain controller for a new domain </b>. Click  Next </b>.


 * Select  Domain in a new forest </b>. Click  Next </b>.
 * In  New Domain Name</b>, the <b style="color:black"> Full DNS name for new domain:</b> <b style="color:blue"> wifilabs.local </b>. Click <b style="color:black"> Next </b>.
 * In <b style="color:blue"> NetBIOS Domain name </b>, <b style="color:blue"> NetBIOS Domain name </b>: <b style="color:blue"> wifilabs </b>. Click <b style="color:black"> Next </b>.
 * In <b style="color:blue"> Database and Log Folders </b>, specify where you want to store the Active Directory database. Click <b style="color:black"> Next </b>.
 * In the Shared System Volume window, specify the folder and its location to be shared as the SYSVOL folder. Click Next.
 * In the DNS Registration Diagnostics window, select Install and configure the DNS server on this computer to use this DNS server as its preferred DSN server. Click Next.
 * In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems. Click Next.
 * In the Directory Services Restore Mode Administrator Password window, enter passwords for the Administrator account. Click Next twice.

Add Computers to the Domain

 * Open the Active Directory Users and Computers snap-in (available from administrative tools).
 * In the console tree, expand wifilabs.local.
 * Right-click Computers, click New, and then click Computer.
 * In the New Object - Computer dialog box, type <b style="color:blue"> RADIUS </b> in Computer name. This is shown in the following figure. Click Next.
 * Repeat steps to create the additional computer account: <b style="color:blue">CLIENT1</b> (with no spaces).

Allow 802.1x Access to the Computers

 * In the Active Directory Users and Computers console tree, click the Computers folder, right-click CLIENT1, click Properties, and then click the Dial-in tab.
 * Select <b style="color:blue"> Allow access </b> and then click OK.

Add users to the Domain
email address. However, if you are simply setting up for a test, that is not necessary.
 * In the Active Directory Users and Computers console tree, right-click Users, click New,and then click User.
 * In the New Object - User dialog box, type <b style="color:blue">8021xUser</b> in First name and type <b style="color:blue"> 8021xUser</b> in User logon name. This is shown in the following figure. Click Next.
 * In the New Object - User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box. This is shown in the following figure. Click Next to continue the installation. Strictly speaking, you should give the 802.1x account an
 * Upon completion of the installation, click Finish.

Allow 802.1x Access to Users

 * In the Active Directory Users and Computers console tree, click the Users folder, rightclick 8021xUser, click Properties, and then click the Dial-in tab.
 * Select <b style="color:blue">Allow access</b> and then click OK.

Add Groups to the Domain
and then click Group.
 * In the Active Directory Users and Computers console tree, right-click Users, click New,
 * In the New Object - Group dialog box, type <b style="color:blue">8021xUsers</b> in Group name, and then click OK. This is shown in the following figure.

Add Users to the Group

 * In the details pane of the Active Directory Users and Computers, double-click 8021xUsers.
 * Click the Members tab, and then click Add.
 * In the Select Users, Contacts, or Computers dialog box, type <b style="color:blue">8021xUser</b> in Enter the object names to select. This is shown in the following figure. Click OK.
 * The 8021xUser user account is added to the 8021xUsers group. This is shown in 8021xUsers Properteies. Click OK to save changes to the 8021xUsers group.

Add the Computer to the Group
Note: Adding client computers to the 8021xUsers group allows computer authentication. Computer authentication is needed so that the computer can attach to the 8021x network, obtain an IP address configuration (if DHCP is being used), locate Active Directory domain controllers, download the latest Computer Configuration Group Policy settings, and other computer startup processes.


 * Repeat steps in the preceding "Add users to 8021xUsers group" procedure.
 * In the Select Users, Contacts, or Computers dialog box, type <b style="color:blue">client1</b> in Enter the object names to select. This is shown in the following figure.
 * Click Object Types.
 * Clear the Users check box, and then select the Computers check box. This is shown in the following figure. Click OK twice. The <b style="color:blue"> CLIENT1</b> computer account is added to the 8021xUsers group. Click OK to finish.

Having the RADIUS Sever on Windows 2003
RADIUS is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication and authorisation for the 802.1x Linksys access point. During this process, the server PC named RADIUS is the member of wifilabs.local domain.

Whenever you restart the PC, remember to log into the WIFILABS domain.

To configure RADIUS as a RADIUS server, perform the following steps:

Perform basic installation and configuration

 * Install Windows Server 2003, Standard Edition with default configuration.
 * For the intranet local area connection, configure the TCP/IP protocol with the IP address of 192.168.0.98 and the subnet mask of 255.255.255.0.
 * Click Start, right click My Computer, select Properties, type <b style="color:blue">RADIUS </b>in Computer Name.
 * Click the Change button.
 * Type <b style="color:blue">wifilabs.local</b> in the Member of Domain field.
 * Click OK.
 * Enter the Administrator User name and password.
 * Click OK
 * Restart the machine.
 * Logout and login to the RADIUS server as "administrator" in the wifilabs.local domain. Domain selection is available under login options

Install and configure Internet Authentication Service

 * From Control Panel select Add or Remove Programs, click Add/Remove Windows Component and install the part of Networking Services called Internet Authentication.

Note: To install individual parts of Networking Services, click on the Details button, and select the elements you require. You may be required to insert the Windows Server 2003, CD-ROM.


 * In the Administrative Tools folder, open the Internet Authentication Service snap-in.
 * Right-click Internet Authentication Service, and then click <b style="color:blue"> Register Server in Active Directory</b>. When the Register Internet Authentication Server in Active Directorydialog box appears, click OK. This is shown in the following figure.

 

A message should confirm registration and authorisation to refer to users properties. If you see the following error, you need to make sure you are logged in as the wifilabs.local administrator.

Install Certificate Services on Windows Sever

 * In Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.
 * In the Windows Components Wizard page, select <b style="color:blue"> Certificate Services </b>, and then click Next.
 * In the CA Type page, select <b style="color:blue">Enterprise root CA </b>. This is shown in the following figure. Click Next.
 * Type <b style="color:blue"> Example CA </b> in the Common name for this CA field, and then click Next. Accept the default Certificate Database Settings. This is shown in the following figure. Click Next.
 * Upon completion of the installation, click Finish. You may be asked to insert the Windows Server 2003 CD-ROM.

Configure Autoenrollment for the Root Certificate

 * Open the Active Directory Users and Computers snap-in (from administrative tools).
 * In the console tree, double-click Active Directory Users and Computers, right-click the wifilabs.local domain, and then click Properties.
 * On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in.
 * In the console tree, expand Computer Configuration --> Windows Settings--> Security Settings --> Public Key Policies, and then click Automatic Certificate Request Settings. This is shown in the following figure.
 * Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
 * On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
 * On the Certificate Template page, click Computer. This is shown in the following figure.


 * Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The <b style="color:blue"> Computer</b> certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.

Configure Autoenrollment for the Client Certificate

 * In the console tree, expand User Configuration--> Windows Settings-->Security Settings-->Public Key Policies. This is shown in the following figure.
 * In the details pane, double-click Autoenrollment Settings.
 * Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
 * Select the Update certificates that use certificate templates check box. This is shown in the following figure. Click OK.

Request root Certificates for Radius Server
The Microsoft Management Console (MMC) lets system administrators create much more flexible user interfaces and customize administration tools. For the guide of new features, please refer to. Use the following steps to create an Microsoft Management Console (MMC) on your RADIUS server that contains the Certificates (Local Computer) snap-in.

Create the Certificates (Local Computer) console

 * Click Start, click Run, type <b style="color:blue">mmc</b>, and then click OK.
 * On the Console File menu, click Add/Remove Snap-in, and then click Add.
 * Under Snap-in, double-click Certificates, click Computer account, and then click Next.
 * Select Local computer, click Finish, click Close, and then click OK.

The Certificates (Local Computer) snap-in is shown in the following figure.

Note: PEAP with MS-CHAP v2 requires certificates on the RADIUS servers but not on the 802.1x clients. Autoenrollment of computer certificates for the RADIUS servers can be used to simplify a deployment. However, in this "PEAP-MS-CHAP v2 Authentication" section, a certificate is manually requested for the RADIUS computer because the autoenrollment of the certificates is not yet configured. This is described in "Configure Autoenrollment for Certificates Issue"

Manually Request Root Certificate

 * Right-click the Personal folder, click All Tasks, click Request New Certificate, and then click Next.
 * Click Computer for the Certificate types, and then click Next.
 * Type <b style="color:blue">RADIUS Certificate</b> in Friendly name. This is shown in the following figure.
 * Click Next. On the Completing the Certificate Request Wizard page, Click Finish.
 * A "The certificate request was successful" message is displayed. Click OK.

You may wish to save mmc console settings as "certificates_wifilabslocal.msc".

Enabling the Radius Server to have EAP-TLS and PEAP Authentication Capability
In the Internet Authentication Service(IAS), there are two configurations, Radius Client(which means 802.1x AP) and Remote Aceess Policy, we need to customize for our authentication environment.

Add the 802.1x Linksys AP as RADIUS client

 * Click Start, select Admin Tools, then select Internet Authentication Service.
 * In the console tree of the Internet Authentication Service snap-in, right-click RADIUS Clients, and then click New RADIUS Client.
 * In the Name and Address page of the New RADIUS Client wizard, for Friendly name, type <b style="color:blue"> 8021xAP </b>. In Client address (IP or DNS), type <b style="color:blue"> 192.168.0.98</b>, and then click Next. This is shown in the following figure.
 * Click Next. In the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a shared secret for the 802.1x access point, and then type it again in Confirm shared secret. Tick Request must contain the Message Authenticator attribute. This is shown in the following figure. Click Finish.

<b style="color:red"> Note: The shared secret entered here needs to match the shared secret on the configuration of the 802.1x access point. Refer to Enable Linksys WRT160N Router have EAP-TLS and PEAP. </b>

Create and configure Remote Access Policy
Inside of Remote Aceess Policy, we are going to define the Acees Method, Active Groups used for PEAP type (ID/password) Authentication and Authentication Methods.(PEAP or EAP-TLS)


 * In the console tree of the Internet Authentication Service snap-in, right-click Remote Access Policies, and then click New Remote Access Policy.
 * On the Welcome to the New Remote Access Policy Wizard page, click Next.
 * On the Policy Configuration Method page, type <b style="color:blue"> wireless access to intranet </b> in Policy name. This is shown in the following figure.
 * Click Next. On the Access Method page, select <b style="color:blue"> Wireless</b>. This is shown in the following figure.
 * Click Next. On the User or Group Access page, select Group.
 * Click Add. In the Select Groups dialog box, type <b style="color:blue">8021xUsers</b> in the Enter the object names to select box. Verify that wifilabs.local is listed in the From this location field. This is shown in the following figure. If it’s not listed - click on the Locations button to select a location.
 * Click OK. The 8021xUsers group in the WIFILABS domain (shown as WIFILABS\8021xUsers) is added to the list of Group name: on the Users or Groups Acess page. This is shown in the following figure. Click Next.
 * On the Authentication Methods page, here is the way we define the enterprise security.(EAP-TLS/PEAP or both)

If the 802.1x security LAN only have PEAP(ID/password) authentication, then
 * 1) select <b style="color:blue"> Protected EAP (PEAP)</b> from the Type drop down list.
 * 2) Click Next. On the Completing the New Remote Access Policy page, click Finish.

If the 802.1x security LAN have EAP-TLS (client/root certificates) authentication, then


 * 1) select <b style="color:blue">Smart Card or other Certificate Properties </b> from the Type drop down list.
 * 2) Click Smart Card or other certificate, and then click OK. The Smart Card or other certificate type is shown in list of EAP providers. This is shown in the following figure.
 * 3) Click Edit. The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
 * 4) The properties of the computer certificate issued to the RADIUS computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
 * 5) Click Move Up to make the Smart Card or other certificate EAP provider the first in the list. This is shown in the following figure.
 * 6) Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

This will allow the 8021x access to intranet remote access policy to authorize 802.1x connections using the EAP-TLS authentication method.

Of course, you can add either of them later to have both of the authentication methods. This is the case we are going to have in our lab.

= Configure 802.1x Access Point with Enterprise Security =

Here is the example of configuration we have done in the lab. Please refer to Enable Linksys WRT160N Router to have EAP-TLS and PEAP.

= Client Computer with PEAP Authentication = CLIENT1 is a computer running Windows XP Professional SP3 that is acting as an 8021x client. It will obtain access to intranet resources through the 8021x Access Pointer. To configure CLIENT1 as an 8021x client, perform the following steps:

Perform basic installation and configuration
Use the following steps on CLIENT1 to install Windows XP Professional as a member computer named CLIENT1 of the wifilabs.local domain.


 * Connect CLIENT1 to the access point with SSID, linksys_n.

...

Setup Local Area Connection Network Properties
Note: Windows XP SP3 must be installed in order to have PEAP support.


 * Click Start / Control Panel / Network and Internet Connections / Internet Connections
 * On the Authentication tab, configure the LAN network properties for PEAP-MS-CHAP v2 authentication. The configuration is shown in the following figure. Click OK.

...

Confirmation of authenticated connection
...

= Client User with EAP-TLS Authentication =

Example of EAP-TLS Configuration in Gingerbread please refers to Configure Android Device to Test Enterprise Security.