Installation Settings for a Wireless Network Using Windows Server 2003 and 2008
You must specify some of the server settings, such as the computer name and the IP addresses,
while installing Windows Server 2003. For information about how to install Windows Server 2003,
see the product Help.
When you install Windows Server 2003, make the following choices.

- In the Windows Setup wizard, on the Computer Name and Administrator Password page, type the
  following information.

  Item                      Value
  Computer name             TESTSERVER
  Administrator password    <Your password>
  Confirm password          <Your password>

- On the Networking Settings page, select Custom settings.

- On the Networking Components page, highlight the Internet Protocol (TCP/IP) component, and
  then choose Properties. The Internet Protocol (TCP/IP) Properties dialog box appears.

- Choose Use the following IP address, and type the following information.

  Item                      Value
  IP address                10.11.0.1
  Subnet mask               255.255.0.0
  Default gateway           10.11.0.1

  Because TESTSERVER is listed as its own default gateway, this configuration assumes an
  isolated test network with no route to anything outside 10.11.0.0/16.

- Choose Use the following DNS server addresses, and type the following information.

  Item                      Value
  Preferred DNS server      10.11.0.1

- On the Workgroup or Computer Domain page, choose No, this computer is not on a network, or
  is on a network without a domain. Make this computer a member of the following workgroup,
  and leave the default workgroup entry.
Domain Settings for a Wireless Network
After you have installed Windows Server 2003, you need to specify a domain name and promote
your server to a domain controller. For information about how to perform these steps, in the
Windows Server 2003 Help, see "Domain controller role: Configuring a domain controller," and
select the Creating a domain controller for a new forest option.
When you create your domain controller, make the following choices:

- On the Domain Controller Type page of the Active Directory Installation Wizard, choose
  Domain controller for a new domain.

- On the Create New Domain page, choose Domain in a new forest.

- On the New Domain Name page, type Testdomain.com in the Full DNS name for new domain box.

- On the DNS Registration Diagnostics page, choose Install and configure the DNS server on
  this computer, and set this computer to use this DNS server as its preferred DNS server.
DHCP Server Settings for a Wireless Network
To enable TESTSERVER to assign IP addresses to your access points, your CEPC, and any other
computers on your network, you need to configure DHCP Server.
For information about how to perform these steps, see "DHCP server role: Configuring a DHCP
server" in the Windows Server 2003 Help.
When you configure DHCP Server, make the following choices:

- In the New Scope Wizard, on the Scope Name page, type Testscope as the scope name.

- On the IP Address Range page, type the following values. Do not change the default value
  for Length.

  Item                      Value
  Start IP address          10.11.0.1
  End IP address            10.11.0.254
  Subnet mask               255.255.0.0

  Note: the range starts at 10.11.0.1, which is TESTSERVER's own static address. On the Add
  Exclusions page of the wizard (or later under Address Pool), add an exclusion that covers
  10.11.0.1 and any other host you configure statically, so the scope never leases those
  addresses to a client. The access points at 10.11.0.11 and 10.11.0.12 are covered by the
  reservations created in the next section.

- On the Configure DHCP Options page, choose Yes, I want to configure these options now.

- On the Router (Default Gateway) page, in the IP address box, type 10.11.0.1, and then
  choose Add.

- On the Domain Name and DNS Servers page, type the following values.

  Item                      Value
  Parent domain             testdomain.com
  Server name               TESTSERVER

- On the WINS Servers page, in the Server name field, type TESTSERVER.

- On the Activate Scope page, choose Yes, I want to activate this scope now.
Static IP Address Settings for the Wireless Access Points
After you have configured DHCP Server, you need to create DHCP reservations for your two
wireless access points. A reservation ensures that an access point is always leased the same,
previously specified, IP address. This makes the Web-based configuration page of each access
point easy to find.
For information about how to reserve static IP addresses for your access points, open DHCP from
Administrative Tools, and from the Help menu choose Help Topics.
When you reserve static IP addresses for your access points, make the following choices:
1. In the DHCP console tree, expand Testscope, right-click Reservations, and then choose
   New Reservation.
2. In the New Reservation dialog box, assign the following values to each access point.

   Reservation name          IP address
   CE8021x                   10.11.0.11
   CEWPA                     10.11.0.12

   Provide the MAC address and a description for each access point. To obtain the MAC address
   of each access point, refer to the product-specific documentation.
   With these reservations in place, DHCP always leases the listed address to the access point
   whose MAC address matches. You also have to enter the same address on the configuration
   page of each access point, so that the reservation and the access point's own setting agree.
3. In the console tree, right-click the server node, and then choose Authorize.
4. Connect your 802.1x access point to the server. After a connection is established, the
   server assigns the reserved address to your access point.
   To verify that the DHCP server has assigned the appropriate address to your access point,
   open the Web browser on TESTSERVER and type the IP address of your access point in the
   address bar. The configuration page appears in your browser window.
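The DHCP scope, options, reservations, authorization and verification from the two sections above can also be done from the command line. The script below is an added example written for this page, not code from the original document or from Microsoft; it drives netsh dhcp, which is present on both Windows Server 2003 and 2008, from an elevated PowerShell session on TESTSERVER. The MAC addresses are placeholders (an assumption; read the real ones off your access points), and the exclusion for 10.11.0.1 is the practitioner's addition discussed in the note above.

```powershell
# Added example (not from the original page): builds Testscope, its options,
# the two access-point reservations and the AD authorization with netsh dhcp,
# then verifies that both reservations exist. Run elevated on TESTSERVER.

$Server  = '10.11.0.1'      # DHCP server address (TESTSERVER)
$ScopeId = '10.11.0.0'      # scope ID for the 10.11.0.0/16 subnet
$Mask    = '255.255.0.0'

# Placeholder MAC addresses (assumption): replace with the real ones.
# netsh accepts the 12 hex digits with or without separators.
$Reservations = @(
    @{ Name = 'CE8021x'; Ip = '10.11.0.11'; Mac = '000000000011'; Note = '802.1x access point' },
    @{ Name = 'CEWPA';   Ip = '10.11.0.12'; Mac = '000000000012'; Note = 'WPA access point' }
)

function Invoke-DhcpNetsh {
    # Runs one "netsh dhcp server \\<server> ..." command and throws on failure,
    # so the scope is never activated half-built.
    param([string[]]$Arguments)
    $out = & netsh dhcp server "\\$Server" $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh dhcp server " + ($Arguments -join ' ') + " failed: " + ($out -join ' '))
    }
    $out
}

# Scope, address range, and an exclusion for the server's own static address.
Invoke-DhcpNetsh @('add', 'scope', $ScopeId, $Mask, 'Testscope', 'Wireless test scope')
Invoke-DhcpNetsh @('scope', $ScopeId, 'add', 'iprange', '10.11.0.1', '10.11.0.254')
Invoke-DhcpNetsh @('scope', $ScopeId, 'add', 'excluderange', '10.11.0.1', '10.11.0.1')

# Scope options: 003 router, 006 DNS server, 015 DNS domain, 044 WINS server.
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '003', 'IPADDRESS', '10.11.0.1')
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '006', 'IPADDRESS', '10.11.0.1')
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '015', 'STRING', 'testdomain.com')
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'optionvalue', '044', 'IPADDRESS', '10.11.0.1')

# One reservation per access point (DHCP clients only, no BOOTP).
foreach ($r in $Reservations) {
    Invoke-DhcpNetsh @('scope', $ScopeId, 'add', 'reservedip', $r.Ip, $r.Mac, $r.Name, $r.Note, 'DHCP')
}

# Activate the scope (state 1 = active) and authorize the server in Active Directory.
Invoke-DhcpNetsh @('scope', $ScopeId, 'set', 'state', '1')
& netsh dhcp add server TESTSERVER.testdomain.com $Server | Out-Null

function Test-Reservation {
    # $true when "show reservedip" lists a reservation for the given address.
    param([string]$Ip)
    $lines = Invoke-DhcpNetsh @('scope', $ScopeId, 'show', 'reservedip')
    [bool]($lines | Where-Object { $_ -match ('^\s*' + [regex]::Escape($Ip) + '\s') })
}

foreach ($r in $Reservations) {
    if (-not (Test-Reservation $r.Ip)) { throw "Reservation for $($r.Name) ($($r.Ip)) is missing" }
    Write-Host "Reservation OK: $($r.Name) -> $($r.Ip)"
}
```

Each netsh call is checked individually so that a typo in a reservation does not leave an activated scope without the access points' fixed addresses; the final loop reads the reservations back rather than trusting that the add commands succeeded.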
Configuring Active Directory for a Wireless Network
You must create an account for each user and each user group that will connect to the 802.1x
network. 802.1x authentication requires a user name and a domain name. User groups are required to
configure EAP policies. You create user and group accounts by using Active Directory.
For information about how to create user and user group accounts in Active Directory, from
Administrative Tools open Active Directory Users and Computers, and from the Help menu
choose Help Topics. In the Active Directory Help, search for "Manage Users, Groups, and
Computers."
To create user and user group accounts using Active Directory
1. Create the following user accounts for the users who will access the wireless network:
   - eaptls
   - eappeap
   Set the following properties for each user in the Properties dialog box.
   - On the Dial-in tab, select the Allow access and No Callback options.
   - On the Account tab, leave the Store password using reversible encryption option cleared,
     and then choose OK. Microsoft's test setup selected this option, but it stores the
     password in a form equivalent to plaintext and is only required for CHAP and Digest
     authentication; neither EAP-TLS nor PEAP with MS-CHAP v2 needs it.
2. Create the following user groups:
   - EAP-TLS
   - EAP-PEAP
   In the New Object – Group dialog box, set the Group scope to Global and the Group type to
   Security for each user group.
3. Add the appropriate users to the user groups. The following table shows which user must be
   added to which group.

   User                      User group
   eaptls                    EAP-TLS
   eappeap                   EAP-PEAP

4. To verify that you have successfully added your users to the appropriate groups, in the
   details pane, double-click each group and choose the Members tab. The member you added to
   each group appears in the member list.
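The same accounts, groups, dial-in permission and membership check can be scripted. The block below is an added example for this page, not code from the original document; it uses the dsadd/dsget tools that ship with Windows Server 2003 and 2008 and ADSI, and it assumes the accounts live in the default Users container of testdomain.com (change $Base otherwise). It also reports whether the reversible-encryption flag ended up set, which is the check the note above calls for.

```powershell
# Added example (not from the original page): creates the eaptls/eappeap users
# and the EAP-TLS/EAP-PEAP global security groups, sets Dial-in to Allow access,
# verifies membership and warns if reversible password storage is enabled.

$Base     = 'CN=Users,DC=testdomain,DC=com'                  # assumption: default container
$Accounts = @{ 'eaptls' = 'EAP-TLS'; 'eappeap' = 'EAP-PEAP' } # user -> group
$ReversibleFlag = 0x80   # ENCRYPTED_TEXT_PASSWORD_ALLOWED bit of userAccountControl

function New-WirelessUser {
    # dsadd prompts for the password because of "-pwd *", so it never lands in
    # the command line or shell history. msNPAllowDialin = TRUE is the Dial-in
    # tab's "Allow access"; no callback is the default.
    param([string]$Name, [string]$Dn)
    & dsadd user $Dn -samid $Name -upn "$Name@testdomain.com" -pwd * -disabled no
    if ($LASTEXITCODE -ne 0) { throw "dsadd user $Name failed" }
    $user = [ADSI]"LDAP://$Dn"
    $user.Put('msNPAllowDialin', $true)
    $user.SetInfo()
}

function New-WirelessGroup {
    # Global (-scope g) security (-secgrp yes) group with one initial member.
    param([string]$Name, [string]$Dn, [string]$MemberDn)
    & dsadd group $Dn -samid $Name -secgrp yes -scope g -members $MemberDn
    if ($LASTEXITCODE -ne 0) { throw "dsadd group $Name failed" }
}

function Test-GroupMember {
    # $true when dsget lists $MemberDn among the group's members (dsget prints
    # each DN quoted on its own line).
    param([string]$GroupDn, [string]$MemberDn)
    $members = & dsget group $GroupDn -members | ForEach-Object { $_.Trim().Trim('"') }
    [bool]($members | Where-Object { $_ -eq $MemberDn })
}

function Test-ReversibleEncryption {
    # $true when the account stores its password with reversible encryption.
    # EAP-TLS and PEAP/MS-CHAP v2 do not need this; only CHAP and Digest do.
    param([string]$Dn)
    $uac = [int]([ADSI]"LDAP://$Dn").userAccountControl.Value
    ($uac -band $ReversibleFlag) -ne 0
}

foreach ($name in $Accounts.Keys) {
    $userDn  = "CN=$name,$Base"
    $group   = $Accounts[$name]
    $groupDn = "CN=$group,$Base"

    New-WirelessUser  -Name $name  -Dn $userDn
    New-WirelessGroup -Name $group -Dn $groupDn -MemberDn $userDn

    if (-not (Test-GroupMember $groupDn $userDn)) { throw "$name is not a member of $group" }
    if (Test-ReversibleEncryption $userDn) {
        Write-Warning "$name stores its password with reversible encryption; clear that option unless CHAP or Digest is required"
    }
    Write-Host "OK: $name is in $group, dial-in allowed"
}
```

Run it from an account that can create objects in the Users container; the membership check reads the group back from the directory, which is the scripted equivalent of opening the Members tab in step 4.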
Certificate Infrastructure for a Wireless Network
To implement certificate-based authentication on your 802.1x network through EAP-TLS, you must
set up a certificate infrastructure. Certificates bind a public key to the identity of the
person, device, or service that holds the corresponding private key. During EAP-TLS each side
proves possession of its private key, and the keys that protect the wireless session are
derived from that TLS exchange.
You must install a computer certificate on your CEPC to enable it to be authenticated as a wireless
client device using EAP-TLS, and a computer certificate must also be installed on the IAS server.
During EAP-TLS authentication, the IAS server sends its certificate to the wireless client
device, so that authentication is mutual.
The computer certificate that is submitted by the server must be issued by a certificate authority
(CA) that the wireless client trusts. Likewise, the user and computer certificates installed on the
wireless client device must be issued by a CA that the server trusts. In this test scenario,
TESTSERVER functions as the certificate authority.
Setting up a certificate infrastructure in an enterprise environment consists of a set of complex
procedures and requires detailed planning. The steps described in this topic reflect the scenario
Microsoft implemented for testing purposes. To enable certificate-based authentication for your
enterprise environment, you must implement your own customized certificate infrastructure.
Installing Certificate Services and IAS on Windows Server 2003 (or Network Policy Server on
Windows Server 2008)
To enable TESTSERVER to issue certificates and function as a CA, you first need to install
Microsoft® Certificate Services. Microsoft Certificate Services provides an integrated public key
infrastructure (PKI) that enables the secure exchange of information across a network.
To install and configure Certificate Services
1. Open Add or Remove Programs from Control Panel.
2. Choose Add/Remove Windows Components. The Windows Components Wizard appears.
3. In the Components box, select Certificate Services. You will be presented with the message
   "After installing Certificate Services, the computer cannot be renamed and the computer
   cannot join or be removed from a domain. Do you want to continue?" Choose Yes.
4. In the Components box, highlight Networking Services, and then choose Details. The
   Networking Services dialog box appears.
5. Choose Internet Authentication Service, choose OK, and then choose Next.
6. On the CA Type page, choose Enterprise root CA, and then choose Next.
7. On the CA Identifying Information page, in the Common name for this CA box, type the name
   for the CA, and then choose Next. For example, you can type Testserver CA.
8. On the Certificate Database Settings page, leave the default values, and then choose Next.
   If Internet Information Services is running, a message prompts you to stop the service. To
   stop IIS, choose Yes.
9. While the Windows Components Wizard is installing Microsoft Certificate Services, a message
   appears notifying you that Active Server Pages must be enabled to provide Web enrollment
   services. To enable ASP, choose Yes.
10. Choose Finish to close the Windows Components Wizard.

To verify that you have successfully configured your server as a CA with Web enrollment
support, launch the Web browser on TESTSERVER and type the following address in the address bar:

    http://<Server Name>/certsrv

For example, because TESTSERVER is the name of your domain controller, type the following in the
address bar:

    http://TESTSERVER/certsrv

Web enrollment over plain HTTP is acceptable only on this isolated test network; anywhere else,
publish the certsrv pages over HTTPS so that enrollment credentials and requests are not sent in
the clear.
Configuring Certificate Server Templates with Windows
Server 2003
To enable your CA to issue certificates, you need to select and configure the certificate types that
your CA can issue.
To configure the certificate server templates
1. On TESTSERVER, from Administrative Tools, open Certification Authority.
   a. In the console tree, expand the Testserver CA node, right-click Certificate Templates,
      choose New, and then choose Certificate Template to Issue. A list of supported
      certificate templates appears.
   b. Select the Authenticated Session certificate template, and then choose OK.
2. On TESTSERVER, from Administrative Tools, open Active Directory Sites and Services.
   a. From the View menu, choose Show Services Node.
   b. Under the Services node, double-click Public Key Services, and then double-click
      Certificate Templates. A list of supported certificate templates appears.
   c. To set the security permissions for the ClientAuth and the User templates, right-click
      each template, and choose Properties. For each of the two templates, on the Security tab
      of the template properties page, choose the Authenticated Users group, and then select
      the Allow checkbox for the Enroll permission.
      Granting Enroll to Authenticated Users lets every domain account obtain a
      client-authentication certificate. That is convenient for this test scenario; in a
      production deployment, grant Enroll only to the groups (such as EAP-TLS) that are
      actually allowed onto the wireless network.
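Before moving on to the IAS configuration it is worth confirming, from TESTSERVER, that the CA actually issues the templates configured above, that Web enrollment (checked by hand in the previous section) answers, and that the server holds a certificate usable for EAP-TLS/PEAP. The script below is an added example written for this page, not code from the original document; it assumes the CA and certsrv run on TESTSERVER itself and that the IAS server certificate was requested into the local computer's Personal store.

```powershell
# Added example (not from the original page): three checks for the CA set-up
# described in the preceding sections. Run on TESTSERVER.

function Test-CaTemplateIssued {
    # $true when "certutil -CATemplates" lists the template among those the CA
    # can issue (lines start with the template's short name followed by a colon).
    param([string]$TemplateName)   # e.g. 'ClientAuth' (Authenticated Session) or 'User'
    $lines = & certutil -CATemplates 2>&1
    [bool]($lines | Where-Object { $_ -match ('^\s*' + [regex]::Escape($TemplateName) + ':') })
}

function Test-WebEnrollment {
    # $true when the certsrv pages answer a Windows-authenticated request.
    param([string]$Url = 'http://TESTSERVER/certsrv/')
    $wc = New-Object Net.WebClient
    $wc.UseDefaultCredentials = $true
    try { [void]$wc.DownloadString($Url); $true } catch { $false }
}

function Get-ServerAuthCertificate {
    # Certificates in LocalMachine\My that carry the Server Authentication EKU
    # (1.3.6.1.5.5.7.3.1) and have a private key: what IAS must present to the
    # wireless client during EAP-TLS and PEAP so the client can trust it.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $store.Certificates | Where-Object {
            $_.HasPrivateKey -and
            ($_.Extensions | Where-Object {
                $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
                ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
            })
        }
    } finally { $store.Close() }
}

foreach ($t in 'ClientAuth', 'User') {
    if (Test-CaTemplateIssued $t) { Write-Host "CA issues template $t" }
    else { Write-Warning "CA does not list template $t; add it under Certificate Templates" }
}

if (Test-WebEnrollment) { Write-Host 'Web enrollment responds' }
else { Write-Warning 'http://TESTSERVER/certsrv/ did not respond' }

$certs = @(Get-ServerAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No Server Authentication certificate with a private key in LocalMachine\My; request one before enabling EAP-TLS'
} else {
    $certs | ForEach-Object { Write-Host "Server cert: $($_.Subject) expires $($_.NotAfter)" }
}
```

The third check matters most: if the IAS server has no certificate with the Server Authentication EKU and a private key, the EAP-TLS and PEAP policies created later cannot be configured, and clients that validate the server certificate (as they should, to defeat rogue access points) will refuse to connect.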
IAS Client Settings for Windows Server 2003
A wireless access point that is configured as an Internet Authentication Service (IAS) client
functions as a network access server: it forwards all connection and authentication requests from
users to the IAS server as RADIUS requests. To enable IAS-based authentication on your wireless
network, you need to configure your Remote Access Service (RAS) server and the 802.1x-enabled
access point as IAS clients. The IAS server processes each request and either grants or rejects
it. If the request is granted, the client is authenticated, and unique per-session keys, from
which the WEP key is derived, are generated for that session. Dynamic per-session WEP keys are
what this test scenario uses; WEP is cryptographically broken however often the key is rotated,
so outside a lab use WPA2 with AES-CCMP instead.
Because the RAS server and the IAS server are both located on TESTSERVER, you can create a
client with the same IP address that is assigned to TESTSERVER.
For information about how to create IAS clients, open Internet Authentication Service from
Administrative Tools, and from the Help menu choose Help Topics. In the Internet
Authentication Service Help, search for "Add RADIUS clients."
Create the following RADIUS clients.

  Friendly name             IP address
  TESTSERVER                10.11.0.1
  CE8021X                   10.11.0.11
  CEWPA                     10.11.0.12

When you create your IAS clients, make the following choices:

- In the console tree, right-click RADIUS Clients, and then choose New RADIUS Client. In the
  New RADIUS Client dialog box, type the friendly name for the client.

- In the Client address (IP or DNS) field, type the IP address for the client.

- Type a shared secret, and confirm it. Use a different, long, random secret for each client:
  it is the only thing that authenticates the access point to the IAS server. You will be asked
  for it again when you configure each wireless access point.

- Microsoft's test setup leaves the Request must contain the Message Authenticator attribute
  checkbox cleared. Access-Request packets that carry EAP-Message attributes must include
  Message-Authenticator in any case (RFC 3579), and that attribute is what lets the server
  detect a forged request, so selecting it is safe for 802.1x clients and is the better choice.
  Clear it only for a client you have confirmed cannot send it.

- To verify that you have configured each IAS client correctly, double-click the RADIUS
  Clients node in the console tree to view the list of your IAS clients.
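On Windows Server 2008, where this section's role is played by Network Policy Server, the three clients can be created from the command line with a fresh random shared secret each and the Message-Authenticator requirement switched on. The script below is an added example written for this page, not code from the original document. It is for 2008 only: Windows Server 2003 IAS has no command for adding clients (netsh aaaa can only import and export the whole configuration), so there use the console as described above. The secret file location and the 24-byte secret length are assumptions.

```powershell
# Added example (not from the original page): registers TESTSERVER, CE8021X and
# CEWPA as RADIUS clients on a Windows Server 2008 NPS server with "netsh nps",
# generating a random shared secret per client and requiring the
# Message-Authenticator attribute. Run elevated on the NPS server.

$Clients = @(
    @{ Name = 'TESTSERVER'; Address = '10.11.0.1'  },
    @{ Name = 'CE8021X';    Address = '10.11.0.11' },
    @{ Name = 'CEWPA';      Address = '10.11.0.12' }
)
$SecretFile = Join-Path $env:USERPROFILE 'radius-secrets.txt'   # assumption

function New-SharedSecret {
    # Hex-encoded output from the OS CSPRNG: 24 bytes -> 48 characters, which
    # stays inside the 64-character limit of NPS and of most access points.
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buf)
    ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Add-NpsClient {
    # Creates one RADIUS client; requireauthattrib=yes is the
    # "Request must contain the Message Authenticator attribute" checkbox.
    param([string]$Name, [string]$Address, [string]$Secret)
    $cmd = @('nps', 'add', 'client',
             'name', '=', $Name,
             'address', '=', $Address,
             'state', '=', 'enable',
             'sharedsecret', '=', $Secret,
             'requireauthattrib', '=', 'yes',
             'napcompatible', '=', 'no')
    $out = & netsh $cmd 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client $Name failed: $out" }
}

function Test-NpsClient {
    # $true when "netsh nps show client" lists the friendly name.
    param([string]$Name)
    $lines = & netsh nps show client 2>&1
    [bool]($lines | Where-Object { $_ -match ('Name\s*=\s*' + [regex]::Escape($Name) + '\s*$') })
}

$records = @()
foreach ($c in $Clients) {
    $secret = New-SharedSecret
    Add-NpsClient -Name $c.Name -Address $c.Address -Secret $secret
    if (-not (Test-NpsClient $c.Name)) { throw "Client $($c.Name) not found after add" }
    $records += "$($c.Name)`t$($c.Address)`t$secret"
}

# Write the secrets for transfer to the access points, readable only by the
# current user; delete the file once every access point is configured.
Set-Content -Path $SecretFile -Value $records
& icacls $SecretFile /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null
Write-Host "Shared secrets written to $SecretFile"
```

Generating the secrets on the server and carrying them to the access points, rather than typing a memorable word into both, removes the weakest link in RADIUS: an attacker who can guess the shared secret can forge Access-Accept responses and decrypt the keys the server sends to the access point.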
Configuring Remote Access Policies with Windows Server
2003
After creating your IAS clients, to set the appropriate access permissions and add the required
security settings, you need to define a remote access policy for each user group.
To configure remote access policies
1.
On TESTSERVER, from Administrative Tools, open Internet Authentication Service.
2.
Create the following policies.

   Policy name               Group        Authentication type
   EAP-TLS Authentication    EAP-TLS      Smart Card or other certificate
   EAP-PEAP Authentication   EAP-PEAP     Protected EAP (PEAP)

   a. In the console tree, right-click the Remote Access Policies node, and then choose
      New Remote Access Policy. The New Remote Access Policy Wizard starts. Choose Next.
   b. On the Policy Configuration Method page, choose Use the wizard to set up a typical
      policy for a common scenario, then in the Policy name field type the name of the policy,
      and then choose Next.
   c. On the Access Method page, choose Wireless, and then choose Next.
   d. On the User or Group Access page, choose Group, and then choose Add. The Select Groups
      dialog box appears.
   e. In the Enter the object names to select box, type the appropriate group name for your
      policy, choose Check Names, and then choose OK.
   f. On the User or Group Access page, choose Next.
   g. On the Authentication Methods page, from the Type dropdown list, select the
      authentication type shown in the table above, and then choose Next.
   h. Choose Finish to close the New Remote Access Policy Wizard.
   For the PEAP policy, make sure the wireless clients are configured to validate the server
   certificate; otherwise a rogue access point with its own RADIUS server can harvest the
   MS-CHAP v2 credentials.
Configuring the WPA-Enabled Wireless Access Point
After typing the IP address for your WPA-enabled access point in the Web browser address bar, the
Settings Summary page appears in the Web browser window. You are now ready to configure
your access point.
Microsoft used a Buffalo Technology WLA-G54** 54MBPS wireless bridge base station for this test
scenario. The procedures in this document refer to Buffalo Technology-based hardware and
software. If you use a different WPA-enabled access point, refer to the product-specific
documentation.
To configure your wireless access point for pre-shared key authentication
1. At the bottom of the Welcome to the AirStation page, choose Advanced.
2. In the left column of the LAN setting page, choose Wireless.
3. In the Wireless Setting table, in the ESS-ID row, select the Enter radio button, and type
   CEWPA.
4. In the WPA-Configuration row, from the Network Authentication dropdown list, choose
   WPA-PSK.
5. In the WPA Pre-Shared Key box, type a passphrase of 8 to 63 ASCII characters. The passphrase
   is the only secret protecting this network, and a captured WPA-PSK handshake can be attacked
   offline, so use a long random passphrase rather than a word.
6. In the WPA Group Rekey Interval box, type 30.
7. In the Type of encryption row, choose TKIP. TKIP is the cipher used in this test scenario;
   it has known weaknesses and is deprecated, so prefer AES-CCMP on any access point that
   supports it.
8. In the ANY connection row, choose Allow. Leave the default values for all other settings.
9. Choose Set.
Configuring the 802.1x Wireless Access Point
After typing the IP address for your 802.1x access point in the Web browser address bar, the
configuration page appears in the Web browser window. You are now ready to configure your access
point.
Microsoft used a Cisco** access point for this test scenario. The procedures in this document refer
to Cisco-based hardware and software. If you use a different access point to set up your 802.1x
network, refer to the product-specific documentation.
When configuring your access points use the following Service Set Identifiers (SSIDs):
To configure your wireless access point
1. On the configuration page, choose the Setup tab, and then choose Express Setup.
2. In the Radio Service Set ID (SSID) field, type an SSID for the access point, and then
   choose OK.
3. Under Services, choose Security, and then choose Radio Data Encryption (WEP).
4. On the AP Radio Data Encryption page, select the Open checkboxes for the Accept
   Authentication Type and the Require EAP options, and clear all other check boxes.
5. In the Encryption Key box, type a WEP key of 10 hexadecimal digits, then from the Key Size
   dropdown list select 40 bit, and then, to update the page, choose Apply. WEP of either key
   length is cryptographically broken; this setting is acceptable only in the isolated test
   network described here.
6. From the Use of Data Encryption by Station is dropdown list, choose Full Encryption, and
   then choose OK.
7. On the Security Setup page, choose Authentication Server. Set the following values on the
   Authenticator Configuration page.

   Item                                              Value
   802.1X Protocol Version (for EAP Authentication)  Draft 10
   Server Name/IP                                    TESTSERVER
   Server Type                                       RADIUS
   Port                                              1812
   Shared Secret                                     The shared secret you specified for this
                                                     802.1x access point when creating your
                                                     IAS clients under IAS Client Settings for
                                                     Windows Server 2003 above
   Timeout (in seconds)                              20
   Use server for                                    EAP Authentication

8. When you have completed the configuration of the Authentication Server, choose OK.
Naseem Gul
www.naseemgul.weebly.com