Installation and Configuration of MS Windows 2000 Server
AireSpace S.E. Documentation
Airespace

Revisions
Version  Date     Author        Description
0.1      4/3/04   Pat Martinez  Initial draft
0.2      4/27/04  Pat Martinez  Added DHCP Option 43 section
0.5      6/14/04  Pat Martinez  Add certificate details and RADIUS VSA config
1.0      6/15/04  Pat Martinez  Update TOC- Final
1.1      7/12/04  Pat Martinez  Updated DHCP Option 43 section
1.2      8/17/04  Pat Martinez  Completed Certificate services section
1.3      1/05/05  Pat Martinez  Includes new Airespace VSA values for Rel. 2.2
Page 1
Release 1.0
Installation and Configuration of MS Windows 2000 Server
Table of Contents
1 Windows 2000 Server Installation  3
1.1 Overview  3
1.2 Windows 2000 Modules to include  3
2 Installation  4
2.1 Installation Notes  4
2.2 Using MMC  4
3 Configuring Services  9
3.1 Active Directory  9
3.1.1 User Configuration  9
3.1.2 Group Configuration  14
3.2 DNS Service  18
3.3 DHCP  19
3.3.1 Overview  19
3.3.2 Create a new DHCP scope  20
3.3.3 Authorize the DHCP Server with Active Directory  24
3.3.4 Adding support for AP Discovery using Vendor specific information and DHCP Option 43  25
3.3.5 Using the Vendor class and Pre-Defined options to support Auto Discovery  30
3.4 Certificate Authority  34
3.4.1 Overview  34
3.4.2 Installing the Certificate Service using the Control Panel  34
3.4.3 Tying the IAS to the Certificate Authority  37
3.4.4 Create a trusted CA certificate for the laptop  39
3.4.5 Create a client certificate for the laptop  42
3.5 IAS Service  46
3.5.1 Create the IAS Clients  46
3.5.2 Create a Remote Access Policy  48
3.5.3 Create a Vendor Specific Attribute to support Identity Networking  58
1 Windows 2000 Server Installation
1.1 Overview
The purpose of this document is to provide our Systems Engineers, Support Teams, Business Partners and Resellers with a basic Windows 2000 Server to use as a back-end AAA server when testing and running customer demos. In it you will find a complete but simple set of steps necessary to have a fully functional AAA server when finished. There are several ways to install and configure the various aspects of Windows 2000, but I will limit the scope to a local install using the Win2K CD-ROM disk. This will be the primary domain controller and will be deployed in an organization called “?”. This document contains several sections, each one covering a specific module that you will configure. I will point out only those areas that we need to configure in order to achieve our goal and will accept the default response for the other screens available. It is important that you become familiar with the MMC tool, which is an integral part of configuring and managing the Windows 2000 Server. We will cover how to launch and populate this tool as we work through the configuration of the server.
1.2 Windows 2000 Modules to include
The following modules are necessary for the W2K server to provide the functionality required to support 802.1x clients using certificates and to implement many of the features that you will want to demonstrate for your customers.
- Active Directory
- DNS
- DHCP
- IIS (Internet Information Service)
- IAS (Internet Authentication Service)
- Certificate Authority Server service (to be installed later)
2 Installation
2.1 Installation Notes
The installation procedure is fairly straightforward and has a wizard that walks you through the file copy and install steps just like any other Windows OS product. The important thing to remember is that you will want to set this server as the Primary Domain Controller. It is also important that you DO NOT INSTALL the Certificate Services feature at this time. You can add it later, just before we configure the IAS security policies.
2.2 Using MMC
MMC is a tool that you can use to configure the different services available on the Win2K server. You populate the tool with what are called “snap-ins”, each of which lets you choose a service and configure it.
1) Click on the Windows Start button and select Run.
2) Type in MMC to launch your Windows console.
3) Select the File > Add/Remove Snap-in option.
In the window that appears, click on the Add button at the bottom.
Another window will appear that contains the system tools that you can choose to add to
the list of items that you will manage from the MMC console.
Click on the Services snap-in tool and then the Add button.
You will be prompted to select which computer you want to manage Services on. Select the Local Computer option and press the Finish button at the bottom of the page.
You should return to the Add/Remove Snap-in window, where you should see the Services icon you selected to add.
Press the OK button that appears on the bottom of the window. You now see the snap-in service added to your MMC console. Repeat the steps used above to add the following snap-in services:
- Active Directory
- DNS
- DHCP
- Internet Authentication Service (Local)
- Certification Authority Service
- Certificates (Local Machine)
- Event Viewer
When completed, your MMC console should look similar to the screen shot above.
Some Snap-ins will present an option to manage the local machine or another computer. You only
want to manage your local server with the MMC console.
Notice the + sign next to the different snap-ins. Pressing the + icon expands the service options as
you can see in the picture above. You can see how you can work your way through the DNS Snap-in
tool. A right click on an Icon will open a drop-down menu that allows you to choose a number of
different functions available at that point. Take some time to explore the various services and the
configuration capabilities available. When you configure the different services in the following
sections, there will be information on how to navigate via MMC to find the items you will need to
configure.
When completed with your familiarization tour, save the MMC console to your desktop for easy
access when you need to configure or manage the Server.
3 Configuring Services
3.1 Active Directory
Active Directory Users and Computers: This snap-in tool shows the members of the domain training.org.
Beneath the training.org icon are a series of folders. The folder we are concerned with is the one labeled Users.
Here you create the users and user groups that will be a part of the demo domain. These objects will be
referred to later in the creation of various security policies created in IAS.
3.1.1 User Configuration
For a Demo you will want a few users that will be logging in to the Wireless network. We will create “student20”
with the support necessary to allow the user to authenticate using 802.1x. To create the user, right click on the
Users folder and select New > User.
In the window that appears, define the name of the user and edit the various Member properties as shown in the
following screenshots. The Tabs that we will want to configure include the following:
- General
- Account
- Dial-in
The rest of the tabs we can ignore but you will later verify membership information using the Member Of tab.
In the General tab, indicate who the user is. This is not the Login Name but only the reference that will be used
in AD to identify the user.
In the Account tab you enter the user's logon name and password. This is the name and password the system expects to receive from the user when authenticating using 802.1x. Notice that the domain info is already entered in the appropriate area.
The Dial-in tab is one area that might be overlooked. Wireless connections are handled like remote dial-in connections in AD. Make sure that the Allow Access option is selected.
After creating the group and adding the members, you can use the Member of tab to verify the client is a
member of the appropriate group. Security policies will later be distributed on a group basis.
3.1.2 Group Configuration
Create a group to support all the users that will be authenticated using a given method supported at the RADIUS server. In this example a group is created that supports clients using PEAP pass-through authentication. All users that you intend to authenticate using 802.1x and PEAP should be members of this group.
Create a new group and give it a name that reflects the purpose of the group. In this example the group supports clients authenticating using PEAP, and we have also decided that this group of users will use VLAN20.
This window allows you to add the new Group Name. Note the Group Scope and Type values.
Once the group is named you will need to add the members to the group. Click on the Add button to see the list
of users in Active Directory.
Add the group members to their respective group by clicking on the Add button. You will be presented the list of
Active Directory users to choose from.
When finished creating the group, the group properties will be similar to the screens below.
Select OK and your new member appears in the list of group members. Select OK again to complete this
section.
3.2 DNS Service
OVERVIEW
DNS is installed and most of the configuration needed to support a demo is complete at this point. Within the domain, you can define static hosts if you need to for a lab-type implementation.
One item you may wish to add is an entry in the forward lookup zone for a web server that matches the default home page of your browser. This can be used to redirect a web-authenticated subscriber from the browser's default page into the Web Authentication login screen. This lets you show the capture capability rather than pointing to the WLAN switch's virtual IP address.
*** ADD THE DETAILS FOR SETTING UP THE DNS SUPPORT FOR A WEB SERVER ***
3.3 DHCP
3.3.1 OVERVIEW
We will use the DHCP capability to provide an IP address to each wireless client that successfully authenticates, regardless of the authentication method used by the wireless client. We can also use DHCP and the Vendor Specific option 43 to provide IP addresses to our APs when deployed in a layer 3 scenario. The following screens walk you through the configuration steps necessary to define a DHCP scope. You will need to create a number of scopes to support each network segment you define; this usually ends up being one DHCP scope for each VLAN interface defined on the switch. The example below shows a scope for each VLAN that is used in the training lab. One thing to remember: after creating the DHCP server and defining the different scopes, you need to authorize the DHCP service in Active Directory.
3.3.2 Create a new DHCP scope
Right click on the DHCP server icon and choose Create a new scope. Windows will open the New Scope Wizard. Fill in the appropriate information as requested. The steps are outlined in the screen shots that follow.
Enter the range of IP addresses the new scope will distribute.
Define the exclusion range. Your default Gateway and the VLAN interface will most likely be static addresses
and will fall into this range of excluded addresses.
Define the lease duration.
Configure the DHCP Options
DHCP can return other information to the client that can be very important for the client to operate properly on the network. Items like the default router, the DNS server address, or Vendor Specific information can be configured to be returned to the wireless clients.
Default Gateway (Router) configuration.
DNS Server configuration.
WINS Server configuration.
This is not necessary for a demo situation but may be necessary for Lab testing and compatibility issues.
Activate the scope
Once the DHCP scope configuration is completed, you must activate the scope to make the addresses
available. You can activate the scope if you are ready to distribute addresses.
The new scope is now available.
3.3.3 Authorize the DHCP Server with Active Directory
Before the DHCP server can deliver an IP address, it needs to be authorized in the Active Directory to provide
this function. The following screen shows how to Authorize the new DHCP server. Notice that the arrow on the
DHCP server icon points down. After you authorize the DHCP server, notice the position of the arrow.
3.3.4 Adding support for AP Discovery using Vendor specific information and DHCP Option 43
The first step necessary to use DHCP Option 43 for AP Discovery is to create a new Vendor class to
use within each scope. Right click on the DHCP server icon and choose Define Vendor Classes.
Define a new Vendor Class
Select Add... to create the new class. Create the Display name Airespace and give a short description of the
function. Add the Vendor Specific information, in this case Airespace.AP1200. Click on OK when finished.
You should now notice that the new class has been created.
The next step is to create the Predefined Options. This is where you define the option code and the data format that will be used to deliver the Airespace Vendor Specific information to the APs. To create a Predefined Option, right click on the server icon and choose Select Predefined Options from the list of menu items presented.
A new window opens where you will set the Option class to Airespace. Click on the Add button to define the option code and to choose the data type that you will be using. If you are going to use a single switch, you can use the IP Address data type.
When you select the Data type: IP Address, the resulting Value field has space for a single IP address as shown
in the screen shots below.
For entering multiple WLAN appliance IP addresses, you can use the Binary Data type. Notice the difference in
the Value field you are presented as compared with the example above.
When you have defined the available fields, select OK at the bottom of the Option Type window. You should see
the new Predefined Option that is associated with the Airespace class.
This completes the creation of the various option types needed to support Auto Discovery for APs deployed in a layer 3 environment that use DHCP to learn the IP addresses of the WLAN switches in the network.
3.3.5 Using the Vendor class and Pre-Defined options to support Auto Discovery
Scenario: APs to be attached to the networks 172.10.1.0 and 172.20.1.0 have two WLAN appliances available on the network. One appliance is on the 192.100.10.0/28 network and the other switch is on the 192.100.10.16/28 network. When an AP sends a DHCP discovery request, you want to deliver an IP address to the AP and also return the IP addresses of the 2 WLAN appliances you would like the APs to be aware of. The following configuration shows how to set this up using the MS Win2K server's DHCP service.
First you will create the scope option on the 172.10.1.0 network, then you will do the same on the 172.20.1.0 network. Configure a new scope option.
Change to the Advanced tab. Select Airespace as the Vendor class that you are going to use. You should see
the Predefined options you created earlier listed in the scrolling window beneath the User Class listings.
Select the Predefined option that you will assign to this scope. In the Data Entry area, enter the IP addresses that you are going to return to the APs to allow them to obtain a configuration. This is a comma-delimited listing. Also note that there is a period (.) in the initially empty Data Entry area. Make sure you remove this period from the list of IP addresses that you add in the Data Entry area.
When finished, your results should look like this, with the Vendor class indicating Airespace and the IP addresses of the appliances listed in the Data Entry area.
The new scope option has now been created. It should be listed as one of the DHCP scope options. Note that the Router option and the new scope option share the same code number, but they belong to different vendor sets and therefore do not interfere with each other.
Create the scope option on the 172.20.1.0 network.
Using the steps outlined previously, you must add support for the APs that will be placed on the 172.20.1.0 network. Create a new scope option for this subnet as you did for the subnet you just configured.
Select the Vendor Class for Airespace.
Define the comma-delimited data in the Data Entry area. This data is the IP addresses of the available WLAN switches that you want the APs to be aware of. After the Airespace appliance IP addresses are entered into the Data Entry area, click on OK at the bottom of the window.
The DHCP Option 43 support is created as a scope option for this network as well.
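The steps above describe what is typed into the DHCP console, not what the AP receives on the wire. The following Python example, added to this guide and not Airespace or Microsoft code, shows how a vendor-class option is carried as a sub-option inside Option 43 and is only sent when the vendor class identifier the AP presents in Option 60 matches, why a vendor option numbered 3 does not collide with the standard Router option 3, and how a stray period left in the Data Entry area turns into a rejected entry instead of reaching the APs. The sub-option code 3 (the guide only says the vendor option shares the Router code number), the plain ASCII comma-delimited encoding, and the appliance addresses 192.100.10.2 and 192.100.10.18 are assumptions constructed for the example; the exact payload format the APs expect must be taken from the Airespace release documentation.

```python
"""Added example (not Airespace or Microsoft code): how a vendor-class option
is delivered inside DHCP Option 43, selected by the client's Option 60, and
why a vendor option numbered 3 does not collide with the Router option 3."""
import ipaddress

OPT_ROUTER = 3             # standard Router option, RFC 2132 section 3.5
OPT_VENDOR_SPECIFIC = 43   # Vendor Specific Information, RFC 2132 section 8.4
OPT_VENDOR_CLASS = 60      # Vendor Class Identifier, RFC 2132 section 9.13
OPT_END = 255

# Vendor class string the guide creates in section 3.3.4.
VENDOR_CLASS = b"Airespace.AP1200"
# Sub-option code used inside Option 43.  The guide says the vendor option
# shares the Router option's code number, so 3 is ASSUMED here; it must match
# the Predefined Option code actually created on the server.
SUBOPT_APPLIANCES = 3


def encode_tlv(code, data):
    """One option or sub-option: code byte, length byte, value."""
    if not 0 < len(data) < 256:
        raise ValueError("option %d payload must be 1..255 bytes" % code)
    return bytes([code, len(data)]) + data


def decode_tlvs(blob):
    """Parse a run of options into {code: value}; stops at END, skips PAD,
    and refuses lengths that run past the buffer."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of buffer" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_appliance_list(text):
    """Validate the comma-delimited text typed into the Data Entry area.
    Returns (valid_addresses, rejected_entries); a stray '.' left in the
    field shows up in the rejected list instead of reaching the APs."""
    good, bad = [], []
    for item in text.split(","):
        item = item.strip()
        try:
            good.append(str(ipaddress.IPv4Address(item)))
        except ValueError:
            bad.append(item)
    return good, bad


def build_offer_options(router, client_vendor_class, appliance_text):
    """Server side: always send Router (3); wrap the appliance list in
    Option 43 only when the client's Option 60 matches the vendor class."""
    opts = encode_tlv(OPT_ROUTER, ipaddress.IPv4Address(router).packed)
    if client_vendor_class == VENDOR_CLASS:
        good, bad = parse_appliance_list(appliance_text)
        if bad:
            raise ValueError("invalid Data Entry values: %r" % bad)
        payload = ",".join(good).encode("ascii")
        opts += encode_tlv(OPT_VENDOR_SPECIFIC,
                           encode_tlv(SUBOPT_APPLIANCES, payload))
    return opts + bytes([OPT_END])


def appliances_from_offer(offer_options):
    """AP side: read the appliance addresses back out of Option 43.
    The nested code 3 is looked up inside Option 43, never at top level,
    which is why it cannot be confused with the Router option."""
    top = decode_tlvs(offer_options)
    if OPT_VENDOR_SPECIFIC not in top:
        return []
    sub = decode_tlvs(top[OPT_VENDOR_SPECIFIC])
    text = sub.get(SUBOPT_APPLIANCES, b"").decode("ascii", "replace")
    good, bad = parse_appliance_list(text)
    if bad:
        raise ValueError("unparseable Option 43 data: %r" % bad)
    return good


if __name__ == "__main__":
    # Constructed sample values: one appliance on each /28 from section 3.3.5.
    offer = build_offer_options("172.10.1.1", VENDOR_CLASS,
                                "192.100.10.2,192.100.10.18")
    print(offer.hex())
    print(appliances_from_offer(offer))
    print(parse_appliance_list(".192.100.10.2,192.100.10.18"))
```

Running the file prints the option bytes of the offer, the addresses the AP would extract, and the result of validating a Data Entry value with the leading period still present.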
3.4 Certificate Authority
3.4.1 OVERVIEW
You will need to install the Certificate Services in order to distribute the necessary certificates needed to support
the wireless client using 802.1x authentication. Several implementations of 802.1x and WPA require certificate
exchanges between the server and the client in order to establish the identity between the 2 devices and to
exchange security info between them.
3.4.2 Installing the Certificate Service using the Control Panel
When you installed Windows 2000 Server, the Certificate services module was not installed. Now we will install
the Certificate Server and create a root Certificate Authority on this server. Use the Control
Panel>Add/Remove Software tool to install this module. Use the Add/Remove Windows Components icon
to add this Windows component.
The Windows Components wizard allows you to select the Certificate Server option to install. Select the Certificate Services check box to continue.
You will get a warning that you will not be able to change the name of the computer or do other things. Select Yes to continue. Click on Next.
You will now choose the Certificate Authority type. Make sure you set this server as an Enterprise Certificate Authority, which enables the service to interact with AD. In the window that appears, enter the information that identifies your CA. This information will be a part of each certificate distributed by this server.
Accept the storage location information by selecting Next. Windows will start the installation of the Certificate
Service once it finds the files it needs. Make sure you have your Windows 2000 disk in the CD-Rom drive and
that the path to the files is correct.
Once the installation is complete you will get a window indicating as such. Click on the Finish button.
When the installation is complete you will be asked to restart the server. Perform the restart and log back into the server when ready. Launch the MMC console. You will want to add the Certificate Services snap-in so that you can manage the Certificate Server from the console. Use the steps from section 2.2 to add the snap-in.
3.4.3 Tying the IAS to the Certificate Authority
Before you will be allowed to create a security policy using EAP you need to extend the CA path to your new
Win 2K server.
Open a browser connection to the certificate server's IP address followed by /certsrv (ex: http://127.0.0.1/certsrv). Log in using the administrator name and password for your server.
Once logged in you will select Retrieve the CA certificate or certificate revocation list from the listed tasks.
Click the Next button to continue.
The window below will be presented to you. You must select the Install this CA certification path in order to
install the CA path to your server.
When a scripting violation window like the one shown below appears, select Yes to add the certificate.
Once the certificate is installed on your laptop you will be notified of the successful installation. Restart your
server.
At this point your CA path is installed and you will be able to use IAS to create any supported security policy.
3.4.4 Create a trusted CA certificate for the laptop
In this section you will create a CA certificate on the client laptop. This is necessary if you plan to use the 802.1x
PEAP–MS CHAP v2 pass-through or WPA-PEAP methods to log in and authenticate onto the wireless network.
These security methods require the identification of the server to the client to provide a level of trust to the client
that the server is in fact the correct server and provides the server public key to the client to allow encryption
and decryption. Before you configure these authentication options you will need to complete the steps
necessary to create the CA certificate and distribute it to the wireless client. You will find your server listed
among the trusted root Certification Authorities after this CA server credential is installed on your laptop. Use the
following steps to create and install the certificate.
Open a browser connection to the certificate server's IP address followed by /certsrv (ex: http://10.9.4.10/certsrv). Log in using the user name and password that you will use when logging onto the network.
Once logged in you will select Retrieve the CA certificate or certificate revocation list from the listed tasks.
Click the Next button to continue.
The window below will be presented to you. You must select the Install this CA certification path in order to
install the necessary CA server path that will make sure the server you connect to is your valid CA server.
You should see a scripting violation window like the one shown below. Select Yes to add the certificate to your
laptop.
Once the certificate is installed on your laptop you will be notified of the successful installation. At this point your
CA certificate is installed.
Now that the certificate is installed, you must verify that the new certificate is on your laptop. Open the MMC
Console and make sure you have the Certificates snap-in for the current user added to the console. You will
see the Certificates-Current User icon. Click on the + next to the icon to expand the Certificates-Current User
window. Expand the folder labeled Trusted Root Certification Authorities. Double click on the Certificates
folder to display the list of trusted CA’s.
Scroll down the list of trusted CA’s until you find the certificate for training.org. This CA certificate was installed
on your laptop during the steps you completed above. Once you verify that the CA server certificate is present
on your laptop, you are ready to configure the laptop WNIC client for PEAP-MS-CHAP v2 authentication.
3.4.5 Create a client certificate for the laptop
In this section you will create a user certificate on the client laptop. This is necessary if you plan to use the
802.1x EAP–TLS method to log in and authenticate onto the wireless network. This process requires the
authentication of the server to the client as we saw with the previous EAP method. It also validates the client to
the server so both sides establish a trust relationship to each other using certificates only. This authentication
method provides a higher level of security than offered by other methods. Before you configure this
authentication option you will need to complete the steps necessary to create the client certificate that will be
used to authenticate the wireless client to the authentication server.
Clear the EAPOL folder from the Registry using Regedit (Refer to the previous section for details).
Open a browser connection to the certificate server located at http://10.9.4.10/certsrv. Log in using the user
name and password that you will use when logging onto the network.
Once logged in you will request a user certificate. Click the Next button to continue.
Select the User Certificate Request and select next.
After the Certificate Server has collected the info it needs, select submit. You will get a security warning. Read
the warning and select YES to request your certificate.
Note that your User Certificate has been issued. Since you will need to install your certificate on your laptop,
Windows offers to perform the install. Select the Install this Certificate button. You will get another security
warning. Read the warning and select YES to install your certificate. Your certificate is now installed on your
laptop and you can close your browser.
Next, make sure you have installed certificates on the laptop PCs. Use the MMC console on your server to verify that the certificates have been created and distributed to the PCs. The following screen shot shows the certificates distributed for the Training PCs.
You can also verify that the certificate is installed on your laptop. Using the MMC console on your laptop you will find your client certificate located as shown below. Double click your certificate icon to see what details are configured for the certificate.
3.5 IAS Service
OVERVIEW: In order to provide RADIUS authentication support to the Airespace switch you will need to create a RADIUS client profile on the IAS server. This allows the authentication requests coming from the Airespace switch to be verified by means of the configured Server Secret. The security for the 802.1x subscriber is established by the implementation of a Security Policy. The following screens can be referenced to set up the necessary support for 802.1x clients using PEAP-MSCHAPv2 authentication.
3.5.1 Create the IAS Clients
Each WLAN switch is a client of IAS and needs to be added to the list of clients in IAS. Here you enter the
switch name and the Server Secret. This must match the RADIUS Secret configured on the WLAN switch.
The following screens show where you define the RADIUS client properties.
Enter the requested parameters to complete the RADIUS client configuration. Once this is complete, make sure
that your WLAN switch and the RADIUS server can reach each other.
3.5.2 Create a Remote Access Policy
Create a Remote Access Policy to support the group of users using a particular authentication method.
From the Remote Access Policies, add a new policy. Give the policy a name that makes clear what the
policy is for.
Add the needed conditions to the policy.
The condition we will use is a Windows group.
From the list presented, select the correct group and click ADD. In this example we will use the group
vlan20peappass that we created earlier in Active Directory.
When all members needed for this policy have been added, select OK. You will see the selected group appear
in the lower window. Click OK to continue.
Now that the group is part of this condition, it becomes the condition that incoming requests are matched
against to determine whether the security policy applies.
If the client matches the condition, the server will apply the security policy.
We will next define the details of the policy.
This next screen is VERY IMPORTANT. Make sure you select Grant remote access permission and select
next. A client will never be authenticated if you skip this step.
Choose to Edit Profile. The next several steps will define the security policy for this group of clients.
The default Authentication selection is shown below.
To support the PEAP-MSCHAP-v2 user, set the EAP Type to PEAP.
With PEAP selected, select the Configure button and verify the certificate that will be used to identify the server.
Make sure you select MS-CHAP v2 only.
Make sure you have selected Grant remote access permission to the wireless clients. This is another VERY
IMPORTANT step that you must not overlook.
Set the Restrict Maximum session to 30 minutes.
Support all encryption policies for these users.
Default settings are OK in the following tabs of the profile.
When finished with the policy configuration, select OK to close the window and save the configuration.
3.5.3 Create a Vendor Specific Attribute to support Identity Networking
In order to support Identity Networking, we must provide a way to deliver specific attributes back to the subscriber
when they authenticate. If the AAA Override feature is selected in the WLAN, then the attributes delivered by the
IAS server will supersede those listed in the WLAN configuration. The mechanism used to deliver these
attributes back to the subscriber is the RADIUS Vendor Specific Attribute (VSA).
To configure a VSA, you must edit the User Profile for the security policy that you will use to authenticate the
subscriber and deliver the new attributes with. From the MMC console, right click on the security policy you wish
to add the VSA to and select, Profile. The Properties screen for the selected security policy will appear. Click on
the Edit Profile… button in the lower left portion of the screen.
When the Profile screen appears, select the Advanced tab. Notice the current RADIUS parameters that are
configured for this security policy. You are going to add the Airespace VSAs to this list.
Click the Add… button to select an attribute to add.
In the screen that appears there will be many RADIUS attributes displayed from which to choose. Notice the
attribute called Vendor-Specific. Select this option and click the Add button.
Select Add from the screen below.
The following window appears. Our vendor code is 14179.
Fill in the Airespace vendor code, indicate that the attribute conforms to the RADIUS RFC, and select the
Configure Attribute button. In the Configure VSA screen you will enter the specific values for the Airespace
VSAs. Refer to Airespace_Identity_Networking.pdf for values and definitions to use.
This example defines an interface for the subscriber. In this example the interface name is "vlan20".
The completed result appears like this. Click OK to complete the configuration of the VSA.
The new VSA should appear in your list of attributes for the security policy.
2) This example creates a QOS level of Gold for the subscriber.
3) This example creates an 802.1p tag for the subscriber.
The following is a list of Airespace VSAs that are available as of this document revision date (1/05/05):
AAA_ATT_VAP_ID                                = 1
AAA_ATT_QOS_LEVEL                             = 2
AAA_ATT_DSCP                                  = 3
AAA_ATT_8021P_TYPE                            = 4
AAA_ATT_VLAN_INTERFACE_NAME                   = 5
AAA_ATT_ACL_NAME                              = 6
AAA_ATT_DATA_BANDWIDTH_AVERAGE_CONTRACT       = 7
AAA_ATT_REAL_TIME_BANDWIDTH_AVERAGE_CONTRACT  = 8
AAA_ATT_DATA_BANDWIDTH_BURST_CONTRACT         = 9
AAA_ATT_REAL_TIME_BANDWIDTH_BURST_CONTRACT    = 10
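The two pieces of this section that are easiest to get wrong are the shared Server Secret from 3.5.1 and the VSA layout from 3.5.3, so here is an added example (not code from Airespace or from this document) that shows both on the wire: it builds a RADIUS Access-Accept carrying Airespace VSAs with the vendor id 14179 and the attribute numbers listed above, authenticates it with the shared secret exactly as RFC 2865 specifies, and then verifies and decodes it the way the WLAN switch would. The secret, request identifier, request authenticator and the numeric QoS value are all constructed placeholders; the mapping of the 30-minute "Restrict maximum session" setting to the standard Session-Timeout attribute (27) is an assumption about how IAS expresses it.

```python
import hashlib
import hmac
import struct

# Vendor id and vendor-type numbers are the ones given in this document.
AIRESPACE_VENDOR_ID = 14179
AAA_ATT_QOS_LEVEL = 2
AAA_ATT_8021P_TYPE = 4
AAA_ATT_VLAN_INTERFACE_NAME = 5

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
RADIUS_SESSION_TIMEOUT = 27   # RFC 2865 section 5.27 (assumed carrier of the 30-minute limit)
ACCESS_ACCEPT = 2


def _value_bytes(value):
    """RADIUS integers are 4-byte big-endian; strings are sent as raw UTF-8."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, int):
        return struct.pack("!I", value)
    return value.encode("utf-8")


def attribute(attr_type, value):
    """Standard attribute: Type, Length (counting this 2-byte header), Value."""
    body = _value_bytes(value)
    return bytes([attr_type, 2 + len(body)]) + body


def airespace_vsa(vendor_type, value):
    """Vendor-Specific attribute: Type 26, Length, Vendor-Id (4 bytes), then one
    vendor sub-attribute of Vendor-Type, Vendor-Length, Value."""
    body = _value_bytes(value)
    sub = bytes([vendor_type, 2 + len(body)]) + body
    return attribute(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + sub)


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Server side. Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret); the secret is the Server Secret
    typed into the IAS client entry for this switch."""
    attrs_bytes = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs_bytes))
    resp_auth = hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()
    return header + resp_auth + attrs_bytes


def verify_response(packet, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator with the locally configured
    RADIUS secret. A secret mismatch between switch and IAS, or a reply that did not
    come from the real server, fails this check and the attributes are not applied."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs_bytes = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def iter_attributes(packet):
    """Yield (type, value) pairs, rejecting malformed lengths instead of looping."""
    data = packet[20:]
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[2:length]
        data = data[length:]


def parse_airespace_vsas(packet):
    """Return {vendor_type: raw value bytes} for every Airespace (14179) sub-attribute."""
    found = {}
    for attr_type, value in iter_attributes(packet):
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue                      # some other vendor's VSA; ignore it
        sub = value[4:]
        while sub:
            if len(sub) < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found[vtype] = sub[2:vlen]
            sub = sub[vlen:]
    return found


def demo():
    """Constructed end-to-end run: IAS answers a PEAP user in the vlan20 group."""
    secret = b"constructed-shared-secret"      # constructed; never reuse a sample secret
    request_authenticator = bytes(range(16))   # constructed; normally random per request
    packet = build_access_accept(
        identifier=7, request_authenticator=request_authenticator, secret=secret,
        attrs=[
            attribute(RADIUS_SESSION_TIMEOUT, 30 * 60),            # the 30-minute limit
            airespace_vsa(AAA_ATT_VLAN_INTERFACE_NAME, "vlan20"),  # interface from the example
            airespace_vsa(AAA_ATT_QOS_LEVEL, 1),                   # constructed level value
        ])
    return packet, request_authenticator, secret


if __name__ == "__main__":
    pkt, ra, sec = demo()
    print("authentic:", verify_response(pkt, ra, sec))
    print("vsas:", parse_airespace_vsas(pkt))
```

Running the file shows the reply verifying under the correct secret and the decoded VSA map with vendor-type 5 set to `vlan20`; changing the secret on one side makes `verify_response` return False, which is the symptom you see in practice when the Server Secret in IAS and the RADIUS Secret on the switch disagree.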
Your Windows 2000 Server is now fully configured and set to use for your Demos.