The RADIUS server and the workstations require a server certificate; one can be generated with SelfSSL, which is obtained from the IIS Resource Kit.
How To Install:
- Download IIS 6.0 Resource Kit Tools (requires Windows Server 2003, Windows XP)
- Install the resource kit (If you want hand-holding through these steps, read these instructions with screenshots by Jonathan Maltz)
- From the Windows Start Menu, go to the "\Programs\IIS Resources\SelfSSL" folder and select "SelfSSL".
- Instructions will be listed in a command prompt. Type "selfssl" to run the program.
- Type "y" to confirm overwriting/installing the certificate on the given site.
- Test that it worked by visiting https://localhost/.
Additional instructions are available from the following blog.
We are going to manage the wireless connection at the workstations via Microsoft Group Policies.
"Wireless and wired clients running Microsoft® Windows Vista™ or Windows Server 2008 and wired clients running Windows XP with Service Pack 3 support enhancements that can be configured through Group Policy settings that are supported by domain controllers running Windows Server® 2008. To support these enhancements for an Active Directory® directory service environment consisting of domain controllers running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended."
Use the following guide to extend the schema:
Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy
Edit the Group Policy using Group Policy Management Console.
- Create a Group Policy Object for the computers you want to configure for wireless access (e.g. called Wireless workstation settings).
- Edit the Group Policy Object.
- Expand Computer Configuration, Policies, Windows Settings, Security Settings.
- Select Wireless Network (IEEE 802.11) Policies.
- Right-click in the right-hand pane and select Create a new Wireless Policy.
- Enter an appropriate name and description, and tick Use Windows WLAN AutoConfig service for clients.
- Click Add, then select Infrastructure.
- In Profile name enter an appropriate name and the correct SSID.
- Tick Connect automatically when this network is in range, and tick Connect even if the network is not broadcasting.
- Click the Security tab.
- In Authentication select WPA-Enterprise.
- In Encryption select TKIP.
- In Select a network authentication method select Microsoft: Protected EAP (PEAP).
- Click Properties.
- Tick Validate server certificate.
- In Trusted Root Certification Authorities select your certificate (ensure it has been installed).
- In Select Authentication Method select Secured password (EAP-MSCHAP v2).
- Click Configure and, under When connecting, ensure Automatically use my Windows logon... is selected. Click OK, then click OK on Protected EAP Properties.
- In Authentication Mode select User re-authentication.
- Set Max Authentication Failures to 3.
- Tick Cache user information.
- Click Advanced.
- Ensure Enforce advanced 802.1X settings is not selected.
- Tick Enable Single Sign On.
- Select Perform immediately before User Logon.
- Set Max delay for connectivity to 30.
- Tick Allow additional dialogs to be displayed. Click OK, then click OK to close Wireless network properties.
- In the Network Permissions tab, ensure the correct Network Name and network type are set with the permission set to Allow.
- Tick Allow user to view denied networks and Allow everyone to create all user profiles, then click OK.
- Add the Group Policy object to the appropriate workstations.
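Once the policy has applied, it is worth confirming on a workstation that the profile the supplicant actually holds matches the settings above, in particular that server certificate validation is on (without it a client will hand its MSCHAPv2 credentials to any access point announcing the SSID). The following PowerShell is an added example, not code from the original post: it exports the applied profile with netsh wlan and reads the settings back out of the XML. The profile name is a placeholder, and the element names are taken from the standard netsh wlan profile and EapHostConfig export schema as I understand it, so treat them as assumptions and compare against your own export if a lookup comes back empty.

```powershell
# Added example: verify the wireless profile a workstation received from Group Policy.
# Assumes Windows Vista or later (netsh wlan) and a profile named like the policy entry.

function Test-WirelessProfile([string]$ProfileName = 'Corporate-WLAN') {   # placeholder name
    $outDir = Join-Path $env:TEMP 'wlan-profile-check'
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    Remove-Item (Join-Path $outDir '*.xml') -ErrorAction SilentlyContinue

    # Exports "<interface>-<profile>.xml"; no key material is needed for an 802.1X profile.
    netsh wlan export profile name="$ProfileName" folder="$outDir" | Out-Null
    $file = Get-ChildItem $outDir -Filter '*.xml' | Select-Object -First 1
    if (-not $file) { throw "Profile '$ProfileName' was not exported; has the policy applied?" }
    [xml]$xml = Get-Content $file.FullName

    # Namespace-agnostic XPath so one helper works for both the WLAN and the EAP parts.
    function Get-Text([string]$XPath) {
        $node = $xml.SelectSingleNode($XPath)
        if ($node) { $node.InnerText.Trim() } else { $null }
    }

    $settings = [ordered]@{
        SSID              = Get-Text "//*[local-name()='SSID']/*[local-name()='name']"
        NonBroadcast      = Get-Text "//*[local-name()='nonBroadcast']"
        ConnectionMode    = Get-Text "//*[local-name()='connectionMode']"
        Authentication    = Get-Text "//*[local-name()='authentication']"
        Encryption        = Get-Text "//*[local-name()='encryption']"
        UseOneX           = Get-Text "//*[local-name()='useOneX']"
        AuthMode          = Get-Text "//*[local-name()='authMode']"
        OuterEapType      = Get-Text "//*[local-name()='EapMethod']/*[local-name()='Type']"
        InnerEapType      = Get-Text "//*[local-name()='EapType']/*[local-name()='Eap']/*[local-name()='Type']"
        ServerValidation  = Get-Text "//*[local-name()='PerformServerValidation']"
        TrustedRootCA     = Get-Text "//*[local-name()='TrustedRootCA']"
    }

    # Findings are written from a defender's view: each one is a setting that weakens
    # what the policy above intends (PEAP with a validated server certificate).
    $findings = @()
    if ($settings.Authentication -notin @('WPA', 'WPA2')) {
        $findings += "authentication is '$($settings.Authentication)', expected WPA-Enterprise"
    }
    if ($settings.Encryption -eq 'TKIP') {
        # The post selects TKIP; flagging it is my recommendation, not the post's: TKIP is
        # deprecated and AES (CCMP) is the current choice where the access points support it.
        $findings += 'encryption is TKIP; consider AES if the infrastructure allows it'
    }
    if ($settings.UseOneX -ne 'true')      { $findings += '802.1X is not enabled on the profile' }
    if ($settings.OuterEapType -ne '25')   { $findings += "outer EAP type is $($settings.OuterEapType), expected 25 (PEAP)" }
    if ($settings.InnerEapType -ne '26')   { $findings += "inner EAP type is $($settings.InnerEapType), expected 26 (MSCHAPv2)" }
    if ($settings.ServerValidation -and $settings.ServerValidation -ne 'true') {
        $findings += 'Validate server certificate is OFF: clients would authenticate to a rogue AP'
    }
    if (-not $settings.TrustedRootCA) {
        $findings += 'no trusted root CA pinned; any certificate trusted by the machine would be accepted'
    }

    [pscustomobject]@{
        Settings = [pscustomobject]$settings
        Findings = $findings
        Ok       = ($findings.Count -eq 0)
    }
}

$report = Test-WirelessProfile -ProfileName 'Corporate-WLAN'
$report.Settings | Format-List
if ($report.Ok) { Write-Host 'Profile matches the expected PEAP configuration.' }
else            { $report.Findings | ForEach-Object { Write-Warning $_ } }
```

Run it in an elevated prompt on a domain-joined workstation after a gpupdate; a missing export usually means the policy has not reached the machine or the profile name differs from the one in the GPO. The TrustedRootCA value, when present, is the thumbprint of the certificate chosen under Trusted Root Certification Authorities, so it can be compared directly with the certificate generated on the server.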
On each workstation the certificate must be installed into the Trusted Root Certification Authorities store.
On the workstation, open the MMC, add the Certificates snap-in, and import the manually created certificate.
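Because SelfSSL produces a self-signed certificate, there is no CA chain for the workstation to build; the PEAP client only accepts the server once that exact certificate sits in its Trusted Root store, which is why the manual import above is needed. The following PowerShell is an added example, not code from the original post: on the server it locates the SelfSSL certificate, checks the properties a Windows PEAP client expects, and exports just the public part; on the workstation it imports that file into Trusted Root after comparing the thumbprint with the one noted on the server. The file path, the expectation that SelfSSL placed the certificate in LocalMachine\My, and the function names are assumptions.

```powershell
# Added example: export the SelfSSL server certificate and install it as a trusted root
# on a workstation. Uses only .NET X509 classes so it also runs on older PowerShell.

$exportPath = 'C:\Temp\radius-server.cer'   # placeholder path

function Get-SelfSslServerCert {
    # SelfSSL issues a self-signed certificate, so Subject equals Issuer.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-PeapServerCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $problems = @()
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    if (-not $Cert.HasPrivateKey)      { $problems += 'no private key; the server cannot use it' }
    # Windows PEAP clients require the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }
    return $problems
}

# --- on the RADIUS/IIS server ---
$cert = Get-SelfSslServerCert
if (-not $cert) { throw 'No self-signed certificate with a private key found in LocalMachine\My' }
$problems = Test-PeapServerCert $cert
if ($problems) { Write-Warning ("Certificate {0}: {1}" -f $cert.Thumbprint, ($problems -join '; ')) }

# Export the public certificate only (DER). The private key never leaves the server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)
Write-Host "Exported '$($cert.Subject)' with thumbprint $($cert.Thumbprint) to $exportPath"
Write-Host 'Note the thumbprint; the workstation import checks the file against it.'

# --- on each workstation (copy the .cer file there first) ---
function Install-TrustedRoot([string]$Path, [string]$ExpectedThumbprint) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A trusted root is a powerful thing to add: verify it is the certificate from the
    # server and not a file substituted in transit.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($c.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($c.Thumbprint), expected $expected"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')          # requires an elevated prompt
    try { $store.Add($c) } finally { $store.Close() }
    return $c.Thumbprint
}
# Install-TrustedRoot -Path 'C:\Temp\radius-server.cer' -ExpectedThumbprint '<thumbprint from server>'
```

The store name 'Root' under LocalMachine is the Trusted Root Certification Authorities container that the MMC Certificates snap-in shows for the computer account; adding to it under the current user instead would trust the server only for that one user's profile.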
Links:
The Cable Guy - Wireless Group Policy Settings for Windows Vista