IAS with Wireless in AD Network

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.ras_routing,microsoft.public.windows.server.active_directory (More info?)

I have a small company which I do work for...I would like do the following:

- Windows 2003 Std
- Linksys 54G - several (I would like all of these to authneticate as
RADISU clients against Windows 2003 IAS)
- XP SP2 clients


Requirements:
--------------

(1) Have IAS centralize the wireless authentication (IAS performs the
authentication into the network against AD); if not the right account - no
entry

(2) Those authenticating must supply username/password against AD (for
their account)

(3) I do NOT want to deploy Certificates at all - please don't try to
change my mind - actually management

(4) Has to be secure enough (wireless); I know havibg cets services is most
secured, but not an option


Question:
---------

What meets these criterias?



Thanks.

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.ras_routing,microsoft.public.windows.server.active_directory (More info?)

I have this setup on my home network with SBS2003. The WAP54G just needs to
be configured for RADIUS and I turned on WPA-AES. Works like a charm. If
they don't supply a UID/password that is on the domain they don't get
connected. No certificates needed.

"Herb Martin" wrote:

> "-->AL" <al@munce.com> wrote in message
> news:euY#GvTIFHA.904@tk2msftngp13.phx.gbl...
> > I have a small company which I do work for...I would like do the
> following:
> >
> > - Windows 2003 Std
> > - Linksys 54G - several (I would like all of these to authneticate as
> > RADISU clients against Windows 2003 IAS)
> > - XP SP2 clients
> >
> >
> > Requirements:
> > --------------
> >
> > (1) Have IAS centralize the wireless authentication (IAS performs the
> > authentication into the network against AD); if not the right account - no
> > entry
>
> That's easy IF the linksys supports being a RADIUS
> client -- install IAS as you have guessed and setup
> an IAS Profile (or use the default 24 hour everyone
> profile) to specify when they are allowed in.
>
> If you are in native mode you get better control of
> the access through IAS-RADIUS but that is not
> necessary.
>
> > (2) Those authenticating must supply username/password against AD (for
> > their account)
>
> That is part of the conversation from the RADIUS
> client (?Linksys) to the IAS to the DC.
>
> > (3) I do NOT want to deploy Certificates at all - please don't try to
> > change my mind - actually management
>
> Ok.
>
> > (4) Has to be secure enough (wireless); I know havibg cets services is
> most
> > secured, but not an option
>
> IAS-RADIUS doesn't secure data, but it can secure
> the authentication.
>
> > Question:
> > ---------
> >
> > What meets these criterias?
>
> IAS comes close or does it depending on your
> access point and your precise meaning of "Secure
> enough."
>
> > Thanks.
> >
> >
>
>
>

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.ras_routing,microsoft.public.windows.server.active_directory (More info?)

You need to add your access point as a RADIUS client in IAS. I configured a
remote access policy for wireless that requires all 802.11 connections
authenticate with IAS and I further locked it down to only include members of
a group I called WirelessAuthUsers. Now when the clients try to connect via
that access point they will require authentication.

"-->AL" wrote:

> How do you REQUIRE to supply entering the user name and password? For
> example, if the machine is not part of the domain, but you would like to use
> it just for Internet access - how do you get a prompt for a username and
> password?
>
> If you could elaborate more - that would be great - thanks.
>
>
> "Dave" <Dave@discussions.microsoft.com> wrote in message
> news:675E64DA-F94B-43A0-AAD8-43B378FD6EBE@microsoft.com...
> >I have this setup on my home network with SBS2003. The WAP54G just needs
> >to
> > be configured for RADIUS and I turned on WPA-AES. Works like a charm. If
> > they don't supply a UID/password that is on the domain they don't get
> > connected. No certificates needed.
> >
> > "Herb Martin" wrote:
> >
> >> "-->AL" <al@munce.com> wrote in message
> >> news:euY#GvTIFHA.904@tk2msftngp13.phx.gbl...
> >> > I have a small company which I do work for...I would like do the
> >> following:
> >> >
> >> > - Windows 2003 Std
> >> > - Linksys 54G - several (I would like all of these to authneticate as
> >> > RADISU clients against Windows 2003 IAS)
> >> > - XP SP2 clients
> >> >
> >> >
> >> > Requirements:
> >> > --------------
> >> >
> >> > (1) Have IAS centralize the wireless authentication (IAS performs the
> >> > authentication into the network against AD); if not the right account -
> >> > no
> >> > entry
> >>
> >> That's easy IF the linksys supports being a RADIUS
> >> client -- install IAS as you have guessed and setup
> >> an IAS Profile (or use the default 24 hour everyone
> >> profile) to specify when they are allowed in.
> >>
> >> If you are in native mode you get better control of
> >> the access through IAS-RADIUS but that is not
> >> necessary.
> >>
> >> > (2) Those authenticating must supply username/password against AD (for
> >> > their account)
> >>
> >> That is part of the conversation from the RADIUS
> >> client (?Linksys) to the IAS to the DC.
> >>
> >> > (3) I do NOT want to deploy Certificates at all - please don't try to
> >> > change my mind - actually management
> >>
> >> Ok.
> >>
> >> > (4) Has to be secure enough (wireless); I know havibg cets services is
> >> most
> >> > secured, but not an option
> >>
> >> IAS-RADIUS doesn't secure data, but it can secure
> >> the authentication.
> >>
> >> > Question:
> >> > ---------
> >> >
> >> > What meets these criterias?
> >>
> >> IAS comes close or does it depending on your
> >> access point and your precise meaning of "Secure
> >> enough."
> >>
> >> > Thanks.
> >> >
> >> >
> >>
> >>
> >>
>
>
>

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.win2000.ras_routing,microsoft.public.windows.server.active_directory (More info?)

That may be true as I only have Windows XP clients. I have not tried with
Win2k.

"Herb Martin" wrote:

> "Dave" <Dave@discussions.microsoft.com> wrote in message
> news:6EEA8FEA-E504-4CA8-830E-34F7F4264BAF@microsoft.com...
> > You need to add your access point as a RADIUS client in IAS. I configured
> a
> > remote access policy for wireless that requires all 802.11 connections
> > authenticate with IAS and I further locked it down to only include members
> of
> > a group I called WirelessAuthUsers. Now when the clients try to connect
> via
> > that access point they will require authentication.
>
> Don't the clients (generally) need to be at least
> XP also?
>
> XP has the required dialog boxes for configuring
> the wireless authentication but I don't belive that
> Win2000 has them.
>
> (Unless the wireless card driver/config program
> provides this feature.)
>
> --
> Herb Martin
>
>
> >
> > "-->AL" wrote:
> >
> > > How do you REQUIRE to supply entering the user name and password? For
> > > example, if the machine is not part of the domain, but you would like to
> use
> > > it just for Internet access - how do you get a prompt for a username and
> > > password?
> > >
> > > If you could elaborate more - that would be great - thanks.
> > >
> > >
> > > "Dave" <Dave@discussions.microsoft.com> wrote in message
> > > news:675E64DA-F94B-43A0-AAD8-43B378FD6EBE@microsoft.com...
> > > >I have this setup on my home network with SBS2003. The WAP54G just
> needs
> > > >to
> > > > be configured for RADIUS and I turned on WPA-AES. Works like a charm.
> If
> > > > they don't supply a UID/password that is on the domain they don't get
> > > > connected. No certificates needed.
> > > >
> > > > "Herb Martin" wrote:
> > > >
> > > >> "-->AL" <al@munce.com> wrote in message
> > > >> news:euY#GvTIFHA.904@tk2msftngp13.phx.gbl...
> > > >> > I have a small company which I do work for...I would like do the
> > > >> following:
> > > >> >
> > > >> > - Windows 2003 Std
> > > >> > - Linksys 54G - several (I would like all of these to authneticate
> as
> > > >> > RADISU clients against Windows 2003 IAS)
> > > >> > - XP SP2 clients
> > > >> >
> > > >> >
> > > >> > Requirements:
> > > >> > --------------
> > > >> >
> > > >> > (1) Have IAS centralize the wireless authentication (IAS performs
> the
> > > >> > authentication into the network against AD); if not the right
> account -
> > > >> > no
> > > >> > entry
> > > >>
> > > >> That's easy IF the linksys supports being a RADIUS
> > > >> client -- install IAS as you have guessed and setup
> > > >> an IAS Profile (or use the default 24 hour everyone
> > > >> profile) to specify when they are allowed in.
> > > >>
> > > >> If you are in native mode you get better control of
> > > >> the access through IAS-RADIUS but that is not
> > > >> necessary.
> > > >>
> > > >> > (2) Those authenticating must supply username/password against AD
> (for
> > > >> > their account)
> > > >>
> > > >> That is part of the conversation from the RADIUS
> > > >> client (?Linksys) to the IAS to the DC.
> > > >>
> > > >> > (3) I do NOT want to deploy Certificates at all - please don't try
> to
> > > >> > change my mind - actually management
> > > >>
> > > >> Ok.
> > > >>
> > > >> > (4) Has to be secure enough (wireless); I know havibg cets
> services is
> > > >> most
> > > >> > secured, but not an option
> > > >>
> > > >> IAS-RADIUS doesn't secure data, but it can secure
> > > >> the authentication.
> > > >>
> > > >> > Question:
> > > >> > ---------
> > > >> >
> > > >> > What meets these criterias?
> > > >>
> > > >> IAS comes close or does it depending on your
> > > >> access point and your precise meaning of "Secure
> > > >> enough."
> > > >>
> > > >> > Thanks.
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >>
> > >
> > >
> > >
>
>
>