Configure IAS and the APs
Now that you've configured your wireless clients, you're ready to configure your IAS server and APs. On the IAS server, you need to define a remote access policy that links WLAN authentication requests to a requirement for certificate-based 802.1x authentication. You also need to create RADIUS client records for each of the APs on your WLAN. To create the remote access policy, open the MMC Internet Authentication Service snap-in and select the Remote Access Policies folder. Right-click in the details pane and select New Remote Access Policy. Click Next on the first page of the New Remote Access Policy Wizard. On the next page, select Use the wizard to set up a typical policy for a common scenario, enter WLAN Access for Domain Computers as the name of the remote access policy, and click Next. On the Access Method page, select Wireless to set up the remote access policy with the necessary RADIUS criteria to recognize WLAN authentication requests and apply this policy to those requests. Click Next.
On the User or Group Access page, you define which computers can connect to the WLAN. Select Group and add the STO\Domain Computers group. STO\Domain Computers includes all computers in the domain. You could use a less inclusive group, but don't forget that you're also going to add a certificate requirement, so when you're finished, only computers that are members of STO\Domain Computers and have a certificate trusted by the IAS server will be able to connect. Click Next. At the Authentication Methods page, you can choose from Protected EAP (PEAP) or Smart Card or other certificate; select the latter and click Configure. In the Smart Card or other Certificate Properties dialog box, you can choose which certificate the IAS server will use to authenticate itself to the client. Select the certificate that your CA issued to the IAS server, and click OK. Back in the wizard, click Next, which brings you to a page that summarizes the remote access policy's details, as Figure 2 shows. Click Finish.
Next you need to configure the RADIUS client records for your APs so that IAS will recognize them. Still in the Internet Authentication Service snap-in, right-click RADIUS Clients and select New, RADIUS Client. In the New RADIUS Client wizard, enter a friendly name for one of your APs and its IP or DNS address. For this example, I'll call the AP First Floor East and give it the IP address 192.168.100.3. Click Next. On the Additional Information page, select RADIUS Standard as the Client-Vendor. The other information you need to enter on this page is a secret to be shared by the IAS server and the AP. Using this secret, the two systems will be able to authenticate to each other and encrypt data sent between them. Enter the same long, complex string of characters in both the Shared secret and Confirm shared secret fields, and remember or write down the secret for when you configure the AP. Select the Request must contain the Message Authenticator attribute check box, which causes the IAS server to require the AP to use the shared secret, and click Finish. Repeat this process (with different friendly names and addresses) for the other APs.
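The check that the Request must contain the Message Authenticator attribute setting turns on, as an added example that is not from the original article: it builds a RADIUS Access-Request as the First Floor East AP would send it and verifies the packet's Message-Authenticator, which is an HMAC-MD5 keyed with the shared secret (RFC 3579), so a request from a device that doesn't know the secret, or a request that was altered in transit, is rejected. The secret, the User-Name value and the fixed Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80  # attribute types (RFC 2865, RFC 3579)

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(identifier, req_auth, attributes, secret):
    """Build an Access-Request carrying a correct Message-Authenticator (RFC 3579, section 3.2)."""
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute value zeroed.
    attrs = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_message_authenticator(packet, secret):
    """Check a packet the way a RADIUS server that requires the attribute does."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # truncated packet or inconsistent Length field
    attrs, pos, found = packet[20:], 0, None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = pos
        pos += alen
    if found is None:
        return False  # attribute missing: reject, as the IAS setting demands
    zeroed = attrs[:found + 2] + bytes(16) + attrs[found + 18:]
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[found + 2:found + 18])

# Constructed sample: the "First Floor East" AP (192.168.100.3) sending an Access-Request.
SECRET = b"example-shared-secret-placeholder"  # placeholder, not a real secret
REQ_AUTH = bytes(range(16))  # fixed constructed Request Authenticator (normally random per request)
SAMPLE_ATTRS = attr(USER_NAME, b"host/pc01.sto.example") + attr(NAS_IP_ADDRESS, bytes([192, 168, 100, 3]))

def demo_packet():
    return build_access_request(7, REQ_AUTH, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    pkt = demo_packet()
    print("correct secret:", verify_message_authenticator(pkt, SECRET))
    print("wrong secret:  ", verify_message_authenticator(pkt, b"wrong"))
```

The shared secret authenticates the exchange; plain RADIUS obfuscates only the User-Password attribute with it rather than encrypting the whole packet, so keep the IAS-to-AP path on a trusted network segment.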
The final setup step is to configure your APs to communicate with IAS via RADIUS and to require 802.1x authentication from wireless clients. Most AP vendors provide a tiny Web server on their APs so that you can configure them from a Web browser on your workstation. Each AP's configuration pages will look a little different, but they all require the same basic settings for enabling 802.1x. On your AP, find the page that lets you enable 802.1x authentication. Next, enter the IP address of your IAS server and the shared secret. If the AP asks for a port number, enter 1812. Your AP might also let you enter a second RADIUS server, if available, for fault-tolerance purposes. Finally, configure the AP with the appropriate SSID.
Test Case
Now that everything is set up, it's time to test. First, test WLAN connectivity using a legitimate client--a computer that has the appropriate wireless network policy and a computer certificate from the CA. The computer should connect to the WLAN automatically, and a balloon should appear in the lower right corner of the desktop to indicate a wireless connection. Next, try connecting to the WLAN with an unauthorized client. Make sure the WLAN blocks it. You could also obtain a WLAN sniffer and confirm that your WLAN traffic is indeed encrypted.
If you run into any problems, you can diagnose them from the wireless client, the AP, or the IAS server. On the client, check the System and Security logs for certificate-related error messages. Most APs have a logging feature that you can use for tracking down authentication problems between the client and IAS or RADIUS problems between the AP and IAS. On the IAS server, you can look for errors in the System log as well as in the IAS log at C:\windows\system32\logfiles. The IAS log isn't very readable, but Iasparse does a great job of producing readable reports from the IAS log. To find out more about IAS logging and Iasparse, see "Activating the IAS Log," December 2003, InstantDoc 40571.