How To Install 802.1x Authentication Using Windows Server 2003

In an age where WEP encryption just isn’t going to cut it for those wanting to break into your wireless network, WPA offers a great alternative to closing the gap on wireless security. In this article we will discuss how to setup 802.1x using Windows Server 2003 and RADIUS.

Prerequisites:

  • Familiarization with the Windows Operating System.
  • Installation of Windows Server 2003 Enterprise Edition
  • Installation of Active Directory, DNS, DHCP, IIS, and Routing and Remote Access
  • Wireless Access Point that supports RADIUS.
  • Create a non-administrator Active Directory account
  • Wireless Network Interface Card that supports WPA.
  • Windows Server 2003 Installation CD or Installation Files

Once you have fulfilled the necessary requirements, boot your Win2k3 machine, and log into the Administrator account. Get into the Add Remove Programs Control Panel Applet. In the left hand pane, click on “Add/Remove Windows Components”.

The Windows Components Wizard will load, now put a check mark in the “Certificate Services” checkbox. It will give you a warning about installing certificate services and changing the domain/computer name. Just click yes.

Next, scroll down and find the box called “Networking Services”. Highlight this selection and click the details button. A new window will pop-up and put a check mark in the “Internet Authentication Service” in the check box.

Make sure that you have a Windows Server 2003 disc handy just in case it is needed for the services installation. Click OK, then click the Next > button. You will be presented with a window like this:

Make sure that the “Enterprise root CA” is selected. If you haven’t logged in as Administrator (logging in as a member of the administrators group is not sufficient) or haven’t installed Active Directory, the enterprise options will be disabled. Leave all other options unchecked and click Next >.

The next screen will ask for the common name for the CA. Any name will do. Click Next >. The computer will then generate a cryptographic key and you will be asked where the Certificate Database will be stored and its corresponding log. Leave the defaults and click Next >.

You will receive a notification that in order to complete the installation, IIS must be temporarily be stopped. This is because Certificate Services installs a web module that allows people to apply for and receive a certificate. Go ahead and click “Yes”. Depending on the speed of your machine, it may take several minutes for the installation to take place.

About half way through copying files, the computer may ask you to enable Active Server Pages (ASPs). It explains the possibility of a security risk, but since we want to simplify the issuance of certificates for demonstrative purposes, go ahead and click “Yes”. When the installation is complete go ahead and click “Finish”.

Congratulations! You have installed all the necessary software to start issuing certificates. Now, we need to configure that software to be able to validate identities of those who are authorized to connect to the wireless network.

To begin, we need to create a group of users that are allowed to use the resource. Theoretically we could just assign individual people to have access, but in an enterprise environment, groups are easier to manage than individual accounts.

To manage accounts, click Start -> Administrative Tools -> Active Directory Users and Computers. Expand the server tree and find the folder marked “Users”. Right click on that folder and select “New” and click “Group”. You will be prompted to type in a name. Any name will do, but let’s call it “Wireless Access”. Make sure the “Group Scope” is set to “Global”, and the “Group type” is set to “Security”. When finished, click “OK”.

Now that we have created the group, we need to assign users to that group. If you haven’t already created a few user accounts, do so now. When ready, right click a user and select “Properties”. Find the “Member Of” tab and click it. This will show what groups the user belongs to. Click the “Add…” button and type in “Wireless Access” or whatever you decided to call your wireless group. Once you see that they are now apart of that group, click “Apply”. We will need to change some more options later, so remember how we got to the users properties.

Setup the Certificate Authority

Here comes the fun part. Pull up Internet Explorer on the server and navigate to the following address: http://127.0.0.1/certsrv. This will load the Certificate Services web page to be able to apply for a certificate. There are two things that we need from this site. Click on the first link called “Request a Certificate”, then “User Certificate”. No further information is needed from the service, so click on “Submit >”. A warning will pop up warning you that the web site is requesting a certificate on your behalf. Go ahead and click “Yes”. Go ahead and click the link “Install this certificate”. Another warning will popup, but go ahead and click “Yes”.

Now, go ahead and click on the “Home” link on the top right hand corner. Now click the link “Download a CA certificate, certificate chain, or CRL”. Click in the link called “install this CA certificate chain”. Click “Yes” to the warning box that pops up. Now that we’ve done this, the server is now certified to be handling requests.

Posted on Nov 9
Written by Wayne Hartman