Review RADIUS and IAS concepts.

IAS Overview; Understanding IAS

Review IAS implementation best practices.

IAS Best Practices

Review IAS security issues.

Security information for IAS

If you are using certificates to authenticate wireless clients, install a computer certificate on the IAS server computers.

Computer certificates for certificate-based authentication

Install IAS on the servers to be used as primary and backup IAS servers.

Install IAS

Configure the properties of the primary IAS server, including the ports used and event log settings.

Configure IAS Properties

Configure logging methods for user authentication and accounting requests.

Configure Logging for User Authentication and Accounting

Add the wireless access points as RADIUS clients on the primary IAS server.

Add RADIUS clients

Use the New Remote Access Policy Wizard to create a common policy for wireless access.

Add a remote access policy

If you are using secure password authentication through Protected Extensible Authentication Protocol (PEAP), also called PEAP-EAP-MS-CHAP v2, configure authentication methods for the remote access policy.

Configure PEAP and EAP methods; PEAP

If you want client and server certificate authentication using Protected Extensible Authentication Protocol (PEAP), also called PEAP-EAP-TLS, configure authentication methods for the remote access policy.

Configure PEAP and EAP methods; PEAP

If you want client and server certificate authentication using PEAP-EAP-TLS, install a certificate on the wireless client from floppy disk, or deploy smart cards.

Checklist: Installing a user certificate from floppy disk on a wireless client; Checklist: Deploying smart cards for logging on to Windows; PEAP; Network access authentication and certificates

If you are using certificate authentication with EAP-TLS and initially installing a user certificate on your wireless clients over a wireless connection, enable guest authentication.

Guest authentication

If you are using certificate authentication with EAP-TLS and initially installing a user certificate on your wireless clients over a wireless connection, create a group named Guests and add the Guest account as a member.

Create a new group; Add a member to a group

If you are using certificate authentication with EAP-TLS and initially installing a user certificate on your wireless clients over a wireless connection, use the New Remote Access Policy Wizard to create a custom policy for new wireless clients (clients that do not have user certificates). Set the NAS-Port-Type condition to Wireless-IEEE 802.11 and Wireless-Other, and the Windows-Groups condition to Guests. On the Dial-in Constraints tab of the profile, restrict the maximum session time to 10 minutes. On the Advanced tab of the profile, add the Tunnel-Type attribute with the value of Virtual LANs (VLAN), and then add the Tunnel-Pvt-Group-ID attribute with the VLAN ID value that corresponds to guest wireless clients.

Add a remote access policy

Copy the IAS configuration from the primary IAS server to the backup IAS server.

Copy the IAS configuration to another server

Register the primary and backup IAS servers in the appropriate Active Directory domains.

Enable the IAS server to read user accounts in Active Directory

Verify the configuration of the wireless access points. Ensure that the RADIUS servers used for authentication and accounting for the wireless access point are the IAS server computers.

Manufacturer's documentation

Optional. Install a user certificate on wireless clients over a wireless connection.

Checklist: Installing a user certificate on a wireless client over a wireless connection

Optional. Install user certificates on wireless clients over an unauthenticated Ethernet connection.

Checklist: Installing a user certificate on a wireless client over an unauthenticated Ethernet connection

Optional. Install user certificates from floppy disk on wireless clients.

Checklist: Installing a user certificate from floppy disk on a wireless client