Outsourced wireless access

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Outsourced wireless access

This topic describes how IAS is used by both an outsourced wireless provider and an organization to outsource wireless Internet access. The wireless service provider offers remote wireless access points in locations such as airports. Employees of an organization can use these points to access the Internet. The wireless service provider forwards the access request of a client to an IAS server in the organization. The IAS server provides authentication and authorization. The wireless service provider determines the employee’s organization from the realm name portion of the employee's user name during the authentication process. This enables the service provider to bill the organization for the employee’s use of the wireless connection.

This topic describes a configuration for an organization that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication, authorization, and accounting. If only one RADIUS server is configured and it becomes unavailable, outsourced wireless clients cannot connect. By using two IAS servers, the IAS proxies in the wireless service provider's network can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server. The IAS servers are placed in the perimeter network.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints.

  • A certificate infrastructure.

    The Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol is used to authenticate wireless clients with locally installed user certificates.

  • A wireless remote access policy.

    A common remote access policy is configured so that authenticated wireless users can access the Internet.

This topic also describes a configuration for a wireless service provider that uses:

  • Two IAS proxies in the wireless service provider's network.

    The wireless service provider uses RADIUS proxies in its network to forward RADIUS request messages between the wireless access points and the RADIUS servers. Two IAS proxies are used to provide fault tolerance for RADIUS authentication.

  • Multiple wireless access points.

    Third-party wireless access points provide wireless access in different airports.

The following illustration shows the outsourced wireless configuration.

Internet printing process overview

Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory domains, the certificate infrastructure, or the wireless access points. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS for this example, complete the following steps:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server in the perimeter network.

  • Configure the secondary IAS server in the perimeter network.

  • Configure the Internet firewall to support RADIUS traffic.

  • Configure the primary IAS proxy at the service provider.

  • Configure the secondary IAS proxy at the service provider.

  • Configure RADIUS accounting and authentication on the wireless access points at the service provider.

Configuring user accounts and groups

To configure user accounts and groups, do the following:

  1. Ensure that all users that are making remote access connections have a corresponding user account.

  2. If you want to manage access by group, ensure that all user accounts are configured with the Control access through Remote Access Policy remote access permission. For more information, see Configure remote access permission for a user.

  3. Organize your wireless access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For example, create a universal group named WirelessUsers that contains global groups of wireless user accounts. For more information, see Group scope.

Configuring the primary IAS server in the perimeter network

To configure the primary IAS server in the perimeter network, do the following:

  1. On a computer runningWindows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the perimeter network; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server.

  2. Configure the IAS server computer to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the IAS server is authenticating connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, see Authentication across forests.

  4. Enable file logging for accounting and authentication events. For more information, see Configure log file properties.

  5. If needed, configure additional UDP ports for RADIUS messages that are sent by the wireless service provider's RADIUS proxies. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  6. Add the service provider's RADIUS proxies as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  7. Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:

    • Policy name: Wireless access

    • Access Method: Wireless access

    • User or Group: Select Group, and then specify the WirelessUsers group (example).

    • Authentication methods: Select Smart Card or other Certificate. If you have multiple computer certificates, click Configure, and then select the appropriate computer certificate.

    • Policy encryption level: Clear the Basic encryption (MPPE 40-bit) and Basic encryption (MPPE 56-bit) check boxes.

      For additional examples of remote access policies, see Remote Access Policies Examples.

  8. Delete the default remote access policies, or ensure that they are the last policies to be evaluated. For more information, see Delete a remote access policy and Change the policy evaluation order.

Configuring the secondary IAS server in the perimeter network

To configure the secondary IAS server on another computer in the perimeter network, do the following:

  1. On another computer runningWindows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the perimeter network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the secondary IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the secondary IAS server is authenticating connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, see Authentication across forests.

  4. Copy the configuration of the primary IAS proxy to the secondary IAS proxy in the perimeter network. For more information, see Copy the IAS configuration to another server.

Configuring the Internet firewall to support RADIUS traffic

To configure the Internet firewall to support RADIUS traffic, do the following:

  1. Configure the Internet firewall to allow RADIUS traffic between the IAS servers in the perimeter network and the IAS proxies in the wireless service provider's network.

    For more information, see IAS and firewalls.

Configuring the primary IAS proxy at the service provider

To configure the primary IAS proxy at the service provider, do the following:

  1. On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the wireless service provider's network; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server.

  2. If needed, configure additional UDP ports for authentication and accounting messages that are sent by the wireless service provider's access points. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  3. Add the wireless service provider's access points as RADIUS clients of the IAS proxy. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  4. Create a connection request policy that forwards RADIUS request messages based on the realm name of the wireless service provider's customer.

    Use the New Connection Request Policy Wizard to create a connection request policy that forwards connection requests to a remote RADIUS server group for authentication and where the user name matches the realm name for the customer's organization. In the New Connection Request Policy Wizard, use the New Remote RADIUS server Group Wizard to create a remote RADIUS server group with members that include the two IAS servers in the customer's perimeter network.

    For more information, see Add a connection request policy.

  5. Delete the default connection request policy named Use Windows authentication for all users. For more information, see Delete a connection request policy.

Configuring the secondary IAS proxy at the service provider

To configure the secondary IAS proxy on another computer in the perimeter network, do the following:

  1. On another computer runningWindows Server 2003, Standard Edition; Windows Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the wireless service provider network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Copy the configuration of the primary IAS proxy to the secondary IAS proxy in the wireless service provider's network. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS accounting and authentication on the wireless access points at the service provider

Configure each wireless access point as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers). For more information, see the documentation for the wireless access point.