Wireless access example

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Wireless access example

In this example, the network administrator is managing authorization by using groups. All user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.

The network administrator requires that all IEEE 802.11 wireless clients (members of the WirelessClients group) use certificate-based authentication through the EAP-TLS authentication protocol and 128-bit encryption. Wireless clients that do not have a user certificate installed are placed on a specific virtual local area network (VLAN) from which they can obtain a user certificate. This unauthenticated connection lasts for 10 minutes.

In this case, two policies are needed:

1. A policy that requires wireless connections to use EAP-TLS.

2. A policy that accepts unauthenticated wireless connections and configures the wireless access point for a VLAN with an ID of 3. VLAN 3 contains a certificate server from which the wireless client can obtain a user certificate.

After remote access permission is set for all user accounts, the administrator completes the following steps:

1. Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:

   • Policy name: Wireless access

   • Access Method: Wireless access

   • User or Group: Select Group, and then specify the WirelessClients group (example).

   • Authentication methods: Select Smart Card or other Certificate.

   • Policy Encryption Level: Check the Strongest encryption (MPPE 128-bit) check box, and then clear all other check boxes.

2. Use the New Remote Access Policy Wizard to create a custom wireless policy with the following settings:

   • Policy name: First-time wireless access

   • Conditions: NAS-Port-Type matches Wireless-Other or Wireless-IEEE 802.11; Windows-Groups matches WirelessUsers; Authentication-Type matches Unauthenticated

   • Permission: Grant remote access permission

   • Profile settings, Dial-in Constraints tab: Select the Minutes client can be connected check box, and then type 10.

   • Profile settings, Advanced tab: Add the Tunnel-Type attribute with the value of Virtual LANs (VLAN); Add the Tunnel-Pvt-Group-ID attribute with the value of 3.

3. Delete the default policies.

   For more information, see Delete a remote access policy.

Notes

• For this example, a public key infrastructure (PKI) that has allocated the required computer certificate to the IAS server is being used. Additionally, the wireless access point is configured to use both an IAS server as its RADIUS server and EAP. For more information about wireless access deployment, see Checklist: Configuring the IAS server and wireless access points for wireless access.

• You can configure wireless connection policy so that wireless clients periodically reauthenticate. This ensures that the client Wired Equivalent Privacy (WEP) encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session timeout in your remote access policy or connection request policy for wireless connections (using the Session-Timeout attribute) to the required interval (for example, 10 minutes). Additionally, configure the Termination-Action attribute with the Attribute value set to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless access points might end the connection during reauthentication. For more information, see your hardware documentation.