Designing Support for Wireless Access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Wireless networking technology is becoming more widespread with the adoption of industry standards such as IEEE 802.11 and 802.11b. Wireless networking allows a user to roam around a building or campus and connect to the network automatically whenever the user is within range of a wireless access point (wireless AP).

You can use IAS to support wireless access in the following scenarios:

  • Wireless LAN access

  • Outsourced wireless access

Countering Wireless Security Risks

While providing convenience, wireless networking technologies and wireless APs represent the following security risks:

  • Anyone who has a compatible wireless network adapter can gain access to the network.

  • Wireless networking signals use radio waves to send and receive information. Anyone within range of a wireless access point can detect and receive all data sent to and from that access point.

IAS provides enhanced security for wireless access. To counter the first security risk, you can set up the wireless access point as a RADIUS client, and then configure it to send access requests and accounting messages to a central RADIUS server running IAS.

To counter the second security risk, you can encrypt the data sent between the wireless devices and the wireless access points. The authentication method used by the wireless client must be able to use encryption keys.

Special Considerations for Wireless Access

If you will be supporting wireless access, include the following elements in your design:

  • An authentication mechanism. With wireless access, you can use Protected Extensible Authentication Protocol (PEAP), EAP-TLS, or unauthenticated wireless access. For more information about PEAP, see "PEAP" in Help and Support Center for Windows Server 2003.

  • Certificates and a certification authority, if you are deploying authentication methods that use certificates on both the client and server, such as EAP-TLS. For more information, see "Integrate IAS with the Certificate Infrastructure" later in this chapter.

  • The Wireless-IEEE 802.11 and Wireless-Other port types for the NAS-Port-Type condition of remote access policies. By using these port types, you can create a separate remote access policy that contains connection parameters and encryption settings specifically designed for wireless devices.

  • The Ignore-User-Dialin-Properties attribute in the profile settings of a remote access policy. The dial-in properties of the user account are designed for clients dialing into an access server, not for clients connecting to a wireless port or authenticating switch. You can disable them on the remote access policy. For more information about profile settings, see "Dial-in properties of a user account" in Help and Support Center for Windows Server 2003.
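
The NAS-Port-Type condition from the list above, shown as an added example that is not part of the original documentation and is not IAS code: Python that parses a RADIUS Access-Request and checks whether its NAS-Port-Type (attribute 61 in RFC 2865) carries one of the two wireless values, 18 (Wireless-Other) or 19 (Wireless-IEEE 802.11). The function names are hypothetical and the packets are constructed samples, not captured traffic.

```python
import struct

# Constants from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
WIRELESS_PORT_TYPES = {18: "Wireless-Other", 19: "Wireless-IEEE 802.11"}


def build_access_request(identifier, authenticator, attrs):
    """Build a constructed Access-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return {type: [values]} after validating the header and every TLV length."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def match_wireless_policy(packet):
    """Return the port-type name if the wireless condition matches, else None."""
    values = parse_attributes(packet).get(ATTR_NAS_PORT_TYPE, [])
    if len(values) != 1 or len(values[0]) != 4:
        return None  # absent, duplicated or wrong-sized: do not treat as wireless
    return WIRELESS_PORT_TYPES.get(struct.unpack("!I", values[0])[0])


# Constructed sample requests: one from a wireless AP, one with port type 0 (Async)
AUTH = bytes(16)
WIFI_REQ = build_access_request(1, AUTH, [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_PORT_TYPE, struct.pack("!I", 19))])
DIAL_REQ = build_access_request(2, AUTH, [(ATTR_USER_NAME, b"bob"), (ATTR_NAS_PORT_TYPE, struct.pack("!I", 0))])
```

A request that does not match falls through to whatever other remote access policies exist, so the wireless-specific encryption settings apply only to requests whose access point reports one of these two port types.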