WPS Technology for the Enterprise

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Enterprises can deploy WPS technology to simplify the process of providing Internet access to organization visitors. You can provide business partners and other visitors with promotion codes, which visitors use to gain Internet access through your Wi-Fi hotspots.

In the sections that follow, the components of WPS technology for the enterprise are described, how the components work together during a user sign-up is detailed, and how to deploy WPS technology for the enterprise is explained.

Components of WPS technology for the enterprise

This deployment scenario, designed for the enterprise that deploys Wi-Fi hotspots, has the following features:

• A VLAN-aware gateway device is used for client computer isolation during the account sign-up process.

• Users gain network access by using a promotion code. The codes are stored in a database on a server running SQL Server 2000 or a third-party database application.

• A perimeter network stands between wireless access points and the Enterprise LAN.

• On the perimeter network, an IAS proxy server forwards RADIUS messages between RADIUS clients (access points) and the IAS server on the Enterprise LAN. In addition, IPsec is deployed between the IAS proxy and IAS server to provide security for RADIUS traffic.

• The provisioning server on the perimeter network does not process user information or create accounts in the user account database. The provisioning server on the perimeter network maintains a custom XML-forwarding application that forwards XML files containing customer sign-up information to the account processing application on the account processing server. In addition, IPsec is deployed between the provisioning server and the account processing server on the enterprise LAN to provide security for traffic between the XML-forwarding application and the account processing application.

The account processing server is located on the enterprise LAN. The account processing server verifies promotion codes against the SQL Server database and creates accounts in the user accounts database for business partners or other visitors that have valid promotion codes and access to your Wi-Fi hotspots.

The following illustration depicts the components of an enterprise WISP network using a perimeter network and a VLAN-aware gateway device for client computer isolation.

Components of WPS technology for the enterprise

In the following sections are descriptions of the components of an enterprise WISP network, including components of the WLAN, the perimeter network, and the enterprise LAN.

Wi-Fi hotspot components

Following are the components that comprise the wireless local area network (WLAN), or Wi-Fi hotspot:

Wireless client

A computer running Windows XP Home Edition with SP2, Windows XP Professional with SP2, or Windows XP Tablet PC Edition with SP2. The computer must be equipped with a wireless network adapter that provides support for IEEE standard 802.11, IEEE standard 802.1X authentication, and Wired Equivalent Privacy (WEP). Support for Wi-Fi Protected Access (WPA) is preferred, but not required.

Wireless access point (RADIUS client)

One or more wireless access points deployed with a wired connection to the access controller, VLAN-aware switch or router, or other gateway device.

The wireless access point is configured as a RADIUS client to the Internet Authentication Service (IAS) proxy deployed on the perimeter network. The wireless access points used for WPS technology must have the following required features:

• Support for the use of VLANs.

• Support for the IEEE standard 802.1X authentication.

• Support for Wi-Fi Protected Access (WPA) is preferred.

• Support for RADIUS authentication and RADIUS accounting, including:

  • Support for the Class attribute as defined in RFC 2865, “Remote Authentication Dial-in User Service (RADIUS),” to allow session correlation for RADIUS authentication and accounting records. For session correlation, when you configure RADIUS accounting at your IAS server or proxy, you must log all accounting data that allow applications (such as billing applications) to query the database, correlate related fields, and return a cohesive view of each session in the query results. At a minimum, to provide session correlation, you must log the following IAS accounting data: NAS-IP-Address; NAS-Identifier (you need both NAS-IP-Address and NAS-Identifier because the access server can send either attribute); Class; Acct-Session-Id; Acct-Multi-Session-Id; Packet-Type; Acct-Status-Type; Acct-Interim-Interval; NAS-Port; and Event-Timestamp.

  • Support for accounting interim requests, which are sent periodically by some access servers during a user session, that can be logged. This type of request can be used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in the remote access profile on the IAS server. The access server, in this case a wireless access point, must support the use of accounting interim requests if you want the interim requests to be logged on the IAS server.

  • Support for IP address range filtering.

  • Support for dynamic RTO estimation or exponential backoff to handle congestion and delays in a wide area network (WAN) environment.

In addition, there are some filtering features that the access points must support to provide enhanced security for the network. These filtering options include:

• DHCP filtering. The access point must filter on IP ports to prevent the transmission of DHCP broadcast messages in the instance that the client is a DHCP server. The access point must block the client from sending IP packets from port 68 to the network.

• DNS filtering. The access point must filter on IP ports to prevent a client from performing as a DNS server. The access point must block the client from sending IP packets from port 53 to the network.

Perimeter network components

• Following are the components that comprise the perimeter network.

VLAN-aware gateway device

The VLAN-aware gateway device can be an access controller, a VLAN-aware router, a VLAN-aware switch, or any other device that can be configured to apply IAS-provided parameters to client connections. The VLAN-aware gateway device is configured with two VLANs: a Network Resource VLAN and an Internet VLAN.

The Network Resource VLAN allows all users access to the provisioning server and DHCP server. This VLAN grants access to network resources that allow users to connect to your network as guest, create an account, and receive provisioning information from the provisioning server.

The Internet VLAN provides access to the Internet. Only users who have promotion codes and have created accounts using the sign-up wizard are switched to this VLAN and granted Internet access. This process occurs when Windows XP reauthenticates the user with the newly created account information. When the user is authenticated and authorized by your IAS server, the IAS server returns attributes to the VLAN-aware wireless access point; the access point instructs the VLAN-aware gateway device to route traffic from the client to the Internet VLAN.

IAS proxy

The IAS proxy is running Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; or Windows Server 2003, Datacenter Edition with SP1, and is configured with the following components.

Internet Authentication Service

IAS is configured as a proxy to forward RADIUS messages between RADIUS clients, such as access points that are located on the wireless LAN, and the IAS server that is located on the Enterprise LAN.

IPsec

An Active Directory-based IPsec policy provides private, secure communications for RADIUS traffic between the IAS proxy and the IAS server.

Provisioning server

The enterprise provisioning server is configured with the following components.

HTTPS Web server

The Internet Information Services (IIS) or third-party Web server must be deployed with HTTPS.

XML master and subfiles

The enterprise provisioning server stores the XML master and subfiles that provide the client with all configuration information needed to access the network, create an account, and ultimately access the Internet. For more information about the XML master file and subfiles, see “XML schemas” in this paper.

XML-forwarding Web application

The XML-forwarding Web application is a custom program, application, or service that you create and install on your provisioning server. The XML-forwarding application is used to forward XML documents from client computers to the account processing server on the Enterprise LAN. The XML documents are created on client computers when users run the sign-up wizard and enter all required information, such as their name and promotion code. Windows XP packages the information as an XML document, and then sends the document to the provisioning server. The XML-forwarding application then forwards the document to the account processing server.

Server certificate

For server authentication to client computers, the provisioning server must maintain a valid certificate in its certificate store. The certificate must contain the Server Authentication purpose in Enhanced Key Usage (EKU) extensions and be issued by a public certification authority (CA), such as Verisign or Thawte, which is trusted by client computers. The trusted root certification authority certificate store on computers running Windows XP is installed by default with a multitude of certificates issued by public CAs. You must obtain your server certificate from one of the public CAs for which clients already have trust.

In test lab deployments of WPS technology, you can deploy your own certification authority in lieu of using a public trusted root CA. In this circumstance you must install the private trusted root CA certificate in the Trusted Root Certification Authorities certificate store on all clients. In addition, you must enroll certificates to your provisioning server and IAS server that meet the minimum server certificate requirements. For more information, see “Server Certificate Requirements” in this paper.

IPsec

An Active Directory-based IPsec policy provides private, secure communications for all traffic between the account processing server on the Enterprise LAN and the provisioning server on the perimeter network.

DHCP server

If you do not deploy network address translation (NAT), the DHCP server must be able to assign valid public IP addresses to computers accessing the network through the wireless access points. However, if you deploy NAT, you can assign IP addresses from a private IP address range to wireless client computers.

Router

A router connects the perimeter network and the Enterprise LAN.

Enterprise LAN components

Following are the components that comprise the Enterprise LAN.

Domain controller and IAS server

The enterprise domain controller and IAS server is running Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; or Windows Server 2003, Datacenter Edition with SP1, and is configured with the following components.

Active Directory

In this scenario, Active Directory is deployed. The user accounts database on the domain controller must be an Active Directory user accounts database or a database that uses Lightweight Directory Access Protocol (LDAP) and supports dynamic creation of user accounts.

When a user signs up for an account, the account processing Web application on the account processing server creates a new account in the user accounts database, and adds the user to a group that has clearly defined access privileges.

If you use an accounts database other than Active Directory, IAS extensions must be written and installed for this process to function correctly.

IP Security (IPsec) policy

In Active Directory, an IPsec policy for the domain includes the following:

• IPsec rule for IAS proxy and server. This rule protects RADIUS traffic between the IAS proxy on the perimeter network and the IAS server on the Enterprise LAN.

• IPsec rule for HTTPS Web servers. This rule protects all traffic between the provisioning server on the perimeter network and the account processing server on the Enterprise LAN.

Internet Authentication Service (IAS)

IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server, and is used to authenticate and authorize users connecting to your network. IAS is configured with remote access policies that allow guest authentication for non-domain member computers and users. It is also configured to provide attributes to RADIUS clients (access points) that instruct the gateway device to apply the attributes to client connections. Protected Extensible Authentication Protocol (PEAP) with MS-CHAP v2 is configured in remote access policies as the authentication method used by clients and server.

Extension DLL and URL PEAP-TLV

AN IAS extension DLL defining a URL PEAP-TLV provides IAS with the ability to send the location of the provisioning server to client computers.

PEAP-Type-Length-Value (PEAP-TLV) is an Extensible Authentication Protocol (EAP) authentication type that allows the IAS server to pass information to client computers attempting to connect to your network.

In this circumstance, the value contained in the PEAP-TLV is an HTTPS Uniform Resource Locator (URL) that provides client computers with the location of the WISP provisioning server. With this URL, Windows XP can download the WISP XML files to the client computer.

In addition to the URL of the provisioning server, the URL PEAP-TLV includes an action parameter. The action parameter directs the client to perform a specific task.  The action parameter included in the URL PEAP-TLV defines tasks such as new customer sign-up, existing account renewal, and password change.

For more information, see “How to create an IAS extension DLL and a URL PEAP-TLV” in this paper.

Server certificate

For server authentication to client computers, the enterprise IAS server must maintain a valid certificate in its certificate store. The certificate must contain the Server Authentication purpose in Enhanced Key Usage (EKU) extensions and be issued by a public certification authority (CA), such as Verisign or Thawte, that is trusted by client computers. The Trusted Root Certification Authorities certificate store on computers running Windows XP is installed by default with a multitude of certificates issued by public CAs. You must obtain your server certificate from one of the public CAs for which clients already have trust. If you install IAS and Active Directory on the same computer, the computer must have a certificate. If you install IAS and Active Directory on different computers, only the IAS server needs a certificate.

Account processing server

The account processing server is configured with the following components:

HTTPS Web server

The Internet Information Services (IIS) or third-party Web server must be deployed with HTTPS.

Account processing Web application

The account processing Web server is configured with an account processing Web application that processes data provided during user sign-up or account renewal. The Web application accepts and processes XML documents forwarded from the provisioning server on the perimeter network.

When a user completes the sign-up wizard on a client computer, the user enters data, such as name, organization affiliation, and promotion code, that is converted to an XML document on the client. Windows XP sends this XML document to the provisioning server on the perimeter network, which in turn forwards the XML document to the account processing application.

The account processing application must be capable of accepting and processing the XML documents containing the user data. For example, the account processing application must compare the promotion code entered by the user to a promotion code in the SQL Server database, and then dynamically create an account in the Active Directory user accounts database with the properties (domain and security group membership) described in the database.

IPsec

An Active Directory-based IPsec policy provides private, secure communications for all traffic between the account processing server on the Enterprise LAN and the provisioning server on the perimeter network.

SQL server

A computer running SQL Server 2000 or another SQL-compatible relational database application.

The promotion code database on the SQL server is configured with the following fields: promotion code, user name, domain name, security group, and expiration date. With the exception of the user name field, each field for each record is preconfigured with a value. The value for the user name field is assigned by the Web application when a user creates an account with a promotion code that matches a value in the promotion code field in the database. By predefining the domain in which the user account is created by the Web application and the Active Directory security group to which the user account is joined as a member, you can assign network access and other permissions for your users.

How WPS technology works for the enterprise

The following example describes how the components of a WPS network for the enterprise interact during the connection and account creation process for a new user.

New user connection example

When a new user connects and establishes an account, the following four basic stages occur:

1. The user discovers the network at a Wi-Fi hotspot

2. The user authenticates as guest

3. The client is provisioned and the user establishes an account

4. The user is authenticated using the new account credentials

In the next section we will look at these stages in more detail.

1.  The user discovers the network at a Wi-Fi hotspot

When a user arrives at the Wi-Fi hotspot with a portable computer running Windows XP Home Edition with SP2, Windows XP Tablet PC Edition with SP2, or Windows XP Professional with SP2, the computer comes within range of the access point beacon.

Wireless auto configuration on the client computer detects the beacon information from the access point, which is enabled with broadcast Secure Set Identifier (SSID). The SSID is equivalent to the network name.

The user is informed by Windows XP that a wireless network is available. In this example, the user is employed by a business partner of the enterprise, and is provided by the enterprise with a promotion code to use for account establishment. The user proceeds by clicking Connect.

2.  The user authenticates as guest

Wireless Auto Configuration uses 802.1X and PEAP guest authentication to connect to the enterprise perimeter network through the access point, automatically passing a null user name and a blank password to the IAS proxy, which forwards the message to the IAS server. The access point is connected to a VLAN-aware gateway device that allows traffic from the client to pass through the Network Resource VLAN, but blocks the client from access to the Internet VLAN.

The IAS server is the PEAP authenticator and TLS endpoint for users who connect as guest. The TLS tunnel is created between the client and the IAS server. All subsequent messages between client and server pass through this tunnel, which traverses the access point, the gateway device, and the IAS proxy.

Server authentication is performed when the IAS server verifies its identity to the client computer using a certificate that contains the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. This certificate is issued by a public trusted root CA that the client computer trusts.

The IAS server authenticates and authorizes the customer as guest. In the Access-Challenge message that the IAS server sends to the client is a URL PEAP-TLV message. The URL PEAP-TLV contains the URL of the provisioning server. This URL provides the client with the location of the XML master file.

The client computer receives an IP address lease from the DHCP server. The address is from a public IP address range configured in a scope on the DHCP server. In addition to the IP address, the client receives DHCP options, such as DNS server IP address.

3.  The client is provisioned and the user creates an account

The XML master file on the provisioning server contains pointers to the XML subfiles. The client downloads the XML master file and subfiles. When the XML sign-up schema is downloaded, the sign-up wizard is started on the client to allow the user to create an account.

Using the sign-up wizard on the client computer, the user steps through the process of signing up for an account. The customer enters the promotion code as well as personal data such as name, employer, and job title. The data entered by the user is converted into an XML document.

The XML document containing the user’s sign-up data is sent to the XML-forwarder Web application on the provisioning server.

The XML-forwarder Web application on the provisioning server sends the XML document to the account processing application on the account processing server.

The account processing application checks the promotion code entered by the user against the promotion code database on the SQL server. If the promotion code is valid, the account processing Web application continues processing the user’s data.

The account processing Web application reads the domain and security group information from the promotion code database on the SQL server. The account processing application creates a user account in Active Directory and adds the account to the security group. The application also enters the new user name in the promotion code database.

An XML document containing the new account credentials is sent from the account processing server to the XML-forwarder application on the provisioning server; the XML-forwarder application passes the XML document to the client computer. The client computer uses the credentials to configure wireless auto configuration and 802.1X under the name of the enterprise.

4.  The user is authenticated using the new account credentials

Wireless auto configuration restarts the association to the SSID for the enterprise WLAN.

Wireless auto configuration finds the correct 802.11 profile which was downloaded with the other network information. Wireless auto configuration re-associates with the access point using the correct profile.

802.1X restarts the authentication process using PEAP-MS-CHAP v2 and the new account credentials.

As the client starts the authentication process with PEAP-MS-CHAP v2 authentication, a TLS channel is created between the customer’s client computer and the enterprise IAS server.

In the second stage of PEAP-MS-CHAP v2 authentication, the IAS server authenticates and authorizes the connection request against the new account in the Active Directory user accounts database. The IAS server sends an Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify which VLAN the customer can access.

The access point instructs the gateway device to assign the client to the Internet VLAN rather than the Network Resource VLAN.

The gateway device switches the client to the Internet VLAN, and the customer is provided with access to the Internet.

How to deploy WPS technology for the enterprise

In the set of instructions that follow, these assumptions are made:

1. The computer functioning as your IAS server has Windows Server 2003 with SP1 installed, and the EnableWPSCompatibility registry key is enabled according to the instructions in “Configuring IAS for WPS technology” in this paper.

2. Client computers are running Windows XP Home Edition with SP2; Windows XP Tablet PC Edition with SP2; or Windows XP Professional with SP2.

3. All of your hardware, including the VLAN-aware gateway device and VLAN-aware wireless access points, meet all of the technical requirements stated in “Components of WPS technology for the enterprise” in this paper.

4. You have already deployed a computer running SQL Server 2000 or a third-party database program on your network. For information about SQL Server 2000, see SQL Server at https://go.microsoft.com/fwlink/?LinkId=20014.

5. You have SQL Server 2000 or third-party relational database development experience and you understand how to use SQL Server 2000 or a third-party database program to create, modify, administer, and manage your databases.

6. You have experience deploying an Internet Information Services (IIS) or third-party Web server with HTTPS.

7. You have software development experience that allows you to create two custom Web applications. One Web application runs on the provisioning server and forwards XML documents between the account processing application and client computers. Another Web application runs on the account processing server and processes user data and creates user accounts in Active Directory or an LDAP-compliant third-party user accounts database.

8. You have software development experience that allows you to create an IAS extension DLL.

To deploy WPS technology for the Enterprise, the basic steps are as follows:

1. Create your enterprise Web applications

2. Configure the enterprise domain controller and IAS server

3. Configure the enterprise account processing server

4. Configure the database on the enterprise SQL server

5. Install and configure the enterprise router

6. Configure the enterprise XML master file and subfiles

7. Configure the enterprise provisioning server

8. Configure the enterprise DHCP server

9. Install and configure your enterprise VLAN-aware gateway device

10. Install and configure your enterprise wireless access points

11. Install and configure the enterprise IAS proxy

12. Configure RADIUS clients at the enterprise IAS server

13. Configure the enterprise Windows XP-based client computer

14. Configure certificates in an enterprise test lab environment (optional)

Create your enterprise Web applications

The XML forwarding Web application to be installed on the provisioning server must be capable of performing the following functions:

• Communicating with client computers using HTTPS.

• Uploading the XML master file and subfiles that are stored on the provisioning server to client computers that request the files.

• Accepting XML documents from client computers that contain user data.

• Forwarding XML documents that contain user data to the account processing server.

The account processing Web application to be installed on the account processing server must be capable of performing the following functions:

• Accepting and processing XML documents from the provisioning server that contain user data, such as promotion code, user name, and other information.

• Reading the promotion code database records to validate promotion codes.

• Reading the promotion code database records to determine the domain in which to create a new user account.

• Reading the promotion code database records to determine the security group membership for a new user account.

• Writing a user name to the user name field in the promotion code database.

• Dynamically creating new accounts in Active Directory (or a third-party LDAP-compliant database) using data provided by users and parameters derived from the promotion code database.

It is recommended that the design of your Web application provides users with knowledge of their password-based credentials (user name and password). Users should either be allowed to designate user name and password or this information should be provided to them upon completion of the sign-up wizard. Following are some circumstances where users will need to know their password-based credentials:

• For a variety of reasons, user authentication might fail. For example, cached credentials might get corrupted or network connectivity issues might prevent wireless client computers from successfully authenticating.

• The user account expires and the user wants to renew their account. In this circumstance, IAS sends a URL PEAP-TLV to the wireless client that contains the renewal action parameter (#renewal) and the URL of the provisioning server. After the wireless client is directed to your account renewal application, the user must have their password-based credentials to renew their account.

If your users know their user name and password, they can attempt to connect to your network until they are successful. If they do not have this information, they cannot fix the problem without calling your help desk.

You can create your Web application with the Microsoft .NET Framework 1.1 or with other application development software. If you want to create your Web application with the .NET Framework 1.1, you need the Microsoft .NET Framework 1.1 Software Development Kit.

Microsoft .NET Framework 1.1 Software Development Kit

Microsoft .NET Framework 1.1 Software Development Kit (SDK) includes .NET Framework 1.1, as well as everything you need to write, build, test, and deploy applications using .NET Framework 1.1. This includes documentation, samples, command-line tools, and compilers.

If you have already installed Microsoft® Visual Studio® .NET, you do not need to install .NET Framework 1.1 SDK separately; Visual Studio .NET includes the SDK. If you want to distribute .NET Framework 1.1 with your application, download .NET Framework 1.1 Redistributable in addition to the SDK.

You can get .NET Framework 1.1 SDK from the Download Center at https://go.microsoft.com/fwlink/?LinkId=17161. You can run .NET Framework 1.1 SDK on the following platforms:

• Windows Server 2003

• Microsoft Windows 2000 (Service Pack 2 is recommended)

• Windows XP Professional or Windows XP Home Edition (Windows XP Professional is required to run ASP.NET)

Configure the enterprise domain controller and IAS server

Install Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; or Windows Server 2003, Datacenter Edition with SP1 on a computer that meets or exceeds the minimum hardware requirements for the respective operating system. After the operating system is installed, you can perform general configuration, Active Directory configuration, IPsec policy configuration, IAS configuration, and IAS extension DLL & URL PEAP-TLV configuration.

General configuration

1. Assign the server a static IP address. For more information, see “To configure TCP/IP for static addressing” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20015

2. Install a server certificate obtained from a public trusted root certification authority, such as a certificate from Verisign.

   For more information, see “Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication” at https://go.microsoft.com/fwlink/?LinkId=33675.

   When you obtain the certificate, it must conform to the minimum server certificate requirements described in this paper.

   For more information, see “Network access authentication and certificates” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20016.

Active Directory configuration

1. Install Active Directory and DNS. To install Active Directory, open Command Prompt, type dcpromo, and then follow the instructions provided in the wizard, entering your network configuration information in the wizard as you progress.

2. Design and create your security group or groups. When users sign up and create an account, your Web application adds the new user account as the member of a security group that you create in this step. The Web application chooses group membership based on the value of the security group field in the promotion code database on your SQL server, so you need to match the security group you create to the security group field in the SQL Server database. If you have the need for multiple security groups, you can assign permissions to each group individually. For more information, see “To create a new group” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20018 and “Assign user rights to a group in Active Directory” at https://go.microsoft.com/fwlink/?LinkId=20019.

   Important

   The security groups you create in Active Directory are named and used in the SQL Server database and in IAS remote access policy.

3. Enable the Guest account in Active Directory. If guest access is not enabled in Active Directory, new customers cannot access your provisioning server by authenticating as guest. To enable the Guest account, open the Active Directory Users and Computers snap-in, and then double-click Users. Right-click the account named Guest, and then click Enable Account.

To perform this procedure, you must be a member of the Domain Admins group in the domain for which you want to raise functionality or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

Raise the domain functional level to Windows 2000 native or Windows Server 2003 by doing the following:

1. Open the Active Directory Domains and Trusts snap-in. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.

3. In Select an available domain functional level, do one of the following:

   1. To raise the domain functional level to Windows 2000 native, click Windows 2000 native, and then click Raise.

   2. To raise domain functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.

The current domain functional level is displayed under Current domain functional level in the Raise Domain Functional Level dialog box.

For more information, see “Domain and forest functionality” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=30600.

For information about configuring Active Directory replication, see “Active Directory replication” in this paper.

IPsec policy configuration

One IP Security policy can contain rules that accomplish the following:

• Protect RADIUS traffic between the IAS proxy and the IAS server

• Protect all traffic between the provisioning server and the account processing server

To create an IP Security policy in Active Directory using the IP Security Policy Management snap-in, do the following:

1. Click Start, click Run, type MMC, and then click OK.

2. Click File, click Add/Remove Snap-in, and then click Add.

3. Click IP Security Policy Management, and then click Add.

4. Click the Active Directory domain of which this computer is a member. Click Finish, click Close, and then click OK.

5. To add a new policy, in the console tree, click IP Security Policies on Active Directory. On the Action menu, click Create IP Security Policy. The IP Security Policy Wizard is started. Click Next.

6. In IP Security Policy Name, type a name for your IPsec policy. Optionally, type a description for the policy. Click Next.

7. In Requests for Secure Communication, verify that Activate the default response rule is selected. Click Next.

8. In Default Response Rule Authentication Method, verify that Active Directory default (Kerberos V5 protocol) is selected. Click Next, and then click Finish.

   The PolicyName Properties dialog box opens, where PolicyName is the name you typed for your policy. For example, if you named your policy “WPS policy,” the dialog box that opens is named WPS policy Properties.

To create a rule with RADIUS traffic filters

1. In PolicyName Properties, click Add. The Create IP Security Rule Wizard is started. Click Next.

   Note

   The Create IP Security Rule Wizard is also referred to as the Security Rule Wizard.

2. In Tunnel Endpoint, verify that This rule does not specify a tunnel is selected. Click Next.

3. In Network Type, verify that All network connections is selected.

4. In IP Filter List, click Add. In Name, type RADIUS filters, and then click Add. The IP Filter Wizard is started. Click Next.

5. In IP Filter Description and Mirrored property, type RADIUS port 1812. Verify that Mirrored. Match packets with the exact opposite source and destination addresses is selected. Click Next.

6. In IP Traffic Source, verify that My IP Address is selected in Source address. Click Next.

7. In IP Traffic Destination, click Destination address, and then select A specific IP Address. In IP address, type the IP address of the IAS proxy server that is located on the perimeter network. Click Next.

8. In IP Protocol Type, click Select a protocol type, and then select UDP. Click Next.

9. In IP Protocol Port, for Set the IP protocol port, verify that From any port is selected. Select To this port, type 1812, click Next, and then click Finish. The IP Filter List dialog box is now visible.

10. In IP filter list, click Add. The IP Filter Wizard is started. Click Next.

11. In IP Filter Description and Mirrored property, type RADIUS port 1813. Verify that Mirrored. Match packets with the exact opposite source and destination addresses is selected. Click Next.

12. In IP Traffic Source, verify that My IP Address is selected in Source address. Click Next.

13. In IP Traffic Destination, click Destination address, and then select A specific IP Address. In IP address, type the IP address of the IAS proxy server that is located on the perimeter network. Click Next.

14. In IP Protocol Type, click Select a protocol type, and then select UDP. Click Next.

15. In IP Protocol Port, for Set the IP protocol port, verify that From any port is selected. Select To this port, type 1813, click Next, and then click Finish. To close the RADIUS filters IP Filter List, click OK. The Security Rule Wizard is still running and should now be visible. In IP Filter Lists, select RADIUS filters, and then click Next.

16. In Filter Action, click Require Security. Click Next.

17. In Authentication Method, verify that Active Directory default (Kerberos V5 protocol) is checked, and then click Next.

18. In Completing the IP Filter Wizard, verify that the Edit properties check box is cleared, and then click Finish. This returns you to the PolicyName Properties dialog box.

To create an IPsec rule for all traffic between the provisioning server and the account processing server

1. In PolicyName Properties, click Add. The Create IP Security Rule Wizard is started. Click Next.

2. In Tunnel Endpoint, verify that This rule does not specify a tunnel is selected. Click Next.

3. In Network Type, verify that All network connections is selected. Click Next.

4. In IP Filter List, click Add. In Name, type Provisioning server filters, and then click Add. The IP Filter Wizard is started. Click Next.

5. In IP Filter Description and Mirrored property, type a description for the filter. Verify that Mirrored. Match packets with the exact opposite source and destination addresses is selected. Click Next.

6. In IP Traffic Source, click Source address, and then select A specific IP Address. In IP Address, type the IP address of the provisioning server that is located on the perimeter network. Click Next.

7. In IP Traffic Destination, click Destination address, and then select A specific IP Address. In IP address, type the IP address of the account processing server that is located on the enterprise LAN. Click Next.

8. In IP Protocol Type, verify that the value of Select a protocol type is Any. Click Next.

9. In Completing the IP Filter Wizard, verify that the Edit properties check box is cleared, and then click Finish. This returns you to the IP Filter List dialog box. Click OK.

10. The Security Rule Wizard is still running and should now be visible. In IP Filter List, select Provisioning server filters, and then click Next.

11. In Filter Action, click Require Security. Click Next.

12. In Authentication Method, verify that Active Directory default (Kerberos V5 protocol) is selected, and then click Next.

13. In Completing the Security Rule Wizard, verify that the Edit properties dialog box is cleared, and then click Finish.

14. This returns you to the PolicyName Properties dialog box. Displayed in IP Security rules are two rules, RADIUS filters and Provisioning server filters. To close the PolicyName Properties dialog box, click OK.

IAS configuration

For IAS, the three configuration stages are general configuration, remote access policy configuration, and connection request policy configuration. RADIUS client configuration occurs later in the overall WPS deployment process.

General configuration

1. Install Internet Authentication Service.

   For more information, see “To install IAS” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20028.

2. Register IAS in Active Directory. In order for IAS to have permission to read user accounts in Active Directory, IAS must be registered in Active Directory.

   For more information, see “To enable the IAS server to read user accounts in Active Directory” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20030.

3. Delete the default remote access policies. To delete the policies, open the IAS console and click Remote Access Policies. Select each existing policy, right-click the policy, and then click Delete.

4. Install your RADIUS extension DLL on your IAS server:

   1. Open Command Prompt and change directories to the folder that contains your DLL.

   2. Type the following: regsvr32DLL_name.dll, where DLL_name.dll is the name of your DLL file.

   Make sure that you configure DLL registry keys according to your needs.

   For more information, see “How to Create an IAS Extension DLL and a URL PEAP-TLV” in this paper.

Remote access policy configuration

There are two remote access policies configured for WPS technology. The Guest access policy provides network parameters and rules for users connecting as a guest. The Valid Users access policy provides network parameters and rules for users who have valid enterprise accounts.

To configure the Guest access policy

1. Open the Internet Authentication Service console and, if necessary, double-click Internet Authentication Service.

2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

3. The New Remote Access Policy Wizard starts. For the Guest access policy, specify the following:

   1. For How do you want to set up this policy? verify that Use the wizard to set up a typical policy for a common scenario is selected.

   2. For Policy name, type Guest access (or type another name for your policy that you prefer).

   3. For Select the method of access for which you want to create a policy, click Wireless.

   4. For Grant access based on the following, click User.

   5. In Select the EAP type for this policy, select Protected EAP (PEAP), and then click Configure.

   6. In Certificate issued, select the certificate that you want the IAS server to use to verify its identity to client computers. Also select the Enable Fast Reconnect check box.

After you have completed creating the policy and have closed the wizard by clicking Finish, you need to perform additional policy configuration.

1. In the IAS console, click Remote Access Policies, and then double-click the policy you just created.

2. In the policy Properties dialog box, for Policy conditions, click Add.

3. In Attribute Types, click Day-And-Time-Restrictions, and then click Add. In Time of day restraints, select Permitted, configure the days and times that access is permitted, and then click OK.

4. In the policy Properties dialog box, click Grant remote access permission.

5. Click Edit Profile. On the Authentication tab, in Unauthenticated access, click Allow clients to connect without negotiating an authentication method.

To configure the Valid Users access policy

1. Open the Internet Authentication Service console and, if necessary, double-click Internet Authentication Service.

2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.

3. Use New Remote Access Policy Wizard to create a policy. For the Valid Users access policy, you can choose the following:

   1. For How do you want to set up this policy? verify that Use the wizard to set up a typical policy for a common scenario is selected.

   2. For Policy name, type Valid Users (or type another name for your policy that you prefer).

   3. For Select the method of access for which you want to create a policy, click Wireless.

   4. For Grant access based on the following, click Group, and then click Add. In Enter the object name to select, type the name of a security group that you defined when configuring Active Directory.

      Important

      The following three items must match: the name of the security group in Active Directory, the value of the security group field in the SQL server database, and the name of the security group configured in the Valid User access policy in IAS. The Web application uses the value of the SQL server database security group field to determine group membership for new accounts.

   5. In Select the EAP type for this policy, select Protected EAP (PEAP), and then click Configure.

   6. In Certificate issued, select the certificate that you want the IAS server to use to verify its identity to client computers. Also select the Enable Fast Reconnect check box.

After you have completed creating the policy and have closed the wizard by clicking Finish, you need to perform additional policy configuration.

1. In the IAS console, click Remote Access Policies, and then double-click the policy you just created.

2. In the policy Properties dialog box, for Policy conditions, click Add.

3. In Attribute Types, click Day-And-Time-Restrictions, and then click Add. In Time of day restraints, select Permitted, configure the days and times that access is permitted, and then click OK.

4. In the policy Properties dialog box, click Grant remote access permission.

5. Click Edit Profile, and then click the Advanced tab. By default, the Service-Type attribute appears in Attributes with a value of Framed. To specify additional connection attributes required for WPS technology with VLANs, click Add, and then add the following attributes:

   1. Framed-Protocol. Value: PPP

   2. Tunnel-Medium-Type. Value: 802 (Includes all 802 media plus Ethernet canonical format)

   3. Tunnel-Pvt-Group-ID. Value: Enter the integer that represents the VLAN number for the Internet VLAN. For example, if your access controller’s Internet VLAN is VLAN 4, type 4.

   4. Tunnel-Type. Value: Virtual LANs (VLAN)

   5. Tunnel-Tag. Value: Obtain this value from your hardware documentation

Connection request policy configuration

By default, there is one connection request policy predefined in the IAS console, called Use Windows authentication for all users. This policy can be used for WPS technology.

To configure connection request policy

1. In the IAS console, double-click Connection Request Processing, click Connection Request Policies, and then double-click the policy Use Windows authentication for all users.

2. Click Edit Profile. The Edit Profile dialog box opens.

3. On the Authentication tab, click Authenticate requests on this server, and then select the Protected EAP check box.

4. Click Configure Certificate, select the certificate you want IAS to use to verify its identity to client computers, and then click OK three times to close all dialog boxes and return to the IAS console.

Configure the enterprise account processing server

For the account processing server, if you are using Internet Information Services (IIS), do the following:

1. Install Internet Information Services and ASP.NET.

2. For more information, see “To install Internet Information Services (IIS) 6.0” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20033.

3. Verify that you have .NET Framework 1.1 installed by clicking Start on your Windows desktop, selecting Control Panel, and then double-clicking the Add or Remove Programs icon. When that window appears, scroll through the list of programs. If you see Microsoft .NET Framework 1.1 listed, the latest version is already installed and you do not need to install it again.

   1. If Microsoft .NET Framework 1.1 is already installed, register ASP.NET with Microsoft .NET Framework 1.1 by running the following command at Command Prompt:

      %WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe –I

   2. If Microsoft .NET Framework 1.1 is not installed, install it by using Microsoft Windows Update at https://go.microsoft.com/fwlink/?LinkId=284.

      For more information, see “How to Get the .NET Framework 1.1” at https://go.microsoft.com/fwlink/?LinkId=116211.

4. Create two folders in the Web server root location %systemroot%\Inetpub\wwwroot. You can use one folder to hold your custom Web application and one folder to hold the XML master and subfiles that you will be creating in later steps. For example, you can create a folder named wpsdeploy (%systemroot%\Inetpub\wwwroot\wpsdeploy) to contain your Web application, and you can create a folder named wpsfiles (%systemroot%\Inetpub\wwwroot\wpsfiles) to contain your XML files.

5. Install your Web application into the folder you created for the Web application files.

6. Set user permissions for the Web application. Open Windows Explorer and browse to the location where you installed your Web application. For example, if you named your folder wpsdeploy, browse to %systemroot%\Inetpub\wwwroot\wpsdeploy. Right-click the wpsdeploy folder, and then click Sharing and Security. On the Security tab, click Add. In Enter the object names to select, type Everyone, and then click OK. In Permissions for Everyone, enable Write permissions by selecting the Allow check box.

7. Enable HTTPS. You must configure IIS to use a certificate for secure Web communications between the account processing server and the provisioning server. To enable HTTPS you must install a server certificate obtained from a public trusted root certification authority, such as a certificate from Verisign or Thawte. When you obtain the certificate, it must conform to the minimum server certificate requirements described in this paper.

For more information, see “Network access authentication and certificates” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20016.

To enable Secure Sockets Layer (SSL) and HTTPS, complete the following procedures.

To obtain a new server certificate using the Web Server Certificate Wizard

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.

2. Right-click the Web site or file that you want, and then click Properties.

3. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.

4. In the Web Server Certificate Wizard, click Create a new certificate.

5. Complete the Web Server Certificate Wizard, which will guide you through the process of requesting a new server certificate.

To install a server certificate using the Web Server Certificate Wizard

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.

2. Right-click the Web site or file that you want, and then click Properties.

3. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.

4. In the Web Server Certificate Wizard, click Assign an existing certificate.

5. Complete the Web Server Certificate Wizard, which will guide you through the process of installing a server certificate.

Configure the database on the enterprise SQL server

On the computer running SQL Server 2000 or a third-party product with similar functionality, create a promotion code database with the following fields, using the appropriate data type for each field:

• Promotion code. This field contains promotion codes that you distribute publicly to potential customers. When customers sign up for an account, they provide the promotion code that is matched by the Web application to a value in this field in the database.

• User name. This field has no value assigned until a customer creates an account. At this time, the Web application assigns a value to this field.

• Domain name. This field contains the domain name where you want the Web application to create the user account when a customer signs up using the promotion code.

• Security group. The Web application joins the new user account to the security group defined in this field.

• Expiration date. If your promotion lasts for a specific period of time, you can enter the expiration date related to the promotion code in this field. If a user with a promotion code attempts to create an account after the expiration date for the promotion, they cannot do so.

Populate the database with records, providing values for all fields except user name, and enable the data link between your Web application and the SQL server. Also configure security and authentication on the SQL server so that your Web application has permission to access and write to the database. For more information, see SQL Server at https://go.microsoft.com/fwlink/?LinkId=20014.

Install and configure the enterprise router

The router must be capable of forwarding traffic between the enterprise LAN and the perimeter network.

Configure the enterprise XML master file and subfiles

There are two methods you can use to create and configure your XML master and subfiles:

• Use the WPS Authoring Tool to create a WPS project and publish your XML files. The WPS Authoring Tool has a graphical user interface and is designed to assist you in accurately producing and managing a collection of XML files for your WPS solution. For more information, see “Using the WPS Authoring Tool” at https://go.microsoft.com/fwlink/?LinkId=41067. Using the WPS Authoring Tool to create your XML data files is recommended.

• Use the XML schemas provided in this paper to create your files. Once you have created these files, you can enter information specific to your network and deployment parameters. For example, where the location of the provisioning server is required, you can provide an HTTPS URL. In another example, you might need to enter your domain name in several places; you can examine the schemas and example files and determine where to insert your domain name.

When your XML files are configured with the information for your organization, you can store them on your provisioning server and configure your Web application so that it can find the files when necessary. If you are using Internet Information Services as your Web server, you can install the files at the location %systemroot%\inetpub\wwwroot.

Configure the enterprise provisioning server

For the provisioning server, do the following:

1. Install Internet Information Services and ASP.NET.

2. For more information, see “To install Internet Information Services (IIS) 6.0” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20033.

3. Verify that you have .NET Framework 1.1 installed by clicking Start on your Windows desktop, selecting Control Panel, and then double-clicking the Add or Remove Programs icon. When that window appears, scroll through the list of programs. If you see Microsoft .NET Framework 1.1 listed, the latest version is already installed and you do not need to install it again.

   1. If Microsoft .NET Framework 1.1 is already installed, register ASP.NET with Microsoft .NET Framework 1.1 by running the following command at Command Prompt:

      %WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe –I

   2. If Microsoft .NET Framework 1.1 is not installed, install it by using Microsoft Windows Update at https://go.microsoft.com/fwlink/?LinkId=284.

      For more information, see “How to Get the .NET Framework 1.1” at https://go.microsoft.com/fwlink/?LinkId=30841.

4. Create two folders in the Web server root location %systemroot%\Inetpub\wwwroot. You can use one folder to hold your custom Web application and one folder to hold the XML master file and subfiles that you will be creating in later steps. For example, you can create a folder named wpsdeploy (%systemroot%\Inetpub\wwwroot\wpsdeploy) to contain your Web application, and you can create a folder named wpsfiles (%systemroot%\Inetpub\wwwroot\wpsfiles) to contain your XML files.

5. Install your Web application into the folder you created for the Web application files.

6. Set user permissions for the Web application. Open Windows Explorer and browse to the location where you installed your Web application. For example, if you named your folder wpsdeploy, browse to %systemroot%\Inetpub\wwwroot\wpsdeploy. Right-click the wpsdeploy folder, and then click Sharing and Security. On the Security tab, click Add. In Enter the object names to select, type Everyone, and then click OK. In Permissions for Everyone, enable Write permissions by selecting the Allow check box.

7. Enable HTTPS. You must configure IIS to use a certificate for secure Web communications between the provisioning server and clients. To enable HTTPS you must install a server certificate obtained from a public trusted root certification authority, such as a certificate from Verisign or Thawte. When you obtain the certificate, it must conform to the minimum server certificate requirements described in this paper.

For more information, see “Network access authentication and certificates” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20016.

To enable Secure Sockets Layer (SSL) and HTTPS, complete the following procedures.

To obtain a new server certificate using the Web Server Certificate Wizard

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.

2. Right-click the Web site or file that you want, and then click Properties.

3. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.

4. In the Web Server Certificate Wizard, click Create a new certificate.

5. Complete the Web Server Certificate Wizard, which will guide you through the process of creating a new server certificate.

To install a server certificate using the Web Server Certificate Wizard

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.

2. Right-click the Web site or file that you want, and then click Properties.

3. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.

4. In Web Server Certificate Wizard, click Assign an existing certificate.

5. Complete the Web Server Certificate Wizard, which will guide you through the process of installing a server certificate.

Configure the enterprise DHCP server

On a computer running Windows Server 2003:

1. Install DHCP.

   For more information, see “To install a DHCP server” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20034.

2. In the DHCP console, run New Scope Wizard twice. Create two VLAN scopes from which IP addresses will be leased to wireless clients connected to the VLANs. Each scope must define a different IP address range using either a private address range or a public IP address range. If you are using network address translation (NAT), you can use a private IP address range; otherwise, the IP addresses leased to wireless clients must be from a public IP address range.

   For more information, see “To create a new scope” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20123.

3. While running the New Scope Wizard, create an exclusion range for the IP addresses you will be assigning statically. For example, if you need to statically assign ten IP addresses from the address range 10.1.1.1 through 10.1.1.254, your exclusion range is defined as 10.1.1.1 through 10.1.1.10.

4. While running the New Scope Wizard, choose to assign scope options. On the Configure DHCP Options page, select Yes, I want to configure these options now. Scope options are applied only to leases of addresses from within the IP address range that the scope defines, which provides flexibility as your network grows. Define DNS server and Domain name options, as well as any other options that are appropriate for your network configuration.

5. While running the New Scope Wizard, activate the scope. The option to activate the scope while running the wizard is available only if you have chosen to configure DHCP options in the previous steps.

   For more information, see “To activate a scope” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20124.

6. Authorize the DHCP server in Active Directory.

   For more information, see “To authorize a DHCP server in Active Directory” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20125.

The DHCP server is now online and able to provide IP address leases to client computers. In some cases you might want to examine the types and durations of accounts you offer your users and adjust the DHCP lease duration accordingly. In most cases, when deploying WPS technology the default lease duration of eight days is too long and should be shortened considerably.

DHCP example

In this example, you are creating two VLANs and two scopes, one scope for each VLAN.

VLAN 2

VLAN 2 is the Network Resource VLAN that provides access to network resources (such as the IAS server and DHCP server) for wireless computers connecting as guest. VLAN 2 blocks access to the Internet, however. The DHCP scope for VLAN 2 is defined with the following example parameters:

• Address range: 192.168.1.1 through 192.168.1.254. This is a private IP address range. If you are using NAT, you can use this range on your network. If you are not using NAT, use a public IP address range. In addition, if your wireless deployment is large, select an IP address range that provides more IP addresses for lease to clients.

• Exclusion range: 192.168.1.1 through 192.168.1.10. By using this exclusion range, the available address pool for clients is 192.168.1.11 through 192.168.1.254. Ten IP addresses are excluded so that you can statically assign these addresses to computers and devices on your network. For example, the router IP address must be statically assigned on the router.

• DHCP scope option 003, Router: 192.168.1.1. The router IP address must be an address that falls within the exclusion range so that the DHCP server does not lease the router IP address to a wireless client computer, thereby creating an address conflict.

• DHCP scope option 006, DNS server: the IP address of the Active Directory and DNS server on the enterprise LAN

Note that DHCP scope option 003, Router, provides client computers with the IP address of their default gateway IP address. In this case, the default gateway for wireless clients is the VLAN-aware gateway device, whether it is an access controller, a VLAN-aware router, a VLAN-aware switch, or another compatible device. When you configure your VLAN-aware gateway device, you can specify the IP address that the device uses for each VLAN.

In this example, you must configure the VLAN-aware gateway device so that it uses the IP address 192.168.1.1 on VLAN 2.

For your WPS deployment you can configure additional DHCP options as needed. For example, if you are using a WINS server, you can configure your VLAN scopes with DHCP option 044, WINS/NBNS servers.

VLAN 4

VLAN 4 is the Internet VLAN that provides access to the Internet. Users who have successfully created an account are switched to this VLAN after completing the provisioning and sign-up process. The DHCP scope for VLAN 4 is defined with the following example parameters:

• Address range: 192.168.2.1 through 192.168.2.254

• Exclusion range: 192.168.2.1 through 192.168.2.10

• DHCP scope option 003, Router: 192.168.2.1. The router IP address must be an address that falls within the exclusion range so that the DHCP server does not lease the router IP address to a wireless client computer, thereby creating an address conflict.

• DHCP scope option 006, DNS server: the IP address of the Active Directory and DNS server on the Enterprise LAN

For VLAN 4 in this example, you must configure the VLAN-aware gateway device so that it uses the IP address 192.168.2.1 on VLAN 4.

Install and configure your enterprise VLAN-aware gateway device

Configure two VLANs on the gateway device: a Network Resource VLAN that provides access to the WISP LAN, and an Internet VLAN that provides access to the Internet.

The remote access policies you created in IAS determine which VLAN your customers can access:

• The Guest access policy places users on the Network Resource VLAN so that they can create and pay for a valid user account.

• The Valid Users access policy in IAS places customers on the Internet VLAN.

Each VLAN has a different IP address range. When configuring your DHCP server, you created a scope for each VLAN, and you defined DHCP scope option 003, Router. This is the IP address commonly referred to as the “default gateway.”

You must configure the VLAN-aware gateway device as the default gateway for each VLAN, using an IP address from the IP address range that you defined on your DHCP server.

Choosing the IP address for the default gateway for each VLAN

Your VLAN-aware gateway device is the default gateway for both VLANs and is configured with a different IP address for each VLAN.

Similarly, as described in “Configure the DHCP server” in this paper, configure the VLAN-aware gateway device so that it uses an IP address from the exclusion range 192.168.2.1 through 192.168.2.10 for VLAN 4. For example, you can configure the VLAN-aware gateway device so that it uses the IP address 192.168.2.1 on VLAN 4.

In some circumstances you might prefer to use your VLAN-aware gateway device as the DHCP server for each VLAN. If this is the case, you can define IP address ranges and exclusion ranges on the VLAN-aware gateway device rather than on a DHCP server.

See the product documentation for your VLAN-aware gateway device for information about configuring your hardware.

Install and configure your enterprise wireless access points

Configure the access points to use your RADIUS server, including configuration of the server IP address and the shared secret. Follow the directions in your access point documentation for other configuration settings, using the following guidelines:

• Authentication or RADIUS server: Specify your IAS server by IP address or FQDN, depending on the requirements of the AP.

• SSID: Specify a Secure Set Identifier (SSID), which is an alphanumeric string that serves as the network name. This name is broadcast by APs to wireless clients and is visible to users at your Wi-Fi hotspots.

• RADIUS settings: Use RADIUS authentication on User Datagram Protocol (UDP) port 1812 and use RADIUS accounting on UDP port 1813.

• Secret or shared secret: Use a strong shared secret and configure the IAS server with the same shared secret.

• EAP: Configure the AP to require EAP from wireless clients.

• 802.1X and WEP: Enable IEEE 802.1X authentication and WEP.

If your IAS server is running Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition, you can configure RADIUS clients by IP address range. This is a useful feature when you have a large number of access points to deploy; if you deploy your access points on the same subnet or VLAN within the same IP address range, configuration of RADIUS clients in IAS is simplified. Instead of individually configuring each access point as a RADIUS client in IAS, you can configure all access points at once using the IP address range of the subnet or VLAN upon which the APs reside. In this circumstance, use the same shared secret for all access points, and make sure that the shared secret is strong.

Install and configure the enterprise IAS proxy

For IAS proxy, the three configuration stages are general configuration, RADIUS client configuration, and connection request policy configuration.

General configuration

1. Install Internet Authentication Service.

   For more information, see “To install IAS” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20028.

2. Delete the default remote access policies. To delete the policies, open the IAS console, and then click Remote Access Policies. Select each existing policy, right-click the policy, and then click Delete.

RADIUS client configuration

In the IAS console, add the wireless access points as RADIUS clients. In addition, configure the shared secret used between the IAS proxy and the access points. For more information, see “To add RADIUS clients” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20031 and “To configure the Message Authenticator attribute and shared secret” at https://go.microsoft.com/fwlink/?LinkId=20032.

If your IAS server is a computer running Windows Server 2003, Enterprise Edition with SP1, or Windows Server 2003, Datacenter Edition with SP1, and if you have configured your wireless access points with IP addresses from the same IP address range, you can configure the access points as RADIUS clients using the IP address range rather than individually configuring each access point.

Connection request policy configuration

When you configure a remote RADIUS server group in the IAS console of the proxy server, you instruct the proxy server to forward messages to the IAS servers included in the remote RADIUS server group. To configure the IAS server on the Enterprise LAN as a member of a remote RADIUS server group, do the following:

1. In the IAS console, double-click Connection Request Processing. The folder expands to display Connection Request Policies and Remote RADIUS Server Groups. Right-click Remote RADIUS Server Groups, and then select New Remote RADIUS Server Group. New Remote RADIUS Server Group Wizard is started. Click Next.

2. In Group Configuration Method, click Custom. Type a value for Group Name. Click Next.

3. In Add Servers, click Add. In Add RADIUS Server, type the IP address of the IAS server on the enterprise LAN. To verify connectivity, click Verify.

4. Click the Authentication/Accounting tab. In Shared secret and Confirm shared secret, type the shared secret that you will also use on the IAS server. Click OK.

5. In Add Servers, click Next, and then click Finish.

6. The New Connection Request Policy Wizard is started. Click Next. In Policy Configuration Method, verify that the type of policy is set to A typical policy for a common scenario. In Policy Name, type the name for your connection request policy. Click Next.

7. In Request Authentication, select Forward connection requests to a remote RADIUS server for authentication. Click Next.

8. In Realm Name, type the realm name of the connection requests that will be forwarded. Also verify that the name of the remote RADIUS server group that you created is selected in Server group. Click Next, and then click Finish.

   For more information, see “Realm Names” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=34426.

9. In the IAS console, under Connection Request Processing, click Connection Request Policies. In the right pane of the IAS console, there are two connection request policies: the policy you just created, and the default connection request policy. The default connection request policy is named Use Windows authentication for all users. To delete the default policy, right-click Use Windows authentication for all users, and then click Delete. To confirm the deletion, click Yes.

Configure RADIUS clients at the enterprise IAS server

In the IAS console, add the IAS proxy server as a RADIUS client. In addition, configure the shared secret used between the IAS proxy and the IAS server.

For more information, see “To add RADIUS clients” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20031 and “To configure the Message Authenticator attribute and shared secret” at https://go.microsoft.com/fwlink/?LinkId=20032.

Configure the enterprise Windows XP-based client computer

On the computer running Windows XP Professional, Windows XP Tablet PC Edition, or Windows XP Home Edition, install SP2. The computer must have a wireless network adapter compatible with IEEE 802.11 and 802.1X.

Configure certificates in an enterprise test lab environment (optional)

If you are deploying WPS technology in a test lab, you can obtain server certificates from a public trusted root CA or you can deploy Certificate Services for Windows Server 2003 on your test network. To deploy Certificate Services and enroll certificates to domain member computers (such as the servers on your networks), do the following:

1. On a computer running Windows Server 2003, install Certificate Services.

   For more information, see “To install an enterprise root certification authority” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20035.

2. Add a server certificate template to the certification authority and configure the certification authority to allow computers to request a certificate that is based on the template you create.

   For WPS technology in a test lab environment, you must create a server certificate that will be trusted by client computers. The server certificate must meet the requirements stated in this paper. In addition, you must base your certificate on the correct certificate template for the operating system you are running. If you are running an enterprise certification authority (CA) on a computer running Windows Server 2003, Standard Edition, and your IAS server is a domain member, base your certificate on the Computer certificate template. If you are running an enterprise certification authority (CA) on a computer running Windows Server 2003, Enterprise Edition, and your IAS server is a domain member, base your certificate on the RAS and IAS Server certificate template.

   For more information, see “To create a certificate template” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20036.

3. Autoenroll certificates to domain member computers. Autoenrollment allows domain member computers to automatically obtain, or enroll, certificates. For WPS technology, autoenroll certificates to servers using the certificate template you created in the previous step.

   For more information, see “Planning for autoenrollment deployment” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20037 and “Checklist: Configuring certificate autoenrollment” at https://go.microsoft.com/fwlink/?LinkId=20038.

4. Install the enterprise CA certificate in the Trusted Root Certification Authority certificate store on client computers being used for testing purposes. You can request the enterprise root CA certificate by using Web enrollment services, which is installed with Certificate Services, or you can export the server certificate to a floppy disk, and then import the certificate into the Trusted Root Certification Authority certificate store on the client.

   For more information, see “To export a certificate” in Help and Support Center for Windows Server 2003 or on the Web at https://go.microsoft.com/fwlink/?LinkId=20039 and “To import a certificate” at https://go.microsoft.com/fwlink/?LinkId=20040.