Step Secure Wireless Acc

Chia sẻ: Nguyen Quang Quoc Vu | Ngày: | Loại File: DOC | Số trang:62

0
76
lượt xem
27
download

Step Secure Wireless Acc

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

This guide describes how to configure secure wireless access using IEEE 802.1X authentication using Protected Extensible Authentication Protocol with Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in a test lab using a wireless access point (AP) and four computers.

Chủ đề:
Lưu

Nội dung Text: Step Secure Wireless Acc

  1. Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab Microsoft Corporation Published: April, 2005 Author: Microsoft Corporation Abstract This guide describes how to configure secure wireless access using IEEE 802.1X authentication using Protected Extensible Authentication Protocol with Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in a test lab using a wireless access point (AP) and four computers. Of the four computers, one is a wireless client; one is a domain controller that is also a certification authority (CA), Dynamic Host Configuration Protocol (DHCP) server, and Domain Name System (DNS) server; one is a Web and file server; and one is an Internet Authentication Service (IAS) server that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.
  2. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2005 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
  3. Contents Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab........................1 Abstract.......................................................................................................................1 Contents.............................................................................................................................4 Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab........................5 PEAP-MS-CHAP v2 Authentication................................................................................5 Before You Begin.....................................................................................................6 DC1.............................................................................................................................7 IAS1...........................................................................................................................28 IIS1............................................................................................................................38 Wireless AP...............................................................................................................39 CLIENT1....................................................................................................................40 EAP-TLS Authentication...............................................................................................45 DC1...........................................................................................................................45 IAS1...........................................................................................................................53 CLIENT1....................................................................................................................58 Summary......................................................................................................................61 See Also........................................................................................................................61
  4. 5 Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab This guide provides detailed information about how you can use four computers and a wireless access point (AP) to create a test lab with which to configure and test secure wireless access with the Microsoft® Windows® XP Professional with Service Pack 2 (SP2) and the 32-bit versions of the Windows Server™ 2003 with Service Pack 1 (SP1) operating systems. The instructions in this guide are designed to take you step-by-step through the configuration required for Protected Extensible Authentication Protocol with Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) authentication, then through the steps required for EAP-TLS authentication. Note: The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. For more information about deploying secure wireless, see the Microsoft Wi-Fi Web site. PEAP-MS-CHAP v2 Authentication The infrastructure for the wireless test lab network consists of four computers performing the following roles: • A computer running Microsoft Windows Server 2003 with Service Pack 1 (SP1), Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA). • A computer running Microsoft Windows Server 2003 with SP1, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-In User Service (RADIUS) server. • A computer running Windows Server 2003 with SP1, Standard Edition, named IIS1 that is acting as a Web and file server. • A computer running Windows XP Professional with SP2 named CLIENT1 that is acting as a wireless client.
  5. 6 Before You Begin Installing the Windows Server 2003 with SP1 operating system on each of the servers in this test lab also installs Windows Firewall, which is turned off by default. After the IAS and IIS servers are configured, you will turn on and configure Windows Firewall exceptions allowing for communication between the computers on the network. On the domain controller, Windows Firewall should stay off. On each of the client computers, Windows Firewall is turned on automatically when you install Windows XP Professional with SP2. Windows Firewall will remain turned on for each of the client computers. Additionally, make sure there is a wireless AP that provides connectivity to the Ethernet intranet network segment for the wireless client. The firewall for the wireless AP is controlled by the manufacturer's software. For this test lab, do not turn on the firewall on the wireless AP. Important: Before configuring the test lab, make sure that you have downloaded the most recent drivers for the wireless adapter on CLIENT1 to ensure that the adapter performs correctly while running under Windows XP Professional with SP2. The following figure shows the configuration of the wireless test lab. The wireless test lab represents a network segment on a corporate intranet. All computers on the corporate intranet, including the wireless AP, are connected to a
  6. 7 common hub or Layer 2 switch. Private addresses of 172.16.0.0/24 are used on the intranet network segment. IIS1 and CLIENT1 obtain their IP address configuration using DHCP. The following sections describe how to configure each of the test lab components. To create this test lab, configure the computers in the order presented. DC1 DC1 is a computer running Windows Server 2003 with SP1, Enterprise Edition, that is performing the following roles: • A domain controller for the example.com domain • A DNS server for the example.com DNS domain • A DHCP server for the intranet network segment • The enterprise root CA for the example.com domain Note: Windows Server 2003 with SP1, Enterprise Edition, is used so that autoenrollment of user and workstation certificates for EAP-TLS authentication can be configured. This is described in the "EAP-TLS Authentication" section of this guide. Certificate autoenrollment and autorenewal make it easier to deploy certificates and improve security by automatically expiring and renewing certificates. To configure DC1 for these services, perform the following steps. Perform basic installation and configuration 1. Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone server. 2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0. Configure the computer as a domain controller 1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo.exe, and then click OK. 2. In the Welcome to the Active Directory Installation Wizard dialog box, click Next.
  7. 8 3. In the Operating System Compatibility dialog box, click Next. 4. Verify that Domain controller for a new domain option is selected, and then click Next. 5. Verify that Domain in a new forest is selected, and then click Next. 6. Verify that No, just install and configure DNS on this computer is selected, and then click Next. 7. On the New Domain Name page, type example.com, and then click Next. 8. On the NetBIOS Domain Name, confirm that the Domain NetBIOS name is EXAMPLE, and then click Next. 9. Accept the default Database and Log Folders directories as shown in the following figure, and then click Next. 10. In the Shared System Volume dialog box, as shown in the following figure, verify that the default folder location is correct. Click Next.
  8. 9 11. On the Permissions page, verify that the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems check box is selected, as shown in the following figure. Click Next.
  9. 10 12. On the Directory Services Restore Mode Administration Password page, leave the password boxes blank, and then click Next. 13. Review the information on the Summary page, and then click Next.
  10. 11 14. On the Completing the Active Directory Installation Wizard page, click Finish. 15. When prompted to restart the computer, click Restart Now. Raise the domain functional level 1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder, and then right-click the domain computer dc1.example.com. 2. Click Raise Domain Functional Level, and then select Windows Server 2003 on the Raise Domain Functional Level page. This is shown in the following figure.
  11. 12 3. Click Raise, click OK, and then click OK again. Install and configure DHCP 1. Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services component by using Add or Remove Programs in Control Panel. 2. Open the DHCP snap-in from the Administrative Tools folder, and then highlight the DHCP server, dc1.example.com. 3. Click Action, and then click Authorize to authorize the DHCP service. 4. In the console tree, right-click dc1.example.com, and then click New Scope. 5. On the Welcome page of the New Scope Wizard, click Next. 6. On the Scope Name page, type CorpNet in Name. This is shown in the following figure.
  12. 13 7. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, type 172.16.0.100 in End IP address, and type 24 in Length. This is shown in the following figure.
  13. 14 8. Click Next. On the Add Exclusions page, click Next. 9. On the Lease Duration page, click Next. 10. On the Configure DHCP Options page, click Yes, I want to configure these options now. This is shown in the following figure.
  14. 15 11. Click Next. On the Router (Default Gateway) page, click Next. 12. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the following figure.
  15. 16 13. Click Next. On the WINS Servers page, click Next. 14. On the Activate Scope page, click Yes, I want to activate this scope now. This is shown in the following figure.
  16. 17 15. Click Next. On the Completing the New Scope Wizard page, click Finish. Install Certificate Services 1. In Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components. 2. In the Windows Components Wizard page, select Certificate Services, and then click Next. 3. On the CA Type page, select Enterprise root CA. This is shown in the following figure.
  17. 18 4. Click Next. Type Example CA in the Common name for this CA box, and then click Next. Accept the defaults on the Certificate Database Settings page. This is shown in the following figure.
  18. 19 5. Click Next. Upon completion of the installation, click Finish. 6. Click OK after reading the warning about installing IIS. Verify Administrator permissions for certificates 1. Click Start, click Administrative Tools, and then click Certification Authority. 2. Right-click Example CA, and then click Properties. 3. On the Security tab, click Administrators in the Group or user names list. 4. In the Permissions for Administrators list, verify that the following options have been set to Allow: Issue and Manage Certificates, Manage CA, Request Certificates. If any of these are set to Deny or are not selected, set the permission to Allow, as shown in the following example.
  19. 20 5. Click OK to close the Example CA Properties dialog box, and then close Certification Authority. Add computers to the domain 1. Open the Active Directory Users and Computers snap-in. 2. In the console tree, expand example.com. 3. Right-click Users, click New, and then click Computer. 4. In the New Object – Computer dialog box, type IAS1 in Computer name. This is shown in the following figure.
Đồng bộ tài khoản