Wireless Networks thread: RADIUS and IAS (in Technical)
  1. #16

    Ric_'s Avatar

    Re: RADIUS and IAS

    Surely a quick example on http://www.russdev.com/edugeek/doku.php?id=wifisetup isn't too much to ask for

  2. #17


    Re: RADIUS and IAS

    Ric_

    That is exactly what I would like to see. Some examples of what admins have already configured and set up and the methods in which they went about it. Possible pitfalls to avoid as problems arose from issues undocumented (how often does this happen?), and things like that.

    I am not the greatest technician in the world as I am more or less a newb, but would like to get better and more experienced, learning from other people's experiences as much as possible.

  3. #18
    Richie1972's Avatar

    Re: RADIUS and IAS

    I could be missing something here, but surely if you just use WEP encryption and ensure that only the IT techs have the WEP key, then they are the only people who can join a PC/laptop to the wireless network.
    If a pupil/staff member brings in their own laptop, then without the WEP key (and without the rights to join a computer to the domain) the laptop can't connect to your network.

  4. #19

    GrumbleDook's Avatar

    Re: RADIUS and IAS

    Apart from the fact that there are a number of sniffers out there (one has been mentioned in a previous thread) that can get the WEP key in around 1 1/2 hours ... and then other software that can sniff traffic and can get permissions to join a domain in around 8-12 hours.

    Each level of security is an additional deterrent ... the same way that locks on your windows, burglar alarms, padlocks and chains, etc. are a deterrent.

    A determined person will get in ...

    Already mentioned is ACLs ... only allowing certain MAC addresses to have access to your WLAN. This is another level of security but you have to remember that your MAC address can be spoofed with reasonable ease.

    We have to remember that there are certain companies and public organisations out there that, for the number of wireless devices you may come across in schools now, actually have a person in their Network team dedicated to looking after the wireless side of things.

    For a number of years the NSA documents were standards in securing Windows networks (especially in a multi-platform environment) but even they went externally to sort out wireless security (2003, Certicom gain contract for writing advanced encryption technology. A certain chunk of this is now developed in house by NSA at the moment but still also written by several other groups, including 2 British companies).

  5. #20

    Ric_'s Avatar

    Re: RADIUS and IAS

    @Richie_OLSJ: As Grumbledook says, there are sniffers out there that can easily crack a WEP key with NO technical knowledge. Grumbledook mentions 1 1/2 hours but it can be done much quicker if you do it in a more brutal fashion.

    Intel has some documentation at http://www.intel.com/cd/ids/develope...700.htm?page=1 that may be of interest to people.

  6. #21



    Re: RADIUS and IAS

    BECTA say WPA2 and RADIUS for wireless

  7. #22

    Geoff's Avatar

    Re: RADIUS and IAS

    Good luck with WPA2. Given that Windows doesn't support it. (Linux does though!).

  8. #23



    Re: RADIUS and IAS

    ?
    SUMMARY
    This article describes the Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update. A link to download this update is included. You can install this update on a computer that is running Windows XP with Service Pack 2. The update supports the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. Additionally, after you install the update, Windows XP will display previously hidden Service Set Identifiers (SSIDs) in the Choose A Wireless Network dialog box. This functionality makes it easier for you to connect to public Wi-Fi networks to which you have not previously connected.
    http://support.microsoft.com/?id=893357

  9. #24

    Geoff's Avatar

    Re: RADIUS and IAS

    Ah, yes, now go try and make it work.

  10. #25


    Re: RADIUS and IAS

    We have set up a mini test network for this and have managed to get the WPA access using RADIUS (Windows 2003 IAS). I got my colleague writing the step by step instructions for this at the moment. I will post it here when he's completed it.

    The guide is intended for setting up a wireless network where clients authenticate using RADIUS. The two things we tested were using the username and password authentication i.e. PEAP and the other was certificates and both worked.

    It is recommended to do both user and machine authentication to restrict user access and also computer authentication so GPO and startup scripts run during the bootup.

    Few things that are required:

    - 802.1x supplicant support on the client: Windows XP SP1 and over has this already; Windows 2000 Pro - you can download a hotfix which enables this functionality; Linux, Mac - don't know, never used it

    - Access points which support 802.1x ideally with WPA/TKIP or AES

    - RADIUS server (Windows server ships with IAS)

    - Certificate Authority (this can be on the same machine as the RADIUS server)

    - Some time to test the damn thing

    HTH,


    Ash.

  11. #26

    Ric_'s Avatar

    Re: RADIUS and IAS

    @Ashok: There's also the WPA2 supplement available for download from MS to enhance your security - this is what I will be using with my Bluesocket setup.

  12. #27


    Re: RADIUS and IAS

    @ashok,

    How far off is that guide mate? I have to implement some wireless stuff and am also looking at what you have already set up.

    I could do with the help that your guide will bring me

  13. #28


    Re: RADIUS and IAS

    @Hodgehi,

    My colleague is still working on the guide at the moment, he's completed the PEAP setup on the client and server, he's documenting the certificate authentication at the moment.

    The reason why we decided to document both is that the PEAP method is easily the more flexible when it comes to deploying wireless but certificate based is more secure.

    You may want to start off with using PEAP. I personally think it's secure enough for schools.

    I will post the guide here when he's completed it.

    Ash.

  14. #29


    Re: RADIUS and IAS

    OK thanks. Sorry if I sounded a little pushy.

  15. #30
    sahmeepee's Avatar

    Re: RADIUS and IAS

    We got this working properly at our place this week. Having never touched the certificate authority stuff in anger before it took a lot longer than it should, 90% of which was head-scratching time. I am in the middle of writing this up and I'll wikify it as soon as humanly possible.

    Our setup:
    WS2003 on a DC with IAS and Certificate Authority & a standalone Root Certificate Authority (CA) set up
    XPSP2 on the laptops
    Linksys WRT54GL with DD-WRT v23 SP1 firmware (I can't express how good these are for under £40 each)

    We are using PEAP - the clients trust the server because of its secure certificate; the server trusts the clients because they are domain members (MSCHAPv2 auth). As mentioned earlier, you can limit which computers are allowed in by putting the allowed PCs into a security group.

    We push out our Root CA's certificate to the laptops via group policy (connected over a wire) so when they connect they trust the server certificate we push out straight away.

    Some comments on the rest of this thread:

    "It is recommended to do both user and machine authentication to restrict user access and also computer authentication so GPO and startup scripts run during the bootup."
    If you need to authenticate users as well then yes, but I'm assuming that anyone logging on to one of our laptops with a domain account should be allowed access. If a laptop gets nicked, I'll take it off the domain. The problem with doing the dual authentication is the timing:

    1. It logs on as a computer at first
    2. Applies computer GPOs
    3. The user logs in
    4. It starts applying user GPOs AND it disconnects and tries to reauthenticate as the user at roughly the same time!

    I've read a few posts suggesting that this makes a balls up of GPO application. Long story short: if you don't need user auth as well, set the policy to computer auth only.

    "BECTA say WPA2 and RADIUS for wireless"
    Then they aren't recommending Windows Server 2003 SP1. You can set all this stuff up using WS2003 SP1, but the one thing you can't do is tell the clients to use WPA2 via your wireless group policy - WPA is the best you can do until SP2. There may be a reghack for this: I might phone BECTA to ask. WPA is "secure enough" for now though, and when WPA2 is added to Group Policy it's just a quick policy change to deploy it, assuming your router allows WPA and WPA2 at the same time.

    EDIT: sorry for the long post!
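
The PEAP trust model described in the post above (clients trust the RADIUS server only through its certificate and the pushed root CA) can be checked on the client side. The following is an added example, not code from any poster in this thread: it goes beyond the XP clients discussed here and audits Linux `wpa_supplicant` network blocks for the weaknesses the thread raises. The SSIDs, certificate path and server name are constructed placeholders.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, path and domain are placeholders.
SAMPLE_CONF = '''
network={
    ssid="school-legacy"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="school-peap-unpinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="school-peap"
    key_mgmt=WPA-EAP
    pairwise=TKIP
    eap=PEAP
    ca_cert="/etc/ssl/certs/school-root-ca.pem"
    domain_suffix_match="radius.school.example"
}
'''

def parse_networks(text):
    # One dict of key -> value (quotes stripped) per network={...} block.
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    # Flag the weaknesses raised in the thread for one network block.
    findings = []
    if net.get("key_mgmt") == "NONE" and any(k.startswith("wep_key") for k in net):
        findings.append("WEP: static shared key")
    if net.get("key_mgmt") == "WPA-EAP" and "PEAP" in net.get("eap", ""):
        if "ca_cert" not in net:
            findings.append("PEAP: no ca_cert, server certificate not validated")
        if "domain_suffix_match" not in net and "subject_match" not in net:
            findings.append("PEAP: RADIUS server name not pinned")
    if "TKIP" in net.get("pairwise", ""):
        findings.append("WPA/TKIP: switch to WPA2/CCMP once clients support it")
    return findings

def audit_conf(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `audit_conf(SAMPLE_CONF)` returns a dict of SSID to findings; an empty list means the block validates the server certificate and name and does not rely on WEP or TKIP.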
