How to support wireless connections in a Windows 2000 domain

Article translations Article translations
Article ID: 318710 - View products that this article applies to.
This article was previously published under Q318710
Expand all | Collapse all

On This Page

SUMMARY

This step-by-step article describes how to configure a Windows 2000 domain to support Microsoft Windows XP Professional-based client computers that are using IEEE 802.11 access with IEEE 802.1x authentication in a wireless network.

Requirements

To deploy Windows XP Professional clients that are using Extensible Authentication Protocol-Transport Level Security (EAP-TLS), you must configure the following items:
  • Windows XP Professional client computers that are using wireless network adapters.
  • A server that is running Windows 2000 Internet Authentication Service (IAS) for Remote Authentication Dial-In User Service (RADIUS) authentication.
  • Wireless Access Points (WAP) that support IEEE 802.1x authentication.
Additionally, you must install the following components in the Windows 2000 domain:
  • Windows 2000 Service Pack 2 (SP2). For additional information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
    260910 How to obtain the latest Windows 2000 service pack
  • An update for Windows 2000 IAS. For additional information about how to obtain this update, click the following article number to view the article in the Microsoft Knowledge Base:
    304697 Some wireless values for the RADIUS attributes are not available
  • An update for Active Directory that allows computer accounts to have dial-in properties. For additional information about how to obtain this update, click the following article number to view the article in the Microsoft Knowledge Base:
    306260 Cannot modify dial-in permissions for computers that use wireless networking

How to configure a certificate server

For a wireless client computer to be authenticated by using EAP-TLS, you must install a computer certificate on the client computer and on the IAS server. The computer certificate on the wireless client computer is used to obtain network connectivity with the domain. After a network connection is established and the user logs on, a user certificate is used to authenticate wireless access.

NOTE: You must also install a computer certificate on the IAS server so that the IAS server has a certificate to send to the wireless client computer for mutual authentication during the EAP-TLS authentication process.

In a simple implementation, configure a single enterprise root Certificate Authority (CA) to issue both the computer and the user certificates. If you install the computer or the user certificate on the wireless client computer, the root CA certificate for the issuing CA is also installed.

When you install the computer certificate on the IAS server, the root CA certificate for the issuing CA is also installed. Both the wireless client and the IAS server have the certificates that are required to perform EAP-TLS authentication.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
231881 How to install/uninstall a Public Key Certificate Authority for Windows 2000
313234 How to change the policy settings for a Certification Authority (CA) in Windows 2000
For additional information about how to automatically allocate a certificate to each computer in a domain, follow these steps:
  1. Click Start, and then click Help.
  2. Click the Search tab, type the following text, and then click List Topics:
    configure automatic certificate allocation from an enterprise ca
  3. In the Select topic list, click Configure automatic certificate allocation from an enterprise CA, and then click Display.

How to configure Active Directory accounts and groups for wireless access

To configure Active Directory to support wireless access:
  1. Create an account for each user.
  2. Create an account for each wireless computer.
  3. Grant the Remote access permission to each computer account.
  4. Grant the Remote access permission to each user account.
  5. Organize user and group accounts into universal and global groups to apply group-based remote access policy settings.
For additional information about how to support wireless connections in a Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:
318750 Configure Active Directory accounts and groups for wireless access in Windows 2000

How to configure primary and secondary IAS servers

  1. Install and configure a primary IAS server and a secondary IAS server on Windows 2000 domain controllers. For additional information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    317588 How to configure a primary Internet Authentication Service server on a domain controller
    317589 How to configure a secondary Internet Authentication Service server on a domain controller
  2. Add the WAP as Network Address Server (NAS) clients to the IAS servers.
  3. Create a remote access policy setting for wireless access to the internal network. To do so:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Right-click Remote Access Policies, and then click New Remote Access Policy.
    3. In the Policy friendly name box, type the name that you want to use, and then click Next.

      For example, type Wireless access to internal network.
    4. Click Add, click Windows-Groups, click Add, and then click Add.
    5. Click the group to which you want to apply the remote access policy setting, click Add, click OK, and then click OK.

      Windows-Groups matches "domain_name\group_name" is listed in the Conditions box.
    6. Click Add, click NAS-Port-Type, and then click Add.
    7. Under Available types, click Wireless-Other or Wireless-IEEE 802.11 (depending on the type of WAP that you have), click Add, and then click OK. (If you cannot configure the NAS-Port-Type and clients are denied access, look in the system event log for IAS errors and verify that the NAS-Port-Type in the error message matches the type that is set in your policy.)
    8. Click Next, click Grant remote access permission, and then click Next.
    9. Click Edit Profile, and then click the Authentication tab.
    10. Click to select the Extensible Authentication Protocol check box, and then click to clear all of the other check boxes.
    11. In the Select the EAP which is acceptable for this policy list, click Smart Card or other Certificate.

      NOTE: If you have multiple certificates installed on the IAS server, click Configure, and then click the appropriate computer certificate.
    12. Click Apply, and then click the Encryption tab.
    13. Click to clear all check boxes except for the Strongest check box.

      NOTE: If the WAP does not support encryption, click to clear all check boxes, and then click to select the No Encryption check box.
    14. Click OK, click No if you are prompted to view the remote access Help topic, and then click Finish.
  4. Create a remote access policy setting for wireless access to the Internet. To do so:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Right-click Remote Access Policies, and then click New Remote Access Policy.
    3. In the Policy friendly name box, type the name that you want to use, and then click Next.

      For example, type Wireless access to the Internet.
    4. Click Add, click Windows-Groups, click Add, and then click Add.
    5. Click the group to which you want to apply the remote access policy setting, click Add, click OK, and then click OK.

      Windows-Groups matches "domain_name\group_name" is listed in the Conditions box.
    6. Click Add, click NAS-Port-Type, and then click Add.
    7. Under Available types, click Wireless-Other or Wireless-IEEE 802.11 (depending on the type of WAP that you have), click Add, and then click OK.
    8. Click Next, click Grant remote access permission, and then click Next.
    9. If the WAP supports virtual local area networks (VLANs):
      1. Click Edit Profile, and then click the Advanced tab.
      2. Click Add, click Tunnel-Type, click Add, and then click Add.
      3. In the Attribute value list, click Virtual LANs (VLAN), click OK, and then click OK.
      4. In the RADIUS attributes list, click Tunnel-Pvt-Group-ID, click Add, and then click Add.
      5. In the Enter the attribute value in box, type the attribute value of the VLAN that is connected to the Internet.
      6. Click OK, click OK, click Close, and then click OK.
    10. Click Finish.
  5. Delete the default remote access policy setting named Allow access if dial-in permission is enabled, if it is listed.

    To do so, right-click the policy setting, and then click Delete. Click Yes when you are prompted to confirm the deletion.
  6. Copy the remote access policy settings to the other IAS server.
For additional information about how to create a remote access policy setting, click the following article number to view the article in the Microsoft Knowledge Base:
313082 How to enforce a remote access security policy in Windows 2000

How to configure RADIUS accounting and authentication on Wireless Access Points

Configure the WAP to use the IAS servers for RADIUS accounting and authentication. On each WAP, enter the following information for the primary IAS server and the secondary IAS server:
  • The Internet Protocol (IP) address or host name.
  • The shared secret.
  • The User Datagram Protocol (UDP) ports that are used for authentication and accounting.
For additional information about how to configure the WAP, consult the WAP documentation. For information about how to contact computer hardware manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

How to install computer and user certificates on wireless client computers

Install the computer and client certificates on the wireless client computers. If you configured the domain to automatically allocate certificates to computers that are connected to the domain, you can connect the client computer to the domain by using a wired connection. A computer certificate is automatically issued.

For user authentication with EAP-TLS, configure either user certificates or smart card authentication.
  • For smart card authentication, configure an enrollment station, and then issue smart cards with certificates that are mapped to individual user accounts.
  • For user certificate-based authentication, the computer must request a user certificate from a Windows 2000 CA on the internal network.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
253498 How to install a certificate for use with IP Security

REFERENCES

For more information about enterprise deployment of IEEE 802.11 by using Windows XP and Windows 2000 IAS, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb457015.aspx

Properties

Article ID: 318710 - Last Review: May 21, 2007 - Revision: 4.3
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbhowtomaster KB318710

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com