Specifications

Summit WM20 Technical Reference Guide, Software Version 4.2
3 Creating the Windows Security Infrastructure
NOTE
To ensure information and best practice configuration integrity, all information contained in this section was
extracted from two sources:
• “Deploying Secure 802.11 Wireless Networks with Microsoft Windows”, by Joseph Davies
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
• Wireless client computers running Windows
Windows XP and Windows Server 2003 have built-in support for IEEE 802.11 wireless access and
IEEE 802.1X authentication using the Extensible Authentication Protocol (EAP). Windows 2000
supports IEEE 802.1X authentication when either Windows 2000 Service Pack 4 (SP4), or Windows
2000 Service Pack 3 (SP3) with the Microsoft 802.1X Authentication Client, is installed (Windows 2000
SP4 is recommended).
• At least two Internet Authentication Service (IAS) servers.
At least two IAS servers (one primary and one secondary) are used to provide fault tolerance for
Remote Authentication Dial-In User Service (RADIUS)-based authentication. If only one RADIUS
server is configured and it becomes unavailable, wireless access clients cannot connect. By using
two IAS servers and configuring all wireless access points (APs) (the RADIUS clients) for both the
primary and secondary IAS servers, the RADIUS clients can detect when the primary RADIUS
server is unavailable and automatically fail over to the secondary IAS server.
You can use either Windows Server 2003 or Windows 2000 Server IAS. IAS servers running
Windows 2000 must have either SP4 or SP3 with Microsoft 802.1X Authentication Client installed
(Windows 2000 SP4 is recommended). IAS is not included with Windows Server 2003, Web
Edition.
• Active Directory® directory service domains.
Active Directory domains contain the user accounts, computer accounts, and dial-in properties
that each IAS server requires to authenticate credentials and evaluate authorization. While not a
requirement, to both optimize IAS authentication and authorization response times and
minimize network traffic, IAS should be installed on Active Directory domain controllers. You
can use either Windows Server 2003 or Windows 2000 Server domain controllers. Windows 2000
domain controllers must have SP3 or SP4 installed.
• Computer certificates installed on the IAS servers.
Regardless of which wireless authentication method you use, you must install computer
certificates on the IAS servers.
• For EAP-TLS authentication, a certificate infrastructure.
When the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication
protocol is used with computer and user certificates on wireless clients, a certificate
infrastructure, also known as a public key infrastructure (PKI), is needed to issue certificates.
• For Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAP v2) authentication, root certification authority (CA) certificates on each wireless client.
PEAP-MS-CHAP v2 is a password-based secure authentication method for wireless connections.
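
The primary/secondary IAS failover described above for RADIUS clients, sketched as an added example (it is not code from this guide, the Summit WM20, or Microsoft). It sends a simple RFC 2865 PAP Access-Request as a stand-in for the EAP exchange an AP would relay; the function names, the "ap-example" NAS-Identifier, and the timeout and retry values are assumptions.

```python
import hashlib, hmac, os, socket, struct

def access_request(ident, req_auth, secret, user, password):
    """Minimal RFC 2865 Access-Request (PAP, password of at most 16 bytes)."""
    if len(password) > 16:
        raise ValueError("this example hides a single 16-byte password block")
    mask = hashlib.md5(secret + req_auth).digest()
    hidden = bytes(a ^ b for a, b in zip(password.ljust(16, b"\0"), mask))
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in
                     ((1, user), (2, hidden), (32, b"ap-example")))  # constructed NAS-Identifier
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def valid_response(resp, ident, req_auth, secret):
    """Accept a reply only if ID, length and Response Authenticator all match."""
    if len(resp) < 20 or resp[1] != ident:
        return False
    if struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    want = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(want, resp[4:20])

def authenticate(servers, secret, user, password, timeout=1.0, retries=2):
    """Try each (ip, port) in order. Returns (server, code) or (None, None).

    Only silence or an unverifiable reply moves on to the next server; an
    Access-Reject (code 3) from a live server is a final answer.
    """
    for server in servers:
        for _ in range(retries):
            ident, req_auth = os.urandom(1)[0], os.urandom(16)
            packet = access_request(ident, req_auth, secret, user, password)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                try:
                    sock.sendto(packet, server)
                    resp, peer = sock.recvfrom(4096)
                except OSError:  # timeout or ICMP port unreachable
                    continue
            if peer == server and valid_response(resp, ident, req_auth, secret):
                return server, resp[0]  # 2 = Access-Accept, 3 = Access-Reject
    return None, None
```

Pass the servers as IP address and port pairs, primary first; a reply signed with the wrong shared secret is treated the same as no reply.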