Setting up Windows 2000 Radius to authenticate wireless 802.1x clients

by Robert Vegas [Published on 3 May 2005 / Last Updated on 3 May 2005]

How to set up RADIUS on Windows 2000 so you can authenticate wireless clients.

Requirements:
  • Windows 2000 with Active Directory (latest service pack)
  • Certificate server
  • IAS server
  • Access point with 802.1X capability; the following were used in this guide:
    • Linksys BEFW11S4
    • D-link DI-824vup
  • Windows 2000 or Windows XP client with a wireless adapter (latest service pack)

 

Windows 2000 Radius server setup:

Make sure Active Directory and DNS are configured properly

  • Install the IAS and certificate server components from add/remove programs

       

After the IAS and certificate server components have been installed successfully, set up the server as CA root and register the IAS server with Active Directory.

For help on setting up the certificate server for automatic certificate allocation:

  • Click Start, and then click Help
     
  • Click the Search tab, type the following text, and then click List Topics :

    configure automatic certificate allocation from an enterprise ca

  • In the Select topic list, click Configure automatic certificate allocation from an enterprise CA , and then click Display
     

To register the Radius server:

  • Right click the RADIUS server and select the "Register in Active Directory" option.

           

  • Click OK when you see this message

           

  • Next right click the clients option and select create new client.

        

  • Name: <Access Point name>
  • IP: <IP address of the Access point>
  • Click Verify to make sure it's the correct IP
  • Client Vendor: Radius Standard
  • Check the "client must always send signature attribute in the request" box
  • Enter a secret key that will be exchanged between the access point and server

  • Edit the remote policy to include Extensible Authentication Protocol on the Authentication tab
  • Also add the group that you want to allow wireless access

 

Changing the user properties in Active Directory:

  • Give the user dial in permissions, or create a group and add the users to that group
  • Change domain mode to native to enable the Remote Access Policy option

 

Radius client setup:

D-link access point configuration:

  • Enable 802.1X
  • Encryption: enabled
  • Server: W2k Radius IP
  • Port: 1812
  • Radius secret: same as Radius server
  • WEP enabled (optional)

     

 

Linksys access point configuration:

  • Wireless security: Enabled
  • Security mode: Radius
  • Radius Servers address: W2k Radius IP
  • Port: 1812
  • Shared Key: same as Radius server
  • Wireless encryption type: 64bits 10HEX

         

Note: Once the Radius server and clients are set up, stop and start the IAS service and reboot the access point.

Wireless client setup:

  • Select the "wireless networks" tab from wireless network properties
  • Highlight the access point in the available networks and click configure
  • On the "association tab" change the network authentication to "Open"
  • Data Encryption: WEP
  • If WEP was enabled on the router and a key was set, enter the key here
  • If a WEP key was not specified on the access point, check the "key is provided for me" option
     

        

Authentication tab

  • Enable IEEE 802.1x
  • EAP type: Select protected EAP (PEAP)


        
 

  • Click the properties button
  • Authentication Method: Secured password (EAP-MSCHAPv2)
  • Click the configure button
  • Uncheck the windows logon name and password box

          

  • Right click the wireless icon and select the "View available wireless networks" option
  • Select the wireless network and check the 802.1x box
  • Then click connect (a WEP key may be needed if set on the access point)

           

  • A username and password screen will appear

             

  • Enter the domain username and password and click logon

       

  • Once connected the wireless icon will change

   

Problems that may occur while trying to connect:

Event ID: 2

  • If a problem occurs while trying to connect, check the application log on the server:
  • Make sure the correct domain credentials are provided

       (This screen indicates incorrect credentials)

  • Make sure the user account has dial in permissions set to "Allow"
  • Uncheck the windows logon name and password box, as shown above in red text

Event ID: 14 or 18

  • Check the connection between the Radius server and the access point
  • Check the client information on the IAS server
  • Make sure the shared secret on the server matches the key on the client
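
The "signature attribute" required on the IAS client entry is the RADIUS Message-Authenticator attribute (RFC 2869): an HMAC-MD5 over the whole request, keyed with the shared secret, so a secret that differs between the access point and the server makes every request fail verification. The Python code below is an added example, not part of the original guide or of IAS; the function names, user name and secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869; the "signature attribute" in the IAS dialog

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, authenticator, attrs, secret, sign=True):
    """Build an Access-Request; when sign is True, append Message-Authenticator."""
    body = b"".join(attrs)
    if sign:
        body += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # placeholder is the last 16 octets
    return packet

def check_signature(packet, secret, required=True):
    """Return 'ok', 'missing', 'bad' or 'malformed' for a received request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            return "malformed"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # HMAC is computed over zeros here
        pos += attr_len
    if received is None:
        return "missing" if required else "ok"
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "bad"

# Constructed sample: request signed by an access point using secret "ap-secret".
REQ = build_access_request(7, bytes(range(16)), [attr(USER_NAME, b"alice")], b"ap-secret")
if __name__ == "__main__":
    print(check_signature(REQ, b"ap-secret"), check_signature(REQ, b"typo-secret"))
```

With the signature required, a request that lacks the attribute is reported as "missing" rather than accepted, which is the behaviour the checkbox on the client entry enforces.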

Robert Vegas is currently the owner of Pctechnicians Canada.
