Wireless access with secure password authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this example, the network administrator is managing authorization by using groups. All user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.

The network administrator requires that all IEEE 802.11 wireless clients (members of the WirelessClientsGroupName group) use Protected Extensible Authentication Protocol, or PEAP, for secure password authentication on the network. PEAP uses Transport Layer Security (TLS) to create an end-to-end (EAP client to EAP authenticator) encrypted connection after verifying the identity of the authenticator (typically, an IAS server). The IAS server authenticates itself to the client with a certificate that includes the Server Authentication purpose in its Enhanced Key Usage (EKU) extension.

Because PEAP is used with EAP-MS-CHAPv2 as the authentication type, user authentication is accomplished with password-based credentials that are typed by the user. PEAP with EAP-MS-CHAPv2, also called PEAP-EAP-MS-CHAPv2, eliminates the need to deploy certificates to wireless clients for the purpose of client computer and user authentication.

For more information, see Network access authentication and certificates.

Note

  • You can also use PEAP with EAP-TLS (also known as PEAP-EAP-TLS), which provides strong security. PEAP-EAP-TLS uses a public key infrastructure with certificates, which are used for server authentication, and either smart cards or certificates for client computer and user authentication. When you use PEAP-EAP-TLS, client certificate information is encrypted, providing improved security over EAP-TLS without PEAP.

After remote access permission is set for all user accounts, the administrator completes the following steps:

  1. Use the New Remote Access Policy Wizard to create a common wireless policy with the following settings:

    • Policy name: Wireless access

    • Access Method: Wireless access

    • User or Group: Select Group, and then specify the WirelessClients group (example).

    • Authentication methods: Select Protected Extensible Authentication Protocol (PEAP).

    • Policy Encryption Level: Check the Strongest encryption (MPPE 128-bit) check box, and then clear all other check boxes.

  2. Delete the default policies.

    For more information, see Delete a remote access policy.

When you select PEAP as the authentication method, the default authentication type is EAP-MS-CHAPv2. The following defaults are used:

  • Number of authentication retries: 0

  • Allow client to change password (not selected)

To change these settings, complete the steps in Configure PEAP and EAP methods.

Notes

  • Although deploying certificates for user and client computer authentication is more difficult than using PEAP with EAP-MS-CHAPv2, certificates are more secure, and PEAP with EAP-TLS using smart cards or certificates is the recommended authentication method for wireless clients.

  • You can configure wireless connection policy so that wireless clients periodically reauthenticate. This ensures that the client Wired Equivalent Privacy (WEP) encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session timeout in your remote access policy or connection request policy for wireless connections (using the Session-Timeout attribute) to the required interval (for example, 10 minutes). Additionally, configure the Termination-Action attribute with the Attribute value set to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless access points might end the connection during reauthentication. For more information, see your hardware documentation.
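The reauthentication settings above end up as two attributes in the RADIUS Access-Accept that IAS returns to the access point. The following added example (not code from this documentation or from IAS) encodes Session-Timeout and Termination-Action in the standard RFC 2865 attribute format (attribute types 27 and 29; Termination-Action value 1 means RADIUS-Request, 0 means Default), decodes them back, and checks a policy's attribute set for the failure mode the note describes: a Session-Timeout without Termination-Action=RADIUS-Request. The 600-second interval and the sample attribute sets are constructed for illustration.

```python
"""Encode and check the RADIUS attributes used for periodic wireless reauthentication.

Added example, not Microsoft or IAS code. Attribute type numbers and values are
taken from RFC 2865; the 600-second interval is a constructed sample value.
"""
import struct

# RFC 2865 attribute type numbers (integer-valued attributes).
SESSION_TIMEOUT = 27      # seconds the session may last before reauthentication
TERMINATION_ACTION = 29   # 0 = Default, 1 = RADIUS-Request
TERMINATION_DEFAULT = 0
TERMINATION_RADIUS_REQUEST = 1


def encode_integer_attribute(attr_type: int, value: int) -> bytes:
    """Encode one integer attribute as Type (1 byte) | Length (1 byte) | Value (4 bytes).

    Length counts the whole attribute including the two header bytes, so it is 6.
    """
    return struct.pack("!BBI", attr_type, 6, value)


def decode_attributes(data: bytes) -> dict:
    """Walk a run of RADIUS attributes and return {type: value}.

    Four-byte values are decoded as integers; any other length is kept as raw bytes.
    """
    attrs = {}
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = struct.unpack_from("!BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError("malformed attribute length at offset %d" % offset)
        value_bytes = data[offset + 2:offset + length]
        if len(value_bytes) == 4:
            attrs[attr_type] = struct.unpack("!I", value_bytes)[0]
        else:
            attrs[attr_type] = value_bytes
        offset += length
    return attrs


def build_reauth_attributes(session_timeout_seconds: int) -> bytes:
    """Attributes a wireless policy should return so the AP reauthenticates on schedule."""
    return (encode_integer_attribute(SESSION_TIMEOUT, session_timeout_seconds)
            + encode_integer_attribute(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST))


def check_reauth_policy(data: bytes) -> list:
    """Return findings for an attribute set; an empty list means the policy is consistent."""
    attrs = decode_attributes(data)
    findings = []
    if SESSION_TIMEOUT not in attrs:
        findings.append("no Session-Timeout: clients never reauthenticate, so WEP keys are not refreshed")
    elif attrs.get(TERMINATION_ACTION) != TERMINATION_RADIUS_REQUEST:
        findings.append("Session-Timeout set without Termination-Action=RADIUS-Request: "
                        "the access point may end the connection at reauthentication")
    return findings


if __name__ == "__main__":
    # Constructed sample: a correct policy (10-minute interval) beside two incomplete ones.
    good = build_reauth_attributes(600)
    timeout_only = encode_integer_attribute(SESSION_TIMEOUT, 600)
    wrong_action = (encode_integer_attribute(SESSION_TIMEOUT, 600)
                    + encode_integer_attribute(TERMINATION_ACTION, TERMINATION_DEFAULT))
    for label, blob in (("good", good), ("timeout only", timeout_only), ("wrong action", wrong_action)):
        print(label, blob.hex(), decode_attributes(blob), check_reauth_policy(blob) or "OK")
```

The checker mirrors the note's rule: a Session-Timeout on its own forces reauthentication but leaves the access point free to tear the session down, so both attributes have to be present together in the wireless policy.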