Categories
Windows Server 2003

IAS RADIUS Server Configuration for 802.1x EAP-MS-CHAP v2


This article describes the steps required to set up a resilient 802.1x Wi-Fi RADIUS authentication infrastructure, a must for any SMB.

This article assumes you have already configured your Wireless Access Point with the desired RADIUS server IP addresses / FQDNs and a shared secret.

IAS / Certificate Services Installation and Configuration (Primary RADIUS Server)

To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller.

  1. First, install IIS on your Domain Controller.
  2. Next, install Certificate Services as an Enterprise Root CA (Enterprise Root Server mode). Give the CA the same name as the server's name.
  3. Next, create a new Global Group, 'Wireless Users and Computers'. Add the computer AND user objects to which you wish to grant IAS RADIUS access to this group.
  4. Ensure that the user accounts are configured to grant Remote Access (Dial-in) permission.
  5. Next, install IAS (via Add/Remove Programs > Windows Components).

You will also need to request an NPS/IAS/RADIUS Server Authentication certificate for each IAS server you wish to configure.

Create IAS RADIUS Clients

Next, load the IAS MMC snap-in and select Clients.

  1. Right-click Clients > New > enter a Friendly Name.
  2. Ensure that the Protocol is 'RADIUS'.
  3. Enter the Access Point IP address.
  4. Select RADIUS Standard as the client vendor.
  5. Tick 'Client must always send the signature attribute in the request'.
  6. Enter the shared secret as configured on the AP.
  7. Click Finish.

[Image: RADIUS2.png]
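Step 5 above (the "signature attribute", RFC 2869's Message-Authenticator) is what lets IAS reject Access-Requests that were not produced by a device holding the shared secret. The script below is an added example, not part of the original article, showing what that attribute is: it builds a constructed Access-Request for a wireless client, computes the HMAC-MD5 over the packet keyed with the shared secret (with the attribute's own 16 value bytes zeroed, as the RFC requires), and then verifies it. The shared secret, user name and request authenticator are placeholders, and the code assumes Windows PowerShell 5.1 or later for the ::new() syntax.

```powershell
# Added example (not from the original article): RADIUS Message-Authenticator (attribute type 80, RFC 2869).
# Everything below is constructed for illustration; the shared secret is a placeholder.

function Get-MessageAuthenticator {
    param([byte[]]$Packet, [string]$SharedSecret)
    # Walk the attribute list (starts after the 20-byte header) until type 80 is found.
    $offset = 20
    while ($offset -lt $Packet.Length) {
        $type = $Packet[$offset]; $len = $Packet[$offset + 1]
        if ($len -lt 2) { throw "Malformed attribute length at offset $offset" }
        if ($type -eq 80) { break }
        $offset += $len
    }
    if ($offset -ge $Packet.Length) { throw "No Message-Authenticator attribute present" }
    # HMAC-MD5(shared secret, packet with the 16 Message-Authenticator value bytes set to zero).
    $copy = [byte[]]$Packet.Clone()
    for ($i = 0; $i -lt 16; $i++) { $copy[$offset + 2 + $i] = 0 }
    $key  = [Text.Encoding]::ASCII.GetBytes($SharedSecret)
    $hmac = [System.Security.Cryptography.HMACMD5]::new($key)
    $mac  = $hmac.ComputeHash($copy)
    return @{ Offset = ($offset + 2); Mac = $mac }
}

function New-AccessRequest {
    # Builds a minimal Access-Request: User-Name, NAS-Port-Type = Wireless-802.11 (19), Message-Authenticator.
    param([string]$UserName, [string]$SharedSecret, [byte[]]$RequestAuthenticator)
    $user  = [Text.Encoding]::ASCII.GetBytes($UserName)
    $attrs = [System.Collections.Generic.List[byte]]::new()
    $attrs.AddRange([byte[]](1, (2 + $user.Length))); $attrs.AddRange($user)   # User-Name (type 1)
    $attrs.AddRange([byte[]](61, 6, 0, 0, 0, 19))                               # NAS-Port-Type (type 61)
    $attrs.AddRange([byte[]](80, 18)); $attrs.AddRange([byte[]]::new(16))      # Message-Authenticator, zeroed for now
    $length = 20 + $attrs.Count
    $pkt = [System.Collections.Generic.List[byte]]::new()
    $pkt.AddRange([byte[]](1, 0x2A, ($length -shr 8), ($length -band 0xFF)))  # Code 1 = Access-Request, Identifier, Length
    $pkt.AddRange($RequestAuthenticator)                                        # 16-byte Request Authenticator
    $pkt.AddRange($attrs)
    $bytes = $pkt.ToArray()
    $r = Get-MessageAuthenticator -Packet $bytes -SharedSecret $SharedSecret
    [Array]::Copy($r.Mac, 0, $bytes, $r.Offset, 16)                             # Fill in the real MAC
    return ,$bytes
}

function Test-MessageAuthenticator {
    # Returns $true only when the attribute in the packet matches a recomputation with this secret.
    param([byte[]]$Packet, [string]$SharedSecret)
    $r = Get-MessageAuthenticator -Packet $Packet -SharedSecret $SharedSecret
    $received = $Packet[$r.Offset..($r.Offset + 15)]
    $diff = 0
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($received[$i] -bxor $r.Mac[$i]) }  # constant-time compare
    return ($diff -eq 0)
}

# --- demonstration with constructed values ---
$secret = 'CHANGE-ME-shared-secret'    # placeholder: the secret configured on the AP and in the IAS client entry
$auth = [byte[]]::new(16)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
$pkt = New-AccessRequest -UserName 'CONTOSO\alice' -SharedSecret $secret -RequestAuthenticator $auth

"Verifies with the correct secret : $(Test-MessageAuthenticator -Packet $pkt -SharedSecret $secret)"
"Verifies with a wrong secret     : $(Test-MessageAuthenticator -Packet $pkt -SharedSecret 'not-the-secret')"
$tampered = [byte[]]$pkt.Clone(); $tampered[22] = [byte][char]'E'   # alter the first byte of the User-Name value
"Verifies after tampering         : $(Test-MessageAuthenticator -Packet $tampered -SharedSecret $secret)"
```

Only the first check succeeds: a packet signed with a different secret, or one whose contents were changed in transit, fails verification. That is why the option is worth ticking even though it costs the access point one extra attribute per request, and why the shared secret should be long and unique per client: the HMAC is only as strong as the secret behind it.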

Configure Remote Access Policies

  1. Select Remote Access Policies.
  2. Right-click Remote Access Policies > New Remote Access Policy.
  3. Enter a friendly name.
  4. Click Next.
  5. On the conditions window, click Add.
  6. Select Windows Groups and click Add.
  7. Click Add, set Domain as the location and search for the Global Group, then click OK; you will return to the conditions window.
  8. Click Add, select NAS-Port-Type and then select Wireless – IEEE 802.11.
  9. Click Add, select Wireless – Other and then click Add; you will return to the conditions window.
  10. Click Next.
  11. Select Grant Remote Access Permission.
  12. Click Edit Profile, then select the 'Authentication' tab.
  13. Enable Extensible Authentication Protocol and select PEAP as the EAP type from the drop-down box.
  14. Disable all other authentication types.
  15. Click Configure under the Extensible Authentication Protocol group.
  16. Ensure that Secured Password (EAP-MSCHAP-V2) is listed.
  17. Select the IAS/RADIUS Server Authentication certificate you wish to use for authentication (note: if the certificate is to be replaced in future, change it here).

[Image: RADIUS3.png]

  18. Click OK.
  19. Click OK until the Remote Access Policy configuration window disappears!

[Image: RADIUS1.png]

Perform the steps above on the secondary RADIUS server as well.

Client Configuration

Once the laptop has detected the AP, configure the advanced options:

  • Network Authentication should be set to WPA, using TKIP data encryption.
  • Under Authentication, select Protected EAP, then select Properties:
      - Ensure Validate Server Certificate is selected.
      - Ensure that Connect to these servers contains the RADIUS servers' FQDNs.
      - Scroll down and select both RADIUS server certificates under Trusted Root Certification Authorities.

It may be necessary to manually install one of the certificates on your client.

Client configuration can also be completed using Group Policy: Computer Configuration / Windows Settings / Wireless Network (IEEE 802.11) Policies.

Manual Certificate Installation

Navigate Internet Explorer to:

  • http://your-certificateserver1/certsrv
  • http://your-certificateserver2/certsrv

From each server choose 'Retrieve the CA certificate' and download the CA certificate in DER encoded format.

On the client, load MMC and add the Certificates snap-in, selecting Computer account > Local computer. Expand Trusted Root Certification Authorities and select Certificates > right-click Certificates > Import > select the first RADIUS server's CA certificate. Repeat for the second server's CA certificate.
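The client settings in the two sections above (server certificate validation on, the RADIUS servers' FQDNs pinned, and the right root CA trusted) are the settings that stop a client from handing its MS-CHAP v2 credentials to an access point that merely presents some certificate. The script below is an added example, not part of the original article, that checks those settings in an exported wireless profile and confirms each trusted root CA is actually present in the machine's Trusted Root store, importing the DER file from /certsrv only after its thumbprint matches one recorded out of band. The embedded profile XML is a constructed sample standing in for the output of netsh wlan export profile; the server names radius1.corp.example / radius2.corp.example, the thumbprint and the file path are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1+ on a domain client.
# Export a real profile with:  netsh wlan export profile name="CorpWifi" folder=C:\temp
# The XML below is a constructed stand-in for that export; the thumbprint is a placeholder.
$sampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWifi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>radius1.corp.example;radius2.corp.example</ServerNames>
                  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
                </ServerValidation>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Test-PeapProfile {
    # Returns a list of findings; an empty list means the three PEAP checks from the article all pass.
    param([xml]$Profile)
    $issues = @()
    $sv = $Profile.SelectSingleNode("//*[local-name()='ServerValidation']")
    if (-not $sv) { return @('No PEAP ServerValidation block: profile is not PEAP or validation is unconfigured') }

    $perform = $Profile.SelectSingleNode("//*[local-name()='PerformServerValidation']")
    if (-not $perform -or $perform.InnerText -ne 'true') { $issues += "'Validate server certificate' is not enabled" }

    $names = $sv.SelectSingleNode("*[local-name()='ServerNames']").InnerText
    if ([string]::IsNullOrWhiteSpace($names)) { $issues += "'Connect to these servers' is empty: any certificate name would be accepted" }

    # Thumbprints are stored as space-separated hex; normalise to the store's upper-case form.
    $cas = @($sv.SelectNodes("*[local-name()='TrustedRootCA']") | ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() })
    if ($cas.Count -eq 0) { $issues += 'No Trusted Root CA selected: any CA in the machine store would be trusted' }
    foreach ($thumb in $cas) {
        if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb)) {
            $issues += "Trusted root CA $thumb is not installed in LocalMachine\Root; import it from /certsrv"
        }
    }
    return $issues
}

function Import-RadiusCaCertificate {
    # Installs a DER-encoded CA certificate into Trusted Root Certification Authorities, but only if its
    # thumbprint matches the value verified out of band: the /certsrv download runs over plain HTTP.
    param([string]$DerFile, [string]$ExpectedThumbprint)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($DerFile)
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) { throw "Thumbprint mismatch for $DerFile (got $($cert.Thumbprint), expected $expected)" }
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# --- usage ---
$issues = Test-PeapProfile -Profile ([xml]$sampleProfileXml)
if ($issues.Count -eq 0) { 'PEAP profile OK' } else { $issues | ForEach-Object { "WARN: $_" } }
# After downloading the CA certificate from http://your-certificateserver1/certsrv (placeholder path and thumbprint):
# Import-RadiusCaCertificate -DerFile 'C:\temp\radius1-ca.cer' -ExpectedThumbprint '00112233445566778899AABBCCDDEEFF00112233'
```

Run against the constructed sample the server-name and validation checks pass and the only finding is that the placeholder root CA is not in the store, which is exactly the situation the manual import section is for. The same function applied to a real export tells you whether a Group Policy-pushed profile ended up on the client as intended. Run the import from an elevated prompt, since writing to LocalMachine\Root requires administrative rights.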

 


Deploying Outlook 2007 via Group Policy


There are 2 options for deploying Outlook 2007 via Group Policy:

1) Using the supplied MSI and modifying the config.xml file.

2) Calling setup from a Group Policy machine startup script and installing using a customised MSP file.

Option 1 Cons / Option 2 Pros

Option 1 is limiting in that you are not able to integrate service packs and updates by adding the MSP files to the Upgrades directory in the root of your installation folder. Option 2 allows you to achieve this. This means you cannot automate integration of SP1 with Option 1.

Option 1 also limits your setup options, whereas with Option 2 you can use the following command to create an entirely modified and personalised Outlook 2007 setup: setup /admin. Option 1 will not allow you to upgrade a previous version of Outlook to 2007 unless you specifically deployed Outlook via Group Policy, rather than a complete Office Suite installation that included Outlook.

If you attempt to upgrade using Option 1, setup will install the files but Outlook 2007 will show as 'Not Available' when you try to modify the setup. This is due to Group Policy: even though you specify 'Setting Id="RemovePrevious" Value="OUTLOOKFiles"', setup will not upgrade the previous version because Group Policy does not see the installation as an upgrade.

Furthermore, instructing the new Outlook 2007 GPO to upgrade your previous version of Office will also fail. Option 2 will allow you to upgrade a previous installation of Outlook to 2007, even if your Outlook install is part of a full Office Suite.

Option 1 Pros / Option 2 Cons

Option 2, however, will not allow you to 'manage' the software: if a machine falls out of the scope of the install script, Outlook will not be uninstalled. Option 1 would enable you to manage software in this way.

Conclusion

With the above in mind I opted for Option 2, as I was performing an upgrade to 2007 from 2000, so it really was a no-brainer. I combined the MSP-based setup with a startup script written in VBScript. This is configured in a new GPO and set as a machine startup script. The scope of the GPO depends upon machine membership of a particular group within AD, thus providing a granular and controlled method of deployment.

Const HKEY_LOCAL_MACHINE = &H80000002
Set WshShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
InstallDIR = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES%") & "\Microsoft Office\Office12"
target = InstallDIR & "\OUTLOOK.exe"

If NOT fso.FileExists(target) Then ' If there is no Outlook 2007 executable, install Outlook 2007
    ' Run setup hidden (window style 0) and wait for it to finish; cmd receives setup's exit code
    cmd = WshShell.Run("\\file_server\outlook2007$\setup.exe /adminfile \\file_server\outlook2007$\Outlook2K7UPDT.MSP", 0, True)
    ' Create Outlook Desktop Icon
    Set wmiLocator = CreateObject("WbemScripting.SWbemLocator") ' Object used to get the StdRegProv namespace
    Set wmiNameSpace = wmiLocator.ConnectServer(strComputerName, "root\default") ' Registry Provider (StdRegProv) lives in the root\default namespace
    Set objRegistry = wmiNameSpace.Get("StdRegProv")
    objRegistry.CreateKey HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00020D75-0000-0000-C000-000000000046}"
End If