How to setup your Cisco Access Point to use WPA with Microsoft SBS 2003
IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
802.11b (and 802.11a and 802.11g) are great. You lose the tether to your desktop. The problem is, how do you secure your network so that your users can still use it without having to jump through hoops?
WEP used to be the answer. WEP is insecure and dead. Cisco have an excellent security suite, but if you're a small company then the cost of investing in the additional components may be prohibitive. If this is your case then WPA (Wi-Fi Protected Access) is the solution for you. It can be used in two modes: pre-shared key mode and dynamic key mode.
I look down on pre-shared key mode. It requires you to manually enter a key on every wireless machine, and if the key is ever discovered you have to change it on every access point and every machine. It really is only good on the smallest of networks. The dynamic key approach requires two digital certificates to be installed on each workstation. After that, you do nothing. Security keys are dynamically generated per user per session. If a machine gets stolen, you simply invalidate those two certificates on your server and your network is secure again. No more pain.
If you have Microsoft Small Business Server 2003 (or Windows Server 2003) then you can use the more secure, easier-to-manage dynamic mode. Note that you cannot do this with Windows 2000 Server. You will also need a Cisco 350 series access point or better (1100 series, 1200 series, etc). If you have Cisco ACS, please use that instead. Cisco ACS is easy to set up compared to using SBS2003. However, you're reading this article because you probably don't have Cisco ACS. The client used in this article was Windows XP. I believe Windows 2000 Professional also supports WPA - providing you download the WPA patches from Microsoft.
There are many steps in getting a working SBS 2003 WPA setup going. Most steps are essential, and the setup won't work at all if any of them is skipped. This guide tries to cover all the major points and gotchas, but is not an exact step by step guide. So you will have to have an inkling of what to do yourself.
The major steps (each has its own section below):
- Patches. Do a Windows Update on your server, your workstation, and make sure your Cisco wireless kit has up to date software on it. The Windows Updates are essential. There is a critical wireless patch that needs to be applied to Windows XP and Windows 2000 that will prevent the solution from working if not done.
- Install Microsoft Certificate Server. The WPA setup can only be used with certificates. You CAN NOT use username/password authentication (need Cisco ACS for the simpler username/password authentication).
- Install IAS (Internet Authentication Service) on your SBS 2003 server.
- Create a "Wireless Users" security group in Active Directory (not essential, but highly recommended).
- Create a "Wireless" access policy in IAS.
- Add your access point in as a RADIUS client.
- Configure your Cisco access point.
- Install two certificates on your machine. One for your machine account, and one for your user account. It is critical that both of these are installed.
- Configure the wireless settings on your workstation. Note that you CAN NOT use Cisco ACU to configure your settings. You must set it so that Windows XP/2000 does the configuration.
- Special notes for Intel Wireless NIC Users. You may have trouble connecting to WPA networks if you don't do this.
- Summary
Patches
The most critical patch to have on your workstations at the time of writing is KB826942. You will see it under Add/Remove Programs if you have it installed already. You can install it by using Windows Update, or by getting it directly from Microsoft. You will not be able to use WPA without this patch. It is critical. You should do a Windows Update on your SBS2003 server as well. It is also strongly recommended that you update your Cisco access points to the most recent software, as well as your wireless NICs.
Patches - Update
Windows XP SP2 contains all the patches you need. If you have Windows XP SP2, you don't need to install any patches.
Install Microsoft Certificate Server
The general click path on the server is:
- Start
- Control Panel
- Add or Remove Programs
- Add/Remove Windows Components
- Tick "Certificate Services" if it isn't already.
- Follow your nose when answering the questions. Probably best to make yourself an Enterprise CA, since this is a simple AD structure (you're a small company, right?)
Install IAS (Internet Authentication Server)
Don't get this confused with ISA. We're using IAS, and the two have nothing to do with each other. The general click path on the server is:
- Start
- Control Panel
- Add or Remove Programs
- Add/Remove Windows Components
- Networking Services
- Details
- Tick "Internet Authentication Service", if it isn't already.
- Click "Okay" lots of times.
Create a "Wireless Users" security group
The general click path on the server is:
- Start
- All Programs
- Administrative Tools
- Active Directory Users and Computers
- If you're running SBS2003 navigate to "MyBusiness" and then "Security Groups". If you have Windows 2003 server then navigate to "Users".
- Right click, and select "New" and then "Group".
- Type "Wireless Users" for the group name.
- Set the scope to Universal.
- Now the REALLY important bit. Add both the users who you want to have wireless access AND (I repeat AND) their machines. To see machines, click the "Add" button, and then "Object Types", and make sure that "Computers" is ticked. This is critical, repeat CRITICAL.
Create a "Wireless" access policy
This is done in IAS. The general click path is:
- Start
- All Programs
- Administrative Tools
- Internet Authentication Service
- Remote Access Policies
- Right click, "New Remote Access Policy"
- Next
- Use the wizard to setup a typical policy for a common scenario.
- Type "Wireless Access" for your policy name.
- Next
- Wireless
- Select "Group", click "Add".
- Type "Wireless Users", and click "OK".
- Next
- Change the "Authentication Method" from "PEAP" to "Smart Card or other certificate". This is critical.
- Click "Configure", and select the certificate that you originally created when installing your certificate server. You will probably only have one option.
- OK
- Next
- Finish
- Double click on your new "Wireless Access" policy.
- Edit Profile
- Tick "Minutes client can be connected", and set it to "10".
- OK
- OK
Add your access point in as a RADIUS client
This is done in IAS. The general click path is:
- Start
- All Programs
- Administrative Tools
- Internet Authentication Service
- RADIUS Clients
- Right click, "New RADIUS Client"
- Type a name for your access point.
- Type the IP address of your access point.
- Next
- Change "Client-Vendor" from "RADIUS Standard" to "Cisco".
- Type in a "Shared secret" (password) to be used between the RADIUS server and the access point. Note this down, because you will have to configure this on the access point as well.
- Finish
Configure your Cisco access point
This is done via your WWW browser. Make sure you're running an IOS based access point (you will be, unless you have had it for quite some time). General summary of settings: you need to use "Open Authentication with EAP", "TKIP" for your encryption, and set everything up to use VLAN 1. If this is a new access point, run the "Express Setup" first. The general click path is:
- Security
- Server Manager
- Under "Corporate Servers" enter the IP address of your IAS server.
- In "Shared Secret" enter the password I said to note down above when configuring IAS.
- Apply
- Under "Default Server Properties", set "EAP Authentication" "Priority 1" to your IAS server.
- Apply
- SSID Manager
- Type in your SSID (what your access point will be known as), and enter a VLAN of "1".
- Under "Authentication Methods" click "Open Authentication" and select "with EAP" from the drop down box.
- Under "Authentication Key Management" set "Key Management" to "Mandatory" and tick "WPA".
- Apply
- Encryption Manager
- Select "Cipher", and "TKIP". Don't use any of the other TKIP settings, CRITICAL. Use plain TKIP.
- Apply
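The settings above can be checked against the access point's running configuration instead of clicking through the pages. This is an added example, not part of the original article: it assumes the IOS CLI syntax of Aironet access points (radius-server host, dot11 ssid, authentication key-management wpa, encryption vlan mode ciphers) and audits a constructed sample config for the critical settings the guide names, flagging the two mistakes it warns against (WPA set to optional, and a TKIP cipher combined with another setting).

```python
import re

# Constructed sample running-config (not taken from a real access point) showing the
# settings this guide asks for: RADIUS server with shared secret, Open Authentication
# with EAP, mandatory WPA key management, plain TKIP cipher, everything on VLAN 1.
GOOD_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key SHARED-SECRET-PLACEHOLDER
dot11 ssid CORP-WLAN
 vlan 1
 authentication open eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 ssid CORP-WLAN
"""

# Same config with the two settings the guide says are wrong: WPA only optional, and
# TKIP mixed with WEP instead of plain TKIP.
WEAK_CONFIG = GOOD_CONFIG.replace(
    "key-management wpa", "key-management wpa optional"
).replace("ciphers tkip", "ciphers tkip wep128")


def audit_ap_config(config: str) -> list[str]:
    """Return a list of problems found; an empty list means every critical setting is present."""
    problems = []
    if not re.search(r"^radius-server host \S+ .*\bkey \S+", config, re.M):
        problems.append("no RADIUS server with a shared secret configured")
    if not re.search(r"^ authentication open eap \S+", config, re.M):
        problems.append("SSID is not using Open Authentication with EAP")
    km = re.search(r"^ authentication key-management wpa( optional)?", config, re.M)
    if km is None:
        problems.append("WPA key management is not enabled on the SSID")
    elif km.group(1):
        problems.append("WPA key management is optional, it must be mandatory")
    enc = re.search(r"^ encryption vlan 1 mode ciphers (.+)$", config, re.M)
    if enc is None:
        problems.append("no cipher configured for VLAN 1")
    elif enc.group(1).strip() != "tkip":
        problems.append(f"cipher must be plain tkip, found '{enc.group(1).strip()}'")
    if not re.search(r"^ vlan 1$", config, re.M):
        problems.append("SSID is not mapped to VLAN 1")
    return problems
```

Paste the output of `show running-config` from your own access point into the function to check it the same way.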
Install two certificates on your machine
This bit gets done on the workstation. It is CRITICAL that you add both a machine certificate and a user certificate. The general click path is:
- Start
- Run
- MMC
- File
- Add/Remove Snap-In
- Add
- Certificates
- My User account
- Finish
- Add
- Computer Account
- Next
- Finish
- Close
- OK
- Go to "Certificates - Current User"
- Personal
- Certificates
- Right click, "All Tasks", "Request New Certificate"
- Next
- Select a "User" certificate.
- Next
- Type a name you would like the certificate known by, such as your username.
- Finish
- Now repeat this process for "Certificates (Local Computer)", but give the certificate a friendly name similar to that of the machine's name.
Configure the wireless settings on your workstation
A really CRITICAL bit. If you have Cisco ACU installed, you MUST tell it to allow windows to configure the wireless settings. Repeat, this is CRITICAL. You can still use ACU to monitor your wireless connection, you just can't use it to configure the wireless settings. So if you have ACU installed the general click path is:
- Start
- All Programs
- Cisco Systems
- Aironet Client Utility (ACU)
- Select Profile
- Use Another Application to Configure My Wireless Settings
- OK
Now we need to configure the Windows wireless settings. The general click path is:
- Start
- Connect To
- Show all connections
- View
- Details
- Right click on your "Wireless Network Connection".
- View Available Wireless Networks
- Advanced - DO NOT CLICK ON CONNECT
- Make sure "Use Windows to configure my wireless network settings" is ticked.
- You should be able to see your wireless network. Reboot if you can't. Click on "Configure".
- Set "Network Authentication" to "WPA".
- Set "Data Encryption" to "TKIP".
- Click on the Authentication tab.
- Make sure "Authenticate as computer when computer information is available" is ticked. CRITICAL.
- Set "EAP Type" to "Smart Card or other Certificate".
- Properties
- Under "Trusted Root Certificate Authorities" find the certificate for your certificate server, and tick it.
- OK
- OK
- OK
Under the "Status" column in "Network Connections" you should see the wireless connection progressing through several stages. When all is going correctly the status should be "Authentication succeeded". If you've just finished all of the workstation configuration above you may need to do a reboot before it starts working correctly.
Special notes for Intel Wireless NIC Users
Intel NICs have trouble associating to Cisco access points that have legacy world domain mode turned on. This may prevent you from connecting to the network, or may allow you to connect intermittently. If you have Intel NICs refer to this article from Intel and Cisco.
Summary
Congratulations, you should now have a wireless connected workstation that has secure access to your wired network. If you haven't, make sure you've done all the critical steps. Check the event log on the SBS2003 server (particularly look at any IAS events), and check the event log on the access point.