Setting up 802.1X networks by using Internet Authentication Service
Sam Salhi, Software Test Engineer, Networking and Devices, Microsoft Corporation

Transcript of "Setting up 802.1X networks by using Internet Authentication Service".

Objective

The main objective is to educate enterprise network administrators about how to set up 802.1X secure networks.

Agenda

Server setup
- Authentication methods and vulnerabilities
- Best practices and recommendations

Certificate Authority (CA) setup
- Best practices and recommendations

Active Directory® and client setup
- User and computer account setup and management
- Policy configuration in the domain
- Best practices and recommendations

Troubleshooting

Abstract

At the moment, setting up 802.1X is one of the most challenging tasks that network and systems administrators face.

This Support WebCast is targeted at network professionals, such as administrators, who need to improve security and centralize wireless access to their networks.

Recap: RADIUS

- RADIUS is a standard for authentication, authorization, and accounting (the Microsoft implementation adds auditing); AAA or AAAA for short (triple A or quad A).
- RADIUS is primarily used to manage network access through dial-in, wireless, and VPN network access servers.
- The protocol was standardized in RFC 2058; the current implementation is defined in RFCs 2138 and 2139.
- RADIUS uses User Datagram Protocol (UDP) packets.
- Older servers used ports 1645 and 1646.
- The latest standards are ports 1812 for authentication and 1813 for accounting.
- Internet Authentication Service (IAS) can map any other unused port to do RADIUS.

Recap (2): IEEE 802.1X (8021X for short)

- A mechanism to provide authentication and key management.
- Dynamic key management = different keys per client.
- More secure than WEP, and less susceptible to WEP cracking techniques.
- Works with wired and wireless LANs.
- Supports multiple authentication methods: token keys, passwords, certificates, one-time passwords, and others.
- Many more great features, such as central user management and mutual authentication.
- More information: http://www.ieee802.org/1/pages/802.1x.html (note that this URL goes to an external site outside the Microsoft site).

Setting up Active Directory

- To set up Active Directory, run Dcpromo.exe on your future domain controller.
- When the domain is up, you can create user accounts and add computer accounts to Active Directory.
- In Windows 2000 mixed domains, the accounts must be set to Allow access so that they can be successfully authenticated. There are mechanisms to override this on the IAS server.
- In native domains in Windows 2000 (and later), the Control access through Remote Access Policy option is available. This is the default (and the recommended setup for all user and computer accounts), because this option allows the IAS server to determine whether to let the user in or not.

Certificate Authority (CA) setup

To set up the CA, perform the following steps on your future CA server:

1. Click Start, click Control Panel, and then double-click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Click Certificate Services, and then click Details.
4. Make sure that Certificate Services Web Enrollment Support is selected. (You must have IIS installed before you perform this step.)

CA setup (2)

Recommendation: Use Certificate Services on computers running Microsoft® Windows Server™ 2003 Enterprise Edition. This allows the administrator to have custom templates, and it includes two important certificate templates:

- RAS and IAS Server Authentication
- Wireless Authentication

These customized templates have the correct settings for the IAS server and wireless clients.

CA setup (3)

When the CA is installed, you must publish the certificate templates:

- RAS and IAS Server Authentication
- Wireless Authentication

CA setup (4)

Follow these steps to add the templates:

1. Click Start, point to Programs, point to Administrative Tools, and then click Certificate Authority.
2. Find the certificate templates.
3. Right-click the certificate templates, and then click Certificate Template to issue.
4. In the dialog box that appears, click RAS and IAS server authentication and Wireless authentication.

Setting up Group Policy

- By default, wireless Group Policy settings are not set.
- An administrator might want to change the default to make the process of getting wireless clients on the network easier.
- Group Policy must be downloaded to the client before it can take effect on the client computers. This happens automatically when a domain user logs on to the computer for the first time, or when a new computer joins the domain (after first boot). It also happens at regular intervals.

Setting up Group Policy (2)

- To force the Group Policy download on the client computer, use the GPUPDATE.EXE command-line tool with the /F[orce] option. This makes the computer download and update Group Policy locally (with any new modifications).
- Use Group Policy to automatically enroll certificates for client computers. This is in addition to other certificates needed by the client (like the enterprise root certificate or other third-party root certificates that the administrator wants to push down to the clients automatically through Group Policy).

Setting up Group Policy (3)

- Open the Active Directory Users and Computers snap-in.
- Locate an organizational unit (OU) that you would like to have the wireless policy applied to, or create a new one by right-clicking the domain name, pointing to New, and then clicking Organizational Unit.
- Add the computers that you would like to apply the Group Policy to.

Note: Wireless Group Policy applies only to computers.

Setting up Group Policy (4)

1. Right-click the OU, and then click Properties.
   Tip: You can make the policy domain-wide by right-clicking the domain name. Check the links at the end for additional information about Group Policy.
2. Click the Group Policy tab.
3. Click New.
4. Type the new name.
5. Click Edit to start editing the policy.

Setting up Group Policy (5)

Note: You can also use the new Group Policy Management Console (GPMC), which works the same way. Check the links at the end of this WebCast for more information.

Group Policy: Configuring 802.1X in GP

1. Find Wireless Network (IEEE 802.11) and right-click it.
2. Select Create Wireless Network Policy.
3. After the wizard is done, continue to edit the properties.

Group Policy (2): Configuring 802.1X in GP

Recommendation: On the General tab, make sure to change the Networks to access list to Access point (infrastructure) networks only.

- This option will only push this SSID as the default on your clients. (It will be added to the Preferred Networks list.)
- Wireless Group Policy is not an exclusionary technology; you cannot prevent users from connecting to other SSIDs.
- You can limit your clients to connect only to APs or only to ad hoc networks.
- Click the Preferred Networks tab, and then click Add.

Group Policy (3): Configuring 802.1X in GP

Group Policy (4): Configuring 802.1X in GP

- Select the Service Set Identifier (SSID) of your network. Clients will default to this SSID when presented with multiple SSIDs.
- Add a description (optional).
- Leave the other default settings unchanged.

Group Policy (5): Configuring 802.1X in GP

Group Policy (6): Configuring 802.1X in GP

1. Click the IEEE 802.1X tab.
2. Select the appropriate EAP type.
3. Click Settings.

Group Policy (7): Configuring 802.1X in GP

Select the EAP method's additional configuration.

Group Policy (7): Configuring 802.1X in GP

Recommendations:
- Always enable Validate server certificate (to make sure that the client authenticates the server).
- Always enable Fast Reconnect with PEAP.
- Optionally, supply the names of your IAS servers in the Connect to these servers field. This will prevent the clients from connecting to rogue servers. Make sure that you specify the fully qualified domain name (FQDN) of the server as it appears in the server certificate.

Starting in Windows® XP SP2, this field is a regular expression, so if you want to accept servers in the Microsoft.com domain you type: ^.*\.microsoft\.com$

These settings are also available on the client for individual client configuration.
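To show what the slide's anchored pattern does and does not admit, here is an added Python check (example code, not from the webcast) that runs the slide's pattern and a loosely written alternative over constructed server names; Python's re.search with case-insensitive matching stands in for the Windows supplicant's matcher, which is an assumption of the example.

```python
import re

# Pattern quoted on the slide for accepting IAS servers in the microsoft.com domain.
SLIDE_PATTERN = r"^.*\.microsoft\.com$"
# A loosely written alternative: no anchors and unescaped dots.
LOOSE_PATTERN = r"microsoft.com"

# Constructed server certificate names (not from the slide). Only the first
# three belong to the domain an administrator typing the slide pattern intends.
SAMPLE_NAMES = [
    "ias1.microsoft.com",
    "IAS2.corp.microsoft.com",
    "microsoft.com",
    "ias1.microsoft.com.example",
    "ias1.notmicrosoft.com",
    "ias1.microsoftXcom",
]


def intended(name: str) -> bool:
    """Ground truth for the audit: the name is the apex or lies under microsoft.com."""
    n = name.lower()
    return n == "microsoft.com" or n.endswith(".microsoft.com")


def name_matches(pattern: str, name: str) -> bool:
    """True if NAME satisfies PATTERN. re.search stands in for the supplicant's
    matcher (an assumption of this example); patterns bring their own ^ and $
    anchors, exactly as typed into the Connect to these servers field."""
    return re.search(pattern, name, re.IGNORECASE) is not None


def audit(pattern: str, names=SAMPLE_NAMES) -> dict:
    """Split NAMES into those the pattern accepts, those it accepts but should
    not (rogue-server exposure), and intended names it wrongly rejects."""
    accepted = [n for n in names if name_matches(pattern, n)]
    return {
        "accepted": accepted,
        "unsafe": [n for n in accepted if not intended(n)],
        "missed": [n for n in names if intended(n) and n not in accepted],
    }


if __name__ == "__main__":
    for label, pattern in (("slide", SLIDE_PATTERN), ("loose", LOOSE_PATTERN)):
        print(label, pattern, audit(pattern))
```

The anchored pattern rejects the bare apex name, so if an IAS certificate carries only the domain name the pattern has to be widened deliberately, not by dropping the anchors or the escaping.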

Server setup: Setting up the IAS server

- IAS is the Microsoft implementation of RADIUS. RADIUS is one of the most popular authentication protocols.
- IAS is included in Windows 2000 Server and Windows Server 2003. Add IAS by using Add/Remove Windows Components.

Server setup (2)

- There are some limitations in Standard Server IAS: 50 RADIUS clients and 2 server groups.
- Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition do not have these limitations.
- Windows XP and Windows Server 2003, Web Edition do not have IAS.
- Windows Small Business Server 2003, Standard Edition has the Standard Server IAS.
- IAS has been a component in Windows since Windows NT® 4.0.
- 802.1X network support is available only in Windows 2000 Server IAS and Windows Server 2003 family IAS.

Server setup: Authentication methods

IAS supports many authentication methods:

Extensible Authentication Protocol – Transport Layer Security (EAP-TLS)
- This is a robust and secure protocol, used with smart cards and certificates.
- EAP-TLS provides very high levels of security and leverages the use of Public Key Infrastructure (PKI) based on the widely accepted Secure Sockets Layer (SSL) technology.

Server setup: Authentication methods (2)

PEAP-EAP-MSCHAPv2
- Protected EAP (PEAP) is also a very secure authentication protocol. It has an internal protected authentication method that is flexible and easy to deploy, without the need for client-side certificates.

PEAP-EAP-TLS
- This authentication is the ultimate in security, providing a secured external channel for EAP-TLS to be negotiated.

Server setup: Advantages of EAP and PEAP

- The main advantage of EAP and PEAP is that the Access Point (AP) becomes a pass-through for the authentication, allowing the client to communicate directly with the server with little interference from the AP.
- EAP and PEAP allow mutual authentication of client and server, where the client validates the server certificate to ensure its validity and authenticity before connecting to the network.

Note: Mutual authentication is not done in all EAP methods.

Server setup: Advantages of EAP and PEAP (2)

- Combined with 802.1X, EAP and PEAP provide a great framework for exchanging encryption keys without resorting to static Wired Equivalent Privacy (WEP) keys for encryption.
- Keys are provided to the AP and the client after successful authentication.

Server setup: Server configuration

- Before IAS can be set up for EAP/PEAP, the infrastructure for this must be in place.
- Active Directory, DHCP, and Certificate Authority must all be in place before IAS. We will discuss the basic setup of Active Directory and Certificate Authority. DHCP and DNS are beyond the scope of this WebCast.

Server setup: Server configuration (2)

- Active Directory and Certificate Authority are optional only for PEAP-EAP-MSCHAPv2, but are highly recommended for centralized management.
- Active Directory is also mandatory in the case of computer authentication.
- IAS can be deployed with a public domain certificate that can be obtained from any public Certificate Authority.

Server setup: Server configuration (3)

Register IAS in Active Directory
- Log on to the IAS server as a domain administrator.
- Right-click the IAS root node, and then click Register IAS in Active Directory.
- This is a very important step. Without successfully registering IAS, the server may not be able to look up users or get proper certificates.

Server setup: Server configuration, add clients

- Make sure that the client is a member of the clients list.
- Confirm that the case-sensitive shared secret is correctly configured on IAS and on the Access Server (802.1X capable switch or Access Point).
- Select a strong secret that is more than 15 characters and contains both alphanumeric and special characters.

Server setup: Server configuration, add Remote Access Policy

- Add an appropriate Remote Access Policy (RAP) to the IAS server.
- You may use the wizard, or you can modify an existing policy.

Recommendation: Add Wireless IEEE802.11 and Wireless-Other to the NAS-Port-Type policy condition. You may also add this as a dial-in constraint in the Remote Access Policy profile (double-click the policy after you create it, and then click Edit profile to see the constraints).

Server setup: Server configuration, add RAP (2)

- You may use this setting with additional conditions and constraints, as long as they do not conflict.

Recommendation: When creating a policy, make it as restrictive as possible, to make sure that only authorized users are allowed access.

- Use Windows Groups membership, date and time restrictions, and similar items.

Server setup: Server configuration, add RAP (3)

Page 38: Setting up 802.1X networks by using Internet Authentication Service Sam Salhi Software Test Engineer Networking and Devices Microsoft Corporation.

38

Server setupServer setupServer configuration, add RAP Server configuration, add RAP (4)(4)

Condition versus constraint: If a condition is met, that policy is invoked.

The constraint is checked after the condition is met.

Use constraints to have better control over users connecting, even if they are authorized to connect.

Recommendation: Always make your constraints as restrictive as possible.


39

Server setup: Server configuration, add RAP (5)

Policy condition

Policy constraint


40

Server setup: Server configuration, authentication types

Selecting the authentication type. Recommendation: Make sure that no other authentication types are selected.


41

Server setup: Server configuration, authentication types (2)

Recommendation: Make sure that you select only one EAP type. You can have more, but try to be as restrictive as possible. As a general rule, have only ONE per policy.


42

Server setup: Server configuration, authentication types (3)

If your CA infrastructure is correctly configured, you will see a certificate issued to your computer. If no suitable certificate is found, authentication will not be successful.

Recommendation: Always enable fast reconnect if you are using PEAP. Fast reconnect improves performance without sacrificing security.


43

Server setup: Server configuration

Set up as many policies as required and make sure that they are as restrictive as possible.

There is no limitation on the number of policies on an IAS server.

Policies are evaluated sequentially. The first one that matches is used and the rest are ignored.
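The evaluation order described here (policies tried in sequence, first match wins) together with the condition-versus-constraint distinction from the earlier slide, modelled as an added Python example that is not part of the presentation; the policy names, Windows group names and request attributes are constructed for illustration.

```python
"""Model of IAS Remote Access Policy evaluation (added example, not Microsoft code).

Policies are tried in order; the first one whose conditions all match is used and
the rest are ignored. That policy's profile constraints are then checked, and a
failed constraint rejects the request instead of falling through to the next policy.
Policy names, group names and request attributes are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, object]      # RADIUS attributes plus resolved user information
Check = Callable[[Request], bool]

@dataclass
class Policy:
    name: str
    conditions: List[Check]                                  # all must match to invoke the policy
    constraints: List[Check] = field(default_factory=list)   # profile checks, run after a match
    grant: bool = True                                       # "Grant" vs "Deny" remote access

# NAS-Port-Type values the slides recommend as the wireless policy condition.
WIRELESS_PORT_TYPES = {"Wireless-IEEE 802.11", "Wireless-Other"}

def nas_port_is_wireless(req: Request) -> bool:
    return req.get("NAS-Port-Type") in WIRELESS_PORT_TYPES

def in_group(group: str) -> Check:                 # Windows group membership condition
    return lambda req: group in req.get("groups", ())

def only_eap_type(allowed: str) -> Check:          # one EAP type per policy, as recommended
    return lambda req: req.get("EAP-Type") == allowed

def within_hours(start: int, end: int) -> Check:   # day-and-time style restriction
    return lambda req: start <= int(req.get("hour", -1)) < end

def evaluate(policies: List[Policy], req: Request) -> str:
    """Return 'ACCEPT:<policy>', 'REJECT:<policy>' or 'REJECT:no-policy'."""
    for pol in policies:
        if not all(c(req) for c in pol.conditions):
            continue                              # conditions unmet: try the next policy
        if not pol.grant or not all(c(req) for c in pol.constraints):
            return f"REJECT:{pol.name}"           # first match is final: no fall-through
        return f"ACCEPT:{pol.name}"
    return "REJECT:no-policy"                     # nothing matched: access is denied

# Constructed policy set: a restrictive wireless policy first, a catch-all deny last.
POLICIES = [
    Policy("Wireless-Staff", [nas_port_is_wireless, in_group("WLAN-Users")],
           [only_eap_type("PEAP"), within_hours(7, 20)]),
    Policy("Deny-Everything-Else", [], grant=False),
]

def example_request(**overrides: object) -> Request:
    """A constructed wireless PEAP request at 09:00 from a WLAN-Users member."""
    req: Request = {"NAS-Port-Type": "Wireless-IEEE 802.11", "groups": ["WLAN-Users"],
                    "EAP-Type": "PEAP", "hour": 9}
    req.update(overrides)
    return req
```

A request that matches the wireless policy's conditions but fails one of its constraints (wrong EAP type, outside the allowed hours) is rejected by that policy; it is never re-evaluated against the policies that follow.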


44

Server setup: Server configuration, connection request processing

Next, you must set up connection request processing. By default, IAS authenticates on the local server (against Active Directory). You may proxy the authentication to a remote computer. Check the links at the end for setting up IAS proxy.


45

Troubleshooting

First step: Check the IAS server's event log

The event log will contain information for all authentications that take place. Make sure that you select both Rejected authentication requests and Successful authentication requests on the IAS server properties page.

Right-click the root node in the IAS Snap-In, and then click Properties to see this page.


46

Troubleshooting (2)


47

Troubleshooting: Trace logs

When troubleshooting, always enable tracing: NETSH RAS SET TRACING * ENABLED

When done troubleshooting, always disable tracing to eliminate additional overhead: NETSH RAS SET TRACING * DISABLED

Trace files are available under %windir%\Tracing (windir is the folder where Windows is installed).


48

Troubleshooting: Trace logs (2)

Trace files are generated on the client and on the server.

Traces to look for on the client are RASTLS and RASCHAP. These depend on the authentication method being used. Additionally, they will give a rough idea about what is going on during the authentication process.

Traces to look for on the IAS server are RASTLS, IASSAM, and possibly RASCHAP when using PEAP-EAP-MSCHAPv2. These will also give a rough idea about what is going on during the authentication.

An unexplainable error or a failure that is written in the logs might mean that there has been a problem.


49

Troubleshooting: Network Monitor

Install Network Monitor. Network Monitor will help you sniff the RADIUS traffic and understand what is going on.

When doing 802.1X, all EAP payloads (inside RADIUS) are encrypted.

Other RADIUS information might not be encrypted.

Network Monitor is included with Windows Server 2003. Use Add/Remove Windows Components (look under Management and Monitoring Tools) to add Network Monitor.
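As an added example that is not part of the presentation, a small Python decoder for a RADIUS Access-Request showing what a capture exposes: the header and attributes such as User-Name, NAS-IP-Address and NAS-Port-Type are readable, while the EAP-Message attributes carry only the EAP conversation, whose PEAP or EAP-TLS content travels inside a TLS tunnel. The packet bytes, user name, NAS address and authenticator are constructed here, not taken from a real capture.

```python
"""Decode the cleartext of a RADIUS Access-Request (added example, not from the
presentation). A sniffer reads the header and attributes such as User-Name,
NAS-IP-Address and NAS-Port-Type; the EAP-Message attributes carry the EAP exchange,
whose PEAP/EAP-TLS content is inside a TLS tunnel. All packet values are constructed.
"""
import struct
from typing import Dict, List, Tuple

ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 61: "NAS-Port-Type",
              79: "EAP-Message", 80: "Message-Authenticator"}
NAS_PORT_TYPES = {18: "Wireless-Other", 19: "Wireless-IEEE 802.11"}  # RFC 2865 values

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value   # type, length, value

def build_access_request(ident: int, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    authenticator = bytes(range(16))          # constructed; a real NAS uses random bytes
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body  # code 1

def parse(packet: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")   # truncated or overlapping TLV
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def describe(packet: bytes) -> Dict[str, object]:
    """Summarise the capture: readable attributes plus the size of the opaque EAP data."""
    code, ident, attrs = parse(packet)
    out: Dict[str, object] = {"code": code, "id": ident, "eap_bytes": 0}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == 79:                                   # EAP may span several attributes
            out["eap_bytes"] = int(out["eap_bytes"]) + len(v)
        elif t == 61:
            out[name] = NAS_PORT_TYPES.get(struct.unpack("!I", v)[0], "other")
        elif t == 4:
            out[name] = ".".join(str(b) for b in v)
        elif t == 1:
            out[name] = v.decode("ascii", errors="replace")
        else:
            out[name] = v.hex()
    return out

# Constructed sample: "CORP\alice" via NAS 10.0.0.5 on an 802.11 port; the EAP payload
# is an EAP-Response/Nak (code 2, id 1, length 6, type 3) proposing PEAP (type 25).
SAMPLE = build_access_request(7, [
    attr(1, b"CORP\\alice"), attr(4, bytes([10, 0, 0, 5])), attr(61, struct.pack("!I", 19)),
    attr(79, bytes.fromhex("020100060319")), attr(80, bytes(16))])
```

The user name and port type in the sample are readable to anyone who can see the RADIUS traffic, which is why the capture is useful for troubleshooting and also why the link between access point and IAS server deserves the same protection as the rest of the infrastructure.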


50

Troubleshooting: Things to check

Always check your connections: Make sure that you can ping the APs.

Make sure that the firewall is not blocking traffic.


51

Troubleshooting: Things to check (2)

Check that the IAS server has a valid certificate (a valid certificate will be requested on behalf of the computer if it has been added as a member of the RAS and IAS servers group).

If Register Server in Active Directory is unavailable and you still can't find the IAS server in the RAS and IAS servers group on the DC, you can add it manually. You can also specify an IAS server in the RAS and IAS servers certificate template; click the Security tab of the Certificate template.


52

Troubleshooting: Always update

Always install the latest patches and updates on your server and client. Frequently visit http://windowsupdate.microsoft.com or enable automatic update on your computers.


53

Troubleshooting: Ask the experts

Visit the RADIUS newsgroup and post questions there to obtain help from the community. Additionally, many members of the IAS development team monitor and respond to questions posted to the newsgroup: microsoft.public.internet.radius


54

Troubleshooting: If you have to contact Product Support Services

When you send a question to Product Support Services (PSS), provide:

Network Monitor captures

Trace logs from the client and the server to help PSS identify the problem

A configuration dump, using the command-line command: NETSH AAAA SHOW CONFIG > ConfigFile.TXT

A rough description of your network


55

Additional resources: IAS

General information: http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

Troubleshooting: http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_ias_tshoot_node.asp

Tracing: http://www.microsoft.com/technet/security/guidance/secmod192.mspx

Related RFCs: RFC 1994, RFC 2138, RFC 2284, RFC 2548, RFC 2619, RFC 2621, RFC 2759, RFC 2865, RFC 2866, RFC 2867, RFC 2868, RFC 2869, and RFC 2975

(Note that the URLs should be entered as one line; they are wrapped here for readability.)


56

Additional resources: WiFi

General information: http://www.microsoft.com/wifi/

Troubleshooting: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

(Note that the URL should be entered as one line; it is wrapped here for readability.)


57

Additional resources: VPN, Active Directory, and PKI

VPN: http://www.microsoft.com/vpn/

Active Directory: http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

PKI: http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx


58

Additional resources: Group Policy

Windows Server 2003: http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

TechNet Technical Resources for IT Pros: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx

Group Policy Management Console (GPMC): http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en


Thank you for joining us for today's event.

For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/.

We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the "Contact Us" page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.