Configuring the Authenticator

Setting up an AP to serve as an authenticator is perhaps the easiest step in the 802.1x process. Since the AP acts as a mere middleman in the 802.1x negotiation process, there is very little information that needs to be configured. In our example, we will be configuring a Cisco 350 AP.

From the Home menu, select Setup (Figure 10.27).

Figure 10.27. Setup menu.


From the Setup menu, select Security. (The Security link is located under Services.)

From the Security screen (Figure 10.28), select Authentication Server (Figure 10.29). Here, you need to configure the settings for the IAS server that you just finished setting up. For Server Name/IP, enter the IP address for your IAS server. Leave the Server Type (RADIUS) and Port (1812) at their defaults. Also, use Draft 10 (or higher) for the 802.1x protocol version and under Use server for, select the checkbox for EAP Authentication. Enter the shared secret you configured for your IAS server. Click OK and you will be returned to the Security Setup screen.

Figure 10.28. Security setup.


Figure 10.29. Authentication configuration.


From the Security Setup screen, select Radio Data Encryption (WEP) and set up a WEP key. If this is your first time setting a WEP key, here's what you need to do. Under WEP Key 1 (Figure 10.30), enter a 26-digit hex key and set the Key Size to 128-bit. Click OK. You will be sent back to the Security Setup screen.

This just sets the WEP key, but does not yet enable it. To enable the WEP key, click Radio Data Encryption (WEP) and look for the setting labeled Use of Data Encryption by Stations is, which is set to No Encryption. Change the drop-down box to Full Encryption. Also, select the check boxes under the Open column for Accept Authentication Type and Require EAP. Click OK.

Figure 10.30. AP radio data encryption.


Note that at this point, you will need to reconfigure your client for WEP and EAP.

Setting Up the Supplicant

802.1x support is built in to Windows XP. In January 2003, Microsoft released a patch for Windows 2000 to support 802.1x as a supplicant. You can download it at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp. This patch requires Service Pack 3.

If you are running the Windows 2000 patch, note that the update ships in a disabled state. To enable 802.1x services, right-click on My Computer, and click Manage. This will launch the Computer Management snap-in (Figure 10.31). Double-click Services and Applications, then double-click Services. Here you will find a list of all the services on your computer.

Figure 10.31. Computer management snap-in.


Look for a service called Wireless Configuration. Double-click on it and set the Startup type to Automatic and then click Start to start the service. Click OK to continue (Figure 10.32).

Figure 10.32. Wireless configuration properties.


Now that the 802.1x service is started, we can configure 802.1x settings for our wireless connection. Click Start | Settings | Control Panel to open the Control Panel and then double-click on Network and Dial-Up Connections. Right-click on your wireless adapter and select Properties. Switch to the Authentication tab. To enable 802.1x, select Enable network access control using IEEE 802.1x. (By default, this option is enabled.) In the EAP type drop-down menu, you can select your EAP type. You will have a choice between two options: Smart Card or other Certificate, and PEAP. If you are using client and server certificates (i.e., EAP-TLS), you will want to select Smart Card or other Certificate. If you wish to use Windows usernames and passwords for authentication, choose PEAP, as shown in Figure 10.33.

Figure 10.33. Authentication tab.


All Systems Go

When you are finished configuring all of your 802.1x components, it's time to associate with the AP and authenticate. If you run into problems, here are a few troubleshooting hints. On your IAS server, check out the Event Viewer and look through the log files (particularly the system log). Also, in the Authentication tab for your WLAN interface (where you selected your EAP type), be sure to check out the Properties button. If you are using PEAP, check out the Configure button next to Select Authentication Method, which defaults to Secured password (EAP-MSCHAP v2). Here, you will find an option called Automatically use my Windows logon name and password (and domain if any). When you deselect this option, you will be prompted for a username/password/domain when you try to authenticate.

Keep in mind that at the time of this writing, PEAP support in IAS was not available for Windows 2000 Server. However, IAS for Windows 2000 Server does support EAP-TLS. Windows 2003 Server, on the other hand, supports both EAP-TLS and PEAP. Other RADIUS servers, such as Cisco's Access Control Server (ACS), support EAP-PEAP by default.
