Wireless

Windows 2008
Linksys WAP54g devices

Currently using WPA2. Should I do a win2k8 radius server with cert? Is it more secure? Advantages? How to setup?
RICHARDloireCommented:
WPA is encryption. RADIUS, 802.1x, etc. are for authentication. The major connection is that RADIUS authentication delivers a one-time, unique WPA encryption key for each session. In other words, you don't need a common company-wide WPA encryption key for the entire network which might leak out.

To help you configure it, read MS IAS RADIUS. This should point you in the right direction.

shankshankAuthor Commented:
Oh right. I guess the big question is, is there really any major benefits for setting this up? As the WPA2 manual entry of keys was no problem for me.
RICHARDloireCommented:
Besides security... To me, the benefit is that once set up, IAS can be used not only for wireless access but for user-level access if you have Cisco devices. Then you'll be able to manage them through group policies. So, no need to hand out passwords, phrases, etc. You just click and unclick as your organization's needs change.

If you are a growing organization it would be a good starting point to learn (wink, wink) as the impact won't be so high. That way when you do get big you'll be an expert ;)
RICHARDloireCommented:
OH, and you'll be able to manage VPN access if you have that as an option in your network.
shankshankAuthor Commented:
Richard, the VPN would be great.

Right now users do authenticate on our Cisco ASA via their domain credentials. The problem is that in order for it to work, we have to go into ADUC and check preauthentication of Kerberos.
shankshankAuthor Commented:
Also, that doc is for 2k3.
RICHARDloireCommented:
This should help: Network Policy Server
shankshankAuthor Commented:
Is there a doc available on implementing this for Cisco ASA and WAP and disallowing clients from connecting if, say, AV is not installed, etc.?
Can I just deploy the NPS with basic settings, change my WAP and ASA to point to a radius server and be set to go and fine tune later?

RICHARDloireCommented:
I'd recommend CISCO ASA-VPN-ASDM

Yes, you can always do the basic settings, then add on.
shankshankAuthor Commented:
Hello!

So I was able to get the VPN connected via nps thank you. How do I see what users are authenticating on the NPS? Just to ensure that it is working etc.
RICHARDloireCommented:
If you have the NPS MMC window open, on the left-hand side you should be able to see the active clients. You can also go into your logs and see it in action through the security logs.
shankshankAuthor Commented:
I have it open.
All I see is:
RADIUS Clients and Servers
Policies
Network Access Protection
Accounting
RICHARDloireCommented:
If you have logging enabled, you can go into Accounting, but be careful: if for some reason the system can't write to the file, it won't accept connections. The easiest way is to go into the Windows log. You'll see something like:
Network Policy Server granted access to a user.

User:
%tSecurity ID:%t%t%t%1
%tAccount Name:%t%t%t%2
%tAccount Domain:%t%t%t%3
%tFully Qualified Account Name:%t%4

Client Machine:
%tSecurity ID:%t%t%t%5
%tAccount Name:%t%t%t%6
%tFully Qualified Account Name:%t%7
%tOS-Version:%t%t%t%8
%tCalled Station Identifier:%t%t%9
%tCalling Station Identifier:%t%t%10

NAS:
%tNAS IPv4 Address:%t%t%11
%tNAS IPv6 Address:%t%t%12
%tNAS Identifier:%t%t%t%13
%tNAS Port-Type:%t%t%t%14
%tNAS Port:%t%t%t%15

RADIUS Client:
%tClient Friendly Name:%t%t%16
%tClient IP Address:%t%t%t%17

Authentication Details:
%tProxy Policy Name:%t%t%18
%tNetwork Policy Name:%t%t%19
%tAuthentication Provider:%t%t%20
%tAuthentication Server:%t%t%21
%tAuthentication Type:%t%t%22
%tEAP Type:%t%t%t%23
%tAccount Session Identifier:%t%t%24

Quarantine Information:
%tResult:%t%t%t%t%25
%tSession Identifier:%t%t%t%26

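The event template above is rendered by Windows into the Security log each time NPS grants (event ID 6272) or denies (event ID 6273) a request. The following script is an added example, not something from this thread or from Microsoft: it runs on the NPS server, pulls those two events for the last N hours with Get-WinEvent, and parses the labelled fields shown in the template (User / Account Name, NAS IPv4 Address, Client IP Address, Network Policy Name, Authentication Type) out of each rendered message with a regular expression, so you get a quick table of who authenticated from which RADIUS client under which policy, plus per-user grant/deny counts. It assumes PowerShell 2.0 or later with .NET 3.5 (needed for Get-WinEvent) in an elevated session on the NPS server, and that the "Network Policy Server" audit subcategory is enabled; if the script returns nothing, check that first with `auditpol /get /subcategory:"Network Policy Server"`. The regex labels are taken from the template; the parameter name and function name are my own.

```powershell
# Added example (not from the thread): summarise NPS authentication results
# from the Security log on the NPS server itself.
# Assumes: elevated PowerShell on the NPS box; NPS audit events 6272/6273
# present in the Security log (the "Network Policy Server" audit subcategory).
param(
    [int]$Hours = 24   # look-back window, my own parameter
)

$since = (Get-Date).AddHours(-$Hours)

# 6272 = "Network Policy Server granted access to a user."
# 6273 = "Network Policy Server denied access to a user."
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

# Extract one labelled value from the rendered message. $Section limits the
# search to one block of the template (e.g. "User:"), because "Account Name:"
# appears under both "User:" and "Client Machine:". Labels are the ones the
# event template shows; the lazy .*? stops at the first matching label.
function Get-Field {
    param([string]$Message, [string]$Section, [string]$Label)
    $pattern = "(?s)${Section}:.*?${Label}:\s*([^\r\n]*)"
    if ($Message -match $pattern) { return $Matches[1].Trim() }
    return ''
}

$rows = foreach ($e in $events) {
    $m = $e.Message
    if ($e.Id -eq 6272) { $result = 'GRANTED' } else { $result = 'DENIED' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Result   = $result
        User     = Get-Field $m 'User' 'Account Name'
        NasIP    = Get-Field $m 'NAS' 'NAS IPv4 Address'
        ClientIP = Get-Field $m 'RADIUS Client' 'Client IP Address'
        Policy   = Get-Field $m 'Authentication Details' 'Network Policy Name'
        AuthType = Get-Field $m 'Authentication Details' 'Authentication Type'
    }
}

# Most recent requests first: confirms the ASA / WAP are actually sending
# RADIUS requests to this NPS and which network policy matched.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Result, User, ClientIP, NasIP, Policy, AuthType -AutoSize

# Per-user grant/deny totals: an account with many DENIED and no GRANTED
# usually means a wrong policy condition or a password-guessing source.
$rows | Group-Object User, Result |
    Select-Object @{n = 'User, Result'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Save it as, for example, Get-NpsAuth.ps1 and run `.\Get-NpsAuth.ps1 -Hours 2` right after a VPN or wireless test logon; the first table should show the test account with the Client IP Address of the ASA or WAP and the policy you expect. Reading the rendered Message rather than the event's XML keeps the script tied to the labels you see in Event Viewer, at the cost of depending on the English event text.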
shankshankAuthor Commented:
Hmm, yeah, I am in Accounting.
I see that file logging is configured.
I can see data in that log,
but I can't see it nicely displayed in the MMC; I had to open the file manually.
shankshankAuthor Commented:
I'll create a new ticket. You helped well, thank you.
shankshankAuthor Commented:
excellent work