Programmatically answering MS IAS RADIUS server requests from WLAN - how?

Posted on 2011-10-08
Last Modified: 2013-11-05
Using IAS (Internet Authentication Service), I am setting up a RADIUS server that will authenticate WLAN clients.
My question is: Is my concept doable, and how exactly would I have to interface with IAS?

Concept of operation:
WLAN clients are going to connect to an Access Point that uses RADIUS towards a Windows Server machine (on its LAN). Hours or even days may pass between client connection requests.

The WLAN clients are not known in advance, and the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box (which I am going to pop up from a standalone EXE file made by me).
If a client was accepted once earlier, it is allowed to connect without this manual confirmation.
Once accepted, the WLAN client may connect, and an AES-encrypted WLAN connection is started.

Type of Windows Server and IAS: Suggest the best one (we'll prefer the newest version).

So, my idea of implementation is as follows:
1. To configure IAS to somehow notify my EXE file each time a RADIUS client wants to connect.
2. My EXE file will present a dialog box to the user
3. Minutes / hours may pass if the user does not pay attention or does not want to decide.
4. If the user presses 'Yes', my EXE must notify IAS that the client may be accepted.
5. If the user presses 'No', my EXE should probably also notify IAS.

So my exact question is:
How would I go about making those notifications towards the IAS server?

I can write a standalone executable, or a Windows Service.

Question by: tedz

    Expert Comment

    What's the criterion saying a client is allowed, rejected to connect to your WLAN ?

    I don't understand your sentence: "the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box"

    Do you mean there will be a guy in front of the radius server that will manually accept/reject a client ?
    On which criterion? You'll only receive a MAC address/IP address/maybe a username, depending on your authentication method.

    Please give more information, the "manually" thing has to be explained.

    Usually a RADIUS server has criteria to filter the client request by itself (password / certificate / filter on MAC address / username ...) or using a third-party database (Active Directory, LDAP, SQL, flat files), without the need of an extra application.

    Author Comment

    I actually mean that a person needs to click Yes or No in a dialog box to accept/reject a client.

    When the WLAN client contacts the RADIUS server it also transfers its MAC address and its SSID to the RADIUS server. The operator (the physical person) will use the SSID and visual contact in order to determine if he/she should accept or not. I will for example present the SSID in the dialog box, or whatever ID the WLAN client is presenting.

    So my application will therefore act like an 'addon' for the RADIUS server providing a dialog box.
    And my application must communicate with the RADIUS server.

    You mention flat files. That will be an excellent and easy interface for me to implement.

    So my question is how to set up IAS to use this or another convenient method.
    I have absolutely no experience with IAS and need hints to get started - if this concept is possible.

    Hope that clarified.

    Expert Comment

    Interesting, never heard about a physical person acting as a RADIUS server on visual contact ...

    1- I think it's a lot of work for an already known result: the operator will click on Yes each time, as every single wireless-enabled device will try to connect to your hotspot ... It can be a lot of requests ... RADIUS servers are made for that if the design is correct.

    2- I have doubts that the RADIUS protocol is made for such use, as you would add a user delay that may lead to a protocol timeout ...
    I have no answer to your question, but doubts about the design.

    It seems that we are speaking about guest users.
    Usually, depending on the number of users and the security you want to add, you can:
    - let them use wireless without authentication
    - No authentication but a web portal with legal conditions to be accepted
    - have a single PSK (small networks)
    - or provision (automatically or manually) temporary login/password that a user will have to enter on a web portal, and that will be deleted after a certain amount of time.

    The functionality will be nearly the same as your current concept: instead of manually accepting the request, the operator simply gives a PSK or login/password to the guest who needs an internet connection.

    Speaking about AES, in case of a web portal with a login/password form, that's usually open wireless networks, because you authenticate user only once the wireless connection is fully established.

    Author Comment

    I think I must explain more about the usage so that you understand that my concept is necessary.
    Any other concept is not an option.

    In fact, I have already implemented this exact solution using another RADIUS server, only that we want to switch to IAS.

    The WLAN clients are industry installations (client modules, CM)
    The WLAN Access Points (AP) are vessels.
    The RADIUS server is a machine on the same LAN as the AP onboard the vessel.

    When a vessel approaches an industry installation, the CM operator may want to connect to the vessel in order to transfer data. The operator gives a command to connect the CM to the AP.

    The CM/AP will then issue a RADIUS request.
    The RADIUS server will now consult my application if it is allowed or not by telling me the SSID and MAC.
    My application will now handle the authentication.
    In case of unknown SSID or previous rejection, my app returns negative and the RADIUS server will return negative and the connection is not made.
    The CM will continue to issue RADIUS requests for a few minutes (at intervals of a few seconds) to let the user decide.
    In case of acceptance, my app returns positive and the RADIUS server will immediately allow and the AES connection is established.

    So, that means the RADIUS server will continue to reject until my application gives acceptance - which only occurs after the user has pressed 'Yes' on his dialog.

    I hope you now understand the concept.

    So the question is basically if IAS is usable for such a scheme and how it is configured.
    My application has to receive an event immediately when a RADIUS request is made containing SSID and MAC.
    My application then responds either Yes or No

    Accepted Solution

    Hmmm, big delay in the response.
    Your design is very customized and would need a customizable RADIUS server as well.

    I'm not an IAS expert, and I don't know what your previous RADIUS server was, but I guess IAS would be too "black-boxed". I would suggest having a look at FreeRADIUS; you may be able to script everything you need ...
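    As an added example (not code from the question or from the expert's answer), here is what the "flat file" interface the author asked for earlier, combined with the scripting route suggested above, could look like as a decision script that a RADIUS server calls on every Access-Request. The FreeRADIUS-specific parts are assumptions, not something the thread confirms: it is modelled on the rlm_exec convention of passing request attributes as environment variables (Calling-Station-Id as CALLING_STATION_ID, Called-Station-Id as CALLED_STATION_ID) and reporting the verdict through the exit status (0 for "ok", 1 for "reject"); the file paths, file format and the "<AP MAC>:<SSID>" layout of Called-Station-Id are likewise assumed. The point it demonstrates is the one the author's concept depends on: the script never waits for the operator. An unknown client is rejected immediately and queued for the dialog box, and the client's own retries every few seconds pick up the operator's decision once it exists, so the RADIUS exchange stays inside the protocol's timeouts.

```python
"""Human-in-the-loop RADIUS policy helper (example, not a FreeRADIUS module).

Assumed calling convention (rlm_exec-style, verify against your server):
  - request attributes arrive as environment variables
    CALLING_STATION_ID (client MAC) and CALLED_STATION_ID ("<AP MAC>:<SSID>")
  - exit status 0 means "ok"/accept, 1 means "reject"
State is kept in two flat files (hypothetical paths):
  - DECISIONS_FILE: one "<mac>\\t<ssid>\\t<accept|reject>" line per client,
    owned and written by the operator's Yes/No dialog application
  - PENDING_FILE:   requests still waiting for the operator, appended here
"""
import os
import re
import sys

DECISIONS_FILE = os.environ.get("WLAN_DECISIONS_FILE", "/var/lib/wlan-gate/decisions.tsv")
PENDING_FILE = os.environ.get("WLAN_PENDING_FILE", "/var/lib/wlan-gate/pending.tsv")

# "<AP MAC>:<SSID>" with the MAC in 00-11-22-33-44-55 or 00:11:22:33:44:55 form
_CALLED_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(.*))?$")


def normalize_mac(raw):
    """Canonicalise the usual Calling-Station-Id spellings (00-11-22-33-44-55,
    0011.2233.4455, 00:11:22:33:44:55) to 'aa:bb:cc:dd:ee:ff'.
    Returns None for anything that is not exactly 12 hex digits plus separators,
    so callers fail closed instead of keying the policy on a garbage value."""
    digits = re.sub(r"[-:.]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_called_station(raw):
    """Split Called-Station-Id into (ap_mac, ssid); ssid is '' when absent.
    The '<AP MAC>:<SSID>' layout is an assumption about the access point."""
    m = _CALLED_RE.match(raw or "")
    if not m:
        return None, ""
    return normalize_mac(m.group(1)), m.group(2) or ""


def parse_decisions(text):
    """Parse the operator's decisions file. Lines: mac<TAB>ssid<TAB>verdict.
    Blank lines and '#' comments are skipped; malformed lines are ignored
    rather than trusted."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3 or parts[2] not in ("accept", "reject"):
            continue
        mac = normalize_mac(parts[0])
        if mac is None:
            continue
        table[(mac, parts[1])] = parts[2]
    return table


def decide(calling_station_id, called_station_id, decisions):
    """Return (verdict, pending_entry). verdict is 'accept' or 'reject';
    pending_entry is the (mac, ssid) pair to show the operator when no
    decision exists yet, otherwise None. Only an explicit 'accept' opens the
    door: unknown, previously rejected and malformed clients are all rejected
    right away, so the RADIUS request never blocks on a human."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject", None          # fail closed; nothing sensible to show
    _, ssid = split_called_station(called_station_id)
    verdict = decisions.get((mac, ssid))
    if verdict == "accept":
        return "accept", None
    if verdict == "reject":
        return "reject", None
    return "reject", (mac, ssid)       # unknown: queue for the dialog box


def append_pending(path, entry):
    """Record a request awaiting the operator's Yes/No, deduplicated so the
    client's retries every few seconds do not flood the queue."""
    line = "%s\t%s\n" % entry
    try:
        with open(path) as f:
            if line in f:
                return False
    except FileNotFoundError:
        pass
    with open(path, "a") as f:
        f.write(line)
    return True


def load_decisions(path):
    try:
        with open(path) as f:
            return parse_decisions(f.read())
    except FileNotFoundError:
        return {}                       # no decisions yet: everything is rejected


def main():
    decisions = load_decisions(DECISIONS_FILE)
    verdict, pending = decide(os.environ.get("CALLING_STATION_ID", ""),
                              os.environ.get("CALLED_STATION_ID", ""), decisions)
    if pending is not None:
        append_pending(PENDING_FILE, pending)
    sys.exit(0 if verdict == "accept" else 1)   # assumed rlm_exec mapping


if __name__ == "__main__":
    main()
```

    Two practical notes on this design. The decisions file is the whole authorization policy, so it must be writable only by the account running the operator's dialog application; anyone who can append a line to it admits a client. And because the server only sees a MAC address and an SSID before the connection exists, this scheme identifies clients rather than authenticates them; the operator's visual confirmation of the installation is doing the real authentication, which is why an explicit per-client "accept" line, and not the absence of a "reject", is what the script requires.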

    Author Closing Comment

    Thanks for your assessment.

    It's actually very good to know it would be difficult - it saves me a lot of time trying to develop such a solution.
