Programatically answering MS IAS RADIUS server requests from WLAN - how?

Using IAS (Internet Authentication Service), I am setting up a RADIUS server that will authenticate WLAN clients.
My question is: Is my concept doable, and how would I have to interface IAS exactly.

Concept of operation:
WLAN clients are going to connect to an Access Point that uses RADIUS towards a Windows Server machine (on its LAN). Between each client connection request - it may pass hours or even days.

The WLAN clients are not known in advance, and the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box (which I am going to pop up from a standalone EXE file made by me).
If a client was accepted once earlier, it is allowed to connect without this manual confirmation.
Once accepted, the WLAN client may connect, and a AES encrypted WLAN connection is started.

Type of Windows Server and IAS: Suggest the best one (we'll prefer the newest version).

So, my idea of implementation is as follows:
1. To configure IAS to somehow notify my EXE file each time a RADIUS client wants to connect.
2. My EXE file will present a dialog box to the user
3. Minutes / hours may pass if the user does not pay attention or does not want to decide.
4. If user presses 'Yes', my EXE must notify IAS that the client may accept.
5. If user presses 'No', should probably also notify IAS

So my exact question is:
How would I go about to make those notifications towards the IAS server?

I can write a standalone executable, or a Windows Service.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What's the criterion saying a client is allowed, rejected to connect to your WLAN ?

I don't understand your sentence: "the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box"

Do you mean there will be a guy in front of the radius server that will manually accept/reject a client ?
On which criterion ? you'll only receive a mac adress/ip address/maybe username depending your authentication method.

Please give more information, the "manually" thing has to be explained.

Usually a radius server has criterion to filter the client request by its own (password / certificate / filter on mac address / username ...) or using a third database (Active Directory, LDAP, SQL, flat files), without the need of an extra application.
tedzAuthor Commented:
I actually mean that a person need to click Yes or No in a dialog box to accept/reject a client.

When the WLAN client contacts the RADIUS server it also transfers its MAC address and its SSID to the RADIUS server.  The operator (the physical person) will use the SSID and visual contact in order to  determine if he/she should accept or not. I will for example present the SSID in the dialog box, or whatever ID the WLAN client is presenting.

So my application will therefore act like an 'addon' for the RADIUS server providing a dialog box.
And my application must communicate with the RADIUS server.

You mention flat files. That will be an excellent and easy interface for me to implement.

So my question is how to set up IAS to use this or another convenient method.
I have absolutely no experience with IAS and need hints to get started - if this concept is possible.

Hope that clarified.
Interesting, never heard about a physical person acting as a RADIUS server on visual contact ...

1- I think it's a lot of work for an already known result: The operator will click on yes each time, as every single device that is wireless enabled will try to connect to your hotspot ... It can be a lot of requests ... Radius servers are made for that if the design is correct.

2- I've doubts that the RADIUS protocol is made for such utilization as you would add some user delay that may lead to protocol timeout ...
I've no answer for your question, but doubts about the design.

It seems that we are speaking about guest users.
Usually, depending the number of users and the security you want to add, you can:
- let them use wireless without authentication
- No authentication but a web portal with legal conditions to be accepted
- have a single PSK (small networks)
- or provision (automatically or manually) temporary login/password that a user will have to enter on a web portal, and that will be deleted after a certain amount of time.

The functionnality will nearly be the same as your actual concept: instead of accepting manually the request, the operator simply give a PSK or login/password to the guest that need an internet connection.

Speaking about AES, in case of a web portal with a login/password form, that's usually open wireless networks, because you authenticate user only once the wireless connection is fully established.
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

tedzAuthor Commented:
I think I must inform more about the usage so that you understand that my concept is necessary.
Any other concept is not an option.

In fact, I have already implemented this exact solution using another RADIUS server, only that we want to switch to IAS.

The WLAN clients are industry installations (client modules, CM)
The WLAN Access Points (AP) are vessels.
The RADIUS server is a machine on the same LAN as the AP onboard the vessel.

When a vessel approaches an industry installation, the CM operator may want to connect to the vessel in order to transfer data. The operator gives a command to connect the CM to the AP.

The CM/AP will then issue a RADIUS request.
The RADIUS server will now consult my application if it is allowed or not by telling me the SSID and MAC.
My application will now handle the authentication.
In case of unknown SSID or previous rejection, my app returns negative and the RADIUS server will return negative and the connection is not made.
The CM will continue to issue RADIUS request a few minutes (with a few seconds interval) to let the user decide.
In case of acceptance, my app returns positive and the RADIUS server will immediately allow and the AES connection is established.

So, that means the RADIUS server will continue to reject until my application gives acceptance - which only occurs after the user has pressed 'Yes' on his dialog.

I hope you now understand the concept.

So the question is basically if IAS is usable for such a scheme and how it is configured.
My application has to receive an event immediately when a RADIUS request is made containing SSID and MAC.
My application then responds either Yes or No
Hmmm big delay in the response.
Your design is very customed and would need a customizable radius server as well.

I'm not an IAS expert, and I don't know what was your previous RADIUS server, but I guess IAS would be to "black-boxed", I would suggest to have an eye to freeRadius, you may be able to script everything you need ...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tedzAuthor Commented:
Thank's for your assessment.

It's actually very good to know it would be difficult - it saves me a lot of time trying to develop such a solution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.