08-07-2006, 09:51 AM
#1 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 295
Should I upgrade from WEP to ....
Hi all, a bit of advice please.
I'm thinking of upgrading the wireless from WEP to possibly WPA (and I'm not too sure what it is other than a setup which allows users to connect using their domain login details, is this right???)
The main reason is that at my place of work we have a few Windows servers and many desktops and probably around 30 wireless laptops.
The issue we have is when we have to change WEP passwords; this of course currently means I have to go round to each laptop to change the WEP, and it isn't a quick job.
So can WPA be set up through Windows Server 2003 so laptop users have to use their login details??
All I'm thinking is, if this is the case, would users be able to log in out of hours?
Any other info would be great.
08-07-2006, 09:52 AM
#2 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 330
Yes you can set up wireless like this; it works very well but is a little complex to initially configure.
For starters, you need to be running in a Windows domain environment. You also need to set up a PKI if you haven't already so you can issue certificates to the laptops.
Lastly you need to configure Windows Internet Authentication Service (IAS) to authorise clients with Active Directory. The access point needs to be set up as a RADIUS client to the IAS server.
The exact procedure takes a few hours to get set up, but when it goes your laptops will automatically connect to the network using the credentials of the currently logged on user and a certificate installed on the computer, without any prompting to the user.
If you haven't already done so, I'd suggest reading up on some of these areas before proceeding. The effectiveness of the security of a PKI depends very much on how it is set up.
If you have any questions about any stages of getting set up I'll be happy to help.
08-07-2006, 09:52 AM
#3 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 380
Thanks for the advice, can you suggest any good books or manuals?
Yes, I currently work at a school and we have a domain environment.
What is this PKI?
I've read a little about the IAS through Active Directory, which seems fairly simple.
Sounds like I'll have to action this, it sounds way better than WEP. Quick question: with WPA set up, will a laptop user be able to log in? Because if they have a new laptop where their profile hasn't been downloaded to it, how will the laptop obtain an IP etc. if it's not connected, if that makes sense, or will the laptop sit ready etc.?
Sorry, it's been a long day today.
08-07-2006, 09:52 AM
#4 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 295
Another, simpler option if you use Windows Server 2003 is to configure the WEP key as a Group Policy Object. Although I don't trust WEP as far as I can throw it, so setting up WPA is highly recommended.
If you find WPA too complex there is the option of WPA-PSK; although not as robust as WPA, it is still more secure than WEP. I'd still recommend going down the full WPA path if you have the infrastructure in place to run it.
08-07-2006, 09:52 AM
#5 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 330
The IAS side of it really is pretty easy. Just add the access point to the RADIUS client list with a suitable secret or key, and create an access rule to suit which users, when and what type of clients are allowed to connect. You also want to make sure each user has dial-in permissions set to 'Control through Remote Access Policy'.
A PKI (Public Key Infrastructure) issues and controls certificates for use on your network. This is quite a complex subject and involves far too much to possibly discuss in detail here. Microsoft have some useful articles; this is where I started when first deploying them.
The drawback to this (IIRC WEP is the same anyway?) is that the network connection does not become active until after the user has logged in, although I have yet to see any issues arise from this.
If anything I'd recommend giving it a go with a trial access point and see how well it suits your needs. If it works, the infrastructure will be in place by that stage anyway and you can deploy it with very little effort from that point.
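What the "secret or key" entered for the access point in the RADIUS client list is used for, as an added example that is not part of the original post and is not IAS code: for requests carrying EAP, the Message-Authenticator attribute (RFC 3579) is an HMAC-MD5 over the packet keyed with that shared secret, so a request signed with a different secret fails verification. The function names and the sample EAP bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # packet code, RFC 2865
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579
SAMPLE_EAP = b"\x02\x01\x00\x0a\x01alice"  # constructed EAP-Response/Identity


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, user, eap):
    """Access point side: build an Access-Request and sign it with the secret."""
    attrs = (attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    unsigned = header + os.urandom(16) + attrs  # 16 random bytes: Request Authenticator
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # Message-Authenticator value is the last 16 bytes


def verify_access_request(secret, packet):
    """Server side: recompute the HMAC using the secret stored for this client."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos, received, zeroed = 20, None, bytearray(packet)
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == ATTR_MESSAGE_AUTHENTICATOR:
            if a_len != 18 or received is not None:
                return False
            received = bytes(packet[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if received is None or pos != length:
        return False  # a request carrying EAP must include the attribute
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

A secret that differs by even one character between the access point and the server makes every request fail this check, which is why a mistyped secret shows up as clients that never authenticate.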
08-07-2006, 09:53 AM
#6 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 380
OK, I'm convinced, next week if I get time. Thanks again and I'm sure I'll have questions along the way.
08-07-2006, 09:53 AM
#7 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 295
OK, here goes nothing!! But what would help is if you could list bullet points of the stages. (Does anyone know a step-by-step guide on the net anywhere????)
With this PKI, as I didn't set up the servers, would they most probably be set up if the 800 users have their own user name and password?
08-07-2006, 09:53 AM
#8 (permalink)
Senior Member
Join Date: Aug 2006
Posts: 330