Extreme Networks Summit WM Technical Reference Manual page 39

Version 5.1
CAs, this method does not work for third-party CAs. The recommended method of importing
certificates is to use the Certificates snap-in. For information about how to install a VeriSign, Inc.
certificate for PEAP-MS-CHAP v2 authentication, see Obtaining and Installing a VeriSign WLAN
Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication.
3 Install IAS as an optional networking component.
4 If you are using Windows 2000 IAS, install Windows 2000 SP4.
5 The primary IAS server computer must be able to access account properties in the appropriate
domains. If IAS is being installed on a domain controller, no additional configuration is required in
order for IAS to access account properties in the domain of the domain controller. If IAS is not
installed on a domain controller, you must configure the primary IAS server computer to read the
properties of user accounts in the domain. For more information, see the "Enable the IAS server to
read user accounts in Active Directory" procedure in this section. If the IAS server authenticates and
authorizes wireless connection attempts for user accounts in other domains, verify that the other
domains have a two-way trust with the domain in which the IAS server computer is a member.
Next, configure the IAS server computer to read the properties of user accounts in other domains.
For more information, see the "Enable the IAS server to read user objects in Active Directory"
procedure in this section. If there are accounts in other domains, and those domains do not have a
two-way trust with the domain in which the IAS server computer is a member, you must configure a
RADIUS proxy between the two untrusted domains. If there are accounts in other Active Directory
forests, you must configure a RADIUS proxy between the forests. For more information, see "Cross-
Forest Authentication" in this article.
6 If you want to store authentication and accounting information for connection analysis and security
investigation purposes, enable logging for accounting and authentication events. Windows 2000 IAS
can log information to a local file. Windows Server 2003 IAS can log information to a local file and to
a Structured Query Language (SQL) server database. For more information, see the topic titled
"Configure log file properties" in Windows 2000 Help and the topic titled "Configure logging for
user authentication and accounting" in Windows Server 2003 Help and Support.
7 If needed, configure additional UDP ports for authentication and accounting messages that are sent
by RADIUS clients (the wireless APs). For more information, see the "Configure IAS port
information" procedure in this section. By default, IAS uses UDP ports 1812 and 1645 for
authentication messages and UDP ports 1813 and 1646 for accounting messages.
8 Add the wireless APs as RADIUS clients of the IAS server. For more information, see the "Add
RADIUS clients" procedure in this section. Verify that you are configuring the correct name or IP
address and shared secret for each wireless AP. Use a different shared secret for each wireless AP.
Each shared secret should be a random sequence of upper and lowercase letters, numbers, and
punctuation that is at least 22 characters long. To ensure randomness, use a random character
generation program to create shared secrets to configure on the IAS server and the wireless AP. To
ensure the maximum security for RADIUS messages, it is recommended that you use Internet
Protocol security (IPsec) Encapsulating Security Payload (ESP) with certificate authentication to
provide data confidentiality, data integrity, and data origin authentication for RADIUS traffic sent
between the IAS servers and the wireless APs. Windows 2000 and Windows Server 2003 support
IPsec. IPsec must also be supported by the wireless APs.
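Step 8 asks for a distinct, random shared secret per wireless AP, at least 22 characters long and drawn from upper- and lowercase letters, digits and punctuation, produced by a random character generation program. The following is an added example of such a generator and a companion check, written for this edit and not part of the Summit WM manual or of IAS; the AP names and the weak secret in the usage section are constructed sample values.

```python
import secrets
import string

# Character classes the manual's guidance calls for (added example, not manual code).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PUNCT = string.punctuation
ALPHABET = UPPER + LOWER + DIGITS + PUNCT
MIN_LENGTH = 22  # minimum shared-secret length recommended in the manual


def generate_shared_secret(length: int = 32) -> str:
    """Return a random RADIUS shared secret from the OS CSPRNG (secrets module).

    One character from each class is guaranteed, the remaining positions are
    filled from the full alphabet, and the result is shuffled so the mandatory
    characters do not sit at predictable positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}, got {length}")
    chars = [secrets.choice(cls) for cls in (UPPER, LOWER, DIGITS, PUNCT)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_shared_secret(secret: str) -> list:
    """Return the reasons a candidate secret fails the guidance (empty list if it passes)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in UPPER for c in secret):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in secret):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in secret):
        problems.append("no digit")
    if not any(c in PUNCT for c in secret):
        problems.append("no punctuation")
    if any(c not in ALPHABET for c in secret):
        problems.append("contains characters outside the allowed set")
    return problems


def assign_secrets(ap_names) -> dict:
    """Give every wireless AP its own secret; the manual requires one per AP, never shared."""
    secrets_by_ap = {}
    issued = set()
    for name in ap_names:
        candidate = generate_shared_secret()
        while candidate in issued:  # practically never loops, but guarantees distinctness
            candidate = generate_shared_secret()
        issued.add(candidate)
        secrets_by_ap[name] = candidate
    return secrets_by_ap


if __name__ == "__main__":
    # Constructed sample AP names; real deployments would use the AP inventory.
    table = assign_secrets(["ap-lobby", "ap-floor2", "ap-warehouse"])
    for ap, value in table.items():
        print(f"{ap}: {value}  (checks: {check_shared_secret(value) or 'ok'})")
    # A constructed weak secret, to show what the check rejects.
    print("weak 'password':", check_shared_secret("password"))
```

The generated value is what you type into both the IAS RADIUS client entry and the AP's RADIUS configuration; the check function is useful when auditing secrets that were chosen by hand rather than generated.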
Enable the IAS server to read user accounts in Active Directory
To register the IAS server in the default domain using Internet Authentication Service:
1 Log on to the IAS server with an account that has domain administrator permissions.
2 Open the Internet Authentication Service snap-in.