Active Directory; Radius - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Active Directory

When configuring Active Directory for wireless access, use the following best practices:

If you have a native-mode domain and are using a group-based wireless remote access policy, use universal groups and global groups to organize your wireless accounts into a single group. Additionally, set the remote access permission on computer and user accounts to Control access through Remote Access Policy, so that the access decision is made centrally by the policy rather than account by account.

If you are using a Windows 2000 enterprise CA as an issuing CA, use the Computer Configuration Automatic Certificate Request Settings Group Policy setting to automatically issue computer certificates to all domain members. Ensure that all appropriate domain system containers are configured for automatic enrollment of computer certificates, either through inheritance of the Group Policy settings of a parent system container or through explicit configuration.

RADIUS

When deploying your RADIUS infrastructure for wireless access, use the following best practices:

If supported by your wireless APs, use Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) to provide data confidentiality for RADIUS traffic between the wireless AP and the IAS servers (IAS, Internet Authentication Service, is the RADIUS server shipped with Windows Server 2003) and between IAS servers. Use 3DES encryption and, if possible, certificates for Internet Key Exchange (IKE) main mode authentication. 3DES is the strongest cipher this guidance assumes; where AES is available, prefer it, since 3DES is deprecated and its 64-bit block size is a known weakness on long-lived tunnels. IPsec settings for RADIUS traffic sent between IAS servers can be configured using Group Policy and assigned at the Active Directory system container level. For more information about IPsec, see the Windows Server 2003 IPsec Web site (http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx).

To provide the maximum security for unprotected RADIUS traffic, choose RADIUS shared secrets that are random sequences of upper and lowercase letters, numbers, and punctuation at least 22 keyboard characters long. If possible, use a random character generation program to determine the shared secrets to configure on the IAS server and the wireless AP. The shared secret is the only key behind the Response Authenticator and the hidden User-Password attribute, so a short or guessable secret can be recovered offline from a single captured request/response pair.
Use as many different RADIUS shared secrets as possible. The actual number depends on configuration constraints and management considerations. For example, IAS allows the configuration of RADIUS shared secrets on a per-client or per-server basis. However, many wireless APs allow only a single RADIUS shared secret for both the primary and the secondary RADIUS server; in that case one shared secret covers two different RADIUS client/server pairs: the wireless AP with its primary RADIUS server and the wireless AP with its secondary RADIUS server. Additionally, if you use the netsh aaaa show config and netsh exec commands to copy the configuration of one IAS server (the primary) to another (the secondary), the RADIUS shared secret for each wireless AP/primary IAS server pair must be the same as the RADIUS shared secret for the corresponding wireless AP/secondary IAS server pair. Because the Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition versions of IAS allow you to configure a range of IP addresses as a single RADIUS client (for example, all the wireless APs on a single subnet in a single building), all the wireless AP/IAS server pairs defined by that IAS RADIUS client share the same RADIUS shared secret. Every pair that shares a secret also shares the consequences of its compromise: one AP whose configuration can be read exposes every other AP in the range.
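As an added illustration, not code from the Summit WM guide or from Microsoft's IAS, the following Python implements the two RFC 2865 operations that the shared secret protects, User-Password hiding and the Response Authenticator, and runs an offline dictionary attack against a constructed captured Access-Accept. The fixed Request Authenticator, the Reply-Message attribute, the wordlist and both secrets are constructed for the example. It shows why the two paragraphs above insist on long random secrets and on not sharing one secret across many AP/server pairs: a secret that appears in any wordlist is confirmed from a single captured exchange, with no further traffic to the server, and a generated 22-character secret is not.

```python
import hashlib
import secrets
import string
import struct

# Constructed sample Request Authenticator. A real AP picks 16 random bytes per
# Access-Request; it is fixed here so the example is repeatable.
SAMPLE_REQUEST_AUTH = bytes(range(16))

# Constructed candidate list standing in for the wordlist an attacker would use.
WORDLIST = [b"secret", b"password", b"radius", b"radius123", b"testing123"]


def generate_shared_secret(length: int = 22) -> str:
    """Random shared secret of upper/lower letters, digits and punctuation,
    drawn from the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets (at least 16),
    then XOR each block with MD5(secret + previous ciphertext block); the Request
    Authenticator plays the role of the 'previous block' for the first one."""
    pad_to = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(pad_to, b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: anyone holding the secret and a captured
    Access-Request recovers the user's cleartext password."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only integrity check on an Access-Accept/Reject and it hashes the
    secret directly, so a captured pair doubles as an offline cracking oracle."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def recover_secret(code, identifier, request_auth, attributes, observed, candidates):
    """Offline dictionary attack on one captured request/response pair: a candidate
    is confirmed when it reproduces the observed Response Authenticator."""
    for cand in candidates:
        if response_authenticator(code, identifier, request_auth, attributes, cand) == observed:
            return cand
    return None


def demo() -> dict:
    """Same constructed capture, weak secret versus generated 22-character secret."""
    ra = SAMPLE_REQUEST_AUTH
    msg = b"Welcome"
    # Access-Accept (code 2), identifier 7, one Reply-Message (type 18) attribute.
    attrs = struct.pack("!BB", 18, 2 + len(msg)) + msg
    result = {}
    for label, secret in (("weak", b"radius123"), ("strong", generate_shared_secret().encode())):
        observed = response_authenticator(2, 7, ra, attrs, secret)
        result[label] = recover_secret(2, 7, ra, attrs, observed, WORDLIST)
    return result


if __name__ == "__main__":
    print(demo())  # {'weak': b'radius123', 'strong': None}
```

The attack needs nothing but a passive capture of one Access-Request and its reply, which is exactly the traffic the IPsec recommendation above is meant to hide; where the APs cannot do IPsec, the length and randomness of the secret is the whole defence.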
When there are separate account databases, such as different Active Directory forests or domains that do not have two-way trusts, you must use a RADIUS proxy between the wireless APs and the RADIUS servers that perform the authentication and authorization processing. Windows Server 2003 IAS supports RADIUS proxy functionality through the configuration of connection request policies and remote RADIUS server groups. For this example, connection request policies are created to match different portions of the User-Name RADIUS attribute corresponding to each

Summit WM Technical Reference Guide, Software Version 5.1
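The realm matching that connection request policies perform can be sketched in code. The following Python is an added example, not IAS's own logic or configuration syntax: the policy table, the server group names and the realms are constructed, and the regular expressions stand in for the User-Name conditions of IAS connection request policies, evaluated in order with the first match winning and unmatched names falling through to local authentication. It also shows the pitfall of an unanchored realm pattern, which routes a name such as mallory@evil.corp.example.com to the CORP server group.

```python
import re

# Constructed policy table standing in for IAS connection request policies.
# Each entry pairs a regular expression over the User-Name attribute with the
# remote RADIUS server group that should authenticate matching requests.
# Policies are evaluated top to bottom and the first match wins.
POLICIES = [
    (r"@corp\.example\.com$", "CORP-RADIUS"),       # UPN form:        alice@corp.example.com
    (r"^CORP\\", "CORP-RADIUS"),                     # down-level form: CORP\alice
    (r"@partner\.example\.net$", "PARTNER-RADIUS"),  # partner forest with no trust
]

# A pattern without the leading '@' anchor also matches any longer suffix such
# as evil.corp.example.com, so a stranger's realm is forwarded to the CORP
# servers. Kept here only to demonstrate the mistake.
SLOPPY_POLICIES = [
    (r"corp\.example\.com$", "CORP-RADIUS"),
]

DEFAULT_GROUP = "LOCAL"  # no policy matched: IAS authenticates against its own forest


def strip_realm(user_name: str) -> str:
    """Remove the routing realm before forwarding (what IAS attribute manipulation
    does) so the remote forest sees a plain account name: CORP\\alice and
    alice@corp.example.com both become alice."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    return user_name


def route_request(user_name: str, policies=POLICIES, default=DEFAULT_GROUP):
    """Return (server_group, user_name_to_forward) for one Access-Request.
    Unmatched names are left intact and sent down the default (local) path, so a
    mistyped or foreign realm is rejected locally rather than silently proxied."""
    for pattern, group in policies:
        if re.search(pattern, user_name, flags=re.IGNORECASE):
            return group, strip_realm(user_name)
    return default, user_name


if __name__ == "__main__":
    for name in ("alice@corp.example.com", "CORP\\alice", "bob@partner.example.net",
                 "mallory@evil.corp.example.com"):
        print(name, "->", route_request(name), "| sloppy:", route_request(name, SLOPPY_POLICIES))
```

When writing the real policies, anchor every realm condition on both sides and put the most specific realm first; the local/default policy should be the one that handles whatever nothing else claimed.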
