Thursday, December 11, 2008

Radius Server with WPA2 in 2008

RADIUS

In Windows Server 2003, enabling RADIUS authentication meant installing and configuring Internet Authentication Service. In Windows Server 2008 this has been replaced by Network Policy Server.

Network Policy Server

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.
As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP).



Installation

Open Initial Configuration Tasks, and click Add Roles.

Select Network Policy and Access Services, and click Next.

Click Next after you have read through the Introduction.

The next screen you will be presented with is ‘Select Role Services’. Network Policy Server needs to be selected to use any of the items. Routing and Remote Access Services is for enabling VPN termination; you may install it at the same time if you plan to run this server as a VPN server, but for now it will not be installed.

Select Host Credential Authorization Protocol, and you will be prompted with a dialog box that looks a little like this:


Simply click ‘Add Required Role Services’, as all of these items are required for this sub-section of the role.

Click Next until you get to the Confirmation page, triple check that all the required roles are selected, and click Install.


Once NPS has been installed and the server restarted, RADIUS configuration can begin.

Open the Network Policy Server console from Start, Administrative Tools, Network Policy Server.


Creating the RADIUS policy is now made easy with the Network Access Protection wizard. Simply select RADIUS server for 802.1X Wireless or Wired Connections, and click Configure NAP.


At this stage you will also need to configure your access point. Each access point's configuration varies, but you should find an option such as WPA2-Enterprise; once you select it, you should be able to enter the IP address of this server and the shared secret we are about to set up. Consult your manual or forums to locate the RADIUS settings on your AP.

RADIUS relies on a shared secret between the RADIUS server and each RADIUS client (here, your access point) to authenticate the messages exchanged between them, so on the next page you must create a RADIUS client.


Type in a name for your client. This is purely a readable label for the administrator; the server identifies the client by its IP address when communicating with it.

Pick a “secret” or password that you will also enter on your Access Point. This shared secret is how the client and server recognise each other and verify each other's RADIUS messages, so use a long, random value rather than a simple word.

Now click next once you have created your Radius Client.

Now select Microsoft: Smart Card or other certificate (EAP-TLS). This will use any existing server certificate that has been created on the server.


Now add the groups of users that you want to be allowed to access the radius authentication.

Now click Next and then Finish, and you have created a RADIUS policy.

Depending on your Access Point, the configuration will be different, but essentially you will have to configure RADIUS authentication on it.
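As an added example (not from the original post), this is what the RADIUS side of the configuration looks like on a Cisco Aironet access point running IOS, such as the 1131 used in this setup, pointed at the NPS server on Omega (172.16.99.2). The SSID name, the placeholder <RADIUS-SECRET> and the use of the 2.4 GHz radio are assumptions; the secret must match the one entered in the NPS RADIUS client.

```cisco
! Added example: Aironet IOS access point using WPA2-Enterprise against NPS.
! Assumed: SSID "coffee-staff", radio Dot11Radio0, placeholder <RADIUS-SECRET>.
aaa new-model
!
! RADIUS server group containing only the NPS server (Omega, 172.16.99.2).
aaa group server radius rad_eap
 server 172.16.99.2 auth-port 1812 acct-port 1813
!
! 802.1X/EAP requests for the SSID are sent to that server group.
aaa authentication login eap_methods group rad_eap
!
! Shared secret: same value as the RADIUS client created in the NPS wizard.
radius-server host 172.16.99.2 auth-port 1812 acct-port 1813 key <RADIUS-SECRET>
!
dot11 ssid coffee-staff
 ! Open association, then EAP over 802.1X; the user's certificate is checked by NPS.
 authentication open eap eap_methods
 ! WPA2 key management: per-session keys are derived from the EAP exchange.
 authentication key-management wpa version 2
 guest-mode
!
interface Dot11Radio0
 ! AES-CCMP only; the weaker TKIP cipher is not offered to clients.
 encryption mode ciphers aes-ccm
 ssid coffee-staff
 no shutdown
!
! Management address of AP1 from the addressing plan (/28 on 172.16.99.0).
interface BVI1
 ip address 172.16.99.7 255.255.255.240
ip default-gateway 172.16.99.1
```

After a client connects, "show dot11 associations" on the AP lists the authenticated stations, and the matching events appear in the NPS server's Security event log.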


So once you link your Access Point to the server, when you try to authenticate users they will be required to have a certificate. I'll outline how to request a certificate from the server in the next post.

Changes from 2003 to 2008

Server Manager

This is probably the largest change between 2003 and 2008, with the ability to centrally manage and control all features and roles that your 2008 Windows Server is running.


The Windows Server® 2008 operating system eases the task of managing and securing multiple server roles in an enterprise with the new Server Manager console. Server Manager in Windows Server 2008 provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.


Server Manager replaces several features included with Windows Server® 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.

Server Manager also eliminates the requirement that administrators run the Security Configuration Wizard before deploying servers; server roles are configured with recommended security settings by default, and are ready to deploy as soon as they are installed and properly configured.



Roles and Features

The next main change from 2003 to 2008 is the idea of Roles and Features. In 2003, when you went to add a Windows service, Add/Remove Programs was your only option. In Windows Server 2008 you add services through the separate Roles and Features sections of Server Manager.


Just like in Add/Remove Windows components, each item in Roles and Features can be ticked to install, and ‘details’ can be clicked to add more specific items to the installation.

Each section, Roles and Features, can be viewed individually via the Server Manager Console. This enables administrators to quickly and more efficiently view what has been installed and configured so they can determine if they are on the server they want to be on.

Above: Roles viewed from Server Manager

Above: Features viewed from Server Manager

Windows Firewall

Windows Server 2008 introduces a new and improved firewall; the Windows Firewall with Advanced Security. The new Windows firewall introduces many improvements and is very similar to the firewall that was included with Windows Vista. Features included with the new Windows Firewall with Advanced Security include:

  • Granular inbound access control
  • Granular outbound access control
  • Tight integration with the Windows Server 2008 Server Manager, with automatic configuration of the firewall when services are installed using the Server Manager
  • Highly improved IPsec policy configuration and management, and a name change. IPsec policies are now referred to as Connection Security Rules
  • Improved monitoring of firewall policy
  • Improved monitoring of IPsec policies (now called Connection Security Rules)
  • Improved centralized monitoring of Main and Quick Mode Security Associations

Monday, November 3, 2008

DHCP Scope Subinterfaces

How to get DHCP forwarding working with Cisco Router Subinterfaces
Configure subinterfaces on your Cisco router, and ensure each one has an IP address in the subnet it will serve.

eg,
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.0

Now we are using a Windows Server 2008 machine to handle the DHCP scopes and leases, here is what our DHCP looks like.


So we have created a scope, like any other scope, for the 192.168.0.0 range. The thing about the leases is that you will only get a lease from the range you are in: while your PC might be in a 172. range, you will never get a lease from the 192 range, because the router puts its own subinterface IP into the relayed request (the DHCP gateway address field), which tells the DHCP server which subnet the request came from.

To enable the router to pass DHCP requests on to the server, you must put this command on each of your subinterfaces.

It's called 'ip helper-address <address>', where <address> is the IP of your DHCP server.

So enter the subinterface configuration on the router and enter that command with your DHCP server's address in place.

So for us, it is

Router(config-subif)# ip helper-address 172.16.99.2

This will enable the subinterface to pass DHCP (and a few other broadcast-based protocols; for a full list see here: http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9) through the router to our DHCP server, so that your clients in their VLAN can get valid IP addresses!
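As an added example (not the post's own configuration), here is the same idea carried through for all of the subnets chosen in the addressing post, each relaying DHCP to Omega at 172.16.99.2. The VLAN numbers 10, 20, 30 and 40 are assumptions, the router interface follows the post's FastEthernet0/1, and the guest network uses the /25 mask from the addressing plan rather than the /24 in the snippet above.

```cisco
! Added example: one subinterface per VLAN on R1, each relaying DHCP to Omega.
! Assumed VLAN ids: 10 HR, 20 Management, 30 Office, 40 Guests.
interface FastEthernet0/1
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description HR / Payroll (172.16.10.0/27)
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.224
 ip helper-address 172.16.99.2
!
interface FastEthernet0/1.20
 description Management (172.16.20.0/27)
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.224
 ip helper-address 172.16.99.2
!
interface FastEthernet0/1.30
 description Office Workers (172.16.30.0/27)
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.224
 ip helper-address 172.16.99.2
!
interface FastEthernet0/1.40
 description Guests / Cafe Users (192.168.0.0/25)
 encapsulation dot1Q 40
 ip address 192.168.0.1 255.255.255.128
 ip helper-address 172.16.99.2
!
! ip helper-address relays several UDP broadcast services by default (TFTP,
! DNS, time, NetBIOS, BOOTP, TACACS), not just DHCP. Turn off the ones the
! clients have no business reaching the server with, keeping BOOTP/DHCP (and
! DNS, since Omega is also the DNS server).
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
```

To confirm the relay is in place, "show ip interface FastEthernet0/1.10 | include Helper" should report the helper address 172.16.99.2; the scope on the server must then match the subnet of that subinterface address or the request is dropped.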


Tuesday, October 14, 2008

Update time

Well, what a last few weeks it's been. Lots of changes to our base setup, new computers arrived and new hardware :)

So here's the rundown.

New Computers

We received 4 new machines, which are all faster and newer than what we were previously given.

They consist of:
  • IBM ThinkCentre
  • 2.8 GHz Pentium 4
  • 1 GB DDR-400 RAM
  • 40 GB HDD
  • Intel Pro/1000 network
These have all been installed, and replaced each of the older celeron computers.

There are still only 4 servers in total.


New Cisco Hardware

All of our Cisco hardware is now in place.

We have the following:

1x Cisco 1841 Router
1x Cisco 2950 Switch
1x Cisco 1131 Access Point

We have configured the Router for Network Address Translation so that we could implement DHCP from within our network.

So the network topology is like this:

Internet (RJ45) -> FE 0/1 on Router1; then from Router1 FE 0/0 it goes into FA 0/1 on Switch1.

This is all that has been configured at this stage, so all ports on the switch are in the same VLAN and get DHCP from Omega.



Naming

So each device has been given a name.

The servers from Bottom to top are named
  • Omega
  • Swiss
  • Rolex
  • Seiko
The router has been called 'R1', the switch has been called 'S1' and finally the Access Point has been called 'AP1'. Yes, very imaginative, but it makes life easier in the console to have a shorter name :)

The domain that we have setup will be adelaide.coffee.com.au .

Addressing

We decided on the 172.16.x.x range for our network as it is not as widely used as 10.x.x.x and 192.168.0.x, so it makes it a little more secure.

So the following has been decided for the different subnets:

HR / Payroll
  • 172.16.10.0
  • Using 172.16.10.1-30 /27
Management
  • 172.16.20.0
  • Using 172.16.20.1-30 /27
Office Workers
  • 172.16.30.0
  • Using 172.16.30.1-30 /27
Guests / Cafe Users
  • 192.168.0.0
  • Using 192.168.0.1-126 /25
Network Admins / Servers
  • 172.16.99.0
  • Using 172.16.99.1-14 /28

For the servers and devices in the Network Admins / Servers subnet we have decided on the following statically assigned IPs

  • Router (R1) - 172.16.99.1 (Mac: 00-1C-F6-33-4F-E0)
  • Omega - 172.16.99.2 (Mac: 00-0D-60-91-3A-59)
  • Swiss - 172.16.99.3 (Mac: 00-0D-60-25-1B-5B)
  • Seiko - 172.16.99.4 (Mac: 00-0D-60-91-31-EF)
  • Rolex - 172.16.99.5 (Mac: 00-0D-60-92-57-E9)
  • Switch (S1) - 172.16.99.6 (Mac: 00-0B-BE-19-6D-80)
  • Access Point (AP1) - 172.16.99.7 (Mac: 00-1D-A1-EF-13-26)
The remaining IPs in the server subnet will be for administrator computers, which will be assigned via DHCP.


Roles

There are 4 servers to ensure the load is evenly distributed as they are not the latest and greatest systems for what we are doing.

The roles have been assigned as the following:
  • Omega - Domain Controller / Radius Authentication / VPN Terminator / DNS / DHCP
  • Swiss - Exchange 2007 / Domain Controller
  • Rolex - Website / FTP / File Server
  • Seiko - Firewall / IDS / Squid Proxy
Conclusion

So in conclusion, we have completed quite a bit, mainly on the role assigning and addressing side of things, but we have set a good grounding for the setup of the equipment and will be implementing some of it this week!

Till next time.

Wednesday, August 6, 2008

Installation

First up we are installing Windows Server 2008 Enterprise on all systems.

Start by booting from the DVD.

On the first screen we changed the settings to:

Language: English
Time and Currency Format: English (Australian)
Keyboard or Input Method: US

Then clicked Next.

After this you are prompted with which version of Server 2008 you are installing.

We selected:

Windows Server 2008 Enterprise (Full Installation) X86

Then click Next, agree to the license terms, and click Next again.

As this is a fresh installation the "Upgrade" option is disabled, so you simply pick the "Custom (Advanced)" option and continue.

The next page is the partitioning page; we have chosen to use the entire 40GB just for Server 2008.

Once partitioning is complete, simply click Next and go get a coffee, as Windows Setup will now copy the image off the DVD to the HDD as it installs Windows Server 2008.



The same method works for the Windows Vista Business client, except of course you select 'Windows Vista Business' when asked for which version you are installing.

When Windows Server 2008 has completed installation you get prompted with this:



You must change the administrator password as it has not been set yet.



Once the password has been set, you have completed Windows Server 2008 installation!

Setup

So we set all our gear up and it looks like this:








On the left we have the four servers all on the KVM for easy access.

On the right we have the client on its own setup for easy access.

Inventory

So this is a list of the current pieces of hardware that we have been given for our test setup.

Windows 2008 System (x4):

IBM NetVista 6826-KMM
- 2.20 GHz Intel Celeron
- 40 GB IDE HDD
- DVD-ROM
- 512 MB DDR-266
- Intel 10/100 Pro network (onboard)

Windows Vista System (x1):

Custom Built ATX Tower
- 3.4 GHz Intel Pentium 4
- 80 GB SATA HDD
- DVD-ROM
- 2048 MB DDR-400
- 100 Mbit onboard network

Other hardware:
- ATEN "Master View" 4-Port KVM
- Netgear FS108 8-Port 100mbit switch
- HP L1706 17" LCD (Running on KVM)
- IBM E74 17" CRT (Running on Client)
- PS2 Keyboard and Mouse x2

To come:
- Some form of a Cisco router.


What we have been given:
- 1x RJ45 Cat5 cable, which provides our internet access.

Welcome

Well welcome to the blog.

This is a weekly journal that I am required to complete as part of some study I am doing. So while creating this blog I hope I may be able to help some other people out there or even get comments from other IT admins for possible better methods of implementing things!

This blog documents the implementation of a Windows 2008 domain with Windows Vista clients.