WiFi using 802.1x

What's the simplest method to implement 802.1x authentication with a wireless
Access point and SBS 2003? Is there a step-by-step document?

Thanks...

-JoeF

It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
book, and the method works, but I don't recommend it unless there's a very
compelling reason and someone doing it who knows what they're about. I would
settle for WPA2 and a good long PSK.

--
Charlie.
http://msmvps.com/blogs/russel




"JoeF" <> wrote in message
news:BD558967-220E-47F0-8D6F-...
> What's the simplest method to implement 802.1x authentication with a
> wireless
> Access point and SBS 2003? Is there a step-by-step document?
>
> Thanks...
>
> -JoeF

Yep. You should probably add technet to your short-list of sites to search,
just as an aside. Might save you some time waiting for an answer in the
futrue.

http://technet.microsoft.com/en-us/l...90(WS.10).aspx

-Cliff



"JoeF" <> wrote in message
news:BD558967-220E-47F0-8D6F-...
> What's the simplest method to implement 802.1x authentication with a
> wireless
> Access point and SBS 2003? Is there a step-by-step document?
>
> Thanks...
>
> -JoeF

Interesting. I've deployed 802.1x on SBS03, 03R2, and SBS08 (and EBS08 as
well, but this isn't an EBS group...just an aside...) and have not had any
problems. The document I posted in my previous reply was the one I used for
my first deployment, but every one since has been done from memory with very
little effort.

So, for the record, I certainly am not attempting to contradict you I am
just genuinely curions what issues you've seen. Would you be willing to
share?

-Cliff


"Charlie Russel - MVP" <> wrote in message
news:...
> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
> book, and the method works, but I don't recommend it unless there's a very
> compelling reason and someone doing it who knows what they're about. I
> would settle for WPA2 and a good long PSK.
>
> --
> Charlie.
> http://msmvps.com/blogs/russel
>
>
>
>
> "JoeF" <> wrote in message
> news:BD558967-220E-47F0-8D6F-...
>> What's the simplest method to implement 802.1x authentication with a
>> wireless
>> Access point and SBS 2003? Is there a step-by-step document?
>>
>> Thanks...
>>
>> -JoeF
>

I just plugged a WAP into the LAN, gave it a fixed, reserved IP address, and
set up WPA2 encryption. Only permitted people are given the WPA2 key, and
I've never had any problems, but now you've got me worried. What have I
missed? The technet article quoted by Cliff looks ridiculously complex.

NeilH

"Charlie Russel - MVP" <> wrote in message
news:...
> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
> book, and the method works, but I don't recommend it unless there's a very
> compelling reason and someone doing it who knows what they're about. I
> would settle for WPA2 and a good long PSK.
>
> --
> Charlie.
> http://msmvps.com/blogs/russel
>
>
>
>
> "JoeF" <> wrote in message
> news:BD558967-220E-47F0-8D6F-...
>> What's the simplest method to implement 802.1x authentication with a
>> wireless
>> Access point and SBS 2003? Is there a step-by-step document?
>>
>> Thanks...
>>
>> -JoeF
>

Nothing wrong with what you're doing, it's what I do.

--
Charlie.
http://msmvps.com/blogs/russel




"Neil Hoskins" <> wrote in
message news:...
>I just plugged a WAP into the LAN, gave it a fixed, reserved IP address,
>and set up WPA2 encryption. Only permitted people are given the WPA2 key,
>and I've never had any problems, but now you've got me worried. What have
>I missed? The technet article quoted by Cliff looks ridiculously complex.
>
> NeilH
>
> "Charlie Russel - MVP" <> wrote in message
> news:...
>> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
>> book, and the method works, but I don't recommend it unless there's a
>> very compelling reason and someone doing it who knows what they're about.
>> I would settle for WPA2 and a good long PSK.
>>
>> --
>> Charlie.
>> http://msmvps.com/blogs/russel
>>
>>
>>
>>
>> "JoeF" <> wrote in message
>> news:BD558967-220E-47F0-8D6F-...
>>> What's the simplest method to implement 802.1x authentication with a
>>> wireless
>>> Access point and SBS 2003? Is there a step-by-step document?
>>>
>>> Thanks...
>>>
>>> -JoeF
>>
>
>

Installing IAS (aka, RADIUS) on an SBS box is OK and works fine, as long as
you don't have ISA in the mix. And even with you can do it, as I suggested.
But I'm not sure it's worth the effort, and I've seen a whole bunch of these
go wrong, usually around the certificates involved.

The sequence of steps is fairly important, if I remember correctly.
Honestly, it's been 3 years at least since I did a 2003 one, and I'd have to
go read the steps myself. ;-) But the last part of my comment is the most
critical - "someone doing it who knows what they're about". You qualify, but
not every person on the NG does.

--
Charlie.
http://msmvps.com/blogs/russel




"Cliff Galiher" <> wrote in message
news:e%...
> Interesting. I've deployed 802.1x on SBS03, 03R2, and SBS08 (and EBS08 as
> well, but this isn't an EBS group...just an aside...) and have not had any
> problems. The document I posted in my previous reply was the one I used
> for my first deployment, but every one since has been done from memory
> with very little effort.
>
> So, for the record, I certainly am not attempting to contradict you I am
> just genuinely curions what issues you've seen. Would you be willing to
> share?
>
> -Cliff
>
>
> "Charlie Russel - MVP" <> wrote in message
> news:...
>> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
>> book, and the method works, but I don't recommend it unless there's a
>> very compelling reason and someone doing it who knows what they're about.
>> I would settle for WPA2 and a good long PSK.
>>
>> --
>> Charlie.
>> http://msmvps.com/blogs/russel
>>
>>
>>
>>
>> "JoeF" <> wrote in message
>> news:BD558967-220E-47F0-8D6F-...
>>> What's the simplest method to implement 802.1x authentication with a
>>> wireless
>>> Access point and SBS 2003? Is there a step-by-step document?
>>>
>>> Thanks...
>>>
>>> -JoeF
>>

The only downside to WPA2 with pre-shared key is that if someone leaves your
company with that key, your network can be compromised. This is completely
irrelevant as long as you remember to change the pre-shared key when someone
leaves, or if a computer goes missing.

What you gain by doing 802.1x is that the computer authenticates
independently of user login. This means that anything that happens prior to
login will work as expected - WSUS updates are one thing that comes to mind.

I find this method by Owen Williams to be less complex than the TechNet
method. For one thing, it eliminates all the security stuff by just
allowing domain computers to authenticate to the wireless, without
configuring security groups and all that. I don't know why you'd have
wireless-capable PCs that you'd want to deny access. This uses a
certificate that automatically deploys to domain-joined PCs with group
policy, at which point they can connect to wireless. One possible downside
to this method is that it'll pretty much prevent you connecting non-domain
PCs to wireless. That's not something I would allow anyway, but if you
wanted to, one of the other methods might be easier.
http://home.comcast.net/~clearviewtc/

For those who may not know about it, you can easily generate really good,
long keys at https://www.grc.com/passwords.htm.


"Neil Hoskins" <> wrote in
message news:...
>I just plugged a WAP into the LAN, gave it a fixed, reserved IP address,
>and set up WPA2 encryption. Only permitted people are given the WPA2 key,
>and I've never had any problems, but now you've got me worried. What have
>I missed? The technet article quoted by Cliff looks ridiculously complex.
>
> NeilH
>
> "Charlie Russel - MVP" <> wrote in message
> news:...
>> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
>> book, and the method works, but I don't recommend it unless there's a
>> very compelling reason and someone doing it who knows what they're about.
>> I would settle for WPA2 and a good long PSK.
>>
>> --
>> Charlie.
>> http://msmvps.com/blogs/russel
>>
>>
>>
>>
>> "JoeF" <> wrote in message
>> news:BD558967-220E-47F0-8D6F-...
>>> What's the simplest method to implement 802.1x authentication with a
>>> wireless
>>> Access point and SBS 2003? Is there a step-by-step document?
>>>
>>> Thanks...
>>>
>>> -JoeF
>>
>
>

Thanks for that.

"Dave Nickason [SBS MVP]" <> wrote in message
news:%23gfUz%...
> The only downside to WPA2 with pre-shared key is that if someone leaves
> your company with that key, your network can be compromised. This is
> completely irrelevant as long as you remember to change the pre-shared key
> when someone leaves, or if a computer goes missing.
>
> What you gain by doing 802.1x is that the computer authenticates
> independently of user login. This means that anything that happens prior
> to login will work as expected - WSUS updates are one thing that comes to
> mind.
>
> I find this method by Owen Williams to be less complex than the TechNet
> method. For one thing, it eliminates all the security stuff by just
> allowing domain computers to authenticate to the wireless, without
> configuring security groups and all that. I don't know why you'd have
> wireless-capable PCs that you'd want to deny access. This uses a
> certificate that automatically deploys to domain-joined PCs with group
> policy, at which point they can connect to wireless. One possible
> downside to this method is that it'll pretty much prevent you connecting
> non-domain PCs to wireless. That's not something I would allow anyway,
> but if you wanted to, one of the other methods might be easier.
> http://home.comcast.net/~clearviewtc/
>
> For those who may not know about it, you can easily generate really good,
> long keys at https://www.grc.com/passwords.htm.
>
>
> "Neil Hoskins" <> wrote
> in message news:...
>>I just plugged a WAP into the LAN, gave it a fixed, reserved IP address,
>>and set up WPA2 encryption. Only permitted people are given the WPA2 key,
>>and I've never had any problems, but now you've got me worried. What have
>>I missed? The technet article quoted by Cliff looks ridiculously complex.
>>
>> NeilH
>>
>> "Charlie Russel - MVP" <> wrote in message
>> news:...
>>> It's non-trivial and fairly touchy. I did write it up in my SBS 2003 R2
>>> book, and the method works, but I don't recommend it unless there's a
>>> very compelling reason and someone doing it who knows what they're
>>> about. I would settle for WPA2 and a good long PSK.
>>>
>>> --
>>> Charlie.
>>> http://msmvps.com/blogs/russel
>>>
>>>
>>>
>>>
>>> "JoeF" <> wrote in message
>>> news:BD558967-220E-47F0-8D6F-...
>>>> What's the simplest method to implement 802.1x authentication with a
>>>> wireless
>>>> Access point and SBS 2003? Is there a step-by-step document?
>>>>
>>>> Thanks...
>>>>
>>>> -JoeF
>>>
>>
>>
>