neohelp Posted August 8, 2013

Hello, I'm wondering about the pros and cons of setting up a wifi router for RADIUS authentication instead of WPA2. The RADIUS server would be a W2K3SBS with Active Directory. How would I go about setting this up on the W2K3SBS server? Thank you

]SK[ Posted August 8, 2013

Too much for one person to post. This basically.

sc302 Veteran Posted August 8, 2013

The pro is that it is much more secure than WPA2. The only issue that there is with RADIUS auth is that if you have a requirement that forces users to change passwords, they will not be able to authenticate if their cached password is mismatched from their domain password. After a password change you will need to be physically plugged in to apply the password to the cache. We have this issue where I work, lots of wireless users.

]SK[ Posted August 8, 2013

A common issue. Had this a lot at schools. Kinda annoying when you have 800+ laptops!

+BudMan MVC Posted August 8, 2013

"The pro is that it is much more secure than WPA2."

To be honest, that is debatable. If you think about it, the normal required password length for Windows is what, 7 characters? The user name is easy to guess or get via email address if they are using Exchange, etc. It could leave the network open to a DoS of sorts if I just flood the server with login requests. It is possible to even lock out most every account in their AD if they are not set up correctly, etc.

The pro of enterprise auth vs just a PSK, if you ask me, is more the ability to remove a user's access without having to have every single user change the password they use. If 1 user account gets compromised, you change that 1 account, not the shared PSK. Where you have a user base that comes and goes, using a PSK would suck if you had to change it every time a user got fired or quit, etc.

So I don't think I agree with the statement that it is more secure. More flexible for sure, but not really any more secure if you ask me.

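Added example (not part of any post in this thread): a small detector that separates the two failure patterns described in the posts above, one device failing repeatedly for a single user (the stale cached password after a password change) versus one device failing across many accounts (the login flood that could lock out AD accounts). The record layout, thresholds and sample lines are constructed for illustration; the event IDs follow NPS's 6272 (access granted) and 6273 (access denied).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, NPS event ID, user name, client MAC.
# This is a simplified layout for the example, not a real NPS log format.
SAMPLE = """\
2013-08-08T09:00:01,6273,asmith,00-11-22-33-44-55
2013-08-08T09:00:31,6273,asmith,00-11-22-33-44-55
2013-08-08T09:01:02,6273,asmith,00-11-22-33-44-55
2013-08-08T09:20:00,6272,asmith,00-11-22-33-44-55
2013-08-08T10:00:00,6273,asmith,66-77-88-99-AA-BB
2013-08-08T10:00:01,6273,bjones,66-77-88-99-AA-BB
2013-08-08T10:00:02,6273,cdoe,66-77-88-99-AA-BB
2013-08-08T10:00:03,6273,dlee,66-77-88-99-AA-BB
2013-08-08T11:00:00,6273,elong,CC-DD-EE-FF-00-11
2013-08-08T11:00:20,6272,elong,CC-DD-EE-FF-00-11
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_REJECTS = 3                # assumed: repeated failures for one user
MIN_USERS = 4                  # assumed: distinct accounts failing from one device

def parse(text):
    for line in text.strip().splitlines():
        ts, event, user, mac = line.split(",")
        yield datetime.fromisoformat(ts), int(event), user.lower(), mac.upper()

def classify(text):
    """Return {client MAC: verdict} for devices with suspicious reject bursts."""
    rejects = defaultdict(list)
    for ts, event, user, mac in parse(text):
        if event == 6273:  # access denied
            rejects[mac].append((ts, user))
    verdicts = {}
    for mac, events in rejects.items():
        events.sort()
        flood = stale = False
        start = 0
        for end in range(len(events)):
            # Slide the window so it only spans WINDOW of time.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {user for _, user in window}
            flood |= len(users) >= MIN_USERS
            stale |= len(users) == 1 and len(window) >= MIN_REJECTS
        if flood:
            verdicts[mac] = "lockout_flood"
        elif stale:
            verdicts[mac] = "stale_credential"
    return verdicts
```

A `stale_credential` verdict points at a help-desk fix for one laptop, while `lockout_flood` is the case where the AD lockout policy and the source device need attention.
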
sc302 Veteran Posted August 8, 2013

Not if the username does not match that of the email address. One company used the first 5 letters of their last name and their first initial, another used first name, middle initial, last 2 initials. No one has the same standards. I personally like firstinitial lastname. Some even say screw it and make it the same as their username, which in many cases is firstname.lastname. Stupid non-standard standards. But anyway, you would have to guess the username, if they have access to the wireless (some do not), and then guess their password. A whole lot of guessing if you ask me vs guessing one passkey.

]SK[ Posted August 8, 2013

The past two big companies I have worked for used a Payroll ID or just a User Account number. A little more difficult to guess than 'ASmith' or 'Alan Smith'.

neohelp Posted August 9, 2013 Author

Thank you for the pros and cons :) My next question is how do I set this up in W2K3SBS? Thank you

TPreston Posted August 9, 2013

Install the AD cert services role
Duplicate the NPS Server cert and assign enroll permissions for your Server
Request the duplicated NPS Server cert and install it to computer certs / personal
Install the NPS role and configure a radius client
On the NPS console select the 802.1X wizard
Select secure wireless connections
Select PEAP as the authentication method and remove all the other methods
Finish the wizard and remove everything except maximum 128bit encryption

That's what I do usually. Make sure you don't use non-standard characters for the shared secret like %$"^, just hex.

neohelp Posted August 9, 2013 Author

I thought a RADIUS server used AD creds, not a certificate.

TPreston Posted August 9, 2013

PEAP uses both a certificate to stop clients connecting to rogue access points and your domain credentials. If you can set up a CA or have one already, it's the best choice.

sc302 Veteran Posted August 9, 2013

It does. You need a cert for encryption/trust.

neohelp Posted August 10, 2013 Author

OK :) Then forget it. Just wanted AD user/pass authentication, no certs or anything. Thank you

sc302 Veteran Posted August 10, 2013

I think you may be confusing the complexity of it. It really isn't at all complex.