{"id":250,"date":"2017-08-13T17:00:35","date_gmt":"2017-08-13T21:00:35","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=250"},"modified":"2017-08-13T17:00:35","modified_gmt":"2017-08-13T21:00:35","slug":"screenos-wireless-radius-authentication-with-microsoft-server-2003-ias","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-wireless-radius-authentication-with-microsoft-server-2003-ias\/","title":{"rendered":"ScreenOS Wireless RADIUS Authentication with Microsoft Server 2003 IAS"},"content":{"rendered":"<p><strong>Product<\/strong>: ScreenOS wireless series<br \/>\n<strong>Version<\/strong>: 6.2R7 and above<\/p>\n<p>There is a RADIUS bug in code below this release that can cause a system reboot when RADIUS authentication is denied for the client.<\/p>\n<h2>Network Topology:<\/h2>\n<p><strong>Network diagram:<\/strong><br \/>\n<a href=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/WirelessRADIUS.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-251\" src=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/WirelessRADIUS-300x235.jpg\" alt=\"\" width=\"300\" height=\"235\" srcset=\"http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/WirelessRADIUS-300x235.jpg 300w, http:\/\/puluka.com\/home\/wp-content\/uploads\/2017\/08\/WirelessRADIUS.jpg 386w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nThe wireless segment on the ScreenOS firewall authenticates to the Microsoft IAS server<\/p>\n<h2>Description:<\/h2>\n<p>Create a RADIUS-authenticated wireless segment on a ScreenOS firewall.\u00a0 This uses the Microsoft IAS server component that is free with Windows Server 2003.\u00a0 The configuration does require an Active Directory domain and a Microsoft certificate authority.\u00a0 All components are included with the Server 2003 OS and can be installed on a single server.<\/p>\n<h3>Microsoft Domain Setup<\/h3>\n<p>This configuration was tested using a 
Microsoft Server 2003 infrastructure. This infrastructure requires that three roles are set up on the domain:<\/p>\n<ul>\n<li>Active Directory Domain Controller<\/li>\n<li>Certificate Authority<\/li>\n<li>Internet Authentication Server (IAS) &#8211; this is the Microsoft implementation of RADIUS<\/li>\n<\/ul>\n<p>These three roles can all exist on the same server without any issues in a small network, or they can be distributed across other servers in an existing setup. The configuration of this infrastructure is outlined in this TechNet article.<\/p>\n<p><a href=\"http:\/\/technet.microsoft.com\/en-us\/network\/cc917481.aspx\">Deployment of Protected 802.11 Networks<\/a> Using Microsoft Windows<\/p>\n<h3>Windows XP Client Setup<\/h3>\n<p>After this is configured, the wireless client software on the affected computers will also need to be configured, and the certificates needed for the chosen authentication methods will need to be distributed to the clients. The document linked above also outlines the group policy options for these setting changes and certificate distribution.<\/p>\n<p>When you connect to the SSID for the wireless segment, the protocol needs to be changed to Protected EAP in the properties of the wireless interface.<\/p>\n<ul>\n<li>Select the SSID and again pick Properties<\/li>\n<li>Select the Authentication tab and change from smart card to certificate authentication<\/li>\n<li>Set up PEAP on the client wireless connection<\/li>\n<\/ul>\n<h3>ScreenOS Configuration<\/h3>\n<p>The Juniper ScreenOS wireless-enabled firewall will be configured to communicate with this Microsoft RADIUS infrastructure to authenticate clients. 
There are two basic steps to the process.<\/p>\n<ol>\n<li>Configure the RADIUS authentication server<\/li>\n<li>Configure the wireless interface for 802.1x using this server<\/li>\n<\/ol>\n<h2>Configuration:<\/h2>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li>Add a RADIUS Authentication Server<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>For this example the parameters are as follows<br \/>\nPrimary RADIUS server 192.168.1.10<br \/>\nSecondary RADIUS server (optional) 192.168.1.11<br \/>\nRADIUS passphrase YourPassword<br \/>\nThe auth server name is radserver<\/p>\n<p><strong>CLI<\/strong><\/p>\n<p>lab-&gt; set auth-server radserver server-name 192.168.1.10<br \/>\nlab-&gt; set auth-server radserver backup1 192.168.1.11<br \/>\nlab-&gt; set auth-server radserver account-type 802.1x<br \/>\nlab-&gt; set auth-server radserver radius secret YourPassword<\/p>\n<p><strong>Web<\/strong><\/p>\n<p>Configuration &#8211; Auth &#8211; Auth Servers<br \/>\nFill in the form<\/p>\n<ol>\n<li style=\"list-style-type: none\">\n<ol>\n<li>Configure a wireless interface to use the RADIUS server<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>For this example the SSID is MyWireless on the wireless0 interface using &#8220;radserver&#8221; as the authentication server.<\/p>\n<p><strong>CLI<\/strong><\/p>\n<p>lab-&gt; set ssid name MyWireless<br \/>\nlab-&gt; set ssid MyWireless authentication 802.1x auth-server radserver<br \/>\nlab-&gt; set ssid MyWireless interface wireless0<\/p>\n<p><strong>Web<\/strong><\/p>\n<p>Wireless &#8211; SSID<br \/>\nSelect New and fill in the form<\/p>\n<h2>Verification:<\/h2>\n<p>When clients connect, there are sessions and statistics on the firewall and logs generated on the Microsoft IAS server.<\/p>\n<h3>IAS Server<\/h3>\n<p>In the IAS MMC the logging area shows the location of the log file.<br \/>\nDefault: Windows\\system32\\logs<\/p>\n<p>There will be log entries for all connection attempts, whether rejected or accepted.<\/p>\n<h3>Firewall<\/h3>\n<p>The Sessions view shows actively connected devices while the 
statistics show the counts since the last reset.<\/p>\n<p><strong>CLI<\/strong><\/p>\n<p>lab-&gt;get dot1x session<br \/>\nlab-&gt;get dot1x statistics<\/p>\n<p><strong>Web<\/strong><\/p>\n<p>Network &#8211; 802.1x &#8211; Statistics or Sessions<\/p>\n<p>Originally Posted December 20, 2010<br \/>\nLast Revised on December 20, 2010<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: ScreenOS wireless series Version: 6.2R7 and above There is a RADIUS bug in code below this release that can cause a system reboot when RADIUS authentication is denied for the client. Network Topology: Network [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-250","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=250"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/250\/revisions"}],"predecessor-version":[{"id":252,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/250\/revisions\/252"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}",
"templated":true}]}}