Authentication Infrastructure
The authentication infrastructure exists to:
- Authenticate the credentials of wireless clients
- Authorize the wireless connection
- Inform wireless APs of wireless connection restrictions
- Record the wireless connection creation and termination for accounting purposes
The authentication infrastructure for protected wireless connections consists of:
- Wireless APs
- RADIUS servers
- Active Directory domain controllers
- Issuing CAs of a PKI (optional)
If you are using a Windows domain as the user account database for verification of user or computer credentials and for obtaining dial-in properties, use Network Policy Server (NPS) in Windows Server 2008. NPS is a full-featured RADIUS server and proxy that is tightly integrated with Active Directory.
NPS performs the authentication of the wireless connection by communicating with a domain controller over a protected remote procedure call (RPC) channel. NPS performs authorization of the connection attempt through the dial-in properties of the user or computer account and network policies configured on the NPS server.
By default, NPS logs all RADIUS accounting information in a local log file (%SystemRoot%\System32\Logfiles\Logfile.log), based on settings configured in the properties dialog box of the Local File Logging object in the Accounting node of the Network Policy Server snap-in.
Uses for Authentication Infrastructure
Best practices to follow for the authentication infrastructure are the following:
- To better manage authorization for wireless connections, create a universal group in Active Directory for wireless access that contains global groups for the user and computer accounts that are allowed to make wireless connections. For example, create a universal group named WirelessAccounts that contains the global groups based on your organization's regions or departments. Each global group contains allowed user and computer accounts for wireless access. When you configure your network policy for wireless connections, specify the WirelessAccounts group name.
- Use the NPS New Network Policy wizard to create a wireless-specific network policy to authorize wireless connections and specify connection constraints and requirements. For example, create a wireless network policy to grant access based on group membership and to require a specific authentication method.
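The group layout from the first best practice can be built and checked from PowerShell. The following is an added example, not part of the original tutorial; it assumes the ActiveDirectory module is available (RSAT or a domain controller that provides it), and the OU path and regional group names are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical values: replace with your own OU and regional/departmental groups.
$GroupOU       = 'OU=Groups,DC=example,DC=com'
$UniversalName = 'WirelessAccounts'   # group name referenced by the NPS network policy
$GlobalNames   = 'Wireless-Europe', 'Wireless-Americas', 'Wireless-Asia'

# Return the named security group, creating it if absent; refuse a scope mismatch.
function Get-OrCreateGroup {
    param([string]$Name, [string]$Scope)
    $group = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
            -GroupCategory Security -Path $GroupOU -PassThru
    }
    elseif ($group.GroupScope -ne $Scope) {
        throw "Group '$Name' exists with scope $($group.GroupScope), expected $Scope."
    }
    return $group
}

$universal = Get-OrCreateGroup -Name $UniversalName -Scope Universal

# Nest each global group in the universal group (safe to re-run).
foreach ($name in $GlobalNames) {
    $global = Get-OrCreateGroup -Name $name -Scope Global
    $nested = Get-ADGroupMember -Identity $universal |
        Where-Object { $_.distinguishedName -eq $global.DistinguishedName }
    if (-not $nested) {
        Add-ADGroupMember -Identity $universal -Members $global
    }
}

# Audit 1: accounts added directly to the universal group bypass the
# per-region global groups, so list any direct member that is not a group.
$direct = Get-ADGroupMember -Identity $universal |
    Where-Object { $_.objectClass -ne 'group' }
if ($direct) {
    Write-Warning "Direct (non-group) members of ${UniversalName}:"
    $direct | Select-Object objectClass, SamAccountName
}

# Audit 2: every user and computer account that the wireless network policy
# would authorize through membership in WirelessAccounts.
Get-ADGroupMember -Identity $universal -Recursive |
    Sort-Object objectClass, SamAccountName |
    Select-Object objectClass, SamAccountName, distinguishedName
```

Reviewing the second audit's output periodically shows exactly which accounts the wireless network policy admits through group membership.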