Configuring Microsoft IAS for eduroam-US

Thank you to Brian Gibson and Mark Parlan at Wheaton College for contributing these instructions to the documentation.
If you have any questions or comments regarding these instructions please contact the eduroam-US Team and we will work with you to assist as much as possible.

Description

This document outlines how we set up the Windows 2003 Server (SP2) Internet Authentication Service (IAS) software as a campus RADIUS server for implementing eduroam. In our case, the IAS server receives requests from one of two sources:

  1. Our local wireless controller, if the person is connecting to the "eduroam" network here on campus.
  2. The US TLRS (Top Level RADIUS Server), if one of our users is visiting another eduroam-enabled campus.

Instructions

  1. The first thing to do is open up your campus perimeter firewall and the Windows 2003 Server's local firewall so inbound requests from the US TLRSs are allowed through to these UDP ports on the IAS server: 1812, 1813, 1645, 1646.
  2. Join the local Windows 2003 IAS server to your Active Directory domain. This is important because when the Radius server needs to authenticate Wheaton users it will do so against Active Directory.
  3. Before you install RADIUS you should install Microsoft's Internet Information Services (IIS) so you can easily install an SSL certificate (you will not be using IIS for anything else; it just makes it easy to install the certificate). Do the following:

    1. Select Control Panel.
    2. Add or Remove Programs.
    3. Add/Remove Windows Components.
    4. Application Server.
    5. Select Internet Information Services (IIS) and uncheck any unnecessary services underneath it, such as SMTP or FTP.

    After IIS is installed and all current Windows Updates have been applied, open the properties of the "Default Web Site", go to Directory Security -> Secure Communications -> Server Certificate, and follow the wizard to create a new certificate: it generates a new private key and a certificate signing request (CSR) from it. Then manually submit the .csr file to a trusted certificate authority (e.g. GeoTrust, Thawte, VeriSign).

    Once the CA has issued the web server certificate and the intermediate CA certificates (usually bundled into one file), go back into Directory Security -> Secure Communications -> Server Certificate and follow the wizard to import the new SSL certificate. You may want to temporarily open TCP port 443 on the server so you can test that the certificate is trusted by the various clients (computers, tablets, smartphones, etc.). Once you have completed your HTTPS testing, close port 443 again at the local Windows firewall.

  4. Now install Microsoft's IAS (Internet Authentication Service), which will act as your RADIUS server. IAS is not part of the standard Windows 2003 installation; you must install it separately, as follows:

    1. Select Control Panel.
    2. Add or Remove Programs.
    3. Add/Remove Windows Components.
    4. Networking Services.
    5. Select Internet Authentication Service.

    After the install completes, the IAS console is located under Control Panel -> Administrative Tools. Run Windows Update again after you are done to make sure the server is fully patched.

  5. Go into the IAS console. The first thing to do is add your wireless controller(s) as a RADIUS client: right-click the RADIUS Clients folder and select New -> RADIUS Client. For the Friendly name enter "Wireless Controller", then enter your wireless controller's IP address.

    Next you will be asked to select a Client-Vendor and to define a shared secret. Use RADIUS Standard as the Client-Vendor (this worked in our case; we use an Aruba controller), enter the shared secret your network administrator provided, and select Finish.

    Next we have to add the eduroam-US top level server(s) as a RADIUS client. The same process applies as above, but use the shared secret that you agree upon with the eduroam-US admin team.

  6. Next we need to create a Remote Access Policy. Right-click Remote Access Policies and select New -> Remote Access Policy. Give the policy a name (e.g. "Wireless eduroam Users"). On the next screen select Wireless. On the next screen select User - User access permissions are specified in the user account. Now you will be asked what EAP type to use. IAS only supports "PEAP" and "EAP-TLS"; select PEAP, then Next.

    Double-click the new Wireless eduroam Users policy, click the Edit Profile button, and on the Authentication tab check Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and check Unencrypted authentication (PAP, SPAP). Make sure this Remote Access Policy is first in the policy order.

  7. Go into the local Windows Firewall on the IAS server and for the UDP exceptions you added earlier (ports 1645, 1646, 1812 and 1813) add an exception for your local Wireless Controller(s).
  8. Go into the Active Directory Users and Computers tool on a Domain Controller and edit the accounts of the people you want to grant eduroam access. To do this, go to the account's Dial-in tab and select Allow access. We wrote a script that does an LDAP modify on every Wheaton account so this option is always allowed.
  9. Make sure that IAS logging is turned on. You can do this by going to Remote Access Logging inside IAS and then to Local File. We pointed the logs to be created inside the folder C:\Windows\system32\LogFiles; you can put them wherever you like.
  10. Now we have to create a remote RADIUS server group that will contain the eduroam-US top level server(s). This is so that when a visiting user on our campus tries to connect to our "eduroam" SSID, we know to refer the RADIUS request up the chain to the eduroam-US top level server(s). Go into the IAS console, located under Control Panel -> Administrative Tools. Expand the Connection Request Processing node, right-click Remote RADIUS Server Groups, select New Remote RADIUS Server Group, and click Next at the initial wizard screen. Keep the default option of Typical and enter a Group name (we called ours "eduroam"). You will then be asked for the Primary server, which is the IP address of the top level eduroam-US RADIUS server, and for the Server group shared secret, where you enter (and confirm) the shared secret that the eduroam-US admin provides for you. Then complete the wizard.
  11. Now we have to create Connection Request Policies for the different connection scenarios. They are:
    1. "USTopLevel (Wheaton users abroad)" - This policy is first in the list and it handles requests coming from the eduroam-US top level server(s) with the person's login name containing "@wheatonma.edu". The policy conditions are:

      User-Name matches ".*@wheatonma.edu" AND
      Client-IP-Address matches "<eduroam-US top level server(s)>"

      Under Edit Profile on the Authentication tab select Authenticate requests on this server.

    2. "Wheaton (local Wheaton users on campus using wheatonma.edu)" - This policy is second in the list and it handles requests coming from on campus (our wireless controller) with the person's login name containing "@wheatonma.edu". The policy conditions are:

      User-Name matches ".*@wheatonma.edu" AND
      Client-IP-Address matches "155.47.20.3"

      Under Edit Profile on the Authentication tab select Authenticate requests on this server.

    3. "External (people visiting Wheaton)" - This policy is last in the list and it handles requests coming from on campus (our wireless controller); it should be triggered for outside users, since the previous policy already handled Wheaton users locally, so this one catches everyone else, such as "user@otherschool.edu". The policy conditions are:

      User-Name matches ".*@.*" AND
      Client-IP-Address matches "155.47.20.3"

      Under Edit Profile on the Authentication tab select Forward requests to the following remote RADIUS server group for authentication and select eduroam.

      On the Accounting tab select Record accounting information on the servers in the following RADIUS server group and select eduroam.

  12. To make sure that the IAS server is using your Certificate Authority-issued SSL certificate, go to Remote Access Policies -> Wireless eduroam Users -> Edit Profile -> Authentication -> EAP Methods -> Highlight "Protected EAP (PEAP)" and click Edit and it should list your SSL certificate.
  13. Create a local user within Active Directory with the name eduroam_test and send that, along with the user's password, to the eduroam-US admins so they can test from their campus. NOTE: Make sure you set up this Active Directory user so that the account is not disabled, dial-in access is allowed, the password never expires, and the user cannot change the password. The eduroam-US admins will also create a user on their end (e.g. wheatonma_test@eduroamus.edu) so you can test as a 'remote' user on your campus.
  14. Have your network admin configure the wireless network for eduroam by pointing the RADIUS requests to your IAS server.
  15. Test the different scenarios:
    1. A Wheaton user off campus using eduroam_test@wheatonma.edu as the user name (the eduroam-US team can test this).
    2. A Wheaton user on campus using eduroam_test@wheatonma.edu as the user name.
    3. A visiting user on our campus using wheatonma_test@eduroamus.edu as the user name (the eduroam-US team can help troubleshoot issues with logging in).
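As an added illustration (not part of the original instructions or of IAS itself), the following Python models the first-match evaluation of the three Connection Request Policies from step 11 against the test scenarios from step 15. The TLRS addresses, the Policy class and the route function are constructed for this example, and User-Name matching is modelled as an unanchored regex search, as the patterns are written above.

```python
import re
from dataclasses import dataclass

# Constructed addresses: the controller IP is the one used in the policies above;
# the TLRS addresses are placeholders for "<eduroam-US top level server(s)>".
CONTROLLER = "155.47.20.3"
TLRS = frozenset({"198.51.100.10", "198.51.100.11"})  # placeholder, not the real TLRS

@dataclass(frozen=True)
class Policy:
    name: str
    user_name: str          # pattern applied to the User-Name attribute
    client_ips: frozenset   # Client-IP-Address values the policy accepts
    action: str             # "local" = authenticate here, "forward" = eduroam server group

# The three Connection Request Policies from step 11, in the order the page gives them.
POLICIES = (
    Policy("USTopLevel", r".*@wheatonma.edu", TLRS, "local"),
    Policy("Wheaton", r".*@wheatonma.edu", frozenset({CONTROLLER}), "local"),
    Policy("External", r".*@.*", frozenset({CONTROLLER}), "forward"),
)

def select_policy(user_name, client_ip, policies=POLICIES):
    """First-match evaluation: the first policy whose conditions all hold wins.
    User-Name is checked with an unanchored regex search (an assumption about
    how the page's patterns behave in IAS pattern matching)."""
    for policy in policies:
        if re.search(policy.user_name, user_name) and client_ip in policy.client_ips:
            return policy
    return None  # no policy matched; the request is not processed

def route(user_name, client_ip, policies=POLICIES):
    """Return (policy name, action), or ("none", "discard") if nothing matches."""
    policy = select_policy(user_name, client_ip, policies)
    return (policy.name, policy.action) if policy else ("none", "discard")

if __name__ == "__main__":
    # Constructed requests: the three test scenarios from step 15 plus two nothing covers.
    requests = [
        ("eduroam_test@wheatonma.edu", "198.51.100.10"),    # Wheaton user abroad, via TLRS
        ("eduroam_test@wheatonma.edu", CONTROLLER),         # Wheaton user on campus
        ("wheatonma_test@eduroamus.edu", CONTROLLER),       # visitor on campus
        ("eduroam_test", CONTROLLER),                       # no realm: ".*@.*" needs an "@"
        ("wheatonma_test@eduroamus.edu", "198.51.100.10"),  # foreign realm arriving from TLRS
    ]
    for user, ip in requests:
        print(f"{user:32} from {ip:15} -> {route(user, ip)}")
    # Ordering matters: with External first, local users would be forwarded upstream.
    print("reversed order:", route("eduroam_test@wheatonma.edu", CONTROLLER, POLICIES[::-1]))
```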