Improve Wireless security with Windows Home Server

Wireless networks are always less protected than wired LANs since they do not require physical access to a cable inside the building. Enterprises use 802.1x to strengthen the security of the wireless network. With Windows Home Server this is also possible. Before using the wireless network, users are asked to enter their username and password. Based on group membership, the user is granted or denied use of the wireless network.

What we need:

  • Windows Home Server installed + DVD
  • Wireless Access Point with 802.1x support
  • Client with Windows XP or Windows Vista

We start with the server-side setup. For the access point to verify the user's credentials, we are going to install a RADIUS server. The access point forwards the username/password request from the client to the RADIUS server, which simply answers with access granted or access denied.

We need to create a group that will hold all the persons that are granted access to the wireless service. Log on to the Windows Home Server using remote access and click Start. Right click My Computer and select Manage.


Go to System Tools > Local Users and Groups. From the Action menu, select New Group.

For the name, type Wireless and click Add. Add all the users who need access to the wireless service. Click OK.

Next we need to install the Radius server on the Windows Home Server.

Log on to the Windows Home Server console and go to Start > Control Panel > Add or Remove Programs.


Click on Add or Remove Windows Components, scroll down the menu and click on Network Services, then click Details.


Select Internet Authentication Service and click OK

Click Next on the Windows Components Wizard page. You will be asked for the Windows Home Server DVD. If the server does not have a local DVD drive please do the following:

On a client, insert the Windows Home Server DVD. Go to My Computer, right click the DVD and select Explore. Right click the i386 folder and select Copy. Select the Shared Folders icon on your desktop and select Software. Paste the i386 folder there. In the Windows Home Server console, in the location window, browse to D:\Shares\Software\i386.

If the server has a DVD drive, insert the Windows Home Server DVD and select E:\i386 as the source for the files. The server will now install the RADIUS server that the access point will connect to.

Once the installation is complete we need to configure the radius server. Go to Start > Control Panel > Administrative Tools and select Internet Authentication Service.


Select Radius clients, click on Action in the menu bar and select New Radius Client

For the friendly name, type Access point and give the IP address that the access point will have. If you have a router with wireless integrated this will be the same as your default gateway.


For the Client Vendor, leave the setting at Radius Standard. Type a password that the access point will use. Write the password down, since we also need to configure the same password in the access point.
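The password entered here is the RADIUS shared secret: the access point uses it to check that a granted/denied reply really comes from the server it is configured for. The following is an added example, not part of the original article, that builds a minimal Access-Request and verifies the Response Authenticator as defined in RFC 2865; the function names, secret and user name are constructed for illustration, and the PEAP exchange carried in EAP-Message attributes is left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # attribute type from RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(identifier: int, username: str) -> bytes:
    """Access-Request as the access point sends it, with a random authenticator."""
    attrs = attribute(USER_NAME, username.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; authenticator = MD5(code+id+length+request_auth+attrs+secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check the access point runs before acting on an accept or reject."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret"   # constructed sample value
    req = build_request(7, "alice")          # constructed user name
    accept = build_response(ACCESS_ACCEPT, req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    return {"genuine": verify_response(accept, req, secret),
            "forged": verify_response(forged, req, secret)}


if __name__ == "__main__":
    print(demo())
```

A reply computed with a different secret, or one whose code byte is changed after the fact, fails the check, which is why the value typed in the server and in the access point must match exactly.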

Next we need to create a policy that defines, among other things, which group is used to verify the users. Select Remote Access Policies. From the Action menu, select New Remote Access Policy.

 

On the welcome page, click Next. On the Policy Configuration Method page, select Use the wizard to setup a typical policy for a common scenario and fill in a name (wireless policy) and click Next.

 

Select Wireless on the Access Method page and click Next.

 

On the User or Groups page, select Add and type Wireless (the group name we used earlier). Click Next if the group is added. Then click Next again.

On the Authentication Methods page, select Protected EAP (PEAP) and click Next.


Click Finish on the last page.

Finally, on the home server we need to open firewall ports so that the RADIUS server can be reached.

Go to Start > Control Panel > Windows Firewall. Click on the Exceptions tab. Click Add Port.


For the name, type Radius 1813, and for the port, type 1813. Also make sure to select UDP. Repeat this for the following numbers: 1812, 1813, 1645, 1646.

 

Click OK to close the Windows Firewall page.

This concludes the server side of the configuration.

The next part is specific for each brand of Wireless access point (router), in this example a Linksys access point is used.

Open the configuration page of the access point by browsing to the IP address in Internet Explorer.


Select Edit Security.

In the pop-up window, select WPA Radius.


Fill in the IP address of the Windows Home Server (Radius Server Address) and the password we entered earlier.

Click Save Settings.

Now we need to configure the wireless client (your home computer). This document only describes the Vista configuration:

Click the Network icon and select Network and Sharing Center.


Go to the Network and Sharing Center


Select Manage Wireless Networks


On the Wireless Networks page, select Add


Select Manually Create a Network Profile


Enter the Network ID (mind capitals!!), select WPA-Enterprise and TKIP. Also make sure to check BOTH checkboxes.


On the next page select Change Connection settings

Select the Security tab


Make sure WPA-Enterprise and TKIP are selected. For the Authentication method, select Microsoft Protected EAP (PEAP).

Select Settings


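De-select Validate Server certificate. With this box cleared, the client does not verify the identity of the RADIUS server before sending credentials through the PEAP tunnel.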

Select Configure and de-select Automatically use my …..

Click OK on all windows.

Select OK on all boxes and wait for the prompt to enter username and password

Enter your username and password and you’re online!