Step 4: Configuring the authentication server

With wireless networks proliferating it is a good idea to understand what it takes to build a VPN for a wireless gateway. Contributor and Microsoft MVP Brien Posey details the necessary steps in this step-by-step guide.

As I explained earlier, we are going to be using the IAS service as an authentication mechanism for users attaching to your wired network via the VPN. As such, your IAS server must be a member server in your domain and must be running Windows Server 2003.

To install IAS, open the Control Panel and choose the "Add/Remove Programs" option. When the "Add or Remove Programs" dialog box appears, click the "Add/Remove Windows Components" button. Windows will now display a list of the Windows components that you can install. Select the "Networking Services" option and click the "Details" button. Now, select the "Internet Authentication Service" option and click "OK," followed by "Next," to install IAS.

Now that IAS has been installed, you will have to configure it. To do so, choose the "Internet Authentication Service" option from the "Administrative Tools" menu. The first thing that you must do is register your IAS server with Active Directory. To do so, right-click on the "Internet Authentication Service (Local)" container and select the "Register Server in Active Directory" option. Click "OK" to complete the registration process.

Once the service has been registered with Active Directory, the next thing that you will have to do is create an Active Directory group for the VPN. The users that you add to this group will be the users who are allowed to access the network through the VPN.

After you have created the Active Directory group, it's time to create a remote access policy. To do so, right-click on the "Remote Access Policies" container in the "Internet Authentication Service" console, and select the "New Remote Access Policy" option from the shortcut menu. This will open the "New Remote Access Policy" wizard. Click "Next" to bypass the wizard's welcome screen. The following screen asks you for a policy name. Verify that the "Typical Policy for a Common Scenario" option is selected and then enter "VPN Access" as the policy name. Click "Next" to continue.

On the following screen, select the "VPN" option and click "Next" again. The following screen will give you the opportunity to apply the policy to either users or groups. Select the VPN users group that you created earlier, thereby assigning the newly created VPN access policy to the VPN users group.

Click "Next" and you will see the "Authentication Methods" screen. I recommend starting out by using MS-CHAPv2. Later on, you will want to come back and switch to EAP. I recommend this order because MS-CHAPv2 does not require certificates from your enterprise certificate authority. Starting out with MS-CHAPv2 is a great way to verify that all of the other components of your wireless VPN are working correctly before you throw certificates into the mix. If you decide to make the switch to EAP later on, you will have to associate a certificate with the EAP protocol on the IAS server. There is an excellent article on the Microsoft Web site regarding how to request certificates from a certificate authority.

To configure MS-CHAPv2 authentication, make sure that the "MS CHAP" option is selected and click "Next." On the following screen, verify that only the "Strongest Encryption" option is selected and click "Next," followed by "Finish."
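IAS is Microsoft's RADIUS server, so once the policy above is in place the VPN server will present every connection attempt to IAS as a RADIUS Access-Request and act on the Access-Accept or Access-Reject it gets back. The following Python example is added here to show what that exchange looks like on the wire; it is not code from the article or from Microsoft. It encodes an Access-Request carrying the attributes the wizard's "VPN" scenario matches on (NAS-Port-Type = Virtual) and an Access-Accept carrying the Microsoft vendor-specific MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types attributes (RFC 2548) that correspond to the "Strongest Encryption" choice, and it verifies the RFC 2869 Message-Authenticator and the RFC 2865 Response Authenticator, both of which depend on the RADIUS shared secret configured between the VPN server and IAS. The user name, NAS address and shared secret are constructed values; the MS-CHAPv2 challenge/response attributes themselves and the Windows group lookup IAS performs are not modelled.

```python
"""Minimal RADIUS (RFC 2865/2869) codec for a VPN Access-Request/Access-Accept
round trip between a VPN server (the NAS) and an IAS/RADIUS server.
Added example; all sample values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 4, 6, 7
VENDOR_SPECIFIC, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 26, 61, 80
NAS_PORT_TYPE_VIRTUAL = 5            # the "Virtual (VPN)" port type the IAS policy matches
MICROSOFT_VENDOR_ID = 311
MS_MPPE_ENCRYPTION_POLICY, MS_MPPE_ENCRYPTION_TYPES = 7, 8   # RFC 2548 vendor types
MPPE_ENCRYPTION_REQUIRED, MPPE_128_BIT = 2, 4                # "Strongest Encryption" only


def vsa(vendor_id, vendor_type, value):
    """Wrap a vendor attribute in an RFC 2865 Vendor-Specific (type 26) value."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs, secret=None):
    """Serialise header + attributes. If a shared secret is given, append a
    Message-Authenticator: HMAC-MD5 keyed with the secret over the whole packet
    with the attribute's own 16 bytes zeroed (RFC 2869 section 5.14)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body
    if secret is not None:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def parse_packet(packet):
    """Decode a packet into (code, identifier, authenticator, [(type, value)]),
    rejecting inconsistent length fields so a bad attribute cannot loop or overrun."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 with the attribute zeroed; constant-time compare."""
    parse_packet(packet)                      # structural validation first
    pos = 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False                              # missing: treat as unauthenticated


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The Message-Authenticator is computed first, with the Request Authenticator
    still in the header, as RFC 2869 requires."""
    packet = build_packet(code, identifier, request_authenticator, attrs, secret)
    resp_auth = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[:4] + resp_auth + packet[20:]


def verify_response(packet, request_authenticator, secret):
    """What the VPN server must check before honouring an Access-Accept."""
    _, _, resp_auth, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    as_sent = packet[:4] + request_authenticator + packet[20:]
    return verify_message_authenticator(as_sent, secret)


def demo(secret=b"constructed-shared-secret"):
    """Constructed round trip for a domain user dialling in over the VPN."""
    request_auth = os.urandom(16)             # Request Authenticator is random per request
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (USER_NAME, b"EXAMPLE\\alice"),                      # constructed account
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),             # constructed VPN server address
        (SERVICE_TYPE, struct.pack("!I", 2)),                 # Framed
        (FRAMED_PROTOCOL, struct.pack("!I", 1)),              # PPP
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    ], secret)
    _, ident, auth, attrs = parse_packet(request)
    port_type = struct.unpack("!I", dict(attrs)[NAS_PORT_TYPE])[0]
    accept = build_response(ACCESS_ACCEPT, ident, auth, [
        (VENDOR_SPECIFIC, vsa(MICROSOFT_VENDOR_ID, MS_MPPE_ENCRYPTION_POLICY,
                              struct.pack("!I", MPPE_ENCRYPTION_REQUIRED))),
        (VENDOR_SPECIFIC, vsa(MICROSOFT_VENDOR_ID, MS_MPPE_ENCRYPTION_TYPES,
                              struct.pack("!I", MPPE_128_BIT))),
    ], secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])     # one flipped byte in flight
    return {
        "request_ma_ok": verify_message_authenticator(request, secret),
        "request_ma_wrong_secret": verify_message_authenticator(request, b"other-secret"),
        "port_type_is_vpn": port_type == NAS_PORT_TYPE_VIRTUAL,
        "accept_ok": verify_response(accept, request_auth, secret),
        "tampered_accept_ok": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for the defender is the shared secret: it is the only thing that authenticates the VPN server to IAS and IAS to the VPN server, so it should be long and random, unique per RADIUS client, and the VPN server should refuse any Access-Accept whose Response Authenticator or Message-Authenticator does not verify, exactly as the tampered packet is refused here.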

How to create a VPN for your wireless network

Home: Introduction
Step 1: Server requirements
Step 2: Server placement
Step 3: Setting up the certificate authority
Step 4: Configuring the authentication server
Step 5: Configuring the VPN server
Step 6: Configuring wireless clients

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at
Copyright 2005 TechTarget