Richard Kassissieh is Director of Information Services at 
RSS 2.0 
RADIUS with IAS and Netgear WG302
Posted by: rkassissieh
December022005
Here is the full documentation for our successful integration of Netgear WG302 wireless access points with Windows 2000 IAS server. Thank you to Richard Bender for writing this up and those who sent me requests for these notes.
Notes on Setting up RADIUS on IAS to use MAC addresses as User IP's
Equipment:
Netgear WG302 ProSafe 802.11g Wireless Access Point
Windows 2000 Server running IAS (Internet Authentication Service)
Situation:
The Netgear ProSafe WG302 provides MAC address filtering for up to 256 MAC addresses. However, if you use multiple WAP's updating them and managing the address list becomes very time consuming. Having a central management point (ie a RADIUS server) would be a perfect solution to this problem.
Why lAS?
If you are running a Win2K server based network it's free and it ties into AD.
The Problem:
Make the WG302 interface with the IAS server so that you can control wireless network access via MAC address filtering.
How to set this up:
Install IAS
On the Win2K server that you intend to use for this add the LAS service
Add/Remove Programs/Windows Components/Networking Services
The IAS MCC will then show up in the Administrative Tools Window
Configure IAS
Register Service in AD so that it can authenticate users and computers
Right-click the root of the tree pane, Internet Authentication Service (Local), and select Register server in Active Directory
Add Clients
Open the IAS MCC\Clients folder
Add your WAP's as clients
Need IP address of each WAP and "shared secret" authentication key
Set up Log File
Don't neglect this, these files can get huge quickly.
Set up Remote Access Policies
At least look at the default policy
(our policy is to grant anyone in the Wireless Access security group remote access)
Configure AD (the tricky part)
Create an OU for MAC Addresses (recommended)
Create a new User in that OU
The user name is the MAC address you wish to add without spaces, hyphens, or periods
Advice: put the MAC address in using lower case letters, then copy it to the clipboard
****CRITICAL STEP****
The user password is the MAC address and you must use lower case letters.
The WG302 sends the MAC address to the IAS server in lower case. If you use upper case letters in the password authentication will fail. Finish tocreate the new account.
Tweak the New Account
Important:
Set membership into a security group that will have remote access (we put all these accounts into a Wireless Access group) or grant user Dial Up access
Optional:
Add the users name in the Description field on the General tab. Add some sort of sorting info into the Office field on the General tab.
Configure the WG302 WAP units Browse to each unit and: Go to the RADIUS Server Settings screen
Set the IP address of the RADIUS server
The port should be 1812 unless you are doing something custom
The "shared secret" authentication phrase is the one you put in earlier on the
IAS server. Go to the Access Control screen
Turn Access Control on
Select Access Control Database: RADIUS MAC Address Database
Reboot the unit
Now when you bring a wireless system, that has an address you have put into the Win2K AD, into range of the WAP it should transparently authenticate against the LAS RADIUS server and get an IP address from your DHCP server. You should see entries like this in your event log:
User 009099blf732 was granted access.
Fully Qualified User Name = domain name/OU/009099blf732
NAS-IP-Address = WAP IP Address
NAS Identifier = WAP MAC Address (don't use this as a template, it is lower case but it uses hyphens)
Client-Friendly Name = WAP name
Client-IP-Address = WAP IP Address
NAS-Port-Type = 19
NAS-Port = 47
Policy-Name = This is the name of the policy set in LAS for remote access users
Authentication-Type = PAP (in our case)
This is useful because it allows you to scan the log and see if each WAP is working. We have found that the new firmware for the WG302 is not perfect (but hey, the first round wouldn't even talk to a RADIUS server) and that occasionally a WAP will "hang" and not communicate with the RADIUS server. Rebooting the unit fixes the problem. For extra style points you could probably write a script that would reboot the units every night to be proactive.
Notes on Setting up RADIUS on IAS to use MAC addresses as User IP's
Equipment:
Netgear WG302 ProSafe 802.11g Wireless Access Point
Windows 2000 Server running IAS (Internet Authentication Service)
Situation:
The Netgear ProSafe WG302 provides MAC address filtering for up to 256 MAC addresses. However, if you use multiple WAP's updating them and managing the address list becomes very time consuming. Having a central management point (ie a RADIUS server) would be a perfect solution to this problem.
Why lAS?
If you are running a Win2K server based network it's free and it ties into AD.
The Problem:
Make the WG302 interface with the IAS server so that you can control wireless network access via MAC address filtering.
How to set this up:
Install IAS
On the Win2K server that you intend to use for this add the LAS service
Add/Remove Programs/Windows Components/Networking Services
The IAS MCC will then show up in the Administrative Tools Window
Configure IAS
Register Service in AD so that it can authenticate users and computers
Right-click the root of the tree pane, Internet Authentication Service (Local), and select Register server in Active Directory
Add Clients
Open the IAS MCC\Clients folder
Add your WAP's as clients
Need IP address of each WAP and "shared secret" authentication key
Set up Log File
Don't neglect this, these files can get huge quickly.
Set up Remote Access Policies
At least look at the default policy
(our policy is to grant anyone in the Wireless Access security group remote access)
Configure AD (the tricky part)
Create an OU for MAC Addresses (recommended)
Create a new User in that OU
The user name is the MAC address you wish to add without spaces, hyphens, or periods
Advice: put the MAC address in using lower case letters, then copy it to the clipboard
****CRITICAL STEP****
The user password is the MAC address and you must use lower case letters.
The WG302 sends the MAC address to the IAS server in lower case. If you use upper case letters in the password authentication will fail. Finish tocreate the new account.
Tweak the New Account
Important:
Set membership into a security group that will have remote access (we put all these accounts into a Wireless Access group) or grant user Dial Up access
Optional:
Add the users name in the Description field on the General tab. Add some sort of sorting info into the Office field on the General tab.
Configure the WG302 WAP units Browse to each unit and: Go to the RADIUS Server Settings screen
Set the IP address of the RADIUS server
The port should be 1812 unless you are doing something custom
The "shared secret" authentication phrase is the one you put in earlier on the
IAS server. Go to the Access Control screen
Turn Access Control on
Select Access Control Database: RADIUS MAC Address Database
Reboot the unit
Now when you bring a wireless system, that has an address you have put into the Win2K AD, into range of the WAP it should transparently authenticate against the LAS RADIUS server and get an IP address from your DHCP server. You should see entries like this in your event log:
User 009099blf732 was granted access.
Fully Qualified User Name = domain name/OU/009099blf732
NAS-IP-Address = WAP IP Address
NAS Identifier = WAP MAC Address (don't use this as a template, it is lower case but it uses hyphens)
Client-Friendly Name = WAP name
Client-IP-Address = WAP IP Address
NAS-Port-Type = 19
NAS-Port = 47
Policy-Name = This is the name of the policy set in LAS for remote access users
Authentication-Type = PAP (in our case)
This is useful because it allows you to scan the log and see if each WAP is working. We have found that the new firmware for the WG302 is not perfect (but hey, the first round wouldn't even talk to a RADIUS server) and that occasionally a WAP will "hang" and not communicate with the RADIUS server. Rebooting the unit fixes the problem. For extra style points you could probably write a script that would reboot the units every night to be proactive.