We have successfully implemented Radius server authentication using Microsoft IAS for our wireless access points. For a small institution such as ours, inexpensive, centralized authentication is essential. Our access points cost about $200 each, and the IAS server is part of Windows 2000 Server.
We purchased Netgear WG302 wireless access points over a year ago. These are medium-priced access points, somewhere between low-end residential models and expensive, corporate models. We were hoping to centralize administration either by FTP-ing a config file to each access point or installing a Radius server. Last year, both methods failed. The FTP server within the access point limited the number of MAC addresses you could upload to 10. The access point’s support for Radius was limited to WPA. That would require us to distribute a password to students, which we did not want to do.
We were upset that the access point did not live up to advance billing, since two of the centralized administration protocols did not work in a practical manner. However, our network admin managed to develop a scheme that worked all last year despite its awkwardness: a macro that would successively visit the web administration page of each access point and add one address at a time. Unbelievably, it worked, but it took a while to run and would not permit batch additions or subtractions. Clearly a short-term solution.
Fortunately for us, Netgear updated their access point firmware this year to allow Radius for MAC access control. Now, when you turn access control on, you have the option of using either a local MAC address database or a Radius server. Nonetheless, it still required our network admin three days of trial and error to get it to work, since documentation was both scarce and conflicting. A couple of key tips were that it only worked if the MAC address objects in Active Directory were all lower-case, the AD password was lower-case, and dial-in/remote access permission for the AD object was turned on.
Two great features of the new system are that one can quickly create or update a MAC address by manipulating AD objects, and one may monitor access point status in the event log.
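The following is an added example, not code from the original post: it reconciles a desired MAC roster against an export of AD objects and flags the lower-case and dial-in pitfalls listed above. The record fields (`name`, `dialin_allowed`), the separator-free name format, and all sample data are assumptions constructed for illustration.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return 12 lower-case hex digits, or None if malformed.
    Assumption: AD objects are named without separators; the post only says lower-case."""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    return mac if HEX12.match(mac) else None

def plan_changes(roster, ad_objects):
    """Compare the wanted MACs with exported AD objects and return a batch plan."""
    wanted, rejected = set(), []
    for raw in roster:
        mac = normalize_mac(raw)
        if mac:
            wanted.add(mac)
        else:
            rejected.append(raw)           # malformed input, never sent to AD
    existing, fix = {}, []
    for obj in ad_objects:
        mac = normalize_mac(obj["name"])
        if mac is None:
            continue                       # ordinary account, not a MAC object
        existing[mac] = obj
        if mac in wanted:
            problems = []
            if obj["name"] != mac:
                problems.append("name is not the normalized lower-case form")
            if not obj["dialin_allowed"]:
                problems.append("dial-in permission off")
            if problems:
                fix.append((obj["name"], problems))
    return {"add": sorted(wanted - set(existing)),
            "remove": sorted(set(existing) - wanted),
            "fix": fix, "rejected": rejected}

# Constructed sample data (locally administered addresses, not real devices).
ROSTER = ["02:00:00:12:34:56", "02-00-00-ab-cd-ef", "020000zz0000",
          "020000777777", "02:00:00:00:00:01"]
AD_OBJECTS = [{"name": "020000123456", "dialin_allowed": True},
              {"name": "020000ABCDEF", "dialin_allowed": True},
              {"name": "020000999999", "dialin_allowed": False},
              {"name": "020000777777", "dialin_allowed": False},
              {"name": "jsmith", "dialin_allowed": False}]

if __name__ == "__main__":
    for key, value in plan_changes(ROSTER, AD_OBJECTS).items():
        print(key, value)
```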
Write me if you want more implementation details. I would not be surprised if the required tips vary from platform to platform.
[Update] Implementation details posted here.