Windows Server 2k8r2 RADIUS (Part 2)

8/3/2019 Windows Server 2k8r2 RADIUS (Part 2)

1/13

Introduction

In Part 1, we discovered why businesses must use the Enterprise mode of Wi-Fi Protected Access (WPA

or WPA2), versus using the Personal (PSK) mode. We learned the 802.1X authentication of the

Enterprise mode requires the use of a RADIUS server, which is included in Windows Server.

We already installed and configured the Certificate Services in Windows Server 2008. In this part, well

continue by installing and configuring the Network Policy and Access Services. Then well setup the

wireless controllers and/or access points (APs) with the encryption and RADIUS settings. Next well

configure the client computers. Then well finally be able to connect.

Install the Network Policy and Access Services Role

In previous versions of Windows Server, RADIUS functionality was provided by the Internet Authenticate

Service (IAS). Starting in Windows Server 2008, its provided by the Network Policy and Access Services.

This includes the previous IAS services along with the new NAP feature.

On the Initial Configuration Tasks window, scroll down, and click Add roles. If youve closed or hidden

that window, click Start> Server Manager, select Roles, and click Add Roles.

Select Network Policy and Access Services (see Figure 1), and click Next.

Figure 1: Choose to install the Network Policy and Access Services role


2/13

Review the introduction, and click Next.

Select the following (see Figure 2):

y Network Policy Servery Routing and Remote Access Serversy Remote Access Servicesy Routing

Figure 2: Select to install the first four options

Click Next. Then click Install, wait for the installation to complete, and then click Close.

Now you can begin configuring NPS for the RADIUS functionality: click Start, type nps.msc, and hit Enter.

For the Standard Configuration option, select RADIUS server for 802.1X Wireless or Wired

Connections(see Figure 3) from the drop-down menu.


3/13

Figure 3: Choose the RADIUS server for 802.1X

Click Configure 802.1X.

For the Type of 802.1X connections, select Secure Wireless Connections (see Figure 4), and click Next.


4/13

Figure 4: Select to secure wireless connections

For each wireless controller and/or access point, click Add to create a new RADIUS client entry. As Figure

5 shows, youll be specifying a friendly name, which should help you identify it from the others, the IP or

DNS address, and a Shared Secret.


5/13

Figure 5: Input your wireless controller or access point details

These Shared Secrets are important to the authentication and encryption. Make them long and

complex, like passwords. They should be unique to each controller/AP. Later, youll enter the same

Shared Secrets into the corresponding controller/AP. Remember to keep them secret, store them safely.

For the Authentication Method, select Microsoft Protected EAP (PEAP) since were using PEAP.

Click the Configure button, select the certificate you created earlier, and click OK.

On the Specify User Groups window (see Figure 6), click Add.


6/13

Figure 6: Add the user groups you want to be able to connect

On the Select Group dialogs, enter the groups or click Advanced to search for the available groups. If you

havent created additional groups, you probably want to select Domain Users to allow users

and Domain Computers for machine authentication if your controllers/APs support it. If you receive an

error that the domain doesnt exist, restart the Active Directory Domain Services server and try again.

Once youve added the desired group(s), click Next to continue.

On the Configure a VLAN window (see Figure 7), if your network (switches and controllers/APs) support

VLANs and you have them configured, click the Configureto setup the VLAN functionality.


7/13

Figure 7: Click the Configure button to define the VLAN settings

Now youre done configuring the VLANs, click Next.

Review the settings and click Finish.

Configure the wireless controllers and/or APs

Now its time to configure the wireless controllers or access points (APs). Bring up the web-based GUI

for the by entering their IP address into a browser. Then navigate to the wireless settings.

Choose WPA-Enterprise or WPA2-Enteprise. For the encryption type, select TKIP if using WPAorAES if

using WPA2. Then enter the IP address of the RADIUS server, which is the Windows Sever machine you

just setup. Next, enter the shared secret you created earlier for the particular controller/AP. Then save

the settings.


8/13

Install the CA Certificate on Client Computers

In Part 1, you created your own Certificate Authority (CA) and server certificate. Thus you must install

the CA onto your client computers. This way the clients can validate the server before performing the

authentication.

If youre running a domain network with Active Directory, you may want to deploy this certificate with

Group Policy. However, you can also manually install it, like well discuss.

To view and manage the certificates in Windows Server 2008, bring up the Certificate Manager. If you

saved that MMC to your desktop in Part 1, open it. Otherwise, follow these steps again:

1. Click Start, type MMC, and hit Enter.2. On the MMC window, click File>Add/Remove Snap-in.3. Select Certificates, and click Add.4. Select Computer account, and click Next.5. Select Local computer, click Finish, and then OK.

Tip:

Again, you might want to save this MMC to your desktop for easier access later: click File>Save.

Now expand Certificates (Local Computer Account), expand Personal, and click Certificates.

As Figure 8 shows, right-click the certificate with the Issued To value ending in CA, hover over All Tasks,

and choose Export. Then follow the wizard to export. When prompted, dont export theprivate key,

but use the DER format. You probably want to export to a flash drive so you can take it around to the

client computers.


9/13

Figure 8: Exporting the CA certificate to install onto the clients

Now on the client computers, double-click the certificate and click the Install Certificate button (see

Figure 9). Use the wizard to import it into the Trusted Root Certificate Authorities store.


10/13

Figure 9: Installing the CA certificate onto a client.

Configure the Network Settings on Client Computers

Now you can configure the network settings. Like with the certificate installation, you can push the

network settings to clients using Group Policy if youre running a domain network with Active Directory.

However, you can also manually configure the clients, like well discuss for Windows XP, Vista, and 7.

First, manually create a network profile or preferred network entry. For the Security Type choose WPA-

Enterprise orWPA2-Enteprise. For the Encryption Type, select TKIP if using WPA or AES if using WPA2.

Open the network profile and select the Security tab (in Vista & 7) or Authentication tab (in XP). In XP,

check theEnable IEEE 802.1x authentication for this network option.

For the Network Authentication method(in Vista & 7, as Figure 10 shows) or EAP Type (in XP),

choose Protected EAP (PEAP). In XP, also deselect both check boxes on the bottom of the window.


11/13

Figure 10: Choose PEAP for the authentication method

In Windows 7 only, click the Advanced Settings button on the Security tab. Then on the Advanced

Settings window, check the Specify authentication mode option, choose User Authentication, and

click OK to return to the Security tab.

Click the Settings (in Vista & 7) or Properties (in XP) button.

Then on the Protected EAP Properties dialog, follow these steps (Figure 11 shows an example):

y Check the first box, Validate server certificate.y Check the second box, Connect to these servers, and enter your servers full computer name. If

needed, double-check it on Windows Server by clicking Start > Server Manager.

y In the Trusted Root Certification Authorities list box, select CA certificate you just imported.y Select Secured password (EAP-MSCHAP v2) for the Authentication Method.


12/13

Figure 11: Configure the PEAP properties

y Click the Configure button. If youre running a domain network with Active Directory, youprobably want to keep this option checked. Otherwise, uncheck it so the user can enter their

username and password when connecting to the network.

Finally, click OK on the dialog windows to save the settings.

Finally, Connect and Logon!

Now that you have the server, APs, and clients configured, you can try to connect.

On a client computer, choose the network from the list of available wireless networks. Unless you

enabled the client to automatically use its Windows logon, youll be prompted to enter the login

credentials, as Figure 12 shows. Use an account on the Windows Server belonging to the group(s) you


13/13

configured earlier in the Network Policy and Access Services portion of the setup. If you chose the

Domain Users group, the Administrator account should be allowed by default.

Figure 12: The login window.

Now you should have an 802.1X-authenticating and Enterprise-encrypted network, with thanks to

Windows Server 2008 for providing the RADIUS functionality. Weve setup the server, wireless APs, and

clients for the PEAP authentication. End-users should be able login with their accounts.

To manage the RADIUS server settings, such as adding or removing APs, use the Network Policy Server

utility: clickStart>All Programs> Administrative Tools>Network Policy Server.

Windows Server 2k8r2 RADIUS (Part 2)

Documents