Windows Server 2k8r2 RADIUS (Part 2)

Apr 06, 2018

8/3/2019 Windows Server 2k8r2 RADIUS (Part 2)

Introduction

In Part 1, we discovered why businesses must use the Enterprise mode of Wi-Fi Protected Access (WPA or WPA2) rather than the Personal (PSK) mode. We learned that the 802.1X authentication of the Enterprise mode requires a RADIUS server, which is included in Windows Server.

We already installed and configured the Certificate Services in Windows Server 2008. In this part, we'll continue by installing and configuring the Network Policy and Access Services. Then we'll set up the wireless controllers and/or access points (APs) with the encryption and RADIUS settings. Next we'll configure the client computers. Then we'll finally be able to connect.

Install the Network Policy and Access Services Role

In previous versions of Windows Server, RADIUS functionality was provided by the Internet Authentication Service (IAS). Starting in Windows Server 2008, it's provided by the Network Policy and Access Services. This includes the previous IAS services along with the new NAP feature.

On the Initial Configuration Tasks window, scroll down, and click Add roles. If you've closed or hidden that window, click Start > Server Manager, select Roles, and click Add Roles.

Select Network Policy and Access Services (see Figure 1), and click Next.

Figure 1: Choose to install the Network Policy and Access Services role


Review the introduction, and click Next.

Select the following (see Figure 2):

- Network Policy Server
- Routing and Remote Access Services
- Remote Access Services
- Routing

Figure 2: Select to install the first four options

Click Next. Then click Install, wait for the installation to complete, and then click Close.

Now you can begin configuring NPS for the RADIUS functionality: click Start, type nps.msc, and hit Enter.

For the Standard Configuration option, select RADIUS server for 802.1X Wireless or Wired Connections (see Figure 3) from the drop-down menu.


Figure 3: Choose the RADIUS server for 802.1X

Click Configure 802.1X.

For the Type of 802.1X connections, select Secure Wireless Connections (see Figure 4), and click Next.


Figure 4: Select to secure wireless connections

For each wireless controller and/or access point, click Add to create a new RADIUS client entry. As Figure 5 shows, you'll be specifying a friendly name, which should help you identify it from the others, the IP or DNS address, and a Shared Secret.


Figure 5: Input your wireless controller or access point details

These Shared Secrets are important to the authentication and encryption. Make them long and complex, like passwords. They should be unique to each controller/AP. Later, you'll enter the same Shared Secrets into the corresponding controller/AP. Remember to keep them secret and store them safely.
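As an added example (not part of the original article), the PowerShell script below does the role installation from the section above and the RADIUS client registration from this one in a single pass on Windows Server 2008 R2: it installs the role services selected in Figure 2, then registers each controller/AP as an NPS RADIUS client with its own long, randomly generated shared secret. It uses netsh nps because the NPS PowerShell cmdlets are not available on 2008 R2. The AP names and addresses are constructed sample values, and the script assumes an elevated PowerShell 2.0 session on the NPS server.

```powershell
# Added example, not from the original article. Assumes an elevated
# PowerShell 2.0 prompt on the Windows Server 2008 R2 NPS machine.
Import-Module ServerManager

# Role services the article selects in the Add Roles wizard (Figure 2).
$roleServices = 'NPAS-Policy-Server', 'NPAS-RRAS-Services', 'NPAS-RRAS', 'NPAS-Routing'
Add-WindowsFeature $roleServices | Out-Null
Get-WindowsFeature 'NPAS*' | Where-Object { $_.Installed } |
    ForEach-Object { Write-Host ("Installed: " + $_.Name) }

function New-RadiusSharedSecret {
    # Long random secret drawn from a conservative printable set that AP firmware
    # and netsh both accept without quoting trouble. NPS allows up to 128 chars.
    param([int]$Length = 48)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#+-?@_'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $one = New-Object byte[] 1
    $limit = $alphabet.Length * [math]::Floor(256 / $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        # Rejection sampling keeps every character equally likely (no modulo bias).
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

# Constructed inventory: one entry per controller/AP. Each gets its OWN secret,
# so a secret read out of one AP's configuration does not cover the others.
$accessPoints = @(
    @{ Name = 'AP-Lobby';  Address = '192.0.2.10' },
    @{ Name = 'AP-Floor2'; Address = '192.0.2.11' }
)

$vault = Join-Path $env:USERPROFILE 'radius-secrets.dpapi'
foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    # Register the RADIUS client (the same entry the wizard creates in Figure 5).
    netsh nps add client name="$($ap.Name)" address="$($ap.Address)" state="enable" sharedsecret="$secret"
    # Keep a DPAPI-protected copy (decryptable only by this user on this server)
    # and show the plaintext once so it can be entered into the AP's RADIUS settings.
    $protected = ConvertTo-SecureString $secret -AsPlainText -Force | ConvertFrom-SecureString
    "$($ap.Name),$protected" | Out-File -FilePath $vault -Append -Encoding ASCII
    Write-Host ("{0} ({1}): {2}" -f $ap.Name, $ap.Address, $secret)
}

# List the registered clients to confirm each AP is present and enabled.
netsh nps show client
```

The secret generator uses the CSPRNG rather than Get-Random, and rejection sampling rather than a plain modulo, so every character is uniformly likely; 48 characters from a 69-character set is far beyond what the 128-character NPS limit requires but still fits the limits of most AP firmware.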

For the Authentication Method, select Microsoft Protected EAP (PEAP), since we're using PEAP. Click the Configure button, select the certificate you created earlier, and click OK.

On the Specify User Groups window (see Figure 6), click Add.


Figure 6: Add the user groups you want to be able to connect

On the Select Group dialogs, enter the groups or click Advanced to search for the available groups. If you haven't created additional groups, you probably want to select Domain Users to allow users, and Domain Computers for machine authentication if your controllers/APs support it. If you receive an error that the domain doesn't exist, restart the Active Directory Domain Services server and try again. Once you've added the desired group(s), click Next to continue.

On the Configure a VLAN window (see Figure 7), if your network (switches and controllers/APs) supports VLANs and you have them configured, click Configure to set up the VLAN functionality.


Figure 7: Click the Configure button to define the VLAN settings

Once you're done configuring the VLANs, click Next.

Review the settings and click Finish.

Configure the wireless controllers and/or APs

Now it's time to configure the wireless controllers or access points (APs). Bring up the web-based GUI for each one by entering its IP address into a browser. Then navigate to the wireless settings.

Choose WPA-Enterprise or WPA2-Enterprise. For the encryption type, select TKIP if using WPA or AES if using WPA2. Then enter the IP address of the RADIUS server, which is the Windows Server machine you just set up. Next, enter the shared secret you created earlier for the particular controller/AP. Then save the settings.


Install the CA Certificate on Client Computers

In Part 1, you created your own Certificate Authority (CA) and server certificate. Thus you must install the CA certificate onto your client computers. This way the clients can validate the server before performing the authentication.

If you're running a domain network with Active Directory, you may want to deploy this certificate with Group Policy. However, you can also manually install it, as we'll discuss.

To view and manage the certificates in Windows Server 2008, bring up the Certificate Manager. If you saved that MMC to your desktop in Part 1, open it. Otherwise, follow these steps again:

1. Click Start, type MMC, and hit Enter.
2. On the MMC window, click File > Add/Remove Snap-in.
3. Select Certificates, and click Add.
4. Select Computer account, and click Next.
5. Select Local computer, click Finish, and then OK.

Tip: Again, you might want to save this MMC to your desktop for easier access later: click File > Save.

Now expand Certificates (Local Computer Account), expand Personal, and click Certificates.

As Figure 8 shows, right-click the certificate with the Issued To value ending in CA, hover over All Tasks, and choose Export. Then follow the wizard to export. When prompted, don't export the private key, but use the DER format. You probably want to export to a flash drive so you can take it around to the client computers.


Figure 8: Exporting the CA certificate to install onto the clients

Now on the client computers, double-click the certificate and click the Install Certificate button (see Figure 9). Use the wizard to import it into the Trusted Root Certification Authorities store.
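As an added example, not from the original article, here is a scripted version of the same export and import steps: one function runs on the Windows Server 2008 R2 CA and writes the CA certificate as DER without its private key, the other runs on each client and imports it into Trusted Root Certification Authorities, refusing anything that is not actually a CA certificate, with a final check on the Root store. It uses only .NET classes available to PowerShell 2.0 (so it works on Windows 7 as well as the server); the output path is a constructed placeholder.

```powershell
# Added example, not from the original article. Run Export-CaCertificateDer on
# the CA server and Import-CaCertificateToRoot on each client, both elevated.
$exportPath = 'E:\corp-ca.cer'   # constructed placeholder: a file on the flash drive

function Export-CaCertificateDer {
    param([string]$Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    # Same rule as the article's Figure 8: the certificate whose Issued To (subject CN) ends in CA.
    $ca = $store.Certificates | Where-Object { $_.Subject -match 'CN=[^,]*CA(,|$)' } | Select-Object -First 1
    $store.Close()
    if (-not $ca) { throw 'No certificate with a subject CN ending in CA found in the Personal store.' }
    # X509ContentType.Cert writes the public certificate only (DER); the private key never leaves the server.
    $der = $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $ca.Thumbprint
}

function Import-CaCertificateToRoot {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Only a certificate marked as a CA (basic constraints) belongs in the Root store.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Refusing to add $($cert.Subject) to Trusted Root: it is not a CA certificate."
    }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $root.Add($cert)   # no-op if the same certificate is already present
    $root.Close()
    return $cert.Thumbprint
}

function Test-TrustedRoot {
    # True when a certificate with this thumbprint is in the machine's Root store.
    param([string]$Thumbprint)
    return [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# On the CA server:
#   $thumb = Export-CaCertificateDer -Path $exportPath
# On each client, with the same file (the thumbprints should match):
#   $thumb = Import-CaCertificateToRoot -Path $exportPath
#   Test-TrustedRoot -Thumbprint $thumb
```

Comparing the thumbprint returned on the server with the one returned on each client is a cheap way to confirm that the file was not swapped or corrupted on its way around on the flash drive, and the basic-constraints check prevents the common mistake of dropping the server's own certificate into the Root store.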


Figure 9: Installing the CA certificate onto a client.

Configure the Network Settings on Client Computers

Now you can configure the network settings. As with the certificate installation, you can push the network settings to clients using Group Policy if you're running a domain network with Active Directory. However, you can also manually configure the clients, as we'll discuss for Windows XP, Vista, and 7.

First, manually create a network profile or preferred network entry. For the Security Type, choose WPA-Enterprise or WPA2-Enterprise. For the Encryption Type, select TKIP if using WPA or AES if using WPA2.

Open the network profile and select the Security tab (in Vista & 7) or Authentication tab (in XP). In XP, check the Enable IEEE 802.1x authentication for this network option.

For the Network Authentication method (in Vista & 7, as Figure 10 shows) or EAP Type (in XP), choose Protected EAP (PEAP). In XP, also deselect both check boxes on the bottom of the window.


Figure 10: Choose PEAP for the authentication method

In Windows 7 only, click the Advanced Settings button on the Security tab. Then on the Advanced Settings window, check the Specify authentication mode option, choose User Authentication, and click OK to return to the Security tab.

Click the Settings (in Vista & 7) or Properties (in XP) button.

Then on the Protected EAP Properties dialog, follow these steps (Figure 11 shows an example):

- Check the first box, Validate server certificate.
- Check the second box, Connect to these servers, and enter your server's full computer name. If needed, double-check it on Windows Server by clicking Start > Server Manager.
- In the Trusted Root Certification Authorities list box, select the CA certificate you just imported.
- Select Secured password (EAP-MSCHAP v2) for the Authentication Method.


Figure 11: Configure the PEAP properties

- Click the Configure button. If you're running a domain network with Active Directory, you probably want to keep the option to automatically use the Windows logon checked. Otherwise, uncheck it so the user can enter their username and password when connecting to the network.

Finally, click OK on the dialog windows to save the settings.

Finally, Connect and Logon!

Now that you have the server, APs, and clients configured, you can try to connect.

On a client computer, choose the network from the list of available wireless networks. Unless you enabled the client to automatically use its Windows logon, you'll be prompted to enter the login credentials, as Figure 12 shows. Use an account on the Windows Server belonging to the group(s) you configured earlier in the Network Policy and Access Services portion of the setup. If you chose the Domain Users group, the Administrator account should be allowed by default.

Figure 12: The login window.

Now you should have an 802.1X-authenticating and Enterprise-encrypted network, thanks to Windows Server 2008 for providing the RADIUS functionality. We've set up the server, wireless APs, and clients for the PEAP authentication. End-users should be able to log in with their accounts.

To manage the RADIUS server settings, such as adding or removing APs, use the Network Policy Server utility: click Start > All Programs > Administrative Tools > Network Policy Server.