8/3/2019 Windows Server 2k8r2 RADIUS (Part 2)
Introduction
In Part 1, we discovered why businesses must use the Enterprise mode of Wi-Fi Protected Access (WPA
or WPA2), versus using the Personal (PSK) mode. We learned the 802.1X authentication of the
Enterprise mode requires the use of a RADIUS server, which is included in Windows Server.
We already installed and configured the Certificate Services in Windows Server 2008. In this part, we'll
continue by installing and configuring the Network Policy and Access Services. Then we'll set up the
wireless controllers and/or access points (APs) with the encryption and RADIUS settings. Next we'll
configure the client computers. Then we'll finally be able to connect.
Install the Network Policy and Access Services Role
In previous versions of Windows Server, RADIUS functionality was provided by the Internet Authentication
Service (IAS). Starting in Windows Server 2008, it's provided by the Network Policy and Access Services.
This includes the previous IAS services along with the new NAP feature.
On the Initial Configuration Tasks window, scroll down, and click Add roles. If you've closed or hidden
that window, click Start > Server Manager, select Roles, and click Add Roles.
Select Network Policy and Access Services (see Figure 1), and click Next.
Figure 1: Choose to install the Network Policy and Access Services role
Review the introduction, and click Next.
Select the following (see Figure 2):
- Network Policy Server
- Routing and Remote Access Services
- Remote Access Service
- Routing
Figure 2: Select to install the first four options
Click Next. Then click Install, wait for the installation to complete, and then click Close.
Now you can begin configuring NPS for the RADIUS functionality: click Start, type nps.msc, and hit Enter.
For the Standard Configuration option, select RADIUS server for 802.1X Wireless or Wired
Connections (see Figure 3) from the drop-down menu.
Figure 3: Choose the RADIUS server for 802.1X
Click Configure 802.1X.
For the Type of 802.1X connections, select Secure Wireless Connections (see Figure 4), and click Next.
Figure 4: Select to secure wireless connections
For each wireless controller and/or access point, click Add to create a new RADIUS client entry. As
Figure 5 shows, you'll specify a friendly name that helps you tell it apart from the others, the IP or
DNS address, and a Shared Secret.
Figure 5: Input your wireless controller or access point details
These Shared Secrets are important to the authentication and encryption. Make them long and
complex, like passwords. They should be unique to each controller/AP. Later, you'll enter the same
Shared Secrets into the corresponding controller/AP. Remember to keep them secret and store them safely.
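One way to produce long, complex secrets that are unique to each controller/AP is sketched below. This is an added example, not part of the original article; the function name New-SharedSecret, the friendly names and the 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example: one unique random RADIUS shared secret per controller/AP.
# The friendly names and addresses are constructed placeholders.
$radiusClients = @(
    @{ Name = 'AP-Lobby';     Address = '192.0.2.11' },
    @{ Name = 'AP-Warehouse'; Address = '192.0.2.12' },
    @{ Name = 'WLC-Main';     Address = '192.0.2.20' }
)

function New-SharedSecret {
    param(
        [int]$Length = 48,
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_=.'
    )
    $chars = $Alphabet.ToCharArray()
    # Bytes at or above this limit are discarded so every character is equally likely.
    $limit = 256 - (256 % $chars.Length)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($chars[$byte[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# Emit one row per RADIUS client and never hand out the same secret twice.
$seen = @{}
foreach ($client in $radiusClients) {
    do { $secret = New-SharedSecret } while ($seen.ContainsKey($secret))
    $seen[$secret] = $true
    New-Object PSObject -Property @{
        FriendlyName = $client.Name
        Address      = $client.Address
        SharedSecret = $secret
    }
}
```

Enter each secret in the matching RADIUS client entry and later on the controller/AP itself. If a device rejects the value, pass a smaller -Length or a narrower -Alphabet.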
For the Authentication Method, select Microsoft Protected EAP (PEAP) since we're using PEAP.
Click the Configure button, select the certificate you created earlier, and click OK.
On the Specify User Groups window (see Figure 6), click Add.
Figure 6: Add the user groups you want to be able to connect
On the Select Group dialogs, enter the groups or click Advanced to search for the available groups. If you
haven't created additional groups, you probably want to select Domain Users to allow users
and Domain Computers for machine authentication if your controllers/APs support it. If you receive an
error that the domain doesn't exist, restart the Active Directory Domain Services server and try again.
Once you've added the desired group(s), click Next to continue.
On the Configure a VLAN window (see Figure 7), if your network (switches and controllers/APs) supports
VLANs and you have them configured, click the Configure button to set up the VLAN functionality.
Figure 7: Click the Configure button to define the VLAN settings
Once you're done configuring the VLANs, click Next.
Review the settings and click Finish.
Configure the wireless controllers and/or APs
Now it's time to configure the wireless controllers or access points (APs). Bring up the web-based GUI
for the controllers or APs by entering their IP address into a browser. Then navigate to the wireless settings.
Choose WPA-Enterprise or WPA2-Enterprise. For the encryption type, select TKIP if using WPA or AES if
using WPA2. Then enter the IP address of the RADIUS server, which is the Windows Server machine you
just set up. Next, enter the shared secret you created earlier for the particular controller/AP. Then save
the settings.
Install the CA Certificate on Client Computers
In Part 1, you created your own Certificate Authority (CA) and server certificate. Thus you must install
the CA certificate onto your client computers. This way the clients can validate the server before
performing the authentication.
If you're running a domain network with Active Directory, you may want to deploy this certificate with
Group Policy. However, you can also install it manually, as we'll discuss.
To view and manage the certificates in Windows Server 2008, bring up the Certificate Manager. If you
saved that MMC to your desktop in Part 1, open it. Otherwise, follow these steps again:
1. Click Start, type MMC, and hit Enter.
2. On the MMC window, click File > Add/Remove Snap-in.
3. Select Certificates, and click Add.
4. Select Computer account, and click Next.
5. Select Local computer, click Finish, and then OK.
Tip:
Again, you might want to save this MMC to your desktop for easier access later: click File>Save.
Now expand Certificates (Local Computer Account), expand Personal, and click Certificates.
As Figure 8 shows, right-click the certificate with the Issued To value ending in CA, hover over All Tasks,
and choose Export. Then follow the wizard to export. When prompted, don't export the private key,
but use the DER format. You probably want to export to a flash drive so you can take it around to the
client computers.
Figure 8: Exporting the CA certificate to install onto the clients
Now on the client computers, double-click the certificate and click the Install Certificate button (see
Figure 9). Use the wizard to import it into the Trusted Root Certification Authorities store.
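The export and import steps above can also be scripted with the .NET certificate classes from an elevated Windows PowerShell prompt. This is an added example, not part of the original article; the function names and the E:\ca.cer path are hypothetical, and it assumes the CA is a self-signed root whose Issued To name ends in CA. It also compares the certificate thumbprint before the client trusts the file.

```powershell
# Added example; function names and the E:\ca.cer path are hypothetical.
# Server side: write the CA certificate as DER, without the private key.
function Export-CaCertificate {
    param([string]$Path = 'E:\ca.cer')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # Assumption: a self-signed root (Subject equals Issuer) whose name ends in "CA".
        $ca = @($store.Certificates | Where-Object {
            $_.GetNameInfo('SimpleName', $false) -like '*CA' -and $_.Subject -eq $_.Issuer })
    } finally { $store.Close() }
    if ($ca.Count -ne 1) { throw "Expected exactly one CA certificate, found $($ca.Count)" }
    # Content type 'Cert' is the DER-encoded certificate only; no key material is written.
    $der = $ca[0].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    $ca[0].Thumbprint   # note this value and carry it separately from the flash drive
}

# Client side: trust the file only if it matches the thumbprint noted on the server.
function Import-CaCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.HasPrivateKey) { throw 'File unexpectedly contains a private key' }
    if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $root.Open('ReadWrite')
    try { $root.Add($cert) } finally { $root.Close() }
    "Installed $($cert.Subject) into Trusted Root Certification Authorities"
}
```

Run Export-CaCertificate on the server and Import-CaCertificate -Path E:\ca.cer -ExpectedThumbprint <value from the server> on each client.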
Figure 9: Installing the CA certificate onto a client.
Configure the Network Settings on Client Computers
Now you can configure the network settings. As with the certificate installation, you can push the
network settings to clients using Group Policy if you're running a domain network with Active Directory.
However, you can also manually configure the clients, as we'll discuss for Windows XP, Vista, and 7.
First, manually create a network profile or preferred network entry. For the Security Type, choose
WPA-Enterprise or WPA2-Enterprise. For the Encryption Type, select TKIP if using WPA or AES if using WPA2.
Open the network profile and select the Security tab (in Vista & 7) or Authentication tab (in XP). In XP,
check the Enable IEEE 802.1x authentication for this network option.
For the Network Authentication method (in Vista & 7, as Figure 10 shows) or EAP Type (in XP),
choose Protected EAP (PEAP). In XP, also deselect both check boxes on the bottom of the window.
Figure 10: Choose PEAP for the authentication method
In Windows 7 only, click the Advanced Settings button on the Security tab. Then on the Advanced
Settings window, check the Specify authentication mode option, choose User Authentication, and
click OK to return to the Security tab.
Click the Settings (in Vista & 7) or Properties (in XP) button.
Then on the Protected EAP Properties dialog, follow these steps (Figure 11 shows an example):
- Check the first box, Validate server certificate.
- Check the second box, Connect to these servers, and enter your server's full computer name. If
  needed, double-check it on Windows Server by clicking Start > Server Manager.
- In the Trusted Root Certification Authorities list box, select the CA certificate you just imported.
- Select Secured password (EAP-MSCHAP v2) for the Authentication Method.
- Click the Configure button. If you're running a domain network with Active Directory, you
  probably want to keep this option checked. Otherwise, uncheck it so the user can enter their
  username and password when connecting to the network.
Figure 11: Configure the PEAP properties
Finally, click OK on the dialog windows to save the settings.
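To confirm that a Vista or Windows 7 client really ended up with the settings from the steps above, the saved profile can be exported with netsh wlan export profile and checked. This is an added example, not part of the original article; the function names are hypothetical, the sample profile is constructed and trimmed, and the element names are assumed to match what Windows 7 writes for a PEAP profile.

```powershell
# Added example. $sample is a constructed, trimmed profile (namespaces omitted).
# Real input comes from: netsh wlan export profile name="<SSID>" folder=.
$sample = [xml]@'
<WLANProfile>
  <name>CorpWiFi</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX><EAPConfig>
      <ServerValidation>
        <ServerNames></ServerNames>
      </ServerValidation>
      <PerformServerValidation>false</PerformServerValidation>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

# Text of the first element with this local name, ignoring XML namespaces.
function Get-Value($xml, $name) {
    $node = $xml.SelectSingleNode("//*[local-name()='$name']")
    if ($null -ne $node) { $node.InnerText.Trim() } else { '' }
}

# Returns one message per setting that differs from the steps in this section.
function Test-PeapProfile {
    param([xml]$Xml)
    $issues = @()
    if (@('WPA', 'WPA2') -notcontains (Get-Value $Xml 'authentication')) {
        $issues += 'Security type is not WPA-Enterprise or WPA2-Enterprise' }
    if ((Get-Value $Xml 'useOneX') -ne 'true') {
        $issues += '802.1X authentication is not enabled' }
    if ((Get-Value $Xml 'PerformServerValidation') -ne 'true') {
        $issues += '"Validate server certificate" is not checked' }
    if (-not (Get-Value $Xml 'ServerNames')) {
        $issues += '"Connect to these servers" has no server name' }
    if (-not (Get-Value $Xml 'TrustedRootCA')) {
        $issues += 'No Trusted Root Certification Authority is selected' }
    $issues
}

Test-PeapProfile $sample
```

For an exported file, call Test-PeapProfile ([xml](Get-Content .\profile.xml)), where profile.xml stands for the file netsh wrote. An empty result means every check passed.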
Finally, Connect and Logon!
Now that you have the server, APs, and clients configured, you can try to connect.
On a client computer, choose the network from the list of available wireless networks. Unless you
enabled the client to automatically use its Windows logon, you'll be prompted to enter the login
credentials, as Figure 12 shows. Use an account on the Windows Server belonging to the group(s) you
configured earlier in the Network Policy and Access Services portion of the setup. If you chose the
Domain Users group, the Administrator account should be allowed by default.
Figure 12: The login window.
Now you should have an 802.1X-authenticating and Enterprise-encrypted network, thanks to
Windows Server 2008 providing the RADIUS functionality. We've set up the server, wireless APs, and
clients for the PEAP authentication. End-users should be able to log in with their accounts.
To manage the RADIUS server settings, such as adding or removing APs, use the Network Policy Server
utility: click Start > All Programs > Administrative Tools > Network Policy Server.