Microsoft NPS as a RADIUS Server for WiFi Networks: Self Signed Certificate

The Microsoft Network Policy Server (NPS) is often used as a RADIUS server for WiFi networks. It can provide authentication and authorization services for users on a wireless network. Generally, NPS is used with various EAP methods (e.g.

In this procedure, you install NPS by using either Windows PowerShell or the Server Manager Add Roles and Features Wizard. NPS is a role service of the Network Policy and Access Services server role. By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters.
Purpose of this Project
We will let the mobile devices (laptops, Windows tablets) log on to the wireless network automatically via certificate-based authentication before user login, so the devices can pull the computer GPO (MSI deployment, printer deployment on the computer object, etc.). After user login, the connection switches to user certificate-based authentication, which allows the proxy to audit and apply policies on the devices. The answer is certificate-based authentication (EAP-TLS).
Unfortunately this is not that straightforward, since there are a couple of requirements for the server and client certificates. You can configure this with this tutorial, but you will need a solid understanding of how NPS and the CA work in case troubleshooting is required, as there are many steps and this project may fail if any one of them is not configured correctly.
Part 1. Plan the infrastructure
You can put them all on one server, but best practice is to use three servers: AD DS, AD CS and NPS.
Part 2. CA preparation
We recommend certificate auto-enrollment as it provides a number of advantages:
Step 1 Install AD CS
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority
Step 2. Configure Certificate template for server
Servers that are running the Network Policy Server (NPS) service must be members of the RAS and IAS Servers group. You can configure this in Active Directory Users and Computers.
Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure.
To configure the Server certificate template
Note: double-check the reference part to make sure your template meets the requirements.
Step 3. Configure Certificate template for computers and users
Step 4. Configure certificate auto-enrollment for the server, users and computers
On the computer where AD DS is installed, open Group Policy Management. The Select Group Policy Object dialog box opens.
By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes. Membership in Administrators, or equivalent, is the minimum required to complete this procedure.
To refresh Group Policy on the local computer, at the Windows command prompt, type gpupdate /force, and then press ENTER.
To verify NPS enrollment of a server certificate
Log on to the NPS server. Type MMC.exe, right-click MMC.exe, and run it as administrator. In MMC, click File, Add/Remove Snap-in…, select Certificates, click Add >, choose Local computer, and click OK.
In the left pane, click Console Root > Certificates (Local Computer) > Personal > Certificates. The certificate created above should show here; note down its name and expiry date.
If the certificate is not shown here, troubleshoot.
To Verify Computer Certificate and User certificate
Log on to the NPS server. Type MMC.exe, right-click MMC.exe, and run it as administrator. In MMC, click File, Add/Remove Snap-in…, select Certificates, click Add >, choose Local computer, and click OK. Then do the same to add the Certificates snap-in for the Current User.
In the left pane, click Console Root > Certificates (Local Computer) > Personal > Certificates. Confirm the certificate is there with the name PC_name.Domain_name.
Do the same check for the user certificate; if it is not present, troubleshoot.
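The MMC checks above can be scripted. The following PowerShell is an added example, not part of the original post: it looks in the computer and user certificate stores for certificates carrying the EKUs EAP-TLS needs (Server Authentication on the NPS certificate, Client Authentication on computer and user certificates), and warns when a certificate has no private key, is near expiry, fails chain or revocation checking, or does not match the expected PC_name.Domain_name. The store paths and EKU OIDs are standard; the expected name is derived from the host it runs on.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the NPS server
# (server check) or on a client (computer/user check) after gpupdate /force has run.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication: required on the NPS certificate
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication: required on computer and user certificates
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # expected PC_name.Domain_name

function Test-EapTlsCertificate {
    param(
        [string]$StorePath,    # Cert:\LocalMachine\My or Cert:\CurrentUser\My
        [string]$RequiredEku,
        [string]$ExpectedName  # name expected in Subject or SAN, or $null to skip the name check
    )
    $found = $false
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Filter on EKU first: a web-server or code-signing cert in the same store must not be accepted.
        if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $RequiredEku)) { continue }
        if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Subject): no private key, unusable for EAP-TLS"; continue }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($cert.Subject): expires $($cert.NotAfter)" }
        # Verify() builds the chain to a trusted root and applies this host's revocation settings.
        if (-not $cert.Verify()) { Write-Warning "$($cert.Subject): chain or revocation check failed"; continue }
        if ($ExpectedName -and ($cert.Subject -notmatch [regex]::Escape($ExpectedName)) -and
            ($cert.DnsNameList.Unicode -notcontains $ExpectedName)) {
            Write-Warning "$($cert.Subject): name does not match expected $ExpectedName"; continue
        }
        Write-Host ("OK  {0}  thumbprint={1}  expires={2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        $found = $true
    }
    if (-not $found) {
        Write-Warning "No usable certificate with EKU $RequiredEku in $StorePath - check auto-enrollment (gpupdate /force, template permissions, CA)"
    }
    return $found
}

# NPS server certificate (Part 2 Step 2 template) lives in the computer store
$serverOk   = Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredEku $ServerAuthEku -ExpectedName $Fqdn
# Computer certificate (Part 2 Step 3 template), also in the computer store
$computerOk = Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredEku $ClientAuthEku -ExpectedName $Fqdn
# User certificate, in the current user's store; its subject depends on the template, so no name check
$userOk     = Test-EapTlsCertificate -StorePath 'Cert:\CurrentUser\My' -RequiredEku $ClientAuthEku -ExpectedName $null
```

On the NPS server only the first result matters; on a client the second and third must both succeed for the pre-login (computer) and post-login (user) authentication described above to work.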
Part 3. Configure NPS
Install the Network Policy Server on the Microsoft Windows 2016 Server
In this setup, NPS is used as a RADIUS server to authenticate wireless clients with EAP-TLS authentication. Complete these steps in order to install and configure NPS on the Microsoft Windows 2016 server:
Configure the Network Policy Server Service for EAP-TLS Authentication
Add the Wireless LAN Controller as an authentication, authorization, and accounting (AAA) client on the NPS.
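The installation and the RADIUS client step can also be done from PowerShell. This is an added example, not part of the original post: it installs the role service, registers NPS in Active Directory (which puts the server in the RAS and IAS Servers group required in Part 2), adds the Wireless LAN Controller as a RADIUS client with a generated shared secret, and confirms NPS is listening on the RADIUS ports listed at the top of the page. The WLC name and address are placeholders.

```powershell
# Added example (not from the original post). Run elevated on the Windows Server 2016 host.
$WlcName    = 'WLC-01'      # placeholder friendly name for the Wireless LAN Controller
$WlcAddress = '10.0.0.5'    # placeholder: management IP of the Wireless LAN Controller

# 1. Install the Network Policy and Access Services role service together with the NPS console
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory so it can read account dial-in properties
#    (adds the server to the RAS and IAS Servers group; needs Domain Admins rights)
netsh nps add registeredserver

# 3. Generate a long random shared secret instead of typing one. Record it in your password vault
#    and paste the same value into the WLC's RADIUS server definition (page 2).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)
Write-Host "Shared secret for $WlcName (store in vault): $SharedSecret"

# 4. Add the WLC as a RADIUS client. Requiring the Message-Authenticator attribute makes NPS drop
#    requests whose integrity cannot be verified with the shared secret.
New-NpsRadiusClient -Name $WlcName -Address $WlcAddress -SharedSecret $SharedSecret -AuthAttributeRequired $true
Get-NpsRadiusClient | Format-Table Name, Address, Enabled, AuthAttributeRequired

# 5. Confirm NPS is listening on the RADIUS ports (1812/1813, plus legacy 1645/1646)
Get-NetUDPEndpoint -LocalPort 1812,1813,1645,1646 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```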
Connection request policies are used to specify which RADIUS servers perform authentication and authorization of RADIUS clients' connection requests. These policies can also specify which servers RADIUS accounting requests are sent to. They are applied to NPS servers configured as RADIUS servers or RADIUS proxies.
To create a connection request policy
By default there is a policy which handles all authentication locally, but for scalability and easy troubleshooting, I want to configure a precise policy for wireless use.
1. In Network Policy Server, right-click Connection Request Policies.
2. Select New on the shortcut menu.
3. In the New Connection Request Policy dialog box, enter a Policy name and leave Type of network access server set to Unspecified.
4. Click Next.
5. In the Specify Conditions dialog box, click Add. Scroll to the bottom, select NAS Port Type and click Add; under Common 802.1X connection tunnel types, select Wireless – IEEE 802.11, click Add, then OK.
6. In the dialog box that follows, click Add again, select Day and Time Restrictions, select the times when you want users to be authenticated, and click OK. Then click Next.
7. In the Specify Connection Request Forwarding dialog box, select Authenticate requests on this server. Click Next.
8. In the Specify Authentication Methods and Configure Settings dialog boxes, accept the defaults by clicking Next, then click Finish.
Now we work on the network policies.
Optional: You can also add password authentication, so that if the machine or current user does not have a certificate, it proceeds with password-based authentication. To do this, click Add…, choose Microsoft: Protected EAP (PEAP), then click Microsoft: Protected EAP (PEAP) and click Edit. Under EAP Types, make sure Secured password (EAP-MSCHAP v2) is listed. If not, add it here.
Ensure the previously created NPS certificate is selected in the Certificate issued drop-down list, and click OK. Note that if your server has multiple certificates, you can identify the right one by the name and expiry date you noted down in Part 2 Step 4.
Click Next multiple times until you Click Finish.
Deploy the WiFi profile to client computers
Right-click the policy and click Edit. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies, right-click it, and choose Create a New Wireless Network Policy for Windows Vista and Later Releases.
Give the Policy a name then click Add > Infrastructure
Give the profile a name, then enter the name of the SSID that you want users to connect to, and click Add.
Select the Security tab and select WPA2-Enterprise and AES-CCMP encryption. Then select Microsoft: Smart card or other certificate and
Here are the three options explained:
Click Properties after Microsoft: Smart Card or other certificate.
Click Advanced; after When Connecting, make sure no option is ticked.
Click OK until all the WiFi profile settings are saved.
Link the GPO to the OU where all the mobile clients are sitting.
Now go to page 2 to set up the Cisco Wireless controller for RADIUS authentication.
Archives: December 2022