Friday, March 7, 2014

Authenticating WiFi users with Windows AD + RADIUS Server


First, install:
http://nilgodhuli.blogspot.com/2014/03/installing-active-directory-on-windows.html
then:
http://nilgodhuli.blogspot.com/2014/03/how-to-install-enterprise-certificate.html
  1. Log into the Windows server using Domain Admin credentials.
  2. Open the Server Manager console.
  3. In the Server Manager console, right-click Roles and select Add role.
  4. When the Add Roles Wizard opens, click Next.
  5. On Select Server Roles, check the box Network Policy and Access Services and click Next.
  6. On Select Role Services, check the box labeled Network Policy Server and click Next.

Network Policy Server and Health Registration Authority

Use the local CA to issue on this computer


On the "Confirm Installation Selections" dialog, click Install.
Wait for the Installation Progress to complete.

Configuring RADIUS service

Choose Start | Administrative Tools | Network Policy Server
Right-click on NPS and then click Register server in Active Directory

Stay on NPS (Local) and from the right window choose RADIUS server for 802.1X Wireless or Wired Connections | Click on Configure 802.1X

Choose Secure Wireless Connections | Choose Name | Next

RADIUS clients | Add

Choose a name for the client | Enter the IP address (it has to be fixed) of the client that we are registering | Shared secret: Manual | Enter the password for client identification | OK

Next

Choose Microsoft Protected EAP (PEAP) | Click on Configure

Certificate Properties | Select Secured password | Click on Edit

Edit the number of authentication retries to the desired value | OK | OK

Next

Choose the groups that will be able to authenticate with RADIUS | Next

Next

Finish
After finishing the configuration, click Start | Administrative Tools | Services, find the NPS service and restart it.
By clicking on RADIUS Clients and Servers | RADIUS Clients I can see the created client. I'm now able to authenticate with RADIUS.
That is the basic setup for a RADIUS server.
You can set up RADIUS in more detail under NPS | Policies | Connection Request Policies or Network Policies

I'm now directing my attention to Network Policies
Network Policies | Choose the created WiFiAP policy and right-click | Properties

Tab Constraints | I have chosen even less secure authentication methods for testing purposes. In a production environment you should choose only the most secure protocols.

Tab Settings | Encryption. For testing purposes I left all options ON; in a production environment you should choose the strongest encryption (MPPE 128-bit).
You should go through all the settings and set up RADIUS to your preferences.

ACCESS POINT setup

I used a Linksys WAP54G. Setup is more or less the same for all APs, although I had some APs that just won't work with a Windows Server based RADIUS server, so be careful when you choose your equipment.

The Access Point should have an Ethernet connection to the network environment where the RADIUS server is located.

The Access Point should be set up as follows:
Static IP, same subnet as the RADIUS server

Set up as Access Point

Basic Wireless Settings | Set the SSID name

Wireless Security | Choose WPA Enterprise (my AP is older, so it doesn't have WPA2) | Encryption: AES | RADIUS Server: IP address of the RADIUS server | RADIUS Port: it's usually 1812 | Shared secret: you defined it while creating the new client in NPS; a desirable value for the shared secret is, for example: 984752G2N3
Key renewal: leave as it is.

Advanced Wireless Settings | Leave the default settings.

With this step we configured the AP for communication with RADIUS. Save your settings and reboot the Access Point.
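The following Python example is added here and is not from the original post; it shows how the shared secret typed into both NPS and the AP authenticates RADIUS packets in each direction (Message-Authenticator on the request, Response Authenticator on the reply, per RFC 2865 and RFC 2869). The secrets, user name and NAS address are constructed values, and the request omits the EAP-Message attribute that a real PEAP exchange carries.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(secret, ident, user, nas_ip, request_auth):
    """AP -> NPS on UDP 1812. Message-Authenticator is HMAC-MD5 over the whole
    packet, keyed with the shared secret, computed with its own value zeroed.
    Simplification: it is placed last and no EAP-Message attribute is included."""
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

def server_verifies_request(secret, packet):
    """NPS side: recompute the HMAC with the secret stored for this RADIUS client."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])

def build_reply(secret, code, ident, request_auth, attrs=b""):
    """NPS -> AP. Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def client_verifies_reply(secret, reply, request_auth):
    """AP side: accept the reply only if it was produced with the same secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def exchange(ap_secret, nps_secret):
    """Run one request/reply pair; return (NPS accepted request, AP accepted reply)."""
    request_auth = os.urandom(16)
    request = build_request(ap_secret, 1, "DOMAIN\\user", "192.0.2.10", request_auth)
    reply = build_reply(nps_secret, ACCESS_ACCEPT, 1, request_auth)
    return (server_verifies_request(nps_secret, request),
            client_verifies_reply(ap_secret, reply, request_auth))

if __name__ == "__main__":
    # Constructed secrets, not values from the post.
    print(exchange(b"constructed-secret-A", b"constructed-secret-A"))  # matching
    print(exchange(b"constructed-secret-A", b"constructed-secret-B"))  # mismatch
```

With matching secrets both checks pass; with different secrets both fail, which is how a mistyped shared secret on the AP shows up.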

Testing


I want to connect my iPhone (iOS 5) to the WiFi network RadiusTest and, with that connection, test the connection between client, AP and RADIUS server.

On my iPhone, in WiFi networks I can see the created WiFi network RadiusTest. I'm tapping on it to connect.
I need to authenticate. I entered my domain user account and password in the following form: Domain\user + password | Choose Join
After a few seconds I'm offered the certificate that I created earlier on the RADIUS server | Accept
The iPhone is successfully connected and authenticated on the RADIUS server.
With this step, installing, configuring and testing the RADIUS server on Windows Server 2008 x64 is successfully finished.
