{"id":751,"date":"2012-07-18T21:25:23","date_gmt":"2012-07-18T21:25:23","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=751"},"modified":"2012-07-18T21:25:23","modified_gmt":"2012-07-18T21:25:23","slug":"using-windows-2008-for-radius-authentication","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=751","title":{"rendered":"Using Windows 2008 For RADIUS Authentication"},"content":{"rendered":"

This will be a basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication. Steps for basic installation include:<\/p>\n

    \n
  1. Rename the server<\/li>\n
  2. Setting server as Domain Controller<\/li>\n
  3. Installing Certificate Services<\/li>\n
  4. Request Certificates (optional)<\/li>\n
  5. Installing Network Policy Services (previously IAS)<\/li>\n
  6. Creating Group Policies<\/li>\n<\/ol>\n

    Rename The Server<\/h2>\n

    Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server so you must do before<\/strong> installing Active Directory or Certificate Services.<\/p>\n

    In the \u201cInitial Configuration Tasks\u201d window, click the \u201cProvide computer name and domain\u201d link.<\/p>\n

    \"\"<\/p>\n

    Enter a Computer description and click the \u201cChange\u2026\u201d button to change the computer name. I\u2019ll be using WLAN-DC as my name and description.<\/p>\n

    \"\"<\/p>\n

    Enter the Computer name and click \u201cOK\u201d and reboot when prompted.<\/p>\n

    \"\"<\/p>\n

    Setting Server as a Domain Controller<\/h2>\n

    For this example we setup a new forest for the wlan.net domain. Server 2008 abstracts most server function into \u201cRoles\u201d so we\u2019ll be adding the Active Directory Domain Services Role with the Server Manager by clicking \u201cRoles\u201d and clicking \u201cAdd Roles.\u201d<\/p>\n

    \"\"<\/p>\n

    Select the Active Directory Domain Services Role.<\/p>\n

    \"\"<\/p>\n

    Click through the confirmation screens and click Install. You should get see an installation progress screen and finally an \u201cinstallation success\u201d message that asks you to run the command \u201cdcpromo.exe\u201d which will configure your domain. So click the link to run \u201cdcpromo\u201d or click the \u201cStart\u201d button, select \u201cRun\u201d and enter \u201cdcpromo.exe\u201d. You should now see the \u201cActive Directory Domain Service\u201d install wizard. Click \u201cNext \u201c to continue.<\/p>\n

    \"\"<\/p>\n

    Choose \u201cCreate a new domain in a new forest\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    For our example domain we\u2019ll use \u201cwlan.net\u201d. Click \u201cNext\u201d and it will check to see if the name is already used on the network.<\/p>\n

    \"\"<\/p>\n

    When asked to set which \u201cForest Functional Level\u201d I used the 2008 level.<\/p>\n

    \"\"<\/p>\n

    The next screen you\u2019ll see is a warning that the DNS service isn\u2019t install and will offer to install it for you. Just click \u201cNext\u201d to accept and install.<\/p>\n

    \"\"<\/p>\n

    It will display the following warning, just click \u201cYes\u201d to continue.<\/p>\n

    \"\"<\/p>\n

    Just accept the defaults and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    Now you\u2019ll be prompted to enter a \u201cDirectory Services Restore Mode Administrator Password\u201d. Enter a password and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    Click \u201cNext\u201d at the Summary screen.<\/p>\n

    \"\"<\/p>\n

    You\u2019ll now see the Installation Wizard install DNS and Active Directory. Check the \u201cReboot on completion\u201d box and once the wizard finishes it\u2019ll reboot and be ready for the next step.<\/p>\n

    \"\"<\/p>\n

    Installing Certificate Services<\/h2>\n

    To enable PEAP or EAP-TLS we\u2019ll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager and select \u201cActive Directory Certificate Services\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    Click through the conformation screen and select \u201cCertification Authority\u201d and \u201cCertificate Authority Web Enrollment\u201d which will tell you that you\u2019ll need IIS to be installed to use the \u201cCertificate Authority Web Enrollment\u201d. Click \u201cAdd Required Role Services\u201d and click \u201cNext\u201d to continue.<\/p>\n

    \"\"<\/p>\n

    When prompted for which type of Certificate Authority to install, choose \u201cEnterprise\u201d.<\/p>\n

    \"\"<\/p>\n

    When prompted for CA Type, select \u201cRoot CA\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    When prompted to Set Up Private Key select \u201cCreate a new private key\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    When prompted to Configure Cryptography for CA, accept the defaults and click \u201cNext\u201d for the rest of the conformation screens.<\/p>\n

    \"\"<\/p>\n

    Request Certificates (optional)<\/h2>\n

    Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.<\/p>\n

    We\u2019ll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the \u201cStart\u201d button and enter \u201cMMC\u201d in the command field to open the MMC. Next we\u2019ll add the Certificate (For Local Computer) snap-in by clicking \u201cFile\u201d and choosing \u201cAdd\/Remove Snap-in\u201d. Select \u201cCertificates\u201d and click \u201cAdd\u201d.<\/p>\n

    \"\"<\/p>\n

    Now be sure to select \u201cComputer Account\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    Choose \u201cLocal Computer\u201d, click \u201cFinish\u201d and \u201cOK\u201d.<\/p>\n

    \"\"<\/p>\n

    TIP:<\/strong> While you\u2019re here you might as well add the \u201cCertificate Authority\u201d snap-in and save this MMC to your desktop because you\u2019ll need it again in the future.<\/p>\n

    To request a certificate for your server (if you don\u2019t want to use the default certificate) expand \u201cCertificates (Local Computer Account)\u201d, \u201cPersonal\u201d, and right-click \u201cCertificates\u201d and select \u201cAll Tasks\u201d, \u201cRequest New Certificate\u2026\u201d<\/p>\n

    \"\"<\/p>\n

    Click through the Enrollment screens choosing the settings you desire for your certificate.<\/p>\n

    \"\"<\/p>\n

    Installing Network Policy and Access Services<\/h2>\n

    In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which now include everything from earlier versions of Windows server such as RRAS\/IAS\/etc,\u2026 but now includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and \u201cAdd a Role\u201d selecting \u201cNetwork Policy and Access Services\u201d and click through the confirmation screen.<\/p>\n

    \"\"<\/p>\n

    Select \u201cNetwork Policy Server\u201d, \u201cRouting and Remote Access Services\u201d, \u201cRemote Access Service\u201d and \u201cRouting\u201d. Click \u201cNext\u201d, click through the confirmation screen and click \u201cInstall\u201d.<\/p>\n

    \"\"<\/p>\n

    Installation will take a couple of minutes and present you with an install summery. Just click \u201cClose\u201d.<\/p>\n

    Now that NPS is installed, press the \u201cStart\u201d button and enter \u201cnps.msc\u201d in the command field. The NPS MMC should open up allowing you to select the \u201cRADIUS server for 802.1X Wireless or Wired Connections\u201d Installation Wizard from the \u201cStandard Configuration\u201d pull-down menu and click \u201cConfigure 802.1X\u201d.<\/p>\n

    \"\"<\/p>\n

    From the \u201cSelect 802.1X Connections Type\u201d page, select \u201cSecure Wireless Connections\u201d and click \u201cNext\u201d.<\/p>\n

    \"\"<\/p>\n

    From the \u201cSpecify 802.1X Switches\u201d screen click \u201cAdd\u2026\u201d and enter the settings for your Aruba controller and press \u201cOK\u201d.<\/p>\n

    \"\"<\/p>\n

    For the \u201cConfigure an Authentication Method\u201d screen select \u201cMicrosoft Smart Card or other certificate\u201d for EAP-TLS or \u201cMicrosoft Protected EAP (PEAP)\u201d for PEAP. I will be selecting PEAP for this example and click \u201cConfigure\u2026\u201d<\/p>\n

    \"\"<\/p>\n

    Select the appropriate certificate to use for this server. In this case we\u2019ll use the \u201cWLAN-DC.wlan.net\u201d certificate and click \u201cOK\u201d.<\/p>\n

    \"\"<\/p>\n

    For the \u201cSpecify User Groups\u201d screen select the users and\/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the \u201cDomain Users\u201d group. If I want to enforce Machine Authentication I need to add the \u201cDomain Computers\u201d group as well as checking the \u201cEnforce Machine Auth\u201d option in the dot1x policy on my Aruba controller. Click \u201cNext\u201d to continue.<\/p>\n

    Note:<\/strong> Groups listed here are considered as an OR statement.<\/p>\n

    \"\"<\/p>\n

    For the next screen you can click \u201cNext\u201d and \u201cFinish\u201d or click \u201cConfigure\u2026\u201d to add RADIUS attributes for Server Derivation rules.<\/p>\n

    \"\"<\/p>\n

    For example, you may want to map the \u201cDomain Users\u201d to the \u201cemployee_role\u201d on your Aruba controller. You could do that here with the \u201cFilter-Id\u201d attribute.<\/p>\n

    \"\"<\/p>\n

    Note:<\/strong> There seems to be a bug in Windows if you mess with these attributes too much the \u201cFilter-Id\u201d attribute vanishes. If this happens cancel out of the wizard and start over.<\/p>\n

    Press \u201cNext\u201d and \u201cFinish\u201d to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server.<\/p>\n","protected":false},"excerpt":{"rendered":"

    This will be a basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication. Steps for basic installation include: Rename the server Setting server as Domain Controller Installing Certificate Services Request Certificates (optional) Installing Network Policy Services (previously IAS) Creating Group Policies Rename The Server Something different about Windows 2008 Server is that […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-751","post","type-post","status-publish","format-standard","hentry","category-general-2008"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=751"}],"version-history":[{"count":2,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/751\/revisions"}],"predecessor-version":[{"id":753,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/751\/revisions\/753"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}