NPS Using Microsoft Windows 2008 Server

The document provides instructions for setting up a Windows 2008 server to enable 802.1x authentication with an Aruba wireless controller. The key steps include: 1) installing Active Directory, Certificate Services, and Network Policy Server roles to enable the server as a RADIUS server; 2) configuring the Network Policy server to support PEAP or EAP-TLS authentication for wireless connections; and 3) specifying the user groups allowed for wireless access controlled by the Aruba controller.

Uploaded by

Sandip Pudasaini
Copyright
© Attribution Non-Commercial (BY-NC)

Using Windows 2008 With Aruba Controllers

Version 1.0
Tobias Rice

This will be a basic setup using Windows 2008 Server to allow dot1x auth with an Aruba controller. Steps to have a basic installation include:

1. Rename the server
2. Setting server as Domain Controller
3. Installing Certificate Services
4. Request Certificates (optional)
5. Installing Network Policy Services (previously IAS)
6. Creating Group Policies

Rename The Server
Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server, so you must do so before installing Active Directory or Certificate Services.

In the Initial Configuration Tasks window, click the Provide computer name and domain link.

Enter a Computer description and click the Change button to change the computer name. I'll be using WLANDC as my name and description.

Enter the Computer name and click OK and reboot when prompted.

Setting Server as a Domain Controller
For this example we set up a new forest for the wlan.net domain. Server 2008 abstracts most server functions into Roles, so we'll be adding the Active Directory Domain Services Role with the Server Manager by clicking Roles and clicking Add Roles.

Select the Active Directory Domain Services Role.

Click through the confirmation screens and click Install. You should see an installation progress screen and finally an installation success message that asks you to run the command dcpromo.exe, which will configure your domain. So click the link to run dcpromo or click the Start button, select Run and enter dcpromo.exe. You should now see the Active Directory Domain Service install wizard. Click Next to continue.

Choose Create a new domain in a new forest and click Next.

For our example domain we'll use wlan.net. Click Next and it will check to see if the name is already used on the network.

When asked to set the Forest Functional Level, I used the 2008 level.

The next screen you'll see is a warning that the DNS service isn't installed and will offer to install it for you. Just click Next to accept and install.

It will display the following warning; just click Yes to continue.

Just accept the defaults and click Next.

Now you'll be prompted to enter a Directory Services Restore Mode Administrator Password. Enter a password and click Next.

Click Next at the Summary screen.

You'll now see the Installation Wizard install DNS and Active Directory. Check the Reboot on completion box and once the wizard finishes it'll reboot and be ready for the next step.

Installing Certificate Services
To enable PEAP or EAP-TLS we'll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager, select Active Directory Certificate Services and click Next.

Click through the confirmation screen and select Certification Authority and Certificate Authority Web Enrollment, which will tell you that you'll need IIS to be installed to use the Certificate Authority Web Enrollment. Click Add Required Role Services and click Next to continue.

When prompted for which type of Certificate Authority to install, choose Enterprise.

When prompted for CA Type, select Root CA and click Next.

When prompted to Set Up Private Key, select Create a new private key and click Next.

When prompted to Configure Cryptography for CA, accept the defaults and click Next for the rest of the confirmation screens.

Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.

We'll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the Start button and enter MMC in the command field to open the MMC. Next we'll add the Certificate (For Local Computer) snap-in by clicking File and choosing Add/Remove Snap-in. Select Certificates and click Add.

Now be sure to select Computer Account and click Next.

Choose Local Computer, click Finish and OK.

TIP: While you're here you might as well add the Certificate Authority snap-in and save this MMC to your desktop because you'll need it again in the future.

To request a certificate for your server (if you don't want to use the default certificate) expand Certificates (Local Computer Account), Personal, and right-click Certificates and select All Tasks, Request New Certificate.

Click through the Enrollment screens choosing the settings you desire for your certificate.

Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which includes everything from earlier versions of Windows Server such as RRAS/IAS/etc., but now also includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and Add a Role, selecting Network Policy and Access Services, and click through the confirmation screen.

Select Network Policy Server, Routing and Remote Access Services, Remote Access Service and Routing. Click Next, click through the confirmation screen and click Install.

Installation will take a couple of minutes and present you with an install summary. Just click Close.

Now that NPS is installed, press the Start button and enter nps.msc in the command field. The NPS MMC should open up, allowing you to select the RADIUS server for 802.1X Wireless or Wired Connections Installation Wizard from the Standard Configuration pulldown menu and click Configure 802.1X.

From the Select 802.1X Connections Type page, select Secure Wireless Connections and click Next.

From the Specify 802.1X Switches screen click Add and enter the settings for your Aruba controller and press OK.

For the Configure an Authentication Method screen select Microsoft Smart Card or other certificate for EAP-TLS or Microsoft Protected EAP (PEAP) for PEAP. I will be selecting PEAP for this example and click Configure.

Select the appropriate certificate to use for this server. In this case we'll use the WLANDC.wlan.net certificate and click OK.

For the Specify User Groups screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the Domain Users group. If I want to enforce Machine Authentication I need to add the Domain Computers group as well as checking the Enforce Machine Auth option in the dot1x policy on my Aruba controller. Click Next to continue.

Note: Groups listed here are considered as an OR statement.

For the next screen you can click Next and Finish or click Configure to add RADIUS attributes for Server Derivation rules.

For example, you may want to map the Domain Users to the employee_role on your Aruba controller. You could do that here with the Filter-Id attribute.

Note: There seems to be a bug in Windows: if you mess with these attributes too much the Filter-Id attribute vanishes. If this happens cancel out of the wizard and start over.

Press Next and Finish to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server. To test your configuration, ssh to your Aruba controller and configure it to use the new RADIUS server.

(MC800) >en
Password:******
(MC800) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(MC800) (config) #aaa authentication-server radius nps
(MC800) (RADIUS Server "nps") #host 10.1.0.236
(MC800) (RADIUS Server "nps") #enable
(MC800) (RADIUS Server "nps") #key p@ssw0rd
(MC800) (RADIUS Server "nps") #nas-identifier ArubaMaster
(MC800) (RADIUS Server "nps") #nas-ip 10.1.0.250

Now test to see if everything is working properly.

(MC800) #aaa test-server mschapv2 nps tobias qwerty12!@
Authentication successful
