In this post I will show how to set up a RADIUS server on Windows Server 2019 to provide 802.1X wireless connections through wireless access points.
Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server for Windows Server operating systems later than Windows Server 2003 is the Network Policy and Access Services (NPAS) server role.
So first I will install the Network Policy and Access Services (NPAS) server role, either on a domain controller or on a member server. Once the NPAS server role is installed you will have a new console named Network Policy Server. Open the Network Policy Server console and select the RADIUS server for 802.1X Wireless or Wired Connections template to configure NPS by using the wizard. Click on Configure 802.1X to start the wizard and select Secure Wireless Connections. Here I need to add all my WLAN access points as RADIUS clients. For authentication I will use the Protected EAP (PEAP) protocol.
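The RADIUS client entries the wizard asks for can also be created from PowerShell. The following is an added example, not code from the original post: it registers each access point as a RADIUS client on the NPS server with its own randomly generated shared secret, using the NPS module that ships with the NPAS role. The access point names and addresses are constructed for the example.

```powershell
# Added example, not code from the original post: register the WLAN access points
# as RADIUS clients on the NPS server, each with its own randomly generated shared
# secret. The access point names and addresses are constructed for this example.
# Run in an elevated prompt on the NPS server; the NPS module ships with the NPAS role.
Import-Module NPS

# Constructed inventory; in practice this would come from a CSV or your CMDB.
$accessPoints = @(
    @{ Name = 'AP-Floor1'; Address = '10.10.20.11' },
    @{ Name = 'AP-Floor2'; Address = '10.10.20.12' }
)

function New-RadiusSharedSecret {
    # Cryptographically random secret from a printable alphabet (NPS allows up to 128 characters).
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@_'
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Register-AccessPoint {
    # Creates the RADIUS client entry, or rotates the secret if the entry already exists.
    param([string]$Name, [string]$Address)
    $secret   = New-RadiusSharedSecret
    $existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        Set-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret | Out-Null
    }
    # The same secret (and UDP 1812/1813 for authentication/accounting) is entered on the
    # access point; hand this output to a password vault rather than keeping it on disk.
    [pscustomobject]@{ Name = $Name; Address = $Address; SharedSecret = $secret }
}

$accessPoints | ForEach-Object { Register-AccessPoint -Name $_.Name -Address $_.Address } |
    Format-Table -AutoSize
```

One secret per access point limits the damage if a single device is compromised or decommissioned, and the rotation path in Register-AccessPoint lets you replace a secret without deleting the client entry.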
Click on Configure to select a certificate that proves the identity of the RADIUS server to the clients. You can use the default computer certificate from your internal PKI here. The clients need to trust that certificate, otherwise the users won’t be able to connect to the wireless network.
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
1. The client authenticates the NPS: the NPS sends its server certificate to the client, and the client can only verify it if it trusts the CA that issued the certificate.
2. The NPS authenticates the user: the client sends the user’s credentials to the NPS, which verifies them against the user accounts in AD DS.
If the credentials are valid and authentication succeeds, the NPS begins the authorization phase of processing the connection request. If the credentials are not valid and authentication fails, NPS sends an Access Reject message and the connection request is denied.
Source: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/wireless/a-deploy-8021x-wireless-access#authentication
The server running NPS performs authorization as follows:
If both authentication and authorization are successful, and if the matching network policy grants access, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.
Source: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/wireless/a-deploy-8021x-wireless-access#authorization
Here I will add all groups which are allowed to access the network through my WLAN access points.
In the next dialog you can configure traffic control attributes (RADIUS tunnel attributes) to allow and deny traffic to users based on their assigned VLANs.
You can change all of these settings later directly in the NPS console. Here you can modify the RADIUS clients. The wizard will create a Connection Request Policy and a Network Policy.
By default the wizard sets the Connection Request Policy to process the authentication requests locally on this server.
You can also configure Accounting for the NPS server.
The wizard created our Network Policy and we do not need to change anything here. When adding Windows Groups it does not matter whether they are local groups on the server itself or domain groups; NPS will process both. As mentioned further above, you can use the default computer certificate on the NPS server from your internal PKI here. The clients need to trust that certificate, otherwise the users won’t be able to connect to the wireless network.
Configure your WLAN Access Points
On the WLAN access points we have to configure the IP address of the NPS (RADIUS) server, the port and the shared secret. Optionally we can also configure RADIUS Accounting.

Configure Wireless Network (IEEE 802.11) Policies | Wi-Fi profiles
You can configure group policies in your network to define preferred networks and settings for the WLAN connection on your clients.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies

Clients should connect automatically to this network when it is in range.
In the advanced settings you can enable single sign-on for the wireless network. By checking this, the password you use to log on to your computer will also be passed on and used to establish the wireless connection with the access points.
Create Wi-Fi profiles using the System Center Configuration Manager (SCCM) or Microsoft Intune
You can also use SCCM or Microsoft Intune to configure Wi-Fi profiles. This topic is well documented by Microsoft in the following articles.
Manage Wi-Fi profiles on a local computer by using the netsh command
You can also use the netsh command line tool to manage the Wi-Fi profiles on a local computer.
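As an added example (not code from the original post), the script below uses netsh to export every WLAN profile of the local computer and then checks each PEAP profile for the setting the post keeps coming back to: the client must validate the NPS server certificate. The expected NPS server name and the export folder are assumptions for this example; replace them with the subject name of your NPS certificate.

```powershell
# Added example, not code from the original post: export the WLAN profiles of the local
# computer with netsh and check each PEAP profile for server certificate validation.
# The expected NPS server name and the export folder are assumptions for this example.
$ExportFolder   = Join-Path $env:TEMP 'wlan-profiles'
$ExpectedServer = 'nps01.corp.example.com'   # constructed; the subject name of the NPS certificate

function Export-WlanProfiles {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # "netsh wlan show profiles" prints one "All User Profile : <name>" line per profile.
    $names = netsh wlan show profiles |
        ForEach-Object { if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() } }
    foreach ($name in $names) {
        # Export without key=clear so no key material lands in the XML.
        netsh wlan export profile name="$name" folder="$Folder" | Out-Null
    }
    Get-ChildItem -Path $Folder -Filter '*.xml'
}

function Test-PeapProfile {
    # Returns one object per profile with the findings a client-side review would flag.
    param([string]$Path, [string]$Server)
    [xml]$xml = Get-Content -Path $Path
    $name = $xml.WLANProfile.name
    $onex = $xml.WLANProfile.MSM.security.OneX
    if (-not $onex) {
        return [pscustomobject]@{ Profile = $name; Findings = 'no 802.1X (PSK or open profile)' }
    }
    if ($onex.EAPConfig.EapHostConfig.EapMethod.Type -ne '25') {   # 25 = PEAP
        return [pscustomobject]@{ Profile = $name; Findings = 'EAP method is not PEAP, not checked' }
    }
    $peap = $onex.EAPConfig.EapHostConfig.Config.Eap.EapType
    $sv   = $peap.ServerValidation
    $findings = @()
    if ($peap.PeapExtensions.PerformServerValidation -ne 'true') { $findings += 'server certificate validation is off' }
    if ($sv.DisableUserPromptForServerValidation -ne 'true')     { $findings += 'user can accept an untrusted server' }
    if (-not $sv.TrustedRootCA)                                  { $findings += 'no trusted root CA pinned' }
    if (($sv.ServerNames -split ';') -notcontains $Server)       { $findings += "server name '$($sv.ServerNames)' does not match $Server" }
    $summary = if ($findings) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{ Profile = $name; Findings = $summary }
}

Export-WlanProfiles -Folder $ExportFolder |
    ForEach-Object { Test-PeapProfile -Path $_.FullName -Server $ExpectedServer } |
    Format-Table -AutoSize -Wrap
```

A profile that reports "user can accept an untrusted server" or "no trusted root CA pinned" is the client-side counterpart of the certificate trust the post describes: the connection will still work, but the client is no longer guaranteed to be talking to your NPS.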
Troubleshooting
In case something went wrong and your clients won’t connect to the wireless network, you can investigate several logs to get more details about the problem. There are two locations to search for logs to investigate why clients can’t connect to the network. For general configuration problems between the NPS server and the RADIUS clients, you can investigate the Event Viewer: Custom Views -> Server Roles -> Network Policy and Access Services. For problems regarding the authentication of the users themselves, you should use the Accounting logs. Here you can see their default path.
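The same events the Event Viewer custom view shows can be summarised from PowerShell. This is an added example, not code from the original post: it reads the NPS access-denied events (Security log, event ID 6273) on the NPS server and groups them by reason code, user account and RADIUS client, which is usually enough to tell a misconfigured access point from a user or certificate problem. The 24-hour window is an assumption.

```powershell
# Added example, not code from the original post: triage NPS access-denied events
# (Security log, event ID 6273, which the Event Viewer custom view for Network Policy
# and Access Services also shows) by reason code, user account and RADIUS client.
# Run in an elevated prompt on the NPS server; the 24-hour window is an assumption.

function Get-NpsDeniedEvent {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The message is a block of "Label: value" lines; the first "Account Name" is the
        # user, "Reason Code" and "Reason" give the rejection cause the post refers to.
        $msg = $e.Message
        $field = { param($label) if ($msg -match "(?m)^\s*$label\s*:\s*(.*)$") { $Matches[1].Trim() } else { '' } }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = & $field 'Account Name'
            Client     = & $field 'Client Friendly Name'
            ClientIP   = & $field 'Client IP Address'
            EapType    = & $field 'EAP Type'
            ReasonCode = & $field 'Reason Code'
            Reason     = & $field 'Reason'
        }
    }
}

$denied = Get-NpsDeniedEvent -Hours 24

'Denials by reason:'
$denied | Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

'Denials by RADIUS client (access point):'
$denied | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name

# The accounting logs mentioned above default to %SystemRoot%\System32\LogFiles;
# list them to pick the file for the day in question.
Get-ChildItem -Path "$env:SystemRoot\System32\LogFiles" -Filter '*.log' |
    Select-Object Name, LastWriteTime
```

Event ID 6272 is the matching "access granted" event, so the same function with Id = 6272 gives the successful side for comparison; a burst of denials from one Client with the same reason usually points at the access point or its shared secret, while denials spread across clients for one Account point at the user or the client certificate trust.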
Reason for rejecting a user. Can be:
Source: https://www.radiusreporting.com/IAS-DB-Attribute-Format-Table.html

EAP authentication exchange for wireless clients through the access point and RADIUS server gets stuck during the SSL handshake, exactly after the Client Hello, when using a route-based IPsec tunnel in pfSense
If you ran into that issue, you can read my following post: Set up a lean Branch Office Network without any Servers and DCs inside by using an IPSec S2S VPN Tunnel connected with the Headquarters Network

Links