Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

 

Step1: Prepare AAA Environment

  • Windows Server 2008 SP2 or Windows Server 2008 R2
  • Active Directory Domain Services
  • Active Directory Certificate Services
  • DHCP
  • Radius i.e. NPS must be a member of domain
  • Computer certificate installed in Radius Server
  • Windows 7, Windows XP or Mac OSX 10.5.8 Client
  • Cisco Wireless Access Point

Step2: Installation

Start menu>Administrative Tools>Server manager>Roles>Add Roles

 1 2 3 4 5 6 7 8 9

Step3: Setup Clients

Administrative Tools>Network Policy Server>Radius Client>Right Click>New Radius Client

 10 11

Radius Secret mentioned here must be same in Cisco Wireless Access Point. You must verify connection by clicking verify.

Step4: Setup Policy

Network Policy Server>Policies>network Policies>Right Click>New

  13 14

This is highly important part of entire config. Based on your need, you have to choose desire config type among all.

VPN Tunnel Type:L2TP

NASPort Type: VPN or Wireless

EAP Type: EAP-TLS, MSChap v2 or PEAP

AD Group: Wireless User Group or VPN User Group

15 16 17 18 19 20

Here, you can choose one or both depending on your infrastructure. I have shown both VPN and Wireless Client.

 21 22 23 24

Here, I am showing both EAP type for this article. But you have to choose only one again depending on your infrastructure.

25 26 27 28

Smart card or Certificate is the best option. For Windows 7 and XP, only certificates will work smooth as silk. However, if you have Macintosh Client then you have choose Certificate and PEAP.

 29 30

If you want VPN client to authenticate via Radius i.e. NPS then select Tunnel type.

31 32 33 34 35 36 37 38 39

Here, I explained  standard Radius config. I would recommend following for two different situations:

  • L2TP, Certificate and EAP for VPN Client
  • Certificate, PEAP and MSChap v2 for Wireless Client.

You can have more then one policy in NPS. A single server can be used to authenticate both VPN and Wireless Client. For some weird reason, my Macintosh client did not work with only user and machine certificate. Apple support advised me to use user cert and Radius shared secret instead. But for Windows 7 and XP client, certificates and EAP will work smooth as silk.

Further Help:

Microsoft Technet 

Keywords: L2TP, Radius, NPS, Windows Server 2008, Certificates

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Internet Authentication Service (IAS) is the Remote Authentication Dial-in User Service (RADIUS) server in Windows Server 2003 family. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. Microsoft Radius supports Windows 7, Windows XP SP2 and Mac OSX clients. This article provided an overview of Microsoft RADIUS and PEAP security and described how RADIUS security are implemented and deployed in IT infrastructure.

Prerequisite : Microsoft Active Directory, DNS, DHCP and Certificate Server, Cisco 1200 series wireless AP, MAC OSX 10.5, Windows XP Pro/Windows 7.

AAA Infrastructure:

Aunthentication: Microsoft Active Directory, Authorization: Microsoft Radius (IAS), Accounting: Microsoft Radius (IAS)

Security Measures: PEAP and Shared Secret

Encryption: MSCHAPv2 

Configure IAS

Make sure all prerequisites mentioned above are ready and working. Install windows server and make it a member of Microsoft Active Directory domain.

1

Install machine certificate i.e. computer certificate in this server

7

Click on add/remove snap in

8 

Click add

9

Select Certificates, click add

10

Check computer account radio button, click next

11

Select local computer, click finish

12

Right mouse click on personal and click on request certificate, follow screen shot

13

14

Click next, then click ok.

Install IAS as follows

2

Go to Add remove windows component, select internet Authentication Service, click ok.

3

4

Open IAS console from administrative tools, right click on IAS as above, click register service in Active Directory

Add RADIUS Client, mention Cisco access point name and IP of Cisco Access Point, click next

5

Select Radius standard and provide shared secret and confirm, click finish. Shared secret must be same as you mentioned in Cisco wireless access point

6

Create Wireless access group in windows Active Directory and Add desired members in that group

image

go to administrative tools in IAS server, open IAS console, Add wireless access policy in Radius server

15

right click in wireless access policy and create new access policy

untitled

Select as above

untitled1

Check Wireless and click next

untitled2

Add wireless access group from active directory by click add button

untitled3

Select PEAP, click on configure

untitled4

Click ok

untitled5

Click finish

Now go to property of newly created access policy, click edit profile, click authentication tab, check EAP  methods as follows.

untitled6

Check  encryption and authentication method. Use MSCHAP v2. Encryption 128 bits.

Configure Wireless access point as shown in the link

https://araihan.wordpress.com/2009/08/02/how-to-configure-cisco-1242-ap-to-get-authentication-from-ms-ias/

Now infrastructure is ready to authenticate iMac OSX 10.5, Windows 7 and XP via wireless.

Log on to an XP machine using user credentials who is a member of wireless access group. Go to run, type mmc and press ok. follow the steps mentioned above on top to install machine certificate but this time install user certificate i.e. check user account instead of computer account.

Once user certificate installed, right click on user certificate, click All task, click export follow screen shot

image

image

image

image

image

image

Save certificate in usb stick.

Configure Mac OSX 10.5

Now open iMac/Mac book pro. Go to utility, open Key Chain, select login, drag certificate from USB stick and drop it in key chain login, click ok

image

Type the password used while exporting certificate

image

image

go to system preference, open network, select AirPort, click on advance, click on +

image

Click on show all, select desired Mac wireless SSID, follow screen shot

image

image

type AD user name and password who is a member of wireless access group, select certificate, click  add

image

Now authenticated as above. all done.

It is not necessary to bind Mac OSX 10.5 to AD to get wireless authentication via RADIUS. PEAP and certificate will do. now you can add user home drive, printer from print server. 

On Windows XP or Windows 7 machine, log on using domain user credential who is a member wireless access group, install user certificate and machine/computer certificate as mentioned above. Turn on wireless, select SSID, click on connect, in few seconds it will be connected.