(2013-09-13)
Problem
I need to set up a NPS server on my Windows 2008 Server to act as a Radius authenticator to a cluster of Cisco AP541N access points.
Solution
This worked for me.
On the AP541N:
Set the Global Radius settings:
- Radius server IP
- Radius secret
Configure the SSID that clients will connect to, selecting all of:
- WPA
- WPA2
- Enable pre-authentication
- TKIP
- CCMP (AES)
- Use global RADIUS server settings
NPS Pre-configuration:
The role to install is Network Policy and Access Services; the service is Network Policy Server.
Once it is installed, right-click on NPS (local) and select Register Server In Active Directory.
(Also note that I usually have to stop and then start the NPS Service after running through the below configuration the first time; future changes seem to take effect right away.)
Define the RADIUS clients:
Server Manager -> Roles -> Network Policy and Access -> NPS (Local) -> Radius Clients -> Radius Clients
Create a new client:
- Make sure it is enabled
- Short, friendly name
- IP address or DNS name
- Manual shared secret
Repeat this set up for each AP in the cluster.
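As an added example (not from the original post), the same RADIUS-client registration can be scripted for the whole cluster with the netsh nps context that ships with Windows Server 2008; the AP names and addresses below are constructed placeholders, and the single shared secret mirrors the AP541N cluster's global RADIUS settings.

```powershell
# Added example: register each AP in the cluster as an NPS RADIUS client.
# Friendly names and addresses are constructed; replace with your own.
$accessPoints = @{
    'cap-1' = '192.0.2.11'
    'cap-2' = '192.0.2.12'
    'cap-3' = '192.0.2.13'
}

# The AP541N cluster shares one global RADIUS secret, so generate a single
# random 48-hex-character secret and enter the same value on the APs.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$secret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

foreach ($name in ($accessPoints.Keys | Sort-Object)) {
    # The friendly name is what the cap-* condition in the policies matches on;
    # state=ENABLE corresponds to the "Make sure it is enabled" step above.
    netsh nps add client name="$name" address="$($accessPoints[$name])" state=ENABLE sharedsecret="$secret"
}

Write-Host "Shared secret for the AP cluster (store it in your password vault):"
Write-Host $secret

# Verify that every client is present and enabled before testing from an AP.
netsh nps show client
```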
Define the Connection Request Policy:
Under Connection Request Policy, create a new policy. On the Overview tab:
- make sure it is enabled
- the type of network access server is Unspecified
On the Conditions tab:
- Client Friendly Name: set to something that matches the Client Friendly Names you set above; for example, I have cap-1, cap-2, and cap-3, so my Client Friendly Name in the connection policy is cap-*
On the Settings tab, Authentication methods:
- select Override network policy authentication settings
- Add EAP Types EAP-MSCHAP-v2 and PEAP
- select MS-CHAP-v2
- select MS-CHAP
- leave all the other boxes unselected
You shouldn't need any other values.
Define the Network Policy:
On the Overview tab:
- make sure it is enabled
- Grant access
- clear Ignore user account dial-in properties
- Type of network access server is Unspecified
On the Conditions tab:
- Windows Groups: set to the windows user group that will grant access
- Client Friendly Name: same as the connection policy above
On the Constraints tab:
- leave everything at the defaults; ideally it should look the same as the connection policy above
On the settings tab:
- remove the Standard Radius Attributes (PPP framing type, etc.), since they are not needed
Configure Domain Clients:
Wireless Properties:
Security tab:
- WPA2-Enterprise
- AES
- PEAP
- Remember my credentials
PEAP Settings:
- clear Validate Server Certificate
- Select Authentication Method: EAP-MSCHAP-v2
- Enable Fast Reconnect
Security tab, Advanced Settings:
- Specify authentication mode: user authentication
Configure Non-Domain Windows Clients:
As above, except:
EAP-MSCHAP-v2 Configure:
- clear Automatically Use my Windows logon name and password (and domain if any)
Further Refinements
I added a second Network Access policy that permits access to computers that are members of a particular group.
I then changed the Security Tab -> Advanced Settings -> Specify Authentication Mode to Computer authentication.
Finally a co-worker created a GPO that pushes out a pre-defined SSID network definition with the settings above to all domain member computers.
Now all domain laptops automatically connect to the wireless.
Non-domain member computers can still join as long as the Specify Authentication Mode is set to User authentication.
Configuring tablets, phones, and non-Windows computers is left as an exercise for the reader.