For When You Can't Have The Real Thing
[ start | index | login ]
start > Windows > Server > 2008 > Radius Server for Cisco AP541N

Radius Server for Cisco AP541N

Created by dave. Last edited by dave, 5 years and 87 days ago. Viewed 2,900 times. #3
[diff] [history] [edit] [rdf]
labels
attachments
(2013-09-13)

Problem

I need to set up a NPS server on my Windows 2008 Server to act as a Radius authenticator to a cluster of Cisco AP541N access points.

Solution

This worked for me.

On the AP541N:

Set the Global Radius settings:

  • Radius server IP
  • Radius secret
Set the SSID to connect to by selecting all:
  • WPA
  • WPA2
  • Enable pre-authentication
  • TKIP
  • CCMP (AES)
  • Use global RADIUS server settings
NPS Pre-configuration:

The role to install is Network Policy and Access Services, the service is Network Policy Server.

Once it is installed, right-click on NPS (local) and select Register Server In Active Directory.

(Also note that I usually have to stop and then start the NPS Service after running through the below configuration the first time; future changes seem to take effect right away.)

Define the RADIUS clients: Server Manager -> Roles -> Network Policy and Access -> NPS (Local) -> Radius Clients -> Radius Clients

Create a new client:

  • Make sure it is enabled
  • Short, friendly name
  • IP address or DNS name
  • Manual shared secret
Repeat this set up for each AP in the cluster.

Define the Connection Request Policy:

Under Connection Request Policy, create a new policy. On the overview tab:

  • make sure it is enabled
  • the type of network access server is Unspecified
On the Conditions tab:
  • Client Friendly Name, set to soemthing which matches the Client Friendly Names you set above; for example, I have cap-1, cap-2, and cap-3, so my Client Friendly Name in the connection policy is cap-*
On the Settings tab, Authentication methods:
  • select Override network policy authentication settings
  • Add EAP Types EAP-MSCHAP-v2 and PEAP
  • select MS-CHAP-v2
  • select MS-CHAP
  • leave all the other boxes unselected
You shouldn't need any other values.

Define the Network Policy:

On the Overview tab:

  • make sure it is enabled
  • Grant access
  • clear Ignore user account dial-in properties
  • Type of network access server is Unspecified
On the Conditions tab:
  • Windows Groups: set to the windows user group that will grant access
  • Client Friendly Name: same as the connection policy above
On the Constraints tab:
  • leave everything as default; but ideally it should look the same as the connection policy above
On the settings tab:
  • remove the Standard Radius Attributes (PPP Framing type etc) because you don't need them
Configure Domain Clients:

Wireless Properties:

  • Connect automatically
Security tab:
  • WPA2-Enterprise
  • AES
  • PEAP
  • Remember my credentials
PEAP Settings:
  • clear Validate Server Certificate
  • Select Authentication Method: EAP-MSCHAP-v2
  • Enable Fast Reconnect
Security tab, Advanced Settings:
  • Specify authentication mode: user authentication
Configure Non-Domain Windows Clients:

As above, except:

EAP-MSCHAP-v2 Configure:

  • clear Automatically Use my Windows logon name and password (and domain if any)

Further Refinements

I added a second Network Access policy that permits access to computers that are members of a particular group.

I then changed the Security Tab -> Advanced Settings -> Specifiy Authentication Mode to Computer authentication.

Finally a co-worker created a GPO that pushes out a pre-defined SSID network definition with the settings above to all domain member computers.

Now all domain laptops automatically connect to the wireless.

Non-domain member computers can still join as long as the Specify Authentication Mode is set to User authentication.

Configuring tablets, phones, and non-Windows computers is left as an exercise for the reader.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt