It describes how to create an infrastructure for authentication, authorization, and accounting for wireless connections using Microsoft RADIUS Server (IAS/NPS) and Windows clients.
Before going into the details of how to create the protected 802.1x network, let’s take a minute to understand the components of 802.1x.
Additionally, configure RADIUS settings on your wireless AP switches with the following:

· The IP address or name of the RADIUS server
· The RADIUS shared secret
· UDP ports for authentication and accounting, and failure detection settings.
· Create the connection request policies and network policies required.

You can use the RAS and IAS certificate template to create a new template to use for NPS servers.

To force a refresh of Computer Configuration Group Policy for a computer running Windows 7, Windows XP, or Windows Server 2003, restart the computer or type gpupdate /target:computer at a command prompt.
If the wireless APs require vendor-specific attributes (VSAs) or additional RADIUS attributes, you must add the VSAs or attributes to the remote access policies of the IAS/NPS servers.

The steps needed are:

· Install the NPS server role on the server.

The link below discusses configuring this template and enabling it for auto-enrollment: PS Server Certificate: Configure the Template and Autoenrollment

We can follow the blog given below to install and configure the NPS: configure Wireless Network Policies Group Policy settings, do the following: 1.

For user authentication with EAP-TLS, a locally installed user certificate or a smart card must be used.
For user authentication with EAP-TLS or PEAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.
To create the certificate infrastructure, follow the steps below:

· Install a Certificate Infrastructure
· Install Computer Certificates
· Install User Certificates

Once the Certificate Infrastructure is ready, you need to configure AD accounts and groups.

· Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote Access Policy) as shown below:

The next step is to deploy the wireless Access Point. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients.

The AP needs to be configured to support WPA, WPA2, or WEP encryption with 802.1X authentication. On the Network Properties tab, type the wireless network name (SSID) and change wireless network key settings as needed.

If the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain requests a computer certificate when Computer Configuration Group Policy is refreshed.

If you want to validate the computer certificate of the NPS server, select Validate server certificate (recommended and enabled by default).

To summarize, for EAP-TLS or PEAP-TLS, you need to have a certificate infrastructure to issue computer certificates to your NPS servers and both computer and user certificates to your wireless client computers.

If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect to these servers and type the names.

For PEAP-MS-CHAP v2, you only need to install computer certificates on the NPS servers, provided that the appropriate root CA certificates are already installed on the wireless clients.

Open the Active Directory Users and Computers snap-in.
In the console tree, double-click Active Directory Users and Computers, right-click the domain container that contains your wireless computer accounts, and then click Properties. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy), and then click Edit. In the console tree, open Computer Configuration, then Windows Settings, then Security Settings, then Wireless Network (IEEE 802.11) Policies. Right-click Wireless Network (IEEE 802.11) Policies and then click Create Wireless Network Policy.

The locally installed user certificate must be obtained through autoenrollment, Web enrollment, by requesting the certificate using the Certificates snap-in, by importing a certificate file, or by running a CAPICOM program or script.

In the Wireless Network Policy Wizard, type a name and description. In the details pane, double-click your newly created wireless network policy.

If you have configured autoenrollment of user certificates, then the wireless user must update their User Configuration Group Policy to obtain a user certificate.

Note: There have been reports of Android devices corrupting network profiles; when this happens, the device keeps trying and failing to connect to FVCCNET. Removing ('forgetting') the profile and re-entering it seems to fix the problem.

You will need to manage Active Directory users and groups for wireless access, configure NPS servers as RADIUS servers to the wireless APs, and configure the wireless APs as RADIUS clients to the IAS servers.

In order to connect to FVCC's wireless network, you will need your FVCC Logon ID (aka. If you don't know your FVCC Logon ID and password, please bring a photo ID to MIS.