RADIUS Server

You can use a Windows Server 2008 computer to authenticate wireless users by configuring the Windows Server 2008 computer as a RADIUS server and configuring your wireless access points to send authentication requests to the RADIUS server.


Select Network Policy Server. Click Next. Select Install to continue. Installation succeeded. Select Close.

Expand NPS. From the drop-down list, select RADIUS server for 802.1x Wireless or Wired Connections. Select Configure 802.1x. Select Secure Wireless Connections. A default policy name is filled in (this can be changed). Click Next.

Click Add to specify a wireless access point. Choose a friendly name for the connection and fill in the IP address of the access point. Click Verify. Select Resolve; once verified, click OK.

Fill in the secret key for the connection. Confirm the key and click OK. The RADIUS client has been added. Click Next to continue.

Select an authentication method from the drop-down list. For this exercise, select EAP-MSCHAPv2. Select Configure.

Authentication Methods

Microsoft: Protected EAP (PEAP). This authentication method requires you to install a computer certificate on the RADIUS server and a computer certificate or user certificate on all wireless client computers. All client computers must trust the certification authority (CA) that issued the computer certificate installed on the RADIUS server, and the RADIUS server must trust the CA that issued the certificates that the client computers provide. The best way to do this is to use an enterprise PKI (such as the Active Directory Certificate Services role in Windows Server 2008). PEAP is compatible with the 802.1X Network Access Protection (NAP) enforcement method.

Microsoft: Smart Card Or Other Certificate. Essentially the same authentication method as PEAP, this authentication technique relies on users providing a certificate using a smart card. When you select this authentication method, Windows wireless clients prompt users to connect a smart card when they attempt to connect to the wireless network.

Microsoft: Secured Password (EAP-MSCHAP v2). This authentication method requires computer certificates to be installed on all RADIUS servers and requires all client computers to trust the CA that issued the computer certificate installed on the RADIUS server. Clients authenticate using domain credentials.

The number of authentication retries can be configured here, as can whether password changes are allowed. Click OK to continue, then Next. Add the remote users or groups, then click Next to continue.

Virtual LAN configuration. Select Configure, select Tunnel Type, then Edit.

Select Commonly used for 802.1x, VLAN. Click OK to continue. The attribute has been added. Click OK to continue, then OK again.

A vendor-specific attribute can be added. Click OK to continue, then OK again. Click Next to continue. Click Finish.

Expand Advanced Configuration. The RADIUS server needs to be registered with Active Directory. Right-click NPS (Local) and select Register server in Active Directory. Click OK to continue. The server is now authorised. Click OK to continue.

RADIUS Proxy

The most common use of a RADIUS proxy is to submit requests to organization-specific RADIUS servers based on the realm identified in the RADIUS request. In this way, different organizations can manage their own RADIUS servers (and thus manage the user accounts that each RADIUS server authenticates). For example, if your organization has two domains that do not trust each other, you could have your wireless access points submit requests to your RADIUS proxy. The RADIUS proxy could then determine which domain’s RADIUS proxy to forward the request to. You can also use a RADIUS proxy to load-balance requests across multiple RADIUS servers if one RADIUS server is unable to handle the load.

If you have existing RADIUS servers and you need a layer of abstraction between the access points and the RADIUS servers or if you need to submit requests to different RADIUS servers based on specific criteria, you can configure Windows Server 2008 as a RADIUS proxy.

Expand RADIUS Clients and Servers. Right-click Remote RADIUS Server. Select New. Specify a group name, then click Add. Add the server address and click Verify. Resolve the address, then click OK to continue.

Authentication/Accounting: Fill in and confirm the shared secret for this connection. Accounting will use the same secret key by default. Select the Load Balancing tab. Authentication requests can be split between multiple servers by assigning different priorities and weights to each server. Click OK to continue. The server is now added to the group. Click OK to continue. More servers can be added to the group if required. The Connection Request policy has been added.

The new Network Policy is active.
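
The forwarding decision described under RADIUS Proxy (route by realm, then split requests by priority and weight), sketched in Python as an added example; it is not part of the original lesson and is not NPS code. The realm names, addresses and the choice to reject unknown realms rather than forward them are assumptions; the rule that the lowest priority number is tried first and weight splits load within that priority mirrors the Load Balancing tab.

```python
import random
import re

# Constructed sample data: realm -> remote RADIUS server group.
# Each member is (address, priority, weight). The lowest priority number is
# tried first; weight splits requests between members sharing a priority.
GROUPS = {
    "corp.example": [("10.0.1.10", 1, 70), ("10.0.1.11", 1, 30),
                     ("10.0.1.12", 2, 100)],
    "partner.example": [("10.0.2.10", 1, 100)],
}

def realm_of(user_name):
    """Return the realm from user@realm or REALM\\user, or None if absent."""
    m = re.fullmatch(r"[^@\\]+@([^@\\]+)", user_name)
    if m:
        return m.group(1).lower()
    m = re.fullmatch(r"([^@\\]+)\\[^@\\]+", user_name)
    return m.group(1).lower() if m else None

def pick_server(user_name, down=(), rng=random):
    """Return the address to forward the request to, or None to reject it."""
    members = GROUPS.get(realm_of(user_name) or "")
    if not members:
        return None  # assumption: unknown or missing realm is not forwarded
    alive = [m for m in members if m[0] not in down]
    if not alive:
        return None  # every member of the group is unavailable
    best = min(priority for _, priority, _ in alive)
    tier = [m for m in alive if m[1] == best]
    # Weighted choice among the members of the best available priority.
    return rng.choices([addr for addr, _, _ in tier],
                       weights=[weight for _, _, weight in tier])[0]

if __name__ == "__main__":
    for name in ("alice@corp.example", "bob@partner.example", "eve@other.example"):
        print(name, "->", pick_server(name))
```

Rejecting requests whose realm matches no group keeps a mistyped or unexpected realm from reaching a directory it was never meant to authenticate against.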