Setup enterprise wireless in Windows Server 2008 R2: Part 2 NPS

Once the GPOs are configured to give client computers the settings they need to obtain a certificate from the domain, the next step is authenticating the wireless clients against the domain using Network Policy Server (NPS) acting as a RADIUS server.

First add a RADIUS client; in my case this is the SonicPoint's IP address.  I manually entered the Shared Secret.  The same secret must be entered on the SonicPoint, and it should be long and random: it is the only thing protecting the RADIUS exchange between the access point and NPS.

Next add a Connection Request Policy:

Type of network access server: Unspecified

Conditions: NAS Port Type: Wireless – IEEE 802.11 (middle section) and Wireless – Other (bottom section)

Next add a Network Policy:

Access Permission: Grant access

Type of network access server: Unspecified

Conditions: NAS Port Type: Wireless – IEEE 802.11 (middle section) and Wireless – Other (bottom section)

Conditions: Windows Groups: <Specify Windows Security Group for laptops to access wireless>

Constraints: Authentication Methods: EAP Types: Microsoft: Protected EAP (PEAP), with Secured password (EAP-MSCHAP v2) as the EAP type inside the tunnel.  Untick the less secure methods (MS-CHAP, CHAP, PAP) below the EAP list so that only PEAP is accepted.

Select PEAP and click Edit, then choose the server certificate issued by the domain CA.  This is the certificate NPS presents to clients during the PEAP handshake, so the clients must trust that CA.  Note that with PEAP and EAP-MSCHAP v2 this server certificate is the only certificate involved: the laptop proves its identity with its domain account credentials inside the TLS tunnel, not with the auto-enrolled computer certificate (using the computer certificate itself would require the Smart Card or other certificate (EAP-TLS) method instead).

Test the setup with the firewall's user authentication test tool to confirm that usernames and passwords are validated against the domain.  Make sure the NPS server is registered in Active Directory (right-click NPS > Register server in Active Directory); otherwise it cannot read account dial-in properties and rejects every request.  Enable NPS accounting (log file or SQL) to troubleshoot authentication failures; NPS also writes a Security-log event for every request (6272 for granted, 6273 for denied) that records the reason code and the connection request and network policies that matched.
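To make those Security-log events usable for troubleshooting, here is an added PowerShell script (not part of the original post) that summarises recent NPS grants and denials by reason code, account and access point.  It assumes it runs on the NPS server with permission to read the Security log, and that the events carry the standard 6272/6273 field names (SubjectUserName, CallingStationID, NASIPv4Address, ReasonCode and so on).  The -NasAddress filter and the small reason-code table are my additions; the table covers only a handful of the codes NPS uses and falls back to the event's own Reason text for the rest.

```powershell
# Summarise NPS authentication results from the Security log (added example,
# not from the original post).  Assumes it runs on the NPS server with rights
# to read the Security log.  6272 = NPS granted access, 6273 = NPS denied access.
param(
    [int]$Hours = 24,
    [string]$NasAddress = ""   # optional: only requests from this RADIUS client (e.g. the SonicPoint)
)

# A few common NPS reason codes (subset of the full list, for readability).
$reasonText = @{
    '16' = 'credentials mismatch (bad password or unknown account)'
    '48' = 'no network policy matched the request'
    '65' = 'account dial-in permission is set to Deny access'
    '66' = 'authentication method not enabled on the matching network policy'
}

function Get-EventField($eventXml, $name) {
    # EventData/Data nodes are keyed by their Name attribute.
    $node = $eventXml.Event.EventData.Data | Where-Object { $_.Name -eq $name }
    if ($node) { $node.'#text' } else { $null }
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x   = [xml]$e.ToXml()
    $nas = Get-EventField $x 'NASIPv4Address'
    if ($NasAddress -and $nas -ne $NasAddress) { continue }

    $code = Get-EventField $x 'ReasonCode'
    if ($reasonText.ContainsKey("$code")) { $reason = $reasonText["$code"] } else { $reason = Get-EventField $x 'Reason' }
    if ($e.Id -eq 6272) { $result = 'GRANTED' } else { $result = 'DENIED' }

    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Result     = $result
        Account    = Get-EventField $x 'SubjectUserName'   # machine accounts appear in host/ form for computer authentication
        ClientMac  = Get-EventField $x 'CallingStationID'
        NAS        = $nas
        CRP        = Get-EventField $x 'ProxyPolicyName'   # connection request policy that matched
        Policy     = Get-EventField $x 'NetworkPolicyName'
        AuthType   = Get-EventField $x 'AuthenticationType'
        EapType    = Get-EventField $x 'EAPType'
        ReasonCode = $code
        Reason     = $reason
    }
}

"NPS results since $since" + $(if ($NasAddress) { " from NAS $NasAddress" })
$rows | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

"Denials by reason:"
$rows | Where-Object { $_.Result -eq 'DENIED' } |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

"Ten most recent denials:"
$rows | Where-Object { $_.Result -eq 'DENIED' } | Sort-Object Time -Descending |
    Select-Object Time, Account, ClientMac, NAS, CRP, Policy, AuthType, EapType, ReasonCode -First 10 |
    Format-Table -AutoSize
```

Run it as an administrator on the NPS server, for example `.\nps-summary.ps1 -Hours 2 -NasAddress 192.168.1.20` while reproducing a failing connection from a laptop.  A run of reason code 48 means the request matched no network policy (typically the NAS Port Type or Windows Groups condition), 66 means the client offered an EAP type the policy does not allow, and 16 on computer authentication usually points at a machine account problem rather than a user password.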

 

 


Setup enterprise wireless in Windows Server 2008 R2: Part 1 GPO

I needed to add enterprise wireless to my domain using a Sonicwall system (NSA firewall and SonicPoint wireless).  The setup for those devices will not be covered here.

After looking at various authentication methods, I decided to use certificates to authenticate the computers but not the users.  Once the computer is authenticated with the domain it will receive its GPO configuration, including Software Installation policies.

The first step (after installing and configuring an enterprise Certification Authority in the domain) is to create a GPO that configures auto-enrollment on the PCs.  The settings are all under Computer Configuration:

[Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment]

Set Configuration Model: Enabled and tick the two options, Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates.

[Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings]

Add a new automatic certificate request using the Computer template.

These settings may already be present in the Default Domain Policy, in which case they do not need to be repeated in a new GPO.

Next create the wireless network settings in a new GPO.  This will be targeted at the specific group of computers that require wireless access.

[Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies]

Add a new policy and enter a Policy Name.  Under Connect to available networks in the order of profiles listed below, click Add > Infrastructure.

Enter a Profile Name and add at least one SSID.  On the Security tab specify the details used to connect to the Access Point.  I’m using WPA2-Enterprise and AES.  Authentication Method is PEAP and Mode is Computer Authentication.  Click Properties next to PEAP, keep Validate server certificate ticked and select the domain's root CA under Trusted Root Certification Authorities; without that check, any access point presenting any certificate can stand up a PEAP tunnel and capture the client's MSCHAP v2 exchange.

Click OK twice to save the policy.

I then linked the GPO to my Laptops OU (which contains the computer objects for the laptops) and created a Security Group to control which laptops can access the wireless network.  Add this Security Group to the Security Filtering of the GPO.
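Once the GPO is linked and the laptop has rebooted (or run gpupdate /force), it is worth checking on the client that all three pieces arrived: the auto-enrolled computer certificate, trust in the domain CA, and the wireless profile with the intended security settings.  The following PowerShell script is an added example and not part of the original post.  The profile name CorpWiFi and the CA name Contoso Root CA are placeholders, and the checks of the exported profile assume the XML layout that netsh wlan export profile produces (WPA2/AES under authEncryption, authMode machine for Computer authentication, EAP method type 25 for PEAP).

```powershell
# Client-side verification of the GPO settings (added example, not from the
# original post).  Run as administrator on a domain-joined laptop.
# Placeholders: the wireless Profile Name and the issuing CA's common name.
param(
    [string]$ProfileName = "CorpWiFi",        # Profile Name set in the wireless GPO (placeholder)
    [string]$CaName      = "Contoso Root CA"  # CN of the domain CA (placeholder)
)

$ok = $true

# 1. Auto-enrollment: a valid machine certificate from the domain CA with the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2) should be in LocalMachine\My.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$CaName*" -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
}
if ($machineCerts) {
    "OK   machine certificate(s): " + (($machineCerts | ForEach-Object { $_.Subject + " expires " + $_.NotAfter.ToShortDateString() }) -join '; ')
} else {
    "FAIL no machine certificate from $CaName with Client Authentication EKU (try: certutil -pulse, then gpupdate /force)"
    $ok = $false
}

# 2. The domain CA must be trusted, or the client cannot validate the
#    certificate NPS presents inside PEAP.
if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$CaName*" }) {
    "OK   $CaName present in Trusted Root Certification Authorities"
} else {
    "FAIL $CaName not in Trusted Root Certification Authorities"; $ok = $false
}

# 3. Wireless profile delivered by the GPO: export it to XML and compare the
#    security settings with what the policy is meant to set.
$tmp = Join-Path $env:TEMP "wlan-check"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile "name=$ProfileName" "folder=$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter *.xml | Select-Object -First 1
if (-not $xmlFile) {
    "FAIL no wireless profile named $ProfileName (GPO not applied? check gpresult /r and netsh wlan show profiles)"; $ok = $false
} else {
    $p   = [xml](Get-Content $xmlFile.FullName)
    $sec = $p.WLANProfile.MSM.security
    # expected values: WPA2-Enterprise with AES, 802.1X on, computer authentication, PEAP (EAP type 25)
    $checks = @{
        'authentication' = @($sec.authEncryption.authentication, 'WPA2')
        'encryption'     = @($sec.authEncryption.encryption,     'AES')
        'useOneX'        = @($sec.authEncryption.useOneX,        'true')
        'authMode'       = @($sec.OneX.authMode,                 'machine')
        'EAP type'       = @($sec.OneX.EAPConfig.EapHostConfig.EapMethod.Type, '25')
    }
    foreach ($name in $checks.Keys) {
        $actual, $expected = $checks[$name]
        if ("$actual" -eq $expected) { "OK   $name = $actual" }
        else { "FAIL $name = '$actual' (expected $expected)"; $ok = $false }
    }
}
Remove-Item $tmp -Recurse -Force

if ($ok) { "All checks passed" } else { "One or more checks failed" }
```

If the certificate check fails right after linking the GPO, certutil -pulse triggers auto-enrollment immediately instead of waiting for the next policy refresh.  If the profile export produces nothing, netsh wlan show profiles shows which profiles were delivered by Group Policy, which tells you whether the problem is GPO scoping (OU link or security filtering) rather than the profile contents.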