- \n
- PEAP (Protected EAP)<\/li>\n
- EAP-TLS<\/li>\n<\/ul>\n
PEAP is normally used to authenticate users by using a username and password<\/strong>. The RADIUS server will show a certificate to the users so that they can verify that they are talking to the correct RADIUS server. EAP-TLS is the most secure form<\/strong> of wireless authentication because it replaces the client username\/password with a client certificate<\/strong>.<\/p>\n
This tutorial will walk you through the installation and configuration of Windows Server 2008 using NPS (Network Policy Server) as the RADIUS server for a Cisco wireless LAN controller. We will configure the server so that it supports PEAP using MS-CHAPv2 for password authentication but we\u2019ll also look at EAP-TLS which can be used to authenticate clients using certificates that we will generate on the server. In this tutorial we will configure the following components on the server:<\/p>\n
- \n
- Active Directory<\/li>\n
- DNS<\/li>\n
- Certificate Services<\/li>\n
- IIS<\/li>\n
- NPS<\/li>\n<\/ul>\n
Active Directory (AD) is where we store all the user accounts, it\u2019s the central database that we use for authentication. Whenever you install an AD you also require a DNS server. Certificate services will be used to install the server as a root CA so that we can generate a computer certificate that will be presented to wireless clients and to generate the client certificates for EAP-TLS.<\/p>\n
IIS is the web server and we will use it so that EAP-TLS clients can easily request a certificate with their web browser for their wireless connection. Last but not least, NPS is the RADIUS server and that\u2019s where we will configure some wireless policies.<\/p>\n
I realized that many network engineers are comfortable configuring switches and wireless equipment but might be new to Windows Server 2008. This \u201chow to\u201d was written so anyone without \u201cWindows Server\u201d experience should be able to get the job done.<\/p>\n
This is the topology that I will use for this example:<\/p>\n
![\"Server](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/server-2008-eap-demo-topology.png\")
<\/a><\/p>\nA fairly simple topology with a single switch that connects the server, WLC and access point together. I\u2019m using a Cisco wireless LAN controller to demonstrate this but the configuration will be the same for any other wireless LAN controller or access point. The configuration for Windows Server 2008 will be the same. There\u2019s plenty of work so let\u2019s get started!<\/p>\n
>Basic Network Configuration<\/h2>\n
Before we start with the installation of Active Directory we\u2019ll fix some basics like setting the correct computer name and IP address.<\/p>\n
Computer Name<\/h3>\n
Click Start<\/strong> > Computer<\/strong> (right mouse click) > Properties<\/strong>.<\/p>\n
![\"windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-computer-properties.png\")
<\/a><\/p>\nClick on Change Settings<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-system.png\")
<\/a><\/p>\nClick the Change<\/strong> button.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-system-properties.png\")
<\/a><\/p>\nHere\u2019s where you will enter the computer name. I\u2019ll use \u201cAD\u201d (Active Directory). You don\u2019t have to change the workgroup name as we\u2019ll turn this computer into a domain controller in a minute. Make your changes and click on OK<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-computer-name.png\")
<\/a><\/p>\nOnce you change the computer name you will have to reboot<\/strong> before the changes will occur. Once your server is rebooted you\u2019ll have to change the IP address.<\/p>\n
IP address<\/h3>\n
Make sure you don\u2019t configure any DNS servers<\/strong> as this server will become a DNS server. You don\u2019t have to configure a default gateway but if you have a router that leads to the outside world you can enter it here:<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-change-ip-address.png\")
<\/a><\/p>\nOnce you have configured your computer name and IP address we can continue with the installation of Active Directory.<\/p>\n
Installing Active Directory<\/h2>\n
Active Directory is where we store all the usernames in a central database. To install it we need to add a new role to the server.<\/p>\n
Click on Start<\/strong> > Administrative Tools<\/strong> > Server Manager<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-start-menu-server-manager.png\")
<\/a><\/p>\nClick on Roles<\/strong> > Add Roles<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-server-manager-roles.png\")
<\/a><\/p>\nYou will be presented with the following wizard. Click on Next<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-wizard.png\")
<\/a><\/p>\nSelect Active Directory Domain Services<\/strong> and click on Next<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-wizard-overview.png\")
<\/a><\/p>\nYou will get a notification about adding the .NET Framework feature. Click on Add Requires Features<\/strong>.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-features-requested.png\")
<\/a><\/p>\nClick Next<\/strong> to continue.<\/p>\n
![\"Windows](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-wizard-ad-selected.png\")
<\/a><\/p>\nYou will see an introduction about Active Directory Domain Services. Click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-active-directory-install\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-active-directory-install.png\")
<\/a><\/p>\nClick Next<\/strong> to confirm the installation options.<\/p>\n
![\"windows-server-2008-active-directory-install-confirm\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-active-directory-install-confirm.png\")
<\/a><\/p>\nYou will see the following screen that indicates the installation progress:<\/p>\n
![\"windows-server-2008-active-directory-installation-progress\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-active-directory-installation-progress.png\")
<\/a><\/p>\nOnce the installation is done you might receive a warning about Windows automatic updating. If this is a production server, make a mental note to enable windows updates in the future. Click on Close<\/strong>to continue.<\/p>\n
![\"windows-server-2008-active-directory-installation-results\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-active-directory-installation-results.png\")
<\/a><\/p>\nOnce Active Directory Domain Services is installed we can create a new domain. Click on the start<\/strong>button and type \u201cdcpromo<\/strong>\u201d (without the quotes):<\/p>\n
![\"windows-server-2008-dcpromo\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-dcpromo.png\")
<\/a><\/p>\nYou will see a welcome screen, leave \u201cuse advanced mode installation\u201d unchecked and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-ad-domain-services-installation-wizard\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-installation-wizard.png\")
<\/a><\/p>\nYou will be presented with some information about operating system compatibility. Click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-compatibility\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-compatibility.png\")
<\/a><\/p>\nWe will create a new forest with a new domain. Select the second option and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-ad-domain-services-new-domain\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-new-domain.png\")
<\/a><\/p>\nThe FQDN (Fully Qualified Domain Name) of my forest root domain will be \u201cNETWORKLESSONS.LOCAL\u201d. Click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-FQDN\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-FQDN.png\")
<\/a><\/p>\nWe will have to select the Forest Functional Level. If you only use Server 2008 R2 or later versions then you can select the \u201cWindows Server 2008 R2\u2033 functional level. If you plan to use older versions of Windows Server then you should use a \u201clower\u201d functional level. I don\u2019t plan to add any other servers to this network so I\u2019ll select \u201cWindows Server 2008 R2\u2033 and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-forest-functional-level-2008R2\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-forest-functional-level-2008R2.png\")
<\/a><\/p>\nSelect \u201cDNS server\u201d and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-ad-domain-services-dns\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-dns.png\")
<\/a><\/p>\nYou will receive a notification that the server is unable to create a DNS entry. This is OK because the DNS server isn\u2019t installed yet. Click on Yes<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-dns-delegation\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-dns-delegation.png\")
<\/a><\/p>\nThe default folder structure is fine, click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-folders\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-folders.png\")
<\/a><\/p>\nA separate password is used in case you need to restore your Active Directory. I recommend to use a different password than the administrator password for this. Click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-restore-password\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-restore-password.png\")
<\/a><\/p>\nYou will receive a summary, click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-summary\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-summary.png\")
<\/a><\/p>\nIt will take a couple of minutes to install everything, you will see this progress screen:<\/p>\n
![\"windows-server-2008-ad-domain-services-progress\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-progress.png\")
<\/a><\/p>\nClick on Finish<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ad-domain-services-completion\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-completion.png\")
<\/a><\/p>\nThe server will ask you to restart, Click on Restart Now<\/strong>.<\/p>\n
![\"windows-server-2008-ad-domain-services-restart\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ad-domain-services-restart.png\")
<\/a><\/p>\nOnce your server is restarted you will have a working Active Directory and DNS server. The next step will be to install the certificate server.<\/p>\n
\u00a0Installing Certificate Server<\/h2>\n
When PEAP wireless clients try to connect to the network, the RADIUS server will present a computer certificate to the user to authenticate itself. It\u2019s up to the client to accept only valid certificates and this will help to prevent spoofing attacks where an attacker might run a fake RADIUS server. EAP-TLS will also use require the computer certificate from the RADIUS server but we\u2019ll also require a client certificate for each user that wants to connect to the wireless network.<\/p>\n
In order to do this we will configure our server to become a root CA<\/strong> (Certificate Authority). This allows us to generate a computer certificate and also to generate client certificates.<\/p>\n
Click on Start<\/strong> > Administrative Tools<\/strong> > Server Manager<\/strong>.<\/p>\n
<\/a><\/p>\nClick on Roles<\/strong> > Add Roles.<\/strong><\/p>\n
<\/a><\/p>\nClick on Next<\/strong> to continue.<\/p>\n
<\/a><\/p>\nSelect Active Directory Certificate Services<\/strong> and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-add-roles-ad-certificate-services\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-ad-certificate-services.png\")
<\/a><\/p>\nYou will see an introduction to Active Directory Certificate Services. Click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-introduction-to-certificate-services\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-introduction-to-certificate-services.png\")
<\/a><\/p>\nSelect Certification Authority.\u00a0<\/strong>If you want to use EAP-TLS<\/strong> then you should also select Certification Authority Web Enrollment<\/strong>. This will allow us to request client certificates through the web browser which is very convenient.<\/p>\n
![\"windows-server-2008-add-roles-certification-authority\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-certification-authority.png\")
<\/a><\/p>\nOnce you select Certification Authority Web Enrollment you will receive a notification that we need to install IIS (Web Server). Click on Add Required Role Services<\/strong> to continue.<\/p>\n
![\"windows-server-2008-add-roles-ad-certificate-services-features\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-ad-certificate-services-features.png\")
<\/a><\/p>\nMake sure both services are selected and click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-add-roles-ca-web-enrollment\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-add-roles-ca-web-enrollment.png\")
<\/a><\/p>\nThe certificate server can be part of the domain and use active directory or run as stand-alone. We want it to use the active directory so select Enterprise<\/strong> and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-ca-type\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ca-type.png\")
<\/a><\/p>\nYou can specify if you want this server to be a new Root CA or if you want it to be a Subordinate CA. Select Root CA<\/strong> and click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-root-ca\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-root-ca.png\")
<\/a><\/p>\nSelect Create a new private key<\/strong> and click on Next<\/strong>.<\/p>\n
![\"windows-server-2008-new-private-key\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-new-private-key.png\")
<\/a><\/p>\nThe default cryptography parameters are fine, click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ca-cryptography\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ca-cryptography.png\")
<\/a><\/p>\nThe default CA name is also fine, it will use the computer name and domain name for this. Click onNext<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ca-name\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ca-name.png\")
<\/a><\/p>\nThe default validity period for the root CA certificate is 5 years. Click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ca-validity-period\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ca-validity-period.png\")
<\/a><\/p>\nClick Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-ca-database-location\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-ca-database-location.png\")
<\/a><\/p>\nIf you selected the web enrollment option you will see the installation wizard for IIS. You can read the introduction if you like or click on Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-IIS-installation\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-IIS-installation.png\")
<\/a><\/p>\nThe default role services are fine, click Next<\/strong> to continue.<\/p>\n
![\"windows-server-2008-IIS-role-services\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-IIS-role-services.png\")
<\/a><\/p>\nIn the confirmation screen you will be warned that you can\u2019t make any changes to the computer name or domain name once you installed the certificate services. Click Install<\/strong> to continue.<\/p>\n
![\"windows-server-2008-CA-IIS-confirmation\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-CA-IIS-confirmation.png\")
<\/a><\/p>\nYou will see the following Installation Progress, grab a quick drink\u2026<\/p>\n
![\"windows-server-2008-CA-IIS-progress\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-CA-IIS-progress.png\")
<\/a><\/p>\nOnce the installation is done you will see another notification that you should enable Windows updates. Click on Close<\/strong>.<\/p>\n
![\"windows-server-2008-CA-IIS-installation-results\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-CA-IIS-installation-results.png\")
<\/a><\/p>\nRight now you have a working Certificate Authority and IIS is running to serve web requests. If you plan to use EAP-TLS we need to enable HTTPS support for IIS, by default it is disabled. If you only want to use PEAP then you can skip this step. Click on Start<\/strong> > Administrative Tools<\/strong> > Internet Information Services (IIS) Manager<\/strong>.<\/p>\n
![\"windows-server-2008-iis-start-menu\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-iis-start-menu.png\")
<\/a><\/p>\nClick on AD<\/strong> (server name) > Sites<\/strong> > Default Web Site<\/strong> and select Bindings<\/strong> on the right side of the screen.<\/p>\n
![\"windows-server-2008-iis-manager\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-iis-manager.png\")
<\/a><\/p>\nClick on Add<\/strong>.<\/p>\n
![\"windows-server-2008-iis-site-bindings\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-iis-site-bindings.png\")
<\/a><\/p>\nSelect https<\/strong> in the Type dropdown box and make sure the SSL certificate has been selected. Click onOK<\/strong> to continue.<\/p>\n
![\"windows-server-2008-iis-site-binding-https\"](\"https:\/\/networklessons.com\/wp-content\/uploads\/2013\/06\/windows-server-2008-iis-site-binding-https.png\")
<\/a><\/p>\nThis concludes the installation of the certificate server and IIS. We can now move onto the configuration of the RADIUS server.<\/p>\n
Installing Network Policy Server<\/h2>\n
Network Policy Server (NPS) is the RADIUS server that you can find on Windows Server 2008. It has a lot of features and is pretty easy to configure. First we will have to install it.<\/p>\n
Click on Start<\/strong> > Administrative Tools<\/strong> > Server Manager<\/strong>.<\/p>\n
<\/a><\/p>\nClick on Roles<\/strong> > Add Roles<\/strong>.<\/p>\n