In this post, we will install Network Policy Server (NPS) to authenticate computers in our domain. WPA2-Enterprise with 802.1X authentication lets us authenticate users or computers in our domain. The most common method of authentication with PEAP-MSCHAPv2 is user authentication, in which clients are prompted to enter their domain credentials. It is also possible to configure RADIUS for machine authentication, in which the computers themselves are authenticated against RADIUS, so the user doesn't need to provide any credentials to gain access. Typically, you can use EAP-TLS to configure machine authentication.
The steps that we need to implement are as follows:
- Add the CA role to Windows Server (if you don't already have one).
- Add the NPS role to Windows Server.
- Add a trusted certificate to NPS.
- Add APs as RADIUS clients on the NPS server.
- Configure a policy in NPS to support PEAP-MSCHAPv2.
- Deploy PEAP-MSCHAPv2 wireless network settings and auto certificate enrollment to domain member computers using Group Policy.
Install CA Role:
I have already posted an article about installing CA role on a Windows Server. You can just follow those steps to install and configure it.
https://configland.com/windowsservers/197-setting-up-microsoft-active-directory-certificate-services
After I install and configure the CA, I can see the Root CA certificate under the Personal folder on my CA.
The Trusted Root Certification Authorities folder also has the same certificate.
Install & Configure NPS:
Server Manager > Add Roles and Features > Network Policy and Access Services and complete the wizard.
After you add the role, open the NPS MMC. Select "RADIUS server for 802.1X Wireless or Wired Connections", then click "Configure 802.1X".
Choose whether the connection type is wireless or wired.
Add your Access Point(s) IP address and specify a shared secret that will be used between the APs and the NPS server. The same secret must be entered on your APs, too.
As the authentication method, select Protected EAP (PEAP).
You can create a user group and specify an allow or deny rule for that specific group. I just leave it empty so the rule applies to all users.
Click Next and then Finish.
We have just created one Connection Request Policy and one Network Policy. Double-click the Secure Wireless Connections network policy and add the Domain Computers group, or any group you want to grant access.
Right-click NPS and select "Register server in Active Directory".
Click OK.
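The same NPS-side steps as a PowerShell script (an added example, not from the original post): it installs the role, registers NPS in AD, adds the APs as RADIUS clients with a generated shared secret, and checks that the server holds a certificate usable for PEAP. The AP names and addresses are placeholders; the cmdlets are from the built-in NPS and ServerManager modules.

```powershell
# Added example (not from the original post): automate the NPS-side steps.
# Assumes the domain CA is already issuing certificates; AP names/addresses
# below are placeholders to replace with your own.
#Requires -RunAsAdministrator

# 1. Add the NPS role ("Network Policy and Access Services").
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in AD so it can read the dial-in properties of users and
#    computers (same as "Register server in Active Directory" in the MMC).
netsh nps add registeredserver

# 3. Add each access point as a RADIUS client. Use a long random shared secret
#    rather than a dictionary word; it protects the RADIUS exchange between
#    the AP and NPS. Generate one here and record it for the AP configuration.
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$sharedSecret = [Convert]::ToBase64String($secretBytes)

$accessPoints = @{            # placeholder names and addresses
    'AP-Floor1' = '192.0.2.10'
    'AP-Floor2' = '192.0.2.11'
}
foreach ($ap in $accessPoints.GetEnumerator()) {
    New-NpsRadiusClient -Name $ap.Key -Address $ap.Value -SharedSecret $sharedSecret
}
Write-Host "Enter this shared secret on each AP: $sharedSecret"

# 4. Verify that NPS has a certificate usable for PEAP: a private key plus the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) in the machine store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$peapCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $serverAuthOid)
}
if (-not $peapCert) {
    Write-Warning 'No Server Authentication certificate in the machine store; PEAP will fail.'
} else {
    $peapCert | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# 5. Confirm the RADIUS clients were created and the NPS service (IAS) is running.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Get-Service -Name IAS | Select-Object Name, Status
```

The connection request and network policies themselves are still created through the wizard as described above; the script covers the role, registration, RADIUS clients and the certificate check.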
Configure Your Access Point:
Select WPA2-Enterprise and specify an SSID, Auth Type, Encryption, RADIUS Server IP and RADIUS Server Password. The password must be the same shared secret that we defined while configuring NPS earlier.
Create a GPO for Clients:
Now we will create a GPO that makes our computers automatically request a computer certificate from our CA. This GPO will also tell our domain computers to connect to our SSID.
Create a Group Policy Object and link it where you want to apply it. I named it Radius Policy. Click the Add button under Security Filtering and add Domain Computers.
Computer Configuration > Policies > Windows Settings > Security Setting > Public Key Policies> Automatic Certificate Request Settings > New > Automatic Certificate Request
Select Computer
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment > Right-click > Properties
Select Enabled > Check both checkboxes
Computer Configuration > Policies > Windows Settings > Security Setting > Wireless Network Policies > Create a new Vista or Later Policy
Give a name to the Policy > Click Add and choose Infrastructure
As Network Name enter your SSID and click Add button
Select security and authentication methods then click Properties
Make sure you select Connect to these servers and type your NPS server DNS name. We also define our Root CA here as the Trusted Root Certification Authority.
Let's test it on a workstation. Reboot your workstation to make sure the new group policy is applied to the computer. I successfully connected to my SSID.
Go to the wireless properties to see the details of this connection.
In this post we authenticated computers that are members of our domain. Thanks for reading.