
802.1X Computer Authentication with Network Policy Server

In this post we will install Network Policy Server (NPS) to authenticate the computers in our domain. WPA2-Enterprise with 802.1X authentication lets us authenticate either users or computers against the domain. The most common method, PEAP-MSCHAPv2 user authentication, prompts each user for domain credentials. RADIUS can also be configured for machine authentication, where the computer itself authenticates to RADIUS with its domain computer account, so the user does not have to provide any credentials to get network access. EAP-TLS, which authenticates the computer with a certificate, is the usual choice for machine authentication; PEAP-MSCHAPv2 also supports it by using the computer account credentials, and that is what we configure here. In both cases the client must validate the NPS server's certificate, otherwise a rogue access point with its own RADIUS server could collect the computer's authentication exchange.

The steps that we need to implement are as follows:

  • Add the CA role to Windows Server (if you don't already have one).
  • Add the NPS role to Windows Server.
  • Give NPS a server certificate issued by a CA the clients trust.
  • Add the APs as RADIUS clients on the NPS server.
  • Configure a policy in NPS to support PEAP-MSCHAPv2.
  • Deploy PEAP-MSCHAPv2 wireless network settings and automatic certificate enrollment to domain member computers using Group Policy.


Install CA Role:

I have already posted an article about installing the CA role on Windows Server. You can follow those steps to install and configure it.

https://configland.com/windowsservers/197-setting-up-microsoft-active-directory-certificate-services

After installing and configuring the CA, I can see the root CA certificate in the Personal folder of the CA's computer certificate store.

The Trusted Root Certification Authorities folder holds the same certificate.

Install & Configure NPS :

Server Manager > Add Roles and Features > Network Policy and Access Services, and complete the wizard.

After adding the role, open the NPS console. In the Standard Configuration dropdown select RADIUS server for 802.1X Wireless or Wired Connections, then click Configure 802.1X.

Choose whether the connection type is wireless or wired.

Add the IP address of each access point and specify a shared secret that will be used between the APs and the NPS server. The same secret must be entered on the APs. Treat it like a password: make it long and random, and use a different secret per AP where practical, because this secret is all that authenticates the RADIUS traffic between an AP and NPS.

As the authentication method select Microsoft: Protected EAP (PEAP). PEAP needs a server certificate on the NPS server; click Configure and make sure the certificate issued by your CA (one with the Server Authentication purpose) is selected, because the clients will validate exactly this certificate in the Group Policy steps below.

You can specify groups here and set an allow or deny rule for them. I leave it empty so the rule applies to everyone; we will restrict access to Domain Computers in the network policy afterwards.

Click Next and then Finish.

The wizard created one connection request policy and one network policy. Under Network Policies, double-click Secure Wireless Connections and, on the Conditions tab, add the Domain Computers group (or any other group you want to grant access). Only members of the groups listed here will pass this policy.

Right-click NPS (Local) and choose Register server in Active Directory. This adds the server to the RAS and IAS Servers group, which it needs in order to read the account properties of the computers and users it authenticates.

Click OK
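
The same server-side steps from PowerShell, as an added example that is not part of the original post. It assumes an access point at 192.168.10.5 that we register as "AP-Office1" and that the script runs elevated on the NPS server with a domain administrator account; the Server Authentication EKU OID, the audit subcategory and the 6272/6273 event IDs are standard Windows values.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the NPS server.
# Assumed values: access point 192.168.10.5, registered as "AP-Office1".

# 1. Install the role (the post does this through Server Manager).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in Active Directory. This puts the server in the "RAS and IAS Servers"
#    group so it may read the account properties of the computers and users it authenticates.
netsh nps add registeredserver

# 3. Generate the RADIUS shared secret instead of typing a short one. The secret is the only
#    thing authenticating traffic between the AP and NPS, so make it long and random.
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    # Letters, digits and punctuation that is generally accepted by AP web forms.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~!@#%^*+='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}
$secret = New-RadiusSharedSecret

# 4. Add the access point as a RADIUS client with that secret.
New-NpsRadiusClient -Name 'AP-Office1' -Address '192.168.10.5' -SharedSecret $secret
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Write-Output "Enter this shared secret on the AP: $secret"

# 5. PEAP needs a server certificate on NPS: issued by our CA, Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1), with a private key. This lists the candidates the PEAP settings will offer.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# 6. Audit NPS decisions: event 6272 (access granted) and 6273 (access denied) in the Security log.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 7. Back up the NPS configuration. The export contains the shared secrets, so protect the file.
Export-NpsConfiguration -Path (Join-Path $env:USERPROFILE 'nps-config.xml')
```

Pick the certificate listed in step 5 in the PEAP properties: the clients will compare its subject with the server name and its chain with the root CA you mark as trusted in the Group Policy, so the two settings have to describe this certificate. If a workstation is rejected later, the 6273 events on the NPS server name the policy and the reason.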

Configure Your Access Point:

Select WPA2-Enterprise and specify the SSID, the authentication type, the encryption (AES/CCMP; avoid TKIP), the RADIUS server IP and the RADIUS server password. The password must be the same shared secret we defined while configuring NPS.

Create a GPO for Clients:

Now we will create a GPO that makes our computers automatically request a computer certificate from our CA and tells them how to connect to our SSID.

Create a Group Policy Object and link it where you want it applied. I named it Radius Policy. Click Add under Security Filtering and add Domain Computers. If you remove Authenticated Users from Security Filtering, leave that group with Read permission on the Delegation tab; the computer account needs it to read the GPO, and without it the policy silently never applies.

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings > New > Automatic Certificate Request

Select the Computer template.

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment > right-click > Properties

Set the Configuration Model to Enabled and check both boxes: Renew expired certificates, update pending certificates, and remove revoked certificates; and Update certificates that use certificate templates.

Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Create A New Wireless Network Policy for Windows Vista and Later Releases

Give the policy a name, click Add and choose Infrastructure.

Enter your SSID as the Network Name and click Add.

On the Security tab select WPA2-Enterprise with AES encryption and Microsoft: Protected EAP (PEAP) as the network authentication method, and set the Authentication Mode to Computer only so the computer account is used (User re-authentication if users should also be authenticated after they log on). Then click Properties.

In the PEAP properties make sure server certificate validation is enabled, check Connect to these servers and type the DNS name of your NPS server exactly as it appears in the server certificate, and tick your root CA under Trusted Root Certification Authorities. Also disable prompting the user to authorize new servers or trusted CAs. These settings are what stop a rogue access point with its own RADIUS server from completing the PEAP handshake and collecting the computer account's MS-CHAPv2 exchange; without them a client would accept any certificate presented to it.
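
Creating, linking and scoping the GPO from PowerShell, as an added example that is not part of the original post. It assumes the GPO name Radius Policy from above, a target OU OU=Workstations,DC=configland,DC=com and the SSID ConfigLand-WiFi, and it runs on a domain controller or a machine with the Group Policy RSAT module. The PKI and wireless settings themselves have no cmdlets, so they are still configured in the editor as described; the last part only verifies that they ended up in the GPO.

```powershell
# Added example, not from the original post. Run on a domain controller or a machine with RSAT.
# Assumed values: GPO "Radius Policy", OU "OU=Workstations,DC=configland,DC=com", SSID "ConfigLand-WiFi".
Import-Module GroupPolicy

$gpoName = 'Radius Policy'
$target  = 'OU=Workstations,DC=configland,DC=com'
$ssid    = 'ConfigLand-WiFi'

# 1. Create and link the GPO.
New-GPO -Name $gpoName -Comment 'Computer certificate auto-enrollment and 802.1X wireless profile' | Out-Null
New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null

# 2. Security filtering: apply to Domain Computers only ...
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoApply | Out-Null
# ... and downgrade Authenticated Users from Apply to Read instead of removing it. The computer
# account reads the GPO, so without Read the policy silently never reaches the workstations.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission

# 3. The PKI and wireless settings live in the GPO's SYSVOL folder and are set in the editor.
#    Afterwards, read the XML report and confirm they landed in the GPO. The substrings are
#    assumptions: the report's element names differ slightly between Windows versions.
function Test-RadiusGpo {
    param([string]$ReportXml, [string]$Ssid)
    [pscustomobject]@{
        WirelessPolicy = [bool]($ReportXml -match 'Wireless')
        SsidPresent    = [bool]($ReportXml -match [regex]::Escape($Ssid))
        AutoEnrollment = [bool]($ReportXml -match 'Auto-?Enroll')
    }
}
$report = Get-GPOReport -Name $gpoName -ReportType Xml
Test-RadiusGpo -ReportXml $report -Ssid $ssid
```

Run the last two lines again after each change in the editor; all three fields should be True before you start rebooting workstations.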

Let's test it on a workstation. Reboot the workstation so the new Group Policy is applied (or run gpupdate /force). I successfully connected to my SSID.

Go to the wireless properties to see the details of this connection.
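
A check to run on the workstation after the reboot, as an added example that is not part of the original post. It assumes the SSID ConfigLand-WiFi, an NPS server named nps01.configland.com and a root CA whose subject contains CONFIGLAND-CA, and it assumes netsh can export the Group Policy wireless profile on this build. Beyond confirming that the connection works, it reads back the applied profile to confirm the supplicant really enforces server validation, which is the part a user-facing test cannot show.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a domain
# workstation after the reboot. Assumed values: SSID "ConfigLand-WiFi", NPS server
# nps01.configland.com, root CA subject containing "CONFIGLAND-CA".
$ssid    = 'ConfigLand-WiFi'
$npsName = 'nps01.configland.com'
$caMatch = 'CONFIGLAND-CA'

# 1. Did the GPO reach this computer, and did auto-enrollment issue the computer certificate
#    (Client Authentication EKU 1.3.6.1.5.5.7.3.2)?
gpresult /r /scope computer | Select-String 'Radius Policy'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Select-Object Subject, Issuer, NotAfter

# 2. Export the wireless profile the policy applied and check what the supplicant will enforce.
#    Without these settings a rogue AP with its own RADIUS server can harvest the computer
#    account's MS-CHAPv2 exchange.
$dir = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh wlan export profile name="$ssid" folder="$dir" | Out-Null
$file = Get-ChildItem $dir -Filter "*-$ssid.xml" | Select-Object -First 1
$xml  = [xml](Get-Content $file.FullName -Raw)

function Get-ProfileValue {
    param([xml]$Profile, [string]$Element)
    # The profile mixes several XML namespaces; local-name() sidesteps prefix handling.
    $node = $Profile.SelectSingleNode("//*[local-name()='$Element']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

# Thumbprint of our root CA as the machine store knows it, and the thumbprints pinned in the profile.
$rootThumb = (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*$caMatch*" |
              Select-Object -First 1).Thumbprint
$profileRootCAs = $xml.SelectNodes("//*[local-name()='TrustedRootCA']") |
                  ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }

$checks = [ordered]@{
    'WPA2 / AES'               = (Get-ProfileValue $xml 'authentication') -eq 'WPA2' -and (Get-ProfileValue $xml 'encryption') -eq 'AES'
    'Machine authentication'   = (Get-ProfileValue $xml 'authMode') -in @('machine', 'machineOrUser')
    'No prompt for new server' = (Get-ProfileValue $xml 'DisableUserPromptForServerValidation') -eq 'true'
    'Server name pinned'       = ((Get-ProfileValue $xml 'ServerNames') -split ';') -contains $npsName
    'Our root CA pinned'       = $profileRootCAs -contains $rootThumb
}
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' }) }

# 3. The supplicant's own verdict: 8001 = connected, 8002 = connection failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 8001, 8002 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Anything reported as CHECK means the policy connected the computer but left it willing to trust a server it should not; fix the PEAP properties in the GPO rather than accepting the connection as a success.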

In this post we authenticated the computers in our domain without asking their users for credentials. Thanks for reading.
