Wi-Fi authorization in Active Directory/RADIUS (Windows Server 2008 R2)

This article describe how to configure RADIUS authentication (WPA/WPA2 Enterprise) in Wi-Fi Access Points

First step. Install “Network Policy and Access Services”.

In Server Manager use Add Role:

2013-08-29_164303

Check “Routing and Remote Access Services”

2013-08-29_164324

In “Select Role Services” windows check “Network Policy Server”:

2013-08-29_164348

“Next-Next-Finish” will install required component.

Second step. Configure Network Policy Server.

You can configure NPS from Server Manager or Administrative Tools (Network Policy Server Snap-In).

By default, NPS configured to log “Rejected authentication requests” and “Successful authentication requests”. You can change this settings by clicking right mouse button on “NPS (local)” node and check Properties menu field. Logging options is on the General page. You can check or change ports in Ports page.

2013-08-29_1652222013-08-29_165725

Log file path can be changed in Accounting menu. This can help resolve connection error.

2013-08-29_165932

Now need to change default “Use Windows authentication for all users” policy in “Connection Request Policies” from “NPS (local) – Policies – Connection Request Policies” menu:

2013-08-29_181316

In last “Settings” page check “Authentication” and “Accounting” menu. In “Authentication” menu set “Authenticate requests on this server”. In “Accounting” – clear check box from “Forward accounting requests to this RADIUS server group”.

2013-08-29_171636 2013-08-29_171621

Add network policy in “NPS (local) – Policies – Network Policies” menu.

2013-08-29_171815

In fist “Specify Network Policy Name and Connection Type” page set Policy name:

2013-08-29_171900

In second “Specify Conditions” page add Windows Group that you want grant access:

2013-08-29_172338

In “Specify Access Permission” page check “Access granted”.

In “Configure Authentication Methods” page use “Add” menu to add “Microsoft: Protected EAP (PEAP)” authentication method” and uncheck all other authentication method:

2013-08-29_173129

Another step in this page. Check “Microsoft: Protected EAP (PEAP)” authentication type and use “Edit” button to select certificate:

2013-08-29_173321

Click “Next” twice to “Configure Settings” page. In “Encryption” menu unckeck all check boxes except “Strong encryption (MPPE 128-bit)”:

2013-08-29_181620

Finish creating network policy.

Step three. Add RADIUS client and register NPS server in Active Directory.

You should add RADIUS client from “NPS (local) – RADIUS Clients and Servers – RADIUS Clients” menu.

2013-08-29_174526

Add values in “New RADIUS Client” window. Friendly name, Address (IP or DNS) and Shared secret. In Advanced tab check RADIUS Standard:

2013-08-29_1750152013-08-29_175145

Register RADIUS server in Active Directory by clicking right mouse button on “NPS (local)” and press “Register server in Active Directory”:

2013-08-29_175247

Step four. Configure Wi-Fi Access Point.

In Access Point setting set WPA/WPA2 Enterprise authentication method:

2013-08-29_175710

In RADIUS settings page add RADIUS server IP address, port 1812 (by default) and shared secret from previous step:

2013-08-29_175744

Configuration done. Now you can connect to Wi-Fi by using windows login and password.

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.