IAS RADIUS Server Configuration for 802.1x EAP-MS-CHAP v2
This article describes the steps required to set up a resilient 802.1X Wi-Fi RADIUS authentication infrastructure; a must for any SMB.
This article assumes you have configured your Wireless Access Point with the desired RADIUS server IP addresses / FQDNs and a shared secret.
IAS / Certificate Services Installation and Configuration: Primary RADIUS Server
To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller.
- First, install IIS on your Domain Controller.
- Next, install an Enterprise Root Certificate Authority (Enterprise Root CA mode). Give the CA the same name as the server’s name.
- Next, create a new Global Group, ‘Wireless Users and Computers’, and add the computer AND user objects to which you wish to grant IAS RADIUS access.
- Ensure that the user accounts are configured to grant Remote Access (Dial-in) permission.
- Next, install IAS (via Add/Remove Programs > Windows Components).
You will also need to request a NPS/IAS/RADIUS Server Authentication certificate for each IAS server you wish to configure.
Create IAS RADIUS Clients
Next, load the IAS MMC snap-in and select Clients.
- Right-click Clients > New > Enter a friendly name
- Ensure that Protocol is ‘RADIUS’
- Enter Access Point IP Address
- Select RADIUS Standard as the client vendor.
- Tick ‘Client must always send the signature attribute in the request’ (the signature attribute is the RADIUS Message-Authenticator; requiring it makes IAS reject requests that are not integrity-protected with the shared secret)
- Enter the shared secret as configured on the AP
- Click Finish
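What the ‘signature attribute’ tick box enforces is the RADIUS Message-Authenticator (RFC 2869): an HMAC-MD5 over the whole request, keyed with the shared secret, with the attribute’s own value zeroed. The Python below is an added illustration, not code from this article or from IAS: it builds an Access-Request carrying the attribute (with NAS-Port-Type set to the Wireless – IEEE 802.11 value used in the policy condition) and checks it the way a server configured to require it would, rejecting requests that omit the attribute or fail the check. The secret, user name and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19  # "Wireless - IEEE 802.11"


def _attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, username, identifier, authenticator, sign=True):
    """Build an Access-Request; with sign=True append a valid Message-Authenticator."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack(">I", NAS_PORT_TYPE_WIRELESS_80211))
    if sign:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    packet = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    if sign:
        # HMAC-MD5 over code, id, length, Request Authenticator and all attributes
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zeroed value is the final 16 bytes
    return packet


def verify_message_authenticator(secret, packet):
    """True only if the request carries a Message-Authenticator and it verifies.
    A request without the attribute is rejected, as the IAS client setting requires."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False
```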
Configure Remote Access Policies
- Select Remote Access Policies
- Right-click Remote Access Policies > New Remote Access Policy
- Enter a friendly name
- Click Next
- On the conditions window, click Add
- Select Windows Groups and click Add
- Click Add, set Domain as the location and search for the Global Group, then click OK; you will return to the conditions window
- Click Add, select NAS-Port-Type and then select Wireless – IEEE 802.11
- Click Add, select Wireless – Other and then Click Add, you will return to the conditions window.
- Click Next
- Select Grant Remote Access Permission
- Click Edit Profile then select the ‘Authentication’ tab
- Enable Extensible Authentication Protocol and select PEAP as the EAP type from the drop-down box
- Disable all other authentication types
- Click Configure under the Extensible Authentication Protocol group
- Ensure that Secured Password (EAP-MSCHAP-V2) is listed
- Select the IAS/RADIUS Server Authentication certificate you wish to use for authentication (note: if the certificate is replaced in future, change it here)
- Click OK
- Click OK until the Remote Access Policy Configuration window disappears!
Perform the steps as above on the Secondary RADIUS server.
Client Configuration
Once the laptop has detected the AP, configure the advanced options:
Network Authentication should be set to WPA, using TKIP data encryption
Under Authentication select Protected EAP
Select Properties
Ensure ‘Validate server certificate’ is selected
Ensure that ‘Connect to these servers’ contains the RADIUS servers’ FQDNs
Scroll down and select both RADIUS server certificates under Trusted Root Certification Authorities
It may be necessary to manually install one of the Certificates to your client.
Client configuration can be completed using Group Policy: Computer Configuration/Windows Settings/Wireless (802.11) Policies
Manual Certificate Installation
Navigate Internet Explorer to:
- http://your-certificateserver1/certsrv
- http://your-certificateserver2/certsrv
From each server, retrieve the CA certificate; download it in DER encoded format.
On the client, load MMC and add the Certificates snap-in, selecting Computer account > Local computer. Expand Trusted Root Certification Authorities and select Certificates > right-click Certificates > Import > select the first RADIUS server’s CA certificate